Changeset 256411 in webkit

Timestamp:

Feb 11, 2020 5:00:10 PM (4 years ago)

Author:

Alan Coon

Message:

Apply patch. rdar://problem/59299139

Location:

branches/safari-609-branch/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGSafeToExecute.h (modified) (13 diffs)

branches/safari-609-branch/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-02-11  Alan Coon  <alancoon@apple.com>
+
+        Apply patch. rdar://problem/59299139
+
+    2020-02-11  Saam Barati  <sbarati@apple.com>
+
+            safe to execute should return false when we know code won't be moved
+            https://bugs.webkit.org/show_bug.cgi?id=207074
+
+            Reviewed by Yusuke Suzuki.
+
+            We use safeToExecute to determine inside LICM whether it's safe to execute
+            a node somewhere else in the program. We were returning true for nodes
+            we knew would never be moved, because they were effectful. Things like Call
+            and GetById. This patch makes those nodes return false now, since we want
+            to make it easier to audit the nodes that return true. This makes that audit
+            easier, since it gets rid of the obvious things that will never be hoisted.
+
+            * dfg/DFGSafeToExecute.h:
+            (JSC::DFG::safeToExecute):
+
 2020-02-10  Kocsen Chung  <kocsen_chung@apple.com>
 

branches/safari-609-branch/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -174 +174 @@
     }
 
-    // NOTE: This tends to lie when it comes to effectful nodes, because it knows that they aren't going to
-    // get hoisted anyway.
+    // NOTE: This can lie when it comes to effectful nodes, because it knows that they aren't going to
+    // get hoisted anyway. Sometimes this is convenient so we can avoid branching on some internal
+    // state of the node (like what some child's UseKind might be). However, nodes that are obviously
+    // always effectful, we return false for, to make auditing the "return true" cases easier.
 
