5b0de12fa5067183c6b886f11fc0cb04980cb91c
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupArithMul(Node* node, Edge& leftChild, Edge& rightChild)
80     {
81         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
82             fixIntOrBooleanEdge(leftChild);
83             fixIntOrBooleanEdge(rightChild);
84             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
85                 node->setArithMode(Arith::Unchecked);
86             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
87                 node->setArithMode(Arith::CheckOverflow);
88             else
89                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
90             return;
91         }
92         if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
93             fixEdge<Int52RepUse>(leftChild);
94             fixEdge<Int52RepUse>(rightChild);
95             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
96                 node->setArithMode(Arith::CheckOverflow);
97             else
98                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
99             node->setResult(NodeResultInt52);
100             return;
101         }
102
103         fixDoubleOrBooleanEdge(leftChild);
104         fixDoubleOrBooleanEdge(rightChild);
105         node->setResult(NodeResultDouble);
106     }
107
108     void fixupBlock(BasicBlock* block)
109     {
110         if (!block)
111             return;
112         ASSERT(block->isReachable);
113         m_block = block;
114         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
115             m_currentNode = block->at(m_indexInBlock);
116             fixupNode(m_currentNode);
117         }
118         m_insertionSet.execute(block);
119     }
120     
121     void fixupNode(Node* node)
122     {
123         NodeType op = node->op();
124
125         switch (op) {
126         case SetLocal: {
127             // This gets handled by fixupGetAndSetLocalsInBlock().
128             return;
129         }
130
131         case ValueSub: {
132             Edge& child1 = node->child1();
133             Edge& child2 = node->child2();
134
135             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
136                 fixEdge<BigIntUse>(child1);
137                 fixEdge<BigIntUse>(child2);
138                 break; 
139             }
140             
141             if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
142                 fixEdge<UntypedUse>(child1);
143                 fixEdge<UntypedUse>(child2);
144                 break;
145             }
146
147             if (attemptToMakeIntegerAdd(node)) {
148                 // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
149                 // https://bugs.webkit.org/show_bug.cgi?id=190607
150                 node->setOp(ArithSub);
151                 break;
152             }
153
154             fixDoubleOrBooleanEdge(node->child1());
155             fixDoubleOrBooleanEdge(node->child2());
156             node->setOp(ArithSub);
157             node->setResult(NodeResultDouble);
158
159             break;
160         }
161
162         case ValueBitXor:
163         case ValueBitOr:
164         case ValueBitAnd: {
165             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
166                 fixEdge<BigIntUse>(node->child1());
167                 fixEdge<BigIntUse>(node->child2());
168                 break;
169             }
170
171             fixEdge<UntypedUse>(node->child1());
172             fixEdge<UntypedUse>(node->child2());
173             break;
174         }
175
176         case ArithBitNot: {
177             if (node->child1().node()->shouldSpeculateUntypedForBitOps()) {
178                 fixEdge<UntypedUse>(node->child1());
179                 break;
180             }
181
182             fixIntConvertingEdge(node->child1());
183             node->clearFlags(NodeMustGenerate);
184             break;
185         }
186
187         case ArithBitXor:
188         case ArithBitOr:
189         case ArithBitAnd: {
190             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
191                 fixEdge<UntypedUse>(node->child1());
192                 fixEdge<UntypedUse>(node->child2());
193                 switch (op) {
194                 case ArithBitXor:
195                     node->setOpAndDefaultFlags(ValueBitXor);
196                     break;
197                 case ArithBitOr:
198                     node->setOpAndDefaultFlags(ValueBitOr);
199                     break;
200                 case ArithBitAnd:
201                     node->setOpAndDefaultFlags(ValueBitAnd);
202                     break;
203                 default:
204                     DFG_CRASH(m_graph, node, "Unexpected node during ArithBit operation fixup");
205                     break;
206                 }
207                 break;
208             }
209
210             fixIntConvertingEdge(node->child1());
211             fixIntConvertingEdge(node->child2());
212             break;
213         }
214
215         case BitRShift:
216         case BitLShift:
217         case BitURShift: {
218             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
219                 fixEdge<UntypedUse>(node->child1());
220                 fixEdge<UntypedUse>(node->child2());
221                 break;
222             }
223             fixIntConvertingEdge(node->child1());
