[JSC] CheckArray+NonArray is not filtering out Array in AI
author ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 Sep 2019 19:52:43 +0000 (19:52 +0000)
committer ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 Sep 2019 19:52:43 +0000 (19:52 +0000)
commit d621ec6f9bc55e66ccbfe3ca6dd348cb06a70566
tree 394169c6c73e61d91bc67aaaaa34d960e771113e
parent b249656afff70e631a70a8a002a29e683ffa413c
[JSC] CheckArray+NonArray is not filtering out Array in AI
https://bugs.webkit.org/show_bug.cgi?id=201857
<rdar://problem/54194820>

Reviewed by Keith Miller.

JSTests:

* stress/check-array-with-non-array-does-not-filter-arrays.js: Added.
(foo):

Source/JavaScriptCore:

The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure.
While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked
accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven to be an array.
This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime.

* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::alreadyChecked const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249976 268f45cc-cd09-0410-ab3c-d52691b4dbfc
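The commit message describes the failure at the compiler level: a CheckArray whose ArrayMode has the NonArray class is meant to reject real Arrays, but DFG::ArrayMode::alreadyChecked reported it as satisfied for array inputs, so abstract interpretation dropped the check. The following is an added illustration of the stress-test shape used to catch this class of bug, not the test file this commit adds (its body is not shown on this page): warm a function up on a plain object with dense indexed properties (a non-array with indexed storage), then pass it a genuine Array and confirm the observable result is unchanged. The object layout, iteration counts and helper names are assumptions.

```javascript
'use strict';

// foo reads indexed properties. On a JIT, its warm-up inputs give it an array
// profile; the function name matches the test's, the body is assumed.
function foo(o, i) {
    return o[i];
}

// A plain object with dense indexed properties: it has indexed storage but is
// not an Array, i.e. the kind of input a NonArray-class CheckArray admits.
function makeNonArray(n) {
    const o = {};
    for (let i = 0; i < n; i++) o[i] = i * 2;
    return o;
}

// A real Array holding the same values, the kind of input a NonArray-class
// CheckArray must reject (and, if the check were dropped, would mis-handle).
function makeArray(n) {
    return Array.from({ length: n }, (_, i) => i * 2);
}

// Runs foo many times on the non-array so an optimising compiler specialises
// it, then on the Array. Returns true only if every result matches the naive
// expectation for both input kinds.
function runStress(iterations) {
    const nonArray = makeNonArray(16);
    const array = makeArray(16);
    for (let i = 0; i < iterations; i++) {
        const idx = i & 15;
        if (foo(nonArray, idx) !== idx * 2) return false;
    }
    for (let i = 0; i < iterations; i++) {
        const idx = i & 15;
        if (foo(array, idx) !== idx * 2) return false;
    }
    return true;
}

// Stand-alone run: throws if any lookup disagrees with the expected value.
if (!runStress(100000)) throw new Error('array input handled incorrectly');
```

Under the jsc shell, JSTests/stress files usually wrap `foo` with `noInline(foo)` so the function is compiled on its own rather than inlined into the loop; that helper is specific to the JSC test environment and is omitted here so the block also runs under Node, where it only checks the value-level semantics.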
JSTests/ChangeLog
JSTests/stress/check-array-with-non-array-does-not-filter-arrays.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGArrayMode.cpp