blessArrayOperation() takes an index, which, if present, indicates that the DFG should perform additional checks (on the index) when triggering array conversions. This is applicable to things like: array[100000000] = 5; where we wouldn't want to convert to a contiguous array kind, since that would be kind of not good.

But the second child of ArrayPush/Pop is not an index. For ArrayPush, it's the value being pushed. For ArrayPop, it's the storage pointer. So, if we have an ArrayPush or ArrayPop that triggers array conversion (which is admittedly rare) then we'll currently end up doing really strange things. This ought not result in incorrect execution, but will likely perform badly.

The Arrayify nodes are already robust against their index child being empty. So we should just pass Edge() (i.e. the non-existent edge) as the index for blessArrayOperation() on ArrayPush/Pop.
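The following is an added toy model of the index-aware conversion policy the report describes; it is not WebKit/JSC code. The storage kinds, the MAX_CONTIGUOUS_INDEX threshold and every function name here are assumptions made for illustration. It shows why an operation whose second child is a value (push) must not hand that value to the policy as if it were an index: a large pushed value would wrongly block a conversion that a small index would allow.

```javascript
// Added example: toy model of an index-aware array-conversion policy.
// Not WebKit/JSC code; names and the threshold below are assumptions.

// Assumed threshold above which a dense backing store is considered too costly.
const MAX_CONTIGUOUS_INDEX = 1 << 20;

// A "sparse" array keeps elements in a Map; a "contiguous" one uses a dense array.
function makeSparseArray() {
  return { kind: 'sparse', map: new Map(), length: 0 };
}

// Materialise a sparse array as a dense backing store of the same length.
function toContiguous(arr) {
  const storage = new Array(arr.length).fill(undefined);
  for (const [i, v] of arr.map) storage[i] = v;
  return { kind: 'contiguous', storage, length: arr.length };
}

// Models blessArrayOperation(): `index` is optional, and `undefined` plays the
// role of the empty Edge() for operations that have no index child.
function blessConversion(arr, index) {
  if (arr.kind !== 'sparse') return arr;
  // Existing check: an already-huge array stays sparse regardless of the operation.
  if (arr.length >= MAX_CONTIGUOUS_INDEX) return arr;
  // Additional check, only when an index is present: refuse a conversion that the
  // index would immediately turn into a huge dense store.
  if (index !== undefined && index >= MAX_CONTIGUOUS_INDEX) return arr;
  return toContiguous(arr);
}

// array[index] = value: the index really is an index, so it is passed to the policy.
function putByIndex(arr, index, value) {
  arr = blessConversion(arr, index);
  if (arr.kind === 'contiguous') arr.storage[index] = value;
  else arr.map.set(index, value);
  arr.length = Math.max(arr.length, index + 1);
  return arr;
}

// array.push(value): there is no index child. `indexForPolicy` lets the caller
// compare passing the pushed value (the behaviour the report complains about)
// against passing nothing (the proposed fix).
function push(arr, value, indexForPolicy) {
  arr = blessConversion(arr, indexForPolicy);
  if (arr.kind === 'contiguous') arr.storage.push(value);
  else arr.map.set(arr.length, value);
  arr.length += 1;
  return arr;
}

// Constructed scenarios exercising the policy; returns the resulting storage kinds.
function demo() {
  // Huge index: the array must stay sparse.
  const hugeIndex = putByIndex(makeSparseArray(), 100000000, 5);
  // Small index on a fresh sparse array: conversion to contiguous is fine.
  const smallIndex = putByIndex(makeSparseArray(), 3, 1);
  // push of a large *value*: treating the value as an index wrongly blocks conversion...
  const pushAsIndex = push(makeSparseArray(), 1e9, 1e9);
  // ...while passing no index (the fix) lets the conversion proceed.
  const pushNoIndex = push(makeSparseArray(), 1e9, undefined);
  return {
    hugeIndex: hugeIndex.kind,
    smallIndex: smallIndex.kind,
    pushAsIndex: pushAsIndex.kind,
    pushNoIndex: pushNoIndex.kind,
  };
}
```

In the model, `demo()` reports the huge-index store as sparse, the small-index store as contiguous, and for push shows the two outcomes side by side: passing the pushed value as the index leaves the array sparse, passing nothing converts it.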
Created attachment 178456: the patch
Landed in http://trac.webkit.org/changeset/137110