Roll out r193974 and follow-up fixes as it caused JSC crashes
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGAbstractInterpreterInlines.h
1 /*
2  * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #ifndef DFGAbstractInterpreterInlines_h
27 #define DFGAbstractInterpreterInlines_h
28
29 #if ENABLE(DFG_JIT)
30
31 #include "DFGAbstractInterpreter.h"
32 #include "GetByIdStatus.h"
33 #include "GetterSetter.h"
34 #include "JITOperations.h"
35 #include "MathCommon.h"
36 #include "Operations.h"
37 #include "PutByIdStatus.h"
38 #include "StringObject.h"
39
40 namespace JSC { namespace DFG {
41
42 template<typename AbstractStateType>
43 AbstractInterpreter<AbstractStateType>::AbstractInterpreter(Graph& graph, AbstractStateType& state)
44     : m_codeBlock(graph.m_codeBlock)
45     , m_graph(graph)
46     , m_state(state)
47 {
48     if (m_graph.m_form == SSA)
49         m_phiChildren = std::make_unique<PhiChildren>(m_graph);
50 }
51
52 template<typename AbstractStateType>
53 AbstractInterpreter<AbstractStateType>::~AbstractInterpreter()
54 {
55 }
56
57 template<typename AbstractStateType>
58 typename AbstractInterpreter<AbstractStateType>::BooleanResult
59 AbstractInterpreter<AbstractStateType>::booleanResult(
60     Node* node, AbstractValue& value)
61 {
62     JSValue childConst = value.value();
63     if (childConst) {
64         if (childConst.toBoolean(m_codeBlock->globalObjectFor(node->origin.semantic)->globalExec()))
65             return DefinitelyTrue;
66         return DefinitelyFalse;
67     }
68
69     // Next check if we can fold because we know that the source is an object or string and does not equal undefined.
70     if (isCellSpeculation(value.m_type) && !value.m_structure.isTop()) {
71         bool allTrue = true;
72         for (unsigned i = value.m_structure.size(); i--;) {
73             Structure* structure = value.m_structure[i];
74             if (structure->masqueradesAsUndefined(m_codeBlock->globalObjectFor(node->origin.semantic))
75                 || structure->typeInfo().type() == StringType) {
76                 allTrue = false;
77                 break;
78             }
79         }
80         if (allTrue)
81             return DefinitelyTrue;
82     }
83     
84     return UnknownBooleanResult;
85 }
86
87 template<typename AbstractStateType>
88 void AbstractInterpreter<AbstractStateType>::startExecuting()
89 {
90     ASSERT(m_state.block());
91     ASSERT(m_state.isValid());
92     
93     m_state.setDidClobber(false);
94 }
95
96 template<typename AbstractStateType>
97 void AbstractInterpreter<AbstractStateType>::executeEdges(Node* node)
98 {
99     DFG_NODE_DO_TO_CHILDREN(m_graph, node, filterEdgeByUse);
100 }
101
102 template<typename AbstractStateType>
103 void AbstractInterpreter<AbstractStateType>::executeEdges(unsigned indexInBlock)
104 {
105     executeEdges(m_state.block()->at(indexInBlock));
106 }
107
108 template<typename AbstractStateType>
109 void AbstractInterpreter<AbstractStateType>::verifyEdge(Node* node, Edge edge)
110 {
111     // Some use kinds are required to not have checks, because we know somehow that the incoming
112     // value will already have the type we want. In those cases, AI may not be smart enough to
113     // prove that this is indeed the case.
114     if (shouldNotHaveTypeCheck(edge.useKind()))
115         return;
116     
117     if (!(forNode(edge).m_type & ~typeFilterFor(edge.useKind())))
118         return;
119     
120     DFG_CRASH(m_graph, node, toCString("Edge verification error: ", node, "->", edge, " was expected to have type ", SpeculationDump(typeFilterFor(edge.useKind())), " but has type ", SpeculationDump(forNode(edge).m_type), " (", forNode(edge).m_type, ")").data());
121 }
122
123 template<typename AbstractStateType>
124 void AbstractInterpreter<AbstractStateType>::verifyEdges(Node* node)
125 {
126     DFG_NODE_DO_TO_CHILDREN(m_graph, node, verifyEdge);
127 }
128
129 template<typename AbstractStateType>
130 bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimit, Node* node)
131 {
132     if (!ASSERT_DISABLED)
133         verifyEdges(node);
134     
135     m_state.createValueForNode(node);
136     
137     switch (node->op()) {
138     case JSConstant:
139     case DoubleConstant:
140     case Int52Constant: {
141         setBuiltInConstant(node, *node->constant());
142         break;
143     }
144         
145     case Identity: {
146         forNode(node) = forNode(node->child1());
147         if (forNode(node).value())
148             m_state.setFoundConstants(true);
149         break;
150     }
151         
152     case ExtractOSREntryLocal: {
153         forNode(node).makeBytecodeTop();
154         break;
155     }
156             
157     case GetLocal: {
158         VariableAccessData* variableAccessData = node->variableAccessData();
159         AbstractValue value = m_state.variables().operand(variableAccessData->local().offset());
160         // The value in the local should already be checked.
161         DFG_ASSERT(m_graph, node, value.isType(typeFilterFor(variableAccessData->flushFormat())));
162         if (value.value())
163             m_state.setFoundConstants(true);
164         forNode(node) = value;
165         break;
166     }
167         
168     case GetStack: {
169         StackAccessData* data = node->stackAccessData();
170         AbstractValue value = m_state.variables().operand(data->local);
171         // The value in the local should already be checked.
172         DFG_ASSERT(m_graph, node, value.isType(typeFilterFor(data->format)));
173         if (value.value())
174             m_state.setFoundConstants(true);
175         forNode(node) = value;
176         break;
177     }
178         
179     case GetLocalUnlinked: {
180         AbstractValue value = m_state.variables().operand(node->unlinkedLocal().offset());
181         if (value.value())
182             m_state.setFoundConstants(true);
183         forNode(node) = value;
184         break;
185     }
186         
187     case SetLocal: {
188         m_state.variables().operand(node->local()) = forNode(node->child1());
189         break;
190     }
191         
192     case PutStack: {
193         m_state.variables().operand(node->stackAccessData()->local) = forNode(node->child1());
194         break;
195     }
196         
197     case MovHint: {
198         // Don't need to do anything. A MovHint only informs us about what would have happened
199         // in bytecode, but this code is just concerned with what is actually happening during
200         // DFG execution.
201         break;
202     }
203         
204     case KillStack: {
205         // This is just a hint telling us that the OSR state of the local is no longer inside the
206         // flushed data.
207         break;
208     }
209         
210     case SetArgument:
211         // Assert that the state of arguments has been set. SetArgument means that someone set
212         // the argument values out-of-band, and currently this always means setting to a
213         // non-clear value.
214         ASSERT(!m_state.variables().operand(node->local()).isClear());
215         break;
216         
217     case LoadVarargs:
218     case ForwardVarargs: {
219         // FIXME: ForwardVarargs should check if the count becomes known, and if it does, it should turn
220         // itself into a straight-line sequence of GetStack/PutStack.
221         // https://bugs.webkit.org/show_bug.cgi?id=143071
222         clobberWorld(node->origin.semantic, clobberLimit);
223         LoadVarargsData* data = node->loadVarargsData();
224         m_state.variables().operand(data->count).setType(SpecInt32);
225         for (unsigned i = data->limit - 1; i--;)
226             m_state.variables().operand(data->start.offset() + i).makeHeapTop();
227         break;
228     }
229             
230     case BitAnd:
231     case BitOr:
232     case BitXor:
233     case BitRShift:
234     case BitLShift:
235     case BitURShift: {
236         JSValue left = forNode(node->child1()).value();
237         JSValue right = forNode(node->child2()).value();
238         if (left && right && left.isInt32() && right.isInt32()) {
239             int32_t a = left.asInt32();
240             int32_t b = right.asInt32();
241             switch (node->op()) {
242             case BitAnd:
243                 setConstant(node, JSValue(a & b));
244                 break;
245             case BitOr:
246                 setConstant(node, JSValue(a | b));
247                 break;
248             case BitXor:
249                 setConstant(node, JSValue(a ^ b));
250                 break;
251             case BitRShift:
252                 setConstant(node, JSValue(a >> static_cast<uint32_t>(b)));
253                 break;
254             case BitLShift:
255                 setConstant(node, JSValue(a << static_cast<uint32_t>(b)));
256                 break;
257             case BitURShift:
258                 setConstant(node, JSValue(static_cast<uint32_t>(a) >> static_cast<uint32_t>(b)));
259                 break;
260             default:
261                 RELEASE_ASSERT_NOT_REACHED();
262                 break;
263             }
264             break;
265         }
266         
267         if (node->op() == BitAnd
268             && (isBoolInt32Speculation(forNode(node->child1()).m_type) ||
269                 isBoolInt32Speculation(forNode(node->child2()).m_type))) {
270             forNode(node).setType(SpecBoolInt32);
271             break;
272         }
273         
274         forNode(node).setType(SpecInt32);
275         break;
276     }
277         
278     case UInt32ToNumber: {
279         JSValue child = forNode(node->child1()).value();
280         if (doesOverflow(node->arithMode())) {
281             if (child && child.isInt32()) {
282                 uint32_t value = child.asInt32();
283                 setConstant(node, jsNumber(value));
284                 break;
285             }
286             forNode(node).setType(SpecInt52AsDouble);
287             break;
288         }
289         if (child && child.isInt32()) {
290             int32_t value = child.asInt32();
291             if (value >= 0) {
292                 setConstant(node, jsNumber(value));
293                 break;
294             }
295         }
296         forNode(node).setType(SpecInt32);
297         break;
298     }
299         
300     case BooleanToNumber: {
301         JSValue concreteValue = forNode(node->child1()).value();
302         if (concreteValue) {
303             if (concreteValue.isBoolean())
304                 setConstant(node, jsNumber(concreteValue.asBoolean()));
305             else
306                 setConstant(node, *m_graph.freeze(concreteValue));
307             break;
308         }
309         AbstractValue& value = forNode(node);
310         value = forNode(node->child1());
311         if (node->child1().useKind() == UntypedUse && !(value.m_type & ~SpecBoolean))
312             m_state.setFoundConstants(true);
313         if (value.m_type & SpecBoolean) {
314             value.merge(SpecBoolInt32);
315             value.filter(~SpecBoolean);
316         }
317         break;
318     }
319             
320     case DoubleAsInt32: {
321         JSValue child = forNode(node->child1()).value();
322         if (child && child.isNumber()) {
323             double asDouble = child.asNumber();
324             int32_t asInt = JSC::toInt32(asDouble);
325             if (bitwise_cast<int64_t>(static_cast<double>(asInt)) == bitwise_cast<int64_t>(asDouble)) {
326                 setConstant(node, JSValue(asInt));
327                 break;
328             }
329         }
330         forNode(node).setType(SpecInt32);
331         break;
332     }
333             
334     case ValueToInt32: {
335         JSValue child = forNode(node->child1()).value();
336         if (child) {
337             if (child.isNumber()) {
338                 if (child.isInt32())
339                     setConstant(node, child);
340                 else
341                     setConstant(node, JSValue(JSC::toInt32(child.asDouble())));
342                 break;
343             }
344             if (child.isBoolean()) {
345                 setConstant(node, jsNumber(child.asBoolean()));
346                 break;
347             }
348             if (child.isUndefinedOrNull()) {
349                 setConstant(node, jsNumber(0));
350                 break;
351             }
352         }
353         
354         if (isBooleanSpeculation(forNode(node->child1()).m_type)) {
355             forNode(node).setType(SpecBoolInt32);
356             break;
357         }
358         
359         forNode(node).setType(SpecInt32);
360         break;
361     }
362         
363     case DoubleRep: {
364         JSValue child = forNode(node->child1()).value();
365         if (child && child.isNumber()) {
366             setConstant(node, jsDoubleNumber(child.asNumber()));
367             break;
368         }
369
370         SpeculatedType type = forNode(node->child1()).m_type;
371         switch (node->child1().useKind()) {
372         case NotCellUse: {
373             if (type & SpecOther) {
374                 type &= ~SpecOther;
375                 type |= SpecDoublePureNaN | SpecBoolInt32; // Null becomes zero, undefined becomes NaN.
