Revert "[csa] disable selected bounds checks for remaining regressions"

This reverts commit c3148664.

Reason for revert: speculative revert for MSAN failure https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/25398

Original change's description:
> [csa] disable selected bounds checks for remaining regressions
> 
> Bug: chromium:932919
> TBR: jarin@chromium.org
> Change-Id: Id1125dcd2978f790af4cf00125bcbb94741d0bf8
> Reviewed-on: https://chromium-review.googlesource.com/c/1480387
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59773}

TBR=jarin@chromium.org,jgruber@chromium.org,leszeks@chromium.org,tebbi@chromium.org

Change-Id: Ib6cb825375725773db73f40ad3b65e084645b568
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:932919
Reviewed-on: https://chromium-review.googlesource.com/c/1480914Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59777}

src/builtins/builtins-collections-gen.cc

@@ -539,7 +539,7 @@ TNode<BoolT> BaseCollectionsAssembler::HasInitialCollectionPrototype(
 
 TNode<Object> BaseCollectionsAssembler::LoadAndNormalizeFixedArrayElement(
     TNode<FixedArray> elements, TNode<IntPtrT> index) {
-  TNode<Object> element = UnsafeLoadFixedArrayElement(elements, index);
+  TNode<Object> element = LoadFixedArrayElement(elements, index);
   return Select<Object>(IsTheHole(element), [=] { return UndefinedConstant(); },
                         [=] { return element; });
 }
@@ -1003,10 +1003,10 @@ TNode<JSArray> CollectionsBuiltinsAssembler::MapIteratorToList(
       CSA_ASSERT(this, InstanceTypeEqual(LoadInstanceType(iterator),
                                          JS_MAP_VALUE_ITERATOR_TYPE));
       TNode<Object> entry_value =
-          UnsafeLoadFixedArrayElement(table, entry_start_position,
-                                      (OrderedHashMap::HashTableStartIndex() +
-                                       OrderedHashMap::kValueOffset) *
-                                          kTaggedSize);
+          LoadFixedArrayElement(table, entry_start_position,
+                                (OrderedHashMap::HashTableStartIndex() +
+                                 OrderedHashMap::kValueOffset) *
+                                    kTaggedSize);
 
       Store(elements, var_offset.value(), entry_value);
       Goto(&continue_loop);
@@ -1410,9 +1410,9 @@ CollectionsBuiltinsAssembler::NextSkipHoles(TNode<TableType> table,
     entry_start_position = IntPtrAdd(
         IntPtrMul(var_index.value(), IntPtrConstant(TableType::kEntrySize)),
         number_of_buckets);
-    entry_key = UnsafeLoadFixedArrayElement(
-        table, entry_start_position,
-        TableType::HashTableStartIndex() * kTaggedSize);
+    entry_key =
+        LoadFixedArrayElement(table, entry_start_position,
+                              TableType::HashTableStartIndex() * kTaggedSize);
     Increment(&var_index);
     Branch(IsTheHole(entry_key), &loop, &done_loop);
   }
@@ -1534,8 +1534,8 @@ TF_BUILTIN(MapPrototypeSet, CollectionsBuiltinsAssembler) {
   TVARIABLE(OrderedHashMap, table_var, table);
   {
     // Check we have enough space for the entry.
-    number_of_buckets.Bind(SmiUntag(CAST(UnsafeLoadFixedArrayElement(
-        table, OrderedHashMap::NumberOfBucketsIndex()))));
+    number_of_buckets.Bind(SmiUntag(CAST(
+        LoadFixedArrayElement(table, OrderedHashMap::NumberOfBucketsIndex()))));
 
     STATIC_ASSERT(OrderedHashMap::kLoadFactor == 2);
     Node* const capacity = WordShl(number_of_buckets.value(), 1);
@@ -1550,7 +1550,7 @@ TF_BUILTIN(MapPrototypeSet, CollectionsBuiltinsAssembler) {
     // fields.
     CallRuntime(Runtime::kMapGrow, context, receiver);
     table_var = CAST(LoadObjectField(receiver, JSMap::kTableOffset));
-    number_of_buckets.Bind(SmiUntag(CAST(UnsafeLoadFixedArrayElement(
+    number_of_buckets.Bind(SmiUntag(CAST(LoadFixedArrayElement(
         table_var.value(), OrderedHashMap::NumberOfBucketsIndex()))));
     Node* const new_number_of_elements = SmiUntag(CAST(LoadObjectField(
         table_var.value(), OrderedHashMap::NumberOfElementsOffset())));
@@ -1572,29 +1572,25 @@ void CollectionsBuiltinsAssembler::StoreOrderedHashMapNewEntry(
     Node* const hash, Node* const number_of_buckets, Node* const occupancy) {
   Node* const bucket =
       WordAnd(hash, IntPtrSub(number_of_buckets, IntPtrConstant(1)));
-  Node* const bucket_entry = UnsafeLoadFixedArrayElement(
+  Node* const bucket_entry = LoadFixedArrayElement(
       table, bucket, OrderedHashMap::HashTableStartIndex() * kTaggedSize);
 
