1151f96e8c3673141ad6e3a700bce894e320dc1e
[WebKit.git] / Source / JavaScriptCore / ftl / FTLLowerDFGToB3.cpp
1 /*
2  * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "FTLLowerDFGToB3.h"
28
29 #if ENABLE(FTL_JIT)
30
31 #include "AirGenerationContext.h"
32 #include "AllowMacroScratchRegisterUsage.h"
33 #include "B3CheckValue.h"
34 #include "B3PatchpointValue.h"
35 #include "B3SlotBaseValue.h"
36 #include "B3StackmapGenerationParams.h"
37 #include "B3ValueInlines.h"
38 #include "CallFrameShuffler.h"
39 #include "CodeBlockWithJITType.h"
40 #include "DFGAbstractInterpreterInlines.h"
41 #include "DFGDominators.h"
42 #include "DFGInPlaceAbstractState.h"
43 #include "DFGOSRAvailabilityAnalysisPhase.h"
44 #include "DFGOSRExitFuzz.h"
45 #include "DirectArguments.h"
46 #include "FTLAbstractHeapRepository.h"
47 #include "FTLAvailableRecovery.h"
48 #include "FTLExceptionTarget.h"
49 #include "FTLForOSREntryJITCode.h"
50 #include "FTLFormattedValue.h"
51 #include "FTLLazySlowPathCall.h"
52 #include "FTLLoweredNodeValue.h"
53 #include "FTLOperations.h"
54 #include "FTLOutput.h"
55 #include "FTLPatchpointExceptionHandle.h"
56 #include "FTLThunks.h"
57 #include "FTLWeightedTarget.h"
58 #include "JITAddGenerator.h"
59 #include "JITBitAndGenerator.h"
60 #include "JITBitOrGenerator.h"
61 #include "JITBitXorGenerator.h"
62 #include "JITDivGenerator.h"
63 #include "JITInlineCacheGenerator.h"
64 #include "JITLeftShiftGenerator.h"
65 #include "JITMulGenerator.h"
66 #include "JITRightShiftGenerator.h"
67 #include "JITSubGenerator.h"
68 #include "JSCInlines.h"
69 #include "JSGeneratorFunction.h"
70 #include "JSLexicalEnvironment.h"
71 #include "OperandsInlines.h"
72 #include "ScopedArguments.h"
73 #include "ScopedArgumentsTable.h"
74 #include "ScratchRegisterAllocator.h"
75 #include "SetupVarargsFrame.h"
76 #include "ShadowChicken.h"
77 #include "StructureStubInfo.h"
78 #include "VirtualRegister.h"
79 #include "Watchdog.h"
80 #include <atomic>
81 #if !OS(WINDOWS)
82 #include <dlfcn.h>
83 #endif
84 #include <unordered_set>
85 #include <wtf/Box.h>
86 #include <wtf/ProcessID.h>
87
88 namespace JSC { namespace FTL {
89
90 using namespace B3;
91 using namespace DFG;
92
93 namespace {
94
95 std::atomic<int> compileCounter;
96
97 #if !ASSERT_DISABLED
98 NO_RETURN_DUE_TO_CRASH static void ftlUnreachable(
99     CodeBlock* codeBlock, BlockIndex blockIndex, unsigned nodeIndex)
100 {
101     dataLog("Crashing in thought-to-be-unreachable FTL-generated code for ", pointerDump(codeBlock), " at basic block #", blockIndex);
102     if (nodeIndex != UINT_MAX)
103         dataLog(", node @", nodeIndex);
104     dataLog(".\n");
105     CRASH();
106 }
107 #endif
108
109 // Using this instead of typeCheck() helps to reduce the load on B3, by creating
110 // significantly less dead code.
111 #define FTL_TYPE_CHECK_WITH_EXIT_KIND(exitKind, lowValue, highValue, typesPassedThrough, failCondition) do { \
112         FormattedValue _ftc_lowValue = (lowValue);                      \
113         Edge _ftc_highValue = (highValue);                              \
114         SpeculatedType _ftc_typesPassedThrough = (typesPassedThrough);  \
115         if (!m_interpreter.needsTypeCheck(_ftc_highValue, _ftc_typesPassedThrough)) \
116             break;                                                      \
117         typeCheck(_ftc_lowValue, _ftc_highValue, _ftc_typesPassedThrough, (failCondition), exitKind); \
118     } while (false)
119
120 #define FTL_TYPE_CHECK(lowValue, highValue, typesPassedThrough, failCondition) \
121     FTL_TYPE_CHECK_WITH_EXIT_KIND(BadType, lowValue, highValue, typesPassedThrough, failCondition)
122
123 class LowerDFGToB3 {
124     WTF_MAKE_NONCOPYABLE(LowerDFGToB3);
125 public:
126     LowerDFGToB3(State& state)
127         : m_graph(state.graph)
128         , m_ftlState(state)
129         , m_out(state)
130         , m_proc(*state.proc)
131         , m_state(state.graph)
132         , m_interpreter(state.graph, m_state)
133     {
134     }
135     
136     void lower()
137     {
138         State* state = &m_ftlState;
139         
140         CString name;
141         if (verboseCompilationEnabled()) {
142             name = toCString(
143                 "jsBody_", ++compileCounter, "_", codeBlock()->inferredName(),
144                 "_", codeBlock()->hash());
145         } else
146             name = "jsBody";
147         
148         m_graph.ensureDominators();
149
150         if (verboseCompilationEnabled())
151             dataLog("Function ready, beginning lowering.\n");
152
153         m_out.initialize(m_heaps);
154
155         // We use prologue frequency for all of the initialization code.
156         m_out.setFrequency(1);
157         
158         m_prologue = m_out.newBlock();
159         m_handleExceptions = m_out.newBlock();
160
161         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
162             m_highBlock = m_graph.block(blockIndex);
163             if (!m_highBlock)
164                 continue;
165             m_out.setFrequency(m_highBlock->executionCount);
166             m_blocks.add(m_highBlock, m_out.newBlock());
167         }
168
169         // Back to prologue frequency for any bocks that get sneakily created in the initialization code.
170         m_out.setFrequency(1);
171         
172         m_out.appendTo(m_prologue, m_handleExceptions);
173         m_out.initializeConstants(m_proc, m_prologue);
174         createPhiVariables();
175
176         size_t sizeOfCaptured = sizeof(JSValue) * m_graph.m_nextMachineLocal;
177         B3::SlotBaseValue* capturedBase = m_out.lockedStackSlot(sizeOfCaptured);
178         m_captured = m_out.add(capturedBase, m_out.constIntPtr(sizeOfCaptured));
179         state->capturedValue = capturedBase->slot();
180
181         auto preOrder = m_graph.blocksInPreOrder();
182
183         m_callFrame = m_out.framePointer();
184         m_tagTypeNumber = m_out.constInt64(TagTypeNumber);
185         m_tagMask = m_out.constInt64(TagMask);
186
187         // Make sure that B3 knows that we really care about the mask registers. This forces the
188         // constants to be materialized in registers.
189         m_proc.addFastConstant(m_tagTypeNumber->key());
190         m_proc.addFastConstant(m_tagMask->key());
191         
192         m_out.storePtr(m_out.constIntPtr(codeBlock()), addressFor(CallFrameSlot::codeBlock));
193
194         // Stack Overflow Check.
195         unsigned exitFrameSize = m_graph.requiredRegisterCountForExit() * sizeof(Register);
196         MacroAssembler::AbsoluteAddress addressOfStackLimit(vm().addressOfSoftStackLimit());
197         PatchpointValue* stackOverflowHandler = m_out.patchpoint(Void);
198         CallSiteIndex callSiteIndex = callSiteIndexForCodeOrigin(m_ftlState, CodeOrigin(0));
199         stackOverflowHandler->appendSomeRegister(m_callFrame);
200         stackOverflowHandler->clobber(RegisterSet::macroScratchRegisters());
201         stackOverflowHandler->numGPScratchRegisters = 1;
202         stackOverflowHandler->setGenerator(
203             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
204                 AllowMacroScratchRegisterUsage allowScratch(jit);
205                 GPRReg fp = params[0].gpr();
206                 GPRReg scratch = params.gpScratch(0);
207
208                 unsigned ftlFrameSize = params.proc().frameSize();
209
210                 jit.addPtr(MacroAssembler::TrustedImm32(-std::max(exitFrameSize, ftlFrameSize)), fp, scratch);
211                 MacroAssembler::Jump stackOverflow = jit.branchPtr(MacroAssembler::Above, addressOfStackLimit, scratch);
212
213                 params.addLatePath([=] (CCallHelpers& jit) {
214                     AllowMacroScratchRegisterUsage allowScratch(jit);
215
216                     stackOverflow.link(&jit);
217                     jit.store32(
218                         MacroAssembler::TrustedImm32(callSiteIndex.bits()),
219                         CCallHelpers::tagFor(VirtualRegister(CallFrameSlot::argumentCount)));
220                     jit.copyCalleeSavesToVMEntryFrameCalleeSavesBuffer();
221
222                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
223                     jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()), GPRInfo::argumentGPR1);
224                     CCallHelpers::Call throwCall = jit.call();
225
226                     jit.move(CCallHelpers::TrustedImmPtr(jit.vm()), GPRInfo::argumentGPR0);
227                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
228                     CCallHelpers::Call lookupExceptionHandlerCall = jit.call();
229                     jit.jumpToExceptionHandler();
230
231                     jit.addLinkTask(
232                         [=] (LinkBuffer& linkBuffer) {
233                             linkBuffer.link(throwCall, FunctionPtr(operationThrowStackOverflowError));
234                             linkBuffer.link(lookupExceptionHandlerCall, FunctionPtr(lookupExceptionHandlerFromCallerFrame));
235                     });
236                 });
237             });
238
239         LBasicBlock firstDFGBasicBlock = lowBlock(m_graph.block(0));
240         // Check Arguments.
241         availabilityMap().clear();
242         availabilityMap().m_locals = Operands<Availability>(codeBlock()->numParameters(), 0);
243         for (unsigned i = codeBlock()->numParameters(); i--;) {
244             availabilityMap().m_locals.argument(i) =
245                 Availability(FlushedAt(FlushedJSValue, virtualRegisterForArgument(i)));
246         }
247         m_node = nullptr;
248         m_origin = NodeOrigin(CodeOrigin(0), CodeOrigin(0), true);
249         for (unsigned i = codeBlock()->numParameters(); i--;) {
250             Node* node = m_graph.m_arguments[i];
251             VirtualRegister operand = virtualRegisterForArgument(i);
252             
253             LValue jsValue = m_out.load64(addressFor(operand));
254             
255             if (node) {
256                 DFG_ASSERT(m_graph, node, operand == node->stackAccessData()->machineLocal);
257                 
258                 // This is a hack, but it's an effective one. It allows us to do CSE on the
259                 // primordial load of arguments. This assumes that the GetLocal that got put in
260                 // place of the original SetArgument doesn't have any effects before it. This
261                 // should hold true.
262                 m_loadedArgumentValues.add(node, jsValue);
263             }
264             
265             switch (m_graph.m_argumentFormats[i]) {
266             case FlushedInt32:
267                 speculate(BadType, jsValueValue(jsValue), node, isNotInt32(jsValue));
268                 break;
269             case FlushedBoolean:
270                 speculate(BadType, jsValueValue(jsValue), node, isNotBoolean(jsValue));
271                 break;
272             case FlushedCell:
273                 speculate(BadType, jsValueValue(jsValue), node, isNotCell(jsValue));
274                 break;
275             case FlushedJSValue:
276                 break;
277             default:
278                 DFG_CRASH(m_graph, node, "Bad flush format for argument");
279                 break;
280             }
281         }
282         m_out.jump(firstDFGBasicBlock);
283
284         m_out.appendTo(m_handleExceptions, firstDFGBasicBlock);
285         Box<CCallHelpers::Label> exceptionHandler = state->exceptionHandler;
286         m_out.patchpoint(Void)->setGenerator(
287             [=] (CCallHelpers& jit, const StackmapGenerationParams&) {
288                 CCallHelpers::Jump jump = jit.jump();
289                 jit.addLinkTask(
290                     [=] (LinkBuffer& linkBuffer) {
291                         linkBuffer.link(jump, linkBuffer.locationOf(*exceptionHandler));
292                     });
293             });
294         m_out.unreachable();
295
296         for (DFG::BasicBlock* block : preOrder)
297             compileBlock(block);
298
299         // Make sure everything is decorated. This does a bunch of deferred decorating. This has
300         // to happen last because our abstract heaps are generated lazily. They have to be
301         // generated lazily because we have an infiniten number of numbered, indexed, and
302         // absolute heaps. We only become aware of the ones we actually mention while lowering.
303         m_heaps.computeRangesAndDecorateInstructions();
304
305         // We create all Phi's up front, but we may then decide not to compile the basic block
306         // that would have contained one of them. So this creates orphans, which triggers B3
307         // validation failures. Calling this fixes the issue.
308         //
309         // Note that you should avoid the temptation to make this call conditional upon
310         // validation being enabled. B3 makes no guarantees of any kind of correctness when
311         // dealing with IR that would have failed validation. For example, it would be valid to
312         // write a B3 phase that so aggressively assumes the lack of orphans that it would crash
313         // if any orphans were around. We might even have such phases already.
314         m_proc.deleteOrphans();
315
316         // We put the blocks into the B3 procedure in a super weird order. Now we reorder them.
317         m_out.applyBlockOrder();
318     }
319
320 private:
321     
322     void createPhiVariables()
323     {
324         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
325             DFG::BasicBlock* block = m_graph.block(blockIndex);
326             if (!block)
327                 continue;
328             for (unsigned nodeIndex = block->size(); nodeIndex--;) {
329                 Node* node = block->at(nodeIndex);
330                 if (node->op() != DFG::Phi)
331                     continue;
332                 LType type;
333                 switch (node->flags() & NodeResultMask) {
334                 case NodeResultDouble:
335                     type = Double;
336                     break;
337                 case NodeResultInt32:
338                     type = Int32;
339                     break;
340                 case NodeResultInt52:
341                     type = Int64;
342                     break;
343                 case NodeResultBoolean:
344                     type = Int32;
345                     break;
346                 case NodeResultJS:
347                     type = Int64;
348                     break;
349                 default:
350                     DFG_CRASH(m_graph, node, "Bad Phi node result type");
351                     break;
352                 }
353                 m_phis.add(node, m_proc.add<Value>(B3::Phi, type, Origin(node)));
354             }
355         }
356     }
357     
358     void compileBlock(DFG::BasicBlock* block)
359     {
360         if (!block)
361             return;
362         
363         if (verboseCompilationEnabled())
364             dataLog("Compiling block ", *block, "\n");
365         
366         m_highBlock = block;
367         
368         // Make sure that any blocks created while lowering code in the high block have the frequency of
369         // the high block. This is appropriate because B3 doesn't need precise frequencies. It just needs
370         // something roughly approximate for things like register allocation.
371         m_out.setFrequency(m_highBlock->executionCount);
372         
373         LBasicBlock lowBlock = m_blocks.get(m_highBlock);
374         
375         m_nextHighBlock = 0;
376         for (BlockIndex nextBlockIndex = m_highBlock->index + 1; nextBlockIndex < m_graph.numBlocks(); ++nextBlockIndex) {
377             m_nextHighBlock = m_graph.block(nextBlockIndex);
378             if (m_nextHighBlock)
379                 break;
380         }
381         m_nextLowBlock = m_nextHighBlock ? m_blocks.get(m_nextHighBlock) : 0;
382         
383         // All of this effort to find the next block gives us the ability to keep the
384         // generated IR in roughly program order. This ought not affect the performance
385         // of the generated code (since we expect B3 to reorder things) but it will
386         // make IR dumps easier to read.
387         m_out.appendTo(lowBlock, m_nextLowBlock);
388         
389         if (Options::ftlCrashes())
390             m_out.trap();
391         
392         if (!m_highBlock->cfaHasVisited) {
393             if (verboseCompilationEnabled())
394                 dataLog("Bailing because CFA didn't reach.\n");
395             crash(m_highBlock, nullptr);
396             return;
397         }
398         
399         m_availabilityCalculator.beginBlock(m_highBlock);
400         
401         m_state.reset();
402         m_state.beginBasicBlock(m_highBlock);
403         
404         for (m_nodeIndex = 0; m_nodeIndex < m_highBlock->size(); ++m_nodeIndex) {
405             if (!compileNode(m_nodeIndex))
406                 break;
407         }
408     }
409
410     void safelyInvalidateAfterTermination()
411     {
412         if (verboseCompilationEnabled())
413             dataLog("Bailing.\n");
414         crash();
415
416         // Invalidate dominated blocks. Under normal circumstances we would expect
417         // them to be invalidated already. But you can have the CFA become more
418         // precise over time because the structures of objects change on the main
419         // thread. Failing to do this would result in weird crashes due to a value
420         // being used but not defined. Race conditions FTW!
