Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
[WebKit-https.git] / Source / JavaScriptCore / ftl / FTLLowerDFGToB3.cpp
1 /*
2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "FTLLowerDFGToB3.h"
28
29 #if ENABLE(FTL_JIT)
30
31 #include "AirCode.h"
32 #include "AirGenerationContext.h"
33 #include "AllowMacroScratchRegisterUsage.h"
34 #include "AllowMacroScratchRegisterUsageIf.h"
35 #include "AtomicsObject.h"
36 #include "B3CheckValue.h"
37 #include "B3FenceValue.h"
38 #include "B3PatchpointValue.h"
39 #include "B3SlotBaseValue.h"
40 #include "B3StackmapGenerationParams.h"
41 #include "B3ValueInlines.h"
42 #include "CallFrameShuffler.h"
43 #include "CodeBlockWithJITType.h"
44 #include "DFGAbstractInterpreterInlines.h"
45 #include "DFGCapabilities.h"
46 #include "DFGDoesGC.h"
47 #include "DFGDominators.h"
48 #include "DFGInPlaceAbstractState.h"
49 #include "DFGMayExit.h"
50 #include "DFGOSRAvailabilityAnalysisPhase.h"
51 #include "DFGOSRExitFuzz.h"
52 #include "DirectArguments.h"
53 #include "FTLAbstractHeapRepository.h"
54 #include "FTLAvailableRecovery.h"
55 #include "FTLExceptionTarget.h"
56 #include "FTLForOSREntryJITCode.h"
57 #include "FTLFormattedValue.h"
58 #include "FTLLazySlowPathCall.h"
59 #include "FTLLoweredNodeValue.h"
60 #include "FTLOperations.h"
61 #include "FTLOutput.h"
62 #include "FTLPatchpointExceptionHandle.h"
63 #include "FTLSnippetParams.h"
64 #include "FTLThunks.h"
65 #include "FTLWeightedTarget.h"
66 #include "JITAddGenerator.h"
67 #include "JITBitAndGenerator.h"
68 #include "JITBitOrGenerator.h"
69 #include "JITBitXorGenerator.h"
70 #include "JITDivGenerator.h"
71 #include "JITInlineCacheGenerator.h"
72 #include "JITLeftShiftGenerator.h"
73 #include "JITMathIC.h"
74 #include "JITMulGenerator.h"
75 #include "JITRightShiftGenerator.h"
76 #include "JITSubGenerator.h"
77 #include "JSAsyncFunction.h"
78 #include "JSAsyncGeneratorFunction.h"
79 #include "JSCInlines.h"
80 #include "JSGeneratorFunction.h"
81 #include "JSImmutableButterfly.h"
82 #include "JSLexicalEnvironment.h"
83 #include "JSMap.h"
84 #include "OperandsInlines.h"
85 #include "RegExpObject.h"
86 #include "ScopedArguments.h"
87 #include "ScopedArgumentsTable.h"
88 #include "ScratchRegisterAllocator.h"
89 #include "SetupVarargsFrame.h"
90 #include "ShadowChicken.h"
91 #include "StructureStubInfo.h"
92 #include "SuperSampler.h"
93 #include "ThunkGenerators.h"
94 #include "VirtualRegister.h"
95 #include "Watchdog.h"
96 #include <atomic>
97 #include <wtf/Box.h>
98 #include <wtf/Gigacage.h>
99 #include <wtf/RecursableLambda.h>
100 #include <wtf/StdUnorderedSet.h>
101
102 #undef RELEASE_ASSERT
103 #define RELEASE_ASSERT(assertion) do { \
104     if (!(assertion)) { \
105         WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, #assertion); \
106         CRASH(); \
107     } \
108 } while (0)
109
110 namespace JSC { namespace FTL {
111
112 using namespace B3;
113 using namespace DFG;
114
115 namespace {
116
117 std::atomic<int> compileCounter;
118
119 #if !ASSERT_DISABLED
120 NO_RETURN_DUE_TO_CRASH static void ftlUnreachable(
121     CodeBlock* codeBlock, BlockIndex blockIndex, unsigned nodeIndex)
122 {
123     dataLog("Crashing in thought-to-be-unreachable FTL-generated code for ", pointerDump(codeBlock), " at basic block #", blockIndex);
124     if (nodeIndex != UINT_MAX)
125         dataLog(", node @", nodeIndex);
126     dataLog(".\n");
127     CRASH();
128 }
129 #endif
130
131 // Using this instead of typeCheck() helps to reduce the load on B3, by creating
132 // significantly less dead code.
133 #define FTL_TYPE_CHECK_WITH_EXIT_KIND(exitKind, lowValue, highValue, typesPassedThrough, failCondition) do { \
134         FormattedValue _ftc_lowValue = (lowValue);                      \
135         Edge _ftc_highValue = (highValue);                              \
136         SpeculatedType _ftc_typesPassedThrough = (typesPassedThrough);  \
137         if (!m_interpreter.needsTypeCheck(_ftc_highValue, _ftc_typesPassedThrough)) \
138             break;                                                      \
139         typeCheck(_ftc_lowValue, _ftc_highValue, _ftc_typesPassedThrough, (failCondition), exitKind); \
140     } while (false)
141
142 #define FTL_TYPE_CHECK(lowValue, highValue, typesPassedThrough, failCondition) \
143     FTL_TYPE_CHECK_WITH_EXIT_KIND(BadType, lowValue, highValue, typesPassedThrough, failCondition)
144
145 class LowerDFGToB3 {
146     WTF_MAKE_NONCOPYABLE(LowerDFGToB3);
147 public:
148     LowerDFGToB3(State& state)
149         : m_graph(state.graph)
150         , m_ftlState(state)
151         , m_out(state)
152         , m_proc(*state.proc)
153         , m_availabilityCalculator(m_graph)
154         , m_state(state.graph)
155         , m_interpreter(state.graph, m_state)
156         , m_indexMaskingMode(Options::enableSpectreMitigations() ?  IndexMaskingEnabled : IndexMaskingDisabled)
157     {
158     }
159     
160     void lower()
161     {
162         State* state = &m_ftlState;
163         
164         CString name;
165         if (verboseCompilationEnabled()) {
166             name = toCString(
167                 "jsBody_", ++compileCounter, "_", codeBlock()->inferredName(),
168                 "_", codeBlock()->hash());
169         } else
170             name = "jsBody";
171
172         {
173             m_proc.setNumEntrypoints(m_graph.m_numberOfEntrypoints);
174             CodeBlock* codeBlock = m_graph.m_codeBlock;
175
176             Ref<B3::Air::PrologueGenerator> catchPrologueGenerator = createSharedTask<B3::Air::PrologueGeneratorFunction>(
177                 [codeBlock] (CCallHelpers& jit, B3::Air::Code& code) {
178                     AllowMacroScratchRegisterUsage allowScratch(jit);
179                     jit.addPtr(CCallHelpers::TrustedImm32(-code.frameSize()), GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister);
180                     if (Options::zeroStackFrame())
181                         jit.clearStackFrame(GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister, GPRInfo::regT0, code.frameSize());
182
183                     jit.emitSave(code.calleeSaveRegisterAtOffsetList());
184                     jit.emitPutToCallFrameHeader(codeBlock, CallFrameSlot::codeBlock);
185                 });
186
187             for (unsigned catchEntrypointIndex : m_graph.m_entrypointIndexToCatchBytecodeOffset.keys()) {
188                 RELEASE_ASSERT(catchEntrypointIndex != 0);
189                 m_proc.code().setPrologueForEntrypoint(catchEntrypointIndex, catchPrologueGenerator.copyRef());
190             }
191
192             if (m_graph.m_maxLocalsForCatchOSREntry) {
193                 uint32_t numberOfLiveLocals = std::max(*m_graph.m_maxLocalsForCatchOSREntry, 1u); // Make sure we always allocate a non-null catchOSREntryBuffer.
194                 m_ftlState.jitCode->common.catchOSREntryBuffer = m_graph.m_vm.scratchBufferForSize(sizeof(JSValue) * numberOfLiveLocals);
195             }
196         }
197         
198         m_graph.ensureSSADominators();
199
200         if (verboseCompilationEnabled())
201             dataLog("Function ready, beginning lowering.\n");
202
203         m_out.initialize(m_heaps);
204
205         // We use prologue frequency for all of the initialization code.
206         m_out.setFrequency(1);
207         
208         bool hasMultipleEntrypoints = m_graph.m_numberOfEntrypoints > 1;
209     
210         LBasicBlock prologue = m_out.newBlock();
211         LBasicBlock callEntrypointArgumentSpeculations = hasMultipleEntrypoints ? m_out.newBlock() : nullptr;
212         m_handleExceptions = m_out.newBlock();
213
214         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
215             m_highBlock = m_graph.block(blockIndex);
216             if (!m_highBlock)
217                 continue;
218             m_out.setFrequency(m_highBlock->executionCount);
219             m_blocks.add(m_highBlock, m_out.newBlock());
220         }
221
222         // Back to prologue frequency for any bocks that get sneakily created in the initialization code.
223         m_out.setFrequency(1);
224         
225         m_out.appendTo(prologue, hasMultipleEntrypoints ? callEntrypointArgumentSpeculations : m_handleExceptions);
226         m_out.initializeConstants(m_proc, prologue);
227         createPhiVariables();
228
229         size_t sizeOfCaptured = sizeof(JSValue) * m_graph.m_nextMachineLocal;
230         B3::SlotBaseValue* capturedBase = m_out.lockedStackSlot(sizeOfCaptured);
231         m_captured = m_out.add(capturedBase, m_out.constIntPtr(sizeOfCaptured));
232         state->capturedValue = capturedBase->slot();
233
234         auto preOrder = m_graph.blocksInPreOrder();
235
236         m_callFrame = m_out.framePointer();
237         m_tagTypeNumber = m_out.constInt64(TagTypeNumber);
238         m_tagMask = m_out.constInt64(TagMask);
239
240         // Make sure that B3 knows that we really care about the mask registers. This forces the
241         // constants to be materialized in registers.
242         m_proc.addFastConstant(m_tagTypeNumber->key());
243         m_proc.addFastConstant(m_tagMask->key());
244         
245         // We don't want the CodeBlock to have a weak pointer to itself because
246         // that would cause it to always get collected.
247         m_out.storePtr(m_out.constIntPtr(bitwise_cast<intptr_t>(codeBlock())), addressFor(CallFrameSlot::codeBlock));
248
249         VM* vm = &this->vm();
250
251         // Stack Overflow Check.
252         unsigned exitFrameSize = m_graph.requiredRegisterCountForExit() * sizeof(Register);
253         MacroAssembler::AbsoluteAddress addressOfStackLimit(vm->addressOfSoftStackLimit());
254         PatchpointValue* stackOverflowHandler = m_out.patchpoint(Void);
255         CallSiteIndex callSiteIndex = callSiteIndexForCodeOrigin(m_ftlState, CodeOrigin(0));
256         stackOverflowHandler->appendSomeRegister(m_callFrame);
257         stackOverflowHandler->clobber(RegisterSet::macroScratchRegisters());
258         stackOverflowHandler->numGPScratchRegisters = 1;
259         stackOverflowHandler->setGenerator(
260             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
261                 AllowMacroScratchRegisterUsage allowScratch(jit);
262                 GPRReg fp = params[0].gpr();
263                 GPRReg scratch = params.gpScratch(0);
264
265                 unsigned ftlFrameSize = params.proc().frameSize();
266                 unsigned maxFrameSize = std::max(exitFrameSize, ftlFrameSize);
267
268                 jit.addPtr(MacroAssembler::TrustedImm32(-maxFrameSize), fp, scratch);
269                 MacroAssembler::JumpList stackOverflow;
270                 if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
271                     stackOverflow.append(jit.branchPtr(MacroAssembler::Above, scratch, fp));
272                 stackOverflow.append(jit.branchPtr(MacroAssembler::Above, addressOfStackLimit, scratch));
273
274                 params.addLatePath([=] (CCallHelpers& jit) {
275                     AllowMacroScratchRegisterUsage allowScratch(jit);
276
277                     stackOverflow.link(&jit);
278                     
279                     // FIXME: We would not have to do this if the stack check was part of the Air
280                     // prologue. Then, we would know that there is no way for the callee-saves to
281                     // get clobbered.
282                     // https://bugs.webkit.org/show_bug.cgi?id=172456
283                     jit.emitRestore(params.proc().calleeSaveRegisterAtOffsetList());
284                     
285                     jit.store32(
286                         MacroAssembler::TrustedImm32(callSiteIndex.bits()),
287                         CCallHelpers::tagFor(VirtualRegister(CallFrameSlot::argumentCount)));
288                     jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(vm->topEntryFrame);
289
290                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
291                     jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()), GPRInfo::argumentGPR1);
292                     CCallHelpers::Call throwCall = jit.call(OperationPtrTag);
293
294                     jit.move(CCallHelpers::TrustedImmPtr(vm), GPRInfo::argumentGPR0);
295                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
296                     CCallHelpers::Call lookupExceptionHandlerCall = jit.call(OperationPtrTag);
297                     jit.jumpToExceptionHandler(*vm);
298
299                     jit.addLinkTask(
300                         [=] (LinkBuffer& linkBuffer) {
301                             linkBuffer.link(throwCall, FunctionPtr<OperationPtrTag>(operationThrowStackOverflowError));
302                             linkBuffer.link(lookupExceptionHandlerCall, FunctionPtr<OperationPtrTag>(lookupExceptionHandlerFromCallerFrame));
303                     });
304                 });
305             });
306
307         LBasicBlock firstDFGBasicBlock = lowBlock(m_graph.block(0));
308
309         {
310             if (hasMultipleEntrypoints) {
311                 Vector<LBasicBlock> successors(m_graph.m_numberOfEntrypoints);
312                 successors[0] = callEntrypointArgumentSpeculations;
313                 for (unsigned i = 1; i < m_graph.m_numberOfEntrypoints; ++i) {
314                     // Currently, the only other entrypoint is an op_catch entrypoint.
315                     // We do OSR entry at op_catch, and we prove argument formats before
316                     // jumping to FTL code, so we don't need to check argument types here
317                     // for these entrypoints.
318                     successors[i] = firstDFGBasicBlock;
319                 }
320                 
321                 m_out.entrySwitch(successors);
322                 m_out.appendTo(callEntrypointArgumentSpeculations, m_handleExceptions);
323             }
324
325             m_node = nullptr;
326             m_origin = NodeOrigin(CodeOrigin(0), CodeOrigin(0), true);
327
328             // Check Arguments.
