[ic] Properly handle negative indices.

We need to explicitly rule out negative indices for the out-of-bounds
case, otherwise we can end up with a monomorphic KeyedLoadIC that allows
OOB accesses, but doesn't properly check whether there are properties
with negative integer names on the receiver.

Bug: chromium:784835
Change-Id: Ic3ef5438b76094f024de0c6348183fb62b32088c
Reviewed-on: https://chromium-review.googlesource.com/774278Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49396}

src/ic/accessor-assembler.cc

@@ -263,6 +263,11 @@ void AccessorAssembler::HandleLoadICSmiHandlerCase(
       Comment("out of bounds elements access");
       Label return_undefined(this);
 
+      // Negative indices aren't valid array indices (according to
+      // the ECMAScript specification), and are stored as properties
+      // in V8, not elements. So we cannot handle them here.
+      GotoIf(IntPtrLessThan(intptr_index, IntPtrConstant(0)), miss);
+
       // Check if we're allowed to handle OOB accesses.
       Node* allow_out_of_bounds =
           IsSetWord<LoadHandler::AllowOutOfBoundsBits>(handler_word);

test/mjsunit/regress/regress-crbug-784835.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function foo(o, k) { return o[k]; }
+
+var a = [1,2];
+a["-1"] = 42;
+
+assertEquals(1, foo(a, 0));
+assertEquals(2, foo(a, 1));
+assertEquals(undefined, foo(a, 3));
+assertEquals(42, foo(a, -1));