dfg/DFGAbstractInterpreterInlines.h

   1 /*
   2  * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  * 1. Redistributions of source code must retain the above copyright
   8  *    notice, this list of conditions and the following disclaimer.
   9  * 2. Redistributions in binary form must reproduce the above copyright
  10  *    notice, this list of conditions and the following disclaimer in the
  11  *    documentation and/or other materials provided with the distribution.
  12  *
  13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
  14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
  17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  24  */
  25
  26 #ifndef DFGAbstractInterpreterInlines_h
  27 #define DFGAbstractInterpreterInlines_h
  28
  29 #if ENABLE(DFG_JIT)
  30
  31 #include "DFGAbstractInterpreter.h"
  32 #include "GetByIdStatus.h"
  33 #include "Operations.h"
  34 #include "PutByIdStatus.h"
  35 #include "StringObject.h"
  36
  37 namespace JSC { namespace DFG {
  38
  39 template<typename AbstractStateType>
  40 AbstractInterpreter<AbstractStateType>::AbstractInterpreter(Graph& graph, AbstractStateType& state)
  41     : m_codeBlock(graph.m_codeBlock)
  42     , m_graph(graph)
  43     , m_state(state)
  44 {
  45 }
  46
  47 template<typename AbstractStateType>
  48 AbstractInterpreter<AbstractStateType>::~AbstractInterpreter()
  49 {
  50 }
  51
  52 template<typename AbstractStateType>
  53 typename AbstractInterpreter<AbstractStateType>::BooleanResult
  54 AbstractInterpreter<AbstractStateType>::booleanResult(
  55     Node* node, AbstractValue& value)
  56 {
  57     JSValue childConst = value.value();
  58     if (childConst) {
  59         if (childConst.toBoolean(m_codeBlock->globalObjectFor(node->origin.semantic)->globalExec()))
  60             return DefinitelyTrue;
  61         return DefinitelyFalse;
  62     }
  63
  64     // Next check if we can fold because we know that the source is an object or string and does not equal undefined.
  65     if (isCellSpeculation(value.m_type)
  66         && value.m_currentKnownStructure.hasSingleton()) {
  67         Structure* structure = value.m_currentKnownStructure.singleton();
  68         if (!structure->masqueradesAsUndefined(m_codeBlock->globalObjectFor(node->origin.semantic))
  69             && structure->typeInfo().type() != StringType)
  70             return DefinitelyTrue;
  71     }
  72
  73     return UnknownBooleanResult;
  74 }
  75
  76 template<typename AbstractStateType>
  77 bool AbstractInterpreter<AbstractStateType>::startExecuting(Node* node)
  78 {
  79     ASSERT(m_state.block());
  80     ASSERT(m_state.isValid());
  81
  82     m_state.setDidClobber(false);
  83
  84     node->setCanExit(false);
  85
  86     return node->shouldGenerate();
  87 }
  88
  89 template<typename AbstractStateType>
  90 bool AbstractInterpreter<AbstractStateType>::startExecuting(unsigned indexInBlock)
  91 {
  92     return startExecuting(m_state.block()->at(indexInBlock));
  93 }
  94
  95 template<typename AbstractStateType>
  96 void AbstractInterpreter<AbstractStateType>::executeEdges(Node* node)
  97 {
  98     DFG_NODE_DO_TO_CHILDREN(m_graph, node, filterEdgeByUse);
  99 }
 100
 101 template<typename AbstractStateType>
 102 void AbstractInterpreter<AbstractStateType>::executeEdges(unsigned indexInBlock)
 103 {
 104     executeEdges(m_state.block()->at(indexInBlock));
 105 }
 106
 107 template<typename AbstractStateType>
 108 void AbstractInterpreter<AbstractStateType>::verifyEdge(Node*, Edge edge)
 109 {
 110     RELEASE_ASSERT(!(forNode(edge).m_type & ~typeFilterFor(edge.useKind())));
 111 }
 112
 113 template<typename AbstractStateType>
 114 void AbstractInterpreter<AbstractStateType>::verifyEdges(Node* node)
 115 {
 116     DFG_NODE_DO_TO_CHILDREN(m_graph, node, verifyEdge);
 117 }
 118
 119 template<typename AbstractStateType>
 120 bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimit, Node* node)
 121 {
 122     if (!ASSERT_DISABLED)
 123         verifyEdges(node);
 124
 125     m_state.createValueForNode(node);
 126
 127     switch (node->op()) {
 128     case JSConstant:
 129     case DoubleConstant:
 130     case Int52Constant:
 131     case WeakJSConstant:
 132     case PhantomArguments: {
 133         setBuiltInConstant(node, m_graph.valueOfJSConstant(node));
 134         break;
 135     }
 136
 137     case Identity: {
 138         forNode(node) = forNode(node->child1());
 139         break;
 140     }
 141
 142     case GetArgument: {
 143         ASSERT(m_graph.m_form == SSA);
 144         VariableAccessData* variable = node->variableAccessData();
 145         AbstractValue& value = m_state.variables().operand(variable->local().offset());
 146         ASSERT(value.isHeapTop());
 147         FiltrationResult result =
 148             value.filter(typeFilterFor(useKindFor(variable->flushFormat())));
 149         ASSERT_UNUSED(result, result == FiltrationOK);
 150         forNode(node) = value;
 151         break;
 152     }
 153
 154     case ExtractOSREntryLocal: {
 155         if (!(node->unlinkedLocal().isArgument())
 156             && m_graph.m_lazyVars.get(node->unlinkedLocal().toLocal())) {
 157             // This is kind of pessimistic - we could know in some cases that the
 158             // DFG code at the point of the OSR had already initialized the lazy
 159             // variable. But maybe this is fine, since we're inserting OSR
 160             // entrypoints very early in the pipeline - so any lazy initializations
 161             // ought to be hoisted out anyway.
 162             forNode(node).makeBytecodeTop();
 163         } else
 164             forNode(node).makeHeapTop();
 165         break;
 166     }
 167
 168     case GetLocal: {
 169         VariableAccessData* variableAccessData = node->variableAccessData();
 170         AbstractValue value = m_state.variables().operand(variableAccessData->local().offset());
 171         if (!variableAccessData->isCaptured()) {
 172             if (value.isClear())
 173                 node->setCanExit(true);
 174         }
 175         if (value.value())
 176             m_state.setFoundConstants(true);
 177         forNode(node) = value;
 178         break;
 179     }
 180
 181     case GetLocalUnlinked: {
 182         AbstractValue value = m_state.variables().operand(node->unlinkedLocal().offset());
 183         if (value.value())
 184             m_state.setFoundConstants(true);
 185         forNode(node) = value;
 186         break;
 187     }
 188
 189     case SetLocal: {
 190         m_state.variables().operand(node->local().offset()) = forNode(node->child1());
 191         break;
 192     }
 193
 194     case MovHint: {
 195         // Don't need to do anything. A MovHint only informs us about what would have happened
 196         // in bytecode, but this code is just concerned with what is actually happening during
 197         // DFG execution.
 198         break;
 199     }
 200
 201     case SetArgument:
 202         // Assert that the state of arguments has been set.
