2a7bf2a85ac826ed8d68653c6d88c5379dcf3416
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149             
150         case ValueAdd: {
151             if (attemptToMakeIntegerAdd(node)) {
152                 node->setOp(ArithAdd);
153                 break;
154             }
155             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
156                 fixDoubleOrBooleanEdge(node->child1());
157                 fixDoubleOrBooleanEdge(node->child2());
158                 node->setOp(ArithAdd);
159                 node->setResult(NodeResultDouble);
160                 break;
161             }
162             
163             if (attemptToMakeFastStringAdd(node))
164                 break;
165
166             Edge& child1 = node->child1();
167             Edge& child2 = node->child2();
168             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
169                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
170                     auto convertString = [&](Node* node, Edge& edge) {
171                         if (edge->shouldSpeculateInt32())
172                             convertStringAddUse<Int32Use>(node, edge);
173                         else {
174                             ASSERT(edge->shouldSpeculateString());
175                             convertStringAddUse<StringUse>(node, edge);
176                         }
177                     };
178                     convertString(node, child1);
179                     convertString(node, child2);
180                     convertToMakeRope(node);
181                     break;
182                 }
183             }
184
185             fixEdge<UntypedUse>(child1);
186             fixEdge<UntypedUse>(child2);
187             node->setResult(NodeResultJS);
188             break;
189         }
190
191         case StrCat: {
192             if (attemptToMakeFastStringAdd(node))
193                 break;
194
195             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
196             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
197             // the implementation of StrCat doesn't dynamically optimize for empty strings.
198             // https://bugs.webkit.org/show_bug.cgi?id=148540
199             m_graph.doToChildren(
200                 node,
201                 [&] (Edge& edge) {
202                     fixEdge<KnownPrimitiveUse>(edge);
203                     // StrCat automatically coerces the values into strings before concatenating them.
204                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
205                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
206                     // our runtime functions for this slow path expect that they will never be passed
207                     // Symbols.
208                     m_insertionSet.insertNode(
209                         m_indexInBlock, SpecNone, Check, node->origin,
210                         Edge(edge.node(), NotSymbolUse));
211                 });
212             break;
213         }
214             
215         case MakeRope: {
216             fixupMakeRope(node);
217             break;
218         }
219             
220         case ArithAdd:
221         case ArithSub: {
222             if (op == ArithSub
223                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
224                 fixEdge<UntypedUse>(node->child1());
225                 fixEdge<UntypedUse>(node->child2());
226                 node->setResult(NodeResultJS);
227                 break;
228             }
229             if (attemptToMakeIntegerAdd(node))
230                 break;
231             fixDoubleOrBooleanEdge(node->child1());
232             fixDoubleOrBooleanEdge(node->child2());
233             node->setResult(NodeResultDouble);
234             break;
235         }
236             
237         case ArithNegate: {
238             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
239                 fixIntOrBooleanEdge(node->child1());
240                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
241                     node->setArithMode(Arith::Unchecked);
242                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
243                     node->setArithMode(Arith::CheckOverflow);
244                 else
245                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
246                 node->setResult(NodeResultInt32);
247                 node->clearFlags(NodeMustGenerate);
248                 break;
249             }
250             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
251                 fixEdge<Int52RepUse>(node->child1());
252                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
253                     node->setArithMode(Arith::CheckOverflow);
254                 else
255                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
256                 node->setResult(NodeResultInt52);
257                 node->clearFlags(NodeMustGenerate);
258                 break;
259             }
260             if (node->child1()->shouldSpeculateNotCell()) {
261                 fixDoubleOrBooleanEdge(node->child1());
262                 node->setResult(NodeResultDouble);
263                 node->clearFlags(NodeMustGenerate);
264             } else
265                 fixEdge<UntypedUse>(node->child1());
266             break;
267         }
268             
269         case ArithMul: {
270             Edge& leftChild = node->child1();
271             Edge& rightChild = node->child2();
272             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
273                 fixEdge<UntypedUse>(leftChild);
274                 fixEdge<UntypedUse>(rightChild);
275                 node->setResult(NodeResultJS);
276                 break;
277             }
278             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
279                 fixIntOrBooleanEdge(leftChild);
280                 fixIntOrBooleanEdge(rightChild);
281                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
282                     node->setArithMode(Arith::Unchecked);
283                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
284                     || leftChild.node() == rightChild.node())
285                     node->setArithMode(Arith::CheckOverflow);
286                 else
287                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
288                 break;
289             }
290             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
291                 fixEdge<Int52RepUse>(leftChild);
292                 fixEdge<Int52RepUse>(rightChild);
293                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
294                     || leftChild.node() == rightChild.node())
295                     node->setArithMode(Arith::CheckOverflow);
296                 else
297                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
298                 node->setResult(NodeResultInt52);
299                 break;
300             }
301             fixDoubleOrBooleanEdge(leftChild);
302             fixDoubleOrBooleanEdge(rightChild);
303             node->setResult(NodeResultDouble);
304             break;
305         }
306
307         case ArithDiv:
308         case ArithMod: {
309             Edge& leftChild = node->child1();
310             Edge& rightChild = node->child2();
311             if (op == ArithDiv
312                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
313                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
314                 fixEdge<UntypedUse>(leftChild);
315                 fixEdge<UntypedUse>(rightChild);
316                 node->setResult(NodeResultJS);
317                 break;
318             }
319             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
320                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
321                     fixIntOrBooleanEdge(leftChild);
322                     fixIntOrBooleanEdge(rightChild);
323                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
324                         node->setArithMode(Arith::Unchecked);
325                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
326                         node->setArithMode(Arith::CheckOverflow);
327                     else
328                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
329                     break;
330                 }
331                 
332                 // This will cause conversion nodes to be inserted later.
333                 fixDoubleOrBooleanEdge(leftChild);
334                 fixDoubleOrBooleanEdge(rightChild);
335                 
336                 // We don't need to do ref'ing on the children because we're stealing them from
337                 // the original division.
338                 Node* newDivision = m_insertionSet.insertNode(
339                     m_indexInBlock, SpecBytecodeDouble, *node);
340                 newDivision->setResult(NodeResultDouble);
341                 
342                 node->setOp(DoubleAsInt32);
343                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
344                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
345                     node->setArithMode(Arith::CheckOverflow);
346                 else
347                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
348                 break;
349             }
350             fixDoubleOrBooleanEdge(leftChild);
351             fixDoubleOrBooleanEdge(rightChild);
352             node->setResult(NodeResultDouble);
353             break;
354         }
355             
356         case ArithMin:
357         case ArithMax: {
358             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
359                 fixIntOrBooleanEdge(node->child1());
360                 fixIntOrBooleanEdge(node->child2());
361                 break;
362             }
363             fixDoubleOrBooleanEdge(node->child1());
364             fixDoubleOrBooleanEdge(node->child2());
365             node->setResult(NodeResultDouble);
366             break;
367         }
368             
369         case ArithAbs: {
370             if (node->child1()->shouldSpeculateInt32OrBoolean()
371                 && node->canSpeculateInt32(FixupPass)) {
372                 fixIntOrBooleanEdge(node->child1());
373                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
374                     node->setArithMode(Arith::Unchecked);
375                 else
376                     node->setArithMode(Arith::CheckOverflow);
377                 node->clearFlags(NodeMustGenerate);
378                 node->setResult(NodeResultInt32);
379                 break;
380             }
381
382             if (node->child1()->shouldSpeculateNotCell()) {
383                 fixDoubleOrBooleanEdge(node->child1());
384                 node->clearFlags(NodeMustGenerate);
385             } else
386                 fixEdge<UntypedUse>(node->child1());
387             node->setResult(NodeResultDouble);
388             break;
389         }
390
391         case ArithPow: {
392             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
393                 fixDoubleOrBooleanEdge(node->child1());
394                 fixIntOrBooleanEdge(node->child2());
395                 break;
396             }
397
398             fixDoubleOrBooleanEdge(node->child1());
399             fixDoubleOrBooleanEdge(node->child2());
400             break;
401         }
402
403         case ArithRandom: {
404             node->setResult(NodeResultDouble);
405             break;
406         }
407
408         case ArithRound:
409         case ArithFloor:
410         case ArithCeil:
411         case ArithTrunc: {
412             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
413                 fixIntOrBooleanEdge(node->child1());
414                 insertCheck<Int32Use>(node->child1().node());
415                 node->convertToIdentity();
416                 break;
417             }
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420
421                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
422                     node->setResult(NodeResultInt32);
423                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
424                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
425                     else
426                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
427                 } else {
428                     node->setResult(NodeResultDouble);
429                     node->setArithRoundingMode(Arith::RoundingMode::Double);
430                 }
431                 node->clearFlags(NodeMustGenerate);
432             } else
433                 fixEdge<UntypedUse>(node->child1());
434             break;
435         }
436
437         case ArithFRound:
438         case ArithSqrt:
439         case ArithUnary: {
440             Edge& child1 = node->child1();
441             if (child1->shouldSpeculateNotCell()) {
442                 fixDoubleOrBooleanEdge(child1);
443                 node->clearFlags(NodeMustGenerate);
444             } else
445                 fixEdge<UntypedUse>(child1);
446             break;
447         }
448             
449         case LogicalNot: {
450             if (node->child1()->shouldSpeculateBoolean()) {
451                 if (node->child1()->result() == NodeResultBoolean) {
452                     // This is necessary in case we have a bytecode instruction implemented by:
453                     //
454                     // a: CompareEq(...)
455                     // b: LogicalNot(@a)
456                     //
457                     // In that case, CompareEq might have a side-effect. Then, we need to make
458                     // sure that we know that Branch does not exit.
