See bug 722331 comment 3. If we want to handle this like JM, we could add a new bailout kind and use it for hoisted bounds checks. When we bailout, we can set script->failedBoundsCheck to |true| and invalidate the caller. The next time the script is compiled, we can check this flag to prevent hoisting bounds checks.
Created attachment 632331 [details] [diff] [review] WIP This fixes some benchmark problems. More complete patch tomorrow.
Created attachment 639296 [details] [diff] [review] Patch If a bounds check fails, recompile and don't optimize bounds checks in the future. On v8-crypto, with --no-jm, this reduces the number of bailouts caused by bounds checks from > 1100 to 3. Without --no-jm, v8-crypto becomes slower unfortunately, because we use IonMonkey more, which isn't as heavily optimized for am3. The right way forward there is enabling/improving our range analysis so that we don't have to rely on using JM+TI instead of Ion though.