867bd77b8584666aad29972445d447bf6e3fea9f
[WebKit-https.git] / Source / JavaScriptCore / ftl / FTLLowerDFGToB3.cpp
1 /*
2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "FTLLowerDFGToB3.h"
28
29 #if ENABLE(FTL_JIT)
30
31 #include "AirCode.h"
32 #include "AirGenerationContext.h"
33 #include "AllowMacroScratchRegisterUsage.h"
34 #include "AllowMacroScratchRegisterUsageIf.h"
35 #include "AtomicsObject.h"
36 #include "B3CheckValue.h"
37 #include "B3FenceValue.h"
38 #include "B3PatchpointValue.h"
39 #include "B3SlotBaseValue.h"
40 #include "B3StackmapGenerationParams.h"
41 #include "B3ValueInlines.h"
42 #include "CallFrameShuffler.h"
43 #include "CodeBlockWithJITType.h"
44 #include "DFGAbstractInterpreterInlines.h"
45 #include "DFGCapabilities.h"
46 #include "DFGDoesGC.h"
47 #include "DFGDominators.h"
48 #include "DFGInPlaceAbstractState.h"
49 #include "DFGLivenessAnalysisPhase.h"
50 #include "DFGMayExit.h"
51 #include "DFGOSRAvailabilityAnalysisPhase.h"
52 #include "DFGOSRExitFuzz.h"
53 #include "DirectArguments.h"
54 #include "FTLAbstractHeapRepository.h"
55 #include "FTLAvailableRecovery.h"
56 #include "FTLExceptionTarget.h"
57 #include "FTLForOSREntryJITCode.h"
58 #include "FTLFormattedValue.h"
59 #include "FTLLazySlowPathCall.h"
60 #include "FTLLoweredNodeValue.h"
61 #include "FTLOperations.h"
62 #include "FTLOutput.h"
63 #include "FTLPatchpointExceptionHandle.h"
64 #include "FTLSnippetParams.h"
65 #include "FTLThunks.h"
66 #include "FTLWeightedTarget.h"
67 #include "JITAddGenerator.h"
68 #include "JITBitAndGenerator.h"
69 #include "JITBitOrGenerator.h"
70 #include "JITBitXorGenerator.h"
71 #include "JITDivGenerator.h"
72 #include "JITInlineCacheGenerator.h"
73 #include "JITLeftShiftGenerator.h"
74 #include "JITMathIC.h"
75 #include "JITMulGenerator.h"
76 #include "JITRightShiftGenerator.h"
77 #include "JITSubGenerator.h"
78 #include "JSAsyncFunction.h"
79 #include "JSAsyncGeneratorFunction.h"
80 #include "JSCInlines.h"
81 #include "JSGenerator.h"
82 #include "JSGeneratorFunction.h"
83 #include "JSImmutableButterfly.h"
84 #include "JSLexicalEnvironment.h"
85 #include "JSMap.h"
86 #include "OperandsInlines.h"
87 #include "ProbeContext.h"
88 #include "RegExpObject.h"
89 #include "ScopedArguments.h"
90 #include "ScopedArgumentsTable.h"
91 #include "ScratchRegisterAllocator.h"
92 #include "SetupVarargsFrame.h"
93 #include "ShadowChicken.h"
94 #include "StructureStubInfo.h"
95 #include "SuperSampler.h"
96 #include "ThunkGenerators.h"
97 #include "VirtualRegister.h"
98 #include "Watchdog.h"
99 #include <atomic>
100 #include <wtf/Box.h>
101 #include <wtf/Gigacage.h>
102 #include <wtf/RecursableLambda.h>
103 #include <wtf/StdUnorderedSet.h>
104
105 #undef RELEASE_ASSERT
106 #define RELEASE_ASSERT(assertion) do { \
107     if (!(assertion)) { \
108         WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, #assertion); \
109         CRASH(); \
110     } \
111 } while (0)
112
113 namespace JSC { namespace FTL {
114
115 using namespace B3;
116 using namespace DFG;
117
118 namespace {
119
120 std::atomic<int> compileCounter;
121
122 #if !ASSERT_DISABLED
123 NO_RETURN_DUE_TO_CRASH static void ftlUnreachable(
124     CodeBlock* codeBlock, BlockIndex blockIndex, unsigned nodeIndex)
125 {
126     dataLog("Crashing in thought-to-be-unreachable FTL-generated code for ", pointerDump(codeBlock), " at basic block #", blockIndex);
127     if (nodeIndex != UINT_MAX)
128         dataLog(", node @", nodeIndex);
129     dataLog(".\n");
130     CRASH();
131 }
132 #endif
133
134 // Using this instead of typeCheck() helps to reduce the load on B3, by creating
135 // significantly less dead code.
136 #define FTL_TYPE_CHECK_WITH_EXIT_KIND(exitKind, lowValue, highValue, typesPassedThrough, failCondition) do { \
137         FormattedValue _ftc_lowValue = (lowValue);                      \
138         Edge _ftc_highValue = (highValue);                              \
139         SpeculatedType _ftc_typesPassedThrough = (typesPassedThrough);  \
140         if (!m_interpreter.needsTypeCheck(_ftc_highValue, _ftc_typesPassedThrough)) \
141             break;                                                      \
142         typeCheck(_ftc_lowValue, _ftc_highValue, _ftc_typesPassedThrough, (failCondition), exitKind); \
143     } while (false)
144
145 #define FTL_TYPE_CHECK(lowValue, highValue, typesPassedThrough, failCondition) \
146     FTL_TYPE_CHECK_WITH_EXIT_KIND(BadType, lowValue, highValue, typesPassedThrough, failCondition)
147
148 class LowerDFGToB3 {
149     WTF_MAKE_NONCOPYABLE(LowerDFGToB3);
150 public:
151     LowerDFGToB3(State& state)
152         : m_graph(state.graph)
153         , m_ftlState(state)
154         , m_out(state)
155         , m_proc(*state.proc)
156         , m_availabilityCalculator(m_graph)
157         , m_state(state.graph)
158         , m_interpreter(state.graph, m_state)
159         , m_indexMaskingMode(Options::enableSpectreMitigations() ?  IndexMaskingEnabled : IndexMaskingDisabled)
160     {
161         if (Options::validateAbstractInterpreterState()) {
162             performLivenessAnalysis(m_graph);
163
164             // We only use node liveness here, not combined liveness, as we only track
165             // AI state for live nodes.
166             for (DFG::BasicBlock* block : m_graph.blocksInNaturalOrder()) {
167                 NodeSet live;
168
169                 for (NodeFlowProjection node : block->ssa->liveAtTail) {
170                     if (node.kind() == NodeFlowProjection::Primary)
171                         live.addVoid(node.node());
172                 }
173
174                 for (unsigned i = block->size(); i--; ) {
175                     Node* node = block->at(i);
176                     live.remove(node);
177                     m_graph.doToChildren(node, [&] (Edge child) {
178                         live.addVoid(child.node());
179                     });
180                     m_liveInToNode.add(node, live);
181                 }
182             }
183         }
184     }
185     
186     void lower()
187     {
188         State* state = &m_ftlState;
189         
190         CString name;
191         if (verboseCompilationEnabled()) {
192             name = toCString(
193                 "jsBody_", ++compileCounter, "_", codeBlock()->inferredName(),
194                 "_", codeBlock()->hash());
195         } else
196             name = "jsBody";
197
198         {
199             m_proc.setNumEntrypoints(m_graph.m_numberOfEntrypoints);
200             CodeBlock* codeBlock = m_graph.m_codeBlock;
201
202             Ref<B3::Air::PrologueGenerator> catchPrologueGenerator = createSharedTask<B3::Air::PrologueGeneratorFunction>(
203                 [codeBlock] (CCallHelpers& jit, B3::Air::Code& code) {
204                     AllowMacroScratchRegisterUsage allowScratch(jit);
205                     jit.addPtr(CCallHelpers::TrustedImm32(-code.frameSize()), GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister);
206                     if (Options::zeroStackFrame())
207                         jit.clearStackFrame(GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister, GPRInfo::regT0, code.frameSize());
208
209                     jit.emitSave(code.calleeSaveRegisterAtOffsetList());
210                     jit.emitPutToCallFrameHeader(codeBlock, CallFrameSlot::codeBlock);
211                 });
212
213             for (unsigned catchEntrypointIndex : m_graph.m_entrypointIndexToCatchBytecodeOffset.keys()) {
214                 RELEASE_ASSERT(catchEntrypointIndex != 0);
215                 m_proc.code().setPrologueForEntrypoint(catchEntrypointIndex, catchPrologueGenerator.copyRef());
216             }
217
218             if (m_graph.m_maxLocalsForCatchOSREntry) {
219                 uint32_t numberOfLiveLocals = std::max(*m_graph.m_maxLocalsForCatchOSREntry, 1u); // Make sure we always allocate a non-null catchOSREntryBuffer.
220                 m_ftlState.jitCode->common.catchOSREntryBuffer = m_graph.m_vm.scratchBufferForSize(sizeof(JSValue) * numberOfLiveLocals);
221             }
222         }
223         
224         m_graph.ensureSSADominators();
225
226         if (verboseCompilationEnabled())
227             dataLog("Function ready, beginning lowering.\n");
228
229         m_out.initialize(m_heaps);
230
231         // We use prologue frequency for all of the initialization code.
232         m_out.setFrequency(1);
233         
234         bool hasMultipleEntrypoints = m_graph.m_numberOfEntrypoints > 1;
235     
236         LBasicBlock prologue = m_out.newBlock();
237         LBasicBlock callEntrypointArgumentSpeculations = hasMultipleEntrypoints ? m_out.newBlock() : nullptr;
238         m_handleExceptions = m_out.newBlock();
239
240         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
241             m_highBlock = m_graph.block(blockIndex);
242             if (!m_highBlock)
243                 continue;
244             m_out.setFrequency(m_highBlock->executionCount);
245             m_blocks.add(m_highBlock, m_out.newBlock());
246         }
247
248         // Back to prologue frequency for any bocks that get sneakily created in the initialization code.
249         m_out.setFrequency(1);
250         
251         m_out.appendTo(prologue, hasMultipleEntrypoints ? callEntrypointArgumentSpeculations : m_handleExceptions);
252         m_out.initializeConstants(m_proc, prologue);
253         createPhiVariables();
254
255         size_t sizeOfCaptured = sizeof(JSValue) * m_graph.m_nextMachineLocal;
256         B3::SlotBaseValue* capturedBase = m_out.lockedStackSlot(sizeOfCaptured);
257         m_captured = m_out.add(capturedBase, m_out.constIntPtr(sizeOfCaptured));
258         state->capturedValue = capturedBase->slot();
259
260         auto preOrder = m_graph.blocksInPreOrder();
261
262         m_callFrame = m_out.framePointer();
263         m_numberTag = m_out.constInt64(JSValue::NumberTag);
264         m_notCellMask = m_out.constInt64(JSValue::NotCellMask);
265
266         // Make sure that B3 knows that we really care about the mask registers. This forces the
267         // constants to be materialized in registers.
268         m_proc.addFastConstant(m_numberTag->key());
269         m_proc.addFastConstant(m_notCellMask->key());
270         
271         // We don't want the CodeBlock to have a weak pointer to itself because
272         // that would cause it to always get collected.
273         m_out.storePtr(m_out.constIntPtr(bitwise_cast<intptr_t>(codeBlock())), addressFor(CallFrameSlot::codeBlock));
274
275         VM* vm = &this->vm();
276
277         // Stack Overflow Check.
278         unsigned exitFrameSize = m_graph.requiredRegisterCountForExit() * sizeof(Register);
279         MacroAssembler::AbsoluteAddress addressOfStackLimit(vm->addressOfSoftStackLimit());
280         PatchpointValue* stackOverflowHandler = m_out.patchpoint(Void);
281         CallSiteIndex callSiteIndex = callSiteIndexForCodeOrigin(m_ftlState, CodeOrigin(0));
282         stackOverflowHandler->appendSomeRegister(m_callFrame);
283         stackOverflowHandler->clobber(RegisterSet::macroScratchRegisters());
284         stackOverflowHandler->numGPScratchRegisters = 1;
285         stackOverflowHandler->setGenerator(
286             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
287                 AllowMacroScratchRegisterUsage allowScratch(jit);
288                 GPRReg fp = params[0].gpr();
289                 GPRReg scratch = params.gpScratch(0);
290
291                 unsigned ftlFrameSize = params.proc().frameSize();
292                 unsigned maxFrameSize = std::max(exitFrameSize, ftlFrameSize);
293
294                 jit.addPtr(MacroAssembler::TrustedImm32(-maxFrameSize), fp, scratch);
295                 MacroAssembler::JumpList stackOverflow;
296                 if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
297                     stackOverflow.append(jit.branchPtr(MacroAssembler::Above, scratch, fp));
298                 stackOverflow.append(jit.branchPtr(MacroAssembler::Above, addressOfStackLimit, scratch));
299
300                 params.addLatePath([=] (CCallHelpers& jit) {
301                     AllowMacroScratchRegisterUsage allowScratch(jit);
302
303                     stackOverflow.link(&jit);
304                     
305                     // FIXME: We would not have to do this if the stack check was part of the Air
306                     // prologue. Then, we would know that there is no way for the callee-saves to
307                     // get clobbered.
308                     // https://bugs.webkit.org/show_bug.cgi?id=172456
309                     jit.emitRestore(params.proc().calleeSaveRegisterAtOffsetList());
310                     
311                     jit.store32(
312                         MacroAssembler::TrustedImm32(callSiteIndex.bits()),
313                         CCallHelpers::tagFor(VirtualRegister(CallFrameSlot::argumentCount)));
314                     jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(vm->topEntryFrame);
315
316                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
317                     jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()), GPRInfo::argumentGPR1);
318                     CCallHelpers::Call throwCall = jit.call(OperationPtrTag);
319
320                     jit.move(CCallHelpers::TrustedImmPtr(vm), GPRInfo::argumentGPR0);
321                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
322                     CCallHelpers::Call lookupExceptionHandlerCall = jit.call(OperationPtrTag);
323                     jit.jumpToExceptionHandler(*vm);
324
325                     jit.addLinkTask(
326                         [=] (LinkBuffer& linkBuffer) {
327                             linkBuffer.link(throwCall, FunctionPtr<OperationPtrTag>(operationThrowStackOverflowError));
328                             linkBuffer.link(lookupExceptionHandlerCall, FunctionPtr<OperationPtrTag>(lookupExceptionHandlerFromCallerFrame));
329                     });
330                 });
331             });
332
333         LBasicBlock firstDFGBasicBlock = lowBlock(m_graph.block(0));
334
335         {
336             if (hasMultipleEntrypoints) {
337                 Vector<LBasicBlock> successors(m_graph.m_numberOfEntrypoints);
338                 successors[0] = callEntrypointArgumentSpeculations;
339                 for (unsigned i = 1; i < m_graph.m_numberOfEntrypoints; ++i) {
340                     // Currently, the only other entrypoint is an op_catch entrypoint.