459                     fixEdge<KnownBooleanUse>(node->child1());
460                 } else
461                     fixEdge<BooleanUse>(node->child1());
462             } else if (node->child1()->shouldSpeculateObjectOrOther())
463                 fixEdge<ObjectOrOtherUse>(node->child1());
464             else if (node->child1()->shouldSpeculateInt32OrBoolean())
465                 fixIntOrBooleanEdge(node->child1());
466             else if (node->child1()->shouldSpeculateNumber())
467                 fixEdge<DoubleRepUse>(node->child1());
468             else if (node->child1()->shouldSpeculateString())
469                 fixEdge<StringUse>(node->child1());
470             else if (node->child1()->shouldSpeculateStringOrOther())
471                 fixEdge<StringOrOtherUse>(node->child1());
472             else {
473                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
474                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
475                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
476             }
477             break;
478         }
479
480         case CompareEq:
481         case CompareLess:
482         case CompareLessEq:
483         case CompareGreater:
484         case CompareGreaterEq: {
485             if (node->op() == CompareEq
486                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
487                 fixEdge<BooleanUse>(node->child1());
488                 fixEdge<BooleanUse>(node->child2());
489                 node->clearFlags(NodeMustGenerate);
490                 break;
491             }
492             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
493                 fixIntOrBooleanEdge(node->child1());
494                 fixIntOrBooleanEdge(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (enableInt52()
499                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
500                 fixEdge<Int52RepUse>(node->child1());
501                 fixEdge<Int52RepUse>(node->child2());
502                 node->clearFlags(NodeMustGenerate);
503                 break;
504             }
505             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
506                 fixDoubleOrBooleanEdge(node->child1());
507                 fixDoubleOrBooleanEdge(node->child2());
508             }
509             if (node->op() != CompareEq
510                 && node->child1()->shouldSpeculateNotCell()
511                 && node->child2()->shouldSpeculateNotCell()) {
512                 if (node->child1()->shouldSpeculateNumberOrBoolean())
513                     fixDoubleOrBooleanEdge(node->child1());
514                 else
515                     fixEdge<DoubleRepUse>(node->child1());
516                 if (node->child2()->shouldSpeculateNumberOrBoolean())
517                     fixDoubleOrBooleanEdge(node->child2());
518                 else
519                     fixEdge<DoubleRepUse>(node->child2());
520                 node->clearFlags(NodeMustGenerate);
521                 break;
522             }
523             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
524                 fixEdge<StringIdentUse>(node->child1());
525                 fixEdge<StringIdentUse>(node->child2());
526                 node->clearFlags(NodeMustGenerate);
527                 break;
528             }
529             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
530                 fixEdge<StringUse>(node->child1());
531                 fixEdge<StringUse>(node->child2());
532                 node->clearFlags(NodeMustGenerate);
533                 break;
534             }
535
536             if (node->op() != CompareEq)
537                 break;
538             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
539                 fixEdge<SymbolUse>(node->child1());
540                 fixEdge<SymbolUse>(node->child2());
541                 node->clearFlags(NodeMustGenerate);
542                 break;
543             }
544             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
545                 fixEdge<ObjectUse>(node->child1());
546                 fixEdge<ObjectUse>(node->child2());
547                 node->clearFlags(NodeMustGenerate);
548                 break;
549             }
550
551             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
552             bool oneArgumentIsUsedAsSpecOther = false;
553             if (node->child1()->isUndefinedOrNullConstant()) {
554                 fixEdge<OtherUse>(node->child1());
555                 oneArgumentIsUsedAsSpecOther = true;
556             } else if (node->child1()->shouldSpeculateOther()) {
557                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
558                     Edge(node->child1().node(), OtherUse));
559                 fixEdge<OtherUse>(node->child1());
560                 oneArgumentIsUsedAsSpecOther = true;
561             }
562             if (node->child2()->isUndefinedOrNullConstant()) {
563                 fixEdge<OtherUse>(node->child2());
564                 oneArgumentIsUsedAsSpecOther = true;
565             } else if (node->child2()->shouldSpeculateOther()) {
566                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
567                     Edge(node->child2().node(), OtherUse));
568                 fixEdge<OtherUse>(node->child2());
569                 oneArgumentIsUsedAsSpecOther = true;
570             }
571             if (oneArgumentIsUsedAsSpecOther) {
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575
576             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
577                 fixEdge<ObjectUse>(node->child1());
578                 fixEdge<ObjectOrOtherUse>(node->child2());
579                 node->clearFlags(NodeMustGenerate);
580                 break;
581             }
582             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
583                 fixEdge<ObjectOrOtherUse>(node->child1());
584                 fixEdge<ObjectUse>(node->child2());
585                 node->clearFlags(NodeMustGenerate);
586                 break;
587             }
588
589             break;
590         }
591             
592         case CompareStrictEq: {
593             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
594                 fixEdge<BooleanUse>(node->child1());
595                 fixEdge<BooleanUse>(node->child2());
596                 break;
597             }
598             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
599                 fixEdge<Int32Use>(node->child1());
600                 fixEdge<Int32Use>(node->child2());
601                 break;
602             }
603             if (enableInt52()
604                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
605                 fixEdge<Int52RepUse>(node->child1());
606                 fixEdge<Int52RepUse>(node->child2());
607                 break;
608             }
609             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
610                 fixEdge<DoubleRepUse>(node->child1());
611                 fixEdge<DoubleRepUse>(node->child2());
612                 break;
613             }
614             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
615                 fixEdge<SymbolUse>(node->child1());
616                 fixEdge<SymbolUse>(node->child2());
617                 break;
618             }
619             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
620                 fixEdge<StringIdentUse>(node->child1());
621                 fixEdge<StringIdentUse>(node->child2());
622                 break;
623             }
624             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
625                 fixEdge<StringUse>(node->child1());
626                 fixEdge<StringUse>(node->child2());
627                 break;
628             }
629             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
630             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
631                 
632                 if (node->child1()->shouldSpeculateObject()) {
633                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
634                     fixEdge<ObjectUse>(node->child1());
635                     break;
636                 }
637                 if (node->child2()->shouldSpeculateObject()) {
638                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
639                     fixEdge<ObjectUse>(node->child2());
640                     break;
641                 }
642                 
643             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
644                 fixEdge<ObjectUse>(node->child1());
645                 fixEdge<ObjectUse>(node->child2());
646                 break;
647             }
648             if (node->child1()->shouldSpeculateSymbol()) {
649                 fixEdge<SymbolUse>(node->child1());
650                 break;
651             }
652             if (node->child2()->shouldSpeculateSymbol()) {
653                 fixEdge<SymbolUse>(node->child2());
654                 break;
655             }
656             if (node->child1()->shouldSpeculateMisc()) {
657                 fixEdge<MiscUse>(node->child1());
658                 break;
659             }
660             if (node->child2()->shouldSpeculateMisc()) {
661                 fixEdge<MiscUse>(node->child2());
662                 break;
663             }
664             if (node->child1()->shouldSpeculateStringIdent()
665                 && node->child2()->shouldSpeculateNotStringVar()) {
666                 fixEdge<StringIdentUse>(node->child1());
667                 fixEdge<NotStringVarUse>(node->child2());
668                 break;
669             }
670             if (node->child2()->shouldSpeculateStringIdent()
671                 && node->child1()->shouldSpeculateNotStringVar()) {
672                 fixEdge<StringIdentUse>(node->child2());
673                 fixEdge<NotStringVarUse>(node->child1());
674                 break;
675             }
676             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
677                 fixEdge<StringUse>(node->child1());
678                 break;
679             }
680             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
681                 fixEdge<StringUse>(node->child2());
682                 break;
683             }
684             break;
685         }
686             
687         case StringFromCharCode:
688             if (node->child1()->shouldSpeculateInt32())
689                 fixEdge<Int32Use>(node->child1());
690             else
691                 fixEdge<UntypedUse>(node->child1());
692             break;
693
694         case StringCharAt:
695         case StringCharCodeAt: {
696             // Currently we have no good way of refining these.
697             ASSERT(node->arrayMode() == ArrayMode(Array::String));
698             blessArrayOperation(node->child1(), node->child2(), node->child3());
699             fixEdge<KnownCellUse>(node->child1());
700             fixEdge<Int32Use>(node->child2());
701             break;
702         }
703
704         case GetByVal: {
705             if (!node->prediction()) {
706                 m_insertionSet.insertNode(
707                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
708             }
709             
710             node->setArrayMode(
711                 node->arrayMode().refine(
712                     m_graph, node,
713                     node->child1()->prediction(),
714                     node->child2()->prediction(),
715                     SpecNone));
716             
717             blessArrayOperation(node->child1(), node->child2(), node->child3());
718             
719             ArrayMode arrayMode = node->arrayMode();
720             switch (arrayMode.type()) {
721             case Array::Contiguous:
722             case Array::Double:
723                 if (arrayMode.arrayClass() == Array::OriginalArray
724                     && arrayMode.speculation() == Array::InBounds) {
725                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
726                     if (globalObject->arrayPrototypeChainIsSane()) {
727                         // Check if SaneChain will work on a per-type basis. Note that:
728                         //
729                         // 1) We don't want double arrays to sometimes return undefined, since
730                         // that would require a change to the return type and it would pessimise
731                         // things a lot. So, we'd only want to do that if we actually had
732                         // evidence that we could read from a hole. That's pretty annoying.
733                         // Likely the best way to handle that case is with an equivalent of
734                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
735                         // NaN are indistinguishable according to backwards propagation, and just
736                         // use SaneChain in that case. This happens to catch a lot of cases.
737                         //
738                         // 2) We don't want int32 array loads to have to do a hole check just to
739                         // coerce to Undefined, since that would mean twice the checks.
740                         //
741                         // This has two implications. First, we have to do more checks than we'd
742                         // like. It's unfortunate that we have to do the hole check. Second,
743                         // some accesses that hit a hole will now need to take the full-blown
744                         // out-of-bounds slow path. We can fix that with:
745                         // https://bugs.webkit.org/show_bug.cgi?id=144668
746                         
747                         bool canDoSaneChain = false;
748                         switch (arrayMode.type()) {
749                         case Array::Contiguous:
750                             // This is happens to be entirely natural. We already would have
751                             // returned any JSValue, and now we'll return Undefined. We still do
752                             // the check but it doesn't require taking any kind of slow path.
753                             canDoSaneChain = true;
754                             break;
755                             
756                         case Array::Double:
757                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
758                                 // Holes look like NaN already, so if the user doesn't care
759                                 // about the difference between Undefined and NaN then we can
760                                 // do this.
761                                 canDoSaneChain = true;
762                             }
763                             break;
764                             
765                         default:
766                             break;
767                         }
768                         
769                         if (canDoSaneChain) {
770                             m_graph.registerAndWatchStructureTransition(globalObject->arrayPrototype()->structure());
771                             m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure());
772                             if (globalObject->arrayPrototypeChainIsSane())
773                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
774                         }
775                     }
776                 }
777                 break;
778                 
779             case Array::String:
780                 if ((node->prediction() & ~SpecString)
781                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
782                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
783                 break;
784                 
785             default:
786                 break;
787             }
788             
789             arrayMode = node->arrayMode();
790             switch (arrayMode.type()) {
791             case Array::SelectUsingPredictions:
792             case Array::Unprofiled:
793                 RELEASE_ASSERT_NOT_REACHED();
794                 break;
795             case Array::Generic:
796                 if (node->child1()->shouldSpeculateObject()) {
797                     if (node->child2()->shouldSpeculateString()) {
798                         fixEdge<ObjectUse>(node->child1());
799                         fixEdge<StringUse>(node->child2());
800                         break;
801                     }
802
803                     if (node->child2()->shouldSpeculateSymbol()) {
804                         fixEdge<ObjectUse>(node->child1());
805                         fixEdge<SymbolUse>(node->child2());
806                         break;
807                     }
808                 }
809 #if USE(JSVALUE32_64)
810                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
811 #endif
812                 break;
813             case Array::ForceExit:
814                 break;
815             default:
816                 fixEdge<KnownCellUse>(node->child1());
817                 fixEdge<Int32Use>(node->child2());
818                 break;
819             }
820             
821             switch (arrayMode.type()) {
822             case Array::Double:
823                 if (!arrayMode.isOutOfBounds())
824                     node->setResult(NodeResultDouble);
825                 break;
826                 
827             case Array::Float32Array:
828             case Array::Float64Array:
829                 node->setResult(NodeResultDouble);
830                 break;
831                 
832             case Array::Uint32Array:
833                 if (node->shouldSpeculateInt32())
834                     break;
835                 if (node->shouldSpeculateAnyInt() && enableInt52())
836                     node->setResult(NodeResultInt52);
837                 else
838                     node->setResult(NodeResultDouble);
839                 break;
840                 
841             default:
842                 break;
843             }
844             
845             break;
846         }
847
848         case PutByValDirect:
849         case PutByVal:
850         case PutByValAlias: {
851             Edge& child1 = m_graph.varArgChild(node, 0);
852             Edge& child2 = m_graph.varArgChild(node, 1);
853             Edge& child3 = m_graph.varArgChild(node, 2);
854
855             node->setArrayMode(
856                 node->arrayMode().refine(
857                     m_graph, node,
858                     child1->prediction(),
859                     child2->prediction(),
860                     child3->prediction()));
861             
862             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
863             
864             switch (node->arrayMode().modeForPut().type()) {
865             case Array::SelectUsingPredictions:
866             case Array::SelectUsingArguments:
867             case Array::Unprofiled:
868             case Array::Undecided:
869                 RELEASE_ASSERT_NOT_REACHED();
870                 break;
871             case Array::ForceExit:
872             case Array::Generic:
873                 if (child1->shouldSpeculateCell()) {
874                     if (child2->shouldSpeculateString()) {
875                         fixEdge<CellUse>(child1);
876                         fixEdge<StringUse>(child2);
877                         break;
878                     }
879
880                     if (child2->shouldSpeculateSymbol()) {
881                         fixEdge<CellUse>(child1);
882                         fixEdge<SymbolUse>(child2);
883                         break;
884                     }
885                 }
886 #if USE(JSVALUE32_64)
887                 // Due to register pressure on 32-bit, we speculate cell and
888                 // ignore the base-is-not-cell case entirely by letting the
889                 // baseline JIT handle it.
890                 fixEdge<CellUse>(child1);
891 #endif
892                 break;
893             case Array::Int32:
894                 fixEdge<KnownCellUse>(child1);
895                 fixEdge<Int32Use>(child2);
896                 fixEdge<Int32Use>(child3);
897                 break;
898             case Array::Double:
899                 fixEdge<KnownCellUse>(child1);
900                 fixEdge<Int32Use>(child2);
901                 fixEdge<DoubleRepRealUse>(child3);
902                 break;
903             case Array::Int8Array:
904             case Array::Int16Array:
905             case Array::Int32Array:
906             case Array::Uint8Array:
907             case Array::Uint8ClampedArray:
908             case Array::Uint16Array:
909             case Array::Uint32Array:
910                 fixEdge<KnownCellUse>(child1);
911                 fixEdge<Int32Use>(child2);
912                 if (child3->shouldSpeculateInt32())
913                     fixIntOrBooleanEdge(child3);
914                 else if (child3->shouldSpeculateAnyInt())
915                     fixEdge<Int52RepUse>(child3);
916                 else
917                     fixDoubleOrBooleanEdge(child3);
918                 break;
919             case Array::Float32Array:
920             case Array::Float64Array:
921                 fixEdge<KnownCellUse>(child1);
922                 fixEdge<Int32Use>(child2);
923                 fixDoubleOrBooleanEdge(child3);
924                 break;
925             case Array::Contiguous:
926             case Array::ArrayStorage:
927             case Array::SlowPutArrayStorage:
928                 fixEdge<KnownCellUse>(child1);
929                 fixEdge<Int32Use>(child2);
930                 speculateForBarrier(child3);
931                 break;
932             default:
933                 fixEdge<KnownCellUse>(child1);
934                 fixEdge<Int32Use>(child2);
935                 break;
936             }
937             break;
938         }
939             
940         case AtomicsAdd:
941         case AtomicsAnd:
942         case AtomicsCompareExchange:
943         case AtomicsExchange:
944         case AtomicsLoad:
945         case AtomicsOr:
946         case AtomicsStore:
947         case AtomicsSub:
948         case AtomicsXor: {
949             Edge& base = m_graph.child(node, 0);
950             Edge& index = m_graph.child(node, 1);
951             
952             bool badNews = false;
953             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
954                 Edge& child = m_graph.child(node, 2 + i);
955                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
956                 // just call the function when that happens. But the FTL is totally cool with those
957                 // conversions.
