[turbofan] Introduce a dedicated CheckBounds operator.

src/compiler/js-native-context-specialization.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-native-context-specialization.h"
 
 #include "src/accessors.h"
 #include "src/code-factory.h"
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
@@ skipping 616 matching lines @@
                                           transition_source->elements_kind(),
                                           transition_target->elements_kind());
           CallDescriptor const* const desc = Linkage::GetStubCallDescriptor(
               isolate(), graph()->zone(), stub.GetCallInterfaceDescriptor(), 0,
               CallDescriptor::kNeedsFrameState, node->op()->properties());
           transition_effect = graph()->NewNode(
               common()->Call(desc), jsgraph()->HeapConstant(stub.GetCode()),
               receiver, jsgraph()->HeapConstant(transition_target), context,
               frame_state, transition_effect, transition_control);
         }
+
         this_controls.push_back(transition_control);
         this_effects.push_back(transition_effect);
       }
 
       // Create single chokepoint for the control.
       int const this_control_count = static_cast<int>(this_controls.size());
       if (this_control_count == 1) {
         this_control = this_controls.front();
         this_effect = this_effects.front();
       } else {
@@ skipping 16 matching lines @@
     }
 
     // Certain stores need a prototype chain check because shape changes
     // could allow callbacks on elements in the prototype chain that are
     // not compatible with (monomorphic) keyed stores.
     Handle<JSObject> holder;
     if (access_info.holder().ToHandle(&holder)) {
       AssumePrototypesStable(receiver_type, native_context, holder);
     }
 
-    // Check that the {index} is actually a Number.
-    if (!NumberMatcher(this_index).HasValue()) {
-      Node* check =
-          graph()->NewNode(simplified()->ObjectIsNumber(), this_index);
-      this_control = this_effect =
-          graph()->NewNode(common()->DeoptimizeUnless(), check, frame_state,
-                           this_effect, this_control);
-      this_index = graph()->NewNode(simplified()->TypeGuard(Type::Number()),
-                                    this_index, this_control);
-    }
-
-    // Convert the {index} to an unsigned32 value and check if the result is
-    // equal to the original {index}.
-    if (!NumberMatcher(this_index).IsInRange(0.0, kMaxUInt32)) {
-      Node* this_index32 =
-          graph()->NewNode(simplified()->NumberToUint32(), this_index);
-      Node* check = graph()->NewNode(simplified()->NumberEqual(), this_index32,
-                                     this_index);
-      this_control = this_effect =
-          graph()->NewNode(common()->DeoptimizeUnless(), check, frame_state,
-                           this_effect, this_control);
-      this_index = this_index32;
-    }
-
     // TODO(bmeurer): We currently specialize based on elements kind. We should
     // also be able to properly support strings and other JSObjects here.
     ElementsKind elements_kind = access_info.elements_kind();
 
     // Load the elements for the {receiver}.
     Node* this_elements = this_effect = graph()->NewNode(
         simplified()->LoadField(AccessBuilder::ForJSObjectElements()),
         this_receiver, this_effect, this_control);
 
     // Don't try to store to a copy-on-write backing store.
@@ skipping 15 matching lines @@
         receiver_is_jsarray
             ? graph()->NewNode(
                   simplified()->LoadField(
                       AccessBuilder::ForJSArrayLength(elements_kind)),
                   this_receiver, this_effect, this_control)
             : graph()->NewNode(
                   simplified()->LoadField(AccessBuilder::ForFixedArrayLength()),
                   this_elements, this_effect, this_control);
 
     // Check that the {index} is in the valid range for the {receiver}.
-    Node* check = graph()->NewNode(simplified()->NumberLessThan(), this_index,
-                                   this_length);
-    this_control = this_effect =
-        graph()->NewNode(common()->DeoptimizeUnless(), check, frame_state,
+    this_index = this_effect =
+        graph()->NewNode(simplified()->CheckBounds(), this_index, this_length,
                          this_effect, this_control);
 
     // Compute the element access.
     Type* element_type = Type::Any();
     MachineType element_machine_type = MachineType::AnyTagged();
     if (IsFastDoubleElementsKind(elements_kind)) {
       element_type = Type::Number();
       element_machine_type = MachineType::Float64();
     } else if (IsFastSmiElementsKind(elements_kind)) {
       element_type = type_cache_.kSmi;
@@ skipping 370 matching lines @@
 }
 
 
 SimplifiedOperatorBuilder* JSNativeContextSpecialization::simplified() const {
   return jsgraph()->simplified();
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8