224             fixIntConvertingEdge(node->child2());
225             break;
226         }
227
228         case ArithIMul: {
229             fixIntConvertingEdge(node->child1());
230             fixIntConvertingEdge(node->child2());
231             node->setOp(ArithMul);
232             node->setArithMode(Arith::Unchecked);
233             node->child1().setUseKind(Int32Use);
234             node->child2().setUseKind(Int32Use);
235             break;
236         }
237
238         case ArithClz32: {
239             if (node->child1()->shouldSpeculateNotCell()) {
240                 fixIntConvertingEdge(node->child1());
241                 node->clearFlags(NodeMustGenerate);
242             } else
243                 fixEdge<UntypedUse>(node->child1());
244             break;
245         }
246             
247         case UInt32ToNumber: {
248             fixIntConvertingEdge(node->child1());
249             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
250                 node->convertToIdentity();
251             else if (node->canSpeculateInt32(FixupPass))
252                 node->setArithMode(Arith::CheckOverflow);
253             else {
254                 node->setArithMode(Arith::DoOverflow);
255                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
256             }
257             break;
258         }
259
260         case ValueNegate: {
261             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
262                 node->setOp(ArithNegate);
263                 fixIntOrBooleanEdge(node->child1());
264                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
265                     node->setArithMode(Arith::Unchecked);
266                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
267                     node->setArithMode(Arith::CheckOverflow);
268                 else
269                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
270                 node->setResult(NodeResultInt32);
271                 node->clearFlags(NodeMustGenerate);
272                 break;
273             }
274             
275             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
276                 node->setOp(ArithNegate);
277                 fixEdge<Int52RepUse>(node->child1());
278                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
279                     node->setArithMode(Arith::CheckOverflow);
280                 else
281                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
282                 node->setResult(NodeResultInt52);
283                 node->clearFlags(NodeMustGenerate);
284                 break;
285             }
286             if (node->child1()->shouldSpeculateNotCell()) {
287                 node->setOp(ArithNegate);
288                 fixDoubleOrBooleanEdge(node->child1());
289                 node->setResult(NodeResultDouble);
290                 node->clearFlags(NodeMustGenerate);
291             } else {
292                 fixEdge<UntypedUse>(node->child1());
293                 node->setResult(NodeResultJS);
294             }
295             break;
296         }
297
298         case ValueAdd: {
299             if (attemptToMakeIntegerAdd(node)) {
300                 node->setOp(ArithAdd);
301                 break;
302             }
303             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
304                 fixDoubleOrBooleanEdge(node->child1());
305                 fixDoubleOrBooleanEdge(node->child2());
306                 node->setOp(ArithAdd);
307                 node->setResult(NodeResultDouble);
308                 break;
309             }
310             
311             if (attemptToMakeFastStringAdd(node))
312                 break;
313
314             Edge& child1 = node->child1();
315             Edge& child2 = node->child2();
316             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
317                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
318                     auto convertString = [&](Node* node, Edge& edge) {
319                         if (edge->shouldSpeculateInt32())
320                             convertStringAddUse<Int32Use>(node, edge);
321                         else {
322                             ASSERT(edge->shouldSpeculateString());
323                             convertStringAddUse<StringUse>(node, edge);
324                         }
325                     };
326                     convertString(node, child1);
327                     convertString(node, child2);
328                     convertToMakeRope(node);
329                     break;
330                 }
331             }
332
333             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
334                 fixEdge<BigIntUse>(child1);
335                 fixEdge<BigIntUse>(child2);
336             } else {
337                 fixEdge<UntypedUse>(child1);
338                 fixEdge<UntypedUse>(child2);
339             }
340
341             node->setResult(NodeResultJS);
342             break;
343         }
344
345         case StrCat: {
346             if (attemptToMakeFastStringAdd(node))
347                 break;
348
349             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
350             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
351             // the implementation of StrCat doesn't dynamically optimize for empty strings.