958                 if (!child->shouldSpeculateInt32()
959                     && !child->shouldSpeculateAnyInt()
960                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
961                     badNews = true;
962             }
963             
964             if (badNews) {
965                 node->setArrayMode(ArrayMode(Array::Generic));
966                 break;
967             }
968             
969             node->setArrayMode(
970                 node->arrayMode().refine(
971                     m_graph, node, base->prediction(), index->prediction()));
972             
973             if (node->arrayMode().type() == Array::Generic)
974                 break;
975             
976             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
977                 Edge& child = m_graph.child(node, 2 + i);
978                 if (child->shouldSpeculateInt32())
979                     fixIntOrBooleanEdge(child);
980                 else if (child->shouldSpeculateAnyInt())
981                     fixEdge<Int52RepUse>(child);
982                 else {
983                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
984                     fixDoubleOrBooleanEdge(child);
985                 }
986             }
987             
988             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
989             fixEdge<CellUse>(base);
990             fixEdge<Int32Use>(index);
991             
992             if (node->arrayMode().type() == Array::Uint32Array) {
993                 // NOTE: This means basically always doing Int52.
994                 if (node->shouldSpeculateAnyInt() && enableInt52())
995                     node->setResult(NodeResultInt52);
996                 else
997                     node->setResult(NodeResultDouble);
998             }
999             break;
1000         }
1001             
1002         case AtomicsIsLockFree:
1003             if (node->child1()->shouldSpeculateInt32())
1004                 fixIntOrBooleanEdge(node->child1());
1005             break;
1006             
1007         case ArrayPush: {
1008             // May need to refine the array mode in case the value prediction contravenes
1009             // the array prediction. For example, we may have evidence showing that the
1010             // array is in Int32 mode, but the value we're storing is likely to be a double.
1011             // Then we should turn this into a conversion to Double array followed by the
1012             // push. On the other hand, we absolutely don't want to refine based on the
1013             // base prediction. If it has non-cell garbage in it, then we want that to be
1014             // ignored. That's because ArrayPush can't handle any array modes that aren't
1015             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1016             // that would break things.
1017             Edge& storageEdge = m_graph.varArgChild(node, 0);
1018             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1019             unsigned elementOffset = 2;
1020             unsigned elementCount = node->numChildren() - elementOffset;
1021             for (unsigned i = 0; i < elementCount; ++i) {
1022                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1023                 node->setArrayMode(
1024                     node->arrayMode().refine(
1025                         m_graph, node,
1026                         arrayEdge->prediction() & SpecCell,
1027                         SpecInt32Only,
1028                         element->prediction()));
1029             }
1030             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1031             fixEdge<KnownCellUse>(arrayEdge);
1032
1033             // Convert `array.push()` to GetArrayLength.
1034             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1035                 node->setOpAndDefaultFlags(GetArrayLength);
1036                 node->child1() = arrayEdge;
1037                 node->child2() = storageEdge;
1038                 fixEdge<KnownCellUse>(node->child1());
1039                 break;
1040             }
1041
1042             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1043             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1044             for (unsigned i = 0; i < elementCount; ++i) {
1045                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1046                 switch (node->arrayMode().type()) {
1047                 case Array::Int32:
1048                     insertCheck<Int32Use>(element.node());
1049                     fixEdge<KnownInt32Use>(element);
1050                     break;
1051                 case Array::Double:
1052                     insertCheck<DoubleRepRealUse>(element.node());
1053                     fixEdge<DoubleRepUse>(element);
1054                     break;
1055                 case Array::Contiguous:
1056                 case Array::ArrayStorage:
1057                     speculateForBarrier(element);
1058                     break;
1059                 default:
1060                     break;
1061                 }
1062                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1063             }
1064             break;
1065         }
1066             
1067         case ArrayPop: {
1068             blessArrayOperation(node->child1(), Edge(), node->child2());
1069             fixEdge<KnownCellUse>(node->child1());
1070             break;
1071         }
1072
1073         case ArraySlice: {
1074             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1075             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1076             if (node->numChildren() == 4)
1077                 fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1078             break;
1079         }
1080
1081         case ArrayIndexOf:
1082             fixupArrayIndexOf(node);
1083             break;
1084             
1085         case RegExpExec:
1086         case RegExpTest: {
1087             fixEdge<KnownCellUse>(node->child1());
1088             
1089             if (node->child2()->shouldSpeculateRegExpObject()) {
1090                 fixEdge<RegExpObjectUse>(node->child2());
1091
1092                 if (node->child3()->shouldSpeculateString())
1093                     fixEdge<StringUse>(node->child3());
1094             }
1095             break;
1096         }
1097
1098         case StringReplace:
1099         case StringReplaceRegExp: {
1100             if (node->child2()->shouldSpeculateString()) {
1101                 m_insertionSet.insertNode(
1102                     m_indexInBlock, SpecNone, Check, node->origin,
1103                     Edge(node->child2().node(), StringUse));
1104                 fixEdge<StringUse>(node->child2());
1105             } else if (op == StringReplace) {
1106                 if (node->child2()->shouldSpeculateRegExpObject())
1107                     addStringReplacePrimordialChecks(node->child2().node());
1108                 else 
1109                     m_insertionSet.insertNode(
1110                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1111             }
1112
1113             if (node->child1()->shouldSpeculateString()
1114                 && node->child2()->shouldSpeculateRegExpObject()
1115                 && node->child3()->shouldSpeculateString()) {
1116
1117                 fixEdge<StringUse>(node->child1());
1118                 fixEdge<RegExpObjectUse>(node->child2());
1119                 fixEdge<StringUse>(node->child3());
1120                 break;
1121             }
1122             break;
1123         }
1124             
1125         case Branch: {
1126             if (node->child1()->shouldSpeculateBoolean()) {
1127                 if (node->child1()->result() == NodeResultBoolean) {
1128                     // This is necessary in case we have a bytecode instruction implemented by:
1129                     //
1130                     // a: CompareEq(...)
1131                     // b: Branch(@a)
1132                     //
1133                     // In that case, CompareEq might have a side-effect. Then, we need to make
1134                     // sure that we know that Branch does not exit.
1135                     fixEdge<KnownBooleanUse>(node->child1());
1136                 } else
1137                     fixEdge<BooleanUse>(node->child1());
1138             } else if (node->child1()->shouldSpeculateObjectOrOther())
1139                 fixEdge<ObjectOrOtherUse>(node->child1());
1140             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1141                 fixIntOrBooleanEdge(node->child1());
1142             else if (node->child1()->shouldSpeculateNumber())
1143                 fixEdge<DoubleRepUse>(node->child1());
1144             else if (node->child1()->shouldSpeculateString())
1145                 fixEdge<StringUse>(node->child1());
1146             else if (node->child1()->shouldSpeculateStringOrOther())
1147                 fixEdge<StringOrOtherUse>(node->child1());
1148             else {
1149                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1150                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1151                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1152             }
1153             break;
1154         }
1155             
1156         case Switch: {
1157             SwitchData* data = node->switchData();
1158             switch (data->kind) {
1159             case SwitchImm:
1160                 if (node->child1()->shouldSpeculateInt32())
1161                     fixEdge<Int32Use>(node->child1());
1162                 break;
1163             case SwitchChar:
1164                 if (node->child1()->shouldSpeculateString())
1165                     fixEdge<StringUse>(node->child1());
1166                 break;
1167             case SwitchString:
1168                 if (node->child1()->shouldSpeculateStringIdent())
1169                     fixEdge<StringIdentUse>(node->child1());
1170                 else if (node->child1()->shouldSpeculateString())
1171                     fixEdge<StringUse>(node->child1());
1172                 break;
1173             case SwitchCell:
1174                 if (node->child1()->shouldSpeculateCell())
1175                     fixEdge<CellUse>(node->child1());
1176                 // else it's fine for this to have UntypedUse; we will handle this by just making
1177                 // non-cells take the default case.
1178                 break;
1179             }
1180             break;
1181         }
1182             
1183         case ToPrimitive: {
1184             fixupToPrimitive(node);
1185             break;
1186         }
1187
1188         case ToNumber: {
1189             fixupToNumber(node);
1190             break;
1191         }
1192             
1193         case ToString:
1194         case CallStringConstructor: {
1195             fixupToStringOrCallStringConstructor(node);
1196             break;
1197         }
1198             
1199         case NewStringObject: {
1200             fixEdge<KnownStringUse>(node->child1());
1201             break;
1202         }
1203
1204         case NewArrayWithSpread: {
1205             watchHavingABadTime(node);
1206             
1207             BitVector* bitVector = node->bitVector();
1208             for (unsigned i = node->numChildren(); i--;) {
1209                 if (bitVector->get(i))
1210                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1211                 else
1212                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1213             }
1214
1215             break;
1216         }
1217
1218         case Spread: {
1219             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1220             
1221             watchHavingABadTime(node->child1().node());
1222
1223             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1224             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1225             // that it doesn't contain any indexed properties, and that any holes will result in
1226             // jsUndefined().
1227             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
1228             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
1229             if (node->child1()->shouldSpeculateArray()
1230                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1231                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1232                 && globalObject->arrayPrototypeChainIsSane()
1233                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1234                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1235                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1236                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1237                 fixEdge<ArrayUse>(node->child1());
1238             } else
1239                 fixEdge<CellUse>(node->child1());
1240             break;
1241         }
1242             
1243         case NewArray: {
1244             watchHavingABadTime(node);
1245             
1246             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1247                 node->setIndexingType(
1248                     leastUpperBoundOfIndexingTypeAndType(
1249                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1250             }
1251             switch (node->indexingType()) {
1252             case ALL_BLANK_INDEXING_TYPES:
1253                 CRASH();
1254                 break;
1255             case ALL_UNDECIDED_INDEXING_TYPES:
1256                 if (node->numChildren()) {
1257                     // This will only happen if the children have no type predictions. We
1258                     // would have already exited by now, but insert a forced exit just to
1259                     // be safe.
