1 files changed, 24 insertions, 11 deletions

diff --git a/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp b/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp
index 51d5fd0e4..c4b67a361 100644
--- a/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -32,7 +32,7 @@
 #include "DFGGraph.h"
 #include "DFGInsertionSet.h"
 #include "DFGPhase.h"
-#include "Operations.h"
+#include "JSCInlines.h"
 
 namespace JSC { namespace DFG {
 
@@ -69,36 +69,49 @@ private:
     {
         switch (m_node->op()) {
         case GetByVal:
+        case HasIndexedProperty:
             lowerBoundsCheck(m_node->child1(), m_node->child2(), m_node->child3());
             break;
             
         case PutByVal:
-        case PutByValDirect:
-            lowerBoundsCheck(
-                m_graph.varArgChild(m_node, 0),
-                m_graph.varArgChild(m_node, 1),
-                m_graph.varArgChild(m_node, 3));
+        case PutByValDirect: {
+            Edge base = m_graph.varArgChild(m_node, 0);
+            Edge index = m_graph.varArgChild(m_node, 1);
+            Edge storage = m_graph.varArgChild(m_node, 3);
+            if (lowerBoundsCheck(base, index, storage))
+                break;
+            
+            if (m_node->arrayMode().typedArrayType() != NotTypedArray && m_node->arrayMode().isOutOfBounds()) {
+                Node* length = m_insertionSet.insertNode(
+                    m_nodeIndex, SpecInt32, GetArrayLength, m_node->origin,
+                    OpInfo(m_node->arrayMode().asWord()), base, storage);
+                
+                m_graph.varArgChild(m_node, 4) = Edge(length, KnownInt32Use);
+                break;
+            }
             break;
+        }
             
         default:
             break;
         }
     }
     
-    void lowerBoundsCheck(Edge base, Edge index, Edge storage)
+    bool lowerBoundsCheck(Edge base, Edge index, Edge storage)
     {
         if (!m_node->arrayMode().permitsBoundsCheckLowering())
-            return;
+            return false;
         
         if (!m_node->arrayMode().lengthNeedsStorage())
             storage = Edge();
         
         Node* length = m_insertionSet.insertNode(
-            m_nodeIndex, SpecInt32, GetArrayLength, m_node->codeOrigin,
+            m_nodeIndex, SpecInt32, GetArrayLength, m_node->origin,
             OpInfo(m_node->arrayMode().asWord()), base, storage);
         m_insertionSet.insertNode(
-            m_nodeIndex, SpecInt32, CheckInBounds, m_node->codeOrigin,
+            m_nodeIndex, SpecInt32, CheckInBounds, m_node->origin,
             index, Edge(length, KnownInt32Use));
+        return true;
     }
     
     InsertionSet m_insertionSet;