[maglev][arm] Fix CheckJSTypedArrayBounds index check

... by checking for overflow when shifting the index (actually
the carry bit since mov does not affect the overflow flag).

Fixed: chromium:1459841
Bug: v8:7700
Change-Id: Ide774107d91a0c9e2b1122ebfd00dde56dd0d3c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4677660
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#88824}

src/maglev/arm/maglev-ir-arm.cc

@@ -690,8 +690,13 @@ void CheckJSTypedArrayBounds::GenerateCode(MaglevAssembler* masm,
   int element_size = ElementsKindSize(elements_kind_);
   if (element_size > 1) {
     DCHECK(element_size == 2 || element_size == 4 || element_size == 8);
-    __ cmp(byte_length,
-           Operand(index, LSL, base::bits::CountTrailingZeros(element_size)));
+    __ mov(index,
+           Operand(index, LSL, base::bits::CountTrailingZeros(element_size)),
+           SetCC);
+    // MOVS does not affect the overflow flag on Arm. Since we know {index} is
+    // an unsigned integer, we check the carry flag.
+    __ EmitEagerDeoptIf(cs, DeoptimizeReason::kOutOfBounds, this);
+    __ cmp(byte_length, index);
   } else {
     __ cmp(byte_length, index);
   }

test/mjsunit/maglev/regress-1459841.js

@@ -0,0 +1,16 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev
+let a = new Float32Array(1000);
+function foo(i) {
+    return a[i];
+}
+
+%PrepareFunctionForOptimization(foo);
+assertEquals(0, foo(0));
+assertEquals(0, foo(0));
+
+%OptimizeMaglevOnNextCall(foo);
+assertEquals(undefined, foo(0x40000000)); // On 32 bits, this will overflow the array index.