 203         ASSERT(!m_state.block()->valuesAtHead.operand(node->local()).isClear());
 204         break;
 205
 206     case BitAnd:
 207     case BitOr:
 208     case BitXor:
 209     case BitRShift:
 210     case BitLShift:
 211     case BitURShift: {
 212         JSValue left = forNode(node->child1()).value();
 213         JSValue right = forNode(node->child2()).value();
 214         if (left && right && left.isInt32() && right.isInt32()) {
 215             int32_t a = left.asInt32();
 216             int32_t b = right.asInt32();
 217             switch (node->op()) {
 218             case BitAnd:
 219                 setConstant(node, JSValue(a & b));
 220                 break;
 221             case BitOr:
 222                 setConstant(node, JSValue(a | b));
 223                 break;
 224             case BitXor:
 225                 setConstant(node, JSValue(a ^ b));
 226                 break;
 227             case BitRShift:
 228                 setConstant(node, JSValue(a >> static_cast<uint32_t>(b)));
 229                 break;
 230             case BitLShift:
 231                 setConstant(node, JSValue(a << static_cast<uint32_t>(b)));
 232                 break;
 233             case BitURShift:
 234                 setConstant(node, JSValue(static_cast<uint32_t>(a) >> static_cast<uint32_t>(b)));
 235                 break;
 236             default:
 237                 RELEASE_ASSERT_NOT_REACHED();
 238                 break;
 239             }
 240             break;
 241         }
 242         forNode(node).setType(SpecInt32);
 243         break;
 244     }
 245
 246     case UInt32ToNumber: {
 247         JSValue child = forNode(node->child1()).value();
 248         if (doesOverflow(node->arithMode())) {
 249             if (child && child.isInt32()) {
 250                 uint32_t value = child.asInt32();
 251                 setConstant(node, jsNumber(value));
 252                 break;
 253             }
 254             forNode(node).setType(SpecInt52AsDouble);
 255             break;
 256         }
 257         if (child && child.isInt32()) {
 258             int32_t value = child.asInt32();
 259             if (value >= 0) {
 260                 setConstant(node, jsNumber(value));
 261                 break;
 262             }
 263         }
 264         forNode(node).setType(SpecInt32);
 265         node->setCanExit(true);
 266         break;
 267     }
 268
 269     case BooleanToNumber: {
 270         JSValue concreteValue = forNode(node->child1()).value();
 271         if (concreteValue) {
 272             if (concreteValue.isBoolean())
 273                 setConstant(node, jsNumber(concreteValue.asBoolean()));
 274             else
 275                 setConstant(node, concreteValue);
 276             break;
 277         }
 278         AbstractValue& value = forNode(node);
 279         value = forNode(node->child1());
 280         if (node->child1().useKind() == UntypedUse && !(value.m_type & ~SpecBoolean))
 281             m_state.setFoundConstants(true);
 282         if (value.m_type & SpecBoolean) {
 283             value.merge(SpecInt32);
 284             value.filter(~SpecBoolean);
 285         }
 286         break;
 287     }
 288
 289     case DoubleAsInt32: {
 290         JSValue child = forNode(node->child1()).value();
 291         if (child && child.isNumber()) {
 292             double asDouble = child.asNumber();
 293             int32_t asInt = JSC::toInt32(asDouble);
 294             if (bitwise_cast<int64_t>(static_cast<double>(asInt)) == bitwise_cast<int64_t>(asDouble)) {
 295                 setConstant(node, JSValue(asInt));
 296                 break;
 297             }
 298         }
 299         node->setCanExit(true);
 300         forNode(node).setType(SpecInt32);
 301         break;
 302     }
 303
 304     case ValueToInt32: {
 305         JSValue child = forNode(node->child1()).value();
 306         if (child) {
 307             if (child.isNumber()) {
 308                 if (child.isInt32())
 309                     setConstant(node, child);
 310                 else
 311                     setConstant(node, JSValue(JSC::toInt32(child.asDouble())));
 312                 break;
 313             }
 314             if (child.isBoolean()) {
 315                 setConstant(node, jsNumber(child.asBoolean()));
 316                 break;
 317             }
 318             if (child.isUndefinedOrNull()) {
 319                 setConstant(node, jsNumber(0));
 320                 break;
 321             }
 322         }
 323
 324         forNode(node).setType(SpecInt32);
 325         break;
 326     }
 327
 328     case DoubleRep: {
 329         JSValue child = forNode(node->child1()).value();
 330         if (child && child.isNumber()) {
 331             setConstant(node, jsDoubleNumber(child.asNumber()));
 332             break;
 333         }
 334         forNode(node).setType(forNode(node->child1()).m_type);
 335         forNode(node).fixTypeForRepresentation(node);
 336         break;
 337     }
 338
 339     case Int52Rep: {
 340         JSValue child = forNode(node->child1()).value();
 341         if (child && child.isMachineInt()) {
 342             setConstant(node, child);
 343             break;
 344         }
 345
 346         forNode(node).setType(SpecInt32);
 347         break;
 348     }
 349
 350     case ValueRep: {
 351         JSValue value = forNode(node->child1()).value();
 352         if (value) {
 353             setConstant(node, value);
 354             break;
 355         }
 356
 357         forNode(node).setType(forNode(node->child1()).m_type & ~SpecDoubleImpureNaN);
 358         forNode(node).fixTypeForRepresentation(node);
 359         break;
 360     }
 361
 362     case ValueAdd: {
 363         ASSERT(node->binaryUseKind() == UntypedUse);
 364         clobberWorld(node->origin.semantic, clobberLimit);
 365         forNode(node).setType(SpecString | SpecBytecodeNumber);
 366         break;
 367     }
 368
 369     case ArithAdd: {
 370         JSValue left = forNode(node->child1()).value();
 371         JSValue right = forNode(node->child2()).value();
 372         switch (node->binaryUseKind()) {
 373         case Int32Use:
 374             if (left && right && left.isInt32() && right.isInt32()) {
 375                 if (!shouldCheckOverflow(node->arithMode())) {
 376                     setConstant(node, jsNumber(left.asInt32() + right.asInt32()));
 377                     break;
 378                 }
 379                 JSValue result = jsNumber(left.asNumber() + right.asNumber());
 380                 if (result.isInt32()) {
 381                     setConstant(node, result);
 382                     break;
 383                 }
 384             }
 385             forNode(node).setType(SpecInt32);
 386             if (shouldCheckOverflow(node->arithMode()))
 387                 node->setCanExit(true);
 388             break;
 389         case Int52RepUse:
 390             if (left && right && left.isMachineInt() && right.isMachineInt()) {
 391                 JSValue result = jsNumber(left.asMachineInt() + right.asMachineInt());
 392                 if (result.isMachineInt()) {
 393                     setConstant(node, result);
 394                     break;
 395                 }
 396             }
 397             forNode(node).setType(SpecMachineInt);
 398             if (!forNode(node->child1()).isType(SpecInt32)
 399                 || !forNode(node->child2()).isType(SpecInt32))
 400                 node->setCanExit(true);
 401             break;
 402         case DoubleRepUse:
 403             if (left && right && left.isNumber() && right.isNumber()) {
 404                 setConstant(node, jsDoubleNumber(left.asNumber() + right.asNumber()));
 405                 break;
 406             }
 407             forNode(node).setType(
 408                 typeOfDoubleSum(
 409                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
 410             break;
 411         default:
 412             RELEASE_ASSERT_NOT_REACHED();
 413             break;
 414         }
 415         break;
 416     }
 417
 418     case MakeRope: {
 419         node->setCanExit(true);
 420         forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
 421         break;
 422     }
 423
 424     case ArithSub: {
 425         JSValue left = forNode(node->child1()).value();
 426         JSValue right = forNode(node->child2()).value();
 427         switch (node->binaryUseKind()) {
 428         case Int32Use:
 429             if (left && right && left.isInt32() && right.isInt32()) {
 430                 if (!shouldCheckOverflow(node->arithMode())) {
 431                     setConstant(node, jsNumber(left.asInt32() - right.asInt32()));
 432                     break;
 433                 }
 434                 JSValue result = jsNumber(left.asNumber() - right.asNumber());
 435                 if (result.isInt32()) {
 436                     setConstant(node, result);
 437                     break;
 438                 }
 439             }
 440             forNode(node).setType(SpecInt32);
 441             if (shouldCheckOverflow(node->arithMode()))
 442                 node->setCanExit(true);
 443             break;
 444         case Int52RepUse:
 445             if (left && right && left.isMachineInt() && right.isMachineInt()) {
 446                 JSValue result = jsNumber(left.asMachineInt() - right.asMachineInt());
 447                 if (result.isMachineInt() || !shouldCheckOverflow(node->arithMode())) {
 448                     setConstant(node, result);
 449                     break;
 450                 }
 451             }
 452             forNode(node).setType(SpecMachineInt);
 453             if (!forNode(node->child1()).isType(SpecInt32)
 454                 || !forNode(node->child2()).isType(SpecInt32))
 455                 node->setCanExit(true);
 456             break;
 457         case DoubleRepUse:
 458             if (left && right && left.isNumber() && right.isNumber()) {
 459                 setConstant(node, jsDoubleNumber(left.asNumber() - right.asNumber()));
 460                 break;
 461             }
 462             forNode(node).setType(
 463                 typeOfDoubleDifference(
 464                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
 465             break;
 466         default:
 467             RELEASE_ASSERT_NOT_REACHED();
 468             break;
 469         }
 470         break;
 471     }
 472
 473     case ArithNegate: {
 474         JSValue child = forNode(node->child1()).value();
 475         switch (node->child1().useKind()) {
 476         case Int32Use:
 477             if (child && child.isInt32()) {
 478                 if (!shouldCheckOverflow(node->arithMode())) {
 479                     setConstant(node, jsNumber(-child.asInt32()));
 480                     break;
 481                 }
 482                 double doubleResult;
 483                 if (shouldCheckNegativeZero(node->arithMode()))
 484                     doubleResult = -child.asNumber();
 485                 else
 486                     doubleResult = 0 - child.asNumber();
 487                 JSValue valueResult = jsNumber(doubleResult);
 488                 if (valueResult.isInt32()) {
 489                     setConstant(node, valueResult);
 490                     break;
 491                 }
 492             }
 493             forNode(node).setType(SpecInt32);
 494             if (shouldCheckOverflow(node->arithMode()))
 495                 node->setCanExit(true);
 496             break;
 497         case Int52RepUse:
 498             if (child && child.isMachineInt()) {
 499                 double doubleResult;
 500                 if (shouldCheckNegativeZero(node->arithMode()))
 501                     doubleResult = -child.asNumber();
 502                 else
 503                     doubleResult = 0 - child.asNumber();
 504                 JSValue valueResult = jsNumber(doubleResult);
 505                 if (valueResult.isMachineInt()) {
 506                     setConstant(node, valueResult);
 507                     break;
 508                 }
 509             }
 510             forNode(node).setType(SpecMachineInt);
 511             if (m_state.forNode(node->child1()).couldBeType(SpecInt52))
 512                 node->setCanExit(true);
 513             if (shouldCheckNegativeZero(node->arithMode()))
 514                 node->setCanExit(true);
 515             break;
 516         case DoubleRepUse:
 517             if (child && child.isNumber()) {
 518                 setConstant(node, jsDoubleNumber(-child.asNumber()));
 519                 break;
 520             }
 521             forNode(node).setType(
 522                 typeOfDoubleNegation(
 523                     forNode(node->child1()).m_type));
 524             break;
 525         default:
 526             RELEASE_ASSERT_NOT_REACHED();
 527             break;
 528         }
 529         break;
 530     }
 531
 532     case ArithMul: {
 533         JSValue left = forNode(node->child1()).value();
 534         JSValue right = forNode(node->child2()).value();
 535         switch (node->binaryUseKind()) {
 536         case Int32Use:
 537             if (left && right && left.isInt32() && right.isInt32()) {
 538                 if (!shouldCheckOverflow(node->arithMode())) {
 539                     setConstant(node, jsNumber(left.asInt32() * right.asInt32()));
 540                     break;
 541                 }
 542                 double doubleResult = left.asNumber() * right.asNumber();
 543                 if (!shouldCheckNegativeZero(node->arithMode()))
 544                     doubleResult += 0; // Sanitizes zero.
