[JSC] DFG should respect node's strict flag
[WebKit-https.git] / Source / JavaScriptCore / ftl / FTLLowerDFGToB3.cpp
1 /*
2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "FTLLowerDFGToB3.h"
28
29 #if ENABLE(FTL_JIT)
30
31 #include "AirCode.h"
32 #include "AirGenerationContext.h"
33 #include "AllowMacroScratchRegisterUsage.h"
34 #include "AllowMacroScratchRegisterUsageIf.h"
35 #include "AtomicsObject.h"
36 #include "B3CheckValue.h"
37 #include "B3FenceValue.h"
38 #include "B3PatchpointValue.h"
39 #include "B3SlotBaseValue.h"
40 #include "B3StackmapGenerationParams.h"
41 #include "B3ValueInlines.h"
42 #include "CallFrameShuffler.h"
43 #include "CodeBlockWithJITType.h"
44 #include "DFGAbstractInterpreterInlines.h"
45 #include "DFGCapabilities.h"
46 #include "DFGDoesGC.h"
47 #include "DFGDominators.h"
48 #include "DFGInPlaceAbstractState.h"
49 #include "DFGLivenessAnalysisPhase.h"
50 #include "DFGMayExit.h"
51 #include "DFGOSRAvailabilityAnalysisPhase.h"
52 #include "DFGOSRExitFuzz.h"
53 #include "DirectArguments.h"
54 #include "FTLAbstractHeapRepository.h"
55 #include "FTLAvailableRecovery.h"
56 #include "FTLExceptionTarget.h"
57 #include "FTLForOSREntryJITCode.h"
58 #include "FTLFormattedValue.h"
59 #include "FTLLazySlowPathCall.h"
60 #include "FTLLoweredNodeValue.h"
61 #include "FTLOperations.h"
62 #include "FTLOutput.h"
63 #include "FTLPatchpointExceptionHandle.h"
64 #include "FTLSnippetParams.h"
65 #include "FTLThunks.h"
66 #include "FTLWeightedTarget.h"
67 #include "JITAddGenerator.h"
68 #include "JITBitAndGenerator.h"
69 #include "JITBitOrGenerator.h"
70 #include "JITBitXorGenerator.h"
71 #include "JITDivGenerator.h"
72 #include "JITInlineCacheGenerator.h"
73 #include "JITLeftShiftGenerator.h"
74 #include "JITMathIC.h"
75 #include "JITMulGenerator.h"
76 #include "JITRightShiftGenerator.h"
77 #include "JITSubGenerator.h"
78 #include "JSAsyncFunction.h"
79 #include "JSAsyncGeneratorFunction.h"
80 #include "JSCInlines.h"
81 #include "JSGeneratorFunction.h"
82 #include "JSImmutableButterfly.h"
83 #include "JSLexicalEnvironment.h"
84 #include "JSMap.h"
85 #include "OperandsInlines.h"
86 #include "ProbeContext.h"
87 #include "RegExpObject.h"
88 #include "ScopedArguments.h"
89 #include "ScopedArgumentsTable.h"
90 #include "ScratchRegisterAllocator.h"
91 #include "SetupVarargsFrame.h"
92 #include "ShadowChicken.h"
93 #include "StructureStubInfo.h"
94 #include "SuperSampler.h"
95 #include "ThunkGenerators.h"
96 #include "VirtualRegister.h"
97 #include "Watchdog.h"
98 #include <atomic>
99 #include <wtf/Box.h>
100 #include <wtf/Gigacage.h>
101 #include <wtf/RecursableLambda.h>
102 #include <wtf/StdUnorderedSet.h>
103
104 #undef RELEASE_ASSERT
105 #define RELEASE_ASSERT(assertion) do { \
106     if (!(assertion)) { \
107         WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, #assertion); \
108         CRASH(); \
109     } \
110 } while (0)
111
112 namespace JSC { namespace FTL {
113
114 using namespace B3;
115 using namespace DFG;
116
117 namespace {
118
119 std::atomic<int> compileCounter;
120
121 #if !ASSERT_DISABLED
122 NO_RETURN_DUE_TO_CRASH static void ftlUnreachable(
123     CodeBlock* codeBlock, BlockIndex blockIndex, unsigned nodeIndex)
124 {
125     dataLog("Crashing in thought-to-be-unreachable FTL-generated code for ", pointerDump(codeBlock), " at basic block #", blockIndex);
126     if (nodeIndex != UINT_MAX)
127         dataLog(", node @", nodeIndex);
128     dataLog(".\n");
129     CRASH();
130 }
131 #endif
132
133 // Using this instead of typeCheck() helps to reduce the load on B3, by creating
134 // significantly less dead code.
135 #define FTL_TYPE_CHECK_WITH_EXIT_KIND(exitKind, lowValue, highValue, typesPassedThrough, failCondition) do { \
136         FormattedValue _ftc_lowValue = (lowValue);                      \
137         Edge _ftc_highValue = (highValue);                              \
138         SpeculatedType _ftc_typesPassedThrough = (typesPassedThrough);  \
139         if (!m_interpreter.needsTypeCheck(_ftc_highValue, _ftc_typesPassedThrough)) \
140             break;                                                      \
141         typeCheck(_ftc_lowValue, _ftc_highValue, _ftc_typesPassedThrough, (failCondition), exitKind); \
142     } while (false)
143
144 #define FTL_TYPE_CHECK(lowValue, highValue, typesPassedThrough, failCondition) \
145     FTL_TYPE_CHECK_WITH_EXIT_KIND(BadType, lowValue, highValue, typesPassedThrough, failCondition)
146
147 class LowerDFGToB3 {
148     WTF_MAKE_NONCOPYABLE(LowerDFGToB3);
149 public:
150     LowerDFGToB3(State& state)
151         : m_graph(state.graph)
152         , m_ftlState(state)
153         , m_out(state)
154         , m_proc(*state.proc)
155         , m_availabilityCalculator(m_graph)
156         , m_state(state.graph)
157         , m_interpreter(state.graph, m_state)
158         , m_indexMaskingMode(Options::enableSpectreMitigations() ?  IndexMaskingEnabled : IndexMaskingDisabled)
159     {
160         if (Options::validateAbstractInterpreterState()) {
161             performLivenessAnalysis(m_graph);
162
163             // We only use node liveness here, not combined liveness, as we only track
164             // AI state for live nodes.
165             for (DFG::BasicBlock* block : m_graph.blocksInNaturalOrder()) {
166                 NodeSet live;
167
168                 for (NodeFlowProjection node : block->ssa->liveAtTail) {
169                     if (node.kind() == NodeFlowProjection::Primary)
170                         live.addVoid(node.node());
171                 }
172
173                 for (unsigned i = block->size(); i--; ) {
174                     Node* node = block->at(i);
175                     live.remove(node);
176                     m_graph.doToChildren(node, [&] (Edge child) {
177                         live.addVoid(child.node());
178                     });
179                     m_liveInToNode.add(node, live);
180                 }
181             }
182         }
183     }
184     
185     void lower()
186     {
187         State* state = &m_ftlState;
188         
189         CString name;
190         if (verboseCompilationEnabled()) {
191             name = toCString(
192                 "jsBody_", ++compileCounter, "_", codeBlock()->inferredName(),
193                 "_", codeBlock()->hash());
194         } else
195             name = "jsBody";
196
197         {
198             m_proc.setNumEntrypoints(m_graph.m_numberOfEntrypoints);
199             CodeBlock* codeBlock = m_graph.m_codeBlock;
200
201             Ref<B3::Air::PrologueGenerator> catchPrologueGenerator = createSharedTask<B3::Air::PrologueGeneratorFunction>(
202                 [codeBlock] (CCallHelpers& jit, B3::Air::Code& code) {
203                     AllowMacroScratchRegisterUsage allowScratch(jit);
204                     jit.addPtr(CCallHelpers::TrustedImm32(-code.frameSize()), GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister);
205                     if (Options::zeroStackFrame())
206                         jit.clearStackFrame(GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister, GPRInfo::regT0, code.frameSize());
207
208                     jit.emitSave(code.calleeSaveRegisterAtOffsetList());
209                     jit.emitPutToCallFrameHeader(codeBlock, CallFrameSlot::codeBlock);
210                 });
211
212             for (unsigned catchEntrypointIndex : m_graph.m_entrypointIndexToCatchBytecodeOffset.keys()) {
213                 RELEASE_ASSERT(catchEntrypointIndex != 0);
214                 m_proc.code().setPrologueForEntrypoint(catchEntrypointIndex, catchPrologueGenerator.copyRef());
215             }
216
217             if (m_graph.m_maxLocalsForCatchOSREntry) {
218                 uint32_t numberOfLiveLocals = std::max(*m_graph.m_maxLocalsForCatchOSREntry, 1u); // Make sure we always allocate a non-null catchOSREntryBuffer.
219                 m_ftlState.jitCode->common.catchOSREntryBuffer = m_graph.m_vm.scratchBufferForSize(sizeof(JSValue) * numberOfLiveLocals);
220             }
221         }
222         
223         m_graph.ensureSSADominators();
224
225         if (verboseCompilationEnabled())
226             dataLog("Function ready, beginning lowering.\n");
227
228         m_out.initialize(m_heaps);
229
230         // We use prologue frequency for all of the initialization code.
231         m_out.setFrequency(1);
232         
233         bool hasMultipleEntrypoints = m_graph.m_numberOfEntrypoints > 1;
234     
235         LBasicBlock prologue = m_out.newBlock();
236         LBasicBlock callEntrypointArgumentSpeculations = hasMultipleEntrypoints ? m_out.newBlock() : nullptr;
237         m_handleExceptions = m_out.newBlock();
238
239         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
240             m_highBlock = m_graph.block(blockIndex);
241             if (!m_highBlock)
242                 continue;
243             m_out.setFrequency(m_highBlock->executionCount);
244             m_blocks.add(m_highBlock, m_out.newBlock());
245         }
246
247         // Back to prologue frequency for any bocks that get sneakily created in the initialization code.
248         m_out.setFrequency(1);
249         
250         m_out.appendTo(prologue, hasMultipleEntrypoints ? callEntrypointArgumentSpeculations : m_handleExceptions);
251         m_out.initializeConstants(m_proc, prologue);
252         createPhiVariables();
253
254         size_t sizeOfCaptured = sizeof(JSValue) * m_graph.m_nextMachineLocal;
255         B3::SlotBaseValue* capturedBase = m_out.lockedStackSlot(sizeOfCaptured);
256         m_captured = m_out.add(capturedBase, m_out.constIntPtr(sizeOfCaptured));
257         state->capturedValue = capturedBase->slot();
258
259         auto preOrder = m_graph.blocksInPreOrder();
260
261         m_callFrame = m_out.framePointer();
262         m_tagTypeNumber = m_out.constInt64(TagTypeNumber);
263         m_tagMask = m_out.constInt64(TagMask);
264
265         // Make sure that B3 knows that we really care about the mask registers. This forces the
266         // constants to be materialized in registers.
267         m_proc.addFastConstant(m_tagTypeNumber->key());
268         m_proc.addFastConstant(m_tagMask->key());
269         
270         // We don't want the CodeBlock to have a weak pointer to itself because
271         // that would cause it to always get collected.
272         m_out.storePtr(m_out.constIntPtr(bitwise_cast<intptr_t>(codeBlock())), addressFor(CallFrameSlot::codeBlock));
273
274         VM* vm = &this->vm();
275
276         // Stack Overflow Check.
277         unsigned exitFrameSize = m_graph.requiredRegisterCountForExit() * sizeof(Register);
278         MacroAssembler::AbsoluteAddress addressOfStackLimit(vm->addressOfSoftStackLimit());
279         PatchpointValue* stackOverflowHandler = m_out.patchpoint(Void);
280         CallSiteIndex callSiteIndex = callSiteIndexForCodeOrigin(m_ftlState, CodeOrigin(0));
281         stackOverflowHandler->appendSomeRegister(m_callFrame);
282         stackOverflowHandler->clobber(RegisterSet::macroScratchRegisters());
283         stackOverflowHandler->numGPScratchRegisters = 1;
284         stackOverflowHandler->setGenerator(
285             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
286                 AllowMacroScratchRegisterUsage allowScratch(jit);
287                 GPRReg fp = params[0].gpr();
288                 GPRReg scratch = params.gpScratch(0);
289
290                 unsigned ftlFrameSize = params.proc().frameSize();
291                 unsigned maxFrameSize = std::max(exitFrameSize, ftlFrameSize);
292
293                 jit.addPtr(MacroAssembler::TrustedImm32(-maxFrameSize), fp, scratch);
294                 MacroAssembler::JumpList stackOverflow;
295                 if (UNLIKELY(maxFrameSize > Options::reservedZoneSize()))
296                     stackOverflow.append(jit.branchPtr(MacroAssembler::Above, scratch, fp));
297                 stackOverflow.append(jit.branchPtr(MacroAssembler::Above, addressOfStackLimit, scratch));
298
299                 params.addLatePath([=] (CCallHelpers& jit) {
300                     AllowMacroScratchRegisterUsage allowScratch(jit);
301
302                     stackOverflow.link(&jit);
303                     
304                     // FIXME: We would not have to do this if the stack check was part of the Air
305                     // prologue. Then, we would know that there is no way for the callee-saves to
306                     // get clobbered.
307                     // https://bugs.webkit.org/show_bug.cgi?id=172456
308                     jit.emitRestore(params.proc().calleeSaveRegisterAtOffsetList());
309                     
310                     jit.store32(
311                         MacroAssembler::TrustedImm32(callSiteIndex.bits()),
312                         CCallHelpers::tagFor(VirtualRegister(CallFrameSlot::argumentCount)));
313                     jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(vm->topEntryFrame);
314
315                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
316                     jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()), GPRInfo::argumentGPR1);
317                     CCallHelpers::Call throwCall = jit.call(OperationPtrTag);
318
319                     jit.move(CCallHelpers::TrustedImmPtr(vm), GPRInfo::argumentGPR0);
320                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
321                     CCallHelpers::Call lookupExceptionHandlerCall = jit.call(OperationPtrTag);
322                     jit.jumpToExceptionHandler(*vm);
323
324                     jit.addLinkTask(
325                         [=] (LinkBuffer& linkBuffer) {
326                             linkBuffer.link(throwCall, FunctionPtr<OperationPtrTag>(operationThrowStackOverflowError));
327                             linkBuffer.link(lookupExceptionHandlerCall, FunctionPtr<OperationPtrTag>(lookupExceptionHandlerFromCallerFrame));
328                     });
329                 });
330             });
331
332         LBasicBlock firstDFGBasicBlock = lowBlock(m_graph.block(0));
333
334         {
335             if (hasMultipleEntrypoints) {
336                 Vector<LBasicBlock> successors(m_graph.m_numberOfEntrypoints);
337                 successors[0] = callEntrypointArgumentSpeculations;
338                 for (unsigned i = 1; i < m_graph.m_numberOfEntrypoints; ++i) {
339                     // Currently, the only other entrypoint is an op_catch entrypoint.