376             }
377             if (type & SpecBoolean) {
378                 type &= ~SpecBoolean;
379                 type |= SpecBoolInt32; // True becomes 1, false becomes 0.
380             }
381             type &= SpecBytecodeNumber;
382             break;
383         }
384
385         case Int52RepUse:
386         case NumberUse:
387         case RealNumberUse:
388             break;
389
390         default:
391             RELEASE_ASSERT_NOT_REACHED();
392         }
393         forNode(node).setType(type);
394         forNode(node).fixTypeForRepresentation(m_graph, node);
395         break;
396     }
397         
398     case Int52Rep: {
399         JSValue child = forNode(node->child1()).value();
400         if (child && child.isMachineInt()) {
401             setConstant(node, child);
402             break;
403         }
404         
405         forNode(node).setType(SpecInt32);
406         break;
407     }
408         
409     case ValueRep: {
410         JSValue value = forNode(node->child1()).value();
411         if (value) {
412             setConstant(node, value);
413             break;
414         }
415         
416         forNode(node).setType(m_graph, forNode(node->child1()).m_type & ~SpecDoubleImpureNaN);
417         forNode(node).fixTypeForRepresentation(m_graph, node);
418         break;
419     }
420         
421     case ValueAdd: {
422         ASSERT(node->binaryUseKind() == UntypedUse);
423         clobberWorld(node->origin.semantic, clobberLimit);
424         forNode(node).setType(m_graph, SpecString | SpecBytecodeNumber);
425         break;
426     }
427
428     case StrCat: {
429         forNode(node).setType(m_graph, SpecString);
430         break;
431     }
432         
433     case ArithAdd: {
434         JSValue left = forNode(node->child1()).value();
435         JSValue right = forNode(node->child2()).value();
436         switch (node->binaryUseKind()) {
437         case Int32Use:
438             if (left && right && left.isInt32() && right.isInt32()) {
439                 if (!shouldCheckOverflow(node->arithMode())) {
440                     setConstant(node, jsNumber(left.asInt32() + right.asInt32()));
441                     break;
442                 }
443                 JSValue result = jsNumber(left.asNumber() + right.asNumber());
444                 if (result.isInt32()) {
445                     setConstant(node, result);
446                     break;
447                 }
448             }
449             forNode(node).setType(SpecInt32);
450             break;
451         case Int52RepUse:
452             if (left && right && left.isMachineInt() && right.isMachineInt()) {
453                 JSValue result = jsNumber(left.asMachineInt() + right.asMachineInt());
454                 if (result.isMachineInt()) {
455                     setConstant(node, result);
456                     break;
457                 }
458             }
459             forNode(node).setType(SpecMachineInt);
460             break;
461         case DoubleRepUse:
462             if (left && right && left.isNumber() && right.isNumber()) {
463                 setConstant(node, jsDoubleNumber(left.asNumber() + right.asNumber()));
464                 break;
465             }
466             forNode(node).setType(
467                 typeOfDoubleSum(
468                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
469             break;
470         default:
471             RELEASE_ASSERT_NOT_REACHED();
472             break;
473         }
474         break;
475     }
476
477     case ArithClz32: {
478         JSValue operand = forNode(node->child1()).value();
479         if (operand && operand.isNumber()) {
480             uint32_t value = toUInt32(operand.asNumber());
481             setConstant(node, jsNumber(clz32(value)));
482             break;
483         }
484         forNode(node).setType(SpecInt32);
485         break;
486     }
487
488     case MakeRope: {
489         forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
490         break;
491     }
492             
493     case ArithSub: {
494         JSValue left = forNode(node->child1()).value();
495         JSValue right = forNode(node->child2()).value();
496         switch (node->binaryUseKind()) {
497         case Int32Use:
498             if (left && right && left.isInt32() && right.isInt32()) {
499                 if (!shouldCheckOverflow(node->arithMode())) {
500                     setConstant(node, jsNumber(left.asInt32() - right.asInt32()));
501                     break;
502                 }
503                 JSValue result = jsNumber(left.asNumber() - right.asNumber());
504                 if (result.isInt32()) {
505                     setConstant(node, result);
506                     break;
507                 }
508             }
509             forNode(node).setType(SpecInt32);
510             break;
511         case Int52RepUse:
512             if (left && right && left.isMachineInt() && right.isMachineInt()) {
513                 JSValue result = jsNumber(left.asMachineInt() - right.asMachineInt());
514                 if (result.isMachineInt() || !shouldCheckOverflow(node->arithMode())) {
515                     setConstant(node, result);
516                     break;
517                 }
518             }
519             forNode(node).setType(SpecMachineInt);
520             break;
521         case DoubleRepUse:
522             if (left && right && left.isNumber() && right.isNumber()) {
523                 setConstant(node, jsDoubleNumber(left.asNumber() - right.asNumber()));
524                 break;
525             }
526             forNode(node).setType(
527                 typeOfDoubleDifference(
528                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
529             break;
530         case UntypedUse:
531             clobberWorld(node->origin.semantic, clobberLimit);
532             forNode(node).setType(m_graph, SpecBytecodeNumber);
533             break;
534         default:
535             RELEASE_ASSERT_NOT_REACHED();
536             break;
537         }
538         break;
539     }
540         
541     case ArithNegate: {
542         JSValue child = forNode(node->child1()).value();
543         switch (node->child1().useKind()) {
544         case Int32Use:
545             if (child && child.isInt32()) {
546                 if (!shouldCheckOverflow(node->arithMode())) {
547                     setConstant(node, jsNumber(-child.asInt32()));
548                     break;
549                 }
550                 double doubleResult;
551                 if (shouldCheckNegativeZero(node->arithMode()))
552                     doubleResult = -child.asNumber();
553                 else
554                     doubleResult = 0 - child.asNumber();
555                 JSValue valueResult = jsNumber(doubleResult);
556                 if (valueResult.isInt32()) {
557                     setConstant(node, valueResult);
558                     break;
559                 }
560             }
561             forNode(node).setType(SpecInt32);
562             break;
563         case Int52RepUse:
564             if (child && child.isMachineInt()) {
565                 double doubleResult;
566                 if (shouldCheckNegativeZero(node->arithMode()))
567                     doubleResult = -child.asNumber();
568                 else
569                     doubleResult = 0 - child.asNumber();
570                 JSValue valueResult = jsNumber(doubleResult);
571                 if (valueResult.isMachineInt()) {
572                     setConstant(node, valueResult);
573                     break;
574                 }
575             }
576             forNode(node).setType(SpecMachineInt);
577             break;
578         case DoubleRepUse:
579             if (child && child.isNumber()) {
580                 setConstant(node, jsDoubleNumber(-child.asNumber()));
581                 break;
582             }
583             forNode(node).setType(
584                 typeOfDoubleNegation(
585                     forNode(node->child1()).m_type));
586             break;
587         default:
588             RELEASE_ASSERT_NOT_REACHED();
589             break;
590         }
591         break;
592     }
593         
594     case ArithMul: {
595         JSValue left = forNode(node->child1()).value();
596         JSValue right = forNode(node->child2()).value();
597         switch (node->binaryUseKind()) {
598         case Int32Use:
599             if (left && right && left.isInt32() && right.isInt32()) {
600                 if (!shouldCheckOverflow(node->arithMode())) {
601                     setConstant(node, jsNumber(left.asInt32() * right.asInt32()));
602                     break;
603                 }
604                 double doubleResult = left.asNumber() * right.asNumber();
605                 if (!shouldCheckNegativeZero(node->arithMode()))
606                     doubleResult += 0; // Sanitizes zero.
607                 JSValue valueResult = jsNumber(doubleResult);
608                 if (valueResult.isInt32()) {
609                     setConstant(node, valueResult);
610                     break;
611                 }
612             }
613             forNode(node).setType(SpecInt32);
614             break;
615         case Int52RepUse:
616             if (left && right && left.isMachineInt() && right.isMachineInt()) {
617                 double doubleResult = left.asNumber() * right.asNumber();
618                 if (!shouldCheckNegativeZero(node->arithMode()))
619                     doubleResult += 0;
620                 JSValue valueResult = jsNumber(doubleResult);
621                 if (valueResult.isMachineInt()) {
622                     setConstant(node, valueResult);
623                     break;
624                 }
625             }
626             forNode(node).setType(SpecMachineInt);
627             break;
628         case DoubleRepUse:
629             if (left && right && left.isNumber() && right.isNumber()) {
630                 setConstant(node, jsDoubleNumber(left.asNumber() * right.asNumber()));
631                 break;
632             }
633             forNode(node).setType(
634                 typeOfDoubleProduct(
635                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
636             break;
637         case UntypedUse:
638             clobberWorld(node->origin.semantic, clobberLimit);
639             forNode(node).setType(m_graph, SpecBytecodeNumber);
640             break;
641         default:
642             RELEASE_ASSERT_NOT_REACHED();
643             break;
644         }
645         break;
646     }
647         
648     case ArithDiv: {
649         JSValue left = forNode(node->child1()).value();
650         JSValue right = forNode(node->child2()).value();
651         switch (node->binaryUseKind()) {
652         case Int32Use:
653             if (left && right && left.isInt32() && right.isInt32()) {
654                 double doubleResult = left.asNumber() / right.asNumber();
655                 if (!shouldCheckOverflow(node->arithMode()))
656                     doubleResult = toInt32(doubleResult);
657                 else if (!shouldCheckNegativeZero(node->arithMode()))
658                     doubleResult += 0; // Sanitizes zero.
659                 JSValue valueResult = jsNumber(doubleResult);
660                 if (valueResult.isInt32()) {
661                     setConstant(node, valueResult);
662                     break;
663                 }
664             }
665             forNode(node).setType(SpecInt32);
666             break;
667         case DoubleRepUse:
668             if (left && right && left.isNumber() && right.isNumber()) {
669                 setConstant(node, jsDoubleNumber(left.asNumber() / right.asNumber()));
670                 break;
671             }
672             forNode(node).setType(
673                 typeOfDoubleQuotient(
674                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
675             break;
676         case UntypedUse:
677             clobberWorld(node->origin.semantic, clobberLimit);
678             forNode(node).setType(m_graph, SpecBytecodeNumber);
679             break;
680         default:
681             RELEASE_ASSERT_NOT_REACHED();
682             break;
683         }
684         break;
685     }
686
687     case ArithMod: {
688         JSValue left = forNode(node->child1()).value();
689         JSValue right = forNode(node->child2()).value();
690         switch (node->binaryUseKind()) {
691         case Int32Use:
692             if (left && right && left.isInt32() && right.isInt32()) {
693                 double doubleResult = fmod(left.asNumber(), right.asNumber());
694                 if (!shouldCheckOverflow(node->arithMode()))
695                     doubleResult = toInt32(doubleResult);
696                 else if (!shouldCheckNegativeZero(node->arithMode()))
697                     doubleResult += 0; // Sanitizes zero.
