Try ripping out inferred types because it might be a performance improvement
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInsertionSet.h"
34 #include "DFGPhase.h"
35 #include "DFGPredictionPropagationPhase.h"
36 #include "DFGVariableAccessDataDump.h"
37 #include "JSCInlines.h"
38 #include "TypeLocation.h"
39
40 namespace JSC { namespace DFG {
41
42 class FixupPhase : public Phase {
43 public:
44     FixupPhase(Graph& graph)
45         : Phase(graph, "fixup")
46         , m_insertionSet(graph)
47     {
48     }
49     
50     bool run()
51     {
52         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
53         ASSERT(m_graph.m_form == ThreadedCPS);
54         
55         m_profitabilityChanged = false;
56         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
57             fixupBlock(m_graph.block(blockIndex));
58         
59         while (m_profitabilityChanged) {
60             m_profitabilityChanged = false;
61             
62             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
63                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
64             
65             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
66                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
67         }
68         
69         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
70             fixupChecksInBlock(m_graph.block(blockIndex));
71
72         m_graph.m_planStage = PlanStage::AfterFixup;
73
74         return true;
75     }
76
77 private:
78     void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild)
79     {
80         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
81             if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
82                 fixIntOrBooleanEdge(leftChild);
83                 fixIntOrBooleanEdge(rightChild);
84                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
85                     node->setArithMode(Arith::Unchecked);
86                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
87                     node->setArithMode(Arith::CheckOverflow);
88                 else
89                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
90                 return;
91             }
92             
93             // This will cause conversion nodes to be inserted later.
94             fixDoubleOrBooleanEdge(leftChild);
95             fixDoubleOrBooleanEdge(rightChild);
96             
97             // We don't need to do ref'ing on the children because we're stealing them from
98             // the original division.
99             Node* newDivision = m_insertionSet.insertNode(m_indexInBlock, SpecBytecodeDouble, *node);
100             newDivision->setResult(NodeResultDouble);
101             
102             node->setOp(DoubleAsInt32);
103             node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
104             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
105                 node->setArithMode(Arith::CheckOverflow);
106             else
107                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
108             return;
109         }
110         
111         fixDoubleOrBooleanEdge(leftChild);
112         fixDoubleOrBooleanEdge(rightChild);
113         node->setResult(NodeResultDouble);
114     }
115     
116     void fixupArithMul(Node* node, Edge& leftChild, Edge& rightChild)
117     {
118         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
119             fixIntOrBooleanEdge(leftChild);
120             fixIntOrBooleanEdge(rightChild);
121             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
122                 node->setArithMode(Arith::Unchecked);
123             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
124                 node->setArithMode(Arith::CheckOverflow);
125             else
126                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
127             return;
128         }
129         if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
130             fixEdge<Int52RepUse>(leftChild);
131             fixEdge<Int52RepUse>(rightChild);
132             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
133                 node->setArithMode(Arith::CheckOverflow);
134             else
135                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
136             node->setResult(NodeResultInt52);
137             return;
138         }
139
140         fixDoubleOrBooleanEdge(leftChild);
141         fixDoubleOrBooleanEdge(rightChild);
142         node->setResult(NodeResultDouble);
143     }
144
145     void fixupBlock(BasicBlock* block)
146     {
147         if (!block)
148             return;
149         ASSERT(block->isReachable);
150         m_block = block;
151         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
152             m_currentNode = block->at(m_indexInBlock);
153             fixupNode(m_currentNode);
154         }
155         m_insertionSet.execute(block);
156     }
157     
158     void fixupNode(Node* node)
159     {
160         NodeType op = node->op();
161
162         switch (op) {
163         case SetLocal: {
164             // This gets handled by fixupGetAndSetLocalsInBlock().
165             return;
166         }
167
168         case ValueSub: {
169             Edge& child1 = node->child1();
170             Edge& child2 = node->child2();
171
172             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
173                 fixEdge<BigIntUse>(child1);
174                 fixEdge<BigIntUse>(child2);
175                 break; 
176             }
177             
178             if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
179                 fixEdge<UntypedUse>(child1);
180                 fixEdge<UntypedUse>(child2);
181                 break;
182             }
183
184             if (attemptToMakeIntegerAdd(node)) {
185                 // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
186                 // https://bugs.webkit.org/show_bug.cgi?id=190607
187                 node->setOp(ArithSub);
188                 break;
189             }
190
191             fixDoubleOrBooleanEdge(node->child1());
192             fixDoubleOrBooleanEdge(node->child2());
193             node->setOp(ArithSub);
194             node->setResult(NodeResultDouble);
195
196             break;
197         }
198
199         case ValueBitXor:
200         case ValueBitOr:
201         case ValueBitAnd: {
202             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
203                 fixEdge<BigIntUse>(node->child1());
204                 fixEdge<BigIntUse>(node->child2());
205                 break;
206             }
207
208             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
209                 fixEdge<UntypedUse>(node->child1());
210                 fixEdge<UntypedUse>(node->child2());
211                 break;
212             }
213
214             // In such case, we need to fallback to ArithBitOp
215             switch (op) {
216             case ValueBitXor:
217                 node->setOp(ArithBitXor);
218                 break;
219             case ValueBitOr:
220                 node->setOp(ArithBitOr);
221                 break;
222             case ValueBitAnd:
223                 node->setOp(ArithBitAnd);
224                 break;
225             default:
226                 DFG_CRASH(m_graph, node, "Unexpected node during ValueBit operation fixup");
227                 break;
228             }
229
230             node->clearFlags(NodeMustGenerate);
231             node->setResult(NodeResultInt32);
232             fixIntConvertingEdge(node->child1());
233             fixIntConvertingEdge(node->child2());
234             break;
235         }
236
237         case ArithBitNot: {
238             if (node->child1().node()->shouldSpeculateUntypedForBitOps()) {
239                 fixEdge<UntypedUse>(node->child1());
240                 break;
241             }
242
243             fixIntConvertingEdge(node->child1());
244             node->clearFlags(NodeMustGenerate);
245             break;
246         }
247
248         case ArithBitXor:
249         case ArithBitOr:
250         case ArithBitAnd: {
251             fixIntConvertingEdge(node->child1());
252             fixIntConvertingEdge(node->child2());
253             break;
254         }
255
256         case BitRShift:
257         case BitLShift:
258         case BitURShift: {
259             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
260                 fixEdge<UntypedUse>(node->child1());
261                 fixEdge<UntypedUse>(node->child2());
262                 break;
263             }
264             fixIntConvertingEdge(node->child1());
265             fixIntConvertingEdge(node->child2());
266             break;
267         }
268
269         case ArithIMul: {
270             fixIntConvertingEdge(node->child1());
271             fixIntConvertingEdge(node->child2());
272             node->setOp(ArithMul);
273             node->setArithMode(Arith::Unchecked);
274             node->child1().setUseKind(Int32Use);
275             node->child2().setUseKind(Int32Use);
276             break;
277         }
278
279         case ArithClz32: {
280             if (node->child1()->shouldSpeculateNotCell()) {
281                 fixIntConvertingEdge(node->child1());
282                 node->clearFlags(NodeMustGenerate);
283             } else
284                 fixEdge<UntypedUse>(node->child1());
285             break;
286         }
287             
288         case UInt32ToNumber: {
289             fixIntConvertingEdge(node->child1());
290             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
291                 node->convertToIdentity();
292             else if (node->canSpeculateInt32(FixupPass))
293                 node->setArithMode(Arith::CheckOverflow);
294             else {
295                 node->setArithMode(Arith::DoOverflow);
296                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
297             }
298             break;
299         }
300
301         case ValueNegate: {
302             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
303                 node->setOp(ArithNegate);
304                 fixIntOrBooleanEdge(node->child1());
305                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
306                     node->setArithMode(Arith::Unchecked);
307                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
308                     node->setArithMode(Arith::CheckOverflow);
309                 else
310                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
311                 node->setResult(NodeResultInt32);
312                 node->clearFlags(NodeMustGenerate);
313                 break;
314             }
315             
316             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
317                 node->setOp(ArithNegate);
318                 fixEdge<Int52RepUse>(node->child1());
319                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
320                     node->setArithMode(Arith::CheckOverflow);
321                 else
322                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
323                 node->setResult(NodeResultInt52);
324                 node->clearFlags(NodeMustGenerate);
325                 break;
326             }
327             if (node->child1()->shouldSpeculateNotCell()) {
328                 node->setOp(ArithNegate);
329                 fixDoubleOrBooleanEdge(node->child1());
330                 node->setResult(NodeResultDouble);
331                 node->clearFlags(NodeMustGenerate);
332             } else {
333                 fixEdge<UntypedUse>(node->child1());
334                 node->setResult(NodeResultJS);
335             }
336             break;
337         }
338
339         case ValueAdd: {
340             if (attemptToMakeIntegerAdd(node)) {
341                 node->setOp(ArithAdd);
342                 break;
343             }
344             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
345                 fixDoubleOrBooleanEdge(node->child1());
346                 fixDoubleOrBooleanEdge(node->child2());
347                 node->setOp(ArithAdd);
348                 node->setResult(NodeResultDouble);
349                 break;
350             }
351             
352             if (attemptToMakeFastStringAdd(node))
353                 break;
354
355             Edge& child1 = node->child1();
356             Edge& child2 = node->child2();
357             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
358                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
359                     auto convertString = [&](Node* node, Edge& edge) {
360                         if (edge->shouldSpeculateInt32())
361                             convertStringAddUse<Int32Use>(node, edge);
362                         else {
363                             ASSERT(edge->shouldSpeculateString());
364                             convertStringAddUse<StringUse>(node, edge);
365                         }
366                     };
367                     convertString(node, child1);
368                     convertString(node, child2);
369                     convertToMakeRope(node);
370                     break;
371                 }
372             }
373
374             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
375                 fixEdge<BigIntUse>(child1);
376                 fixEdge<BigIntUse>(child2);
377             } else {
378                 fixEdge<UntypedUse>(child1);
379                 fixEdge<UntypedUse>(child2);
380             }
381
382             node->setResult(NodeResultJS);
383             break;
384         }
385
386         case StrCat: {
387             if (attemptToMakeFastStringAdd(node))
388                 break;
389
390             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
391             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
392             // the implementation of StrCat doesn't dynamically optimize for empty strings.
393             // https://bugs.webkit.org/show_bug.cgi?id=148540
394             m_graph.doToChildren(
395                 node,
396                 [&] (Edge& edge) {
397                     fixEdge<KnownPrimitiveUse>(edge);
398                     // StrCat automatically coerces the values into strings before concatenating them.
399                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
400                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
401                     // our runtime functions for this slow path expect that they will never be passed
402                     // Symbols.
403                     m_insertionSet.insertNode(
404                         m_indexInBlock, SpecNone, Check, node->origin,
405                         Edge(edge.node(), NotSymbolUse));
406                 });
407             break;
408         }
409             
410         case MakeRope: {
411             fixupMakeRope(node);
412             break;
413         }
414             
415         case ArithAdd:
416         case ArithSub: {
417             // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
418             // https://bugs.webkit.org/show_bug.cgi?id=190607
419             if (attemptToMakeIntegerAdd(node))
420                 break;
421             fixDoubleOrBooleanEdge(node->child1());
422             fixDoubleOrBooleanEdge(node->child2());
423             node->setResult(NodeResultDouble);
424             break;
425         }
426             
427         case ArithNegate: {
428             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
429                 fixIntOrBooleanEdge(node->child1());
430                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
431                     node->setArithMode(Arith::Unchecked);
432                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
433                     node->setArithMode(Arith::CheckOverflow);
434                 else
435                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
436                 node->setResult(NodeResultInt32);
437                 node->clearFlags(NodeMustGenerate);
438                 break;
439             }
440             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
441                 fixEdge<Int52RepUse>(node->child1());
442                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
443                     node->setArithMode(Arith::CheckOverflow);
444                 else
445                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
446                 node->setResult(NodeResultInt52);
447                 node->clearFlags(NodeMustGenerate);
448                 break;
449             }
450
451             fixDoubleOrBooleanEdge(node->child1());
452             node->setResult(NodeResultDouble);
453             node->clearFlags(NodeMustGenerate);
454             break;
455         }
456
457         case ValueMul: {
458             Edge& leftChild = node->child1();
459             Edge& rightChild = node->child2();
460
461             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
462                 fixEdge<BigIntUse>(node->child1());
463                 fixEdge<BigIntUse>(node->child2());
464                 break;
465             }
466
467             // There are cases where we can have BigInt + Int32 operands reaching ValueMul.