352             // https://bugs.webkit.org/show_bug.cgi?id=148540
353             m_graph.doToChildren(
354                 node,
355                 [&] (Edge& edge) {
356                     fixEdge<KnownPrimitiveUse>(edge);
357                     // StrCat automatically coerces the values into strings before concatenating them.
358                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
359                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
360                     // our runtime functions for this slow path expect that they will never be passed
361                     // Symbols.
362                     m_insertionSet.insertNode(
363                         m_indexInBlock, SpecNone, Check, node->origin,
364                         Edge(edge.node(), NotSymbolUse));
365                 });
366             break;
367         }
368             
369         case MakeRope: {
370             fixupMakeRope(node);
371             break;
372         }
373             
374         case ArithAdd:
375         case ArithSub: {
376             // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
377             // https://bugs.webkit.org/show_bug.cgi?id=190607
378             if (attemptToMakeIntegerAdd(node))
379                 break;
380             fixDoubleOrBooleanEdge(node->child1());
381             fixDoubleOrBooleanEdge(node->child2());
382             node->setResult(NodeResultDouble);
383             break;
384         }
385             
386         case ArithNegate: {
387             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
388                 fixIntOrBooleanEdge(node->child1());
389                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
390                     node->setArithMode(Arith::Unchecked);
391                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
392                     node->setArithMode(Arith::CheckOverflow);
393                 else
394                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
395                 node->setResult(NodeResultInt32);
396                 node->clearFlags(NodeMustGenerate);
397                 break;
398             }
399             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
400                 fixEdge<Int52RepUse>(node->child1());
401                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
402                     node->setArithMode(Arith::CheckOverflow);
403                 else
404                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
405                 node->setResult(NodeResultInt52);
406                 node->clearFlags(NodeMustGenerate);
407                 break;
408             }
409
410             fixDoubleOrBooleanEdge(node->child1());
411             node->setResult(NodeResultDouble);
412             node->clearFlags(NodeMustGenerate);
413             break;
414         }
415
416         case ValueMul: {
417             Edge& leftChild = node->child1();
418             Edge& rightChild = node->child2();
419
420             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
421                 fixEdge<BigIntUse>(node->child1());
422                 fixEdge<BigIntUse>(node->child2());
423                 break;
424             }
425
426             // There are cases where we can have BigInt + Int32 operands reaching ValueMul.
427             // Imagine the scenario where ValueMul was never executed, but we can predict types
428             // reaching the node:
429             //
430             // 63: GetLocal(Check:Untyped:@72, JS|MustGen, NonBoolInt32, ...)  predicting NonBoolInt32
431             // 64: GetLocal(Check:Untyped:@71, JS|MustGen, BigInt, ...)  predicting BigInt
432             // 65: ValueMul(Check:Untyped:@63, Check:Untyped:@64, BigInt|BoolInt32|NonBoolInt32, ...)
433             // 
434             // In such scenario, we need to emit ValueMul(Untyped, Untyped), so the runtime can throw 
435             // an exception whenever it gets excuted.
436             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
437                 fixEdge<UntypedUse>(leftChild);
438                 fixEdge<UntypedUse>(rightChild);
439                 break;
440             }
441
442             // At this point, all other possible specializations are only handled by ArithMul.