698                 JSValue valueResult = jsNumber(doubleResult);
699                 if (valueResult.isInt32()) {
700                     setConstant(node, valueResult);
701                     break;
702                 }
703             }
704             forNode(node).setType(SpecInt32);
705             break;
706         case DoubleRepUse:
707             if (left && right && left.isNumber() && right.isNumber()) {
708                 setConstant(node, jsDoubleNumber(fmod(left.asNumber(), right.asNumber())));
709                 break;
710             }
711             forNode(node).setType(
712                 typeOfDoubleBinaryOp(
713                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
714             break;
715         default:
716             RELEASE_ASSERT_NOT_REACHED();
717             break;
718         }
719         break;
720     }
721
722     case ArithMin: {
723         JSValue left = forNode(node->child1()).value();
724         JSValue right = forNode(node->child2()).value();
725         switch (node->binaryUseKind()) {
726         case Int32Use:
727             if (left && right && left.isInt32() && right.isInt32()) {
728                 setConstant(node, jsNumber(std::min(left.asInt32(), right.asInt32())));
729                 break;
730             }
731             forNode(node).setType(SpecInt32);
732             break;
733         case DoubleRepUse:
734             if (left && right && left.isNumber() && right.isNumber()) {
735                 double a = left.asNumber();
736                 double b = right.asNumber();
737                 setConstant(node, jsDoubleNumber(a < b ? a : (b <= a ? b : a + b)));
738                 break;
739             }
740             forNode(node).setType(
741                 typeOfDoubleMinMax(
742                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
743             break;
744         default:
745             RELEASE_ASSERT_NOT_REACHED();
746             break;
747         }
748         break;
749     }
750             
751     case ArithMax: {
752         JSValue left = forNode(node->child1()).value();
753         JSValue right = forNode(node->child2()).value();
754         switch (node->binaryUseKind()) {
755         case Int32Use:
756             if (left && right && left.isInt32() && right.isInt32()) {
757                 setConstant(node, jsNumber(std::max(left.asInt32(), right.asInt32())));
758                 break;
759             }
760             forNode(node).setType(SpecInt32);
761             break;
762         case DoubleRepUse:
763             if (left && right && left.isNumber() && right.isNumber()) {
764                 double a = left.asNumber();
765                 double b = right.asNumber();
766                 setConstant(node, jsDoubleNumber(a > b ? a : (b >= a ? b : a + b)));
767                 break;
768             }
769             forNode(node).setType(
770                 typeOfDoubleMinMax(
771                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
772             break;
773         default:
774             RELEASE_ASSERT_NOT_REACHED();
775             break;
776         }
777         break;
778     }
779             
780     case ArithAbs: {
781         JSValue child = forNode(node->child1()).value();
782         switch (node->child1().useKind()) {
783         case Int32Use:
784             if (child && child.isInt32()) {
785                 JSValue result = jsNumber(fabs(child.asNumber()));
786                 if (result.isInt32()) {
787                     setConstant(node, result);
788                     break;
789                 }
790             }
791             forNode(node).setType(SpecInt32);
792             break;
793         case DoubleRepUse:
794             if (child && child.isNumber()) {
795                 setConstant(node, jsDoubleNumber(fabs(child.asNumber())));
796                 break;
797             }
798             forNode(node).setType(typeOfDoubleAbs(forNode(node->child1()).m_type));
799             break;
800         default:
801             RELEASE_ASSERT_NOT_REACHED();
802             break;
803         }
804         break;
805     }
806
807     case ArithPow: {
808         JSValue childY = forNode(node->child2()).value();
809         if (childY && childY.isNumber()) {
810             if (!childY.asNumber()) {
811                 setConstant(node, jsDoubleNumber(1));
812                 break;
813             }
814
815             JSValue childX = forNode(node->child1()).value();
816             if (childX && childX.isNumber()) {
817                 setConstant(node, jsDoubleNumber(operationMathPow(childX.asNumber(), childY.asNumber())));
818                 break;
819             }
820         }
821         forNode(node).setType(typeOfDoublePow(forNode(node->child1()).m_type, forNode(node->child2()).m_type));
822         break;
823     }
824
825     case ArithRound: {
826         JSValue operand = forNode(node->child1()).value();
827         if (operand && operand.isNumber()) {
828             double roundedValue = jsRound(operand.asNumber());
829
830             if (producesInteger(node->arithRoundingMode())) {
831                 int32_t roundedValueAsInt32 = static_cast<int32_t>(roundedValue);
832                 if (roundedValueAsInt32 == roundedValue) {
833                     if (shouldCheckNegativeZero(node->arithRoundingMode())) {
834                         if (roundedValueAsInt32 || !std::signbit(roundedValue)) {
835                             setConstant(node, jsNumber(roundedValueAsInt32));
836                             break;
837                         }
838                     } else {
839                         setConstant(node, jsNumber(roundedValueAsInt32));
840                         break;
841                     }
842                 }
843             } else {
844                 setConstant(node, jsDoubleNumber(roundedValue));
845                 break;
846             }
847         }
848         if (producesInteger(node->arithRoundingMode()))
849             forNode(node).setType(SpecInt32);
850         else
851             forNode(node).setType(typeOfDoubleRounding(forNode(node->child1()).m_type));
852         break;
853     }
854             
855     case ArithSqrt: {
856         JSValue child = forNode(node->child1()).value();
857         if (child && child.isNumber()) {
858             setConstant(node, jsDoubleNumber(sqrt(child.asNumber())));
859             break;
860         }
861         forNode(node).setType(typeOfDoubleUnaryOp(forNode(node->child1()).m_type));
862         break;
863     }
864         
865     case ArithFRound: {
866         JSValue child = forNode(node->child1()).value();
867         if (child && child.isNumber()) {
868             setConstant(node, jsDoubleNumber(static_cast<float>(child.asNumber())));
869             break;
870         }
871         forNode(node).setType(typeOfDoubleRounding(forNode(node->child1()).m_type));
872         break;
873     }
874         
875     case ArithSin: {
876         JSValue child = forNode(node->child1()).value();
877         if (child && child.isNumber()) {
878             setConstant(node, jsDoubleNumber(sin(child.asNumber())));
879             break;
880         }
881         forNode(node).setType(typeOfDoubleUnaryOp(forNode(node->child1()).m_type));
882         break;
883     }
884     
885     case ArithCos: {
886         JSValue child = forNode(node->child1()).value();
887         if (child && child.isNumber()) {
888             setConstant(node, jsDoubleNumber(cos(child.asNumber())));
889             break;
890         }
891         forNode(node).setType(typeOfDoubleUnaryOp(forNode(node->child1()).m_type));
892         break;
893     }
894
895     case ArithLog: {
896         JSValue child = forNode(node->child1()).value();
897         if (child && child.isNumber()) {
898             setConstant(node, jsDoubleNumber(log(child.asNumber())));
899             break;
900         }
901         forNode(node).setType(typeOfDoubleUnaryOp(forNode(node->child1()).m_type));
902         break;
903     }
904             
905     case LogicalNot: {
906         switch (booleanResult(node, forNode(node->child1()))) {
907         case DefinitelyTrue:
908             setConstant(node, jsBoolean(false));
909             break;
910         case DefinitelyFalse:
911             setConstant(node, jsBoolean(true));
912             break;
913         default:
914             forNode(node).setType(SpecBoolean);
915             break;
916         }
917         break;
918     }
919         
920     case IsUndefined:
921     case IsBoolean:
922     case IsNumber:
923     case IsString:
924     case IsObject:
925     case IsObjectOrNull:
926     case IsFunction: {
927         AbstractValue child = forNode(node->child1());
928         if (child.value()) {
929             bool constantWasSet = true;
930             switch (node->op()) {
931             case IsUndefined:
932                 setConstant(node, jsBoolean(
933                     child.value().isCell()
934                     ? child.value().asCell()->structure()->masqueradesAsUndefined(m_codeBlock->globalObjectFor(node->origin.semantic))
935                     : child.value().isUndefined()));
936                 break;
937             case IsBoolean:
938                 setConstant(node, jsBoolean(child.value().isBoolean()));
939                 break;
940             case IsNumber:
941                 setConstant(node, jsBoolean(child.value().isNumber()));
942                 break;
943             case IsString:
944                 setConstant(node, jsBoolean(isJSString(child.value())));
945                 break;
946             case IsObject:
947                 setConstant(node, jsBoolean(child.value().isObject()));
948                 break;
949             case IsObjectOrNull:
950                 if (child.value().isObject()) {
951                     JSObject* object = asObject(child.value());
952                     if (object->type() == JSFunctionType)
953                         setConstant(node, jsBoolean(false));
954                     else if (!(object->inlineTypeFlags() & TypeOfShouldCallGetCallData))
955                         setConstant(node, jsBoolean(!child.value().asCell()->structure()->masqueradesAsUndefined(m_codeBlock->globalObjectFor(node->origin.semantic))));
956                     else {
957                         // FIXME: This could just call getCallData.
958                         // https://bugs.webkit.org/show_bug.cgi?id=144457
959                         constantWasSet = false;
960                     }
961                 } else
962                     setConstant(node, jsBoolean(child.value().isNull()));
963                 break;
964             case IsFunction:
965                 if (child.value().isObject()) {
966                     JSObject* object = asObject(child.value());
967                     if (object->type() == JSFunctionType)
968                         setConstant(node, jsBoolean(true));
969                     else if (!(object->inlineTypeFlags() & TypeOfShouldCallGetCallData))
970                         setConstant(node, jsBoolean(false));
971                     else {
972                         // FIXME: This could just call getCallData.
973                         // https://bugs.webkit.org/show_bug.cgi?id=144457
974                         constantWasSet = false;
975                     }
976                 } else
977                     setConstant(node, jsBoolean(false));
978                 break;
979             default:
980                 constantWasSet = false;
981                 break;
982             }
983             if (constantWasSet)
984                 break;
985         }
986         
987         // FIXME: This code should really use AbstractValue::isType() and
988         // AbstractValue::couldBeType().
989         // https://bugs.webkit.org/show_bug.cgi?id=146870
990         
991         bool constantWasSet = false;
992         switch (node->op()) {
993         case IsUndefined:
994             // FIXME: Use the masquerades-as-undefined watchpoint thingy.
995             // https://bugs.webkit.org/show_bug.cgi?id=144456
996             
997             if (!(child.m_type & (SpecOther | SpecObjectOther))) {
998                 setConstant(node, jsBoolean(false));
999                 constantWasSet = true;
1000                 break;
1001             }
1002             
1003             break;
1004         case IsBoolean:
1005             if (!(child.m_type & ~SpecBoolean)) {
1006                 setConstant(node, jsBoolean(true));
1007                 constantWasSet = true;
1008                 break;
1009             }
1010             
1011             if (!(child.m_type & SpecBoolean)) {
1012                 setConstant(node, jsBoolean(false));
1013                 constantWasSet = true;
1014                 break;
1015             }
1016             
1017             break;
1018         case IsNumber:
1019             if (!(child.m_type & ~SpecFullNumber)) {
1020                 setConstant(node, jsBoolean(true));
1021                 constantWasSet = true;
1022                 break;
1023             }
1024             
1025             if (!(child.m_type & SpecFullNumber)) {
1026                 setConstant(node, jsBoolean(false));
1027                 constantWasSet = true;
1028                 break;
1029             }
1030             
1031             break;
1032         case IsString:
1033             if (!(child.m_type & ~SpecString)) {
1034                 setConstant(node, jsBoolean(true));
1035                 constantWasSet = true;
1036                 break;
1037             }
1038             
1039             if (!(child.m_type & SpecString)) {
1040                 setConstant(node, jsBoolean(false));
1041                 constantWasSet = true;
1042                 break;
1043             }
1044             
1045             break;
1046         case IsObject:
1047             if (!(child.m_type & ~SpecObject)) {
1048                 setConstant(node, jsBoolean(true));
1049                 constantWasSet = true;
1050                 break;
1051             }
1052             
1053             if (!(child.m_type & SpecObject)) {
1054                 setConstant(node, jsBoolean(false));
1055                 constantWasSet = true;
1056                 break;
1057             }
1058             
1059             break;
1060         case IsObjectOrNull:
1061             // FIXME: Use the masquerades-as-undefined watchpoint thingy.
1062             // https://bugs.webkit.org/show_bug.cgi?id=144456
1063             
1064             // These expressions are complicated to parse. A helpful way to parse this is that
1065             // "!(T & ~S)" means "T is a subset of S". Conversely, "!(T & S)" means "T is a
1066             // disjoint set from S". Things like "T - S" means that, provided that S is a
1067             // subset of T, it's the "set of all things in T but not in S". Things like "T | S"
1068             // mean the "union of T and S".
1069             
1070             // Is the child's type an object that isn't an other-object (i.e. object that could
1071             // have masquaredes-as-undefined traps) and isn't a function?  Then: we should fold
1072             // this to true.
1073             if (!(child.m_type & ~(SpecObject - SpecObjectOther - SpecFunction))) {
1074                 setConstant(node, jsBoolean(true));
1075                 constantWasSet = true;
1076                 break;
1077             }
1078             
1079             // Is the child's type definitely not either of: an object that isn't a function,
1080             // or either undefined or null?  Then: we should fold this to false.  This means
1081             // for example that if it's any non-function object, including those that have
1082             // masquerades-as-undefined traps, then we don't fold. It also means we won't fold
1083             // if it's undefined-or-null, since the type bits don't distinguish between
1084             // undefined (which should fold to false) and null (which should fold to true).