     switch (node->op()) {
+    // FIXME: Audit these:
+    // https://bugs.webkit.org/show_bug.cgi?id=207075
     case JSConstant:
     case DoubleConstant:
@@ -184 +188 @@
     case Identity:
     case IdentityWithProfile:
-    case ToThis:
-    case CreateThis:
-    case CreatePromise:
-    case CreateGenerator:
-    case CreateAsyncGenerator:
-    case ObjectCreate:
-    case ObjectKeys:
     case GetCallee:
-    case SetCallee:
     case GetArgumentCountIncludingThis:
-    case SetArgumentCountIncludingThis:
     case GetRestLength:
     case GetLocal:
-    case SetLocal:
-    case PutStack:
-    case KillStack:
     case GetStack:
-    case MovHint:
-    case ZombieHint:
     case ExitOK:
     case Phantom:
-    case Upsilon:
-    case Phi:
-    case Flush:
-    case PhantomLocal:
-    case SetArgumentDefinitely:
-    case SetArgumentMaybe:
     case ArithBitNot:
     case ArithBitAnd:
@@ -241 +225 @@
     case ArithTrunc:
     case ArithUnary:
-    case ValueBitAnd:
-    case ValueBitXor:
-    case ValueBitOr:
-    case ValueBitNot:
-    case ValueBitLShift:
-    case ValueBitRShift:
-    case Inc:
-    case Dec:
-    case ValueNegate:
-    case ValueAdd:
-    case ValueSub:
-    case ValueMul:
-    case ValueDiv:
-    case ValueMod:
-    case ValuePow:
-    case TryGetById:
+    case TryGetById: // FIXME: Audit this: https://bugs.webkit.org/show_bug.cgi?id=163834
+    case CheckStructure:
+    case CheckStructureOrEmpty:
+    case GetExecutable:
+    case CallDOMGetter:
+    case CallDOM:
+    case CheckSubClass:
+    case CheckArray:
+    case GetScope:
+    case SkipScope:
+    case GetGlobalObject:
+    case GetGlobalThis:
+    case GetClosureVar:
+    case GetGlobalVar:
+    case GetGlobalLexicalVariable:
+    case CheckCell:
+    case CheckNotEmpty:
+    case AssertNotEmpty:
+    case CheckIdent:
+    case CompareLess:
+    case CompareLessEq:
+    case CompareGreater:
+    case CompareGreaterEq:
+    case CompareBelow:
+    case CompareBelowEq:
+    case CompareEq:
+    case CompareStrictEq:
+    case CompareEqPtr:
+    case SameValue:
+    case CheckTypeInfoFlags:
+    case ParseInt:
+    case OverridesHasInstance:
+    case IsEmpty:
+    case IsUndefined:
+    case IsUndefinedOrNull:
+    case IsBoolean:
+    case IsNumber:
+    case NumberIsInteger:
+    case IsObject:
+    case IsObjectOrNull:
+    case IsFunction:
+    case IsCellWithType:
+    case IsTypedArrayView:
+    case TypeOf:
+    case LogicalNot:
+    case ToString:
+    case NumberToStringWithValidRadixConstant:
+    case StrCat:
+    case CallStringConstructor:
+    case MakeRope:
+    case GetFromArguments:
+    case GetArgument:
+    case StringFromCharCode:
+    case ExtractOSREntryLocal:
+    case ExtractCatchLocal:
+    case CheckInBounds:
+    case ConstantStoragePointer:
+    case Check:
+    case CheckVarargs:
+    case ValueRep:
+    case DoubleRep:
+    case Int52Rep:
+    case BooleanToNumber:
+    case FiatInt52:
+    case HasIndexedProperty:
+    case GetEnumeratorStructurePname:
+    case GetEnumeratorGenericPname:
+    case ToIndexString:
+    case CheckStructureImmediate:
+    case GetMyArgumentByVal:
+    case GetMyArgumentByValOutOfBounds:
+    case GetPrototypeOf:
+    case StringReplace:
+    case StringReplaceRegExp:
+    case GetRegExpObjectLastIndex:
+    case MapHash:
+    case NormalizeMapKey:
+    case StringSlice:
+    case ToLowerCase:
+    case GetMapBucket:
+    case GetMapBucketHead:
+    case GetMapBucketNext:
+    case LoadKeyFromMapBucket:
+    case LoadValueFromMapBucket:
+    case ExtractValueFromWeakMapGet:
+    case WeakMapGet:
+    case AtomicsIsLockFree:
+    case MatchStructure:
+    case DateGetInt32OrNaN:
+    case DateGetTime:
+    case DataViewGetInt:
+    case DataViewGetFloat:
+        return true;
+
+    case GetButterfly:
+        return state.forNode(node->child1()).isType(SpecObject);
+
+    case ArraySlice:
+    case ArrayIndexOf: {
+        // You could plausibly move this code around as long as you proved the
+        // incoming array base structure is an original array at the hoisted location.
+        // Instead of doing that extra work, we just conservatively return false.
+        return false;
+    }
+
+    case GetGetter:
+    case GetSetter: {
+        if (!state.forNode(node->child1()).isType(SpecCell))
+            return false;
+        StructureAbstractValue& value = state.forNode(node->child1()).m_structure;
+        if (value.isInfinite() || value.size() != 1)
+            return false;
+
+        return value[0].get() == graph.m_vm.getterSetterStructure;
+    }
+
+    case BottomValue:
+        // If in doubt, assume that this isn't safe to execute, just because we have no way of