341                     // We do OSR entry at op_catch, and we prove argument formats before
342                     // jumping to FTL code, so we don't need to check argument types here
343                     // for these entrypoints.
344                     successors[i] = firstDFGBasicBlock;
345                 }
346                 
347                 m_out.entrySwitch(successors);
348                 m_out.appendTo(callEntrypointArgumentSpeculations, m_handleExceptions);
349             }
350
351             m_node = nullptr;
352             m_origin = NodeOrigin(CodeOrigin(0), CodeOrigin(0), true);
353
354             // Check Arguments.
355             availabilityMap().clear();
356             availabilityMap().m_locals = Operands<Availability>(codeBlock()->numParameters(), 0);
357             for (unsigned i = codeBlock()->numParameters(); i--;) {
358                 availabilityMap().m_locals.argument(i) =
359                     Availability(FlushedAt(FlushedJSValue, virtualRegisterForArgument(i)));
360             }
361
362             for (unsigned i = codeBlock()->numParameters(); i--;) {
363                 MethodOfGettingAValueProfile profile(&m_graph.m_profiledBlock->valueProfileForArgument(i));
364                 VirtualRegister operand = virtualRegisterForArgument(i);
365                 LValue jsValue = m_out.load64(addressFor(operand));
366                 
367                 switch (m_graph.m_argumentFormats[0][i]) {
368                 case FlushedInt32:
369                     speculate(BadType, jsValueValue(jsValue), profile, isNotInt32(jsValue));
370                     break;
371                 case FlushedBoolean:
372                     speculate(BadType, jsValueValue(jsValue), profile, isNotBoolean(jsValue));
373                     break;
374                 case FlushedCell:
375                     speculate(BadType, jsValueValue(jsValue), profile, isNotCell(jsValue));
376                     break;
377                 case FlushedJSValue:
378                     break;
379                 default:
380                     DFG_CRASH(m_graph, nullptr, "Bad flush format for argument");
381                     break;
382                 }
383             }
384             m_out.jump(firstDFGBasicBlock);
385         }
386
387
388         m_out.appendTo(m_handleExceptions, firstDFGBasicBlock);
389         Box<CCallHelpers::Label> exceptionHandler = state->exceptionHandler;
390         m_out.patchpoint(Void)->setGenerator(
391             [=] (CCallHelpers& jit, const StackmapGenerationParams&) {
392                 CCallHelpers::Jump jump = jit.jump();
393                 jit.addLinkTask(
394                     [=] (LinkBuffer& linkBuffer) {
395                         linkBuffer.link(jump, linkBuffer.locationOf<ExceptionHandlerPtrTag>(*exceptionHandler));
396                     });
397             });
398         m_out.unreachable();
399
400         for (DFG::BasicBlock* block : preOrder)
401             compileBlock(block);
402
403         // Make sure everything is decorated. This does a bunch of deferred decorating. This has
404         // to happen last because our abstract heaps are generated lazily. They have to be
405         // generated lazily because we have an infinite number of numbered, indexed, and
406         // absolute heaps. We only become aware of the ones we actually mention while lowering.
407         m_heaps.computeRangesAndDecorateInstructions();
408
409         // We create all Phi's up front, but we may then decide not to compile the basic block
410         // that would have contained one of them. So this creates orphans, which triggers B3
411         // validation failures. Calling this fixes the issue.
412         //
413         // Note that you should avoid the temptation to make this call conditional upon
414         // validation being enabled. B3 makes no guarantees of any kind of correctness when
415         // dealing with IR that would have failed validation. For example, it would be valid to
416         // write a B3 phase that so aggressively assumes the lack of orphans that it would crash
417         // if any orphans were around. We might even have such phases already.
418         m_proc.deleteOrphans();
419
420         // We put the blocks into the B3 procedure in a super weird order. Now we reorder them.
421         m_out.applyBlockOrder();
422     }
423
424 private:
425     
426     void createPhiVariables()
427     {
428         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
429             DFG::BasicBlock* block = m_graph.block(blockIndex);
430             if (!block)
431                 continue;
432             for (unsigned nodeIndex = block->size(); nodeIndex--;) {
433                 Node* node = block->at(nodeIndex);
434                 if (node->op() != DFG::Phi)
435                     continue;
436                 LType type;
437                 switch (node->flags() & NodeResultMask) {
438                 case NodeResultDouble:
439                     type = Double;
440                     break;
441                 case NodeResultInt32:
442                     type = Int32;
443                     break;
444                 case NodeResultInt52:
445                     type = Int64;
446                     break;
447                 case NodeResultBoolean:
448                     type = Int32;
449                     break;
450                 case NodeResultJS:
451                     type = Int64;
452                     break;
453                 default:
454                     DFG_CRASH(m_graph, node, "Bad Phi node result type");
455                     break;
456                 }
457                 m_phis.add(node, m_proc.add<Value>(B3::Phi, type, Origin(node)));
458             }
459         }
460     }
461     
462     void compileBlock(DFG::BasicBlock* block)
463     {
464         if (!block)
465             return;
466         
467         if (verboseCompilationEnabled())
468             dataLog("Compiling block ", *block, "\n");
469         
470         m_highBlock = block;
471         
472         // Make sure that any blocks created while lowering code in the high block have the frequency of
473         // the high block. This is appropriate because B3 doesn't need precise frequencies. It just needs
474         // something roughly approximate for things like register allocation.
475         m_out.setFrequency(m_highBlock->executionCount);
476         
477         LBasicBlock lowBlock = m_blocks.get(m_highBlock);
478         
479         m_nextHighBlock = 0;
480         for (BlockIndex nextBlockIndex = m_highBlock->index + 1; nextBlockIndex < m_graph.numBlocks(); ++nextBlockIndex) {
481             m_nextHighBlock = m_graph.block(nextBlockIndex);
482             if (m_nextHighBlock)
483                 break;
484         }
485         m_nextLowBlock = m_nextHighBlock ? m_blocks.get(m_nextHighBlock) : 0;
486         
487         // All of this effort to find the next block gives us the ability to keep the
488         // generated IR in roughly program order. This ought not affect the performance
489         // of the generated code (since we expect B3 to reorder things) but it will
490         // make IR dumps easier to read.
491         m_out.appendTo(lowBlock, m_nextLowBlock);
492         
493         if (Options::ftlCrashes())
494             m_out.trap();
495         
496         if (!m_highBlock->cfaHasVisited) {
497             if (verboseCompilationEnabled())
498                 dataLog("Bailing because CFA didn't reach.\n");
499             crash(m_highBlock, nullptr);
500             return;
501         }
502
503         m_aiCheckedNodes.clear();
504         
505         m_availabilityCalculator.beginBlock(m_highBlock);
506         
507         m_state.reset();
508         m_state.beginBasicBlock(m_highBlock);
509         
510         for (m_nodeIndex = 0; m_nodeIndex < m_highBlock->size(); ++m_nodeIndex) {
511             if (!compileNode(m_nodeIndex))
512                 break;
513         }
514     }
515
516     void safelyInvalidateAfterTermination()
517     {
518         if (verboseCompilationEnabled())
519             dataLog("Bailing.\n");
520         crash();
521
522         // Invalidate dominated blocks. Under normal circumstances we would expect
523         // them to be invalidated already. But you can have the CFA become more
524         // precise over time because the structures of objects change on the main
525         // thread. Failing to do this would result in weird crashes due to a value
526         // being used but not defined. Race conditions FTW!
527         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
528             DFG::BasicBlock* target = m_graph.block(blockIndex);
529             if (!target)
530                 continue;
531             if (m_graph.m_ssaDominators->dominates(m_highBlock, target)) {
532                 if (verboseCompilationEnabled())
533                     dataLog("Block ", *target, " will bail also.\n");
534                 target->cfaHasVisited = false;
535             }
536         }
537     }
538
539     void validateAIState(Node* node)
540     {
541         if (!m_graphDump) {
542             StringPrintStream out;
543             m_graph.dump(out);
544             m_graphDump = out.toString();
545         }
546
547         switch (node->op()) {
548         case MovHint:
549         case ZombieHint:
550         case JSConstant:
551         case LazyJSConstant:
552         case DoubleConstant:
553         case Int52Constant:
554         case GetStack:
555         case PutStack:
556         case KillStack:
557         case ExitOK:
558             return;
559         default:
560             break;
561         }
562
563         // Before we execute node.
564         NodeSet& live = m_liveInToNode.find(node)->value;
565         unsigned highParentIndex = node->index();
566         {
567             uint64_t hash = WTF::intHash(highParentIndex);
568             if (hash >= static_cast<uint64_t>((static_cast<double>(std::numeric_limits<unsigned>::max()) + 1) * Options::validateAbstractInterpreterStateProbability()))
569                 return;
570         }
571
572         for (Node* node : live) {
573             if (node->isPhantomAllocation())
574                 continue;
575
576             if (node->op() == CheckInBounds)
577                 continue;
578
579             AbstractValue value = m_interpreter.forNode(node);
580             {
581                 auto iter = m_aiCheckedNodes.find(node);
582                 if (iter != m_aiCheckedNodes.end()) {
583                     AbstractValue checkedValue = iter->value;
584                     if (checkedValue == value) {
585                         if (!(value.m_type & SpecCell))
586                             continue;
587                     }
588                 }
589                 m_aiCheckedNodes.set(node, value);
590             }
591
592             FlushFormat flushFormat;
593             LValue input;
594             if (node->hasJSResult()) {
595                 input = lowJSValue(Edge(node, UntypedUse));
596                 flushFormat = FlushedJSValue;
597             } else if (node->hasDoubleResult()) {
598                 input = lowDouble(Edge(node, DoubleRepUse));
599                 flushFormat = FlushedDouble;
600             } else if (node->hasInt52Result()) {
601                 input = strictInt52ToJSValue(lowStrictInt52(Edge(node, Int52RepUse)));
602                 flushFormat = FlushedInt52;
603             } else
604                 continue;
605
606             unsigned highChildIndex = node->index();
607
608             String graphDump = m_graphDump;
609
610             PatchpointValue* patchpoint = m_out.patchpoint(Void);
611             patchpoint->effects = Effects::none();
612             patchpoint->effects.writesLocalState = true;
613             patchpoint->appendSomeRegister(input);
614             patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
615                 GPRReg reg = InvalidGPRReg;
616                 FPRReg fpReg = InvalidFPRReg;
617                 if (flushFormat == FlushedDouble)
618                     fpReg = params[0].fpr();
619                 else
620                     reg = params[0].gpr();
621                 jit.probe([=] (Probe::Context& context) {
622                     JSValue input;
623                     double doubleInput;
624
625                     auto dumpAndCrash = [&] {
626                         dataLogLn("Validation failed at node: @", highParentIndex);
627                         dataLogLn("Failed validating live value: @", highChildIndex);
628                         dataLogLn();
629                         dataLogLn("Expected AI value = ", value);
630                         if (flushFormat != FlushedDouble)
631                             dataLogLn("Unexpected value = ", input);
632                         else
633                             dataLogLn("Unexpected double value = ", doubleInput);
634                         dataLogLn();
635                         dataLogLn(graphDump);
636                         CRASH();
637                     };
638
639                     if (flushFormat == FlushedDouble) {
640                         doubleInput = context.fpr(fpReg);
641                         SpeculatedType type;
642                         if (!std::isnan(doubleInput))
643                             type = speculationFromValue(jsDoubleNumber(doubleInput));
644                         else if (isImpureNaN(doubleInput))
645                             type = SpecDoubleImpureNaN;
646                         else
647                             type = SpecDoublePureNaN;
648
649                         if (!value.couldBeType(type))
650                             dumpAndCrash();
651                     } else {
652                         input = JSValue::decode(context.gpr(reg)); 
653                         if (flushFormat == FlushedInt52) {
654                             RELEASE_ASSERT(input.isAnyInt());
655                             input = jsDoubleNumber(input.asAnyInt());
656                         }
657                         if (!value.validateOSREntryValue(input, flushFormat))
658                             dumpAndCrash();
659                     }
660
661                 });
662             });
663         }
664     }
665
666     bool compileNode(unsigned nodeIndex)
667     {
668         if (!m_state.isValid()) {
669             safelyInvalidateAfterTermination();
670             return false;
671         }
672         
673         m_node = m_highBlock->at(nodeIndex);
674         m_origin = m_node->origin;
675         m_out.setOrigin(m_node);
676         
677         if (verboseCompilationEnabled())
678             dataLog("Lowering ", m_node, "\n");
679         
680         m_interpreter.startExecuting();
681         m_interpreter.executeKnownEdgeTypes(m_node);
682
683         if (Options::validateAbstractInterpreterState())
684             validateAIState(m_node);
685
686         if (validateDFGDoesGC) {
687             bool expectDoesGC = doesGC(m_graph, m_node);
688             m_out.store(m_out.constBool(expectDoesGC), m_out.absolute(vm().heap.addressOfExpectDoesGC()));
689         }
690
691         switch (m_node->op()) {
692         case DFG::Upsilon:
693             compileUpsilon();
694             break;
695         case DFG::Phi:
696             compilePhi();
697             break;
698         case JSConstant:
699             break;
700         case DoubleConstant:
701             compileDoubleConstant();
702             break;
703         case Int52Constant:
704             compileInt52Constant();
705             break;
706         case LazyJSConstant:
707             compileLazyJSConstant();
708             break;
709         case DoubleRep:
710             compileDoubleRep();
711             break;
712         case DoubleAsInt32:
713             compileDoubleAsInt32();
714             break;
715         case DFG::ValueRep:
716             compileValueRep();
717             break;
718         case Int52Rep:
719             compileInt52Rep();
720             break;
721         case ValueToInt32:
722             compileValueToInt32();
723             break;
724         case BooleanToNumber:
725             compileBooleanToNumber();
726             break;
727         case ExtractOSREntryLocal:
728             compileExtractOSREntryLocal();
729             break;
730         case ExtractCatchLocal:
731             compileExtractCatchLocal();
732             break;
733         case ClearCatchLocals:
734             compileClearCatchLocals();
735             break;
736         case GetStack:
737             compileGetStack();
738             break;
739         case PutStack:
740             compilePutStack();
741             break;
742         case DFG::Check:
743         case CheckVarargs:
744             compileNoOp();
745             break;
746         case ToObject:
747         case CallObjectConstructor:
748             compileToObjectOrCallObjectConstructor();
749             break;
750         case ToThis:
751             compileToThis();
752             break;
753         case ValueNegate:
754             compileValueNegate();
755             break;
756         case ValueAdd:
757             compileValueAdd();
758             break;
759         case ValueSub:
760             compileValueSub();
761             break;
762         case ValueMul:
763             compileValueMul();
764             break;
765         case StrCat:
766             compileStrCat();
767             break;
768         case ArithAdd:
769         case ArithSub:
770             compileArithAddOrSub();
771             break;
772         case ArithClz32:
773             compileArithClz32();
774             break;
775         case ArithMul:
776             compileArithMul();
777             break;
778         case ValueDiv:
779             compileValueDiv();
780             break;
781         case ArithDiv:
782             compileArithDiv();
783             break;
784         case ValueMod:
785             compileValueMod();
786             break;
787         case ArithMod:
788             compileArithMod();
789             break;
790         case ArithMin:
791         case ArithMax:
792             compileArithMinOrMax();
793             break;
794         case ArithAbs:
795             compileArithAbs();
796             break;
797         case ValuePow:
798             compileValuePow();
799             break;
800         case ArithPow:
801             compileArithPow();
802             break;
803         case ArithRandom:
804             compileArithRandom();
805             break;
806         case ArithRound:
807             compileArithRound();
808             break;
809         case ArithFloor:
810             compileArithFloor();
811             break;
812         case ArithCeil:
813             compileArithCeil();
814             break;
815         case ArithTrunc:
816             compileArithTrunc();
817             break;
818         case ArithSqrt:
819             compileArithSqrt();
820             break;
821         case ArithFRound:
822             compileArithFRound();
823             break;
824         case ArithNegate:
825             compileArithNegate();
826             break;
827         case ArithUnary:
828             compileArithUnary();
829             break;
830         case ValueBitNot:
831             compileValueBitNot();
832             break;
833         case ArithBitNot:
834             compileArithBitNot();
835             break;
836         case ValueBitAnd:
837             compileValueBitAnd();
838             break;
839         case ArithBitAnd:
840             compileArithBitAnd();
841             break;
842         case ValueBitOr:
843             compileValueBitOr();
844             break;
845         case ArithBitOr:
846             compileArithBitOr();
847             break;
848         case ArithBitXor:
849             compileArithBitXor();
850             break;
851         case ValueBitXor:
852             compileValueBitXor();
853             break;
854         case ValueBitRShift:
855             compileValueBitRShift();
856             break;
857         case ArithBitRShift:
858             compileArithBitRShift();
859             break;
860         case ArithBitLShift:
861             compileArithBitLShift();
862             break;
863         case ValueBitLShift:
864             compileValueBitLShift();
865             break;
866         case BitURShift:
867             compileBitURShift();
868             break;
869         case UInt32ToNumber:
870             compileUInt32ToNumber();
871             break;
872         case CheckStructure:
873             compileCheckStructure();
874             break;
875         case CheckStructureOrEmpty:
876             compileCheckStructureOrEmpty();
877             break;
878         case CheckCell:
879             compileCheckCell();
880             break;
881         case CheckNotEmpty:
882             compileCheckNotEmpty();
883             break;
884         case AssertNotEmpty:
885             compileAssertNotEmpty();
886             break;
887         case CheckBadCell:
888             compileCheckBadCell();
889             break;
890         case CheckStringIdent:
891             compileCheckStringIdent();
892             break;
893         case GetExecutable:
894             compileGetExecutable();
895             break;
896         case Arrayify:
897         case ArrayifyToStructure:
898             compileArrayify();
899             break;
900         case PutStructure:
901             compilePutStructure();
902             break;
903         case TryGetById:
904             compileGetById(AccessType::TryGet);
905             break;
906         case GetById:
907         case GetByIdFlush:
908             compileGetById(AccessType::Get);
909             break;
910         case GetByIdWithThis:
911             compileGetByIdWithThis();
912             break;
913         case GetByIdDirect:
914         case GetByIdDirectFlush:
915             compileGetById(AccessType::GetDirect);
916             break;
917         case InById:
918             compileInById();
919             break;
920         case InByVal:
921             compileInByVal();
922             break;
923         case HasOwnProperty:
924             compileHasOwnProperty();
925             break;
926         case PutById:
927         case PutByIdDirect:
928         case PutByIdFlush:
929             compilePutById();
930             break;
931         case PutByIdWithThis:
932             compilePutByIdWithThis();
933             break;
934         case PutGetterById:
935         case PutSetterById:
936             compilePutAccessorById();
937             break;
938         case PutGetterSetterById:
939             compilePutGetterSetterById();
940             break;
941         case PutGetterByVal:
942         case PutSetterByVal:
943             compilePutAccessorByVal();
944             break;
945         case DeleteById:
946             compileDeleteById();
947             break;
948         case DeleteByVal:
949             compileDeleteByVal();
950             break;
951         case GetButterfly:
952             compileGetButterfly();
953             break;
954         case ConstantStoragePointer:
955             compileConstantStoragePointer();
956             break;
957         case GetIndexedPropertyStorage:
958             compileGetIndexedPropertyStorage();
959             break;
960         case CheckArray:
961             compileCheckArray();
962             break;
963         case GetArrayLength:
964             compileGetArrayLength();
965             break;
966         case GetVectorLength:
967             compileGetVectorLength();
968             break;
969         case CheckInBounds:
970             compileCheckInBounds();
971             break;
972         case GetByVal:
973             compileGetByVal();
974             break;
975         case GetMyArgumentByVal:
976         case GetMyArgumentByValOutOfBounds:
977             compileGetMyArgumentByVal();
978             break;
979         case GetByValWithThis:
980             compileGetByValWithThis();
981             break;
982         case PutByVal:
983         case PutByValAlias:
984         case PutByValDirect:
985             compilePutByVal();
986             break;
987         case PutByValWithThis:
988             compilePutByValWithThis();
989             break;
990         case AtomicsAdd:
991         case AtomicsAnd:
992         case AtomicsCompareExchange:
993         case AtomicsExchange:
994         case AtomicsLoad:
995         case AtomicsOr:
996         case AtomicsStore:
997         case AtomicsSub:
998         case AtomicsXor:
999             compileAtomicsReadModifyWrite();
1000             break;
1001         case AtomicsIsLockFree:
1002             compileAtomicsIsLockFree();
1003             break;
1004         case DefineDataProperty:
1005             compileDefineDataProperty();
1006             break;
1007         case DefineAccessorProperty:
1008             compileDefineAccessorProperty();
1009             break;
1010         case ArrayPush:
1011             compileArrayPush();
1012             break;
1013         case ArrayPop:
1014             compileArrayPop();
1015             break;
1016         case ArraySlice:
1017             compileArraySlice();
1018             break;
1019         case ArrayIndexOf:
1020             compileArrayIndexOf();
1021             break;
1022         case CreateActivation:
1023             compileCreateActivation();
1024             break;
1025         case PushWithScope:
1026             compilePushWithScope();
1027             break;
1028         case NewFunction:
1029         case NewGeneratorFunction:
1030         case NewAsyncGeneratorFunction:
1031         case NewAsyncFunction:
1032             compileNewFunction();
1033             break;
1034         case CreateDirectArguments:
1035             compileCreateDirectArguments();
1036             break;
1037         case CreateScopedArguments:
1038             compileCreateScopedArguments();
1039             break;
1040         case CreateClonedArguments:
1041             compileCreateClonedArguments();
1042             break;
1043         case ObjectCreate:
1044             compileObjectCreate();
1045             break;
1046         case ObjectKeys:
1047             compileObjectKeys();
1048             break;
1049         case NewObject:
1050             compileNewObject();
1051             break;
1052         case NewPromise:
1053             compileNewPromise();
1054             break;
1055         case NewGenerator:
1056             compileNewGenerator();
1057             break;
1058         case NewStringObject:
1059             compileNewStringObject();
1060             break;
1061         case NewSymbol:
1062             compileNewSymbol();
1063             break;
1064         case NewArray:
1065             compileNewArray();
1066             break;
1067         case NewArrayWithSpread:
1068             compileNewArrayWithSpread();
1069             break;
1070         case CreateThis:
1071             compileCreateThis();
1072             break;
1073         case CreatePromise:
1074             compileCreatePromise();
1075             break;
1076         case CreateGenerator:
1077             compileCreateGenerator();
1078             break;
1079         case Spread:
1080             compileSpread();
1081             break;
1082         case NewArrayBuffer:
1083             compileNewArrayBuffer();
1084             break;
1085         case NewArrayWithSize:
1086             compileNewArrayWithSize();
1087             break;
1088         case NewTypedArray:
1089             compileNewTypedArray();
1090             break;
1091         case GetTypedArrayByteOffset:
1092             compileGetTypedArrayByteOffset();
1093             break;
1094         case GetPrototypeOf:
1095             compileGetPrototypeOf();
1096             break;
1097         case AllocatePropertyStorage:
1098             compileAllocatePropertyStorage();
1099             break;
1100         case ReallocatePropertyStorage:
1101             compileReallocatePropertyStorage();
1102             break;
1103         case NukeStructureAndSetButterfly:
1104             compileNukeStructureAndSetButterfly();
1105             break;
1106         case ToNumber:
1107             compileToNumber();
1108             break;
1109         case ToString:
1110         case CallStringConstructor:
1111         case StringValueOf:
1112             compileToStringOrCallStringConstructorOrStringValueOf();
1113             break;
1114         case ToPrimitive:
1115             compileToPrimitive();
1116             break;
1117         case MakeRope:
1118             compileMakeRope();
1119             break;
1120         case StringCharAt:
1121             compileStringCharAt();
1122             break;
1123         case StringCharCodeAt:
1124             compileStringCharCodeAt();
1125             break;
1126         case StringCodePointAt:
1127             compileStringCodePointAt();
1128             break;
1129         case StringFromCharCode:
1130             compileStringFromCharCode();
1131             break;
1132         case GetByOffset:
1133         case GetGetterSetterByOffset:
1134             compileGetByOffset();
1135             break;
1136         case GetGetter:
1137             compileGetGetter();
1138             break;
1139         case GetSetter:
1140             compileGetSetter();
1141             break;
1142         case MultiGetByOffset:
1143             compileMultiGetByOffset();
1144             break;
1145         case PutByOffset:
1146             compilePutByOffset();
1147             break;
1148         case MultiPutByOffset:
1149             compileMultiPutByOffset();
1150             break;
1151         case MatchStructure:
1152             compileMatchStructure();
1153             break;
1154         case GetGlobalVar:
1155         case GetGlobalLexicalVariable:
1156             compileGetGlobalVariable();
1157             break;
1158         case PutGlobalVariable:
1159             compilePutGlobalVariable();
1160             break;
1161         case NotifyWrite:
1162             compileNotifyWrite();
1163             break;
1164         case GetCallee:
1165             compileGetCallee();
1166             break;
1167         case SetCallee:
1168             compileSetCallee();
1169             break;
1170         case GetArgumentCountIncludingThis:
1171             compileGetArgumentCountIncludingThis();
1172             break;
1173         case SetArgumentCountIncludingThis:
1174             compileSetArgumentCountIncludingThis();
1175             break;
1176         case GetScope:
1177             compileGetScope();
1178             break;
1179         case SkipScope:
1180             compileSkipScope();
1181             break;
1182         case GetGlobalObject:
1183             compileGetGlobalObject();
1184             break;
1185         case GetGlobalThis:
1186             compileGetGlobalThis();
1187             break;
1188         case GetClosureVar:
1189             compileGetClosureVar();
1190             break;
1191         case PutClosureVar:
1192             compilePutClosureVar();
1193             break;
1194         case GetInternalField:
1195             compileGetInternalField();
1196             break;
1197         case PutInternalField:
1198             compilePutInternalField();
1199             break;
1200         case GetFromArguments:
1201             compileGetFromArguments();
1202             break;
1203         case PutToArguments:
1204             compilePutToArguments();
1205             break;
1206         case GetArgument:
1207             compileGetArgument();
1208             break;
1209         case CompareEq:
1210             compileCompareEq();
1211             break;
1212         case CompareStrictEq:
1213             compileCompareStrictEq();
1214             break;
1215         case CompareLess:
1216             compileCompareLess();
1217             break;
1218         case CompareLessEq:
1219             compileCompareLessEq();
1220             break;
1221         case CompareGreater:
1222             compileCompareGreater();
1223             break;
1224         case CompareGreaterEq:
1225             compileCompareGreaterEq();
1226             break;
1227         case CompareBelow:
1228             compileCompareBelow();
1229             break;
1230         case CompareBelowEq:
1231             compileCompareBelowEq();
1232             break;
1233         case CompareEqPtr:
1234             compileCompareEqPtr();
1235             break;
1236         case SameValue:
1237             compileSameValue();
1238             break;
1239         case LogicalNot:
1240             compileLogicalNot();
1241             break;
1242         case Call:
1243         case TailCallInlinedCaller:
1244         case Construct:
1245             compileCallOrConstruct();
1246             break;
1247         case DirectCall:
1248         case DirectTailCallInlinedCaller:
1249         case DirectConstruct:
1250         case DirectTailCall:
1251             compileDirectCallOrConstruct();
1252             break;
1253         case TailCall:
1254             compileTailCall();
1255             break;
1256         case CallVarargs:
1257         case CallForwardVarargs:
1258         case TailCallVarargs:
1259         case TailCallVarargsInlinedCaller:
1260         case TailCallForwardVarargs:
1261         case TailCallForwardVarargsInlinedCaller:
1262         case ConstructVarargs:
1263         case ConstructForwardVarargs:
1264             compileCallOrConstructVarargs();
1265             break;
1266         case CallEval:
1267             compileCallEval();
1268             break;
1269         case LoadVarargs:
1270             compileLoadVarargs();
1271             break;
1272         case ForwardVarargs:
1273             compileForwardVarargs();
1274             break;
1275         case DFG::Jump:
1276             compileJump();
1277             break;
1278         case DFG::Branch:
1279             compileBranch();
1280             break;
1281         case DFG::Switch:
1282             compileSwitch();
1283             break;
1284         case DFG::EntrySwitch:
1285             compileEntrySwitch();
1286             break;
1287         case DFG::Return:
1288             compileReturn();
1289             break;
1290         case ForceOSRExit:
1291             compileForceOSRExit();
1292             break;
1293         case CPUIntrinsic:
1294 #if CPU(X86_64)
1295             compileCPUIntrinsic();
1296 #else
1297             RELEASE_ASSERT_NOT_REACHED();
1298 #endif
1299             break;
1300         case Throw:
1301             compileThrow();
1302             break;
1303         case ThrowStaticError:
1304             compileThrowStaticError();
1305             break;
1306         case InvalidationPoint:
1307             compileInvalidationPoint();
1308             break;
1309         case IsEmpty:
1310             compileIsEmpty();
1311             break;
1312         case IsUndefined:
1313             compileIsUndefined();
1314             break;
1315         case IsUndefinedOrNull:
1316             compileIsUndefinedOrNull();
1317             break;
1318         case IsBoolean:
1319             compileIsBoolean();
1320             break;
1321         case IsNumber:
1322             compileIsNumber();
1323             break;
1324         case NumberIsInteger:
1325             compileNumberIsInteger();
1326             break;
1327         case IsCellWithType:
1328             compileIsCellWithType();
1329             break;
1330         case MapHash:
1331             compileMapHash();
1332             break;
1333         case NormalizeMapKey:
1334             compileNormalizeMapKey();
1335             break;
1336         case GetMapBucket:
1337             compileGetMapBucket();
1338             break;
1339         case GetMapBucketHead:
1340             compileGetMapBucketHead();
1341             break;
1342         case GetMapBucketNext:
1343             compileGetMapBucketNext();
1344             break;
1345         case LoadKeyFromMapBucket:
1346             compileLoadKeyFromMapBucket();
1347             break;
1348         case LoadValueFromMapBucket:
1349             compileLoadValueFromMapBucket();
1350             break;
1351         case ExtractValueFromWeakMapGet:
1352             compileExtractValueFromWeakMapGet();
1353             break;
1354         case SetAdd:
1355             compileSetAdd();
1356             break;
1357         case MapSet:
1358             compileMapSet();
1359             break;
1360         case WeakMapGet:
1361             compileWeakMapGet();
1362             break;
1363         case WeakSetAdd:
1364             compileWeakSetAdd();
1365             break;
1366         case WeakMapSet:
1367             compileWeakMapSet();
1368             break;
1369         case IsObject:
1370             compileIsObject();
1371             break;
1372         case IsObjectOrNull:
1373             compileIsObjectOrNull();
1374             break;
1375         case IsFunction:
1376             compileIsFunction();
1377             break;
1378         case IsTypedArrayView:
1379             compileIsTypedArrayView();
1380             break;
1381         case ParseInt:
1382             compileParseInt();
1383             break;
1384         case TypeOf:
1385             compileTypeOf();
1386             break;
1387         case CheckTypeInfoFlags:
1388             compileCheckTypeInfoFlags();
1389             break;
1390         case OverridesHasInstance:
1391             compileOverridesHasInstance();
1392             break;
1393         case InstanceOf:
1394             compileInstanceOf();
1395             break;
1396         case InstanceOfCustom:
1397             compileInstanceOfCustom();
1398             break;
1399         case CountExecution:
1400             compileCountExecution();
1401             break;
1402         case SuperSamplerBegin:
1403             compileSuperSamplerBegin();
1404             break;
1405         case SuperSamplerEnd:
1406             compileSuperSamplerEnd();
1407             break;
1408         case StoreBarrier:
1409         case FencedStoreBarrier:
1410             compileStoreBarrier();
1411             break;
1412         case HasIndexedProperty:
1413             compileHasIndexedProperty();
1414             break;
1415         case HasGenericProperty:
1416             compileHasGenericProperty();
1417             break;
1418         case HasStructureProperty:
1419             compileHasStructureProperty();
1420             break;
1421         case GetDirectPname:
1422             compileGetDirectPname();
1423             break;
1424         case GetEnumerableLength:
1425             compileGetEnumerableLength();
1426             break;
1427         case GetPropertyEnumerator:
1428             compileGetPropertyEnumerator();
1429             break;
1430         case GetEnumeratorStructurePname:
1431             compileGetEnumeratorStructurePname();
1432             break;
1433         case GetEnumeratorGenericPname:
1434             compileGetEnumeratorGenericPname();
1435             break;
1436         case ToIndexString:
1437             compileToIndexString();
1438             break;
1439         case CheckStructureImmediate:
1440             compileCheckStructureImmediate();
1441             break;
1442         case MaterializeNewObject:
1443             compileMaterializeNewObject();
1444             break;
1445         case MaterializeCreateActivation:
1446             compileMaterializeCreateActivation();
1447             break;
1448         case CheckTraps:
1449             compileCheckTraps();
1450             break;
1451         case CreateRest:
1452             compileCreateRest();
1453             break;
1454         case GetRestLength:
1455             compileGetRestLength();
1456             break;
1457         case RegExpExec:
1458             compileRegExpExec();
1459             break;
1460         case RegExpExecNonGlobalOrSticky:
1461             compileRegExpExecNonGlobalOrSticky();
1462             break;
1463         case RegExpTest:
1464             compileRegExpTest();
1465             break;
1466         case RegExpMatchFast:
1467             compileRegExpMatchFast();
1468             break;
1469         case RegExpMatchFastGlobal:
1470             compileRegExpMatchFastGlobal();
1471             break;
1472         case NewRegexp:
1473             compileNewRegexp();
1474             break;
1475         case SetFunctionName:
1476             compileSetFunctionName();
1477             break;
1478         case StringReplace:
1479         case StringReplaceRegExp:
1480             compileStringReplace();
1481             break;
1482         case GetRegExpObjectLastIndex:
1483             compileGetRegExpObjectLastIndex();
1484             break;
1485         case SetRegExpObjectLastIndex:
1486             compileSetRegExpObjectLastIndex();
1487             break;
1488         case LogShadowChickenPrologue:
1489             compileLogShadowChickenPrologue();
1490             break;
1491         case LogShadowChickenTail:
1492             compileLogShadowChickenTail();
1493             break;
1494         case RecordRegExpCachedResult:
1495             compileRecordRegExpCachedResult();
1496             break;
1497         case ResolveScopeForHoistingFuncDeclInEval:
1498             compileResolveScopeForHoistingFuncDeclInEval();
1499             break;
1500         case ResolveScope:
1501             compileResolveScope();
1502             break;
1503         case GetDynamicVar:
1504             compileGetDynamicVar();
1505             break;
1506         case PutDynamicVar:
1507             compilePutDynamicVar();
1508             break;
1509         case Unreachable:
1510             compileUnreachable();
1511             break;
1512         case StringSlice:
1513             compileStringSlice();
1514             break;
1515         case ToLowerCase:
1516             compileToLowerCase();
1517             break;
1518         case NumberToStringWithRadix:
1519             compileNumberToStringWithRadix();
1520             break;
1521         case NumberToStringWithValidRadixConstant:
1522             compileNumberToStringWithValidRadixConstant();
1523             break;
1524         case CheckSubClass:
1525             compileCheckSubClass();
1526             break;
1527         case CallDOM:
1528             compileCallDOM();
1529             break;
1530         case CallDOMGetter:
1531             compileCallDOMGetter();
1532             break;
1533         case FilterCallLinkStatus:
1534         case FilterGetByIdStatus:
1535         case FilterPutByIdStatus:
1536         case FilterInByIdStatus:
1537             compileFilterICStatus();
1538             break;
1539         case DataViewGetInt:
1540         case DataViewGetFloat:
1541             compileDataViewGet();
1542             break;
1543         case DataViewSet:
1544             compileDataViewSet();
1545             break;
1546
1547         case PhantomLocal:
1548         case LoopHint:
1549         case MovHint:
1550         case ZombieHint:
1551         case ExitOK:
1552         case PhantomNewObject:
1553         case PhantomNewFunction:
1554         case PhantomNewGeneratorFunction:
1555         case PhantomNewAsyncGeneratorFunction:
1556         case PhantomNewAsyncFunction:
1557         case PhantomCreateActivation:
1558         case PhantomDirectArguments:
1559         case PhantomCreateRest:
1560         case PhantomSpread:
1561         case PhantomNewArrayWithSpread:
1562         case PhantomNewArrayBuffer:
1563         case PhantomClonedArguments:
1564         case PhantomNewRegexp:
1565         case PutHint:
1566         case BottomValue:
1567         case KillStack:
1568         case InitializeEntrypointArguments:
1569             break;
1570         default:
1571             DFG_CRASH(m_graph, m_node, "Unrecognized node in FTL backend");
1572             break;
1573         }
1574         
1575         if (m_node->isTerminal())
1576             return false;
1577         
1578         if (!m_state.isValid()) {
1579             safelyInvalidateAfterTermination();
1580             return false;
1581         }
1582
1583         m_availabilityCalculator.executeNode(m_node);
1584         m_interpreter.executeEffects(nodeIndex);
1585         
1586         return true;
1587     }
1588
1589     void compileUpsilon()
1590     {
1591         LValue upsilonValue = nullptr;
1592         switch (m_node->child1().useKind()) {
1593         case DoubleRepUse:
1594             upsilonValue = lowDouble(m_node->child1());
1595             break;
1596         case Int32Use:
1597         case KnownInt32Use:
1598             upsilonValue = lowInt32(m_node->child1());
1599             break;
1600         case Int52RepUse:
1601             upsilonValue = lowInt52(m_node->child1());
1602             break;
1603         case BooleanUse:
1604         case KnownBooleanUse:
1605             upsilonValue = lowBoolean(m_node->child1());
1606             break;
1607         case CellUse:
1608         case KnownCellUse:
1609             upsilonValue = lowCell(m_node->child1());
1610             break;
1611         case UntypedUse:
1612             upsilonValue = lowJSValue(m_node->child1());
1613             break;
1614         default:
1615             DFG_CRASH(m_graph, m_node, "Bad use kind");
1616             break;
1617         }
1618         ValueFromBlock upsilon = m_out.anchor(upsilonValue);
1619         LValue phiNode = m_phis.get(m_node->phi());
1620         m_out.addIncomingToPhi(phiNode, upsilon);
1621     }
1622     
1623     void compilePhi()
1624     {
1625         LValue phi = m_phis.get(m_node);
1626         m_out.m_block->append(phi);
1627
1628         switch (m_node->flags() & NodeResultMask) {
1629         case NodeResultDouble:
1630             setDouble(phi);
1631             break;
1632         case NodeResultInt32:
1633             setInt32(phi);
1634             break;
1635         case NodeResultInt52:
1636             setInt52(phi);
1637             break;
1638         case NodeResultBoolean:
1639             setBoolean(phi);
1640             break;
1641         case NodeResultJS:
1642             setJSValue(phi);
1643             break;
1644         default:
1645             DFG_CRASH(m_graph, m_node, "Bad result type");
1646             break;
1647         }
1648     }
1649     
1650     void compileDoubleConstant()
1651     {
1652         setDouble(m_out.constDouble(m_node->asNumber()));
1653     }
1654     
1655     void compileInt52Constant()
1656     {
1657         int64_t value = m_node->asAnyInt();
1658         
1659         setInt52(m_out.constInt64(value << JSValue::int52ShiftAmount));
1660         setStrictInt52(m_out.constInt64(value));
1661     }
1662
1663     void compileLazyJSConstant()
1664     {
1665         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
1666         LazyJSValue value = m_node->lazyJSValue();
1667         patchpoint->setGenerator(
1668             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
1669                 value.emit(jit, JSValueRegs(params[0].gpr()));
1670             });
1671         patchpoint->effects = Effects::none();
1672         setJSValue(patchpoint);
1673     }
1674
1675     void compileDoubleRep()
1676     {
1677         switch (m_node->child1().useKind()) {
1678         case RealNumberUse: {
1679             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1680             
1681             LValue doubleValue = unboxDouble(value);
1682             
1683             LBasicBlock intCase = m_out.newBlock();
1684             LBasicBlock continuation = m_out.newBlock();
1685             
1686             ValueFromBlock fastResult = m_out.anchor(doubleValue);
1687             m_out.branch(
1688                 m_out.doubleEqual(doubleValue, doubleValue),
1689                 usually(continuation), rarely(intCase));
1690             
1691             LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
1692
1693             FTL_TYPE_CHECK(
1694                 jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
1695                 isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
1696             ValueFromBlock slowResult = m_out.anchor(m_out.intToDouble(unboxInt32(value)));
1697             m_out.jump(continuation);
1698             
1699             m_out.appendTo(continuation, lastNext);
1700             
1701             setDouble(m_out.phi(Double, fastResult, slowResult));
1702             return;
1703         }
1704             
1705         case NotCellUse:
1706         case NumberUse: {
1707             bool shouldConvertNonNumber = m_node->child1().useKind() == NotCellUse;
1708             
1709             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1710
1711             LBasicBlock intCase = m_out.newBlock();
1712             LBasicBlock doubleTesting = m_out.newBlock();
1713             LBasicBlock doubleCase = m_out.newBlock();
1714             LBasicBlock nonDoubleCase = m_out.newBlock();
1715             LBasicBlock continuation = m_out.newBlock();
1716             
1717             m_out.branch(
1718                 isNotInt32(value, provenType(m_node->child1())),
1719                 unsure(doubleTesting), unsure(intCase));
1720             
1721             LBasicBlock lastNext = m_out.appendTo(intCase, doubleTesting);
1722             
1723             ValueFromBlock intToDouble = m_out.anchor(
1724                 m_out.intToDouble(unboxInt32(value)));
1725             m_out.jump(continuation);
1726             
1727             m_out.appendTo(doubleTesting, doubleCase);
1728             LValue valueIsNumber = isNumber(value, provenType(m_node->child1()));
1729             m_out.branch(valueIsNumber, usually(doubleCase), rarely(nonDoubleCase));
1730
1731             m_out.appendTo(doubleCase, nonDoubleCase);
1732             ValueFromBlock unboxedDouble = m_out.anchor(unboxDouble(value));
1733             m_out.jump(continuation);
1734
1735             if (shouldConvertNonNumber) {
1736                 LBasicBlock undefinedCase = m_out.newBlock();