   // Store the entry elements.
   Node* const entry_start = IntPtrAdd(
       IntPtrMul(occupancy, IntPtrConstant(OrderedHashMap::kEntrySize)),
       number_of_buckets);
-  UnsafeStoreFixedArrayElement(
-      table, entry_start, key, UPDATE_WRITE_BARRIER,
-      kTaggedSize * OrderedHashMap::HashTableStartIndex());
-  UnsafeStoreFixedArrayElement(
-      table, entry_start, value, UPDATE_WRITE_BARRIER,
-      kTaggedSize * (OrderedHashMap::HashTableStartIndex() +
-                     OrderedHashMap::kValueOffset));
-  UnsafeStoreFixedArrayElement(
-      table, entry_start, bucket_entry, SKIP_WRITE_BARRIER,
-      kTaggedSize * (OrderedHashMap::HashTableStartIndex() +
-                     OrderedHashMap::kChainOffset));
+  StoreFixedArrayElement(table, entry_start, key, UPDATE_WRITE_BARRIER,
+                         kTaggedSize * OrderedHashMap::HashTableStartIndex());
+  StoreFixedArrayElement(table, entry_start, value, UPDATE_WRITE_BARRIER,
+                         kTaggedSize * (OrderedHashMap::HashTableStartIndex() +
+                                        OrderedHashMap::kValueOffset));
+  StoreFixedArrayElement(table, entry_start, bucket_entry, SKIP_WRITE_BARRIER,
+                         kTaggedSize * (OrderedHashMap::HashTableStartIndex() +
+                                        OrderedHashMap::kChainOffset));
 
   // Update the bucket head.
-  UnsafeStoreFixedArrayElement(
-      table, bucket, SmiTag(occupancy), SKIP_WRITE_BARRIER,
-      OrderedHashMap::HashTableStartIndex() * kTaggedSize);
+  StoreFixedArrayElement(table, bucket, SmiTag(occupancy), SKIP_WRITE_BARRIER,
+                         OrderedHashMap::HashTableStartIndex() * kTaggedSize);
 
   // Bump the elements count.
   TNode<Smi> const number_of_elements =
@@ -1708,8 +1704,8 @@ TF_BUILTIN(SetPrototypeAdd, CollectionsBuiltinsAssembler) {
   TVARIABLE(OrderedHashSet, table_var, table);
   {
     // Check we have enough space for the entry.
-    number_of_buckets.Bind(SmiUntag(CAST(UnsafeLoadFixedArrayElement(
-        table, OrderedHashSet::NumberOfBucketsIndex()))));
+    number_of_buckets.Bind(SmiUntag(CAST(
+        LoadFixedArrayElement(table, OrderedHashSet::NumberOfBucketsIndex()))));
 
     STATIC_ASSERT(OrderedHashSet::kLoadFactor == 2);
     Node* const capacity = WordShl(number_of_buckets.value(), 1);
@@ -1724,7 +1720,7 @@ TF_BUILTIN(SetPrototypeAdd, CollectionsBuiltinsAssembler) {
     // fields.
     CallRuntime(Runtime::kSetGrow, context, receiver);
     table_var = CAST(LoadObjectField(receiver, JSMap::kTableOffset));
-    number_of_buckets.Bind(SmiUntag(CAST(UnsafeLoadFixedArrayElement(
+    number_of_buckets.Bind(SmiUntag(CAST(LoadFixedArrayElement(
         table_var.value(), OrderedHashSet::NumberOfBucketsIndex()))));
     Node* const new_number_of_elements = SmiUntag(CAST(LoadObjectField(
         table_var.value(), OrderedHashSet::NumberOfElementsOffset())));
@@ -1746,25 +1742,22 @@ void CollectionsBuiltinsAssembler::StoreOrderedHashSetNewEntry(
     Node* const number_of_buckets, Node* const occupancy) {
   Node* const bucket =
       WordAnd(hash, IntPtrSub(number_of_buckets, IntPtrConstant(1)));
-  Node* const bucket_entry = UnsafeLoadFixedArrayElement(
+  Node* const bucket_entry = LoadFixedArrayElement(
       table, bucket, OrderedHashSet::HashTableStartIndex() * kTaggedSize);
 
