DFGArrayMode::fromObserved is too liberal when it sees different Array and NonArray shapes
https://bugs.webkit.org/show_bug.cgi?id=115805
Source/JavaScriptCore:
Reviewed by Geoffrey Garen.
It checks the observed ArrayModes to see if we have seen any ArrayWith* first. If so, it assumes it's
an Array::Array, even if we've also observed any NonArrayWith* in the ArrayProfile. This leads to the
code generated by jumpSlowForUnwantedArrayMode to check the indexing type against (shape | IsArray)
instead of just shape, which can cause us to exit a lot in the case that we saw a NonArray.
To fix this we need to add a case that checks for both ArrayWith* and NonArrayWith* cases first, which
should then use Array::PossiblyArray, then do the checks we were already doing.
(JSC::hasSeenArray):
(JSC::hasSeenNonArray):
(JSC::DFG::ArrayMode::fromObserved):
LayoutTests:
Added regression test for array access over polymorphic array vs. non-array indexing types.
With the fix, we get 3.666x faster on this microbenchmark.
Reviewed by Geoffrey Garen.
- fast/js/regress/array-nonarray-polymorphic-access-expected.txt: Added.
- fast/js/regress/array-nonarray-polymorphic-access.html: Added.
- fast/js/regress/script-tests/array-nonarray-polymorphic-access.js: Added.
(f):
(run):