+        // compiling this node.
+        return false;
+
+    case StoreBarrier:
+    case FencedStoreBarrier:
+    case PutStructure:
+    case NukeStructureAndSetButterfly:
+        // We conservatively assume that these cannot be put anywhere, which forces the compiler to
+        // keep them exactly where they were. This is sort of overkill since the clobberize effects
+        // already force these things to be ordered precisely. I'm just not confident enough in my
+        // effect based memory model to rely solely on that right now.
+        return false;
+        
+    case FilterCallLinkStatus:
+    case FilterGetByStatus:
+    case FilterPutByIdStatus:
+    case FilterInByIdStatus:
+        // We don't want these to be moved anywhere other than where we put them, since we want them
+        // to capture "profiling" at the point in control flow here the user put them.
+        return false;
+
+    case GetByVal:
+    case GetIndexedPropertyStorage:
+    case GetArrayLength:
+    case GetVectorLength:
+    case ArrayPop:
+    case StringCharAt:
+    case StringCharCodeAt:
+    case StringCodePointAt:
+        return node->arrayMode().alreadyChecked(graph, node, state.forNode(graph.child(node, 0)));
+
+    case ArrayPush:
+        return node->arrayMode().alreadyChecked(graph, node, state.forNode(graph.varArgChild(node, 1)));
+
+    case GetTypedArrayByteOffset:
+        return !(state.forNode(node->child1()).m_type & ~(SpecTypedArrayView));
+            
+    case PutByValDirect:
+    case PutByVal:
+    case PutByValAlias:
+        return node->arrayMode().modeForPut().alreadyChecked(
+            graph, node, state.forNode(graph.varArgChild(node, 0)));
+
+    case AllocatePropertyStorage:
+    case ReallocatePropertyStorage:
+        return state.forNode(node->child1()).m_structure.isSubsetOf(
+            RegisteredStructureSet(node->transition()->previous));
+        
+    case GetGetterSetterByOffset: {
+        // If it's an inline property, we need to make sure it's a cell before trusting what the structure set tells us.
+        if (node->child1().node() == node->child2().node() && !state.forNode(node->child2()).isType(SpecCell))
+            return false;
+
+        StorageAccessData& data = node->storageAccessData();
+        auto* uid = graph.identifiers()[data.identifierNumber];
+        PropertyOffset desiredOffset = data.offset;
+        StructureAbstractValue& value = state.forNode(node->child2()).m_structure;
+        if (value.isInfinite())
+            return false;
+        for (unsigned i = value.size(); i--;) {
+            Structure* thisStructure = value[i].get();
+            if (thisStructure->isUncacheableDictionary())
+                return false;
+            unsigned attributes = 0;
+            PropertyOffset checkOffset = thisStructure->getConcurrently(uid, attributes);
+            if (checkOffset != desiredOffset || !(attributes & PropertyAttribute::Accessor))
+                return false;
+        }
+        return true;
+    }
+
+    case GetByOffset:
+    case PutByOffset: {
+        // If it's an inline property, we need to make sure it's a cell before trusting what the structure set tells us.
+        if (node->child1().node() == node->child2().node() && !state.forNode(node->child2()).isType(SpecCell))
+            return false;
+
+        StorageAccessData& data = node->storageAccessData();
+        PropertyOffset offset = data.offset;
+        // Graph::isSafeToLoad() is all about proofs derived from PropertyConditions. Those don't
+        // know anything about inferred types. But if we have a proof derived from watching a
+        // structure that has a type proof, then the next case below will deal with it.
+        if (state.structureClobberState() == StructuresAreWatched) {
+            if (JSObject* knownBase = node->child2()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
+                if (graph.isSafeToLoad(knownBase, offset))
+                    return true;
+            }
+        }
+        
+        StructureAbstractValue& value = state.forNode(node->child2()).m_structure;
+        if (value.isInfinite())
+            return false;
+        for (unsigned i = value.size(); i--;) {
+            Structure* thisStructure = value[i].get();
+            if (thisStructure->isUncacheableDictionary())
+                return false;
+            if (!thisStructure->isValidOffset(offset))
+                return false;
+        }
+        return true;
+    }
+        
+    case MultiGetByOffset: {
+        // We can't always guarantee that the MultiGetByOffset is safe to execute if it