1260                     m_insertionSet.insertNode(
1261                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1262                 }
1263                 break;
1264             case ALL_INT32_INDEXING_TYPES:
1265                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1266                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1267                 break;
1268             case ALL_DOUBLE_INDEXING_TYPES:
1269                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1270                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1271                 break;
1272             case ALL_CONTIGUOUS_INDEXING_TYPES:
1273             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1274                 break;
1275             default:
1276                 CRASH();
1277                 break;
1278             }
1279             break;
1280         }
1281             
1282         case NewTypedArray: {
1283             watchHavingABadTime(node);
1284             
1285             if (node->child1()->shouldSpeculateInt32()) {
1286                 fixEdge<Int32Use>(node->child1());
1287                 node->clearFlags(NodeMustGenerate);
1288                 break;
1289             }
1290             break;
1291         }
1292             
1293         case NewArrayWithSize: {
1294             watchHavingABadTime(node);
1295             fixEdge<Int32Use>(node->child1());
1296             break;
1297         }
1298
1299         case NewArrayBuffer: {
1300             watchHavingABadTime(node);
1301             break;
1302         }
1303
1304         case ToObject: {
1305             fixupToObject(node);
1306             break;
1307         }
1308
1309         case CallObjectConstructor: {
1310             fixupCallObjectConstructor(node);
1311             break;
1312         }
1313
1314         case ToThis: {
1315             fixupToThis(node);
1316             break;
1317         }
1318             
1319         case PutStructure: {
1320             fixEdge<KnownCellUse>(node->child1());
1321             break;
1322         }
1323             
1324         case GetClosureVar:
1325         case GetFromArguments: {
1326             fixEdge<KnownCellUse>(node->child1());
1327             break;
1328         }
1329
1330         case PutClosureVar:
1331         case PutToArguments: {
1332             fixEdge<KnownCellUse>(node->child1());
1333             speculateForBarrier(node->child2());
1334             break;
1335         }
1336
1337         case SkipScope:
1338         case GetScope:
1339         case GetGetter:
1340         case GetSetter:
1341         case GetGlobalObject: {
1342             fixEdge<KnownCellUse>(node->child1());
1343             break;
1344         }
1345             
1346         case AllocatePropertyStorage:
1347         case ReallocatePropertyStorage: {
1348             fixEdge<KnownCellUse>(node->child1());
1349             break;
1350         }
1351             
1352         case NukeStructureAndSetButterfly: {
1353             fixEdge<KnownCellUse>(node->child1());
1354             break;
1355         }
1356
1357         case TryGetById: {
1358             if (node->child1()->shouldSpeculateCell())
1359                 fixEdge<CellUse>(node->child1());
1360             break;
1361         }
1362
1363         case GetById:
1364         case GetByIdFlush: {
1365             // FIXME: This should be done in the ByteCodeParser based on reading the
1366             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1367             // https://bugs.webkit.org/show_bug.cgi?id=154990
1368             auto uid = m_graph.identifiers()[node->identifierNumber()];
1369             if (node->child1()->shouldSpeculateCellOrOther()
1370                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1371                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1372                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1373                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1374                 
1375                 if (uid == vm().propertyNames->length.impl()) {
1376                     attemptToMakeGetArrayLength(node);
1377                     break;
1378                 }
1379
1380                 if (uid == vm().propertyNames->lastIndex.impl()
1381                     && node->child1()->shouldSpeculateRegExpObject()) {
1382                     node->setOp(GetRegExpObjectLastIndex);
1383                     node->clearFlags(NodeMustGenerate);
1384                     fixEdge<RegExpObjectUse>(node->child1());
1385                     break;
1386                 }
1387             }
1388
1389             if (node->child1()->shouldSpeculateNumber()) {
1390                 if (uid == vm().propertyNames->toString.impl()) {
1391                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1392                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1393                         if (node->child1()->shouldSpeculateInt32()) {
1394                             insertCheck<Int32Use>(node->child1().node());
1395                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1396                             break;
1397                         }
1398
1399                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1400                             insertCheck<Int52RepUse>(node->child1().node());
1401                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1402                             break;
1403                         }
1404
1405                         ASSERT(node->child1()->shouldSpeculateNumber());
1406                         insertCheck<DoubleRepUse>(node->child1().node());
1407                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1408                         break;
1409                     }
1410                 }
1411             }
1412
1413             if (node->child1()->shouldSpeculateCell())
1414                 fixEdge<CellUse>(node->child1());
1415             break;
1416         }
1417         
1418         case GetByIdWithThis: {
1419             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1420                 fixEdge<CellUse>(node->child1());
1421                 fixEdge<CellUse>(node->child2());
1422             }
1423             break;
1424         }
1425
1426         case PutById:
1427         case PutByIdFlush:
1428         case PutByIdDirect: {
1429             if (node->child1()->shouldSpeculateCellOrOther()
1430                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1431                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1432                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1433                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1434                 
1435                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1436                 
1437                 if (uid == vm().propertyNames->lastIndex.impl()
1438                     && node->child1()->shouldSpeculateRegExpObject()) {
1439                     node->setOp(SetRegExpObjectLastIndex);
1440                     fixEdge<RegExpObjectUse>(node->child1());
1441                     speculateForBarrier(node->child2());
1442                     break;
1443                 }
1444             }
1445             
1446             fixEdge<CellUse>(node->child1());
1447             break;
1448         }
1449
1450         case PutGetterById:
1451         case PutSetterById: {
1452             fixEdge<KnownCellUse>(node->child1());
1453             fixEdge<KnownCellUse>(node->child2());
1454             break;
1455         }
1456
1457         case PutGetterSetterById: {
1458             fixEdge<KnownCellUse>(node->child1());
1459             break;
1460         }
1461
1462         case PutGetterByVal:
1463         case PutSetterByVal: {
1464             fixEdge<KnownCellUse>(node->child1());
1465             fixEdge<KnownCellUse>(node->child3());
1466             break;
1467         }
1468
1469         case GetExecutable: {
1470             fixEdge<FunctionUse>(node->child1());
1471             break;
1472         }
1473
1474         case OverridesHasInstance:
1475         case CheckStructure:
1476         case CheckCell:
1477         case CreateThis:
1478         case GetButterfly:
1479         case GetButterflyWithoutCaging: {
1480             fixEdge<CellUse>(node->child1());
1481             break;
1482         }
1483
1484         case CheckStringIdent: {
1485             fixEdge<StringIdentUse>(node->child1());
1486             break;
1487         }
1488             
1489         case Arrayify:
1490         case ArrayifyToStructure: {
1491             fixEdge<CellUse>(node->child1());
1492             if (node->child2())
1493                 fixEdge<Int32Use>(node->child2());
1494             break;
1495         }
1496             
1497         case GetByOffset:
1498         case GetGetterSetterByOffset: {
1499             if (!node->child1()->hasStorageResult())
1500                 fixEdge<KnownCellUse>(node->child1());
1501             fixEdge<KnownCellUse>(node->child2());
1502             break;
1503         }
1504             
1505         case MultiGetByOffset: {
1506             fixEdge<CellUse>(node->child1());
1507             break;
1508         }
1509             
1510         case PutByOffset: {
1511             if (!node->child1()->hasStorageResult())
1512                 fixEdge<KnownCellUse>(node->child1());
1513             fixEdge<KnownCellUse>(node->child2());
1514             unsigned index = indexForChecks();
1515             insertInferredTypeCheck(
1516                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1517                 node->storageAccessData().inferredType);
1518             speculateForBarrier(node->child3());
1519             break;
1520         }
1521             
1522         case MultiPutByOffset: {
1523             fixEdge<CellUse>(node->child1());
1524             break;
1525         }
1526             
1527         case InstanceOf: {
1528             if (!(node->child1()->prediction() & ~SpecCell))
1529                 fixEdge<CellUse>(node->child1());
1530             fixEdge<CellUse>(node->child2());
1531             break;
1532         }
1533
1534         case InstanceOfCustom:
1535             fixEdge<CellUse>(node->child2());
1536             break;
1537
1538         case In: {
1539             if (node->child2()->shouldSpeculateInt32()) {
1540                 convertToHasIndexedProperty(node);
1541                 break;
1542             }
1543
1544             fixEdge<CellUse>(node->child1());
1545             break;
1546         }
1547
1548         case HasOwnProperty: {
1549             fixEdge<ObjectUse>(node->child1());
1550 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1551             // We don't have enough registers to do anything interesting on x86 and mips.
1552             fixEdge<UntypedUse>(node->child2());
1553 #else
1554             if (node->child2()->shouldSpeculateString())
1555                 fixEdge<StringUse>(node->child2());
1556             else if (node->child2()->shouldSpeculateSymbol())
1557                 fixEdge<SymbolUse>(node->child2());
1558             else
1559                 fixEdge<UntypedUse>(node->child2());
1560 #endif
1561             break;
1562         }
1563
1564         case Check: {
1565             m_graph.doToChildren(
1566                 node,
1567                 [&] (Edge& edge) {
1568                     switch (edge.useKind()) {
1569                     case NumberUse:
1570                         if (edge->shouldSpeculateInt32ForArithmetic())
1571                             edge.setUseKind(Int32Use);
1572                         break;
1573                     default:
1574                         break;
1575                     }
1576                     observeUseKindOnEdge(edge);
1577                 });
1578             break;
1579         }
1580
1581         case Phantom:
1582             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1583             node->remove();
1584             break;
1585
1586         case FiatInt52: {
1587             RELEASE_ASSERT(enableInt52());
1588             node->convertToIdentity();
1589             fixEdge<Int52RepUse>(node->child1());
1590             node->setResult(NodeResultInt52);
1591             break;
1592         }
1593
1594         case GetArrayLength: {
1595             fixEdge<KnownCellUse>(node->child1());
1596             break;
1597         }
1598
1599         case GetTypedArrayByteOffset: {
1600             fixEdge<KnownCellUse>(node->child1());
1601             break;
1602         }
1603
1604         case CompareBelow:
1605         case CompareBelowEq: {
1606             fixEdge<Int32Use>(node->child1());
1607             fixEdge<Int32Use>(node->child2());
1608             break;
1609         }
1610
1611         case GetPrototypeOf: {
1612             fixupGetPrototypeOf(node);
1613             break;
1614         }
1615
1616         case Phi:
1617         case Upsilon:
1618         case EntrySwitch:
1619         case GetIndexedPropertyStorage:
1620         case LastNodeType:
1621         case CheckTierUpInLoop:
1622         case CheckTierUpAtReturn:
1623         case CheckTierUpAndOSREnter:
1624         case InvalidationPoint:
1625         case CheckArray:
1626         case CheckInBounds:
1627         case ConstantStoragePointer:
1628         case DoubleAsInt32:
1629         case ValueToInt32:
1630         case DoubleRep:
1631         case ValueRep:
1632         case Int52Rep:
1633         case Int52Constant:
1634         case Identity: // This should have been cleaned up.
1635         case BooleanToNumber:
1636         case PhantomNewObject:
1637         case PhantomNewFunction:
1638         case PhantomNewGeneratorFunction:
1639         case PhantomNewAsyncGeneratorFunction:
1640         case PhantomNewAsyncFunction:
1641         case PhantomCreateActivation:
1642         case PhantomDirectArguments:
1643         case PhantomCreateRest:
1644         case PhantomSpread:
1645         case PhantomNewArrayWithSpread:
1646         case PhantomClonedArguments:
1647         case GetMyArgumentByVal:
1648         case GetMyArgumentByValOutOfBounds:
1649         case GetVectorLength:
1650         case PutHint:
1651         case CheckStructureImmediate:
1652         case CheckStructureOrEmpty:
1653         case MaterializeNewObject:
1654         case MaterializeCreateActivation:
1655         case PutStack:
1656         case KillStack:
1657         case GetStack:
1658         case StoreBarrier:
1659         case FencedStoreBarrier:
1660         case GetRegExpObjectLastIndex:
1661         case SetRegExpObjectLastIndex:
1662         case RecordRegExpCachedResult:
1663             // These are just nodes that we don't currently expect to see during fixup.
1664             // If we ever wanted to insert them prior to fixup, then we just have to create
1665             // fixup rules for them.
1666             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1667             break;
1668
1669         case PutGlobalVariable: {
1670             fixEdge<CellUse>(node->child1());
1671             speculateForBarrier(node->child2());
1672             break;
1673         }
1674
1675         case IsObject:
1676             if (node->child1()->shouldSpeculateObject()) {
1677                 m_insertionSet.insertNode(
1678                     m_indexInBlock, SpecNone, Check, node->origin,
1679                     Edge(node->child1().node(), ObjectUse));
1680                 m_graph.convertToConstant(node, jsBoolean(true));
1681                 observeUseKindOnNode<ObjectUse>(node);
1682             }
1683             break;
1684
1685         case IsCellWithType: {
1686             fixupIsCellWithType(node);
1687             break;
1688         }
1689
1690         case GetEnumerableLength: {
1691             fixEdge<CellUse>(node->child1());
1692             break;
1693         }
1694         case HasGenericProperty: {
1695             fixEdge<CellUse>(node->child2());
1696             break;
1697         }
1698         case HasStructureProperty: {
1699             fixEdge<StringUse>(node->child2());
1700             fixEdge<KnownCellUse>(node->child3());
1701             break;
1702         }
1703         case HasIndexedProperty: {
1704             node->setArrayMode(
1705                 node->arrayMode().refine(
1706                     m_graph, node,
1707                     node->child1()->prediction(),
1708                     node->child2()->prediction(),
1709                     SpecNone));
1710             
1711             blessArrayOperation(node->child1(), node->child2(), node->child3());
1712             fixEdge<CellUse>(node->child1());
1713             fixEdge<KnownInt32Use>(node->child2());
1714             break;
1715         }
1716         case GetDirectPname: {
1717             Edge& base = m_graph.varArgChild(node, 0);
1718             Edge& property = m_graph.varArgChild(node, 1);
1719             Edge& index = m_graph.varArgChild(node, 2);
1720             Edge& enumerator = m_graph.varArgChild(node, 3);
1721             fixEdge<CellUse>(base);
1722             fixEdge<KnownCellUse>(property);
1723             fixEdge<KnownInt32Use>(index);
1724             fixEdge<KnownCellUse>(enumerator);
1725             break;
1726         }
1727         case GetPropertyEnumerator: {
1728             fixEdge<CellUse>(node->child1());
1729             break;
1730         }
1731         case GetEnumeratorStructurePname: {
1732             fixEdge<KnownCellUse>(node->child1());
1733             fixEdge<KnownInt32Use>(node->child2());
1734             break;
1735         }
1736         case GetEnumeratorGenericPname: {
1737             fixEdge<KnownCellUse>(node->child1());
1738             fixEdge<KnownInt32Use>(node->child2());
1739             break;
1740         }
1741         case ToIndexString: {
1742             fixEdge<KnownInt32Use>(node->child1());
1743             break;
1744         }
1745         case ProfileType: {
1746             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1747             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1748             // type T for the instructionTypeSet, the global type set must also have information for type T.
1749             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1750             // in the globalTypeSet would've also succeeded.
1751             // (The other direction does not hold in general).
1752
1753             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1754             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1755             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1756                 if (node->child1()->shouldSpeculateInt32()) {
1757                     fixEdge<Int32Use>(node->child1());
1758                     node->remove();
1759                     break;
1760                 }
1761
1762                 if (enableInt52()) {
1763                     fixEdge<AnyIntUse>(node->child1());
1764                     node->remove();
1765                     break;
1766                 }
1767
1768                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1769             }
1770
1771             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1772                 fixEdge<NumberUse>(node->child1());
1773                 node->remove();
1774             } else if (typeSet->doesTypeConformTo(TypeString)) {
1775                 fixEdge<StringUse>(node->child1());
1776                 node->remove();
1777             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1778                 fixEdge<BooleanUse>(node->child1());
1779                 node->remove();
1780             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1781                 fixEdge<OtherUse>(node->child1());
1782                 node->remove();
1783             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1784                 StructureSet set;
1785                 {
1786                     ConcurrentJSLocker locker(typeSet->m_lock);
1787                     set = typeSet->structureSet(locker);
1788                 }
1789                 if (!set.isEmpty()) {
1790                     fixEdge<CellUse>(node->child1());
1791                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1792                 }
1793             }
1794
1795             break;
1796         }
1797
1798         case CreateClonedArguments: {
1799             watchHavingABadTime(node);
1800             break;
1801         }
1802
1803         case CreateScopedArguments:
1804         case CreateActivation:
1805         case NewFunction:
1806         case NewGeneratorFunction:
1807         case NewAsyncGeneratorFunction:
1808         case NewAsyncFunction: {
1809             // Child 1 is always the current scope, which is guaranteed to be an object
1810             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1811             fixEdge<KnownCellUse>(node->child1());
1812             break;
1813         }
1814
1815         case PushWithScope: {
1816             // Child 1 is always the current scope, which is guaranteed to be an object
1817             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1818             fixEdge<KnownCellUse>(node->child1());
1819             if (node->child2()->shouldSpeculateObject())
1820                 fixEdge<ObjectUse>(node->child2());
1821             break;
1822         }
1823
1824         case SetFunctionName: {
1825             // The first child is guaranteed to be a cell because op_set_function_name is only used
1826             // on a newly instantiated function object (the first child).
