[turbofan] Generate the correct bounds when the array protector isn't valid.

The condition for bounds check generation was not in sync with the
condition that was used for the actual access, which lead to invalid
memory accesses when the array protector was invalid.

Tbr: tebbi@chromium.org
Bug: chromium:781506, chromium:781494, chromium:781457, chromium:781285, chromium:781381, chromium:781380, v8:6936, v8:7014, v8:7027
Change-Id: Ia5b2ad02940292572ed9b37abd3f9ffaa6d7a26b
Reviewed-on: https://chromium-review.googlesource.com/753590
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49124}

src/compiler/js-native-context-specialization.cc

@@ -2295,7 +2295,8 @@ JSNativeContextSpecialization::BuildElementAccess(
     if (IsGrowStoreMode(store_mode)) {
       // For growing stores we validate the {index} below.
       DCHECK_EQ(AccessMode::kStore, access_mode);
-    } else if (load_mode == LOAD_IGNORE_OUT_OF_BOUNDS) {
+    } else if (load_mode == LOAD_IGNORE_OUT_OF_BOUNDS &&
+               CanTreatHoleAsUndefined(receiver_maps)) {
       // Check that the {index} is a valid array index, we do the actual
       // bounds check below and just skip the store below if it's out of
       // bounds for the {receiver}.

test/mjsunit/regress/regress-crbug-781506-1.js

@@ -0,0 +1,12 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a) { return a[0]; }
+
+assertEquals(undefined, foo(x => x));
+assertEquals(undefined, foo({}));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(undefined, foo(x => x));

test/mjsunit/regress/regress-crbug-781506-2.js

@@ -0,0 +1,13 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(o) { return o[0]; }
+
+assertEquals(undefined, foo({}));
+Array.prototype[0] = 0;
+assertEquals(undefined, foo({}));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(undefined, foo({}));

test/mjsunit/regress/regress-crbug-781506-3.js

@@ -0,0 +1,13 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a, i) { return a[i] + 0.5; }
+
+foo({}, 1);
+Array.prototype.unshift(1.5);
+assertTrue(Number.isNaN(foo({}, 1)));
+%OptimizeFunctionOnNextCall(foo);
+assertTrue(Number.isNaN(foo({}, 1)));