 545                 JSValue valueResult = jsNumber(doubleResult);
 546                 if (valueResult.isInt32()) {
 547                     setConstant(node, valueResult);
 548                     break;
 549                 }
 550             }
 551             forNode(node).setType(SpecInt32);
 552             if (shouldCheckOverflow(node->arithMode()))
 553                 node->setCanExit(true);
 554             break;
 555         case Int52RepUse:
 556             if (left && right && left.isMachineInt() && right.isMachineInt()) {
 557                 double doubleResult = left.asNumber() * right.asNumber();
 558                 if (!shouldCheckNegativeZero(node->arithMode()))
 559                     doubleResult += 0;
 560                 JSValue valueResult = jsNumber(doubleResult);
 561                 if (valueResult.isMachineInt()) {
 562                     setConstant(node, valueResult);
 563                     break;
 564                 }
 565             }
 566             forNode(node).setType(SpecMachineInt);
 567             node->setCanExit(true);
 568             break;
 569         case DoubleRepUse:
 570             if (left && right && left.isNumber() && right.isNumber()) {
 571                 setConstant(node, jsDoubleNumber(left.asNumber() * right.asNumber()));
 572                 break;
 573             }
 574             forNode(node).setType(
 575                 typeOfDoubleProduct(
 576                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
 577             break;
 578         default:
 579             RELEASE_ASSERT_NOT_REACHED();
 580             break;
 581         }
 582         break;
 583     }
 584
 585     case ArithDiv: {
 586         JSValue left = forNode(node->child1()).value();
 587         JSValue right = forNode(node->child2()).value();
 588         switch (node->binaryUseKind()) {
 589         case Int32Use:
 590             if (left && right && left.isInt32() && right.isInt32()) {
 591                 double doubleResult = left.asNumber() / right.asNumber();
 592                 if (!shouldCheckOverflow(node->arithMode()))
 593                     doubleResult = toInt32(doubleResult);
 594                 else if (!shouldCheckNegativeZero(node->arithMode()))
 595                     doubleResult += 0; // Sanitizes zero.
 596                 JSValue valueResult = jsNumber(doubleResult);
 597                 if (valueResult.isInt32()) {
 598                     setConstant(node, valueResult);
 599                     break;
 600                 }
 601             }
 602             forNode(node).setType(SpecInt32);
 603             node->setCanExit(true);
 604             break;
 605         case DoubleRepUse:
 606             if (left && right && left.isNumber() && right.isNumber()) {
 607                 setConstant(node, jsDoubleNumber(left.asNumber() / right.asNumber()));
 608                 break;
 609             }
 610             forNode(node).setType(
 611                 typeOfDoubleQuotient(
 612                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
 613             break;
 614         default:
 615             RELEASE_ASSERT_NOT_REACHED();
 616             break;
 617         }
 618         break;
 619     }
 620
 621     case ArithMod: {
 622         JSValue left = forNode(node->child1()).value();
 623         JSValue right = forNode(node->child2()).value();
 624         switch (node->binaryUseKind()) {
 625         case Int32Use:
 626             if (left && right && left.isInt32() && right.isInt32()) {
 627                 double doubleResult = fmod(left.asNumber(), right.asNumber());
 628                 if (!shouldCheckOverflow(node->arithMode()))
 629                     doubleResult = toInt32(doubleResult);
 630                 else if (!shouldCheckNegativeZero(node->arithMode()))
 631                     doubleResult += 0; // Sanitizes zero.
 632                 JSValue valueResult = jsNumber(doubleResult);
 633                 if (valueResult.isInt32()) {
 634                     setConstant(node, valueResult);
 635                     break;
 636                 }
 637             }
 638             forNode(node).setType(SpecInt32);
 639             node->setCanExit(true);
 640             break;
 641         case DoubleRepUse:
 642             if (left && right && left.isNumber() && right.isNumber()) {
 643                 setConstant(node, jsDoubleNumber(fmod(left.asNumber(), right.asNumber())));
 644                 break;
 645             }
 646             forNode(node).setType(
 647                 typeOfDoubleBinaryOp(
 648                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
 649             break;
 650         default:
 651             RELEASE_ASSERT_NOT_REACHED();
 652             break;
 653         }
 654         break;
 655     }
 656
 657     case ArithMin: {
 658         JSValue left = forNode(node->child1()).value();
 659         JSValue right = forNode(node->child2()).value();
 660         switch (node->binaryUseKind()) {
 661         case Int32Use:
 662             if (left && right && left.isInt32() && right.isInt32()) {
 663                 setConstant(node, jsNumber(std::min(left.asInt32(), right.asInt32())));
 664                 break;
 665             }
 666             forNode(node).setType(SpecInt32);
 667             node->setCanExit(true);
 668             break;
 669         case DoubleRepUse:
 670             if (left && right && left.isNumber() && right.isNumber()) {
 671                 double a = left.asNumber();
 672                 double b = right.asNumber();
 673                 setConstant(node, jsDoubleNumber(a < b ? a : (b <= a ? b : a + b)));
 674                 break;
 675             }
 676             forNode(node).setType(
 677                 typeOfDoubleMinMax(
 678                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
 679             break;
 680         default:
 681             RELEASE_ASSERT_NOT_REACHED();
 682             break;
 683         }
 684         break;
 685     }
 686
 687     case ArithMax: {
 688         JSValue left = forNode(node->child1()).value();
 689         JSValue right = forNode(node->child2()).value();
 690         switch (node->binaryUseKind()) {
 691         case Int32Use:
 692             if (left && right && left.isInt32() && right.isInt32()) {
 693                 setConstant(node, jsNumber(std::max(left.asInt32(), right.asInt32())));
 694                 break;
 695             }
 696             forNode(node).setType(SpecInt32);
 697             node->setCanExit(true);
 698             break;
 699         case DoubleRepUse:
 700             if (left && right && left.isNumber() && right.isNumber()) {
 701                 double a = left.asNumber();
 702                 double b = right.asNumber();
 703                 setConstant(node, jsDoubleNumber(a > b ? a : (b >= a ? b : a + b)));
 704                 break;
 705             }
 706             forNode(node).setType(
 707                 typeOfDoubleMinMax(
 708                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
 709             break;
 710         default:
 711             RELEASE_ASSERT_NOT_REACHED();
 712             break;
 713         }
 714         break;
 715     }
 716
 717     case ArithAbs: {
 718         JSValue child = forNode(node->child1()).value();
 719         switch (node->child1().useKind()) {
 720         case Int32Use:
 721             if (child && child.isInt32()) {
 722                 JSValue result = jsNumber(fabs(child.asNumber()));
 723                 if (result.isInt32()) {
 724                     setConstant(node, result);
 725                     break;
 726                 }
 727             }
 728             forNode(node).setType(SpecInt32);
 729             node->setCanExit(true);
 730             break;
 731         case DoubleRepUse:
 732             if (child && child.isNumber()) {
 733                 setConstant(node, jsDoubleNumber(child.asNumber()));
 734                 break;
 735             }
 736             forNode(node).setType(typeOfDoubleAbs(forNode(node->child1()).m_type));
 737             break;
 738         default:
 739             RELEASE_ASSERT_NOT_REACHED();
 740             break;
 741         }
 742         break;
 743     }
 744
 745     case ArithSqrt: {
 746         JSValue child = forNode(node->child1()).value();
 747         if (child && child.isNumber()) {
 748             setConstant(node, jsDoubleNumber(sqrt(child.asNumber())));
 749             break;
 750         }
 751         forNode(node).setType(typeOfDoubleUnaryOp(forNode(node->child1()).m_type));
 752         break;
 753     }
 754
 755     case ArithFRound: {
 756         JSValue child = forNode(node->child1()).value();
 757         if (child && child.isNumber()) {
 758             setConstant(node, jsDoubleNumber(static_cast<float>(child.asNumber())));
 759             break;
 760         }
 761         forNode(node).setType(typeOfDoubleFRound(forNode(node->child1()).m_type));
 762         break;
 763     }
 764
 765     case ArithSin: {
 766         JSValue child = forNode(node->child1()).value();
 767         if (child && child.isNumber()) {
 768             setConstant(node, jsDoubleNumber(sin(child.asNumber())));
 769             break;
 770         }
 771         forNode(node).setType(typeOfDoubleUnaryOp(forNode(node->child1()).m_type));
 772         break;
 773     }