1737                 LBasicBlock testNullCase = m_out.newBlock();
1738                 LBasicBlock nullCase = m_out.newBlock();
1739                 LBasicBlock testBooleanTrueCase = m_out.newBlock();
1740                 LBasicBlock convertBooleanTrueCase = m_out.newBlock();
1741                 LBasicBlock convertBooleanFalseCase = m_out.newBlock();
1742
1743                 m_out.appendTo(nonDoubleCase, undefinedCase);
1744                 LValue valueIsUndefined = m_out.equal(value, m_out.constInt64(JSValue::ValueUndefined));
1745                 m_out.branch(valueIsUndefined, unsure(undefinedCase), unsure(testNullCase));
1746
1747                 m_out.appendTo(undefinedCase, testNullCase);
1748                 ValueFromBlock convertedUndefined = m_out.anchor(m_out.constDouble(PNaN));
1749                 m_out.jump(continuation);
1750
1751                 m_out.appendTo(testNullCase, nullCase);
1752                 LValue valueIsNull = m_out.equal(value, m_out.constInt64(JSValue::ValueNull));
1753                 m_out.branch(valueIsNull, unsure(nullCase), unsure(testBooleanTrueCase));
1754
1755                 m_out.appendTo(nullCase, testBooleanTrueCase);
1756                 ValueFromBlock convertedNull = m_out.anchor(m_out.constDouble(0));
1757                 m_out.jump(continuation);
1758
1759                 m_out.appendTo(testBooleanTrueCase, convertBooleanTrueCase);
1760                 LValue valueIsBooleanTrue = m_out.equal(value, m_out.constInt64(JSValue::ValueTrue));
1761                 m_out.branch(valueIsBooleanTrue, unsure(convertBooleanTrueCase), unsure(convertBooleanFalseCase));
1762
1763                 m_out.appendTo(convertBooleanTrueCase, convertBooleanFalseCase);
1764                 ValueFromBlock convertedTrue = m_out.anchor(m_out.constDouble(1));
1765                 m_out.jump(continuation);
1766
1767                 m_out.appendTo(convertBooleanFalseCase, continuation);
1768
1769                 LValue valueIsNotBooleanFalse = m_out.notEqual(value, m_out.constInt64(JSValue::ValueFalse));
1770                 FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), ~SpecCellCheck, valueIsNotBooleanFalse);
1771                 ValueFromBlock convertedFalse = m_out.anchor(m_out.constDouble(0));
1772                 m_out.jump(continuation);
1773
1774                 m_out.appendTo(continuation, lastNext);
1775                 setDouble(m_out.phi(Double, intToDouble, unboxedDouble, convertedUndefined, convertedNull, convertedTrue, convertedFalse));
1776                 return;
1777             }
1778             m_out.appendTo(nonDoubleCase, continuation);
1779             FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), SpecBytecodeNumber, m_out.booleanTrue);
1780             m_out.unreachable();
1781
1782             m_out.appendTo(continuation, lastNext);
1783
1784             setDouble(m_out.phi(Double, intToDouble, unboxedDouble));
1785             return;
1786         }
1787             
1788         case Int52RepUse: {
1789             setDouble(strictInt52ToDouble(lowStrictInt52(m_node->child1())));
1790             return;
1791         }
1792             
1793         default:
1794             DFG_CRASH(m_graph, m_node, "Bad use kind");
1795         }
1796     }
1797
1798     void compileDoubleAsInt32()
1799     {
1800         LValue integerValue = convertDoubleToInt32(lowDouble(m_node->child1()), shouldCheckNegativeZero(m_node->arithMode()));
1801         setInt32(integerValue);
1802     }
1803
1804     void compileValueRep()
1805     {
1806         switch (m_node->child1().useKind()) {
1807         case DoubleRepUse: {
1808             LValue value = lowDouble(m_node->child1());
1809             
1810             if (m_interpreter.needsTypeCheck(m_node->child1(), ~SpecDoubleImpureNaN)) {
1811                 value = m_out.select(
1812                     m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN));
1813             }
1814             
1815             setJSValue(boxDouble(value));
1816             return;
1817         }
1818             
1819         case Int52RepUse: {
1820             setJSValue(strictInt52ToJSValue(lowStrictInt52(m_node->child1())));
1821             return;
1822         }
1823             
1824         default:
1825             DFG_CRASH(m_graph, m_node, "Bad use kind");
1826         }
1827     }
1828     
1829     void compileInt52Rep()
1830     {
1831         switch (m_node->child1().useKind()) {
1832         case Int32Use:
1833             setStrictInt52(m_out.signExt32To64(lowInt32(m_node->child1())));
1834             return;
1835             
1836         case AnyIntUse:
1837             setStrictInt52(
1838                 jsValueToStrictInt52(
1839                     m_node->child1(), lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1840             return;
1841             
1842         case DoubleRepAnyIntUse:
1843             setStrictInt52(
1844                 doubleToStrictInt52(
1845                     m_node->child1(), lowDouble(m_node->child1())));
1846             return;
1847             
1848         default:
1849             RELEASE_ASSERT_NOT_REACHED();
1850         }
1851     }
1852     
1853     void compileValueToInt32()
1854     {
1855         switch (m_node->child1().useKind()) {
1856         case Int52RepUse:
1857             setInt32(m_out.castToInt32(lowStrictInt52(m_node->child1())));
1858             break;
1859             
1860         case DoubleRepUse:
1861             setInt32(doubleToInt32(lowDouble(m_node->child1())));
1862             break;
1863             
1864         case NumberUse:
1865         case NotCellUse: {
1866             LoweredNodeValue value = m_int32Values.get(m_node->child1().node());
1867             if (isValid(value)) {
1868                 setInt32(value.value());
1869                 break;
1870             }
1871             
1872             value = m_jsValueValues.get(m_node->child1().node());
1873             if (isValid(value)) {
1874                 setInt32(numberOrNotCellToInt32(m_node->child1(), value.value()));
1875                 break;
1876             }
1877             
1878             // We'll basically just get here for constants. But it's good to have this
1879             // catch-all since we often add new representations into the mix.
1880             setInt32(
1881                 numberOrNotCellToInt32(
1882                     m_node->child1(),
1883                     lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1884             break;
1885         }
1886             
1887         default:
1888             DFG_CRASH(m_graph, m_node, "Bad use kind");
1889             break;
1890         }
1891     }
1892     
1893     void compileBooleanToNumber()
1894     {
1895         switch (m_node->child1().useKind()) {
1896         case BooleanUse: {
1897             setInt32(m_out.zeroExt(lowBoolean(m_node->child1()), Int32));
1898             return;
1899         }
1900             
1901         case UntypedUse: {
1902             LValue value = lowJSValue(m_node->child1());
1903             
1904             if (!m_interpreter.needsTypeCheck(m_node->child1(), SpecBoolInt32 | SpecBoolean)) {
1905                 setInt32(m_out.bitAnd(m_out.castToInt32(value), m_out.int32One));
1906                 return;
1907             }
1908             
1909             LBasicBlock booleanCase = m_out.newBlock();
1910             LBasicBlock continuation = m_out.newBlock();
1911             
1912             ValueFromBlock notBooleanResult = m_out.anchor(value);
1913             m_out.branch(
1914                 isBoolean(value, provenType(m_node->child1())),
1915                 unsure(booleanCase), unsure(continuation));
1916             
1917             LBasicBlock lastNext = m_out.appendTo(booleanCase, continuation);
1918             ValueFromBlock booleanResult = m_out.anchor(m_out.bitOr(
1919                 m_out.zeroExt(unboxBoolean(value), Int64), m_numberTag));
1920             m_out.jump(continuation);
1921             
1922             m_out.appendTo(continuation, lastNext);
1923             setJSValue(m_out.phi(Int64, booleanResult, notBooleanResult));
1924             return;
1925         }
1926             
1927         default:
1928             RELEASE_ASSERT_NOT_REACHED();
1929             return;
1930         }
1931     }
1932
1933     void compileExtractOSREntryLocal()
1934     {
1935         EncodedJSValue* buffer = static_cast<EncodedJSValue*>(
1936             m_ftlState.jitCode->ftlForOSREntry()->entryBuffer()->dataBuffer());
1937         setJSValue(m_out.load64(m_out.absolute(buffer + m_node->unlinkedLocal().toLocal())));
1938     }
1939
1940     void compileExtractCatchLocal()
1941     {
1942         EncodedJSValue* buffer = static_cast<EncodedJSValue*>(m_ftlState.jitCode->common.catchOSREntryBuffer->dataBuffer());
1943         setJSValue(m_out.load64(m_out.absolute(buffer + m_node->catchOSREntryIndex())));
1944     }
1945
1946     void compileClearCatchLocals()
1947     {
1948         ScratchBuffer* scratchBuffer = m_ftlState.jitCode->common.catchOSREntryBuffer;
1949         ASSERT(scratchBuffer);
1950         m_out.storePtr(m_out.constIntPtr(0), m_out.absolute(scratchBuffer->addressOfActiveLength()));
1951     }
1952     
1953     void compileGetStack()
1954     {
1955         StackAccessData* data = m_node->stackAccessData();
1956         AbstractValue& value = m_state.operand(data->local);
1957         
1958         DFG_ASSERT(m_graph, m_node, isConcrete(data->format), data->format);
1959         
1960         switch (data->format) {
1961         case FlushedDouble:
1962             setDouble(m_out.loadDouble(addressFor(data->machineLocal)));
1963             break;
1964         case FlushedInt52:
1965             setInt52(m_out.load64(addressFor(data->machineLocal)));
1966             break;
1967         default:
1968             if (isInt32Speculation(value.m_type))
1969                 setInt32(m_out.load32(payloadFor(data->machineLocal)));
1970             else
1971                 setJSValue(m_out.load64(addressFor(data->machineLocal)));
1972             break;
1973         }
1974     }
1975     
1976     void compilePutStack()
1977     {
1978         StackAccessData* data = m_node->stackAccessData();
1979         switch (data->format) {
1980         case FlushedJSValue: {
1981             LValue value = lowJSValue(m_node->child1());
1982             m_out.store64(value, addressFor(data->machineLocal));
1983             break;
1984         }
1985             
1986         case FlushedDouble: {
1987             LValue value = lowDouble(m_node->child1());
1988             m_out.storeDouble(value, addressFor(data->machineLocal));
1989             break;
1990         }
1991             
1992         case FlushedInt32: {
1993             LValue value = lowInt32(m_node->child1());
1994             m_out.store32(value, payloadFor(data->machineLocal));
1995             break;
1996         }
1997             
1998         case FlushedInt52: {
1999             LValue value = lowInt52(m_node->child1());
2000             m_out.store64(value, addressFor(data->machineLocal));
2001             break;
2002         }
2003             
2004         case FlushedCell: {
2005             LValue value = lowCell(m_node->child1());
2006             m_out.store64(value, addressFor(data->machineLocal));
2007             break;
2008         }
2009             
2010         case FlushedBoolean: {
2011             speculateBoolean(m_node->child1());
2012             m_out.store64(
2013                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
2014                 addressFor(data->machineLocal));
2015             break;
2016         }
2017             
2018         default:
2019             DFG_CRASH(m_graph, m_node, "Bad flush format");
2020             break;
2021         }
2022     }
2023     
2024     void compileNoOp()
2025     {
2026         DFG_NODE_DO_TO_CHILDREN(m_graph, m_node, speculate);
2027     }
2028
2029     void compileToObjectOrCallObjectConstructor()
2030     {
2031         LValue value = lowJSValue(m_node->child1());
2032
2033         LBasicBlock isCellCase = m_out.newBlock();
2034         LBasicBlock slowCase = m_out.newBlock();
2035         LBasicBlock continuation = m_out.newBlock();
2036
2037         m_out.branch(isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
2038
2039         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
2040         ValueFromBlock fastResult = m_out.anchor(value);
2041         m_out.branch(isObject(value), usually(continuation), rarely(slowCase));
2042
2043         m_out.appendTo(slowCase, continuation);
2044
2045         ValueFromBlock slowResult;
2046         if (m_node->op() == ToObject) {
2047             auto* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
2048             slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationToObject), m_callFrame, weakPointer(globalObject), value, m_out.constIntPtr(m_graph.identifiers()[m_node->identifierNumber()])));
2049         } else
2050             slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationCallObjectConstructor), m_callFrame, frozenPointer(m_node->cellOperand()), value));
2051         m_out.jump(continuation);
2052
2053         m_out.appendTo(continuation, lastNext);
2054         setJSValue(m_out.phi(Int64, fastResult, slowResult));
2055     }
2056     
2057     void compileToThis()
2058     {
2059         LValue value = lowJSValue(m_node->child1());
2060         
2061         LBasicBlock isCellCase = m_out.newBlock();
2062         LBasicBlock slowCase = m_out.newBlock();
2063         LBasicBlock continuation = m_out.newBlock();
2064         
2065         m_out.branch(
2066             isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
2067         
2068         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
2069         ValueFromBlock fastResult = m_out.anchor(value);
2070         m_out.branch(
2071             m_out.testIsZero32(
2072                 m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoFlags),
2073                 m_out.constInt32(OverridesToThis)),
2074             usually(continuation), rarely(slowCase));
2075         
2076         m_out.appendTo(slowCase, continuation);
2077         J_JITOperation_EJ function;
2078         if (m_graph.isStrictModeFor(m_node->origin.semantic))
2079             function = operationToThisStrict;
2080         else
2081             function = operationToThis;
2082         ValueFromBlock slowResult = m_out.anchor(
2083             vmCall(Int64, m_out.operation(function), m_callFrame, value));
2084         m_out.jump(continuation);
2085         
2086         m_out.appendTo(continuation, lastNext);
2087         setJSValue(m_out.phi(Int64, fastResult, slowResult));
2088     }
2089
2090     void compileValueAdd()
2091     {
2092         if (m_node->isBinaryUseKind(BigIntUse)) {
2093             LValue left = lowBigInt(m_node->child1());
2094             LValue right = lowBigInt(m_node->child2());
2095
2096             LValue result = vmCall(pointerType(), m_out.operation(operationAddBigInt), m_callFrame, left, right);
2097             setJSValue(result);
2098             return;
2099         }
2100
2101         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2102         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2103         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2104         auto repatchingFunction = operationValueAddOptimize;
2105         auto nonRepatchingFunction = operationValueAdd;
2106         compileBinaryMathIC<JITAddGenerator>(arithProfile, repatchingFunction, nonRepatchingFunction);
2107     }
2108
2109     void compileValueSub()
2110     {
2111         if (m_node->isBinaryUseKind(BigIntUse)) {
2112             LValue left = lowBigInt(m_node->child1());
2113             LValue right = lowBigInt(m_node->child2());
2114             
2115             LValue result = vmCall(pointerType(), m_out.operation(operationSubBigInt), m_callFrame, left, right);
2116             setJSValue(result);
2117             return;
2118         }
2119
2120         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2121         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2122         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2123         auto repatchingFunction = operationValueSubOptimize;
2124         auto nonRepatchingFunction = operationValueSub;
2125         compileBinaryMathIC<JITSubGenerator>(arithProfile, repatchingFunction, nonRepatchingFunction);
2126     }
2127
2128     void compileValueMul()
2129     {
2130         if (m_node->isBinaryUseKind(BigIntUse)) {
2131             LValue left = lowBigInt(m_node->child1());
2132             LValue right = lowBigInt(m_node->child2());
2133             