340                     // We do OSR entry at op_catch, and we prove argument formats before
341                     // jumping to FTL code, so we don't need to check argument types here
342                     // for these entrypoints.
343                     successors[i] = firstDFGBasicBlock;
344                 }
345                 
346                 m_out.entrySwitch(successors);
347                 m_out.appendTo(callEntrypointArgumentSpeculations, m_handleExceptions);
348             }
349
350             m_node = nullptr;
351             m_origin = NodeOrigin(CodeOrigin(0), CodeOrigin(0), true);
352
353             // Check Arguments.
354             availabilityMap().clear();
355             availabilityMap().m_locals = Operands<Availability>(codeBlock()->numParameters(), 0);
356             for (unsigned i = codeBlock()->numParameters(); i--;) {
357                 availabilityMap().m_locals.argument(i) =
358                     Availability(FlushedAt(FlushedJSValue, virtualRegisterForArgument(i)));
359             }
360
361             for (unsigned i = codeBlock()->numParameters(); i--;) {
362                 MethodOfGettingAValueProfile profile(&m_graph.m_profiledBlock->valueProfileForArgument(i));
363                 VirtualRegister operand = virtualRegisterForArgument(i);
364                 LValue jsValue = m_out.load64(addressFor(operand));
365                 
366                 switch (m_graph.m_argumentFormats[0][i]) {
367                 case FlushedInt32:
368                     speculate(BadType, jsValueValue(jsValue), profile, isNotInt32(jsValue));
369                     break;
370                 case FlushedBoolean:
371                     speculate(BadType, jsValueValue(jsValue), profile, isNotBoolean(jsValue));
372                     break;
373                 case FlushedCell:
374                     speculate(BadType, jsValueValue(jsValue), profile, isNotCell(jsValue));
375                     break;
376                 case FlushedJSValue:
377                     break;
378                 default:
379                     DFG_CRASH(m_graph, nullptr, "Bad flush format for argument");
380                     break;
381                 }
382             }
383             m_out.jump(firstDFGBasicBlock);
384         }
385
386
387         m_out.appendTo(m_handleExceptions, firstDFGBasicBlock);
388         Box<CCallHelpers::Label> exceptionHandler = state->exceptionHandler;
389         m_out.patchpoint(Void)->setGenerator(
390             [=] (CCallHelpers& jit, const StackmapGenerationParams&) {
391                 CCallHelpers::Jump jump = jit.jump();
392                 jit.addLinkTask(
393                     [=] (LinkBuffer& linkBuffer) {
394                         linkBuffer.link(jump, linkBuffer.locationOf<ExceptionHandlerPtrTag>(*exceptionHandler));
395                     });
396             });
397         m_out.unreachable();
398
399         for (DFG::BasicBlock* block : preOrder)
400             compileBlock(block);
401
402         // Make sure everything is decorated. This does a bunch of deferred decorating. This has
403         // to happen last because our abstract heaps are generated lazily. They have to be
404         // generated lazily because we have an infinite number of numbered, indexed, and
405         // absolute heaps. We only become aware of the ones we actually mention while lowering.
406         m_heaps.computeRangesAndDecorateInstructions();
407
408         // We create all Phi's up front, but we may then decide not to compile the basic block
409         // that would have contained one of them. So this creates orphans, which triggers B3
410         // validation failures. Calling this fixes the issue.
411         //
412         // Note that you should avoid the temptation to make this call conditional upon
413         // validation being enabled. B3 makes no guarantees of any kind of correctness when
414         // dealing with IR that would have failed validation. For example, it would be valid to
415         // write a B3 phase that so aggressively assumes the lack of orphans that it would crash
416         // if any orphans were around. We might even have such phases already.
417         m_proc.deleteOrphans();
418
419         // We put the blocks into the B3 procedure in a super weird order. Now we reorder them.
420         m_out.applyBlockOrder();
421     }
422
423 private:
424     
425     void createPhiVariables()
426     {
427         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
428             DFG::BasicBlock* block = m_graph.block(blockIndex);
429             if (!block)
430                 continue;
431             for (unsigned nodeIndex = block->size(); nodeIndex--;) {
432                 Node* node = block->at(nodeIndex);
433                 if (node->op() != DFG::Phi)
434                     continue;
435                 LType type;
436                 switch (node->flags() & NodeResultMask) {
437                 case NodeResultDouble:
438                     type = Double;
439                     break;
440                 case NodeResultInt32:
441                     type = Int32;
442                     break;
443                 case NodeResultInt52:
444                     type = Int64;
445                     break;
446                 case NodeResultBoolean:
447                     type = Int32;
448                     break;
449                 case NodeResultJS:
450                     type = Int64;
451                     break;
452                 default:
453                     DFG_CRASH(m_graph, node, "Bad Phi node result type");
454                     break;
455                 }
456                 m_phis.add(node, m_proc.add<Value>(B3::Phi, type, Origin(node)));
457             }
458         }
459     }
460     
461     void compileBlock(DFG::BasicBlock* block)
462     {
463         if (!block)
464             return;
465         
466         if (verboseCompilationEnabled())
467             dataLog("Compiling block ", *block, "\n");
468         
469         m_highBlock = block;
470         
471         // Make sure that any blocks created while lowering code in the high block have the frequency of
472         // the high block. This is appropriate because B3 doesn't need precise frequencies. It just needs
473         // something roughly approximate for things like register allocation.
474         m_out.setFrequency(m_highBlock->executionCount);
475         
476         LBasicBlock lowBlock = m_blocks.get(m_highBlock);
477         
478         m_nextHighBlock = 0;
479         for (BlockIndex nextBlockIndex = m_highBlock->index + 1; nextBlockIndex < m_graph.numBlocks(); ++nextBlockIndex) {
480             m_nextHighBlock = m_graph.block(nextBlockIndex);
481             if (m_nextHighBlock)
482                 break;
483         }
484         m_nextLowBlock = m_nextHighBlock ? m_blocks.get(m_nextHighBlock) : 0;
485         
486         // All of this effort to find the next block gives us the ability to keep the
487         // generated IR in roughly program order. This ought not affect the performance
488         // of the generated code (since we expect B3 to reorder things) but it will
489         // make IR dumps easier to read.
490         m_out.appendTo(lowBlock, m_nextLowBlock);
491         
492         if (Options::ftlCrashes())
493             m_out.trap();
494         
495         if (!m_highBlock->cfaHasVisited) {
496             if (verboseCompilationEnabled())
497                 dataLog("Bailing because CFA didn't reach.\n");
498             crash(m_highBlock, nullptr);
499             return;
500         }
501
502         m_aiCheckedNodes.clear();
503         
504         m_availabilityCalculator.beginBlock(m_highBlock);
505         
506         m_state.reset();
507         m_state.beginBasicBlock(m_highBlock);
508         
509         for (m_nodeIndex = 0; m_nodeIndex < m_highBlock->size(); ++m_nodeIndex) {
510             if (!compileNode(m_nodeIndex))
511                 break;
512         }
513     }
514
515     void safelyInvalidateAfterTermination()
516     {
517         if (verboseCompilationEnabled())
518             dataLog("Bailing.\n");
519         crash();
520
521         // Invalidate dominated blocks. Under normal circumstances we would expect
522         // them to be invalidated already. But you can have the CFA become more
523         // precise over time because the structures of objects change on the main
524         // thread. Failing to do this would result in weird crashes due to a value
525         // being used but not defined. Race conditions FTW!
526         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
527             DFG::BasicBlock* target = m_graph.block(blockIndex);
528             if (!target)
529                 continue;
530             if (m_graph.m_ssaDominators->dominates(m_highBlock, target)) {
531                 if (verboseCompilationEnabled())
532                     dataLog("Block ", *target, " will bail also.\n");
533                 target->cfaHasVisited = false;
534             }
535         }
536     }
537
538     void validateAIState(Node* node)
539     {
540         if (!m_graphDump) {
541             StringPrintStream out;
542             m_graph.dump(out);
543             m_graphDump = out.toString();
544         }
545
546         switch (node->op()) {
547         case MovHint:
548         case ZombieHint:
549         case JSConstant:
550         case LazyJSConstant:
551         case DoubleConstant:
552         case Int52Constant:
553         case GetStack:
554         case PutStack:
555         case KillStack:
556         case ExitOK:
557             return;
558         default:
559             break;
560         }
561
562         // Before we execute node.
563         NodeSet& live = m_liveInToNode.find(node)->value;
564         unsigned highParentIndex = node->index();
565         {
566             uint64_t hash = WTF::intHash(highParentIndex);
567             if (hash >= static_cast<uint64_t>((static_cast<double>(std::numeric_limits<unsigned>::max()) + 1) * Options::validateAbstractInterpreterStateProbability()))
568                 return;
569         }
570
571         for (Node* node : live) {
572             if (node->isPhantomAllocation())
573                 continue;
574
575             if (node->op() == CheckInBounds)
576                 continue;
577
578             AbstractValue value = m_interpreter.forNode(node);
579             {
580                 auto iter = m_aiCheckedNodes.find(node);
581                 if (iter != m_aiCheckedNodes.end()) {
582                     AbstractValue checkedValue = iter->value;
583                     if (checkedValue == value) {
584                         if (!(value.m_type & SpecCell))
585                             continue;
586                     }
587                 }
588                 m_aiCheckedNodes.set(node, value);
589             }
590
591             FlushFormat flushFormat;
592             LValue input;
593             if (node->hasJSResult()) {
594                 input = lowJSValue(Edge(node, UntypedUse));
595                 flushFormat = FlushedJSValue;
596             } else if (node->hasDoubleResult()) {
597                 input = lowDouble(Edge(node, DoubleRepUse));
598                 flushFormat = FlushedDouble;
599             } else if (node->hasInt52Result()) {
600                 input = strictInt52ToJSValue(lowStrictInt52(Edge(node, Int52RepUse)));
601                 flushFormat = FlushedInt52;
602             } else
603                 continue;
604
605             unsigned highChildIndex = node->index();
606
607             String graphDump = m_graphDump;
608
609             PatchpointValue* patchpoint = m_out.patchpoint(Void);
610             patchpoint->effects = Effects::none();
611             patchpoint->effects.writesLocalState = true;
612             patchpoint->appendSomeRegister(input);
613             patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
614                 GPRReg reg = InvalidGPRReg;
615                 FPRReg fpReg = InvalidFPRReg;
616                 if (flushFormat == FlushedDouble)
617                     fpReg = params[0].fpr();
618                 else
619                     reg = params[0].gpr();
620                 jit.probe([=] (Probe::Context& context) {
621                     JSValue input;
622                     double doubleInput;
623
624                     auto dumpAndCrash = [&] {
625                         dataLogLn("Validation failed at node: @", highParentIndex);
626                         dataLogLn("Failed validating live value: @", highChildIndex);
627                         dataLogLn();
628                         dataLogLn("Expected AI value = ", value);
629                         if (flushFormat != FlushedDouble)
630                             dataLogLn("Unexpected value = ", input);
631                         else
632                             dataLogLn("Unexpected double value = ", doubleInput);
633                         dataLogLn();
634                         dataLogLn(graphDump);
635                         CRASH();
636                     };
637
638                     if (flushFormat == FlushedDouble) {
639                         doubleInput = context.fpr(fpReg);
640                         SpeculatedType type;
641                         if (!std::isnan(doubleInput))
642                             type = speculationFromValue(jsDoubleNumber(doubleInput));
643                         else if (isImpureNaN(doubleInput))
644                             type = SpecDoubleImpureNaN;
645                         else
646                             type = SpecDoublePureNaN;
647
648                         if (!value.couldBeType(type))
649                             dumpAndCrash();
650                     } else {
651                         input = JSValue::decode(context.gpr(reg)); 
652                         if (flushFormat == FlushedInt52) {
653                             RELEASE_ASSERT(input.isAnyInt());
654                             input = jsDoubleNumber(input.asAnyInt());
655                         }
656                         if (!value.validateOSREntryValue(input, flushFormat))
657                             dumpAndCrash();
658                     }
659
660                 });
661             });
662         }
663     }
664
665     bool compileNode(unsigned nodeIndex)
666     {
667         if (!m_state.isValid()) {
668             safelyInvalidateAfterTermination();
669             return false;
670         }
671         
672         m_node = m_highBlock->at(nodeIndex);
673         m_origin = m_node->origin;
674         m_out.setOrigin(m_node);
675         
676         if (verboseCompilationEnabled())
677             dataLog("Lowering ", m_node, "\n");
678         
679         m_interpreter.startExecuting();
680         m_interpreter.executeKnownEdgeTypes(m_node);
681
682         if (Options::validateAbstractInterpreterState())
683             validateAIState(m_node);
684
685         if (validateDFGDoesGC) {
686             bool expectDoesGC = doesGC(m_graph, m_node);
687             m_out.store(m_out.constBool(expectDoesGC), m_out.absolute(vm().heap.addressOfExpectDoesGC()));
688         }
689
690         switch (m_node->op()) {
691         case DFG::Upsilon:
692             compileUpsilon();
693             break;
694         case DFG::Phi:
695             compilePhi();
696             break;
697         case JSConstant:
698             break;
699         case DoubleConstant:
700             compileDoubleConstant();
701             break;
702         case Int52Constant:
703             compileInt52Constant();
704             break;
705         case LazyJSConstant:
706             compileLazyJSConstant();
707             break;
708         case DoubleRep:
709             compileDoubleRep();
710             break;
711         case DoubleAsInt32:
712             compileDoubleAsInt32();
713             break;
714         case DFG::ValueRep:
715             compileValueRep();
716             break;
717         case Int52Rep:
718             compileInt52Rep();
719             break;
720         case ValueToInt32:
721             compileValueToInt32();
722             break;
723         case BooleanToNumber:
724             compileBooleanToNumber();
725             break;
726         case ExtractOSREntryLocal:
727             compileExtractOSREntryLocal();
728             break;
729         case ExtractCatchLocal:
730             compileExtractCatchLocal();
731             break;
732         case ClearCatchLocals:
733             compileClearCatchLocals();
734             break;
735         case GetStack:
736             compileGetStack();
737             break;
738         case PutStack:
739             compilePutStack();
740             break;
741         case DFG::Check:
742         case CheckVarargs:
743             compileNoOp();
744             break;
745         case ToObject:
746         case CallObjectConstructor:
747             compileToObjectOrCallObjectConstructor();
748             break;
749         case ToThis:
750             compileToThis();
751             break;
752         case ValueNegate:
753             compileValueNegate();
754             break;
755         case ValueAdd:
756             compileValueAdd();
757             break;
758         case ValueSub:
759             compileValueSub();
760             break;
761         case ValueMul:
762             compileValueMul();
763             break;
764         case StrCat:
765             compileStrCat();
766             break;
767         case ArithAdd:
768         case ArithSub:
769             compileArithAddOrSub();
770             break;
771         case ArithClz32:
772             compileArithClz32();
773             break;
774         case ArithMul:
775             compileArithMul();
776             break;
777         case ValueDiv:
778             compileValueDiv();
779             break;
780         case ArithDiv:
781             compileArithDiv();
782             break;
783         case ArithMod:
784             compileArithMod();
785             break;
786         case ArithMin:
787         case ArithMax:
788             compileArithMinOrMax();
789             break;
790         case ArithAbs:
791             compileArithAbs();
792             break;
793         case ArithPow:
794             compileArithPow();
795             break;
796         case ArithRandom:
797             compileArithRandom();
798             break;
799         case ArithRound:
800             compileArithRound();
801             break;
802         case ArithFloor:
803             compileArithFloor();
804             break;
805         case ArithCeil:
806             compileArithCeil();
807             break;
808         case ArithTrunc:
809             compileArithTrunc();
810             break;
811         case ArithSqrt:
812             compileArithSqrt();
813             break;
814         case ArithFRound:
815             compileArithFRound();
816             break;
817         case ArithNegate:
818             compileArithNegate();
819             break;
820         case ArithUnary:
821             compileArithUnary();
822             break;
823         case ValueBitNot:
824             compileValueBitNot();
825             break;
826         case ArithBitNot:
827             compileArithBitNot();
828             break;
829         case ValueBitAnd:
830             compileValueBitAnd();
831             break;
832         case ArithBitAnd:
833             compileArithBitAnd();
834             break;
835         case ValueBitOr:
836             compileValueBitOr();
837             break;
838         case ArithBitOr:
839             compileArithBitOr();
840             break;
841         case ArithBitXor:
842             compileArithBitXor();
843             break;
844         case ValueBitXor:
845             compileValueBitXor();
846             break;
847         case BitRShift:
848             compileBitRShift();
849             break;
850         case BitLShift:
851             compileBitLShift();
852             break;
853         case BitURShift:
854             compileBitURShift();
855             break;
856         case UInt32ToNumber:
857             compileUInt32ToNumber();
858             break;
859         case CheckStructure:
860             compileCheckStructure();
861             break;
862         case CheckStructureOrEmpty:
863             compileCheckStructureOrEmpty();
864             break;
865         case CheckCell:
866             compileCheckCell();
867             break;
868         case CheckNotEmpty:
869             compileCheckNotEmpty();
870             break;
871         case AssertNotEmpty:
872             compileAssertNotEmpty();
873             break;
874         case CheckBadCell:
875             compileCheckBadCell();
876             break;
877         case CheckStringIdent:
878             compileCheckStringIdent();
879             break;
880         case GetExecutable:
881             compileGetExecutable();
882             break;
883         case Arrayify:
884         case ArrayifyToStructure:
885             compileArrayify();
886             break;
887         case PutStructure:
888             compilePutStructure();
889             break;
890         case TryGetById:
891             compileGetById(AccessType::TryGet);
892             break;
893         case GetById:
894         case GetByIdFlush:
895             compileGetById(AccessType::Get);
896             break;
897         case GetByIdWithThis:
898             compileGetByIdWithThis();
899             break;
900         case GetByIdDirect:
901         case GetByIdDirectFlush:
902             compileGetById(AccessType::GetDirect);
903             break;
904         case InById:
905             compileInById();
906             break;
907         case InByVal:
908             compileInByVal();
909             break;
910         case HasOwnProperty:
911             compileHasOwnProperty();
912             break;
913         case PutById:
914         case PutByIdDirect:
915         case PutByIdFlush:
916             compilePutById();
917             break;
918         case PutByIdWithThis:
919             compilePutByIdWithThis();
920             break;
921         case PutGetterById:
922         case PutSetterById:
923             compilePutAccessorById();
924             break;
925         case PutGetterSetterById:
926             compilePutGetterSetterById();
927             break;
928         case PutGetterByVal:
929         case PutSetterByVal:
930             compilePutAccessorByVal();
931             break;
932         case DeleteById:
933             compileDeleteById();
934             break;
935         case DeleteByVal:
936             compileDeleteByVal();
937             break;
938         case GetButterfly:
939             compileGetButterfly();
940             break;
941         case ConstantStoragePointer:
942             compileConstantStoragePointer();
943             break;
944         case GetIndexedPropertyStorage:
945             compileGetIndexedPropertyStorage();
946             break;
947         case CheckArray:
948             compileCheckArray();
949             break;
950         case GetArrayLength:
951             compileGetArrayLength();
952             break;
953         case GetVectorLength:
954             compileGetVectorLength();
955             break;
956         case CheckInBounds:
957             compileCheckInBounds();
958             break;
959         case GetByVal:
960             compileGetByVal();
961             break;
962         case GetMyArgumentByVal:
963         case GetMyArgumentByValOutOfBounds:
964             compileGetMyArgumentByVal();
965             break;
966         case GetByValWithThis:
967             compileGetByValWithThis();
968             break;
969         case PutByVal:
970         case PutByValAlias:
971         case PutByValDirect:
972             compilePutByVal();
973             break;
974         case PutByValWithThis:
975             compilePutByValWithThis();
976             break;
977         case AtomicsAdd:
978         case AtomicsAnd:
979         case AtomicsCompareExchange:
980         case AtomicsExchange:
981         case AtomicsLoad:
982         case AtomicsOr:
983         case AtomicsStore:
984         case AtomicsSub:
985         case AtomicsXor:
986             compileAtomicsReadModifyWrite();
987             break;
988         case AtomicsIsLockFree:
989             compileAtomicsIsLockFree();
990             break;
991         case DefineDataProperty:
992             compileDefineDataProperty();
993             break;
994         case DefineAccessorProperty:
995             compileDefineAccessorProperty();
996             break;
997         case ArrayPush:
998             compileArrayPush();
999             break;
1000         case ArrayPop:
1001             compileArrayPop();
1002             break;
1003         case ArraySlice:
1004             compileArraySlice();
1005             break;
1006         case ArrayIndexOf:
1007             compileArrayIndexOf();
1008             break;
1009         case CreateActivation:
1010             compileCreateActivation();
1011             break;
1012         case PushWithScope:
1013             compilePushWithScope();
1014             break;
1015         case NewFunction:
1016         case NewGeneratorFunction:
1017         case NewAsyncGeneratorFunction:
1018         case NewAsyncFunction:
1019             compileNewFunction();
1020             break;
1021         case CreateDirectArguments:
1022             compileCreateDirectArguments();
1023             break;
1024         case CreateScopedArguments:
1025             compileCreateScopedArguments();
1026             break;
1027         case CreateClonedArguments:
1028             compileCreateClonedArguments();
1029             break;
1030         case ObjectCreate:
1031             compileObjectCreate();
1032             break;
1033         case ObjectKeys:
1034             compileObjectKeys();
1035             break;
1036         case NewObject:
1037             compileNewObject();
1038             break;
1039         case NewStringObject:
1040             compileNewStringObject();
1041             break;
1042         case NewSymbol:
1043             compileNewSymbol();
1044             break;
1045         case NewArray:
1046             compileNewArray();
1047             break;
1048         case NewArrayWithSpread:
1049             compileNewArrayWithSpread();
1050             break;
1051         case CreateThis:
1052             compileCreateThis();
1053             break;
1054         case Spread:
1055             compileSpread();
1056             break;
1057         case NewArrayBuffer:
1058             compileNewArrayBuffer();
1059             break;
1060         case NewArrayWithSize:
1061             compileNewArrayWithSize();
1062             break;
1063         case NewTypedArray:
1064             compileNewTypedArray();
1065             break;
1066         case GetTypedArrayByteOffset:
1067             compileGetTypedArrayByteOffset();
1068             break;
1069         case GetPrototypeOf:
1070             compileGetPrototypeOf();
1071             break;
1072         case AllocatePropertyStorage:
1073             compileAllocatePropertyStorage();
1074             break;
1075         case ReallocatePropertyStorage:
1076             compileReallocatePropertyStorage();
1077             break;
1078         case NukeStructureAndSetButterfly:
1079             compileNukeStructureAndSetButterfly();
1080             break;
1081         case ToNumber:
1082             compileToNumber();
1083             break;
1084         case ToString:
1085         case CallStringConstructor:
1086         case StringValueOf:
1087             compileToStringOrCallStringConstructorOrStringValueOf();
1088             break;
1089         case ToPrimitive:
1090             compileToPrimitive();
1091             break;
1092         case MakeRope:
1093             compileMakeRope();
1094             break;
1095         case StringCharAt:
1096             compileStringCharAt();
1097             break;
1098         case StringCharCodeAt:
1099             compileStringCharCodeAt();
1100             break;
1101         case StringFromCharCode:
1102             compileStringFromCharCode();
1103             break;
1104         case GetByOffset:
1105         case GetGetterSetterByOffset:
1106             compileGetByOffset();
1107             break;
1108         case GetGetter:
1109             compileGetGetter();
1110             break;
1111         case GetSetter:
1112             compileGetSetter();
1113             break;
1114         case MultiGetByOffset:
1115             compileMultiGetByOffset();
1116             break;
1117         case PutByOffset:
1118             compilePutByOffset();
1119             break;
1120         case MultiPutByOffset:
1121             compileMultiPutByOffset();
1122             break;
1123         case MatchStructure:
1124             compileMatchStructure();
1125             break;
1126         case GetGlobalVar:
1127         case GetGlobalLexicalVariable:
1128             compileGetGlobalVariable();
1129             break;
1130         case PutGlobalVariable:
1131             compilePutGlobalVariable();
1132             break;
1133         case NotifyWrite:
1134             compileNotifyWrite();
1135             break;
1136         case GetCallee:
1137             compileGetCallee();
1138             break;
1139         case SetCallee:
1140             compileSetCallee();
1141             break;
1142         case GetArgumentCountIncludingThis:
1143             compileGetArgumentCountIncludingThis();
1144             break;
1145         case SetArgumentCountIncludingThis:
1146             compileSetArgumentCountIncludingThis();
1147             break;
1148         case GetScope:
1149             compileGetScope();
1150             break;
1151         case SkipScope:
1152             compileSkipScope();
1153             break;
1154         case GetGlobalObject:
1155             compileGetGlobalObject();
1156             break;
1157         case GetGlobalThis:
1158             compileGetGlobalThis();
1159             break;
1160         case GetClosureVar:
1161             compileGetClosureVar();
1162             break;
1163         case PutClosureVar:
1164             compilePutClosureVar();
1165             break;
1166         case GetFromArguments:
1167             compileGetFromArguments();
1168             break;
1169         case PutToArguments:
1170             compilePutToArguments();
1171             break;
1172         case GetArgument:
1173             compileGetArgument();
1174             break;
1175         case CompareEq:
1176             compileCompareEq();
1177             break;
1178         case CompareStrictEq:
1179             compileCompareStrictEq();
1180             break;
1181         case CompareLess:
1182             compileCompareLess();
1183             break;
1184         case CompareLessEq:
1185             compileCompareLessEq();
1186             break;
1187         case CompareGreater:
1188             compileCompareGreater();
1189             break;
1190         case CompareGreaterEq:
1191             compileCompareGreaterEq();
1192             break;
1193         case CompareBelow:
1194             compileCompareBelow();
1195             break;
1196         case CompareBelowEq:
1197             compileCompareBelowEq();
1198             break;
1199         case CompareEqPtr:
1200             compileCompareEqPtr();
1201             break;
1202         case SameValue:
1203             compileSameValue();
1204             break;
1205         case LogicalNot:
1206             compileLogicalNot();
1207             break;
1208         case Call:
1209         case TailCallInlinedCaller:
1210         case Construct:
1211             compileCallOrConstruct();
1212             break;
1213         case DirectCall:
1214         case DirectTailCallInlinedCaller:
1215         case DirectConstruct:
1216         case DirectTailCall:
1217             compileDirectCallOrConstruct();
1218             break;
1219         case TailCall:
1220             compileTailCall();
1221             break;
1222         case CallVarargs:
1223         case CallForwardVarargs:
1224         case TailCallVarargs:
1225         case TailCallVarargsInlinedCaller:
1226         case TailCallForwardVarargs:
1227         case TailCallForwardVarargsInlinedCaller:
1228         case ConstructVarargs:
1229         case ConstructForwardVarargs:
1230             compileCallOrConstructVarargs();
1231             break;
1232         case CallEval:
1233             compileCallEval();
1234             break;
1235         case LoadVarargs:
1236             compileLoadVarargs();
1237             break;
1238         case ForwardVarargs:
1239             compileForwardVarargs();
1240             break;
1241         case DFG::Jump:
1242             compileJump();
1243             break;
1244         case DFG::Branch:
1245             compileBranch();
1246             break;
1247         case DFG::Switch:
1248             compileSwitch();
1249             break;
1250         case DFG::EntrySwitch:
1251             compileEntrySwitch();
1252             break;
1253         case DFG::Return:
1254             compileReturn();
1255             break;
1256         case ForceOSRExit:
1257             compileForceOSRExit();
1258             break;
1259         case CPUIntrinsic:
1260 #if CPU(X86_64)