1085             if (!(child.m_type & ((SpecObject - SpecFunction) | SpecOther))) {
1086                 setConstant(node, jsBoolean(false));
1087                 constantWasSet = true;
1088                 break;
1089             }
1090             
1091             break;
1092         case IsFunction:
1093             if (!(child.m_type & ~SpecFunction)) {
1094                 setConstant(node, jsBoolean(true));
1095                 constantWasSet = true;
1096                 break;
1097             }
1098             
1099             if (!(child.m_type & (SpecFunction | SpecObjectOther))) {
1100                 setConstant(node, jsBoolean(false));
1101                 constantWasSet = true;
1102                 break;
1103             }
1104             break;
1105         default:
1106             break;
1107         }
1108         if (constantWasSet)
1109             break;
1110         
1111         forNode(node).setType(SpecBoolean);
1112         break;
1113     }
1114
1115     case TypeOf: {
1116         VM* vm = m_codeBlock->vm();
1117         JSValue child = forNode(node->child1()).value();
1118         AbstractValue& abstractChild = forNode(node->child1());
1119         if (child) {
1120             JSValue typeString = jsTypeStringForValue(*vm, m_codeBlock->globalObjectFor(node->origin.semantic), child);
1121             setConstant(node, *m_graph.freeze(typeString));
1122             break;
1123         }
1124         
1125         if (isFullNumberSpeculation(abstractChild.m_type)) {
1126             setConstant(node, *m_graph.freeze(vm->smallStrings.numberString()));
1127             break;
1128         }
1129         
1130         if (isStringSpeculation(abstractChild.m_type)) {
1131             setConstant(node, *m_graph.freeze(vm->smallStrings.stringString()));
1132             break;
1133         }
1134
1135         // FIXME: We could use the masquerades-as-undefined watchpoint here.
1136         // https://bugs.webkit.org/show_bug.cgi?id=144456
1137         if (!(abstractChild.m_type & ~(SpecObject - SpecObjectOther))) {
1138             setConstant(node, *m_graph.freeze(vm->smallStrings.objectString()));
1139             break;
1140         }
1141         
1142         if (isFunctionSpeculation(abstractChild.m_type)) {
1143             setConstant(node, *m_graph.freeze(vm->smallStrings.functionString()));
1144             break;
1145         }
1146         
1147         if (isBooleanSpeculation(abstractChild.m_type)) {
1148             setConstant(node, *m_graph.freeze(vm->smallStrings.booleanString()));
1149             break;
1150         }
1151
1152         if (isSymbolSpeculation(abstractChild.m_type)) {
1153             setConstant(node, *m_graph.freeze(vm->smallStrings.symbolString()));
1154             break;
1155         }
1156
1157         forNode(node).setType(m_graph, SpecStringIdent);
1158         break;
1159     }
1160             
1161     case CompareLess:
1162     case CompareLessEq:
1163     case CompareGreater:
1164     case CompareGreaterEq:
1165     case CompareEq: {
1166         JSValue leftConst = forNode(node->child1()).value();
1167         JSValue rightConst = forNode(node->child2()).value();
1168         if (leftConst && rightConst) {
1169             if (leftConst.isNumber() && rightConst.isNumber()) {
1170                 double a = leftConst.asNumber();
1171                 double b = rightConst.asNumber();
1172                 switch (node->op()) {
1173                 case CompareLess:
1174                     setConstant(node, jsBoolean(a < b));
1175                     break;
1176                 case CompareLessEq:
1177                     setConstant(node, jsBoolean(a <= b));
1178                     break;
1179                 case CompareGreater:
1180                     setConstant(node, jsBoolean(a > b));
1181                     break;
1182                 case CompareGreaterEq:
1183                     setConstant(node, jsBoolean(a >= b));
1184                     break;
1185                 case CompareEq:
1186                     setConstant(node, jsBoolean(a == b));
1187                     break;
1188                 default:
1189                     RELEASE_ASSERT_NOT_REACHED();
1190                     break;
1191                 }
1192                 break;
1193             }
1194             
1195             if (node->op() == CompareEq && leftConst.isString() && rightConst.isString()) {
1196                 const StringImpl* a = asString(leftConst)->tryGetValueImpl();
1197                 const StringImpl* b = asString(rightConst)->tryGetValueImpl();
1198                 if (a && b) {
1199                     setConstant(node, jsBoolean(WTF::equal(a, b)));
1200                     break;
1201                 }
1202             }
1203
1204             if (node->op() == CompareEq && leftConst.isSymbol() && rightConst.isSymbol()) {
1205                 setConstant(node, jsBoolean(asSymbol(leftConst)->privateName() == asSymbol(rightConst)->privateName()));
1206                 break;
1207             }
1208         }
1209         
1210         if (node->op() == CompareEq) {
1211             SpeculatedType leftType = forNode(node->child1()).m_type;
1212             SpeculatedType rightType = forNode(node->child2()).m_type;
1213             if (!valuesCouldBeEqual(leftType, rightType)) {
1214                 setConstant(node, jsBoolean(false));
1215                 break;
1216             }
1217
1218             if (leftType == SpecOther)
1219                 std::swap(leftType, rightType);
1220             if (rightType == SpecOther) {
1221                 // Undefined and Null are always equal when compared to eachother.
1222                 if (!(leftType & ~SpecOther)) {
1223                     setConstant(node, jsBoolean(true));
1224                     break;
1225                 }
1226
1227                 // Any other type compared to Null or Undefined is always false
1228                 // as long as the MasqueradesAsUndefined watchpoint is valid.
1229                 //
1230                 // MasqueradesAsUndefined only matters for SpecObjectOther, other
1231                 // cases are always "false".
1232                 if (!(leftType & (SpecObjectOther | SpecOther))) {
1233                     setConstant(node, jsBoolean(false));
1234                     break;
1235                 }
1236
1237                 if (!(leftType & SpecOther) && m_graph.masqueradesAsUndefinedWatchpointIsStillValid(node->origin.semantic)) {
1238                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1239                     m_graph.watchpoints().addLazily(globalObject->masqueradesAsUndefinedWatchpoint());
1240                     setConstant(node, jsBoolean(false));
1241                     break;
1242                 }
1243             }
1244         }
1245         
1246         if (node->child1() == node->child2()) {
1247             if (node->isBinaryUseKind(Int32Use) ||
1248                 node->isBinaryUseKind(Int52RepUse) ||
1249                 node->isBinaryUseKind(StringUse) ||
1250                 node->isBinaryUseKind(BooleanUse) ||
1251                 node->isBinaryUseKind(SymbolUse) ||
1252                 node->isBinaryUseKind(StringIdentUse) ||
1253                 node->isBinaryUseKind(ObjectUse) ||
1254                 node->isBinaryUseKind(ObjectUse, ObjectOrOtherUse) ||
1255                 node->isBinaryUseKind(ObjectOrOtherUse, ObjectUse)) {
1256                 switch (node->op()) {
1257                 case CompareLess:
1258                 case CompareGreater:
1259                     setConstant(node, jsBoolean(false));
1260                     break;
1261                 case CompareLessEq:
1262                 case CompareGreaterEq:
1263                 case CompareEq:
1264                     setConstant(node, jsBoolean(true));
1265                     break;
1266                 default:
1267                     DFG_CRASH(m_graph, node, "Unexpected node type");
1268                     break;
1269                 }
1270                 break;
1271             }
1272         }
1273         
1274         forNode(node).setType(SpecBoolean);
1275         break;
1276     }
1277             
1278     case CompareStrictEq: {
1279         Node* leftNode = node->child1().node();
1280         Node* rightNode = node->child2().node();
1281         JSValue left = forNode(leftNode).value();
1282         JSValue right = forNode(rightNode).value();
1283         if (left && right) {
1284             if (left.isString() && right.isString()) {
1285                 // We need this case because JSValue::strictEqual is otherwise too racy for
1286                 // string comparisons.
1287                 const StringImpl* a = asString(left)->tryGetValueImpl();
1288                 const StringImpl* b = asString(right)->tryGetValueImpl();
1289                 if (a && b) {
1290                     setConstant(node, jsBoolean(WTF::equal(a, b)));
1291                     break;
1292                 }
1293             } else {
1294                 setConstant(node, jsBoolean(JSValue::strictEqual(0, left, right)));
1295                 break;
1296             }
1297         }
1298         
1299         SpeculatedType leftLUB = leastUpperBoundOfStrictlyEquivalentSpeculations(forNode(leftNode).m_type);
1300         SpeculatedType rightLUB = leastUpperBoundOfStrictlyEquivalentSpeculations(forNode(rightNode).m_type);
1301         if (!(leftLUB & rightLUB)) {
1302             setConstant(node, jsBoolean(false));
1303             break;
1304         }
1305         
1306         if (node->child1() == node->child2()) {
1307             if (node->isBinaryUseKind(BooleanUse) ||
1308                 node->isBinaryUseKind(Int32Use) ||
1309                 node->isBinaryUseKind(Int52RepUse) ||
1310                 node->isBinaryUseKind(StringUse) ||
1311                 node->isBinaryUseKind(StringIdentUse) ||
1312                 node->isBinaryUseKind(SymbolUse) ||
1313                 node->isBinaryUseKind(ObjectUse) ||
1314                 node->isBinaryUseKind(MiscUse, UntypedUse) ||
1315                 node->isBinaryUseKind(UntypedUse, MiscUse) ||
1316                 node->isBinaryUseKind(StringIdentUse, NotStringVarUse) ||
1317                 node->isBinaryUseKind(NotStringVarUse, StringIdentUse) ||
1318                 node->isBinaryUseKind(StringUse, UntypedUse) ||
1319                 node->isBinaryUseKind(UntypedUse, StringUse)) {
1320                 setConstant(node, jsBoolean(true));
1321                 break;
1322             }
1323         }
1324
1325         forNode(node).setType(SpecBoolean);
1326         break;
1327     }
1328         
1329     case StringCharCodeAt:
1330         forNode(node).setType(SpecInt32);
1331         break;
1332         
1333     case StringFromCharCode:
1334         forNode(node).setType(m_graph, SpecString);
1335         break;
1336
1337     case StringCharAt:
1338         forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
1339         break;
1340             
1341     case GetByVal: {
1342         switch (node->arrayMode().type()) {
1343         case Array::SelectUsingPredictions:
1344         case Array::Unprofiled:
1345         case Array::SelectUsingArguments:
1346             RELEASE_ASSERT_NOT_REACHED();
1347             break;
1348         case Array::ForceExit:
1349             m_state.setIsValid(false);
1350             break;
1351         case Array::Undecided: {
1352             JSValue index = forNode(node->child2()).value();
1353             if (index && index.isInt32() && index.asInt32() >= 0) {
1354                 setConstant(node, jsUndefined());
1355                 break;
1356             }
1357             forNode(node).setType(SpecOther);
1358             break;
1359         }
1360         case Array::Generic:
1361             clobberWorld(node->origin.semantic, clobberLimit);
1362             forNode(node).makeHeapTop();
1363             break;
1364         case Array::String:
1365             if (node->arrayMode().isOutOfBounds()) {
1366                 // If the watchpoint was still valid we could totally set this to be
1367                 // SpecString | SpecOther. Except that we'd have to be careful. If we
1368                 // tested the watchpoint state here then it could change by the time
1369                 // we got to the backend. So to do this right, we'd have to get the
1370                 // fixup phase to check the watchpoint state and then bake into the
1371                 // GetByVal operation the fact that we're using a watchpoint, using
1372                 // something like Array::SaneChain (except not quite, because that
1373                 // implies an in-bounds access). None of this feels like it's worth it,
1374                 // so we're going with TOP for now. The same thing applies to
1375                 // clobbering the world.
