[turbofan] Fix HasProperty for OOB access on polymorphic ICs

The existing has property handling did not account for the fact an IC can have LOAD_IGNORE_OUT_OF_BOUNDS while some of the maps in the IC do not allow out of bounds loads.

bug: chromium:942068
Change-Id: I935402d9d72e9c0228510ef69154ea130d1c71f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1525876Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60269}

src/compiler/js-native-context-specialization.cc

@@ -2876,8 +2876,7 @@ JSNativeContextSpecialization::BuildElementAccess(
       index = effect = graph()->NewNode(
           simplified()->CheckBounds(VectorSlotPair()), index,
           jsgraph()->Constant(Smi::kMaxValue), effect, control);
-    } else if (access_mode != AccessMode::kHas ||
-               load_mode != LOAD_IGNORE_OUT_OF_BOUNDS) {
+    } else {
       // Check that the {index} is in the valid range for the {receiver}.
       index = effect =
           graph()->NewNode(simplified()->CheckBounds(VectorSlotPair()), index,

test/mjsunit/regress/regress-crbug-942068.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(index, array) {
+  return index in array;
+}
+
+let arr = [];
+arr.__proto__ = [0];
+assertFalse(foo(0, {}));
+assertTrue(foo(0, arr));
+assertFalse(foo(0, {}));
+%OptimizeFunctionOnNextCall(foo);
+assertTrue(foo(0, arr));