421         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
422             DFG::BasicBlock* target = m_graph.block(blockIndex);
423             if (!target)
424                 continue;
425             if (m_graph.m_dominators->dominates(m_highBlock, target)) {
426                 if (verboseCompilationEnabled())
427                     dataLog("Block ", *target, " will bail also.\n");
428                 target->cfaHasVisited = false;
429             }
430         }
431     }
432
433     bool compileNode(unsigned nodeIndex)
434     {
435         if (!m_state.isValid()) {
436             safelyInvalidateAfterTermination();
437             return false;
438         }
439         
440         m_node = m_highBlock->at(nodeIndex);
441         m_origin = m_node->origin;
442         m_out.setOrigin(m_node);
443         
444         if (verboseCompilationEnabled())
445             dataLog("Lowering ", m_node, "\n");
446         
447         m_availableRecoveries.resize(0);
448         
449         m_interpreter.startExecuting();
450         m_interpreter.executeKnownEdgeTypes(m_node);
451         
452         switch (m_node->op()) {
453         case DFG::Upsilon:
454             compileUpsilon();
455             break;
456         case DFG::Phi:
457             compilePhi();
458             break;
459         case JSConstant:
460             break;
461         case DoubleConstant:
462             compileDoubleConstant();
463             break;
464         case Int52Constant:
465             compileInt52Constant();
466             break;
467         case LazyJSConstant:
468             compileLazyJSConstant();
469             break;
470         case DoubleRep:
471             compileDoubleRep();
472             break;
473         case DoubleAsInt32:
474             compileDoubleAsInt32();
475             break;
476         case DFG::ValueRep:
477             compileValueRep();
478             break;
479         case Int52Rep:
480             compileInt52Rep();
481             break;
482         case ValueToInt32:
483             compileValueToInt32();
484             break;
485         case BooleanToNumber:
486             compileBooleanToNumber();
487             break;
488         case ExtractOSREntryLocal:
489             compileExtractOSREntryLocal();
490             break;
491         case GetStack:
492             compileGetStack();
493             break;
494         case PutStack:
495             compilePutStack();
496             break;
497         case DFG::Check:
498             compileNoOp();
499             break;
500         case CallObjectConstructor:
501             compileCallObjectConstructor();
502             break;
503         case ToThis:
504             compileToThis();
505             break;
506         case ValueAdd:
507             compileValueAdd();
508             break;
509         case StrCat:
510             compileStrCat();
511             break;
512         case ArithAdd:
513         case ArithSub:
514             compileArithAddOrSub();
515             break;
516         case ArithClz32:
517             compileArithClz32();
518             break;
519         case ArithMul:
520             compileArithMul();
521             break;
522         case ArithDiv:
523             compileArithDiv();
524             break;
525         case ArithMod:
526             compileArithMod();
527             break;
528         case ArithMin:
529         case ArithMax:
530             compileArithMinOrMax();
531             break;
532         case ArithAbs:
533             compileArithAbs();
534             break;
535         case ArithSin:
536             compileArithSin();
537             break;
538         case ArithCos:
539             compileArithCos();
540             break;
541         case ArithPow:
542             compileArithPow();
543             break;
544         case ArithRandom:
545             compileArithRandom();
546             break;
547         case ArithRound:
548             compileArithRound();
549             break;
550         case ArithFloor:
551             compileArithFloor();
552             break;
553         case ArithCeil:
554             compileArithCeil();
555             break;
556         case ArithTrunc:
557             compileArithTrunc();
558             break;
559         case ArithSqrt:
560             compileArithSqrt();
561             break;
562         case ArithLog:
563             compileArithLog();
564             break;
565         case ArithFRound:
566             compileArithFRound();
567             break;
568         case ArithNegate:
569             compileArithNegate();
570             break;
571         case DFG::BitAnd:
572             compileBitAnd();
573             break;
574         case DFG::BitOr:
575             compileBitOr();
576             break;
577         case DFG::BitXor:
578             compileBitXor();
579             break;
580         case BitRShift:
581             compileBitRShift();
582             break;
583         case BitLShift:
584             compileBitLShift();
585             break;
586         case BitURShift:
587             compileBitURShift();
588             break;
589         case UInt32ToNumber:
590             compileUInt32ToNumber();
591             break;
592         case CheckStructure:
593             compileCheckStructure();
594             break;
595         case CheckCell:
596             compileCheckCell();
597             break;
598         case CheckNotEmpty:
599             compileCheckNotEmpty();
600             break;
601         case CheckBadCell:
602             compileCheckBadCell();
603             break;
604         case CheckIdent:
605             compileCheckIdent();
606             break;
607         case GetExecutable:
608             compileGetExecutable();
609             break;
610         case ArrayifyToStructure:
611             compileArrayifyToStructure();
612             break;
613         case PutStructure:
614             compilePutStructure();
615             break;
616         case TryGetById:
617             compileGetById(AccessType::GetPure);
618             break;
619         case GetById:
620         case GetByIdFlush:
621             compileGetById(AccessType::Get);
622             break;
623         case GetByIdWithThis:
624             compileGetByIdWithThis();
625             break;
626         case In:
627             compileIn();
628             break;
629         case PutById:
630         case PutByIdDirect:
631         case PutByIdFlush:
632             compilePutById();
633             break;
634         case PutByIdWithThis:
635             compilePutByIdWithThis();
636             break;
637         case PutGetterById:
638         case PutSetterById:
639             compilePutAccessorById();
640             break;
641         case PutGetterSetterById:
642             compilePutGetterSetterById();
643             break;
644         case PutGetterByVal:
645         case PutSetterByVal:
646             compilePutAccessorByVal();
647             break;
648         case GetButterfly:
649             compileGetButterfly();
650             break;
651         case ConstantStoragePointer:
652             compileConstantStoragePointer();
653             break;
654         case GetIndexedPropertyStorage:
655             compileGetIndexedPropertyStorage();
656             break;
657         case CheckArray:
658             compileCheckArray();
659             break;
660         case GetArrayLength:
661             compileGetArrayLength();
662             break;
663         case CheckInBounds:
664             compileCheckInBounds();
665             break;
666         case GetByVal:
667             compileGetByVal();
668             break;
669         case GetMyArgumentByVal:
670         case GetMyArgumentByValOutOfBounds:
671             compileGetMyArgumentByVal();
672             break;
673         case GetByValWithThis:
674             compileGetByValWithThis();
675             break;
676         case PutByVal:
677         case PutByValAlias:
678         case PutByValDirect:
679             compilePutByVal();
680             break;
681         case PutByValWithThis:
682             compilePutByValWithThis();
683             break;
684         case ArrayPush:
685             compileArrayPush();
686             break;
687         case ArrayPop:
688             compileArrayPop();
689             break;
690         case CreateActivation:
691             compileCreateActivation();
692             break;
693         case NewFunction:
694         case NewGeneratorFunction:
695             compileNewFunction();
696             break;
697         case CreateDirectArguments:
698             compileCreateDirectArguments();
699             break;
700         case CreateScopedArguments:
701             compileCreateScopedArguments();
702             break;
703         case CreateClonedArguments:
704             compileCreateClonedArguments();
705             break;
706         case NewObject:
707             compileNewObject();
708             break;
709         case NewArray:
710             compileNewArray();
711             break;
712         case NewArrayBuffer:
713             compileNewArrayBuffer();
714             break;
715         case NewArrayWithSize:
716             compileNewArrayWithSize();
717             break;
718         case NewTypedArray:
719             compileNewTypedArray();
720             break;
721         case GetTypedArrayByteOffset:
722             compileGetTypedArrayByteOffset();
723             break;
724         case AllocatePropertyStorage:
725             compileAllocatePropertyStorage();
726             break;
727         case ReallocatePropertyStorage:
728             compileReallocatePropertyStorage();
729             break;
730         case ToNumber:
731             compileToNumber();
732             break;
733         case ToString:
734         case CallStringConstructor:
735             compileToStringOrCallStringConstructor();
736             break;
737         case ToPrimitive:
738             compileToPrimitive();
739             break;
740         case MakeRope:
741             compileMakeRope();
742             break;
743         case StringCharAt:
744             compileStringCharAt();
745             break;
746         case StringCharCodeAt:
747             compileStringCharCodeAt();
748             break;
749         case StringFromCharCode:
750             compileStringFromCharCode();
751             break;
752         case GetByOffset:
753         case GetGetterSetterByOffset:
754             compileGetByOffset();
755             break;
756         case GetGetter:
757             compileGetGetter();
758             break;
759         case GetSetter:
760             compileGetSetter();
761             break;
762         case MultiGetByOffset:
763             compileMultiGetByOffset();
764             break;
765         case PutByOffset:
766             compilePutByOffset();
767             break;
768         case MultiPutByOffset:
769             compileMultiPutByOffset();
770             break;
771         case GetGlobalVar:
772         case GetGlobalLexicalVariable:
773             compileGetGlobalVariable();
774             break;
775         case PutGlobalVariable:
776             compilePutGlobalVariable();
777             break;
778         case NotifyWrite:
779             compileNotifyWrite();
780             break;
781         case GetCallee:
782             compileGetCallee();
783             break;
784         case GetArgumentCountIncludingThis:
785             compileGetArgumentCountIncludingThis();
786             break;
787         case GetScope:
788             compileGetScope();
789             break;
790         case SkipScope:
791             compileSkipScope();
792             break;
793         case GetGlobalObject:
794             compileGetGlobalObject();
795             break;
796         case GetClosureVar:
797             compileGetClosureVar();
798             break;
799         case PutClosureVar:
800             compilePutClosureVar();
801             break;
802         case GetFromArguments:
803             compileGetFromArguments();
804             break;
805         case PutToArguments:
806             compilePutToArguments();
807             break;
808         case CompareEq:
809             compileCompareEq();
810             break;
811         case CompareStrictEq:
812             compileCompareStrictEq();
813             break;
814         case CompareLess:
815             compileCompareLess();
816             break;
817         case CompareLessEq:
818             compileCompareLessEq();
819             break;
820         case CompareGreater:
821             compileCompareGreater();
822             break;
823         case CompareGreaterEq:
824             compileCompareGreaterEq();
825             break;
826         case CompareEqPtr:
827             compileCompareEqPtr();
828             break;
829         case LogicalNot:
830             compileLogicalNot();
831             break;
832         case Call:
833         case TailCallInlinedCaller:
834         case Construct:
835             compileCallOrConstruct();
836             break;
837         case TailCall:
838             compileTailCall();
839             break;
840         case CallVarargs:
841         case CallForwardVarargs:
842         case TailCallVarargs:
843         case TailCallVarargsInlinedCaller:
844         case TailCallForwardVarargs:
845         case TailCallForwardVarargsInlinedCaller:
846         case ConstructVarargs:
847         case ConstructForwardVarargs:
848             compileCallOrConstructVarargs();
849             break;
850         case CallEval:
851             compileCallEval();
852             break;
853         case LoadVarargs:
854             compileLoadVarargs();
855             break;
856         case ForwardVarargs:
857             compileForwardVarargs();
858             break;
859         case DFG::Jump:
860             compileJump();
861             break;
862         case DFG::Branch:
863             compileBranch();
864             break;
865         case DFG::Switch:
866             compileSwitch();
867             break;
868         case DFG::Return:
869             compileReturn();
870             break;
871         case ForceOSRExit:
872             compileForceOSRExit();
873             break;
874         case Throw:
875         case ThrowReferenceError:
876             compileThrow();
877             break;
878         case InvalidationPoint:
879             compileInvalidationPoint();
880             break;
881         case IsEmpty:
882             compileIsEmpty();
883             break;
884         case IsUndefined:
885             compileIsUndefined();
886             break;
887         case IsBoolean:
888             compileIsBoolean();
889             break;
890         case IsNumber:
891             compileIsNumber();
892             break;
893         case IsString:
894             compileIsString();
895             break;
896         case IsJSArray:
897             compileIsJSArray();
898             break;
899         case IsObject:
900             compileIsObject();
901             break;
902         case IsObjectOrNull:
903             compileIsObjectOrNull();
904             break;
905         case IsFunction:
906             compileIsFunction();
907             break;
908         case IsRegExpObject:
909             compileIsRegExpObject();
910             break;
911         case IsTypedArrayView:
912             compileIsTypedArrayView();
913             break;
914         case TypeOf:
915             compileTypeOf();
916             break;
917         case CheckTypeInfoFlags:
918             compileCheckTypeInfoFlags();
919             break;
920         case OverridesHasInstance:
921             compileOverridesHasInstance();
922             break;
923         case InstanceOf:
924             compileInstanceOf();
925             break;
926         case InstanceOfCustom:
927             compileInstanceOfCustom();
928             break;
929         case CountExecution:
930             compileCountExecution();
931             break;
932         case StoreBarrier:
933             compileStoreBarrier();
934             break;
935         case HasIndexedProperty:
936             compileHasIndexedProperty();
937             break;
938         case HasGenericProperty:
939             compileHasGenericProperty();
940             break;
941         case HasStructureProperty:
942             compileHasStructureProperty();
943             break;
944         case GetDirectPname:
945             compileGetDirectPname();
946             break;
947         case GetEnumerableLength:
948             compileGetEnumerableLength();
949             break;
950         case GetPropertyEnumerator:
951             compileGetPropertyEnumerator();
952             break;
953         case GetEnumeratorStructurePname:
954             compileGetEnumeratorStructurePname();
955             break;
956         case GetEnumeratorGenericPname:
957             compileGetEnumeratorGenericPname();
958             break;
959         case ToIndexString:
960             compileToIndexString();
961             break;
962         case CheckStructureImmediate:
963             compileCheckStructureImmediate();
964             break;
965         case MaterializeNewObject:
966             compileMaterializeNewObject();
967             break;
968         case MaterializeCreateActivation:
969             compileMaterializeCreateActivation();
970             break;
971         case CheckWatchdogTimer:
972             compileCheckWatchdogTimer();
973             break;
974         case CopyRest:
975             compileCopyRest();
976             break;
977         case GetRestLength:
978             compileGetRestLength();
979             break;
980         case RegExpExec:
981             compileRegExpExec();
982             break;
983         case RegExpTest:
984             compileRegExpTest();
985             break;
986         case NewRegexp:
987             compileNewRegexp();
988             break;
989         case SetFunctionName:
990             compileSetFunctionName();
991             break;
992         case StringReplace:
993         case StringReplaceRegExp:
994             compileStringReplace();
995             break;
996         case GetRegExpObjectLastIndex:
997             compileGetRegExpObjectLastIndex();
998             break;
999         case SetRegExpObjectLastIndex:
1000             compileSetRegExpObjectLastIndex();
1001             break;
1002         case LogShadowChickenPrologue:
1003             compileLogShadowChickenPrologue();
1004             break;
1005         case LogShadowChickenTail:
1006             compileLogShadowChickenTail();
1007             break;
1008         case RecordRegExpCachedResult:
1009             compileRecordRegExpCachedResult();
1010             break;
1011         case ResolveScope:
1012             compileResolveScope();
1013             break;
1014         case GetDynamicVar:
1015             compileGetDynamicVar();
1016             break;
1017         case PutDynamicVar:
1018             compilePutDynamicVar();
1019             break;
1020         case Unreachable:
1021             compileUnreachable();
1022             break;
1023
1024         case PhantomLocal:
1025         case LoopHint:
1026         case MovHint:
1027         case ZombieHint:
1028         case ExitOK:
1029         case PhantomNewObject:
1030         case PhantomNewFunction:
1031         case PhantomNewGeneratorFunction:
1032         case PhantomCreateActivation:
1033         case PhantomDirectArguments:
1034         case PhantomClonedArguments:
1035         case PutHint:
1036         case BottomValue:
1037         case KillStack:
1038             break;
1039         default:
1040             DFG_CRASH(m_graph, m_node, "Unrecognized node in FTL backend");
1041             break;
1042         }
1043         
1044         if (m_node->isTerminal())
1045             return false;
1046         
1047         if (!m_state.isValid()) {
1048             safelyInvalidateAfterTermination();
1049             return false;
1050         }
1051
1052         m_availabilityCalculator.executeNode(m_node);
1053         m_interpreter.executeEffects(nodeIndex);
1054         
1055         return true;
1056     }
1057
1058     void compileUpsilon()
1059     {
1060         LValue upsilonValue = nullptr;
1061         switch (m_node->child1().useKind()) {
1062         case DoubleRepUse:
1063             upsilonValue = lowDouble(m_node->child1());