2134             LValue result = vmCall(Int64, m_out.operation(operationMulBigInt), m_callFrame, left, right);
2135             setJSValue(result);
2136             return;
2137         }
2138
2139         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2140         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2141         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2142         auto repatchingFunction = operationValueMulOptimize;
2143         auto nonRepatchingFunction = operationValueMul;
2144         compileBinaryMathIC<JITMulGenerator>(arithProfile, repatchingFunction, nonRepatchingFunction);
2145     }
2146
2147     template <typename Generator, typename Func1, typename Func2,
2148         typename = std::enable_if_t<std::is_function<typename std::remove_pointer<Func1>::type>::value && std::is_function<typename std::remove_pointer<Func2>::type>::value>>
2149     void compileUnaryMathIC(ArithProfile* arithProfile, Func1 repatchingFunction, Func2 nonRepatchingFunction)
2150     {
2151         Node* node = m_node;
2152
2153         LValue operand = lowJSValue(node->child1());
2154
2155         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
2156         patchpoint->appendSomeRegister(operand);
2157         patchpoint->append(m_notCellMask, ValueRep::lateReg(GPRInfo::notCellMaskRegister));
2158         patchpoint->append(m_numberTag, ValueRep::lateReg(GPRInfo::numberTagRegister));
2159         RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
2160         patchpoint->numGPScratchRegisters = 1;
2161         patchpoint->clobber(RegisterSet::macroScratchRegisters());
2162         State* state = &m_ftlState;
2163         patchpoint->setGenerator(
2164             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
2165                 AllowMacroScratchRegisterUsage allowScratch(jit);
2166
2167                 Box<CCallHelpers::JumpList> exceptions =
2168                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
2169
2170 #if ENABLE(MATH_IC_STATS)
2171                 auto inlineStart = jit.label();
2172 #endif
2173
2174                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
2175                 JITUnaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile);
2176                 mathIC->m_generator = Generator(JSValueRegs(params[0].gpr()), JSValueRegs(params[1].gpr()), params.gpScratch(0));
2177
2178                 bool shouldEmitProfiling = false;
2179                 bool generatedInline = mathIC->generateInline(jit, *mathICGenerationState, shouldEmitProfiling);
2180
2181                 if (generatedInline) {
2182                     ASSERT(!mathICGenerationState->slowPathJumps.empty());
2183                     auto done = jit.label();
2184                     params.addLatePath([=] (CCallHelpers& jit) {
2185                         AllowMacroScratchRegisterUsage allowScratch(jit);
2186                         mathICGenerationState->slowPathJumps.link(&jit);
2187                         mathICGenerationState->slowPathStart = jit.label();
2188 #if ENABLE(MATH_IC_STATS)
2189                         auto slowPathStart = jit.label();
2190 #endif
2191
2192                         if (mathICGenerationState->shouldSlowPathRepatch) {
2193                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2194                                 repatchingFunction, params[0].gpr(), params[1].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
2195                             mathICGenerationState->slowPathCall = call.call();
2196                         } else {
2197                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
2198                                 exceptions.get(), nonRepatchingFunction, params[0].gpr(), params[1].gpr());
2199                             mathICGenerationState->slowPathCall = call.call();
2200                         }
2201                         jit.jump().linkTo(done, &jit);
2202
2203                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2204                             mathIC->finalizeInlineCode(*mathICGenerationState, linkBuffer);
2205                         });
2206
2207 #if ENABLE(MATH_IC_STATS)
2208                         auto slowPathEnd = jit.label();
2209                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2210                             size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
2211                             mathIC->m_generatedCodeSize += size;
2212                         });
2213 #endif
2214                     });
2215                 } else {
2216                     callOperation(
2217                         *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2218                         nonRepatchingFunction, params[0].gpr(), params[1].gpr());
2219                 }
2220
2221 #if ENABLE(MATH_IC_STATS)
2222                 auto inlineEnd = jit.label();
2223                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2224                     size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
2225                     mathIC->m_generatedCodeSize += size;
2226                 });
2227 #endif
2228             });
2229
2230         setJSValue(patchpoint);
2231     }
2232
2233     template <typename Generator, typename Func1, typename Func2,
2234         typename = std::enable_if_t<std::is_function<typename std::remove_pointer<Func1>::type>::value && std::is_function<typename std::remove_pointer<Func2>::type>::value>>
2235     void compileBinaryMathIC(ArithProfile* arithProfile, Func1 repatchingFunction, Func2 nonRepatchingFunction)
2236     {
2237         Node* node = m_node;
2238         
2239         LValue left = lowJSValue(node->child1());
2240         LValue right = lowJSValue(node->child2());
2241
2242         SnippetOperand leftOperand(m_state.forNode(node->child1()).resultType());
2243         SnippetOperand rightOperand(m_state.forNode(node->child2()).resultType());
2244             
2245         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
2246         patchpoint->appendSomeRegister(left);
2247         patchpoint->appendSomeRegister(right);
2248         patchpoint->append(m_notCellMask, ValueRep::lateReg(GPRInfo::notCellMaskRegister));
2249         patchpoint->append(m_numberTag, ValueRep::lateReg(GPRInfo::numberTagRegister));
2250         RefPtr<PatchpointExceptionHandle> exceptionHandle =
2251             preparePatchpointForExceptions(patchpoint);
2252         patchpoint->numGPScratchRegisters = 1;
2253         patchpoint->numFPScratchRegisters = 2;
2254         patchpoint->clobber(RegisterSet::macroScratchRegisters());
2255         State* state = &m_ftlState;
2256         patchpoint->setGenerator(
2257             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
2258                 AllowMacroScratchRegisterUsage allowScratch(jit);
2259
2260
2261                 Box<CCallHelpers::JumpList> exceptions =
2262                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
2263
2264 #if ENABLE(MATH_IC_STATS)
2265                 auto inlineStart = jit.label();
2266 #endif
2267
2268                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
2269                 JITBinaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile);
2270                 mathIC->m_generator = Generator(leftOperand, rightOperand, JSValueRegs(params[0].gpr()),
2271                     JSValueRegs(params[1].gpr()), JSValueRegs(params[2].gpr()), params.fpScratch(0),
2272                     params.fpScratch(1), params.gpScratch(0), InvalidFPRReg);
2273
2274                 bool shouldEmitProfiling = false;
2275                 bool generatedInline = mathIC->generateInline(jit, *mathICGenerationState, shouldEmitProfiling);
2276
2277                 if (generatedInline) {
2278                     ASSERT(!mathICGenerationState->slowPathJumps.empty());
2279                     auto done = jit.label();
2280                     params.addLatePath([=] (CCallHelpers& jit) {
2281                         AllowMacroScratchRegisterUsage allowScratch(jit);
2282                         mathICGenerationState->slowPathJumps.link(&jit);
2283                         mathICGenerationState->slowPathStart = jit.label();
2284 #if ENABLE(MATH_IC_STATS)
2285                         auto slowPathStart = jit.label();
2286 #endif
2287
2288                         if (mathICGenerationState->shouldSlowPathRepatch) {
2289                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2290                                 repatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
2291                             mathICGenerationState->slowPathCall = call.call();
2292                         } else {
2293                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
2294                                 exceptions.get(), nonRepatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr());
2295                             mathICGenerationState->slowPathCall = call.call();
2296                         }
2297                         jit.jump().linkTo(done, &jit);
2298
2299                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2300                             mathIC->finalizeInlineCode(*mathICGenerationState, linkBuffer);
2301                         });
2302
2303 #if ENABLE(MATH_IC_STATS)
2304                         auto slowPathEnd = jit.label();
2305                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2306                             size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
2307                             mathIC->m_generatedCodeSize += size;
2308                         });
2309 #endif
2310                     });
2311                 } else {
2312                     callOperation(
2313                         *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2314                         nonRepatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr());
2315                 }
2316
2317 #if ENABLE(MATH_IC_STATS)
2318                 auto inlineEnd = jit.label();
2319                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2320                     size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
2321                     mathIC->m_generatedCodeSize += size;
2322                 });
2323 #endif
2324             });
2325
2326         setJSValue(patchpoint);
2327     }
2328     
2329     void compileStrCat()
2330     {
2331         LValue result;
2332         if (m_node->child3()) {
2333             result = vmCall(
2334                 Int64, m_out.operation(operationStrCat3), m_callFrame,
2335                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
2336                 lowJSValue(m_node->child2(), ManualOperandSpeculation),
2337                 lowJSValue(m_node->child3(), ManualOperandSpeculation));
2338         } else {
2339             result = vmCall(
2340                 Int64, m_out.operation(operationStrCat2), m_callFrame,
2341                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
2342                 lowJSValue(m_node->child2(), ManualOperandSpeculation));
2343         }
2344         setJSValue(result);
2345     }
2346     
2347     void compileArithAddOrSub()
2348     {
2349         bool isSub =  m_node->op() == ArithSub;
2350         switch (m_node->binaryUseKind()) {
2351         case Int32Use: {
2352             LValue left = lowInt32(m_node->child1());
2353             LValue right = lowInt32(m_node->child2());
2354
2355             if (!shouldCheckOverflow(m_node->arithMode())) {
2356                 setInt32(isSub ? m_out.sub(left, right) : m_out.add(left, right));
2357                 break;
2358             }
2359
2360             CheckValue* result =
2361                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
2362             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2363             setInt32(result);
2364             break;
2365         }
2366             
2367         case Int52RepUse: {
2368             if (!abstractValue(m_node->child1()).couldBeType(SpecNonInt32AsInt52)
2369                 && !abstractValue(m_node->child2()).couldBeType(SpecNonInt32AsInt52)) {
2370                 Int52Kind kind;
2371                 LValue left = lowWhicheverInt52(m_node->child1(), kind);
2372                 LValue right = lowInt52(m_node->child2(), kind);
2373                 setInt52(isSub ? m_out.sub(left, right) : m_out.add(left, right), kind);
2374                 break;
2375             }
2376
2377             LValue left = lowInt52(m_node->child1());
2378             LValue right = lowInt52(m_node->child2());
2379             CheckValue* result =
2380                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
2381             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2382             setInt52(result);
2383             break;
2384         }
2385             
2386         case DoubleRepUse: {
2387             LValue C1 = lowDouble(m_node->child1());
2388             LValue C2 = lowDouble(m_node->child2());
2389
2390             setDouble(isSub ? m_out.doubleSub(C1, C2) : m_out.doubleAdd(C1, C2));
2391             break;
2392         }
2393
2394         case UntypedUse: {
2395             if (!isSub) {
2396                 DFG_CRASH(m_graph, m_node, "Bad use kind");
2397                 break;
2398             }
2399
2400             CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2401             unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2402             ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2403             auto repatchingFunction = operationValueSubOptimize;
2404             auto nonRepatchingFunction = operationValueSub;
2405             compileBinaryMathIC<JITSubGenerator>(arithProfile, repatchingFunction, nonRepatchingFunction);
2406             break;
2407         }
2408
2409         default:
2410             DFG_CRASH(m_graph, m_node, "Bad use kind");
2411             break;
2412         }
2413     }
2414
2415     void compileArithClz32()
2416     {
2417         if (m_node->child1().useKind() == Int32Use || m_node->child1().useKind() == KnownInt32Use) {
2418             LValue operand = lowInt32(m_node->child1());
2419             setInt32(m_out.ctlz32(operand));
2420             return;
2421         }
2422         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2423         LValue argument = lowJSValue(m_node->child1());
2424         LValue result = vmCall(Int32, m_out.operation(operationArithClz32), m_callFrame, argument);
2425         setInt32(result);
2426     }
2427     
2428     void compileArithMul()
2429     {
2430         switch (m_node->binaryUseKind()) {
2431         case Int32Use: {
2432             LValue left = lowInt32(m_node->child1());
2433             LValue right = lowInt32(m_node->child2());
2434             
2435             LValue result;
2436
2437             if (!shouldCheckOverflow(m_node->arithMode()))
2438                 result = m_out.mul(left, right);
2439             else {
2440                 CheckValue* speculation = m_out.speculateMul(left, right);
2441                 blessSpeculation(speculation, Overflow, noValue(), nullptr, m_origin);
2442                 result = speculation;
2443             }
2444             
2445             if (shouldCheckNegativeZero(m_node->arithMode())) {
2446                 LBasicBlock slowCase = m_out.newBlock();
2447                 LBasicBlock continuation = m_out.newBlock();
2448                 
2449                 m_out.branch(
2450                     m_out.notZero32(result), usually(continuation), rarely(slowCase));
2451                 
2452                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
2453                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int32Zero));
2454                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int32Zero));
2455                 m_out.jump(continuation);
2456                 m_out.appendTo(continuation, lastNext);
2457             }
2458             
2459             setInt32(result);
2460             break;
2461         }
2462             
2463         case Int52RepUse: {
2464             Int52Kind kind;
2465             LValue left = lowWhicheverInt52(m_node->child1(), kind);
2466             LValue right = lowInt52(m_node->child2(), opposite(kind));
2467
2468             CheckValue* result = m_out.speculateMul(left, right);
2469             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2470
2471             if (shouldCheckNegativeZero(m_node->arithMode())) {
2472                 LBasicBlock slowCase = m_out.newBlock();
2473                 LBasicBlock continuation = m_out.newBlock();
2474                 
2475                 m_out.branch(
2476                     m_out.notZero64(result), usually(continuation), rarely(slowCase));
2477                 