 774
 775     case ArithCos: {
 776         JSValue child = forNode(node->child1()).value();
 777         if (child && child.isNumber()) {
 778             setConstant(node, jsDoubleNumber(cos(child.asNumber())));
 779             break;
 780         }
 781         forNode(node).setType(typeOfDoubleUnaryOp(forNode(node->child1()).m_type));
 782         break;
 783     }
 784
 785     case LogicalNot: {
 786         switch (booleanResult(node, forNode(node->child1()))) {
 787         case DefinitelyTrue:
 788             setConstant(node, jsBoolean(false));
 789             break;
 790         case DefinitelyFalse:
 791             setConstant(node, jsBoolean(true));
 792             break;
 793         default:
 794             switch (node->child1().useKind()) {
 795             case BooleanUse:
 796             case Int32Use:
 797             case DoubleRepUse:
 798             case UntypedUse:
 799             case StringUse:
 800                 break;
 801             case ObjectOrOtherUse:
 802                 node->setCanExit(true);
 803                 break;
 804             default:
 805                 RELEASE_ASSERT_NOT_REACHED();
 806                 break;
 807             }
 808             forNode(node).setType(SpecBoolean);
 809             break;
 810         }
 811         break;
 812     }
 813
 814     case IsUndefined:
 815     case IsBoolean:
 816     case IsNumber:
 817     case IsString:
 818     case IsObject:
 819     case IsFunction: {
 820         node->setCanExit(
 821             node->op() == IsUndefined
 822             && m_graph.masqueradesAsUndefinedWatchpointIsStillValid(node->origin.semantic));
 823         JSValue child = forNode(node->child1()).value();
 824         if (child) {
 825             bool constantWasSet = true;
 826             switch (node->op()) {
 827             case IsUndefined:
 828                 setConstant(node, jsBoolean(
 829                     child.isCell()
 830                     ? child.asCell()->structure()->masqueradesAsUndefined(m_codeBlock->globalObjectFor(node->origin.semantic))
 831                     : child.isUndefined()));
 832                 break;
 833             case IsBoolean:
 834                 setConstant(node, jsBoolean(child.isBoolean()));
 835                 break;
 836             case IsNumber:
 837                 setConstant(node, jsBoolean(child.isNumber()));
 838                 break;
 839             case IsString:
 840                 setConstant(node, jsBoolean(isJSString(child)));
 841                 break;
 842             case IsObject:
 843                 if (child.isNull() || !child.isObject()) {
 844                     setConstant(node, jsBoolean(child.isNull()));
 845                     break;
 846                 }
 847                 constantWasSet = false;
 848                 break;
 849             default:
 850                 constantWasSet = false;
 851                 break;
 852             }
 853             if (constantWasSet)
 854                 break;
 855         }
 856
 857         forNode(node).setType(SpecBoolean);
 858         break;
 859     }
 860
 861     case TypeOf: {
 862         VM* vm = m_codeBlock->vm();
 863         JSValue child = forNode(node->child1()).value();
 864         AbstractValue& abstractChild = forNode(node->child1());
 865         if (child) {
 866             JSValue typeString = jsTypeStringForValue(*vm, m_codeBlock->globalObjectFor(node->origin.semantic), child);
 867             setConstant(node, typeString);
 868             break;
 869         }
 870
 871         if (isFullNumberSpeculation(abstractChild.m_type)) {
 872             setConstant(node, vm->smallStrings.numberString());
 873             break;
 874         }
 875
 876         if (isStringSpeculation(abstractChild.m_type)) {
 877             setConstant(node, vm->smallStrings.stringString());
 878             break;
 879         }
 880
 881         if (isFinalObjectSpeculation(abstractChild.m_type) || isArraySpeculation(abstractChild.m_type) || isArgumentsSpeculation(abstractChild.m_type)) {
 882             setConstant(node, vm->smallStrings.objectString());
 883             break;
 884         }
 885
 886         if (isFunctionSpeculation(abstractChild.m_type)) {
 887             setConstant(node, vm->smallStrings.functionString());
 888             break;
 889         }
 890
 891         if (isBooleanSpeculation(abstractChild.m_type)) {
 892             setConstant(node, vm->smallStrings.booleanString());
 893             break;
 894         }
 895
 896         switch (node->child1().useKind()) {
 897         case StringUse:
 898         case CellUse:
 899             node->setCanExit(true);
 900             break;
 901         case UntypedUse:
 902             break;
 903         default:
 904             RELEASE_ASSERT_NOT_REACHED();
 905             break;
 906         }
 907         forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
 908         break;
 909     }
 910
 911     case CompareLess:
 912     case CompareLessEq:
 913     case CompareGreater:
 914     case CompareGreaterEq:
 915     case CompareEq:
 916     case CompareEqConstant: {
 917         JSValue leftConst = forNode(node->child1()).value();
 918         JSValue rightConst = forNode(node->child2()).value();
 919         if (leftConst && rightConst) {
 920             if (leftConst.isNumber() && rightConst.isNumber()) {
 921                 double a = leftConst.asNumber();
 922                 double b = rightConst.asNumber();
 923                 switch (node->op()) {
 924                 case CompareLess:
 925                     setConstant(node, jsBoolean(a < b));
 926                     break;
 927                 case CompareLessEq:
 928                     setConstant(node, jsBoolean(a <= b));
 929                     break;
 930                 case CompareGreater:
 931                     setConstant(node, jsBoolean(a > b));
 932                     break;
 933                 case CompareGreaterEq:
 934                     setConstant(node, jsBoolean(a >= b));
 935                     break;
 936                 case CompareEq:
 937                     setConstant(node, jsBoolean(a == b));
 938                     break;
 939                 default:
 940                     RELEASE_ASSERT_NOT_REACHED();
 941                     break;
 942                 }
 943                 break;
 944             }
 945
 946             if (node->op() == CompareEq && leftConst.isString() && rightConst.isString()) {
 947                 const StringImpl* a = asString(leftConst)->tryGetValueImpl();
 948                 const StringImpl* b = asString(rightConst)->tryGetValueImpl();
 949                 if (a && b) {
 950                     setConstant(node, jsBoolean(WTF::equal(a, b)));
 951                     break;
 952                 }
 953             }
 954         }
 955
 956         if (node->op() == CompareEqConstant || node->op() == CompareEq) {
 957             SpeculatedType leftType = forNode(node->child1()).m_type;
 958             SpeculatedType rightType = forNode(node->child2()).m_type;
 959             if (!valuesCouldBeEqual(leftType, rightType)) {
 960                 setConstant(node, jsBoolean(false));
 961                 break;
 962             }
 963         }
 964
 965         forNode(node).setType(SpecBoolean);
 966
 967         // This is overly conservative. But the only thing this prevents is store elimination,
 968         // and how likely is it, really, that you'll have redundant stores across a comparison
 969         // operation? Comparison operations are typically at the end of basic blocks, so
 970         // unless we have global store elimination (super unlikely given how unprofitable that
 971         // optimization is to begin with), you aren't going to be wanting to store eliminate
 972         // across an equality op.
 973         node->setCanExit(true);
 974         break;
 975     }
 976
 977     case CompareStrictEq: {
 978         Node* leftNode = node->child1().node();
 979         Node* rightNode = node->child2().node();
 980         JSValue left = forNode(leftNode).value();
 981         JSValue right = forNode(rightNode).value();
 982         if (left && right) {
 983             if (left.isString() && right.isString()) {
 984                 // We need this case because JSValue::strictEqual is otherwise too racy for
 985                 // string comparisons.
 986                 const StringImpl* a = asString(left)->tryGetValueImpl();
 987                 const StringImpl* b = asString(right)->tryGetValueImpl();
 988                 if (a && b) {
 989                     setConstant(node, jsBoolean(WTF::equal(a, b)));
 990                     break;
 991                 }
 992             } else {
 993                 setConstant(node, jsBoolean(JSValue::strictEqual(0, left, right)));
 994                 break;
 995             }
 996         }
 997
 998         SpeculatedType leftLUB = leastUpperBoundOfStrictlyEquivalentSpeculations(forNode(leftNode).m_type);
 999         SpeculatedType rightLUB = leastUpperBoundOfStrictlyEquivalentSpeculations(forNode(rightNode).m_type);
1000         if (!(leftLUB & rightLUB)) {
1001             setConstant(node, jsBoolean(false));
1002             break;
1003         }
1004
1005         forNode(node).setType(SpecBoolean);
1006         node->setCanExit(true); // This is overly conservative.