   // Store the entry elements.
   Node* const entry_start = IntPtrAdd(
       IntPtrMul(occupancy, IntPtrConstant(OrderedHashSet::kEntrySize)),
       number_of_buckets);
-  UnsafeStoreFixedArrayElement(
-      table, entry_start, key, UPDATE_WRITE_BARRIER,
-      kTaggedSize * OrderedHashSet::HashTableStartIndex());
-  UnsafeStoreFixedArrayElement(
-      table, entry_start, bucket_entry, SKIP_WRITE_BARRIER,
-      kTaggedSize * (OrderedHashSet::HashTableStartIndex() +
-                     OrderedHashSet::kChainOffset));
+  StoreFixedArrayElement(table, entry_start, key, UPDATE_WRITE_BARRIER,
+                         kTaggedSize * OrderedHashSet::HashTableStartIndex());
+  StoreFixedArrayElement(table, entry_start, bucket_entry, SKIP_WRITE_BARRIER,
+                         kTaggedSize * (OrderedHashSet::HashTableStartIndex() +
+                                        OrderedHashSet::kChainOffset));
 
   // Update the bucket head.
-  UnsafeStoreFixedArrayElement(
-      table, bucket, SmiTag(occupancy), SKIP_WRITE_BARRIER,
-      OrderedHashSet::HashTableStartIndex() * kTaggedSize);
+  StoreFixedArrayElement(table, bucket, SmiTag(occupancy), SKIP_WRITE_BARRIER,
+                         OrderedHashSet::HashTableStartIndex() * kTaggedSize);
 
   // Bump the elements count.
   TNode<Smi> const number_of_elements =
@@ -2341,13 +2334,12 @@ void WeakCollectionsBuiltinsAssembler::AddEntry(
     TNode<Object> key, TNode<Object> value, TNode<IntPtrT> number_of_elements) {
   // See EphemeronHashTable::AddEntry().
   TNode<IntPtrT> value_index = ValueIndexFromKeyIndex(key_index);
-  UnsafeStoreFixedArrayElement(table, key_index, key);
-  UnsafeStoreFixedArrayElement(table, value_index, value);
+  StoreFixedArrayElement(table, key_index, key);
+  StoreFixedArrayElement(table, value_index, value);
 
   // See HashTableBase::ElementAdded().
-  UnsafeStoreFixedArrayElement(
-      table, EphemeronHashTable::kNumberOfElementsIndex,
-      SmiFromIntPtr(number_of_elements), SKIP_WRITE_BARRIER);
+  StoreFixedArrayElement(table, EphemeronHashTable::kNumberOfElementsIndex,
+                         SmiFromIntPtr(number_of_elements), SKIP_WRITE_BARRIER);
 }
 
 TNode<Object> WeakCollectionsBuiltinsAssembler::AllocateTable(
@@ -2412,8 +2404,7 @@ TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::FindKeyIndex(
   TNode<IntPtrT> key_index;
   {
     key_index = KeyIndexFromEntry(var_entry.value());
-    TNode<Object> entry_key =
-        UnsafeLoadFixedArrayElement(CAST(table), key_index);
+    TNode<Object> entry_key = LoadFixedArrayElement(CAST(table), key_index);
 
     key_compare(entry_key, &if_found);
 
@@ -2463,14 +2454,14 @@ TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::KeyIndexFromEntry(
 
 TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::LoadNumberOfElements(
     TNode<EphemeronHashTable> table, int offset) {
-  TNode<IntPtrT> number_of_elements = SmiUntag(CAST(UnsafeLoadFixedArrayElement(
+  TNode<IntPtrT> number_of_elements = SmiUntag(CAST(LoadFixedArrayElement(
       table, EphemeronHashTable::kNumberOfElementsIndex)));
   return IntPtrAdd(number_of_elements, IntPtrConstant(offset));
 }
 
 TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::LoadNumberOfDeleted(
     TNode<EphemeronHashTable> table, int offset) {
-  TNode<IntPtrT> number_of_deleted = SmiUntag(CAST(UnsafeLoadFixedArrayElement(
+  TNode<IntPtrT> number_of_deleted = SmiUntag(CAST(LoadFixedArrayElement(
       table, EphemeronHashTable::kNumberOfDeletedElementsIndex)));
   return IntPtrAdd(number_of_deleted, IntPtrConstant(offset));
 }
@@ -2482,8 +2473,8 @@ TNode<EphemeronHashTable> WeakCollectionsBuiltinsAssembler::LoadTable(
 