468             // Imagine the scenario where ValueMul was never executed, but we can predict types
469             // reaching the node:
470             //
471             // 63: GetLocal(Check:Untyped:@72, JS|MustGen, NonBoolInt32, ...)  predicting NonBoolInt32
472             // 64: GetLocal(Check:Untyped:@71, JS|MustGen, BigInt, ...)  predicting BigInt
473             // 65: ValueMul(Check:Untyped:@63, Check:Untyped:@64, BigInt|BoolInt32|NonBoolInt32, ...)
474             // 
475             // In such scenario, we need to emit ValueMul(Untyped, Untyped), so the runtime can throw 
476             // an exception whenever it gets excuted.
477             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
478                 fixEdge<UntypedUse>(leftChild);
479                 fixEdge<UntypedUse>(rightChild);
480                 break;
481             }
482
483             // At this point, all other possible specializations are only handled by ArithMul.
484             node->setOp(ArithMul);
485             node->setResult(NodeResultNumber);
486             fixupArithMul(node, leftChild, rightChild);
487             break;
488         }
489
490         case ArithMul: {
491             Edge& leftChild = node->child1();
492             Edge& rightChild = node->child2();
493
494             fixupArithMul(node, leftChild, rightChild);
495             break;
496         }
497
498         case ValueDiv: {
499             Edge& leftChild = node->child1();
500             Edge& rightChild = node->child2();
501
502             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
503                 fixEdge<BigIntUse>(leftChild);
504                 fixEdge<BigIntUse>(rightChild);
505                 break; 
506             }
507
508             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
509                 fixEdge<UntypedUse>(leftChild);
510                 fixEdge<UntypedUse>(rightChild);
511                 break;
512             }
513             node->setOp(ArithDiv);
514             node->setResult(NodeResultNumber);
515             fixupArithDiv(node, leftChild, rightChild);
516             break;
517
518         }
519
520         case ArithDiv:
521         case ArithMod: {
522             Edge& leftChild = node->child1();
523             Edge& rightChild = node->child2();
524
525             fixupArithDiv(node, leftChild, rightChild);
526             break;
527         }
528             
529         case ArithMin:
530         case ArithMax: {
531             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
532                 fixIntOrBooleanEdge(node->child1());
533                 fixIntOrBooleanEdge(node->child2());
534                 break;
535             }
536             fixDoubleOrBooleanEdge(node->child1());
537             fixDoubleOrBooleanEdge(node->child2());
538             node->setResult(NodeResultDouble);
539             break;
540         }
541             
542         case ArithAbs: {
543             if (node->child1()->shouldSpeculateInt32OrBoolean()
544                 && node->canSpeculateInt32(FixupPass)) {
545                 fixIntOrBooleanEdge(node->child1());
546                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
547                     node->setArithMode(Arith::Unchecked);
548                 else
549                     node->setArithMode(Arith::CheckOverflow);
550                 node->clearFlags(NodeMustGenerate);
551                 node->setResult(NodeResultInt32);
552                 break;
553             }
554
555             if (node->child1()->shouldSpeculateNotCell()) {
556                 fixDoubleOrBooleanEdge(node->child1());
557                 node->clearFlags(NodeMustGenerate);
558             } else
559                 fixEdge<UntypedUse>(node->child1());
560             node->setResult(NodeResultDouble);
561             break;
562         }
563
564         case ArithPow: {
565             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
566                 fixDoubleOrBooleanEdge(node->child1());
567                 fixIntOrBooleanEdge(node->child2());
568                 break;
569             }
570
571             fixDoubleOrBooleanEdge(node->child1());
572             fixDoubleOrBooleanEdge(node->child2());
573             break;
574         }
575
576         case ArithRandom: {
577             node->setResult(NodeResultDouble);
578             break;
579         }
580
581         case ArithRound:
582         case ArithFloor:
583         case ArithCeil:
584         case ArithTrunc: {
585             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
586                 fixIntOrBooleanEdge(node->child1());
587                 insertCheck<Int32Use>(node->child1().node());
588                 node->convertToIdentity();
589                 break;
590             }
591             if (node->child1()->shouldSpeculateNotCell()) {
592                 fixDoubleOrBooleanEdge(node->child1());
593
594                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
595                     node->setResult(NodeResultInt32);
596                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
597                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
598                     else
599                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
600                 } else {
601                     node->setResult(NodeResultDouble);
602                     node->setArithRoundingMode(Arith::RoundingMode::Double);
603                 }
604                 node->clearFlags(NodeMustGenerate);
605             } else
606                 fixEdge<UntypedUse>(node->child1());
607             break;
608         }
609
610         case ArithFRound:
611         case ArithSqrt:
612         case ArithUnary: {
613             Edge& child1 = node->child1();
614             if (child1->shouldSpeculateNotCell()) {
615                 fixDoubleOrBooleanEdge(child1);
616                 node->clearFlags(NodeMustGenerate);
617             } else
618                 fixEdge<UntypedUse>(child1);
619             break;
620         }
621             
622         case LogicalNot: {
623             if (node->child1()->shouldSpeculateBoolean()) {
624                 if (node->child1()->result() == NodeResultBoolean) {
625                     // This is necessary in case we have a bytecode instruction implemented by:
626                     //
627                     // a: CompareEq(...)
628                     // b: LogicalNot(@a)
629                     //
630                     // In that case, CompareEq might have a side-effect. Then, we need to make
631                     // sure that we know that Branch does not exit.
632                     fixEdge<KnownBooleanUse>(node->child1());
633                 } else
634                     fixEdge<BooleanUse>(node->child1());
635             } else if (node->child1()->shouldSpeculateObjectOrOther())
636                 fixEdge<ObjectOrOtherUse>(node->child1());
637             else if (node->child1()->shouldSpeculateInt32OrBoolean())
638                 fixIntOrBooleanEdge(node->child1());
639             else if (node->child1()->shouldSpeculateNumber())
640                 fixEdge<DoubleRepUse>(node->child1());
641             else if (node->child1()->shouldSpeculateString())
642                 fixEdge<StringUse>(node->child1());
643             else if (node->child1()->shouldSpeculateStringOrOther())
644                 fixEdge<StringOrOtherUse>(node->child1());
645             else {
646                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
647                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
648                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
649             }
650             break;
651         }
652
653         case CompareEq:
654         case CompareLess:
655         case CompareLessEq:
656         case CompareGreater:
657         case CompareGreaterEq: {
658             if (node->op() == CompareEq
659                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
660                 fixEdge<BooleanUse>(node->child1());
661                 fixEdge<BooleanUse>(node->child2());
662                 node->clearFlags(NodeMustGenerate);
663                 break;
664             }
665             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
666                 fixIntOrBooleanEdge(node->child1());
667                 fixIntOrBooleanEdge(node->child2());
668                 node->clearFlags(NodeMustGenerate);
669                 break;
670             }
671             if (enableInt52()
672                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
673                 fixEdge<Int52RepUse>(node->child1());
674                 fixEdge<Int52RepUse>(node->child2());
675                 node->clearFlags(NodeMustGenerate);
676                 break;
677             }
678             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
679                 fixDoubleOrBooleanEdge(node->child1());
680                 fixDoubleOrBooleanEdge(node->child2());
681             }
682             if (node->op() != CompareEq
683                 && node->child1()->shouldSpeculateNotCell()
684                 && node->child2()->shouldSpeculateNotCell()) {
685                 if (node->child1()->shouldSpeculateNumberOrBoolean())
686                     fixDoubleOrBooleanEdge(node->child1());
687                 else
688                     fixEdge<DoubleRepUse>(node->child1());
689                 if (node->child2()->shouldSpeculateNumberOrBoolean())
690                     fixDoubleOrBooleanEdge(node->child2());
691                 else
692                     fixEdge<DoubleRepUse>(node->child2());
693                 node->clearFlags(NodeMustGenerate);
694                 break;
695             }
696             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
697                 fixEdge<StringIdentUse>(node->child1());
698                 fixEdge<StringIdentUse>(node->child2());
699                 node->clearFlags(NodeMustGenerate);
700                 break;
701             }
702             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
703                 fixEdge<StringUse>(node->child1());
704                 fixEdge<StringUse>(node->child2());
705                 node->clearFlags(NodeMustGenerate);
706                 break;
707             }
708
709             if (node->op() != CompareEq)
710                 break;
711             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
712                 fixEdge<SymbolUse>(node->child1());
713                 fixEdge<SymbolUse>(node->child2());
714                 node->clearFlags(NodeMustGenerate);
715                 break;
716             }
717             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
718                 fixEdge<ObjectUse>(node->child1());
719                 fixEdge<ObjectUse>(node->child2());
720                 node->clearFlags(NodeMustGenerate);
721                 break;
722             }
723
724             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
725             bool oneArgumentIsUsedAsSpecOther = false;
726             if (node->child1()->isUndefinedOrNullConstant()) {
727                 fixEdge<KnownOtherUse>(node->child1());
728                 oneArgumentIsUsedAsSpecOther = true;
729             } else if (node->child1()->shouldSpeculateOther()) {
730                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
731                     Edge(node->child1().node(), OtherUse));
732                 fixEdge<KnownOtherUse>(node->child1());
733                 oneArgumentIsUsedAsSpecOther = true;
734             }
735             if (node->child2()->isUndefinedOrNullConstant()) {
736                 fixEdge<KnownOtherUse>(node->child2());
737                 oneArgumentIsUsedAsSpecOther = true;
738             } else if (node->child2()->shouldSpeculateOther()) {
739                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
740                     Edge(node->child2().node(), OtherUse));
741                 fixEdge<KnownOtherUse>(node->child2());
742                 oneArgumentIsUsedAsSpecOther = true;
743             }
744             if (oneArgumentIsUsedAsSpecOther) {
745                 node->clearFlags(NodeMustGenerate);
746                 break;
747             }
748
749             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
750                 fixEdge<ObjectUse>(node->child1());
751                 fixEdge<ObjectOrOtherUse>(node->child2());
752                 node->clearFlags(NodeMustGenerate);
753                 break;
754             }
755             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
756                 fixEdge<ObjectOrOtherUse>(node->child1());
757                 fixEdge<ObjectUse>(node->child2());
758                 node->clearFlags(NodeMustGenerate);
759                 break;
760             }
761
762             break;
763         }
764             
765         case CompareStrictEq:
766         case SameValue: {
767             fixupCompareStrictEqAndSameValue(node);
768             break;
769         }
770
771         case StringFromCharCode:
772             if (node->child1()->shouldSpeculateInt32()) {
773                 fixEdge<Int32Use>(node->child1());
774                 node->clearFlags(NodeMustGenerate);
775             } else
776                 fixEdge<UntypedUse>(node->child1());
777             break;
778
779         case StringCharAt:
780         case StringCharCodeAt: {
781             // Currently we have no good way of refining these.
782             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
783             blessArrayOperation(node->child1(), node->child2(), node->child3());
784             fixEdge<KnownCellUse>(node->child1());
785             fixEdge<Int32Use>(node->child2());
786             break;
787         }
788
789         case GetByVal: {
790             if (!node->prediction()) {
791                 m_insertionSet.insertNode(
792                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
793             }
794             
795             node->setArrayMode(
796                 node->arrayMode().refine(
797                     m_graph, node,
798                     m_graph.varArgChild(node, 0)->prediction(),
799                     m_graph.varArgChild(node, 1)->prediction(),
800                     SpecNone));
801             
802             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
803             
804             ArrayMode arrayMode = node->arrayMode();
805             switch (arrayMode.type()) {
806             case Array::Contiguous:
807             case Array::Double:
808                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
809                     // Check if SaneChain will work on a per-type basis. Note that:
810                     //
811                     // 1) We don't want double arrays to sometimes return undefined, since
812                     // that would require a change to the return type and it would pessimise
813                     // things a lot. So, we'd only want to do that if we actually had
814                     // evidence that we could read from a hole. That's pretty annoying.