443             node->setOp(ArithMul);
444             node->setResult(NodeResultNumber);
445             fixupArithMul(node, leftChild, rightChild);
446             break;
447         }
448
449         case ArithMul: {
450             Edge& leftChild = node->child1();
451             Edge& rightChild = node->child2();
452
453             fixupArithMul(node, leftChild, rightChild);
454             break;
455         }
456
457         case ArithDiv:
458         case ArithMod: {
459             Edge& leftChild = node->child1();
460             Edge& rightChild = node->child2();
461             if (op == ArithDiv
462                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
463                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
464                 fixEdge<UntypedUse>(leftChild);
465                 fixEdge<UntypedUse>(rightChild);
466                 node->setResult(NodeResultJS);
467                 break;
468             }
469             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
470                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
471                     fixIntOrBooleanEdge(leftChild);
472                     fixIntOrBooleanEdge(rightChild);
473                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
474                         node->setArithMode(Arith::Unchecked);
475                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
476                         node->setArithMode(Arith::CheckOverflow);
477                     else
478                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
479                     break;
480                 }
481                 
482                 // This will cause conversion nodes to be inserted later.
483                 fixDoubleOrBooleanEdge(leftChild);
484                 fixDoubleOrBooleanEdge(rightChild);
485                 
486                 // We don't need to do ref'ing on the children because we're stealing them from
487                 // the original division.
488                 Node* newDivision = m_insertionSet.insertNode(
489                     m_indexInBlock, SpecBytecodeDouble, *node);
490                 newDivision->setResult(NodeResultDouble);
491                 
492                 node->setOp(DoubleAsInt32);
493                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
494                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
495                     node->setArithMode(Arith::CheckOverflow);
496                 else
497                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
498                 break;
499             }
500             fixDoubleOrBooleanEdge(leftChild);
501             fixDoubleOrBooleanEdge(rightChild);
502             node->setResult(NodeResultDouble);
503             break;
504         }
505             
506         case ArithMin:
507         case ArithMax: {
508             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
509                 fixIntOrBooleanEdge(node->child1());
510                 fixIntOrBooleanEdge(node->child2());
511                 break;
512             }
513             fixDoubleOrBooleanEdge(node->child1());
514             fixDoubleOrBooleanEdge(node->child2());
515             node->setResult(NodeResultDouble);
516             break;
517         }
518             
519         case ArithAbs: {
520             if (node->child1()->shouldSpeculateInt32OrBoolean()
521                 && node->canSpeculateInt32(FixupPass)) {
522                 fixIntOrBooleanEdge(node->child1());
523                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
524                     node->setArithMode(Arith::Unchecked);
525                 else
526                     node->setArithMode(Arith::CheckOverflow);
527                 node->clearFlags(NodeMustGenerate);
528                 node->setResult(NodeResultInt32);
529                 break;
530             }
531
532             if (node->child1()->shouldSpeculateNotCell()) {
533                 fixDoubleOrBooleanEdge(node->child1());
534                 node->clearFlags(NodeMustGenerate);
535             } else
536                 fixEdge<UntypedUse>(node->child1());
537             node->setResult(NodeResultDouble);
538             break;
539         }
540
541         case ArithPow: {
542             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
543                 fixDoubleOrBooleanEdge(node->child1());
544                 fixIntOrBooleanEdge(node->child2());
545                 break;
546             }
547
548             fixDoubleOrBooleanEdge(node->child1());
549             fixDoubleOrBooleanEdge(node->child2());
550             break;
551         }
552
553         case ArithRandom: {
554             node->setResult(NodeResultDouble);
555             break;
556         }
557
558         case ArithRound:
559         case ArithFloor:
560         case ArithCeil:
561         case ArithTrunc: {
562             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
563                 fixIntOrBooleanEdge(node->child1());
564                 insertCheck<Int32Use>(node->child1().node());
565                 node->convertToIdentity();
566                 break;
567             }
568             if (node->child1()->shouldSpeculateNotCell()) {
569                 fixDoubleOrBooleanEdge(node->child1());
570
571                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
572                     node->setResult(NodeResultInt32);
573                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
574                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
575                     else
576                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
577                 } else {
578                     node->setResult(NodeResultDouble);
579                     node->setArithRoundingMode(Arith::RoundingMode::Double);
580                 }
581                 node->clearFlags(NodeMustGenerate);
582             } else
583                 fixEdge<UntypedUse>(node->child1());
584             break;
585         }
586
587         case ArithFRound:
588         case ArithSqrt:
589         case ArithUnary: {
590             Edge& child1 = node->child1();
591             if (child1->shouldSpeculateNotCell()) {
592                 fixDoubleOrBooleanEdge(child1);
593                 node->clearFlags(NodeMustGenerate);
594             } else
595                 fixEdge<UntypedUse>(child1);
596             break;
597         }
598             
599         case LogicalNot: {
600             if (node->child1()->shouldSpeculateBoolean()) {
601                 if (node->child1()->result() == NodeResultBoolean) {
602                     // This is necessary in case we have a bytecode instruction implemented by:
603                     //
604                     // a: CompareEq(...)