1064             break;
1065         case Int32Use:
1066         case KnownInt32Use:
1067             upsilonValue = lowInt32(m_node->child1());
1068             break;
1069         case Int52RepUse:
1070             upsilonValue = lowInt52(m_node->child1());
1071             break;
1072         case BooleanUse:
1073         case KnownBooleanUse:
1074             upsilonValue = lowBoolean(m_node->child1());
1075             break;
1076         case CellUse:
1077         case KnownCellUse:
1078             upsilonValue = lowCell(m_node->child1());
1079             break;
1080         case UntypedUse:
1081             upsilonValue = lowJSValue(m_node->child1());
1082             break;
1083         default:
1084             DFG_CRASH(m_graph, m_node, "Bad use kind");
1085             break;
1086         }
1087         ValueFromBlock upsilon = m_out.anchor(upsilonValue);
1088         LValue phiNode = m_phis.get(m_node->phi());
1089         m_out.addIncomingToPhi(phiNode, upsilon);
1090     }
1091     
1092     void compilePhi()
1093     {
1094         LValue phi = m_phis.get(m_node);
1095         m_out.m_block->append(phi);
1096
1097         switch (m_node->flags() & NodeResultMask) {
1098         case NodeResultDouble:
1099             setDouble(phi);
1100             break;
1101         case NodeResultInt32:
1102             setInt32(phi);
1103             break;
1104         case NodeResultInt52:
1105             setInt52(phi);
1106             break;
1107         case NodeResultBoolean:
1108             setBoolean(phi);
1109             break;
1110         case NodeResultJS:
1111             setJSValue(phi);
1112             break;
1113         default:
1114             DFG_CRASH(m_graph, m_node, "Bad use kind");
1115             break;
1116         }
1117     }
1118     
1119     void compileDoubleConstant()
1120     {
1121         setDouble(m_out.constDouble(m_node->asNumber()));
1122     }
1123     
1124     void compileInt52Constant()
1125     {
1126         int64_t value = m_node->asAnyInt();
1127         
1128         setInt52(m_out.constInt64(value << JSValue::int52ShiftAmount));
1129         setStrictInt52(m_out.constInt64(value));
1130     }
1131
1132     void compileLazyJSConstant()
1133     {
1134         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
1135         LazyJSValue value = m_node->lazyJSValue();
1136         patchpoint->setGenerator(
1137             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
1138                 value.emit(jit, JSValueRegs(params[0].gpr()));
1139             });
1140         patchpoint->effects = Effects::none();
1141         setJSValue(patchpoint);
1142     }
1143
1144     void compileDoubleRep()
1145     {
1146         switch (m_node->child1().useKind()) {
1147         case RealNumberUse: {
1148             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1149             
1150             LValue doubleValue = unboxDouble(value);
1151             
1152             LBasicBlock intCase = m_out.newBlock();
1153             LBasicBlock continuation = m_out.newBlock();
1154             
1155             ValueFromBlock fastResult = m_out.anchor(doubleValue);
1156             m_out.branch(
1157                 m_out.doubleEqual(doubleValue, doubleValue),
1158                 usually(continuation), rarely(intCase));
1159             
1160             LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
1161
1162             FTL_TYPE_CHECK(
1163                 jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
1164                 isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
1165             ValueFromBlock slowResult = m_out.anchor(m_out.intToDouble(unboxInt32(value)));
1166             m_out.jump(continuation);
1167             
1168             m_out.appendTo(continuation, lastNext);
1169             
1170             setDouble(m_out.phi(Double, fastResult, slowResult));
1171             return;
1172         }
1173             
1174         case NotCellUse:
1175         case NumberUse: {
1176             bool shouldConvertNonNumber = m_node->child1().useKind() == NotCellUse;
1177             
1178             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
1179
1180             LBasicBlock intCase = m_out.newBlock();
1181             LBasicBlock doubleTesting = m_out.newBlock();
1182             LBasicBlock doubleCase = m_out.newBlock();
1183             LBasicBlock nonDoubleCase = m_out.newBlock();
1184             LBasicBlock continuation = m_out.newBlock();
1185             
1186             m_out.branch(
1187                 isNotInt32(value, provenType(m_node->child1())),
1188                 unsure(doubleTesting), unsure(intCase));
1189             
1190             LBasicBlock lastNext = m_out.appendTo(intCase, doubleTesting);
1191             
1192             ValueFromBlock intToDouble = m_out.anchor(
1193                 m_out.intToDouble(unboxInt32(value)));
1194             m_out.jump(continuation);
1195             
1196             m_out.appendTo(doubleTesting, doubleCase);
1197             LValue valueIsNumber = isNumber(value, provenType(m_node->child1()));
1198             m_out.branch(valueIsNumber, usually(doubleCase), rarely(nonDoubleCase));
1199
1200             m_out.appendTo(doubleCase, nonDoubleCase);
1201             ValueFromBlock unboxedDouble = m_out.anchor(unboxDouble(value));
1202             m_out.jump(continuation);
1203
1204             if (shouldConvertNonNumber) {
1205                 LBasicBlock undefinedCase = m_out.newBlock();
1206                 LBasicBlock testNullCase = m_out.newBlock();
1207                 LBasicBlock nullCase = m_out.newBlock();
1208                 LBasicBlock testBooleanTrueCase = m_out.newBlock();
1209                 LBasicBlock convertBooleanTrueCase = m_out.newBlock();
1210                 LBasicBlock convertBooleanFalseCase = m_out.newBlock();
1211
1212                 m_out.appendTo(nonDoubleCase, undefinedCase);
1213                 LValue valueIsUndefined = m_out.equal(value, m_out.constInt64(ValueUndefined));
1214                 m_out.branch(valueIsUndefined, unsure(undefinedCase), unsure(testNullCase));
1215
1216                 m_out.appendTo(undefinedCase, testNullCase);
1217                 ValueFromBlock convertedUndefined = m_out.anchor(m_out.constDouble(PNaN));
1218                 m_out.jump(continuation);
1219
1220                 m_out.appendTo(testNullCase, nullCase);
1221                 LValue valueIsNull = m_out.equal(value, m_out.constInt64(ValueNull));
1222                 m_out.branch(valueIsNull, unsure(nullCase), unsure(testBooleanTrueCase));
1223
1224                 m_out.appendTo(nullCase, testBooleanTrueCase);
1225                 ValueFromBlock convertedNull = m_out.anchor(m_out.constDouble(0));
1226                 m_out.jump(continuation);
1227
1228                 m_out.appendTo(testBooleanTrueCase, convertBooleanTrueCase);
1229                 LValue valueIsBooleanTrue = m_out.equal(value, m_out.constInt64(ValueTrue));
1230                 m_out.branch(valueIsBooleanTrue, unsure(convertBooleanTrueCase), unsure(convertBooleanFalseCase));
1231
1232                 m_out.appendTo(convertBooleanTrueCase, convertBooleanFalseCase);
1233                 ValueFromBlock convertedTrue = m_out.anchor(m_out.constDouble(1));
1234                 m_out.jump(continuation);
1235
1236                 m_out.appendTo(convertBooleanFalseCase, continuation);
1237
1238                 LValue valueIsNotBooleanFalse = m_out.notEqual(value, m_out.constInt64(ValueFalse));
1239                 FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), ~SpecCell, valueIsNotBooleanFalse);
1240                 ValueFromBlock convertedFalse = m_out.anchor(m_out.constDouble(0));
1241                 m_out.jump(continuation);
1242
1243                 m_out.appendTo(continuation, lastNext);
1244                 setDouble(m_out.phi(Double, intToDouble, unboxedDouble, convertedUndefined, convertedNull, convertedTrue, convertedFalse));
1245                 return;
1246             }
1247             m_out.appendTo(nonDoubleCase, continuation);
1248             FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), SpecBytecodeNumber, m_out.booleanTrue);
1249             m_out.unreachable();
1250
1251             m_out.appendTo(continuation, lastNext);
1252
1253             setDouble(m_out.phi(Double, intToDouble, unboxedDouble));
1254             return;
1255         }
1256             
1257         case Int52RepUse: {
1258             setDouble(strictInt52ToDouble(lowStrictInt52(m_node->child1())));
1259             return;
1260         }
1261             
1262         default:
1263             DFG_CRASH(m_graph, m_node, "Bad use kind");
1264         }
1265     }
1266
1267     void compileDoubleAsInt32()
1268     {
1269         LValue integerValue = convertDoubleToInt32(lowDouble(m_node->child1()), shouldCheckNegativeZero(m_node->arithMode()));
1270         setInt32(integerValue);
1271     }
1272
1273     void compileValueRep()
1274     {
1275         switch (m_node->child1().useKind()) {
1276         case DoubleRepUse: {
1277             LValue value = lowDouble(m_node->child1());
1278             
1279             if (m_interpreter.needsTypeCheck(m_node->child1(), ~SpecDoubleImpureNaN)) {
1280                 value = m_out.select(
1281                     m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN));
1282             }
1283             
1284             setJSValue(boxDouble(value));
1285             return;
1286         }
1287             
1288         case Int52RepUse: {
1289             setJSValue(strictInt52ToJSValue(lowStrictInt52(m_node->child1())));
1290             return;
1291         }
1292             
1293         default:
1294             DFG_CRASH(m_graph, m_node, "Bad use kind");
1295         }
1296     }
1297     
1298     void compileInt52Rep()
1299     {
1300         switch (m_node->child1().useKind()) {
1301         case Int32Use:
1302             setStrictInt52(m_out.signExt32To64(lowInt32(m_node->child1())));
1303             return;
1304             
1305         case AnyIntUse:
1306             setStrictInt52(
1307                 jsValueToStrictInt52(
1308                     m_node->child1(), lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1309             return;
1310             
1311         case DoubleRepAnyIntUse:
1312             setStrictInt52(
1313                 doubleToStrictInt52(
1314                     m_node->child1(), lowDouble(m_node->child1())));
1315             return;
1316             
1317         default:
1318             RELEASE_ASSERT_NOT_REACHED();
1319         }
1320     }
1321     
1322     void compileValueToInt32()
1323     {
1324         switch (m_node->child1().useKind()) {
1325         case Int52RepUse:
1326             setInt32(m_out.castToInt32(lowStrictInt52(m_node->child1())));
1327             break;
1328             
1329         case DoubleRepUse:
1330             setInt32(doubleToInt32(lowDouble(m_node->child1())));
1331             break;
1332             
1333         case NumberUse:
1334         case NotCellUse: {
1335             LoweredNodeValue value = m_int32Values.get(m_node->child1().node());
1336             if (isValid(value)) {
1337                 setInt32(value.value());
1338                 break;
1339             }
1340             
1341             value = m_jsValueValues.get(m_node->child1().node());
1342             if (isValid(value)) {
1343                 setInt32(numberOrNotCellToInt32(m_node->child1(), value.value()));
1344                 break;
1345             }
1346             
1347             // We'll basically just get here for constants. But it's good to have this
1348             // catch-all since we often add new representations into the mix.
1349             setInt32(
1350                 numberOrNotCellToInt32(
1351                     m_node->child1(),
1352                     lowJSValue(m_node->child1(), ManualOperandSpeculation)));
1353             break;
1354         }
1355             
1356         default:
1357             DFG_CRASH(m_graph, m_node, "Bad use kind");
1358             break;
1359         }
1360     }
1361     
1362     void compileBooleanToNumber()
1363     {
1364         switch (m_node->child1().useKind()) {
1365         case BooleanUse: {
1366             setInt32(m_out.zeroExt(lowBoolean(m_node->child1()), Int32));
1367             return;
1368         }
1369             
1370         case UntypedUse: {
1371             LValue value = lowJSValue(m_node->child1());
1372             
1373             if (!m_interpreter.needsTypeCheck(m_node->child1(), SpecBoolInt32 | SpecBoolean)) {
1374                 setInt32(m_out.bitAnd(m_out.castToInt32(value), m_out.int32One));
1375                 return;
1376             }
1377             
1378             LBasicBlock booleanCase = m_out.newBlock();
1379             LBasicBlock continuation = m_out.newBlock();
1380             
1381             ValueFromBlock notBooleanResult = m_out.anchor(value);
1382             m_out.branch(
1383                 isBoolean(value, provenType(m_node->child1())),
1384                 unsure(booleanCase), unsure(continuation));
1385             
1386             LBasicBlock lastNext = m_out.appendTo(booleanCase, continuation);
1387             ValueFromBlock booleanResult = m_out.anchor(m_out.bitOr(
1388                 m_out.zeroExt(unboxBoolean(value), Int64), m_tagTypeNumber));
1389             m_out.jump(continuation);
1390             
1391             m_out.appendTo(continuation, lastNext);
1392             setJSValue(m_out.phi(Int64, booleanResult, notBooleanResult));
1393             return;
1394         }
1395             
1396         default:
1397             RELEASE_ASSERT_NOT_REACHED();
1398             return;
1399         }
1400     }
1401
1402     void compileExtractOSREntryLocal()
1403     {
1404         EncodedJSValue* buffer = static_cast<EncodedJSValue*>(
1405             m_ftlState.jitCode->ftlForOSREntry()->entryBuffer()->dataBuffer());
1406         setJSValue(m_out.load64(m_out.absolute(buffer + m_node->unlinkedLocal().toLocal())));
1407     }
1408     
1409     void compileGetStack()
1410     {
1411         // GetLocals arise only for captured variables and arguments. For arguments, we might have
1412         // already loaded it.
1413         if (LValue value = m_loadedArgumentValues.get(m_node)) {
1414             setJSValue(value);
1415             return;
1416         }
1417         
1418         StackAccessData* data = m_node->stackAccessData();
1419         AbstractValue& value = m_state.variables().operand(data->local);
1420         
1421         DFG_ASSERT(m_graph, m_node, isConcrete(data->format));
1422         DFG_ASSERT(m_graph, m_node, data->format != FlushedDouble); // This just happens to not arise for GetStacks, right now. It would be trivial to support.
1423         
1424         if (isInt32Speculation(value.m_type))
1425             setInt32(m_out.load32(payloadFor(data->machineLocal)));
1426         else
1427             setJSValue(m_out.load64(addressFor(data->machineLocal)));
1428     }
1429     
1430     void compilePutStack()
1431     {
1432         StackAccessData* data = m_node->stackAccessData();
1433         switch (data->format) {
1434         case FlushedJSValue: {
1435             LValue value = lowJSValue(m_node->child1());
1436             m_out.store64(value, addressFor(data->machineLocal));
1437             break;
1438         }
1439             
1440         case FlushedDouble: {
1441             LValue value = lowDouble(m_node->child1());
1442             m_out.storeDouble(value, addressFor(data->machineLocal));
1443             break;
1444         }
1445             
1446         case FlushedInt32: {
1447             LValue value = lowInt32(m_node->child1());
1448             m_out.store32(value, payloadFor(data->machineLocal));
1449             break;
1450         }
1451             
1452         case FlushedInt52: {
1453             LValue value = lowInt52(m_node->child1());
1454             m_out.store64(value, addressFor(data->machineLocal));
1455             break;
1456         }
1457             
1458         case FlushedCell: {
1459             LValue value = lowCell(m_node->child1());
1460             m_out.store64(value, addressFor(data->machineLocal));
1461             break;
1462         }
1463             
1464         case FlushedBoolean: {
1465             speculateBoolean(m_node->child1());
1466             m_out.store64(
1467                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
1468                 addressFor(data->machineLocal));
1469             break;
1470         }
1471             
1472         default:
1473             DFG_CRASH(m_graph, m_node, "Bad flush format");
1474             break;
1475         }
1476     }
1477     
1478     void compileNoOp()
1479     {
1480         DFG_NODE_DO_TO_CHILDREN(m_graph, m_node, speculate);
1481     }
1482
1483     void compileCallObjectConstructor()
1484     {
1485         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
1486         LValue value = lowJSValue(m_node->child1());
1487
1488         LBasicBlock isCellCase = m_out.newBlock();
1489         LBasicBlock slowCase = m_out.newBlock();
1490         LBasicBlock continuation = m_out.newBlock();
1491
1492         m_out.branch(isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
1493
1494         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
1495         ValueFromBlock fastResult = m_out.anchor(value);
1496         m_out.branch(isObject(value), usually(continuation), rarely(slowCase));
1497
1498         m_out.appendTo(slowCase, continuation);
1499         ValueFromBlock slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationObjectConstructor), m_callFrame, m_out.constIntPtr(globalObject), value));
1500         m_out.jump(continuation);
1501
1502         m_out.appendTo(continuation, lastNext);
1503         setJSValue(m_out.phi(Int64, fastResult, slowResult));
1504     }
1505     
1506     void compileToThis()
1507     {
1508         LValue value = lowJSValue(m_node->child1());
1509         
1510         LBasicBlock isCellCase = m_out.newBlock();
1511         LBasicBlock slowCase = m_out.newBlock();
1512         LBasicBlock continuation = m_out.newBlock();
1513         
1514         m_out.branch(
1515             isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
1516         
1517         LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
1518         ValueFromBlock fastResult = m_out.anchor(value);
1519         m_out.branch(
1520             m_out.testIsZero32(
1521                 m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoFlags),
1522                 m_out.constInt32(OverridesToThis)),
1523             usually(continuation), rarely(slowCase));
1524         
1525         m_out.appendTo(slowCase, continuation);
1526         J_JITOperation_EJ function;
1527         if (m_graph.isStrictModeFor(m_node->origin.semantic))
1528             function = operationToThisStrict;
1529         else
1530             function = operationToThis;
1531         ValueFromBlock slowResult = m_out.anchor(
1532             vmCall(Int64, m_out.operation(function), m_callFrame, value));
1533         m_out.jump(continuation);
1534         
1535         m_out.appendTo(continuation, lastNext);
1536         setJSValue(m_out.phi(Int64, fastResult, slowResult));
1537     }
1538     
1539     void compileValueAdd()
1540     {
1541         emitBinarySnippet<JITAddGenerator>(operationValueAdd);
1542     }
1543     
1544     void compileStrCat()
1545     {
1546         LValue result;
1547         if (m_node->child3()) {
1548             result = vmCall(
1549                 Int64, m_out.operation(operationStrCat3), m_callFrame,
1550                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
1551                 lowJSValue(m_node->child2(), ManualOperandSpeculation),
1552                 lowJSValue(m_node->child3(), ManualOperandSpeculation));
1553         } else {
1554             result = vmCall(
1555                 Int64, m_out.operation(operationStrCat2), m_callFrame,
1556                 lowJSValue(m_node->child1(), ManualOperandSpeculation),
1557                 lowJSValue(m_node->child2(), ManualOperandSpeculation));
1558         }
1559         setJSValue(result);
1560     }
1561     
1562     void compileArithAddOrSub()
1563     {
1564         bool isSub =  m_node->op() == ArithSub;
1565         switch (m_node->binaryUseKind()) {
1566         case Int32Use: {