1007         break;
1008     }
1009
1010     case StringCharCodeAt:
1011         node->setCanExit(true);
1012         forNode(node).setType(SpecInt32);
1013         break;
1014
1015     case StringFromCharCode:
1016         forNode(node).setType(SpecString);
1017         break;
1018
1019     case StringCharAt:
1020         node->setCanExit(true);
1021         forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
1022         break;
1023
1024     case GetByVal: {
1025         node->setCanExit(true);
1026         switch (node->arrayMode().type()) {
1027         case Array::SelectUsingPredictions:
1028         case Array::Unprofiled:
1029         case Array::Undecided:
1030             RELEASE_ASSERT_NOT_REACHED();
1031             break;
1032         case Array::ForceExit:
1033             m_state.setIsValid(false);
1034             break;
1035         case Array::Generic:
1036             clobberWorld(node->origin.semantic, clobberLimit);
1037             forNode(node).makeHeapTop();
1038             break;
1039         case Array::String:
1040             if (node->arrayMode().isOutOfBounds()) {
1041                 // If the watchpoint was still valid we could totally set this to be
1042                 // SpecString | SpecOther. Except that we'd have to be careful. If we
1043                 // tested the watchpoint state here then it could change by the time
1044                 // we got to the backend. So to do this right, we'd have to get the
1045                 // fixup phase to check the watchpoint state and then bake into the
1046                 // GetByVal operation the fact that we're using a watchpoint, using
1047                 // something like Array::SaneChain (except not quite, because that
1048                 // implies an in-bounds access). None of this feels like it's worth it,
1049                 // so we're going with TOP for now. The same thing applies to
1050                 // clobbering the world.
1051                 clobberWorld(node->origin.semantic, clobberLimit);
1052                 forNode(node).makeHeapTop();
1053             } else
1054                 forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
1055             break;
1056         case Array::Arguments:
1057             forNode(node).makeHeapTop();
1058             break;
1059         case Array::Int32:
1060             if (node->arrayMode().isOutOfBounds()) {
1061                 clobberWorld(node->origin.semantic, clobberLimit);
1062                 forNode(node).makeHeapTop();
1063             } else
1064                 forNode(node).setType(SpecInt32);
1065             break;
1066         case Array::Double:
1067             if (node->arrayMode().isOutOfBounds()) {
1068                 clobberWorld(node->origin.semantic, clobberLimit);
1069                 forNode(node).makeHeapTop();
1070             } else if (node->arrayMode().isSaneChain())
1071                 forNode(node).setType(SpecBytecodeDouble);
1072             else
1073                 forNode(node).setType(SpecDoubleReal);
1074             break;
1075         case Array::Contiguous:
1076         case Array::ArrayStorage:
1077         case Array::SlowPutArrayStorage:
1078             if (node->arrayMode().isOutOfBounds())
1079                 clobberWorld(node->origin.semantic, clobberLimit);
1080             forNode(node).makeHeapTop();
1081             break;
1082         case Array::Int8Array:
1083             forNode(node).setType(SpecInt32);
1084             break;
1085         case Array::Int16Array:
1086             forNode(node).setType(SpecInt32);
1087             break;
1088         case Array::Int32Array:
1089             forNode(node).setType(SpecInt32);
1090             break;
1091         case Array::Uint8Array:
1092             forNode(node).setType(SpecInt32);
1093             break;
1094         case Array::Uint8ClampedArray:
1095             forNode(node).setType(SpecInt32);
1096             break;
1097         case Array::Uint16Array:
1098             forNode(node).setType(SpecInt32);
1099             break;
1100         case Array::Uint32Array:
1101             if (node->shouldSpeculateInt32())
1102                 forNode(node).setType(SpecInt32);
1103             else if (enableInt52() && node->shouldSpeculateMachineInt())
1104                 forNode(node).setType(SpecInt52);
1105             else
1106                 forNode(node).setType(SpecInt52AsDouble);
1107             break;
1108         case Array::Float32Array:
1109             forNode(node).setType(SpecFullDouble);
1110             break;
1111         case Array::Float64Array:
1112             forNode(node).setType(SpecFullDouble);
1113             break;
1114         default:
1115             RELEASE_ASSERT_NOT_REACHED();
1116             break;
1117         }
1118         break;
1119     }
1120
1121     case PutByValDirect:
1122     case PutByVal:
1123     case PutByValAlias: {
1124         node->setCanExit(true);
1125         switch (node->arrayMode().modeForPut().type()) {
1126         case Array::ForceExit:
1127             m_state.setIsValid(false);
1128             break;
1129         case Array::Generic:
1130             clobberWorld(node->origin.semantic, clobberLimit);
1131             break;
1132         case Array::Int32:
1133             if (node->arrayMode().isOutOfBounds())
1134                 clobberWorld(node->origin.semantic, clobberLimit);
1135             break;
1136         case Array::Double:
1137             if (node->arrayMode().isOutOfBounds())
1138                 clobberWorld(node->origin.semantic, clobberLimit);
1139             break;
1140         case Array::Contiguous:
1141         case Array::ArrayStorage:
1142             if (node->arrayMode().isOutOfBounds())
1143                 clobberWorld(node->origin.semantic, clobberLimit);
1144             break;
1145         case Array::SlowPutArrayStorage:
1146             if (node->arrayMode().mayStoreToHole())
1147                 clobberWorld(node->origin.semantic, clobberLimit);
1148             break;
1149         default:
1150             break;
1151         }
1152         break;
1153     }
1154
1155     case ArrayPush:
1156         node->setCanExit(true);
1157         clobberWorld(node->origin.semantic, clobberLimit);
1158         forNode(node).setType(SpecBytecodeNumber);
1159         break;
1160
1161     case ArrayPop:
1162         node->setCanExit(true);
1163         clobberWorld(node->origin.semantic, clobberLimit);
1164         forNode(node).makeHeapTop();
1165         break;
1166
1167     case RegExpExec:
1168         forNode(node).makeHeapTop();
1169         break;
1170
1171     case RegExpTest:
1172         forNode(node).setType(SpecBoolean);
1173         break;
1174
1175     case Jump:
1176         break;
1177
1178     case Branch: {
1179         Node* child = node->child1().node();
1180         BooleanResult result = booleanResult(node, forNode(child));
1181         if (result == DefinitelyTrue) {
1182             m_state.setBranchDirection(TakeTrue);
1183             break;
1184         }
1185         if (result == DefinitelyFalse) {
1186             m_state.setBranchDirection(TakeFalse);
1187             break;
1188         }
1189         // FIXME: The above handles the trivial cases of sparse conditional
1190         // constant propagation, but we can do better:
1191         // We can specialize the source variable's value on each direction of
1192         // the branch.
1193         node->setCanExit(true); // This is overly conservative.
1194         m_state.setBranchDirection(TakeBoth);
1195         break;
1196     }
1197
1198     case Switch: {
1199         // Nothing to do for now.
1200         // FIXME: Do sparse conditional things.
1201         break;
1202     }
1203
1204     case Return:
1205         m_state.setIsValid(false);
1206         break;
1207
1208     case Throw:
1209     case ThrowReferenceError:
1210         m_state.setIsValid(false);
1211         node->setCanExit(true);
1212         break;
1213
1214     case ToPrimitive: {
1215         JSValue childConst = forNode(node->child1()).value();
1216         if (childConst && childConst.isNumber()) {
1217             setConstant(node, childConst);
1218             break;
1219         }
1220
1221         ASSERT(node->child1().useKind() == UntypedUse);
1222
1223         if (!forNode(node->child1()).m_type) {
1224             m_state.setIsValid(false);
1225             break;
1226         }
1227
1228         if (!(forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString))) {
1229             m_state.setFoundConstants(true);
1230             forNode(node) = forNode(node->child1());
1231             break;
1232         }
1233
1234         clobberWorld(node->origin.semantic, clobberLimit);
1235
1236         forNode(node).setType((SpecHeapTop & ~SpecCell) | SpecString);
1237         break;
1238     }
1239
1240     case ToString: {
1241         switch (node->child1().useKind()) {
1242         case StringObjectUse:
1243             // This also filters that the StringObject has the primordial StringObject
1244             // structure.
1245             filter(
1246                 node->child1(),
1247                 m_graph.globalObjectFor(node->origin.semantic)->stringObjectStructure());
1248             node->setCanExit(true); // We could be more precise but it's likely not worth it.
1249             break;
1250         case StringOrStringObjectUse:
1251             node->setCanExit(true); // We could be more precise but it's likely not worth it.