1827             fixEdge<KnownCellUse>(node->child1());
1828             fixEdge<UntypedUse>(node->child2());
1829             break;
1830         }
1831
1832         case CreateRest: {
1833             watchHavingABadTime(node);
1834             fixEdge<KnownInt32Use>(node->child1());
1835             break;
1836         }
1837
1838         case ResolveScopeForHoistingFuncDeclInEval: {
1839             fixEdge<KnownCellUse>(node->child1());
1840             break;
1841         }
1842         case ResolveScope:
1843         case GetDynamicVar:
1844         case PutDynamicVar: {
1845             fixEdge<KnownCellUse>(node->child1());
1846             break;
1847         }
1848
1849         case LogShadowChickenPrologue: {
1850             fixEdge<KnownCellUse>(node->child1());
1851             break;
1852         }
1853         case LogShadowChickenTail: {
1854             fixEdge<UntypedUse>(node->child1());
1855             fixEdge<KnownCellUse>(node->child2());
1856             break;
1857         }
1858
1859         case GetMapBucket:
1860             if (node->child1().useKind() == MapObjectUse)
1861                 fixEdge<MapObjectUse>(node->child1());
1862             else if (node->child1().useKind() == SetObjectUse)
1863                 fixEdge<SetObjectUse>(node->child1());
1864             else
1865                 RELEASE_ASSERT_NOT_REACHED();
1866
1867 #if USE(JSVALUE64)
1868             if (node->child2()->shouldSpeculateBoolean())
1869                 fixEdge<BooleanUse>(node->child2());
1870             else if (node->child2()->shouldSpeculateInt32())
1871                 fixEdge<Int32Use>(node->child2());
1872             else if (node->child2()->shouldSpeculateSymbol())
1873                 fixEdge<SymbolUse>(node->child2());
1874             else if (node->child2()->shouldSpeculateObject())
1875                 fixEdge<ObjectUse>(node->child2());
1876             else if (node->child2()->shouldSpeculateString())
1877                 fixEdge<StringUse>(node->child2());
1878             else if (node->child2()->shouldSpeculateCell())
1879                 fixEdge<CellUse>(node->child2());
1880             else
1881                 fixEdge<UntypedUse>(node->child2());
1882 #else
1883             fixEdge<UntypedUse>(node->child2());
1884 #endif // USE(JSVALUE64)
1885
1886             fixEdge<Int32Use>(node->child3());
1887             break;
1888
1889         case GetMapBucketHead:
1890             if (node->child1().useKind() == MapObjectUse)
1891                 fixEdge<MapObjectUse>(node->child1());
1892             else if (node->child1().useKind() == SetObjectUse)
1893                 fixEdge<SetObjectUse>(node->child1());
1894             else
1895                 RELEASE_ASSERT_NOT_REACHED();
1896             break;
1897
1898         case GetMapBucketNext:
1899         case LoadKeyFromMapBucket:
1900         case LoadValueFromMapBucket:
1901             fixEdge<CellUse>(node->child1());
1902             break;
1903
1904         case MapHash: {
1905 #if USE(JSVALUE64)
1906             if (node->child1()->shouldSpeculateBoolean()) {
1907                 fixEdge<BooleanUse>(node->child1());
1908                 break;
1909             }
1910
1911             if (node->child1()->shouldSpeculateInt32()) {
1912                 fixEdge<Int32Use>(node->child1());
1913                 break;
1914             }
1915
1916             if (node->child1()->shouldSpeculateSymbol()) {
1917                 fixEdge<SymbolUse>(node->child1());
1918                 break;
1919             }
1920
1921             if (node->child1()->shouldSpeculateObject()) {
1922                 fixEdge<ObjectUse>(node->child1());
1923                 break;
1924             }
1925
1926             if (node->child1()->shouldSpeculateString()) {
1927                 fixEdge<StringUse>(node->child1());
1928                 break;
1929             }
1930
1931             if (node->child1()->shouldSpeculateCell()) {
1932                 fixEdge<CellUse>(node->child1());
1933                 break;
1934             }
1935
1936             fixEdge<UntypedUse>(node->child1());
1937 #else
1938             fixEdge<UntypedUse>(node->child1());
1939 #endif // USE(JSVALUE64)
1940             break;
1941         }
1942
1943         case WeakMapGet: {
1944             fixEdge<WeakMapObjectUse>(node->child1());
1945             fixEdge<ObjectUse>(node->child2());
1946             fixEdge<Int32Use>(node->child3());
1947             break;
1948         }
1949
1950         case SetAdd: {
1951             fixEdge<SetObjectUse>(node->child1());
1952             fixEdge<Int32Use>(node->child3());
1953             break;
1954         }
1955
1956         case MapSet: {
1957             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1958             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1959             break;
1960         }
1961
1962         case DefineDataProperty: {
1963             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1964             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1965             if (propertyEdge->shouldSpeculateSymbol())
1966                 fixEdge<SymbolUse>(propertyEdge);
1967             else if (propertyEdge->shouldSpeculateStringIdent())
1968                 fixEdge<StringIdentUse>(propertyEdge);
1969             else if (propertyEdge->shouldSpeculateString())
1970                 fixEdge<StringUse>(propertyEdge);
1971             else
1972                 fixEdge<UntypedUse>(propertyEdge);
1973             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1974             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1975             break;
1976         }
1977
1978         case StringSlice: {
1979             fixEdge<StringUse>(node->child1());
1980             fixEdge<Int32Use>(node->child2());
1981             if (node->child3())
1982                 fixEdge<Int32Use>(node->child3());
1983             break;
1984         }
1985
1986         case ToLowerCase: {
1987             // We currently only support StringUse since that will ensure that
1988             // ToLowerCase is a pure operation. If we decide to update this with
1989             // more types in the future, we need to ensure that the clobberize rules
1990             // are correct.
1991             fixEdge<StringUse>(node->child1());
1992             break;
1993         }
1994
1995         case NumberToStringWithRadix: {
1996             if (node->child1()->shouldSpeculateInt32())
1997                 fixEdge<Int32Use>(node->child1());
1998             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
1999                 fixEdge<Int52RepUse>(node->child1());
2000             else
2001                 fixEdge<DoubleRepUse>(node->child1());
2002             fixEdge<Int32Use>(node->child2());
2003             break;
2004         }
2005
2006         case DefineAccessorProperty: {
2007             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2008             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2009             if (propertyEdge->shouldSpeculateSymbol())
2010                 fixEdge<SymbolUse>(propertyEdge);
2011             else if (propertyEdge->shouldSpeculateStringIdent())
2012                 fixEdge<StringIdentUse>(propertyEdge);
2013             else if (propertyEdge->shouldSpeculateString())
2014                 fixEdge<StringUse>(propertyEdge);
2015             else
2016                 fixEdge<UntypedUse>(propertyEdge);
2017             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2018             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2019             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2020             break;
2021         }
2022
2023         case CheckSubClass: {
2024             fixupCheckSubClass(node);
2025             break;
2026         }
2027
2028         case CallDOMGetter: {
2029             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2030             fixEdge<CellUse>(node->child1()); // DOM.
2031             if (snippet && snippet->requireGlobalObject)
2032                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2033             break;
2034         }
2035
2036         case CallDOM: {
2037             fixupCallDOM(node);
2038             break;
2039         }
2040
2041         case Call: {
2042             attemptToMakeCallDOM(node);
2043             break;
2044         }
2045
2046         case ParseInt: {
2047             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2048                 fixEdge<Int32Use>(node->child1());
2049                 node->convertToIdentity();
2050                 break;
2051             }
2052
2053             if (node->child1()->shouldSpeculateString()) {
2054                 fixEdge<StringUse>(node->child1());
2055                 node->clearFlags(NodeMustGenerate);
2056             }
2057
2058             if (node->child2())
2059                 fixEdge<Int32Use>(node->child2());
2060
2061             break;
2062         }
2063
2064         case IdentityWithProfile: {
2065             node->clearFlags(NodeMustGenerate);
2066             break;
2067         }
2068
2069         case ThrowStaticError:
2070             fixEdge<StringUse>(node->child1());
2071             break;
2072
2073 #if !ASSERT_DISABLED
2074         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2075         case SetArgument:
2076         case JSConstant:
2077         case LazyJSConstant:
2078         case DoubleConstant:
2079         case GetLocal:
2080         case GetCallee:
2081         case GetArgumentCountIncludingThis:
2082         case GetRestLength:
2083         case GetArgument:
2084         case Flush:
2085         case PhantomLocal:
2086         case GetGlobalVar:
2087         case GetGlobalLexicalVariable:
2088         case NotifyWrite:
2089         case DirectCall:
2090         case CheckTypeInfoFlags:
2091         case TailCallInlinedCaller:
2092         case DirectTailCallInlinedCaller:
2093         case Construct:
2094         case DirectConstruct:
2095         case CallVarargs:
2096         case CallEval:
2097         case TailCallVarargsInlinedCaller:
2098         case ConstructVarargs:
2099         case CallForwardVarargs:
2100         case ConstructForwardVarargs:
2101         case TailCallForwardVarargs:
2102         case TailCallForwardVarargsInlinedCaller:
2103         case LoadVarargs:
2104         case ForwardVarargs:
2105         case ProfileControlFlow:
2106         case NewObject:
2107         case NewRegexp:
2108         case DeleteById:
2109         case DeleteByVal:
2110         case IsTypedArrayView:
2111         case IsEmpty:
2112         case IsUndefined:
2113         case IsBoolean:
2114         case IsNumber:
2115         case IsObjectOrNull:
2116         case IsFunction:
2117         case CreateDirectArguments:
2118         case Jump:
2119         case Return:
2120         case TailCall:
2121         case DirectTailCall:
2122         case TailCallVarargs:
2123         case Throw:
2124         case CountExecution:
2125         case SuperSamplerBegin:
2126         case SuperSamplerEnd:
2127         case ForceOSRExit:
2128         case CheckBadCell:
2129         case CheckNotEmpty:
2130         case CheckTraps:
2131         case Unreachable:
2132         case ExtractOSREntryLocal:
2133         case ExtractCatchLocal:
2134         case LoopHint:
2135         case MovHint:
2136         case InitializeEntrypointArguments:
2137         case ZombieHint:
2138         case ExitOK:
2139         case BottomValue:
2140         case TypeOf:
2141         case PutByIdWithThis:
2142         case PutByValWithThis:
2143         case GetByValWithThis:
2144         case CompareEqPtr:
2145         case NumberToStringWithValidRadixConstant:
2146         case GetGlobalThis:
2147         case CPUIntrinsic:
2148             break;
2149 #else
2150         default:
2151             break;
2152 #endif
2153         }
2154     }
2155
2156     void watchHavingABadTime(Node* node)
2157     {
2158         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2159
2160         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2161         // does an array allocation. The types of array allocations may change if we start to have a bad
2162         // time. It's easier to reason about this if we know that whenever the types change after we start
2163         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2164         // prior to this point nobody should have been doing optimizations based on the indexing type of
2165         // the allocation.
2166         if (!globalObject->isHavingABadTime()) {
2167             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2168             m_graph.freeze(globalObject);
2169         }
2170     }
2171     
2172     template<UseKind useKind>
2173     void createToString(Node* node, Edge& edge)
2174     {
2175         Node* toString = m_insertionSet.insertNode(
2176             m_indexInBlock, SpecString, ToString, node->origin,
2177             Edge(edge.node(), useKind));
2178         switch (useKind) {
2179         case Int32Use:
2180         case Int52RepUse:
2181         case DoubleRepUse:
2182         case NotCellUse:
2183             toString->clearFlags(NodeMustGenerate);
2184             break;
2185         default:
2186             break;
2187         }
2188         edge.setNode(toString);
2189     }
2190     
2191     template<UseKind useKind>
2192     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2193     {
2194         ASSERT(arrayMode == ArrayMode(Array::Generic));
2195         
2196         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2197             return;
2198         
2199         createToString<useKind>(node, node->child1());
2200         arrayMode = ArrayMode(Array::String);
2201     }
2202     
2203     template<UseKind useKind>
2204     bool isStringObjectUse()
2205     {
2206         switch (useKind) {
2207         case StringObjectUse:
2208         case StringOrStringObjectUse:
2209             return true;
2210         default:
2211             return false;
2212         }
2213     }
2214     
2215     template<UseKind useKind>
2216     void convertStringAddUse(Node* node, Edge& edge)
2217     {
2218         if (useKind == StringUse) {
2219             observeUseKindOnNode<StringUse>(edge.node());
2220             m_insertionSet.insertNode(
2221                 m_indexInBlock, SpecNone, Check, node->origin,
2222                 Edge(edge.node(), StringUse));
2223             edge.setUseKind(KnownStringUse);
2224             return;
2225         }
2226         
2227         observeUseKindOnNode<useKind>(edge.node());
2228         createToString<useKind>(node, edge);
2229     }
2230     
2231     void convertToMakeRope(Node* node)
2232     {
2233         node->setOpAndDefaultFlags(MakeRope);
2234         fixupMakeRope(node);
2235     }
2236     
2237     void fixupMakeRope(Node* node)
2238     {
2239         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2240             Edge& edge = node->children.child(i);
2241             if (!edge)
2242                 break;
2243             edge.setUseKind(KnownStringUse);
2244             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2245             if (!string)
2246                 continue;
2247             if (string->length())
2248                 continue;
2249             
2250             // Don't allow the MakeRope to have zero children.