+        // contains loads from prototypes. If the load requires a check in IR, which is rare, then
+        // we currently claim that we don't know if it's safe to execute because finding that
+        // check in the abstract state would be hard. If the load requires watchpoints, we just
+        // check if we're not in a clobbered state (i.e. in between a side effect and an
+        // invalidation point).
+        for (const MultiGetByOffsetCase& getCase : node->multiGetByOffsetData().cases) {
+            GetByOffsetMethod method = getCase.method();
+            switch (method.kind()) {
+            case GetByOffsetMethod::Invalid:
+                RELEASE_ASSERT_NOT_REACHED();
+                break;
+            case GetByOffsetMethod::Constant: // OK because constants are always safe to execute.
+            case GetByOffsetMethod::Load: // OK because the MultiGetByOffset has its own checks for loading from self.
+                break;
+            case GetByOffsetMethod::LoadFromPrototype:
+                // Only OK if the state isn't clobbered. That's almost always the case.
+                if (state.structureClobberState() != StructuresAreWatched)
+                    return false;
+                if (!graph.isSafeToLoad(method.prototype()->cast<JSObject*>(), method.offset()))
+                    return false;
+                break;
+            }
+        }
+        return true;
+    }
+
+    case ToThis:
+    case CreateThis:
+    case CreatePromise:
+    case CreateGenerator:
+    case CreateAsyncGenerator:
+    case ObjectCreate:
+    case ObjectKeys:
+    case SetLocal:
+    case SetCallee:
+    case PutStack:
+    case KillStack:
+    case MovHint:
+    case ZombieHint:
+    case Upsilon:
+    case Phi:
+    case Flush:
+    case SetArgumentDefinitely:
+    case SetArgumentMaybe:
+    case SetArgumentCountIncludingThis:
+    case PhantomLocal:
     case DeleteById:
     case DeleteByVal:
@@ -277 +513 @@
     case DefineDataProperty:
     case DefineAccessorProperty:
-    case CheckStructure:
-    case CheckStructureOrEmpty:
-    case GetExecutable:
-    case CallDOMGetter:
-    case CallDOM:
-    case CheckSubClass:
-    case CheckArray:
     case Arrayify:
     case ArrayifyToStructure:
-    case GetScope:
-    case SkipScope:
-    case GetGlobalObject:
-    case GetGlobalThis:
-    case GetClosureVar:
     case PutClosureVar:
-    case GetGlobalVar:
-    case GetGlobalLexicalVariable:
     case PutGlobalVariable:
-    case CheckCell:
     case CheckBadCell:
-    case CheckNotEmpty:
-    case AssertNotEmpty:
-    case CheckIdent:
     case RegExpExec:
     case RegExpExecNonGlobalOrSticky:
@@ -305 +523 @@
     case RegExpMatchFast:
     case RegExpMatchFastGlobal:
-    case CompareLess:
-    case CompareLessEq:
-    case CompareGreater:
-    case CompareGreaterEq:
-    case CompareBelow:
-    case CompareBelowEq:
-    case CompareEq:
-    case CompareStrictEq:
-    case CompareEqPtr:
-    case SameValue:
     case Call:
     case DirectCall:
@@ -342 +550 @@
     case ProfileType:
     case ProfileControlFlow:
-    case CheckTypeInfoFlags:
-    case ParseInt:
-    case OverridesHasInstance:
     case InstanceOf:
     case InstanceOfCustom:
-    case IsEmpty:
-    case IsUndefined:
-    case IsUndefinedOrNull:
-    case IsBoolean:
-    case IsNumber:
-    case NumberIsInteger:
-    case IsObject:
-    case IsObjectOrNull:
-    case IsFunction:
-    case IsCellWithType:
-    case IsTypedArrayView:
-    case TypeOf:
-    case LogicalNot:
     case CallObjectConstructor:
     case ToPrimitive:
-    case ToString:
     case ToNumber:
     case ToNumeric:
     case ToObject:
     case NumberToStringWithRadix:
-    case NumberToStringWithValidRadixConstant:
     case SetFunctionName:
-    case StrCat:
-    case CallStringConstructor:
     case NewStringObject:
-    case MakeRope:
     case InByVal:
     case InById:
@@ -382 +569 @@
     case CreateClonedArguments:
     case CreateArgumentsButterfly:
-    case GetFromArguments:
-    case GetArgument:
     case PutToArguments:
     case NewFunction:
@@ -408 +593 @@
     case LogShadowChickenPrologue:
     case LogShadowChickenTail:
-    case StringFromCharCode:
     case NewTypedArray:
     case Unreachable:
-    case ExtractOSREntryLocal:
-    case ExtractCatchLocal:
     case ClearCatchLocals:
     case CheckTierUpInLoop:
@@ -420 +602 @@
     case InvalidationPoint:
     case NotifyWrite:
-    case CheckInBounds:
-    case ConstantStoragePointer:
-    case Check:
-    case CheckVarargs:
     case MultiPutByOffset:
-    case ValueRep:
-    case DoubleRep:
-    case Int52Rep:
-    case BooleanToNumber:
-    case FiatInt52:
     case GetEnumerableLength:
     case HasGenericProperty:
     case HasStructureProperty:
-    case HasIndexedProperty:
     case GetDirectPname:
     case GetPropertyEnumerator:
-    case GetEnumeratorStructurePname:
-    case GetEnumeratorGenericPname:
-    case ToIndexString:
     case PhantomNewObject:
     case PhantomNewFunction:
@@ -447 +616 @@
     case PhantomNewRegexp:
     case PutHint:
-    case CheckStructureImmediate:
     case MaterializeNewObject:
     case MaterializeCreateActivation:
@@ -456 +624 @@
     case PhantomNewArrayBuffer:
     case PhantomClonedArguments:
-    case GetMyArgumentByVal:
-    case GetMyArgumentByValOutOfBounds:
     case ForwardVarargs:
     case CreateRest:
-    case GetPrototypeOf:
-    case StringReplace:
-    case StringReplaceRegExp:
-    case GetRegExpObjectLastIndex:
     case SetRegExpObjectLastIndex:
     case RecordRegExpCachedResult:
@@ -470 +632 @@
     case ResolveScopeForHoistingFuncDeclInEval:
     case ResolveScope:
-    case MapHash:
-    case NormalizeMapKey:
     case StringValueOf:
-    case StringSlice:
-    case ToLowerCase:
-    case GetMapBucket:
-    case GetMapBucketHead:
-    case GetMapBucketNext:
-    case LoadKeyFromMapBucket:
-    case LoadValueFromMapBucket:
-    case ExtractValueFromWeakMapGet:
-    case WeakMapGet:
     case WeakSetAdd:
     case WeakMapSet:
@@ -493 +644 @@
     case AtomicsSub:
     case AtomicsXor:
-    case AtomicsIsLockFree:
     case InitializeEntrypointArguments:
-    case MatchStructure:
-    case DateGetInt32OrNaN:
-    case DateGetTime:
-    case DataViewGetInt:
-    case DataViewGetFloat:
-        return true;
-
-    case GetButterfly:
-        return state.forNode(node->child1()).isType(SpecObject);
-
-    case ArraySlice:
-    case ArrayIndexOf: {
-        // You could plausibly move this code around as long as you proved the
-        // incoming array base structure is an original array at the hoisted location.
-        // Instead of doing that extra work, we just conservatively return false.
-        return false;
-    }
-
-    case GetGetter:
-    case GetSetter: {
-        if (!state.forNode(node->child1()).isType(SpecCell))
-            return false;
-        StructureAbstractValue& value = state.forNode(node->child1()).m_structure;
-        if (value.isInfinite() || value.size() != 1)
-            return false;
-
-        return value[0].get() == graph.m_vm.getterSetterStructure;
-    }
-
-    case BottomValue:
-        // If in doubt, assume that this isn't safe to execute, just because we have no way of
-        // compiling this node.
-        return false;
-
-    case StoreBarrier:
-    case FencedStoreBarrier:
-    case PutStructure:
-    case NukeStructureAndSetButterfly:
-        // We conservatively assume that these cannot be put anywhere, which forces the compiler to
-        // keep them exactly where they were. This is sort of overkill since the clobberize effects
-        // already force these things to be ordered precisely. I'm just not confident enough in my
-        // effect based memory model to rely solely on that right now.
-        return false;
-        
-    case FilterCallLinkStatus:
-    case FilterGetByStatus:
-    case FilterPutByIdStatus:
-    case FilterInByIdStatus:
-        // We don't want these to be moved anywhere other than where we put them, since we want them
-        // to capture "profiling" at the point in control flow here the user put them.
-        return false;
-
-    case GetByVal:
-    case GetIndexedPropertyStorage:
-    case GetArrayLength:
-    case GetVectorLength:
-    case ArrayPop:
-    case StringCharAt:
-    case StringCharCodeAt:
-    case StringCodePointAt:
-        return node->arrayMode().alreadyChecked(graph, node, state.forNode(graph.child(node, 0)));
-
-    case ArrayPush:
-        return node->arrayMode().alreadyChecked(graph, node, state.forNode(graph.varArgChild(node, 1)));
-
-    case GetTypedArrayByteOffset:
-        return !(state.forNode(node->child1()).m_type & ~(SpecTypedArrayView));
-            
-    case PutByValDirect:
-    case PutByVal:
-    case PutByValAlias:
-        return node->arrayMode().modeForPut().alreadyChecked(
-            graph, node, state.forNode(graph.varArgChild(node, 0)));
-
-    case AllocatePropertyStorage:
-    case ReallocatePropertyStorage:
-        return state.forNode(node->child1()).m_structure.isSubsetOf(
-            RegisteredStructureSet(node->transition()->previous));
-        
-    case GetGetterSetterByOffset: {
-        // If it's an inline property, we need to make sure it's a cell before trusting what the structure set tells us.
