[turbofan] Fix negative offset handling in escape analysis.

Bug: chromium:906220
Change-Id: I72547d92ffad4039c22dd7ce2d1438fe85f9c190
Reviewed-on: https://chromium-review.googlesource.com/c/1340292Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57600}

src/compiler/escape-analysis.cc

@@ -516,7 +516,7 @@ Maybe<int> OffsetOfElementsAccess(const Operator* op, Node* index_node) {
   double max = index_type.Max();
   double min = index_type.Min();
   int index = static_cast<int>(min);
-  if (!(index == min && index == max)) return Nothing<int>();
+  if (index < 0 || index != min || index != max) return Nothing<int>();
   return Just(OffsetOfElementAt(ElementAccessOf(op), index));
 }
 

test/mjsunit/regress/regress-crbug-906220.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() { new Array().pop(); }
+
+assertEquals(undefined, foo());
+assertEquals(undefined, foo());
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(undefined, foo());