[compiler] Fix typing of ToLength.

Typer::Visitor::ToLength was unsound (and non-monotonic).  For instance,
if the input type was Range(2^53, 2^53+1), the result type was
Constant(2^53).  Now the result is type Constant(2^53-1).  (The result
of ToLength is guaranteed to be between 0 and 2^53-1.)

BUG=

Review-Url: https://codereview.chromium.org/2753773010
Cr-Commit-Position: refs/heads/master@{#43914}

src/compiler/typer.cc

@@ -454,9 +454,14 @@ Type* Typer::Visitor::ToLength(Type* type, Typer* t) {
   type = ToInteger(type, t);
   double min = type->Min();
   double max = type->Max();
+  if (max <= 0.0) {
+    return Type::NewConstant(0, t->zone());
+  }
+  if (min >= kMaxSafeInteger) {
+    return Type::NewConstant(kMaxSafeInteger, t->zone());
+  }
   if (min <= 0.0) min = 0.0;
-  if (max > kMaxSafeInteger) max = kMaxSafeInteger;
-  if (max <= min) max = min;
+  if (max >= kMaxSafeInteger) max = kMaxSafeInteger;
   return Type::Range(min, max, t->zone());
 }
 

src/compiler/verifier.cc

@@ -574,8 +574,7 @@ void Verifier::Visitor::Check(Node* node) {
       CheckTypeIs(node, Type::OrderedNumber());
       break;
     case IrOpcode::kJSToLength:
-      // Type is OrderedNumber.
-      CheckTypeIs(node, Type::OrderedNumber());
+      CheckTypeIs(node, Type::Range(0, kMaxSafeInteger, zone));
       break;
     case IrOpcode::kJSToName:
       // Type is Name.