815                     // Likely the best way to handle that case is with an equivalent of
816                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
817                     // NaN are indistinguishable according to backwards propagation, and just
818                     // use SaneChain in that case. This happens to catch a lot of cases.
819                     //
820                     // 2) We don't want int32 array loads to have to do a hole check just to
821                     // coerce to Undefined, since that would mean twice the checks.
822                     //
823                     // This has two implications. First, we have to do more checks than we'd
824                     // like. It's unfortunate that we have to do the hole check. Second,
825                     // some accesses that hit a hole will now need to take the full-blown
826                     // out-of-bounds slow path. We can fix that with:
827                     // https://bugs.webkit.org/show_bug.cgi?id=144668
828                     
829                     bool canDoSaneChain = false;
830                     switch (arrayMode.type()) {
831                     case Array::Contiguous:
832                         // This is happens to be entirely natural. We already would have
833                         // returned any JSValue, and now we'll return Undefined. We still do
834                         // the check but it doesn't require taking any kind of slow path.
835                         canDoSaneChain = true;
836                         break;
837                         
838                     case Array::Double:
839                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
840                             // Holes look like NaN already, so if the user doesn't care
841                             // about the difference between Undefined and NaN then we can
842                             // do this.
843                             canDoSaneChain = true;
844                         }
845                         break;
846                         
847                     default:
848                         break;
849                     }
850                     
851                     if (canDoSaneChain) {
852                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
853                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
854                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
855                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
856                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
857                             && globalObject->arrayPrototypeChainIsSane()) {
858                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
859                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
860                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
861                         }
862                     }
863                 }
864                 break;
865                 
866             case Array::String:
867                 if ((node->prediction() & ~SpecString)
868                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
869                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
870                 break;
871                 
872             default:
873                 break;
874             }
875             
876             arrayMode = node->arrayMode();
877             switch (arrayMode.type()) {
878             case Array::SelectUsingPredictions:
879             case Array::Unprofiled:
880                 RELEASE_ASSERT_NOT_REACHED();
881                 break;
882             case Array::Generic:
883                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
884                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
885                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
886                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
887                         break;
888                     }
889
890                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
891                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
892                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
893                         break;
894                     }
895                 }
896 #if USE(JSVALUE32_64)
897                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
898 #endif
899                 break;
900             case Array::ForceExit:
901                 break;
902             default:
903                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
904                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
905                 break;
906             }
907             
908             switch (arrayMode.type()) {
909             case Array::Double:
910                 if (!arrayMode.isOutOfBounds())
911                     node->setResult(NodeResultDouble);
912                 break;
913                 
914             case Array::Float32Array:
915             case Array::Float64Array:
916                 node->setResult(NodeResultDouble);
917                 break;
918                 
919             case Array::Uint32Array:
920                 if (node->shouldSpeculateInt32())
921                     break;
922                 if (node->shouldSpeculateAnyInt() && enableInt52())
923                     node->setResult(NodeResultInt52);
924                 else
925                     node->setResult(NodeResultDouble);
926                 break;
927                 
928             default:
929                 break;
930             }
931             
932             break;
933         }
934
935         case PutByValDirect:
936         case PutByVal:
937         case PutByValAlias: {
938             Edge& child1 = m_graph.varArgChild(node, 0);
939             Edge& child2 = m_graph.varArgChild(node, 1);
940             Edge& child3 = m_graph.varArgChild(node, 2);
941
942             node->setArrayMode(
943                 node->arrayMode().refine(
944                     m_graph, node,
945                     child1->prediction(),
946                     child2->prediction(),
947                     child3->prediction()));
948             
949             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
950             
951             switch (node->arrayMode().modeForPut().type()) {
952             case Array::SelectUsingPredictions:
953             case Array::SelectUsingArguments:
954             case Array::Unprofiled:
955             case Array::Undecided:
956                 RELEASE_ASSERT_NOT_REACHED();
957                 break;
958             case Array::ForceExit:
959             case Array::Generic:
960                 if (child1->shouldSpeculateCell()) {
961                     if (child2->shouldSpeculateString()) {
962                         fixEdge<CellUse>(child1);
963                         fixEdge<StringUse>(child2);
964                         break;
965                     }
966
967                     if (child2->shouldSpeculateSymbol()) {
968                         fixEdge<CellUse>(child1);
969                         fixEdge<SymbolUse>(child2);
970                         break;
971                     }
972                 }
973 #if USE(JSVALUE32_64)
974                 // Due to register pressure on 32-bit, we speculate cell and
975                 // ignore the base-is-not-cell case entirely by letting the
976                 // baseline JIT handle it.
977                 fixEdge<CellUse>(child1);
978 #endif
979                 break;
980             case Array::Int32:
981                 fixEdge<KnownCellUse>(child1);
982                 fixEdge<Int32Use>(child2);
983                 fixEdge<Int32Use>(child3);
984                 break;
985             case Array::Double:
986                 fixEdge<KnownCellUse>(child1);
987                 fixEdge<Int32Use>(child2);
988                 fixEdge<DoubleRepRealUse>(child3);
989                 break;
990             case Array::Int8Array:
991             case Array::Int16Array:
992             case Array::Int32Array:
993             case Array::Uint8Array:
994             case Array::Uint8ClampedArray:
995             case Array::Uint16Array:
996             case Array::Uint32Array:
997                 fixEdge<KnownCellUse>(child1);
998                 fixEdge<Int32Use>(child2);
999                 if (child3->shouldSpeculateInt32())
1000                     fixIntOrBooleanEdge(child3);
1001                 else if (child3->shouldSpeculateAnyInt())
1002                     fixEdge<Int52RepUse>(child3);
1003                 else
1004                     fixDoubleOrBooleanEdge(child3);
1005                 break;
1006             case Array::Float32Array:
1007             case Array::Float64Array:
1008                 fixEdge<KnownCellUse>(child1);
1009                 fixEdge<Int32Use>(child2);
1010                 fixDoubleOrBooleanEdge(child3);
1011                 break;
1012             case Array::Contiguous:
1013             case Array::ArrayStorage:
1014             case Array::SlowPutArrayStorage:
1015                 fixEdge<KnownCellUse>(child1);
1016                 fixEdge<Int32Use>(child2);
1017                 speculateForBarrier(child3);
1018                 break;
1019             default:
1020                 fixEdge<KnownCellUse>(child1);
1021                 fixEdge<Int32Use>(child2);
1022                 break;
1023             }
1024             break;
1025         }
1026             
1027         case AtomicsAdd:
1028         case AtomicsAnd:
1029         case AtomicsCompareExchange:
1030         case AtomicsExchange:
1031         case AtomicsLoad:
1032         case AtomicsOr:
1033         case AtomicsStore:
1034         case AtomicsSub:
1035         case AtomicsXor: {
1036             Edge& base = m_graph.child(node, 0);
1037             Edge& index = m_graph.child(node, 1);
1038             
1039             bool badNews = false;
1040             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1041                 Edge& child = m_graph.child(node, 2 + i);
1042                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
1043                 // just call the function when that happens. But the FTL is totally cool with those
1044                 // conversions.
1045                 if (!child->shouldSpeculateInt32()
1046                     && !child->shouldSpeculateAnyInt()
1047                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
1048                     badNews = true;
1049             }
1050             
1051             if (badNews) {
1052                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
1053                 break;
1054             }
1055             
1056             node->setArrayMode(
1057                 node->arrayMode().refine(
1058                     m_graph, node, base->prediction(), index->prediction()));
1059             
1060             if (node->arrayMode().type() == Array::Generic)
1061                 break;
1062             
1063             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1064                 Edge& child = m_graph.child(node, 2 + i);
1065                 if (child->shouldSpeculateInt32())
1066                     fixIntOrBooleanEdge(child);
1067                 else if (child->shouldSpeculateAnyInt())
1068                     fixEdge<Int52RepUse>(child);
1069                 else {
1070                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
1071                     fixDoubleOrBooleanEdge(child);
1072                 }
1073             }
1074             
1075             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
1076             fixEdge<CellUse>(base);
1077             fixEdge<Int32Use>(index);
1078             
1079             if (node->arrayMode().type() == Array::Uint32Array) {
1080                 // NOTE: This means basically always doing Int52.
1081                 if (node->shouldSpeculateAnyInt() && enableInt52())
1082                     node->setResult(NodeResultInt52);
1083                 else
1084                     node->setResult(NodeResultDouble);
1085             }
1086             break;
1087         }
1088             
1089         case AtomicsIsLockFree:
1090             if (node->child1()->shouldSpeculateInt32())
1091                 fixIntOrBooleanEdge(node->child1());
1092             break;
1093             
1094         case ArrayPush: {
1095             // May need to refine the array mode in case the value prediction contravenes
1096             // the array prediction. For example, we may have evidence showing that the
1097             // array is in Int32 mode, but the value we're storing is likely to be a double.
1098             // Then we should turn this into a conversion to Double array followed by the
1099             // push. On the other hand, we absolutely don't want to refine based on the
1100             // base prediction. If it has non-cell garbage in it, then we want that to be
1101             // ignored. That's because ArrayPush can't handle any array modes that aren't
1102             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1103             // that would break things.
1104             Edge& storageEdge = m_graph.varArgChild(node, 0);
1105             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1106             unsigned elementOffset = 2;
1107             unsigned elementCount = node->numChildren() - elementOffset;
1108             for (unsigned i = 0; i < elementCount; ++i) {
1109                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1110                 node->setArrayMode(
1111                     node->arrayMode().refine(
1112                         m_graph, node,
1113                         arrayEdge->prediction() & SpecCell,
1114                         SpecInt32Only,
1115                         element->prediction()));
1116             }
1117             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1118             fixEdge<KnownCellUse>(arrayEdge);
1119
1120             // Convert `array.push()` to GetArrayLength.