1261             compileCPUIntrinsic();
1262 #else
1263             RELEASE_ASSERT_NOT_REACHED();
1264 #endif
1265             break;
1266         case Throw:
1267             compileThrow();
1268             break;
1269         case ThrowStaticError:
1270             compileThrowStaticError();
1271             break;
1272         case InvalidationPoint:
1273             compileInvalidationPoint();
1274             break;
1275         case IsEmpty:
1276             compileIsEmpty();
1277             break;
1278         case IsUndefined:
1279             compileIsUndefined();
1280             break;
1281         case IsUndefinedOrNull:
1282             compileIsUndefinedOrNull();
1283             break;
1284         case IsBoolean:
1285             compileIsBoolean();
1286             break;
1287         case IsNumber:
1288             compileIsNumber();
1289             break;
1290         case NumberIsInteger:
1291             compileNumberIsInteger();
1292             break;
1293         case IsCellWithType:
1294             compileIsCellWithType();
1295             break;
1296         case MapHash:
1297             compileMapHash();
1298             break;
1299         case NormalizeMapKey:
1300             compileNormalizeMapKey();
1301             break;
1302         case GetMapBucket:
1303             compileGetMapBucket();
1304             break;
1305         case GetMapBucketHead:
1306             compileGetMapBucketHead();
1307             break;
1308         case GetMapBucketNext:
1309             compileGetMapBucketNext();
1310             break;
1311         case LoadKeyFromMapBucket:
1312             compileLoadKeyFromMapBucket();
1313             break;
1314         case LoadValueFromMapBucket:
1315             compileLoadValueFromMapBucket();
1316             break;
1317         case ExtractValueFromWeakMapGet:
1318             compileExtractValueFromWeakMapGet();
1319             break;
1320         case SetAdd:
1321             compileSetAdd();
1322             break;
1323         case MapSet:
1324             compileMapSet();
1325             break;
1326         case WeakMapGet:
1327             compileWeakMapGet();
1328             break;
1329         case WeakSetAdd:
1330             compileWeakSetAdd();
1331             break;
1332         case WeakMapSet:
1333             compileWeakMapSet();
1334             break;
1335         case IsObject:
1336             compileIsObject();
1337             break;
1338         case IsObjectOrNull:
1339             compileIsObjectOrNull();
1340             break;
1341         case IsFunction:
1342             compileIsFunction();
1343             break;
1344         case IsTypedArrayView:
1345             compileIsTypedArrayView();
1346             break;
1347         case ParseInt:
1348             compileParseInt();
1349             break;
1350         case TypeOf:
1351             compileTypeOf();
1352             break;
1353         case CheckTypeInfoFlags:
1354             compileCheckTypeInfoFlags();
1355             break;
1356         case OverridesHasInstance:
1357             compileOverridesHasInstance();
1358             break;
1359         case InstanceOf:
1360             compileInstanceOf();
1361             break;
1362         case InstanceOfCustom:
1363             compileInstanceOfCustom();
1364             break;
1365         case CountExecution:
1366             compileCountExecution();
1367             break;
1368         case SuperSamplerBegin:
1369             compileSuperSamplerBegin();
1370             break;
1371         case SuperSamplerEnd:
1372             compileSuperSamplerEnd();
1373             break;
1374         case StoreBarrier:
1375         case FencedStoreBarrier:
1376             compileStoreBarrier();
1377             break;
1378         case HasIndexedProperty:
1379             compileHasIndexedProperty();
1380             break;
1381         case HasGenericProperty:
1382             compileHasGenericProperty();
1383             break;
1384         case HasStructureProperty:
1385             compileHasStructureProperty();
1386             break;
1387         case GetDirectPname:
1388             compileGetDirectPname();
1389             break;
1390         case GetEnumerableLength:
1391             compileGetEnumerableLength();
1392             break;
1393         case GetPropertyEnumerator:
1394             compileGetPropertyEnumerator();
1395             break;
1396         case GetEnumeratorStructurePname:
1397             compileGetEnumeratorStructurePname();
1398             break;
1399         case GetEnumeratorGenericPname:
1400             compileGetEnumeratorGenericPname();
1401             break;
1402         case ToIndexString:
1403             compileToIndexString();
1404             break;
1405         case CheckStructureImmediate:
1406             compileCheckStructureImmediate();
1407             break;
1408         case MaterializeNewObject:
1409             compileMaterializeNewObject();
1410             break;
1411         case MaterializeCreateActivation:
1412             compileMaterializeCreateActivation();
1413             break;
1414         case CheckTraps:
1415             compileCheckTraps();
1416             break;
1417         case CreateRest:
1418             compileCreateRest();
1419             break;
1420         case GetRestLength:
1421             compileGetRestLength();
1422             break;
1423         case RegExpExec:
1424             compileRegExpExec();
1425             break;
1426         case RegExpExecNonGlobalOrSticky:
1427             compileRegExpExecNonGlobalOrSticky();
1428             break;
1429         case RegExpTest:
1430             compileRegExpTest();
1431             break;
1432         case RegExpMatchFast:
1433             compileRegExpMatchFast();
1434             break;
1435         case RegExpMatchFastGlobal:
1436             compileRegExpMatchFastGlobal();
1437             break;
1438         case NewRegexp:
1439             compileNewRegexp();
1440             break;
1441         case SetFunctionName:
1442             compileSetFunctionName();
1443             break;
1444         case StringReplace:
1445         case StringReplaceRegExp:
1446             compileStringReplace();
1447             break;
1448         case GetRegExpObjectLastIndex:
1449             compileGetRegExpObjectLastIndex();
1450             break;
1451         case SetRegExpObjectLastIndex:
1452             compileSetRegExpObjectLastIndex();
1453             break;
1454         case LogShadowChickenPrologue:
1455             compileLogShadowChickenPrologue();
1456             break;
1457         case LogShadowChickenTail:
1458             compileLogShadowChickenTail();
1459             break;
1460         case RecordRegExpCachedResult:
1461             compileRecordRegExpCachedResult();
1462             break;
1463         case ResolveScopeForHoistingFuncDeclInEval:
1464             compileResolveScopeForHoistingFuncDeclInEval();
1465             break;
1466         case ResolveScope:
1467             compileResolveScope();
1468             break;
1469         case GetDynamicVar:
1470             compileGetDynamicVar();
1471             break;
1472         case PutDynamicVar:
1473             compilePutDynamicVar();
1474             break;
1475         case Unreachable:
1476             compileUnreachable();
1477             break;
1478         case StringSlice:
1479             compileStringSlice();
1480             break;
1481         case ToLowerCase:
1482             compileToLowerCase();
1483             break;
1484         case NumberToStringWithRadix:
1485             compileNumberToStringWithRadix();
1486             break;
1487         case NumberToStringWithValidRadixConstant:
1488             compileNumberToStringWithValidRadixConstant();
1489             break;
1490         case CheckSubClass:
1491             compileCheckSubClass();
1492             break;
1493         case CallDOM:
1494             compileCallDOM();
1495             break;
1496         case CallDOMGetter:
1497             compileCallDOMGetter();
1498             break;
1499         case FilterCallLinkStatus:
1500         case FilterGetByIdStatus:
1501         case FilterPutByIdStatus:
1502         case FilterInByIdStatus:
1503             compileFilterICStatus();
1504             break;
1505         case DataViewGetInt:
1506         case DataViewGetFloat:
1507             compileDataViewGet();
1508             break;
1509         case DataViewSet:
1510             compileDataViewSet();
1511             break;
1512
1513         case PhantomLocal:
1514         case LoopHint:
1515         case MovHint:
1516         case ZombieHint:
1517         case ExitOK:
1518         case PhantomNewObject:
1519         case PhantomNewFunction:
1520         case PhantomNewGeneratorFunction:
1521         case PhantomNewAsyncGeneratorFunction:
1522         case PhantomNewAsyncFunction:
1523         case PhantomCreateActivation:
1524         case PhantomDirectArguments:
1525         case PhantomCreateRest:
1526         case PhantomSpread:
1527         case PhantomNewArrayWithSpread:
1528         case PhantomNewArrayBuffer:
1529         case PhantomClonedArguments:
1530         case PhantomNewRegexp:
1531         case PutHint:
1532         case BottomValue:
1533         case KillStack:
1534         case InitializeEntrypointArguments:
1535             break;
1536         default:
1537             DFG_CRASH(m_graph, m_node, "Unrecognized node in FTL backend");
1538             break;
1539         }
1540         
1541         if (m_node->isTerminal())
1542             return false;
1543         
1544         if (!m_state.isValid()) {
1545             safelyInvalidateAfterTermination();
1546             return false;
1547         }
1548
1549         m_availabilityCalculator.executeNode(m_node);
1550         m_interpreter.executeEffects(nodeIndex);
1551         
1552         return true;
1553     }
1554
1555     void compileUpsilon()
1556     {
1557         LValue upsilonValue = nullptr;
1558         switch (m_node->child1().useKind()) {
1559         case DoubleRepUse:
1560             upsilonValue = lowDouble(m_node->child1());
1561             break;
1562         case Int32Use:
1563         case KnownInt32Use:
1564             upsilonValue = lowInt32(m_node->child1());
1565             break;
1566         case Int52RepUse:
1567             upsilonValue = lowInt52(m_node->child1());
1568             break;
1569         case BooleanUse:
1570         case KnownBooleanUse:
1571             upsilonValue = lowBoolean(m_node->child1());
1572             break;
1573         case CellUse:
1574         case KnownCellUse:
1575             upsilonValue = lowCell(m_node->child1());
1576             break;
1577         case UntypedUse:
1578             upsilonValue = lowJSValue(m_node->child1());
1579             break;
1580         default:
1581             DFG_CRASH(m_graph, m_node, "Bad use kind");
1582             break;
1583         }
1584         ValueFromBlock upsilon = m_out.anchor(upsilonValue);
1585         LValue phiNode = m_phis.get(m_node->phi());
1586         m_out.addIncomingToPhi(phiNode, upsilon);
1587     }
1588     
1589     void compilePhi()
1590     {
1591         LValue phi = m_phis.get(m_node);
1592         m_out.m_block->append(phi);
1593
1594         switch (m_node->flags() & NodeResultMask) {
1595         case NodeResultDouble:
1596             setDouble(phi);
1597             break;
1598         case NodeResultInt32:
1599             setInt32(phi);
1600             break;
1601         case NodeResultInt52:
1602             setInt52(phi);
1603             break;
1604         case NodeResultBoolean:
1605             setBoolean(phi);
1606             break;
1607         case NodeResultJS:
1608             setJSValue(phi);
1609             break;
1610         default:
1611             DFG_CRASH(m_graph, m_node, "Bad result type");
1612             break;
1613         }
1614     }
1615     
1616     void compileDoubleConstant()
1617     {
1618         setDouble(m_out.constDouble(m_node->asNumber()));
1619     }
1620     
1621     void compileInt52Constant()
1622     {
1623         int64_t value = m_node->asAnyInt();
1624         
1625         setInt52(m_out.constInt64(value << JSValue::int52ShiftAmount));
1626         setStrictInt52(m_out.constInt64(value));
1627     }
1628
1629     void compileLazyJSConstant()
1630     {
1631         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
1632         LazyJSValue value = m_node->lazyJSValue();
1633         patchpoint->setGenerator(
1634             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
1635                 value.emit(jit, JSValueRegs(params[0].gpr()));
1636             });
1637         patchpoint->effects = Effects::none();
1638         setJSValue(patchpoint);
1639     }
1640
1641     void compileDoubleRep()
1642     {
1643         switch (m_node->child1().useKind()) {
1644         case RealNumberUse: {
1645             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1646             
1647             LValue doubleValue = unboxDouble(value);
1648             
1649             LBasicBlock intCase = m_out.newBlock();
1650             LBasicBlock continuation = m_out.newBlock();
1651             
1652             ValueFromBlock fastResult = m_out.anchor(doubleValue);
1653             m_out.branch(
1654                 m_out.doubleEqual(doubleValue, doubleValue),
1655                 usually(continuation), rarely(intCase));
1656             
1657             LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
1658
1659             FTL_TYPE_CHECK(
1660                 jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
1661                 isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
1662             ValueFromBlock slowResult = m_out.anchor(m_out.intToDouble(unboxInt32(value)));
1663             m_out.jump(continuation);
1664             
1665             m_out.appendTo(continuation, lastNext);
1666             
1667             setDouble(m_out.phi(Double, fastResult, slowResult));
1668             return;
1669         }
1670             
1671         case NotCellUse:
1672         case NumberUse: {
1673             bool shouldConvertNonNumber = m_node->child1().useKind() == NotCellUse;
1674             
1675             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1676
1677             LBasicBlock intCase = m_out.newBlock();
1678             LBasicBlock doubleTesting = m_out.newBlock();
1679             LBasicBlock doubleCase = m_out.newBlock();
1680             LBasicBlock nonDoubleCase = m_out.newBlock();
1681             LBasicBlock continuation = m_out.newBlock();
1682             
1683             m_out.branch(
1684                 isNotInt32(value, provenType(m_node->child1())),
1685                 unsure(doubleTesting), unsure(intCase));
1686             
1687             LBasicBlock lastNext = m_out.appendTo(intCase, doubleTesting);
1688             
1689             ValueFromBlock intToDouble = m_out.anchor(
1690                 m_out.intToDouble(unboxInt32(value)));
1691             m_out.jump(continuation);
1692             
1693             m_out.appendTo(doubleTesting, doubleCase);
1694             LValue valueIsNumber = isNumber(value, provenType(m_node->child1()));
1695             m_out.branch(valueIsNumber, usually(doubleCase), rarely(nonDoubleCase));
1696
1697             m_out.appendTo(doubleCase, nonDoubleCase);
1698             ValueFromBlock unboxedDouble = m_out.anchor(unboxDouble(value));
1699             m_out.jump(continuation);
1700
1701             if (shouldConvertNonNumber) {
1702                 LBasicBlock undefinedCase = m_out.newBlock();
1703                 LBasicBlock testNullCase = m_out.newBlock();
1704                 LBasicBlock nullCase = m_out.newBlock();
1705                 LBasicBlock testBooleanTrueCase = m_out.newBlock();
1706                 LBasicBlock convertBooleanTrueCase = m_out.newBlock();
1707                 LBasicBlock convertBooleanFalseCase = m_out.newBlock();
1708
1709                 m_out.appendTo(nonDoubleCase, undefinedCase);
1710                 LValue valueIsUndefined = m_out.equal(value, m_out.constInt64(ValueUndefined));
1711                 m_out.branch(valueIsUndefined, unsure(undefinedCase), unsure(testNullCase));
1712
1713                 m_out.appendTo(undefinedCase, testNullCase);
1714                 ValueFromBlock convertedUndefined = m_out.anchor(m_out.constDouble(PNaN));
1715                 m_out.jump(continuation);
1716
1717                 m_out.appendTo(testNullCase, nullCase);
1718                 LValue valueIsNull = m_out.equal(value, m_out.constInt64(ValueNull));
1719                 m_out.branch(valueIsNull, unsure(nullCase), unsure(testBooleanTrueCase));
1720