605                     // b: LogicalNot(@a)
606                     //
607                     // In that case, CompareEq might have a side-effect. Then, we need to make
608                     // sure that we know that Branch does not exit.
609                     fixEdge<KnownBooleanUse>(node->child1());
610                 } else
611                     fixEdge<BooleanUse>(node->child1());
612             } else if (node->child1()->shouldSpeculateObjectOrOther())
613                 fixEdge<ObjectOrOtherUse>(node->child1());
614             else if (node->child1()->shouldSpeculateInt32OrBoolean())
615                 fixIntOrBooleanEdge(node->child1());
616             else if (node->child1()->shouldSpeculateNumber())
617                 fixEdge<DoubleRepUse>(node->child1());
618             else if (node->child1()->shouldSpeculateString())
619                 fixEdge<StringUse>(node->child1());
620             else if (node->child1()->shouldSpeculateStringOrOther())
621                 fixEdge<StringOrOtherUse>(node->child1());
622             else {
623                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
624                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
625                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
626             }
627             break;
628         }
629
630         case CompareEq:
631         case CompareLess:
632         case CompareLessEq:
633         case CompareGreater:
634         case CompareGreaterEq: {
635             if (node->op() == CompareEq
636                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
637                 fixEdge<BooleanUse>(node->child1());
638                 fixEdge<BooleanUse>(node->child2());
639                 node->clearFlags(NodeMustGenerate);
640                 break;
641             }
642             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
643                 fixIntOrBooleanEdge(node->child1());
644                 fixIntOrBooleanEdge(node->child2());
645                 node->clearFlags(NodeMustGenerate);
646                 break;
647             }
648             if (enableInt52()
649                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
650                 fixEdge<Int52RepUse>(node->child1());
651                 fixEdge<Int52RepUse>(node->child2());
652                 node->clearFlags(NodeMustGenerate);
653                 break;
654             }
655             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
656                 fixDoubleOrBooleanEdge(node->child1());
657                 fixDoubleOrBooleanEdge(node->child2());
658             }
659             if (node->op() != CompareEq
660                 && node->child1()->shouldSpeculateNotCell()
661                 && node->child2()->shouldSpeculateNotCell()) {
662                 if (node->child1()->shouldSpeculateNumberOrBoolean())
663                     fixDoubleOrBooleanEdge(node->child1());
664                 else
665                     fixEdge<DoubleRepUse>(node->child1());
666                 if (node->child2()->shouldSpeculateNumberOrBoolean())
667                     fixDoubleOrBooleanEdge(node->child2());
668                 else
669                     fixEdge<DoubleRepUse>(node->child2());
670                 node->clearFlags(NodeMustGenerate);
671                 break;
672             }
673             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
674                 fixEdge<StringIdentUse>(node->child1());
675                 fixEdge<StringIdentUse>(node->child2());
676                 node->clearFlags(NodeMustGenerate);
677                 break;
678             }
679             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
680                 fixEdge<StringUse>(node->child1());
681                 fixEdge<StringUse>(node->child2());
682                 node->clearFlags(NodeMustGenerate);
683                 break;
684             }
685
686             if (node->op() != CompareEq)
687                 break;
688             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
689                 fixEdge<SymbolUse>(node->child1());
690                 fixEdge<SymbolUse>(node->child2());
691                 node->clearFlags(NodeMustGenerate);
692                 break;
693             }
694             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
695                 fixEdge<ObjectUse>(node->child1());
696                 fixEdge<ObjectUse>(node->child2());
697                 node->clearFlags(NodeMustGenerate);
698                 break;
699             }
700