1252             break;
1253         case CellUse:
1254         case UntypedUse:
1255             clobberWorld(node->origin.semantic, clobberLimit);
1256             break;
1257         default:
1258             RELEASE_ASSERT_NOT_REACHED();
1259             break;
1260         }
1261         forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
1262         break;
1263     }
1264
1265     case NewStringObject: {
1266         ASSERT(node->structure()->classInfo() == StringObject::info());
1267         forNode(node).set(m_graph, node->structure());
1268         break;
1269     }
1270
1271     case NewArray:
1272         node->setCanExit(true);
1273         forNode(node).set(
1274             m_graph,
1275             m_graph.globalObjectFor(node->origin.semantic)->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()));
1276         m_state.setHaveStructures(true);
1277         break;
1278
1279     case NewArrayBuffer:
1280         node->setCanExit(true);
1281         forNode(node).set(
1282             m_graph,
1283             m_graph.globalObjectFor(node->origin.semantic)->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()));
1284         m_state.setHaveStructures(true);
1285         break;
1286
1287     case NewArrayWithSize:
1288         node->setCanExit(true);
1289         forNode(node).setType(SpecArray);
1290         m_state.setHaveStructures(true);
1291         break;
1292
1293     case NewTypedArray:
1294         switch (node->child1().useKind()) {
1295         case Int32Use:
1296             break;
1297         case UntypedUse:
1298             clobberWorld(node->origin.semantic, clobberLimit);
1299             break;
1300         default:
1301             RELEASE_ASSERT_NOT_REACHED();
1302             break;
1303         }
1304         forNode(node).set(
1305             m_graph,
1306             m_graph.globalObjectFor(node->origin.semantic)->typedArrayStructure(
1307                 node->typedArrayType()));
1308         m_state.setHaveStructures(true);
1309         break;
1310
1311     case NewRegexp:
1312         forNode(node).set(m_graph, m_graph.globalObjectFor(node->origin.semantic)->regExpStructure());
1313         m_state.setHaveStructures(true);
1314         break;
1315
1316     case ToThis: {
1317         AbstractValue& source = forNode(node->child1());
1318         AbstractValue& destination = forNode(node);
1319
1320         if (m_graph.executableFor(node->origin.semantic)->isStrictMode())
1321             destination.makeHeapTop();
1322         else {
1323             destination = source;
1324             destination.merge(SpecObject);
1325         }
1326         break;
1327     }
1328
1329     case CreateThis: {
1330         forNode(node).setType(SpecFinalObject);
1331         break;
1332     }
1333
1334     case AllocationProfileWatchpoint:
1335         node->setCanExit(true);
1336         break;
1337
1338     case NewObject:
1339         ASSERT(node->structure());
1340         forNode(node).set(m_graph, node->structure());
1341         m_state.setHaveStructures(true);
1342         break;
1343
1344     case CreateActivation:
1345         forNode(node).set(
1346             m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->activationStructure());
1347         m_state.setHaveStructures(true);
1348         break;
1349
1350     case FunctionReentryWatchpoint:
1351     case TypedArrayWatchpoint:
1352         break;
1353
1354     case CreateArguments:
1355         forNode(node) = forNode(node->child1());
1356         forNode(node).filter(~SpecEmpty);
1357         forNode(node).merge(SpecArguments);
1358         break;
1359
1360     case TearOffActivation:
1361     case TearOffArguments:
1362         // Does nothing that is user-visible.
1363         break;
1364
1365     case CheckArgumentsNotCreated:
1366         if (isEmptySpeculation(
1367                 m_state.variables().operand(
1368                     m_graph.argumentsRegisterFor(node->origin.semantic).offset()).m_type))
1369             m_state.setFoundConstants(true);
1370         else
1371             node->setCanExit(true);
1372         break;
1373
1374     case GetMyArgumentsLength:
1375         // We know that this executable does not escape its arguments, so we can optimize
1376         // the arguments a bit. Note that this is not sufficient to force constant folding
1377         // of GetMyArgumentsLength, because GetMyArgumentsLength is a clobbering operation.
1378         // We perform further optimizations on this later on.
1379         if (node->origin.semantic.inlineCallFrame) {
1380             forNode(node).set(
1381                 m_graph, jsNumber(node->origin.semantic.inlineCallFrame->arguments.size() - 1));
1382         } else
1383             forNode(node).setType(SpecInt32);
1384         node->setCanExit(
1385             !isEmptySpeculation(
1386                 m_state.variables().operand(
1387                     m_graph.argumentsRegisterFor(node->origin.semantic)).m_type));
1388         break;
1389
1390     case GetMyArgumentsLengthSafe:
1391         // This potentially clobbers all structures if the arguments object had a getter
1392         // installed on the length property.
1393         clobberWorld(node->origin.semantic, clobberLimit);
1394         // We currently make no guarantee about what this returns because it does not
1395         // speculate that the length property is actually a length.
1396         forNode(node).makeHeapTop();
1397         break;
1398
1399     case GetMyArgumentByVal:
1400         node->setCanExit(true);
1401         // We know that this executable does not escape its arguments, so we can optimize
1402         // the arguments a bit. Note that this ends up being further optimized by the
1403         // ArgumentsSimplificationPhase.
1404         forNode(node).makeHeapTop();
1405         break;
1406
1407     case GetMyArgumentByValSafe:
1408         node->setCanExit(true);
1409         // This potentially clobbers all structures if the property we're accessing has
1410         // a getter. We don't speculate against this.
1411         clobberWorld(node->origin.semantic, clobberLimit);
1412         // And the result is unknown.
1413         forNode(node).makeHeapTop();
1414         break;
1415
1416     case NewFunction: {
1417         AbstractValue& value = forNode(node);
1418         value = forNode(node->child1());
1419
1420         if (!(value.m_type & SpecEmpty)) {
1421             m_state.setFoundConstants(true);
1422             break;
1423         }
1424
1425         value.setType((value.m_type & ~SpecEmpty) | SpecFunction);
1426         break;
1427     }
1428
1429     case NewFunctionExpression:
1430     case NewFunctionNoCheck:
1431         forNode(node).set(
1432             m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->functionStructure());
1433         m_state.setHaveStructures(true);
1434         break;
1435
1436     case GetCallee:
1437         forNode(node).setType(SpecFunction);
1438         break;
1439
1440     case GetScope: // FIXME: We could get rid of these if we know that the JSFunction is a constant. https://bugs.webkit.org/show_bug.cgi?id=106202
1441     case GetMyScope:
1442     case SkipTopScope:
1443         forNode(node).setType(SpecObjectOther);
1444         break;
1445
1446     case SkipScope: {
1447         JSValue child = forNode(node->child1()).value();
1448         if (child) {
1449             setConstant(node, JSValue(jsCast<JSScope*>(child.asCell())->next()));
1450             break;
1451         }
1452         forNode(node).setType(SpecObjectOther);
1453         break;
1454     }
1455
1456     case GetClosureRegisters:
1457         forNode(node).clear(); // The result is not a JS value.
1458         break;
1459
1460     case GetClosureVar:
1461         forNode(node).makeHeapTop();
1462         break;
1463
1464     case PutClosureVar:
1465         clobberCapturedVars(node->origin.semantic);
1466         break;
1467
1468     case GetById:
1469     case GetByIdFlush:
1470         node->setCanExit(true);
1471         if (!node->prediction()) {
1472             m_state.setIsValid(false);
1473             break;
1474         }
1475         if (isCellSpeculation(node->child1()->prediction())) {
1476             if (Structure* structure = forNode(node->child1()).bestProvenStructure()) {
1477                 GetByIdStatus status = GetByIdStatus::computeFor(
1478                     m_graph.m_vm, structure,
1479                     m_graph.identifiers()[node->identifierNumber()]);
1480                 if (status.isSimple() && status.numVariants() == 1) {
1481                     // Assert things that we can't handle and that the computeFor() method
1482                     // above won't be able to return.
1483                     ASSERT(status[0].structureSet().size() == 1);
1484                     ASSERT(!status[0].chain());
1485
1486                     if (status[0].specificValue())
1487                         setConstant(node, status[0].specificValue());
1488                     else
1489                         forNode(node).makeHeapTop();
1490                     filter(node->child1(), status[0].structureSet());
1491
1492                     m_state.setFoundConstants(true);
1493                     m_state.setHaveStructures(true);
1494                     break;
1495                 }
1496             }
1497         }
1498         clobberWorld(node->origin.semantic, clobberLimit);
1499         forNode(node).makeHeapTop();
1500         break;
1501
1502     case GetArrayLength:
1503         node->setCanExit(true); // Lies, but it's true for the common case of JSArray, so it's good enough.
1504         forNode(node).setType(SpecInt32);
1505         break;
1506
1507     case CheckExecutable: {
1508         // FIXME: We could track executables in AbstractValue, which would allow us to get rid of these checks
1509         // more thoroughly. https://bugs.webkit.org/show_bug.cgi?id=106200
1510         // FIXME: We could eliminate these entirely if we know the exact value that flows into this.
1511         // https://bugs.webkit.org/show_bug.cgi?id=106201
1512         node->setCanExit(true);
1513         break;
1514     }
1515
1516     case CheckStructure: {
1517         // FIXME: We should be able to propagate the structure sets of constants (i.e. prototypes).
1518         AbstractValue& value = forNode(node->child1());
1519         ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
1520
1521         StructureSet& set = node->structureSet();
1522
1523         if (value.m_currentKnownStructure.isSubsetOf(set)) {
1524             m_state.setFoundConstants(true);
1525             break;
1526         }
1527
1528         node->setCanExit(true);
1529         m_state.setHaveStructures(true);
1530
1531         // If this structure check is attempting to prove knowledge already held in
1532         // the futurePossibleStructure set then the constant folding phase should
1533         // turn this into a watchpoint instead.