329             availabilityMap().clear();
330             availabilityMap().m_locals = Operands<Availability>(codeBlock()->numParameters(), 0);
331             for (unsigned i = codeBlock()->numParameters(); i--;) {
332                 availabilityMap().m_locals.argument(i) =
333                     Availability(FlushedAt(FlushedJSValue, virtualRegisterForArgument(i)));
334             }
335
336             for (unsigned i = codeBlock()->numParameters(); i--;) {
337                 MethodOfGettingAValueProfile profile(&m_graph.m_profiledBlock->valueProfileForArgument(i));
338                 VirtualRegister operand = virtualRegisterForArgument(i);
339                 LValue jsValue = m_out.load64(addressFor(operand));
340                 
341                 switch (m_graph.m_argumentFormats[0][i]) {
342                 case FlushedInt32:
343                     speculate(BadType, jsValueValue(jsValue), profile, isNotInt32(jsValue));
344                     break;
345                 case FlushedBoolean:
346                     speculate(BadType, jsValueValue(jsValue), profile, isNotBoolean(jsValue));
347                     break;
348                 case FlushedCell:
349                     speculate(BadType, jsValueValue(jsValue), profile, isNotCell(jsValue));
350                     break;
351                 case FlushedJSValue:
352                     break;
353                 default:
354                     DFG_CRASH(m_graph, nullptr, "Bad flush format for argument");
355                     break;
356                 }
357             }
358             m_out.jump(firstDFGBasicBlock);
359         }
360
361
362         m_out.appendTo(m_handleExceptions, firstDFGBasicBlock);
363         Box<CCallHelpers::Label> exceptionHandler = state->exceptionHandler;
364         m_out.patchpoint(Void)->setGenerator(
365             [=] (CCallHelpers& jit, const StackmapGenerationParams&) {
366                 CCallHelpers::Jump jump = jit.jump();
367                 jit.addLinkTask(
368                     [=] (LinkBuffer& linkBuffer) {
369                         linkBuffer.link(jump, linkBuffer.locationOf<ExceptionHandlerPtrTag>(*exceptionHandler));
370                     });
371             });
372         m_out.unreachable();
373
374         for (DFG::BasicBlock* block : preOrder)
375             compileBlock(block);
376
377         // Make sure everything is decorated. This does a bunch of deferred decorating. This has
378         // to happen last because our abstract heaps are generated lazily. They have to be
379         // generated lazily because we have an infinite number of numbered, indexed, and
380         // absolute heaps. We only become aware of the ones we actually mention while lowering.
381         m_heaps.computeRangesAndDecorateInstructions();
382
383         // We create all Phi's up front, but we may then decide not to compile the basic block
384         // that would have contained one of them. So this creates orphans, which triggers B3
385         // validation failures. Calling this fixes the issue.
386         //
387         // Note that you should avoid the temptation to make this call conditional upon
388         // validation being enabled. B3 makes no guarantees of any kind of correctness when
389         // dealing with IR that would have failed validation. For example, it would be valid to
390         // write a B3 phase that so aggressively assumes the lack of orphans that it would crash
391         // if any orphans were around. We might even have such phases already.
392         m_proc.deleteOrphans();
393
394         // We put the blocks into the B3 procedure in a super weird order. Now we reorder them.
395         m_out.applyBlockOrder();
396     }
397
398 private:
399     
400     void createPhiVariables()
401     {
402         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
403             DFG::BasicBlock* block = m_graph.block(blockIndex);
404             if (!block)
405                 continue;
406             for (unsigned nodeIndex = block->size(); nodeIndex--;) {
407                 Node* node = block->at(nodeIndex);
408                 if (node->op() != DFG::Phi)
409                     continue;
410                 LType type;
411                 switch (node->flags() & NodeResultMask) {
412                 case NodeResultDouble:
413                     type = Double;
414                     break;
415                 case NodeResultInt32:
416                     type = Int32;
417                     break;
418                 case NodeResultInt52:
419                     type = Int64;
420                     break;
421                 case NodeResultBoolean:
422                     type = Int32;
423                     break;
424                 case NodeResultJS:
425                     type = Int64;
426                     break;
427                 default:
428                     DFG_CRASH(m_graph, node, "Bad Phi node result type");
429                     break;
430                 }
431                 m_phis.add(node, m_proc.add<Value>(B3::Phi, type, Origin(node)));
432             }
433         }
434     }
435     
436     void compileBlock(DFG::BasicBlock* block)
437     {
438         if (!block)
439             return;
440         
441         if (verboseCompilationEnabled())
442             dataLog("Compiling block ", *block, "\n");
443         
444         m_highBlock = block;
445         
446         // Make sure that any blocks created while lowering code in the high block have the frequency of
447         // the high block. This is appropriate because B3 doesn't need precise frequencies. It just needs
448         // something roughly approximate for things like register allocation.
449         m_out.setFrequency(m_highBlock->executionCount);
450         
451         LBasicBlock lowBlock = m_blocks.get(m_highBlock);
452         
453         m_nextHighBlock = 0;
454         for (BlockIndex nextBlockIndex = m_highBlock->index + 1; nextBlockIndex < m_graph.numBlocks(); ++nextBlockIndex) {
455             m_nextHighBlock = m_graph.block(nextBlockIndex);
456             if (m_nextHighBlock)
457                 break;
458         }
459         m_nextLowBlock = m_nextHighBlock ? m_blocks.get(m_nextHighBlock) : 0;
460         
461         // All of this effort to find the next block gives us the ability to keep the
462         // generated IR in roughly program order. This ought not affect the performance
463         // of the generated code (since we expect B3 to reorder things) but it will
464         // make IR dumps easier to read.
465         m_out.appendTo(lowBlock, m_nextLowBlock);
466         
467         if (Options::ftlCrashes())
468             m_out.trap();
469         
470         if (!m_highBlock->cfaHasVisited) {
471             if (verboseCompilationEnabled())
472                 dataLog("Bailing because CFA didn't reach.\n");
473             crash(m_highBlock, nullptr);
474             return;
475         }
476         
477         m_availabilityCalculator.beginBlock(m_highBlock);
478         
479         m_state.reset();
480         m_state.beginBasicBlock(m_highBlock);
481         
482         for (m_nodeIndex = 0; m_nodeIndex < m_highBlock->size(); ++m_nodeIndex) {
483             if (!compileNode(m_nodeIndex))
484                 break;
485         }
486     }
487
488     void safelyInvalidateAfterTermination()
489     {
490         if (verboseCompilationEnabled())
491             dataLog("Bailing.\n");
492         crash();
493
494         // Invalidate dominated blocks. Under normal circumstances we would expect
495         // them to be invalidated already. But you can have the CFA become more
496         // precise over time because the structures of objects change on the main
497         // thread. Failing to do this would result in weird crashes due to a value
498         // being used but not defined. Race conditions FTW!
499         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
500             DFG::BasicBlock* target = m_graph.block(blockIndex);
501             if (!target)
502                 continue;
503             if (m_graph.m_ssaDominators->dominates(m_highBlock, target)) {
504                 if (verboseCompilationEnabled())
505                     dataLog("Block ", *target, " will bail also.\n");
506                 target->cfaHasVisited = false;
507             }
508         }
509     }
510
511     bool compileNode(unsigned nodeIndex)
512     {
513         if (!m_state.isValid()) {
514             safelyInvalidateAfterTermination();
515             return false;
516         }
517         
518         m_node = m_highBlock->at(nodeIndex);
519         m_origin = m_node->origin;
520         m_out.setOrigin(m_node);
521         
522         if (verboseCompilationEnabled())
523             dataLog("Lowering ", m_node, "\n");
524         
525         m_availableRecoveries.shrink(0);
526         
527         m_interpreter.startExecuting();
528         m_interpreter.executeKnownEdgeTypes(m_node);
529
530         if (validateDFGDoesGC) {
531             bool expectDoesGC = doesGC(m_graph, m_node);
532             m_out.store(m_out.constBool(expectDoesGC), m_out.absolute(vm().heap.addressOfExpectDoesGC()));
533         }
534
535         switch (m_node->op()) {
536         case DFG::Upsilon:
537             compileUpsilon();
538             break;
539         case DFG::Phi:
540             compilePhi();
541             break;
542         case JSConstant:
543             break;
544         case DoubleConstant:
545             compileDoubleConstant();
546             break;
547         case Int52Constant:
548             compileInt52Constant();
549             break;
550         case LazyJSConstant:
551             compileLazyJSConstant();
552             break;
553         case DoubleRep:
554             compileDoubleRep();
555             break;
556         case DoubleAsInt32:
557             compileDoubleAsInt32();
558             break;
559         case DFG::ValueRep:
560             compileValueRep();
561             break;
562         case Int52Rep:
563             compileInt52Rep();
564             break;
565         case ValueToInt32:
566             compileValueToInt32();
567             break;
568         case BooleanToNumber:
569             compileBooleanToNumber();
570             break;
571         case ExtractOSREntryLocal:
572             compileExtractOSREntryLocal();
573             break;
574         case ExtractCatchLocal:
575             compileExtractCatchLocal();
576             break;
577         case ClearCatchLocals:
578             compileClearCatchLocals();
579             break;
580         case GetStack:
581             compileGetStack();
582             break;
583         case PutStack:
584             compilePutStack();
585             break;
586         case DFG::Check:
587         case CheckVarargs:
588             compileNoOp();
589             break;
590         case ToObject:
591         case CallObjectConstructor:
592             compileToObjectOrCallObjectConstructor();
593             break;
594         case ToThis:
595             compileToThis();
596             break;
597         case ValueNegate:
598             compileValueNegate();
599             break;
600         case ValueAdd:
601             compileValueAdd();
602             break;
603         case ValueSub:
604             compileValueSub();
605             break;
606         case ValueMul:
607             compileValueMul();
608             break;
609         case StrCat:
610             compileStrCat();
611             break;
612         case ArithAdd:
613         case ArithSub:
614             compileArithAddOrSub();
615             break;
616         case ArithClz32:
617             compileArithClz32();
618             break;
619         case ArithMul:
620             compileArithMul();
621             break;
622         case ValueDiv:
623             compileValueDiv();
624             break;
625         case ArithDiv:
626             compileArithDiv();
627             break;
628         case ArithMod:
629             compileArithMod();
630             break;
631         case ArithMin:
632         case ArithMax:
633             compileArithMinOrMax();
634             break;
635         case ArithAbs:
636             compileArithAbs();
637             break;
638         case ArithPow:
639             compileArithPow();
640             break;
641         case ArithRandom:
642             compileArithRandom();
643             break;
644         case ArithRound:
645             compileArithRound();
646             break;
647         case ArithFloor:
648             compileArithFloor();
649             break;
650         case ArithCeil:
651             compileArithCeil();
652             break;
653         case ArithTrunc:
654             compileArithTrunc();
655             break;
656         case ArithSqrt:
657             compileArithSqrt();
658             break;
659         case ArithFRound:
660             compileArithFRound();
661             break;
662         case ArithNegate:
663             compileArithNegate();
664             break;
665         case ArithUnary:
666             compileArithUnary();
667             break;
668         case ValueBitNot:
669             compileValueBitNot();
670             break;
671         case ArithBitNot:
672             compileArithBitNot();
673             break;
674         case ValueBitAnd:
675             compileValueBitAnd();
676             break;
677         case ArithBitAnd:
678             compileArithBitAnd();
679             break;
680         case ValueBitOr:
681             compileValueBitOr();
682             break;
683         case ArithBitOr:
684             compileArithBitOr();
685             break;
686         case ArithBitXor:
687             compileArithBitXor();
688             break;
689         case ValueBitXor:
690             compileValueBitXor();
691             break;
692         case BitRShift:
693             compileBitRShift();
694             break;
695         case BitLShift:
696             compileBitLShift();
697             break;
698         case BitURShift:
699             compileBitURShift();
700             break;
701         case UInt32ToNumber:
702             compileUInt32ToNumber();
703             break;
704         case CheckStructure:
705             compileCheckStructure();
706             break;
707         case CheckStructureOrEmpty:
708             compileCheckStructureOrEmpty();
709             break;
710         case CheckCell:
711             compileCheckCell();
712             break;
713         case CheckNotEmpty:
714             compileCheckNotEmpty();
715             break;
716         case AssertNotEmpty:
717             compileAssertNotEmpty();
718             break;
719         case CheckBadCell:
720             compileCheckBadCell();
721             break;
722         case CheckStringIdent:
723             compileCheckStringIdent();
724             break;
725         case GetExecutable:
726             compileGetExecutable();
727             break;
728         case Arrayify:
729         case ArrayifyToStructure:
730             compileArrayify();
731             break;
732         case PutStructure:
733             compilePutStructure();
734             break;
735         case TryGetById:
736             compileGetById(AccessType::TryGet);
737             break;
738         case GetById:
739         case GetByIdFlush:
740             compileGetById(AccessType::Get);
741             break;
742         case GetByIdWithThis:
743             compileGetByIdWithThis();
744             break;
745         case GetByIdDirect:
746         case GetByIdDirectFlush:
747             compileGetById(AccessType::GetDirect);
748             break;
749         case InById:
750             compileInById();
751             break;
752         case InByVal:
753             compileInByVal();
754             break;
755         case HasOwnProperty:
756             compileHasOwnProperty();
757             break;
758         case PutById:
759         case PutByIdDirect:
760         case PutByIdFlush:
761             compilePutById();
762             break;
763         case PutByIdWithThis:
764             compilePutByIdWithThis();
765             break;
766         case PutGetterById:
767         case PutSetterById:
768             compilePutAccessorById();
769             break;
770         case PutGetterSetterById:
771             compilePutGetterSetterById();
772             break;
773         case PutGetterByVal:
774         case PutSetterByVal:
775             compilePutAccessorByVal();
776             break;
777         case DeleteById:
778             compileDeleteById();
779             break;
780         case DeleteByVal:
781             compileDeleteByVal();
782             break;
783         case GetButterfly:
784             compileGetButterfly();
785             break;
786         case ConstantStoragePointer:
787             compileConstantStoragePointer();
788             break;
789         case GetIndexedPropertyStorage:
790             compileGetIndexedPropertyStorage();
791             break;
792         case CheckArray:
793             compileCheckArray();
794             break;
795         case GetArrayLength:
796             compileGetArrayLength();
797             break;
798         case GetVectorLength:
799             compileGetVectorLength();
800             break;
801         case CheckInBounds:
802             compileCheckInBounds();
803             break;
804         case GetByVal:
805             compileGetByVal();
806             break;
807         case GetMyArgumentByVal:
808         case GetMyArgumentByValOutOfBounds:
809             compileGetMyArgumentByVal();
810             break;
811         case GetByValWithThis:
812             compileGetByValWithThis();
813             break;
814         case PutByVal:
815         case PutByValAlias:
816         case PutByValDirect:
817             compilePutByVal();
818             break;
819         case PutByValWithThis:
820             compilePutByValWithThis();
821             break;
822         case AtomicsAdd:
823         case AtomicsAnd:
824         case AtomicsCompareExchange:
825         case AtomicsExchange:
826         case AtomicsLoad:
827         case AtomicsOr:
828         case AtomicsStore:
829         case AtomicsSub:
830         case AtomicsXor:
831             compileAtomicsReadModifyWrite();
832             break;
833         case AtomicsIsLockFree:
834             compileAtomicsIsLockFree();
835             break;
836         case DefineDataProperty:
837             compileDefineDataProperty();
838             break;
839         case DefineAccessorProperty:
840             compileDefineAccessorProperty();
841             break;
842         case ArrayPush:
843             compileArrayPush();
844             break;
845         case ArrayPop:
846             compileArrayPop();
847             break;
848         case ArraySlice:
849             compileArraySlice();
850             break;
851         case ArrayIndexOf:
852             compileArrayIndexOf();
853             break;
854         case CreateActivation:
855             compileCreateActivation();
856             break;
857         case PushWithScope:
858             compilePushWithScope();
859             break;
860         case NewFunction:
861         case NewGeneratorFunction:
862         case NewAsyncGeneratorFunction:
863         case NewAsyncFunction:
864             compileNewFunction();
865             break;
866         case CreateDirectArguments:
867             compileCreateDirectArguments();
868             break;
869         case CreateScopedArguments:
870             compileCreateScopedArguments();
871             break;
872         case CreateClonedArguments:
873             compileCreateClonedArguments();
874             break;
875         case ObjectCreate:
876             compileObjectCreate();
877             break;
878         case ObjectKeys:
879             compileObjectKeys();
880             break;
881         case NewObject:
882             compileNewObject();
883             break;
884         case NewStringObject:
885             compileNewStringObject();
886             break;
887         case NewSymbol:
888             compileNewSymbol();
889             break;
890         case NewArray:
891             compileNewArray();
892             break;
893         case NewArrayWithSpread:
894             compileNewArrayWithSpread();
895             break;
896         case CreateThis:
897             compileCreateThis();
898             break;
899         case Spread:
900             compileSpread();
901             break;
902         case NewArrayBuffer:
903             compileNewArrayBuffer();
904             break;
905         case NewArrayWithSize:
906             compileNewArrayWithSize();
907             break;
908         case NewTypedArray:
909             compileNewTypedArray();
910             break;
911         case GetTypedArrayByteOffset:
912             compileGetTypedArrayByteOffset();
913             break;
914         case GetPrototypeOf:
915             compileGetPrototypeOf();
916             break;
917         case AllocatePropertyStorage:
918             compileAllocatePropertyStorage();
919             break;
920         case ReallocatePropertyStorage:
921             compileReallocatePropertyStorage();
922             break;
923         case NukeStructureAndSetButterfly:
924             compileNukeStructureAndSetButterfly();
925             break;
926         case ToNumber:
927             compileToNumber();
928             break;
929         case ToString:
930         case CallStringConstructor:
931         case StringValueOf:
932             compileToStringOrCallStringConstructorOrStringValueOf();
933             break;
934         case ToPrimitive:
935             compileToPrimitive();
936             break;
937         case MakeRope:
938             compileMakeRope();
939             break;
940         case StringCharAt:
941             compileStringCharAt();
942             break;
943         case StringCharCodeAt:
944             compileStringCharCodeAt();
945             break;
946         case StringFromCharCode:
947             compileStringFromCharCode();
948             break;
949         case GetByOffset:
950         case GetGetterSetterByOffset:
951             compileGetByOffset();
952             break;
953         case GetGetter:
954             compileGetGetter();
955             break;
956         case GetSetter:
957             compileGetSetter();
958             break;
959         case MultiGetByOffset:
960             compileMultiGetByOffset();
961             break;
962         case PutByOffset:
963             compilePutByOffset();
964             break;
965         case MultiPutByOffset:
966             compileMultiPutByOffset();
967             break;
968         case MatchStructure:
969             compileMatchStructure();
970             break;
971         case GetGlobalVar:
972         case GetGlobalLexicalVariable:
973             compileGetGlobalVariable();
974             break;
975         case PutGlobalVariable:
976             compilePutGlobalVariable();
977             break;
978         case NotifyWrite:
979             compileNotifyWrite();
980             break;
981         case GetCallee:
982             compileGetCallee();
983             break;
984         case SetCallee:
985             compileSetCallee();
986             break;
987         case GetArgumentCountIncludingThis:
988             compileGetArgumentCountIncludingThis();
989             break;
990         case SetArgumentCountIncludingThis:
991             compileSetArgumentCountIncludingThis();
992             break;
993         case GetScope:
994             compileGetScope();
995             break;
996         case SkipScope:
997             compileSkipScope();
998             break;
999         case GetGlobalObject:
1000             compileGetGlobalObject();
1001             break;
1002         case GetGlobalThis:
1003             compileGetGlobalThis();
1004             break;
1005         case GetClosureVar:
1006             compileGetClosureVar();
1007             break;
1008         case PutClosureVar:
1009             compilePutClosureVar();
1010             break;
1011         case GetFromArguments:
1012             compileGetFromArguments();
1013             break;
1014         case PutToArguments:
1015             compilePutToArguments();
1016             break;
1017         case GetArgument:
1018             compileGetArgument();
1019             break;
1020         case CompareEq:
1021             compileCompareEq();
1022             break;
1023         case CompareStrictEq:
1024             compileCompareStrictEq();
1025             break;
1026         case CompareLess:
1027             compileCompareLess();
1028             break;
1029         case CompareLessEq:
1030             compileCompareLessEq();
1031             break;
1032         case CompareGreater:
1033             compileCompareGreater();
1034             break;
1035         case CompareGreaterEq:
1036             compileCompareGreaterEq();
1037             break;
1038         case CompareBelow:
1039             compileCompareBelow();
1040             break;
1041         case CompareBelowEq:
1042             compileCompareBelowEq();
1043             break;
1044         case CompareEqPtr:
1045             compileCompareEqPtr();
1046             break;
1047         case SameValue:
1048             compileSameValue();
1049             break;
1050         case LogicalNot:
1051             compileLogicalNot();
1052             break;
1053         case Call:
1054         case TailCallInlinedCaller:
1055         case Construct:
1056             compileCallOrConstruct();
1057             break;
1058         case DirectCall:
1059         case DirectTailCallInlinedCaller:
1060         case DirectConstruct:
1061         case DirectTailCall:
1062             compileDirectCallOrConstruct();
1063             break;
1064         case TailCall:
1065             compileTailCall();
1066             break;
1067         case CallVarargs:
1068         case CallForwardVarargs:
1069         case TailCallVarargs:
1070         case TailCallVarargsInlinedCaller:
1071         case TailCallForwardVarargs:
1072         case TailCallForwardVarargsInlinedCaller:
1073         case ConstructVarargs:
1074         case ConstructForwardVarargs:
1075             compileCallOrConstructVarargs();
1076             break;
1077         case CallEval:
1078             compileCallEval();
1079             break;
1080         case LoadVarargs:
1081             compileLoadVarargs();
1082             break;
1083         case ForwardVarargs:
1084             compileForwardVarargs();
1085             break;
1086         case DFG::Jump:
1087             compileJump();
1088             break;
1089         case DFG::Branch:
1090             compileBranch();
1091             break;
1092         case DFG::Switch:
1093             compileSwitch();
1094             break;
1095         case DFG::EntrySwitch:
1096             compileEntrySwitch();
1097             break;
1098         case DFG::Return:
1099             compileReturn();
1100             break;
1101         case ForceOSRExit:
1102             compileForceOSRExit();
1103             break;
1104         case CPUIntrinsic:
1105 #if CPU(X86_64)
1106             compileCPUIntrinsic();
1107 #else
1108             RELEASE_ASSERT_NOT_REACHED();
1109 #endif
1110             break;
1111         case Throw:
1112             compileThrow();
1113             break;
1114         case ThrowStaticError:
1115             compileThrowStaticError();
1116             break;
1117         case InvalidationPoint:
1118             compileInvalidationPoint();
1119             break;
1120         case IsEmpty:
1121             compileIsEmpty();
1122             break;
1123         case IsUndefined:
1124             compileIsUndefined();
1125             break;
1126         case IsUndefinedOrNull:
1127             compileIsUndefinedOrNull();
1128             break;
1129         case IsBoolean:
1130             compileIsBoolean();
1131             break;
1132         case IsNumber:
1133             compileIsNumber();
1134             break;
1135         case NumberIsInteger:
1136             compileNumberIsInteger();
1137             break;
1138         case IsCellWithType:
1139             compileIsCellWithType();
1140             break;
1141         case MapHash:
1142             compileMapHash();
1143             break;
1144         case NormalizeMapKey:
1145             compileNormalizeMapKey();
1146             break;
1147         case GetMapBucket:
1148             compileGetMapBucket();
1149             break;
1150         case GetMapBucketHead:
1151             compileGetMapBucketHead();
1152             break;
1153         case GetMapBucketNext:
1154             compileGetMapBucketNext();
1155             break;
1156         case LoadKeyFromMapBucket:
1157             compileLoadKeyFromMapBucket();
1158             break;
1159         case LoadValueFromMapBucket:
1160             compileLoadValueFromMapBucket();
1161             break;
1162         case ExtractValueFromWeakMapGet:
1163             compileExtractValueFromWeakMapGet();
1164             break;
1165         case SetAdd:
1166             compileSetAdd();
1167             break;
1168         case MapSet:
1169             compileMapSet();
1170             break;
1171         case WeakMapGet:
1172             compileWeakMapGet();
1173             break;
1174         case WeakSetAdd:
1175             compileWeakSetAdd();
1176             break;
1177         case WeakMapSet:
1178             compileWeakMapSet();
1179             break;
1180         case IsObject:
1181             compileIsObject();
1182             break;
1183         case IsObjectOrNull:
1184             compileIsObjectOrNull();
1185             break;
1186         case IsFunction:
1187             compileIsFunction();
1188             break;
1189         case IsTypedArrayView:
1190             compileIsTypedArrayView();
1191             break;
1192         case ParseInt:
1193             compileParseInt();
1194             break;
1195         case TypeOf:
1196             compileTypeOf();
1197             break;
1198         case CheckTypeInfoFlags:
1199             compileCheckTypeInfoFlags();
1200             break;
1201         case OverridesHasInstance:
1202             compileOverridesHasInstance();
1203             break;
1204         case InstanceOf:
1205             compileInstanceOf();
1206             break;
1207         case InstanceOfCustom:
1208             compileInstanceOfCustom();
1209             break;
1210         case CountExecution:
1211             compileCountExecution();
1212             break;
1213         case SuperSamplerBegin:
1214             compileSuperSamplerBegin();
1215             break;
1216         case SuperSamplerEnd:
1217             compileSuperSamplerEnd();
1218             break;
1219         case StoreBarrier:
1220         case FencedStoreBarrier:
1221             compileStoreBarrier();
1222             break;
1223         case HasIndexedProperty:
1224             compileHasIndexedProperty();
1225             break;
1226         case HasGenericProperty:
1227             compileHasGenericProperty();
1228             break;
1229         case HasStructureProperty:
1230             compileHasStructureProperty();
1231             break;
1232         case GetDirectPname:
1233             compileGetDirectPname();
1234             break;
1235         case GetEnumerableLength:
1236             compileGetEnumerableLength();
1237             break;
1238         case GetPropertyEnumerator:
1239             compileGetPropertyEnumerator();
1240             break;
1241         case GetEnumeratorStructurePname:
1242             compileGetEnumeratorStructurePname();
1243             break;
1244         case GetEnumeratorGenericPname:
1245             compileGetEnumeratorGenericPname();
1246             break;
1247         case ToIndexString:
1248             compileToIndexString();
1249             break;
1250         case CheckStructureImmediate:
1251             compileCheckStructureImmediate();
1252             break;
1253         case MaterializeNewObject:
1254             compileMaterializeNewObject();
1255             break;
1256         case MaterializeCreateActivation:
1257             compileMaterializeCreateActivation();
1258             break;
1259         case CheckTraps:
1260             compileCheckTraps();
1261             break;
1262         case CreateRest:
1263             compileCreateRest();
1264             break;
1265         case GetRestLength:
1266             compileGetRestLength();
1267             break;
1268         case RegExpExec:
1269             compileRegExpExec();
1270             break;