701             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
702             bool oneArgumentIsUsedAsSpecOther = false;
703             if (node->child1()->isUndefinedOrNullConstant()) {
704                 fixEdge<KnownOtherUse>(node->child1());
705                 oneArgumentIsUsedAsSpecOther = true;
706             } else if (node->child1()->shouldSpeculateOther()) {
707                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
708                     Edge(node->child1().node(), OtherUse));
709                 fixEdge<KnownOtherUse>(node->child1());
710                 oneArgumentIsUsedAsSpecOther = true;
711             }
712             if (node->child2()->isUndefinedOrNullConstant()) {
713                 fixEdge<KnownOtherUse>(node->child2());
714                 oneArgumentIsUsedAsSpecOther = true;
715             } else if (node->child2()->shouldSpeculateOther()) {
716                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
717                     Edge(node->child2().node(), OtherUse));
718                 fixEdge<KnownOtherUse>(node->child2());
719                 oneArgumentIsUsedAsSpecOther = true;
720             }
721             if (oneArgumentIsUsedAsSpecOther) {
722                 node->clearFlags(NodeMustGenerate);
723                 break;
724             }
725
726             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
727                 fixEdge<ObjectUse>(node->child1());
728                 fixEdge<ObjectOrOtherUse>(node->child2());
729                 node->clearFlags(NodeMustGenerate);
730                 break;
731             }
732             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
733                 fixEdge<ObjectOrOtherUse>(node->child1());
734                 fixEdge<ObjectUse>(node->child2());
735                 node->clearFlags(NodeMustGenerate);
736                 break;
737             }
738
739             break;
740         }
741             
742         case CompareStrictEq:
743         case SameValue: {
744             fixupCompareStrictEqAndSameValue(node);
745             break;
746         }
747
748         case StringFromCharCode:
749             if (node->child1()->shouldSpeculateInt32()) {
750                 fixEdge<Int32Use>(node->child1());
751                 node->clearFlags(NodeMustGenerate);
752             } else
753                 fixEdge<UntypedUse>(node->child1());
754             break;
755
756         case StringCharAt:
757         case StringCharCodeAt: {
758             // Currently we have no good way of refining these.
759             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
760             blessArrayOperation(node->child1(), node->child2(), node->child3());
761             fixEdge<KnownCellUse>(node->child1());
762             fixEdge<Int32Use>(node->child2());
763             break;
764         }
765
766         case GetByVal: {
767             if (!node->prediction()) {
768                 m_insertionSet.insertNode(
769                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
770             }
771             
772             node->setArrayMode(
773                 node->arrayMode().refine(
774                     m_graph, node,
775                     m_graph.varArgChild(node, 0)->prediction(),
776                     m_graph.varArgChild(node, 1)->prediction(),
777                     SpecNone));
778             
779             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
780             
781             ArrayMode arrayMode = node->arrayMode();
782             switch (arrayMode.type()) {
783             case Array::Contiguous:
784             case Array::Double:
785                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
786                     // Check if SaneChain will work on a per-type basis. Note that:
787                     //
788                     // 1) We don't want double arrays to sometimes return undefined, since
789                     // that would require a change to the return type and it would pessimise
790                     // things a lot. So, we'd only want to do that if we actually had
791                     // evidence that we could read from a hole. That's pretty annoying.
792                     // Likely the best way to handle that case is with an equivalent of
793                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
794                     // NaN are indistinguishable according to backwards propagation, and just
795                     // use SaneChain in that case. This happens to catch a lot of cases.
