[turbofan] Fix deopt loop in out-of-bounds string element access.

src/compiler/js-native-context-specialization.cc

Index: src/compiler/js-native-context-specialization.cc
diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
index 33b76716c018fb936c9ea7d61cfc2c113656c956..f6b29ab81c74d93fcef3cf7a182bf4d2b42dda42 100644
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -682,9 +682,9 @@ Reduction JSNativeContextSpecialization::ReduceKeyedAccess(
     Handle<String> string = Handle<String>::cast(mreceiver.Value());
 
     // We can only assume that the {index} is a valid array index if the IC
-    // is in element access mode, otherwise there's no guard for the bounds
-    // check below.
-    if (nexus.GetKeyType() == ELEMENT) {
+    // is in element access mode and not MEGAMORPHIC, otherwise there's no
+    // guard for the bounds check below.
+    if (nexus.ic_state() != MEGAMORPHIC && nexus.GetKeyType() == ELEMENT) {
       // Strings are immutable in JavaScript.
       if (access_mode == AccessMode::kStore) return NoChange();
 
@@ -760,6 +760,12 @@ Reduction JSNativeContextSpecialization::ReduceKeyedAccess(
     // that the {index} is a valid array index, thus we just let the IC continue
     // to deal with this load/store.
     return NoChange();
+  } else if (nexus.ic_state() == MEGAMORPHIC) {
+    // The KeyedLoad/StoreIC uses the MEGAMORPHIC state to guard the assumption
+    // that a numeric {index} is within the valid bounds for {receiver}, i.e.
+    // it transitions to MEGAMORPHIC once it sees an out-of-bounds access. Thus
+    // we cannot continue here if the IC state is MEGAMORPHIC.
+    return NoChange();
   }
 
   // Try to lower the element access based on the {receiver_maps}.