1271         case RegExpExecNonGlobalOrSticky:
1272             compileRegExpExecNonGlobalOrSticky();
1273             break;
1274         case RegExpTest:
1275             compileRegExpTest();
1276             break;
1277         case RegExpMatchFast:
1278             compileRegExpMatchFast();
1279             break;
1280         case RegExpMatchFastGlobal:
1281             compileRegExpMatchFastGlobal();
1282             break;
1283         case NewRegexp:
1284             compileNewRegexp();
1285             break;
1286         case SetFunctionName:
1287             compileSetFunctionName();
1288             break;
1289         case StringReplace:
1290         case StringReplaceRegExp:
1291             compileStringReplace();
1292             break;
1293         case GetRegExpObjectLastIndex:
1294             compileGetRegExpObjectLastIndex();
1295             break;
1296         case SetRegExpObjectLastIndex:
1297             compileSetRegExpObjectLastIndex();
1298             break;
1299         case LogShadowChickenPrologue:
1300             compileLogShadowChickenPrologue();
1301             break;
1302         case LogShadowChickenTail:
1303             compileLogShadowChickenTail();
1304             break;
1305         case RecordRegExpCachedResult:
1306             compileRecordRegExpCachedResult();
1307             break;
1308         case ResolveScopeForHoistingFuncDeclInEval:
1309             compileResolveScopeForHoistingFuncDeclInEval();
1310             break;
1311         case ResolveScope:
1312             compileResolveScope();
1313             break;
1314         case GetDynamicVar:
1315             compileGetDynamicVar();
1316             break;
1317         case PutDynamicVar:
1318             compilePutDynamicVar();
1319             break;
1320         case Unreachable:
1321             compileUnreachable();
1322             break;
1323         case StringSlice:
1324             compileStringSlice();
1325             break;
1326         case ToLowerCase:
1327             compileToLowerCase();
1328             break;
1329         case NumberToStringWithRadix:
1330             compileNumberToStringWithRadix();
1331             break;
1332         case NumberToStringWithValidRadixConstant:
1333             compileNumberToStringWithValidRadixConstant();
1334             break;
1335         case CheckSubClass:
1336             compileCheckSubClass();
1337             break;
1338         case CallDOM:
1339             compileCallDOM();
1340             break;
1341         case CallDOMGetter:
1342             compileCallDOMGetter();
1343             break;
1344         case FilterCallLinkStatus:
1345         case FilterGetByIdStatus:
1346         case FilterPutByIdStatus:
1347         case FilterInByIdStatus:
1348             compileFilterICStatus();
1349             break;
1350         case DataViewGetInt:
1351         case DataViewGetFloat:
1352             compileDataViewGet();
1353             break;
1354         case DataViewSet:
1355             compileDataViewSet();
1356             break;
1357
1358         case PhantomLocal:
1359         case LoopHint:
1360         case MovHint:
1361         case ZombieHint:
1362         case ExitOK:
1363         case PhantomNewObject:
1364         case PhantomNewFunction:
1365         case PhantomNewGeneratorFunction:
1366         case PhantomNewAsyncGeneratorFunction:
1367         case PhantomNewAsyncFunction:
1368         case PhantomCreateActivation:
1369         case PhantomDirectArguments:
1370         case PhantomCreateRest:
1371         case PhantomSpread:
1372         case PhantomNewArrayWithSpread:
1373         case PhantomNewArrayBuffer:
1374         case PhantomClonedArguments:
1375         case PhantomNewRegexp:
1376         case PutHint:
1377         case BottomValue:
1378         case KillStack:
1379         case InitializeEntrypointArguments:
1380             break;
1381         default:
1382             DFG_CRASH(m_graph, m_node, "Unrecognized node in FTL backend");
1383             break;
1384         }
1385         
1386         if (m_node->isTerminal())
1387             return false;
1388         
1389         if (!m_state.isValid()) {
1390             safelyInvalidateAfterTermination();
1391             return false;
1392         }
1393
1394         m_availabilityCalculator.executeNode(m_node);
1395         m_interpreter.executeEffects(nodeIndex);
1396         
1397         return true;
1398     }
1399
1400     void compileUpsilon()
1401     {
1402         LValue upsilonValue = nullptr;
1403         switch (m_node->child1().useKind()) {
1404         case DoubleRepUse:
1405             upsilonValue = lowDouble(m_node->child1());
1406             break;
1407         case Int32Use:
1408         case KnownInt32Use:
1409             upsilonValue = lowInt32(m_node->child1());
1410             break;
1411         case Int52RepUse:
1412             upsilonValue = lowInt52(m_node->child1());
1413             break;
1414         case BooleanUse:
1415         case KnownBooleanUse:
1416             upsilonValue = lowBoolean(m_node->child1());
1417             break;
1418         case CellUse:
1419         case KnownCellUse:
1420             upsilonValue = lowCell(m_node->child1());
1421             break;
1422         case UntypedUse:
1423             upsilonValue = lowJSValue(m_node->child1());
1424             break;
1425         default:
1426             DFG_CRASH(m_graph, m_node, "Bad use kind");
1427             break;
1428         }
1429         ValueFromBlock upsilon = m_out.anchor(upsilonValue);
1430         LValue phiNode = m_phis.get(m_node->phi());
1431         m_out.addIncomingToPhi(phiNode, upsilon);
1432     }
1433     
1434     void compilePhi()
1435     {
1436         LValue phi = m_phis.get(m_node);
1437         m_out.m_block->append(phi);
1438
1439         switch (m_node->flags() & NodeResultMask) {
1440         case NodeResultDouble:
1441             setDouble(phi);
1442             break;
1443         case NodeResultInt32:
1444             setInt32(phi);
1445             break;
1446         case NodeResultInt52:
1447             setInt52(phi);
1448             break;
1449         case NodeResultBoolean:
1450             setBoolean(phi);
1451             break;
1452         case NodeResultJS:
1453             setJSValue(phi);
1454             break;
1455         default:
1456             DFG_CRASH(m_graph, m_node, "Bad result type");
1457             break;
1458         }
1459     }
1460     
1461     void compileDoubleConstant()
1462     {
1463         setDouble(m_out.constDouble(m_node->asNumber()));
1464     }
1465     
1466     void compileInt52Constant()
1467     {
1468         int64_t value = m_node->asAnyInt();
1469         
1470         setInt52(m_out.constInt64(value << JSValue::int52ShiftAmount));
1471         setStrictInt52(m_out.constInt64(value));
1472     }
1473
1474     void compileLazyJSConstant()
1475     {
1476         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
1477         LazyJSValue value = m_node->lazyJSValue();
1478         patchpoint->setGenerator(
1479             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
1480                 value.emit(jit, JSValueRegs(params[0].gpr()));
1481             });
1482         patchpoint->effects = Effects::none();
1483         setJSValue(patchpoint);
1484     }
1485
1486     void compileDoubleRep()
1487     {
1488         switch (m_node->child1().useKind()) {
1489         case RealNumberUse: {
1490             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1491             
1492             LValue doubleValue = unboxDouble(value);
1493             
1494             LBasicBlock intCase = m_out.newBlock();
1495             LBasicBlock continuation = m_out.newBlock();
1496             
1497             ValueFromBlock fastResult = m_out.anchor(doubleValue);
1498             m_out.branch(
1499                 m_out.doubleEqual(doubleValue, doubleValue),
1500                 usually(continuation), rarely(intCase));
1501             
1502             LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
1503
1504             FTL_TYPE_CHECK(
1505                 jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
1506                 isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
1507             ValueFromBlock slowResult = m_out.anchor(m_out.intToDouble(unboxInt32(value)));
1508             m_out.jump(continuation);
1509             
1510             m_out.appendTo(continuation, lastNext);
1511             
1512             setDouble(m_out.phi(Double, fastResult, slowResult));
1513             return;
1514         }
1515             
1516         case NotCellUse:
1517         case NumberUse: {
1518             bool shouldConvertNonNumber = m_node->child1().useKind() == NotCellUse;
1519             
1520             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1521
1522             LBasicBlock intCase = m_out.newBlock();
1523             LBasicBlock doubleTesting = m_out.newBlock();
1524             LBasicBlock doubleCase = m_out.newBlock();
1525             LBasicBlock nonDoubleCase = m_out.newBlock();
1526             LBasicBlock continuation = m_out.newBlock();
1527             
1528             m_out.branch(
1529                 isNotInt32(value, provenType(m_node->child1())),
1530                 unsure(doubleTesting), unsure(intCase));
1531             
1532             LBasicBlock lastNext = m_out.appendTo(intCase, doubleTesting);
1533             
1534             ValueFromBlock intToDouble = m_out.anchor(
1535                 m_out.intToDouble(unboxInt32(value)));
1536             m_out.jump(continuation);
1537             
1538             m_out.appendTo(doubleTesting, doubleCase);
1539             LValue valueIsNumber = isNumber(value, provenType(m_node->child1()));
1540             m_out.branch(valueIsNumber, usually(doubleCase), rarely(nonDoubleCase));
1541
1542             m_out.appendTo(doubleCase, nonDoubleCase);
1543             ValueFromBlock unboxedDouble = m_out.anchor(unboxDouble(value));
1544             m_out.jump(continuation);
1545
1546             if (shouldConvertNonNumber) {
1547                 LBasicBlock undefinedCase = m_out.newBlock();
1548                 LBasicBlock testNullCase = m_out.newBlock();
1549                 LBasicBlock nullCase = m_out.newBlock();
1550                 LBasicBlock testBooleanTrueCase = m_out.newBlock();
1551                 LBasicBlock convertBooleanTrueCase = m_out.newBlock();
1552                 LBasicBlock convertBooleanFalseCase = m_out.newBlock();
1553
1554                 m_out.appendTo(nonDoubleCase, undefinedCase);
1555                 LValue valueIsUndefined = m_out.equal(value, m_out.constInt64(ValueUndefined));
1556                 m_out.branch(valueIsUndefined, unsure(undefinedCase), unsure(testNullCase));
1557
1558                 m_out.appendTo(undefinedCase, testNullCase);
1559                 ValueFromBlock convertedUndefined = m_out.anchor(m_out.constDouble(PNaN));
1560                 m_out.jump(continuation);
1561
1562                 m_out.appendTo(testNullCase, nullCase);
1563                 LValue valueIsNull = m_out.equal(value, m_out.constInt64(ValueNull));
1564                 m_out.branch(valueIsNull, unsure(nullCase), unsure(testBooleanTrueCase));
1565
1566                 m_out.appendTo(nullCase, testBooleanTrueCase);
1567                 ValueFromBlock convertedNull = m_out.anchor(m_out.constDouble(0));
1568                 m_out.jump(continuation);
1569
1570                 m_out.appendTo(testBooleanTrueCase, convertBooleanTrueCase);
1571                 LValue valueIsBooleanTrue = m_out.equal(value, m_out.constInt64(ValueTrue));
1572                 m_out.branch(valueIsBooleanTrue, unsure(convertBooleanTrueCase), unsure(convertBooleanFalseCase));
1573
1574                 m_out.appendTo(convertBooleanTrueCase, convertBooleanFalseCase);
1575                 ValueFromBlock convertedTrue = m_out.anchor(m_out.constDouble(1));
1576                 m_out.jump(continuation);
1577
1578                 m_out.appendTo(convertBooleanFalseCase, continuation);
1579
1580                 LValue valueIsNotBooleanFalse = m_out.notEqual(value, m_out.constInt64(ValueFalse));
1581                 FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), ~SpecCellCheck, valueIsNotBooleanFalse);
1582                 ValueFromBlock convertedFalse = m_out.anchor(m_out.constDouble(0));
1583                 m_out.jump(continuation);
1584
1585                 m_out.appendTo(continuation, lastNext);
1586                 setDouble(m_out.phi(Double, intToDouble, unboxedDouble, convertedUndefined, convertedNull, convertedTrue, convertedFalse));
1587                 return;
1588             }
1589             m_out.appendTo(nonDoubleCase, continuation);
1590             FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), SpecBytecodeNumber, m_out.booleanTrue);
1591             m_out.unreachable();
1592
1593             m_out.appendTo(continuation, lastNext);
1594
1595             setDouble(m_out.phi(Double, intToDouble, unboxedDouble));
1596             return;
1597         }
1598             
1599         case Int52RepUse: {
1600             setDouble(strictInt52ToDouble(lowStrictInt52(m_node->child1())));
1601             return;
1602         }
1603             
1604         default:
1605             DFG_CRASH(m_graph, m_node, "Bad use kind");
1606         }
1607     }
1608
1609     void compileDoubleAsInt32()
1610     {
1611         LValue integerValue = convertDoubleToInt32(lowDouble(m_node->child1()), shouldCheckNegativeZero(m_node->arithMode()));
1612         setInt32(integerValue);
1613     }
1614
1615     void compileValueRep()
1616     {
1617         switch (m_node->child1().useKind()) {
1618         case DoubleRepUse: {
1619             LValue value = lowDouble(m_node->child1());
1620             
1621             if (m_interpreter.needsTypeCheck(m_node->child1(), ~SpecDoubleImpureNaN)) {
1622                 value = m_out.select(
1623                     m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN));
1624             }
1625             
1626             setJSValue(boxDouble(value));
1627             return;
1628         }
1629             
1630         case Int52RepUse: {
1631             setJSValue(strictInt52ToJSValue(lowStrictInt52(m_node->child1())));
1632             return;
1633         }
1634             
1635         default:
1636             DFG_CRASH(m_graph, m_node, "Bad use kind");
1637         }
1638     }
1639     
1640     void compileInt52Rep()
1641     {
1642         switch (m_node->child1().useKind()) {
1643         case Int32Use:
1644             setStrictInt52(m_out.signExt32To64(lowInt32(m_node->child1())));
1645             return;
1646             
1647         case AnyIntUse:
1648             setStrictInt52(
1649                 jsValueToStrictInt52(
1650                     m_node->child1(), lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1651             return;
1652             
1653         case DoubleRepAnyIntUse:
1654             setStrictInt52(
1655                 doubleToStrictInt52(
1656                     m_node->child1(), lowDouble(m_node->child1())));
1657             return;
1658             
1659         default:
1660             RELEASE_ASSERT_NOT_REACHED();
1661         }
1662     }
1663     
1664     void compileValueToInt32()
1665     {
1666         switch (m_node->child1().useKind()) {
1667         case Int52RepUse:
1668             setInt32(m_out.castToInt32(lowStrictInt52(m_node->child1())));
1669             break;
1670             
1671         case DoubleRepUse:
1672             setInt32(doubleToInt32(lowDouble(m_node->child1())));
1673             break;
1674             
1675         case NumberUse:
1676         case NotCellUse: {
1677             LoweredNodeValue value = m_int32Values.get(m_node->child1().node());
1678             if (isValid(value)) {
1679                 setInt32(value.value());
1680                 break;
1681             }
1682             
1683             value = m_jsValueValues.get(m_node->child1().node());
1684             if (isValid(value)) {
1685                 setInt32(numberOrNotCellToInt32(m_node->child1(), value.value()));
1686                 break;
1687             }
1688             
1689             // We'll basically just get here for constants. But it's good to have this
1690             // catch-all since we often add new representations into the mix.
