[32 bit] DFG graph generation: intrinsic getters are fallible

https://bugs.webkit.org/show_bug.cgi?id=260908

Reviewed by Yusuke Suzuki.

On 32-bit, unlike 64-bit, some of the DFG intrinsic getters (really, the
TypedArray ones) are _fallible_: if the SpeculatedType doesn't match our
expecations (a non-strict subset of SpecInt32Only), we refuse to generate code. [1]

However, DFG::ByteCodeParser::handleGetById doesn't appear to handle this case
gracefully--if `handleIntrinsicGetter` fails, we attempt to generate a call to
the getter, but in the case of TypedArray intrinsics, we won't have the
necessary CallLinkStatus and while attempting to do so, we crash.

To fix this, I've added a bit of code that handles the failure from
handleIntrinsicGetter and emits an ordinary `GetById` node instead of trying to
inline anything for this op.

I've added a test that demonstrates the current behavior (a segfault) on armv7
and passes with tihs patch.

[1] For what it's worth, maybe this shouldn't be the case: it does seem like we
should still be able to generate code in these cases anyhow, but it's simpler to
just cope with the failure.

* JSTests/stress/typed-array-intrinsic-getter-with-conflicting-value-profile.js: Added.
(foo):
(i.null.foo.Object.create):
(i.42.foo):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):

Canonical link: https://commits.webkit.org/267511@main

Author: jjgriego

JSTests/stress/typed-array-intrinsic-getter-with-conflicting-value-profile.js

@@ -0,0 +1,22 @@
+function foo(x) {
+    return x.byteLength
+}
+
+var arr = new Uint8Array(42);
+
+var badPrototype = {};
+var bad = Object.create(badPrototype);
+
+for (var i = 0; i < 1e6; i++) {
+    if (null != foo(bad)) {
+        throw new Error();
+    }
+}
+
+badPrototype.byteLength = 42;
+
+for (var i = 0; i < 1e6; i++) {
+    if (42 != foo(arr)) {
+        throw new Error();
+    }
+}

Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -4760,27 +4760,41 @@ void ByteCodeParser::handleGetById(
         return;
     }
 
+    ASSERT(type == AccessType::GetById || type == AccessType::GetByIdDirect || !variant.callLinkStatus());
+
+    if (variant.intrinsic() != NoIntrinsic) {
+        auto const addChecks = [&] {
+            Node* getter = addToGraph(GetGetter, loadedValue);
+            addToGraph(CheckIsConstant, OpInfo(m_graph.freeze(variant.intrinsicFunction())), getter);
+        };
+
+        if (handleIntrinsicGetter(destination, prediction, variant, base, addChecks)) {
+            if (UNLIKELY(m_graph.compilation()))
+                m_graph.compilation()->noticeInlinedGetById();
+            addToGraph(Phantom, base);
+            return;
+        }
+
+        // We couldn't handle this as an intrinsic and can't emit a direct call
+        // to the intrinsic function--bail and emit a regular GetById
+        if (!variant.callLinkStatus()) {
+            set(destination,
+                addToGraph(getById, OpInfo(identifier), OpInfo(prediction), base));
+            return;
+        }
+    }
+
     if (UNLIKELY(m_graph.compilation()))
         m_graph.compilation()->noticeInlinedGetById();
 
-    ASSERT(type == AccessType::GetById || type == AccessType::GetByIdDirect || !variant.callLinkStatus());
-    if (!variant.callLinkStatus() && variant.intrinsic() == NoIntrinsic) {
+    if (!variant.callLinkStatus()) {
         set(destination, loadedValue);
         return;
     }
-    
-    Node* getter = addToGraph(GetGetter, loadedValue);
-
-    if (handleIntrinsicGetter(destination, prediction, variant, base,
-            [&] () {
-                addToGraph(CheckIsConstant, OpInfo(m_graph.freeze(variant.intrinsicFunction())), getter);
-            })) {
-        addToGraph(Phantom, base);
-        return;
-    }
 
     // Make a call. We don't try to get fancy with using the smallest operand number because
     // the stack layout phase should compress the stack anyway.
+    Node* getter = addToGraph(GetGetter, loadedValue);
 
     unsigned numberOfParameters = 0;
     numberOfParameters++; // The 'this' argument.