-        if (node->child1().node() == node->child2().node() && !state.forNode(node->child2()).isType(SpecCell))
-            return false;
-
-        StorageAccessData& data = node->storageAccessData();
-        auto* uid = graph.identifiers()[data.identifierNumber];
-        PropertyOffset desiredOffset = data.offset;
-        StructureAbstractValue& value = state.forNode(node->child2()).m_structure;
-        if (value.isInfinite())
-            return false;
-        for (unsigned i = value.size(); i--;) {
-            Structure* thisStructure = value[i].get();
-            if (thisStructure->isUncacheableDictionary())
-                return false;
-            unsigned attributes = 0;
-            PropertyOffset checkOffset = thisStructure->getConcurrently(uid, attributes);
-            if (checkOffset != desiredOffset || !(attributes & PropertyAttribute::Accessor))
-                return false;
-        }
-        return true;
-    }
-
-    case GetByOffset:
-    case PutByOffset: {
-        // If it's an inline property, we need to make sure it's a cell before trusting what the structure set tells us.
-        if (node->child1().node() == node->child2().node() && !state.forNode(node->child2()).isType(SpecCell))
-            return false;
-
-        StorageAccessData& data = node->storageAccessData();
-        PropertyOffset offset = data.offset;
-        // Graph::isSafeToLoad() is all about proofs derived from PropertyConditions. Those don't
-        // know anything about inferred types. But if we have a proof derived from watching a
-        // structure that has a type proof, then the next case below will deal with it.
-        if (state.structureClobberState() == StructuresAreWatched) {
-            if (JSObject* knownBase = node->child2()->dynamicCastConstant<JSObject*>(graph.m_vm)) {
-                if (graph.isSafeToLoad(knownBase, offset))
-                    return true;
-            }
-        }
-        
-        StructureAbstractValue& value = state.forNode(node->child2()).m_structure;
-        if (value.isInfinite())
-            return false;
-        for (unsigned i = value.size(); i--;) {
-            Structure* thisStructure = value[i].get();
-            if (thisStructure->isUncacheableDictionary())
-                return false;
-            if (!thisStructure->isValidOffset(offset))
-                return false;
-        }
-        return true;
-    }
-        
-    case MultiGetByOffset: {
-        // We can't always guarantee that the MultiGetByOffset is safe to execute if it
-        // contains loads from prototypes. If the load requires a check in IR, which is rare, then
-        // we currently claim that we don't know if it's safe to execute because finding that
-        // check in the abstract state would be hard. If the load requires watchpoints, we just
-        // check if we're not in a clobbered state (i.e. in between a side effect and an
-        // invalidation point).
-        for (const MultiGetByOffsetCase& getCase : node->multiGetByOffsetData().cases) {
-            GetByOffsetMethod method = getCase.method();
-            switch (method.kind()) {
-            case GetByOffsetMethod::Invalid:
-                RELEASE_ASSERT_NOT_REACHED();
-                break;
-            case GetByOffsetMethod::Constant: // OK because constants are always safe to execute.
-            case GetByOffsetMethod::Load: // OK because the MultiGetByOffset has its own checks for loading from self.
-                break;
-            case GetByOffsetMethod::LoadFromPrototype:
-                // Only OK if the state isn't clobbered. That's almost always the case.
-                if (state.structureClobberState() != StructuresAreWatched)
-                    return false;
-                if (!graph.isSafeToLoad(method.prototype()->cast<JSObject*>(), method.offset()))
-                    return false;
-                break;
-            }
-        }
-        return true;
-    }
-
+    case ValueNegate:
     case GetInternalField:
     case PutInternalField:
-        return false;
-
     case DataViewSet:
-        return false;
-
     case SetAdd:
     case MapSet:
         return false;
+
+    case Inc:
+    case Dec:
+        return node->child1().useKind() != UntypedUse;
+
+    case ValueBitAnd:
+    case ValueBitXor:
+    case ValueBitOr:
+    case ValueBitLShift:
+    case ValueBitRShift:
+    case ValueAdd:
+    case ValueSub:
+    case ValueMul:
+    case ValueDiv:
+    case ValueMod:
+    case ValuePow:
+        return node->isBinaryUseKind(BigIntUse);
+
+    case ValueBitNot:
+        return node->child1().useKind() == BigIntUse;
 
     case LastNodeType: