Revert of [turbofan] Introduce a dedicated CheckBounds operator.

src/compiler/js-native-context-specialization.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-native-context-specialization.h"
 
 #include "src/accessors.h"
 #include "src/code-factory.h"
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
@@ skipping 618 matching lines @@
                                           transition_target->elements_kind(),
                                           transition_source->IsJSArrayMap());
           CallDescriptor const* const desc = Linkage::GetStubCallDescriptor(
               isolate(), graph()->zone(), stub.GetCallInterfaceDescriptor(), 0,
               CallDescriptor::kNeedsFrameState, node->op()->properties());
           transition_effect = graph()->NewNode(
               common()->Call(desc), jsgraph()->HeapConstant(stub.GetCode()),
               receiver, jsgraph()->HeapConstant(transition_target), context,
               frame_state, transition_effect, transition_control);
         }
-
-        // TODO(turbofan): The effect/control linearization will not find a
-        // FrameState after the StoreField or Call that is generated for the
-        // elements kind transition above. This is because those operatos don't
-        // have the kNoWrite flag on it, even tho they are not JavaScript
-        // observable, but at the same time adding kNoWrite would make them
-        // eliminatable during instruction selection (at least the Call one).
-        transition_effect =
-            graph()->NewNode(common()->Checkpoint(), frame_state,
-                             transition_effect, transition_control);
-
         this_controls.push_back(transition_control);
         this_effects.push_back(transition_effect);
       }
 
       // Create single chokepoint for the control.
       int const this_control_count = static_cast<int>(this_controls.size());
       if (this_control_count == 1) {
         this_control = this_controls.front();
         this_effect = this_effects.front();
       } else {
         this_control =
             graph()->NewNode(common()->Merge(this_control_count),
                              this_control_count, &this_controls.front());
         this_effects.push_back(this_control);
         this_effect =
             graph()->NewNode(common()->EffectPhi(this_control_count),
                              this_control_count + 1, &this_effects.front());
-
-        // TODO(turbofan): This is another work-around, which is necessary
-        // in addition to the Checkpoint above, as the CheckpointElimination
-        // is not really compositional. We really need a way to address the
-        // "no-write" problem on non-side-effecting nodes.
-        this_effect = graph()->NewNode(common()->Checkpoint(), frame_state,
-                                       this_effect, this_control);
       }
     }
 
     // Certain stores need a prototype chain check because shape changes
     // could allow callbacks on elements in the prototype chain that are
     // not compatible with (monomorphic) keyed stores.
     Handle<JSObject> holder;
     if (access_info.holder().ToHandle(&holder)) {
       AssumePrototypesStable(receiver_type, native_context, holder);
     }
 
+    // Check that the {index} is actually a Number.
+    if (!NumberMatcher(this_index).HasValue()) {
+      Node* check =
+          graph()->NewNode(simplified()->ObjectIsNumber(), this_index);
+      this_control = this_effect =
+          graph()->NewNode(common()->DeoptimizeUnless(), check, frame_state,
+                           this_effect, this_control);
+      this_index = graph()->NewNode(simplified()->TypeGuard(Type::Number()),
+                                    this_index, this_control);
+    }
+
+    // Convert the {index} to an unsigned32 value and check if the result is
+    // equal to the original {index}.
+    if (!NumberMatcher(this_index).IsInRange(0.0, kMaxUInt32)) {
+      Node* this_index32 =
+          graph()->NewNode(simplified()->NumberToUint32(), this_index);
+      Node* check = graph()->NewNode(simplified()->NumberEqual(), this_index32,
+                                     this_index);
+      this_control = this_effect =
+          graph()->NewNode(common()->DeoptimizeUnless(), check, frame_state,
+                           this_effect, this_control);
+      this_index = this_index32;
+    }
+
     // TODO(bmeurer): We currently specialize based on elements kind. We should
     // also be able to properly support strings and other JSObjects here.
     ElementsKind elements_kind = access_info.elements_kind();
 
     // Load the elements for the {receiver}.
     Node* this_elements = this_effect = graph()->NewNode(
         simplified()->LoadField(AccessBuilder::ForJSObjectElements()),
         this_receiver, this_effect, this_control);
 
     // Don't try to store to a copy-on-write backing store.
@@ skipping 15 matching lines @@
         receiver_is_jsarray
             ? graph()->NewNode(
                   simplified()->LoadField(
                       AccessBuilder::ForJSArrayLength(elements_kind)),
                   this_receiver, this_effect, this_control)
             : graph()->NewNode(
                   simplified()->LoadField(AccessBuilder::ForFixedArrayLength()),
                   this_elements, this_effect, this_control);
 
     // Check that the {index} is in the valid range for the {receiver}.
-    this_index = this_effect =
-        graph()->NewNode(simplified()->CheckBounds(), this_index, this_length,
+    Node* check = graph()->NewNode(simplified()->NumberLessThan(), this_index,
+                                   this_length);
+    this_control = this_effect =
+        graph()->NewNode(common()->DeoptimizeUnless(), check, frame_state,
                          this_effect, this_control);
 
     // Compute the element access.
     Type* element_type = Type::Any();
     MachineType element_machine_type = MachineType::AnyTagged();
     if (IsFastDoubleElementsKind(elements_kind)) {
       element_type = Type::Number();
       element_machine_type = MachineType::Float64();
     } else if (IsFastSmiElementsKind(elements_kind)) {
       element_type = type_cache_.kSmi;
@@ skipping 389 matching lines @@
 }
 
 
 SimplifiedOperatorBuilder* JSNativeContextSpecialization::simplified() const {
   return jsgraph()->simplified();
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8