1721                 m_out.appendTo(nullCase, testBooleanTrueCase);
1722                 ValueFromBlock convertedNull = m_out.anchor(m_out.constDouble(0));
1723                 m_out.jump(continuation);
1724
1725                 m_out.appendTo(testBooleanTrueCase, convertBooleanTrueCase);
1726                 LValue valueIsBooleanTrue = m_out.equal(value, m_out.constInt64(ValueTrue));
1727                 m_out.branch(valueIsBooleanTrue, unsure(convertBooleanTrueCase), unsure(convertBooleanFalseCase));
1728
1729                 m_out.appendTo(convertBooleanTrueCase, convertBooleanFalseCase);
1730                 ValueFromBlock convertedTrue = m_out.anchor(m_out.constDouble(1));
1731                 m_out.jump(continuation);
1732
1733                 m_out.appendTo(convertBooleanFalseCase, continuation);
1734
1735                 LValue valueIsNotBooleanFalse = m_out.notEqual(value, m_out.constInt64(ValueFalse));
1736                 FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), ~SpecCellCheck, valueIsNotBooleanFalse);
1737                 ValueFromBlock convertedFalse = m_out.anchor(m_out.constDouble(0));
1738                 m_out.jump(continuation);
1739
1740                 m_out.appendTo(continuation, lastNext);
1741                 setDouble(m_out.phi(Double, intToDouble, unboxedDouble, convertedUndefined, convertedNull, convertedTrue, convertedFalse));
1742                 return;
1743             }
1744             m_out.appendTo(nonDoubleCase, continuation);
1745             FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), SpecBytecodeNumber, m_out.booleanTrue);
1746             m_out.unreachable();
1747
1748             m_out.appendTo(continuation, lastNext);
1749
1750             setDouble(m_out.phi(Double, intToDouble, unboxedDouble));
1751             return;
1752         }
1753             
1754         case Int52RepUse: {
1755             setDouble(strictInt52ToDouble(lowStrictInt52(m_node->child1())));
1756             return;
1757         }
1758             
1759         default:
1760             DFG_CRASH(m_graph, m_node, "Bad use kind");
1761         }
1762     }
1763
1764     void compileDoubleAsInt32()
1765     {
1766         LValue integerValue = convertDoubleToInt32(lowDouble(m_node->child1()), shouldCheckNegativeZero(m_node->arithMode()));
1767         setInt32(integerValue);
1768     }
1769
1770     void compileValueRep()
1771     {
1772         switch (m_node->child1().useKind()) {
1773         case DoubleRepUse: {
1774             LValue value = lowDouble(m_node->child1());
1775             
1776             if (m_interpreter.needsTypeCheck(m_node->child1(), ~SpecDoubleImpureNaN)) {
1777                 value = m_out.select(
1778                     m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN));
1779             }
1780             
1781             setJSValue(boxDouble(value));
1782             return;
1783         }
1784             
1785         case Int52RepUse: {
1786             setJSValue(strictInt52ToJSValue(lowStrictInt52(m_node->child1())));
1787             return;
1788         }
1789             
1790         default:
1791             DFG_CRASH(m_graph, m_node, "Bad use kind");
1792         }
1793     }
1794     
1795     void compileInt52Rep()
1796     {
1797         switch (m_node->child1().useKind()) {
1798         case Int32Use:
1799             setStrictInt52(m_out.signExt32To64(lowInt32(m_node->child1())));
1800             return;
1801             
1802         case AnyIntUse:
1803             setStrictInt52(
1804                 jsValueToStrictInt52(
1805                     m_node->child1(), lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1806             return;
1807             
1808         case DoubleRepAnyIntUse:
1809             setStrictInt52(
1810                 doubleToStrictInt52(
1811                     m_node->child1(), lowDouble(m_node->child1())));
1812             return;
1813             
1814         default:
1815             RELEASE_ASSERT_NOT_REACHED();
1816         }
1817     }
1818     
1819     void compileValueToInt32()
1820     {
1821         switch (m_node->child1().useKind()) {
1822         case Int52RepUse:
1823             setInt32(m_out.castToInt32(lowStrictInt52(m_node->child1())));
1824             break;
1825             
1826         case DoubleRepUse:
1827             setInt32(doubleToInt32(lowDouble(m_node->child1())));
1828             break;
1829             
1830         case NumberUse:
1831         case NotCellUse: {
1832             LoweredNodeValue value = m_int32Values.get(m_node->child1().node());
1833             if (isValid(value)) {
1834                 setInt32(value.value());
1835                 break;
1836             }
1837             
1838             value = m_jsValueValues.get(m_node->child1().node());
1839             if (isValid(value)) {
1840                 setInt32(numberOrNotCellToInt32(m_node->child1(), value.value()));
1841                 break;
1842             }
1843             
1844             // We'll basically just get here for constants. But it's good to have this
1845             // catch-all since we often add new representations into the mix.
1846             setInt32(
1847                 numberOrNotCellToInt32(
1848                     m_node->child1(),
1849                     lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1850             break;
1851         }
1852             
1853         default:
1854             DFG_CRASH(m_graph, m_node, "Bad use kind");
1855             break;
1856         }
1857     }
1858     
1859     void compileBooleanToNumber()
1860     {
1861         switch (m_node->child1().useKind()) {
1862         case BooleanUse: {
1863             setInt32(m_out.zeroExt(lowBoolean(m_node->child1()), Int32));
1864             return;
1865         }
1866             
1867         case UntypedUse: {
1868             LValue value = lowJSValue(m_node->child1());
1869             
1870             if (!m_interpreter.needsTypeCheck(m_node->child1(), SpecBoolInt32 | SpecBoolean)) {
1871                 setInt32(m_out.bitAnd(m_out.castToInt32(value), m_out.int32One));
1872                 return;
1873             }
1874             
1875             LBasicBlock booleanCase = m_out.newBlock();
1876             LBasicBlock continuation = m_out.newBlock();
1877             
1878             ValueFromBlock notBooleanResult = m_out.anchor(value);
1879             m_out.branch(
1880                 isBoolean(value, provenType(m_node->child1())),
1881                 unsure(booleanCase), unsure(continuation));
1882             
1883             LBasicBlock lastNext = m_out.appendTo(booleanCase, continuation);
1884             ValueFromBlock booleanResult = m_out.anchor(m_out.bitOr(
1885                 m_out.zeroExt(unboxBoolean(value), Int64), m_tagTypeNumber));
1886             m_out.jump(continuation);
1887             
1888             m_out.appendTo(continuation, lastNext);
1889             setJSValue(m_out.phi(Int64, booleanResult, notBooleanResult));
1890             return;
1891         }
1892             
1893         default:
1894             RELEASE_ASSERT_NOT_REACHED();
1895             return;
1896         }
1897     }
1898
1899     void compileExtractOSREntryLocal()
1900     {
1901         EncodedJSValue* buffer = static_cast<EncodedJSValue*>(
1902             m_ftlState.jitCode->ftlForOSREntry()->entryBuffer()->dataBuffer());
1903         setJSValue(m_out.load64(m_out.absolute(buffer + m_node->unlinkedLocal().toLocal())));
1904     }
1905
1906     void compileExtractCatchLocal()
1907     {
1908         EncodedJSValue* buffer = static_cast<EncodedJSValue*>(m_ftlState.jitCode->common.catchOSREntryBuffer->dataBuffer());
1909         setJSValue(m_out.load64(m_out.absolute(buffer + m_node->catchOSREntryIndex())));
1910     }
1911
1912     void compileClearCatchLocals()
1913     {
1914         ScratchBuffer* scratchBuffer = m_ftlState.jitCode->common.catchOSREntryBuffer;
1915         ASSERT(scratchBuffer);
1916         m_out.storePtr(m_out.constIntPtr(0), m_out.absolute(scratchBuffer->addressOfActiveLength()));
1917     }
1918     
1919     void compileGetStack()
1920     {
1921         StackAccessData* data = m_node->stackAccessData();
1922         AbstractValue& value = m_state.operand(data->local);
1923         
1924         DFG_ASSERT(m_graph, m_node, isConcrete(data->format), data->format);
1925         
1926         if (data->format == FlushedDouble)
1927             setDouble(m_out.loadDouble(addressFor(data->machineLocal)));
1928         else if (isInt32Speculation(value.m_type))
1929             setInt32(m_out.load32(payloadFor(data->machineLocal)));
1930         else
1931             setJSValue(m_out.load64(addressFor(data->machineLocal)));
1932     }
1933     
1934     void compilePutStack()
1935     {
1936         StackAccessData* data = m_node->stackAccessData();
1937         switch (data->format) {
1938         case FlushedJSValue: {
1939             LValue value = lowJSValue(m_node->child1());
1940             m_out.store64(value, addressFor(data->machineLocal));
1941             break;
1942         }
1943             
1944         case FlushedDouble: {
1945             LValue value = lowDouble(m_node->child1());
1946             m_out.storeDouble(value, addressFor(data->machineLocal));
1947             break;
1948         }
1949             
1950         case FlushedInt32: {
1951             LValue value = lowInt32(m_node->child1());
1952             m_out.store32(value, payloadFor(data->machineLocal));
1953             break;
1954         }
1955             
1956         case FlushedInt52: {
1957             LValue value = lowInt52(m_node->child1());
1958             m_out.store64(value, addressFor(data->machineLocal));
1959             break;
1960         }
1961             
1962         case FlushedCell: {
1963             LValue value = lowCell(m_node->child1());
1964             m_out.store64(value, addressFor(data->machineLocal));
1965             break;
1966         }
1967             
1968         case FlushedBoolean: {
1969             speculateBoolean(m_node->child1());
1970             m_out.store64(
1971                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
1972                 addressFor(data->machineLocal));
1973             break;
1974         }
1975             
1976         default:
1977             DFG_CRASH(m_graph, m_node, "Bad flush format");
1978             break;
1979         }
1980     }
1981     
1982     void compileNoOp()
1983     {
1984         DFG_NODE_DO_TO_CHILDREN(m_graph, m_node, speculate);
1985     }
1986
1987     void compileToObjectOrCallObjectConstructor()
1988     {
1989         LValue value = lowJSValue(m_node->child1());
1990
1991         LBasicBlock isCellCase = m_out.newBlock();
1992         LBasicBlock slowCase = m_out.newBlock();
1993         LBasicBlock continuation = m_out.newBlock();
1994
1995         m_out.branch(isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
1996
1997         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
1998         ValueFromBlock fastResult = m_out.anchor(value);
1999         m_out.branch(isObject(value), usually(continuation), rarely(slowCase));
2000
2001         m_out.appendTo(slowCase, continuation);
2002
2003         ValueFromBlock slowResult;
2004         if (m_node->op() == ToObject) {
2005             auto* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
2006             slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationToObject), m_callFrame, weakPointer(globalObject), value, m_out.constIntPtr(m_graph.identifiers()[m_node->identifierNumber()])));
2007         } else
2008             slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationCallObjectConstructor), m_callFrame, frozenPointer(m_node->cellOperand()), value));
2009         m_out.jump(continuation);
2010
2011         m_out.appendTo(continuation, lastNext);
2012         setJSValue(m_out.phi(Int64, fastResult, slowResult));
2013     }
2014     
2015     void compileToThis()
2016     {
2017         LValue value = lowJSValue(m_node->child1());
2018         
2019         LBasicBlock isCellCase = m_out.newBlock();
2020         LBasicBlock slowCase = m_out.newBlock();
2021         LBasicBlock continuation = m_out.newBlock();
2022         
2023         m_out.branch(
2024             isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
2025         
2026         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
2027         ValueFromBlock fastResult = m_out.anchor(value);
2028         m_out.branch(
2029             m_out.testIsZero32(
2030                 m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoFlags),
2031                 m_out.constInt32(OverridesToThis)),
2032             usually(continuation), rarely(slowCase));
2033         
2034         m_out.appendTo(slowCase, continuation);
2035         J_JITOperation_EJ function;
2036         if (m_graph.isStrictModeFor(m_node->origin.semantic))
2037             function = operationToThisStrict;
2038         else
2039             function = operationToThis;
2040         ValueFromBlock slowResult = m_out.anchor(
2041             vmCall(Int64, m_out.operation(function), m_callFrame, value));
2042         m_out.jump(continuation);
2043         
2044         m_out.appendTo(continuation, lastNext);
2045         setJSValue(m_out.phi(Int64, fastResult, slowResult));
2046     }
2047
2048     void compileValueAdd()
2049     {
2050         if (m_node->isBinaryUseKind(BigIntUse)) {
2051             LValue left = lowBigInt(m_node->child1());
2052             LValue right = lowBigInt(m_node->child2());
2053
2054             LValue result = vmCall(pointerType(), m_out.operation(operationAddBigInt), m_callFrame, left, right);
2055             setJSValue(result);
2056             return;
2057         }
2058
2059         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2060         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2061         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2062         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
2063         auto repatchingFunction = operationValueAddOptimize;
2064         auto nonRepatchingFunction = operationValueAdd;
2065         compileBinaryMathIC<JITAddGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
2066     }
2067
2068     void compileValueSub()
2069     {
2070         if (m_node->isBinaryUseKind(BigIntUse)) {
2071             LValue left = lowBigInt(m_node->child1());
2072             LValue right = lowBigInt(m_node->child2());
2073             
2074             LValue result = vmCall(pointerType(), m_out.operation(operationSubBigInt), m_callFrame, left, right);
2075             setJSValue(result);
2076             return;
2077         }
2078
2079         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2080         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2081         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2082         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
2083         auto repatchingFunction = operationValueSubOptimize;
2084         auto nonRepatchingFunction = operationValueSub;
2085         compileBinaryMathIC<JITSubGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
2086     }
2087
2088     void compileValueMul()
2089     {
2090         if (m_node->isBinaryUseKind(BigIntUse)) {
2091             LValue left = lowBigInt(m_node->child1());
2092             LValue right = lowBigInt(m_node->child2());
2093             
2094             LValue result = vmCall(Int64, m_out.operation(operationMulBigInt), m_callFrame, left, right);
2095             setJSValue(result);
2096             return;
2097         }
2098
2099         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2100         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2101         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2102         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
2103         auto repatchingFunction = operationValueMulOptimize;
2104         auto nonRepatchingFunction = operationValueMul;
2105         compileBinaryMathIC<JITMulGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
2106     }
2107
2108     template <typename Generator, typename Func1, typename Func2,
2109         typename = std::enable_if_t<std::is_function<typename std::remove_pointer<Func1>::type>::value && std::is_function<typename std::remove_pointer<Func2>::type>::value>>
2110     void compileUnaryMathIC(ArithProfile* arithProfile, const Instruction* instruction, Func1 repatchingFunction, Func2 nonRepatchingFunction)
2111     {
2112         Node* node = m_node;
2113
2114         LValue operand = lowJSValue(node->child1());
2115
2116         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