1534         if (value.m_futurePossibleStructure.isSubsetOf(set)
1535             && value.m_futurePossibleStructure.hasSingleton()) {
1536             m_state.setFoundConstants(true);
1537             filter(value, value.m_futurePossibleStructure.singleton());
1538             break;
1539         }
1540
1541         filter(value, set);
1542         break;
1543     }
1544
1545     case StructureTransitionWatchpoint: {
1546         AbstractValue& value = forNode(node->child1());
1547
1548         filter(value, node->structure());
1549         m_state.setHaveStructures(true);
1550         node->setCanExit(true);
1551         break;
1552     }
1553
1554     case PutStructure:
1555     case PhantomPutStructure:
1556         if (!forNode(node->child1()).m_currentKnownStructure.isClear()) {
1557             clobberStructures(clobberLimit);
1558             forNode(node->child1()).set(m_graph, node->structureTransitionData().newStructure);
1559             m_state.setHaveStructures(true);
1560         }
1561         break;
1562     case GetButterfly:
1563     case AllocatePropertyStorage:
1564     case ReallocatePropertyStorage:
1565         forNode(node).clear(); // The result is not a JS value.
1566         break;
1567     case CheckArray: {
1568         if (node->arrayMode().alreadyChecked(m_graph, node, forNode(node->child1()))) {
1569             m_state.setFoundConstants(true);
1570             break;
1571         }
1572         node->setCanExit(true); // Lies, but this is followed by operations (like GetByVal) that always exit, so there is no point in us trying to be clever here.
1573         switch (node->arrayMode().type()) {
1574         case Array::String:
1575             filter(node->child1(), SpecString);
1576             break;
1577         case Array::Int32:
1578         case Array::Double:
1579         case Array::Contiguous:
1580         case Array::ArrayStorage:
1581         case Array::SlowPutArrayStorage:
1582             break;
1583         case Array::Arguments:
1584             filter(node->child1(), SpecArguments);
1585             break;
1586         case Array::Int8Array:
1587             filter(node->child1(), SpecInt8Array);
1588             break;
1589         case Array::Int16Array:
1590             filter(node->child1(), SpecInt16Array);
1591             break;
1592         case Array::Int32Array:
1593             filter(node->child1(), SpecInt32Array);
1594             break;
1595         case Array::Uint8Array:
1596             filter(node->child1(), SpecUint8Array);
1597             break;
1598         case Array::Uint8ClampedArray:
1599             filter(node->child1(), SpecUint8ClampedArray);
1600             break;
1601         case Array::Uint16Array:
1602             filter(node->child1(), SpecUint16Array);
1603             break;
1604         case Array::Uint32Array:
1605             filter(node->child1(), SpecUint32Array);
1606             break;
1607         case Array::Float32Array:
1608             filter(node->child1(), SpecFloat32Array);
1609             break;
1610         case Array::Float64Array:
1611             filter(node->child1(), SpecFloat64Array);
1612             break;
1613         default:
1614             RELEASE_ASSERT_NOT_REACHED();
1615             break;
1616         }
1617         filterArrayModes(node->child1(), node->arrayMode().arrayModesThatPassFiltering());
1618         m_state.setHaveStructures(true);
1619         break;
1620     }
1621     case Arrayify: {
1622         if (node->arrayMode().alreadyChecked(m_graph, node, forNode(node->child1()))) {
1623             m_state.setFoundConstants(true);
1624             break;
1625         }
1626         ASSERT(node->arrayMode().conversion() == Array::Convert
1627             || node->arrayMode().conversion() == Array::RageConvert);
1628         node->setCanExit(true);
1629         clobberStructures(clobberLimit);
1630         filterArrayModes(node->child1(), node->arrayMode().arrayModesThatPassFiltering());
1631         m_state.setHaveStructures(true);
1632         break;
1633     }
1634     case ArrayifyToStructure: {
1635         AbstractValue& value = forNode(node->child1());
1636         StructureSet set = node->structure();
1637         if (value.m_futurePossibleStructure.isSubsetOf(set)
1638             || value.m_currentKnownStructure.isSubsetOf(set))
1639             m_state.setFoundConstants(true);
1640         node->setCanExit(true);
1641         clobberStructures(clobberLimit);
1642         filter(value, set);
1643         m_state.setHaveStructures(true);
1644         break;
1645     }
1646     case GetIndexedPropertyStorage:
1647     case ConstantStoragePointer: {
1648         forNode(node).clear();
1649         break;
1650     }
1651
1652     case GetTypedArrayByteOffset: {
1653         forNode(node).setType(SpecInt32);
1654         break;
1655     }
1656
1657     case GetByOffset: {
1658         forNode(node).makeHeapTop();
1659         break;
1660     }
1661
1662     case MultiGetByOffset: {
1663         AbstractValue& value = forNode(node->child1());
1664         ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
1665
1666         if (Structure* structure = value.bestProvenStructure()) {
1667             bool done = false;
1668             for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;) {
1669                 const GetByIdVariant& variant = node->multiGetByOffsetData().variants[i];
1670                 if (!variant.structureSet().contains(structure))
1671                     continue;
1672
1673                 if (variant.chain())
1674                     break;
1675
1676                 filter(value, structure);
1677                 forNode(node).makeHeapTop();
1678                 m_state.setFoundConstants(true);
1679                 done = true;
1680                 break;
1681             }
1682             if (done)
1683                 break;
1684         }
1685
1686         StructureSet set;
1687         for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;)
1688             set.addAll(node->multiGetByOffsetData().variants[i].structureSet());
1689
1690         filter(node->child1(), set);
1691         forNode(node).makeHeapTop();
1692         break;
1693     }
1694
1695     case PutByOffset: {
1696         break;
1697     }
1698
1699     case MultiPutByOffset: {
1700         AbstractValue& value = forNode(node->child1());
1701         ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
1702
1703         if (Structure* structure = value.bestProvenStructure()) {
1704             bool done = false;
1705             for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
1706                 const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
1707                 if (variant.oldStructure() != structure)
1708                     continue;
1709
1710                 if (variant.kind() == PutByIdVariant::Replace) {
1711                     filter(node->child1(), structure);
1712                     m_state.setFoundConstants(true);
1713                     m_state.setHaveStructures(true);
1714                     done = true;
1715                     break;
1716                 }
1717
1718                 ASSERT(variant.kind() == PutByIdVariant::Transition);
1719                 clobberStructures(clobberLimit);
1720                 forNode(node->child1()).set(m_graph, variant.newStructure());
1721                 m_state.setFoundConstants(true);
1722                 m_state.setHaveStructures(true);
1723                 done = true;
1724                 break;
1725             }
1726             if (done)
1727                 break;
1728         }
1729
1730         clobberStructures(clobberLimit);
1731
1732         StructureSet newSet;
1733         for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
1734             const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
1735             if (variant.kind() == PutByIdVariant::Replace) {
1736                 if (value.m_currentKnownStructure.contains(variant.structure()))
1737                     newSet.addAll(variant.structure());
1738                 continue;
1739             }
1740             ASSERT(variant.kind() == PutByIdVariant::Transition);
1741             if (value.m_currentKnownStructure.contains(variant.oldStructure()))
1742                 newSet.addAll(variant.newStructure());
1743         }
1744
1745         // Use filter(value, set) as a way of setting the structure set. This works because
1746         // we would have already made the set be TOP before this. Filtering top is another
1747         // way of setting.
1748         filter(node->child1(), newSet);
1749         break;
1750     }
1751
1752     case CheckFunction: {
1753         JSValue value = forNode(node->child1()).value();
1754         if (value == node->function()) {
1755             m_state.setFoundConstants(true);
1756             ASSERT(value);
1757             break;
1758         }
1759
1760         node->setCanExit(true); // Lies! We can do better.
1761         filterByValue(node->child1(), node->function());
1762         break;
1763     }
1764
1765     case CheckInBounds: {
1766         JSValue left = forNode(node->child1()).value();
1767         JSValue right = forNode(node->child2()).value();
1768         if (left && right && left.isInt32() && right.isInt32()
1769             && static_cast<uint32_t>(left.asInt32()) < static_cast<uint32_t>(right.asInt32())) {
1770             m_state.setFoundConstants(true);
1771             break;
1772         }
1773
1774         node->setCanExit(true);
1775         break;
1776     }
1777
1778     case PutById:
1779     case PutByIdFlush:
1780     case PutByIdDirect:
1781         node->setCanExit(true);
1782         if (Structure* structure = forNode(node->child1()).bestProvenStructure()) {
1783             PutByIdStatus status = PutByIdStatus::computeFor(
1784                 m_graph.m_vm,
1785                 m_graph.globalObjectFor(node->origin.semantic),
1786                 structure,
1787                 m_graph.identifiers()[node->identifierNumber()],
1788                 node->op() == PutByIdDirect);
1789             if (status.isSimple() && status.numVariants() == 1) {
1790                 if (status[0].kind() == PutByIdVariant::Replace) {
1791                     filter(node->child1(), structure);
1792                     m_state.setFoundConstants(true);
1793                     m_state.setHaveStructures(true);
1794                     break;
1795                 }
1796                 if (status[0].kind() == PutByIdVariant::Transition) {
1797                     clobberStructures(clobberLimit);
1798                     forNode(node->child1()).set(m_graph, status[0].newStructure());
1799                     m_state.setHaveStructures(true);
1800                     m_state.setFoundConstants(true);
1801                     break;
1802                 }
1803             }
1804         }
1805         clobberWorld(node->origin.semantic, clobberLimit);
1806         break;
1807
1808     case In:
1809         // FIXME: We can determine when the property definitely exists based on abstract
1810         // value information.
