[maglev] Fix bogus SmiTagUint32AndJumpIfSuccess logic

We were not correcting tagging (and moving reg-to-reg) when
materializing values in an exception trampoline for Uint32.

Fixed chromium:1477938

Bug: v8:7700
Change-Id: I5ec0c725eda5b32c4037cffe484c5d27bfc3e78a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4840338
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#89793}

src/maglev/maglev-assembler-inl.h

@@ -717,11 +717,10 @@ inline void MaglevAssembler::SmiTagUint32AndJumpIfFail(
 
 inline void MaglevAssembler::SmiTagUint32AndJumpIfSuccess(
     Register dst, Register src, Label* success, Label::Distance distance) {
-  // Perform an unsigned comparison against Smi::kMaxValue.
-  CompareInt32AndJumpIf(src, Smi::kMaxValue, kUnsignedLessThanEqual, success,
-                        distance);
-  SmiTagInt32AndSetFlags(dst, src);
-  Assert(kNoOverflow, AbortReason::kInputDoesNotFitSmi);
+  Label fail;
+  SmiTagUint32AndJumpIfFail(dst, src, &fail, Label::Distance::kNear);
+  Jump(success, distance);
+  bind(&fail);
 }
 
 inline void MaglevAssembler::SmiTagUint32AndJumpIfSuccess(

test/mjsunit/maglev/regress-1477938.js

@@ -0,0 +1,30 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev --no-maglev-inlining
+
+function foo() {
+  return undefined;
+}
+
+function opt(){
+  let a = 4096;
+  let b = 13;
+  for (let i = 0; i < 10; i++) {
+    try {
+      let f = foo()
+      ++b;
+      let c = '' ** b;
+      a = i >>> c;
+      f();
+    } catch {
+    }
+  }
+  return a;
+}
+
+%PrepareFunctionForOptimization(opt);
+assertEquals(9, opt());
+%OptimizeMaglevOnNextCall(opt);
+assertEquals(9, opt());