1691             setInt32(
1692                 numberOrNotCellToInt32(
1693                     m_node->child1(),
1694                     lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1695             break;
1696         }
1697             
1698         default:
1699             DFG_CRASH(m_graph, m_node, "Bad use kind");
1700             break;
1701         }
1702     }
1703     
1704     void compileBooleanToNumber()
1705     {
1706         switch (m_node->child1().useKind()) {
1707         case BooleanUse: {
1708             setInt32(m_out.zeroExt(lowBoolean(m_node->child1()), Int32));
1709             return;
1710         }
1711             
1712         case UntypedUse: {
1713             LValue value = lowJSValue(m_node->child1());
1714             
1715             if (!m_interpreter.needsTypeCheck(m_node->child1(), SpecBoolInt32 | SpecBoolean)) {
1716                 setInt32(m_out.bitAnd(m_out.castToInt32(value), m_out.int32One));
1717                 return;
1718             }
1719             
1720             LBasicBlock booleanCase = m_out.newBlock();
1721             LBasicBlock continuation = m_out.newBlock();
1722             
1723             ValueFromBlock notBooleanResult = m_out.anchor(value);
1724             m_out.branch(
1725                 isBoolean(value, provenType(m_node->child1())),
1726                 unsure(booleanCase), unsure(continuation));
1727             
1728             LBasicBlock lastNext = m_out.appendTo(booleanCase, continuation);
1729             ValueFromBlock booleanResult = m_out.anchor(m_out.bitOr(
1730                 m_out.zeroExt(unboxBoolean(value), Int64), m_tagTypeNumber));
1731             m_out.jump(continuation);
1732             
1733             m_out.appendTo(continuation, lastNext);
1734             setJSValue(m_out.phi(Int64, booleanResult, notBooleanResult));
1735             return;
1736         }
1737             
1738         default:
1739             RELEASE_ASSERT_NOT_REACHED();
1740             return;
1741         }
1742     }
1743
1744     void compileExtractOSREntryLocal()
1745     {
1746         EncodedJSValue* buffer = static_cast<EncodedJSValue*>(
1747             m_ftlState.jitCode->ftlForOSREntry()->entryBuffer()->dataBuffer());
1748         setJSValue(m_out.load64(m_out.absolute(buffer + m_node->unlinkedLocal().toLocal())));
1749     }
1750
1751     void compileExtractCatchLocal()
1752     {
1753         EncodedJSValue* buffer = static_cast<EncodedJSValue*>(m_ftlState.jitCode->common.catchOSREntryBuffer->dataBuffer());
1754         setJSValue(m_out.load64(m_out.absolute(buffer + m_node->catchOSREntryIndex())));
1755     }
1756
1757     void compileClearCatchLocals()
1758     {
1759         ScratchBuffer* scratchBuffer = m_ftlState.jitCode->common.catchOSREntryBuffer;
1760         ASSERT(scratchBuffer);
1761         m_out.storePtr(m_out.constIntPtr(0), m_out.absolute(scratchBuffer->addressOfActiveLength()));
1762     }
1763     
1764     void compileGetStack()
1765     {
1766         StackAccessData* data = m_node->stackAccessData();
1767         AbstractValue& value = m_state.operand(data->local);
1768         
1769         DFG_ASSERT(m_graph, m_node, isConcrete(data->format), data->format);
1770         
1771         if (data->format == FlushedDouble)
1772             setDouble(m_out.loadDouble(addressFor(data->machineLocal)));
1773         else if (isInt32Speculation(value.m_type))
1774             setInt32(m_out.load32(payloadFor(data->machineLocal)));
1775         else
1776             setJSValue(m_out.load64(addressFor(data->machineLocal)));
1777     }
1778     
1779     void compilePutStack()
1780     {
1781         StackAccessData* data = m_node->stackAccessData();
1782         switch (data->format) {
1783         case FlushedJSValue: {
1784             LValue value = lowJSValue(m_node->child1());
1785             m_out.store64(value, addressFor(data->machineLocal));
1786             break;
1787         }
1788             
1789         case FlushedDouble: {
1790             LValue value = lowDouble(m_node->child1());
1791             m_out.storeDouble(value, addressFor(data->machineLocal));
1792             break;
1793         }
1794             
1795         case FlushedInt32: {
1796             LValue value = lowInt32(m_node->child1());
1797             m_out.store32(value, payloadFor(data->machineLocal));
1798             break;
1799         }
1800             
1801         case FlushedInt52: {
1802             LValue value = lowInt52(m_node->child1());
1803             m_out.store64(value, addressFor(data->machineLocal));
1804             break;
1805         }
1806             
1807         case FlushedCell: {
1808             LValue value = lowCell(m_node->child1());
1809             m_out.store64(value, addressFor(data->machineLocal));
1810             break;
1811         }
1812             
1813         case FlushedBoolean: {
1814             speculateBoolean(m_node->child1());
1815             m_out.store64(
1816                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
1817                 addressFor(data->machineLocal));
1818             break;
1819         }
1820             
1821         default:
1822             DFG_CRASH(m_graph, m_node, "Bad flush format");
1823             break;
1824         }
1825     }
1826     
1827     void compileNoOp()
1828     {
1829         DFG_NODE_DO_TO_CHILDREN(m_graph, m_node, speculate);
1830     }
1831
1832     void compileToObjectOrCallObjectConstructor()
1833     {
1834         LValue value = lowJSValue(m_node->child1());
1835
1836         LBasicBlock isCellCase = m_out.newBlock();
1837         LBasicBlock slowCase = m_out.newBlock();
1838         LBasicBlock continuation = m_out.newBlock();
1839
1840         m_out.branch(isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
1841
1842         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
1843         ValueFromBlock fastResult = m_out.anchor(value);
1844         m_out.branch(isObject(value), usually(continuation), rarely(slowCase));
1845
1846         m_out.appendTo(slowCase, continuation);
1847
1848         ValueFromBlock slowResult;
1849         if (m_node->op() == ToObject) {
1850             auto* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
1851             slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationToObject), m_callFrame, weakPointer(globalObject), value, m_out.constIntPtr(m_graph.identifiers()[m_node->identifierNumber()])));
1852         } else
1853             slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationCallObjectConstructor), m_callFrame, frozenPointer(m_node->cellOperand()), value));
1854         m_out.jump(continuation);
1855
1856         m_out.appendTo(continuation, lastNext);
1857         setJSValue(m_out.phi(Int64, fastResult, slowResult));
1858     }
1859     
1860     void compileToThis()
1861     {
1862         LValue value = lowJSValue(m_node->child1());
1863         
1864         LBasicBlock isCellCase = m_out.newBlock();
1865         LBasicBlock slowCase = m_out.newBlock();
1866         LBasicBlock continuation = m_out.newBlock();
1867         
1868         m_out.branch(
1869             isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
1870         
1871         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
1872         ValueFromBlock fastResult = m_out.anchor(value);
1873         m_out.branch(
1874             m_out.testIsZero32(
1875                 m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoFlags),
1876                 m_out.constInt32(OverridesToThis)),
1877             usually(continuation), rarely(slowCase));
1878         
1879         m_out.appendTo(slowCase, continuation);
1880         J_JITOperation_EJ function;
1881         if (m_graph.isStrictModeFor(m_node->origin.semantic))
1882             function = operationToThisStrict;
1883         else
1884             function = operationToThis;
1885         ValueFromBlock slowResult = m_out.anchor(
1886             vmCall(Int64, m_out.operation(function), m_callFrame, value));
1887         m_out.jump(continuation);
1888         
1889         m_out.appendTo(continuation, lastNext);
1890         setJSValue(m_out.phi(Int64, fastResult, slowResult));
1891     }
1892
1893     void compileValueAdd()
1894     {
1895         if (m_node->isBinaryUseKind(BigIntUse)) {
1896             LValue left = lowBigInt(m_node->child1());
1897             LValue right = lowBigInt(m_node->child2());
1898
1899             LValue result = vmCall(pointerType(), m_out.operation(operationAddBigInt), m_callFrame, left, right);
1900             setJSValue(result);
1901             return;
1902         }
1903
1904         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
1905         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
1906         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
1907         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
1908         auto repatchingFunction = operationValueAddOptimize;
1909         auto nonRepatchingFunction = operationValueAdd;
1910         compileBinaryMathIC<JITAddGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
1911     }
1912
1913     void compileValueSub()
1914     {
1915         if (m_node->isBinaryUseKind(BigIntUse)) {
1916             LValue left = lowBigInt(m_node->child1());
1917             LValue right = lowBigInt(m_node->child2());
1918             
1919             LValue result = vmCall(pointerType(), m_out.operation(operationSubBigInt), m_callFrame, left, right);
1920             setJSValue(result);
1921             return;
1922         }
1923
1924         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
1925         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
1926         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
1927         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
1928         auto repatchingFunction = operationValueSubOptimize;
1929         auto nonRepatchingFunction = operationValueSub;
1930         compileBinaryMathIC<JITSubGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
1931     }
1932
1933     void compileValueMul()
1934     {
1935         if (m_node->isBinaryUseKind(BigIntUse)) {
1936             LValue left = lowBigInt(m_node->child1());
1937             LValue right = lowBigInt(m_node->child2());
1938             
1939             LValue result = vmCall(Int64, m_out.operation(operationMulBigInt), m_callFrame, left, right);
1940             setJSValue(result);
1941             return;
1942         }
1943
1944         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
1945         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
1946         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
1947         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
1948         auto repatchingFunction = operationValueMulOptimize;
1949         auto nonRepatchingFunction = operationValueMul;
1950         compileBinaryMathIC<JITMulGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
1951     }
1952
1953     template <typename Generator, typename Func1, typename Func2,
1954         typename = std::enable_if_t<std::is_function<typename std::remove_pointer<Func1>::type>::value && std::is_function<typename std::remove_pointer<Func2>::type>::value>>
1955     void compileUnaryMathIC(ArithProfile* arithProfile, const Instruction* instruction, Func1 repatchingFunction, Func2 nonRepatchingFunction)
1956     {
1957         Node* node = m_node;
1958
1959         LValue operand = lowJSValue(node->child1());
1960
1961         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
1962         patchpoint->appendSomeRegister(operand);
1963         patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
1964         patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
1965         RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
1966         patchpoint->numGPScratchRegisters = 1;
1967         patchpoint->clobber(RegisterSet::macroScratchRegisters());
1968         State* state = &m_ftlState;
1969         patchpoint->setGenerator(
1970             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
1971                 AllowMacroScratchRegisterUsage allowScratch(jit);
1972
1973                 Box<CCallHelpers::JumpList> exceptions =
1974                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
1975
1976 #if ENABLE(MATH_IC_STATS)
1977                 auto inlineStart = jit.label();
1978 #endif
1979
1980                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
1981                 JITUnaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile, instruction);
1982                 mathIC->m_generator = Generator(JSValueRegs(params[0].gpr()), JSValueRegs(params[1].gpr()), params.gpScratch(0));
1983
1984                 bool shouldEmitProfiling = false;
1985                 bool generatedInline = mathIC->generateInline(jit, *mathICGenerationState, shouldEmitProfiling);
1986
1987                 if (generatedInline) {
1988                     ASSERT(!mathICGenerationState->slowPathJumps.empty());
1989                     auto done = jit.label();
1990                     params.addLatePath([=] (CCallHelpers& jit) {
1991                         AllowMacroScratchRegisterUsage allowScratch(jit);
1992                         mathICGenerationState->slowPathJumps.link(&jit);
1993                         mathICGenerationState->slowPathStart = jit.label();
1994 #if ENABLE(MATH_IC_STATS)
1995                         auto slowPathStart = jit.label();
1996 #endif
1997
1998                         if (mathICGenerationState->shouldSlowPathRepatch) {
1999                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2000                                 repatchingFunction, params[0].gpr(), params[1].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
2001                             mathICGenerationState->slowPathCall = call.call();
2002                         } else {
2003                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
2004                                 exceptions.get(), nonRepatchingFunction, params[0].gpr(), params[1].gpr());
2005                             mathICGenerationState->slowPathCall = call.call();
2006                         }
2007                         jit.jump().linkTo(done, &jit);
2008
2009                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2010                             mathIC->finalizeInlineCode(*mathICGenerationState, linkBuffer);
2011                         });
2012
2013 #if ENABLE(MATH_IC_STATS)
2014                         auto slowPathEnd = jit.label();
2015                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2016                             size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
2017                             mathIC->m_generatedCodeSize += size;
2018                         });
2019 #endif
2020                     });
2021                 } else {
2022                     callOperation(
2023                         *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2024                         nonRepatchingFunction, params[0].gpr(), params[1].gpr());
2025                 }
2026
2027 #if ENABLE(MATH_IC_STATS)
2028                 auto inlineEnd = jit.label();
2029                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2030                     size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
2031                     mathIC->m_generatedCodeSize += size;
2032                 });
2033 #endif
2034             });
2035
2036         setJSValue(patchpoint);
2037     }
2038
2039     template <typename Generator, typename Func1, typename Func2,
2040         typename = std::enable_if_t<std::is_function<typename std::remove_pointer<Func1>::type>::value && std::is_function<typename std::remove_pointer<Func2>::type>::value>>
2041     void compileBinaryMathIC(ArithProfile* arithProfile, const Instruction* instruction, Func1 repatchingFunction, Func2 nonRepatchingFunction)
2042     {
2043         Node* node = m_node;
2044         
2045         LValue left = lowJSValue(node->child1());
2046         LValue right = lowJSValue(node->child2());
2047
2048         SnippetOperand leftOperand(m_state.forNode(node->child1()).resultType());
2049         SnippetOperand rightOperand(m_state.forNode(node->child2()).resultType());
2050             
2051         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
2052         patchpoint->appendSomeRegister(left);
2053         patchpoint->appendSomeRegister(right);
2054         patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
2055         patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
2056         RefPtr<PatchpointExceptionHandle> exceptionHandle =
2057             preparePatchpointForExceptions(patchpoint);
2058         patchpoint->numGPScratchRegisters = 1;
2059         patchpoint->numFPScratchRegisters = 2;
2060         patchpoint->clobber(RegisterSet::macroScratchRegisters());
2061         State* state = &m_ftlState;
2062         patchpoint->setGenerator(
2063             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
2064                 AllowMacroScratchRegisterUsage allowScratch(jit);
2065
2066
2067                 Box<CCallHelpers::JumpList> exceptions =
2068                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
2069
2070 #if ENABLE(MATH_IC_STATS)
2071                 auto inlineStart = jit.label();
2072 #endif
2073
2074                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
2075                 JITBinaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile, instruction);
2076                 mathIC->m_generator = Generator(leftOperand, rightOperand, JSValueRegs(params[0].gpr()),
2077                     JSValueRegs(params[1].gpr()), JSValueRegs(params[2].gpr()), params.fpScratch(0),
2078                     params.fpScratch(1), params.gpScratch(0), InvalidFPRReg);
2079
2080                 bool shouldEmitProfiling = false;
2081                 bool generatedInline = mathIC->generateInline(jit, *mathICGenerationState, shouldEmitProfiling);
2082
2083                 if (generatedInline) {
2084                     ASSERT(!mathICGenerationState->slowPathJumps.empty());
2085                     auto done = jit.label();
2086                     params.addLatePath([=] (CCallHelpers& jit) {
2087                         AllowMacroScratchRegisterUsage allowScratch(jit);
2088                         mathICGenerationState->slowPathJumps.link(&jit);
2089                         mathICGenerationState->slowPathStart = jit.label();
2090 #if ENABLE(MATH_IC_STATS)
2091                         auto slowPathStart = jit.label();
2092 #endif
2093
2094                         if (mathICGenerationState->shouldSlowPathRepatch) {
2095                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2096                                 repatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
2097                             mathICGenerationState->slowPathCall = call.call();
2098                         } else {
2099                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
2100                                 exceptions.get(), nonRepatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr());
2101                             mathICGenerationState->slowPathCall = call.call();
2102                         }
2103                         jit.jump().linkTo(done, &jit);
2104
2105                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2106                             mathIC->finalizeInlineCode(*mathICGenerationState, linkBuffer);
2107                         });
2108
2109 #if ENABLE(MATH_IC_STATS)
2110                         auto slowPathEnd = jit.label();
2111                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2112                             size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
2113                             mathIC->m_generatedCodeSize += size;
2114                         });
2115 #endif
2116                     });
2117                 } else {
2118                     callOperation(
2119                         *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2120                         nonRepatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr());