1811         clobberWorld(node->origin.semantic, clobberLimit);
1812         forNode(node).setType(SpecBoolean);
1813         break;
1814
1815     case GetGlobalVar:
1816         forNode(node).makeHeapTop();
1817         break;
1818
1819     case VariableWatchpoint:
1820     case VarInjectionWatchpoint:
1821         node->setCanExit(true);
1822         break;
1823
1824     case PutGlobalVar:
1825     case NotifyWrite:
1826         break;
1827
1828     case CheckHasInstance:
1829         node->setCanExit(true);
1830         // Sadly, we don't propagate the fact that we've done CheckHasInstance
1831         break;
1832
1833     case InstanceOf:
1834         node->setCanExit(true);
1835         // Again, sadly, we don't propagate the fact that we've done InstanceOf
1836         forNode(node).setType(SpecBoolean);
1837         break;
1838
1839     case Phi:
1840         RELEASE_ASSERT(m_graph.m_form == SSA);
1841         // The state of this node would have already been decided.
1842         break;
1843
1844     case Upsilon: {
1845         m_state.createValueForNode(node->phi());
1846         AbstractValue& value = forNode(node->child1());
1847         forNode(node) = value;
1848         forNode(node->phi()) = value;
1849         break;
1850     }
1851
1852     case Flush:
1853     case PhantomLocal:
1854         break;
1855
1856     case Call:
1857     case Construct:
1858         node->setCanExit(true);
1859         clobberWorld(node->origin.semantic, clobberLimit);
1860         forNode(node).makeHeapTop();
1861         break;
1862
1863     case ForceOSRExit:
1864         node->setCanExit(true);
1865         m_state.setIsValid(false);
1866         break;
1867
1868     case InvalidationPoint:
1869         node->setCanExit(true);
1870         break;
1871
1872     case CheckWatchdogTimer:
1873         node->setCanExit(true);
1874         break;
1875
1876     case Breakpoint:
1877     case ProfileWillCall:
1878     case ProfileDidCall:
1879     case Phantom:
1880     case HardPhantom:
1881     case Check:
1882     case CountExecution:
1883     case CheckTierUpInLoop:
1884     case CheckTierUpAtReturn:
1885         break;
1886
1887     case StoreBarrier: {
1888         filter(node->child1(), SpecCell);
1889         break;
1890     }
1891
1892     case StoreBarrierWithNullCheck: {
1893         break;
1894     }
1895
1896     case CheckTierUpAndOSREnter:
1897     case LoopHint:
1898         // We pretend that it can exit because it may want to get all state.
1899         node->setCanExit(true);
1900         break;
1901
1902     case ZombieHint:
1903     case Unreachable:
1904     case LastNodeType:
1905     case ArithIMul:
1906     case FiatInt52:
1907         RELEASE_ASSERT_NOT_REACHED();
1908         break;
1909     }
1910
1911     return m_state.isValid();
1912 }
1913
1914 template<typename AbstractStateType>
1915 bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned indexInBlock)
1916 {
1917     return executeEffects(indexInBlock, m_state.block()->at(indexInBlock));
1918 }
1919
1920 template<typename AbstractStateType>
1921 bool AbstractInterpreter<AbstractStateType>::execute(unsigned indexInBlock)
1922 {
1923     Node* node = m_state.block()->at(indexInBlock);
1924     if (!startExecuting(node))
1925         return true;
1926
1927     executeEdges(node);
1928     return executeEffects(indexInBlock, node);
1929 }
1930
1931 template<typename AbstractStateType>
1932 bool AbstractInterpreter<AbstractStateType>::execute(Node* node)
1933 {
1934     if (!startExecuting(node))
1935         return true;
1936
1937     executeEdges(node);
1938     return executeEffects(UINT_MAX, node);
1939 }
1940
1941 template<typename AbstractStateType>
1942 void AbstractInterpreter<AbstractStateType>::clobberWorld(
1943     const CodeOrigin& codeOrigin, unsigned clobberLimit)
1944 {
1945     clobberCapturedVars(codeOrigin);
1946     clobberStructures(clobberLimit);
1947 }
1948
1949 template<typename AbstractStateType>
1950 void AbstractInterpreter<AbstractStateType>::clobberCapturedVars(const CodeOrigin& codeOrigin)
1951 {
1952     if (codeOrigin.inlineCallFrame) {
1953         const BitVector& capturedVars = codeOrigin.inlineCallFrame->capturedVars;
1954         for (size_t i = capturedVars.size(); i--;) {
1955             if (!capturedVars.quickGet(i))
1956                 continue;
1957             m_state.variables().local(i).makeHeapTop();
1958         }
1959     } else {
1960         for (size_t i = m_codeBlock->m_numVars; i--;) {
1961             if (m_codeBlock->isCaptured(virtualRegisterForLocal(i)))
1962                 m_state.variables().local(i).makeHeapTop();
1963         }
1964     }
1965
1966     for (size_t i = m_state.variables().numberOfArguments(); i--;) {
1967         if (m_codeBlock->isCaptured(virtualRegisterForArgument(i)))
1968             m_state.variables().argument(i).makeHeapTop();
1969     }
1970 }
1971
1972 template<typename AbstractStateType>
1973 void AbstractInterpreter<AbstractStateType>::clobberStructures(unsigned clobberLimit)
1974 {
1975     if (!m_state.haveStructures())
1976         return;
1977     if (clobberLimit >= m_state.block()->size())
1978         clobberLimit = m_state.block()->size();
1979     else
1980         clobberLimit++;
1981     ASSERT(clobberLimit <= m_state.block()->size());
1982     for (size_t i = clobberLimit; i--;)
1983         forNode(m_state.block()->at(i)).clobberStructures();
1984     if (m_graph.m_form == SSA) {
1985         HashSet<Node*>::iterator iter = m_state.block()->ssa->liveAtHead.begin();
1986         HashSet<Node*>::iterator end = m_state.block()->ssa->liveAtHead.end();
1987         for (; iter != end; ++iter)
1988             forNode(*iter).clobberStructures();
1989     }
1990     for (size_t i = m_state.variables().numberOfArguments(); i--;)
1991         m_state.variables().argument(i).clobberStructures();
1992     for (size_t i = m_state.variables().numberOfLocals(); i--;)
1993         m_state.variables().local(i).clobberStructures();
1994     m_state.setHaveStructures(true);
1995     m_state.setDidClobber(true);
1996 }
1997
1998 template<typename AbstractStateType>
1999 void AbstractInterpreter<AbstractStateType>::dump(PrintStream& out)
2000 {
2001     CommaPrinter comma(" ");
2002     if (m_graph.m_form == SSA) {
2003         HashSet<Node*>::iterator iter = m_state.block()->ssa->liveAtHead.begin();
2004         HashSet<Node*>::iterator end = m_state.block()->ssa->liveAtHead.end();
2005         for (; iter != end; ++iter) {
2006             Node* node = *iter;
2007             AbstractValue& value = forNode(node);
2008             if (value.isClear())
2009                 continue;
2010             out.print(comma, node, ":", value);
2011         }
2012     }
2013     for (size_t i = 0; i < m_state.block()->size(); ++i) {
2014         Node* node = m_state.block()->at(i);
2015         AbstractValue& value = forNode(node);
2016         if (value.isClear())
2017             continue;
2018         out.print(comma, node, ":", value);
2019     }
2020 }
2021
2022 template<typename AbstractStateType>
2023 FiltrationResult AbstractInterpreter<AbstractStateType>::filter(
2024     AbstractValue& value, const StructureSet& set)
2025 {
2026     if (value.filter(m_graph, set) == FiltrationOK)
2027         return FiltrationOK;
2028     m_state.setIsValid(false);
2029     return Contradiction;
2030 }
2031
2032 template<typename AbstractStateType>
2033 FiltrationResult AbstractInterpreter<AbstractStateType>::filterArrayModes(
2034     AbstractValue& value, ArrayModes arrayModes)
2035 {
2036     if (value.filterArrayModes(arrayModes) == FiltrationOK)
2037         return FiltrationOK;
2038     m_state.setIsValid(false);
2039     return Contradiction;
2040 }
2041
2042 template<typename AbstractStateType>
2043 FiltrationResult AbstractInterpreter<AbstractStateType>::filter(
2044     AbstractValue& value, SpeculatedType type)
2045 {
2046     if (value.filter(type) == FiltrationOK)
2047         return FiltrationOK;
2048     m_state.setIsValid(false);
2049     return Contradiction;
2050 }
2051
2052 template<typename AbstractStateType>
2053 FiltrationResult AbstractInterpreter<AbstractStateType>::filterByValue(
2054     AbstractValue& abstractValue, JSValue concreteValue)
2055 {
2056     if (abstractValue.filterByValue(concreteValue) == FiltrationOK)
2057         return FiltrationOK;
2058     m_state.setIsValid(false);
2059     return Contradiction;
2060 }
2061
2062 } } // namespace JSC::DFG
2063
2064 #endif // ENABLE(DFG_JIT)
2065
2066 #endif // DFGAbstractInterpreterInlines_h
2067