[turbofan] Fix deopt loop in out-of-bounds string element access.

src/compiler/js-native-context-specialization.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-native-context-specialization.h"
 
 #include "src/accessors.h"
 #include "src/code-factory.h"
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
@@ skipping 664 matching lines @@
   Node* receiver = NodeProperties::GetValueInput(node, 0);
   Node* effect = NodeProperties::GetEffectInput(node);
   Node* control = NodeProperties::GetControlInput(node);
 
   // Optimize access for constant {receiver}.
   HeapObjectMatcher mreceiver(receiver);
   if (mreceiver.HasValue() && mreceiver.Value()->IsString()) {
     Handle<String> string = Handle<String>::cast(mreceiver.Value());
 
     // We can only assume that the {index} is a valid array index if the IC
-    // is in element access mode, otherwise there's no guard for the bounds
-    // check below.
-    if (nexus.GetKeyType() == ELEMENT) {
+    // is in element access mode and not MEGAMORPHIC, otherwise there's no
+    // guard for the bounds check below.
+    if (nexus.ic_state() != MEGAMORPHIC && nexus.GetKeyType() == ELEMENT) {
       // Strings are immutable in JavaScript.
       if (access_mode == AccessMode::kStore) return NoChange();
 
       // Ensure that {index} is less than {receiver} length.
       Node* length = jsgraph()->Constant(string->length());
       index = effect = graph()->NewNode(simplified()->CheckBounds(), index,
                                         length, effect, control);
 
       // Load the character from the {receiver}.
       value = graph()->NewNode(simplified()->StringCharCodeAt(), receiver,
@@ skipping 55 matching lines @@
   // Check if we have feedback for a named access.
   if (Name* name = nexus.FindFirstName()) {
     return ReduceNamedAccess(node, value, receiver_maps,
                              handle(name, isolate()), access_mode,
                              language_mode, index);
   } else if (nexus.GetKeyType() != ELEMENT) {
     // The KeyedLoad/StoreIC has seen non-element accesses, so we cannot assume
     // that the {index} is a valid array index, thus we just let the IC continue
     // to deal with this load/store.
     return NoChange();
+  } else if (nexus.ic_state() == MEGAMORPHIC) {
+    // The KeyedLoad/StoreIC uses the MEGAMORPHIC state to guard the assumption
+    // that a numeric {index} is within the valid bounds for {receiver}, i.e.
+    // it transitions to MEGAMORPHIC once it sees an out-of-bounds access. Thus
+    // we cannot continue here if the IC state is MEGAMORPHIC.
+    return NoChange();
   }
 
   // Try to lower the element access based on the {receiver_maps}.
   return ReduceElementAccess(node, index, value, receiver_maps, access_mode,
                              language_mode, store_mode);
 }
 
 Reduction JSNativeContextSpecialization::ReduceSoftDeoptimize(
     Node* node, DeoptimizeReason reason) {
   Node* effect = NodeProperties::GetEffectInput(node);
@@ skipping 756 matching lines @@
   return jsgraph()->javascript();
 }
 
 SimplifiedOperatorBuilder* JSNativeContextSpecialization::simplified() const {
   return jsgraph()->simplified();
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8