36524b0324916133ac1578ecc7987de1a151f132
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149             
150         case ValueAdd: {
151             if (attemptToMakeIntegerAdd(node)) {
152                 node->setOp(ArithAdd);
153                 break;
154             }
155             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
156                 fixDoubleOrBooleanEdge(node->child1());
157                 fixDoubleOrBooleanEdge(node->child2());
158                 node->setOp(ArithAdd);
159                 node->setResult(NodeResultDouble);
160                 break;
161             }
162             
163             if (attemptToMakeFastStringAdd(node))
164                 break;
165
166             Edge& child1 = node->child1();
167             Edge& child2 = node->child2();
168             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
169                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
170                     auto convertString = [&](Node* node, Edge& edge) {
171                         if (edge->shouldSpeculateInt32())
172                             convertStringAddUse<Int32Use>(node, edge);
173                         else {
174                             ASSERT(edge->shouldSpeculateString());
175                             convertStringAddUse<StringUse>(node, edge);
176                         }
177                     };
178                     convertString(node, child1);
179                     convertString(node, child2);
180                     convertToMakeRope(node);
181                     break;
182                 }
183             }
184
185             fixEdge<UntypedUse>(child1);
186             fixEdge<UntypedUse>(child2);
187             node->setResult(NodeResultJS);
188             break;
189         }
190
191         case StrCat: {
192             if (attemptToMakeFastStringAdd(node))
193                 break;
194
195             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
196             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
197             // the implementation of StrCat doesn't dynamically optimize for empty strings.
198             // https://bugs.webkit.org/show_bug.cgi?id=148540
199             m_graph.doToChildren(
200                 node,
201                 [&] (Edge& edge) {
202                     fixEdge<KnownPrimitiveUse>(edge);
203                     // StrCat automatically coerces the values into strings before concatenating them.
204                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
205                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
206                     // our runtime functions for this slow path expect that they will never be passed
207                     // Symbols.
208                     m_insertionSet.insertNode(
209                         m_indexInBlock, SpecNone, Check, node->origin,
210                         Edge(edge.node(), NotSymbolUse));
211                 });
212             break;
213         }
214             
215         case MakeRope: {
216             fixupMakeRope(node);
217             break;
218         }
219             
220         case ArithAdd:
221         case ArithSub: {
222             if (op == ArithSub
223                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
224                 fixEdge<UntypedUse>(node->child1());
225                 fixEdge<UntypedUse>(node->child2());
226                 node->setResult(NodeResultJS);
227                 break;
228             }
229             if (attemptToMakeIntegerAdd(node))
230                 break;
231             fixDoubleOrBooleanEdge(node->child1());
232             fixDoubleOrBooleanEdge(node->child2());
233             node->setResult(NodeResultDouble);
234             break;
235         }
236             
237         case ArithNegate: {
238             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
239                 fixIntOrBooleanEdge(node->child1());
240                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
241                     node->setArithMode(Arith::Unchecked);
242                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
243                     node->setArithMode(Arith::CheckOverflow);
244                 else
245                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
246                 node->setResult(NodeResultInt32);
247                 node->clearFlags(NodeMustGenerate);
248                 break;
249             }
250             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
251                 fixEdge<Int52RepUse>(node->child1());
252                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
253                     node->setArithMode(Arith::CheckOverflow);
254                 else
255                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
256                 node->setResult(NodeResultInt52);
257                 node->clearFlags(NodeMustGenerate);
258                 break;
259             }
260             if (node->child1()->shouldSpeculateNotCell()) {
261                 fixDoubleOrBooleanEdge(node->child1());
262                 node->setResult(NodeResultDouble);
263                 node->clearFlags(NodeMustGenerate);
264             } else
265                 fixEdge<UntypedUse>(node->child1());
266             break;
267         }
268             
269         case ArithMul: {
270             Edge& leftChild = node->child1();
271             Edge& rightChild = node->child2();
272             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
273                 fixEdge<UntypedUse>(leftChild);
274                 fixEdge<UntypedUse>(rightChild);
275                 node->setResult(NodeResultJS);
276                 break;
277             }
278             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
279                 fixIntOrBooleanEdge(leftChild);
280                 fixIntOrBooleanEdge(rightChild);
281                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
282                     node->setArithMode(Arith::Unchecked);
283                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
284                     || leftChild.node() == rightChild.node())
285                     node->setArithMode(Arith::CheckOverflow);
286                 else
287                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
288                 break;
289             }
290             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
291                 fixEdge<Int52RepUse>(leftChild);
292                 fixEdge<Int52RepUse>(rightChild);
293                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
294                     || leftChild.node() == rightChild.node())
295                     node->setArithMode(Arith::CheckOverflow);
296                 else
297                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
298                 node->setResult(NodeResultInt52);
299                 break;
300             }
301             fixDoubleOrBooleanEdge(leftChild);
302             fixDoubleOrBooleanEdge(rightChild);
303             node->setResult(NodeResultDouble);
304             break;
305         }
306
307         case ArithDiv:
308         case ArithMod: {
309             Edge& leftChild = node->child1();
310             Edge& rightChild = node->child2();
311             if (op == ArithDiv
312                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
313                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
314                 fixEdge<UntypedUse>(leftChild);
315                 fixEdge<UntypedUse>(rightChild);
316                 node->setResult(NodeResultJS);
317                 break;
318             }
319             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
320                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
321                     fixIntOrBooleanEdge(leftChild);
322                     fixIntOrBooleanEdge(rightChild);
323                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
324                         node->setArithMode(Arith::Unchecked);
325                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
326                         node->setArithMode(Arith::CheckOverflow);
327                     else
328                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
329                     break;
330                 }
331                 
332                 // This will cause conversion nodes to be inserted later.
333                 fixDoubleOrBooleanEdge(leftChild);
334                 fixDoubleOrBooleanEdge(rightChild);
335                 
336                 // We don't need to do ref'ing on the children because we're stealing them from
337                 // the original division.
338                 Node* newDivision = m_insertionSet.insertNode(
339                     m_indexInBlock, SpecBytecodeDouble, *node);
340                 newDivision->setResult(NodeResultDouble);
341                 
342                 node->setOp(DoubleAsInt32);
343                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
344                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
345                     node->setArithMode(Arith::CheckOverflow);
346                 else
347                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
348                 break;
349             }
350             fixDoubleOrBooleanEdge(leftChild);
351             fixDoubleOrBooleanEdge(rightChild);
352             node->setResult(NodeResultDouble);
353             break;
354         }
355             
356         case ArithMin:
357         case ArithMax: {
358             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
359                 fixIntOrBooleanEdge(node->child1());
360                 fixIntOrBooleanEdge(node->child2());
361                 break;
362             }
363             fixDoubleOrBooleanEdge(node->child1());
364             fixDoubleOrBooleanEdge(node->child2());
365             node->setResult(NodeResultDouble);
366             break;
367         }
368             
369         case ArithAbs: {
370             if (node->child1()->shouldSpeculateInt32OrBoolean()
371                 && node->canSpeculateInt32(FixupPass)) {
372                 fixIntOrBooleanEdge(node->child1());
373                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
374                     node->setArithMode(Arith::Unchecked);
375                 else
376                     node->setArithMode(Arith::CheckOverflow);
377                 node->clearFlags(NodeMustGenerate);
378                 node->setResult(NodeResultInt32);
379                 break;
380             }
381
382             if (node->child1()->shouldSpeculateNotCell()) {
383                 fixDoubleOrBooleanEdge(node->child1());
384                 node->clearFlags(NodeMustGenerate);
385             } else
386                 fixEdge<UntypedUse>(node->child1());
387             node->setResult(NodeResultDouble);
388             break;
389         }
390
391         case ArithPow: {
392             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
393                 fixDoubleOrBooleanEdge(node->child1());
394                 fixIntOrBooleanEdge(node->child2());
395                 break;
396             }
397
398             fixDoubleOrBooleanEdge(node->child1());
399             fixDoubleOrBooleanEdge(node->child2());
400             break;
401         }
402
403         case ArithRandom: {
404             node->setResult(NodeResultDouble);
405             break;
406         }
407
408         case ArithRound:
409         case ArithFloor:
410         case ArithCeil:
411         case ArithTrunc: {
412             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
413                 fixIntOrBooleanEdge(node->child1());
414                 insertCheck<Int32Use>(node->child1().node());
415                 node->convertToIdentity();
416                 break;
417             }
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420
421                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
422                     node->setResult(NodeResultInt32);
423                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
424                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
425                     else
426                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
427                 } else {
428                     node->setResult(NodeResultDouble);
429                     node->setArithRoundingMode(Arith::RoundingMode::Double);
430                 }
431                 node->clearFlags(NodeMustGenerate);
432             } else
433                 fixEdge<UntypedUse>(node->child1());
434             break;
435         }
436
437         case ArithFRound:
438         case ArithSqrt:
439         case ArithUnary: {
440             Edge& child1 = node->child1();
441             if (child1->shouldSpeculateNotCell()) {
442                 fixDoubleOrBooleanEdge(child1);
443                 node->clearFlags(NodeMustGenerate);
444             } else
445                 fixEdge<UntypedUse>(child1);
446             break;
447         }
448             
449         case LogicalNot: {
450             if (node->child1()->shouldSpeculateBoolean()) {
451                 if (node->child1()->result() == NodeResultBoolean) {
452                     // This is necessary in case we have a bytecode instruction implemented by:
453                     //
454                     // a: CompareEq(...)
455                     // b: LogicalNot(@a)
456                     //
457                     // In that case, CompareEq might have a side-effect. Then, we need to make
458                     // sure that we know that Branch does not exit.