1567             LValue left = lowInt32(m_node->child1());
1568             LValue right = lowInt32(m_node->child2());
1569
1570             if (!shouldCheckOverflow(m_node->arithMode())) {
1571                 setInt32(isSub ? m_out.sub(left, right) : m_out.add(left, right));
1572                 break;
1573             }
1574
1575             CheckValue* result =
1576                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
1577             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
1578             setInt32(result);
1579             break;
1580         }
1581             
1582         case Int52RepUse: {
1583             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)
1584                 && !abstractValue(m_node->child2()).couldBeType(SpecInt52Only)) {
1585                 Int52Kind kind;
1586                 LValue left = lowWhicheverInt52(m_node->child1(), kind);
1587                 LValue right = lowInt52(m_node->child2(), kind);
1588                 setInt52(isSub ? m_out.sub(left, right) : m_out.add(left, right), kind);
1589                 break;
1590             }
1591
1592             LValue left = lowInt52(m_node->child1());
1593             LValue right = lowInt52(m_node->child2());
1594             CheckValue* result =
1595                 isSub ? m_out.speculateSub(left, right) : m_out.speculateAdd(left, right);
1596             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
1597             setInt52(result);
1598             break;
1599         }
1600             
1601         case DoubleRepUse: {
1602             LValue C1 = lowDouble(m_node->child1());
1603             LValue C2 = lowDouble(m_node->child2());
1604
1605             setDouble(isSub ? m_out.doubleSub(C1, C2) : m_out.doubleAdd(C1, C2));
1606             break;
1607         }
1608
1609         case UntypedUse: {
1610             if (!isSub) {
1611                 DFG_CRASH(m_graph, m_node, "Bad use kind");
1612                 break;
1613             }
1614
1615             emitBinarySnippet<JITSubGenerator>(operationValueSub);
1616             break;
1617         }
1618
1619         default:
1620             DFG_CRASH(m_graph, m_node, "Bad use kind");
1621             break;
1622         }
1623     }
1624
1625     void compileArithClz32()
1626     {
1627         LValue operand = lowInt32(m_node->child1());
1628         setInt32(m_out.ctlz32(operand));
1629     }
1630     
1631     void compileArithMul()
1632     {
1633         switch (m_node->binaryUseKind()) {
1634         case Int32Use: {
1635             LValue left = lowInt32(m_node->child1());
1636             LValue right = lowInt32(m_node->child2());
1637             
1638             LValue result;
1639
1640             if (!shouldCheckOverflow(m_node->arithMode()))
1641                 result = m_out.mul(left, right);
1642             else {
1643                 CheckValue* speculation = m_out.speculateMul(left, right);
1644                 blessSpeculation(speculation, Overflow, noValue(), nullptr, m_origin);
1645                 result = speculation;
1646             }
1647             
1648             if (shouldCheckNegativeZero(m_node->arithMode())) {
1649                 LBasicBlock slowCase = m_out.newBlock();
1650                 LBasicBlock continuation = m_out.newBlock();
1651                 
1652                 m_out.branch(
1653                     m_out.notZero32(result), usually(continuation), rarely(slowCase));
1654                 
1655                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
1656                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int32Zero));
1657                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int32Zero));
1658                 m_out.jump(continuation);
1659                 m_out.appendTo(continuation, lastNext);
1660             }
1661             
1662             setInt32(result);
1663             break;
1664         }
1665             
1666         case Int52RepUse: {
1667             Int52Kind kind;
1668             LValue left = lowWhicheverInt52(m_node->child1(), kind);
1669             LValue right = lowInt52(m_node->child2(), opposite(kind));
1670
1671             CheckValue* result = m_out.speculateMul(left, right);
1672             blessSpeculation(result, Overflow, noValue(), nullptr, m_origin);
1673
1674             if (shouldCheckNegativeZero(m_node->arithMode())) {
1675                 LBasicBlock slowCase = m_out.newBlock();
1676                 LBasicBlock continuation = m_out.newBlock();
1677                 
1678                 m_out.branch(
1679                     m_out.notZero64(result), usually(continuation), rarely(slowCase));
1680                 
1681                 LBasicBlock lastNext = m_out.appendTo(slowCase, continuation);
1682                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(left, m_out.int64Zero));
1683                 speculate(NegativeZero, noValue(), nullptr, m_out.lessThan(right, m_out.int64Zero));
1684                 m_out.jump(continuation);
1685                 m_out.appendTo(continuation, lastNext);
1686             }
1687             
1688             setInt52(result);
1689             break;
1690         }
1691             
1692         case DoubleRepUse: {
1693             setDouble(
1694                 m_out.doubleMul(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
1695             break;
1696         }
1697
1698         case UntypedUse: {
1699             emitBinarySnippet<JITMulGenerator>(operationValueMul);
1700             break;
1701         }
1702
1703         default:
1704             DFG_CRASH(m_graph, m_node, "Bad use kind");
1705             break;
1706         }
1707     }
1708
1709     void compileArithDiv()
1710     {
1711         switch (m_node->binaryUseKind()) {
1712         case Int32Use: {
1713             LValue numerator = lowInt32(m_node->child1());
1714             LValue denominator = lowInt32(m_node->child2());
1715
1716             if (shouldCheckNegativeZero(m_node->arithMode())) {
1717                 LBasicBlock zeroNumerator = m_out.newBlock();
1718                 LBasicBlock numeratorContinuation = m_out.newBlock();
1719
1720                 m_out.branch(
1721                     m_out.isZero32(numerator),
1722                     rarely(zeroNumerator), usually(numeratorContinuation));
1723
1724                 LBasicBlock innerLastNext = m_out.appendTo(zeroNumerator, numeratorContinuation);
1725
1726                 speculate(
1727                     NegativeZero, noValue(), 0, m_out.lessThan(denominator, m_out.int32Zero));
1728
1729                 m_out.jump(numeratorContinuation);
1730
1731                 m_out.appendTo(numeratorContinuation, innerLastNext);
1732             }
1733             
1734             if (shouldCheckOverflow(m_node->arithMode())) {
1735                 LBasicBlock unsafeDenominator = m_out.newBlock();
1736                 LBasicBlock continuation = m_out.newBlock();
1737
1738                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
1739                 m_out.branch(
1740                     m_out.above(adjustedDenominator, m_out.int32One),
1741                     usually(continuation), rarely(unsafeDenominator));
1742
1743                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
1744                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
1745                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
1746                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
1747                 m_out.jump(continuation);
1748
1749                 m_out.appendTo(continuation, lastNext);
1750                 LValue result = m_out.div(numerator, denominator);
1751                 speculate(
1752                     Overflow, noValue(), 0,
1753                     m_out.notEqual(m_out.mul(result, denominator), numerator));
1754                 setInt32(result);
1755             } else
1756                 setInt32(m_out.chillDiv(numerator, denominator));
1757
1758             break;
1759         }
1760             
1761         case DoubleRepUse: {
1762             setDouble(m_out.doubleDiv(
1763                 lowDouble(m_node->child1()), lowDouble(m_node->child2())));
1764             break;
1765         }
1766
1767         case UntypedUse: {
1768             emitBinarySnippet<JITDivGenerator, NeedScratchFPR>(operationValueDiv);
1769             break;
1770         }
1771
1772         default:
1773             DFG_CRASH(m_graph, m_node, "Bad use kind");
1774             break;
1775         }
1776     }
1777     
1778     void compileArithMod()
1779     {
1780         switch (m_node->binaryUseKind()) {
1781         case Int32Use: {
1782             LValue numerator = lowInt32(m_node->child1());
1783             LValue denominator = lowInt32(m_node->child2());
1784
1785             LValue remainder;
1786             if (shouldCheckOverflow(m_node->arithMode())) {
1787                 LBasicBlock unsafeDenominator = m_out.newBlock();
1788                 LBasicBlock continuation = m_out.newBlock();
1789
1790                 LValue adjustedDenominator = m_out.add(denominator, m_out.int32One);
1791                 m_out.branch(
1792                     m_out.above(adjustedDenominator, m_out.int32One),
1793                     usually(continuation), rarely(unsafeDenominator));
1794
1795                 LBasicBlock lastNext = m_out.appendTo(unsafeDenominator, continuation);
1796                 LValue neg2ToThe31 = m_out.constInt32(-2147483647-1);
1797                 speculate(Overflow, noValue(), nullptr, m_out.isZero32(denominator));
1798                 speculate(Overflow, noValue(), nullptr, m_out.equal(numerator, neg2ToThe31));
1799                 m_out.jump(continuation);
1800
1801                 m_out.appendTo(continuation, lastNext);
1802                 LValue result = m_out.mod(numerator, denominator);
1803                 remainder = result;
1804             } else
1805                 remainder = m_out.chillMod(numerator, denominator);
1806
1807             if (shouldCheckNegativeZero(m_node->arithMode())) {
1808                 LBasicBlock negativeNumerator = m_out.newBlock();
1809                 LBasicBlock numeratorContinuation = m_out.newBlock();
1810
1811                 m_out.branch(
1812                     m_out.lessThan(numerator, m_out.int32Zero),
1813                     unsure(negativeNumerator), unsure(numeratorContinuation));
1814
1815                 LBasicBlock innerLastNext = m_out.appendTo(negativeNumerator, numeratorContinuation);
1816
1817                 speculate(NegativeZero, noValue(), 0, m_out.isZero32(remainder));
1818
1819                 m_out.jump(numeratorContinuation);
1820
1821                 m_out.appendTo(numeratorContinuation, innerLastNext);
1822             }
1823
1824             setInt32(remainder);
1825             break;
1826         }
1827             
1828         case DoubleRepUse: {
1829             setDouble(
1830                 m_out.doubleMod(lowDouble(m_node->child1()), lowDouble(m_node->child2())));
1831             break;
1832         }
1833             
1834         default:
1835             DFG_CRASH(m_graph, m_node, "Bad use kind");
1836             break;
1837         }
1838     }
1839
1840     void compileArithMinOrMax()
1841     {
1842         switch (m_node->binaryUseKind()) {
1843         case Int32Use: {
1844             LValue left = lowInt32(m_node->child1());
1845             LValue right = lowInt32(m_node->child2());
1846             
1847             setInt32(
1848                 m_out.select(
1849                     m_node->op() == ArithMin
1850                         ? m_out.lessThan(left, right)
1851                         : m_out.lessThan(right, left),
1852                     left, right));
1853             break;
1854         }
1855             
1856         case DoubleRepUse: {
1857             LValue left = lowDouble(m_node->child1());
1858             LValue right = lowDouble(m_node->child2());
1859             
1860             LBasicBlock notLessThan = m_out.newBlock();
1861             LBasicBlock continuation = m_out.newBlock();
1862             
1863             Vector<ValueFromBlock, 2> results;
1864             
1865             results.append(m_out.anchor(left));
1866             m_out.branch(
1867                 m_node->op() == ArithMin
1868                     ? m_out.doubleLessThan(left, right)
1869                     : m_out.doubleGreaterThan(left, right),
1870                 unsure(continuation), unsure(notLessThan));
1871             
1872             LBasicBlock lastNext = m_out.appendTo(notLessThan, continuation);
1873             results.append(m_out.anchor(m_out.select(
1874                 m_node->op() == ArithMin
1875                     ? m_out.doubleGreaterThanOrEqual(left, right)
1876                     : m_out.doubleLessThanOrEqual(left, right),
1877                 right, m_out.constDouble(PNaN))));
1878             m_out.jump(continuation);
1879             
1880             m_out.appendTo(continuation, lastNext);
1881             setDouble(m_out.phi(Double, results));
1882             break;
1883         }
1884             
1885         default:
1886             DFG_CRASH(m_graph, m_node, "Bad use kind");
1887             break;
1888         }
1889     }
1890     
1891     void compileArithAbs()
1892     {
1893         switch (m_node->child1().useKind()) {
1894         case Int32Use: {
1895             LValue value = lowInt32(m_node->child1());
1896
1897             LValue mask = m_out.aShr(value, m_out.constInt32(31));
1898             LValue result = m_out.bitXor(mask, m_out.add(mask, value));
1899
1900             if (shouldCheckOverflow(m_node->arithMode()))
1901                 speculate(Overflow, noValue(), 0, m_out.lessThan(result, m_out.int32Zero));
1902
1903             setInt32(result);
1904             break;
1905         }
1906             
1907         case DoubleRepUse: {
1908             setDouble(m_out.doubleAbs(lowDouble(m_node->child1())));
1909             break;
1910         }
1911             
1912         default:
1913             DFG_CRASH(m_graph, m_node, "Bad use kind");
1914             break;
1915         }
1916     }
1917
1918     void compileArithSin() { setDouble(m_out.doubleSin(lowDouble(m_node->child1()))); }
1919
1920     void compileArithCos() { setDouble(m_out.doubleCos(lowDouble(m_node->child1()))); }
1921
1922     void compileArithPow()
1923     {
1924         if (m_node->child2().useKind() == Int32Use)
1925             setDouble(m_out.doublePowi(lowDouble(m_node->child1()), lowInt32(m_node->child2())));
1926         else {
1927             LValue base = lowDouble(m_node->child1());
1928             LValue exponent = lowDouble(m_node->child2());
1929
1930             LBasicBlock integerExponentIsSmallBlock = m_out.newBlock();
1931             LBasicBlock integerExponentPowBlock = m_out.newBlock();
1932             LBasicBlock doubleExponentPowBlockEntry = m_out.newBlock();
1933             LBasicBlock nanExceptionBaseIsOne = m_out.newBlock();
1934             LBasicBlock nanExceptionExponentIsInfinity = m_out.newBlock();
1935             LBasicBlock testExponentIsOneHalf = m_out.newBlock();
1936             LBasicBlock handleBaseZeroExponentIsOneHalf = m_out.newBlock();
1937             LBasicBlock handleInfinityForExponentIsOneHalf = m_out.newBlock();
1938             LBasicBlock exponentIsOneHalfNormal = m_out.newBlock();
1939             LBasicBlock exponentIsOneHalfInfinity = m_out.newBlock();
1940             LBasicBlock testExponentIsNegativeOneHalf = m_out.newBlock();
1941             LBasicBlock testBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
1942             LBasicBlock handleBaseZeroExponentIsNegativeOneHalf = m_out.newBlock();
1943             LBasicBlock handleInfinityForExponentIsNegativeOneHalf = m_out.newBlock();
1944             LBasicBlock exponentIsNegativeOneHalfNormal = m_out.newBlock();
1945             LBasicBlock exponentIsNegativeOneHalfInfinity = m_out.newBlock();
1946             LBasicBlock powBlock = m_out.newBlock();
1947             LBasicBlock nanExceptionResultIsNaN = m_out.newBlock();
1948             LBasicBlock continuation = m_out.newBlock();
1949
1950             LValue integerExponent = m_out.doubleToInt(exponent);
1951             LValue integerExponentConvertedToDouble = m_out.intToDouble(integerExponent);
1952             LValue exponentIsInteger = m_out.doubleEqual(exponent, integerExponentConvertedToDouble);
1953             m_out.branch(exponentIsInteger, unsure(integerExponentIsSmallBlock), unsure(doubleExponentPowBlockEntry));
1954
1955             LBasicBlock lastNext = m_out.appendTo(integerExponentIsSmallBlock, integerExponentPowBlock);
1956             LValue integerExponentBelowMax = m_out.belowOrEqual(integerExponent, m_out.constInt32(maxExponentForIntegerMathPow));
1957             m_out.branch(integerExponentBelowMax, usually(integerExponentPowBlock), rarely(doubleExponentPowBlockEntry));
1958
1959             m_out.appendTo(integerExponentPowBlock, doubleExponentPowBlockEntry);
1960             ValueFromBlock powDoubleIntResult = m_out.anchor(m_out.doublePowi(base, integerExponent));
1961             m_out.jump(continuation);
1962
1963             // If y is NaN, the result is NaN.
1964             m_out.appendTo(doubleExponentPowBlockEntry, nanExceptionBaseIsOne);
1965             LValue exponentIsNaN;
1966             if (provenType(m_node->child2()) & SpecDoubleNaN)
1967                 exponentIsNaN = m_out.doubleNotEqualOrUnordered(exponent, exponent);
1968             else
1969                 exponentIsNaN = m_out.booleanFalse;
1970             m_out.branch(exponentIsNaN, rarely(nanExceptionResultIsNaN), usually(nanExceptionBaseIsOne));
1971
1972             // If abs(x) is 1 and y is +infinity, the result is NaN.
1973             // If abs(x) is 1 and y is -infinity, the result is NaN.
1974
1975             //     Test if base == 1.
1976             m_out.appendTo(nanExceptionBaseIsOne, nanExceptionExponentIsInfinity);
1977             LValue absoluteBase = m_out.doubleAbs(base);
1978             LValue absoluteBaseIsOne = m_out.doubleEqual(absoluteBase, m_out.constDouble(1));
1979             m_out.branch(absoluteBaseIsOne, rarely(nanExceptionExponentIsInfinity), usually(testExponentIsOneHalf));
1980
1981             //     Test if abs(y) == Infinity.
1982             m_out.appendTo(nanExceptionExponentIsInfinity, testExponentIsOneHalf);
1983             LValue absoluteExponent = m_out.doubleAbs(exponent);
1984             LValue absoluteExponentIsInfinity = m_out.doubleEqual(absoluteExponent, m_out.constDouble(std::numeric_limits<double>::infinity()));
1985             m_out.branch(absoluteExponentIsInfinity, rarely(nanExceptionResultIsNaN), usually(testExponentIsOneHalf));
1986
1987             // If y == 0.5 or y == -0.5, handle it through SQRT.
1988             // We have be carefuly with -0 and -Infinity.
1989
1990             //     Test if y == 0.5
1991             m_out.appendTo(testExponentIsOneHalf, handleBaseZeroExponentIsOneHalf);
1992             LValue exponentIsOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(0.5));
1993             m_out.branch(exponentIsOneHalf, rarely(handleBaseZeroExponentIsOneHalf), usually(testExponentIsNegativeOneHalf));
1994
1995             //     Handle x == -0.
1996             m_out.appendTo(handleBaseZeroExponentIsOneHalf, handleInfinityForExponentIsOneHalf);
1997             LValue baseIsZeroExponentIsOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
1998             ValueFromBlock zeroResultExponentIsOneHalf = m_out.anchor(m_out.doubleZero);
1999             m_out.branch(baseIsZeroExponentIsOneHalf, rarely(continuation), usually(handleInfinityForExponentIsOneHalf));
2000
2001             //     Test if abs(x) == Infinity.
2002             m_out.appendTo(handleInfinityForExponentIsOneHalf, exponentIsOneHalfNormal);
2003             LValue absoluteBaseIsInfinityOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2004             m_out.branch(absoluteBaseIsInfinityOneHalf, rarely(exponentIsOneHalfInfinity), usually(exponentIsOneHalfNormal));
2005
2006             //     The exponent is 0.5, the base is finite or NaN, we can use SQRT.
2007             m_out.appendTo(exponentIsOneHalfNormal, exponentIsOneHalfInfinity);
2008             ValueFromBlock sqrtResult = m_out.anchor(m_out.doubleSqrt(base));
2009             m_out.jump(continuation);
2010
2011             //     The exponent is 0.5, the base is infinite, the result is always infinite.