2121                 }
2122
2123 #if ENABLE(MATH_IC_STATS)
2124                 auto inlineEnd = jit.label();
2125                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2126                     size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
2127                     mathIC->m_generatedCodeSize += size;
2128                 });
2129 #endif
2130             });
2131
2132         setJSValue(patchpoint);
2133     }
2134     
2135     void compileStrCat()
2136     {
2137         LValue result;
2138         if (m_node->child3()) {
2139             result = vmCall(
2140                 Int64, m_out.operation(operationStrCat3), m_callFrame,
2141                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
2142                 lowJSValue(m_node->child2(), ManualOperandSpeculation),
2143                 lowJSValue(m_node->child3(), ManualOperandSpeculation));
2144         } else {
2145             result = vmCall(
2146                 Int64, m_out.operation(operationStrCat2), m_callFrame,
2147                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
2148                 lowJSValue(m_node->child2(), ManualOperandSpeculation));
2149         }
2150         setJSValue(result);
2151     }
2152     
2153     void compileArithAddOrSub()
2154     {
2155         bool isSub =  m_node->op() == ArithSub;
2156         switch (m_node->binaryUseKind()) {
2157         case Int32Use: {
2158             LValue left = lowInt32(m_node->child1());
2159             LValue right = lowInt32(m_node->child2());
2160
2161             if (!shouldCheckOverflow(m_node->arithMode())) {
2162                 setInt32(isSub ? m_out.sub(left, right) : m_out.add(left, right));
2163                 break;
2164             }
2165
2166             CheckValue* result =
2167                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
2168             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2169             setInt32(result);
2170             break;
2171         }
2172             
2173         case Int52RepUse: {
2174             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)
2175                 && !abstractValue(m_node->child2()).couldBeType(SpecInt52Only)) {
2176                 Int52Kind kind;
2177                 LValue left = lowWhicheverInt52(m_node->child1(), kind);
2178                 LValue right = lowInt52(m_node->child2(), kind);
2179                 setInt52(isSub ? m_out.sub(left, right) : m_out.add(left, right), kind);
2180                 break;
2181             }
2182
2183             LValue left = lowInt52(m_node->child1());
2184             LValue right = lowInt52(m_node->child2());
2185             CheckValue* result =
2186                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
2187             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2188             setInt52(result);
2189             break;
2190         }
2191             
2192         case DoubleRepUse: {
2193             LValue C1 = lowDouble(m_node->child1());
2194             LValue C2 = lowDouble(m_node->child2());
2195
2196             setDouble(isSub ? m_out.doubleSub(C1, C2) : m_out.doubleAdd(C1, C2));
2197             break;
2198         }
2199
2200         case UntypedUse: {
2201             if (!isSub) {
2202                 DFG_CRASH(m_graph, m_node, "Bad use kind");
2203                 break;
2204             }
2205
2206             CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2207             unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2208             ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2209             const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
2210             auto repatchingFunction = operationValueSubOptimize;
2211             auto nonRepatchingFunction = operationValueSub;
2212             compileBinaryMathIC<JITSubGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
2213             break;
2214         }
2215
2216         default:
2217             DFG_CRASH(m_graph, m_node, "Bad use kind");
2218             break;
2219         }
2220     }
2221
2222     void compileArithClz32()
2223     {
2224         if (m_node->child1().useKind() == Int32Use || m_node->child1().useKind() == KnownInt32Use) {
2225             LValue operand = lowInt32(m_node->child1());
2226             setInt32(m_out.ctlz32(operand));
2227             return;
2228         }
2229         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2230         LValue argument = lowJSValue(m_node->child1());
2231         LValue result = vmCall(Int32, m_out.operation(operationArithClz32), m_callFrame, argument);
2232         setInt32(result);
2233     }
2234     
2235     void compileArithMul()
2236     {
2237         switch (m_node->binaryUseKind()) {
2238         case Int32Use: {
2239             LValue left = lowInt32(m_node->child1());
2240             LValue right = lowInt32(m_node->child2());
2241             
2242             LValue result;
2243
2244             if (!shouldCheckOverflow(m_node->arithMode()))
2245                 result = m_out.mul(left, right);
2246             else {
2247                 CheckValue* speculation = m_out.speculateMul(left, right);
2248                 blessSpeculation(speculation, Overflow, noValue(), nullptr, m_origin);
2249                 result = speculation;
2250             }
2251             
2252             if (shouldCheckNegativeZero(m_node->arithMode())) {
2253                 LBasicBlock slowCase = m_out.newBlock();
2254                 LBasicBlock continuation = m_out.newBlock();
2255                 
2256                 m_out.branch(
2257                     m_out.notZero32(result), usually(continuation), rarely(slowCase));
2258                 
2259                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
2260                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int32Zero));
2261                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int32Zero));
2262                 m_out.jump(continuation);
2263                 m_out.appendTo(continuation, lastNext);
2264             }
2265             
2266             setInt32(result);
2267             break;
2268         }
2269             
2270         case Int52RepUse: {
2271             Int52Kind kind;
2272             LValue left = lowWhicheverInt52(m_node->child1(), kind);
2273             LValue right = lowInt52(m_node->child2(), opposite(kind));
2274
2275             CheckValue* result = m_out.speculateMul(left, right);
2276             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2277
2278             if (shouldCheckNegativeZero(m_node->arithMode())) {
2279                 LBasicBlock slowCase = m_out.newBlock();
2280                 LBasicBlock continuation = m_out.newBlock();
2281                 
2282                 m_out.branch(
2283                     m_out.notZero64(result), usually(continuation), rarely(slowCase));
2284                 
2285                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
2286                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int64Zero));
2287                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int64Zero));
2288                 m_out.jump(continuation);
2289                 m_out.appendTo(continuation, lastNext);
2290             }
2291             
2292             setInt52(result);
2293             break;
2294         }
2295             
2296         case DoubleRepUse: {
2297             setDouble(
2298                 m_out.doubleMul(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2299             break;
2300         }
2301
2302         default:
2303             DFG_CRASH(m_graph, m_node, "Bad use kind");
2304             break;
2305         }
2306     }
2307
2308     void compileValueDiv()
2309     {
2310         if (m_node->isBinaryUseKind(BigIntUse)) {
2311             LValue left = lowBigInt(m_node->child1());
2312             LValue right = lowBigInt(m_node->child2());
2313             
2314             LValue result = vmCall(pointerType(), m_out.operation(operationDivBigInt), m_callFrame, left, right);
2315             setJSValue(result);
2316             return;
2317         }
2318
2319         emitBinarySnippet<JITDivGenerator, NeedScratchFPR>(operationValueDiv);
2320     }
2321
2322     void compileArithDiv()
2323     {
2324         switch (m_node->binaryUseKind()) {
2325         case Int32Use: {
2326             LValue numerator = lowInt32(m_node->child1());
2327             LValue denominator = lowInt32(m_node->child2());
2328
2329             if (shouldCheckNegativeZero(m_node->arithMode())) {
2330                 LBasicBlock zeroNumerator = m_out.newBlock();
2331                 LBasicBlock numeratorContinuation = m_out.newBlock();
2332
2333                 m_out.branch(
2334                     m_out.isZero32(numerator),
2335                     rarely(zeroNumerator), usually(numeratorContinuation));
2336
2337                 LBasicBlock innerLastNext = m_out.appendTo(zeroNumerator, numeratorContinuation);
2338
2339                 speculate(
2340                     NegativeZero, noValue(), 0, m_out.lessThan(denominator, m_out.int32Zero));
2341
2342                 m_out.jump(numeratorContinuation);
2343
2344                 m_out.appendTo(numeratorContinuation, innerLastNext);
2345             }
2346             
2347             if (shouldCheckOverflow(m_node->arithMode())) {
2348                 LBasicBlock unsafeDenominator = m_out.newBlock();
2349                 LBasicBlock continuation = m_out.newBlock();
2350
2351                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
2352                 m_out.branch(
2353                     m_out.above(adjustedDenominator, m_out.int32One),
2354                     usually(continuation), rarely(unsafeDenominator));
2355
2356                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
2357                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
2358                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
2359                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
2360                 m_out.jump(continuation);
2361
2362                 m_out.appendTo(continuation, lastNext);
2363                 LValue result = m_out.div(numerator, denominator);
2364                 speculate(
2365                     Overflow, noValue(), 0,
2366                     m_out.notEqual(m_out.mul(result, denominator), numerator));
2367                 setInt32(result);
2368             } else
2369                 setInt32(m_out.chillDiv(numerator, denominator));
2370
2371             break;
2372         }
2373             
2374         case DoubleRepUse: {
2375             setDouble(m_out.doubleDiv(
2376                 lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2377             break;
2378         }
2379
2380         default:
2381             DFG_CRASH(m_graph, m_node, "Bad use kind");
2382             break;
2383         }
2384     }
2385     
2386     void compileArithMod()
2387     {
2388         switch (m_node->binaryUseKind()) {
2389         case Int32Use: {
2390             LValue numerator = lowInt32(m_node->child1());
2391             LValue denominator = lowInt32(m_node->child2());
2392
2393             LValue remainder;
2394             if (shouldCheckOverflow(m_node->arithMode())) {
2395                 LBasicBlock unsafeDenominator = m_out.newBlock();
2396                 LBasicBlock continuation = m_out.newBlock();
2397
2398                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
2399                 m_out.branch(
2400                     m_out.above(adjustedDenominator, m_out.int32One),
2401                     usually(continuation), rarely(unsafeDenominator));
2402
2403                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
2404                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
2405                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
2406                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
2407                 m_out.jump(continuation);
2408
2409                 m_out.appendTo(continuation, lastNext);
2410                 LValue result = m_out.mod(numerator, denominator);
2411                 remainder = result;
2412             } else
2413                 remainder = m_out.chillMod(numerator, denominator);
2414
2415             if (shouldCheckNegativeZero(m_node->arithMode())) {
2416                 LBasicBlock negativeNumerator = m_out.newBlock();
2417                 LBasicBlock numeratorContinuation = m_out.newBlock();
2418
2419                 m_out.branch(
2420                     m_out.lessThan(numerator, m_out.int32Zero),
2421                     unsure(negativeNumerator), unsure(numeratorContinuation));
2422
2423                 LBasicBlock innerLastNext = m_out.appendTo(negativeNumerator, numeratorContinuation);
2424
2425                 speculate(NegativeZero, noValue(), 0, m_out.isZero32(remainder));
2426
2427                 m_out.jump(numeratorContinuation);
2428
2429                 m_out.appendTo(numeratorContinuation, innerLastNext);
2430             }
2431
2432             setInt32(remainder);
2433             break;
2434         }
2435             
2436         case DoubleRepUse: {
2437             setDouble(
2438                 m_out.doubleMod(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2439             break;
2440         }
2441             
2442         default:
2443             DFG_CRASH(m_graph, m_node, "Bad use kind");
2444             break;
2445         }
2446     }
2447
2448     void compileArithMinOrMax()
2449     {
2450         switch (m_node->binaryUseKind()) {
2451         case Int32Use: {
2452             LValue left = lowInt32(m_node->child1());
2453             LValue right = lowInt32(m_node->child2());
2454             
2455             setInt32(
2456                 m_out.select(
2457                     m_node->op() == ArithMin
2458                         ? m_out.lessThan(left, right)
2459                         : m_out.lessThan(right, left),
2460                     left, right));
2461             break;
2462         }
2463             
2464         case DoubleRepUse: {
2465             LValue left = lowDouble(m_node->child1());
2466             LValue right = lowDouble(m_node->child2());
2467             
2468             LBasicBlock notLessThan = m_out.newBlock();
2469             LBasicBlock continuation = m_out.newBlock();
2470             
2471             Vector<ValueFromBlock, 2> results;
2472             
2473             results.append(m_out.anchor(left));
2474             m_out.branch(
2475                 m_node->op() == ArithMin
2476                     ? m_out.doubleLessThan(left, right)
2477                     : m_out.doubleGreaterThan(left, right),
2478                 unsure(continuation), unsure(notLessThan));
2479             
2480             LBasicBlock lastNext = m_out.appendTo(notLessThan, continuation);
2481             results.append(m_out.anchor(m_out.select(
2482                 m_node->op() == ArithMin
2483                     ? m_out.doubleGreaterThanOrEqual(left, right)
2484                     : m_out.doubleLessThanOrEqual(left, right),
2485                 right, m_out.constDouble(PNaN))));
2486             m_out.jump(continuation);
2487             
2488             m_out.appendTo(continuation, lastNext);
2489             setDouble(m_out.phi(Double, results));
2490             break;
2491         }
2492             
2493         default:
2494             DFG_CRASH(m_graph, m_node, "Bad use kind");
2495             break;
2496         }
2497     }
2498     
2499     void compileArithAbs()
2500     {
2501         switch (m_node->child1().useKind()) {
2502         case Int32Use: {
2503             LValue value = lowInt32(m_node->child1());
2504
2505             LValue mask = m_out.aShr(value, m_out.constInt32(31));
2506             LValue result = m_out.bitXor(mask, m_out.add(mask, value));
2507
2508             if (shouldCheckOverflow(m_node->arithMode()))
2509                 speculate(Overflow, noValue(), 0, m_out.lessThan(result, m_out.int32Zero));
2510
2511             setInt32(result);
2512             break;
2513         }
2514             
2515         case DoubleRepUse: {
2516             setDouble(m_out.doubleAbs(lowDouble(m_node->child1())));
2517             break;
2518         }
2519             
2520         default: {
2521             DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2522             LValue argument = lowJSValue(m_node->child1());
2523             LValue result = vmCall(Double, m_out.operation(operationArithAbs), m_callFrame, argument);
2524             setDouble(result);
2525             break;
2526         }
2527         }
2528     }
2529
2530     void compileArithUnary()
2531     {
2532         if (m_node->child1().useKind() == DoubleRepUse) {
2533             setDouble(m_out.doubleUnary(m_node->arithUnaryType(), lowDouble(m_node->child1())));
2534             return;
2535         }
2536         LValue argument = lowJSValue(m_node->child1());
2537         LValue result = vmCall(Double, m_out.operation(DFG::arithUnaryOperation(m_node->arithUnaryType())), m_callFrame, argument);
2538         setDouble(result);
2539     }
2540
2541     void compileArithPow()
2542     {
2543         if (m_node->child2().useKind() == Int32Use)
2544             setDouble(m_out.doublePowi(lowDouble(m_node->child1()), lowInt32(m_node->child2())));
2545         else {
2546             LValue base = lowDouble(m_node->child1());
2547             LValue exponent = lowDouble(m_node->child2());
2548
2549             LBasicBlock integerExponentIsSmallBlock = m_out.newBlock();
2550             LBasicBlock integerExponentPowBlock = m_out.newBlock();
2551             LBasicBlock doubleExponentPowBlockEntry = m_out.newBlock();
2552             LBasicBlock nanExceptionBaseIsOne = m_out.newBlock();
2553             LBasicBlock nanExceptionExponentIsInfinity = m_out.newBlock();
2554             LBasicBlock testExponentIsOneHalf = m_out.newBlock();
2555             LBasicBlock handleBaseZeroExponentIsOneHalf = m_out.newBlock();
2556             LBasicBlock handleInfinityForExponentIsOneHalf = m_out.newBlock();
2557             LBasicBlock exponentIsOneHalfNormal = m_out.newBlock();
2558             LBasicBlock exponentIsOneHalfInfinity = m_out.newBlock();
2559             LBasicBlock testExponentIsNegativeOneHalf = m_out.newBlock();
2560             LBasicBlock testBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
2561             LBasicBlock handleBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
2562             LBasicBlock handleInfinityForExponentIsNegativeOneHalf = m_out.newBlock();
2563             LBasicBlock exponentIsNegativeOneHalfNormal = m_out.newBlock();
2564             LBasicBlock exponentIsNegativeOneHalfInfinity = m_out.newBlock();
2565             LBasicBlock powBlock = m_out.newBlock();
2566             LBasicBlock nanExceptionResultIsNaN = m_out.newBlock();
2567             LBasicBlock continuation = m_out.newBlock();
2568
2569             LValue integerExponent = m_out.doubleToInt(exponent);
2570             LValue integerExponentConvertedToDouble = m_out.intToDouble(integerExponent);
2571             LValue exponentIsInteger = m_out.doubleEqual(exponent, integerExponentConvertedToDouble);
2572             m_out.branch(exponentIsInteger, unsure(integerExponentIsSmallBlock), unsure(doubleExponentPowBlockEntry));
2573
2574             LBasicBlock lastNext = m_out.appendTo(integerExponentIsSmallBlock, integerExponentPowBlock);
2575             LValue integerExponentBelowMax = m_out.belowOrEqual(integerExponent, m_out.constInt32(maxExponentForIntegerMathPow));
2576             m_out.branch(integerExponentBelowMax, usually(integerExponentPowBlock), rarely(doubleExponentPowBlockEntry));
2577
2578             m_out.appendTo(integerExponentPowBlock, doubleExponentPowBlockEntry);
2579             ValueFromBlock powDoubleIntResult = m_out.anchor(m_out.doublePowi(base, integerExponent));
2580             m_out.jump(continuation);
2581
2582             // If y is NaN, the result is NaN.
