https://bugs.webkit.org/show_bug.cgi?id=115805

Source/JavaScriptCore: 

Reviewed by Geoffrey Garen.

It checks the observed ArrayModes to see if we have seen any ArrayWith* first. If so, it assumes it's 
an Array::Array, even if we've also observed any NonArrayWith* in the ArrayProfile. This leads to the 
code generated by jumpSlowForUnwantedArrayMode to check the indexing type against (shape | IsArray) 
instead of just shape, which can cause us to exit a lot in the case that we saw a NonArray.

To fix this we need to add a case that checks for both ArrayWith* and NonArrayWith* cases first, which 
should then use Array::PossiblyArray, then do the checks we were already doing.

* bytecode/ArrayProfile.h:
(JSC::hasSeenArray):
(JSC::hasSeenNonArray):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):

LayoutTests: 

Added regression test for array access over polymorphic array vs. non-array indexing types.
With the fix, we get 3.666x faster on this microbenchmark.

Reviewed by Geoffrey Garen.

* fast/js/regress/array-nonarray-polymorphic-access-expected.txt: Added.
* fast/js/regress/array-nonarray-polymorphic-access.html: Added.
* fast/js/regress/script-tests/array-nonarray-polymorphic-access.js: Added.
(f):
(run):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@149834 268f45cc-cd09-0410-ab3c-d52691b4dbfc