This would make our various mechanisms of array speculation work as well as all of our other speculation modes.
It appears that this might just work already. If we exit due to an invalid structure on an array access, then the baseline JIT will log *only* the invalid structure(s) in the array profile. Subsequent recompiles will see only one of the invalid structures, and LUBing will conclude that the structure has gone polymorphic. I will keep this open for now, but I suspect that this is not really a bug. I mean, it could be good to unify how speculations work and make everything use OSR exit profiling, but this doesn't really smell like a bug right now.
Actually. Right now array profiles are too accurate. They will catch *every* array type that flows through them, when what we really want is for them to catch the high probability array types. Renaming the bug.
Created attachment 169483: the patch
Landed in http://trac.webkit.org/changeset/131868