796                     //
797                     // 2) We don't want int32 array loads to have to do a hole check just to
798                     // coerce to Undefined, since that would mean twice the checks.
799                     //
800                     // This has two implications. First, we have to do more checks than we'd
801                     // like. It's unfortunate that we have to do the hole check. Second,
802                     // some accesses that hit a hole will now need to take the full-blown
803                     // out-of-bounds slow path. We can fix that with:
804                     // https://bugs.webkit.org/show_bug.cgi?id=144668
805                     
806                     bool canDoSaneChain = false;
807                     switch (arrayMode.type()) {
808                     case Array::Contiguous:
809                         // This is happens to be entirely natural. We already would have
810                         // returned any JSValue, and now we'll return Undefined. We still do
811                         // the check but it doesn't require taking any kind of slow path.
812                         canDoSaneChain = true;
813                         break;
814                         
815                     case Array::Double:
816                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
817                             // Holes look like NaN already, so if the user doesn't care
818                             // about the difference between Undefined and NaN then we can
819                             // do this.
820                             canDoSaneChain = true;
821                         }
822                         break;
823                         
824                     default:
825                         break;
826                     }
827                     
828                     if (canDoSaneChain) {
829                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
830                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
831                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
832                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
833                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
834                             && globalObject->arrayPrototypeChainIsSane()) {
835                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
836                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
837                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
838                         }
839                     }
840                 }
841                 break;
842                 
843             case Array::String:
844                 if ((node->prediction() & ~SpecString)
845                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
846                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
847                 break;
848                 
849             default:
850                 break;
851             }
852             
853             arrayMode = node->arrayMode();
854             switch (arrayMode.type()) {
855             case Array::SelectUsingPredictions:
856             case Array::Unprofiled:
857                 RELEASE_ASSERT_NOT_REACHED();
858                 break;
859             case Array::Generic:
860                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
861                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
862                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
863                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
864                         break;
865                     }
866
867                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
868                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
869                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
870                         break;
871                     }
872                 }
873 #if USE(JSVALUE32_64)
874                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
875 #endif
876                 break;
877             case Array::ForceExit:
878                 break;
879             default:
880                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
881                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
882                 break;
883             }
884             
885             switch (arrayMode.type()) {
886             case Array::Double:
887                 if (!arrayMode.isOutOfBounds())
888                     node->setResult(NodeResultDouble);
889                 break;
890                 
891             case Array::Float32Array:
892             case Array::Float64Array:
893                 node->setResult(NodeResultDouble);
894                 break;
895                 
896             case Array::Uint32Array:
897                 if (node->shouldSpeculateInt32())
898                     break;
899                 if (node->shouldSpeculateAnyInt() && enableInt52())
900                     node->setResult(NodeResultInt52);
901                 else
902                     node->setResult(NodeResultDouble);
903                 break;
904                 
905             default:
906                 break;
907             }
908             
909             break;
910         }
911
912         case PutByValDirect:
913         case PutByVal:
914         case PutByValAlias: {
915             Edge& child1 = m_graph.varArgChild(node, 0);
916             Edge& child2 = m_graph.varArgChild(node, 1);
917             Edge& child3 = m_graph.varArgChild(node, 2);
918
919             node->setArrayMode(
920                 node->arrayMode().refine(
921                     m_graph, node,
922                     child1->prediction(),
923                     child2->prediction(),
924                     child3->prediction()));
925             
926             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
927             
928             switch (node->arrayMode().modeForPut().type()) {
929             case Array::SelectUsingPredictions:
930             case Array::SelectUsingArguments:
931             case Array::Unprofiled:
932             case Array::Undecided:
933                 RELEASE_ASSERT_NOT_REACHED();
934                 break;
935             case Array::ForceExit:
936             case Array::Generic:
937                 if (child1->shouldSpeculateCell()) {
938                     if (child2->shouldSpeculateString()) {
939                         fixEdge<CellUse>(child1);
940                         fixEdge<StringUse>(child2);
941                         break;
942                     }
943
944                     if (child2->shouldSpeculateSymbol()) {
945                         fixEdge<CellUse>(child1);
946                         fixEdge<SymbolUse>(child2);
947                         break;
948                     }
949                 }
950 #if USE(JSVALUE32_64)
951                 // Due to register pressure on 32-bit, we speculate cell and
952                 // ignore the base-is-not-cell case entirely by letting the
953                 // baseline JIT handle it.