2251             if (!i && !node->child2())
2252                 break;
2253             
2254             node->children.removeEdge(i--);
2255         }
2256         
2257         if (!node->child2()) {
2258             ASSERT(!node->child3());
2259             node->convertToIdentity();
2260         }
2261     }
2262
2263     void fixupIsCellWithType(Node* node)
2264     {
2265         switch (node->speculatedTypeForQuery()) {
2266         case SpecString:
2267             if (node->child1()->shouldSpeculateString()) {
2268                 m_insertionSet.insertNode(
2269                     m_indexInBlock, SpecNone, Check, node->origin,
2270                     Edge(node->child1().node(), StringUse));
2271                 m_graph.convertToConstant(node, jsBoolean(true));
2272                 observeUseKindOnNode<StringUse>(node);
2273                 return;
2274             }
2275             break;
2276
2277         case SpecProxyObject:
2278             if (node->child1()->shouldSpeculateProxyObject()) {
2279                 m_insertionSet.insertNode(
2280                     m_indexInBlock, SpecNone, Check, node->origin,
2281                     Edge(node->child1().node(), ProxyObjectUse));
2282                 m_graph.convertToConstant(node, jsBoolean(true));
2283                 observeUseKindOnNode<ProxyObjectUse>(node);
2284                 return;
2285             }
2286             break;
2287
2288         case SpecRegExpObject:
2289             if (node->child1()->shouldSpeculateRegExpObject()) {
2290                 m_insertionSet.insertNode(
2291                     m_indexInBlock, SpecNone, Check, node->origin,
2292                     Edge(node->child1().node(), RegExpObjectUse));
2293                 m_graph.convertToConstant(node, jsBoolean(true));
2294                 observeUseKindOnNode<RegExpObjectUse>(node);
2295                 return;
2296             }
2297             break;
2298
2299         case SpecArray:
2300             if (node->child1()->shouldSpeculateArray()) {
2301                 m_insertionSet.insertNode(
2302                     m_indexInBlock, SpecNone, Check, node->origin,
2303                     Edge(node->child1().node(), ArrayUse));
2304                 m_graph.convertToConstant(node, jsBoolean(true));
2305                 observeUseKindOnNode<ArrayUse>(node);
2306                 return;
2307             }
2308             break;
2309
2310         case SpecDerivedArray:
2311             if (node->child1()->shouldSpeculateDerivedArray()) {
2312                 m_insertionSet.insertNode(
2313                     m_indexInBlock, SpecNone, Check, node->origin,
2314                     Edge(node->child1().node(), DerivedArrayUse));
2315                 m_graph.convertToConstant(node, jsBoolean(true));
2316                 observeUseKindOnNode<DerivedArrayUse>(node);
2317                 return;
2318             }
2319             break;
2320         }
2321
2322         if (node->child1()->shouldSpeculateCell()) {
2323             fixEdge<CellUse>(node->child1());
2324             return;
2325         }
2326
2327         if (node->child1()->shouldSpeculateNotCell()) {
2328             m_insertionSet.insertNode(
2329                 m_indexInBlock, SpecNone, Check, node->origin,
2330                 Edge(node->child1().node(), NotCellUse));
2331             m_graph.convertToConstant(node, jsBoolean(false));
2332             observeUseKindOnNode<NotCellUse>(node);
2333             return;
2334         }
2335     }
2336
2337     void fixupGetPrototypeOf(Node* node)
2338     {
2339         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2340         if (node->child1().useKind() != ObjectUse) {
2341             if (node->child1()->shouldSpeculateString()) {
2342                 insertCheck<StringUse>(node->child1().node());
2343                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2344                 return;
2345             }
2346             if (node->child1()->shouldSpeculateInt32()) {
2347                 insertCheck<Int32Use>(node->child1().node());
2348                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2349                 return;
2350             }
2351             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2352                 insertCheck<Int52RepUse>(node->child1().node());
2353                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2354                 return;
2355             }
2356             if (node->child1()->shouldSpeculateNumber()) {
2357                 insertCheck<NumberUse>(node->child1().node());
2358                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2359                 return;
2360             }
2361             if (node->child1()->shouldSpeculateSymbol()) {
2362                 insertCheck<SymbolUse>(node->child1().node());
2363                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2364                 return;
2365             }
2366             if (node->child1()->shouldSpeculateBoolean()) {
2367                 insertCheck<BooleanUse>(node->child1().node());
2368                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2369                 return;
2370             }
2371         }
2372
2373         if (node->child1()->shouldSpeculateFinalObject()) {
2374             fixEdge<FinalObjectUse>(node->child1());
2375             node->clearFlags(NodeMustGenerate);
2376             return;
2377         }
2378         if (node->child1()->shouldSpeculateArray()) {
2379             fixEdge<ArrayUse>(node->child1());
2380             node->clearFlags(NodeMustGenerate);
2381             return;
2382         }
2383         if (node->child1()->shouldSpeculateFunction()) {
2384             fixEdge<FunctionUse>(node->child1());
2385             node->clearFlags(NodeMustGenerate);
2386             return;
2387         }
2388     }
2389
2390     void fixupToThis(Node* node)
2391     {
2392         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2393
2394         if (ecmaMode == StrictMode) {
2395             if (node->child1()->shouldSpeculateBoolean()) {
2396                 fixEdge<BooleanUse>(node->child1());
2397                 node->convertToIdentity();
2398                 return;
2399             }
2400
2401             if (node->child1()->shouldSpeculateInt32()) {
2402                 fixEdge<Int32Use>(node->child1());
2403                 node->convertToIdentity();
2404                 return;
2405             }
2406
2407             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2408                 fixEdge<Int52RepUse>(node->child1());
2409                 node->convertToIdentity();
2410                 node->setResult(NodeResultInt52);
2411                 return;
2412             }
2413
2414             if (node->child1()->shouldSpeculateNumber()) {
2415                 fixEdge<DoubleRepUse>(node->child1());
2416                 node->convertToIdentity();
2417                 node->setResult(NodeResultDouble);
2418                 return;
2419             }
2420
2421             if (node->child1()->shouldSpeculateSymbol()) {
2422                 fixEdge<SymbolUse>(node->child1());
2423                 node->convertToIdentity();
2424                 return;
2425             }
2426
2427             if (node->child1()->shouldSpeculateStringIdent()) {
2428                 fixEdge<StringIdentUse>(node->child1());
2429                 node->convertToIdentity();
2430                 return;
2431             }
2432
2433             if (node->child1()->shouldSpeculateString()) {
2434                 fixEdge<StringUse>(node->child1());
2435                 node->convertToIdentity();
2436                 return;
2437             }
2438         }
2439
2440         if (node->child1()->shouldSpeculateOther()) {
2441             if (ecmaMode == StrictMode) {
2442                 fixEdge<OtherUse>(node->child1());
2443                 node->convertToIdentity();
2444                 return;
2445             }
2446
2447             m_insertionSet.insertNode(
2448                 m_indexInBlock, SpecNone, Check, node->origin,
2449                 Edge(node->child1().node(), OtherUse));
2450             observeUseKindOnNode<OtherUse>(node->child1().node());
2451             m_graph.convertToConstant(
2452                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2453             return;
2454         }
2455
2456         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2457         // however, since we cover all the missing cases in constant folding.
2458         // https://bugs.webkit.org/show_bug.cgi?id=157213
2459         if (node->child1()->shouldSpeculateStringObject()) {
2460             fixEdge<StringObjectUse>(node->child1());
2461             node->convertToIdentity();
2462             return;
2463         }
2464
2465         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2466             fixEdge<FinalObjectUse>(node->child1());
2467             node->convertToIdentity();
2468             return;
2469         }
2470     }
2471     
2472     void fixupToPrimitive(Node* node)
2473     {
2474         if (node->child1()->shouldSpeculateInt32()) {
2475             fixEdge<Int32Use>(node->child1());
2476             node->convertToIdentity();
2477             return;
2478         }
2479         
2480         if (node->child1()->shouldSpeculateString()) {
2481             fixEdge<StringUse>(node->child1());
2482             node->convertToIdentity();
2483             return;
2484         }
2485         
2486         if (node->child1()->shouldSpeculateStringObject()
2487             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2488             fixEdge<StringObjectUse>(node->child1());
2489             node->convertToToString();
2490             return;
2491         }
2492         
2493         if (node->child1()->shouldSpeculateStringOrStringObject()
2494             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2495             fixEdge<StringOrStringObjectUse>(node->child1());
2496             node->convertToToString();
2497             return;
2498         }
2499     }
2500
2501     void fixupToNumber(Node* node)
2502     {
2503         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2504         if (node->child1()->shouldSpeculateNumber()) {
2505             if (isInt32Speculation(node->getHeapPrediction())) {
2506                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2507                 if (node->child1()->shouldSpeculateInt32()) {
2508                     fixEdge<Int32Use>(node->child1());
2509                     node->convertToIdentity();
2510                     return;
2511                 }
2512
2513                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2514                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2515                 fixEdge<DoubleRepUse>(node->child1());
2516                 node->setOp(DoubleAsInt32);
2517                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2518                     node->setArithMode(Arith::CheckOverflow);
2519                 else
2520                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2521                 return;
2522             }
2523
2524             fixEdge<DoubleRepUse>(node->child1());
2525             node->convertToIdentity();
2526             node->setResult(NodeResultDouble);
2527             return;
2528         }
2529
2530         fixEdge<UntypedUse>(node->child1());
2531         node->setResult(NodeResultJS);
2532     }
2533
2534     void fixupToObject(Node* node)
2535     {
2536         if (node->child1()->shouldSpeculateObject()) {
2537             fixEdge<ObjectUse>(node->child1());
2538             node->convertToIdentity();
2539             return;
2540         }
2541
2542         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2543
2544         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2545
2546         if (node->child1()->shouldSpeculateString()) {
2547             insertCheck<StringUse>(node->child1().node());
2548             fixEdge<KnownStringUse>(node->child1());
2549             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2550             return;
2551         }
2552
2553         if (node->child1()->shouldSpeculateSymbol()) {
2554             insertCheck<SymbolUse>(node->child1().node());
2555             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2556             return;
2557         }
2558
2559         if (node->child1()->shouldSpeculateNumber()) {
2560             insertCheck<NumberUse>(node->child1().node());
2561             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2562             return;
2563         }
2564
2565         if (node->child1()->shouldSpeculateBoolean()) {
2566             insertCheck<BooleanUse>(node->child1().node());
2567             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2568             return;
2569         }
2570
2571         fixEdge<UntypedUse>(node->child1());
2572     }
2573
2574     void fixupCallObjectConstructor(Node* node)
2575     {
2576         if (node->child1()->shouldSpeculateObject()) {
2577             fixEdge<ObjectUse>(node->child1());
2578             node->convertToIdentity();
2579             return;
2580         }
2581
2582         if (node->child1()->shouldSpeculateString()) {
2583             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2584             insertCheck<StringUse>(node->child1().node());
2585             fixEdge<KnownStringUse>(node->child1());
2586             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2587             return;
2588         }
2589
2590         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2591         if (node->child1()->shouldSpeculateOther()) {
2592             insertCheck<OtherUse>(node->child1().node());
2593             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2594             return;
2595         }
2596
2597         fixEdge<UntypedUse>(node->child1());
2598     }
2599     
2600     void fixupToStringOrCallStringConstructor(Node* node)
2601     {
2602         if (node->child1()->shouldSpeculateString()) {
2603             fixEdge<StringUse>(node->child1());
2604             node->convertToIdentity();
2605             return;
2606         }
2607         
2608         if (node->child1()->shouldSpeculateStringObject()
2609             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2610             fixEdge<StringObjectUse>(node->child1());
2611             return;
2612         }
2613         
2614         if (node->child1()->shouldSpeculateStringOrStringObject()
2615             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2616             fixEdge<StringOrStringObjectUse>(node->child1());
2617             return;
2618         }
2619         
2620         if (node->child1()->shouldSpeculateCell()) {
2621             fixEdge<CellUse>(node->child1());
2622             return;
2623         }
2624
2625         if (node->child1()->shouldSpeculateInt32()) {
2626             fixEdge<Int32Use>(node->child1());
2627             node->clearFlags(NodeMustGenerate);
2628             return;
2629         }
2630
2631         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2632             fixEdge<Int52RepUse>(node->child1());
2633             node->clearFlags(NodeMustGenerate);
2634             return;
2635         }
2636
2637         if (node->child1()->shouldSpeculateNumber()) {
2638             fixEdge<DoubleRepUse>(node->child1());
2639             node->clearFlags(NodeMustGenerate);
2640             return;
2641         }
2642
2643         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2644         // we need to care about it in the clobberize. In the following case,
2645         // since NotCellUse edge filter is used and this edge filters Symbols,
2646         // we can say that ToString never throws an error!