459                     fixEdge<KnownBooleanUse>(node->child1());
460                 } else
461                     fixEdge<BooleanUse>(node->child1());
462             } else if (node->child1()->shouldSpeculateObjectOrOther())
463                 fixEdge<ObjectOrOtherUse>(node->child1());
464             else if (node->child1()->shouldSpeculateInt32OrBoolean())
465                 fixIntOrBooleanEdge(node->child1());
466             else if (node->child1()->shouldSpeculateNumber())
467                 fixEdge<DoubleRepUse>(node->child1());
468             else if (node->child1()->shouldSpeculateString())
469                 fixEdge<StringUse>(node->child1());
470             else if (node->child1()->shouldSpeculateStringOrOther())
471                 fixEdge<StringOrOtherUse>(node->child1());
472             else {
473                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
474                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
475                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
476             }
477             break;
478         }
479
480         case CompareEq:
481         case CompareLess:
482         case CompareLessEq:
483         case CompareGreater:
484         case CompareGreaterEq: {
485             if (node->op() == CompareEq
486                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
487                 fixEdge<BooleanUse>(node->child1());
488                 fixEdge<BooleanUse>(node->child2());
489                 node->clearFlags(NodeMustGenerate);
490                 break;
491             }
492             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
493                 fixIntOrBooleanEdge(node->child1());
494                 fixIntOrBooleanEdge(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (enableInt52()
499                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
500                 fixEdge<Int52RepUse>(node->child1());
501                 fixEdge<Int52RepUse>(node->child2());
502                 node->clearFlags(NodeMustGenerate);
503                 break;
504             }
505             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
506                 fixDoubleOrBooleanEdge(node->child1());
507                 fixDoubleOrBooleanEdge(node->child2());
508             }
509             if (node->op() != CompareEq
510                 && node->child1()->shouldSpeculateNotCell()
511                 && node->child2()->shouldSpeculateNotCell()) {
512                 if (node->child1()->shouldSpeculateNumberOrBoolean())
513                     fixDoubleOrBooleanEdge(node->child1());
514                 else
515                     fixEdge<DoubleRepUse>(node->child1());
516                 if (node->child2()->shouldSpeculateNumberOrBoolean())
517                     fixDoubleOrBooleanEdge(node->child2());
518                 else
519                     fixEdge<DoubleRepUse>(node->child2());
520                 node->clearFlags(NodeMustGenerate);
521                 break;
522             }
523             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
524                 fixEdge<StringIdentUse>(node->child1());
525                 fixEdge<StringIdentUse>(node->child2());
526                 node->clearFlags(NodeMustGenerate);
527                 break;
528             }
529             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
530                 fixEdge<StringUse>(node->child1());
531                 fixEdge<StringUse>(node->child2());
532                 node->clearFlags(NodeMustGenerate);
533                 break;
534             }
535
536             if (node->op() != CompareEq)
537                 break;
538             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
539                 fixEdge<SymbolUse>(node->child1());
540                 fixEdge<SymbolUse>(node->child2());
541                 node->clearFlags(NodeMustGenerate);
542                 break;
543             }
544             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
545                 fixEdge<ObjectUse>(node->child1());
546                 fixEdge<ObjectUse>(node->child2());
547                 node->clearFlags(NodeMustGenerate);
548                 break;
549             }
550
551             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
552             bool oneArgumentIsUsedAsSpecOther = false;
553             if (node->child1()->isUndefinedOrNullConstant()) {
554                 fixEdge<OtherUse>(node->child1());
555                 oneArgumentIsUsedAsSpecOther = true;
556             } else if (node->child1()->shouldSpeculateOther()) {
557                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
558                     Edge(node->child1().node(), OtherUse));
559                 fixEdge<OtherUse>(node->child1());
560                 oneArgumentIsUsedAsSpecOther = true;
561             }
562             if (node->child2()->isUndefinedOrNullConstant()) {
563                 fixEdge<OtherUse>(node->child2());
564                 oneArgumentIsUsedAsSpecOther = true;
565             } else if (node->child2()->shouldSpeculateOther()) {
566                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
567                     Edge(node->child2().node(), OtherUse));
568                 fixEdge<OtherUse>(node->child2());
569                 oneArgumentIsUsedAsSpecOther = true;
570             }
571             if (oneArgumentIsUsedAsSpecOther) {
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575
576             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
577                 fixEdge<ObjectUse>(node->child1());
578                 fixEdge<ObjectOrOtherUse>(node->child2());
579                 node->clearFlags(NodeMustGenerate);
580                 break;
581             }
582             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
583                 fixEdge<ObjectOrOtherUse>(node->child1());
584                 fixEdge<ObjectUse>(node->child2());
585                 node->clearFlags(NodeMustGenerate);
586                 break;
587             }
588
589             break;
590         }
591             
592         case CompareStrictEq: {
593             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
594                 fixEdge<BooleanUse>(node->child1());
595                 fixEdge<BooleanUse>(node->child2());
596                 break;
597             }
598             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
599                 fixEdge<Int32Use>(node->child1());
600                 fixEdge<Int32Use>(node->child2());
601                 break;
602             }
603             if (enableInt52()
604                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
605                 fixEdge<Int52RepUse>(node->child1());
606                 fixEdge<Int52RepUse>(node->child2());
607                 break;
608             }
609             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
610                 fixEdge<DoubleRepUse>(node->child1());
611                 fixEdge<DoubleRepUse>(node->child2());
612                 break;
613             }
614             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
615                 fixEdge<SymbolUse>(node->child1());
616                 fixEdge<SymbolUse>(node->child2());
617                 break;
618             }
619             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
620                 fixEdge<StringIdentUse>(node->child1());
621                 fixEdge<StringIdentUse>(node->child2());
622                 break;
623             }
624             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
625                 fixEdge<StringUse>(node->child1());
626                 fixEdge<StringUse>(node->child2());
627                 break;
628             }
629             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
630             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
631                 
632                 if (node->child1()->shouldSpeculateObject()) {
633                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
634                     fixEdge<ObjectUse>(node->child1());
635                     break;
636                 }
637                 if (node->child2()->shouldSpeculateObject()) {
638                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
639                     fixEdge<ObjectUse>(node->child2());
640                     break;
641                 }
642                 
643             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
644                 fixEdge<ObjectUse>(node->child1());
645                 fixEdge<ObjectUse>(node->child2());
646                 break;
647             }
648             if (node->child1()->shouldSpeculateSymbol()) {
649                 fixEdge<SymbolUse>(node->child1());
650                 break;
651             }
652             if (node->child2()->shouldSpeculateSymbol()) {
653                 fixEdge<SymbolUse>(node->child2());
654                 break;
655             }
656             if (node->child1()->shouldSpeculateMisc()) {
657                 fixEdge<MiscUse>(node->child1());
658                 break;
659             }
660             if (node->child2()->shouldSpeculateMisc()) {
661                 fixEdge<MiscUse>(node->child2());
662                 break;
663             }
664             if (node->child1()->shouldSpeculateStringIdent()
665                 && node->child2()->shouldSpeculateNotStringVar()) {
666                 fixEdge<StringIdentUse>(node->child1());
667                 fixEdge<NotStringVarUse>(node->child2());
668                 break;
669             }
670             if (node->child2()->shouldSpeculateStringIdent()
671                 && node->child1()->shouldSpeculateNotStringVar()) {
672                 fixEdge<StringIdentUse>(node->child2());
673                 fixEdge<NotStringVarUse>(node->child1());
674                 break;
675             }
676             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
677                 fixEdge<StringUse>(node->child1());
678                 break;
679             }
680             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
681                 fixEdge<StringUse>(node->child2());
682                 break;
683             }
684             break;
685         }
686             
687         case StringFromCharCode:
688             if (node->child1()->shouldSpeculateInt32())
689                 fixEdge<Int32Use>(node->child1());
690             else
691                 fixEdge<UntypedUse>(node->child1());
692             break;
693
694         case StringCharAt:
695         case StringCharCodeAt: {
696             // Currently we have no good way of refining these.
697             ASSERT(node->arrayMode() == ArrayMode(Array::String));
698             blessArrayOperation(node->child1(), node->child2(), node->child3());
699             fixEdge<KnownCellUse>(node->child1());
700             fixEdge<Int32Use>(node->child2());
701             break;
702         }
703
704         case GetByVal: {
705             if (!node->prediction()) {
706                 m_insertionSet.insertNode(
707                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
708             }
709             
710             node->setArrayMode(
711                 node->arrayMode().refine(
712                     m_graph, node,
713                     m_graph.varArgChild(node, 0)->prediction(),
714                     m_graph.varArgChild(node, 1)->prediction(),
715                     SpecNone));
716             
717             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
718             
719             ArrayMode arrayMode = node->arrayMode();
720             switch (arrayMode.type()) {
721             case Array::Contiguous:
722             case Array::Double:
723                 if (arrayMode.arrayClass() == Array::OriginalArray
724                     && arrayMode.speculation() == Array::InBounds) {
725                     // Check if SaneChain will work on a per-type basis. Note that:
726                     //
727                     // 1) We don't want double arrays to sometimes return undefined, since
728                     // that would require a change to the return type and it would pessimise
729                     // things a lot. So, we'd only want to do that if we actually had
730                     // evidence that we could read from a hole. That's pretty annoying.
731                     // Likely the best way to handle that case is with an equivalent of
732                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
733                     // NaN are indistinguishable according to backwards propagation, and just
734                     // use SaneChain in that case. This happens to catch a lot of cases.
735                     //
736                     // 2) We don't want int32 array loads to have to do a hole check just to
737                     // coerce to Undefined, since that would mean twice the checks.
738                     //
739                     // This has two implications. First, we have to do more checks than we'd
740                     // like. It's unfortunate that we have to do the hole check. Second,
741                     // some accesses that hit a hole will now need to take the full-blown
742                     // out-of-bounds slow path. We can fix that with:
743                     // https://bugs.webkit.org/show_bug.cgi?id=144668
744                     
745                     bool canDoSaneChain = false;
746                     switch (arrayMode.type()) {
747                     case Array::Contiguous:
748                         // This is happens to be entirely natural. We already would have
749                         // returned any JSValue, and now we'll return Undefined. We still do
750                         // the check but it doesn't require taking any kind of slow path.
751                         canDoSaneChain = true;
752                         break;
753                         
754                     case Array::Double:
755                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
756                             // Holes look like NaN already, so if the user doesn't care
757                             // about the difference between Undefined and NaN then we can
758                             // do this.
759                             canDoSaneChain = true;
760                         }
761                         break;
762                         
763                     default:
764                         break;
765                     }
766                     
767                     if (canDoSaneChain) {
768                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
769                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
770                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
771                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
772                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
773                             && globalObject->arrayPrototypeChainIsSane()) {
774                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
775                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
776                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
777                         }
778                     }
779                 }
780                 break;
781                 
782             case Array::String:
783                 if ((node->prediction() & ~SpecString)
784                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
785                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
786                 break;
787                 
788             default:
789                 break;
790             }
791             
792             arrayMode = node->arrayMode();
793             switch (arrayMode.type()) {
794             case Array::SelectUsingPredictions:
795             case Array::Unprofiled:
796                 RELEASE_ASSERT_NOT_REACHED();
797                 break;
798             case Array::Generic:
799                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
800                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
801                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
802                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
803                         break;
804                     }
805
806                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
807                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
808                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
809                         break;
810                     }
811                 }
812 #if USE(JSVALUE32_64)
813                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
814 #endif
815                 break;
816             case Array::ForceExit:
817                 break;
818             default:
819                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
820                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
821                 break;
822             }
823             
824             switch (arrayMode.type()) {
825             case Array::Double:
826                 if (!arrayMode.isOutOfBounds())
827                     node->setResult(NodeResultDouble);
828                 break;
829                 
830             case Array::Float32Array:
831             case Array::Float64Array:
832                 node->setResult(NodeResultDouble);
833                 break;
834                 
835             case Array::Uint32Array:
836                 if (node->shouldSpeculateInt32())
837                     break;
838                 if (node->shouldSpeculateAnyInt() && enableInt52())
839                     node->setResult(NodeResultInt52);
840                 else
841                     node->setResult(NodeResultDouble);
842                 break;
843                 
844             default:
845                 break;
846             }
847             
848             break;
849         }
850
851         case PutByValDirect:
852         case PutByVal:
853         case PutByValAlias: {
854             Edge& child1 = m_graph.varArgChild(node, 0);
855             Edge& child2 = m_graph.varArgChild(node, 1);
856             Edge& child3 = m_graph.varArgChild(node, 2);
857
858             node->setArrayMode(
859                 node->arrayMode().refine(
860                     m_graph, node,
861                     child1->prediction(),
862                     child2->prediction(),
863                     child3->prediction()));
864             
865             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
866             
867             switch (node->arrayMode().modeForPut().type()) {
868             case Array::SelectUsingPredictions:
869             case Array::SelectUsingArguments:
870             case Array::Unprofiled:
871             case Array::Undecided:
872                 RELEASE_ASSERT_NOT_REACHED();
873                 break;
874             case Array::ForceExit:
875             case Array::Generic:
876                 if (child1->shouldSpeculateCell()) {
877                     if (child2->shouldSpeculateString()) {
878                         fixEdge<CellUse>(child1);
879                         fixEdge<StringUse>(child2);
880                         break;
881                     }
882
883                     if (child2->shouldSpeculateSymbol()) {
884                         fixEdge<CellUse>(child1);
885                         fixEdge<SymbolUse>(child2);
886                         break;
887                     }
888                 }
889 #if USE(JSVALUE32_64)
890                 // Due to register pressure on 32-bit, we speculate cell and
891                 // ignore the base-is-not-cell case entirely by letting the
892                 // baseline JIT handle it.
