[Backport] Security bug 420637585

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6606162:
Convert Smi to Word64 using zero extension

... when a known type range contains only positive values.

(cherry picked from commit 45eb42cd398ea2a0fd6d145a6c36d57f71498d34)

Bug: 420637585
Change-Id: I8d9bb3f2fe2e5268e1659bb4ea7bbf97bfb52288
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6594731
Reviewed-by: Nico Hartmann <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Cr-Original-Commit-Position: refs/heads/main@{#100538}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6606162
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Gyuyoung Kim (xWF) <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.2@{#86}
Cr-Branched-From: 24068c59cedad9ee976ddc05431f5f497b1ebd71-refs/heads/13.2.152@{#1}
Cr-Branched-From: 6054ba94db0969220be4f94dc1677fc4696bdc4f-refs/heads/main@{#97085}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/652004
Reviewed-by: Anu Aliyas <[email protected]>

Author: isheludko

chromium/v8/src/compiler/representation-change.cc

@@ -1240,7 +1240,12 @@ Node* RepresentationChanger::GetWord64RepresentationFor(
     }
   } else if (output_rep == MachineRepresentation::kTaggedSigned) {
     if (output_type.Is(Type::SignedSmall())) {
-      op = simplified()->ChangeTaggedSignedToInt64();
+      if (output_type.IsRange() && output_type.AsRange()->Min() >= 0) {
+        node = InsertChangeTaggedSignedToInt32(node);
+        op = machine()->ChangeUint32ToUint64();
+      } else {
+        op = simplified()->ChangeTaggedSignedToInt64();
+      }
     } else {
       return TypeError(node, output_rep, output_type,
                        MachineRepresentation::kWord64);