1376                 clobberWorld(node->origin.semantic, clobberLimit);
1377                 forNode(node).makeHeapTop();
1378             } else
1379                 forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
1380             break;
1381         case Array::DirectArguments:
1382         case Array::ScopedArguments:
1383             forNode(node).makeHeapTop();
1384             break;
1385         case Array::Int32:
1386             if (node->arrayMode().isOutOfBounds()) {
1387                 clobberWorld(node->origin.semantic, clobberLimit);
1388                 forNode(node).makeHeapTop();
1389             } else
1390                 forNode(node).setType(SpecInt32);
1391             break;
1392         case Array::Double:
1393             if (node->arrayMode().isOutOfBounds()) {
1394                 clobberWorld(node->origin.semantic, clobberLimit);
1395                 forNode(node).makeHeapTop();
1396             } else if (node->arrayMode().isSaneChain())
1397                 forNode(node).setType(SpecBytecodeDouble);
1398             else
1399                 forNode(node).setType(SpecDoubleReal);
1400             break;
1401         case Array::Contiguous:
1402         case Array::ArrayStorage:
1403         case Array::SlowPutArrayStorage:
1404             if (node->arrayMode().isOutOfBounds())
1405                 clobberWorld(node->origin.semantic, clobberLimit);
1406             forNode(node).makeHeapTop();
1407             break;
1408         case Array::Int8Array:
1409             forNode(node).setType(SpecInt32);
1410             break;
1411         case Array::Int16Array:
1412             forNode(node).setType(SpecInt32);
1413             break;
1414         case Array::Int32Array:
1415             forNode(node).setType(SpecInt32);
1416             break;
1417         case Array::Uint8Array:
1418             forNode(node).setType(SpecInt32);
1419             break;
1420         case Array::Uint8ClampedArray:
1421             forNode(node).setType(SpecInt32);
1422             break;
1423         case Array::Uint16Array:
1424             forNode(node).setType(SpecInt32);
1425             break;
1426         case Array::Uint32Array:
1427             if (node->shouldSpeculateInt32())
1428                 forNode(node).setType(SpecInt32);
1429             else if (enableInt52() && node->shouldSpeculateMachineInt())
1430                 forNode(node).setType(SpecInt52);
1431             else
1432                 forNode(node).setType(SpecInt52AsDouble);
1433             break;
1434         case Array::Float32Array:
1435             forNode(node).setType(SpecFullDouble);
1436             break;
1437         case Array::Float64Array:
1438             forNode(node).setType(SpecFullDouble);
1439             break;
1440         default:
1441             RELEASE_ASSERT_NOT_REACHED();
1442             break;
1443         }
1444         break;
1445     }
1446             
1447     case PutByValDirect:
1448     case PutByVal:
1449     case PutByValAlias: {
1450         switch (node->arrayMode().modeForPut().type()) {
1451         case Array::ForceExit:
1452             m_state.setIsValid(false);
1453             break;
1454         case Array::Generic:
1455             clobberWorld(node->origin.semantic, clobberLimit);
1456             break;
1457         case Array::Int32:
1458             if (node->arrayMode().isOutOfBounds())
1459                 clobberWorld(node->origin.semantic, clobberLimit);
1460             break;
1461         case Array::Double:
1462             if (node->arrayMode().isOutOfBounds())
1463                 clobberWorld(node->origin.semantic, clobberLimit);
1464             break;
1465         case Array::Contiguous:
1466         case Array::ArrayStorage:
1467             if (node->arrayMode().isOutOfBounds())
1468                 clobberWorld(node->origin.semantic, clobberLimit);
1469             break;
1470         case Array::SlowPutArrayStorage:
1471             if (node->arrayMode().mayStoreToHole())
1472                 clobberWorld(node->origin.semantic, clobberLimit);
1473             break;
1474         default:
1475             break;
1476         }
1477         break;
1478     }
1479             
1480     case ArrayPush:
1481         clobberWorld(node->origin.semantic, clobberLimit);
1482         forNode(node).setType(SpecBytecodeNumber);
1483         break;
1484             
1485     case ArrayPop:
1486         clobberWorld(node->origin.semantic, clobberLimit);
1487         forNode(node).makeHeapTop();
1488         break;
1489         
1490     case GetMyArgumentByVal: {
1491         JSValue index = forNode(node->child2()).m_value;
1492         InlineCallFrame* inlineCallFrame = node->child1()->origin.semantic.inlineCallFrame;
1493
1494         if (index && index.isInt32()) {
1495             // This pretends to return TOP for accesses that are actually proven out-of-bounds because
1496             // that's the conservative thing to do. Otherwise we'd need to write more code to mark such
1497             // paths as unreachable, and it's almost certainly not worth the effort.
1498             
1499             if (inlineCallFrame) {
1500                 if (index.asUInt32() < inlineCallFrame->arguments.size() - 1) {
1501                     forNode(node) = m_state.variables().operand(
1502                         virtualRegisterForArgument(index.asInt32() + 1) + inlineCallFrame->stackOffset);
1503                     m_state.setFoundConstants(true);
1504                     break;
1505                 }
1506             } else {
1507                 if (index.asUInt32() < m_state.variables().numberOfArguments() - 1) {
1508                     forNode(node) = m_state.variables().argument(index.asInt32() + 1);
1509                     m_state.setFoundConstants(true);
1510                     break;
1511                 }
1512             }
1513         }
1514         
1515         if (inlineCallFrame) {
1516             // We have a bound on the types even though it's random access. Take advantage of this.
1517             
1518             AbstractValue result;
1519             for (unsigned i = inlineCallFrame->arguments.size(); i-- > 1;) {
1520                 result.merge(
1521                     m_state.variables().operand(
1522                         virtualRegisterForArgument(i) + inlineCallFrame->stackOffset));
1523             }
1524             
1525             if (result.value())
1526                 m_state.setFoundConstants(true);
1527             forNode(node) = result;
1528             break;
1529         }
1530         
1531         forNode(node).makeHeapTop();
1532         break;
1533     }
1534             
1535     case RegExpExec:
1536         forNode(node).makeHeapTop();
1537         break;
1538
1539     case RegExpTest:
1540         forNode(node).setType(SpecBoolean);
1541         break;
1542             
1543     case Jump:
1544         break;
1545             
1546     case Branch: {
1547         Node* child = node->child1().node();
1548         BooleanResult result = booleanResult(node, forNode(child));
1549         if (result == DefinitelyTrue) {
1550             m_state.setBranchDirection(TakeTrue);
1551             break;
1552         }
1553         if (result == DefinitelyFalse) {
1554             m_state.setBranchDirection(TakeFalse);
1555             break;
1556         }
1557         // FIXME: The above handles the trivial cases of sparse conditional
1558         // constant propagation, but we can do better:
1559         // We can specialize the source variable's value on each direction of
1560         // the branch.
1561         m_state.setBranchDirection(TakeBoth);
1562         break;
1563     }
1564         
1565     case Switch: {
1566         // Nothing to do for now.
1567         // FIXME: Do sparse conditional things.
1568         break;
1569     }
1570             
1571     case Return:
1572         m_state.setIsValid(false);
1573         break;
1574
1575     case TailCall:
1576     case TailCallVarargs:
1577     case TailCallForwardVarargs:
1578         clobberWorld(node->origin.semantic, clobberLimit);
1579         m_state.setIsValid(false);
1580         break;
1581         
1582     case Throw:
1583     case ThrowReferenceError:
1584         m_state.setIsValid(false);
1585         break;
1586             
1587     case ToPrimitive: {
1588         JSValue childConst = forNode(node->child1()).value();
1589         if (childConst && childConst.isNumber()) {
1590             setConstant(node, childConst);
1591             break;
1592         }
1593         
1594         ASSERT(node->child1().useKind() == UntypedUse);
1595         
1596         if (!forNode(node->child1()).m_type) {
1597             m_state.setIsValid(false);
1598             break;
1599         }
1600         
1601         if (!(forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol))) {
1602             m_state.setFoundConstants(true);
1603             forNode(node) = forNode(node->child1());
1604             break;
1605         }
1606         
1607         clobberWorld(node->origin.semantic, clobberLimit);
1608         
1609         forNode(node).setType(m_graph, SpecHeapTop & ~SpecObject);
1610         break;
1611     }
1612         
1613     case ToString:
1614     case CallStringConstructor: {
1615         switch (node->child1().useKind()) {
1616         case StringObjectUse:
1617             // This also filters that the StringObject has the primordial StringObject
1618             // structure.
1619             filter(
1620                 node->child1(),
1621                 m_graph.globalObjectFor(node->origin.semantic)->stringObjectStructure());
1622             break;
1623         case StringOrStringObjectUse:
1624             break;
1625         case CellUse:
1626         case UntypedUse:
1627             clobberWorld(node->origin.semantic, clobberLimit);
1628             break;
1629         default:
1630             RELEASE_ASSERT_NOT_REACHED();
1631             break;
1632         }
1633         forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
1634         break;
1635     }
1636         
1637     case NewStringObject: {
1638         ASSERT(node->structure()->classInfo() == StringObject::info());
1639         forNode(node).set(m_graph, node->structure());
1640         break;
1641     }
1642             
1643     case NewArray:
1644         forNode(node).set(
1645             m_graph,
1646             m_graph.globalObjectFor(node->origin.semantic)->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()));
1647         break;
1648         
1649     case NewArrayBuffer:
1650         forNode(node).set(
1651             m_graph,
1652             m_graph.globalObjectFor(node->origin.semantic)->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()));
1653         break;
1654
1655     case NewArrayWithSize:
1656         forNode(node).setType(m_graph, SpecArray);
1657         break;
1658         
1659     case NewTypedArray:
1660         switch (node->child1().useKind()) {
1661         case Int32Use:
1662             break;
1663         case UntypedUse:
1664             clobberWorld(node->origin.semantic, clobberLimit);
1665             break;
1666         default:
1667             RELEASE_ASSERT_NOT_REACHED();
1668             break;
1669         }
1670         forNode(node).set(
1671             m_graph,
1672             m_graph.globalObjectFor(node->origin.semantic)->typedArrayStructure(
1673                 node->typedArrayType()));
1674         break;
1675             
1676     case NewRegexp:
1677         forNode(node).set(m_graph, m_graph.globalObjectFor(node->origin.semantic)->regExpStructure());
1678         break;
1679             
1680     case ToThis: {
1681         AbstractValue& source = forNode(node->child1());
1682         AbstractValue& destination = forNode(node);
1683             
1684         if (m_graph.executableFor(node->origin.semantic)->isStrictMode())
1685             destination.makeHeapTop();
1686         else {
1687             destination = source;
1688             destination.merge(SpecObject);
1689         }
1690         break;
1691     }
1692
1693     case CreateThis: {
1694         // FIXME: We can fold this to NewObject if the incoming callee is a constant.
1695         forNode(node).setType(m_graph, SpecFinalObject);
1696         break;
1697     }
1698         
1699     case NewObject:
1700         ASSERT(node->structure());
1701         forNode(node).set(m_graph, node->structure());
1702         break;
1703         
1704     case PhantomNewObject:
1705     case PhantomNewFunction:
1706     case PhantomCreateActivation:
1707     case PhantomDirectArguments:
1708     case PhantomClonedArguments:
1709     case BottomValue:
1710         m_state.setDidClobber(true); // Prevent constant folding.
1711         // This claims to return bottom.