2117         patchpoint->appendSomeRegister(operand);
2118         patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
2119         patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
2120         RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
2121         patchpoint->numGPScratchRegisters = 1;
2122         patchpoint->clobber(RegisterSet::macroScratchRegisters());
2123         State* state = &m_ftlState;
2124         patchpoint->setGenerator(
2125             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
2126                 AllowMacroScratchRegisterUsage allowScratch(jit);
2127
2128                 Box<CCallHelpers::JumpList> exceptions =
2129                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
2130
2131 #if ENABLE(MATH_IC_STATS)
2132                 auto inlineStart = jit.label();
2133 #endif
2134
2135                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
2136                 JITUnaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile, instruction);
2137                 mathIC->m_generator = Generator(JSValueRegs(params[0].gpr()), JSValueRegs(params[1].gpr()), params.gpScratch(0));
2138
2139                 bool shouldEmitProfiling = false;
2140                 bool generatedInline = mathIC->generateInline(jit, *mathICGenerationState, shouldEmitProfiling);
2141
2142                 if (generatedInline) {
2143                     ASSERT(!mathICGenerationState->slowPathJumps.empty());
2144                     auto done = jit.label();
2145                     params.addLatePath([=] (CCallHelpers& jit) {
2146                         AllowMacroScratchRegisterUsage allowScratch(jit);
2147                         mathICGenerationState->slowPathJumps.link(&jit);
2148                         mathICGenerationState->slowPathStart = jit.label();
2149 #if ENABLE(MATH_IC_STATS)
2150                         auto slowPathStart = jit.label();
2151 #endif
2152
2153                         if (mathICGenerationState->shouldSlowPathRepatch) {
2154                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2155                                 repatchingFunction, params[0].gpr(), params[1].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
2156                             mathICGenerationState->slowPathCall = call.call();
2157                         } else {
2158                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
2159                                 exceptions.get(), nonRepatchingFunction, params[0].gpr(), params[1].gpr());
2160                             mathICGenerationState->slowPathCall = call.call();
2161                         }
2162                         jit.jump().linkTo(done, &jit);
2163
2164                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2165                             mathIC->finalizeInlineCode(*mathICGenerationState, linkBuffer);
2166                         });
2167
2168 #if ENABLE(MATH_IC_STATS)
2169                         auto slowPathEnd = jit.label();
2170                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2171                             size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
2172                             mathIC->m_generatedCodeSize += size;
2173                         });
2174 #endif
2175                     });
2176                 } else {
2177                     callOperation(
2178                         *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2179                         nonRepatchingFunction, params[0].gpr(), params[1].gpr());
2180                 }
2181
2182 #if ENABLE(MATH_IC_STATS)
2183                 auto inlineEnd = jit.label();
2184                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2185                     size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
2186                     mathIC->m_generatedCodeSize += size;
2187                 });
2188 #endif
2189             });
2190
2191         setJSValue(patchpoint);
2192     }
2193
2194     template <typename Generator, typename Func1, typename Func2,
2195         typename = std::enable_if_t<std::is_function<typename std::remove_pointer<Func1>::type>::value && std::is_function<typename std::remove_pointer<Func2>::type>::value>>
2196     void compileBinaryMathIC(ArithProfile* arithProfile, const Instruction* instruction, Func1 repatchingFunction, Func2 nonRepatchingFunction)
2197     {
2198         Node* node = m_node;
2199         
2200         LValue left = lowJSValue(node->child1());
2201         LValue right = lowJSValue(node->child2());
2202
2203         SnippetOperand leftOperand(m_state.forNode(node->child1()).resultType());
2204         SnippetOperand rightOperand(m_state.forNode(node->child2()).resultType());
2205             
2206         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
2207         patchpoint->appendSomeRegister(left);
2208         patchpoint->appendSomeRegister(right);
2209         patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
2210         patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
2211         RefPtr<PatchpointExceptionHandle> exceptionHandle =
2212             preparePatchpointForExceptions(patchpoint);
2213         patchpoint->numGPScratchRegisters = 1;
2214         patchpoint->numFPScratchRegisters = 2;
2215         patchpoint->clobber(RegisterSet::macroScratchRegisters());
2216         State* state = &m_ftlState;
2217         patchpoint->setGenerator(
2218             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
2219                 AllowMacroScratchRegisterUsage allowScratch(jit);
2220
2221
2222                 Box<CCallHelpers::JumpList> exceptions =
2223                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
2224
2225 #if ENABLE(MATH_IC_STATS)
2226                 auto inlineStart = jit.label();
2227 #endif
2228
2229                 Box<MathICGenerationState> mathICGenerationState = Box<MathICGenerationState>::create();
2230                 JITBinaryMathIC<Generator>* mathIC = jit.codeBlock()->addMathIC<Generator>(arithProfile, instruction);
2231                 mathIC->m_generator = Generator(leftOperand, rightOperand, JSValueRegs(params[0].gpr()),
2232                     JSValueRegs(params[1].gpr()), JSValueRegs(params[2].gpr()), params.fpScratch(0),
2233                     params.fpScratch(1), params.gpScratch(0), InvalidFPRReg);
2234
2235                 bool shouldEmitProfiling = false;
2236                 bool generatedInline = mathIC->generateInline(jit, *mathICGenerationState, shouldEmitProfiling);
2237
2238                 if (generatedInline) {
2239                     ASSERT(!mathICGenerationState->slowPathJumps.empty());
2240                     auto done = jit.label();
2241                     params.addLatePath([=] (CCallHelpers& jit) {
2242                         AllowMacroScratchRegisterUsage allowScratch(jit);
2243                         mathICGenerationState->slowPathJumps.link(&jit);
2244                         mathICGenerationState->slowPathStart = jit.label();
2245 #if ENABLE(MATH_IC_STATS)
2246                         auto slowPathStart = jit.label();
2247 #endif
2248
2249                         if (mathICGenerationState->shouldSlowPathRepatch) {
2250                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2251                                 repatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
2252                             mathICGenerationState->slowPathCall = call.call();
2253                         } else {
2254                             SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
2255                                 exceptions.get(), nonRepatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr());
2256                             mathICGenerationState->slowPathCall = call.call();
2257                         }
2258                         jit.jump().linkTo(done, &jit);
2259
2260                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2261                             mathIC->finalizeInlineCode(*mathICGenerationState, linkBuffer);
2262                         });
2263
2264 #if ENABLE(MATH_IC_STATS)
2265                         auto slowPathEnd = jit.label();
2266                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2267                             size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
2268                             mathIC->m_generatedCodeSize += size;
2269                         });
2270 #endif
2271                     });
2272                 } else {
2273                     callOperation(
2274                         *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
2275                         nonRepatchingFunction, params[0].gpr(), params[1].gpr(), params[2].gpr());
2276                 }
2277
2278 #if ENABLE(MATH_IC_STATS)
2279                 auto inlineEnd = jit.label();
2280                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
2281                     size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
2282                     mathIC->m_generatedCodeSize += size;
2283                 });
2284 #endif
2285             });
2286
2287         setJSValue(patchpoint);
2288     }
2289     
2290     void compileStrCat()
2291     {
2292         LValue result;
2293         if (m_node->child3()) {
2294             result = vmCall(
2295                 Int64, m_out.operation(operationStrCat3), m_callFrame,
2296                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
2297                 lowJSValue(m_node->child2(), ManualOperandSpeculation),
2298                 lowJSValue(m_node->child3(), ManualOperandSpeculation));
2299         } else {
2300             result = vmCall(
2301                 Int64, m_out.operation(operationStrCat2), m_callFrame,
2302                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
2303                 lowJSValue(m_node->child2(), ManualOperandSpeculation));
2304         }
2305         setJSValue(result);
2306     }
2307     
2308     void compileArithAddOrSub()
2309     {
2310         bool isSub =  m_node->op() == ArithSub;
2311         switch (m_node->binaryUseKind()) {
2312         case Int32Use: {
2313             LValue left = lowInt32(m_node->child1());
2314             LValue right = lowInt32(m_node->child2());
2315
2316             if (!shouldCheckOverflow(m_node->arithMode())) {
2317                 setInt32(isSub ? m_out.sub(left, right) : m_out.add(left, right));
2318                 break;
2319             }
2320
2321             CheckValue* result =
2322                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
2323             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2324             setInt32(result);
2325             break;
2326         }
2327             
2328         case Int52RepUse: {
2329             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)
2330                 && !abstractValue(m_node->child2()).couldBeType(SpecInt52Only)) {
2331                 Int52Kind kind;
2332                 LValue left = lowWhicheverInt52(m_node->child1(), kind);
2333                 LValue right = lowInt52(m_node->child2(), kind);
2334                 setInt52(isSub ? m_out.sub(left, right) : m_out.add(left, right), kind);
2335                 break;
2336             }
2337
2338             LValue left = lowInt52(m_node->child1());
2339             LValue right = lowInt52(m_node->child2());
2340             CheckValue* result =
2341                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
2342             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2343             setInt52(result);
2344             break;
2345         }
2346             
2347         case DoubleRepUse: {
2348             LValue C1 = lowDouble(m_node->child1());
2349             LValue C2 = lowDouble(m_node->child2());
2350
2351             setDouble(isSub ? m_out.doubleSub(C1, C2) : m_out.doubleAdd(C1, C2));
2352             break;
2353         }
2354
2355         case UntypedUse: {
2356             if (!isSub) {
2357                 DFG_CRASH(m_graph, m_node, "Bad use kind");
2358                 break;
2359             }
2360
2361             CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2362             unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2363             ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2364             const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
2365             auto repatchingFunction = operationValueSubOptimize;
2366             auto nonRepatchingFunction = operationValueSub;
2367             compileBinaryMathIC<JITSubGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
2368             break;
2369         }
2370
2371         default:
2372             DFG_CRASH(m_graph, m_node, "Bad use kind");
2373             break;
2374         }
2375     }
2376
2377     void compileArithClz32()
2378     {
2379         if (m_node->child1().useKind() == Int32Use || m_node->child1().useKind() == KnownInt32Use) {
2380             LValue operand = lowInt32(m_node->child1());
2381             setInt32(m_out.ctlz32(operand));
2382             return;
2383         }
2384         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2385         LValue argument = lowJSValue(m_node->child1());
2386         LValue result = vmCall(Int32, m_out.operation(operationArithClz32), m_callFrame, argument);
2387         setInt32(result);
2388     }
2389     
2390     void compileArithMul()
2391     {
2392         switch (m_node->binaryUseKind()) {
2393         case Int32Use: {
2394             LValue left = lowInt32(m_node->child1());
2395             LValue right = lowInt32(m_node->child2());
2396             
2397             LValue result;
2398
2399             if (!shouldCheckOverflow(m_node->arithMode()))
2400                 result = m_out.mul(left, right);
2401             else {
2402                 CheckValue* speculation = m_out.speculateMul(left, right);
2403                 blessSpeculation(speculation, Overflow, noValue(), nullptr, m_origin);
2404                 result = speculation;
2405             }
2406             
2407             if (shouldCheckNegativeZero(m_node->arithMode())) {
2408                 LBasicBlock slowCase = m_out.newBlock();
2409                 LBasicBlock continuation = m_out.newBlock();
2410                 
2411                 m_out.branch(
2412                     m_out.notZero32(result), usually(continuation), rarely(slowCase));
2413                 
2414                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
2415                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int32Zero));
2416                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int32Zero));
2417                 m_out.jump(continuation);
2418                 m_out.appendTo(continuation, lastNext);
2419             }
2420             
2421             setInt32(result);
2422             break;
2423         }
2424             
2425         case Int52RepUse: {
2426             Int52Kind kind;
2427             LValue left = lowWhicheverInt52(m_node->child1(), kind);
2428             LValue right = lowInt52(m_node->child2(), opposite(kind));
2429
2430             CheckValue* result = m_out.speculateMul(left, right);
2431             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
2432
2433             if (shouldCheckNegativeZero(m_node->arithMode())) {
2434                 LBasicBlock slowCase = m_out.newBlock();
2435                 LBasicBlock continuation = m_out.newBlock();
2436                 
2437                 m_out.branch(
2438                     m_out.notZero64(result), usually(continuation), rarely(slowCase));
2439                 
2440                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
2441                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int64Zero));
2442                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int64Zero));
2443                 m_out.jump(continuation);
2444                 m_out.appendTo(continuation, lastNext);
2445             }
2446             
2447             setInt52(result);
2448             break;
2449         }
2450             
2451         case DoubleRepUse: {
2452             setDouble(
2453                 m_out.doubleMul(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2454             break;
2455         }
2456
2457         default:
2458             DFG_CRASH(m_graph, m_node, "Bad use kind");
2459             break;
2460         }
2461     }
2462
2463     void compileValueDiv()
2464     {
2465         if (m_node->isBinaryUseKind(BigIntUse)) {
2466             LValue left = lowBigInt(m_node->child1());
2467             LValue right = lowBigInt(m_node->child2());
2468             