893                 fixEdge<CellUse>(child1);
894 #endif
895                 break;
896             case Array::Int32:
897                 fixEdge<KnownCellUse>(child1);
898                 fixEdge<Int32Use>(child2);
899                 fixEdge<Int32Use>(child3);
900                 break;
901             case Array::Double:
902                 fixEdge<KnownCellUse>(child1);
903                 fixEdge<Int32Use>(child2);
904                 fixEdge<DoubleRepRealUse>(child3);
905                 break;
906             case Array::Int8Array:
907             case Array::Int16Array:
908             case Array::Int32Array:
909             case Array::Uint8Array:
910             case Array::Uint8ClampedArray:
911             case Array::Uint16Array:
912             case Array::Uint32Array:
913                 fixEdge<KnownCellUse>(child1);
914                 fixEdge<Int32Use>(child2);
915                 if (child3->shouldSpeculateInt32())
916                     fixIntOrBooleanEdge(child3);
917                 else if (child3->shouldSpeculateAnyInt())
918                     fixEdge<Int52RepUse>(child3);
919                 else
920                     fixDoubleOrBooleanEdge(child3);
921                 break;
922             case Array::Float32Array:
923             case Array::Float64Array:
924                 fixEdge<KnownCellUse>(child1);
925                 fixEdge<Int32Use>(child2);
926                 fixDoubleOrBooleanEdge(child3);
927                 break;
928             case Array::Contiguous:
929             case Array::ArrayStorage:
930             case Array::SlowPutArrayStorage:
931                 fixEdge<KnownCellUse>(child1);
932                 fixEdge<Int32Use>(child2);
933                 speculateForBarrier(child3);
934                 break;
935             default:
936                 fixEdge<KnownCellUse>(child1);
937                 fixEdge<Int32Use>(child2);
938                 break;
939             }
940             break;
941         }
942             
943         case AtomicsAdd:
944         case AtomicsAnd:
945         case AtomicsCompareExchange:
946         case AtomicsExchange:
947         case AtomicsLoad:
948         case AtomicsOr:
949         case AtomicsStore:
950         case AtomicsSub:
951         case AtomicsXor: {
952             Edge& base = m_graph.child(node, 0);
953             Edge& index = m_graph.child(node, 1);
954             
955             bool badNews = false;
956             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
957                 Edge& child = m_graph.child(node, 2 + i);
958                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
959                 // just call the function when that happens. But the FTL is totally cool with those
960                 // conversions.
961                 if (!child->shouldSpeculateInt32()
962                     && !child->shouldSpeculateAnyInt()
963                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
964                     badNews = true;
965             }
966             
967             if (badNews) {
968                 node->setArrayMode(ArrayMode(Array::Generic));
969                 break;
970             }
971             
972             node->setArrayMode(
973                 node->arrayMode().refine(
974                     m_graph, node, base->prediction(), index->prediction()));
975             
976             if (node->arrayMode().type() == Array::Generic)
977                 break;
978             
979             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
980                 Edge& child = m_graph.child(node, 2 + i);
981                 if (child->shouldSpeculateInt32())
982                     fixIntOrBooleanEdge(child);
983                 else if (child->shouldSpeculateAnyInt())
984                     fixEdge<Int52RepUse>(child);
985                 else {
986                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
987                     fixDoubleOrBooleanEdge(child);
988                 }
989             }
990             
991             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
992             fixEdge<CellUse>(base);
993             fixEdge<Int32Use>(index);
994             
995             if (node->arrayMode().type() == Array::Uint32Array) {
996                 // NOTE: This means basically always doing Int52.
997                 if (node->shouldSpeculateAnyInt() && enableInt52())
998                     node->setResult(NodeResultInt52);
999                 else
1000                     node->setResult(NodeResultDouble);
1001             }
1002             break;
1003         }
1004             
1005         case AtomicsIsLockFree:
1006             if (node->child1()->shouldSpeculateInt32())
1007                 fixIntOrBooleanEdge(node->child1());
1008             break;
1009             
1010         case ArrayPush: {
1011             // May need to refine the array mode in case the value prediction contravenes
1012             // the array prediction. For example, we may have evidence showing that the
1013             // array is in Int32 mode, but the value we're storing is likely to be a double.
1014             // Then we should turn this into a conversion to Double array followed by the
1015             // push. On the other hand, we absolutely don't want to refine based on the
1016             // base prediction. If it has non-cell garbage in it, then we want that to be
1017             // ignored. That's because ArrayPush can't handle any array modes that aren't
1018             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1019             // that would break things.
1020             Edge& storageEdge = m_graph.varArgChild(node, 0);
1021             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1022             unsigned elementOffset = 2;
1023             unsigned elementCount = node->numChildren() - elementOffset;
1024             for (unsigned i = 0; i < elementCount; ++i) {
1025                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1026                 node->setArrayMode(
1027                     node->arrayMode().refine(
1028                         m_graph, node,
1029                         arrayEdge->prediction() & SpecCell,
1030                         SpecInt32Only,
1031                         element->prediction()));
1032             }
1033             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1034             fixEdge<KnownCellUse>(arrayEdge);
1035
1036             // Convert `array.push()` to GetArrayLength.
1037             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1038                 node->setOpAndDefaultFlags(GetArrayLength);
1039                 node->child1() = arrayEdge;
1040                 node->child2() = storageEdge;
1041                 fixEdge<KnownCellUse>(node->child1());
1042                 break;
1043             }
1044
1045             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1046             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1047             for (unsigned i = 0; i < elementCount; ++i) {
1048                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1049                 switch (node->arrayMode().type()) {
1050                 case Array::Int32:
1051                     insertCheck<Int32Use>(element.node());
1052                     fixEdge<KnownInt32Use>(element);
1053                     break;
1054                 case Array::Double:
1055                     insertCheck<DoubleRepRealUse>(element.node());
1056                     fixEdge<DoubleRepUse>(element);
1057                     break;
1058                 case Array::Contiguous:
1059                 case Array::ArrayStorage:
1060                     speculateForBarrier(element);
1061                     break;
1062                 default:
1063                     break;
1064                 }
1065                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1066             }
1067             break;
1068         }
1069             
1070         case ArrayPop: {
1071             blessArrayOperation(node->child1(), Edge(), node->child2());
1072             fixEdge<KnownCellUse>(node->child1());
1073             break;
1074         }
1075
1076         case ArraySlice: {
1077             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1078             if (node->numChildren() >= 3) {
1079                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1080                 if (node->numChildren() == 4)
1081                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1082             }
1083             break;
1084         }
1085
1086         case ArrayIndexOf:
1087             fixupArrayIndexOf(node);
1088             break;
1089             
1090         case RegExpExec:
1091         case RegExpTest: {
1092             fixEdge<KnownCellUse>(node->child1());
1093             
1094             if (node->child2()->shouldSpeculateRegExpObject()) {
1095                 fixEdge<RegExpObjectUse>(node->child2());
1096
1097                 if (node->child3()->shouldSpeculateString())
1098                     fixEdge<StringUse>(node->child3());
1099             }
1100             break;
1101         }
1102
1103         case RegExpMatchFast: {
1104             fixEdge<KnownCellUse>(node->child1());
1105             fixEdge<RegExpObjectUse>(node->child2());
1106             fixEdge<StringUse>(node->child3());
1107             break;
1108         }
1109
1110         case StringReplace:
1111         case StringReplaceRegExp: {
1112             if (node->child2()->shouldSpeculateString()) {
1113                 m_insertionSet.insertNode(
1114                     m_indexInBlock, SpecNone, Check, node->origin,
1115                     Edge(node->child2().node(), StringUse));
1116                 fixEdge<StringUse>(node->child2());
1117             } else if (op == StringReplace) {
1118                 if (node->child2()->shouldSpeculateRegExpObject())
1119                     addStringReplacePrimordialChecks(node->child2().node());
1120                 else 
1121                     m_insertionSet.insertNode(
1122                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1123             }
1124
1125             if (node->child1()->shouldSpeculateString()
1126                 && node->child2()->shouldSpeculateRegExpObject()
1127                 && node->child3()->shouldSpeculateString()) {
1128
1129                 fixEdge<StringUse>(node->child1());
1130                 fixEdge<RegExpObjectUse>(node->child2());
1131                 fixEdge<StringUse>(node->child3());
1132                 break;
1133             }
1134             break;
1135         }
1136             
1137         case Branch: {
1138             if (node->child1()->shouldSpeculateBoolean()) {
1139                 if (node->child1()->result() == NodeResultBoolean) {
1140                     // This is necessary in case we have a bytecode instruction implemented by:
1141                     //
1142                     // a: CompareEq(...)
1143                     // b: Branch(@a)
1144                     //
1145                     // In that case, CompareEq might have a side-effect. Then, we need to make
1146                     // sure that we know that Branch does not exit.
1147                     fixEdge<KnownBooleanUse>(node->child1());
1148                 } else
1149                     fixEdge<BooleanUse>(node->child1());
1150             } else if (node->child1()->shouldSpeculateObjectOrOther())
1151                 fixEdge<ObjectOrOtherUse>(node->child1());
1152             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1153                 fixIntOrBooleanEdge(node->child1());
1154             else if (node->child1()->shouldSpeculateNumber())
1155                 fixEdge<DoubleRepUse>(node->child1());
1156             else if (node->child1()->shouldSpeculateString())
1157                 fixEdge<StringUse>(node->child1());
1158             else if (node->child1()->shouldSpeculateStringOrOther())
1159                 fixEdge<StringOrOtherUse>(node->child1());
1160             else {
1161                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1162                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1163                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1164             }
1165             break;
1166         }
1167             
1168         case Switch: {
1169             SwitchData* data = node->switchData();
1170             switch (data->kind) {
1171             case SwitchImm:
1172                 if (node->child1()->shouldSpeculateInt32())
1173                     fixEdge<Int32Use>(node->child1());
1174                 break;
1175             case SwitchChar:
1176                 if (node->child1()->shouldSpeculateString())
1177                     fixEdge<StringUse>(node->child1());
1178                 break;
1179             case SwitchString:
1180                 if (node->child1()->shouldSpeculateStringIdent())
1181                     fixEdge<StringIdentUse>(node->child1());
1182                 else if (node->child1()->shouldSpeculateString())
1183                     fixEdge<StringUse>(node->child1());
1184                 break;
1185             case SwitchCell:
1186                 if (node->child1()->shouldSpeculateCell())
1187                     fixEdge<CellUse>(node->child1());
1188                 // else it's fine for this to have UntypedUse; we will handle this by just making
1189                 // non-cells take the default case.