2478                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
2479                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int64Zero));
2480                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int64Zero));
2481                 m_out.jump(continuation);
2482                 m_out.appendTo(continuation, lastNext);
2483             }
2484             
2485             setInt52(result);
2486             break;
2487         }
2488             
2489         case DoubleRepUse: {
2490             setDouble(
2491                 m_out.doubleMul(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2492             break;
2493         }
2494
2495         default:
2496             DFG_CRASH(m_graph, m_node, "Bad use kind");
2497             break;
2498         }
2499     }
2500
2501     void compileValueDiv()
2502     {
2503         if (m_node->isBinaryUseKind(BigIntUse)) {
2504             LValue left = lowBigInt(m_node->child1());
2505             LValue right = lowBigInt(m_node->child2());
2506             
2507             LValue result = vmCall(pointerType(), m_out.operation(operationDivBigInt), m_callFrame, left, right);
2508             setJSValue(result);
2509             return;
2510         }
2511
2512         emitBinarySnippet<JITDivGenerator, NeedScratchFPR>(operationValueDiv);
2513     }
2514
2515     void compileArithDiv()
2516     {
2517         switch (m_node->binaryUseKind()) {
2518         case Int32Use: {
2519             LValue numerator = lowInt32(m_node->child1());
2520             LValue denominator = lowInt32(m_node->child2());
2521
2522             if (shouldCheckNegativeZero(m_node->arithMode())) {
2523                 LBasicBlock zeroNumerator = m_out.newBlock();
2524                 LBasicBlock numeratorContinuation = m_out.newBlock();
2525
2526                 m_out.branch(
2527                     m_out.isZero32(numerator),
2528                     rarely(zeroNumerator), usually(numeratorContinuation));
2529
2530                 LBasicBlock innerLastNext = m_out.appendTo(zeroNumerator, numeratorContinuation);
2531
2532                 speculate(
2533                     NegativeZero, noValue(), 0, m_out.lessThan(denominator, m_out.int32Zero));
2534
2535                 m_out.jump(numeratorContinuation);
2536
2537                 m_out.appendTo(numeratorContinuation, innerLastNext);
2538             }
2539             
2540             if (shouldCheckOverflow(m_node->arithMode())) {
2541                 LBasicBlock unsafeDenominator = m_out.newBlock();
2542                 LBasicBlock continuation = m_out.newBlock();
2543
2544                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
2545                 m_out.branch(
2546                     m_out.above(adjustedDenominator, m_out.int32One),
2547                     usually(continuation), rarely(unsafeDenominator));
2548
2549                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
2550                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
2551                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
2552                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
2553                 m_out.jump(continuation);
2554
2555                 m_out.appendTo(continuation, lastNext);
2556                 LValue result = m_out.div(numerator, denominator);
2557                 speculate(
2558                     Overflow, noValue(), 0,
2559                     m_out.notEqual(m_out.mul(result, denominator), numerator));
2560                 setInt32(result);
2561             } else
2562                 setInt32(m_out.chillDiv(numerator, denominator));
2563
2564             break;
2565         }
2566             
2567         case DoubleRepUse: {
2568             setDouble(m_out.doubleDiv(
2569                 lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2570             break;
2571         }
2572
2573         default:
2574             DFG_CRASH(m_graph, m_node, "Bad use kind");
2575             break;
2576         }
2577     }
2578     
2579     void compileValueMod()
2580     {
2581         if (m_node->binaryUseKind() == BigIntUse) {
2582             LValue left = lowBigInt(m_node->child1());
2583             LValue right = lowBigInt(m_node->child2());
2584
2585             LValue result = vmCall(pointerType(), m_out.operation(operationModBigInt), m_callFrame, left, right);
2586             setJSValue(result);
2587             return;
2588         }
2589
2590         DFG_ASSERT(m_graph, m_node, m_node->binaryUseKind() == UntypedUse, m_node->binaryUseKind());
2591         LValue left = lowJSValue(m_node->child1());
2592         LValue right = lowJSValue(m_node->child2());
2593         LValue result = vmCall(Int64, m_out.operation(operationValueMod), m_callFrame, left, right);
2594         setJSValue(result);
2595     }
2596
2597     void compileArithMod()
2598     {
2599         switch (m_node->binaryUseKind()) {
2600         case Int32Use: {
2601             LValue numerator = lowInt32(m_node->child1());
2602             LValue denominator = lowInt32(m_node->child2());
2603
2604             LValue remainder;
2605             if (shouldCheckOverflow(m_node->arithMode())) {
2606                 LBasicBlock unsafeDenominator = m_out.newBlock();
2607                 LBasicBlock continuation = m_out.newBlock();
2608
2609                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
2610                 m_out.branch(
2611                     m_out.above(adjustedDenominator, m_out.int32One),
2612                     usually(continuation), rarely(unsafeDenominator));
2613
2614                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
2615                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
2616                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
2617                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
2618                 m_out.jump(continuation);
2619
2620                 m_out.appendTo(continuation, lastNext);
2621                 LValue result = m_out.mod(numerator, denominator);
2622                 remainder = result;
2623             } else
2624                 remainder = m_out.chillMod(numerator, denominator);
2625
2626             if (shouldCheckNegativeZero(m_node->arithMode())) {
2627                 LBasicBlock negativeNumerator = m_out.newBlock();
2628                 LBasicBlock numeratorContinuation = m_out.newBlock();
2629
2630                 m_out.branch(
2631                     m_out.lessThan(numerator, m_out.int32Zero),
2632                     unsure(negativeNumerator), unsure(numeratorContinuation));
2633
2634                 LBasicBlock innerLastNext = m_out.appendTo(negativeNumerator, numeratorContinuation);
2635
2636                 speculate(NegativeZero, noValue(), 0, m_out.isZero32(remainder));
2637
2638                 m_out.jump(numeratorContinuation);
2639
2640                 m_out.appendTo(numeratorContinuation, innerLastNext);
2641             }
2642
2643             setInt32(remainder);
2644             break;
2645         }
2646             
2647         case DoubleRepUse: {
2648             setDouble(
2649                 m_out.doubleMod(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2650             break;
2651         }
2652             
2653         default:
2654             DFG_CRASH(m_graph, m_node, "Bad use kind");
2655             break;
2656         }
2657     }
2658
2659     void compileArithMinOrMax()
2660     {
2661         switch (m_node->binaryUseKind()) {
2662         case Int32Use: {
2663             LValue left = lowInt32(m_node->child1());
2664             LValue right = lowInt32(m_node->child2());
2665             
2666             setInt32(
2667                 m_out.select(
2668                     m_node->op() == ArithMin
2669                         ? m_out.lessThan(left, right)
2670                         : m_out.lessThan(right, left),
2671                     left, right));
2672             break;
2673         }
2674             
2675         case DoubleRepUse: {
2676             LValue left = lowDouble(m_node->child1());
2677             LValue right = lowDouble(m_node->child2());
2678             
2679             LBasicBlock notLessThan = m_out.newBlock();
2680             LBasicBlock continuation = m_out.newBlock();
2681             
2682             Vector<ValueFromBlock, 2> results;
2683             
2684             results.append(m_out.anchor(left));
2685             m_out.branch(
2686                 m_node->op() == ArithMin
2687                     ? m_out.doubleLessThan(left, right)
2688                     : m_out.doubleGreaterThan(left, right),
2689                 unsure(continuation), unsure(notLessThan));
2690             
2691             LBasicBlock lastNext = m_out.appendTo(notLessThan, continuation);
2692             results.append(m_out.anchor(m_out.select(
2693                 m_node->op() == ArithMin
2694                     ? m_out.doubleGreaterThanOrEqual(left, right)
2695                     : m_out.doubleLessThanOrEqual(left, right),
2696                 right, m_out.constDouble(PNaN))));
2697             m_out.jump(continuation);
2698             
2699             m_out.appendTo(continuation, lastNext);
2700             setDouble(m_out.phi(Double, results));
2701             break;
2702         }
2703             
2704         default:
2705             DFG_CRASH(m_graph, m_node, "Bad use kind");
2706             break;
2707         }
2708     }
2709     
2710     void compileArithAbs()
2711     {
2712         switch (m_node->child1().useKind()) {
2713         case Int32Use: {
2714             LValue value = lowInt32(m_node->child1());
2715
2716             LValue mask = m_out.aShr(value, m_out.constInt32(31));
2717             LValue result = m_out.bitXor(mask, m_out.add(mask, value));
2718
2719             if (shouldCheckOverflow(m_node->arithMode()))
2720                 speculate(Overflow, noValue(), 0, m_out.lessThan(result, m_out.int32Zero));
2721
2722             setInt32(result);
2723             break;
2724         }
2725             
2726         case DoubleRepUse: {
2727             setDouble(m_out.doubleAbs(lowDouble(m_node->child1())));
2728             break;
2729         }
2730             
2731         default: {
2732             DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2733             LValue argument = lowJSValue(m_node->child1());
2734             LValue result = vmCall(Double, m_out.operation(operationArithAbs), m_callFrame, argument);
2735             setDouble(result);
2736             break;
2737         }
2738         }
2739     }
2740
2741     void compileArithUnary()
2742     {
2743         if (m_node->child1().useKind() == DoubleRepUse) {
2744             setDouble(m_out.doubleUnary(m_node->arithUnaryType(), lowDouble(m_node->child1())));
2745             return;
2746         }
2747         LValue argument = lowJSValue(m_node->child1());
2748         LValue result = vmCall(Double, m_out.operation(DFG::arithUnaryOperation(m_node->arithUnaryType())), m_callFrame, argument);
2749         setDouble(result);
2750     }
2751
2752     void compileValuePow()
2753     {
2754         if (m_node->isBinaryUseKind(BigIntUse)) {
2755             LValue base = lowBigInt(m_node->child1());
2756             LValue exponent = lowBigInt(m_node->child2());
2757             
2758             LValue result = vmCall(pointerType(), m_out.operation(operationPowBigInt), m_callFrame, base, exponent);
2759             setJSValue(result);
2760             return;
2761         }
2762
2763         LValue base = lowJSValue(m_node->child1());
2764         LValue exponent = lowJSValue(m_node->child2());
2765         LValue result = vmCall(Int64, m_out.operation(operationValuePow), m_callFrame, base, exponent);
2766         setJSValue(result);
2767     }
2768
2769     void compileArithPow()
2770     {
2771         if (m_node->child2().useKind() == Int32Use)
2772             setDouble(m_out.doublePowi(lowDouble(m_node->child1()), lowInt32(m_node->child2())));
2773         else {
2774             LValue base = lowDouble(m_node->child1());
2775             LValue exponent = lowDouble(m_node->child2());
2776
2777             LBasicBlock integerExponentIsSmallBlock = m_out.newBlock();
2778             LBasicBlock integerExponentPowBlock = m_out.newBlock();
2779             LBasicBlock doubleExponentPowBlockEntry = m_out.newBlock();
2780             LBasicBlock nanExceptionBaseIsOne = m_out.newBlock();
2781             LBasicBlock nanExceptionExponentIsInfinity = m_out.newBlock();
2782             LBasicBlock testExponentIsOneHalf = m_out.newBlock();
2783             LBasicBlock handleBaseZeroExponentIsOneHalf = m_out.newBlock();
2784             LBasicBlock handleInfinityForExponentIsOneHalf = m_out.newBlock();
2785             LBasicBlock exponentIsOneHalfNormal = m_out.newBlock();
2786             LBasicBlock exponentIsOneHalfInfinity = m_out.newBlock();
2787             LBasicBlock testExponentIsNegativeOneHalf = m_out.newBlock();
2788             LBasicBlock testBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
2789             LBasicBlock handleBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
2790             LBasicBlock handleInfinityForExponentIsNegativeOneHalf = m_out.newBlock();
2791             LBasicBlock exponentIsNegativeOneHalfNormal = m_out.newBlock();
2792             LBasicBlock exponentIsNegativeOneHalfInfinity = m_out.newBlock();
2793             LBasicBlock powBlock = m_out.newBlock();
2794             LBasicBlock nanExceptionResultIsNaN = m_out.newBlock();
2795             LBasicBlock continuation = m_out.newBlock();
2796
2797             LValue integerExponent = m_out.doubleToInt(exponent);
2798             LValue integerExponentConvertedToDouble = m_out.intToDouble(integerExponent);
2799             LValue exponentIsInteger = m_out.doubleEqual(exponent, integerExponentConvertedToDouble);
2800             m_out.branch(exponentIsInteger, unsure(integerExponentIsSmallBlock), unsure(doubleExponentPowBlockEntry));
2801
2802             LBasicBlock lastNext = m_out.appendTo(integerExponentIsSmallBlock, integerExponentPowBlock);
2803             LValue integerExponentBelowMax = m_out.belowOrEqual(integerExponent, m_out.constInt32(maxExponentForIntegerMathPow));
2804             m_out.branch(integerExponentBelowMax, usually(integerExponentPowBlock), rarely(doubleExponentPowBlockEntry));
2805
2806             m_out.appendTo(integerExponentPowBlock, doubleExponentPowBlockEntry);
2807             ValueFromBlock powDoubleIntResult = m_out.anchor(m_out.doublePowi(base, integerExponent));
2808             m_out.jump(continuation);
2809
2810             // If y is NaN, the result is NaN.
2811             m_out.appendTo(doubleExponentPowBlockEntry, nanExceptionBaseIsOne);
2812             LValue exponentIsNaN;
2813             if (provenType(m_node->child2()) & SpecDoubleNaN)
2814                 exponentIsNaN = m_out.doubleNotEqualOrUnordered(exponent, exponent);
2815             else
2816                 exponentIsNaN = m_out.booleanFalse;
2817             m_out.branch(exponentIsNaN, rarely(nanExceptionResultIsNaN), usually(nanExceptionBaseIsOne));
2818
2819             // If abs(x) is 1 and y is +infinity, the result is NaN.
2820             // If abs(x) is 1 and y is -infinity, the result is NaN.
2821
2822             //     Test if base == 1.
2823             m_out.appendTo(nanExceptionBaseIsOne, nanExceptionExponentIsInfinity);
2824             LValue absoluteBase = m_out.doubleAbs(base);
2825             LValue absoluteBaseIsOne = m_out.doubleEqual(absoluteBase, m_out.constDouble(1));
2826             m_out.branch(absoluteBaseIsOne, rarely(nanExceptionExponentIsInfinity), usually(testExponentIsOneHalf));
2827
2828             //     Test if abs(y) == Infinity.
2829             m_out.appendTo(nanExceptionExponentIsInfinity, testExponentIsOneHalf);
2830             LValue absoluteExponent = m_out.doubleAbs(exponent);
2831             LValue absoluteExponentIsInfinity = m_out.doubleEqual(absoluteExponent, m_out.constDouble(std::numeric_limits<double>::infinity()));
2832             m_out.branch(absoluteExponentIsInfinity, rarely(nanExceptionResultIsNaN), usually(testExponentIsOneHalf));
2833
2834             // If y == 0.5 or y == -0.5, handle it through SQRT.
2835             // We have be carefuly with -0 and -Infinity.
2836
2837             //     Test if y == 0.5
2838             m_out.appendTo(testExponentIsOneHalf, handleBaseZeroExponentIsOneHalf);
2839             LValue exponentIsOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(0.5));
2840             m_out.branch(exponentIsOneHalf, rarely(handleBaseZeroExponentIsOneHalf), usually(testExponentIsNegativeOneHalf));
2841
2842             //     Handle x == -0.