1121             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1122                 node->setOpAndDefaultFlags(GetArrayLength);
1123                 node->child1() = arrayEdge;
1124                 node->child2() = storageEdge;
1125                 fixEdge<KnownCellUse>(node->child1());
1126                 break;
1127             }
1128
1129             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1130             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1131             for (unsigned i = 0; i < elementCount; ++i) {
1132                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1133                 switch (node->arrayMode().type()) {
1134                 case Array::Int32:
1135                     insertCheck<Int32Use>(element.node());
1136                     fixEdge<KnownInt32Use>(element);
1137                     break;
1138                 case Array::Double:
1139                     insertCheck<DoubleRepRealUse>(element.node());
1140                     fixEdge<DoubleRepUse>(element);
1141                     break;
1142                 case Array::Contiguous:
1143                 case Array::ArrayStorage:
1144                     speculateForBarrier(element);
1145                     break;
1146                 default:
1147                     break;
1148                 }
1149                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1150             }
1151             break;
1152         }
1153             
1154         case ArrayPop: {
1155             blessArrayOperation(node->child1(), Edge(), node->child2());
1156             fixEdge<KnownCellUse>(node->child1());
1157             break;
1158         }
1159
1160         case ArraySlice: {
1161             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1162             if (node->numChildren() >= 3) {
1163                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1164                 if (node->numChildren() == 4)
1165                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1166             }
1167             break;
1168         }
1169
1170         case ArrayIndexOf:
1171             fixupArrayIndexOf(node);
1172             break;
1173             
1174         case RegExpExec:
1175         case RegExpTest: {
1176             fixEdge<KnownCellUse>(node->child1());
1177             
1178             if (node->child2()->shouldSpeculateRegExpObject()) {
1179                 fixEdge<RegExpObjectUse>(node->child2());
1180
1181                 if (node->child3()->shouldSpeculateString())
1182                     fixEdge<StringUse>(node->child3());
1183             }
1184             break;
1185         }
1186
1187         case RegExpMatchFast: {
1188             fixEdge<KnownCellUse>(node->child1());
1189             fixEdge<RegExpObjectUse>(node->child2());
1190             fixEdge<StringUse>(node->child3());
1191             break;
1192         }
1193
1194         case StringReplace:
1195         case StringReplaceRegExp: {
1196             if (node->child2()->shouldSpeculateString()) {
1197                 m_insertionSet.insertNode(
1198                     m_indexInBlock, SpecNone, Check, node->origin,
1199                     Edge(node->child2().node(), StringUse));
1200                 fixEdge<StringUse>(node->child2());
1201             } else if (op == StringReplace) {
1202                 if (node->child2()->shouldSpeculateRegExpObject())
1203                     addStringReplacePrimordialChecks(node->child2().node());
1204                 else 
1205                     m_insertionSet.insertNode(
1206                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1207             }
1208
1209             if (node->child1()->shouldSpeculateString()
1210                 && node->child2()->shouldSpeculateRegExpObject()
1211                 && node->child3()->shouldSpeculateString()) {
1212
1213                 fixEdge<StringUse>(node->child1());
1214                 fixEdge<RegExpObjectUse>(node->child2());
1215                 fixEdge<StringUse>(node->child3());
1216                 break;
1217             }
1218             break;
1219         }
1220             
1221         case Branch: {
1222             if (node->child1()->shouldSpeculateBoolean()) {
1223                 if (node->child1()->result() == NodeResultBoolean) {
1224                     // This is necessary in case we have a bytecode instruction implemented by:
1225                     //
1226                     // a: CompareEq(...)
1227                     // b: Branch(@a)
1228                     //
1229                     // In that case, CompareEq might have a side-effect. Then, we need to make
1230                     // sure that we know that Branch does not exit.
1231                     fixEdge<KnownBooleanUse>(node->child1());
1232                 } else
1233                     fixEdge<BooleanUse>(node->child1());
1234             } else if (node->child1()->shouldSpeculateObjectOrOther())
1235                 fixEdge<ObjectOrOtherUse>(node->child1());
1236             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1237                 fixIntOrBooleanEdge(node->child1());
1238             else if (node->child1()->shouldSpeculateNumber())
1239                 fixEdge<DoubleRepUse>(node->child1());
1240             else if (node->child1()->shouldSpeculateString())
1241                 fixEdge<StringUse>(node->child1());
1242             else if (node->child1()->shouldSpeculateStringOrOther())
1243                 fixEdge<StringOrOtherUse>(node->child1());
1244             else {
1245                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1246                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1247                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1248             }
1249             break;
1250         }
1251             
1252         case Switch: {
1253             SwitchData* data = node->switchData();
1254             switch (data->kind) {
1255             case SwitchImm:
1256                 if (node->child1()->shouldSpeculateInt32())
1257                     fixEdge<Int32Use>(node->child1());
1258                 break;
1259             case SwitchChar:
1260                 if (node->child1()->shouldSpeculateString())
1261                     fixEdge<StringUse>(node->child1());
1262                 break;
1263             case SwitchString:
1264                 if (node->child1()->shouldSpeculateStringIdent())
1265                     fixEdge<StringIdentUse>(node->child1());
1266                 else if (node->child1()->shouldSpeculateString())
1267                     fixEdge<StringUse>(node->child1());
1268                 break;
1269             case SwitchCell:
1270                 if (node->child1()->shouldSpeculateCell())
1271                     fixEdge<CellUse>(node->child1());
1272                 // else it's fine for this to have UntypedUse; we will handle this by just making
1273                 // non-cells take the default case.
1274                 break;
1275             }
1276             break;
1277         }
1278             
1279         case ToPrimitive: {
1280             fixupToPrimitive(node);
1281             break;
1282         }
1283
1284         case ToNumber: {
1285             fixupToNumber(node);
1286             break;
1287         }
1288             
1289         case ToString:
1290         case CallStringConstructor: {
1291             fixupToStringOrCallStringConstructor(node);
1292             break;
1293         }
1294             
1295         case NewStringObject: {
1296             fixEdge<KnownStringUse>(node->child1());
1297             break;
1298         }
1299
1300         case NewSymbol: {
1301             if (node->child1())
1302                 fixEdge<KnownStringUse>(node->child1());
1303             break;
1304         }
1305
1306         case NewArrayWithSpread: {
1307             watchHavingABadTime(node);
1308             
1309             BitVector* bitVector = node->bitVector();
1310             for (unsigned i = node->numChildren(); i--;) {
1311                 if (bitVector->get(i))
1312                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1313                 else
1314                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1315             }
1316
1317             break;
1318         }
1319
1320         case Spread: {
1321             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1322             
1323             watchHavingABadTime(node->child1().node());
1324
1325             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1326             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1327             // that it doesn't contain any indexed properties, and that any holes will result in
1328             // jsUndefined().
1329             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1330             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1331             if (node->child1()->shouldSpeculateArray()
1332                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1333                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1334                 && globalObject->arrayPrototypeChainIsSane()
1335                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1336                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1337                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1338                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1339                 fixEdge<ArrayUse>(node->child1());
1340             } else
1341                 fixEdge<CellUse>(node->child1());
1342             break;
1343         }
1344             
1345         case NewArray: {
1346             watchHavingABadTime(node);
1347             
1348             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1349                 node->setIndexingType(
1350                     leastUpperBoundOfIndexingTypeAndType(
1351                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1352             }
1353             switch (node->indexingType()) {
1354             case ALL_BLANK_INDEXING_TYPES:
1355                 CRASH();
1356                 break;
1357             case ALL_UNDECIDED_INDEXING_TYPES:
1358                 if (node->numChildren()) {
1359                     // This will only happen if the children have no type predictions. We
1360                     // would have already exited by now, but insert a forced exit just to
1361                     // be safe.
1362                     m_insertionSet.insertNode(
1363                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1364                 }
1365                 break;
1366             case ALL_INT32_INDEXING_TYPES:
1367                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1368                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1369                 break;
1370             case ALL_DOUBLE_INDEXING_TYPES:
1371                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1372                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1373                 break;
1374             case ALL_CONTIGUOUS_INDEXING_TYPES:
1375             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1376                 break;
1377             default:
1378                 CRASH();
1379                 break;
1380             }
1381             break;
1382         }
1383             
1384         case NewTypedArray: {
1385             watchHavingABadTime(node);
1386             
1387             if (node->child1()->shouldSpeculateInt32()) {
1388                 fixEdge<Int32Use>(node->child1());
1389                 node->clearFlags(NodeMustGenerate);
1390                 break;
1391             }
1392             break;
1393         }
1394             
1395         case NewArrayWithSize: {
1396             watchHavingABadTime(node);
1397             fixEdge<Int32Use>(node->child1());
1398             break;
1399         }
1400
1401         case NewArrayBuffer: {
1402             watchHavingABadTime(node);
1403             break;
1404         }
1405
1406         case ToObject: {
1407             fixupToObject(node);
1408             break;
1409         }
1410
1411         case CallObjectConstructor: {
1412             fixupCallObjectConstructor(node);
1413             break;
1414         }
1415
1416         case ToThis: {
1417             fixupToThis(node);
1418             break;
1419         }
1420             
1421         case PutStructure: {
1422             fixEdge<KnownCellUse>(node->child1());
1423             break;
1424         }
1425             
1426         case GetClosureVar:
1427         case GetFromArguments: {
1428             fixEdge<KnownCellUse>(node->child1());
1429             break;
1430         }
1431
1432         case PutClosureVar:
1433         case PutToArguments: {
1434             fixEdge<KnownCellUse>(node->child1());
1435             speculateForBarrier(node->child2());
1436             break;
1437         }
1438
1439         case SkipScope:
1440         case GetScope:
1441         case GetGetter:
1442         case GetSetter:
1443         case GetGlobalObject: {
1444             fixEdge<KnownCellUse>(node->child1());
1445             break;
1446         }
1447             
1448         case AllocatePropertyStorage:
1449         case ReallocatePropertyStorage: {
1450             fixEdge<KnownCellUse>(node->child1());
1451             break;
1452         }
1453             
1454         case NukeStructureAndSetButterfly: {
1455             fixEdge<KnownCellUse>(node->child1());
1456             break;
1457         }
1458
1459         case TryGetById: {
1460             if (node->child1()->shouldSpeculateCell())
1461                 fixEdge<CellUse>(node->child1());
1462             break;
1463         }
1464
1465         case GetByIdDirect:
1466         case GetByIdDirectFlush: {
1467             if (node->child1()->shouldSpeculateCell())
1468                 fixEdge<CellUse>(node->child1());
1469             break;
1470         }
1471
1472         case GetById:
1473         case GetByIdFlush: {
1474             // FIXME: This should be done in the ByteCodeParser based on reading the
1475             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1476             // https://bugs.webkit.org/show_bug.cgi?id=154990
1477             auto uid = m_graph.identifiers()[node->identifierNumber()];
1478             if (node->child1()->shouldSpeculateCellOrOther()
1479                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1480                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1481                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1482                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1483                 
1484                 if (uid == vm().propertyNames->length.impl()) {
1485                     attemptToMakeGetArrayLength(node);
1486                     break;
1487                 }
1488
1489                 if (uid == vm().propertyNames->lastIndex.impl()
1490                     && node->child1()->shouldSpeculateRegExpObject()) {
1491                     node->setOp(GetRegExpObjectLastIndex);
1492                     node->clearFlags(NodeMustGenerate);
1493                     fixEdge<RegExpObjectUse>(node->child1());
1494                     break;
1495                 }
1496             }
1497
1498             if (node->child1()->shouldSpeculateNumber()) {
1499                 if (uid == vm().propertyNames->toString.impl()) {
1500                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1501                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1502                         if (node->child1()->shouldSpeculateInt32()) {
1503                             insertCheck<Int32Use>(node->child1().node());
1504                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1505                             break;
1506                         }
1507
1508                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1509                             insertCheck<Int52RepUse>(node->child1().node());
1510                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1511                             break;
1512                         }
1513
1514                         ASSERT(node->child1()->shouldSpeculateNumber());
1515                         insertCheck<DoubleRepUse>(node->child1().node());
1516                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1517                         break;
1518                     }
1519                 }
1520             }
1521
1522             if (node->child1()->shouldSpeculateCell())
1523                 fixEdge<CellUse>(node->child1());
1524             break;
1525         }
1526         
1527         case GetByIdWithThis: {
1528             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1529                 fixEdge<CellUse>(node->child1());
1530                 fixEdge<CellUse>(node->child2());
1531             }
1532             break;
1533         }
1534
1535         case PutById:
1536         case PutByIdFlush:
1537         case PutByIdDirect: {
1538             if (node->child1()->shouldSpeculateCellOrOther()
1539                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1540                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1541                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1542                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1543                 
1544                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1545                 
1546                 if (uid == vm().propertyNames->lastIndex.impl()
1547                     && node->child1()->shouldSpeculateRegExpObject()) {
1548                     node->convertToSetRegExpObjectLastIndex();
1549                     fixEdge<RegExpObjectUse>(node->child1());
1550                     speculateForBarrier(node->child2());
1551                     break;
1552                 }
1553             }
1554             
1555             fixEdge<CellUse>(node->child1());
1556             break;
1557         }
1558
1559         case PutGetterById:
1560         case PutSetterById: {
1561             fixEdge<KnownCellUse>(node->child1());
1562             fixEdge<KnownCellUse>(node->child2());
1563             break;
1564         }
1565
1566         case PutGetterSetterById: {
1567             fixEdge<KnownCellUse>(node->child1());
1568             break;
1569         }
1570
1571         case PutGetterByVal:
1572         case PutSetterByVal: {
1573             fixEdge<KnownCellUse>(node->child1());
1574             fixEdge<KnownCellUse>(node->child3());
1575             break;
1576         }
1577
1578         case GetExecutable: {
1579             fixEdge<FunctionUse>(node->child1());
1580             break;
1581         }
1582
1583         case OverridesHasInstance:
1584         case CheckStructure:
1585         case CheckCell:
1586         case CreateThis:
1587         case GetButterfly: {
1588             fixEdge<CellUse>(node->child1());
1589             break;
1590         }
1591
1592         case ObjectCreate: {
1593             if (node->child1()->shouldSpeculateObject()) {
1594                 fixEdge<ObjectUse>(node->child1());
1595                 node->clearFlags(NodeMustGenerate);
1596                 break;
1597             }
1598             break;
1599         }
1600
1601         case ObjectKeys: {
1602             if (node->child1()->shouldSpeculateObject()) {
1603                 watchHavingABadTime(node);
1604                 fixEdge<ObjectUse>(node->child1());
1605             }
1606             break;
1607         }
1608
1609         case CheckStringIdent: {
1610             fixEdge<StringIdentUse>(node->child1());
1611             break;
1612         }
1613             
1614         case Arrayify:
1615         case ArrayifyToStructure: {
1616             fixEdge<CellUse>(node->child1());
1617             if (node->child2())
1618                 fixEdge<Int32Use>(node->child2());
1619             break;
1620         }
1621             
1622         case GetByOffset:
1623         case GetGetterSetterByOffset: {
1624             if (!node->child1()->hasStorageResult())
1625                 fixEdge<KnownCellUse>(node->child1());
1626             fixEdge<KnownCellUse>(node->child2());
1627             break;
1628         }
1629             
1630         case MultiGetByOffset: {
1631             fixEdge<CellUse>(node->child1());
1632             break;
1633         }
1634             
1635         case PutByOffset: {
1636             if (!node->child1()->hasStorageResult())
1637                 fixEdge<KnownCellUse>(node->child1());
1638             fixEdge<KnownCellUse>(node->child2());
1639             speculateForBarrier(node->child3());
1640             break;
1641         }
1642             
1643         case MultiPutByOffset: {
1644             fixEdge<CellUse>(node->child1());
1645             break;
1646         }
1647             
1648         case MatchStructure: {
1649             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1650             // https://bugs.webkit.org/show_bug.cgi?id=185784
1651             fixEdge<CellUse>(node->child1());
1652             break;
1653         }
1654             
1655         case InstanceOf: {
1656             if (node->child1()->shouldSpeculateCell()
1657                 && node->child2()->shouldSpeculateCell()
1658                 && is64Bit()) {
1659                 fixEdge<CellUse>(node->child1());
1660                 fixEdge<CellUse>(node->child2());
1661                 break;
1662             }
1663             break;
1664         }
1665
1666         case InstanceOfCustom:
1667             fixEdge<CellUse>(node->child2());
1668             break;
1669
1670         case InById: {
1671             fixEdge<CellUse>(node->child1());
1672             break;
1673         }
1674
1675         case InByVal: {
1676             if (node->child2()->shouldSpeculateInt32()) {
1677                 convertToHasIndexedProperty(node);
1678                 break;
1679             }
1680
1681             fixEdge<CellUse>(node->child1());
1682             break;
1683         }
1684
1685         case HasOwnProperty: {
1686             fixEdge<ObjectUse>(node->child1());
1687 #if CPU(X86)
1688             // We don't have enough registers to do anything interesting on x86 and mips.