1712         break;
1713         
1714     case PutHint:
1715         break;
1716         
1717     case MaterializeNewObject: {
1718         StructureSet set;
1719         
1720         m_phiChildren->forAllTransitiveIncomingValues(
1721             m_graph.varArgChild(node, 0).node(),
1722             [&] (Node* incoming) {
1723                 set.add(incoming->castConstant<Structure*>());
1724             });
1725         
1726         forNode(node).set(m_graph, set);
1727         break;
1728     }
1729
1730     case CreateActivation:
1731     case MaterializeCreateActivation:
1732         forNode(node).set(
1733             m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->activationStructure());
1734         break;
1735         
1736     case CreateDirectArguments:
1737         forNode(node).set(m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->directArgumentsStructure());
1738         break;
1739         
1740     case CreateScopedArguments:
1741         forNode(node).set(m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->scopedArgumentsStructure());
1742         break;
1743         
1744     case CreateClonedArguments:
1745         forNode(node).setType(m_graph, SpecObjectOther);
1746         break;
1747             
1748     case NewArrowFunction:
1749         forNode(node).set(
1750             m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->arrowFunctionStructure());
1751         break;
1752             
1753     case NewFunction:
1754         forNode(node).set(
1755             m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->functionStructure());
1756         break;
1757         
1758     case GetCallee:
1759         if (FunctionExecutable* executable = jsDynamicCast<FunctionExecutable*>(m_codeBlock->ownerExecutable())) {
1760             InferredValue* singleton = executable->singletonFunction();
1761             if (JSValue value = singleton->inferredValue()) {
1762                 m_graph.watchpoints().addLazily(singleton);
1763                 JSFunction* function = jsCast<JSFunction*>(value);
1764                 setConstant(node, *m_graph.freeze(function));
1765                 break;
1766             }
1767         }
1768         forNode(node).setType(m_graph, SpecFunction);
1769         break;
1770         
1771     case GetArgumentCount:
1772         forNode(node).setType(SpecInt32);
1773         break;
1774         
1775     case GetRestLength:
1776         forNode(node).setType(SpecInt32);
1777         break;
1778         
1779     case GetGetter: {
1780         JSValue base = forNode(node->child1()).m_value;
1781         if (base) {
1782             GetterSetter* getterSetter = jsCast<GetterSetter*>(base);
1783             if (!getterSetter->isGetterNull()) {
1784                 setConstant(node, *m_graph.freeze(getterSetter->getterConcurrently()));
1785                 break;
1786             }
1787         }
1788         
1789         forNode(node).setType(m_graph, SpecObject);
1790         break;
1791     }
1792         
1793     case GetSetter: {
1794         JSValue base = forNode(node->child1()).m_value;
1795         if (base) {
1796             GetterSetter* getterSetter = jsCast<GetterSetter*>(base);
1797             if (!getterSetter->isSetterNull()) {
1798                 setConstant(node, *m_graph.freeze(getterSetter->setterConcurrently()));
1799                 break;
1800             }
1801         }
1802         
1803         forNode(node).setType(m_graph, SpecObject);
1804         break;
1805     }
1806         
1807     case GetScope:
1808         if (JSValue base = forNode(node->child1()).m_value) {
1809             if (JSFunction* function = jsDynamicCast<JSFunction*>(base)) {
1810                 setConstant(node, *m_graph.freeze(function->scope()));
1811                 break;
1812             }
1813         }
1814         forNode(node).setType(m_graph, SpecObjectOther);
1815         break;
1816
1817     case SkipScope: {
1818         JSValue child = forNode(node->child1()).value();
1819         if (child) {
1820             setConstant(node, *m_graph.freeze(JSValue(jsCast<JSScope*>(child.asCell())->next())));
1821             break;
1822         }
1823         forNode(node).setType(m_graph, SpecObjectOther);
1824         break;
1825     }
1826
1827     case GetClosureVar:
1828         if (JSValue value = m_graph.tryGetConstantClosureVar(forNode(node->child1()), node->scopeOffset())) {
1829             setConstant(node, *m_graph.freeze(value));
1830             break;
1831         }
1832         forNode(node).makeBytecodeTop();
1833         break;
1834             
1835     case PutClosureVar:
1836         break;
1837         
1838     case GetFromArguments:
1839         forNode(node).makeHeapTop();
1840         break;
1841         
1842     case PutToArguments:
1843         break;
1844             
1845     case GetById:
1846     case GetByIdFlush: {
1847         if (!node->prediction()) {
1848             m_state.setIsValid(false);
1849             break;
1850         }
1851         
1852         AbstractValue& value = forNode(node->child1());
1853         if (value.m_structure.isFinite()
1854             && (node->child1().useKind() == CellUse || !(value.m_type & ~SpecCell))) {
1855             UniquedStringImpl* uid = m_graph.identifiers()[node->identifierNumber()];
1856             GetByIdStatus status = GetByIdStatus::computeFor(value.m_structure.set(), uid);
1857             if (status.isSimple()) {
1858                 // Figure out what the result is going to be - is it TOP, a constant, or maybe
1859                 // something more subtle?
1860                 AbstractValue result;
1861                 for (unsigned i = status.numVariants(); i--;) {
1862                     // This thing won't give us a variant that involves prototypes. If it did, we'd
1863                     // have more work to do here.
1864                     DFG_ASSERT(m_graph, node, status[i].conditionSet().isEmpty());
1865
1866                     result.merge(
1867                         m_graph.inferredValueForProperty(
1868                             value, uid, status[i].offset(), m_state.structureClobberState()));
1869                 }
1870                 m_state.setFoundConstants(true);
1871                 forNode(node) = result;
1872                 break;
1873             }
1874         }
1875
1876         clobberWorld(node->origin.semantic, clobberLimit);
1877         forNode(node).makeHeapTop();
1878         break;
1879     }
1880             
1881     case GetArrayLength: {
1882         JSArrayBufferView* view = m_graph.tryGetFoldableView(
1883             forNode(node->child1()).m_value, node->arrayMode());
1884         if (view) {
1885             setConstant(node, jsNumber(view->length()));
1886             break;
1887         }
1888         forNode(node).setType(SpecInt32);
1889         break;
1890     }
1891         
1892     case CheckStructure: {
1893         AbstractValue& value = forNode(node->child1());
1894
1895         StructureSet& set = node->structureSet();
1896         
1897         // It's interesting that we could have proven that the object has a larger structure set
1898         // that includes the set we're testing. In that case we could make the structure check
1899         // more efficient. We currently don't.
1900         
1901         if (value.m_structure.isSubsetOf(set))
1902             m_state.setFoundConstants(true);
1903
1904         SpeculatedType admittedTypes = SpecNone;
1905         switch (node->child1().useKind()) {
1906         case CellUse:
1907         case KnownCellUse:
1908             admittedTypes = SpecNone;
1909             break;
1910         case CellOrOtherUse:
1911             admittedTypes = SpecOther;
1912             break;
1913         default:
1914             DFG_CRASH(m_graph, node, "Bad use kind");
1915             break;
1916         }
1917         
1918         filter(value, set, admittedTypes);
1919         break;
1920     }
1921         
1922     case CheckStructureImmediate: {
1923         // FIXME: This currently can only reason about one structure at a time.
1924         // https://bugs.webkit.org/show_bug.cgi?id=136988
1925         
1926         AbstractValue& value = forNode(node->child1());
1927         StructureSet& set = node->structureSet();
1928         
1929         if (value.value()) {
1930             if (Structure* structure = jsDynamicCast<Structure*>(value.value())) {
1931                 if (set.contains(structure)) {
1932                     m_state.setFoundConstants(true);
1933                     break;
1934                 }
1935             }
1936             m_state.setIsValid(false);
1937             break;
1938         }
1939         
1940         if (m_phiChildren) {
1941             bool allGood = true;
1942             m_phiChildren->forAllTransitiveIncomingValues(
1943                 node,
1944                 [&] (Node* incoming) {
1945                     if (Structure* structure = incoming->dynamicCastConstant<Structure*>()) {
1946                         if (set.contains(structure))
1947                             return;
1948                     }
1949                     allGood = false;
1950                 });
1951             if (allGood) {
1952                 m_state.setFoundConstants(true);
1953                 break;
1954             }
1955         }
1956             
1957         if (Structure* structure = set.onlyStructure()) {
1958             filterByValue(node->child1(), *m_graph.freeze(structure));
1959             break;
1960         }
1961         
1962         // Aw shucks, we can't do anything!
1963         break;
1964     }
1965         
1966     case PutStructure:
1967         if (!forNode(node->child1()).m_structure.isClear()) {
1968             if (forNode(node->child1()).m_structure.onlyStructure() == node->transition()->next)
1969                 m_state.setFoundConstants(true);
1970             else {
1971                 observeTransition(
1972                     clobberLimit, node->transition()->previous, node->transition()->next);
1973                 forNode(node->child1()).changeStructure(m_graph, node->transition()->next);
1974             }
1975         }
1976         break;
1977     case GetButterfly:
1978     case GetButterflyReadOnly:
1979     case AllocatePropertyStorage:
1980     case ReallocatePropertyStorage:
1981         forNode(node).clear(); // The result is not a JS value.
1982         break;
1983     case CheckArray: {
1984         if (node->arrayMode().alreadyChecked(m_graph, node, forNode(node->child1()))) {
1985             m_state.setFoundConstants(true);
1986             break;
1987         }
1988         switch (node->arrayMode().type()) {
1989         case Array::String:
1990             filter(node->child1(), SpecString);
1991             break;
1992         case Array::Int32:
1993         case Array::Double:
1994         case Array::Contiguous:
1995         case Array::Undecided:
1996         case Array::ArrayStorage:
1997         case Array::SlowPutArrayStorage:
1998             break;
1999         case Array::DirectArguments:
2000             filter(node->child1(), SpecDirectArguments);
2001             break;
2002         case Array::ScopedArguments:
2003             filter(node->child1(), SpecScopedArguments);
2004             break;
2005         case Array::Int8Array:
2006             filter(node->child1(), SpecInt8Array);
2007             break;
2008         case Array::Int16Array:
2009             filter(node->child1(), SpecInt16Array);
2010             break;
2011         case Array::Int32Array:
2012             filter(node->child1(), SpecInt32Array);
2013             break;
2014         case Array::Uint8Array:
2015             filter(node->child1(), SpecUint8Array);
2016             break;
2017         case Array::Uint8ClampedArray:
2018             filter(node->child1(), SpecUint8ClampedArray);
2019             break;
2020         case Array::Uint16Array:
2021             filter(node->child1(), SpecUint16Array);
2022             break;
2023         case Array::Uint32Array:
2024             filter(node->child1(), SpecUint32Array);
2025             break;
2026         case Array::Float32Array:
2027             filter(node->child1(), SpecFloat32Array);
2028             break;
2029         case Array::Float64Array:
2030             filter(node->child1(), SpecFloat64Array);
2031             break;
2032         case Array::AnyTypedArray:
2033             filter(node->child1(), SpecTypedArrayView);
2034             break;
2035         default:
2036             RELEASE_ASSERT_NOT_REACHED();
2037             break;
2038         }
2039         filterArrayModes(node->child1(), node->arrayMode().arrayModesThatPassFiltering());
2040         break;
2041     }
2042     case Arrayify: {
2043         if (node->arrayMode().alreadyChecked(m_graph, node, forNode(node->child1()))) {
2044             m_state.setFoundConstants(true);
2045             break;
2046         }
2047         ASSERT(node->arrayMode().conversion() == Array::Convert);
2048         clobberStructures(clobberLimit);
2049         filterArrayModes(node->child1(), node->arrayMode().arrayModesThatPassFiltering());
2050         break;
2051     }
2052     case ArrayifyToStructure: {
2053         AbstractValue& value = forNode(node->child1());
2054         if (value.m_structure.isSubsetOf(StructureSet(node->structure())))
2055             m_state.setFoundConstants(true);
2056         clobberStructures(clobberLimit);
2057         
2058         // We have a bunch of options of how to express the abstract set at this point. Let set S
2059         // be the set of structures that the value had before clobbering and assume that all of
2060         // them are watchable. The new value should be the least expressible upper bound of the
2061         // intersection of "values that currently have structure = node->structure()" and "values
2062         // that have structure in S plus any structure transition-reachable from S". Assume that
2063         // node->structure() is not in S but it is transition-reachable from S. Then we would
2064         // like to say that the result is "values that have structure = node->structure() until
2065         // we invalidate", but there is no way to express this using the AbstractValue syntax. So
2066         // we must choose between:
2067         //
2068         // 1) "values that currently have structure = node->structure()". This is a valid
2069         //    superset of the value that we really want, and it's specific enough to satisfy the
2070         //    preconditions of the array access that this is guarding. It's also specific enough
2071         //    to allow relevant optimizations in the case that we didn't have a contradiction
2072         //    like in this example. Notice that in the abscence of any contradiction, this result
2073         //    is precise rather than being a conservative LUB.
2074         //
2075         // 2) "values that currently hava structure in S plus any structure transition-reachable
2076         //    from S". This is also a valid superset of the value that we really want, but it's
2077         //    not specific enough to satisfy the preconditions of the array access that this is
2078         //    guarding - so playing such shenanigans would preclude us from having assertions on
2079         //    the typing preconditions of any array accesses. This would also not be a desirable
2080         //    answer in the absence of a contradiction.