1190                 break;
1191             }
1192             break;
1193         }
1194             
1195         case ToPrimitive: {
1196             fixupToPrimitive(node);
1197             break;
1198         }
1199
1200         case ToNumber: {
1201             fixupToNumber(node);
1202             break;
1203         }
1204             
1205         case ToString:
1206         case CallStringConstructor: {
1207             fixupToStringOrCallStringConstructor(node);
1208             break;
1209         }
1210             
1211         case NewStringObject: {
1212             fixEdge<KnownStringUse>(node->child1());
1213             break;
1214         }
1215
1216         case NewArrayWithSpread: {
1217             watchHavingABadTime(node);
1218             
1219             BitVector* bitVector = node->bitVector();
1220             for (unsigned i = node->numChildren(); i--;) {
1221                 if (bitVector->get(i))
1222                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1223                 else
1224                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1225             }
1226
1227             break;
1228         }
1229
1230         case Spread: {
1231             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1232             
1233             watchHavingABadTime(node->child1().node());
1234
1235             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1236             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1237             // that it doesn't contain any indexed properties, and that any holes will result in
1238             // jsUndefined().
1239             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
1240             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
1241             if (node->child1()->shouldSpeculateArray()
1242                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1243                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1244                 && globalObject->arrayPrototypeChainIsSane()
1245                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1246                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1247                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1248                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1249                 fixEdge<ArrayUse>(node->child1());
1250             } else
1251                 fixEdge<CellUse>(node->child1());
1252             break;
1253         }
1254             
1255         case NewArray: {
1256             watchHavingABadTime(node);
1257             
1258             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1259                 node->setIndexingType(
1260                     leastUpperBoundOfIndexingTypeAndType(
1261                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1262             }
1263             switch (node->indexingType()) {
1264             case ALL_BLANK_INDEXING_TYPES:
1265                 CRASH();
1266                 break;
1267             case ALL_UNDECIDED_INDEXING_TYPES:
1268                 if (node->numChildren()) {
1269                     // This will only happen if the children have no type predictions. We
1270                     // would have already exited by now, but insert a forced exit just to
1271                     // be safe.
1272                     m_insertionSet.insertNode(
1273                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1274                 }
1275                 break;
1276             case ALL_INT32_INDEXING_TYPES:
1277                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1278                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1279                 break;
1280             case ALL_DOUBLE_INDEXING_TYPES:
1281                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1282                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1283                 break;
1284             case ALL_CONTIGUOUS_INDEXING_TYPES:
1285             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1286                 break;
1287             default:
1288                 CRASH();
1289                 break;
1290             }
1291             break;
1292         }
1293             
1294         case NewTypedArray: {
1295             watchHavingABadTime(node);
1296             
1297             if (node->child1()->shouldSpeculateInt32()) {
1298                 fixEdge<Int32Use>(node->child1());
1299                 node->clearFlags(NodeMustGenerate);
1300                 break;
1301             }
1302             break;
1303         }
1304             
1305         case NewArrayWithSize: {
1306             watchHavingABadTime(node);
1307             fixEdge<Int32Use>(node->child1());
1308             break;
1309         }
1310
1311         case NewArrayBuffer: {
1312             watchHavingABadTime(node);
1313             break;
1314         }
1315
1316         case ToObject: {
1317             fixupToObject(node);
1318             break;
1319         }
1320
1321         case CallObjectConstructor: {
1322             fixupCallObjectConstructor(node);
1323             break;
1324         }
1325
1326         case ToThis: {
1327             fixupToThis(node);
1328             break;
1329         }
1330             
1331         case PutStructure: {
1332             fixEdge<KnownCellUse>(node->child1());
1333             break;
1334         }
1335             
1336         case GetClosureVar:
1337         case GetFromArguments: {
1338             fixEdge<KnownCellUse>(node->child1());
1339             break;
1340         }
1341
1342         case PutClosureVar:
1343         case PutToArguments: {
1344             fixEdge<KnownCellUse>(node->child1());
1345             speculateForBarrier(node->child2());
1346             break;
1347         }
1348
1349         case SkipScope:
1350         case GetScope:
1351         case GetGetter:
1352         case GetSetter:
1353         case GetGlobalObject: {
1354             fixEdge<KnownCellUse>(node->child1());
1355             break;
1356         }
1357             
1358         case AllocatePropertyStorage:
1359         case ReallocatePropertyStorage: {
1360             fixEdge<KnownCellUse>(node->child1());
1361             break;
1362         }
1363             
1364         case NukeStructureAndSetButterfly: {
1365             fixEdge<KnownCellUse>(node->child1());
1366             break;
1367         }
1368
1369         case TryGetById: {
1370             if (node->child1()->shouldSpeculateCell())
1371                 fixEdge<CellUse>(node->child1());
1372             break;
1373         }
1374
1375         case GetByIdDirect:
1376         case GetByIdDirectFlush: {
1377             if (node->child1()->shouldSpeculateCell())
1378                 fixEdge<CellUse>(node->child1());
1379             break;
1380         }
1381
1382         case GetById:
1383         case GetByIdFlush: {
1384             // FIXME: This should be done in the ByteCodeParser based on reading the
1385             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1386             // https://bugs.webkit.org/show_bug.cgi?id=154990
1387             auto uid = m_graph.identifiers()[node->identifierNumber()];
1388             if (node->child1()->shouldSpeculateCellOrOther()
1389                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1390                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1391                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1392                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1393                 
1394                 if (uid == vm().propertyNames->length.impl()) {
1395                     attemptToMakeGetArrayLength(node);
1396                     break;
1397                 }
1398
1399                 if (uid == vm().propertyNames->lastIndex.impl()
1400                     && node->child1()->shouldSpeculateRegExpObject()) {
1401                     node->setOp(GetRegExpObjectLastIndex);
1402                     node->clearFlags(NodeMustGenerate);
1403                     fixEdge<RegExpObjectUse>(node->child1());
1404                     break;
1405                 }
1406             }
1407
1408             if (node->child1()->shouldSpeculateNumber()) {
1409                 if (uid == vm().propertyNames->toString.impl()) {
1410                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1411                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1412                         if (node->child1()->shouldSpeculateInt32()) {
1413                             insertCheck<Int32Use>(node->child1().node());
1414                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1415                             break;
1416                         }
1417
1418                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1419                             insertCheck<Int52RepUse>(node->child1().node());
1420                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1421                             break;
1422                         }
1423
1424                         ASSERT(node->child1()->shouldSpeculateNumber());
1425                         insertCheck<DoubleRepUse>(node->child1().node());
1426                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1427                         break;
1428                     }
1429                 }
1430             }
1431
1432             if (node->child1()->shouldSpeculateCell())
1433                 fixEdge<CellUse>(node->child1());
1434             break;
1435         }
1436         
1437         case GetByIdWithThis: {
1438             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1439                 fixEdge<CellUse>(node->child1());
1440                 fixEdge<CellUse>(node->child2());
1441             }
1442             break;
1443         }
1444
1445         case PutById:
1446         case PutByIdFlush:
1447         case PutByIdDirect: {
1448             if (node->child1()->shouldSpeculateCellOrOther()
1449                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1450                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1451                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1452                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1453                 
1454                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1455                 
1456                 if (uid == vm().propertyNames->lastIndex.impl()
1457                     && node->child1()->shouldSpeculateRegExpObject()) {
1458                     node->convertToSetRegExpObjectLastIndex();
1459                     fixEdge<RegExpObjectUse>(node->child1());
1460                     speculateForBarrier(node->child2());
1461                     break;
1462                 }
1463             }
1464             
1465             fixEdge<CellUse>(node->child1());
1466             break;
1467         }
1468
1469         case PutGetterById:
1470         case PutSetterById: {
1471             fixEdge<KnownCellUse>(node->child1());
1472             fixEdge<KnownCellUse>(node->child2());
1473             break;
1474         }
1475
1476         case PutGetterSetterById: {
1477             fixEdge<KnownCellUse>(node->child1());
1478             break;
1479         }
1480
1481         case PutGetterByVal:
1482         case PutSetterByVal: {
1483             fixEdge<KnownCellUse>(node->child1());
1484             fixEdge<KnownCellUse>(node->child3());
1485             break;
1486         }
1487
1488         case GetExecutable: {
1489             fixEdge<FunctionUse>(node->child1());
1490             break;
1491         }
1492
1493         case OverridesHasInstance:
1494         case CheckStructure:
1495         case CheckCell:
1496         case CreateThis:
1497         case GetButterfly: {
1498             fixEdge<CellUse>(node->child1());
1499             break;
1500         }
1501
1502         case CheckStringIdent: {
1503             fixEdge<StringIdentUse>(node->child1());
1504             break;
1505         }
1506             
1507         case Arrayify:
1508         case ArrayifyToStructure: {
1509             fixEdge<CellUse>(node->child1());
1510             if (node->child2())
1511                 fixEdge<Int32Use>(node->child2());
1512             break;
1513         }
1514             
1515         case GetByOffset:
1516         case GetGetterSetterByOffset: {
1517             if (!node->child1()->hasStorageResult())
1518                 fixEdge<KnownCellUse>(node->child1());
1519             fixEdge<KnownCellUse>(node->child2());
1520             break;
1521         }
1522             
1523         case MultiGetByOffset: {
1524             fixEdge<CellUse>(node->child1());
1525             break;
1526         }
1527             
1528         case PutByOffset: {
1529             if (!node->child1()->hasStorageResult())
1530                 fixEdge<KnownCellUse>(node->child1());
1531             fixEdge<KnownCellUse>(node->child2());
1532             unsigned index = indexForChecks();
1533             insertInferredTypeCheck(
1534                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1535                 node->storageAccessData().inferredType);
1536             speculateForBarrier(node->child3());
1537             break;
1538         }
1539             
1540         case MultiPutByOffset: {
1541             fixEdge<CellUse>(node->child1());
1542             break;
1543         }
1544             
1545         case InstanceOf: {
1546             if (!(node->child1()->prediction() & ~SpecCell))
1547                 fixEdge<CellUse>(node->child1());
1548             fixEdge<CellUse>(node->child2());
1549             break;
1550         }
1551
1552         case InstanceOfCustom:
1553             fixEdge<CellUse>(node->child2());
1554             break;
1555
1556         case In: {
1557             if (node->child2()->shouldSpeculateInt32()) {
1558                 convertToHasIndexedProperty(node);
1559                 break;
1560             }
1561
1562             fixEdge<CellUse>(node->child1());
1563             break;
1564         }
1565
1566         case HasOwnProperty: {
1567             fixEdge<ObjectUse>(node->child1());
1568 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1569             // We don't have enough registers to do anything interesting on x86 and mips.