2012             m_out.appendTo(exponentIsOneHalfInfinity, testExponentIsNegativeOneHalf);
2013             ValueFromBlock sqrtInfinityResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2014             m_out.jump(continuation);
2015
2016             //     Test if y == -0.5
2017             m_out.appendTo(testExponentIsNegativeOneHalf, testBaseZeroExponentIsNegativeOneHalf);
2018             LValue exponentIsNegativeOneHalf = m_out.doubleEqual(exponent, m_out.constDouble(-0.5));
2019             m_out.branch(exponentIsNegativeOneHalf, rarely(testBaseZeroExponentIsNegativeOneHalf), usually(powBlock));
2020
2021             //     Handle x == -0.
2022             m_out.appendTo(testBaseZeroExponentIsNegativeOneHalf, handleBaseZeroExponentIsNegativeOneHalf);
2023             LValue baseIsZeroExponentIsNegativeOneHalf = m_out.doubleEqual(base, m_out.doubleZero);
2024             m_out.branch(baseIsZeroExponentIsNegativeOneHalf, rarely(handleBaseZeroExponentIsNegativeOneHalf), usually(handleInfinityForExponentIsNegativeOneHalf));
2025
2026             m_out.appendTo(handleBaseZeroExponentIsNegativeOneHalf, handleInfinityForExponentIsNegativeOneHalf);
2027             ValueFromBlock oneOverSqrtZeroResult = m_out.anchor(m_out.constDouble(std::numeric_limits<double>::infinity()));
2028             m_out.jump(continuation);
2029
2030             //     Test if abs(x) == Infinity.
2031             m_out.appendTo(handleInfinityForExponentIsNegativeOneHalf, exponentIsNegativeOneHalfNormal);
2032             LValue absoluteBaseIsInfinityNegativeOneHalf = m_out.doubleEqual(absoluteBase, m_out.constDouble(std::numeric_limits<double>::infinity()));
2033             m_out.branch(absoluteBaseIsInfinityNegativeOneHalf, rarely(exponentIsNegativeOneHalfInfinity), usually(exponentIsNegativeOneHalfNormal));
2034
2035             //     The exponent is -0.5, the base is finite or NaN, we can use 1/SQRT.
2036             m_out.appendTo(exponentIsNegativeOneHalfNormal, exponentIsNegativeOneHalfInfinity);
2037             LValue sqrtBase = m_out.doubleSqrt(base);
2038             ValueFromBlock oneOverSqrtResult = m_out.anchor(m_out.div(m_out.constDouble(1.), sqrtBase));
2039             m_out.jump(continuation);
2040
2041             //     The exponent is -0.5, the base is infinite, the result is always zero.
2042             m_out.appendTo(exponentIsNegativeOneHalfInfinity, powBlock);
2043             ValueFromBlock oneOverSqrtInfinityResult = m_out.anchor(m_out.doubleZero);
2044             m_out.jump(continuation);
2045
2046             m_out.appendTo(powBlock, nanExceptionResultIsNaN);
2047             ValueFromBlock powResult = m_out.anchor(m_out.doublePow(base, exponent));
2048             m_out.jump(continuation);
2049
2050             m_out.appendTo(nanExceptionResultIsNaN, continuation);
2051             ValueFromBlock pureNan = m_out.anchor(m_out.constDouble(PNaN));
2052             m_out.jump(continuation);
2053
2054             m_out.appendTo(continuation, lastNext);
2055             setDouble(m_out.phi(Double, powDoubleIntResult, zeroResultExponentIsOneHalf, sqrtResult, sqrtInfinityResult, oneOverSqrtZeroResult, oneOverSqrtResult, oneOverSqrtInfinityResult, powResult, pureNan));
2056         }
2057     }
2058
2059     void compileArithRandom()
2060     {
2061         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
2062
2063         // Inlined WeakRandom::advance().
2064         // uint64_t x = m_low;
2065         void* lowAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::lowOffset();
2066         LValue low = m_out.load64(m_out.absolute(lowAddress));
2067         // uint64_t y = m_high;
2068         void* highAddress = reinterpret_cast<uint8_t*>(globalObject) + JSGlobalObject::weakRandomOffset() + WeakRandom::highOffset();
2069         LValue high = m_out.load64(m_out.absolute(highAddress));
2070         // m_low = y;
2071         m_out.store64(high, m_out.absolute(lowAddress));
2072
2073         // x ^= x << 23;
2074         LValue phase1 = m_out.bitXor(m_out.shl(low, m_out.constInt64(23)), low);
2075
2076         // x ^= x >> 17;
2077         LValue phase2 = m_out.bitXor(m_out.lShr(phase1, m_out.constInt64(17)), phase1);
2078
2079         // x ^= y ^ (y >> 26);
2080         LValue phase3 = m_out.bitXor(m_out.bitXor(high, m_out.lShr(high, m_out.constInt64(26))), phase2);
2081
2082         // m_high = x;
2083         m_out.store64(phase3, m_out.absolute(highAddress));
2084
2085         // return x + y;
2086         LValue random64 = m_out.add(phase3, high);
2087
2088         // Extract random 53bit. [0, 53] bit is safe integer number ranges in double representation.
2089         LValue random53 = m_out.bitAnd(random64, m_out.constInt64((1ULL << 53) - 1));
2090
2091         LValue double53Integer = m_out.intToDouble(random53);
2092
2093         // Convert `(53bit double integer value) / (1 << 53)` to `(53bit double integer value) * (1.0 / (1 << 53))`.
2094         // In latter case, `1.0 / (1 << 53)` will become a double value represented as (mantissa = 0 & exp = 970, it means 1e-(2**54)).
2095         static const double scale = 1.0 / (1ULL << 53);
2096
2097         // Multiplying 1e-(2**54) with the double integer does not change anything of the mantissa part of the double integer.
2098         // It just reduces the exp part of the given 53bit double integer.
2099         // (Except for 0.0. This is specially handled and in this case, exp just becomes 0.)
2100         // Now we get 53bit precision random double value in [0, 1).
2101         LValue result = m_out.doubleMul(double53Integer, m_out.constDouble(scale));
2102
2103         setDouble(result);
2104     }
2105
2106     void compileArithRound()
2107     {
2108         LValue result = nullptr;
2109
2110         if (producesInteger(m_node->arithRoundingMode()) && !shouldCheckNegativeZero(m_node->arithRoundingMode())) {
2111             LValue value = lowDouble(m_node->child1());
2112             result = m_out.doubleFloor(m_out.doubleAdd(value, m_out.constDouble(0.5)));
2113         } else {
2114             LBasicBlock realPartIsMoreThanHalf = m_out.newBlock();
2115             LBasicBlock continuation = m_out.newBlock();
2116
2117             LValue value = lowDouble(m_node->child1());
2118             LValue integerValue = m_out.doubleCeil(value);
2119             ValueFromBlock integerValueResult = m_out.anchor(integerValue);
2120
2121             LValue realPart = m_out.doubleSub(integerValue, value);
2122
2123             m_out.branch(m_out.doubleGreaterThanOrUnordered(realPart, m_out.constDouble(0.5)), unsure(realPartIsMoreThanHalf), unsure(continuation));
2124
2125             LBasicBlock lastNext = m_out.appendTo(realPartIsMoreThanHalf, continuation);
2126             LValue integerValueRoundedDown = m_out.doubleSub(integerValue, m_out.constDouble(1));
2127             ValueFromBlock integerValueRoundedDownResult = m_out.anchor(integerValueRoundedDown);
2128             m_out.jump(continuation);
2129             m_out.appendTo(continuation, lastNext);
2130
2131             result = m_out.phi(Double, integerValueResult, integerValueRoundedDownResult);
2132         }
2133
2134         if (producesInteger(m_node->arithRoundingMode())) {
2135             LValue integerValue = convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode()));
2136             setInt32(integerValue);
2137         } else
2138             setDouble(result);
2139     }
2140
2141     void compileArithFloor()
2142     {
2143         LValue value = lowDouble(m_node->child1());
2144         LValue integerValue = m_out.doubleFloor(value);
2145         if (producesInteger(m_node->arithRoundingMode()))
2146             setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2147         else
2148             setDouble(integerValue);
2149     }
2150
2151     void compileArithCeil()
2152     {
2153         LValue value = lowDouble(m_node->child1());
2154         LValue integerValue = m_out.doubleCeil(value);
2155         if (producesInteger(m_node->arithRoundingMode()))
2156             setInt32(convertDoubleToInt32(integerValue, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2157         else
2158             setDouble(integerValue);
2159     }
2160
2161     void compileArithTrunc()
2162     {
2163         LValue value = lowDouble(m_node->child1());
2164         LValue result = m_out.doubleTrunc(value);
2165         if (producesInteger(m_node->arithRoundingMode()))
2166             setInt32(convertDoubleToInt32(result, shouldCheckNegativeZero(m_node->arithRoundingMode())));
2167         else
2168             setDouble(result);
2169     }
2170
2171     void compileArithSqrt() { setDouble(m_out.doubleSqrt(lowDouble(m_node->child1()))); }
2172
2173     void compileArithLog() { setDouble(m_out.doubleLog(lowDouble(m_node->child1()))); }
2174     
2175     void compileArithFRound()
2176     {
2177         setDouble(m_out.fround(lowDouble(m_node->child1())));
2178     }
2179     
2180     void compileArithNegate()
2181     {
2182         switch (m_node->child1().useKind()) {
2183         case Int32Use: {
2184             LValue value = lowInt32(m_node->child1());
2185             
2186             LValue result;
2187             if (!shouldCheckOverflow(m_node->arithMode()))
2188                 result = m_out.neg(value);
2189             else if (!shouldCheckNegativeZero(m_node->arithMode())) {
2190                 CheckValue* check = m_out.speculateSub(m_out.int32Zero, value);
2191                 blessSpeculation(check, Overflow, noValue(), nullptr, m_origin);
2192                 result = check;
2193             } else {
2194                 speculate(Overflow, noValue(), 0, m_out.testIsZero32(value, m_out.constInt32(0x7fffffff)));
2195                 result = m_out.neg(value);
2196             }
2197
2198             setInt32(result);
2199             break;
2200         }
2201             
2202         case Int52RepUse: {
2203             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)) {
2204                 Int52Kind kind;
2205                 LValue value = lowWhicheverInt52(m_node->child1(), kind);
2206                 LValue result = m_out.neg(value);
2207                 if (shouldCheckNegativeZero(m_node->arithMode()))
2208                     speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
2209                 setInt52(result, kind);
2210                 break;
2211             }
2212             
2213             LValue value = lowInt52(m_node->child1());
2214             CheckValue* result = m_out.speculateSub(m_out.int64Zero, value);
2215             blessSpeculation(result, Int52Overflow, noValue(), nullptr, m_origin);
2216             speculate(NegativeZero, noValue(), 0, m_out.isZero64(result));
2217             setInt52(result);
2218             break;
2219         }
2220             
2221         case DoubleRepUse: {
2222             setDouble(m_out.doubleNeg(lowDouble(m_node->child1())));
2223             break;
2224         }
2225             
2226         default:
2227             DFG_CRASH(m_graph, m_node, "Bad use kind");
2228             break;
2229         }
2230     }
2231     
2232     void compileBitAnd()
2233     {
2234         if (m_node->isBinaryUseKind(UntypedUse)) {
2235             emitBinaryBitOpSnippet<JITBitAndGenerator>(operationValueBitAnd);
2236             return;
2237         }
2238         setInt32(m_out.bitAnd(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2239     }
2240     
2241     void compileBitOr()
2242     {
2243         if (m_node->isBinaryUseKind(UntypedUse)) {
2244             emitBinaryBitOpSnippet<JITBitOrGenerator>(operationValueBitOr);
2245             return;
2246         }
2247         setInt32(m_out.bitOr(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2248     }
2249     
2250     void compileBitXor()
2251     {
2252         if (m_node->isBinaryUseKind(UntypedUse)) {
2253             emitBinaryBitOpSnippet<JITBitXorGenerator>(operationValueBitXor);
2254             return;
2255         }
2256         setInt32(m_out.bitXor(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2257     }
2258     
2259     void compileBitRShift()
2260     {
2261         if (m_node->isBinaryUseKind(UntypedUse)) {
2262             emitRightShiftSnippet(JITRightShiftGenerator::SignedShift);
2263             return;
2264         }
2265         setInt32(m_out.aShr(
2266             lowInt32(m_node->child1()),
2267             m_out.bitAnd(lowInt32(m_node->child2()), m_out.constInt32(31))));
2268     }
2269     
2270     void compileBitLShift()
2271     {
2272         if (m_node->isBinaryUseKind(UntypedUse)) {
2273             emitBinaryBitOpSnippet<JITLeftShiftGenerator>(operationValueBitLShift);
2274             return;
2275         }
2276         setInt32(m_out.shl(
2277             lowInt32(m_node->child1()),
2278             m_out.bitAnd(lowInt32(m_node->child2()), m_out.constInt32(31))));
2279     }
2280     
2281     void compileBitURShift()
2282     {
2283         if (m_node->isBinaryUseKind(UntypedUse)) {
2284             emitRightShiftSnippet(JITRightShiftGenerator::UnsignedShift);
2285             return;
2286         }
2287         setInt32(m_out.lShr(
2288             lowInt32(m_node->child1()),
2289             m_out.bitAnd(lowInt32(m_node->child2()), m_out.constInt32(31))));
2290     }
2291     
2292     void compileUInt32ToNumber()
2293     {
2294         LValue value = lowInt32(m_node->child1());
2295
2296         if (doesOverflow(m_node->arithMode())) {
2297             setStrictInt52(m_out.zeroExtPtr(value));
2298             return;
2299         }
2300
2301         speculate(Overflow, noValue(), 0, m_out.lessThan(value, m_out.int32Zero));
2302         setInt32(value);
2303     }
2304     
2305     void compileCheckStructure()
2306     {
2307         ExitKind exitKind;
2308         if (m_node->child1()->hasConstant())
2309             exitKind = BadConstantCache;
2310         else
2311             exitKind = BadCache;
2312
2313         switch (m_node->child1().useKind()) {
2314         case CellUse:
2315         case KnownCellUse: {
2316             LValue cell = lowCell(m_node->child1());
2317             
2318             checkStructure(
2319                 m_out.load32(cell, m_heaps.JSCell_structureID), jsValueValue(cell),
2320                 exitKind, m_node->structureSet(),
2321                 [&] (Structure* structure) {
2322                     return weakStructureID(structure);
2323                 });
2324             return;
2325         }
2326
2327         case CellOrOtherUse: {
2328             LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
2329
2330             LBasicBlock cellCase = m_out.newBlock();
2331             LBasicBlock notCellCase = m_out.newBlock();
2332             LBasicBlock continuation = m_out.newBlock();
2333
2334             m_out.branch(
2335                 isCell(value, provenType(m_node->child1())), unsure(cellCase), unsure(notCellCase));
2336
2337             LBasicBlock lastNext = m_out.appendTo(cellCase, notCellCase);
2338             checkStructure(
2339                 m_out.load32(value, m_heaps.JSCell_structureID), jsValueValue(value),
2340                 exitKind, m_node->structureSet(),
2341                 [&] (Structure* structure) {
2342                     return weakStructureID(structure);
2343                 });
2344             m_out.jump(continuation);
2345
2346             m_out.appendTo(notCellCase, continuation);
2347             FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), SpecCell | SpecOther, isNotOther(value));
2348             m_out.jump(continuation);
2349
2350             m_out.appendTo(continuation, lastNext);
2351             return;
2352         }
2353
2354         default:
2355             DFG_CRASH(m_graph, m_node, "Bad use kind");
2356             return;
2357         }
2358     }
2359     
2360     void compileCheckCell()
2361     {
2362         LValue cell = lowCell(m_node->child1());
2363         
2364         speculate(
2365             BadCell, jsValueValue(cell), m_node->child1().node(),
2366             m_out.notEqual(cell, weakPointer(m_node->cellOperand()->cell())));
2367     }
2368     
2369     void compileCheckBadCell()
2370     {
2371         terminate(BadCell);
2372     }
2373
2374     void compileCheckNotEmpty()
2375     {
2376         speculate(TDZFailure, noValue(), nullptr, m_out.isZero64(lowJSValue(m_node->child1())));
2377     }
2378
2379     void compileCheckIdent()
2380     {
2381         UniquedStringImpl* uid = m_node->uidOperand();
2382         if (uid->isSymbol()) {
2383             LValue stringImpl = lowSymbolUID(m_node->child1());
2384             speculate(BadIdent, noValue(), nullptr, m_out.notEqual(stringImpl, m_out.constIntPtr(uid)));
2385         } else {
2386             LValue string = lowStringIdent(m_node->child1());
2387             LValue stringImpl = m_out.loadPtr(string, m_heaps.JSString_value);
2388             speculate(BadIdent, noValue(), nullptr, m_out.notEqual(stringImpl, m_out.constIntPtr(uid)));
2389         }
2390     }
2391
2392     void compileGetExecutable()
2393     {
2394         LValue cell = lowCell(m_node->child1());
2395         speculateFunction(m_node->child1(), cell);
2396         setJSValue(m_out.loadPtr(cell, m_heaps.JSFunction_executable));
2397     }
2398     
2399     void compileArrayifyToStructure()
2400     {
2401         LValue cell = lowCell(m_node->child1());
2402         LValue property = !!m_node->child2() ? lowInt32(m_node->child2()) : 0;
2403         
2404         LBasicBlock unexpectedStructure = m_out.newBlock();
2405         LBasicBlock continuation = m_out.newBlock();
2406         
2407         LValue structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
2408         
2409         m_out.branch(
2410             m_out.notEqual(structureID, weakStructureID(m_node->structure())),
2411             rarely(unexpectedStructure), usually(continuation));
2412         
2413         LBasicBlock lastNext = m_out.appendTo(unexpectedStructure, continuation);
2414         
2415         if (property) {
2416             switch (m_node->arrayMode().type()) {
2417             case Array::Int32:
2418             case Array::Double:
2419             case Array::Contiguous:
2420                 speculate(
2421                     Uncountable, noValue(), 0,
2422                     m_out.aboveOrEqual(property, m_out.constInt32(MIN_SPARSE_ARRAY_INDEX)));
2423                 break;
2424             default:
2425                 break;
2426             }
2427         }
2428         
2429         switch (m_node->arrayMode().type()) {
2430         case Array::Int32:
2431             vmCall(Void, m_out.operation(operationEnsureInt32), m_callFrame, cell);
2432             break;
2433         case Array::Double:
2434             vmCall(Void, m_out.operation(operationEnsureDouble), m_callFrame, cell);
2435             break;
2436         case Array::Contiguous:
2437             vmCall(Void, m_out.operation(operationEnsureContiguous), m_callFrame, cell);
2438             break;
2439         case Array::ArrayStorage:
2440         case Array::SlowPutArrayStorage:
2441             vmCall(Void, m_out.operation(operationEnsureArrayStorage), m_callFrame, cell);
2442             break;
2443         default:
2444             DFG_CRASH(m_graph, m_node, "Bad array type");
2445             break;
2446         }
2447         
2448         structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
2449         speculate(
2450             BadIndexingType, jsValueValue(cell), 0,
2451             m_out.notEqual(structureID, weakStructureID(m_node->structure())));
2452         m_out.jump(continuation);
2453         
2454         m_out.appendTo(continuation, lastNext);
2455     }
2456     
2457     void compilePutStructure()
2458     {
2459         m_ftlState.jitCode->common.notifyCompilingStructureTransition(m_graph.m_plan, codeBlock(), m_node);
2460
2461         Structure* oldStructure = m_node->transition()->previous;
2462         Structure* newStructure = m_node->transition()->next;
2463         ASSERT_UNUSED(oldStructure, oldStructure->indexingType() == newStructure->indexingType());
2464         ASSERT(oldStructure->typeInfo().inlineTypeFlags() == newStructure->typeInfo().inlineTypeFlags());
2465         ASSERT(oldStructure->typeInfo().type() == newStructure->typeInfo().type());
2466
2467         LValue cell = lowCell(m_node->child1()); 
2468         m_out.store32(
2469             weakStructureID(newStructure),
2470             cell, m_heaps.JSCell_structureID);
2471     }
2472     
2473     void compileGetById(AccessType type)
2474     {
2475         ASSERT(type == AccessType::Get || type == AccessType::GetPure);
2476         switch (m_node->child1().useKind()) {
2477         case CellUse: {
2478             setJSValue(getById(lowCell(m_node->child1()), type));
2479             return;
2480         }
2481             
2482         case UntypedUse: {
2483             // This is pretty weird, since we duplicate the slow path both here and in the
2484             // code generated by the IC. We should investigate making this less bad.
