[turbofan] Turn off array masking if branch-load poisoning is on.

Bug: chromium:798964
Change-Id: Ia2f0ade9e69aeb4eb0497ff91abb7ffa1d02e03f
Reviewed-on: https://chromium-review.googlesource.com/958515Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51874}

src/compiler/pipeline.cc

@@ -1387,15 +1387,21 @@ struct EffectControlLinearizationPhase {
       if (FLAG_turbo_verify) ScheduleVerifier::Run(schedule);
       TraceSchedule(data->info(), data->isolate(), schedule);
 
+      // We only insert the array masking code if
+      //   - untrusted code mitigations are on,
+      //   - general load poisoning is off.
+      // TODO(jarin) Remove the array index masking code entirely once we have
+      // restricted load poisoning.
+      EffectControlLinearizer::MaskArrayIndexEnable mask_array_index =
+          (data->info()->has_untrusted_code_mitigations() &&
+           !data->info()->is_poison_loads())
+              ? EffectControlLinearizer::kMaskArrayIndex
+              : EffectControlLinearizer::kDoNotMaskArrayIndex;
       // Post-pass for wiring the control/effects
       // - connect allocating representation changes into the control&effect
       //   chains and lower them,
       // - get rid of the region markers,
       // - introduce effect phis and rewire effects to get SSA again.
-      EffectControlLinearizer::MaskArrayIndexEnable mask_array_index =
-          data->info()->has_untrusted_code_mitigations()
-              ? EffectControlLinearizer::kMaskArrayIndex
-              : EffectControlLinearizer::kDoNotMaskArrayIndex;
       EffectControlLinearizer linearizer(data->jsgraph(), schedule, temp_zone,
                                          data->source_positions(),
                                          mask_array_index);