2583             m_out.appendTo(doubleExponentPowBlockEntry, nanExceptionBaseIsOne);
2584             LValue exponentIsNaN;
2585             if (provenType(m_node->child2()) & SpecDoubleNaN)
2586                 exponentIsNaN = m_out.doubleNotEqualOrUnordered(exponent, exponent);
2587             else
2588                 exponentIsNaN = m_out.booleanFalse;
2589             m_out.branch(exponentIsNaN, rarely(nanExceptionResultIsNaN), usually(nanExceptionBaseIsOne));
2590
2591             // If abs(x) is 1 and y is +infinity, the result is NaN.
2592             // If abs(x) is 1 and y is -infinity, the result is NaN.
2593
2594             //     Test if base == 1.
2595             m_out.appendTo(nanExceptionBaseIsOne, nanExceptionExponentIsInfinity);
2596             LValue absoluteBase = m_out.doubleAbs(base);
2597             LValue absoluteBaseIsOne = m_out.doubleEqual(absoluteBase, m_out.constDouble(1));
2598             m_out.branch(absoluteBaseIsOne, rarely(nanExceptionExponentIsInfinity), usually(testExponentIsOneHalf));
2599
2600             //     Test if abs(y) == Infinity.
2601             m_out.appendTo(nanExceptionExponentIsInfinity, testExponentIsOneHalf);
2602             LValue absoluteExponent = m_out.doubleAbs(exponent);
2603             LValue absoluteExponentIsInfinity = m_out.doubleEqual(absoluteExponent, m_out.constDouble(std::numeric_limits<double>::infinity()));
2604             m_out.branch(absoluteExponentIsInfinity, rarely(nanExceptionResultIsNaN), usually(testExponentIsOneHalf));
2605
2606             // If y == 0.5 or y == -0.5, handle it through SQRT.
2607             // We have be carefuly with -0 and -Infinity.
2608
2609             //     Test if y == 0.5
2610             m_out.appendTo(testExponentIsOneHalf, handleBaseZeroExponentIsOneHalf);
2611             LValue exponentIsOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(0.5));
2612             m_out.branch(exponentIsOneHalf, rarely(handleBaseZeroExponentIsOneHalf), usually(testExponentIsNegativeOneHalf));
2613
2614             //     Handle x == -0.
2615             m_out.appendTo(handleBaseZeroExponentIsOneHalf, handleInfinityForExponentIsOneHalf);
2616             LValue baseIsZeroExponentIsOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
2617             ValueFromBlock zeroResultExponentIsOneHalf = m_out.anchor(m_out.doubleZero);
2618             m_out.branch(baseIsZeroExponentIsOneHalf, rarely(continuation), usually(handleInfinityForExponentIsOneHalf));
2619
2620             //     Test if abs(x) == Infinity.
2621             m_out.appendTo(handleInfinityForExponentIsOneHalf, exponentIsOneHalfNormal);
2622             LValue absoluteBaseIsInfinityOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2623             m_out.branch(absoluteBaseIsInfinityOneHalf, rarely(exponentIsOneHalfInfinity), usually(exponentIsOneHalfNormal));
2624
2625             //     The exponent is 0.5, the base is finite or NaN, we can use SQRT.
2626             m_out.appendTo(exponentIsOneHalfNormal, exponentIsOneHalfInfinity);
2627             ValueFromBlock sqrtResult = m_out.anchor(m_out.doubleSqrt(base));
2628             m_out.jump(continuation);
2629
2630             //     The exponent is 0.5, the base is infinite, the result is always infinite.
2631             m_out.appendTo(exponentIsOneHalfInfinity, testExponentIsNegativeOneHalf);
2632             ValueFromBlock sqrtInfinityResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2633             m_out.jump(continuation);
2634
2635             //     Test if y == -0.5
2636             m_out.appendTo(testExponentIsNegativeOneHalf, testBaseZeroExponentIsNegativeOneHalf);
2637             LValue exponentIsNegativeOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(-0.5));
2638             m_out.branch(exponentIsNegativeOneHalf, rarely(testBaseZeroExponentIsNegativeOneHalf), usually(powBlock));
2639
2640             //     Handle x == -0.
2641             m_out.appendTo(testBaseZeroExponentIsNegativeOneHalf, handleBaseZeroExponentIsNegativeOneHalf);
2642             LValue baseIsZeroExponentIsNegativeOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
2643             m_out.branch(baseIsZeroExponentIsNegativeOneHalf, rarely(handleBaseZeroExponentIsNegativeOneHalf), usually(handleInfinityForExponentIsNegativeOneHalf));
2644
2645             m_out.appendTo(handleBaseZeroExponentIsNegativeOneHalf, handleInfinityForExponentIsNegativeOneHalf);
2646             ValueFromBlock oneOverSqrtZeroResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2647             m_out.jump(continuation);
2648
2649             //     Test if abs(x) == Infinity.
2650             m_out.appendTo(handleInfinityForExponentIsNegativeOneHalf, exponentIsNegativeOneHalfNormal);
2651             LValue absoluteBaseIsInfinityNegativeOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2652             m_out.branch(absoluteBaseIsInfinityNegativeOneHalf, rarely(exponentIsNegativeOneHalfInfinity), usually(exponentIsNegativeOneHalfNormal));
2653
2654             //     The exponent is -0.5, the base is finite or NaN, we can use 1/SQRT.
2655             m_out.appendTo(exponentIsNegativeOneHalfNormal, exponentIsNegativeOneHalfInfinity);
2656             LValue sqrtBase = m_out.doubleSqrt(base);
2657             ValueFromBlock oneOverSqrtResult = m_out.anchor(m_out.div(m_out.constDouble(1.), sqrtBase));
2658             m_out.jump(continuation);
2659
2660             //     The exponent is -0.5, the base is infinite, the result is always zero.
2661             m_out.appendTo(exponentIsNegativeOneHalfInfinity, powBlock);
2662             ValueFromBlock oneOverSqrtInfinityResult = m_out.anchor(m_out.doubleZero);
2663             m_out.jump(continuation);
2664
2665             m_out.appendTo(powBlock, nanExceptionResultIsNaN);
2666             ValueFromBlock powResult = m_out.anchor(m_out.doublePow(base, exponent));
2667             m_out.jump(continuation);
2668
2669             m_out.appendTo(nanExceptionResultIsNaN, continuation);
2670             ValueFromBlock pureNan = m_out.anchor(m_out.constDouble(PNaN));
2671             m_out.jump(continuation);
2672
2673             m_out.appendTo(continuation, lastNext);
2674             setDouble(m_out.phi(Double, powDoubleIntResult, zeroResultExponentIsOneHalf, sqrtResult, sqrtInfinityResult, oneOverSqrtZeroResult, oneOverSqrtResult, oneOverSqrtInfinityResult, powResult, pureNan));
2675         }
2676     }
2677
2678     void compileArithRandom()
2679     {
2680         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
2681
2682         // Inlined WeakRandom::advance().
2683         // uint64_t x = m_low;
2684         void* lowAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::lowOffset();
2685         LValue low = m_out.load64(m_out.absolute(lowAddress));
2686         // uint64_t y = m_high;
2687         void* highAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::highOffset();
2688         LValue high = m_out.load64(m_out.absolute(highAddress));
2689         // m_low = y;
2690         m_out.store64(high, m_out.absolute(lowAddress));
2691
2692         // x ^= x << 23;
2693         LValue phase1 = m_out.bitXor(m_out.shl(low, m_out.constInt64(23)), low);
2694
2695         // x ^= x >> 17;
2696         LValue phase2 = m_out.bitXor(m_out.lShr(phase1, m_out.constInt64(17)), phase1);
2697
2698         // x ^= y ^ (y >> 26);
2699         LValue phase3 = m_out.bitXor(m_out.bitXor(high, m_out.lShr(high, m_out.constInt64(26))), phase2);
2700
2701         // m_high = x;
2702         m_out.store64(phase3, m_out.absolute(highAddress));
2703
2704         // return x + y;
2705         LValue random64 = m_out.add(phase3, high);
2706
2707         // Extract random 53bit. [0, 53] bit is safe integer number ranges in double representation.
2708         LValue random53 = m_out.bitAnd(random64, m_out.constInt64((1ULL << 53) - 1));
2709
2710         LValue double53Integer = m_out.intToDouble(random53);
2711
2712         // Convert `(53bit double integer value) / (1 << 53)` to `(53bit double integer value) * (1.0 / (1 << 53))`.
2713         // In latter case, `1.0 / (1 << 53)` will become a double value represented as (mantissa = 0 & exp = 970, it means 1e-(2**54)).
2714         static const double scale = 1.0 / (1ULL << 53);
2715
2716         // Multiplying 1e-(2**54) with the double integer does not change anything of the mantissa part of the double integer.
2717         // It just reduces the exp part of the given 53bit double integer.
2718         // (Except for 0.0. This is specially handled and in this case, exp just becomes 0.)
2719         // Now we get 53bit precision random double value in [0, 1).