2081         //
2082         // Note that it's tempting to simply say that the resulting value is BOTTOM because of
2083         // the contradiction. That would be wrong, since we haven't hit an invalidation point,
2084         // yet.
2085         value.set(m_graph, node->structure());
2086         break;
2087     }
2088     case GetIndexedPropertyStorage: {
2089         JSArrayBufferView* view = m_graph.tryGetFoldableView(
2090             forNode(node->child1()).m_value, node->arrayMode());
2091         if (view)
2092             m_state.setFoundConstants(true);
2093         forNode(node).clear();
2094         break;
2095     }
2096     case ConstantStoragePointer: {
2097         forNode(node).clear();
2098         break; 
2099     }
2100         
2101     case GetTypedArrayByteOffset: {
2102         JSArrayBufferView* view = m_graph.tryGetFoldableView(forNode(node->child1()).m_value);
2103         if (view) {
2104             setConstant(node, jsNumber(view->byteOffset()));
2105             break;
2106         }
2107         forNode(node).setType(SpecInt32);
2108         break;
2109     }
2110         
2111     case GetByOffset: {
2112         StorageAccessData& data = node->storageAccessData();
2113         UniquedStringImpl* uid = m_graph.identifiers()[data.identifierNumber];
2114
2115         // FIXME: The part of this that handles inferred property types relies on AI knowing the structure
2116         // right now. That's probably not optimal. In some cases, we may perform an optimization (usually
2117         // by something other than AI, maybe by CSE for example) that obscures AI's view of the structure
2118         // at the point where GetByOffset runs. Currently, when that happens, we'll have to rely entirely
2119         // on the type that ByteCodeParser was able to prove.
2120         AbstractValue value = m_graph.inferredValueForProperty(
2121             forNode(node->child2()), uid, data.offset, m_state.structureClobberState());
2122
2123         // It's possible that the type that ByteCodeParser came up with is better.
2124         AbstractValue typeFromParsing;
2125         typeFromParsing.set(m_graph, data.inferredType, m_state.structureClobberState());
2126         value.filter(typeFromParsing);
2127
2128         // If we decide that there does not exist any value that this can return, then it's probably
2129         // because the compilation was already invalidated.
2130         if (value.isClear())
2131             m_state.setIsValid(false);
2132
2133         forNode(node) = value;
2134         if (value.m_value)
2135             m_state.setFoundConstants(true);
2136         break;
2137     }
2138         
2139     case GetGetterSetterByOffset: {
2140         StorageAccessData& data = node->storageAccessData();
2141         JSValue result = m_graph.tryGetConstantProperty(forNode(node->child2()), data.offset);
2142         if (result && jsDynamicCast<GetterSetter*>(result)) {
2143             setConstant(node, *m_graph.freeze(result));
2144             break;
2145         }
2146         
2147         forNode(node).set(m_graph, m_graph.m_vm.getterSetterStructure.get());
2148         break;
2149     }
2150         
2151     case MultiGetByOffset: {
2152         // This code will filter the base value in a manner that is possibly different (either more
2153         // or less precise) than the way it would be filtered if this was strength-reduced to a
2154         // CheckStructure. This is fine. It's legal for different passes over the code to prove
2155         // different things about the code, so long as all of them are sound. That even includes
2156         // one guy proving that code should never execute (due to a contradiction) and another guy
2157         // not finding that contradiction. If someone ever proved that there would be a
2158         // contradiction then there must always be a contradiction even if subsequent passes don't
2159         // realize it. This is the case here.
2160         
2161         // Ordinarily you have to be careful with calling setFoundConstants()
2162         // because of the effect on compile times, but this node is FTL-only.
2163         m_state.setFoundConstants(true);
2164         
2165         UniquedStringImpl* uid = m_graph.identifiers()[node->multiGetByOffsetData().identifierNumber];
2166
2167         AbstractValue base = forNode(node->child1());
2168         StructureSet baseSet;
2169         AbstractValue result;
2170         for (const MultiGetByOffsetCase& getCase : node->multiGetByOffsetData().cases) {
2171             StructureSet set = getCase.set();
2172             set.filter(base);
2173             if (set.isEmpty())
2174                 continue;
2175             baseSet.merge(set);
2176
2177             switch (getCase.method().kind()) {
2178             case GetByOffsetMethod::Constant: {
2179                 AbstractValue thisResult;
2180                 thisResult.set(
2181                     m_graph,
2182                     *getCase.method().constant(),
2183                     m_state.structureClobberState());
2184                 result.merge(thisResult);
2185                 break;
2186             }
2187
2188             case GetByOffsetMethod::Load: {
2189                 result.merge(
2190                     m_graph.inferredValueForProperty(
2191                         set, uid, m_state.structureClobberState()));
2192                 break;
2193             }
2194
2195             default: {
2196                 result.makeHeapTop();
2197                 break;
2198             } }
2199         }
2200         
2201         if (forNode(node->child1()).changeStructure(m_graph, baseSet) == Contradiction)
2202             m_state.setIsValid(false);
2203         
2204         forNode(node) = result;
2205         break;
2206     }
2207             
2208     case PutByOffset: {
2209         break;
2210     }
2211         
2212     case MultiPutByOffset: {
2213         StructureSet newSet;
2214         TransitionVector transitions;
2215         
2216         // Ordinarily you have to be careful with calling setFoundConstants()
2217         // because of the effect on compile times, but this node is FTL-only.
2218         m_state.setFoundConstants(true);
2219         
2220         AbstractValue base = forNode(node->child1());
2221         AbstractValue originalValue = forNode(node->child2());
2222         AbstractValue resultingValue;
2223         
2224         for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
2225             const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
2226             StructureSet thisSet = variant.oldStructure();
2227             thisSet.filter(base);
2228             if (thisSet.isEmpty())
2229                 continue;
2230
2231             AbstractValue thisValue = originalValue;
2232             thisValue.filter(m_graph, variant.requiredType());
2233             resultingValue.merge(thisValue);
2234             
2235             if (variant.kind() == PutByIdVariant::Transition) {
2236                 if (thisSet.onlyStructure() != variant.newStructure()) {
2237                     transitions.append(
2238                         Transition(variant.oldStructureForTransition(), variant.newStructure()));
2239                 } // else this is really a replace.
2240                 newSet.add(variant.newStructure());
2241             } else {
2242                 ASSERT(variant.kind() == PutByIdVariant::Replace);
2243                 newSet.merge(thisSet);
2244             }
2245         }
2246         
2247         observeTransitions(clobberLimit, transitions);
2248         if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
2249             m_state.setIsValid(false);
2250         forNode(node->child2()) = resultingValue;
2251         if (!!originalValue && !resultingValue)
2252             m_state.setIsValid(false);
2253         break;
2254     }
2255         
2256     case GetExecutable: {
2257         JSValue value = forNode(node->child1()).value();
2258         if (value) {
2259             JSFunction* function = jsDynamicCast<JSFunction*>(value);
2260             if (function) {
2261                 setConstant(node, *m_graph.freeze(function->executable()));
2262                 break;
2263             }
2264         }
2265         forNode(node).setType(m_graph, SpecCellOther);
2266         break;
2267     }
2268     
2269     case CheckCell: {
2270         JSValue value = forNode(node->child1()).value();
2271         if (value == node->cellOperand()->value()) {
2272             m_state.setFoundConstants(true);
2273             ASSERT(value);
2274             break;
2275         }
2276         filterByValue(node->child1(), *node->cellOperand());
2277         break;
2278     }
2279
2280     case CheckNotEmpty: {
2281         AbstractValue& value = forNode(node->child1());
2282         if (!(value.m_type & SpecEmpty)) {
2283             m_state.setFoundConstants(true);
2284             break;
2285         }
2286         
2287         filter(value, ~SpecEmpty);
2288         break;
2289     }
2290
2291     case CheckIdent: {
2292         AbstractValue& value = forNode(node->child1());
2293         UniquedStringImpl* uid = node->uidOperand();
2294         ASSERT(uid->isSymbol() ? !(value.m_type & ~SpecSymbol) : !(value.m_type & ~SpecStringIdent)); // Edge filtering should have already ensured this.
2295
2296         JSValue childConstant = value.value();
2297         if (childConstant) {
2298             if (uid->isSymbol()) {
2299                 ASSERT(childConstant.isSymbol());
2300                 if (asSymbol(childConstant)->privateName().uid() == uid) {
2301                     m_state.setFoundConstants(true);
2302                     break;
2303                 }
2304             } else {
2305                 ASSERT(childConstant.isString());
2306                 if (asString(childConstant)->tryGetValueImpl() == uid) {
2307                     m_state.setFoundConstants(true);
2308                     break;
2309                 }
2310             }
2311         }
2312
2313         filter(value, uid->isSymbol() ? SpecSymbol : SpecStringIdent);
2314         break;
2315     }
2316
2317     case CheckInBounds: {
2318         JSValue left = forNode(node->child1()).value();
2319         JSValue right = forNode(node->child2()).value();
2320         if (left && right && left.isInt32() && right.isInt32()
2321             && static_cast<uint32_t>(left.asInt32()) < static_cast<uint32_t>(right.asInt32())) {
2322             m_state.setFoundConstants(true);
2323             break;
2324         }
2325         break;
2326     }
2327         
2328     case PutById:
2329     case PutByIdFlush:
2330     case PutByIdDirect: {
2331         AbstractValue& value = forNode(node->child1());
2332         if (value.m_structure.isFinite()) {
2333             PutByIdStatus status = PutByIdStatus::computeFor(
2334                 m_graph.globalObjectFor(node->origin.semantic),
2335                 value.m_structure.set(),
2336                 m_graph.identifiers()[node->identifierNumber()],
2337                 node->op() == PutByIdDirect);
2338
2339             if (status.isSimple()) {
2340                 StructureSet newSet;
2341                 TransitionVector transitions;
2342                 
2343                 for (unsigned i = status.numVariants(); i--;) {
2344                     const PutByIdVariant& variant = status[i];
2345                     if (variant.kind() == PutByIdVariant::Transition) {
2346                         transitions.append(
2347                             Transition(
2348                                 variant.oldStructureForTransition(), variant.newStructure()));
2349                         m_graph.registerStructure(variant.newStructure());
2350                         newSet.add(variant.newStructure());
2351                     } else {
2352                         ASSERT(variant.kind() == PutByIdVariant::Replace);
2353                         newSet.merge(variant.oldStructure());
2354                     }
2355                 }
2356                 
2357                 if (status.numVariants() == 1 || isFTL(m_graph.m_plan.mode))
2358                     m_state.setFoundConstants(true);
2359                 
2360                 observeTransitions(clobberLimit, transitions);
2361                 if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
2362                     m_state.setIsValid(false);
2363                 break;
2364             }
2365         }
2366         
2367         clobberWorld(node->origin.semantic, clobberLimit);
2368         break;
2369     }
2370
2371     case PutGetterById:
2372     case PutSetterById:
2373     case PutGetterSetterById:
2374     case PutGetterByVal:
2375     case PutSetterByVal: {
2376         clobberWorld(node->origin.semantic, clobberLimit);
2377         break;
2378     }
2379         
2380     case In: {
2381         // FIXME: We can determine when the property definitely exists based on abstract
2382         // value information.
2383         clobberWorld(node->origin.semantic, clobberLimit);
2384         forNode(node).setType(SpecBoolean);
2385         break;
2386     }
2387             
2388     case GetEnumerableLength: {
2389         forNode(node).setType(SpecInt32);
2390         break;
2391     }
2392     case HasGenericProperty: {
2393         forNode(node).setType(SpecBoolean);
2394         break;
2395     }
2396     case HasStructureProperty: {
2397         forNode(node).setType(SpecBoolean);
2398         break;
2399     }
2400     case HasIndexedProperty: {
2401         ArrayMode mode = node->arrayMode();
2402         switch (mode.type()) {
2403         case Array::Int32:
2404         case Array::Double:
2405         case Array::Contiguous:
2406         case Array::ArrayStorage: {
2407             break;
2408         }
2409         default: {
2410             clobberWorld(node->origin.semantic, clobberLimit);
2411             break;
2412         }
2413         }
2414         forNode(node).setType(SpecBoolean);
2415         break;
2416     }
2417     case GetDirectPname: {
2418         clobberWorld(node->origin.semantic, clobberLimit);
2419         forNode(node).makeHeapTop();
2420         break;
2421     }
2422     case GetPropertyEnumerator: {
2423         forNode(node).setType(m_graph, SpecCell);
2424         break;
2425     }
2426     case GetEnumeratorStructurePname: {
2427         forNode(node).setType(m_graph, SpecString | SpecOther);
2428         break;
2429     }
2430     case GetEnumeratorGenericPname: {
2431         forNode(node).setType(m_graph, SpecString | SpecOther);
2432         break;
2433     }
2434     case ToIndexString: {
2435         forNode(node).setType(m_graph, SpecString);
2436         break;
2437     }
2438
2439     case GetGlobalVar:
2440         forNode(node).makeHeapTop();
2441         break;
2442     case GetGlobalLexicalVariable:
2443         forNode(node).makeBytecodeTop();
2444         break;
2445         
2446     case VarInjectionWatchpoint:
2447     case PutGlobalVariable:
2448     case NotifyWrite:
2449         break;
2450             
2451     case CheckHasInstance:
2452         // Sadly, we don't propagate the fact that we've done CheckHasInstance
2453         break;
2454             
2455     case InstanceOf:
2456         // Again, sadly, we don't propagate the fact that we've done InstanceOf
2457         forNode(node).setType(SpecBoolean);
2458         break;
2459             
2460     case Phi:
2461         RELEASE_ASSERT(m_graph.m_form == SSA);
2462         // The state of this node would have already been decided, but it may have become a
2463         // constant, in which case we'd like to know.
2464         if (forNode(node).m_value)
2465             m_state.setFoundConstants(true);
2466         break;
2467         
2468     case Upsilon: {
2469         m_state.createValueForNode(node->phi());
2470         forNode(node->phi()) = forNode(node->child1());
2471         break;
2472     }
2473         
2474     case Flush:
2475     case PhantomLocal:
2476         break;
2477             
2478     case Call:
2479     case TailCallInlinedCaller:
2480     case Construct:
2481     case CallVarargs:
2482     case CallForwardVarargs:
2483     case TailCallVarargsInlinedCaller:
2484     case ConstructVarargs:
2485     case ConstructForwardVarargs:
2486     case TailCallForwardVarargsInlinedCaller:
2487         clobberWorld(node->origin.semantic, clobberLimit);
2488         forNode(node).makeHeapTop();
2489         break;
2490
2491     case ForceOSRExit:
2492     case CheckBadCell:
2493         m_state.setIsValid(false);
2494         break;
2495         
2496     case InvalidationPoint:
2497         forAllValues(clobberLimit, AbstractValue::observeInvalidationPointFor);
2498         m_state.setStructureClobberState(StructuresAreWatched);
2499         break;
2500
2501     case CheckWatchdogTimer:
2502         break;
2503
2504     case Breakpoint:
2505     case ProfileWillCall:
2506     case ProfileDidCall:
2507     case ProfileType:
2508     case ProfileControlFlow:
2509     case Phantom:
2510     case CountExecution:
2511     case CheckTierUpInLoop:
2512     case CheckTierUpAtReturn:
2513         break;
2514
2515     case CopyRest:
2516         break;
2517             
2518     case Check: {
2519         // Simplify out checks that don't actually do checking.
2520         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2521             Edge edge = node->children.child(i);
2522             if (!edge)
2523                 break;
2524             if (edge.isProved() || edge.willNotHaveCheck()) {
2525                 m_state.setFoundConstants(true);
2526                 break;
2527             }
2528         }
2529         break;
2530     }
2531
2532     case StoreBarrier: {
2533         filter(node->child1(), SpecCell);
2534         break;
2535     }
2536
2537     case CheckTierUpAndOSREnter:
2538     case CheckTierUpWithNestedTriggerAndOSREnter:
2539     case LoopHint:
2540     case ZombieHint:
2541     case ExitOK:
2542         break;
2543
2544     case Unreachable:
2545     case LastNodeType:
2546     case ArithIMul:
2547     case FiatInt52:
2548         DFG_CRASH(m_graph, node, "Unexpected node type");
2549         break;
2550     }
2551     
2552     return m_state.isValid();
2553 }
2554
2555 template<typename AbstractStateType>
2556 bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned indexInBlock)
2557 {
2558     return executeEffects(indexInBlock, m_state.block()->at(indexInBlock));
2559 }
2560
2561 template<typename AbstractStateType>
2562 bool AbstractInterpreter<AbstractStateType>::execute(unsigned indexInBlock)
2563 {
2564     Node* node = m_state.block()->at(indexInBlock);
2565     
2566     startExecuting();
2567     executeEdges(node);
2568     return executeEffects(indexInBlock, node);
2569 }
2570
2571 template<typename AbstractStateType>
2572 bool AbstractInterpreter<AbstractStateType>::execute(Node* node)
2573 {
2574     startExecuting();
2575     executeEdges(node);
2576     return executeEffects(UINT_MAX, node);
2577 }
2578
2579 template<typename AbstractStateType>
2580 void AbstractInterpreter<AbstractStateType>::clobberWorld(
2581     const CodeOrigin&, unsigned clobberLimit)
2582 {
2583     clobberStructures(clobberLimit);
2584 }
2585
2586 template<typename AbstractStateType>
2587 template<typename Functor>
2588 void AbstractInterpreter<AbstractStateType>::forAllValues(
2589     unsigned clobberLimit, Functor& functor)
2590 {
2591     SamplingRegion samplingRegion("DFG AI For All Values");
2592     if (clobberLimit >= m_state.block()->size())
2593         clobberLimit = m_state.block()->size();
2594     else
2595         clobberLimit++;
2596     ASSERT(clobberLimit <= m_state.block()->size());
2597     for (size_t i = clobberLimit; i--;)
2598         functor(forNode(m_state.block()->at(i)));
2599     if (m_graph.m_form == SSA) {
2600         HashSet<Node*>::iterator iter = m_state.block()->ssa->liveAtHead.begin();
2601         HashSet<Node*>::iterator end = m_state.block()->ssa->liveAtHead.end();
2602         for (; iter != end; ++iter)
2603             functor(forNode(*iter));
2604     }
2605     for (size_t i = m_state.variables().numberOfArguments(); i--;)
2606         functor(m_state.variables().argument(i));
2607     for (size_t i = m_state.variables().numberOfLocals(); i--;)
2608         functor(m_state.variables().local(i));
2609 }
2610
2611 template<typename AbstractStateType>
2612 void AbstractInterpreter<AbstractStateType>::clobberStructures(unsigned clobberLimit)
2613 {
2614     SamplingRegion samplingRegion("DFG AI Clobber Structures");
2615     forAllValues(clobberLimit, AbstractValue::clobberStructuresFor);
2616     setDidClobber();
2617 }
2618
2619 template<typename AbstractStateType>
2620 void AbstractInterpreter<AbstractStateType>::observeTransition(
2621     unsigned clobberLimit, Structure* from, Structure* to)
2622 {
2623     AbstractValue::TransitionObserver transitionObserver(from, to);
2624     forAllValues(clobberLimit, transitionObserver);
2625     
2626     ASSERT(!from->dfgShouldWatch()); // We don't need to claim to be in a clobbered state because 'from' was never watchable (during the time we were compiling), hence no constants ever introduced into the DFG IR that ever had a watchable structure would ever have the same structure as from.
2627 }
2628
2629 template<typename AbstractStateType>
2630 void AbstractInterpreter<AbstractStateType>::observeTransitions(
2631     unsigned clobberLimit, const TransitionVector& vector)
2632 {
2633     AbstractValue::TransitionsObserver transitionsObserver(vector);
2634     forAllValues(clobberLimit, transitionsObserver);
2635     
2636     if (!ASSERT_DISABLED) {
2637         // We don't need to claim to be in a clobbered state because none of the Transition::previous structures are watchable.
2638         for (unsigned i = vector.size(); i--;)
2639             ASSERT(!vector[i].previous->dfgShouldWatch());
2640     }
2641 }
2642
2643 template<typename AbstractStateType>
2644 void AbstractInterpreter<AbstractStateType>::setDidClobber()
2645 {
2646     m_state.setDidClobber(true);
2647     m_state.setStructureClobberState(StructuresAreClobbered);
2648 }
2649
2650 template<typename AbstractStateType>
2651 void AbstractInterpreter<AbstractStateType>::dump(PrintStream& out) const
2652 {
2653     const_cast<AbstractInterpreter<AbstractStateType>*>(this)->dump(out);
2654 }
2655
2656 template<typename AbstractStateType>
2657 void AbstractInterpreter<AbstractStateType>::dump(PrintStream& out)
2658 {
2659     CommaPrinter comma(" ");
2660     HashSet<Node*> seen;
2661     if (m_graph.m_form == SSA) {
2662         HashSet<Node*>::iterator iter = m_state.block()->ssa->liveAtHead.begin();
2663         HashSet<Node*>::iterator end = m_state.block()->ssa->liveAtHead.end();
2664         for (; iter != end; ++iter) {
2665             Node* node = *iter;
2666             seen.add(node);
2667             AbstractValue& value = forNode(node);
2668             if (value.isClear())
2669                 continue;
2670             out.print(comma, node, ":", value);
2671         }
2672     }
2673     for (size_t i = 0; i < m_state.block()->size(); ++i) {
2674         Node* node = m_state.block()->at(i);
2675         seen.add(node);
2676         AbstractValue& value = forNode(node);
2677         if (value.isClear())
2678             continue;
2679         out.print(comma, node, ":", value);
2680     }
2681     if (m_graph.m_form == SSA) {
2682         HashSet<Node*>::iterator iter = m_state.block()->ssa->liveAtTail.begin();
2683         HashSet<Node*>::iterator end = m_state.block()->ssa->liveAtTail.end();
2684         for (; iter != end; ++iter) {
2685             Node* node = *iter;
2686             if (seen.contains(node))
2687                 continue;
2688             AbstractValue& value = forNode(node);
2689             if (value.isClear())
2690                 continue;
2691             out.print(comma, node, ":", value);
2692         }
2693     }
2694 }
2695
2696 template<typename AbstractStateType>
2697 FiltrationResult AbstractInterpreter<AbstractStateType>::filter(
2698     AbstractValue& value, const StructureSet& set, SpeculatedType admittedTypes)
2699 {
2700     if (value.filter(m_graph, set, admittedTypes) == FiltrationOK)
2701         return FiltrationOK;
2702     m_state.setIsValid(false);
2703     return Contradiction;
2704 }
2705
2706 template<typename AbstractStateType>
2707 FiltrationResult AbstractInterpreter<AbstractStateType>::filterArrayModes(
2708     AbstractValue& value, ArrayModes arrayModes)
2709 {
2710     if (value.filterArrayModes(arrayModes) == FiltrationOK)
2711         return FiltrationOK;
2712     m_state.setIsValid(false);
2713     return Contradiction;
2714 }
2715
2716 template<typename AbstractStateType>
2717 FiltrationResult AbstractInterpreter<AbstractStateType>::filter(
2718     AbstractValue& value, SpeculatedType type)
2719 {
2720     if (value.filter(type) == FiltrationOK)
2721         return FiltrationOK;
2722     m_state.setIsValid(false);
2723     return Contradiction;
2724 }
2725
2726 template<typename AbstractStateType>
2727 FiltrationResult AbstractInterpreter<AbstractStateType>::filterByValue(
2728     AbstractValue& abstractValue, FrozenValue concreteValue)
2729 {
2730     if (abstractValue.filterByValue(concreteValue) == FiltrationOK)
2731         return FiltrationOK;
2732     m_state.setIsValid(false);
2733     return Contradiction;
2734 }
2735
2736 } } // namespace JSC::DFG
2737
2738 #endif // ENABLE(DFG_JIT)
2739
2740 #endif // DFGAbstractInterpreterInlines_h
2741