Various array access corner cases should take OSR exit feedback
https://bugs.webkit.org/show_bug.cgi?id=142056
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
Two major changes here:
- Don't keep converting GetById into GetArrayLength if we exited due to any kind of array
type check.
- Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic check,
like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on
arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by
the Generic array mode.
(JSC::exitKindToString):
- bytecode/ExitKind.h:
- dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
(JSC::DFG::FixupPhase::fixupNode):
- dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
(JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
- tests/stress/array-length-array-storage-plain-object.js: Added.
(foo):
- tests/stress/array-length-plain-object.js: Added.
(foo):
LayoutTests:
- js/regress/arguments-out-of-bounds-expected.txt: Added.
- js/regress/arguments-out-of-bounds.html: Added.
- js/regress/exit-length-on-plain-object-expected.txt: Added.
- js/regress/exit-length-on-plain-object.html: Added.
- js/regress/script-tests/arguments-out-of-bounds.js: Added.
(foo):
(bar):
- js/regress/script-tests/exit-length-on-plain-object.js: Added.
(foo):
- js/regress/script-tests/string-out-of-bounds.js: Added.
(bar):
- js/regress/string-out-of-bounds-expected.txt: Added.
- js/regress/string-out-of-bounds.html: Added.
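
The access patterns named in the commit message above (`.length` on a plain object after array warm-up, out-of-bounds reads of `arguments` and of a string), as an added example that is not WebKit's code and not the contents of the listed test files. Function names, inputs and the warm-up count are assumptions; the script cannot observe OSR exits, it only checks that results stay correct before and after any exit-driven recompile.

```javascript
// Constructed example; names, inputs and WARMUP are assumptions,
// not the contents of the WebKit test files listed above.
const WARMUP = 20000; // assumed large enough to reach an optimizing JIT tier

// .length read that is first profiled on real arrays.
function getLength(o) { return o.length; }

// Indexed read of the arguments object; index 0 is `i` itself.
function argAt(i) { return arguments[i]; }

// Indexed read of a string.
function charAt(s, i) { return s[i]; }

// Warm fn on the common case, then hit it with the corner case, for several
// rounds, so the probe runs both before and after any recompilation.
// Returns every probe result so the caller can compare with plain semantics.
function runRounds(fn, warmArgs, probeArgs, rounds = 5) {
  const probes = [];
  for (let r = 0; r < rounds; r++) {
    for (let n = 0; n < WARMUP; n++) fn(...warmArgs);
    probes.push(fn(...probeArgs));
  }
  return probes;
}

// Each case: [label, function, common-case args, corner-case args, expected].
const CASES = [
  ['length on plain object', getLength, [[1, 2, 3]], [{ length: 42 }], 42],
  ['length missing on plain object', getLength, [[1, 2, 3]], [{}], undefined],
  ['arguments out of bounds', argAt, [0], [5], undefined],
  ['string out of bounds', charAt, ['abc', 1], ['abc', 3], undefined],
];

// Returns the labels of cases where any probe deviated from the expected value.
function findMismatches() {
  return CASES
    .filter(([, fn, warm, probe, expected]) =>
      runRounds(fn, warm, probe).some((v) => v !== expected))
    .map(([label]) => label);
}

console.log(findMismatches());
```

A non-empty result means a probe returned something other than what the language semantics require, which for a JIT is a correctness bug worth triaging as a potential security issue.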