[ic] Fix KeyedLoadIC for "string"[4294967295]

If index > JSObject::kMaxElementIndex, we have to perform a prototype
chain lookup for a named property. The corresponding check was missing
for string receivers.

Fixed: chromium:1265043
Change-Id: Ibccd058a4bd108eeee235762bea0bc4163aaa0b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3257704
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77683}

src/ic/accessor-assembler.cc

@@ -600,7 +600,15 @@ void AccessorAssembler::HandleLoadICSmiHandlerCase(
         Return(result);
 
         BIND(&if_oob_string);
-        GotoIf(IntPtrLessThan(index, IntPtrConstant(0)), miss);
+        if (Is64()) {
+          // Indices >= 4294967295 are stored as named properties; handle them
+          // in the runtime.
+          GotoIfNot(UintPtrLessThanOrEqual(
+                        index, IntPtrConstant(JSObject::kMaxElementIndex)),
+                    miss);
+        } else {
+          GotoIf(IntPtrLessThan(index, IntPtrConstant(0)), miss);
+        }
         TNode<BoolT> allow_out_of_bounds =
             IsSetWord<LoadHandler::AllowOutOfBoundsBits>(handler_word);
         GotoIfNot(allow_out_of_bounds, miss);

test/mjsunit/regress/regress-crbug-1265043.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+val = "hello";
+function foo(i) {
+  return val[i];
+}
+assertEquals(undefined, foo(8));
+Object.prototype[4294967295] = "boom";
+assertEquals("boom", foo(4294967295));
+%PrepareFunctionForOptimization(foo);
+assertEquals(undefined, foo(8));
+assertEquals("boom", foo(4294967295));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(undefined, foo(8));
+assertEquals("boom", foo(4294967295));