1570             fixEdge<UntypedUse>(node->child2());
1571 #else
1572             if (node->child2()->shouldSpeculateString())
1573                 fixEdge<StringUse>(node->child2());
1574             else if (node->child2()->shouldSpeculateSymbol())
1575                 fixEdge<SymbolUse>(node->child2());
1576             else
1577                 fixEdge<UntypedUse>(node->child2());
1578 #endif
1579             break;
1580         }
1581
1582         case CheckVarargs:
1583         case Check: {
1584             m_graph.doToChildren(
1585                 node,
1586                 [&] (Edge& edge) {
1587                     switch (edge.useKind()) {
1588                     case NumberUse:
1589                         if (edge->shouldSpeculateInt32ForArithmetic())
1590                             edge.setUseKind(Int32Use);
1591                         break;
1592                     default:
1593                         break;
1594                     }
1595                     observeUseKindOnEdge(edge);
1596                 });
1597             break;
1598         }
1599
1600         case Phantom:
1601             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1602             node->remove(m_graph);
1603             break;
1604
1605         case FiatInt52: {
1606             RELEASE_ASSERT(enableInt52());
1607             node->convertToIdentity();
1608             fixEdge<Int52RepUse>(node->child1());
1609             node->setResult(NodeResultInt52);
1610             break;
1611         }
1612
1613         case GetArrayLength: {
1614             fixEdge<KnownCellUse>(node->child1());
1615             break;
1616         }
1617
1618         case GetTypedArrayByteOffset: {
1619             fixEdge<KnownCellUse>(node->child1());
1620             break;
1621         }
1622
1623         case CompareBelow:
1624         case CompareBelowEq: {
1625             fixEdge<Int32Use>(node->child1());
1626             fixEdge<Int32Use>(node->child2());
1627             break;
1628         }
1629
1630         case GetPrototypeOf: {
1631             fixupGetPrototypeOf(node);
1632             break;
1633         }
1634
1635         case Phi:
1636         case Upsilon:
1637         case EntrySwitch:
1638         case GetIndexedPropertyStorage:
1639         case LastNodeType:
1640         case CheckTierUpInLoop:
1641         case CheckTierUpAtReturn:
1642         case CheckTierUpAndOSREnter:
1643         case InvalidationPoint:
1644         case CheckArray:
1645         case CheckInBounds:
1646         case ConstantStoragePointer:
1647         case DoubleAsInt32:
1648         case ValueToInt32:
1649         case DoubleRep:
1650         case ValueRep:
1651         case Int52Rep:
1652         case Int52Constant:
1653         case Identity: // This should have been cleaned up.
1654         case BooleanToNumber:
1655         case PhantomNewObject:
1656         case PhantomNewFunction:
1657         case PhantomNewGeneratorFunction:
1658         case PhantomNewAsyncGeneratorFunction:
1659         case PhantomNewAsyncFunction:
1660         case PhantomCreateActivation:
1661         case PhantomDirectArguments:
1662         case PhantomCreateRest:
1663         case PhantomSpread:
1664         case PhantomNewArrayWithSpread:
1665         case PhantomNewArrayBuffer:
1666         case PhantomClonedArguments:
1667         case PhantomNewRegexp:
1668         case GetMyArgumentByVal:
1669         case GetMyArgumentByValOutOfBounds:
1670         case GetVectorLength:
1671         case PutHint:
1672         case CheckStructureImmediate:
1673         case CheckStructureOrEmpty:
1674         case MaterializeNewObject:
1675         case MaterializeCreateActivation:
1676         case PutStack:
1677         case KillStack:
1678         case GetStack:
1679         case StoreBarrier:
1680         case FencedStoreBarrier:
1681         case GetRegExpObjectLastIndex:
1682         case SetRegExpObjectLastIndex:
1683         case RecordRegExpCachedResult:
1684         case RegExpExecNonGlobalOrSticky:
1685         case RegExpMatchFastGlobal:
1686             // These are just nodes that we don't currently expect to see during fixup.
1687             // If we ever wanted to insert them prior to fixup, then we just have to create
1688             // fixup rules for them.
1689             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1690             break;
1691
1692         case PutGlobalVariable: {
1693             fixEdge<CellUse>(node->child1());
1694             speculateForBarrier(node->child2());
1695             break;
1696         }
1697
1698         case IsObject:
1699             if (node->child1()->shouldSpeculateObject()) {
1700                 m_insertionSet.insertNode(
1701                     m_indexInBlock, SpecNone, Check, node->origin,
1702                     Edge(node->child1().node(), ObjectUse));
1703                 m_graph.convertToConstant(node, jsBoolean(true));
1704                 observeUseKindOnNode<ObjectUse>(node);
1705             }
1706             break;
1707
1708         case IsCellWithType: {
1709             fixupIsCellWithType(node);
1710             break;
1711         }
1712
1713         case GetEnumerableLength: {
1714             fixEdge<CellUse>(node->child1());
1715             break;
1716         }
1717         case HasGenericProperty: {
1718             fixEdge<CellUse>(node->child2());
1719             break;
1720         }
1721         case HasStructureProperty: {
1722             fixEdge<StringUse>(node->child2());
1723             fixEdge<KnownCellUse>(node->child3());
1724             break;
1725         }
1726         case HasIndexedProperty: {
1727             node->setArrayMode(
1728                 node->arrayMode().refine(
1729                     m_graph, node,
1730                     node->child1()->prediction(),
1731                     node->child2()->prediction(),
1732                     SpecNone));
1733             
1734             blessArrayOperation(node->child1(), node->child2(), node->child3());
1735             fixEdge<CellUse>(node->child1());
1736             fixEdge<KnownInt32Use>(node->child2());
1737             break;
1738         }
1739         case GetDirectPname: {
1740             Edge& base = m_graph.varArgChild(node, 0);
1741             Edge& property = m_graph.varArgChild(node, 1);
1742             Edge& index = m_graph.varArgChild(node, 2);
1743             Edge& enumerator = m_graph.varArgChild(node, 3);
1744             fixEdge<CellUse>(base);
1745             fixEdge<KnownCellUse>(property);
1746             fixEdge<KnownInt32Use>(index);
1747             fixEdge<KnownCellUse>(enumerator);
1748             break;
1749         }
1750         case GetPropertyEnumerator: {
1751             if (node->child1()->shouldSpeculateCell())
1752                 fixEdge<CellUse>(node->child1());
1753             break;
1754         }
1755         case GetEnumeratorStructurePname: {
1756             fixEdge<KnownCellUse>(node->child1());
1757             fixEdge<KnownInt32Use>(node->child2());
1758             break;
1759         }
1760         case GetEnumeratorGenericPname: {
1761             fixEdge<KnownCellUse>(node->child1());
1762             fixEdge<KnownInt32Use>(node->child2());
1763             break;
1764         }
1765         case ToIndexString: {
1766             fixEdge<KnownInt32Use>(node->child1());
1767             break;
1768         }
1769         case ProfileType: {
1770             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1771             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1772             // type T for the instructionTypeSet, the global type set must also have information for type T.
1773             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1774             // in the globalTypeSet would've also succeeded.
1775             // (The other direction does not hold in general).
1776
1777             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1778             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1779             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1780                 if (node->child1()->shouldSpeculateInt32()) {
1781                     fixEdge<Int32Use>(node->child1());
1782                     node->remove(m_graph);
1783                     break;
1784                 }
1785
1786                 if (enableInt52()) {
1787                     fixEdge<AnyIntUse>(node->child1());
1788                     node->remove(m_graph);
1789                     break;
1790                 }
1791
1792                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1793             }
1794
1795             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1796                 fixEdge<NumberUse>(node->child1());
1797                 node->remove(m_graph);
1798             } else if (typeSet->doesTypeConformTo(TypeString)) {
1799                 fixEdge<StringUse>(node->child1());
1800                 node->remove(m_graph);
1801             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1802                 fixEdge<BooleanUse>(node->child1());
1803                 node->remove(m_graph);
1804             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1805                 fixEdge<OtherUse>(node->child1());
1806                 node->remove(m_graph);
1807             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1808                 StructureSet set;
1809                 {
1810                     ConcurrentJSLocker locker(typeSet->m_lock);
1811                     set = typeSet->structureSet(locker);
1812                 }
1813                 if (!set.isEmpty()) {
1814                     fixEdge<CellUse>(node->child1());
1815                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1816                 }
1817             }
1818
1819             break;
1820         }
1821
1822         case CreateClonedArguments: {
1823             watchHavingABadTime(node);
1824             break;
1825         }
1826
1827         case CreateScopedArguments:
1828         case CreateActivation:
1829         case NewFunction:
1830         case NewGeneratorFunction:
1831         case NewAsyncGeneratorFunction:
1832         case NewAsyncFunction: {
1833             // Child 1 is always the current scope, which is guaranteed to be an object
1834             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1835             fixEdge<KnownCellUse>(node->child1());
1836             break;
1837         }
1838
1839         case PushWithScope: {
1840             // Child 1 is always the current scope, which is guaranteed to be an object
1841             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1842             fixEdge<KnownCellUse>(node->child1());
1843             if (node->child2()->shouldSpeculateObject())
1844                 fixEdge<ObjectUse>(node->child2());
1845             break;
1846         }
1847
1848         case SetFunctionName: {
1849             // The first child is guaranteed to be a cell because op_set_function_name is only used
1850             // on a newly instantiated function object (the first child).
1851             fixEdge<KnownCellUse>(node->child1());
1852             fixEdge<UntypedUse>(node->child2());
1853             break;
1854         }
1855
1856         case CreateRest: {
1857             watchHavingABadTime(node);
1858             fixEdge<KnownInt32Use>(node->child1());
1859             break;
1860         }
1861
1862         case ResolveScopeForHoistingFuncDeclInEval: {
1863             fixEdge<KnownCellUse>(node->child1());
1864             break;
1865         }
1866         case ResolveScope:
1867         case GetDynamicVar:
1868         case PutDynamicVar: {
1869             fixEdge<KnownCellUse>(node->child1());
1870             break;
1871         }
1872
1873         case LogShadowChickenPrologue: {
1874             fixEdge<KnownCellUse>(node->child1());
1875             break;
1876         }
1877         case LogShadowChickenTail: {
1878             fixEdge<UntypedUse>(node->child1());
1879             fixEdge<KnownCellUse>(node->child2());
1880             break;
1881         }
1882
1883         case GetMapBucket:
1884             if (node->child1().useKind() == MapObjectUse)
1885                 fixEdge<MapObjectUse>(node->child1());
1886             else if (node->child1().useKind() == SetObjectUse)
1887                 fixEdge<SetObjectUse>(node->child1());
1888             else
1889                 RELEASE_ASSERT_NOT_REACHED();
1890
1891 #if USE(JSVALUE64)
1892             if (node->child2()->shouldSpeculateBoolean())
1893                 fixEdge<BooleanUse>(node->child2());
1894             else if (node->child2()->shouldSpeculateInt32())
1895                 fixEdge<Int32Use>(node->child2());
1896             else if (node->child2()->shouldSpeculateSymbol())
1897                 fixEdge<SymbolUse>(node->child2());
1898             else if (node->child2()->shouldSpeculateObject())
1899                 fixEdge<ObjectUse>(node->child2());
1900             else if (node->child2()->shouldSpeculateString())
1901                 fixEdge<StringUse>(node->child2());
1902             else if (node->child2()->shouldSpeculateCell())
1903                 fixEdge<CellUse>(node->child2());
1904             else
1905                 fixEdge<UntypedUse>(node->child2());
1906 #else
1907             fixEdge<UntypedUse>(node->child2());
1908 #endif // USE(JSVALUE64)
1909
1910             fixEdge<Int32Use>(node->child3());
1911             break;
1912
1913         case GetMapBucketHead:
1914             if (node->child1().useKind() == MapObjectUse)
1915                 fixEdge<MapObjectUse>(node->child1());
1916             else if (node->child1().useKind() == SetObjectUse)
1917                 fixEdge<SetObjectUse>(node->child1());
1918             else
1919                 RELEASE_ASSERT_NOT_REACHED();
1920             break;
1921
1922         case GetMapBucketNext:
1923         case LoadKeyFromMapBucket:
1924         case LoadValueFromMapBucket:
1925             fixEdge<CellUse>(node->child1());
1926             break;
1927
1928         case MapHash: {
1929 #if USE(JSVALUE64)
1930             if (node->child1()->shouldSpeculateBoolean()) {
1931                 fixEdge<BooleanUse>(node->child1());
1932                 break;
1933             }
1934
1935             if (node->child1()->shouldSpeculateInt32()) {
1936                 fixEdge<Int32Use>(node->child1());
1937                 break;
1938             }
1939
1940             if (node->child1()->shouldSpeculateSymbol()) {
1941                 fixEdge<SymbolUse>(node->child1());
1942                 break;
1943             }
1944
1945             if (node->child1()->shouldSpeculateObject()) {
1946                 fixEdge<ObjectUse>(node->child1());
1947                 break;
1948             }
1949
1950             if (node->child1()->shouldSpeculateString()) {
1951                 fixEdge<StringUse>(node->child1());
1952                 break;
1953             }
1954
1955             if (node->child1()->shouldSpeculateCell()) {
1956                 fixEdge<CellUse>(node->child1());
1957                 break;
1958             }
1959
1960             fixEdge<UntypedUse>(node->child1());
1961 #else
1962             fixEdge<UntypedUse>(node->child1());
1963 #endif // USE(JSVALUE64)
1964             break;
1965         }
1966
1967         case NormalizeMapKey: {
1968             fixupNormalizeMapKey(node);
1969             break;
1970         }
1971
1972         case WeakMapGet: {
1973             if (node->child1().useKind() == WeakMapObjectUse)
1974                 fixEdge<WeakMapObjectUse>(node->child1());
1975             else if (node->child1().useKind() == WeakSetObjectUse)
1976                 fixEdge<WeakSetObjectUse>(node->child1());
1977             else
1978                 RELEASE_ASSERT_NOT_REACHED();
1979             fixEdge<ObjectUse>(node->child2());
1980             fixEdge<Int32Use>(node->child3());
1981             break;
1982         }
1983
1984         case SetAdd: {
1985             fixEdge<SetObjectUse>(node->child1());
1986             fixEdge<Int32Use>(node->child3());
1987             break;
1988         }
1989
1990         case MapSet: {
1991             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1992             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1993             break;
1994         }
1995
1996         case WeakSetAdd: {
1997             fixEdge<WeakSetObjectUse>(node->child1());
1998             fixEdge<ObjectUse>(node->child2());
1999             fixEdge<Int32Use>(node->child3());
2000             break;
2001         }
2002
2003         case WeakMapSet: {
2004             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2005             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2006             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2007             break;
2008         }
2009
2010         case DefineDataProperty: {
2011             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2012             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2013             if (propertyEdge->shouldSpeculateSymbol())
2014                 fixEdge<SymbolUse>(propertyEdge);
2015             else if (propertyEdge->shouldSpeculateStringIdent())
2016                 fixEdge<StringIdentUse>(propertyEdge);
2017             else if (propertyEdge->shouldSpeculateString())
2018                 fixEdge<StringUse>(propertyEdge);
2019             else
2020                 fixEdge<UntypedUse>(propertyEdge);
2021             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2022             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2023             break;
2024         }
2025
2026         case StringSlice: {
2027             fixEdge<StringUse>(node->child1());
2028             fixEdge<Int32Use>(node->child2());
2029             if (node->child3())
2030                 fixEdge<Int32Use>(node->child3());
2031             break;
2032         }
2033
2034         case ToLowerCase: {
2035             // We currently only support StringUse since that will ensure that
2036             // ToLowerCase is a pure operation. If we decide to update this with
2037             // more types in the future, we need to ensure that the clobberize rules
2038             // are correct.
