Merged: [turbofan] Relax range for arguments object length

Revision: 8e4588915ba7a9d9d744075781cea114d49f0c7b

BUG=chromium:906043
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Change-Id: I35ea165d8e9e2b0e32f38f7f607a23ece97dffdd
Reviewed-on: https://chromium-review.googlesource.com/c/1363142
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.2@{#7}
Cr-Branched-From: 6acd03c9b8a8232aee95f25fbf6ae822aaedae75-refs/heads/7.2.502@{#1}
Cr-Branched-From: b03041de094610ef24e0e4fb6bf4c700fa1553ed-refs/heads/master@{#57910}
diff --git a/src/compiler/type-cache.h b/src/compiler/type-cache.h
index 251ea08..9be7261 100644
--- a/src/compiler/type-cache.h
+++ b/src/compiler/type-cache.h
@@ -166,8 +166,7 @@
       Type::Union(Type::SignedSmall(), Type::NaN(), zone());
 
   // The valid number of arguments for JavaScript functions.
-  Type const kArgumentsLengthType =
-      Type::Range(0.0, Code::kMaxArguments, zone());
+  Type const kArgumentsLengthType = Type::Unsigned30();
 
   // The JSArrayIterator::kind property always contains an integer in the
   // range [0, 2], representing the possible IterationKinds.
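Review bot: The comment above `kArgumentsLengthType` still reads "The valid number of arguments for JavaScript functions", which no longer explains why the type is `Type::Unsigned30()` rather than a range tied to `Code::kMaxArguments`. The optimizer can rely on this type when it reasons about arithmetic derived from `arguments.length`, so the type has to cover every length that can occur at run time. The regression test in this commit passes 0x11000 arguments through a spread call. I would record that in the comment, e.g. `// Upper bound on arguments.length; deliberately wider than Code::kMaxArguments because spread calls can pass more arguments.` It would also help to name what guarantees the 2^30 bound, which is not visible in this hunk.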
diff --git a/src/compiler/verifier.cc b/src/compiler/verifier.cc
index 0a9342e..9ea93da 100644
--- a/src/compiler/verifier.cc
+++ b/src/compiler/verifier.cc
@@ -1258,8 +1258,7 @@
       break;
     case IrOpcode::kNewArgumentsElements:
       CheckValueInputIs(node, 0, Type::ExternalPointer());
-      CheckValueInputIs(node, 1, Type::Range(-Code::kMaxArguments,
-                                             Code::kMaxArguments, zone));
+      CheckValueInputIs(node, 1, Type::Unsigned30());
       CheckTypeIs(node, Type::OtherInternal());
       break;
     case IrOpcode::kNewConsString:
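Review bot: The check on input 1 of `kNewArgumentsElements` repeats the literal `Type::Unsigned30()` instead of referring to the type cache's `kArgumentsLengthType`, so the typer and the verifier can drift apart the next time the bound changes. Referencing the shared constant, or at least adding `// Must match TypeCache::kArgumentsLengthType.`, would keep them in sync. The new type also drops the negative lower bound that the old range accepted. If any producer of this input can still be typed as negative, which cannot be told from this hunk, the verifier will now reject it, so that is worth confirming. The enclosing switch starts and ends outside the hunk.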
diff --git a/test/mjsunit/regress/regress-crbug-906043.js b/test/mjsunit/regress/regress-crbug-906043.js
new file mode 100644
index 0000000..dbc283f
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-906043.js
@@ -0,0 +1,33 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function fun(arg) {
+  let x = arguments.length;
+  a1 = new Array(0x10);
+  a1[0] = 1.1;
+  a2 = new Array(0x10);
+  a2[0] = 1.1;
+  a1[(x >> 16) * 21] = 1.39064994160909e-309;  // 0xffff00000000
+  a1[(x >> 16) * 41] = 8.91238232205e-313;  // 0x2a00000000
+}
+
+var a1, a2;
+var a3 = [1.1, 2.2];
+a3.length = 0x11000;
+a3.fill(3.3);
+
+var a4 = [1.1];
+
+for (let i = 0; i < 3; i++) fun(...a4);
+%OptimizeFunctionOnNextCall(fun);
+fun(...a4);
+
+res = fun(...a3);
+
+assertEquals(16, a2.length);
+for (let i = 8; i < 32; i++) {
+  assertEquals(undefined, a2[i]);
+}
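Review bot: The test has no comment saying what it protects, and `res = fun(...a3);` assigns to an undeclared global although `fun` returns nothing and `res` is never read. A short header such as `// arguments.length can exceed 0xffff via spread; the optimized stores into a1 must not affect a2.` would make the intent of the final assertions clear, and the call can simply be `fun(...a3);`. The multipliers 21 and 41 look tied to a particular heap layout, so a comment saying so would help whoever has to update the test. Nothing here asserts that `fun` was actually optimized before the final call, so the test could pass without exercising the optimized code.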