1689             fixEdge<UntypedUse>(node->child2());
1690 #else
1691             if (node->child2()->shouldSpeculateString())
1692                 fixEdge<StringUse>(node->child2());
1693             else if (node->child2()->shouldSpeculateSymbol())
1694                 fixEdge<SymbolUse>(node->child2());
1695             else
1696                 fixEdge<UntypedUse>(node->child2());
1697 #endif
1698             break;
1699         }
1700
1701         case CheckVarargs:
1702         case Check: {
1703             m_graph.doToChildren(
1704                 node,
1705                 [&] (Edge& edge) {
1706                     switch (edge.useKind()) {
1707                     case NumberUse:
1708                         if (edge->shouldSpeculateInt32ForArithmetic())
1709                             edge.setUseKind(Int32Use);
1710                         break;
1711                     default:
1712                         break;
1713                     }
1714                     observeUseKindOnEdge(edge);
1715                 });
1716             break;
1717         }
1718
1719         case Phantom:
1720             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1721             node->remove(m_graph);
1722             break;
1723
1724         case FiatInt52: {
1725             RELEASE_ASSERT(enableInt52());
1726             node->convertToIdentity();
1727             fixEdge<Int52RepUse>(node->child1());
1728             node->setResult(NodeResultInt52);
1729             break;
1730         }
1731
1732         case GetArrayLength: {
1733             fixEdge<KnownCellUse>(node->child1());
1734             break;
1735         }
1736
1737         case GetTypedArrayByteOffset: {
1738             fixEdge<KnownCellUse>(node->child1());
1739             break;
1740         }
1741
1742         case CompareBelow:
1743         case CompareBelowEq: {
1744             fixEdge<Int32Use>(node->child1());
1745             fixEdge<Int32Use>(node->child2());
1746             break;
1747         }
1748
1749         case GetPrototypeOf: {
1750             fixupGetPrototypeOf(node);
1751             break;
1752         }
1753
1754         case Phi:
1755         case Upsilon:
1756         case EntrySwitch:
1757         case GetIndexedPropertyStorage:
1758         case LastNodeType:
1759         case CheckTierUpInLoop:
1760         case CheckTierUpAtReturn:
1761         case CheckTierUpAndOSREnter:
1762         case CheckArray:
1763         case CheckInBounds:
1764         case ConstantStoragePointer:
1765         case DoubleAsInt32:
1766         case ValueToInt32:
1767         case DoubleRep:
1768         case ValueRep:
1769         case Int52Rep:
1770         case Int52Constant:
1771         case Identity: // This should have been cleaned up.
1772         case BooleanToNumber:
1773         case PhantomNewObject:
1774         case PhantomNewFunction:
1775         case PhantomNewGeneratorFunction:
1776         case PhantomNewAsyncGeneratorFunction:
1777         case PhantomNewAsyncFunction:
1778         case PhantomCreateActivation:
1779         case PhantomDirectArguments:
1780         case PhantomCreateRest:
1781         case PhantomSpread:
1782         case PhantomNewArrayWithSpread:
1783         case PhantomNewArrayBuffer:
1784         case PhantomClonedArguments:
1785         case PhantomNewRegexp:
1786         case GetMyArgumentByVal:
1787         case GetMyArgumentByValOutOfBounds:
1788         case GetVectorLength:
1789         case PutHint:
1790         case CheckStructureImmediate:
1791         case CheckStructureOrEmpty:
1792         case MaterializeNewObject:
1793         case MaterializeCreateActivation:
1794         case PutStack:
1795         case KillStack:
1796         case GetStack:
1797         case StoreBarrier:
1798         case FencedStoreBarrier:
1799         case GetRegExpObjectLastIndex:
1800         case SetRegExpObjectLastIndex:
1801         case RecordRegExpCachedResult:
1802         case RegExpExecNonGlobalOrSticky:
1803         case RegExpMatchFastGlobal:
1804             // These are just nodes that we don't currently expect to see during fixup.
1805             // If we ever wanted to insert them prior to fixup, then we just have to create
1806             // fixup rules for them.
1807             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1808             break;
1809
1810         case PutGlobalVariable: {
1811             fixEdge<CellUse>(node->child1());
1812             speculateForBarrier(node->child2());
1813             break;
1814         }
1815
1816         case IsObject:
1817             if (node->child1()->shouldSpeculateObject()) {
1818                 m_insertionSet.insertNode(
1819                     m_indexInBlock, SpecNone, Check, node->origin,
1820                     Edge(node->child1().node(), ObjectUse));
1821                 m_graph.convertToConstant(node, jsBoolean(true));
1822                 observeUseKindOnNode<ObjectUse>(node);
1823             }
1824             break;
1825
1826         case IsCellWithType: {
1827             fixupIsCellWithType(node);
1828             break;
1829         }
1830
1831         case GetEnumerableLength: {
1832             fixEdge<CellUse>(node->child1());
1833             break;
1834         }
1835         case HasGenericProperty: {
1836             fixEdge<CellUse>(node->child2());
1837             break;
1838         }
1839         case HasStructureProperty: {
1840             fixEdge<StringUse>(node->child2());
1841             fixEdge<KnownCellUse>(node->child3());
1842             break;
1843         }
1844         case HasIndexedProperty: {
1845             node->setArrayMode(
1846                 node->arrayMode().refine(
1847                     m_graph, node,
1848                     node->child1()->prediction(),
1849                     node->child2()->prediction(),
1850                     SpecNone));
1851             
1852             blessArrayOperation(node->child1(), node->child2(), node->child3());
1853             fixEdge<CellUse>(node->child1());
1854             fixEdge<KnownInt32Use>(node->child2());
1855             break;
1856         }
1857         case GetDirectPname: {
1858             Edge& base = m_graph.varArgChild(node, 0);
1859             Edge& property = m_graph.varArgChild(node, 1);
1860             Edge& index = m_graph.varArgChild(node, 2);
1861             Edge& enumerator = m_graph.varArgChild(node, 3);
1862             fixEdge<CellUse>(base);
1863             fixEdge<KnownCellUse>(property);
1864             fixEdge<KnownInt32Use>(index);
1865             fixEdge<KnownCellUse>(enumerator);
1866             break;
1867         }
1868         case GetPropertyEnumerator: {
1869             if (node->child1()->shouldSpeculateCell())
1870                 fixEdge<CellUse>(node->child1());
1871             break;
1872         }
1873         case GetEnumeratorStructurePname: {
1874             fixEdge<KnownCellUse>(node->child1());
1875             fixEdge<KnownInt32Use>(node->child2());
1876             break;
1877         }
1878         case GetEnumeratorGenericPname: {
1879             fixEdge<KnownCellUse>(node->child1());
1880             fixEdge<KnownInt32Use>(node->child2());
1881             break;
1882         }
1883         case ToIndexString: {
1884             fixEdge<KnownInt32Use>(node->child1());
1885             break;
1886         }
1887         case ProfileType: {
1888             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1889             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1890             // type T for the instructionTypeSet, the global type set must also have information for type T.
1891             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1892             // in the globalTypeSet would've also succeeded.
1893             // (The other direction does not hold in general).
1894
1895             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1896             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1897             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1898                 if (node->child1()->shouldSpeculateInt32()) {
1899                     fixEdge<Int32Use>(node->child1());
1900                     node->remove(m_graph);
1901                     break;
1902                 }
1903
1904                 if (enableInt52()) {
1905                     fixEdge<AnyIntUse>(node->child1());
1906                     node->remove(m_graph);
1907                     break;
1908                 }
1909
1910                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1911             }
1912
1913             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1914                 fixEdge<NumberUse>(node->child1());
1915                 node->remove(m_graph);
1916             } else if (typeSet->doesTypeConformTo(TypeString)) {
1917                 fixEdge<StringUse>(node->child1());
1918                 node->remove(m_graph);
1919             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1920                 fixEdge<BooleanUse>(node->child1());
1921                 node->remove(m_graph);
1922             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1923                 fixEdge<OtherUse>(node->child1());
1924                 node->remove(m_graph);
1925             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1926                 StructureSet set;
1927                 {
1928                     ConcurrentJSLocker locker(typeSet->m_lock);
1929                     set = typeSet->structureSet(locker);
1930                 }
1931                 if (!set.isEmpty()) {
1932                     fixEdge<CellUse>(node->child1());
1933                     node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
1934                 }
1935             }
1936
1937             break;
1938         }
1939
1940         case CreateClonedArguments: {
1941             watchHavingABadTime(node);
1942             break;
1943         }
1944
1945         case CreateScopedArguments:
1946         case CreateActivation:
1947         case NewFunction:
1948         case NewGeneratorFunction:
1949         case NewAsyncGeneratorFunction:
1950         case NewAsyncFunction: {
1951             // Child 1 is always the current scope, which is guaranteed to be an object
1952             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1953             fixEdge<KnownCellUse>(node->child1());
1954             break;
1955         }
1956
1957         case PushWithScope: {
1958             // Child 1 is always the current scope, which is guaranteed to be an object
1959             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1960             fixEdge<KnownCellUse>(node->child1());
1961             if (node->child2()->shouldSpeculateObject())
1962                 fixEdge<ObjectUse>(node->child2());
1963             break;
1964         }
1965
1966         case SetFunctionName: {
1967             // The first child is guaranteed to be a cell because op_set_function_name is only used
1968             // on a newly instantiated function object (the first child).
1969             fixEdge<KnownCellUse>(node->child1());
1970             fixEdge<UntypedUse>(node->child2());
1971             break;
1972         }
1973
1974         case CreateRest: {
1975             watchHavingABadTime(node);
1976             fixEdge<KnownInt32Use>(node->child1());
1977             break;
1978         }
1979
1980         case ResolveScopeForHoistingFuncDeclInEval: {
1981             fixEdge<KnownCellUse>(node->child1());
1982             break;
1983         }
1984         case ResolveScope:
1985         case GetDynamicVar:
1986         case PutDynamicVar: {
1987             fixEdge<KnownCellUse>(node->child1());
1988             break;
1989         }
1990
1991         case LogShadowChickenPrologue: {
1992             fixEdge<KnownCellUse>(node->child1());
1993             break;
1994         }
1995         case LogShadowChickenTail: {
1996             fixEdge<UntypedUse>(node->child1());
1997             fixEdge<KnownCellUse>(node->child2());
1998             break;
1999         }
2000
2001         case GetMapBucket:
2002             if (node->child1().useKind() == MapObjectUse)
2003                 fixEdge<MapObjectUse>(node->child1());
2004             else if (node->child1().useKind() == SetObjectUse)
2005                 fixEdge<SetObjectUse>(node->child1());
2006             else
2007                 RELEASE_ASSERT_NOT_REACHED();
2008
2009 #if USE(JSVALUE64)
2010             if (node->child2()->shouldSpeculateBoolean())
2011                 fixEdge<BooleanUse>(node->child2());
2012             else if (node->child2()->shouldSpeculateInt32())
2013                 fixEdge<Int32Use>(node->child2());
2014             else if (node->child2()->shouldSpeculateSymbol())
2015                 fixEdge<SymbolUse>(node->child2());
2016             else if (node->child2()->shouldSpeculateObject())
2017                 fixEdge<ObjectUse>(node->child2());
2018             else if (node->child2()->shouldSpeculateString())
2019                 fixEdge<StringUse>(node->child2());
2020             else if (node->child2()->shouldSpeculateCell())
2021                 fixEdge<CellUse>(node->child2());
2022             else
2023                 fixEdge<UntypedUse>(node->child2());
2024 #else
2025             fixEdge<UntypedUse>(node->child2());
2026 #endif // USE(JSVALUE64)
2027
2028             fixEdge<Int32Use>(node->child3());
2029             break;
2030
2031         case GetMapBucketHead:
2032             if (node->child1().useKind() == MapObjectUse)
2033                 fixEdge<MapObjectUse>(node->child1());
2034             else if (node->child1().useKind() == SetObjectUse)
2035                 fixEdge<SetObjectUse>(node->child1());
2036             else
2037                 RELEASE_ASSERT_NOT_REACHED();
2038             break;
2039
2040         case GetMapBucketNext:
2041         case LoadKeyFromMapBucket:
2042         case LoadValueFromMapBucket:
2043             fixEdge<CellUse>(node->child1());
2044             break;
2045
2046         case MapHash: {
2047 #if USE(JSVALUE64)
2048             if (node->child1()->shouldSpeculateBoolean()) {
2049                 fixEdge<BooleanUse>(node->child1());
2050                 break;
2051             }
2052
2053             if (node->child1()->shouldSpeculateInt32()) {
2054                 fixEdge<Int32Use>(node->child1());
2055                 break;
2056             }
2057
2058             if (node->child1()->shouldSpeculateSymbol()) {
2059                 fixEdge<SymbolUse>(node->child1());
2060                 break;
2061             }
2062
2063             if (node->child1()->shouldSpeculateObject()) {
2064                 fixEdge<ObjectUse>(node->child1());
2065                 break;
2066             }
2067
2068             if (node->child1()->shouldSpeculateString()) {
2069                 fixEdge<StringUse>(node->child1());
2070                 break;
2071             }
2072
2073             if (node->child1()->shouldSpeculateCell()) {
2074                 fixEdge<CellUse>(node->child1());
2075                 break;
2076             }
2077
2078             fixEdge<UntypedUse>(node->child1());
2079 #else
2080             fixEdge<UntypedUse>(node->child1());
2081 #endif // USE(JSVALUE64)
2082             break;
2083         }
2084
2085         case NormalizeMapKey: {
2086             fixupNormalizeMapKey(node);
2087             break;
2088         }
2089
2090         case WeakMapGet: {
2091             if (node->child1().useKind() == WeakMapObjectUse)
2092                 fixEdge<WeakMapObjectUse>(node->child1());
2093             else if (node->child1().useKind() == WeakSetObjectUse)
2094                 fixEdge<WeakSetObjectUse>(node->child1());
2095             else
2096                 RELEASE_ASSERT_NOT_REACHED();
2097             fixEdge<ObjectUse>(node->child2());
2098             fixEdge<Int32Use>(node->child3());
2099             break;
2100         }
2101
2102         case SetAdd: {
2103             fixEdge<SetObjectUse>(node->child1());
2104             fixEdge<Int32Use>(node->child3());
2105             break;
2106         }
2107
2108         case MapSet: {
2109             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
2110             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2111             break;
2112         }
2113
2114         case WeakSetAdd: {
2115             fixEdge<WeakSetObjectUse>(node->child1());
2116             fixEdge<ObjectUse>(node->child2());
2117             fixEdge<Int32Use>(node->child3());
2118             break;
2119         }
2120
2121         case WeakMapSet: {
2122             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2123             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2124             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2125             break;
2126         }
2127
2128         case DefineDataProperty: {
2129             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2130             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2131             if (propertyEdge->shouldSpeculateSymbol())
2132                 fixEdge<SymbolUse>(propertyEdge);
2133             else if (propertyEdge->shouldSpeculateStringIdent())
2134                 fixEdge<StringIdentUse>(propertyEdge);
2135             else if (propertyEdge->shouldSpeculateString())
2136                 fixEdge<StringUse>(propertyEdge);
2137             else
2138                 fixEdge<UntypedUse>(propertyEdge);
2139             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2140             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2141             break;
2142         }
2143
2144         case StringValueOf: {
2145             fixupStringValueOf(node);
2146             break;
2147         }
2148
2149         case ObjectToString: {
2150             fixupObjectToString(node);
2151             break;
2152         }
2153
2154         case StringSlice: {
2155             fixEdge<StringUse>(node->child1());
2156             fixEdge<Int32Use>(node->child2());
2157             if (node->child3())
2158                 fixEdge<Int32Use>(node->child3());
2159             break;
2160         }
2161
2162         case ToLowerCase: {
2163             // We currently only support StringUse since that will ensure that
2164             // ToLowerCase is a pure operation. If we decide to update this with
2165             // more types in the future, we need to ensure that the clobberize rules
2166             // are correct.
2167             fixEdge<StringUse>(node->child1());
2168             break;
2169         }
2170
2171         case NumberToStringWithRadix: {
2172             if (node->child1()->shouldSpeculateInt32())
2173                 fixEdge<Int32Use>(node->child1());
2174             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2175                 fixEdge<Int52RepUse>(node->child1());
2176             else
2177                 fixEdge<DoubleRepUse>(node->child1());
2178             fixEdge<Int32Use>(node->child2());
2179             break;
2180         }
2181
2182         case DefineAccessorProperty: {
2183             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2184             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2185             if (propertyEdge->shouldSpeculateSymbol())
2186                 fixEdge<SymbolUse>(propertyEdge);
2187             else if (propertyEdge->shouldSpeculateStringIdent())
2188                 fixEdge<StringIdentUse>(propertyEdge);
2189             else if (propertyEdge->shouldSpeculateString())
2190                 fixEdge<StringUse>(propertyEdge);
2191             else
2192                 fixEdge<UntypedUse>(propertyEdge);
2193             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2194             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2195             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2196             break;
2197         }
2198
2199         case CheckSubClass: {
2200             fixupCheckSubClass(node);
2201             break;
2202         }
2203
2204         case CallDOMGetter: {
2205             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2206             fixEdge<CellUse>(node->child1()); // DOM.
2207             if (snippet && snippet->requireGlobalObject)
2208                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2209             break;
2210         }
2211
2212         case CallDOM: {
2213             fixupCallDOM(node);
2214             break;
2215         }
2216
2217         case Call: {
2218             attemptToMakeCallDOM(node);
2219             break;
2220         }
2221
2222         case ParseInt: {
2223             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2224                 fixEdge<Int32Use>(node->child1());
2225                 node->convertToIdentity();
2226                 break;
2227             }
2228
2229             if (node->child1()->shouldSpeculateString()) {
2230                 fixEdge<StringUse>(node->child1());
2231                 node->clearFlags(NodeMustGenerate);
2232             }
2233
2234             if (node->child2())
2235                 fixEdge<Int32Use>(node->child2());
2236
2237             break;
2238         }
2239
2240         case IdentityWithProfile: {
2241             node->clearFlags(NodeMustGenerate);
2242             break;
2243         }
2244
2245         case ThrowStaticError:
2246             fixEdge<StringUse>(node->child1());
2247             break;
2248
2249         case NumberIsInteger:
2250             if (node->child1()->shouldSpeculateInt32()) {
2251                 m_insertionSet.insertNode(
2252                     m_indexInBlock, SpecNone, Check, node->origin,
2253                     Edge(node->child1().node(), Int32Use));
2254                 m_graph.convertToConstant(node, jsBoolean(true));
2255                 break;
2256             }
2257             break;
2258
2259         case SetCallee:
2260             fixEdge<CellUse>(node->child1());
2261             break;
2262
2263         case DataViewGetInt:
2264         case DataViewGetFloat: {
2265             fixEdge<DataViewObjectUse>(node->child1());
2266             fixEdge<Int32Use>(node->child2());
2267             if (node->child3())
2268                 fixEdge<BooleanUse>(node->child3());
2269
2270             if (node->op() == DataViewGetInt) {
2271                 DataViewData data = node->dataViewData();
2272                 switch (data.byteSize) {
2273                 case 1:
2274                 case 2:
2275                     node->setResult(NodeResultInt32);
2276                     break;
2277                 case 4:
2278                     if (data.isSigned)
2279                         node->setResult(NodeResultInt32);
2280                     else
2281                         node->setResult(NodeResultInt52);
2282                     break;
2283                 default:
2284                     RELEASE_ASSERT_NOT_REACHED();
2285                 }
2286             }
2287             break;
2288         }
2289
2290         case DataViewSet: {
2291             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2292             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2293             if (m_graph.varArgChild(node, 3))
2294                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2295             
2296             DataViewData data = node->dataViewData();
2297             Edge& valueToStore = m_graph.varArgChild(node, 2);
2298             if (data.isFloatingPoint)
2299                 fixEdge<DoubleRepUse>(valueToStore);
2300             else {
2301                 switch (data.byteSize) {
2302                 case 1:
2303                 case 2:
2304                     fixEdge<Int32Use>(valueToStore);
2305                     break;
2306                 case 4:
2307                     if (data.isSigned)
2308                         fixEdge<Int32Use>(valueToStore);
2309                     else
2310                         fixEdge<Int52RepUse>(valueToStore);
2311                     break;
2312                 }
2313             }
2314             break;
2315         }
2316
2317 #if !ASSERT_DISABLED
2318         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2319         case SetArgument:
2320         case JSConstant:
2321         case LazyJSConstant:
2322         case DoubleConstant:
2323         case GetLocal:
2324         case GetCallee:
2325         case GetArgumentCountIncludingThis:
2326         case SetArgumentCountIncludingThis:
2327         case GetRestLength:
2328         case GetArgument:
2329         case Flush:
2330         case PhantomLocal:
2331         case GetGlobalVar:
2332         case GetGlobalLexicalVariable:
2333         case NotifyWrite:
2334         case DirectCall:
2335         case CheckTypeInfoFlags:
2336         case TailCallInlinedCaller:
2337         case DirectTailCallInlinedCaller:
2338         case Construct:
2339         case DirectConstruct:
2340         case CallVarargs:
2341         case CallEval:
2342         case TailCallVarargsInlinedCaller:
2343         case ConstructVarargs:
2344         case CallForwardVarargs:
2345         case ConstructForwardVarargs:
2346         case TailCallForwardVarargs:
2347         case TailCallForwardVarargsInlinedCaller:
2348         case LoadVarargs:
2349         case ForwardVarargs:
2350         case ProfileControlFlow:
2351         case NewObject:
2352         case NewRegexp:
2353         case DeleteById:
2354         case DeleteByVal:
2355         case IsTypedArrayView:
2356         case IsEmpty:
2357         case IsUndefined:
2358         case IsUndefinedOrNull:
2359         case IsBoolean:
2360         case IsNumber:
2361         case IsObjectOrNull:
2362         case IsFunction:
2363         case CreateDirectArguments:
2364         case Jump:
2365         case Return:
2366         case TailCall:
2367         case DirectTailCall:
2368         case TailCallVarargs:
2369         case Throw:
2370         case CountExecution:
2371         case SuperSamplerBegin:
2372         case SuperSamplerEnd:
2373         case ForceOSRExit:
2374         case CheckBadCell:
2375         case CheckNotEmpty:
2376         case AssertNotEmpty:
2377         case CheckTraps:
2378         case Unreachable:
2379         case ExtractOSREntryLocal:
2380         case ExtractCatchLocal:
2381         case ClearCatchLocals:
2382         case LoopHint:
2383         case MovHint:
2384         case InitializeEntrypointArguments:
2385         case ZombieHint:
2386         case ExitOK:
2387         case BottomValue:
2388         case TypeOf:
2389         case PutByIdWithThis:
2390         case PutByValWithThis:
2391         case GetByValWithThis:
2392         case CompareEqPtr:
2393         case NumberToStringWithValidRadixConstant:
2394         case GetGlobalThis:
2395         case ExtractValueFromWeakMapGet:
2396         case CPUIntrinsic:
2397         case FilterCallLinkStatus:
2398         case FilterGetByIdStatus:
2399         case FilterPutByIdStatus:
2400         case FilterInByIdStatus:
2401         case InvalidationPoint:
2402             break;
2403 #else
2404         default:
2405             break;
2406 #endif
2407         }
2408     }
2409
2410     void watchHavingABadTime(Node* node)
2411     {
2412         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2413
2414         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2415         // does an array allocation. The types of array allocations may change if we start to have a bad
2416         // time. It's easier to reason about this if we know that whenever the types change after we start
2417         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2418         // prior to this point nobody should have been doing optimizations based on the indexing type of
2419         // the allocation.
2420         if (!globalObject->isHavingABadTime()) {
2421             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2422             m_graph.freeze(globalObject);
2423         }
2424     }
2425     
2426     template<UseKind useKind>
2427     void createToString(Node* node, Edge& edge)
2428     {
2429         Node* toString = m_insertionSet.insertNode(
2430             m_indexInBlock, SpecString, ToString, node->origin,
2431             Edge(edge.node(), useKind));
2432         switch (useKind) {
2433         case Int32Use:
2434         case Int52RepUse:
2435         case DoubleRepUse:
2436         case NotCellUse:
2437             toString->clearFlags(NodeMustGenerate);
2438             break;
2439         default:
2440             break;
2441         }
2442         edge.setNode(toString);
2443     }
2444     
2445     template<UseKind useKind>
2446     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2447     {
2448         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read) || arrayMode == ArrayMode(Array::Generic, Array::OriginalNonArray, Array::Read));
2449         
2450         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2451             return;
2452         
2453         createToString<useKind>(node, node->child1());
2454         arrayMode = ArrayMode(Array::String, Array::Read);
2455     }
2456     
2457     template<UseKind useKind>
2458     bool isStringObjectUse()
2459     {
2460         switch (useKind) {
2461         case StringObjectUse:
2462         case StringOrStringObjectUse:
2463             return true;
2464         default:
2465             return false;
2466         }
2467     }
2468     
2469     template<UseKind useKind>
2470     void convertStringAddUse(Node* node, Edge& edge)
2471     {
2472         if (useKind == StringUse) {
2473             observeUseKindOnNode<StringUse>(edge.node());
2474             m_insertionSet.insertNode(
2475                 m_indexInBlock, SpecNone, Check, node->origin,
2476                 Edge(edge.node(), StringUse));
2477             edge.setUseKind(KnownStringUse);
2478             return;
2479         }
2480         
2481         observeUseKindOnNode<useKind>(edge.node());
2482         createToString<useKind>(node, edge);
2483     }
2484     
2485     void convertToMakeRope(Node* node)
2486     {
2487         node->setOpAndDefaultFlags(MakeRope);
2488         fixupMakeRope(node);
2489     }
2490     
2491     void fixupMakeRope(Node* node)
2492     {
2493         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2494             Edge& edge = node->children.child(i);
2495             if (!edge)
2496                 break;
2497             edge.setUseKind(KnownStringUse);
2498             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2499             if (!string)
2500                 continue;
2501             if (string->length())
2502                 continue;
2503             
2504             // Don't allow the MakeRope to have zero children.
2505             if (!i && !node->child2())
2506                 break;
2507             
2508             node->children.removeEdge(i--);
2509         }
2510         
2511         if (!node->child2()) {
2512             ASSERT(!node->child3());
2513             node->convertToIdentity();
2514         }
2515     }
2516
2517     void fixupIsCellWithType(Node* node)
2518     {
2519         switch (node->speculatedTypeForQuery()) {
2520         case SpecString:
2521             if (node->child1()->shouldSpeculateString()) {
2522                 m_insertionSet.insertNode(
2523                     m_indexInBlock, SpecNone, Check, node->origin,
2524                     Edge(node->child1().node(), StringUse));
2525                 m_graph.convertToConstant(node, jsBoolean(true));
2526                 observeUseKindOnNode<StringUse>(node);
2527                 return;
2528             }
2529             break;
2530
2531         case SpecProxyObject:
2532             if (node->child1()->shouldSpeculateProxyObject()) {
2533                 m_insertionSet.insertNode(
2534                     m_indexInBlock, SpecNone, Check, node->origin,
2535                     Edge(node->child1().node(), ProxyObjectUse));
2536                 m_graph.convertToConstant(node, jsBoolean(true));
2537                 observeUseKindOnNode<ProxyObjectUse>(node);
2538                 return;
2539             }
2540             break;
2541
2542         case SpecRegExpObject:
2543             if (node->child1()->shouldSpeculateRegExpObject()) {
2544                 m_insertionSet.insertNode(
2545                     m_indexInBlock, SpecNone, Check, node->origin,
2546                     Edge(node->child1().node(), RegExpObjectUse));
2547                 m_graph.convertToConstant(node, jsBoolean(true));
2548                 observeUseKindOnNode<RegExpObjectUse>(node);
2549                 return;
2550             }
2551             break;
2552
2553         case SpecArray:
2554             if (node->child1()->shouldSpeculateArray()) {
2555                 m_insertionSet.insertNode(
2556                     m_indexInBlock, SpecNone, Check, node->origin,
2557                     Edge(node->child1().node(), ArrayUse));
2558                 m_graph.convertToConstant(node, jsBoolean(true));
2559                 observeUseKindOnNode<ArrayUse>(node);
2560                 return;
2561             }
2562             break;
2563
2564         case SpecDerivedArray:
2565             if (node->child1()->shouldSpeculateDerivedArray()) {
2566                 m_insertionSet.insertNode(
2567                     m_indexInBlock, SpecNone, Check, node->origin,
2568                     Edge(node->child1().node(), DerivedArrayUse));
2569                 m_graph.convertToConstant(node, jsBoolean(true));
2570                 observeUseKindOnNode<DerivedArrayUse>(node);
2571                 return;
2572             }
2573             break;
2574         }
2575
2576         if (node->child1()->shouldSpeculateCell()) {
2577             fixEdge<CellUse>(node->child1());
2578             return;
2579         }
2580
2581         if (node->child1()->shouldSpeculateNotCell()) {
2582             m_insertionSet.insertNode(
2583                 m_indexInBlock, SpecNone, Check, node->origin,
2584                 Edge(node->child1().node(), NotCellUse));
2585             m_graph.convertToConstant(node, jsBoolean(false));
2586             observeUseKindOnNode<NotCellUse>(node);
2587             return;
2588         }
2589     }
2590
2591     void fixupGetPrototypeOf(Node* node)
2592     {
2593         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2594         if (node->child1().useKind() != ObjectUse) {
2595             if (node->child1()->shouldSpeculateString()) {
2596                 insertCheck<StringUse>(node->child1().node());
2597                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2598                 return;
2599             }
2600             if (node->child1()->shouldSpeculateInt32()) {
2601                 insertCheck<Int32Use>(node->child1().node());
2602                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2603                 return;
2604             }
2605             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2606                 insertCheck<Int52RepUse>(node->child1().node());
2607                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2608                 return;
2609             }
2610             if (node->child1()->shouldSpeculateNumber()) {
2611                 insertCheck<NumberUse>(node->child1().node());
2612                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2613                 return;
2614             }
2615             if (node->child1()->shouldSpeculateSymbol()) {
2616                 insertCheck<SymbolUse>(node->child1().node());
2617                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2618                 return;
2619             }
2620             if (node->child1()->shouldSpeculateBoolean()) {
2621                 insertCheck<BooleanUse>(node->child1().node());
2622                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2623                 return;
2624             }
2625         }
2626
2627         if (node->child1()->shouldSpeculateFinalObject()) {
2628             fixEdge<FinalObjectUse>(node->child1());
2629             node->clearFlags(NodeMustGenerate);
2630             return;
2631         }
2632         if (node->child1()->shouldSpeculateArray()) {
2633             fixEdge<ArrayUse>(node->child1());
2634             node->clearFlags(NodeMustGenerate);
2635             return;
2636         }
2637         if (node->child1()->shouldSpeculateFunction()) {
2638             fixEdge<FunctionUse>(node->child1());
2639             node->clearFlags(NodeMustGenerate);
2640             return;
2641         }
2642     }
2643
2644     void fixupToThis(Node* node)
2645     {
2646         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2647
2648         if (ecmaMode == StrictMode) {
2649             if (node->child1()->shouldSpeculateBoolean()) {
2650                 fixEdge<BooleanUse>(node->child1());
2651                 node->convertToIdentity();
2652                 return;
2653             }
2654
2655             if (node->child1()->shouldSpeculateInt32()) {
2656                 fixEdge<Int32Use>(node->child1());
2657                 node->convertToIdentity();
2658                 return;
2659             }
2660
2661             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2662                 fixEdge<Int52RepUse>(node->child1());
2663                 node->convertToIdentity();
2664                 node->setResult(NodeResultInt52);
2665                 return;
2666             }
2667
2668             if (node->child1()->shouldSpeculateNumber()) {
2669                 fixEdge<DoubleRepUse>(node->child1());
2670                 node->convertToIdentity();
2671                 node->setResult(NodeResultDouble);
2672                 return;
2673             }
2674
2675             if (node->child1()->shouldSpeculateSymbol()) {
2676                 fixEdge<SymbolUse>(node->child1());
2677                 node->convertToIdentity();
2678                 return;
2679             }
2680
2681             if (node->child1()->shouldSpeculateStringIdent()) {
2682                 fixEdge<StringIdentUse>(node->child1());
2683                 node->convertToIdentity();
2684                 return;
2685             }
2686
2687             if (node->child1()->shouldSpeculateString()) {
2688                 fixEdge<StringUse>(node->child1());
2689                 node->convertToIdentity();
2690                 return;
2691             }
2692             
2693             if (node->child1()->shouldSpeculateBigInt()) {
2694                 fixEdge<BigIntUse>(node->child1());
2695                 node->convertToIdentity();
2696                 return;
2697             }
2698         }
2699
2700         if (node->child1()->shouldSpeculateOther()) {
2701             if (ecmaMode == StrictMode) {
2702                 fixEdge<OtherUse>(node->child1());
2703                 node->convertToIdentity();
2704                 return;
2705             }
2706
2707             m_insertionSet.insertNode(
2708                 m_indexInBlock, SpecNone, Check, node->origin,
2709                 Edge(node->child1().node(), OtherUse));
2710             observeUseKindOnNode<OtherUse>(node->child1().node());
2711             m_graph.convertToConstant(
2712                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2713             return;
2714         }
2715
2716         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2717         // however, since we cover all the missing cases in constant folding.
2718         // https://bugs.webkit.org/show_bug.cgi?id=157213
2719         if (node->child1()->shouldSpeculateStringObject()) {
2720             fixEdge<StringObjectUse>(node->child1());
2721             node->convertToIdentity();
2722             return;
2723         }
2724
2725         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2726             fixEdge<FinalObjectUse>(node->child1());
2727             node->convertToIdentity();
2728             return;
2729         }
2730     }
2731     
2732     void fixupToPrimitive(Node* node)
2733     {
2734         if (node->child1()->shouldSpeculateInt32()) {
2735             fixEdge<Int32Use>(node->child1());
2736             node->convertToIdentity();
2737             return;
2738         }
2739         
2740         if (node->child1()->shouldSpeculateString()) {
2741             fixEdge<StringUse>(node->child1());
2742             node->convertToIdentity();
2743             return;
2744         }
2745         
2746         if (node->child1()->shouldSpeculateStringObject()
2747             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2748             fixEdge<StringObjectUse>(node->child1());
2749             node->convertToToString();
2750             return;
2751         }
2752         
2753         if (node->child1()->shouldSpeculateStringOrStringObject()
2754             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2755             fixEdge<StringOrStringObjectUse>(node->child1());
2756             node->convertToToString();
2757             return;
2758         }
2759     }
2760
2761     void fixupToNumber(Node* node)
2762     {
2763         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2764         if (node->child1()->shouldSpeculateNumber()) {
2765             if (isInt32Speculation(node->getHeapPrediction())) {
2766                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2767                 if (node->child1()->shouldSpeculateInt32()) {
2768                     fixEdge<Int32Use>(node->child1());
2769                     node->convertToIdentity();
2770                     return;
2771                 }
2772
2773                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2774                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2775                 fixEdge<DoubleRepUse>(node->child1());
2776                 node->setOp(DoubleAsInt32);
2777                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2778                     node->setArithMode(Arith::CheckOverflow);
2779                 else
2780                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2781                 return;
2782             }
2783
2784             fixEdge<DoubleRepUse>(node->child1());
2785             node->convertToIdentity();
2786             node->setResult(NodeResultDouble);
2787             return;
2788         }
2789
2790         fixEdge<UntypedUse>(node->child1());
2791         node->setResult(NodeResultJS);
2792     }
2793
2794     void fixupToObject(Node* node)
2795     {
2796         if (node->child1()->shouldSpeculateObject()) {
2797             fixEdge<ObjectUse>(node->child1());
2798             node->convertToIdentity();
2799             return;
2800         }
2801
2802         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2803
2804         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2805
2806         if (node->child1()->shouldSpeculateString()) {
2807             insertCheck<StringUse>(node->child1().node());
2808             fixEdge<KnownStringUse>(node->child1());
2809             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2810             return;
2811         }
2812
2813         if (node->child1()->shouldSpeculateSymbol()) {
2814             insertCheck<SymbolUse>(node->child1().node());
2815             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2816             return;
2817         }
2818
2819         if (node->child1()->shouldSpeculateNumber()) {
2820             insertCheck<NumberUse>(node->child1().node());
2821             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2822             return;
2823         }
2824
2825         if (node->child1()->shouldSpeculateBoolean()) {
2826             insertCheck<BooleanUse>(node->child1().node());
2827             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2828             return;
2829         }
2830
2831         fixEdge<UntypedUse>(node->child1());
2832     }
2833
2834     void fixupCallObjectConstructor(Node* node)
2835     {
2836         if (node->child1()->shouldSpeculateObject()) {
2837             fixEdge<ObjectUse>(node->child1());
2838             node->convertToIdentity();
2839             return;
2840         }
2841
2842         if (node->child1()->shouldSpeculateString()) {
2843             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2844             insertCheck<StringUse>(node->child1().node());
2845             fixEdge<KnownStringUse>(node->child1());
2846             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2847             return;
2848         }
2849
2850         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2851         if (node->child1()->shouldSpeculateOther()) {
2852             insertCheck<OtherUse>(node->child1().node());
2853             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2854             return;
2855         }
2856
2857         fixEdge<UntypedUse>(node->child1());
2858     }
2859     
2860     void fixupToStringOrCallStringConstructor(Node* node)
2861     {
2862         if (node->child1()->shouldSpeculateString()) {
2863             fixEdge<StringUse>(node->child1());
2864             node->convertToIdentity();
2865             return;
2866         }
2867         
2868         if (node->child1()->shouldSpeculateStringObject()
2869             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2870             fixEdge<StringObjectUse>(node->child1());
2871             return;
2872         }
2873         
2874         if (node->child1()->shouldSpeculateStringOrStringObject()
2875             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2876             fixEdge<StringOrStringObjectUse>(node->child1());
2877             return;
2878         }
2879         
2880         if (node->child1()->shouldSpeculateCell()) {
2881             fixEdge<CellUse>(node->child1());
2882             return;
2883         }
2884
2885         if (node->child1()->shouldSpeculateInt32()) {
2886             fixEdge<Int32Use>(node->child1());
2887             node->clearFlags(NodeMustGenerate);
2888             return;
2889         }
2890
2891         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2892             fixEdge<Int52RepUse>(node->child1());
2893             node->clearFlags(NodeMustGenerate);
2894             return;
2895         }
2896
2897         if (node->child1()->shouldSpeculateNumber()) {
2898             fixEdge<DoubleRepUse>(node->child1());
2899             node->clearFlags(NodeMustGenerate);
2900             return;
2901         }
2902
2903         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2904         // we need to care about it in the clobberize. In the following case,
2905         // since NotCellUse edge filter is used and this edge filters Symbols,
2906         // we can say that ToString never throws an error!
2907         if (node->child1()->shouldSpeculateNotCell()) {
2908             fixEdge<NotCellUse>(node->child1());
2909             node->clearFlags(NodeMustGenerate);
2910             return;
2911         }
2912     }
2913
2914     void fixupStringValueOf(Node* node)
2915     {
2916         if (node->child1()->shouldSpeculateString()) {
2917             fixEdge<StringUse>(node->child1());
2918             node->convertToIdentity();
2919             return;
2920         }
2921
2922         if (node->child1()->shouldSpeculateStringObject()) {
2923             fixEdge<StringObjectUse>(node->child1());
2924             node->convertToToString();
2925             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2926             node->clearFlags(NodeMustGenerate);
2927             return;
2928         }
2929
2930         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2931             fixEdge<StringOrStringObjectUse>(node->child1());
2932             node->convertToToString();
2933             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2934             node->clearFlags(NodeMustGenerate);
2935             return;
2936         }
2937     }
2938
2939     void fixupObjectToString(Node* node)
2940     {
2941         if (node->child1()->shouldSpeculateOther()) {
2942             fixEdge<OtherUse>(node->child1());
2943             node->clearFlags(NodeMustGenerate);
2944             return;
2945         }
2946     }
2947
2948     bool attemptToMakeFastStringAdd(Node* node)
2949     {
2950         bool goodToGo = true;
2951         m_graph.doToChildren(
2952             node,
2953             [&] (Edge& edge) {
2954                 if (edge->shouldSpeculateString())
2955                     return;
2956                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2957                     if (edge->shouldSpeculateStringObject())
2958                         return;
2959                     if (edge->shouldSpeculateStringOrStringObject())
2960                         return;
2961                 }
2962                 goodToGo = false;
2963             });
2964         if (!goodToGo)
2965             return false;
2966
2967         m_graph.doToChildren(
2968             node,
2969             [&] (Edge& edge) {
2970                 if (edge->shouldSpeculateString()) {
2971                     convertStringAddUse<StringUse>(node, edge);
2972                     return;
2973                 }
2974                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2975                 if (edge->shouldSpeculateStringObject()) {
2976                     convertStringAddUse<StringObjectUse>(node, edge);
2977                     return;
2978                 }
2979                 if (edge->shouldSpeculateStringOrStringObject()) {
2980                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2981                     return;
2982                 }
2983                 RELEASE_ASSERT_NOT_REACHED();
2984             });
2985         
2986         convertToMakeRope(node);
2987         return true;
2988     }
2989
2990     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2991     {
2992         if (!block)
2993             return;
2994         ASSERT(block->isReachable);
2995         m_block = block;
2996         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2997             Node* node = m_currentNode = block->at(m_indexInBlock);
2998             if (node->op() != SetLocal && node->op() != GetLocal)
2999                 continue;
3000             
3001             VariableAccessData* variable = node->variableAccessData();
3002             switch (node->op()) {
3003             case GetLocal:
3004                 switch (variable->flushFormat()) {
3005                 case FlushedDouble:
3006                     node->setResult(NodeResultDouble);
3007                     break;
3008                 case FlushedInt52:
3009                     node->setResult(NodeResultInt52);
3010                     break;
3011                 default:
3012                     break;
3013                 }
3014                 break;
3015                 
3016             case SetLocal:
3017                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
3018                 // add new type checking use kind for SetLocals, we need to modify that code as well.
3019                 
3020                 switch (variable->flushFormat()) {
3021                 case FlushedJSValue:
3022                     break;
3023                 case FlushedDouble:
3024                     fixEdge<DoubleRepUse>(node->child1());
3025                     break;
3026                 case FlushedInt32:
3027                     fixEdge<Int32Use>(node->child1());
3028                     break;
3029                 case FlushedInt52:
3030                     fixEdge<Int52RepUse>(node->child1());
3031                     break;
3032                 case FlushedCell:
3033                     fixEdge<CellUse>(node->child1());
3034                     break;
3035                 case FlushedBoolean:
3036                     fixEdge<BooleanUse>(node->child1());
3037                     break;
3038                 default:
3039                     RELEASE_ASSERT_NOT_REACHED();
3040                     break;
3041                 }
3042                 break;
3043                 
3044             default:
3045                 RELEASE_ASSERT_NOT_REACHED();
3046                 break;
3047             }
3048         }
3049         m_insertionSet.execute(block);
3050     }
3051     
3052     void addStringReplacePrimordialChecks(Node* searchRegExp)
3053     {
3054         Node* node = m_currentNode;
3055
3056         // Check that structure of searchRegExp is RegExp object
3057         m_insertionSet.insertNode(
3058             m_indexInBlock, SpecNone, Check, node->origin,
3059             Edge(searchRegExp, RegExpObjectUse));
3060
3061         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
3062             unsigned index = m_graph.identifiers().ensure(propertyUID);
3063
3064             Node* actualProperty = m_insertionSet.insertNode(
3065                 m_indexInBlock, SpecNone, TryGetById, node->origin,
3066                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
3067
3068             m_insertionSet.insertNode(
3069                 m_indexInBlock, SpecNone, CheckCell, node->origin,
3070                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
3071         };
3072
3073         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
3074
3075         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
3076         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
3077         // Check that searchRegExp.global is the primordial RegExp.prototype.global
3078         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
3079         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
3080         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());