We should support CreateThis in the FTL
[WebKit-https.git] / Source / JavaScriptCore / ftl / FTLLowerDFGToB3.cpp
1 /*
2  * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "FTLLowerDFGToB3.h"
28
29 #if ENABLE(FTL_JIT)
30
31 #include "AirCode.h"
32 #include "AirGenerationContext.h"
33 #include "AllowMacroScratchRegisterUsage.h"
34 #include "AllowMacroScratchRegisterUsageIf.h"
35 #include "AtomicsObject.h"
36 #include "B3CheckValue.h"
37 #include "B3FenceValue.h"
38 #include "B3PatchpointValue.h"
39 #include "B3SlotBaseValue.h"
40 #include "B3StackmapGenerationParams.h"
41 #include "B3ValueInlines.h"
42 #include "CallFrameShuffler.h"
43 #include "CodeBlockWithJITType.h"
44 #include "DFGAbstractInterpreterInlines.h"
45 #include "DFGCapabilities.h"
46 #include "DFGDominators.h"
47 #include "DFGInPlaceAbstractState.h"
48 #include "DFGOSRAvailabilityAnalysisPhase.h"
49 #include "DFGOSRExitFuzz.h"
50 #include "DirectArguments.h"
51 #include "FTLAbstractHeapRepository.h"
52 #include "FTLAvailableRecovery.h"
53 #include "FTLExceptionTarget.h"
54 #include "FTLForOSREntryJITCode.h"
55 #include "FTLFormattedValue.h"
56 #include "FTLLazySlowPathCall.h"
57 #include "FTLLoweredNodeValue.h"
58 #include "FTLOperations.h"
59 #include "FTLOutput.h"
60 #include "FTLPatchpointExceptionHandle.h"
61 #include "FTLSnippetParams.h"
62 #include "FTLThunks.h"
63 #include "FTLWeightedTarget.h"
64 #include "JITAddGenerator.h"
65 #include "JITBitAndGenerator.h"
66 #include "JITBitOrGenerator.h"
67 #include "JITBitXorGenerator.h"
68 #include "JITDivGenerator.h"
69 #include "JITInlineCacheGenerator.h"
70 #include "JITLeftShiftGenerator.h"
71 #include "JITMathIC.h"
72 #include "JITMulGenerator.h"
73 #include "JITRightShiftGenerator.h"
74 #include "JITSubGenerator.h"
75 #include "JSAsyncFunction.h"
76 #include "JSAsyncGeneratorFunction.h"
77 #include "JSCInlines.h"
78 #include "JSGeneratorFunction.h"
79 #include "JSImmutableButterfly.h"
80 #include "JSLexicalEnvironment.h"
81 #include "JSMap.h"
82 #include "OperandsInlines.h"
83 #include "RegExpObject.h"
84 #include "ScopedArguments.h"
85 #include "ScopedArgumentsTable.h"
86 #include "ScratchRegisterAllocator.h"
87 #include "SetupVarargsFrame.h"
88 #include "ShadowChicken.h"
89 #include "StructureStubInfo.h"
90 #include "SuperSampler.h"
91 #include "ThunkGenerators.h"
92 #include "VirtualRegister.h"
93 #include "Watchdog.h"
94 #include <atomic>
95 #include <wtf/Box.h>
96 #include <wtf/Gigacage.h>
97 #include <wtf/RecursableLambda.h>
98 #include <wtf/StdUnorderedSet.h>
99
100 #undef RELEASE_ASSERT
101 #define RELEASE_ASSERT(assertion) do { \
102     if (!(assertion)) { \
103         WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, #assertion); \
104         CRASH(); \
105     } \
106 } while (0)
107
108 namespace JSC { namespace FTL {
109
110 using namespace B3;
111 using namespace DFG;
112
113 namespace {
114
115 std::atomic<int> compileCounter;
116
117 #if !ASSERT_DISABLED
118 NO_RETURN_DUE_TO_CRASH static void ftlUnreachable(
119     CodeBlock* codeBlock, BlockIndex blockIndex, unsigned nodeIndex)
120 {
121     dataLog("Crashing in thought-to-be-unreachable FTL-generated code for ", pointerDump(codeBlock), " at basic block #", blockIndex);
122     if (nodeIndex != UINT_MAX)
123         dataLog(", node @", nodeIndex);
124     dataLog(".\n");
125     CRASH();
126 }
127 #endif
128
129 // Using this instead of typeCheck() helps to reduce the load on B3, by creating
130 // significantly less dead code.
131 #define FTL_TYPE_CHECK_WITH_EXIT_KIND(exitKind, lowValue, highValue, typesPassedThrough, failCondition) do { \
132         FormattedValue _ftc_lowValue = (lowValue);                      \
133         Edge _ftc_highValue = (highValue);                              \
134         SpeculatedType _ftc_typesPassedThrough = (typesPassedThrough);  \
135         if (!m_interpreter.needsTypeCheck(_ftc_highValue, _ftc_typesPassedThrough)) \
136             break;                                                      \
137         typeCheck(_ftc_lowValue, _ftc_highValue, _ftc_typesPassedThrough, (failCondition), exitKind); \
138     } while (false)
139
140 #define FTL_TYPE_CHECK(lowValue, highValue, typesPassedThrough, failCondition) \
141     FTL_TYPE_CHECK_WITH_EXIT_KIND(BadType, lowValue, highValue, typesPassedThrough, failCondition)
142
143 class LowerDFGToB3 {
144     WTF_MAKE_NONCOPYABLE(LowerDFGToB3);
145 public:
146     LowerDFGToB3(State& state)
147         : m_graph(state.graph)
148         , m_ftlState(state)
149         , m_out(state)
150         , m_proc(*state.proc)
151         , m_availabilityCalculator(m_graph)
152         , m_state(state.graph)
153         , m_interpreter(state.graph, m_state)
154         , m_indexMaskingMode(Options::enableSpectreMitigations() ?  IndexMaskingEnabled : IndexMaskingDisabled)
155     {
156     }
157     
158     void lower()
159     {
160         State* state = &m_ftlState;
161         
162         CString name;
163         if (verboseCompilationEnabled()) {
164             name = toCString(
165                 "jsBody_", ++compileCounter, "_", codeBlock()->inferredName(),
166                 "_", codeBlock()->hash());
167         } else
168             name = "jsBody";
169
170         {
171             m_proc.setNumEntrypoints(m_graph.m_numberOfEntrypoints);
172             CodeBlock* codeBlock = m_graph.m_codeBlock;
173
174             Ref<B3::Air::PrologueGenerator> catchPrologueGenerator = createSharedTask<B3::Air::PrologueGeneratorFunction>(
175                 [codeBlock] (CCallHelpers& jit, B3::Air::Code& code) {
176                     AllowMacroScratchRegisterUsage allowScratch(jit);
177                     jit.addPtr(CCallHelpers::TrustedImm32(-code.frameSize()), GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister);
178                     if (Options::zeroStackFrame())
179                         jit.clearStackFrame(GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister, GPRInfo::regT0, code.frameSize());
180
181                     jit.emitSave(code.calleeSaveRegisterAtOffsetList());
182                     jit.emitPutToCallFrameHeader(codeBlock, CallFrameSlot::codeBlock);
183                 });
184
185             for (unsigned catchEntrypointIndex : m_graph.m_entrypointIndexToCatchBytecodeOffset.keys()) {
186                 RELEASE_ASSERT(catchEntrypointIndex != 0);
187                 m_proc.code().setPrologueForEntrypoint(catchEntrypointIndex, catchPrologueGenerator.copyRef());
188             }
189
190             if (m_graph.m_maxLocalsForCatchOSREntry) {
191                 uint32_t numberOfLiveLocals = std::max(*m_graph.m_maxLocalsForCatchOSREntry, 1u); // Make sure we always allocate a non-null catchOSREntryBuffer.
192                 m_ftlState.jitCode->common.catchOSREntryBuffer = m_graph.m_vm.scratchBufferForSize(sizeof(JSValue) * numberOfLiveLocals);
193             }
194         }
195         
196         m_graph.ensureSSADominators();
197
198         if (verboseCompilationEnabled())
199             dataLog("Function ready, beginning lowering.\n");
200
201         m_out.initialize(m_heaps);
202
203         // We use prologue frequency for all of the initialization code.
204         m_out.setFrequency(1);
205         
206         bool hasMultipleEntrypoints = m_graph.m_numberOfEntrypoints > 1;
207     
208         LBasicBlock prologue = m_out.newBlock();
209         LBasicBlock callEntrypointArgumentSpeculations = hasMultipleEntrypoints ? m_out.newBlock() : nullptr;
210         m_handleExceptions = m_out.newBlock();
211
212         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
213             m_highBlock = m_graph.block(blockIndex);
214             if (!m_highBlock)
215                 continue;
216             m_out.setFrequency(m_highBlock->executionCount);
217             m_blocks.add(m_highBlock, m_out.newBlock());
218         }
219
220         // Back to prologue frequency for any bocks that get sneakily created in the initialization code.
221         m_out.setFrequency(1);
222         
223         m_out.appendTo(prologue, hasMultipleEntrypoints ? callEntrypointArgumentSpeculations : m_handleExceptions);
224         m_out.initializeConstants(m_proc, prologue);
225         createPhiVariables();
226
227         size_t sizeOfCaptured = sizeof(JSValue) * m_graph.m_nextMachineLocal;
228         B3::SlotBaseValue* capturedBase = m_out.lockedStackSlot(sizeOfCaptured);
229         m_captured = m_out.add(capturedBase, m_out.constIntPtr(sizeOfCaptured));
230         state->capturedValue = capturedBase->slot();
231
232         auto preOrder = m_graph.blocksInPreOrder();
233
234         m_callFrame = m_out.framePointer();
235         m_tagTypeNumber = m_out.constInt64(TagTypeNumber);
236         m_tagMask = m_out.constInt64(TagMask);
237
238         // Make sure that B3 knows that we really care about the mask registers. This forces the
239         // constants to be materialized in registers.
240         m_proc.addFastConstant(m_tagTypeNumber->key());
241         m_proc.addFastConstant(m_tagMask->key());
242         
243         // We don't want the CodeBlock to have a weak pointer to itself because
244         // that would cause it to always get collected.
245         m_out.storePtr(m_out.constIntPtr(bitwise_cast<intptr_t>(codeBlock())), addressFor(CallFrameSlot::codeBlock));
246
247         VM* vm = &this->vm();
248
249         // Stack Overflow Check.
250         unsigned exitFrameSize = m_graph.requiredRegisterCountForExit() * sizeof(Register);
251         MacroAssembler::AbsoluteAddress addressOfStackLimit(vm->addressOfSoftStackLimit());
252         PatchpointValue* stackOverflowHandler = m_out.patchpoint(Void);
253         CallSiteIndex callSiteIndex = callSiteIndexForCodeOrigin(m_ftlState, CodeOrigin(0));
254         stackOverflowHandler->appendSomeRegister(m_callFrame);
255         stackOverflowHandler->clobber(RegisterSet::macroScratchRegisters());
256         stackOverflowHandler->numGPScratchRegisters = 1;
257         stackOverflowHandler->setGenerator(
258             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
259                 AllowMacroScratchRegisterUsage allowScratch(jit);
260                 GPRReg fp = params[0].gpr();
261                 GPRReg scratch = params.gpScratch(0);
262
263                 unsigned ftlFrameSize = params.proc().frameSize();
264                 unsigned maxFrameSize = std::max(exitFrameSize, ftlFrameSize);
265
266                 jit.addPtr(MacroAssembler::TrustedImm32(-maxFrameSize), fp, scratch);
267                 MacroAssembler::JumpList stackOverflow;
268                 if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
269                     stackOverflow.append(jit.branchPtr(MacroAssembler::Above, scratch, fp));
270                 stackOverflow.append(jit.branchPtr(MacroAssembler::Above, addressOfStackLimit, scratch));
271
272                 params.addLatePath([=] (CCallHelpers& jit) {
273                     AllowMacroScratchRegisterUsage allowScratch(jit);
274
275                     stackOverflow.link(&jit);
276                     
277                     // FIXME: We would not have to do this if the stack check was part of the Air
278                     // prologue. Then, we would know that there is no way for the callee-saves to
279                     // get clobbered.
280                     // https://bugs.webkit.org/show_bug.cgi?id=172456
281                     jit.emitRestore(params.proc().calleeSaveRegisterAtOffsetList());
282                     
283                     jit.store32(
284                         MacroAssembler::TrustedImm32(callSiteIndex.bits()),
285                         CCallHelpers::tagFor(VirtualRegister(CallFrameSlot::argumentCount)));
286                     jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(vm->topEntryFrame);
287
288                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
289                     jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()), GPRInfo::argumentGPR1);
290                     CCallHelpers::Call throwCall = jit.call(OperationPtrTag);
291
292                     jit.move(CCallHelpers::TrustedImmPtr(vm), GPRInfo::argumentGPR0);
293                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
294                     CCallHelpers::Call lookupExceptionHandlerCall = jit.call(OperationPtrTag);
295                     jit.jumpToExceptionHandler(*vm);
296
297                     jit.addLinkTask(
298                         [=] (LinkBuffer& linkBuffer) {
299                             linkBuffer.link(throwCall, FunctionPtr<OperationPtrTag>(operationThrowStackOverflowError));
300                             linkBuffer.link(lookupExceptionHandlerCall, FunctionPtr<OperationPtrTag>(lookupExceptionHandlerFromCallerFrame));
301                     });
302                 });
303             });
304
305         LBasicBlock firstDFGBasicBlock = lowBlock(m_graph.block(0));
306
307         {
308             if (hasMultipleEntrypoints) {
309                 Vector<LBasicBlock> successors(m_graph.m_numberOfEntrypoints);
310                 successors[0] = callEntrypointArgumentSpeculations;
311                 for (unsigned i = 1; i < m_graph.m_numberOfEntrypoints; ++i) {
312                     // Currently, the only other entrypoint is an op_catch entrypoint.
313                     // We do OSR entry at op_catch, and we prove argument formats before
314                     // jumping to FTL code, so we don't need to check argument types here
315                     // for these entrypoints.
316                     successors[i] = firstDFGBasicBlock;
317                 }
318                 
319                 m_out.entrySwitch(successors);
320                 m_out.appendTo(callEntrypointArgumentSpeculations, m_handleExceptions);
321             }
322
323             m_node = nullptr;
324             m_origin = NodeOrigin(CodeOrigin(0), CodeOrigin(0), true);
325
326             // Check Arguments.
327             availabilityMap().clear();
328             availabilityMap().m_locals = Operands<Availability>(codeBlock()->numParameters(), 0);
329             for (unsigned i = codeBlock()->numParameters(); i--;) {
330                 availabilityMap().m_locals.argument(i) =
331                     Availability(FlushedAt(FlushedJSValue, virtualRegisterForArgument(i)));
332             }
333
334             for (unsigned i = codeBlock()->numParameters(); i--;) {
335                 MethodOfGettingAValueProfile profile(&m_graph.m_profiledBlock->valueProfileForArgument(i));
336                 VirtualRegister operand = virtualRegisterForArgument(i);
337                 LValue jsValue = m_out.load64(addressFor(operand));
338                 
339                 switch (m_graph.m_argumentFormats[0][i]) {
340                 case FlushedInt32:
341                     speculate(BadType, jsValueValue(jsValue), profile, isNotInt32(jsValue));
342                     break;
343                 case FlushedBoolean:
344                     speculate(BadType, jsValueValue(jsValue), profile, isNotBoolean(jsValue));
345                     break;
346                 case FlushedCell:
347                     speculate(BadType, jsValueValue(jsValue), profile, isNotCell(jsValue));
348                     break;
349                 case FlushedJSValue:
350                     break;
351                 default:
352                     DFG_CRASH(m_graph, nullptr, "Bad flush format for argument");
353                     break;
354                 }
355             }
356             m_out.jump(firstDFGBasicBlock);
357         }
358
359
360         m_out.appendTo(m_handleExceptions, firstDFGBasicBlock);
361         Box<CCallHelpers::Label> exceptionHandler = state->exceptionHandler;
362         m_out.patchpoint(Void)->setGenerator(
363             [=] (CCallHelpers& jit, const StackmapGenerationParams&) {
364                 CCallHelpers::Jump jump = jit.jump();
365                 jit.addLinkTask(
366                     [=] (LinkBuffer& linkBuffer) {
367                         linkBuffer.link(jump, linkBuffer.locationOf<ExceptionHandlerPtrTag>(*exceptionHandler));
368                     });
369             });
370         m_out.unreachable();
371
372         for (DFG::BasicBlock* block : preOrder)
373             compileBlock(block);
374
375         // Make sure everything is decorated. This does a bunch of deferred decorating. This has
376         // to happen last because our abstract heaps are generated lazily. They have to be
377         // generated lazily because we have an infinite number of numbered, indexed, and
378         // absolute heaps. We only become aware of the ones we actually mention while lowering.
379         m_heaps.computeRangesAndDecorateInstructions();
380
381         // We create all Phi's up front, but we may then decide not to compile the basic block
382         // that would have contained one of them. So this creates orphans, which triggers B3
383         // validation failures. Calling this fixes the issue.
384         //
385         // Note that you should avoid the temptation to make this call conditional upon
386         // validation being enabled. B3 makes no guarantees of any kind of correctness when
387         // dealing with IR that would have failed validation. For example, it would be valid to
388         // write a B3 phase that so aggressively assumes the lack of orphans that it would crash
389         // if any orphans were around. We might even have such phases already.
390         m_proc.deleteOrphans();
391
392         // We put the blocks into the B3 procedure in a super weird order. Now we reorder them.
393         m_out.applyBlockOrder();
394     }
395
396 private:
397     
398     void createPhiVariables()
399     {
400         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
401             DFG::BasicBlock* block = m_graph.block(blockIndex);
402             if (!block)
403                 continue;
404             for (unsigned nodeIndex = block->size(); nodeIndex--;) {
405                 Node* node = block->at(nodeIndex);
406                 if (node->op() != DFG::Phi)
407                     continue;
408                 LType type;
409                 switch (node->flags() & NodeResultMask) {
410                 case NodeResultDouble:
411                     type = Double;
412                     break;
413                 case NodeResultInt32:
414                     type = Int32;
415                     break;
416                 case NodeResultInt52:
417                     type = Int64;
418                     break;
419                 case NodeResultBoolean:
420                     type = Int32;
421                     break;
422                 case NodeResultJS:
423                     type = Int64;
424                     break;
425                 default:
426                     DFG_CRASH(m_graph, node, "Bad Phi node result type");
427                     break;
428                 }
429                 m_phis.add(node, m_proc.add<Value>(B3::Phi, type, Origin(node)));
430             }
431         }
432     }
433     
434     void compileBlock(DFG::BasicBlock* block)
435     {
436         if (!block)
437             return;
438         
439         if (verboseCompilationEnabled())
440             dataLog("Compiling block ", *block, "\n");
441         
442         m_highBlock = block;
443         
444         // Make sure that any blocks created while lowering code in the high block have the frequency of
445         // the high block. This is appropriate because B3 doesn't need precise frequencies. It just needs
446         // something roughly approximate for things like register allocation.
447         m_out.setFrequency(m_highBlock->executionCount);
448         
449         LBasicBlock lowBlock = m_blocks.get(m_highBlock);
450         
451         m_nextHighBlock = 0;
452         for (BlockIndex nextBlockIndex = m_highBlock->index + 1; nextBlockIndex < m_graph.numBlocks(); ++nextBlockIndex) {
453             m_nextHighBlock = m_graph.block(nextBlockIndex);
454             if (m_nextHighBlock)
455                 break;
456         }
457         m_nextLowBlock = m_nextHighBlock ? m_blocks.get(m_nextHighBlock) : 0;
458         
459         // All of this effort to find the next block gives us the ability to keep the
460         // generated IR in roughly program order. This ought not affect the performance
461         // of the generated code (since we expect B3 to reorder things) but it will
462         // make IR dumps easier to read.
463         m_out.appendTo(lowBlock, m_nextLowBlock);
464         
465         if (Options::ftlCrashes())
466             m_out.trap();
467         
468         if (!m_highBlock->cfaHasVisited) {
469             if (verboseCompilationEnabled())
470                 dataLog("Bailing because CFA didn't reach.\n");
471             crash(m_highBlock, nullptr);
472             return;
473         }
474         
475         m_availabilityCalculator.beginBlock(m_highBlock);
476         
477         m_state.reset();
478         m_state.beginBasicBlock(m_highBlock);
479         
480         for (m_nodeIndex = 0; m_nodeIndex < m_highBlock->size(); ++m_nodeIndex) {
481             if (!compileNode(m_nodeIndex))
482                 break;
483         }
484     }
485
486     void safelyInvalidateAfterTermination()
487     {
488         if (verboseCompilationEnabled())
489             dataLog("Bailing.\n");
490         crash();
491
492         // Invalidate dominated blocks. Under normal circumstances we would expect
493         // them to be invalidated already. But you can have the CFA become more
494         // precise over time because the structures of objects change on the main
495         // thread. Failing to do this would result in weird crashes due to a value
496         // being used but not defined. Race conditions FTW!
497         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
498             DFG::BasicBlock* target = m_graph.block(blockIndex);
499             if (!target)
500                 continue;
501             if (m_graph.m_ssaDominators->dominates(m_highBlock, target)) {
502                 if (verboseCompilationEnabled())
503                     dataLog("Block ", *target, " will bail also.\n");
504                 target->cfaHasVisited = false;
505             }
506         }
507     }
508
509     bool compileNode(unsigned nodeIndex)
510     {
511         if (!m_state.isValid()) {
512             safelyInvalidateAfterTermination();
513             return false;
514         }
515         
516         m_node = m_highBlock->at(nodeIndex);
517         m_origin = m_node->origin;
518         m_out.setOrigin(m_node);
519         
520         if (verboseCompilationEnabled())
521             dataLog("Lowering ", m_node, "\n");
522         
523         m_availableRecoveries.shrink(0);
524         
525         m_interpreter.startExecuting();
526         m_interpreter.executeKnownEdgeTypes(m_node);
527         
528         switch (m_node->op()) {
529         case DFG::Upsilon:
530             compileUpsilon();
531             break;
532         case DFG::Phi:
533             compilePhi();
534             break;
535         case JSConstant:
536             break;
537         case DoubleConstant:
538             compileDoubleConstant();
539             break;
540         case Int52Constant:
541             compileInt52Constant();
542             break;
543         case LazyJSConstant:
544             compileLazyJSConstant();
545             break;
546         case DoubleRep:
547             compileDoubleRep();
548             break;
549         case DoubleAsInt32:
550             compileDoubleAsInt32();
551             break;
552         case DFG::ValueRep:
553             compileValueRep();
554             break;
555         case Int52Rep:
556             compileInt52Rep();
557             break;
558         case ValueToInt32:
559             compileValueToInt32();
560             break;
561         case BooleanToNumber:
562             compileBooleanToNumber();
563             break;
564         case ExtractOSREntryLocal:
565             compileExtractOSREntryLocal();
566             break;
567         case ExtractCatchLocal:
568             compileExtractCatchLocal();
569             break;
570         case ClearCatchLocals:
571             compileClearCatchLocals();
572             break;
573         case GetStack:
574             compileGetStack();
575             break;
576         case PutStack:
577             compilePutStack();
578             break;
579         case DFG::Check:
580         case CheckVarargs:
581             compileNoOp();
582             break;
583         case ToObject:
584         case CallObjectConstructor:
585             compileToObjectOrCallObjectConstructor();
586             break;
587         case ToThis:
588             compileToThis();
589             break;
590         case ValueNegate:
591             compileValueNegate();
592             break;
593         case ValueAdd:
594             compileValueAdd();
595             break;
596         case StrCat:
597             compileStrCat();
598             break;
599         case ArithAdd:
600         case ArithSub:
601             compileArithAddOrSub();
602             break;
603         case ArithClz32:
604             compileArithClz32();
605             break;
606         case ArithMul:
607             compileArithMul();
608             break;
609         case ArithDiv:
610             compileArithDiv();
611             break;
612         case ArithMod:
613             compileArithMod();
614             break;
615         case ArithMin:
616         case ArithMax:
617             compileArithMinOrMax();
618             break;
619         case ArithAbs:
620             compileArithAbs();
621             break;
622         case ArithPow:
623             compileArithPow();
624             break;
625         case ArithRandom:
626             compileArithRandom();
627             break;
628         case ArithRound:
629             compileArithRound();
630             break;
631         case ArithFloor:
632             compileArithFloor();
633             break;
634         case ArithCeil:
635             compileArithCeil();
636             break;
637         case ArithTrunc:
638             compileArithTrunc();
639             break;
640         case ArithSqrt:
641             compileArithSqrt();
642             break;
643         case ArithFRound:
644             compileArithFRound();
645             break;
646         case ArithNegate:
647             compileArithNegate();
648             break;
649         case ArithUnary:
650             compileArithUnary();
651             break;
652         case DFG::BitAnd:
653             compileBitAnd();
654             break;
655         case DFG::BitOr:
656             compileBitOr();
657             break;
658         case DFG::BitXor:
659             compileBitXor();
660             break;
661         case BitRShift:
662             compileBitRShift();
663             break;
664         case BitLShift:
665             compileBitLShift();
666             break;
667         case BitURShift:
668             compileBitURShift();
669             break;
670         case UInt32ToNumber:
671             compileUInt32ToNumber();
672             break;
673         case CheckStructure:
674             compileCheckStructure();
675             break;
676         case CheckStructureOrEmpty:
677             compileCheckStructureOrEmpty();
678             break;
679         case CheckCell:
680             compileCheckCell();
681             break;
682         case CheckNotEmpty:
683             compileCheckNotEmpty();
684             break;
685         case AssertNotEmpty:
686             compileAssertNotEmpty();
687             break;
688         case CheckBadCell:
689             compileCheckBadCell();
690             break;
691         case CheckStringIdent:
692             compileCheckStringIdent();
693             break;
694         case GetExecutable:
695             compileGetExecutable();
696             break;
697         case Arrayify:
698         case ArrayifyToStructure:
699             compileArrayify();
700             break;
701         case PutStructure:
702             compilePutStructure();
703             break;
704         case TryGetById:
705             compileGetById(AccessType::TryGet);
706             break;
707         case GetById:
708         case GetByIdFlush:
709             compileGetById(AccessType::Get);
710             break;
711         case GetByIdWithThis:
712             compileGetByIdWithThis();
713             break;
714         case GetByIdDirect:
715         case GetByIdDirectFlush:
716             compileGetById(AccessType::GetDirect);
717             break;
718         case InById:
719             compileInById();
720             break;
721         case InByVal:
722             compileInByVal();
723             break;
724         case HasOwnProperty:
725             compileHasOwnProperty();
726             break;
727         case PutById:
728         case PutByIdDirect:
729         case PutByIdFlush:
730             compilePutById();
731             break;
732         case PutByIdWithThis:
733             compilePutByIdWithThis();
734             break;
735         case PutGetterById:
736         case PutSetterById:
737             compilePutAccessorById();
738             break;
739         case PutGetterSetterById:
740             compilePutGetterSetterById();
741             break;
742         case PutGetterByVal:
743         case PutSetterByVal:
744             compilePutAccessorByVal();
745             break;
746         case DeleteById:
747             compileDeleteById();
748             break;
749         case DeleteByVal:
750             compileDeleteByVal();
751             break;
752         case GetButterfly:
753             compileGetButterfly();
754             break;
755         case ConstantStoragePointer:
756             compileConstantStoragePointer();
757             break;
758         case GetIndexedPropertyStorage:
759             compileGetIndexedPropertyStorage();
760             break;
761         case CheckArray:
762             compileCheckArray();
763             break;
764         case GetArrayLength:
765             compileGetArrayLength();
766             break;
767         case GetVectorLength:
768             compileGetVectorLength();
769             break;
770         case CheckInBounds:
771             compileCheckInBounds();
772             break;
773         case GetByVal:
774             compileGetByVal();
775             break;
776         case GetMyArgumentByVal:
777         case GetMyArgumentByValOutOfBounds:
778             compileGetMyArgumentByVal();
779             break;
780         case GetByValWithThis:
781             compileGetByValWithThis();
782             break;
783         case PutByVal:
784         case PutByValAlias:
785         case PutByValDirect:
786             compilePutByVal();
787             break;
788         case PutByValWithThis:
789             compilePutByValWithThis();
790             break;
791         case AtomicsAdd:
792         case AtomicsAnd:
793         case AtomicsCompareExchange:
794         case AtomicsExchange:
795         case AtomicsLoad:
796         case AtomicsOr:
797         case AtomicsStore:
798         case AtomicsSub:
799         case AtomicsXor:
800             compileAtomicsReadModifyWrite();
801             break;
802         case AtomicsIsLockFree:
803             compileAtomicsIsLockFree();
804             break;
805         case DefineDataProperty:
806             compileDefineDataProperty();
807             break;
808         case DefineAccessorProperty:
809             compileDefineAccessorProperty();
810             break;
811         case ArrayPush:
812             compileArrayPush();
813             break;
814         case ArrayPop:
815             compileArrayPop();
816             break;
817         case ArraySlice:
818             compileArraySlice();
819             break;
820         case ArrayIndexOf:
821             compileArrayIndexOf();
822             break;
823         case CreateActivation:
824             compileCreateActivation();
825             break;
826         case PushWithScope:
827             compilePushWithScope();
828             break;
829         case NewFunction:
830         case NewGeneratorFunction:
831         case NewAsyncGeneratorFunction:
832         case NewAsyncFunction:
833             compileNewFunction();
834             break;
835         case CreateDirectArguments:
836             compileCreateDirectArguments();
837             break;
838         case CreateScopedArguments:
839             compileCreateScopedArguments();
840             break;
841         case CreateClonedArguments:
842             compileCreateClonedArguments();
843             break;
844         case ObjectCreate:
845             compileObjectCreate();
846             break;
847         case NewObject:
848             compileNewObject();
849             break;
850         case NewStringObject:
851             compileNewStringObject();
852             break;
853         case NewArray:
854             compileNewArray();
855             break;
856         case NewArrayWithSpread:
857             compileNewArrayWithSpread();
858             break;
859         case CreateThis:
860             compileCreateThis();
861             break;
862         case Spread:
863             compileSpread();
864             break;
865         case NewArrayBuffer:
866             compileNewArrayBuffer();
867             break;
868         case NewArrayWithSize:
869             compileNewArrayWithSize();
870             break;
871         case NewTypedArray:
872             compileNewTypedArray();
873             break;
874         case GetTypedArrayByteOffset:
875             compileGetTypedArrayByteOffset();
876             break;
877         case GetPrototypeOf:
878             compileGetPrototypeOf();
879             break;
880         case AllocatePropertyStorage:
881             compileAllocatePropertyStorage();
882             break;
883         case ReallocatePropertyStorage:
884             compileReallocatePropertyStorage();
885             break;
886         case NukeStructureAndSetButterfly:
887             compileNukeStructureAndSetButterfly();
888             break;
889         case ToNumber:
890             compileToNumber();
891             break;
892         case ToString:
893         case CallStringConstructor:
894             compileToStringOrCallStringConstructor();
895             break;
896         case ToPrimitive:
897             compileToPrimitive();
898             break;
899         case MakeRope:
900             compileMakeRope();
901             break;
902         case StringCharAt:
903             compileStringCharAt();
904             break;
905         case StringCharCodeAt:
906             compileStringCharCodeAt();
907             break;
908         case StringFromCharCode:
909             compileStringFromCharCode();
910             break;
911         case GetByOffset:
912         case GetGetterSetterByOffset:
913             compileGetByOffset();
914             break;
915         case GetGetter:
916             compileGetGetter();
917             break;
918         case GetSetter:
919             compileGetSetter();
920             break;
921         case MultiGetByOffset:
922             compileMultiGetByOffset();
923             break;
924         case PutByOffset:
925             compilePutByOffset();
926             break;
927         case MultiPutByOffset:
928             compileMultiPutByOffset();
929             break;
930         case MatchStructure:
931             compileMatchStructure();
932             break;
933         case GetGlobalVar:
934         case GetGlobalLexicalVariable:
935             compileGetGlobalVariable();
936             break;
937         case PutGlobalVariable:
938             compilePutGlobalVariable();
939             break;
940         case NotifyWrite:
941             compileNotifyWrite();
942             break;
943         case GetCallee:
944             compileGetCallee();
945             break;
946         case SetCallee:
947             compileSetCallee();
948             break;
949         case GetArgumentCountIncludingThis:
950             compileGetArgumentCountIncludingThis();
951             break;
952         case SetArgumentCountIncludingThis:
953             compileSetArgumentCountIncludingThis();
954             break;
955         case GetScope:
956             compileGetScope();
957             break;
958         case SkipScope:
959             compileSkipScope();
960             break;
961         case GetGlobalObject:
962             compileGetGlobalObject();
963             break;
964         case GetGlobalThis:
965             compileGetGlobalThis();
966             break;
967         case GetClosureVar:
968             compileGetClosureVar();
969             break;
970         case PutClosureVar:
971             compilePutClosureVar();
972             break;
973         case GetFromArguments:
974             compileGetFromArguments();
975             break;
976         case PutToArguments:
977             compilePutToArguments();
978             break;
979         case GetArgument:
980             compileGetArgument();
981             break;
982         case CompareEq:
983             compileCompareEq();
984             break;
985         case CompareStrictEq:
986             compileCompareStrictEq();
987             break;
988         case CompareLess:
989             compileCompareLess();
990             break;
991         case CompareLessEq:
992             compileCompareLessEq();
993             break;
994         case CompareGreater:
995             compileCompareGreater();
996             break;
997         case CompareGreaterEq:
998             compileCompareGreaterEq();
999             break;
1000         case CompareBelow:
1001             compileCompareBelow();
1002             break;
1003         case CompareBelowEq:
1004             compileCompareBelowEq();
1005             break;
1006         case CompareEqPtr:
1007             compileCompareEqPtr();
1008             break;
1009         case SameValue:
1010             compileSameValue();
1011             break;
1012         case LogicalNot:
1013             compileLogicalNot();
1014             break;
1015         case Call:
1016         case TailCallInlinedCaller:
1017         case Construct:
1018             compileCallOrConstruct();
1019             break;
1020         case DirectCall:
1021         case DirectTailCallInlinedCaller:
1022         case DirectConstruct:
1023         case DirectTailCall:
1024             compileDirectCallOrConstruct();
1025             break;
1026         case TailCall:
1027             compileTailCall();
1028             break;
1029         case CallVarargs:
1030         case CallForwardVarargs:
1031         case TailCallVarargs:
1032         case TailCallVarargsInlinedCaller:
1033         case TailCallForwardVarargs:
1034         case TailCallForwardVarargsInlinedCaller:
1035         case ConstructVarargs:
1036         case ConstructForwardVarargs:
1037             compileCallOrConstructVarargs();
1038             break;
1039         case CallEval:
1040             compileCallEval();
1041             break;
1042         case LoadVarargs:
1043             compileLoadVarargs();
1044             break;
1045         case ForwardVarargs:
1046             compileForwardVarargs();
1047             break;
1048         case DFG::Jump:
1049             compileJump();
1050             break;
1051         case DFG::Branch:
1052             compileBranch();
1053             break;
1054         case DFG::Switch:
1055             compileSwitch();
1056             break;
1057         case DFG::EntrySwitch:
1058             compileEntrySwitch();
1059             break;
1060         case DFG::Return:
1061             compileReturn();
1062             break;
1063         case ForceOSRExit:
1064             compileForceOSRExit();
1065             break;
1066         case CPUIntrinsic:
1067 #if CPU(X86_64)
1068             compileCPUIntrinsic();
1069 #else
1070             RELEASE_ASSERT_NOT_REACHED();
1071 #endif
1072             break;
1073         case Throw:
1074             compileThrow();
1075             break;
1076         case ThrowStaticError:
1077             compileThrowStaticError();
1078             break;
1079         case InvalidationPoint:
1080             compileInvalidationPoint();
1081             break;
1082         case IsEmpty:
1083             compileIsEmpty();
1084             break;
1085         case IsUndefined:
1086             compileIsUndefined();
1087             break;
1088         case IsBoolean:
1089             compileIsBoolean();
1090             break;
1091         case IsNumber:
1092             compileIsNumber();
1093             break;
1094         case NumberIsInteger:
1095             compileNumberIsInteger();
1096             break;
1097         case IsCellWithType:
1098             compileIsCellWithType();
1099             break;
1100         case MapHash:
1101             compileMapHash();
1102             break;
1103         case NormalizeMapKey:
1104             compileNormalizeMapKey();
1105             break;
1106         case GetMapBucket:
1107             compileGetMapBucket();
1108             break;
1109         case GetMapBucketHead:
1110             compileGetMapBucketHead();
1111             break;
1112         case GetMapBucketNext:
1113             compileGetMapBucketNext();
1114             break;
1115         case LoadKeyFromMapBucket:
1116             compileLoadKeyFromMapBucket();
1117             break;
1118         case LoadValueFromMapBucket:
1119             compileLoadValueFromMapBucket();
1120             break;
1121         case ExtractValueFromWeakMapGet:
1122             compileExtractValueFromWeakMapGet();
1123             break;
1124         case SetAdd:
1125             compileSetAdd();
1126             break;
1127         case MapSet:
1128             compileMapSet();
1129             break;
1130         case WeakMapGet:
1131             compileWeakMapGet();
1132             break;
1133         case WeakSetAdd:
1134             compileWeakSetAdd();
1135             break;
1136         case WeakMapSet:
1137             compileWeakMapSet();
1138             break;
1139         case IsObject:
1140             compileIsObject();
1141             break;
1142         case IsObjectOrNull:
1143             compileIsObjectOrNull();
1144             break;
1145         case IsFunction:
1146             compileIsFunction();
1147             break;
1148         case IsTypedArrayView:
1149             compileIsTypedArrayView();
1150             break;
1151         case ParseInt:
1152             compileParseInt();
1153             break;
1154         case TypeOf:
1155             compileTypeOf();
1156             break;
1157         case CheckTypeInfoFlags:
1158             compileCheckTypeInfoFlags();
1159             break;
1160         case OverridesHasInstance:
1161             compileOverridesHasInstance();
1162             break;
1163         case InstanceOf:
1164             compileInstanceOf();
1165             break;
1166         case InstanceOfCustom:
1167             compileInstanceOfCustom();
1168             break;
1169         case CountExecution:
1170             compileCountExecution();
1171             break;
1172         case SuperSamplerBegin:
1173             compileSuperSamplerBegin();
1174             break;
1175         case SuperSamplerEnd:
1176             compileSuperSamplerEnd();
1177             break;
1178         case StoreBarrier:
1179         case FencedStoreBarrier:
1180             compileStoreBarrier();
1181             break;
1182         case HasIndexedProperty:
1183             compileHasIndexedProperty();
1184             break;
1185         case HasGenericProperty:
1186             compileHasGenericProperty();
1187             break;
1188         case HasStructureProperty:
1189             compileHasStructureProperty();
1190             break;
1191         case GetDirectPname:
1192             compileGetDirectPname();
1193             break;
1194         case GetEnumerableLength:
1195             compileGetEnumerableLength();
1196             break;
1197         case GetPropertyEnumerator:
1198             compileGetPropertyEnumerator();
1199             break;
1200         case GetEnumeratorStructurePname:
1201             compileGetEnumeratorStructurePname();
1202             break;
1203         case GetEnumeratorGenericPname:
1204             compileGetEnumeratorGenericPname();
1205             break;
1206         case ToIndexString:
1207             compileToIndexString();
1208             break;
1209         case CheckStructureImmediate:
1210             compileCheckStructureImmediate();
1211             break;
1212         case MaterializeNewObject:
1213             compileMaterializeNewObject();
1214             break;
1215         case MaterializeCreateActivation:
1216             compileMaterializeCreateActivation();
1217             break;
1218         case CheckTraps:
1219             if (Options::usePollingTraps())
1220                 compileCheckTraps();
1221             break;
1222         case CreateRest:
1223             compileCreateRest();
1224             break;
1225         case GetRestLength:
1226             compileGetRestLength();
1227             break;
1228         case RegExpExec:
1229             compileRegExpExec();
1230             break;
1231         case RegExpExecNonGlobalOrSticky:
1232             compileRegExpExecNonGlobalOrSticky();
1233             break;
1234         case RegExpTest:
1235             compileRegExpTest();
1236             break;
1237         case RegExpMatchFast:
1238             compileRegExpMatchFast();
1239             break;
1240         case RegExpMatchFastGlobal:
1241             compileRegExpMatchFastGlobal();
1242             break;
1243         case NewRegexp:
1244             compileNewRegexp();
1245             break;
1246         case SetFunctionName:
1247             compileSetFunctionName();
1248             break;
1249         case StringReplace:
1250         case StringReplaceRegExp:
1251             compileStringReplace();
1252             break;
1253         case GetRegExpObjectLastIndex:
1254             compileGetRegExpObjectLastIndex();
1255             break;
1256         case SetRegExpObjectLastIndex:
1257             compileSetRegExpObjectLastIndex();
1258             break;
1259         case LogShadowChickenPrologue:
1260             compileLogShadowChickenPrologue();
1261             break;
1262         case LogShadowChickenTail:
1263             compileLogShadowChickenTail();
1264             break;
1265         case RecordRegExpCachedResult:
1266             compileRecordRegExpCachedResult();
1267             break;
1268         case ResolveScopeForHoistingFuncDeclInEval:
1269             compileResolveScopeForHoistingFuncDeclInEval();
1270             break;
1271         case ResolveScope:
1272             compileResolveScope();
1273             break;
1274         case GetDynamicVar:
1275             compileGetDynamicVar();
1276             break;
1277         case PutDynamicVar:
1278             compilePutDynamicVar();
1279             break;
1280         case Unreachable:
1281             compileUnreachable();
1282             break;
1283         case StringSlice:
1284             compileStringSlice();
1285             break;
1286         case ToLowerCase:
1287             compileToLowerCase();
1288             break;
1289         case NumberToStringWithRadix:
1290             compileNumberToStringWithRadix();
1291             break;
1292         case NumberToStringWithValidRadixConstant:
1293             compileNumberToStringWithValidRadixConstant();
1294             break;
1295         case CheckSubClass:
1296             compileCheckSubClass();
1297             break;
1298         case CallDOM:
1299             compileCallDOM();
1300             break;
1301         case CallDOMGetter:
1302             compileCallDOMGetter();
1303             break;
1304         case FilterCallLinkStatus:
1305         case FilterGetByIdStatus:
1306         case FilterPutByIdStatus:
1307         case FilterInByIdStatus:
1308             compileFilterICStatus();
1309             break;
1310
1311         case PhantomLocal:
1312         case LoopHint:
1313         case MovHint:
1314         case ZombieHint:
1315         case ExitOK:
1316         case PhantomNewObject:
1317         case PhantomNewFunction:
1318         case PhantomNewGeneratorFunction:
1319         case PhantomNewAsyncGeneratorFunction:
1320         case PhantomNewAsyncFunction:
1321         case PhantomCreateActivation:
1322         case PhantomDirectArguments:
1323         case PhantomCreateRest:
1324         case PhantomSpread:
1325         case PhantomNewArrayWithSpread:
1326         case PhantomNewArrayBuffer:
1327         case PhantomClonedArguments:
1328         case PhantomNewRegexp:
1329         case PutHint:
1330         case BottomValue:
1331         case KillStack:
1332         case InitializeEntrypointArguments:
1333             break;
1334         default:
1335             DFG_CRASH(m_graph, m_node, "Unrecognized node in FTL backend");
1336             break;
1337         }
1338         
1339         if (m_node->isTerminal())
1340             return false;
1341         
1342         if (!m_state.isValid()) {
1343             safelyInvalidateAfterTermination();
1344             return false;
1345         }
1346
1347         m_availabilityCalculator.executeNode(m_node);
1348         m_interpreter.executeEffects(nodeIndex);
1349         
1350         return true;
1351     }
1352
1353     void compileUpsilon()
1354     {
1355         LValue upsilonValue = nullptr;
1356         switch (m_node->child1().useKind()) {
1357         case DoubleRepUse:
1358             upsilonValue = lowDouble(m_node->child1());
1359             break;
1360         case Int32Use:
1361         case KnownInt32Use:
1362             upsilonValue = lowInt32(m_node->child1());
1363             break;
1364         case Int52RepUse:
1365             upsilonValue = lowInt52(m_node->child1());
1366             break;
1367         case BooleanUse:
1368         case KnownBooleanUse:
1369             upsilonValue = lowBoolean(m_node->child1());
1370             break;
1371         case CellUse:
1372         case KnownCellUse:
1373             upsilonValue = lowCell(m_node->child1());
1374             break;
1375         case UntypedUse:
1376             upsilonValue = lowJSValue(m_node->child1());
1377             break;
1378         default:
1379             DFG_CRASH(m_graph, m_node, "Bad use kind");
1380             break;
1381         }
1382         ValueFromBlock upsilon = m_out.anchor(upsilonValue);
1383         LValue phiNode = m_phis.get(m_node->phi());
1384         m_out.addIncomingToPhi(phiNode, upsilon);
1385     }
1386     
1387     void compilePhi()
1388     {
1389         LValue phi = m_phis.get(m_node);
1390         m_out.m_block->append(phi);
1391
1392         switch (m_node->flags() & NodeResultMask) {
1393         case NodeResultDouble:
1394             setDouble(phi);
1395             break;
1396         case NodeResultInt32:
1397             setInt32(phi);
1398             break;
1399         case NodeResultInt52:
1400             setInt52(phi);
1401             break;
1402         case NodeResultBoolean:
1403             setBoolean(phi);
1404             break;
1405         case NodeResultJS:
1406             setJSValue(phi);
1407             break;
1408         default:
1409             DFG_CRASH(m_graph, m_node, "Bad use kind");
1410             break;
1411         }
1412     }
1413     
1414     void compileDoubleConstant()
1415     {
1416         setDouble(m_out.constDouble(m_node->asNumber()));
1417     }
1418     
1419     void compileInt52Constant()
1420     {
1421         int64_t value = m_node->asAnyInt();
1422         
1423         setInt52(m_out.constInt64(value << JSValue::int52ShiftAmount));
1424         setStrictInt52(m_out.constInt64(value));
1425     }
1426
1427     void compileLazyJSConstant()
1428     {
1429         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
1430         LazyJSValue value = m_node->lazyJSValue();
1431         patchpoint->setGenerator(
1432             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
1433                 value.emit(jit, JSValueRegs(params[0].gpr()));
1434             });
1435         patchpoint->effects = Effects::none();
1436         setJSValue(patchpoint);
1437     }
1438
1439     void compileDoubleRep()
1440     {
1441         switch (m_node->child1().useKind()) {
1442         case RealNumberUse: {
1443             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1444             
1445             LValue doubleValue = unboxDouble(value);
1446             
1447             LBasicBlock intCase = m_out.newBlock();
1448             LBasicBlock continuation = m_out.newBlock();
1449             
1450             ValueFromBlock fastResult = m_out.anchor(doubleValue);
1451             m_out.branch(
1452                 m_out.doubleEqual(doubleValue, doubleValue),
1453                 usually(continuation), rarely(intCase));
1454             
1455             LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
1456
1457             FTL_TYPE_CHECK(
1458                 jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
1459                 isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
1460             ValueFromBlock slowResult = m_out.anchor(m_out.intToDouble(unboxInt32(value)));
1461             m_out.jump(continuation);
1462             
1463             m_out.appendTo(continuation, lastNext);
1464             
1465             setDouble(m_out.phi(Double, fastResult, slowResult));
1466             return;
1467         }
1468             
1469         case NotCellUse:
1470         case NumberUse: {
1471             bool shouldConvertNonNumber = m_node->child1().useKind() == NotCellUse;
1472             
1473             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1474
1475             LBasicBlock intCase = m_out.newBlock();
1476             LBasicBlock doubleTesting = m_out.newBlock();
1477             LBasicBlock doubleCase = m_out.newBlock();
1478             LBasicBlock nonDoubleCase = m_out.newBlock();
1479             LBasicBlock continuation = m_out.newBlock();
1480             
1481             m_out.branch(
1482                 isNotInt32(value, provenType(m_node->child1())),
1483                 unsure(doubleTesting), unsure(intCase));
1484             
1485             LBasicBlock lastNext = m_out.appendTo(intCase, doubleTesting);
1486             
1487             ValueFromBlock intToDouble = m_out.anchor(
1488                 m_out.intToDouble(unboxInt32(value)));
1489             m_out.jump(continuation);
1490             
1491             m_out.appendTo(doubleTesting, doubleCase);
1492             LValue valueIsNumber = isNumber(value, provenType(m_node->child1()));
1493             m_out.branch(valueIsNumber, usually(doubleCase), rarely(nonDoubleCase));
1494
1495             m_out.appendTo(doubleCase, nonDoubleCase);
1496             ValueFromBlock unboxedDouble = m_out.anchor(unboxDouble(value));
1497             m_out.jump(continuation);
1498
1499             if (shouldConvertNonNumber) {
1500                 LBasicBlock undefinedCase = m_out.newBlock();
1501                 LBasicBlock testNullCase = m_out.newBlock();
1502                 LBasicBlock nullCase = m_out.newBlock();
1503                 LBasicBlock testBooleanTrueCase = m_out.newBlock();
1504                 LBasicBlock convertBooleanTrueCase = m_out.newBlock();
1505                 LBasicBlock convertBooleanFalseCase = m_out.newBlock();
1506
1507                 m_out.appendTo(nonDoubleCase, undefinedCase);
1508                 LValue valueIsUndefined = m_out.equal(value, m_out.constInt64(ValueUndefined));
1509                 m_out.branch(valueIsUndefined, unsure(undefinedCase), unsure(testNullCase));
1510
1511                 m_out.appendTo(undefinedCase, testNullCase);
1512                 ValueFromBlock convertedUndefined = m_out.anchor(m_out.constDouble(PNaN));
1513                 m_out.jump(continuation);
1514
1515                 m_out.appendTo(testNullCase, nullCase);
1516                 LValue valueIsNull = m_out.equal(value, m_out.constInt64(ValueNull));
1517                 m_out.branch(valueIsNull, unsure(nullCase), unsure(testBooleanTrueCase));
1518
1519                 m_out.appendTo(nullCase, testBooleanTrueCase);
1520                 ValueFromBlock convertedNull = m_out.anchor(m_out.constDouble(0));
1521                 m_out.jump(continuation);
1522
1523                 m_out.appendTo(testBooleanTrueCase, convertBooleanTrueCase);
1524                 LValue valueIsBooleanTrue = m_out.equal(value, m_out.constInt64(ValueTrue));
1525                 m_out.branch(valueIsBooleanTrue, unsure(convertBooleanTrueCase), unsure(convertBooleanFalseCase));
1526
1527                 m_out.appendTo(convertBooleanTrueCase, convertBooleanFalseCase);
1528                 ValueFromBlock convertedTrue = m_out.anchor(m_out.constDouble(1));
1529                 m_out.jump(continuation);
1530
1531                 m_out.appendTo(convertBooleanFalseCase, continuation);
1532
1533                 LValue valueIsNotBooleanFalse = m_out.notEqual(value, m_out.constInt64(ValueFalse));
1534                 FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), ~SpecCellCheck, valueIsNotBooleanFalse);
1535                 ValueFromBlock convertedFalse = m_out.anchor(m_out.constDouble(0));
1536                 m_out.jump(continuation);
1537
1538                 m_out.appendTo(continuation, lastNext);
1539                 setDouble(m_out.phi(Double, intToDouble, unboxedDouble, convertedUndefined, convertedNull, convertedTrue, convertedFalse));
1540                 return;
1541             }
1542             m_out.appendTo(nonDoubleCase, continuation);
1543             FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), SpecBytecodeNumber, m_out.booleanTrue);
1544             m_out.unreachable();
1545
1546             m_out.appendTo(continuation, lastNext);
1547
1548             setDouble(m_out.phi(Double, intToDouble, unboxedDouble));
1549             return;
1550         }
1551             
1552         case Int52RepUse: {
1553             setDouble(strictInt52ToDouble(lowStrictInt52(m_node->child1())));
1554             return;
1555         }
1556             
1557         default:
1558             DFG_CRASH(m_graph, m_node, "Bad use kind");
1559         }
1560     }
1561
1562     void compileDoubleAsInt32()
1563     {
1564         LValue integerValue = convertDoubleToInt32(lowDouble(m_node->child1()), shouldCheckNegativeZero(m_node->arithMode()));
1565         setInt32(integerValue);
1566     }
1567
1568     void compileValueRep()
1569     {
1570         switch (m_node->child1().useKind()) {
1571         case DoubleRepUse: {
1572             LValue value = lowDouble(m_node->child1());
1573             
1574             if (m_interpreter.needsTypeCheck(m_node->child1(), ~SpecDoubleImpureNaN)) {
1575                 value = m_out.select(
1576                     m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN));
1577             }
1578             
1579             setJSValue(boxDouble(value));
1580             return;
1581         }
1582             
1583         case Int52RepUse: {
1584             setJSValue(strictInt52ToJSValue(lowStrictInt52(m_node->child1())));
1585             return;
1586         }
1587             
1588         default:
1589             DFG_CRASH(m_graph, m_node, "Bad use kind");
1590         }
1591     }
1592     
1593     void compileInt52Rep()
1594     {
1595         switch (m_node->child1().useKind()) {
1596         case Int32Use:
1597             setStrictInt52(m_out.signExt32To64(lowInt32(m_node->child1())));
1598             return;
1599             
1600         case AnyIntUse:
1601             setStrictInt52(
1602                 jsValueToStrictInt52(
1603                     m_node->child1(), lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1604             return;
1605             
1606         case DoubleRepAnyIntUse:
1607             setStrictInt52(
1608                 doubleToStrictInt52(
1609                     m_node->child1(), lowDouble(m_node->child1())));
1610             return;
1611             
1612         default:
1613             RELEASE_ASSERT_NOT_REACHED();
1614         }
1615     }
1616     
1617     void compileValueToInt32()
1618     {
1619         switch (m_node->child1().useKind()) {
1620         case Int52RepUse:
1621             setInt32(m_out.castToInt32(lowStrictInt52(m_node->child1())));
1622             break;
1623             
1624         case DoubleRepUse:
1625             setInt32(doubleToInt32(lowDouble(m_node->child1())));
1626             break;
1627             
1628         case NumberUse:
1629         case NotCellUse: {
1630             LoweredNodeValue value = m_int32Values.get(m_node->child1().node());
1631             if (isValid(value)) {
1632                 setInt32(value.value());
1633                 break;
1634             }
1635             
1636             value = m_jsValueValues.get(m_node->child1().node());
1637             if (isValid(value)) {
1638                 setInt32(numberOrNotCellToInt32(m_node->child1(), value.value()));
1639                 break;
1640             }
1641             
1642             // We'll basically just get here for constants. But it's good to have this
1643             // catch-all since we often add new representations into the mix.
1644             setInt32(
1645                 numberOrNotCellToInt32(
1646                     m_node->child1(),
1647                     lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1648             break;
1649         }
1650             
1651         default:
1652             DFG_CRASH(m_graph, m_node, "Bad use kind");
1653             break;
1654         }
1655     }
1656     
1657     void compileBooleanToNumber()
1658     {
1659         switch (m_node->child1().useKind()) {
1660         case BooleanUse: {
1661             setInt32(m_out.zeroExt(lowBoolean(m_node->child1()), Int32));
1662             return;
1663         }
1664             
1665         case UntypedUse: {
1666             LValue value = lowJSValue(m_node->child1());
1667             
1668             if (!m_interpreter.needsTypeCheck(m_node->child1(), SpecBoolInt32 | SpecBoolean)) {
1669                 setInt32(m_out.bitAnd(m_out.castToInt32(value), m_out.int32One));
1670                 return;
1671             }
1672             
1673             LBasicBlock booleanCase = m_out.newBlock();
1674             LBasicBlock continuation = m_out.newBlock();
1675             
1676             ValueFromBlock notBooleanResult = m_out.anchor(value);
1677             m_out.branch(
1678                 isBoolean(value, provenType(m_node->child1())),
1679                 unsure(booleanCase), unsure(continuation));
1680             
1681             LBasicBlock lastNext = m_out.appendTo(booleanCase, continuation);
1682             ValueFromBlock booleanResult = m_out.anchor(m_out.bitOr(
1683                 m_out.zeroExt(unboxBoolean(value), Int64), m_tagTypeNumber));
1684             m_out.jump(continuation);
1685             
1686             m_out.appendTo(continuation, lastNext);
1687             setJSValue(m_out.phi(Int64, booleanResult, notBooleanResult));
1688             return;
1689         }
1690             
1691         default:
1692             RELEASE_ASSERT_NOT_REACHED();
1693             return;
1694         }
1695     }
1696
1697     void compileExtractOSREntryLocal()
1698     {
1699         EncodedJSValue* buffer = static_cast<EncodedJSValue*>(
1700             m_ftlState.jitCode->ftlForOSREntry()->entryBuffer()->dataBuffer());
1701         setJSValue(m_out.load64(m_out.absolute(buffer + m_node->unlinkedLocal().toLocal())));
1702     }
1703
1704     void compileExtractCatchLocal()
1705     {
1706         EncodedJSValue* buffer = static_cast<EncodedJSValue*>(m_ftlState.jitCode->common.catchOSREntryBuffer->dataBuffer());
1707         setJSValue(m_out.load64(m_out.absolute(buffer + m_node->catchOSREntryIndex())));
1708     }
1709
1710     void compileClearCatchLocals()
1711     {
1712         ScratchBuffer* scratchBuffer = m_ftlState.jitCode->common.catchOSREntryBuffer;
1713         ASSERT(scratchBuffer);
1714         m_out.storePtr(m_out.constIntPtr(0), m_out.absolute(scratchBuffer->addressOfActiveLength()));
1715     }
1716     
1717     void compileGetStack()
1718     {
1719         StackAccessData* data = m_node->stackAccessData();
1720         AbstractValue& value = m_state.operand(data->local);
1721         
1722         DFG_ASSERT(m_graph, m_node, isConcrete(data->format), data->format);
1723         DFG_ASSERT(m_graph, m_node, data->format != FlushedDouble, data->format); // This just happens to not arise for GetStacks, right now. It would be trivial to support.
1724         
1725         if (isInt32Speculation(value.m_type))
1726             setInt32(m_out.load32(payloadFor(data->machineLocal)));
1727         else
1728             setJSValue(m_out.load64(addressFor(data->machineLocal)));
1729     }
1730     
1731     void compilePutStack()
1732     {
1733         StackAccessData* data = m_node->stackAccessData();
1734         switch (data->format) {
1735         case FlushedJSValue: {
1736             LValue value = lowJSValue(m_node->child1());
1737             m_out.store64(value, addressFor(data->machineLocal));
1738             break;
1739         }
1740             
1741         case FlushedDouble: {
1742             LValue value = lowDouble(m_node->child1());
1743             m_out.storeDouble(value, addressFor(data->machineLocal));
1744             break;
1745         }
1746             
1747         case FlushedInt32: {
1748             LValue value = lowInt32(m_node->child1());
1749             m_out.store32(value, payloadFor(data->machineLocal));
1750             break;
1751         }
1752             
1753         case FlushedInt52: {
1754             LValue value = lowInt52(m_node->child1());
1755             m_out.store64(value, addressFor(data->machineLocal));
1756             break;
1757         }
1758             
1759         case FlushedCell: {
1760             LValue value = lowCell(m_node->child1());
1761             m_out.store64(value, addressFor(data->machineLocal));
1762             break;
1763         }
1764             
1765         case FlushedBoolean: {
1766             speculateBoolean(m_node->child1());
1767             m_out.store64(
1768                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
1769                 addressFor(data->machineLocal));
1770             break;
1771         }
1772             
1773         default:
1774             DFG_CRASH(m_graph, m_node, "Bad flush format");
1775             break;
1776         }
1777     }
1778     
1779     void compileNoOp()
1780     {
1781         DFG_NODE_DO_TO_CHILDREN(m_graph, m_node, speculate);
1782     }
1783
1784     void compileToObjectOrCallObjectConstructor()
1785     {
1786         LValue value = lowJSValue(m_node->child1());
1787
1788         LBasicBlock isCellCase = m_out.newBlock();
1789         LBasicBlock slowCase = m_out.newBlock();
1790         LBasicBlock continuation = m_out.newBlock();
1791
1792         m_out.branch(isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
1793
1794         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
1795         ValueFromBlock fastResult = m_out.anchor(value);
1796         m_out.branch(isObject(value), usually(continuation), rarely(slowCase));
1797
1798         m_out.appendTo(slowCase, continuation);
1799
1800         ValueFromBlock slowResult;
1801         if (m_node->op() == ToObject) {
1802             auto* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
1803             slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationToObject), m_callFrame, weakPointer(globalObject), value, m_out.constIntPtr(m_graph.identifiers()[m_node->identifierNumber()])));
1804         } else
1805             slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationCallObjectConstructor), m_callFrame, frozenPointer(m_node->cellOperand()), value));
1806         m_out.jump(continuation);
1807
1808         m_out.appendTo(continuation, lastNext);
1809         setJSValue(m_out.phi(Int64, fastResult, slowResult));
1810     }
1811     
1812     void compileToThis()
1813     {
1814         LValue value = lowJSValue(m_node->child1());
1815         
1816         LBasicBlock isCellCase = m_out.newBlock();
1817         LBasicBlock slowCase = m_out.newBlock();
1818         LBasicBlock continuation = m_out.newBlock();
1819         
1820         m_out.branch(
1821             isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
1822         
1823         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
1824         ValueFromBlock fastResult = m_out.anchor(value);
1825         m_out.branch(
1826             m_out.testIsZero32(
1827                 m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoFlags),
1828                 m_out.constInt32(OverridesToThis)),
1829             usually(continuation), rarely(slowCase));
1830         
1831         m_out.appendTo(slowCase, continuation);
1832         J_JITOperation_EJ function;
1833         if (m_graph.isStrictModeFor(m_node->origin.semantic))
1834             function = operationToThisStrict;
1835         else
1836             function = operationToThis;
1837         ValueFromBlock slowResult = m_out.anchor(
1838             vmCall(Int64, m_out.operation(function), m_callFrame, value));
1839         m_out.jump(continuation);
1840         
1841         m_out.appendTo(continuation, lastNext);
1842         setJSValue(m_out.phi(Int64, fastResult, slowResult));
1843     }
1844
1845     void compileValueAdd()
1846     {
1847         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
1848         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(m_node->origin.semantic.bytecodeIndex);
1849         Instruction* instruction = &baselineCodeBlock->instructions()[m_node->origin.semantic.bytecodeIndex];
1850         auto repatchingFunction = operationValueAddOptimize;
1851         auto nonRepatchingFunction = operationValueAdd;
1852         compileBinaryMathIC<JITAddGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
1853     }
1854
1855     template <typename Generator, typename Func1, typename Func2,
1856         typename = std::enable_if_t<std::is_function<typename std::remove_pointer<Func1>::type>::value && std::is_function<typename std::remove_pointer<Func2>::type>::value>>
1857     void compileUnaryMathIC(ArithProfile* arithProfile, Instruction* instruction, Func1 repatchingFunction, Func2 nonRepatchingFunction)
1858     {
1859         Node* node = m_node;
1860
1861         LValue operand = lowJSValue(node->child1());
1862
1863         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
1864         patchpoint->appendSomeRegister(operand);
1865         patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
1866         patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
1867         RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
1868         patchpoint->numGPScratchRegisters = 1;
1869         patchpoint->clobber(RegisterSet::macroScratchRegisters());
1870         State* state = &m_ftlState;
1871         patchpoint->setGenerator(
1872             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
1873                 AllowMacroScratchRegisterUsage allowScratch(jit);
1874
1875                 Box<CCallHelpers::JumpList> exceptions =
1876                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
1877
1878 #if ENABLE(MATH_IC_STATS)
1879                 auto inlineStart = jit.label();
1880 #endif
1881
1882                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
1883                 JITUnaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile, instruction);
1884                 mathIC->m_generator = Generator(JSValueRegs(params[0].gpr()), JSValueRegs(params[1].gpr()), params.gpScratch(0));
1885
1886                 bool shouldEmitProfiling = false;
1887                 bool generatedInline = mathIC->generateInline(jit, *mathICGenerationState, shouldEmitProfiling);
1888
1889                 if (generatedInline) {
1890                     ASSERT(!mathICGenerationState->slowPathJumps.empty());
1891                     auto done = jit.label();
1892                     params.addLatePath([=] (CCallHelpers& jit) {
1893                         AllowMacroScratchRegisterUsage allowScratch(jit);
1894                         mathICGenerationState->slowPathJumps.link(&jit);
1895                         mathICGenerationState->slowPathStart = jit.label();
1896 #if ENABLE(MATH_IC_STATS)
1897                         auto slowPathStart = jit.label();
1898 #endif
1899
1900                         if (mathICGenerationState->shouldSlowPathRepatch) {
1901                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
1902                                 repatchingFunction, params[0].gpr(), params[1].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
1903                             mathICGenerationState->slowPathCall = call.call();
1904                         } else {
1905                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
1906                                 exceptions.get(), nonRepatchingFunction, params[0].gpr(), params[1].gpr());
1907                             mathICGenerationState->slowPathCall = call.call();
1908                         }
1909                         jit.jump().linkTo(done, &jit);
1910
1911                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
1912                             mathIC->finalizeInlineCode(*mathICGenerationState, linkBuffer);
1913                         });
1914
1915 #if ENABLE(MATH_IC_STATS)
1916                         auto slowPathEnd = jit.label();
1917                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
1918                             size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
1919                             mathIC->m_generatedCodeSize += size;
1920                         });
1921 #endif
1922                     });
1923                 } else {
1924                     callOperation(
1925                         *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
1926                         nonRepatchingFunction, params[0].gpr(), params[1].gpr());
1927                 }
1928
1929 #if ENABLE(MATH_IC_STATS)
1930                 auto inlineEnd = jit.label();
1931                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
1932                     size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
1933                     mathIC->m_generatedCodeSize += size;
1934                 });
1935 #endif
1936             });
1937
1938         setJSValue(patchpoint);
1939     }
1940
1941     template <typename Generator, typename Func1, typename Func2,
1942         typename = std::enable_if_t<std::is_function<typename std::remove_pointer<Func1>::type>::value && std::is_function<typename std::remove_pointer<Func2>::type>::value>>
1943     void compileBinaryMathIC(ArithProfile* arithProfile, Instruction* instruction, Func1 repatchingFunction, Func2 nonRepatchingFunction)
1944     {
1945         Node* node = m_node;
1946         
1947         LValue left = lowJSValue(node->child1());
1948         LValue right = lowJSValue(node->child2());
1949
1950         SnippetOperand leftOperand(m_state.forNode(node->child1()).resultType());
1951         SnippetOperand rightOperand(m_state.forNode(node->child2()).resultType());
1952             
1953         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
1954         patchpoint->appendSomeRegister(left);
1955         patchpoint->appendSomeRegister(right);
1956         patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
1957         patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
1958         RefPtr<PatchpointExceptionHandle> exceptionHandle =
1959             preparePatchpointForExceptions(patchpoint);
1960         patchpoint->numGPScratchRegisters = 1;
1961         patchpoint->numFPScratchRegisters = 2;
1962         patchpoint->clobber(RegisterSet::macroScratchRegisters());
1963         State* state = &m_ftlState;
1964         patchpoint->setGenerator(
1965             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
1966                 AllowMacroScratchRegisterUsage allowScratch(jit);
1967
1968
1969                 Box<CCallHelpers::JumpList> exceptions =
1970                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
1971
1972 #if ENABLE(MATH_IC_STATS)
1973                 auto inlineStart = jit.label();
1974 #endif
1975
1976                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
1977                 JITBinaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile, instruction);
1978                 mathIC->m_generator = Generator(leftOperand, rightOperand, JSValueRegs(params[0].gpr()),
1979                     JSValueRegs(params[1].gpr()), JSValueRegs(params[2].gpr()), params.fpScratch(0),
1980                     params.fpScratch(1), params.gpScratch(0), InvalidFPRReg);
1981
1982                 bool shouldEmitProfiling = false;
1983                 bool generatedInline = mathIC->generateInline(jit, *mathICGenerationState, shouldEmitProfiling);
1984
1985                 if (generatedInline) {
1986                     ASSERT(!mathICGenerationState->slowPathJumps.empty());
1987                     auto done = jit.label();
1988                     params.addLatePath([=] (CCallHelpers& jit) {
1989                         AllowMacroScratchRegisterUsage allowScratch(jit);
1990                         mathICGenerationState->slowPathJumps.link(&jit);
1991                         mathICGenerationState->slowPathStart = jit.label();
1992 #if ENABLE(MATH_IC_STATS)
1993                         auto slowPathStart = jit.label();
1994 #endif
1995
1996                         if (mathICGenerationState->shouldSlowPathRepatch) {
1997                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
1998                                 repatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
1999                             mathICGenerationState->slowPathCall = call.call();
2000                         } else {
2001                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
2002                                 exceptions.get(), nonRepatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr());
2003                             mathICGenerationState->slowPathCall = call.call();
2004                         }
2005                         jit.jump().linkTo(done, &jit);
2006
2007                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2008                             mathIC->finalizeInlineCode(*mathICGenerationState, linkBuffer);
2009                         });
2010
2011 #if ENABLE(MATH_IC_STATS)
2012                         auto slowPathEnd = jit.label();
2013                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2014                             size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
2015                             mathIC->m_generatedCodeSize += size;
2016                         });
2017 #endif
2018                     });
2019                 } else {
2020                     callOperation(
2021                         *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2022                         nonRepatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr());
2023                 }
2024
2025 #if ENABLE(MATH_IC_STATS)
2026                 auto inlineEnd = jit.label();
2027                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2028                     size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
2029                     mathIC->m_generatedCodeSize += size;
2030                 });
2031 #endif
2032             });
2033
2034         setJSValue(patchpoint);
2035     }
2036     
2037     void compileStrCat()
2038     {
2039         LValue result;
2040         if (m_node->child3()) {
2041             result = vmCall(
2042                 Int64, m_out.operation(operationStrCat3), m_callFrame,
2043                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
2044                 lowJSValue(m_node->child2(), ManualOperandSpeculation),
2045                 lowJSValue(m_node->child3(), ManualOperandSpeculation));
2046         } else {
2047             result = vmCall(
2048                 Int64, m_out.operation(operationStrCat2), m_callFrame,
2049                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
2050                 lowJSValue(m_node->child2(), ManualOperandSpeculation));
2051         }
2052         setJSValue(result);
2053     }
2054     
2055     void compileArithAddOrSub()
2056     {
2057         bool isSub =  m_node->op() == ArithSub;
2058         switch (m_node->binaryUseKind()) {
2059         case Int32Use: {
2060             LValue left = lowInt32(m_node->child1());
2061             LValue right = lowInt32(m_node->child2());
2062
2063             if (!shouldCheckOverflow(m_node->arithMode())) {
2064                 setInt32(isSub ? m_out.sub(left, right) : m_out.add(left, right));
2065                 break;
2066             }
2067
2068             CheckValue* result =
2069                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
2070             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2071             setInt32(result);
2072             break;
2073         }
2074             
2075         case Int52RepUse: {
2076             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)
2077                 && !abstractValue(m_node->child2()).couldBeType(SpecInt52Only)) {
2078                 Int52Kind kind;
2079                 LValue left = lowWhicheverInt52(m_node->child1(), kind);
2080                 LValue right = lowInt52(m_node->child2(), kind);
2081                 setInt52(isSub ? m_out.sub(left, right) : m_out.add(left, right), kind);
2082                 break;
2083             }
2084
2085             LValue left = lowInt52(m_node->child1());
2086             LValue right = lowInt52(m_node->child2());
2087             CheckValue* result =
2088                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
2089             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2090             setInt52(result);
2091             break;
2092         }
2093             
2094         case DoubleRepUse: {
2095             LValue C1 = lowDouble(m_node->child1());
2096             LValue C2 = lowDouble(m_node->child2());
2097
2098             setDouble(isSub ? m_out.doubleSub(C1, C2) : m_out.doubleAdd(C1, C2));
2099             break;
2100         }
2101
2102         case UntypedUse: {
2103             if (!isSub) {
2104                 DFG_CRASH(m_graph, m_node, "Bad use kind");
2105                 break;
2106             }
2107
2108             CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2109             ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(m_node->origin.semantic.bytecodeIndex);
2110             Instruction* instruction = &baselineCodeBlock->instructions()[m_node->origin.semantic.bytecodeIndex];
2111             auto repatchingFunction = operationValueSubOptimize;
2112             auto nonRepatchingFunction = operationValueSub;
2113             compileBinaryMathIC<JITSubGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
2114             break;
2115         }
2116
2117         default:
2118             DFG_CRASH(m_graph, m_node, "Bad use kind");
2119             break;
2120         }
2121     }
2122
2123     void compileArithClz32()
2124     {
2125         if (m_node->child1().useKind() == Int32Use || m_node->child1().useKind() == KnownInt32Use) {
2126             LValue operand = lowInt32(m_node->child1());
2127             setInt32(m_out.ctlz32(operand));
2128             return;
2129         }
2130         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2131         LValue argument = lowJSValue(m_node->child1());
2132         LValue result = vmCall(Int32, m_out.operation(operationArithClz32), m_callFrame, argument);
2133         setInt32(result);
2134     }
2135     
2136     void compileArithMul()
2137     {
2138         switch (m_node->binaryUseKind()) {
2139         case Int32Use: {
2140             LValue left = lowInt32(m_node->child1());
2141             LValue right = lowInt32(m_node->child2());
2142             
2143             LValue result;
2144
2145             if (!shouldCheckOverflow(m_node->arithMode()))
2146                 result = m_out.mul(left, right);
2147             else {
2148                 CheckValue* speculation = m_out.speculateMul(left, right);
2149                 blessSpeculation(speculation, Overflow, noValue(), nullptr, m_origin);
2150                 result = speculation;
2151             }
2152             
2153             if (shouldCheckNegativeZero(m_node->arithMode())) {
2154                 LBasicBlock slowCase = m_out.newBlock();
2155                 LBasicBlock continuation = m_out.newBlock();
2156                 
2157                 m_out.branch(
2158                     m_out.notZero32(result), usually(continuation), rarely(slowCase));
2159                 
2160                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
2161                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int32Zero));
2162                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int32Zero));
2163                 m_out.jump(continuation);
2164                 m_out.appendTo(continuation, lastNext);
2165             }
2166             
2167             setInt32(result);
2168             break;
2169         }
2170             
2171         case Int52RepUse: {
2172             Int52Kind kind;
2173             LValue left = lowWhicheverInt52(m_node->child1(), kind);
2174             LValue right = lowInt52(m_node->child2(), opposite(kind));
2175
2176             CheckValue* result = m_out.speculateMul(left, right);
2177             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2178
2179             if (shouldCheckNegativeZero(m_node->arithMode())) {
2180                 LBasicBlock slowCase = m_out.newBlock();
2181                 LBasicBlock continuation = m_out.newBlock();
2182                 
2183                 m_out.branch(
2184                     m_out.notZero64(result), usually(continuation), rarely(slowCase));
2185                 
2186                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
2187                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int64Zero));
2188                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int64Zero));
2189                 m_out.jump(continuation);
2190                 m_out.appendTo(continuation, lastNext);
2191             }
2192             
2193             setInt52(result);
2194             break;
2195         }
2196             
2197         case DoubleRepUse: {
2198             setDouble(
2199                 m_out.doubleMul(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2200             break;
2201         }
2202
2203         case UntypedUse: {
2204             CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2205             ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(m_node->origin.semantic.bytecodeIndex);
2206             Instruction* instruction = &baselineCodeBlock->instructions()[m_node->origin.semantic.bytecodeIndex];
2207             auto repatchingFunction = operationValueMulOptimize;
2208             auto nonRepatchingFunction = operationValueMul;
2209             compileBinaryMathIC<JITMulGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
2210             break;
2211         }
2212
2213         default:
2214             DFG_CRASH(m_graph, m_node, "Bad use kind");
2215             break;
2216         }
2217     }
2218
2219     void compileArithDiv()
2220     {
2221         switch (m_node->binaryUseKind()) {
2222         case Int32Use: {
2223             LValue numerator = lowInt32(m_node->child1());
2224             LValue denominator = lowInt32(m_node->child2());
2225
2226             if (shouldCheckNegativeZero(m_node->arithMode())) {
2227                 LBasicBlock zeroNumerator = m_out.newBlock();
2228                 LBasicBlock numeratorContinuation = m_out.newBlock();
2229
2230                 m_out.branch(
2231                     m_out.isZero32(numerator),
2232                     rarely(zeroNumerator), usually(numeratorContinuation));
2233
2234                 LBasicBlock innerLastNext = m_out.appendTo(zeroNumerator, numeratorContinuation);
2235
2236                 speculate(
2237                     NegativeZero, noValue(), 0, m_out.lessThan(denominator, m_out.int32Zero));
2238
2239                 m_out.jump(numeratorContinuation);
2240
2241                 m_out.appendTo(numeratorContinuation, innerLastNext);
2242             }
2243             
2244             if (shouldCheckOverflow(m_node->arithMode())) {
2245                 LBasicBlock unsafeDenominator = m_out.newBlock();
2246                 LBasicBlock continuation = m_out.newBlock();
2247
2248                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
2249                 m_out.branch(
2250                     m_out.above(adjustedDenominator, m_out.int32One),
2251                     usually(continuation), rarely(unsafeDenominator));
2252
2253                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
2254                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
2255                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
2256                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
2257                 m_out.jump(continuation);
2258
2259                 m_out.appendTo(continuation, lastNext);
2260                 LValue result = m_out.div(numerator, denominator);
2261                 speculate(
2262                     Overflow, noValue(), 0,
2263                     m_out.notEqual(m_out.mul(result, denominator), numerator));
2264                 setInt32(result);
2265             } else
2266                 setInt32(m_out.chillDiv(numerator, denominator));
2267
2268             break;
2269         }
2270             
2271         case DoubleRepUse: {
2272             setDouble(m_out.doubleDiv(
2273                 lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2274             break;
2275         }
2276
2277         case UntypedUse: {
2278             emitBinarySnippet<JITDivGenerator, NeedScratchFPR>(operationValueDiv);
2279             break;
2280         }
2281
2282         default:
2283             DFG_CRASH(m_graph, m_node, "Bad use kind");
2284             break;
2285         }
2286     }
2287     
2288     void compileArithMod()
2289     {
2290         switch (m_node->binaryUseKind()) {
2291         case Int32Use: {
2292             LValue numerator = lowInt32(m_node->child1());
2293             LValue denominator = lowInt32(m_node->child2());
2294
2295             LValue remainder;
2296             if (shouldCheckOverflow(m_node->arithMode())) {
2297                 LBasicBlock unsafeDenominator = m_out.newBlock();
2298                 LBasicBlock continuation = m_out.newBlock();
2299
2300                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
2301                 m_out.branch(
2302                     m_out.above(adjustedDenominator, m_out.int32One),
2303                     usually(continuation), rarely(unsafeDenominator));
2304
2305                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
2306                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
2307                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
2308                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
2309                 m_out.jump(continuation);
2310
2311                 m_out.appendTo(continuation, lastNext);
2312                 LValue result = m_out.mod(numerator, denominator);
2313                 remainder = result;
2314             } else
2315                 remainder = m_out.chillMod(numerator, denominator);
2316
2317             if (shouldCheckNegativeZero(m_node->arithMode())) {
2318                 LBasicBlock negativeNumerator = m_out.newBlock();
2319                 LBasicBlock numeratorContinuation = m_out.newBlock();
2320
2321                 m_out.branch(
2322                     m_out.lessThan(numerator, m_out.int32Zero),
2323                     unsure(negativeNumerator), unsure(numeratorContinuation));
2324
2325                 LBasicBlock innerLastNext = m_out.appendTo(negativeNumerator, numeratorContinuation);
2326
2327                 speculate(NegativeZero, noValue(), 0, m_out.isZero32(remainder));
2328
2329                 m_out.jump(numeratorContinuation);
2330
2331                 m_out.appendTo(numeratorContinuation, innerLastNext);
2332             }
2333
2334             setInt32(remainder);
2335             break;
2336         }
2337             
2338         case DoubleRepUse: {
2339             setDouble(
2340                 m_out.doubleMod(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2341             break;
2342         }
2343             
2344         default:
2345             DFG_CRASH(m_graph, m_node, "Bad use kind");
2346             break;
2347         }
2348     }
2349
2350     void compileArithMinOrMax()
2351     {
2352         switch (m_node->binaryUseKind()) {
2353         case Int32Use: {
2354             LValue left = lowInt32(m_node->child1());
2355             LValue right = lowInt32(m_node->child2());
2356             
2357             setInt32(
2358                 m_out.select(
2359                     m_node->op() == ArithMin
2360                         ? m_out.lessThan(left, right)
2361                         : m_out.lessThan(right, left),
2362                     left, right));
2363             break;
2364         }
2365             
2366         case DoubleRepUse: {
2367             LValue left = lowDouble(m_node->child1());
2368             LValue right = lowDouble(m_node->child2());
2369             
2370             LBasicBlock notLessThan = m_out.newBlock();
2371             LBasicBlock continuation = m_out.newBlock();
2372             
2373             Vector<ValueFromBlock, 2> results;
2374             
2375             results.append(m_out.anchor(left));
2376             m_out.branch(
2377                 m_node->op() == ArithMin
2378                     ? m_out.doubleLessThan(left, right)
2379                     : m_out.doubleGreaterThan(left, right),
2380                 unsure(continuation), unsure(notLessThan));
2381             
2382             LBasicBlock lastNext = m_out.appendTo(notLessThan, continuation);
2383             results.append(m_out.anchor(m_out.select(
2384                 m_node->op() == ArithMin
2385                     ? m_out.doubleGreaterThanOrEqual(left, right)
2386                     : m_out.doubleLessThanOrEqual(left, right),
2387                 right, m_out.constDouble(PNaN))));
2388             m_out.jump(continuation);
2389             
2390             m_out.appendTo(continuation, lastNext);
2391             setDouble(m_out.phi(Double, results));
2392             break;
2393         }
2394             
2395         default:
2396             DFG_CRASH(m_graph, m_node, "Bad use kind");
2397             break;
2398         }
2399     }
2400     
2401     void compileArithAbs()
2402     {
2403         switch (m_node->child1().useKind()) {
2404         case Int32Use: {
2405             LValue value = lowInt32(m_node->child1());
2406
2407             LValue mask = m_out.aShr(value, m_out.constInt32(31));
2408             LValue result = m_out.bitXor(mask, m_out.add(mask, value));
2409
2410             if (shouldCheckOverflow(m_node->arithMode()))
2411                 speculate(Overflow, noValue(), 0, m_out.lessThan(result, m_out.int32Zero));
2412
2413             setInt32(result);
2414             break;
2415         }
2416             
2417         case DoubleRepUse: {
2418             setDouble(m_out.doubleAbs(lowDouble(m_node->child1())));
2419             break;
2420         }
2421             
2422         default: {
2423             DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2424             LValue argument = lowJSValue(m_node->child1());
2425             LValue result = vmCall(Double, m_out.operation(operationArithAbs), m_callFrame, argument);
2426             setDouble(result);
2427             break;
2428         }
2429         }
2430     }
2431
2432     void compileArithUnary()
2433     {
2434         if (m_node->child1().useKind() == DoubleRepUse) {
2435             setDouble(m_out.doubleUnary(m_node->arithUnaryType(), lowDouble(m_node->child1())));
2436             return;
2437         }
2438         LValue argument = lowJSValue(m_node->child1());
2439         LValue result = vmCall(Double, m_out.operation(DFG::arithUnaryOperation(m_node->arithUnaryType())), m_callFrame, argument);
2440         setDouble(result);
2441     }
2442
2443     void compileArithPow()
2444     {
2445         if (m_node->child2().useKind() == Int32Use)
2446             setDouble(m_out.doublePowi(lowDouble(m_node->child1()), lowInt32(m_node->child2())));
2447         else {
2448             LValue base = lowDouble(m_node->child1());
2449             LValue exponent = lowDouble(m_node->child2());
2450
2451             LBasicBlock integerExponentIsSmallBlock = m_out.newBlock();
2452             LBasicBlock integerExponentPowBlock = m_out.newBlock();
2453             LBasicBlock doubleExponentPowBlockEntry = m_out.newBlock();
2454             LBasicBlock nanExceptionBaseIsOne = m_out.newBlock();
2455             LBasicBlock nanExceptionExponentIsInfinity = m_out.newBlock();
2456             LBasicBlock testExponentIsOneHalf = m_out.newBlock();
2457             LBasicBlock handleBaseZeroExponentIsOneHalf = m_out.newBlock();
2458             LBasicBlock handleInfinityForExponentIsOneHalf = m_out.newBlock();
2459             LBasicBlock exponentIsOneHalfNormal = m_out.newBlock();
2460             LBasicBlock exponentIsOneHalfInfinity = m_out.newBlock();
2461             LBasicBlock testExponentIsNegativeOneHalf = m_out.newBlock();
2462             LBasicBlock testBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
2463             LBasicBlock handleBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
2464             LBasicBlock handleInfinityForExponentIsNegativeOneHalf = m_out.newBlock();
2465             LBasicBlock exponentIsNegativeOneHalfNormal = m_out.newBlock();
2466             LBasicBlock exponentIsNegativeOneHalfInfinity = m_out.newBlock();
2467             LBasicBlock powBlock = m_out.newBlock();
2468             LBasicBlock nanExceptionResultIsNaN = m_out.newBlock();
2469             LBasicBlock continuation = m_out.newBlock();
2470
2471             LValue integerExponent = m_out.doubleToInt(exponent);
2472             LValue integerExponentConvertedToDouble = m_out.intToDouble(integerExponent);
2473             LValue exponentIsInteger = m_out.doubleEqual(exponent, integerExponentConvertedToDouble);
2474             m_out.branch(exponentIsInteger, unsure(integerExponentIsSmallBlock), unsure(doubleExponentPowBlockEntry));
2475
2476             LBasicBlock lastNext = m_out.appendTo(integerExponentIsSmallBlock, integerExponentPowBlock);
2477             LValue integerExponentBelowMax = m_out.belowOrEqual(integerExponent, m_out.constInt32(maxExponentForIntegerMathPow));
2478             m_out.branch(integerExponentBelowMax, usually(integerExponentPowBlock), rarely(doubleExponentPowBlockEntry));
2479
2480             m_out.appendTo(integerExponentPowBlock, doubleExponentPowBlockEntry);
2481             ValueFromBlock powDoubleIntResult = m_out.anchor(m_out.doublePowi(base, integerExponent));
2482             m_out.jump(continuation);
2483
2484             // If y is NaN, the result is NaN.
2485             m_out.appendTo(doubleExponentPowBlockEntry, nanExceptionBaseIsOne);
2486             LValue exponentIsNaN;
2487             if (provenType(m_node->child2()) & SpecDoubleNaN)
2488                 exponentIsNaN = m_out.doubleNotEqualOrUnordered(exponent, exponent);
2489             else
2490                 exponentIsNaN = m_out.booleanFalse;
2491             m_out.branch(exponentIsNaN, rarely(nanExceptionResultIsNaN), usually(nanExceptionBaseIsOne));
2492
2493             // If abs(x) is 1 and y is +infinity, the result is NaN.
2494             // If abs(x) is 1 and y is -infinity, the result is NaN.
2495
2496             //     Test if base == 1.
2497             m_out.appendTo(nanExceptionBaseIsOne, nanExceptionExponentIsInfinity);
2498             LValue absoluteBase = m_out.doubleAbs(base);
2499             LValue absoluteBaseIsOne = m_out.doubleEqual(absoluteBase, m_out.constDouble(1));
2500             m_out.branch(absoluteBaseIsOne, rarely(nanExceptionExponentIsInfinity), usually(testExponentIsOneHalf));
2501
2502             //     Test if abs(y) == Infinity.
2503             m_out.appendTo(nanExceptionExponentIsInfinity, testExponentIsOneHalf);
2504             LValue absoluteExponent = m_out.doubleAbs(exponent);
2505             LValue absoluteExponentIsInfinity = m_out.doubleEqual(absoluteExponent, m_out.constDouble(std::numeric_limits<double>::infinity()));
2506             m_out.branch(absoluteExponentIsInfinity, rarely(nanExceptionResultIsNaN), usually(testExponentIsOneHalf));
2507
2508             // If y == 0.5 or y == -0.5, handle it through SQRT.
2509             // We have be carefuly with -0 and -Infinity.
2510
2511             //     Test if y == 0.5
2512             m_out.appendTo(testExponentIsOneHalf, handleBaseZeroExponentIsOneHalf);
2513             LValue exponentIsOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(0.5));
2514             m_out.branch(exponentIsOneHalf, rarely(handleBaseZeroExponentIsOneHalf), usually(testExponentIsNegativeOneHalf));
2515
2516             //     Handle x == -0.
2517             m_out.appendTo(handleBaseZeroExponentIsOneHalf, handleInfinityForExponentIsOneHalf);
2518             LValue baseIsZeroExponentIsOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
2519             ValueFromBlock zeroResultExponentIsOneHalf = m_out.anchor(m_out.doubleZero);
2520             m_out.branch(baseIsZeroExponentIsOneHalf, rarely(continuation), usually(handleInfinityForExponentIsOneHalf));
2521
2522             //     Test if abs(x) == Infinity.
2523             m_out.appendTo(handleInfinityForExponentIsOneHalf, exponentIsOneHalfNormal);
2524             LValue absoluteBaseIsInfinityOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2525             m_out.branch(absoluteBaseIsInfinityOneHalf, rarely(exponentIsOneHalfInfinity), usually(exponentIsOneHalfNormal));
2526
2527             //     The exponent is 0.5, the base is finite or NaN, we can use SQRT.
2528             m_out.appendTo(exponentIsOneHalfNormal, exponentIsOneHalfInfinity);
2529             ValueFromBlock sqrtResult = m_out.anchor(m_out.doubleSqrt(base));
2530             m_out.jump(continuation);
2531
2532             //     The exponent is 0.5, the base is infinite, the result is always infinite.
2533             m_out.appendTo(exponentIsOneHalfInfinity, testExponentIsNegativeOneHalf);
2534             ValueFromBlock sqrtInfinityResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2535             m_out.jump(continuation);
2536
2537             //     Test if y == -0.5
2538             m_out.appendTo(testExponentIsNegativeOneHalf, testBaseZeroExponentIsNegativeOneHalf);
2539             LValue exponentIsNegativeOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(-0.5));
2540             m_out.branch(exponentIsNegativeOneHalf, rarely(testBaseZeroExponentIsNegativeOneHalf), usually(powBlock));
2541
2542             //     Handle x == -0.
2543             m_out.appendTo(testBaseZeroExponentIsNegativeOneHalf, handleBaseZeroExponentIsNegativeOneHalf);
2544             LValue baseIsZeroExponentIsNegativeOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
2545             m_out.branch(baseIsZeroExponentIsNegativeOneHalf, rarely(handleBaseZeroExponentIsNegativeOneHalf), usually(handleInfinityForExponentIsNegativeOneHalf));
2546
2547             m_out.appendTo(handleBaseZeroExponentIsNegativeOneHalf, handleInfinityForExponentIsNegativeOneHalf);
2548             ValueFromBlock oneOverSqrtZeroResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2549             m_out.jump(continuation);
2550
2551             //     Test if abs(x) == Infinity.
2552             m_out.appendTo(handleInfinityForExponentIsNegativeOneHalf, exponentIsNegativeOneHalfNormal);
2553             LValue absoluteBaseIsInfinityNegativeOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2554             m_out.branch(absoluteBaseIsInfinityNegativeOneHalf, rarely(exponentIsNegativeOneHalfInfinity), usually(exponentIsNegativeOneHalfNormal));
2555
2556             //     The exponent is -0.5, the base is finite or NaN, we can use 1/SQRT.
2557             m_out.appendTo(exponentIsNegativeOneHalfNormal, exponentIsNegativeOneHalfInfinity);
2558             LValue sqrtBase = m_out.doubleSqrt(base);
2559             ValueFromBlock oneOverSqrtResult = m_out.anchor(m_out.div(m_out.constDouble(1.), sqrtBase));
2560             m_out.jump(continuation);
2561
2562             //     The exponent is -0.5, the base is infinite, the result is always zero.
2563             m_out.appendTo(exponentIsNegativeOneHalfInfinity, powBlock);
2564             ValueFromBlock oneOverSqrtInfinityResult = m_out.anchor(m_out.doubleZero);
2565             m_out.jump(continuation);
2566
2567             m_out.appendTo(powBlock, nanExceptionResultIsNaN);
2568             ValueFromBlock powResult = m_out.anchor(m_out.doublePow(base, exponent));
2569             m_out.jump(continuation);
2570
2571             m_out.appendTo(nanExceptionResultIsNaN, continuation);
2572             ValueFromBlock pureNan = m_out.anchor(m_out.constDouble(PNaN));
2573             m_out.jump(continuation);
2574
2575             m_out.appendTo(continuation, lastNext);
2576             setDouble(m_out.phi(Double, powDoubleIntResult, zeroResultExponentIsOneHalf, sqrtResult, sqrtInfinityResult, oneOverSqrtZeroResult, oneOverSqrtResult, oneOverSqrtInfinityResult, powResult, pureNan));
2577         }
2578     }
2579
2580     void compileArithRandom()
2581     {
2582         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
2583
2584         // Inlined WeakRandom::advance().
2585         // uint64_t x = m_low;
2586         void* lowAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::lowOffset();
2587         LValue low = m_out.load64(m_out.absolute(lowAddress));
2588         // uint64_t y = m_high;
2589         void* highAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::highOffset();
2590         LValue high = m_out.load64(m_out.absolute(highAddress));
2591         // m_low = y;
2592         m_out.store64(high, m_out.absolute(lowAddress));
2593
2594         // x ^= x << 23;
2595         LValue phase1 = m_out.bitXor(m_out.shl(low, m_out.constInt64(23)), low);
2596
2597         // x ^= x >> 17;
2598         LValue phase2 = m_out.bitXor(m_out.lShr(phase1, m_out.constInt64(17)), phase1);
2599
2600         // x ^= y ^ (y >> 26);
2601         LValue phase3 = m_out.bitXor(m_out.bitXor(high, m_out.lShr(high, m_out.constInt64(26))), phase2);
2602
2603         // m_high = x;
2604         m_out.store64(phase3, m_out.absolute(highAddress));
2605
2606         // return x + y;
2607         LValue random64 = m_out.add(phase3, high);
2608
2609         // Extract random 53bit. [0, 53] bit is safe integer number ranges in double representation.
2610         LValue random53 = m_out.bitAnd(random64, m_out.constInt64((1ULL << 53) - 1));
2611
2612         LValue double53Integer = m_out.intToDouble(random53);
2613
2614         // Convert `(53bit double integer value) / (1 << 53)` to `(53bit double integer value) * (1.0 / (1 << 53))`.
2615         // In latter case, `1.0 / (1 << 53)` will become a double value represented as (mantissa = 0 & exp = 970, it means 1e-(2**54)).
2616         static const double scale = 1.0 / (1ULL << 53);
2617
2618         // Multiplying 1e-(2**54) with the double integer does not change anything of the mantissa part of the double integer.
2619         // It just reduces the exp part of the given 53bit double integer.
2620         // (Except for 0.0. This is specially handled and in this case, exp just becomes 0.)
2621         // Now we get 53bit precision random double value in [0, 1).
2622         LValue result = m_out.doubleMul(double53Integer, m_out.constDouble(scale));
2623
2624         setDouble(result);
2625     }
2626
2627     void compileArithRound()
2628     {
2629         if (m_node->child1().useKind() == DoubleRepUse) {
2630             LValue result = nullptr;
2631             if (producesInteger(m_node->arithRoundingMode()) && !shouldCheckNegativeZero(m_node->arithRoundingMode())) {
2632                 LValue value = lowDouble(m_node->child1());
2633                 result = m_out.doubleFloor(m_out.doubleAdd(value, m_out.constDouble(0.5)));
2634             } else {
2635                 LBasicBlock realPartIsMoreThanHalf = m_out.newBlock();
2636                 LBasicBlock continuation = m_out.newBlock();
2637
2638                 LValue value = lowDouble(m_node->child1());
2639                 LValue integerValue = m_out.doubleCeil(value);
2640                 ValueFromBlock integerValueResult = m_out.anchor(integerValue);
2641
2642                 LValue realPart = m_out.doubleSub(integerValue, value);
2643
2644                 m_out.branch(m_out.doubleGreaterThanOrUnordered(realPart, m_out.constDouble(0.5)), unsure(realPartIsMoreThanHalf), unsure(continuation));
2645
2646                 LBasicBlock lastNext = m_out.appendTo(realPartIsMoreThanHalf, continuation);
2647                 LValue integerValueRoundedDown = m_out.doubleSub(integerValue, m_out.constDouble(1));
2648                 ValueFromBlock integerValueRoundedDownResult = m_out.anchor(integerValueRoundedDown);
2649                 m_out.jump(continuation);
2650                 m_out.appendTo(continuation, lastNext);
2651
2652                 result = m_out.phi(Double, integerValueResult, integerValueRoundedDownResult);
2653             }
2654
2655             if (producesInteger(m_node->arithRoundingMode())) {
2656                 LValue integerValue = convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode()));
2657                 setInt32(integerValue);
2658             } else
2659                 setDouble(result);
2660             return;
2661         }
2662
2663         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2664         LValue argument = lowJSValue(m_node->child1());
2665         setJSValue(vmCall(Int64, m_out.operation(operationArithRound), m_callFrame, argument));
2666     }
2667
2668     void compileArithFloor()
2669     {
2670         if (m_node->child1().useKind() == DoubleRepUse) {
2671             LValue value = lowDouble(m_node->child1());
2672             LValue integerValue = m_out.doubleFloor(value);
2673             if (producesInteger(m_node->arithRoundingMode()))
2674                 setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2675             else
2676                 setDouble(integerValue);
2677             return;
2678         }
2679         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2680         LValue argument = lowJSValue(m_node->child1());
2681         setJSValue(vmCall(Int64, m_out.operation(operationArithFloor), m_callFrame, argument));
2682     }
2683
2684     void compileArithCeil()
2685     {
2686         if (m_node->child1().useKind() == DoubleRepUse) {
2687             LValue value = lowDouble(m_node->child1());
2688             LValue integerValue = m_out.doubleCeil(value);
2689             if (producesInteger(m_node->arithRoundingMode()))
2690                 setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2691             else
2692                 setDouble(integerValue);
2693             return;
2694         }
2695         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2696         LValue argument = lowJSValue(m_node->child1());
2697         setJSValue(vmCall(Int64, m_out.operation(operationArithCeil), m_callFrame, argument));
2698     }
2699
2700     void compileArithTrunc()
2701     {
2702         if (m_node->child1().useKind() == DoubleRepUse) {
2703             LValue value = lowDouble(m_node->child1());
2704             LValue result = m_out.doubleTrunc(value);
2705             if (producesInteger(m_node->arithRoundingMode()))
2706                 setInt32(convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2707             else
2708                 setDouble(result);
2709             return;
2710         }
2711         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2712         LValue argument = lowJSValue(m_node->child1());
2713         setJSValue(vmCall(Int64, m_out.operation(operationArithTrunc), m_callFrame, argument));
2714     }
2715
2716     void compileArithSqrt()
2717     {
2718         if (m_node->child1().useKind() == DoubleRepUse) {
2719             setDouble(m_out.doubleSqrt(lowDouble(m_node->child1())));
2720             return;
2721         }
2722         LValue argument = lowJSValue(m_node->child1());
2723         LValue result = vmCall(Double, m_out.operation(operationArithSqrt), m_callFrame, argument);
2724         setDouble(result);
2725     }
2726
2727     void compileArithFRound()
2728     {
2729         if (m_node->child1().useKind() == DoubleRepUse) {
2730             setDouble(m_out.fround(lowDouble(m_node->child1())));
2731             return;
2732         }
2733         LValue argument = lowJSValue(m_node->child1());
2734         LValue result = vmCall(Double, m_out.operation(operationArithFRound), m_callFrame, argument);
2735         setDouble(result);
2736     }
2737
2738     void compileValueNegate()
2739     {
2740         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse);
2741         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2742         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(m_node->origin.semantic.bytecodeIndex);
2743         Instruction* instruction = &baselineCodeBlock->instructions()[m_node->origin.semantic.bytecodeIndex];
2744         auto repatchingFunction = operationArithNegateOptimize;
2745         auto nonRepatchingFunction = operationArithNegate;
2746         compileUnaryMathIC<JITNegGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
2747     }
2748
2749     void compileArithNegate()
2750     {
2751         switch (m_node->child1().useKind()) {
2752         case Int32Use: {
2753             LValue value = lowInt32(m_node->child1());
2754             
2755             LValue result;
2756             if (!shouldCheckOverflow(m_node->arithMode()))
2757                 result = m_out.neg(value);
2758             else if (!shouldCheckNegativeZero(m_node->arithMode())) {
2759                 CheckValue* check = m_out.speculateSub(m_out.int32Zero, value);
2760                 blessSpeculation(check, Overflow, noValue(), nullptr, m_origin);
2761                 result = check;
2762             } else {
2763                 speculate(Overflow, noValue(), 0, m_out.testIsZero32(value, m_out.constInt32(0x7fffffff)));
2764                 result = m_out.neg(value);
2765             }
2766
2767             setInt32(result);
2768             break;
2769         }
2770             
2771         case Int52RepUse: {
2772             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)) {