2647         if (node->child1()->shouldSpeculateNotCell()) {
2648             fixEdge<NotCellUse>(node->child1());
2649             node->clearFlags(NodeMustGenerate);
2650             return;
2651         }
2652     }
2653
2654     bool attemptToMakeFastStringAdd(Node* node)
2655     {
2656         bool goodToGo = true;
2657         m_graph.doToChildren(
2658             node,
2659             [&] (Edge& edge) {
2660                 if (edge->shouldSpeculateString())
2661                     return;
2662                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2663                     if (edge->shouldSpeculateStringObject())
2664                         return;
2665                     if (edge->shouldSpeculateStringOrStringObject())
2666                         return;
2667                 }
2668                 goodToGo = false;
2669             });
2670         if (!goodToGo)
2671             return false;
2672
2673         m_graph.doToChildren(
2674             node,
2675             [&] (Edge& edge) {
2676                 if (edge->shouldSpeculateString()) {
2677                     convertStringAddUse<StringUse>(node, edge);
2678                     return;
2679                 }
2680                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2681                 if (edge->shouldSpeculateStringObject()) {
2682                     convertStringAddUse<StringObjectUse>(node, edge);
2683                     return;
2684                 }
2685                 if (edge->shouldSpeculateStringOrStringObject()) {
2686                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2687                     return;
2688                 }
2689                 RELEASE_ASSERT_NOT_REACHED();
2690             });
2691         
2692         convertToMakeRope(node);
2693         return true;
2694     }
2695
2696     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2697     {
2698         if (!block)
2699             return;
2700         ASSERT(block->isReachable);
2701         m_block = block;
2702         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2703             Node* node = m_currentNode = block->at(m_indexInBlock);
2704             if (node->op() != SetLocal && node->op() != GetLocal)
2705                 continue;
2706             
2707             VariableAccessData* variable = node->variableAccessData();
2708             switch (node->op()) {
2709             case GetLocal:
2710                 switch (variable->flushFormat()) {
2711                 case FlushedDouble:
2712                     node->setResult(NodeResultDouble);
2713                     break;
2714                 case FlushedInt52:
2715                     node->setResult(NodeResultInt52);
2716                     break;
2717                 default:
2718                     break;
2719                 }
2720                 break;
2721                 
2722             case SetLocal:
2723                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2724                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2725                 
2726                 switch (variable->flushFormat()) {
2727                 case FlushedJSValue:
2728                     break;
2729                 case FlushedDouble:
2730                     fixEdge<DoubleRepUse>(node->child1());
2731                     break;
2732                 case FlushedInt32:
2733                     fixEdge<Int32Use>(node->child1());
2734                     break;
2735                 case FlushedInt52:
2736                     fixEdge<Int52RepUse>(node->child1());
2737                     break;
2738                 case FlushedCell:
2739                     fixEdge<CellUse>(node->child1());
2740                     break;
2741                 case FlushedBoolean:
2742                     fixEdge<BooleanUse>(node->child1());
2743                     break;
2744                 default:
2745                     RELEASE_ASSERT_NOT_REACHED();
2746                     break;
2747                 }
2748                 break;
2749                 
2750             default:
2751                 RELEASE_ASSERT_NOT_REACHED();
2752                 break;
2753             }
2754         }
2755         m_insertionSet.execute(block);
2756     }
2757     
2758     void addStringReplacePrimordialChecks(Node* searchRegExp)
2759     {
2760         Node* node = m_currentNode;
2761
2762         // Check that structure of searchRegExp is RegExp object
2763         m_insertionSet.insertNode(
2764             m_indexInBlock, SpecNone, Check, node->origin,
2765             Edge(searchRegExp, RegExpObjectUse));
2766
2767         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2768             unsigned index = m_graph.identifiers().ensure(propertyUID);
2769
2770             Node* actualProperty = m_insertionSet.insertNode(
2771                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2772                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2773
2774             m_insertionSet.insertNode(
2775                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2776                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2777         };
2778
2779         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2780
2781         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2782         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2783         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2784         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2785         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2786         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2787         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2788         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2789     }
2790
2791     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2792     {
2793         ASSERT(arrayMode.isSpecific());
2794         
2795         if (arrayMode.type() == Array::String) {
2796             m_insertionSet.insertNode(
2797                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2798         } else {
2799             // Note that we only need to be using a structure check if we opt for SaneChain, since
2800             // that needs to protect against JSArray's __proto__ being changed.
2801             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2802         
2803             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2804             
2805             if (arrayMode.doesConversion()) {
2806                 if (structure) {
2807                     m_insertionSet.insertNode(
2808                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2809                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2810                 } else {
2811                     m_insertionSet.insertNode(
2812                         m_indexInBlock, SpecNone, Arrayify, origin,
2813                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2814                 }
2815             } else {
2816                 if (structure) {
2817                     m_insertionSet.insertNode(
2818                         m_indexInBlock, SpecNone, CheckStructure, origin,
2819                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2820                 } else {
2821                     m_insertionSet.insertNode(
2822                         m_indexInBlock, SpecNone, CheckArray, origin,
2823                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2824                 }
2825             }
2826         }
2827         
2828         if (!storageCheck(arrayMode))
2829             return nullptr;
2830         
2831         if (arrayMode.usesButterfly()) {
2832             return m_insertionSet.insertNode(
2833                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2834         }
2835         
2836         return m_insertionSet.insertNode(
2837             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2838             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2839     }
2840     
2841     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2842     {
2843         Node* node = m_currentNode;
2844         
2845         switch (node->arrayMode().type()) {
2846         case Array::ForceExit: {
2847             m_insertionSet.insertNode(
2848                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2849             return;
2850         }
2851             
2852         case Array::SelectUsingPredictions:
2853         case Array::Unprofiled:
2854             RELEASE_ASSERT_NOT_REACHED();
2855             return;
2856             
2857         case Array::Generic:
2858             return;
2859             
2860         default: {
2861             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2862             if (!storage)
2863                 return;
2864             
2865             storageChild = Edge(storage);
2866             return;
2867         } }
2868     }
2869     
2870     bool alwaysUnboxSimplePrimitives()
2871     {
2872 #if USE(JSVALUE64)
2873         return false;
2874 #else
2875         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2876         // reduces traffic.
2877         return true;
2878 #endif
2879     }
2880
2881     template<UseKind useKind>
2882     void observeUseKindOnNode(Node* node)
2883     {
2884         if (useKind == UntypedUse)
2885             return;
2886         observeUseKindOnNode(node, useKind);
2887     }
2888
2889     void observeUseKindOnEdge(Edge edge)
2890     {
2891         observeUseKindOnNode(edge.node(), edge.useKind());
2892     }
2893
2894     void observeUseKindOnNode(Node* node, UseKind useKind)
2895     {
2896         if (node->op() != GetLocal)
2897             return;
2898         
2899         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2900         // https://bugs.webkit.org/show_bug.cgi?id=121518
2901         
2902         VariableAccessData* variable = node->variableAccessData();
2903         switch (useKind) {
2904         case Int32Use:
2905         case KnownInt32Use:
2906             if (alwaysUnboxSimplePrimitives()
2907                 || isInt32Speculation(variable->prediction()))
2908                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2909             break;
2910         case NumberUse:
2911         case RealNumberUse:
2912         case DoubleRepUse:
2913         case DoubleRepRealUse:
2914             if (variable->doubleFormatState() == UsingDoubleFormat)
2915                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2916             break;
2917         case BooleanUse:
2918         case KnownBooleanUse:
2919             if (alwaysUnboxSimplePrimitives()
2920                 || isBooleanSpeculation(variable->prediction()))
2921                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2922             break;
2923         case Int52RepUse:
2924             if (isAnyIntSpeculation(variable->prediction()))
2925                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2926             break;
2927         case CellUse:
2928         case KnownCellUse:
2929         case ObjectUse:
2930         case FunctionUse:
2931         case StringUse:
2932         case KnownStringUse:
2933         case SymbolUse:
2934         case StringObjectUse:
2935         case StringOrStringObjectUse:
2936             if (alwaysUnboxSimplePrimitives()
2937                 || isCellSpeculation(variable->prediction()))
2938                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2939             break;
2940         default:
2941             break;
2942         }
2943     }
2944     
2945     template<UseKind useKind>
2946     void fixEdge(Edge& edge)
2947     {
2948         observeUseKindOnNode<useKind>(edge.node());
2949         edge.setUseKind(useKind);
2950     }
2951     
2952     unsigned indexForChecks()
2953     {
2954         unsigned index = m_indexInBlock;
2955         while (!m_block->at(index)->origin.exitOK)
2956             index--;
2957         return index;
2958     }
2959     
2960     NodeOrigin originForCheck(unsigned index)
2961     {
2962         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2963     }
2964     
2965     void speculateForBarrier(Edge value)
2966     {
2967         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2968         // the DFG anyway because if such a speculation would be wrong, we want to know before
2969         // we do an expensive compile.
2970         
2971         if (value->shouldSpeculateInt32()) {
2972             insertCheck<Int32Use>(value.node());
2973             return;
2974         }
2975             
2976         if (value->shouldSpeculateBoolean()) {
2977             insertCheck<BooleanUse>(value.node());
2978             return;
2979         }
2980             
2981         if (value->shouldSpeculateOther()) {
2982             insertCheck<OtherUse>(value.node());
2983             return;
2984         }
2985             
2986         if (value->shouldSpeculateNumber()) {
2987             insertCheck<NumberUse>(value.node());
2988             return;
2989         }
2990             
2991         if (value->shouldSpeculateNotCell()) {
2992             insertCheck<NotCellUse>(value.node());
2993             return;
2994         }
2995     }
2996     
2997     template<UseKind useKind>
2998     void insertCheck(Node* node)
2999     {
3000         observeUseKindOnNode<useKind>(node);
3001         unsigned index = indexForChecks();
3002         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3003     }
3004
3005     void fixIntConvertingEdge(Edge& edge)
3006     {
3007         Node* node = edge.node();
3008         if (node->shouldSpeculateInt32OrBoolean()) {
3009             fixIntOrBooleanEdge(edge);
3010             return;
3011         }
3012         
3013         UseKind useKind;
3014         if (node->shouldSpeculateAnyInt())
3015             useKind = Int52RepUse;
3016         else if (node->shouldSpeculateNumber())
3017             useKind = DoubleRepUse;
3018         else
3019             useKind = NotCellUse;
3020         Node* newNode = m_insertionSet.insertNode(
3021             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3022             Edge(node, useKind));
3023         observeUseKindOnNode(node, useKind);
3024         
3025         edge = Edge(newNode, KnownInt32Use);
3026     }
3027     
3028     void fixIntOrBooleanEdge(Edge& edge)
3029     {
3030         Node* node = edge.node();
3031         if (!node->sawBooleans()) {
3032             fixEdge<Int32Use>(edge);
3033             return;
3034         }
3035         
3036         UseKind useKind;
3037         if (node->shouldSpeculateBoolean())
3038             useKind = BooleanUse;
3039         else
3040             useKind = UntypedUse;
3041         Node* newNode = m_insertionSet.insertNode(
3042             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3043             Edge(node, useKind));
3044         observeUseKindOnNode(node, useKind);
3045         
3046         edge = Edge(newNode, Int32Use);
3047     }
3048     
3049     void fixDoubleOrBooleanEdge(Edge& edge)
3050     {
3051         Node* node = edge.node();
3052         if (!node->sawBooleans()) {
3053             fixEdge<DoubleRepUse>(edge);
3054             return;
3055         }
3056         
3057         UseKind useKind;
3058         if (node->shouldSpeculateBoolean())
3059             useKind = BooleanUse;
3060         else
3061             useKind = UntypedUse;
3062         Node* newNode = m_insertionSet.insertNode(
3063             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3064             Edge(node, useKind));
3065         observeUseKindOnNode(node, useKind);
3066         
3067         edge = Edge(newNode, DoubleRepUse);
3068     }
3069     
3070     void truncateConstantToInt32(Edge& edge)
3071     {
3072         Node* oldNode = edge.node();
3073         
3074         JSValue value = oldNode->asJSValue();
3075         if (value.isInt32())
3076             return;
3077         
3078         value = jsNumber(JSC::toInt32(value.asNumber()));
3079         ASSERT(value.isInt32());
3080         edge.setNode(m_insertionSet.insertNode(
3081             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3082             OpInfo(m_graph.freeze(value))));
3083     }
3084     
3085     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3086     {
3087         if (mode != SpeculateInt32AndTruncateConstants)
3088             return;
3089         
3090         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3091         if (node->child1()->hasConstant())
3092             truncateConstantToInt32(node->child1());
3093         else
3094             truncateConstantToInt32(node->child2());
3095     }
3096
3097     bool attemptToMakeIntegerAdd(Node* node)
3098     {
3099         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3100         if (mode != DontSpeculateInt32) {
3101             truncateConstantsIfNecessary(node, mode);
3102             fixIntOrBooleanEdge(node->child1());
3103             fixIntOrBooleanEdge(node->child2());
3104             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3105                 node->setArithMode(Arith::Unchecked);
3106             else
3107                 node->setArithMode(Arith::CheckOverflow);
3108             return true;
3109         }
3110         
3111         if (m_graph.addShouldSpeculateAnyInt(node)) {
3112             fixEdge<Int52RepUse>(node->child1());
3113             fixEdge<Int52RepUse>(node->child2());
3114             node->setArithMode(Arith::CheckOverflow);
3115             node->setResult(NodeResultInt52);
3116             return true;
3117         }
3118         
3119         return false;
3120     }
3121     
3122     bool attemptToMakeGetArrayLength(Node* node)
3123     {
3124         if (!isInt32Speculation(node->prediction()))
3125             return false;
3126         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3127         ArrayProfile* arrayProfile = 
3128             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3129         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
3130         if (arrayProfile) {
3131             ConcurrentJSLocker locker(profiledBlock->m_lock);
3132             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3133             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3134             if (arrayMode.type() == Array::Unprofiled) {
3135                 // For normal array operations, it makes sense to treat Unprofiled
3136                 // accesses as ForceExit and get more data rather than using
3137                 // predictions and then possibly ending up with a Generic. But here,
3138                 // we treat anything that is Unprofiled as Generic and keep the
3139                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3140                 // profit - from treating the Unprofiled case as
3141                 // SelectUsingPredictions.