2485             // https://bugs.webkit.org/show_bug.cgi?id=127830
2486             LValue value = lowJSValue(m_node->child1());
2487             
2488             LBasicBlock cellCase = m_out.newBlock();
2489             LBasicBlock notCellCase = m_out.newBlock();
2490             LBasicBlock continuation = m_out.newBlock();
2491             
2492             m_out.branch(
2493                 isCell(value, provenType(m_node->child1())), unsure(cellCase), unsure(notCellCase));
2494             
2495             LBasicBlock lastNext = m_out.appendTo(cellCase, notCellCase);
2496             ValueFromBlock cellResult = m_out.anchor(getById(value, type));
2497             m_out.jump(continuation);
2498
2499             J_JITOperation_EJI getByIdFunction;
2500             if (type == AccessType::Get)
2501                 getByIdFunction = operationGetByIdGeneric;
2502             else
2503                 getByIdFunction = operationTryGetByIdGeneric;
2504
2505             m_out.appendTo(notCellCase, continuation);
2506             ValueFromBlock notCellResult = m_out.anchor(vmCall(
2507                 Int64, m_out.operation(getByIdFunction),
2508                 m_callFrame, value,
2509                 m_out.constIntPtr(m_graph.identifiers()[m_node->identifierNumber()])));
2510             m_out.jump(continuation);
2511             
2512             m_out.appendTo(continuation, lastNext);
2513             setJSValue(m_out.phi(Int64, cellResult, notCellResult));
2514             return;
2515         }
2516             
2517         default:
2518             DFG_CRASH(m_graph, m_node, "Bad use kind");
2519             return;
2520         }
2521     }
2522
2523     void compileGetByIdWithThis()
2524     {
2525         LValue base = lowJSValue(m_node->child1());
2526         LValue thisValue = lowJSValue(m_node->child2());
2527         LValue result = vmCall(Int64, m_out.operation(operationGetByIdWithThis), m_callFrame, base, thisValue, m_out.constIntPtr(m_graph.identifiers()[m_node->identifierNumber()]));
2528         setJSValue(result);
2529     }
2530
2531     void compileGetByValWithThis()
2532     {
2533         LValue base = lowJSValue(m_node->child1());
2534         LValue thisValue = lowJSValue(m_node->child2());
2535         LValue subscript = lowJSValue(m_node->child3());
2536
2537         LValue result = vmCall(Int64, m_out.operation(operationGetByValWithThis), m_callFrame, base, thisValue, subscript);
2538         setJSValue(result);
2539     }
2540
2541     void compilePutByIdWithThis()
2542     {
2543         LValue base = lowJSValue(m_node->child1());
2544         LValue thisValue = lowJSValue(m_node->child2());
2545         LValue value = lowJSValue(m_node->child3());
2546
2547         vmCall(Void, m_out.operation(m_graph.isStrictModeFor(m_node->origin.semantic) ? operationPutByIdWithThisStrict : operationPutByIdWithThis),
2548             m_callFrame, base, thisValue, value, m_out.constIntPtr(m_graph.identifiers()[m_node->identifierNumber()]));
2549     }
2550
2551     void compilePutByValWithThis()
2552     {
2553         LValue base = lowJSValue(m_graph.varArgChild(m_node, 0));
2554         LValue thisValue = lowJSValue(m_graph.varArgChild(m_node, 1));
2555         LValue property = lowJSValue(m_graph.varArgChild(m_node, 2));
2556         LValue value = lowJSValue(m_graph.varArgChild(m_node, 3));
2557
2558         vmCall(Void, m_out.operation(m_graph.isStrictModeFor(m_node->origin.semantic) ? operationPutByValWithThisStrict : operationPutByValWithThis),
2559             m_callFrame, base, thisValue, property, value);
2560     }
2561     
2562     void compilePutById()
2563     {
2564         Node* node = m_node;
2565         
2566         // See above; CellUse is easier so we do only that for now.
2567         ASSERT(node->child1().useKind() == CellUse);
2568
2569         LValue base = lowCell(node->child1());
2570         LValue value = lowJSValue(node->child2());
2571         auto uid = m_graph.identifiers()[node->identifierNumber()];
2572
2573         B3::PatchpointValue* patchpoint = m_out.patchpoint(Void);
2574         patchpoint->appendSomeRegister(base);
2575         patchpoint->appendSomeRegister(value);
2576         patchpoint->append(m_tagMask, ValueRep::reg(GPRInfo::tagMaskRegister));
2577         patchpoint->append(m_tagTypeNumber, ValueRep::reg(GPRInfo::tagTypeNumberRegister));
2578         patchpoint->clobber(RegisterSet::macroScratchRegisters());
2579
2580         // FIXME: If this is a PutByIdFlush, we might want to late-clobber volatile registers.
2581         // https://bugs.webkit.org/show_bug.cgi?id=152848
2582
2583         RefPtr<PatchpointExceptionHandle> exceptionHandle =
2584             preparePatchpointForExceptions(patchpoint);
2585
2586         State* state = &m_ftlState;
2587         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->ecmaMode();
2588         
2589         patchpoint->setGenerator(
2590             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
2591                 AllowMacroScratchRegisterUsage allowScratch(jit);
2592
2593                 CallSiteIndex callSiteIndex =
2594                     state->jitCode->common.addUniqueCallSiteIndex(node->origin.semantic);
2595
2596                 Box<CCallHelpers::JumpList> exceptions =
2597                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
2598
2599                 // JS setter call ICs generated by the PutById IC will need this.
2600                 exceptionHandle->scheduleExitCreationForUnwind(params, callSiteIndex);
2601
2602                 auto generator = Box<JITPutByIdGenerator>::create(
2603                     jit.codeBlock(), node->origin.semantic, callSiteIndex,
2604                     params.unavailableRegisters(), JSValueRegs(params[0].gpr()),
2605                     JSValueRegs(params[1].gpr()), GPRInfo::patchpointScratchRegister, ecmaMode,
2606                     node->op() == PutByIdDirect ? Direct : NotDirect);
2607
2608                 generator->generateFastPath(jit);
2609                 CCallHelpers::Label done = jit.label();
2610
2611                 params.addLatePath(
2612                     [=] (CCallHelpers& jit) {
2613                         AllowMacroScratchRegisterUsage allowScratch(jit);
2614
2615                         generator->slowPathJump().link(&jit);
2616                         CCallHelpers::Label slowPathBegin = jit.label();
2617                         CCallHelpers::Call slowPathCall = callOperation(
2618                             *state, params.unavailableRegisters(), jit, node->origin.semantic,
2619                             exceptions.get(), generator->slowPathFunction(), InvalidGPRReg,
2620                             CCallHelpers::TrustedImmPtr(generator->stubInfo()), params[1].gpr(),
2621                             params[0].gpr(), CCallHelpers::TrustedImmPtr(uid)).call();
2622                         jit.jump().linkTo(done, &jit);
2623
2624                         generator->reportSlowPathCall(slowPathBegin, slowPathCall);
2625
2626                         jit.addLinkTask(
2627                             [=] (LinkBuffer& linkBuffer) {
2628                                 generator->finalize(linkBuffer);
2629                             });
2630                     });
2631             });
2632     }
2633     
2634     void compileGetButterfly()
2635     {
2636         setStorage(m_out.loadPtr(lowCell(m_node->child1()), m_heaps.JSObject_butterfly));
2637     }
2638
2639     void compileConstantStoragePointer()
2640     {
2641         setStorage(m_out.constIntPtr(m_node->storagePointer()));
2642     }
2643     
2644     void compileGetIndexedPropertyStorage()
2645     {
2646         LValue cell = lowCell(m_node->child1());
2647         
2648         if (m_node->arrayMode().type() == Array::String) {
2649             LBasicBlock slowPath = m_out.newBlock();
2650             LBasicBlock continuation = m_out.newBlock();
2651
2652             LValue fastResultValue = m_out.loadPtr(cell, m_heaps.JSString_value);
2653             ValueFromBlock fastResult = m_out.anchor(fastResultValue);
2654             
2655             m_out.branch(
2656                 m_out.notNull(fastResultValue), usually(continuation), rarely(slowPath));
2657             
2658             LBasicBlock lastNext = m_out.appendTo(slowPath, continuation);
2659             
2660             ValueFromBlock slowResult = m_out.anchor(
2661                 vmCall(pointerType(), m_out.operation(operationResolveRope), m_callFrame, cell));
2662             
2663             m_out.jump(continuation);
2664             
2665             m_out.appendTo(continuation, lastNext);
2666             
2667             setStorage(m_out.loadPtr(m_out.phi(pointerType(), fastResult, slowResult), m_heaps.StringImpl_data));
2668             return;
2669         }
2670         
2671         setStorage(m_out.loadPtr(cell, m_heaps.JSArrayBufferView_vector));
2672     }
2673     
2674     void compileCheckArray()
2675     {
2676         Edge edge = m_node->child1();
2677         LValue cell = lowCell(edge);
2678         
2679         if (m_node->arrayMode().alreadyChecked(m_graph, m_node, abstractValue(edge)))
2680             return;
2681         
2682         speculate(
2683             BadIndexingType, jsValueValue(cell), 0,
2684             m_out.logicalNot(isArrayType(cell, m_node->arrayMode())));
2685     }
2686
2687     void compileGetTypedArrayByteOffset()
2688     {
2689         LValue basePtr = lowCell(m_node->child1());    
2690
2691         LBasicBlock simpleCase = m_out.newBlock();
2692         LBasicBlock wastefulCase = m_out.newBlock();
2693         LBasicBlock continuation = m_out.newBlock();
2694         
2695         LValue mode = m_out.load32(basePtr, m_heaps.JSArrayBufferView_mode);
2696         m_out.branch(
2697             m_out.notEqual(mode, m_out.constInt32(WastefulTypedArray)),
2698             unsure(simpleCase), unsure(wastefulCase));
2699
2700         LBasicBlock lastNext = m_out.appendTo(simpleCase, wastefulCase);
2701
2702         ValueFromBlock simpleOut = m_out.anchor(m_out.constIntPtr(0));
2703
2704         m_out.jump(continuation);
2705
2706         m_out.appendTo(wastefulCase, continuation);
2707
2708         LValue vectorPtr = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector);
2709         LValue butterflyPtr = m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly);
2710         LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer);
2711         LValue dataPtr = m_out.loadPtr(arrayBufferPtr, m_heaps.ArrayBuffer_data);
2712
2713         ValueFromBlock wastefulOut = m_out.anchor(m_out.sub(vectorPtr, dataPtr));
2714
2715         m_out.jump(continuation);
2716         m_out.appendTo(continuation, lastNext);
2717
2718         setInt32(m_out.castToInt32(m_out.phi(pointerType(), simpleOut, wastefulOut)));
2719     }
2720     
2721     void compileGetArrayLength()
2722     {
2723         switch (m_node->arrayMode().type()) {
2724         case Array::Int32:
2725         case Array::Double:
2726         case Array::Contiguous: {
2727             setInt32(m_out.load32NonNegative(lowStorage(m_node->child2()), m_heaps.Butterfly_publicLength));
2728             return;
2729         }
2730             
2731         case Array::String: {
2732             LValue string = lowCell(m_node->child1());
2733             setInt32(m_out.load32NonNegative(string, m_heaps.JSString_length));
2734             return;
2735         }
2736             
2737         case Array::DirectArguments: {
2738             LValue arguments = lowCell(m_node->child1());
2739             speculate(
2740                 ExoticObjectMode, noValue(), nullptr,
2741                 m_out.notNull(m_out.loadPtr(arguments, m_heaps.DirectArguments_overrides)));
2742             setInt32(m_out.load32NonNegative(arguments, m_heaps.DirectArguments_length));
2743             return;
2744         }
2745             
2746         case Array::ScopedArguments: {
2747             LValue arguments = lowCell(m_node->child1());
2748             speculate(
2749                 ExoticObjectMode, noValue(), nullptr,
2750                 m_out.notZero32(m_out.load8ZeroExt32(arguments, m_heaps.ScopedArguments_overrodeThings)));
2751             setInt32(m_out.load32NonNegative(arguments, m_heaps.ScopedArguments_totalLength));
2752             return;
2753         }
2754             
2755         default:
2756             if (m_node->arrayMode().isSomeTypedArrayView()) {
2757                 setInt32(
2758                     m_out.load32NonNegative(lowCell(m_node->child1()), m_heaps.JSArrayBufferView_length));
2759                 return;
2760             }
2761             
2762             DFG_CRASH(m_graph, m_node, "Bad array type");
2763             return;
2764         }
2765     }
2766     
2767     void compileCheckInBounds()
2768     {
2769         speculate(
2770             OutOfBounds, noValue(), 0,
2771             m_out.aboveOrEqual(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
2772     }
2773     
2774     void compileGetByVal()
2775     {
2776         switch (m_node->arrayMode().type()) {
2777         case Array::Int32:
2778         case Array::Contiguous: {
2779             LValue index = lowInt32(m_node->child2());
2780             LValue storage = lowStorage(m_node->child3());
2781             
2782             IndexedAbstractHeap& heap = m_node->arrayMode().type() == Array::Int32 ?
2783                 m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties;
2784             
2785             if (m_node->arrayMode().isInBounds()) {
2786                 LValue result = m_out.load64(baseIndex(heap, storage, index, m_node->child2()));
2787                 LValue isHole = m_out.isZero64(result);
2788                 if (m_node->arrayMode().isSaneChain()) {
2789                     DFG_ASSERT(
2790                         m_graph, m_node, m_node->arrayMode().type() == Array::Contiguous);
2791                     result = m_out.select(
2792                         isHole, m_out.constInt64(JSValue::encode(jsUndefined())), result);
2793                 } else
2794                     speculate(LoadFromHole, noValue(), 0, isHole);
2795                 setJSValue(result);
2796                 return;
2797             }
2798             
2799             LValue base = lowCell(m_node->child1());
2800             
2801             LBasicBlock fastCase = m_out.newBlock();
2802             LBasicBlock slowCase = m_out.newBlock();
2803             LBasicBlock continuation = m_out.newBlock();
2804             
2805             m_out.branch(
2806                 m_out.aboveOrEqual(
2807                     index, m_out.load32NonNegative(storage, m_heaps.Butterfly_publicLength)),
2808                 rarely(slowCase), usually(fastCase));
2809             
2810             LBasicBlock lastNext = m_out.appendTo(fastCase, slowCase);
2811
2812             LValue fastResultValue = m_out.load64(baseIndex(heap, storage, index, m_node->child2()));
2813             ValueFromBlock fastResult = m_out.anchor(fastResultValue);
2814             m_out.branch(
2815                 m_out.isZero64(fastResultValue), rarely(slowCase), usually(continuation));
2816             
2817             m_out.appendTo(slowCase, continuation);
2818             ValueFromBlock slowResult = m_out.anchor(
2819                 vmCall(Int64, m_out.operation(operationGetByValArrayInt), m_callFrame, base, index));
2820             m_out.jump(continuation);
2821             
2822             m_out.appendTo(continuation, lastNext);
2823             setJSValue(m_out.phi(Int64, fastResult, slowResult));
2824             return;
2825         }
2826             
2827         case Array::Double: {
2828             LValue index = lowInt32(m_node->child2());
2829             LValue storage = lowStorage(m_node->child3());
2830             
2831             IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties;
2832             
2833             if (m_node->arrayMode().isInBounds()) {
2834                 LValue result = m_out.loadDouble(
2835                     baseIndex(heap, storage, index, m_node->child2()));
2836                 
2837                 if (!m_node->arrayMode().isSaneChain()) {
2838                     speculate(
2839                         LoadFromHole, noValue(), 0,
2840                         m_out.doubleNotEqualOrUnordered(result, result));
2841                 }
2842                 setDouble(result);
2843                 break;
2844             }
2845             
2846             LValue base = lowCell(m_node->child1());
2847             
2848             LBasicBlock inBounds = m_out.newBlock();
2849             LBasicBlock boxPath = m_out.newBlock();
2850             LBasicBlock slowCase = m_out.newBlock();
2851             LBasicBlock continuation = m_out.newBlock();
2852             
2853             m_out.branch(
2854                 m_out.aboveOrEqual(
2855                     index, m_out.load32NonNegative(storage, m_heaps.Butterfly_publicLength)),
2856                 rarely(slowCase), usually(inBounds));
2857             
2858             LBasicBlock lastNext = m_out.appendTo(inBounds, boxPath);
2859             LValue doubleValue = m_out.loadDouble(
2860                 baseIndex(heap, storage, index, m_node->child2()));
2861             m_out.branch(
2862                 m_out.doubleNotEqualOrUnordered(doubleValue, doubleValue),
2863                 rarely(slowCase), usually(boxPath));
2864             
2865             m_out.appendTo(boxPath, slowCase);
2866             ValueFromBlock fastResult = m_out.anchor(boxDouble(doubleValue));
2867             m_out.jump(continuation);
2868             
2869             m_out.appendTo(slowCase, continuation);
2870             ValueFromBlock slowResult = m_out.anchor(
2871                 vmCall(Int64, m_out.operation(operationGetByValArrayInt), m_callFrame, base, index));
2872             m_out.jump(continuation);
2873             
2874             m_out.appendTo(continuation, lastNext);
2875             setJSValue(m_out.phi(Int64, fastResult, slowResult));
2876             return;
2877         }
2878
2879         case Array::Undecided: {
2880             LValue index = lowInt32(m_node->child2());
2881
2882             speculate(OutOfBounds, noValue(), m_node, m_out.lessThan(index, m_out.int32Zero));
2883             setJSValue(m_out.constInt64(ValueUndefined));
2884             return;
2885         }
2886             
2887         case Array::DirectArguments: {
2888             LValue base = lowCell(m_node->child1());
2889             LValue index = lowInt32(m_node->child2());
2890             
2891             speculate(
2892                 ExoticObjectMode, noValue(), nullptr,
2893                 m_out.notNull(m_out.loadPtr(base, m_heaps.DirectArguments_overrides)));
2894             speculate(
2895                 ExoticObjectMode, noValue(), nullptr,
2896                 m_out.aboveOrEqual(
2897                     index,
2898                     m_out.load32NonNegative(base, m_heaps.DirectArguments_length)));
2899
2900             TypedPointer address = m_out.baseIndex(
2901                 m_heaps.DirectArguments_storage, base, m_out.zeroExtPtr(index));
2902             setJSValue(m_out.load64(address));
2903             return;
2904         }
2905             
2906         case Array::ScopedArguments: {
2907             LValue base = lowCell(m_node->child1());
2908             LValue index = lowInt32(m_node->child2());
2909             
2910             speculate(
2911                 ExoticObjectMode, noValue(), nullptr,
2912                 m_out.aboveOrEqual(
2913                     index,
2914                     m_out.load32NonNegative(base, m_heaps.ScopedArguments_totalLength)));
2915             
2916             LValue table = m_out.loadPtr(base, m_heaps.ScopedArguments_table);
2917             LValue namedLength = m_out.load32(table, m_heaps.ScopedArgumentsTable_length);
2918             
2919             LBasicBlock namedCase = m_out.newBlock();
2920             LBasicBlock overflowCase = m_out.newBlock();
2921             LBasicBlock continuation = m_out.newBlock();
2922             
2923             m_out.branch(
2924                 m_out.aboveOrEqual(index, namedLength), unsure(overflowCase), unsure(namedCase));
2925             
2926             LBasicBlock lastNext = m_out.appendTo(namedCase, overflowCase);
2927             
2928             LValue scope = m_out.loadPtr(base, m_heaps.ScopedArguments_scope);
2929             LValue arguments = m_out.loadPtr(table, m_heaps.ScopedArgumentsTable_arguments);
2930             
2931             TypedPointer address = m_out.baseIndex(
2932                 m_heaps.scopedArgumentsTableArguments, arguments, m_out.zeroExtPtr(index));
2933             LValue scopeOffset = m_out.load32(address);
2934             
2935             speculate(
2936                 ExoticObjectMode, noValue(), nullptr,
2937                 m_out.equal(scopeOffset, m_out.constInt32(ScopeOffset::invalidOffset)));
2938             
2939             address = m_out.baseIndex(
2940                 m_heaps.JSEnvironmentRecord_variables, scope, m_out.zeroExtPtr(scopeOffset));
2941             ValueFromBlock namedResult = m_out.anchor(m_out.load64(address));
2942             m_out.jump(continuation);
2943             
2944             m_out.appendTo(overflowCase, continuation);
2945             
2946             address = m_out.baseIndex(
2947                 m_heaps.ScopedArguments_overflowStorage, base,
2948                 m_out.zeroExtPtr(m_out.sub(index, namedLength)));
2949             LValue overflowValue = m_out.load64(address);
2950             speculate(ExoticObjectMode, noValue(), nullptr, m_out.isZero64(overflowValue));
2951             ValueFromBlock overflowResult = m_out.anchor(overflowValue);
2952             m_out.jump(continuation);
2953             
2954             m_out.appendTo(continuation, lastNext);
2955             setJSValue(m_out.phi(Int64, namedResult, overflowResult));
2956             return;
2957         }
2958             
2959         case Array::Generic: {
2960             setJSValue(vmCall(
2961                 Int64, m_out.operation(operationGetByVal), m_callFrame,
2962                 lowJSValue(m_node->child1()), lowJSValue(m_node->child2())));
2963             return;
2964         }
2965             
2966         case Array::String: {
2967             compileStringCharAt();
2968             return;
2969         }
2970             
2971         default: {
2972             LValue index = lowInt32(m_node->child2());
2973             LValue storage = lowStorage(m_node->child3());
2974             
2975             TypedArrayType type = m_node->arrayMode().typedArrayType();
2976             
2977             if (isTypedView(type)) {
2978                 TypedPointer pointer = TypedPointer(
2979                     m_heaps.typedArrayProperties,
2980                     m_out.add(
2981                         storage,
2982                         m_out.shl(
2983                             m_out.zeroExtPtr(index),
2984                             m_out.constIntPtr(logElementSize(type)))));
2985                 
2986                 if (isInt(type)) {
2987                     LValue result;
2988                     switch (elementSize(type)) {
2989                     case 1:
2990                         result = isSigned(type) ? m_out.load8SignExt32(pointer) :  m_out.load8ZeroExt32(pointer);
2991                         break;
2992                     case 2:
2993                         result = isSigned(type) ? m_out.load16SignExt32(pointer) :  m_out.load16ZeroExt32(pointer);
2994                         break;
2995                     case 4:
2996                         result = m_out.load32(pointer);
2997                         break;
2998                     default:
2999                         DFG_CRASH(m_graph, m_node, "Bad element size");
3000                     }
3001                     
3002                     if (elementSize(type) < 4 || isSigned(type)) {
3003                         setInt32(result);
3004                         return;
3005                     }
3006
3007                     if (m_node->shouldSpeculateInt32()) {
3008                         speculate(
3009                             Overflow, noValue(), 0, m_out.lessThan(result, m_out.int32Zero));
3010                         setInt32(result);
3011                         return;
3012                     }
3013                     
3014                     if (m_node->shouldSpeculateAnyInt()) {
3015                         setStrictInt52(m_out.zeroExt(result, Int64));
3016                         return;
3017                     }
3018                     
3019                     setDouble(m_out.unsignedToDouble(result));
3020                     return;
3021                 }
3022             
3023                 ASSERT(isFloat(type));
3024                 
3025                 LValue result;
3026                 switch (type) {
3027                 case TypeFloat32:
3028                     result = m_out.floatToDouble(m_out.loadFloat(pointer));
3029                     break;
3030                 case TypeFloat64:
3031                     result = m_out.loadDouble(pointer);
3032                     break;
3033                 default:
3034                     DFG_CRASH(m_graph, m_node, "Bad typed array type");
3035                 }
3036                 
3037                 setDouble(result);
3038                 return;
3039             }
3040             
3041             DFG_CRASH(m_graph, m_node, "Bad array type");
3042             return;
3043         } }
3044     }
3045     
3046     void compileGetMyArgumentByVal()
3047     {
3048         InlineCallFrame* inlineCallFrame = m_node->child1()->origin.semantic.inlineCallFrame;
3049         
3050         LValue index = lowInt32(m_node->child2());
3051         
3052         LValue limit;
3053         if (inlineCallFrame && !inlineCallFrame->isVarargs())
3054             limit = m_out.constInt32(inlineCallFrame->arguments.size() - 1);
3055         else {
3056             VirtualRegister argumentCountRegister;
3057             if (!inlineCallFrame)
3058                 argumentCountRegister = VirtualRegister(CallFrameSlot::argumentCount);
3059             else
3060                 argumentCountRegister = inlineCallFrame->argumentCountRegister;
3061             limit = m_out.sub(m_out.load32(payloadFor(argumentCountRegister)), m_out.int32One);
3062         }
3063         
3064         LValue isOutOfBounds = m_out.aboveOrEqual(index, limit);
3065         LBasicBlock continuation = nullptr;
3066         LBasicBlock lastNext = nullptr;
3067         ValueFromBlock slowResult;
3068         if (m_node->op() == GetMyArgumentByValOutOfBounds) {
3069             LBasicBlock normalCase = m_out.newBlock();
3070             continuation = m_out.newBlock();
3071             
3072             slowResult = m_out.anchor(m_out.constInt64(JSValue::encode(jsUndefined())));
3073             m_out.branch(isOutOfBounds, unsure(continuation), unsure(normalCase));
3074             
3075             lastNext = m_out.appendTo(normalCase, continuation);
3076         } else
3077             speculate(ExoticObjectMode, noValue(), 0, isOutOfBounds);
3078         
3079         TypedPointer base;
3080         if (inlineCallFrame) {
3081             if (inlineCallFrame->arguments.size() > 1)
3082                 base = addressFor(inlineCallFrame->arguments[1].virtualRegister());
3083         } else
3084             base = addressFor(virtualRegisterForArgument(1));
3085         
3086         LValue result;
3087         if (base) {
3088             LValue pointer = m_out.baseIndex(
3089                 base.value(), m_out.zeroExt(index, pointerType()), ScaleEight);
3090             result = m_out.load64(TypedPointer(m_heaps.variables.atAnyIndex(), pointer));
3091         } else
3092             result = m_out.constInt64(JSValue::encode(jsUndefined()));
3093         
3094         if (m_node->op() == GetMyArgumentByValOutOfBounds) {
3095             ValueFromBlock normalResult = m_out.anchor(result);
3096             m_out.jump(continuation);
3097             
3098             m_out.appendTo(continuation, lastNext);
3099             result = m_out.phi(Int64, slowResult, normalResult);
3100         }
3101         
3102         setJSValue(result);
3103     }
3104     
3105     void compilePutByVal()
3106     {
3107         Edge child1 = m_graph.varArgChild(m_node, 0);
3108         Edge child2 = m_graph.varArgChild(m_node, 1);
3109         Edge child3 = m_graph.varArgChild(m_node, 2);
3110         Edge child4 = m_graph.varArgChild(m_node, 3);
3111         Edge child5 = m_graph.varArgChild(m_node, 4);
3112         
3113         switch (m_node->arrayMode().type()) {
3114         case Array::Generic: {
3115             V_JITOperation_EJJJ operation;
3116             if (m_node->op() == PutByValDirect) {
3117                 if (m_graph.isStrictModeFor(m_node->origin.semantic))
3118                     operation = operationPutByValDirectStrict;
3119                 else
3120                     operation = operationPutByValDirectNonStrict;
3121             } else {
3122                 if (m_graph.isStrictModeFor(m_node->origin.semantic))
3123                     operation = operationPutByValStrict;
3124                 else
3125                     operation = operationPutByValNonStrict;
3126             }
3127                 
3128             vmCall(
3129                 Void, m_out.operation(operation), m_callFrame,
3130                 lowJSValue(child1), lowJSValue(child2), lowJSValue(child3));
3131             return;
3132         }
3133             
3134         default:
3135             break;
3136         }
3137
3138         LValue base = lowCell(child1);
3139         LValue index = lowInt32(child2);
3140         LValue storage = lowStorage(child4);
3141         
3142         switch (m_node->arrayMode().type()) {
3143         case Array::Int32:
3144         case Array::Double:
3145         case Array::Contiguous: {
3146             LBasicBlock continuation = m_out.newBlock();
3147             LBasicBlock outerLastNext = m_out.appendTo(m_out.m_block, continuation);
3148             
3149             switch (m_node->arrayMode().type()) {
3150             case Array::Int32:
3151             case Array::Contiguous: {
3152                 LValue value = lowJSValue(child3, ManualOperandSpeculation);
3153                 
3154                 if (m_node->arrayMode().type() == Array::Int32)
3155                     FTL_TYPE_CHECK(jsValueValue(value), child3, SpecInt32Only, isNotInt32(value));
3156                 
3157                 TypedPointer elementPointer = m_out.baseIndex(
3158                     m_node->arrayMode().type() == Array::Int32 ?
