[turbofan] Fix bounds check for the 'in' operator on typed arrays.

This fixes the bounds check for the 'in' operator to handle the negative
index case properly (by using the same machinery as the potentially
out-of-bounds loads/stores use).

Bug: chromium:952586
Change-Id: I2225acae8be7dcedbcde745e8ef202e789085041
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581179Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60978}

src/compiler/js-native-context-specialization.cc

@@ -2661,7 +2661,7 @@ JSNativeContextSpecialization::BuildElementAccess(
       // below are performed on unsigned values, which means that all the
       // Negative32 values are treated as out-of-bounds.
       index = graph()->NewNode(simplified()->NumberToUint32(), index);
-    } else if (access_mode != AccessMode::kHas) {
+    } else {
       // Check that the {index} is in the valid range for the {receiver}.
       index = effect =
           graph()->NewNode(simplified()->CheckBounds(VectorSlotPair()), index,

test/mjsunit/compiler/regress-952586.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+a = new Int8Array(1);
+
+function f(i) {
+  return i in a;
+}
+
+assertTrue(f(0));
+%OptimizeFunctionOnNextCall(f);
+assertFalse(f(-1));