[turbofan] Fix CHECK failure in graph verifier

ForInNext can get lowered to a low-level call to the ForInFilter
builtin. We currently type low-level Call nodes simply as Any, leading
to a CHECK failure when the verifier expects a primitive.

This CL fixes the issue simply by manually setting the type as part of
the lowering. An alternative would be to have the Call typing inspect
its input similar to what the JSCall typing does. We can consider this
if we hit the same issue in other cases.

Bug: chromium:1102053
Change-Id: I6682d8cf95c6a3ebaff9c8de677aa20ca676573f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2282523
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68688}

src/compiler/js-typed-lowering.cc

@@ -1976,6 +1976,9 @@ Reduction JSTypedLowering::ReduceJSForInNext(Node* node) {
             graph()->NewNode(common()->Call(call_descriptor),
                              jsgraph()->HeapConstant(callable.code()), key,
                              receiver, context, frame_state, effect, if_false);
+        NodeProperties::SetType(
+            vfalse,
+            Type::Union(Type::String(), Type::Undefined(), graph()->zone()));
 
         // Update potential {IfException} uses of {node} to point to the above
         // ForInFilter stub call node instead.

test/mjsunit/compiler/regress-1102053.js

@@ -0,0 +1,25 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --interrupt-budget=1024
+
+const v10 =
+  {__proto__: [42], a: 1757695453, length: Promise, toString: 1337, d: []};
+
+async function foo(a) {
+  a.length;
+  for (const k in v10) {
+    for (let i = 0; i < k; i++) {}
+    for (let i = 0; i < 10; i++) {
+      function bar() {}
+      while (a < 1) {
+        for (const kk of []) await 42;
+      }
+    }
+  }
+}
+
+for (let i = 0; i < 2; i++) {
+  foo([42]);
+}