2720         LValue result = m_out.doubleMul(double53Integer, m_out.constDouble(scale));
2721
2722         setDouble(result);
2723     }
2724
2725     void compileArithRound()
2726     {
2727         if (m_node->child1().useKind() == DoubleRepUse) {
2728             LValue result = nullptr;
2729             if (producesInteger(m_node->arithRoundingMode()) && !shouldCheckNegativeZero(m_node->arithRoundingMode())) {
2730                 LValue value = lowDouble(m_node->child1());
2731                 result = m_out.doubleFloor(m_out.doubleAdd(value, m_out.constDouble(0.5)));
2732             } else {
2733                 LBasicBlock realPartIsMoreThanHalf = m_out.newBlock();
2734                 LBasicBlock continuation = m_out.newBlock();
2735
2736                 LValue value = lowDouble(m_node->child1());
2737                 LValue integerValue = m_out.doubleCeil(value);
2738                 ValueFromBlock integerValueResult = m_out.anchor(integerValue);
2739
2740                 LValue realPart = m_out.doubleSub(integerValue, value);
2741
2742                 m_out.branch(m_out.doubleGreaterThanOrUnordered(realPart, m_out.constDouble(0.5)), unsure(realPartIsMoreThanHalf), unsure(continuation));
2743
2744                 LBasicBlock lastNext = m_out.appendTo(realPartIsMoreThanHalf, continuation);
2745                 LValue integerValueRoundedDown = m_out.doubleSub(integerValue, m_out.constDouble(1));
2746                 ValueFromBlock integerValueRoundedDownResult = m_out.anchor(integerValueRoundedDown);
2747                 m_out.jump(continuation);
2748                 m_out.appendTo(continuation, lastNext);
2749
2750                 result = m_out.phi(Double, integerValueResult, integerValueRoundedDownResult);
2751             }
2752
2753             if (producesInteger(m_node->arithRoundingMode())) {
2754                 LValue integerValue = convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode()));
2755                 setInt32(integerValue);
2756             } else
2757                 setDouble(result);
2758             return;
2759         }
2760
2761         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2762         LValue argument = lowJSValue(m_node->child1());
2763         setJSValue(vmCall(Int64, m_out.operation(operationArithRound), m_callFrame, argument));
2764     }
2765
2766     void compileArithFloor()
2767     {
2768         if (m_node->child1().useKind() == DoubleRepUse) {
2769             LValue value = lowDouble(m_node->child1());
2770             LValue integerValue = m_out.doubleFloor(value);
2771             if (producesInteger(m_node->arithRoundingMode()))
2772                 setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2773             else
2774                 setDouble(integerValue);
2775             return;
2776         }
2777         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2778         LValue argument = lowJSValue(m_node->child1());
2779         setJSValue(vmCall(Int64, m_out.operation(operationArithFloor), m_callFrame, argument));
2780     }
2781
2782     void compileArithCeil()
2783     {
2784         if (m_node->child1().useKind() == DoubleRepUse) {
2785             LValue value = lowDouble(m_node->child1());
2786             LValue integerValue = m_out.doubleCeil(value);
2787             if (producesInteger(m_node->arithRoundingMode()))
2788                 setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2789             else
2790                 setDouble(integerValue);
2791             return;
2792         }
2793         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2794         LValue argument = lowJSValue(m_node->child1());
2795         setJSValue(vmCall(Int64, m_out.operation(operationArithCeil), m_callFrame, argument));
2796     }
2797
2798     void compileArithTrunc()
2799     {
2800         if (m_node->child1().useKind() == DoubleRepUse) {
2801             LValue value = lowDouble(m_node->child1());
2802             LValue result = m_out.doubleTrunc(value);
2803             if (producesInteger(m_node->arithRoundingMode()))
2804                 setInt32(convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2805             else
2806                 setDouble(result);
2807             return;
2808         }
2809         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2810         LValue argument = lowJSValue(m_node->child1());
2811         setJSValue(vmCall(Int64, m_out.operation(operationArithTrunc), m_callFrame, argument));
2812     }
2813
2814     void compileArithSqrt()
2815     {
2816         if (m_node->child1().useKind() == DoubleRepUse) {
2817             setDouble(m_out.doubleSqrt(lowDouble(m_node->child1())));
2818             return;
2819         }
2820         LValue argument = lowJSValue(m_node->child1());
2821         LValue result = vmCall(Double, m_out.operation(operationArithSqrt), m_callFrame, argument);
2822         setDouble(result);
2823     }
2824
2825     void compileArithFRound()
2826     {
2827         if (m_node->child1().useKind() == DoubleRepUse) {
2828             setDouble(m_out.fround(lowDouble(m_node->child1())));
2829             return;
2830         }
2831         LValue argument = lowJSValue(m_node->child1());
2832         LValue result = vmCall(Double, m_out.operation(operationArithFRound), m_callFrame, argument);
2833         setDouble(result);
2834     }
2835
2836     void compileValueNegate()
2837     {
2838         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse);
2839         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2840         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2841         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2842         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
2843         auto repatchingFunction = operationArithNegateOptimize;
2844         auto nonRepatchingFunction = operationArithNegate;
2845         compileUnaryMathIC<JITNegGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
2846     }
2847
2848     void compileArithNegate()
2849     {
2850         switch (m_node->child1().useKind()) {
2851         case Int32Use: {
2852             LValue value = lowInt32(m_node->child1());
2853             
2854             LValue result;
2855             if (!shouldCheckOverflow(m_node->arithMode()))
2856                 result = m_out.neg(value);
2857             else if (!shouldCheckNegativeZero(m_node->arithMode())) {
2858                 CheckValue* check = m_out.speculateSub(m_out.int32Zero, value);
2859                 blessSpeculation(check, Overflow, noValue(), nullptr, m_origin);
2860                 result = check;
2861             } else {
2862                 speculate(Overflow, noValue(), 0, m_out.testIsZero32(value, m_out.constInt32(0x7fffffff)));
2863                 result = m_out.neg(value);
2864             }
2865
2866             setInt32(result);
2867             break;
2868         }
2869             
2870         case Int52RepUse: {
2871             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)) {
2872                 Int52Kind kind;
2873                 LValue value = lowWhicheverInt52(m_node->child1(), kind);
2874                 LValue result = m_out.neg(value);
2875                 if (shouldCheckNegativeZero(m_node->arithMode()))
2876                     speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
2877                 setInt52(result, kind);
2878                 break;
2879             }
2880             
2881             LValue value = lowInt52(m_node->child1());
2882             CheckValue* result = m_out.speculateSub(m_out.int64Zero, value);
2883             blessSpeculation(result, Int52Overflow, noValue(), nullptr, m_origin);
2884             if (shouldCheckNegativeZero(m_node->arithMode()))
2885                 speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
2886             setInt52(result);
2887             break;
2888         }
2889             
2890         case DoubleRepUse: {
2891             setDouble(m_out.doubleNeg(lowDouble(m_node->child1())));
2892             break;
2893         }
2894             
2895         default:
2896             DFG_CRASH(m_graph, m_node, "Bad use kind");
2897             break;
2898         }
2899     }
2900     
2901     void compileValueBitNot()
2902     {
2903         if (m_node->child1().useKind() == BigIntUse) {
2904             LValue operand = lowBigInt(m_node->child1());
2905             LValue result = vmCall(pointerType(), m_out.operation(operationBitNotBigInt), m_callFrame, operand);
2906             setJSValue(result);
2907             return;
2908         }
2909
2910         LValue operand = lowJSValue(m_node->child1());
2911         LValue result = vmCall(Int64, m_out.operation(operationValueBitNot), m_callFrame, operand);
2912         setJSValue(result);
2913     }
2914
2915     void compileArithBitNot()
2916     {
2917         setInt32(m_out.bitNot(lowInt32(m_node->child1())));
2918     }
2919
2920     void compileValueBitAnd()
2921     {
2922         if (m_node->isBinaryUseKind(BigIntUse)) {
2923             LValue left = lowBigInt(m_node->child1());
2924             LValue right = lowBigInt(m_node->child2());
2925             
2926             LValue result = vmCall(pointerType(), m_out.operation(operationBitAndBigInt), m_callFrame, left, right);
2927             setJSValue(result);
2928             return;
2929         }
2930         
2931         emitBinaryBitOpSnippet<JITBitAndGenerator>(operationValueBitAnd);
2932     }
2933     
2934     void compileArithBitAnd()
2935     {
2936         setInt32(m_out.bitAnd(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2937     }
2938     
2939     void compileValueBitOr()
2940     {
2941         if (m_node->isBinaryUseKind(BigIntUse)) {
2942             LValue left = lowBigInt(m_node->child1());
2943             LValue right = lowBigInt(m_node->child2());
2944
2945             LValue result = vmCall(pointerType(), m_out.operation(operationBitOrBigInt), m_callFrame, left, right);
2946             setJSValue(result);
2947             return;
2948         }
2949
2950         emitBinaryBitOpSnippet<JITBitOrGenerator>(operationValueBitOr);
2951     }
2952
2953     void compileArithBitOr()
2954     {
2955         setInt32(m_out.bitOr(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2956     }
2957     
2958     void compileValueBitXor()
2959     {
2960         if (m_node->isBinaryUseKind(BigIntUse)) {
2961             LValue left = lowBigInt(m_node->child1());
2962             LValue right = lowBigInt(m_node->child2());
2963
2964             LValue result = vmCall(pointerType(), m_out.operation(operationBitXorBigInt), m_callFrame, left, right);
2965             setJSValue(result);
2966             return;
2967         }
2968
2969         emitBinaryBitOpSnippet<JITBitXorGenerator>(operationValueBitXor);
2970     }
2971
2972     void compileArithBitXor()
2973     {
2974         setInt32(m_out.bitXor(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2975     }
2976     
2977     void compileBitRShift()
2978     {
2979         if (m_node->isBinaryUseKind(UntypedUse)) {
2980             emitRightShiftSnippet(JITRightShiftGenerator::SignedShift);
2981             return;
2982         }
2983         setInt32(m_out.aShr(
2984             lowInt32(m_node->child1()),
2985             m_out.bitAnd(lowInt32(m_node->child2()), m_out.constInt32(31))));
2986     }
2987     
2988     void compileBitLShift()
2989     {
2990         if (m_node->isBinaryUseKind(UntypedUse)) {
2991             emitBinaryBitOpSnippet<JITLeftShiftGenerator>(operationValueBitLShift);
2992             return;
2993         }
2994         setInt32(m_out.shl(
2995             lowInt32(m_node->child1()),
2996             m_out.bitAnd(lowInt32(m_node->child2()), m_out.constInt32(31))));
2997     }
2998     
2999     void compileBitURShift()
3000     {
3001         if (m_node->isBinaryUseKind(UntypedUse)) {
3002             emitRightShiftSnippet(JITRightShiftGenerator::UnsignedShift);
3003             return;
3004         }
3005         setInt32(m_out.lShr(
3006             lowInt32(m_node->child1()),
3007             m_out.bitAnd(lowInt32(m_node->child2()), m_out.constInt32(31))));
3008     }
3009     
3010     void compileUInt32ToNumber()
3011     {
3012         LValue value = lowInt32(m_node->child1());
3013
3014         if (doesOverflow(m_node->arithMode())) {
3015             setStrictInt52(m_out.zeroExtPtr(value));
3016             return;
3017         }
3018
3019         speculate(Overflow, noValue(), 0, m_out.lessThan(value, m_out.int32Zero));
3020         setInt32(value);
3021     }
3022     
3023     void compileCheckStructure()
3024     {
3025         ExitKind exitKind;
3026         if (m_node->child1()->hasConstant())
3027             exitKind = BadConstantCache;
3028         else
3029             exitKind = BadCache;
3030
3031         switch (m_node->child1().useKind()) {
3032         case CellUse:
3033         case KnownCellUse: {
3034             LValue cell = lowCell(m_node->child1());
3035             
3036             checkStructure(
3037                 m_out.load32(cell, m_heaps.JSCell_structureID), jsValueValue(cell),
3038                 exitKind, m_node->structureSet(),
3039                 [&] (RegisteredStructure structure) {
3040                     return weakStructureID(structure);
3041                 });
3042             return;
3043         }
3044
3045         case CellOrOtherUse: {
3046             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
3047
3048             LBasicBlock cellCase = m_out.newBlock();
3049             LBasicBlock notCellCase = m_out.newBlock();
3050             LBasicBlock continuation = m_out.newBlock();
3051
3052             m_out.branch(
3053                 isCell(value, provenType(m_node->child1())), unsure(cellCase), unsure(notCellCase));
3054
3055             LBasicBlock lastNext = m_out.appendTo(cellCase, notCellCase);
3056             checkStructure(
3057                 m_out.load32(value, m_heaps.JSCell_structureID), jsValueValue(value),
3058                 exitKind, m_node->structureSet(),
3059                 [&] (RegisteredStructure structure) {
3060                     return weakStructureID(structure);
3061                 });
3062             m_out.jump(continuation);
3063
3064             m_out.appendTo(notCellCase, continuation);
3065             FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), SpecCell | SpecOther, isNotOther(value));
3066             m_out.jump(continuation);
3067
3068             m_out.appendTo(continuation, lastNext);
3069             return;
3070         }
3071
3072         default:
3073             DFG_CRASH(m_graph, m_node, "Bad use kind");
3074             return;
3075         }
3076     }
3077
3078     void compileCheckStructureOrEmpty()
3079     {
3080         ExitKind exitKind;
3081         if (m_node->child1()->hasConstant())
3082             exitKind = BadConstantCache;
3083         else
3084             exitKind = BadCache;
3085
3086         LValue cell = lowCell(m_node->child1());
3087         bool maySeeEmptyValue = m_interpreter.forNode(m_node->child1()).m_type & SpecEmpty;
3088         LBasicBlock notEmpty;
3089         LBasicBlock continuation;
3090         LBasicBlock lastNext;
3091         if (maySeeEmptyValue) {
3092             notEmpty = m_out.newBlock();
3093             continuation = m_out.newBlock();
3094             m_out.branch(m_out.isZero64(cell), unsure(continuation), unsure(notEmpty));
3095             lastNext = m_out.appendTo(notEmpty, continuation);
3096         }
3097
3098         checkStructure(
3099             m_out.load32(cell, m_heaps.JSCell_structureID), jsValueValue(cell),
3100             exitKind, m_node->structureSet(),
3101             [&] (RegisteredStructure structure) {
3102                 return weakStructureID(structure);
3103             });
3104
3105         if (maySeeEmptyValue) {
3106             m_out.jump(continuation);
3107             m_out.appendTo(continuation, lastNext);
3108         }
3109     }
3110     
3111     void compileCheckCell()
3112     {
3113         LValue cell = lowCell(m_node->child1());
3114         
3115         speculate(
3116             BadCell, jsValueValue(cell), m_node->child1().node(),
3117             m_out.notEqual(cell, weakPointer(m_node->cellOperand()->cell())));
3118     }
3119     
3120     void compileCheckBadCell()
3121     {
3122         terminate(BadCell);
3123     }
3124
3125     void compileCheckNotEmpty()
3126     {
3127         speculate(TDZFailure, noValue(), nullptr, m_out.isZero64(lowJSValue(m_node->child1())));
3128     }
3129
3130     void compileAssertNotEmpty()
3131     {
3132         if (!validationEnabled())
3133             return;
3134
3135         LValue val = lowJSValue(m_node->child1());
3136         PatchpointValue* patchpoint = m_out.patchpoint(Void);
3137         patchpoint->appendSomeRegister(val);
3138         patchpoint->setGenerator(
3139             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
3140                 AllowMacroScratchRegisterUsage allowScratch(jit);
3141                 GPRReg input =  params[0].gpr();
3142                 CCallHelpers::Jump done = jit.branchIfNotEmpty(input);
3143                 jit.breakpoint();
3144                 done.link(&jit);
3145             });
3146     }
3147
3148     void compileCheckStringIdent()
3149     {
3150         UniquedStringImpl* uid = m_node->uidOperand();
3151         LValue stringImpl = lowStringIdent(m_node->child1());
3152         speculate(BadIdent, noValue(), nullptr, m_out.notEqual(stringImpl, m_out.constIntPtr(uid)));
3153     }
3154
3155     void compileGetExecutable()