3142                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
3143             }
3144         }
3145             
3146         arrayMode = arrayMode.refine(
3147             m_graph, node, node->child1()->prediction(), node->prediction());
3148             
3149         if (arrayMode.type() == Array::Generic) {
3150             // Check if the input is something that we can't get array length for, but for which we
3151             // could insert some conversions in order to transform it into something that we can do it
3152             // for.
3153             if (node->child1()->shouldSpeculateStringObject())
3154                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3155             else if (node->child1()->shouldSpeculateStringOrStringObject())
3156                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3157         }
3158             
3159         if (!arrayMode.supportsSelfLength())
3160             return false;
3161         
3162         convertToGetArrayLength(node, arrayMode);
3163         return true;
3164     }
3165
3166     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3167     {
3168         node->setOp(GetArrayLength);
3169         node->clearFlags(NodeMustGenerate);
3170         fixEdge<KnownCellUse>(node->child1());
3171         node->setArrayMode(arrayMode);
3172             
3173         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3174         if (!storage)
3175             return;
3176             
3177         node->child2() = Edge(storage);
3178     }
3179     
3180     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3181     {
3182         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3183         return m_insertionSet.insertNode(
3184             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3185             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3186     }
3187
3188     void convertToHasIndexedProperty(Node* node)
3189     {
3190         node->setOp(HasIndexedProperty);
3191         node->clearFlags(NodeMustGenerate);
3192         node->setArrayMode(
3193             node->arrayMode().refine(
3194                 m_graph, node,
3195                 node->child1()->prediction(),
3196                 node->child2()->prediction(),
3197                 SpecNone));
3198         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3199
3200         blessArrayOperation(node->child1(), node->child2(), node->child3());
3201
3202         fixEdge<CellUse>(node->child1());
3203         fixEdge<Int32Use>(node->child2());
3204     }
3205
3206     bool attemptToMakeCallDOM(Node* node)
3207     {
3208         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3209             return false;
3210
3211         const DOMJIT::Signature* signature = node->signature();
3212         if (!signature)
3213             return false;
3214
3215         {
3216             unsigned index = 0;
3217             bool shouldConvertToCallDOM = true;
3218             m_graph.doToChildren(node, [&](Edge& edge) {
3219                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3220                 if (!index)
3221                     return;
3222
3223                 if (index == 1) {
3224                     // DOM node case.
3225                     if (edge->shouldSpeculateNotCell())
3226                         shouldConvertToCallDOM = false;
3227                 } else {
3228                     switch (signature->arguments[index - 2]) {
3229                     case SpecString:
3230                         if (edge->shouldSpeculateNotString())
3231                             shouldConvertToCallDOM = false;
3232                         break;
3233                     case SpecInt32Only:
3234                         if (edge->shouldSpeculateNotInt32())
3235                             shouldConvertToCallDOM = false;
3236                         break;
3237                     case SpecBoolean:
3238                         if (edge->shouldSpeculateNotBoolean())
3239                             shouldConvertToCallDOM = false;
3240                         break;
3241                     default:
3242                         RELEASE_ASSERT_NOT_REACHED();
3243                         break;
3244                     }
3245                 }
3246                 ++index;
3247             });
3248             if (!shouldConvertToCallDOM)
3249                 return false;
3250         }
3251
3252         Node* thisNode = m_graph.varArgChild(node, 1).node();
3253         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3254         node->convertToCallDOM(m_graph);
3255         fixupCheckSubClass(checkSubClass);
3256         fixupCallDOM(node);
3257         return true;
3258     }
3259
3260     void fixupCheckSubClass(Node* node)
3261     {
3262         fixEdge<CellUse>(node->child1());
3263     }
3264
3265     void fixupCallDOM(Node* node)
3266     {
3267         const DOMJIT::Signature* signature = node->signature();
3268         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3269             if (!edge)
3270                 return;
3271             switch (signature->arguments[argumentIndex]) {
3272             case SpecString:
3273                 fixEdge<StringUse>(edge);
3274                 break;
3275             case SpecInt32Only:
3276                 fixEdge<Int32Use>(edge);
3277                 break;
3278             case SpecBoolean:
3279                 fixEdge<BooleanUse>(edge);
3280                 break;
3281             default:
3282                 RELEASE_ASSERT_NOT_REACHED();
3283                 break;
3284             }
3285         };
3286         fixEdge<CellUse>(node->child1()); // DOM.
3287         fixup(node->child2(), 0);
3288         fixup(node->child3(), 1);
3289     }
3290
3291     void fixupArrayIndexOf(Node* node)
3292     {
3293         Edge& array = m_graph.varArgChild(node, 0);
3294         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3295         blessArrayOperation(array, Edge(), storage);
3296         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3297
3298         Edge& searchElement = m_graph.varArgChild(node, 1);
3299
3300         // Constant folding.
3301         switch (node->arrayMode().type()) {
3302         case Array::Double:
3303         case Array::Int32: {
3304             if (searchElement->shouldSpeculateCell()) {
3305                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3306                 m_graph.convertToConstant(node, jsNumber(-1));
3307                 observeUseKindOnNode<CellUse>(searchElement.node());
3308                 return;
3309             }
3310
3311             if (searchElement->shouldSpeculateOther()) {
3312                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3313                 m_graph.convertToConstant(node, jsNumber(-1));
3314                 observeUseKindOnNode<OtherUse>(searchElement.node());
3315                 return;
3316             }
3317
3318             if (searchElement->shouldSpeculateBoolean()) {
3319                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3320                 m_graph.convertToConstant(node, jsNumber(-1));
3321                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3322                 return;
3323             }
3324             break;
3325         }
3326         default:
3327             break;
3328         }
3329
3330         fixEdge<KnownCellUse>(array);
3331         if (node->numChildren() == 4)
3332             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3333
3334         switch (node->arrayMode().type()) {
3335         case Array::Double: {
3336             if (searchElement->shouldSpeculateNumber())
3337                 fixEdge<DoubleRepUse>(searchElement);
3338             return;
3339         }
3340         case Array::Int32: {
3341             if (searchElement->shouldSpeculateInt32())
3342                 fixEdge<Int32Use>(searchElement);
3343             return;
3344         }
3345         case Array::Contiguous: {
3346             if (searchElement->shouldSpeculateString())
3347                 fixEdge<StringUse>(searchElement);
3348             else if (searchElement->shouldSpeculateSymbol())
3349                 fixEdge<SymbolUse>(searchElement);
3350             else if (searchElement->shouldSpeculateOther())
3351                 fixEdge<OtherUse>(searchElement);
3352             else if (searchElement->shouldSpeculateObject())
3353                 fixEdge<ObjectUse>(searchElement);
3354             return;
3355         }
3356         default:
3357             RELEASE_ASSERT_NOT_REACHED();
3358             return;
3359         }
3360     }
3361
3362     void fixupChecksInBlock(BasicBlock* block)
3363     {
3364         if (!block)
3365             return;
3366         ASSERT(block->isReachable);
3367         m_block = block;
3368         unsigned indexForChecks = UINT_MAX;
3369         NodeOrigin originForChecks;
3370         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3371             Node* node = block->at(indexInBlock);
3372
3373             // If this is a node at which we could exit, then save its index. If nodes after this one
3374             // cannot exit, then we will hoist checks to here.
3375             if (node->origin.exitOK) {
3376                 indexForChecks = indexInBlock;
3377                 originForChecks = node->origin;
3378             }
3379
3380             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3381             
3382             // First, try to relax the representational demands of each node, in order to have
3383             // fewer conversions.
3384             switch (node->op()) {
3385             case MovHint:
3386             case Check:
3387                 m_graph.doToChildren(
3388                     node,
3389                     [&] (Edge& edge) {
3390                         switch (edge.useKind()) {
3391                         case DoubleRepUse:
3392                         case DoubleRepRealUse:
3393                             if (edge->hasDoubleResult())
3394                                 break;
3395             
3396                             if (edge->hasInt52Result())
3397                                 edge.setUseKind(Int52RepUse);
3398                             else if (edge.useKind() == DoubleRepUse)
3399                                 edge.setUseKind(NumberUse);
3400                             break;
3401             
3402                         case Int52RepUse:
3403                             // Nothing we can really do.
3404                             break;
3405             
3406                         case UntypedUse:
3407                         case NumberUse:
3408                             if (edge->hasDoubleResult())
3409                                 edge.setUseKind(DoubleRepUse);
3410                             else if (edge->hasInt52Result())
3411                                 edge.setUseKind(Int52RepUse);
3412                             break;
3413             
3414                         case RealNumberUse:
3415                             if (edge->hasDoubleResult())
3416                                 edge.setUseKind(DoubleRepRealUse);
3417                             else if (edge->hasInt52Result())
3418                                 edge.setUseKind(Int52RepUse);
3419                             break;
3420             
3421                         default:
3422                             break;
3423                         }
3424                     });
3425                 break;
3426                 
3427             case ValueToInt32:
3428                 if (node->child1().useKind() == DoubleRepUse
3429                     && !node->child1()->hasDoubleResult()) {
3430                     node->child1().setUseKind(NumberUse);
3431                     break;
3432                 }
3433                 break;
3434                 
3435             default:
3436                 break;
3437             }
3438
3439             // Now, insert type conversions if necessary.
3440             m_graph.doToChildren(
3441                 node,
3442                 [&] (Edge& edge) {
3443                     Node* result = nullptr;
3444
3445                     switch (edge.useKind()) {
3446                     case DoubleRepUse:
3447                     case DoubleRepRealUse:
3448                     case DoubleRepAnyIntUse: {
3449                         if (edge->hasDoubleResult())
3450                             break;
3451             
3452                         ASSERT(indexForChecks != UINT_MAX);
3453                         if (edge->isNumberConstant()) {
3454                             result = m_insertionSet.insertNode(
3455                                 indexForChecks, SpecBytecodeDouble, DoubleConstant, originForChecks,
3456                                 OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber()))));
3457                         } else if (edge->hasInt52Result()) {
3458                             result = m_insertionSet.insertNode(
3459                                 indexForChecks, SpecAnyIntAsDouble, DoubleRep, originForChecks,
3460                                 Edge(edge.node(), Int52RepUse));
3461                         } else {
3462                             UseKind useKind;
3463                             if (edge->shouldSpeculateDoubleReal())
3464                                 useKind = RealNumberUse;
3465                             else if (edge->shouldSpeculateNumber())
3466                                 useKind = NumberUse;
3467                             else
3468                                 useKind = NotCellUse;
3469
3470                             result = m_insertionSet.insertNode(
3471                                 indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks,
3472                                 Edge(edge.node(), useKind));
3473                         }
3474
3475                         edge.setNode(result);
3476                         break;
3477                     }
3478             
3479                     case Int52RepUse: {
3480                         if (edge->hasInt52Result())
3481                             break;
3482             
3483                         ASSERT(indexForChecks != UINT_MAX);
3484                         if (edge->isAnyIntConstant()) {
3485                             result = m_insertionSet.insertNode(
3486                                 indexForChecks, SpecAnyInt, Int52Constant, originForChecks,
3487                                 OpInfo(edge->constant()));
3488                         } else if (edge->hasDoubleResult()) {
3489                             result = m_insertionSet.insertNode(
3490                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3491                                 Edge(edge.node(), DoubleRepAnyIntUse));
3492                         } else if (edge->shouldSpeculateInt32ForArithmetic()) {
3493                             result = m_insertionSet.insertNode(
3494                                 indexForChecks, SpecInt32Only, Int52Rep, originForChecks,
3495                                 Edge(edge.node(), Int32Use));
3496                         } else {
3497                             result = m_insertionSet.insertNode(
3498                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3499                                 Edge(edge.node(), AnyIntUse));
3500                         }
3501
3502                         edge.setNode(result);
3503                         break;
3504                     }
3505
3506                     default: {
3507                         if (!edge->hasDoubleResult() && !edge->hasInt52Result())
3508                             break;
3509             
3510                         ASSERT(indexForChecks != UINT_MAX);
3511                         if (edge->hasDoubleResult()) {
3512                             result = m_insertionSet.insertNode(
3513<