Clusterfuzz identified overflow check needed in dehoisting.

src/hydrogen-instructions.h

Index: src/hydrogen-instructions.h
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index 9653eac8e6794459eae546c81865070d3d862ff1..b16d5855c7099be26ea2bbe4e655470934bd6c2c 100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -6399,8 +6399,9 @@ class ArrayInstructionInterface {
   virtual HValue* GetKey() = 0;
   virtual void SetKey(HValue* key) = 0;
   virtual ElementsKind elements_kind() const = 0;
-  virtual void IncreaseBaseOffset(uint32_t base_offset) = 0;
-  virtual int MaxBaseOffsetBits() = 0;
+  // increase_by_value should be non-negative
+  virtual bool CanIncreaseBaseOffset(int32_t increase_by_value) = 0;
+  virtual void IncreaseBaseOffset(int32_t increase_by_value) = 0;
   virtual bool IsDehoisted() = 0;
   virtual void SetDehoisted(bool is_dehoisted) = 0;
   virtual ~ArrayInstructionInterface() { }
@@ -6446,13 +6447,20 @@ class HLoadKeyed V8_FINAL
     return OperandAt(2);
   }
   bool HasDependency() const { return OperandAt(0) != OperandAt(2); }
-  uint32_t base_offset() { return BaseOffsetField::decode(bit_field_); }
-  void IncreaseBaseOffset(uint32_t base_offset) {
-    base_offset += BaseOffsetField::decode(bit_field_);
-    bit_field_ = BaseOffsetField::update(bit_field_, base_offset);
+  uint32_t base_offset() {
+    int32_t base_offset_value = BaseOffsetField::decode(bit_field_);
+    ASSERT(base_offset_value >= 0);
+    return static_cast<uint32_t>(base_offset_value);
   }
-  virtual int MaxBaseOffsetBits() {
-    return kBitsForBaseOffset;
+  bool CanIncreaseBaseOffset(int32_t increase_by_value) {
+    ASSERT(increase_by_value >= 0);
+    int32_t new_value = BaseOffsetField::decode(bit_field_) + increase_by_value;
+    return (new_value >= 0 || BaseOffsetField::is_valid(new_value));
+  }
+  void IncreaseBaseOffset(int32_t increase_by_value) {
+    ASSERT(increase_by_value >= 0);
+    increase_by_value += BaseOffsetField::decode(bit_field_);
+    bit_field_ = BaseOffsetField::update(bit_field_, increase_by_value);
   }
   HValue* GetKey() { return key(); }
   void SetKey(HValue* key) { SetOperandAt(1, key); }
@@ -6602,7 +6610,7 @@ class HLoadKeyed V8_FINAL
     public BitField<LoadKeyedHoleMode, kStartHoleMode, kBitsForHoleMode>
     {};  // NOLINT
   class BaseOffsetField:
-    public BitField<uint32_t, kStartBaseOffset, kBitsForBaseOffset>
+    public BitField<int32_t, kStartBaseOffset, kBitsForBaseOffset>
     {};  // NOLINT
   class IsDehoistedField:
     public BitField<bool, kStartIsDehoisted, kBitsForIsDehoisted>
@@ -6916,12 +6924,18 @@ class HStoreKeyed V8_FINAL
   }
   StoreFieldOrKeyedMode store_mode() const { return store_mode_; }
   ElementsKind elements_kind() const { return elements_kind_; }
-  uint32_t base_offset() { return base_offset_; }
-  void IncreaseBaseOffset(uint32_t base_offset) {
-    base_offset_ += base_offset;
+  uint32_t base_offset() {
+    ASSERT(base_offset_ >= 0);
+    return static_cast<uint32_t>(base_offset_);
+  }
+  bool CanIncreaseBaseOffset(int32_t increase_by_value) {
+    ASSERT(increase_by_value >= 0);
+    // Guard against overflow
+    return (increase_by_value + base_offset_) >= 0;
   }
-  virtual int MaxBaseOffsetBits() {
-    return 31 - ElementsKindToShiftSize(elements_kind_);
+  void IncreaseBaseOffset(int32_t increase_by_value) {
+    ASSERT(increase_by_value >= 0);
+    base_offset_ += increase_by_value;
   }
   HValue* GetKey() { return key(); }
   void SetKey(HValue* key) { SetOperandAt(1, key); }
@@ -7012,7 +7026,7 @@ class HStoreKeyed V8_FINAL
   }
 
   ElementsKind elements_kind_;
-  uint32_t base_offset_;
+  int32_t base_offset_;
   bool is_dehoisted_ : 1;
   bool is_uninitialized_ : 1;
   StoreFieldOrKeyedMode store_mode_: 1;