2469             LValue result = vmCall(pointerType(), m_out.operation(operationDivBigInt), m_callFrame, left, right);
2470             setJSValue(result);
2471             return;
2472         }
2473
2474         emitBinarySnippet<JITDivGenerator, NeedScratchFPR>(operationValueDiv);
2475     }
2476
2477     void compileArithDiv()
2478     {
2479         switch (m_node->binaryUseKind()) {
2480         case Int32Use: {
2481             LValue numerator = lowInt32(m_node->child1());
2482             LValue denominator = lowInt32(m_node->child2());
2483
2484             if (shouldCheckNegativeZero(m_node->arithMode())) {
2485                 LBasicBlock zeroNumerator = m_out.newBlock();
2486                 LBasicBlock numeratorContinuation = m_out.newBlock();
2487
2488                 m_out.branch(
2489                     m_out.isZero32(numerator),
2490                     rarely(zeroNumerator), usually(numeratorContinuation));
2491
2492                 LBasicBlock innerLastNext = m_out.appendTo(zeroNumerator, numeratorContinuation);
2493
2494                 speculate(
2495                     NegativeZero, noValue(), 0, m_out.lessThan(denominator, m_out.int32Zero));
2496
2497                 m_out.jump(numeratorContinuation);
2498
2499                 m_out.appendTo(numeratorContinuation, innerLastNext);
2500             }
2501             
2502             if (shouldCheckOverflow(m_node->arithMode())) {
2503                 LBasicBlock unsafeDenominator = m_out.newBlock();
2504                 LBasicBlock continuation = m_out.newBlock();
2505
2506                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
2507                 m_out.branch(
2508                     m_out.above(adjustedDenominator, m_out.int32One),
2509                     usually(continuation), rarely(unsafeDenominator));
2510
2511                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
2512                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
2513                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
2514                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
2515                 m_out.jump(continuation);
2516
2517                 m_out.appendTo(continuation, lastNext);
2518                 LValue result = m_out.div(numerator, denominator);
2519                 speculate(
2520                     Overflow, noValue(), 0,
2521                     m_out.notEqual(m_out.mul(result, denominator), numerator));
2522                 setInt32(result);
2523             } else
2524                 setInt32(m_out.chillDiv(numerator, denominator));
2525
2526             break;
2527         }
2528             
2529         case DoubleRepUse: {
2530             setDouble(m_out.doubleDiv(
2531                 lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2532             break;
2533         }
2534
2535         default:
2536             DFG_CRASH(m_graph, m_node, "Bad use kind");
2537             break;
2538         }
2539     }
2540     
2541     void compileArithMod()
2542     {
2543         switch (m_node->binaryUseKind()) {
2544         case Int32Use: {
2545             LValue numerator = lowInt32(m_node->child1());
2546             LValue denominator = lowInt32(m_node->child2());
2547
2548             LValue remainder;
2549             if (shouldCheckOverflow(m_node->arithMode())) {
2550                 LBasicBlock unsafeDenominator = m_out.newBlock();
2551                 LBasicBlock continuation = m_out.newBlock();
2552
2553                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
2554                 m_out.branch(
2555                     m_out.above(adjustedDenominator, m_out.int32One),
2556                     usually(continuation), rarely(unsafeDenominator));
2557
2558                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
2559                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
2560                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
2561                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
2562                 m_out.jump(continuation);
2563
2564                 m_out.appendTo(continuation, lastNext);
2565                 LValue result = m_out.mod(numerator, denominator);
2566                 remainder = result;
2567             } else
2568                 remainder = m_out.chillMod(numerator, denominator);
2569
2570             if (shouldCheckNegativeZero(m_node->arithMode())) {
2571                 LBasicBlock negativeNumerator = m_out.newBlock();
2572                 LBasicBlock numeratorContinuation = m_out.newBlock();
2573
2574                 m_out.branch(
2575                     m_out.lessThan(numerator, m_out.int32Zero),
2576                     unsure(negativeNumerator), unsure(numeratorContinuation));
2577
2578                 LBasicBlock innerLastNext = m_out.appendTo(negativeNumerator, numeratorContinuation);
2579
2580                 speculate(NegativeZero, noValue(), 0, m_out.isZero32(remainder));
2581
2582                 m_out.jump(numeratorContinuation);
2583
2584                 m_out.appendTo(numeratorContinuation, innerLastNext);
2585             }
2586
2587             setInt32(remainder);
2588             break;
2589         }
2590             
2591         case DoubleRepUse: {
2592             setDouble(
2593                 m_out.doubleMod(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
2594             break;
2595         }
2596             
2597         default:
2598             DFG_CRASH(m_graph, m_node, "Bad use kind");
2599             break;
2600         }
2601     }
2602
2603     void compileArithMinOrMax()
2604     {
2605         switch (m_node->binaryUseKind()) {
2606         case Int32Use: {
2607             LValue left = lowInt32(m_node->child1());
2608             LValue right = lowInt32(m_node->child2());
2609             
2610             setInt32(
2611                 m_out.select(
2612                     m_node->op() == ArithMin
2613                         ? m_out.lessThan(left, right)
2614                         : m_out.lessThan(right, left),
2615                     left, right));
2616             break;
2617         }
2618             
2619         case DoubleRepUse: {
2620             LValue left = lowDouble(m_node->child1());
2621             LValue right = lowDouble(m_node->child2());
2622             
2623             LBasicBlock notLessThan = m_out.newBlock();
2624             LBasicBlock continuation = m_out.newBlock();
2625             
2626             Vector<ValueFromBlock, 2> results;
2627             
2628             results.append(m_out.anchor(left));
2629             m_out.branch(
2630                 m_node->op() == ArithMin
2631                     ? m_out.doubleLessThan(left, right)
2632                     : m_out.doubleGreaterThan(left, right),
2633                 unsure(continuation), unsure(notLessThan));
2634             
2635             LBasicBlock lastNext = m_out.appendTo(notLessThan, continuation);
2636             results.append(m_out.anchor(m_out.select(
2637                 m_node->op() == ArithMin
2638                     ? m_out.doubleGreaterThanOrEqual(left, right)
2639                     : m_out.doubleLessThanOrEqual(left, right),
2640                 right, m_out.constDouble(PNaN))));
2641             m_out.jump(continuation);
2642             
2643             m_out.appendTo(continuation, lastNext);
2644             setDouble(m_out.phi(Double, results));
2645             break;
2646         }
2647             
2648         default:
2649             DFG_CRASH(m_graph, m_node, "Bad use kind");
2650             break;
2651         }
2652     }
2653     
2654     void compileArithAbs()
2655     {
2656         switch (m_node->child1().useKind()) {
2657         case Int32Use: {
2658             LValue value = lowInt32(m_node->child1());
2659
2660             LValue mask = m_out.aShr(value, m_out.constInt32(31));
2661             LValue result = m_out.bitXor(mask, m_out.add(mask, value));
2662
2663             if (shouldCheckOverflow(m_node->arithMode()))
2664                 speculate(Overflow, noValue(), 0, m_out.lessThan(result, m_out.int32Zero));
2665
2666             setInt32(result);
2667             break;
2668         }
2669             
2670         case DoubleRepUse: {
2671             setDouble(m_out.doubleAbs(lowDouble(m_node->child1())));
2672             break;
2673         }
2674             
2675         default: {
2676             DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2677             LValue argument = lowJSValue(m_node->child1());
2678             LValue result = vmCall(Double, m_out.operation(operationArithAbs), m_callFrame, argument);
2679             setDouble(result);
2680             break;
2681         }
2682         }
2683     }
2684
2685     void compileArithUnary()
2686     {
2687         if (m_node->child1().useKind() == DoubleRepUse) {
2688             setDouble(m_out.doubleUnary(m_node->arithUnaryType(), lowDouble(m_node->child1())));
2689             return;
2690         }
2691         LValue argument = lowJSValue(m_node->child1());
2692         LValue result = vmCall(Double, m_out.operation(DFG::arithUnaryOperation(m_node->arithUnaryType())), m_callFrame, argument);
2693         setDouble(result);
2694     }
2695
2696     void compileArithPow()
2697     {
2698         if (m_node->child2().useKind() == Int32Use)
2699             setDouble(m_out.doublePowi(lowDouble(m_node->child1()), lowInt32(m_node->child2())));
2700         else {
2701             LValue base = lowDouble(m_node->child1());
2702             LValue exponent = lowDouble(m_node->child2());
2703
2704             LBasicBlock integerExponentIsSmallBlock = m_out.newBlock();
2705             LBasicBlock integerExponentPowBlock = m_out.newBlock();
2706             LBasicBlock doubleExponentPowBlockEntry = m_out.newBlock();
2707             LBasicBlock nanExceptionBaseIsOne = m_out.newBlock();
2708             LBasicBlock nanExceptionExponentIsInfinity = m_out.newBlock();
2709             LBasicBlock testExponentIsOneHalf = m_out.newBlock();
2710             LBasicBlock handleBaseZeroExponentIsOneHalf = m_out.newBlock();
2711             LBasicBlock handleInfinityForExponentIsOneHalf = m_out.newBlock();
2712             LBasicBlock exponentIsOneHalfNormal = m_out.newBlock();
2713             LBasicBlock exponentIsOneHalfInfinity = m_out.newBlock();
2714             LBasicBlock testExponentIsNegativeOneHalf = m_out.newBlock();
2715             LBasicBlock testBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
2716             LBasicBlock handleBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
2717             LBasicBlock handleInfinityForExponentIsNegativeOneHalf = m_out.newBlock();
2718             LBasicBlock exponentIsNegativeOneHalfNormal = m_out.newBlock();
2719             LBasicBlock exponentIsNegativeOneHalfInfinity = m_out.newBlock();
2720             LBasicBlock powBlock = m_out.newBlock();
2721             LBasicBlock nanExceptionResultIsNaN = m_out.newBlock();
2722             LBasicBlock continuation = m_out.newBlock();
2723
2724             LValue integerExponent = m_out.doubleToInt(exponent);
2725             LValue integerExponentConvertedToDouble = m_out.intToDouble(integerExponent);
2726             LValue exponentIsInteger = m_out.doubleEqual(exponent, integerExponentConvertedToDouble);
2727             m_out.branch(exponentIsInteger, unsure(integerExponentIsSmallBlock), unsure(doubleExponentPowBlockEntry));
2728
2729             LBasicBlock lastNext = m_out.appendTo(integerExponentIsSmallBlock, integerExponentPowBlock);
2730             LValue integerExponentBelowMax = m_out.belowOrEqual(integerExponent, m_out.constInt32(maxExponentForIntegerMathPow));
2731             m_out.branch(integerExponentBelowMax, usually(integerExponentPowBlock), rarely(doubleExponentPowBlockEntry));
2732
2733             m_out.appendTo(integerExponentPowBlock, doubleExponentPowBlockEntry);
2734             ValueFromBlock powDoubleIntResult = m_out.anchor(m_out.doublePowi(base, integerExponent));
2735             m_out.jump(continuation);
2736
2737             // If y is NaN, the result is NaN.
2738             m_out.appendTo(doubleExponentPowBlockEntry, nanExceptionBaseIsOne);
2739             LValue exponentIsNaN;
2740             if (provenType(m_node->child2()) & SpecDoubleNaN)
2741                 exponentIsNaN = m_out.doubleNotEqualOrUnordered(exponent, exponent);
2742             else
2743                 exponentIsNaN = m_out.booleanFalse;
2744             m_out.branch(exponentIsNaN, rarely(nanExceptionResultIsNaN), usually(nanExceptionBaseIsOne));
2745
2746             // If abs(x) is 1 and y is +infinity, the result is NaN.
2747             // If abs(x) is 1 and y is -infinity, the result is NaN.
2748
2749             //     Test if base == 1.
2750             m_out.appendTo(nanExceptionBaseIsOne, nanExceptionExponentIsInfinity);
2751             LValue absoluteBase = m_out.doubleAbs(base);
2752             LValue absoluteBaseIsOne = m_out.doubleEqual(absoluteBase, m_out.constDouble(1));
2753             m_out.branch(absoluteBaseIsOne, rarely(nanExceptionExponentIsInfinity), usually(testExponentIsOneHalf));
2754
2755             //     Test if abs(y) == Infinity.
2756             m_out.appendTo(nanExceptionExponentIsInfinity, testExponentIsOneHalf);
2757             LValue absoluteExponent = m_out.doubleAbs(exponent);
2758             LValue absoluteExponentIsInfinity = m_out.doubleEqual(absoluteExponent, m_out.constDouble(std::numeric_limits<double>::infinity()));
2759             m_out.branch(absoluteExponentIsInfinity, rarely(nanExceptionResultIsNaN), usually(testExponentIsOneHalf));
2760
2761             // If y == 0.5 or y == -0.5, handle it through SQRT.
2762             // We have be carefuly with -0 and -Infinity.
2763
2764             //     Test if y == 0.5
2765             m_out.appendTo(testExponentIsOneHalf, handleBaseZeroExponentIsOneHalf);
2766             LValue exponentIsOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(0.5));
2767             m_out.branch(exponentIsOneHalf, rarely(handleBaseZeroExponentIsOneHalf), usually(testExponentIsNegativeOneHalf));
2768
2769             //     Handle x == -0.
2770             m_out.appendTo(handleBaseZeroExponentIsOneHalf, handleInfinityForExponentIsOneHalf);
2771             LValue baseIsZeroExponentIsOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
2772             ValueFromBlock zeroResultExponentIsOneHalf = m_out.anchor(m_out.doubleZero);
2773             m_out.branch(baseIsZeroExponentIsOneHalf, rarely(continuation), usually(handleInfinityForExponentIsOneHalf));
2774
2775             //     Test if abs(x) == Infinity.
2776             m_out.appendTo(handleInfinityForExponentIsOneHalf, exponentIsOneHalfNormal);
2777             LValue absoluteBaseIsInfinityOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2778             m_out.branch(absoluteBaseIsInfinityOneHalf, rarely(exponentIsOneHalfInfinity), usually(exponentIsOneHalfNormal));
2779
2780             //     The exponent is 0.5, the base is finite or NaN, we can use SQRT.
2781             m_out.appendTo(exponentIsOneHalfNormal, exponentIsOneHalfInfinity);
2782             ValueFromBlock sqrtResult = m_out.anchor(m_out.doubleSqrt(base));
2783             m_out.jump(continuation);
2784
2785             //     The exponent is 0.5, the base is infinite, the result is always infinite.
2786             m_out.appendTo(exponentIsOneHalfInfinity, testExponentIsNegativeOneHalf);
2787             ValueFromBlock sqrtInfinityResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2788             m_out.jump(continuation);
2789
2790             //     Test if y == -0.5
2791             m_out.appendTo(testExponentIsNegativeOneHalf, testBaseZeroExponentIsNegativeOneHalf);
2792             LValue exponentIsNegativeOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(-0.5));
2793             m_out.branch(exponentIsNegativeOneHalf, rarely(testBaseZeroExponentIsNegativeOneHalf), usually(powBlock));
2794
2795             //     Handle x == -0.
2796             m_out.appendTo(testBaseZeroExponentIsNegativeOneHalf, handleBaseZeroExponentIsNegativeOneHalf);
2797             LValue baseIsZeroExponentIsNegativeOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
2798             m_out.branch(baseIsZeroExponentIsNegativeOneHalf, rarely(handleBaseZeroExponentIsNegativeOneHalf), usually(handleInfinityForExponentIsNegativeOneHalf));
2799
2800             m_out.appendTo(handleBaseZeroExponentIsNegativeOneHalf, handleInfinityForExponentIsNegativeOneHalf);
2801             ValueFromBlock oneOverSqrtZeroResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2802             m_out.jump(continuation);
2803
2804             //     Test if abs(x) == Infinity.
