[turbofan] Mark SeqStringCharCodeAt return type as Word32, not Tagged.

Causes crashes on canary if there is a GC and the value makes it onto
the stack.

Bug: chromium:727662
Change-Id: I44fa8cf8a83b43d64418896c0a1f5518401b454f
Reviewed-on: https://chromium-review.googlesource.com/519302Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45623}

src/compiler/effect-control-linearizer.cc

@@ -2158,7 +2158,7 @@ Node* EffectControlLinearizer::LowerSeqStringCharCodeAt(Node* node) {
   Node* position = node->InputAt(1);
 
   auto one_byte_load = __ MakeLabel<1>();
-  auto done = __ MakeLabel<2>(MachineRepresentation::kTagged);
+  auto done = __ MakeLabel<2>(MachineRepresentation::kWord32);
 
   Node* map = __ LoadField(AccessBuilder::ForMap(), receiver);
   Node* instance_type = __ LoadField(AccessBuilder::ForMapInstanceType(), map);

test/mjsunit/regress/regress-727662.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+(function() {
+  function thingo(i, b) {
+    var s = b ? "ac" : "abcd";
+    i = i >>> 0;
+    if (i < s.length) {
+      var c = s.charCodeAt(i);
+      gc();
+      return c;
+    }
+  }
+  thingo(0, true);
+  thingo(0, true);
+  %OptimizeFunctionOnNextCall(thingo);
+  thingo(0, true);
+
+})();