Bug 211900

Summary: Correctness issue in FTL JIT when handling access to arguments object
Product: WebKit
Reporter: Samuel Groß <saelo>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: fpizlo, lukas.bernhard, mark.lam, saam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Samuel Groß 2020-05-14 08:59:32 PDT
There is a small correctness issue in the FTL JIT's handling of indexed accesses into `arguments` objects. The following PoC demonstrates that:

    const ITERATIONS = 1000000;

    // Install an indexed element on Object.prototype so that a lookup of
    // arguments[-1] should find it via the prototype chain.
    Object.prototype[-1] = 1337;

    function f(i) {
        return arguments[i];
    }

    // `print` is the jsc shell's output function.
    print(`Before JIT: f(-1) = ${f(-1)}`);

    // Warm up with an out-of-bounds index so f tiers up to the FTL.
    for (let i = 0; i < ITERATIONS; i++) {
        r = f(42);
    }

    print(`After JIT: f(-1) = ${f(-1)}`);

On a local build of WebKit from the latest source code this prints:

    Before JIT: f(-1) = 1337
    After JIT: f(-1) = undefined

The reason for that seems to be that the arguments access is lowered to a GetMyArgumentByValOutOfBounds operation (as the access has been observed to be out-of-bounds [1] and no indexed elements are installed on the Object prototype [2]), which is then lowered to a piece of code that does a bounds check of the index and, if that fails, simply yields the undefined value [3]. In the case of a negative index this is incorrect as it should be handled as a regular property lookup and should thus consult the prototype chain.

[1] https://github.com/WebKit/webkit/blob/2073ffe6788f487c5bad101ee3ad99846afa42c7/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp#L843
[2] https://github.com/WebKit/webkit/blob/2073ffe6788f487c5bad101ee3ad99846afa42c7/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp#L275
[3] https://github.com/WebKit/webkit/blob/2073ffe6788f487c5bad101ee3ad99846afa42c7/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp#L5005
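As an added example (not part of the report or of WebKit's code), the PoC above can be turned into a differential check of the kind Lukas mentions later: `reference` looks the index up by hand, first as an own property of a materialised arguments object and then along the prototype chain, and `differentialCheck` compares that against the JIT-compiled access before and after warm-up. The function names and index set are constructed for this example; it runs under node or jsc.

```javascript
// Spec-style lookup: own element of the arguments object first, then the
// prototype chain, treating the index as an ordinary property key.
function referenceGet(args, i) {
    const key = String(i);
    if (Object.prototype.hasOwnProperty.call(args, key)) return args[key];
    let proto = Object.getPrototypeOf(args);
    while (proto !== null) {
        if (Object.prototype.hasOwnProperty.call(proto, key)) return proto[key];
        proto = Object.getPrototypeOf(proto);
    }
    return undefined;
}

// Function under test: the same access the FTL lowers to
// GetMyArgumentByValOutOfBounds once the index has been seen out of bounds.
function f(i) {
    return arguments[i];
}

// Reference: passing `arguments` out forces a real object, bypassing the
// arguments-elimination fast path.
function reference(i) {
    return referenceGet(arguments, i);
}

// Returns every (phase, index) where the JIT path disagrees with the reference.
function differentialCheck(indices, iterations) {
    Object.prototype[-1] = 1337;          // same prototype element as the PoC
    try {
        const mismatches = [];
        const check = (phase) => {
            for (const i of indices) {
                const got = f(i), want = reference(i);
                if (got !== want) mismatches.push({ phase, index: i, got, want });
            }
        };
        check('before-warmup');
        for (let n = 0; n < iterations; n++) f(42);   // out-of-bounds warm-up, as in the PoC
        check('after-warmup');
        return mismatches;
    } finally {
        delete Object.prototype[-1];      // leave the global prototype as it was
    }
}

if (typeof require === 'undefined' || require.main === module) {
    console.log(JSON.stringify(differentialCheck([-1, 0, 1, 42], 1000000)));
}
```

On a correct engine the result is an empty list; on a build with this bug the after-warmup entry for index -1 reports `got: undefined, want: 1337`.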
Comment 1 Radar WebKit Bug Importer 2020-05-15 17:38:21 PDT
<rdar://problem/63295842>
Comment 2 Saam Barati 2020-11-30 16:57:38 PST
Thanks for this report.
Comment 3 Lukas Bernhard 2022-02-17 05:26:58 PST
Similar to https://bugs.webkit.org/show_bug.cgi?id=233682#c2 I regularly encounter this issue during differential fuzzing. Similar to 233682, could the engine emit some warning that a known correctness issue was exercised? Otherwise deduplicating this (known) issue from other, more relevant issues becomes too time-consuming.