[turbofan] Fix off-by-one in constant-folding of frozen elements.

Bug: chromium:768367, v8:6819, v8:6820, v8:6831
Change-Id: I90538217f794c91a83ae5cfb12e0d0347d5f8574
Reviewed-on: https://chromium-review.googlesource.com/685240Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48175}

src/compiler/js-native-context-specialization.cc

@@ -1264,7 +1264,7 @@ Reduction JSNativeContextSpecialization::ReduceKeyedAccess(
       // that is non-configurable, non-writable (i.e. the {receiver} was
       // frozen using Object.freeze).
       NumberMatcher mindex(index);
-      if (mindex.IsInteger() && mindex.IsInRange(0.0, kMaxUInt32)) {
+      if (mindex.IsInteger() && mindex.IsInRange(0.0, kMaxUInt32 - 1.0)) {
         LookupIterator it(isolate(), mreceiver.Value(),
                           static_cast<uint32_t>(mindex.Value()),
                           LookupIterator::OWN);

test/mjsunit/regress/regress-crbug-768367.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const o = {};
+
+function foo() { return o[4294967295]; }
+
+assertEquals(undefined, foo());
+assertEquals(undefined, foo());
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(undefined, foo());