 TNode<IntPtrT> WeakCollectionsBuiltinsAssembler::LoadTableCapacity(
     TNode<EphemeronHashTable> table) {
-  return SmiUntag(CAST(
-      UnsafeLoadFixedArrayElement(table, EphemeronHashTable::kCapacityIndex)));
+  return SmiUntag(
+      CAST(LoadFixedArrayElement(table, EphemeronHashTable::kCapacityIndex)));
 }
 
 TNode<Word32T> WeakCollectionsBuiltinsAssembler::InsufficientCapacityToAdd(

src/builtins/builtins-regexp-gen.cc

@@ -1925,9 +1925,9 @@ void RegExpBuiltinsAssembler::RegExpPrototypeMatchBody(Node* const context,
             RegExpPrototypeExecBodyWithoutResult(CAST(context), CAST(regexp),
                                                  string, &if_didnotmatch, true);
 
-        Node* const match_from = UnsafeLoadFixedArrayElement(
+        Node* const match_from = LoadFixedArrayElement(
             match_indices, RegExpMatchInfo::kFirstCaptureIndex);
-        Node* const match_to = UnsafeLoadFixedArrayElement(
+        Node* const match_to = LoadFixedArrayElement(
             match_indices, RegExpMatchInfo::kFirstCaptureIndex + 1);
 
         var_match.Bind(CallBuiltin(Builtins::kSubString, context, string,
@@ -2403,7 +2403,7 @@ void RegExpBuiltinsAssembler::RegExpPrototypeSplitBody(Node* const context,
                                                 length, allocation_site, mode);
 
         TNode<FixedArray> fixed_array = CAST(LoadElements(result));
-        UnsafeStoreFixedArrayElement(fixed_array, 0, string);
+        StoreFixedArrayElement(fixed_array, 0, string);
 
         Return(result);
       }
@@ -2456,7 +2456,7 @@ void RegExpBuiltinsAssembler::RegExpPrototypeSplitBody(Node* const context,
     }
 
     TNode<FixedArray> match_indices = CAST(match_indices_ho);
-    TNode<Smi> const match_from = CAST(UnsafeLoadFixedArrayElement(
+    TNode<Smi> const match_from = CAST(LoadFixedArrayElement(
         match_indices, RegExpMatchInfo::kFirstCaptureIndex));
 
     // We're done if the match starts beyond the string.
@@ -2466,7 +2466,7 @@ void RegExpBuiltinsAssembler::RegExpPrototypeSplitBody(Node* const context,
       BIND(&next);
     }
 
-    TNode<Smi> const match_to = CAST(UnsafeLoadFixedArrayElement(
+    TNode<Smi> const match_to = CAST(LoadFixedArrayElement(
         match_indices, RegExpMatchInfo::kFirstCaptureIndex + 1));
 
     // Advance index and continue if the match is empty.

src/builtins/growable-fixed-array-gen.cc

@@ -27,7 +27,7 @@ void GrowableFixedArray::Push(TNode<Object> const value) {
   BIND(&store);
   {
     TNode<FixedArray> const array = var_array_.value();
-    UnsafeStoreFixedArrayElement(array, length, value);
+    StoreFixedArrayElement(array, length, value);
 
     var_length_ = IntPtrAdd(length, IntPtrConstant(1));
   }

src/code-stub-assembler.cc

@@ -6742,7 +6742,7 @@ TNode<String> CodeStubAssembler::StringFromSingleCharCode(TNode<Int32T> code) {
     // cache already.
     Label if_entryisundefined(this, Label::kDeferred),
         if_entryisnotundefined(this);
-    Node* entry = UnsafeLoadFixedArrayElement(cache, code_index);
+    Node* entry = LoadFixedArrayElement(cache, code_index);
     Branch(IsUndefined(entry), &if_entryisundefined, &if_entryisnotundefined);
 
     BIND(&if_entryisundefined);
@@ -8414,8 +8414,7 @@ void CodeStubAssembler::NameDictionaryLookup(
     TNode<IntPtrT> index = EntryToIndex<Dictionary>(entry);
     *var_name_index = index;
 
