https://bugs.webkit.org/show_bug.cgi?id=90026
<rdar://problem/11751830>

Source/JavaScriptCore: 

Reviewed by Gavin Barraclough.
        
For CSE on normal arrays, we now treat PutByVal as impure. This does not appear to affect
performance by much.
        
For CSE on typed arrays, we fix PutByValAlias by making GetByVal speculate that the access
is within bounds. This also has the effect of making our out-of-bounds handling consistent
with WebCore.

* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::byValIsPure):
(JSC::DFG::Graph::clobbersWorld):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

LayoutTests: 

Reviewed by Gavin Barraclough.

* fast/js/dfg-put-by-val-setter-then-get-by-val-expected.txt: Added.
* fast/js/dfg-put-by-val-setter-then-get-by-val.html: Added.
* fast/js/dfg-uint8clampedarray-out-of-bounds-put-by-val-alias-expected.txt: Added.
* fast/js/dfg-uint8clampedarray-out-of-bounds-put-by-val-alias.html: Added.
* fast/js/script-tests/dfg-put-by-val-setter-then-get-by-val.js: Added.
(foo):
(for):
* fast/js/script-tests/dfg-uint8clampedarray-out-of-bounds-put-by-val-alias.js: Added.
(foo):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@121307 268f45cc-cd09-0410-ab3c-d52691b4dbfc