[regexp] Pass correct limit to Runtime::kRegExpSplit

The Uint32(limit) conversion can end up transitioning the regexp
instance to slow mode. In this case we need to bail out to runtime while
ensuring that ToUint32 is not observably called a second time. We do
this by passing the already-converted value to runtime.

This particular path was broken and we ended up passing the original
maybe_limit value to runtime instead.

TBR=yangguo@chromium.org

Bug: chromium:758763
Change-Id: If7f23b452d2e134ad9be3d4ef1d78d1c946fcef0
Reviewed-on: https://chromium-review.googlesource.com/635588Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47609}

src/builtins/builtins-regexp-gen.cc

@@ -2559,7 +2559,7 @@ TF_BUILTIN(RegExpSplit, RegExpBuiltinsAssembler) {
     GotoIf(IsUndefined(maybe_limit), &if_limitissmimax);
     GotoIf(TaggedIsPositiveSmi(maybe_limit), &next);
 
-    Node* const limit = ToUint32(context, maybe_limit);
+    var_limit.Bind(ToUint32(context, maybe_limit));
     {
       // ToUint32(limit) could potentially change the shape of the RegExp
       // object. Recheck that we are still on the fast path and bail to runtime
@@ -2570,10 +2570,7 @@ TF_BUILTIN(RegExpSplit, RegExpBuiltinsAssembler) {
         BIND(&next);
       }
 
-      GotoIfNot(TaggedIsPositiveSmi(limit), &if_limitissmimax);
-
-      var_limit.Bind(limit);
-      Goto(&next);
+      Branch(TaggedIsPositiveSmi(var_limit.value()), &next, &if_limitissmimax);
     }
 
     BIND(&if_limitissmimax);

test/mjsunit/regress/regress-758763.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const re = /./g;
+function toSlowMode() { re.slow = true; }
+re[Symbol.split]("abc", { valueOf: toSlowMode });