2039             fixEdge<StringUse>(node->child1());
2040             break;
2041         }
2042
2043         case NumberToStringWithRadix: {
2044             if (node->child1()->shouldSpeculateInt32())
2045                 fixEdge<Int32Use>(node->child1());
2046             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2047                 fixEdge<Int52RepUse>(node->child1());
2048             else
2049                 fixEdge<DoubleRepUse>(node->child1());
2050             fixEdge<Int32Use>(node->child2());
2051             break;
2052         }
2053
2054         case DefineAccessorProperty: {
2055             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2056             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2057             if (propertyEdge->shouldSpeculateSymbol())
2058                 fixEdge<SymbolUse>(propertyEdge);
2059             else if (propertyEdge->shouldSpeculateStringIdent())
2060                 fixEdge<StringIdentUse>(propertyEdge);
2061             else if (propertyEdge->shouldSpeculateString())
2062                 fixEdge<StringUse>(propertyEdge);
2063             else
2064                 fixEdge<UntypedUse>(propertyEdge);
2065             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2066             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2067             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2068             break;
2069         }
2070
2071         case CheckSubClass: {
2072             fixupCheckSubClass(node);
2073             break;
2074         }
2075
2076         case CallDOMGetter: {
2077             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2078             fixEdge<CellUse>(node->child1()); // DOM.
2079             if (snippet && snippet->requireGlobalObject)
2080                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2081             break;
2082         }
2083
2084         case CallDOM: {
2085             fixupCallDOM(node);
2086             break;
2087         }
2088
2089         case Call: {
2090             attemptToMakeCallDOM(node);
2091             break;
2092         }
2093
2094         case ParseInt: {
2095             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2096                 fixEdge<Int32Use>(node->child1());
2097                 node->convertToIdentity();
2098                 break;
2099             }
2100
2101             if (node->child1()->shouldSpeculateString()) {
2102                 fixEdge<StringUse>(node->child1());
2103                 node->clearFlags(NodeMustGenerate);
2104             }
2105
2106             if (node->child2())
2107                 fixEdge<Int32Use>(node->child2());
2108
2109             break;
2110         }
2111
2112         case IdentityWithProfile: {
2113             node->clearFlags(NodeMustGenerate);
2114             break;
2115         }
2116
2117         case ThrowStaticError:
2118             fixEdge<StringUse>(node->child1());
2119             break;
2120
2121         case NumberIsInteger:
2122             if (node->child1()->shouldSpeculateInt32()) {
2123                 m_insertionSet.insertNode(
2124                     m_indexInBlock, SpecNone, Check, node->origin,
2125                     Edge(node->child1().node(), Int32Use));
2126                 m_graph.convertToConstant(node, jsBoolean(true));
2127                 break;
2128             }
2129             break;
2130
2131 #if !ASSERT_DISABLED
2132         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2133         case SetArgument:
2134         case JSConstant:
2135         case LazyJSConstant:
2136         case DoubleConstant:
2137         case GetLocal:
2138         case GetCallee:
2139         case GetArgumentCountIncludingThis:
2140         case SetArgumentCountIncludingThis:
2141         case GetRestLength:
2142         case GetArgument:
2143         case Flush:
2144         case PhantomLocal:
2145         case GetGlobalVar:
2146         case GetGlobalLexicalVariable:
2147         case NotifyWrite:
2148         case DirectCall:
2149         case CheckTypeInfoFlags:
2150         case TailCallInlinedCaller:
2151         case DirectTailCallInlinedCaller:
2152         case Construct:
2153         case DirectConstruct:
2154         case CallVarargs:
2155         case CallEval:
2156         case TailCallVarargsInlinedCaller:
2157         case ConstructVarargs:
2158         case CallForwardVarargs:
2159         case ConstructForwardVarargs:
2160         case TailCallForwardVarargs:
2161         case TailCallForwardVarargsInlinedCaller:
2162         case LoadVarargs:
2163         case ForwardVarargs:
2164         case ProfileControlFlow:
2165         case NewObject:
2166         case NewRegexp:
2167         case DeleteById:
2168         case DeleteByVal:
2169         case IsTypedArrayView:
2170         case IsEmpty:
2171         case IsUndefined:
2172         case IsBoolean:
2173         case IsNumber:
2174         case IsObjectOrNull:
2175         case IsFunction:
2176         case CreateDirectArguments:
2177         case Jump:
2178         case Return:
2179         case TailCall:
2180         case DirectTailCall:
2181         case TailCallVarargs:
2182         case Throw:
2183         case CountExecution:
2184         case SuperSamplerBegin:
2185         case SuperSamplerEnd:
2186         case ForceOSRExit:
2187         case CheckBadCell:
2188         case CheckNotEmpty:
2189         case AssertNotEmpty:
2190         case CheckTraps:
2191         case Unreachable:
2192         case ExtractOSREntryLocal:
2193         case ExtractCatchLocal:
2194         case LoopHint:
2195         case MovHint:
2196         case InitializeEntrypointArguments:
2197         case ZombieHint:
2198         case ExitOK:
2199         case BottomValue:
2200         case TypeOf:
2201         case PutByIdWithThis:
2202         case PutByValWithThis:
2203         case GetByValWithThis:
2204         case CompareEqPtr:
2205         case NumberToStringWithValidRadixConstant:
2206         case GetGlobalThis:
2207         case ExtractValueFromWeakMapGet:
2208         case CPUIntrinsic:
2209             break;
2210 #else
2211         default:
2212             break;
2213 #endif
2214         }
2215     }
2216
2217     void watchHavingABadTime(Node* node)
2218     {
2219         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2220
2221         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2222         // does an array allocation. The types of array allocations may change if we start to have a bad
2223         // time. It's easier to reason about this if we know that whenever the types change after we start
2224         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2225         // prior to this point nobody should have been doing optimizations based on the indexing type of
2226         // the allocation.
2227         if (!globalObject->isHavingABadTime()) {
2228             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2229             m_graph.freeze(globalObject);
2230         }
2231     }
2232     
2233     template<UseKind useKind>
2234     void createToString(Node* node, Edge& edge)
2235     {
2236         Node* toString = m_insertionSet.insertNode(
2237             m_indexInBlock, SpecString, ToString, node->origin,
2238             Edge(edge.node(), useKind));
2239         switch (useKind) {
2240         case Int32Use:
2241         case Int52RepUse:
2242         case DoubleRepUse:
2243         case NotCellUse:
2244             toString->clearFlags(NodeMustGenerate);
2245             break;
2246         default:
2247             break;
2248         }
2249         edge.setNode(toString);
2250     }
2251     
2252     template<UseKind useKind>
2253     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2254     {
2255         ASSERT(arrayMode == ArrayMode(Array::Generic));
2256         
2257         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2258             return;
2259         
2260         createToString<useKind>(node, node->child1());
2261         arrayMode = ArrayMode(Array::String);
2262     }
2263     
2264     template<UseKind useKind>
2265     bool isStringObjectUse()
2266     {
2267         switch (useKind) {
2268         case StringObjectUse:
2269         case StringOrStringObjectUse:
2270             return true;
2271         default:
2272             return false;
2273         }
2274     }
2275     
2276     template<UseKind useKind>
2277     void convertStringAddUse(Node* node, Edge& edge)
2278     {
2279         if (useKind == StringUse) {
2280             observeUseKindOnNode<StringUse>(edge.node());
2281             m_insertionSet.insertNode(
2282                 m_indexInBlock, SpecNone, Check, node->origin,
2283                 Edge(edge.node(), StringUse));
2284             edge.setUseKind(KnownStringUse);
2285             return;
2286         }
2287         
2288         observeUseKindOnNode<useKind>(edge.node());
2289         createToString<useKind>(node, edge);
2290     }
2291     
2292     void convertToMakeRope(Node* node)
2293     {
2294         node->setOpAndDefaultFlags(MakeRope);
2295         fixupMakeRope(node);
2296     }
2297     
2298     void fixupMakeRope(Node* node)
2299     {
2300         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2301             Edge& edge = node->children.child(i);
2302             if (!edge)
2303                 break;
2304             edge.setUseKind(KnownStringUse);
2305             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2306             if (!string)
2307                 continue;
2308             if (string->length())
2309                 continue;
2310             
2311             // Don't allow the MakeRope to have zero children.
