[turbofan] add CheckSmi call to String.p.startsWith

Add a CheckSmi call to the value of the position argument to
String.prototype.startsWith(search, [position]).

Bug: v8:8400, chromium:939746
Change-Id: I7462bebe0d3fde605a4c27a34c0d9bb3f0cc1c20
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1514198
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60216}

src/compiler/js-call-reducer.cc

@@ -5191,6 +5191,8 @@ Reduction JSCallReducer::ReduceStringPrototypeStartsWith(Node* node) {
         // Ensure that the {string} is actually a String.
         string = effect = graph()->NewNode(
             simplified()->CheckString(p.feedback()), string, effect, control);
+        position = effect = graph()->NewNode(
+            simplified()->CheckSmi(p.feedback()), position, effect, control);
 
         Node* string_length =
             graph()->NewNode(simplified()->StringLength(), string);

test/mjsunit/regress/regress-939746.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// String.p.startsWith(x, NaN) shouldn't crash V8 when optimized.
+(function () {
+  function f() { 'a'.startsWith('a', NaN); }
+
+  %PrepareFunctionForOptimization(f);
+  f();
+  f();
+  %OptimizeFunctionOnNextCall(f);
+  f();
+})();
+
+// String.p.startsWith should try to coerce non-numbers to numbers.
+(function() {
+  let wasCalled = false;
+
+  const obj = {
+    [Symbol.toPrimitive]: () => wasCalled = true
+  };
+
+  function f() { ''.startsWith('a', obj); }
+
+  %PrepareFunctionForOptimization(f);
+  f();
+  f();
+  %OptimizeFunctionOnNextCall(f);
+  f();
+
+  assertTrue(wasCalled, "String.p.startsWith didn't attempt to coerce the position argument to a Number.")
+})();