3159                     m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties,
3160                     storage, m_out.zeroExtPtr(index), provenValue(child2));
3161                 
3162                 if (m_node->op() == PutByValAlias) {
3163                     m_out.store64(value, elementPointer);
3164                     break;
3165                 }
3166                 
3167                 contiguousPutByValOutOfBounds(
3168                     codeBlock()->isStrictMode()
3169                     ? operationPutByValBeyondArrayBoundsStrict
3170                     : operationPutByValBeyondArrayBoundsNonStrict,
3171                     base, storage, index, value, continuation);
3172                 
3173                 m_out.store64(value, elementPointer);
3174                 break;
3175             }
3176                 
3177             case Array::Double: {
3178                 LValue value = lowDouble(child3);
3179                 
3180                 FTL_TYPE_CHECK(
3181                     doubleValue(value), child3, SpecDoubleReal,
3182                     m_out.doubleNotEqualOrUnordered(value, value));
3183                 
3184                 TypedPointer elementPointer = m_out.baseIndex(
3185                     m_heaps.indexedDoubleProperties, storage, m_out.zeroExtPtr(index),
3186                     provenValue(child2));
3187                 
3188                 if (m_node->op() == PutByValAlias) {
3189                     m_out.storeDouble(value, elementPointer);
3190                     break;
3191                 }
3192                 
3193                 contiguousPutByValOutOfBounds(
3194                     codeBlock()->isStrictMode()
3195                     ? operationPutDoubleByValBeyondArrayBoundsStrict
3196                     : operationPutDoubleByValBeyondArrayBoundsNonStrict,
3197                     base, storage, index, value, continuation);
3198                 
3199                 m_out.storeDouble(value, elementPointer);
3200                 break;
3201             }
3202                 
3203             default:
3204                 DFG_CRASH(m_graph, m_node, "Bad array type");
3205             }
3206
3207             m_out.jump(continuation);
3208             m_out.appendTo(continuation, outerLastNext);
3209             return;
3210         }
3211             
3212         default:
3213             TypedArrayType type = m_node->arrayMode().typedArrayType();
3214             
3215             if (isTypedView(type)) {
3216                 TypedPointer pointer = TypedPointer(
3217                     m_heaps.typedArrayProperties,
3218                     m_out.add(
3219                         storage,
3220                         m_out.shl(
3221                             m_out.zeroExt(index, pointerType()),
3222                             m_out.constIntPtr(logElementSize(type)))));
3223                 
3224                 Output::StoreType storeType;
3225                 LValue valueToStore;
3226                 
3227                 if (isInt(type)) {
3228                     LValue intValue;
3229                     switch (child3.useKind()) {
3230                     case Int52RepUse:
3231                     case Int32Use: {
3232                         if (child3.useKind() == Int32Use)
3233                             intValue = lowInt32(child3);
3234                         else
3235                             intValue = m_out.castToInt32(lowStrictInt52(child3));
3236
3237                         if (isClamped(type)) {
3238                             ASSERT(elementSize(type) == 1);
3239                             
3240                             LBasicBlock atLeastZero = m_out.newBlock();
3241                             LBasicBlock continuation = m_out.newBlock();
3242                             
3243                             Vector<ValueFromBlock, 2> intValues;
3244                             intValues.append(m_out.anchor(m_out.int32Zero));
3245                             m_out.branch(
3246                                 m_out.lessThan(intValue, m_out.int32Zero),
3247                                 unsure(continuation), unsure(atLeastZero));
3248                             
3249                             LBasicBlock lastNext = m_out.appendTo(atLeastZero, continuation);
3250                             
3251                             intValues.append(m_out.anchor(m_out.select(
3252                                 m_out.greaterThan(intValue, m_out.constInt32(255)),
3253                                 m_out.constInt32(255),
3254                                 intValue)));
3255                             m_out.jump(continuation);
3256                             
3257                             m_out.appendTo(continuation, lastNext);
3258                             intValue = m_out.phi(Int32, intValues);
3259                         }
3260                         break;
3261                     }
3262                         
3263                     case DoubleRepUse: {
3264                         LValue doubleValue = lowDouble(child3);
3265                         
3266                         if (isClamped(type)) {
3267                             ASSERT(elementSize(type) == 1);
3268                             
3269                             LBasicBlock atLeastZero = m_out.newBlock();
3270                             LBasicBlock withinRange = m_out.newBlock();
3271                             LBasicBlock continuation = m_out.newBlock();
3272                             
3273                             Vector<ValueFromBlock, 3> intValues;
3274                             intValues.append(m_out.anchor(m_out.int32Zero));
3275                             m_out.branch(
3276                                 m_out.doubleLessThanOrUnordered(doubleValue, m_out.doubleZero),
3277                                 unsure(continuation), unsure(atLeastZero));
3278                             
3279                             LBasicBlock lastNext = m_out.appendTo(atLeastZero, withinRange);
3280                             intValues.append(m_out.anchor(m_out.constInt32(255)));
3281                             m_out.branch(
3282                                 m_out.doubleGreaterThan(doubleValue, m_out.constDouble(255)),
3283                                 unsure(continuation), unsure(withinRange));
3284                             
3285                             m_out.appendTo(withinRange, continuation);
3286                             intValues.append(m_out.anchor(m_out.doubleToInt(doubleValue)));
3287                             m_out.jump(continuation);
3288                             
3289                             m_out.appendTo(continuation, lastNext);
3290                             intValue = m_out.phi(Int32, intValues);
3291                         } else
3292                             intValue = doubleToInt32(doubleValue);
3293                         break;
3294                     }
3295                         
3296                     default:
3297                         DFG_CRASH(m_graph, m_node, "Bad use kind");
3298                     }
3299
3300                     valueToStore = intValue;
3301                     switch (elementSize(type)) {
3302                     case 1:
3303                         storeType = Output::Store32As8;
3304                         break;
3305                     case 2:
3306                         storeType = Output::Store32As16;
3307                         break;
3308                     case 4:
3309                         storeType = Output::Store32;
3310                         break;
3311                     default:
3312                         DFG_CRASH(m_graph, m_node, "Bad element size");
3313                     }
3314                 } else /* !isInt(type) */ {
3315                     LValue value = lowDouble(child3);
3316                     switch (type) {
3317                     case TypeFloat32:
3318                         valueToStore = m_out.doubleToFloat(value);
3319                         storeType = Output::StoreFloat;
3320                         break;
3321                     case TypeFloat64:
3322                         valueToStore = value;
3323                         storeType = Output::StoreDouble;
3324                         break;
3325                     default:
3326                         DFG_CRASH(m_graph, m_node, "Bad typed array type");
3327                     }
3328                 }
3329
3330                 if (m_node->arrayMode().isInBounds() || m_node->op() == PutByValAlias)
3331                     m_out.store(valueToStore, pointer, storeType);
3332                 else {
3333                     LBasicBlock isInBounds = m_out.newBlock();
3334                     LBasicBlock isOutOfBounds = m_out.newBlock();
3335                     LBasicBlock continuation = m_out.newBlock();
3336                     
3337                     m_out.branch(
3338                         m_out.aboveOrEqual(index, lowInt32(child5)),
3339                         unsure(isOutOfBounds), unsure(isInBounds));
3340                     
3341                     LBasicBlock lastNext = m_out.appendTo(isInBounds, isOutOfBounds);
3342                     m_out.store(valueToStore, pointer, storeType);
3343                     m_out.jump(continuation);
3344
3345                     m_out.appendTo(isOutOfBounds, continuation);
3346                     speculateTypedArrayIsNotNeutered(base);
3347                     m_out.jump(continuation);
3348                     
3349                     m_out.appendTo(continuation, lastNext);
3350                 }
3351                 
3352                 return;
3353             }
3354
3355             DFG_CRASH(m_graph, m_node, "Bad array type");
3356             break;
3357         }
3358     }
3359
3360     void compilePutAccessorById()
3361     {
3362         LValue base = lowCell(m_node->child1());
3363         LValue accessor = lowCell(m_node->child2());
3364         auto uid = m_graph.identifiers()[m_node->identifierNumber()];
3365         vmCall(
3366             Void,
3367             m_out.operation(m_node->op() == PutGetterById ? operationPutGetterById : operationPutSetterById),
3368             m_callFrame, base, m_out.constIntPtr(uid), m_out.constInt32(m_node->accessorAttributes()), accessor);
3369     }
3370
3371     void compilePutGetterSetterById()
3372     {
3373         LValue base = lowCell(m_node->child1());
3374         LValue getter = lowJSValue(m_node->child2());
3375         LValue setter = lowJSValue(m_node->child3());
3376         auto uid = m_graph.identifiers()[m_node->identifierNumber()];
3377         vmCall(
3378             Void, m_out.operation(operationPutGetterSetter),
3379             m_callFrame, base, m_out.constIntPtr(uid), m_out.constInt32(m_node->accessorAttributes()), getter, setter);
3380
3381     }
3382
3383     void compilePutAccessorByVal()
3384     {
3385         LValue base = lowCell(m_node->child1());
3386         LValue subscript = lowJSValue(m_node->child2());
3387         LValue accessor = lowCell(m_node->child3());
3388         vmCall(
3389             Void,
3390             m_out.operation(m_node->op() == PutGetterByVal ? operationPutGetterByVal : operationPutSetterByVal),
3391             m_callFrame, base, subscript, m_out.constInt32(m_node->accessorAttributes()), accessor);
3392     }
3393     
3394     void compileArrayPush()
3395     {
3396         LValue base = lowCell(m_node->child1());
3397         LValue storage = lowStorage(m_node->child3());
3398         
3399         switch (m_node->arrayMode().type()) {
3400         case Array::Int32:
3401         case Array::Contiguous:
3402         case Array::Double: {
3403             LValue value;
3404             Output::StoreType storeType;
3405             
3406             if (m_node->arrayMode().type() != Array::Double) {
3407                 value = lowJSValue(m_node->child2(), ManualOperandSpeculation);
3408                 if (m_node->arrayMode().type() == Array::Int32) {
3409                     FTL_TYPE_CHECK(
3410                         jsValueValue(value), m_node->child2(), SpecInt32Only, isNotInt32(value));
3411                 }
3412                 storeType = Output::Store64;
3413             } else {
3414                 value = lowDouble(m_node->child2());
3415                 FTL_TYPE_CHECK(
3416                     doubleValue(value), m_node->child2(), SpecDoubleReal,
3417                     m_out.doubleNotEqualOrUnordered(value, value));
3418                 storeType = Output::StoreDouble;
3419             }
3420             
3421             IndexedAbstractHeap& heap = m_heaps.forArrayType(m_node->arrayMode().type());
3422
3423             LValue prevLength = m_out.load32(storage, m_heaps.Butterfly_publicLength);
3424             
3425             LBasicBlock fastPath = m_out.newBlock();
3426             LBasicBlock slowPath = m_out.newBlock();
3427             LBasicBlock continuation = m_out.newBlock();
3428             
3429             m_out.branch(
3430                 m_out.aboveOrEqual(
3431                     prevLength, m_out.load32(storage, m_heaps.Butterfly_vectorLength)),
3432                 unsure(slowPath), unsure(fastPath));
3433             
3434             LBasicBlock lastNext = m_out.appendTo(fastPath, slowPath);
3435             m_out.store(
3436                 value, m_out.baseIndex(heap, storage, m_out.zeroExtPtr(prevLength)), storeType);
3437             LValue newLength = m_out.add(prevLength, m_out.int32One);
3438             m_out.store32(newLength, storage, m_heaps.Butterfly_publicLength);
3439             
3440             ValueFromBlock fastResult = m_out.anchor(boxInt32(newLength));
3441             m_out.jump(continuation);
3442             
3443             m_out.appendTo(slowPath, continuation);
3444             LValue operation;
3445             if (m_node->arrayMode().type() != Array::Double)
3446                 operation = m_out.operation(operationArrayPush);
3447             else
3448                 operation = m_out.operation(operationArrayPushDouble);
3449             ValueFromBlock slowResult = m_out.anchor(
3450                 vmCall(Int64, operation, m_callFrame, value, base));
3451             m_out.jump(continuation);
3452             
3453             m_out.appendTo(continuation, lastNext);
3454             setJSValue(m_out.phi(Int64, fastResult, slowResult));
3455             return;
3456         }
3457             
3458         default:
3459             DFG_CRASH(m_graph, m_node, "Bad array type");
3460             return;
3461         }
3462     }
3463     
3464     void compileArrayPop()
3465     {
3466         LValue base = lowCell(m_node->child1());
3467         LValue storage = lowStorage(m_node->child2());
3468         
3469         switch (m_node->arrayMode().type()) {
3470         case Array::Int32:
3471         case Array::Double:
3472         case Array::Contiguous: {
3473             IndexedAbstractHeap& heap = m_heaps.forArrayType(m_node->arrayMode().type());
3474             
3475             LBasicBlock fastCase = m_out.newBlock();
3476             LBasicBlock slowCase = m_out.newBlock();
3477             LBasicBlock continuation = m_out.newBlock();
3478             
3479             LValue prevLength = m_out.load32(storage, m_heaps.Butterfly_publicLength);
3480             
3481             Vector<ValueFromBlock, 3> results;
3482             results.append(m_out.anchor(m_out.constInt64(JSValue::encode(jsUndefined()))));
3483             m_out.branch(
3484                 m_out.isZero32(prevLength), rarely(continuation), usually(fastCase));
3485             
3486             LBasicBlock lastNext = m_out.appendTo(fastCase, slowCase);
3487             LValue newLength = m_out.sub(prevLength, m_out.int32One);
3488             m_out.store32(newLength, storage, m_heaps.Butterfly_publicLength);
3489             TypedPointer pointer = m_out.baseIndex(heap, storage, m_out.zeroExtPtr(newLength));
3490             if (m_node->arrayMode().type() != Array::Double) {
3491                 LValue result = m_out.load64(pointer);
3492                 m_out.store64(m_out.int64Zero, pointer);
3493                 results.append(m_out.anchor(result));
3494                 m_out.branch(
3495                     m_out.notZero64(result), usually(continuation), rarely(slowCase));
3496             } else {
3497                 LValue result = m_out.loadDouble(pointer);
3498                 m_out.store64(m_out.constInt64(bitwise_cast<int64_t>(PNaN)), pointer);
3499                 results.append(m_out.anchor(boxDouble(result)));
3500                 m_out.branch(
3501                     m_out.doubleEqual(result, result),
3502                     usually(continuation), rarely(slowCase));
3503             }
3504             
3505             m_out.appendTo(slowCase, continuation);
3506             results.append(m_out.anchor(vmCall(
3507                 Int64, m_out.operation(operationArrayPopAndRecoverLength), m_callFrame, base)));
3508             m_out.jump(continuation);
3509             
3510             m_out.appendTo(continuation, lastNext);
3511             setJSValue(m_out.phi(Int64, results));
3512             return;
3513         }
3514
3515         default:
3516             DFG_CRASH(m_graph, m_node, "Bad array type");
3517             return;
3518         }
3519     }
3520     
3521     void compileCreateActivation()
3522     {
3523         LValue scope = lowCell(m_node->child1());
3524         SymbolTable* table = m_node->castOperand<SymbolTable*>();
3525         Structure* structure = m_graph.globalObjectFor(m_node->origin.semantic)->activationStructure();
3526         JSValue initializationValue = m_node->initializationValueForActivation();
3527         ASSERT(initializationValue.isUndefined() || initializationValue == jsTDZValue());
3528         if (table->singletonScope()->isStillValid()) {
3529             LValue callResult = vmCall(
3530                 Int64,
3531                 m_out.operation(operationCreateActivationDirect), m_callFrame, weakPointer(structure),
3532                 scope, weakPointer(table), m_out.constInt64(JSValue::encode(initializationValue)));
3533             setJSValue(callResult);
3534             return;
3535         }
3536         
3537         LBasicBlock slowPath = m_out.newBlock();
3538         LBasicBlock continuation = m_out.newBlock();
3539         
3540         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
3541         
3542         LValue fastObject = allocateObject<JSLexicalEnvironment>(
3543             JSLexicalEnvironment::allocationSize(table), structure, m_out.intPtrZero, slowPath);
3544         
3545         // We don't need memory barriers since we just fast-created the activation, so the
3546         // activation must be young.
3547         m_out.storePtr(scope, fastObject, m_heaps.JSScope_next);
3548         m_out.storePtr(weakPointer(table), fastObject, m_heaps.JSSymbolTableObject_symbolTable);
3549         
3550         for (unsigned i = 0; i < table->scopeSize(); ++i) {
3551             m_out.store64(
3552                 m_out.constInt64(JSValue::encode(initializationValue)),
3553                 fastObject, m_heaps.JSEnvironmentRecord_variables[i]);
3554         }
3555         
3556         ValueFromBlock fastResult = m_out.anchor(fastObject);
3557         m_out.jump(continuation);
3558         
3559         m_out.appendTo(slowPath, continuation);
3560         LValue callResult = lazySlowPath(
3561             [=] (const Vector<Location>& locations) -> RefPtr<LazySlowPath::Generator> {
3562                 return createLazyCallGenerator(
3563                     operationCreateActivationDirect, locations[0].directGPR(),
3564                     CCallHelpers::TrustedImmPtr(structure), locations[1].directGPR(),
3565                     CCallHelpers::TrustedImmPtr(table),
3566                     CCallHelpers::TrustedImm64(JSValue::encode(initializationValue)));
3567             },
3568             scope);
3569         ValueFromBlock slowResult = m_out.anchor(callResult);
3570         m_out.jump(continuation);
3571         
3572         m_out.appendTo(continuation, lastNext);
3573         setJSValue(m_out.phi(pointerType(), fastResult, slowResult));
3574     }
3575     
3576     void compileNewFunction()
3577     {
3578         ASSERT(m_node->op() == NewFunction || m_node->op() == NewGeneratorFunction);
3579         bool isGeneratorFunction = m_node->op() == NewGeneratorFunction;
3580         
3581         LValue scope = lowCell(m_node->child1());
3582         
3583         FunctionExecutable* executable = m_node->castOperand<FunctionExecutable*>();
3584         if (executable->singletonFunction()->isStillValid()) {
3585             LValue callResult =
3586                 isGeneratorFunction ? vmCall(Int64, m_out.operation(operationNewGeneratorFunction), m_callFrame, scope, weakPointer(executable)) :
3587                 vmCall(Int64, m_out.operation(operationNewFunction), m_callFrame, scope, weakPointer(executable));
3588             setJSValue(callResult);
3589             return;
3590         }
3591         
3592         Structure* structure =
3593             isGeneratorFunction ? m_graph.globalObjectFor(m_node->origin.semantic)->generatorFunctionStructure() :
3594             m_graph.globalObjectFor(m_node->origin.semantic)->functionStructure();
3595         
3596         LBasicBlock slowPath = m_out.newBlock();
3597         LBasicBlock continuation = m_out.newBlock();
3598         
3599         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
3600         
3601         LValue fastObject =
3602             isGeneratorFunction ? allocateObject<JSGeneratorFunction>(structure, m_out.intPtrZero, slowPath) :
3603             allocateObject<JSFunction>(structure, m_out.intPtrZero, slowPath);
3604         
3605         
3606         // We don't need memory barriers since we just fast-created the function, so it
3607         // must be young.
3608         m_out.storePtr(scope, fastObject, m_heaps.JSFunction_scope);
3609         m_out.storePtr(weakPointer(executable), fastObject, m_heaps.JSFunction_executable);
3610         m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.JSFunction_rareData);
3611         
3612         ValueFromBlock fastResult = m_out.anchor(fastObject);
3613         m_out.jump(continuation);
3614         
3615         m_out.appendTo(slowPath, continuation);
3616
3617         Vector<LValue> slowPathArguments;
3618         slowPathArguments.append(scope);
3619         LValue callResult = lazySlowPath(
3620             [=] (const Vector<Location>& locations) -> RefPtr<LazySlowPath::Generator> {
3621                 if (isGeneratorFunction) {
3622                     return createLazyCallGenerator(
3623                         operationNewGeneratorFunctionWithInvalidatedReallocationWatchpoint,
3624                         locations[0].directGPR(), locations[1].directGPR(),
3625                         CCallHelpers::TrustedImmPtr(executable));
3626                 }
3627                 return createLazyCallGenerator(
3628                     operationNewFunctionWithInvalidatedReallocationWatchpoint,
3629                     locations[0].directGPR(), locations[1].directGPR(),
3630                     CCallHelpers::TrustedImmPtr(executable));
3631             },
3632             slowPathArguments);
3633         ValueFromBlock slowResult = m_out.anchor(callResult);
3634         m_out.jump(continuation);
3635         
3636         m_out.appendTo(continuation, lastNext);
3637         setJSValue(m_out.phi(pointerType(), fastResult, slowResult));
3638     }
3639     
3640     void compileCreateDirectArguments()
3641     {
3642         // FIXME: A more effective way of dealing with the argument count and callee is to have
3643         // them be explicit arguments to this node.
3644         // https://bugs.webkit.org/show_bug.cgi?id=142207
3645         
3646         Structure* structure =
3647             m_graph.globalObjectFor(m_node->origin.semantic)->directArgumentsStructure();
3648         
3649         unsigned minCapacity = m_graph.baselineCodeBlockFor(m_node->origin.semantic)->numParameters() - 1;
3650         
3651         LBasicBlock slowPath = m_out.newBlock();
3652         LBasicBlock continuation = m_out.newBlock();
3653         
3654         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
3655         
3656         ArgumentsLength length = getArgumentsLength();
3657         
3658         LValue fastObject;
3659         if (length.isKnown) {
3660             fastObject = allocateObject<DirectArguments>(
3661                 DirectArguments::allocationSize(std::max(length.known, minCapacity)), structure,
3662               &