-    TNode<HeapObject> current =
-        CAST(UnsafeLoadFixedArrayElement(dictionary, index));
+    TNode<HeapObject> current = CAST(LoadFixedArrayElement(dictionary, index));
     GotoIf(WordEqual(current, undefined), if_not_found);
     current = LoadName<Dictionary>(current);
     GotoIf(WordEqual(current, unique_name), if_found);
@@ -8526,7 +8525,7 @@ void CodeStubAssembler::NumberDictionaryLookup(
     TNode<IntPtrT> entry = var_entry->value();
 
     TNode<IntPtrT> index = EntryToIndex<NumberDictionary>(entry);
-    Node* current = UnsafeLoadFixedArrayElement(dictionary, index);
+    Node* current = LoadFixedArrayElement(dictionary, index);
     GotoIf(WordEqual(current, undefined), if_not_found);
     Label next_probe(this);
     {
@@ -9614,7 +9613,7 @@ void CodeStubAssembler::TryLookupElement(Node* object, Node* map,
 
     GotoIfNot(UintPtrLessThan(intptr_index, length), &if_oob);
 
-    TNode<Object> element = UnsafeLoadFixedArrayElement(elements, intptr_index);
+    TNode<Object> element = LoadFixedArrayElement(elements, intptr_index);
     TNode<Oddball> the_hole = TheHoleConstant();
     Branch(WordEqual(element, the_hole), if_not_found, if_found);
   }

src/code-stub-assembler.h

@@ -1027,20 +1027,11 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
                                  CheckBounds::kDebugOnly);
   }
 
-  TNode<Object> LoadFixedArrayElement(
-      TNode<FixedArray> object, TNode<IntPtrT> index,
-      LoadSensitivity needs_poisoning,
-      CheckBounds check_bounds = CheckBounds::kAlways) {
+  TNode<Object> LoadFixedArrayElement(TNode<FixedArray> object,
+                                      TNode<IntPtrT> index,
+                                      LoadSensitivity needs_poisoning) {
     return LoadFixedArrayElement(object, index, 0, INTPTR_PARAMETERS,
-                                 needs_poisoning, check_bounds);
-  }
-  // This doesn't emit a bounds-check. As part of the security-performance
-  // tradeoff, only use it if it is performance critical.
-  TNode<Object> UnsafeLoadFixedArrayElement(TNode<FixedArray> object,
-                                            TNode<IntPtrT> index,
-                                            LoadSensitivity needs_poisoning) {
-    return LoadFixedArrayElement(object, index, needs_poisoning,
-                                 CheckBounds::kDebugOnly);
+                                 needs_poisoning);
   }
 
   TNode<Object> LoadFixedArrayElement(
@@ -2622,8 +2613,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
 
   template <class Dictionary>
   TNode<Smi> GetCapacity(TNode<Dictionary> dictionary) {
-    return CAST(
-        UnsafeLoadFixedArrayElement(dictionary, Dictionary::kCapacityIndex));
+    return CAST(LoadFixedArrayElement(dictionary, Dictionary::kCapacityIndex));
   }
 
   template <class Dictionary>

src/ic/accessor-assembler.cc

@@ -1796,14 +1796,13 @@ void AccessorAssembler::EmitElementLoad(
   BIND(&if_fast_packed);
   {
     Comment("fast packed elements");
-    exit_point->Return(
-        UnsafeLoadFixedArrayElement(CAST(elements), intptr_index));
+    exit_point->Return(LoadFixedArrayElement(CAST(elements), intptr_index));
   }
 
   BIND(&if_fast_holey);
   {
     Comment("fast holey elements");
-    Node* element = UnsafeLoadFixedArrayElement(CAST(elements), intptr_index);
+    Node* element = LoadFixedArrayElement(CAST(elements), intptr_index);
     GotoIf(WordEqual(element, TheHoleConstant()), if_hole);
     exit_point->Return(element);
   }

src/interpreter/interpreter-assembler.cc

@@ -648,8 +648,8 @@ Node* InterpreterAssembler::BytecodeOperandIntrinsicId(int operand_index) {
 Node* InterpreterAssembler::LoadConstantPoolEntry(Node* index) {
   TNode<FixedArray> constant_pool = CAST(LoadObjectField(
       BytecodeArrayTaggedPointer(), BytecodeArray::kConstantPoolOffset));
-  return UnsafeLoadFixedArrayElement(
-      constant_pool, UncheckedCast<IntPtrT>(index), LoadSensitivity::kCritical);
+  return LoadFixedArrayElement(constant_pool, UncheckedCast<IntPtrT>(index),
+                               LoadSensitivity::kCritical);
 }
 
 Node* InterpreterAssembler::LoadAndUntagConstantPoolEntry(Node* index) {