2312             if (!i && !node->child2())
2313                 break;
2314             
2315             node->children.removeEdge(i--);
2316         }
2317         
2318         if (!node->child2()) {
2319             ASSERT(!node->child3());
2320             node->convertToIdentity();
2321         }
2322     }
2323
2324     void fixupIsCellWithType(Node* node)
2325     {
2326         switch (node->speculatedTypeForQuery()) {
2327         case SpecString:
2328             if (node->child1()->shouldSpeculateString()) {
2329                 m_insertionSet.insertNode(
2330                     m_indexInBlock, SpecNone, Check, node->origin,
2331                     Edge(node->child1().node(), StringUse));
2332                 m_graph.convertToConstant(node, jsBoolean(true));
2333                 observeUseKindOnNode<StringUse>(node);
2334                 return;
2335             }
2336             break;
2337
2338         case SpecProxyObject:
2339             if (node->child1()->shouldSpeculateProxyObject()) {
2340                 m_insertionSet.insertNode(
2341                     m_indexInBlock, SpecNone, Check, node->origin,
2342                     Edge(node->child1().node(), ProxyObjectUse));
2343                 m_graph.convertToConstant(node, jsBoolean(true));
2344                 observeUseKindOnNode<ProxyObjectUse>(node);
2345                 return;
2346             }
2347             break;
2348
2349         case SpecRegExpObject:
2350             if (node->child1()->shouldSpeculateRegExpObject()) {
2351                 m_insertionSet.insertNode(
2352                     m_indexInBlock, SpecNone, Check, node->origin,
2353                     Edge(node->child1().node(), RegExpObjectUse));
2354                 m_graph.convertToConstant(node, jsBoolean(true));
2355                 observeUseKindOnNode<RegExpObjectUse>(node);
2356                 return;
2357             }
2358             break;
2359
2360         case SpecArray:
2361             if (node->child1()->shouldSpeculateArray()) {
2362                 m_insertionSet.insertNode(
2363                     m_indexInBlock, SpecNone, Check, node->origin,
2364                     Edge(node->child1().node(), ArrayUse));
2365                 m_graph.convertToConstant(node, jsBoolean(true));
2366                 observeUseKindOnNode<ArrayUse>(node);
2367                 return;
2368             }
2369             break;
2370
2371         case SpecDerivedArray:
2372             if (node->child1()->shouldSpeculateDerivedArray()) {
2373                 m_insertionSet.insertNode(
2374                     m_indexInBlock, SpecNone, Check, node->origin,
2375                     Edge(node->child1().node(), DerivedArrayUse));
2376                 m_graph.convertToConstant(node, jsBoolean(true));
2377                 observeUseKindOnNode<DerivedArrayUse>(node);
2378                 return;
2379             }
2380             break;
2381         }
2382
2383         if (node->child1()->shouldSpeculateCell()) {
2384             fixEdge<CellUse>(node->child1());
2385             return;
2386         }
2387
2388         if (node->child1()->shouldSpeculateNotCell()) {
2389             m_insertionSet.insertNode(
2390                 m_indexInBlock, SpecNone, Check, node->origin,
2391                 Edge(node->child1().node(), NotCellUse));
2392             m_graph.convertToConstant(node, jsBoolean(false));
2393             observeUseKindOnNode<NotCellUse>(node);
2394             return;
2395         }
2396     }
2397
2398     void fixupGetPrototypeOf(Node* node)
2399     {
2400         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2401         if (node->child1().useKind() != ObjectUse) {
2402             if (node->child1()->shouldSpeculateString()) {
2403                 insertCheck<StringUse>(node->child1().node());
2404                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2405                 return;
2406             }
2407             if (node->child1()->shouldSpeculateInt32()) {
2408                 insertCheck<Int32Use>(node->child1().node());
2409                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2410                 return;
2411             }
2412             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2413                 insertCheck<Int52RepUse>(node->child1().node());
2414                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2415                 return;
2416             }
2417             if (node->child1()->shouldSpeculateNumber()) {
2418                 insertCheck<NumberUse>(node->child1().node());
2419                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2420                 return;
2421             }
2422             if (node->child1()->shouldSpeculateSymbol()) {
2423                 insertCheck<SymbolUse>(node->child1().node());
2424                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2425                 return;
2426             }
2427             if (node->child1()->shouldSpeculateBoolean()) {
2428                 insertCheck<BooleanUse>(node->child1().node());
2429                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2430                 return;
2431             }
2432         }
2433
2434         if (node->child1()->shouldSpeculateFinalObject()) {
2435             fixEdge<FinalObjectUse>(node->child1());
2436             node->clearFlags(NodeMustGenerate);
2437             return;
2438         }
2439         if (node->child1()->shouldSpeculateArray()) {
2440             fixEdge<ArrayUse>(node->child1());
2441             node->clearFlags(NodeMustGenerate);
2442             return;
2443         }
2444         if (node->child1()->shouldSpeculateFunction()) {
2445             fixEdge<FunctionUse>(node->child1());
2446             node->clearFlags(NodeMustGenerate);
2447             return;
2448         }
2449     }
2450
2451     void fixupToThis(Node* node)
2452     {
2453         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2454
2455         if (ecmaMode == StrictMode) {
2456             if (node->child1()->shouldSpeculateBoolean()) {
2457                 fixEdge<BooleanUse>(node->child1());
2458                 node->convertToIdentity();
2459                 return;
2460             }
2461
2462             if (node->child1()->shouldSpeculateInt32()) {
2463                 fixEdge<Int32Use>(node->child1());
2464                 node->convertToIdentity();
2465                 return;
2466             }
2467
2468             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2469                 fixEdge<Int52RepUse>(node->child1());
2470                 node->convertToIdentity();
2471                 node->setResult(NodeResultInt52);
2472                 return;
2473             }
2474
2475             if (node->child1()->shouldSpeculateNumber()) {
2476                 fixEdge<DoubleRepUse>(node->child1());
2477                 node->convertToIdentity();
2478                 node->setResult(NodeResultDouble);
2479                 return;
2480             }
2481
2482             if (node->child1()->shouldSpeculateSymbol()) {
2483                 fixEdge<SymbolUse>(node->child1());
2484                 node->convertToIdentity();
2485                 return;
2486             }
2487
2488             if (node->child1()->shouldSpeculateStringIdent()) {
2489                 fixEdge<StringIdentUse>(node->child1());
2490                 node->convertToIdentity();
2491                 return;
2492             }
2493
2494             if (node->child1()->shouldSpeculateString()) {
2495                 fixEdge<StringUse>(node->child1());
2496                 node->convertToIdentity();
2497                 return;
2498             }
2499         }
2500
2501         if (node->child1()->shouldSpeculateOther()) {
2502             if (ecmaMode == StrictMode) {
2503                 fixEdge<OtherUse>(node->child1());
2504                 node->convertToIdentity();
2505                 return;
2506             }
2507
2508             m_insertionSet.insertNode(
2509                 m_indexInBlock, SpecNone, Check, node->origin,
2510                 Edge(node->child1().node(), OtherUse));
2511             observeUseKindOnNode<OtherUse>(node->child1().node());
2512             m_graph.convertToConstant(
2513                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2514             return;
2515         }
2516
2517         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2518         // however, since we cover all the missing cases in constant folding.
2519         // https://bugs.webkit.org/show_bug.cgi?id=157213
2520         if (node->child1()->shouldSpeculateStringObject()) {
2521             fixEdge<StringObjectUse>(node->child1());
2522             node->convertToIdentity();
2523             return;
2524         }
2525
2526         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2527             fixEdge<FinalObjectUse>(node->child1());
2528             node->convertToIdentity();
2529             return;
2530         }
2531     }
2532     
2533     void fixupToPrimitive(Node* node)
2534     {
2535         if (node->child1()->shouldSpeculateInt32()) {
2536             fixEdge<Int32Use>(node->child1());
2537             node->convertToIdentity();
2538             return;
2539         }
2540         
2541         if (node->child1()->shouldSpeculateString()) {
2542             fixEdge<StringUse>(node->child1());
2543             node->convertToIdentity();
2544             return;
2545         }
2546         
2547         if (node->child1()->shouldSpeculateStringObject()
2548             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2549             fixEdge<StringObjectUse>(node->child1());
2550             node->convertToToString();
2551             return;
2552         }
2553         
2554         if (node->child1()->shouldSpeculateStringOrStringObject()
2555             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2556             fixEdge<StringOrStringObjectUse>(node->child1());
2557             node->convertToToString();
2558             return;
2559         }
2560     }
2561
2562     void fixupToNumber(Node* node)
2563     {
2564         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2565         if (node->child1()->shouldSpeculateNumber()) {
2566             if (isInt32Speculation(node->getHeapPrediction())) {
2567                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2568                 if (node->child1()->shouldSpeculateInt32()) {
2569                     fixEdge<Int32Use>(node->child1());
2570                     node->convertToIdentity();
2571                     return;
2572                 }
2573
2574                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2575                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2576                 fixEdge<DoubleRepUse>(node->child1());
2577                 node->setOp(DoubleAsInt32);
2578                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2579                     node->setArithMode(Arith::CheckOverflow);
2580                 else
2581                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2582                 return;
2583             }
2584
2585             fixEdge<DoubleRepUse>(node->child1());
2586             node->convertToIdentity();
2587             node->setResult(NodeResultDouble);
2588             return;
2589         }
2590
2591         fixEdge<UntypedUse>(node->child1());
2592         node->setResult(NodeResultJS);
2593     }
2594
2595     void fixupToObject(Node* node)
2596     {
2597         if (node->child1()->shouldSpeculateObject()) {
2598             fixEdge<ObjectUse>(node->child1());
2599             node->convertToIdentity();
2600             return;
2601         }
2602
2603         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2604
2605         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2606
2607         if (node->child1()->shouldSpeculateString()) {
2608             insertCheck<StringUse>(node->child1().node());
2609             fixEdge<KnownStringUse>(node->child1());
2610             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2611             return;
2612         }
2613
2614         if (node->child1()->shouldSpeculateSymbol()) {
2615             insertCheck<SymbolUse>(node->child1().node());
2616             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2617             return;
2618         }
2619
2620         if (node->child1()->shouldSpeculateNumber()) {
2621             insertCheck<NumberUse>(node->child1().node());
2622             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2623             return;
2624         }
2625
2626         if (node->child1()->shouldSpeculateBoolean()) {
2627             insertCheck<BooleanUse>(node->child1().node());
2628             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2629             return;
2630         }
2631
2632         fixEdge<UntypedUse>(node->child1());
2633     }
2634
2635     void fixupCallObjectConstructor(Node* node)
2636     {
2637         if (node->child1()->shouldSpeculateObject()) {
2638             fixEdge<ObjectUse>(node->child1());
2639             node->convertToIdentity();
2640             return;
2641         }
2642
2643         if (node->child1()->shouldSpeculateString()) {
2644             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2645             insertCheck<StringUse>(node->child1().node());
2646             fixEdge<KnownStringUse>(node->child1());
2647             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2648             return;
2649         }
2650
2651         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2652         if (node->child1()->shouldSpeculateOther()) {
2653             insertCheck<OtherUse>(node->child1().node());
2654             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2655             return;
2656         }
2657
2658         fixEdge<UntypedUse>(node->child1());
2659     }
2660     
2661     void fixupToStringOrCallStringConstructor(Node* node)
2662     {
2663         if (node->child1()->shouldSpeculateString()) {
2664             fixEdge<StringUse>(node->child1());
2665             node->convertToIdentity();
2666             return;
2667         }
2668         
2669         if (node->child1()->shouldSpeculateStringObject()
2670             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2671             fixEdge<StringObjectUse>(node->child1());
2672             return;
2673         }
2674         
2675         if (node->child1()->shouldSpeculateStringOrStringObject()
2676             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2677             fixEdge<StringOrStringObjectUse>(node->child1());
2678             return;
2679         }
2680         
2681         if (node->child1()->shouldSpeculateCell()) {
2682             fixEdge<CellUse>(node->child1());
2683             return;
2684         }
2685
2686         if (node->child1()->shouldSpeculateInt32()) {
2687             fixEdge<Int32Use>(node->child1());
2688             node->clearFlags(NodeMustGenerate);
2689             return;
2690         }
2691
2692         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2693             fixEdge<Int52RepUse>(node->child1());
2694             node->clearFlags(NodeMustGenerate);
2695             return;
2696         }
2697
2698         if (node->child1()->shouldSpeculateNumber()) {
2699             fixEdge<DoubleRepUse>(node->child1());
2700             node->clearFlags(NodeMustGenerate);
2701             return;
2702         }
2703
2704         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2705         // we need to care about it in the clobberize. In the following case,
2706         // since NotCellUse edge filter is used and this edge filters Symbols,
2707         // we can say that ToString never throws an error!