2773                 Int52Kind kind;
2774                 LValue value = lowWhicheverInt52(m_node->child1(), kind);
2775                 LValue result = m_out.neg(value);
2776                 if (shouldCheckNegativeZero(m_node->arithMode()))
2777                     speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
2778                 setInt52(result, kind);
2779                 break;
2780             }
2781             
2782             LValue value = lowInt52(m_node->child1());
2783             CheckValue* result = m_out.speculateSub(m_out.int64Zero, value);
2784             blessSpeculation(result, Int52Overflow, noValue(), nullptr, m_origin);
2785             if (shouldCheckNegativeZero(m_node->arithMode()))
2786                 speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
2787             setInt52(result);
2788             break;
2789         }
2790             
2791         case DoubleRepUse: {
2792             setDouble(m_out.doubleNeg(lowDouble(m_node->child1())));
2793             break;
2794         }
2795             
2796         default:
2797             DFG_CRASH(m_graph, m_node, "Bad use kind");
2798             break;
2799         }
2800     }
2801     
2802     void compileBitAnd()
2803     {
2804         if (m_node->isBinaryUseKind(UntypedUse)) {
2805             emitBinaryBitOpSnippet<JITBitAndGenerator>(operationValueBitAnd);
2806             return;
2807         }
2808         setInt32(m_out.bitAnd(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2809     }
2810     
2811     void compileBitOr()
2812     {
2813         if (m_node->isBinaryUseKind(UntypedUse)) {
2814             emitBinaryBitOpSnippet<JITBitOrGenerator>(operationValueBitOr);
2815             return;
2816         }
2817         setInt32(m_out.bitOr(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2818     }
2819     
2820     void compileBitXor()
2821     {
2822         if (m_node->isBinaryUseKind(UntypedUse)) {
2823             emitBinaryBitOpSnippet<JITBitXorGenerator>(operationValueBitXor);
2824             return;
2825         }
2826         setInt32(m_out.bitXor(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2827     }
2828     
2829     void compileBitRShift()
2830     {
2831         if (m_node->isBinaryUseKind(UntypedUse)) {
2832             emitRightShiftSnippet(JITRightShiftGenerator::SignedShift);
2833             return;
2834         }
2835         setInt32(m_out.aShr(
2836             lowInt32(m_node->child1()),
2837             m_out.bitAnd(lowInt32(m_node->child2()), m_out.constInt32(31))));
2838     }
2839     
2840     void compileBitLShift()
2841     {
2842         if (m_node->isBinaryUseKind(UntypedUse)) {
2843             emitBinaryBitOpSnippet<JITLeftShiftGenerator>(operationValueBitLShift);
2844             return;
2845         }
2846         setInt32(m_out.shl(
2847             lowInt32(m_node->child1()),
2848             m_out.bitAnd(lowInt32(m_node->child2()), m_out.constInt32(31))));
2849     }
2850     
2851     void compileBitURShift()
2852     {
2853         if (m_node->isBinaryUseKind(UntypedUse)) {
2854             emitRightShiftSnippet(JITRightShiftGenerator::UnsignedShift);
2855             return;
2856         }
2857         setInt32(m_out.lShr(
2858             lowInt32(m_node->child1()),
2859             m_out.bitAnd(lowInt32(m_node->child2()), m_out.constInt32(31))));
2860     }
2861     
2862     void compileUInt32ToNumber()
2863     {
2864         LValue value = lowInt32(m_node->child1());
2865
2866         if (doesOverflow(m_node->arithMode())) {
2867             setStrictInt52(m_out.zeroExtPtr(value));
2868             return;
2869         }
2870
2871         speculate(Overflow, noValue(), 0, m_out.lessThan(value, m_out.int32Zero));
2872         setInt32(value);
2873     }
2874     
2875     void compileCheckStructure()
2876     {
2877         ExitKind exitKind;
2878         if (m_node->child1()->hasConstant())
2879             exitKind = BadConstantCache;
2880         else
2881             exitKind = BadCache;
2882
2883         switch (m_node->child1().useKind()) {
2884         case CellUse:
2885         case KnownCellUse: {
2886             LValue cell = lowCell(m_node->child1());
2887             
2888             checkStructure(
2889                 m_out.load32(cell, m_heaps.JSCell_structureID), jsValueValue(cell),
2890                 exitKind, m_node->structureSet(),
2891                 [&] (RegisteredStructure structure) {
2892                     return weakStructureID(structure);
2893                 });
2894             return;
2895         }
2896
2897         case CellOrOtherUse: {
2898             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
2899
2900             LBasicBlock cellCase = m_out.newBlock();
2901             LBasicBlock notCellCase = m_out.newBlock();
2902             LBasicBlock continuation = m_out.newBlock();
2903
2904             m_out.branch(
2905                 isCell(value, provenType(m_node->child1())), unsure(cellCase), unsure(notCellCase));
2906
2907             LBasicBlock lastNext = m_out.appendTo(cellCase, notCellCase);
2908             checkStructure(
2909                 m_out.load32(value, m_heaps.JSCell_structureID), jsValueValue(value),
2910                 exitKind, m_node->structureSet(),
2911                 [&] (RegisteredStructure structure) {
2912                     return weakStructureID(structure);
2913                 });
2914             m_out.jump(continuation);
2915
2916             m_out.appendTo(notCellCase, continuation);
2917             FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), SpecCell | SpecOther, isNotOther(value));
2918             m_out.jump(continuation);
2919
2920             m_out.appendTo(continuation, lastNext);
2921             return;
2922         }
2923
2924         default:
2925             DFG_CRASH(m_graph, m_node, "Bad use kind");
2926             return;
2927         }
2928     }
2929
2930     void compileCheckStructureOrEmpty()
2931     {
2932         ExitKind exitKind;
2933         if (m_node->child1()->hasConstant())
2934             exitKind = BadConstantCache;
2935         else
2936             exitKind = BadCache;
2937
2938         LValue cell = lowCell(m_node->child1());
2939         bool maySeeEmptyValue = m_interpreter.forNode(m_node->child1()).m_type & SpecEmpty;
2940         LBasicBlock notEmpty;
2941         LBasicBlock continuation;
2942         LBasicBlock lastNext;
2943         if (maySeeEmptyValue) {
2944             notEmpty = m_out.newBlock();
2945             continuation = m_out.newBlock();
2946             m_out.branch(m_out.isZero64(cell), unsure(continuation), unsure(notEmpty));
2947             lastNext = m_out.appendTo(notEmpty, continuation);
2948         }
2949
2950         checkStructure(
2951             m_out.load32(cell, m_heaps.JSCell_structureID), jsValueValue(cell),
2952             exitKind, m_node->structureSet(),
2953             [&] (RegisteredStructure structure) {
2954                 return weakStructureID(structure);
2955             });
2956
2957         if (maySeeEmptyValue) {
2958             m_out.jump(continuation);
2959             m_out.appendTo(continuation, lastNext);
2960         }
2961     }
2962     
2963     void compileCheckCell()
2964     {
2965         LValue cell = lowCell(m_node->child1());
2966         
2967         speculate(
2968             BadCell, jsValueValue(cell), m_node->child1().node(),
2969             m_out.notEqual(cell, weakPointer(m_node->cellOperand()->cell())));
2970     }
2971     
2972     void compileCheckBadCell()
2973     {
2974         terminate(BadCell);
2975     }
2976
2977     void compileCheckNotEmpty()
2978     {
2979         speculate(TDZFailure, noValue(), nullptr, m_out.isZero64(lowJSValue(m_node->child1())));
2980     }
2981
2982     void compileAssertNotEmpty()
2983     {
2984         if (!validationEnabled())
2985             return;
2986
2987         PatchpointValue* patchpoint = m_out.patchpoint(Void);
2988         patchpoint->appendSomeRegister(lowJSValue(m_node->child1()));
2989         patchpoint->setGenerator(
2990             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
2991                 AllowMacroScratchRegisterUsage allowScratch(jit);
2992                 GPRReg input =  params[0].gpr();
2993                 CCallHelpers::Jump done = jit.branchIfNotEmpty(input);
2994                 jit.breakpoint();
2995                 done.link(&jit);
2996             });
2997     }
2998
2999     void compileCheckStringIdent()
3000     {
3001         UniquedStringImpl* uid = m_node->uidOperand();
3002         LValue stringImpl = lowStringIdent(m_node->child1());
3003         speculate(BadIdent, noValue(), nullptr, m_out.notEqual(stringImpl, m_out.constIntPtr(uid)));
3004     }
3005
3006     void compileGetExecutable()
3007     {
3008         LValue cell = lowCell(m_node->child1());
3009         speculateFunction(m_node->child1(), cell);
3010         setJSValue(
3011             m_out.bitXor(
3012                 m_out.loadPtr(cell, m_heaps.JSFunction_executable),
3013                 m_out.constIntPtr(JSFunctionPoison::key())));
3014     }
3015     
3016     void compileArrayify()
3017     {
3018         LValue cell = lowCell(m_node->child1());
3019         LValue property = !!m_node->child2() ? lowInt32(m_node->child2()) : 0;
3020         
3021         LBasicBlock unexpectedStructure = m_out.newBlock();
3022         LBasicBlock continuation = m_out.newBlock();
3023         
3024         auto isUnexpectedArray = [&] (LValue cell) {
3025             if (m_node->op() == Arrayify)
3026                 return m_out.logicalNot(isArrayTypeForArrayify(cell, m_node->arrayMode()));
3027
3028             ASSERT(m_node->op() == ArrayifyToStructure);
3029             return m_out.notEqual(m_out.load32(cell, m_heaps.JSCell_structureID), weakStructureID(m_node->structure()));
3030         };
3031
3032         m_out.branch(isUnexpectedArray(cell), rarely(unexpectedStructure), usually(continuation));
3033
3034         LBasicBlock lastNext = m_out.appendTo(unexpectedStructure, continuation);
3035         
3036         if (property) {
3037             switch (m_node->arrayMode().type()) {
3038             case Array::Int32:
3039             case Array::Double:
3040             case Array::Contiguous:
3041                 speculate(
3042                     Uncountable, noValue(), 0,
3043                     m_out.aboveOrEqual(property, m_out.constInt32(MIN_SPARSE_ARRAY_INDEX)));
3044                 break;
3045             default:
3046                 break;
3047             }
3048         }
3049         
3050         switch (m_node->arrayMode().type()) {
3051         case Array::Int32:
3052             vmCall(Void, m_out.operation(operationEnsureInt32), m_callFrame, cell);
3053             break;
3054         case Array::Double:
3055             vmCall(Void, m_out.operation(operationEnsureDouble), m_callFrame, cell);
3056             break;
3057         case Array::Contiguous:
3058             vmCall(Void, m_out.operation(operationEnsureContiguous), m_callFrame, cell);
3059             break;
3060         case Array::ArrayStorage:
3061         case Array::SlowPutArrayStorage:
3062             vmCall(Void, m_out.operation(operationEnsureArrayStorage), m_callFrame, cell);
3063             break;
3064         default:
3065             DFG_CRASH(m_graph, m_node, "Bad array type");
3066             break;
3067         }
3068         
3069         speculate(BadIndexingType, jsValueValue(cell), 0, isUnexpectedArray(cell));
3070         m_out.jump(continuation);
3071         
3072         m_out.appendTo(continuation, lastNext);
3073     }
3074     
3075     void compilePutStructure()
3076     {
3077         m_ftlState.jitCode->common.notifyCompilingStructureTransition(m_graph.m_plan, codeBlock(), m_node);
3078         
3079         RegisteredStructure oldStructure = m_node->transition()->previous;
3080         RegisteredStructure newStructure = m_node->transition()->next;
3081         ASSERT_UNUSED(oldStructure, oldStructure->indexingMode() == newStructure->indexingMode());
3082         ASSERT(oldStructure->typeInfo().inlineTypeFlags() == newStructure->typeInfo().inlineTypeFlags());
3083         ASSERT(oldStructure->typeInfo().type() == newStructure->typeInfo().type());
3084
3085         LValue cell = lowCell(m_node->child1()); 
3086         m_out.store32(
3087             weakStructureID(newStructure),
3088             cell, m_heaps.JSCell_structureID);
3089     }
3090     
3091     void compileGetById(AccessType type)
3092     {
3093         ASSERT(type == AccessType::Get || type == AccessType::TryGet || type == AccessType::GetDirect);
3094         switch (m_node->child1().useKind()) {
3095         case CellUse: {
3096             setJSValue(getById(lowCell(m_node->child1()), type));
3097             return;
3098         }
3099             
3100         case UntypedUse: {
3101             // This is pretty weird, since we duplicate the slow path both here and in the
3102             // code generated by the IC. We should investigate making this less bad.
3103             // https://bugs.webkit.org/show_bug.cgi?id=127830
3104             LValue value = lowJSValue(m_node->child1());
3105             
3106             LBasicBlock cellCase = m_out.newBlock();
3107             LBasicBlock notCellCase = m_out.newBlock();
3108             LBasicBlock continuation = m_out.newBlock();
3109             
3110             m_out.branch(
3111                 isCell(value, provenType(m_node->child1())), unsure(cellCase), unsure(notCellCase));
3112             
3113             LBasicBlock lastNext = m_out.appendTo(cellCase, notCellCase);
3114             ValueFromBlock cellResult = m_out.anchor(getById(value, type));
3115             m_out.jump(continuation);
3116
3117             J_JITOperation_EJI getByIdFunction = appropriateGenericGetByIdFunction(type);
3118
3119             m_out.appendTo(notCellCase, continuation);
3120             ValueFromBlock notCellResult = m_out.anchor(vmCall(
3121                 Int64, m_out.operation(getByIdFunction),
3122                 m_callFrame, value,
3123                 m_out.constIntPtr(m_graph.identifiers()[m_node->identifierNumber()])));
3124             m_out.jump(continuation);
3125             
3126             m_out.appendTo(continuation, lastNext);
3127             setJSValue(m_out.phi(Int64, cellResult, notCellResult));
3128             return;
3129         }
3130             
3131         default:
3132             DFG_CRASH(m_graph, m_node, "Bad use kind");
3133             return;
3134         }
3135     }
3136
3137     void compileGetByIdWithThis()
3138     {
3139         if (m_node->child1().useKind() == CellUse && m_node->child2().useKind() == CellUse)
3140             setJSValue(getByIdWithThis(lowCell(m_node->child1()), lowCell(m_node->child2())));
3141         else {
3142             LValue base = lowJSValue(m_node->child1());
3143             LValue thisValue = lowJSValue(m_node->child2());
3144             
3145             LBasicBlock baseCellCase = m_out.newBlock();
3146             LBasicBlock notCellCase = m_out.newBlock();
3147             LBasicBlock thisValueCellCase = m_out.newBlock();