[maglev] Ensure CheckedObjectToIndex zero extends

Use SmiToInt32 instead of SmiUntag to get a zero extended value in
CheckedObjectToIndex.

Bug: v8:7700
Change-Id: I034039781d8db106713e54ebaf72672c261b8fc1
Fixed: chromium:1406573
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4161759
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85252}

src/codegen/x64/macro-assembler-x64.cc

@@ -1580,6 +1580,12 @@ void TurboAssembler::SmiToInt32(Register reg) {
   }
 }
 
+void TurboAssembler::SmiToInt32(Register dst, Register src) {
+  DCHECK(dst != src);
+  mov_tagged(dst, src);
+  SmiToInt32(dst);
+}
+
 void TurboAssembler::SmiCompare(Register smi1, Register smi2) {
   AssertSmi(smi1);
   AssertSmi(smi2);

src/codegen/x64/macro-assembler-x64.h

@@ -367,6 +367,7 @@ class V8_EXPORT_PRIVATE TurboAssembler
 
   // Convert smi to 32-bit value.
   void SmiToInt32(Register reg);
+  void SmiToInt32(Register dst, Register src);
 
   // Loads the address of the external reference into the destination
   // register.

src/maglev/arm64/maglev-ir-arm64.cc

@@ -790,9 +790,9 @@ void CheckedObjectToIndex::GenerateCode(MaglevAssembler* masm,
 
   // If we didn't enter the deferred block, we're a Smi.
   if (result_reg == object) {
-    __ SmiUntag(object);
+    __ SmiToInt32(result_reg);
   } else {
-    __ SmiUntag(result_reg, object);
+    __ SmiToInt32(result_reg, object);
   }
 
   __ bind(*done);

src/maglev/x64/maglev-ir-x64.cc

@@ -714,9 +714,9 @@ void CheckedObjectToIndex::GenerateCode(MaglevAssembler* masm,
 
   // If we didn't enter the deferred block, we're a Smi.
   if (result_reg == object) {
-    __ SmiUntag(object);
+    __ SmiToInt32(result_reg);
   } else {
-    __ SmiUntag(result_reg, object);
+    __ SmiToInt32(result_reg, object);
   }
 
   __ bind(*done);