2805             m_out.appendTo(handleInfinityForExponentIsNegativeOneHalf, exponentIsNegativeOneHalfNormal);
2806             LValue absoluteBaseIsInfinityNegativeOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2807             m_out.branch(absoluteBaseIsInfinityNegativeOneHalf, rarely(exponentIsNegativeOneHalfInfinity), usually(exponentIsNegativeOneHalfNormal));
2808
2809             //     The exponent is -0.5, the base is finite or NaN, we can use 1/SQRT.
2810             m_out.appendTo(exponentIsNegativeOneHalfNormal, exponentIsNegativeOneHalfInfinity);
2811             LValue sqrtBase = m_out.doubleSqrt(base);
2812             ValueFromBlock oneOverSqrtResult = m_out.anchor(m_out.div(m_out.constDouble(1.), sqrtBase));
2813             m_out.jump(continuation);
2814
2815             //     The exponent is -0.5, the base is infinite, the result is always zero.
2816             m_out.appendTo(exponentIsNegativeOneHalfInfinity, powBlock);
2817             ValueFromBlock oneOverSqrtInfinityResult = m_out.anchor(m_out.doubleZero);
2818             m_out.jump(continuation);
2819
2820             m_out.appendTo(powBlock, nanExceptionResultIsNaN);
2821             ValueFromBlock powResult = m_out.anchor(m_out.doublePow(base, exponent));
2822             m_out.jump(continuation);
2823
2824             m_out.appendTo(nanExceptionResultIsNaN, continuation);
2825             ValueFromBlock pureNan = m_out.anchor(m_out.constDouble(PNaN));
2826             m_out.jump(continuation);
2827
2828             m_out.appendTo(continuation, lastNext);
2829             setDouble(m_out.phi(Double, powDoubleIntResult, zeroResultExponentIsOneHalf, sqrtResult, sqrtInfinityResult, oneOverSqrtZeroResult, oneOverSqrtResult, oneOverSqrtInfinityResult, powResult, pureNan));
2830         }
2831     }
2832
2833     void compileArithRandom()
2834     {
2835         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
2836
2837         // Inlined WeakRandom::advance().
2838         // uint64_t x = m_low;
2839         void* lowAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::lowOffset();
2840         LValue low = m_out.load64(m_out.absolute(lowAddress));
2841         // uint64_t y = m_high;
2842         void* highAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::highOffset();
2843         LValue high = m_out.load64(m_out.absolute(highAddress));
2844         // m_low = y;
2845         m_out.store64(high, m_out.absolute(lowAddress));
2846
2847         // x ^= x << 23;
2848         LValue phase1 = m_out.bitXor(m_out.shl(low, m_out.constInt64(23)), low);
2849
2850         // x ^= x >> 17;
2851         LValue phase2 = m_out.bitXor(m_out.lShr(phase1, m_out.constInt64(17)), phase1);
2852
2853         // x ^= y ^ (y >> 26);
2854         LValue phase3 = m_out.bitXor(m_out.bitXor(high, m_out.lShr(high, m_out.constInt64(26))), phase2);
2855
2856         // m_high = x;
2857         m_out.store64(phase3, m_out.absolute(highAddress));
2858
2859         // return x + y;
2860         LValue random64 = m_out.add(phase3, high);
2861
2862         // Extract random 53bit. [0, 53] bit is safe integer number ranges in double representation.
2863         LValue random53 = m_out.bitAnd(random64, m_out.constInt64((1ULL << 53) - 1));
2864
2865         LValue double53Integer = m_out.intToDouble(random53);
2866
2867         // Convert `(53bit double integer value) / (1 << 53)` to `(53bit double integer value) * (1.0 / (1 << 53))`.
2868         // In latter case, `1.0 / (1 << 53)` will become a double value represented as (mantissa = 0 & exp = 970, it means 1e-(2**54)).
2869         static const double scale = 1.0 / (1ULL << 53);
2870
2871         // Multiplying 1e-(2**54) with the double integer does not change anything of the mantissa part of the double integer.
2872         // It just reduces the exp part of the given 53bit double integer.
2873         // (Except for 0.0. This is specially handled and in this case, exp just becomes 0.)
2874         // Now we get 53bit precision random double value in [0, 1).
2875         LValue result = m_out.doubleMul(double53Integer, m_out.constDouble(scale));
2876
2877         setDouble(result);
2878     }
2879
2880     void compileArithRound()
2881     {
2882         if (m_node->child1().useKind() == DoubleRepUse) {
2883             LValue result = nullptr;
2884             if (producesInteger(m_node->arithRoundingMode()) && !shouldCheckNegativeZero(m_node->arithRoundingMode())) {
2885                 LValue value = lowDouble(m_node->child1());
2886                 result = m_out.doubleFloor(m_out.doubleAdd(value, m_out.constDouble(0.5)));
2887             } else {
2888                 LBasicBlock realPartIsMoreThanHalf = m_out.newBlock();
2889                 LBasicBlock continuation = m_out.newBlock();
2890
2891                 LValue value = lowDouble(m_node->child1());
2892                 LValue integerValue = m_out.doubleCeil(value);
2893                 ValueFromBlock integerValueResult = m_out.anchor(integerValue);
2894
2895                 LValue realPart = m_out.doubleSub(integerValue, value);
2896
2897                 m_out.branch(m_out.doubleGreaterThanOrUnordered(realPart, m_out.constDouble(0.5)), unsure(realPartIsMoreThanHalf), unsure(continuation));
2898
2899                 LBasicBlock lastNext = m_out.appendTo(realPartIsMoreThanHalf, continuation);
2900                 LValue integerValueRoundedDown = m_out.doubleSub(integerValue, m_out.constDouble(1));
2901                 ValueFromBlock integerValueRoundedDownResult = m_out.anchor(integerValueRoundedDown);
2902                 m_out.jump(continuation);
2903                 m_out.appendTo(continuation, lastNext);
2904
2905                 result = m_out.phi(Double, integerValueResult, integerValueRoundedDownResult);
2906             }
2907
2908             if (producesInteger(m_node->arithRoundingMode())) {
2909                 LValue integerValue = convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode()));
2910                 setInt32(integerValue);
2911             } else
2912                 setDouble(result);
2913             return;
2914         }
2915
2916         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2917         LValue argument = lowJSValue(m_node->child1());
2918         setJSValue(vmCall(Int64, m_out.operation(operationArithRound), m_callFrame, argument));
2919     }
2920
2921     void compileArithFloor()
2922     {
2923         if (m_node->child1().useKind() == DoubleRepUse) {
2924             LValue value = lowDouble(m_node->child1());
2925             LValue integerValue = m_out.doubleFloor(value);
2926             if (producesInteger(m_node->arithRoundingMode()))
2927                 setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2928             else
2929                 setDouble(integerValue);
2930             return;
2931         }
2932         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2933         LValue argument = lowJSValue(m_node->child1());
2934         setJSValue(vmCall(Int64, m_out.operation(operationArithFloor), m_callFrame, argument));
2935     }
2936
2937     void compileArithCeil()
2938     {
2939         if (m_node->child1().useKind() == DoubleRepUse) {
2940             LValue value = lowDouble(m_node->child1());
2941             LValue integerValue = m_out.doubleCeil(value);
2942             if (producesInteger(m_node->arithRoundingMode()))
2943                 setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2944             else
2945                 setDouble(integerValue);
2946             return;
2947         }
2948         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2949         LValue argument = lowJSValue(m_node->child1());
2950         setJSValue(vmCall(Int64, m_out.operation(operationArithCeil), m_callFrame, argument));
2951     }
2952
2953     void compileArithTrunc()
2954     {
2955         if (m_node->child1().useKind() == DoubleRepUse) {
2956             LValue value = lowDouble(m_node->child1());
2957             LValue result = m_out.doubleTrunc(value);
2958             if (producesInteger(m_node->arithRoundingMode()))
2959                 setInt32(convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2960             else
2961                 setDouble(result);
2962             return;
2963         }
2964         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
2965         LValue argument = lowJSValue(m_node->child1());
2966         setJSValue(vmCall(Int64, m_out.operation(operationArithTrunc), m_callFrame, argument));
2967     }
2968
2969     void compileArithSqrt()
2970     {
2971         if (m_node->child1().useKind() == DoubleRepUse) {
2972             setDouble(m_out.doubleSqrt(lowDouble(m_node->child1())));
2973             return;
2974         }
2975         LValue argument = lowJSValue(m_node->child1());
2976         LValue result = vmCall(Double, m_out.operation(operationArithSqrt), m_callFrame, argument);
2977         setDouble(result);
2978     }
2979
2980     void compileArithFRound()
2981     {
2982         if (m_node->child1().useKind() == DoubleRepUse) {
2983             setDouble(m_out.fround(lowDouble(m_node->child1())));
2984             return;
2985         }
2986         LValue argument = lowJSValue(m_node->child1());
2987         LValue result = vmCall(Double, m_out.operation(operationArithFRound), m_callFrame, argument);
2988         setDouble(result);
2989     }
2990
2991     void compileValueNegate()
2992     {
2993         DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse);
2994         CodeBlock* baselineCodeBlock = m_ftlState.graph.baselineCodeBlockFor(m_node->origin.semantic);
2995         unsigned bytecodeIndex = m_node->origin.semantic.bytecodeIndex();
2996         ArithProfile* arithProfile = baselineCodeBlock->arithProfileForBytecodeOffset(bytecodeIndex);
2997         const Instruction* instruction = baselineCodeBlock->instructions().at(bytecodeIndex).ptr();
2998         auto repatchingFunction = operationArithNegateOptimize;
2999         auto nonRepatchingFunction = operationArithNegate;
3000         compileUnaryMathIC<JITNegGenerator>(arithProfile, instruction, repatchingFunction, nonRepatchingFunction);
3001     }
3002
3003     void compileArithNegate()
3004     {
3005         switch (m_node->child1().useKind()) {
3006         case Int32Use: {
3007             LValue value = lowInt32(m_node->child1());
3008             
3009             LValue result;
3010             if (!shouldCheckOverflow(m_node->arithMode()))
3011                 result = m_out.neg(value);
3012             else if (!shouldCheckNegativeZero(m_node->arithMode())) {
3013                 CheckValue* check = m_out.speculateSub(m_out.int32Zero, value);
3014                 blessSpeculation(check, Overflow, noValue(), nullptr, m_origin);
3015                 result = check;
3016             } else {
3017                 speculate(Overflow, noValue(), 0, m_out.testIsZero32(value, m_out.constInt32(0x7fffffff)));
3018                 result = m_out.neg(value);
3019             }
3020
3021             setInt32(result);
3022             break;
3023         }
3024             
3025         case Int52RepUse: {
3026             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)) {
3027                 Int52Kind kind;
3028                 LValue value = lowWhicheverInt52(m_node->child1(), kind);
3029                 LValue result = m_out.neg(value);
3030                 if (shouldCheckNegativeZero(m_node->arithMode()))
3031                     speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
3032                 setInt52(result, kind);
3033                 break;
3034             }
3035             
3036             LValue value = lowInt52(m_node->child1());
3037             CheckValue* result = m_out.speculateSub(m_out.int64Zero, value);
3038             blessSpeculation(result, Int52Overflow, noValue(), nullptr, m_origin);
3039             if (shouldCheckNegativeZero(m_node->arithMode()))
3040                 speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
3041             setInt52(result);
3042             break;
3043         }
3044             
3045         case DoubleRepUse: {
3046             setDouble(m_out.doubleNeg(lowDouble(m_node->child1())));
3047             break;
3048         }
3049             
3050         default:
3051             DFG_CRASH(m_graph, m_node, "Bad use kind");
3052             break;
3053         }
3054     }
3055     
3056     void compileValueBitNot()
3057     {
3058         if (m_node->child1().useKind() == BigIntUse) {
3059             LValue operand = lowBigInt(m_node->child1());
3060             LValue result = vmCall(pointerType(), m_out.operation(operationBitNotBigInt), m_callFrame, operand);
3061             setJSValue(result);
3062             return;
3063         }
3064
3065         LValue operand = lowJSValue(m_node->child1());
3066         LValue result = vmCall(Int64, m_out.operation(operationValueBitNot), m_callFrame, operand);
3067         setJSValue(result);
3068     }
3069
3070     void compileArithBitNot()
3071     {
3072         setInt32(m_out.bitNot(lowInt32(m_node->child1())));
3073     }
3074
3075     void compileValueBitAnd()
3076     {
3077         if (m_node->isBinaryUseKind(BigIntUse)) {
3078             LValue left = lowBigInt(m_node->child1());
3079             LValue right = lowBigInt(m_node->child2());
3080             
3081             LValue result = vmCall(pointerType(), m_out.operation(operationBitAndBigInt), m_callFrame, left, right);
3082             setJSValue(result);
3083             return;
3084         }
3085         
3086         emitBinaryBitOpSnippet<JITBitAndGenerator>(operationValueBitAnd);
3087     }
3088     
3089     void compileArithBitAnd()
3090     {
3091         setInt32(m_out.bitAnd(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
3092     }
3093     
3094     void compileValueBitOr()
3095     {
3096         if (m_node->isBinaryUseKind(BigIntUse)) {
3097             LValue left = lowBigInt(m_node->child1());
3098             LValue right = lowBigInt(m_node->child2());
3099
3100             LValue result = vmCall(pointerType(), m_out.operation(operationBitOrBigInt), m_callFrame, left, right);
3101             setJSValue(result);
3102             return;
3103         }
3104
3105         emitBinaryBitOpSnippet<JITBitOrGenerator>(operationValueBitOr);
3106     }
3107
3108     void compileArithBitOr()
3109     {
3110         setInt32(m_out.bitOr(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
3111     }
3112     
3113     void compileValueBitXor()
3114     {
3115         if (m_node->isBinaryUseKind(BigIntUse)) {
3116             LValue left = lowBigInt(m_node->child1());
3117             LValue right = lowBigInt(m_node->child2());
3118
3119             LValue result = vmCall(pointerType(), m_out.operation(operationBitXorBigInt), m_callFrame, left, right);
3120             setJSValue(result);
3121             return;
3122         }
3123
3124         emitBinaryBitOpSnippet<JITBitXorGenerator>(operationValueBitXor);
3125     }
3126
3127     void compileArithBitXor()
3128     {
3129         setInt32(m_out.bitXor(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
3130     }
3131     
3132     void compileBitRShift()
3133     {
3134         if (m_node->isBinaryUseKind(UntypedUse)) {
3135             emitRightShiftSnippet(JITRightShiftGenerator::SignedShift);
3136             return;
3137