2843             m_out.appendTo(handleBaseZeroExponentIsOneHalf, handleInfinityForExponentIsOneHalf);
2844             LValue baseIsZeroExponentIsOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
2845             ValueFromBlock zeroResultExponentIsOneHalf = m_out.anchor(m_out.doubleZero);
2846             m_out.branch(baseIsZeroExponentIsOneHalf, rarely(continuation), usually(handleInfinityForExponentIsOneHalf));
2847
2848             //     Test if abs(x) == Infinity.
2849             m_out.appendTo(handleInfinityForExponentIsOneHalf, exponentIsOneHalfNormal);
2850             LValue absoluteBaseIsInfinityOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2851             m_out.branch(absoluteBaseIsInfinityOneHalf, rarely(exponentIsOneHalfInfinity), usually(exponentIsOneHalfNormal));
2852
2853             //     The exponent is 0.5, the base is finite or NaN, we can use SQRT.
2854             m_out.appendTo(exponentIsOneHalfNormal, exponentIsOneHalfInfinity);
2855             ValueFromBlock sqrtResult = m_out.anchor(m_out.doubleSqrt(base));
2856             m_out.jump(continuation);
2857
2858             //     The exponent is 0.5, the base is infinite, the result is always infinite.
2859             m_out.appendTo(exponentIsOneHalfInfinity, testExponentIsNegativeOneHalf);
2860             ValueFromBlock sqrtInfinityResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2861             m_out.jump(continuation);
2862
2863             //     Test if y == -0.5
2864             m_out.appendTo(testExponentIsNegativeOneHalf, testBaseZeroExponentIsNegativeOneHalf);
2865             LValue exponentIsNegativeOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(-0.5));
2866             m_out.branch(exponentIsNegativeOneHalf, rarely(testBaseZeroExponentIsNegativeOneHalf), usually(powBlock));
2867
2868             //     Handle x == -0.
2869             m_out.appendTo(testBaseZeroExponentIsNegativeOneHalf, handleBaseZeroExponentIsNegativeOneHalf);
2870             LValue baseIsZeroExponentIsNegativeOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
2871             m_out.branch(baseIsZeroExponentIsNegativeOneHalf, rarely(handleBaseZeroExponentIsNegativeOneHalf), usually(handleInfinityForExponentIsNegativeOneHalf));
2872
2873             m_out.appendTo(handleBaseZeroExponentIsNegativeOneHalf, handleInfinityForExponentIsNegativeOneHalf);
2874             ValueFromBlock oneOverSqrtZeroResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2875             m_out.jump(continuation);
2876
2877             //     Test if abs(x) == Infinity.
2878             m_out.appendTo(handleInfinityForExponentIsNegativeOneHalf, exponentIsNegativeOneHalfNormal);
2879             LValue absoluteBaseIsInfinityNegativeOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2880             m_out.branch(absoluteBaseIsInfinityNegativeOneHalf, rarely(exponentIsNegativeOneHalfInfinity), usually(exponentIsNegativeOneHalfNormal));
2881
2882             //     The exponent is -0.5, the base is finite or NaN, we can use 1/SQRT.
2883             m_out.appendTo(exponentIsNegativeOneHalfNormal, exponentIsNegativeOneHalfInfinity);
2884             LValue sqrtBase = m_out.doubleSqrt(base);
2885             ValueFromBlock oneOverSqrtResult = m_out.anchor(m_out.div(m_out.constDouble(1.), sqrtBase));
2886             m_out.jump(continuation);
2887
2888             //     The exponent is -0.5, the base is infinite, the result is always zero.
2889             m_out.appendTo(exponentIsNegativeOneHalfInfinity, powBlock);
2890             ValueFromBlock oneOverSqrtInfinityResult = m_out.anchor(m_out.doubleZero);
2891             m_out.jump(continuation);
2892
2893             m_out.appendTo(powBlock, nanExceptionResultIsNaN);
2894             ValueFromBlock powResult = m_out.anchor(m_out.doublePow(base, exponent));
2895             m_out.jump(continuation);
2896
2897             m_out.appendTo(nanExceptionResultIsNaN, continuation);
2898             ValueFromBlock pureNan = m_out.anchor(m_out.constDouble(PNaN));
2899             m_out.jump(continuation);
2900
2901             m_out.appendTo(continuation, lastNext);
2902             setDouble(m_out.phi(Double, powDoubleIntResult, zeroResultExponentIsOneHalf, sqrtResult, sqrtInfinityResult, oneOverSqrtZeroResult, oneOverSqrtResult, oneOverSqrtInfinityResult, powResult, pureNan));
2903         }
2904     }
2905
2906     void compileArithRandom()
2907     {
2908         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
2909
2910         // Inlined WeakRandom::advance().
2911         // uint64_t x = m_low;
2912         void* lowAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::lowOffset();
2913         LValue low = m_out.load64(m_out.absolute(lowAddress));
2914         // uint64_t y = m_high;
2915         void* highAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::highOffset();
2916         LValue high = m_out.load64(m_out.absolute(highAddress));
2917         // m_low = y;
2918         m_out.store64(high, m_out.absolute(lowAddress));
2919
2920         // x ^= x << 23;
2921         LValue phase1 = m_out.bitXor(m_out.shl(low, m_out.constInt64(23)), low);
2922
2923         // x ^= x >> 17;
2924         LValue phase2 = m_out.bitXor(m_out.lShr(phase1, m_out.constInt64(17)), phase1);
2925
2926         // x ^= y ^ (y >> 26);
2927         LValue phase3 = m_out.bitXor(m_out.bitXor(high, m_out.lShr(high, m_out.constInt64(26))), phase2);
2928
2929         // m_high = x;
2930         m_out.store64(phase3, m_out.absolute(highAddress));
2931
2932         // return x + y;
2933         LValue random64 = m_out.add(phase3, high);
2934
2935         // Extract random 53bit. [0, 53] bit is safe integer number ranges in double representation.
2936         LValue random53 = m_out.bitAnd(random64, m_out.constInt64((1ULL << 53) - 1));
2937
2938         LValue double53Integer = m_out.intToDouble(random53);
2939
2940         // Convert `(53bit double integer value) / (1 << 53)` to `(53bit double integer value) * (1.0 / (1 << 53))`.
2941         // In latter case, `1.0 / (1 << 53)` will become a double value represented as (mantissa = 0 & exp = 970, it means 1e-(2**54)).
2942         static constexpr double scale = 1.0 / (1ULL << 53);
2943
2944         // Multiplying 1e-(2**54) with the double integer does not change anything of the mantissa part of the double integer.
2945         // It just reduces the exp part of the given 53bit double integer.
2946         // (Except for 0.0. This is specially handled and in this case, exp just becomes 0.)
2947         // Now we get 53bit precision random double value in [0, 1).
2948         LValue result = m_out.doubleMul(double53Integer, m_out.constDouble(scale));
2949
2950         setDouble(result);
2951     }
2952
2953     void compileArithRound()
2954     {
2955         if (m_node->child1().useKind() == DoubleRepUse) {
2956             LValue result = nullptr;
2957             if (producesInteger(m_node->arithRoundingMode()) && !shouldCheckNegativeZero(m_node->arithRoundingMode())) {
2958                 LValue value = lowDouble(m_node->child1());
2959                 result = m_out.doubleFloor(m_out.doubleAdd(value, m_out.constDouble(0.5)));
2960             } else {
2961                 LBasicBlock shouldRoundDown = m_out.newBlock();
2962                 LBasicBlock continuation = m_out.newBlock();
2963
2964                 LValue value = lowDouble(m_node->child1());
2965                 LValue integerValue = m_out.doubleCeil(value);
2966                 ValueFromBlock integerValueResult = m_out.anchor(integerValue);
2967
2968                 LValue ceilMinusHalf = m_out.doubleSub(integerValue, m_out.constDouble(0.5));
2969                 m_out.branch(m_out.doubleGreaterThanOrUnordered(ceilMinusHalf, value), unsure(shouldRoundDown), unsure(continuation));
2970
2971                 LBasicBlock lastNext = m_out.appendTo(shouldRoundDown, continuation);
2972                 LValue integerValueRoundedDown = m_out.doubleSub(integerValue, m_out.constDouble(1));
2973                 ValueFromBlock integerValueRoundedDownResult = m_out.anchor(integerValueRoundedDown);
2974                 m_out.jump(continuation);
2975                 m_out.appendTo(continuation, lastNext);
2976
2977                 result = m_out.phi(Double, integerValueResult, integerValueRoundedDownResult);
2978             }
2979
2980             if (producesInteger(m_node->arithRoundingMode())) {
2981                 LValue integerValue = convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode()));
2982                 setInt32(integerValue);
2983             } else
2984                 setDouble(result);
2985             return;
2986         }
2987
2988         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2989         LValue argument = lowJSValue(m_node->child1());
2990         setJSValue(vmCall(Int64, m_out.operation(operationArithRound), m_callFrame, argument));
2991     }
2992
2993     void compileArithFloor()
2994     {
2995         if (m_node->child1().useKind() == DoubleRepUse) {
2996             LValue value = lowDouble(m_node->child1());
2997             LValue integerValue = m_out.doubleFloor(value);
2998             if (producesInteger(m_node->arithRoundingMode()))
2999                 setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
3000             else
3001                 setDouble(integerValue);
3002             return;
3003         }
3004         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
3005         LValue argument = lowJSValue(m_node->child1());
3006         setJSValue(vmCall(Int64, m_out.operation(operationArithFloor), m_callFrame, argument));
3007     }
3008
3009     void compileArithCeil()
3010     {
3011         if (m_node->child1().useKind() == DoubleRepUse) {
3012             LValue value = lowDouble(m_node->child1());
3013             LValue integerValue = m_out.doubleCeil(value);
3014             if (producesInteger(m_node->arithRoundingMode()))
3015                 setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
3016             else
3017                 setDouble(integerValue);
3018             return;
3019         }
3020         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
3021         LValue argument = lowJSValue(m_node->child1());
3022         setJSValue(vmCall(Int64, m_out.operation(operationArithCeil), m_callFrame, argument));
3023     }
3024
3025     void compileArithTrunc()
3026     {
3027         if (m_node->child1().useKind() == DoubleRepUse) {
3028             LValue value = lowDouble(m_node->child1());
3029             LValue result = m_out.doubleTrunc(value);
3030             if (producesInteger(m_node->arithRoundingMode()))
3031                 setInt32(convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode())));
3032             else
3033                 setDouble(result);
3034             return;
3035         }
3036         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
3037         LValue argument = lowJSValue(m_node->child1());
3038         setJSValue(vmCall(Int64, m_out.operation(operationArithTrunc), m_callFrame, argument));
3039     }
3040
3041     void compileArithSqrt()
3042     {
3043         if (m_node->child1().useKind() == DoubleRepUse) {
3044             setDouble(m_out.doubleSqrt(lowDouble(m_node->child1())));
3045             return;
3046         }
3047         LValue argument = lowJSValue(m_node->child1());
3048         LValue result = vmCall(Double, m_out.operation(operationArithSqrt), m_callFrame, argument);
3049         setDouble(result);
3050     }
3051
3052     void compileArithFRound()
3053     {
3054         if (m_node->child1().useKind() == DoubleRepUse) {
3055             setDouble(m_out.fround(lowDouble(m_node->child1())));
3056             return;
3057         }
3058         LValue argument = lowJSValue(m_node->child1());
3059         LValue result = vmCall(Double, m_out.operation(operationArithFRound), m_callFrame, argument);
3060         setDouble(result);
3061     }
3062
3063     void compileValueNegate()
3064     {
3065         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse);
3066         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
3067         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
3068         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
3069         auto repatchingFunction = operationArithNegateOptimize;
3070         auto nonRepatchingFunction = operationArithNegate;
3071         compileUnaryMathIC<JITNegGenerator>(arithProfile, repatchingFunction, nonRepatchingFunction);
3072     }
3073
3074     void compileArithNegate()
3075     {
3076         switch (m_node->child1().useKind()) {
3077         case Int32Use: {
3078             LValue value = lowInt32(m_node->child1());
3079             
3080             LValue result;
3081             if (!shouldCheckOverflow(m_node->arithMode()))
3082                 result = m_out.neg(value);
3083             else if (!shouldCheckNegativeZero(m_node->arithMode())) {
3084                 CheckValue* check = m_out.speculateSub(m_out.int32Zero, value);
3085                 blessSpeculation(check, Overflow, noValue(), nullptr, m_origin);
3086                 result = check;
3087             } else {
3088                 speculate(Overflow, noValue(), 0, m_out.testIsZero32(value, m_out.constInt32(0x7fffffff)));
3089                 result = m_out.neg(value);
3090             }
3091
3092             setInt32(result);
3093             break;
3094         }
3095             
3096         case Int52RepUse: {
3097             if (!abstractValue(m_node->child1()).couldBeType(SpecNonInt32AsInt52)) {
3098                 Int52Kind kind;
3099                 LValue value = lowWhicheverInt52(m_node->child1(), kind);
3100                 LValue result = m_out.neg(value);
3101                 if (shouldCheckNegativeZero(m_node->arithMode()))
3102                     speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
3103                 setInt52(result, kind);
3104                 break;
3105             }
3106             
3107             LValue value = lowInt52(m_node->child1());
3108             CheckValue* result = m_out.speculateSub(m_out.int64Zero, value);
3109             blessSpeculation(result, Int52Overflow, noValue(), nullptr, m_origin);
3110             if (shouldCheckNegativeZero(m_node->arithMode()))
3111                 speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
3112             setInt52(result);
3113             break;
3114         }
3115             
3116         case DoubleRepUse: {
3117             setDouble(m_out.doubleNeg(lowDouble(m_node->child1())));
3118             break;
3119         }
3120             
3121         default:
3122             DFG_CRASH(m_graph, m_node, "Bad use kind");
3123             break;
3124         }
3125     }
3126     
3127     void compileValueBitNot()
3128     {
3129         if (m_node->child1().useKind() == BigIntUse) {
3130             LValue operand = lowBigInt(m_node->child1());
3131             LValue result = vmCall(pointerType(), m_out.operation(operationBitNotBigInt), m_callFrame, operand);
3132             setJSValue(result);
3133             return;
3134         }
3135
3136         LValue operand = lowJSValue(m_node->child1());
3137         LValue result = vmCall(Int64, m_out.operation(operationValueBitNot), m_callFrame, operand);
3138         setJSValue(result);