2708         if (node->child1()->shouldSpeculateNotCell()) {
2709             fixEdge<NotCellUse>(node->child1());
2710             node->clearFlags(NodeMustGenerate);
2711             return;
2712         }
2713     }
2714
2715     bool attemptToMakeFastStringAdd(Node* node)
2716     {
2717         bool goodToGo = true;
2718         m_graph.doToChildren(
2719             node,
2720             [&] (Edge& edge) {
2721                 if (edge->shouldSpeculateString())
2722                     return;
2723                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2724                     if (edge->shouldSpeculateStringObject())
2725                         return;
2726                     if (edge->shouldSpeculateStringOrStringObject())
2727                         return;
2728                 }
2729                 goodToGo = false;
2730             });
2731         if (!goodToGo)
2732             return false;
2733
2734         m_graph.doToChildren(
2735             node,
2736             [&] (Edge& edge) {
2737                 if (edge->shouldSpeculateString()) {
2738                     convertStringAddUse<StringUse>(node, edge);
2739                     return;
2740                 }
2741                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2742                 if (edge->shouldSpeculateStringObject()) {
2743                     convertStringAddUse<StringObjectUse>(node, edge);
2744                     return;
2745                 }
2746                 if (edge->shouldSpeculateStringOrStringObject()) {
2747                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2748                     return;
2749                 }
2750                 RELEASE_ASSERT_NOT_REACHED();
2751             });
2752         
2753         convertToMakeRope(node);
2754         return true;
2755     }
2756
2757     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2758     {
2759         if (!block)
2760             return;
2761         ASSERT(block->isReachable);
2762         m_block = block;
2763         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2764             Node* node = m_currentNode = block->at(m_indexInBlock);
2765             if (node->op() != SetLocal && node->op() != GetLocal)
2766                 continue;
2767             
2768             VariableAccessData* variable = node->variableAccessData();
2769             switch (node->op()) {
2770             case GetLocal:
2771                 switch (variable->flushFormat()) {
2772                 case FlushedDouble:
2773                     node->setResult(NodeResultDouble);
2774                     break;
2775                 case FlushedInt52:
2776                     node->setResult(NodeResultInt52);
2777                     break;
2778                 default:
2779                     break;
2780                 }
2781                 break;
2782                 
2783             case SetLocal:
2784                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2785                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2786                 
2787                 switch (variable->flushFormat()) {
2788                 case FlushedJSValue:
2789                     break;
2790                 case FlushedDouble:
2791                     fixEdge<DoubleRepUse>(node->child1());
2792                     break;
2793                 case FlushedInt32:
2794                     fixEdge<Int32Use>(node->child1());
2795                     break;
2796                 case FlushedInt52:
2797                     fixEdge<Int52RepUse>(node->child1());
2798                     break;
2799                 case FlushedCell:
2800                     fixEdge<CellUse>(node->child1());
2801                     break;
2802                 case FlushedBoolean:
2803                     fixEdge<BooleanUse>(node->child1());
2804                     break;
2805                 default:
2806                     RELEASE_ASSERT_NOT_REACHED();
2807                     break;
2808                 }
2809                 break;
2810                 
2811             default:
2812                 RELEASE_ASSERT_NOT_REACHED();
2813                 break;
2814             }
2815         }
2816         m_insertionSet.execute(block);
2817     }
2818     
2819     void addStringReplacePrimordialChecks(Node* searchRegExp)
2820     {
2821         Node* node = m_currentNode;
2822
2823         // Check that structure of searchRegExp is RegExp object
2824         m_insertionSet.insertNode(
2825             m_indexInBlock, SpecNone, Check, node->origin,
2826             Edge(searchRegExp, RegExpObjectUse));
2827
2828         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2829             unsigned index = m_graph.identifiers().ensure(propertyUID);
2830
2831             Node* actualProperty = m_insertionSet.insertNode(
2832                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2833                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2834
2835             m_insertionSet.insertNode(
2836                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2837                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2838         };
2839
2840         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2841
2842         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2843         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2844         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2845         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2846         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2847         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2848         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2849         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2850     }
2851
2852     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2853     {
2854         ASSERT(arrayMode.isSpecific());
2855         
2856         if (arrayMode.type() == Array::String) {
2857             m_insertionSet.insertNode(
2858                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2859         } else {
2860             // Note that we only need to be using a structure check if we opt for SaneChain, since
2861             // that needs to protect against JSArray's __proto__ being changed.
2862             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2863         
2864             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2865             
2866             if (arrayMode.doesConversion()) {
2867                 if (structure) {
2868                     m_insertionSet.insertNode(
2869                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2870                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2871                 } else {
2872                     m_insertionSet.insertNode(
2873                         m_indexInBlock, SpecNone, Arrayify, origin,
2874                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2875                 }
2876             } else {
2877                 if (structure) {
2878                     m_insertionSet.insertNode(
2879                         m_indexInBlock, SpecNone, CheckStructure, origin,
2880                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2881                 } else {
2882                     m_insertionSet.insertNode(
2883                         m_indexInBlock, SpecNone, CheckArray, origin,
2884                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2885                 }
2886             }
2887         }
2888         
2889         if (!storageCheck(arrayMode))
2890             return nullptr;
2891         
2892         if (arrayMode.usesButterfly()) {
2893             return m_insertionSet.insertNode(
2894                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2895         }
2896         
2897         return m_insertionSet.insertNode(
2898             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2899             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2900     }
2901     
2902     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2903     {
2904         Node* node = m_currentNode;
2905         
2906         switch (node->arrayMode().type()) {
2907         case Array::ForceExit: {
2908             m_insertionSet.insertNode(
2909                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2910             return;
2911         }
2912             
2913         case Array::SelectUsingPredictions:
2914         case Array::Unprofiled:
2915             RELEASE_ASSERT_NOT_REACHED();
2916             return;
2917             
2918         case Array::Generic:
2919             return;
2920             
2921         default: {
2922             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2923             if (!storage)
2924                 return;
2925             
2926             storageChild = Edge(storage);
2927             return;
2928         } }
2929     }
2930     
2931     bool alwaysUnboxSimplePrimitives()
2932     {
2933 #if USE(JSVALUE64)
2934         return false;
2935 #else
2936         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2937         // reduces traffic.
2938         return true;
2939 #endif
2940     }
2941
2942     template<UseKind useKind>
2943     void observeUseKindOnNode(Node* node)
2944     {
2945         if (useKind == UntypedUse)
2946             return;
2947         observeUseKindOnNode(node, useKind);
2948     }
2949
2950     void observeUseKindOnEdge(Edge edge)
2951     {
2952         observeUseKindOnNode(edge.node(), edge.useKind());
2953     }
2954
2955     void observeUseKindOnNode(Node* node, UseKind useKind)
2956     {
2957         if (node->op() != GetLocal)
2958             return;
2959         
2960         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2961         // https://bugs.webkit.org/show_bug.cgi?id=121518
2962         
2963         VariableAccessData* variable = node->variableAccessData();
2964         switch (useKind) {
2965         case Int32Use:
2966         case KnownInt32Use:
2967             if (alwaysUnboxSimplePrimitives()
2968                 || isInt32Speculation(variable->prediction()))
2969                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2970             break;
2971         case NumberUse:
2972         case RealNumberUse:
2973         case DoubleRepUse:
2974         case DoubleRepRealUse:
2975             if (variable->doubleFormatState() == UsingDoubleFormat)
2976                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2977             break;
2978         case BooleanUse:
2979         case KnownBooleanUse:
2980             if (alwaysUnboxSimplePrimitives()
2981                 || isBooleanSpeculation(variable->prediction()))
2982                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2983             break;
2984         case Int52RepUse:
2985             if (isAnyIntSpeculation(variable->prediction()))
2986                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2987             break;
2988         case CellUse:
2989         case KnownCellUse:
2990         case ObjectUse:
2991         case FunctionUse:
2992         case StringUse:
2993         case KnownStringUse:
2994         case SymbolUse:
2995         case StringObjectUse:
2996         case StringOrStringObjectUse:
2997             if (alwaysUnboxSimplePrimitives()
2998                 || isCellSpeculation(variable->prediction()))
2999                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3000             break;
3001         default:
3002             break;
3003         }
3004     }
3005     
3006     template<UseKind useKind>
3007     void fixEdge(Edge& edge)
3008     {
3009         observeUseKindOnNode<useKind>(edge.node());
3010         edge.setUseKind(useKind);
3011     }
3012     
3013     unsigned indexForChecks()
3014     {
3015         unsigned index = m_indexInBlock;
3016         while (!m_block->at(index)->origin.exitOK)
3017             index--;
3018         return index;
3019     }
3020     
3021     NodeOrigin originForCheck(unsigned index)
3022     {
3023         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3024     }
3025     
3026     void speculateForBarrier(Edge value)
3027     {
3028         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3029         // the DFG anyway because if such a speculation would be wrong, we want to know before
3030         // we do an expensive compile.
3031         
3032         if (value->shouldSpeculateInt32()) {
3033             insertCheck<Int32Use>(value.node());
3034             return;
3035         }
3036             
3037         if (value->shouldSpeculateBoolean()) {
3038             insertCheck<BooleanUse>(value.node());
3039             return;
3040         }
3041             
3042         if (value->shouldSpeculateOther()) {
3043             insertCheck<OtherUse>(value.node());
3044             return;
3045         }
3046             
3047         if (value->shouldSpeculateNumber()) {
3048             insertCheck<NumberUse>(value.node());
3049             return;
3050         }
3051             
3052         if (value->shouldSpeculateNotCell()) {
3053             insertCheck<NotCellUse>(value.node());
3054             return;
3055         }
3056     }
3057     
3058     template<UseKind useKind>
3059     void insertCheck(Node* node)
3060     {
3061         observeUseKindOnNode<useKind>(node);
3062         unsigned index = indexForChecks();
3063         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3064     }
3065
3066     void fixIntConvertingEdge(Edge& edge)
3067     {
3068         Node* node = edge.node();
3069         if (node->shouldSpeculateInt32OrBoolean()) {
3070             fixIntOrBooleanEdge(edge);
3071             return;
3072         }
3073