954                 fixEdge<CellUse>(child1);
955 #endif
956                 break;
957             case Array::Int32:
958                 fixEdge<KnownCellUse>(child1);
959                 fixEdge<Int32Use>(child2);
960                 fixEdge<Int32Use>(child3);
961                 break;
962             case Array::Double:
963                 fixEdge<KnownCellUse>(child1);
964                 fixEdge<Int32Use>(child2);
965                 fixEdge<DoubleRepRealUse>(child3);
966                 break;
967             case Array::Int8Array:
968             case Array::Int16Array:
969             case Array::Int32Array:
970             case Array::Uint8Array:
971             case Array::Uint8ClampedArray:
972             case Array::Uint16Array:
973             case Array::Uint32Array:
974                 fixEdge<KnownCellUse>(child1);
975                 fixEdge<Int32Use>(child2);
976                 if (child3->shouldSpeculateInt32())
977                     fixIntOrBooleanEdge(child3);
978                 else if (child3->shouldSpeculateAnyInt())
979                     fixEdge<Int52RepUse>(child3);
980                 else
981                     fixDoubleOrBooleanEdge(child3);
982                 break;
983             case Array::Float32Array:
984             case Array::Float64Array:
985                 fixEdge<KnownCellUse>(child1);
986                 fixEdge<Int32Use>(child2);
987                 fixDoubleOrBooleanEdge(child3);
988                 break;
989             case Array::Contiguous:
990             case Array::ArrayStorage:
991             case Array::SlowPutArrayStorage:
992                 fixEdge<KnownCellUse>(child1);
993                 fixEdge<Int32Use>(child2);
994                 speculateForBarrier(child3);
995                 break;
996             default:
997                 fixEdge<KnownCellUse>(child1);
998                 fixEdge<Int32Use>(child2);
999                 break;
1000             }
1001             break;
1002         }
1003             
1004         case AtomicsAdd:
1005         case AtomicsAnd:
1006         case AtomicsCompareExchange:
1007         case AtomicsExchange:
1008         case AtomicsLoad:
1009         case AtomicsOr:
1010         case AtomicsStore:
1011         case AtomicsSub:
1012         case AtomicsXor: {
1013             Edge& base = m_graph.child(node, 0);
1014             Edge& index = m_graph.child(node, 1);
1015             
1016             bool badNews = false;
1017             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1018                 Edge& child = m_graph.child(node, 2 + i);
1019                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
1020                 // just call the function when that happens. But the FTL is totally cool with those
1021                 // conversions.
1022                 if (!child->shouldSpeculateInt32()
1023                     && !child->shouldSpeculateAnyInt()
1024                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
1025                     badNews = true;
1026             }
1027             
1028             if (badNews) {
1029                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
1030                 break;
1031             }
1032             
1033             node->setArrayMode(
1034                 node->arrayMode().refine(
1035                     m_graph, node, base->prediction(), index->prediction()));
1036             
1037             if (node->arrayMode().type() == Array::Generic)
1038                 break;
1039             
1040             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1041                 Edge& child = m_graph.child(node, 2 + i);
1042                 if (child->shouldSpeculateInt32())
1043                     fixIntOrBooleanEdge(child);
1044                 else if (child->shouldSpeculateAnyInt())
1045                     fixEdge<Int52RepUse>(child);
1046                 else {
1047                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
1048                     fixDoubleOrBooleanEdge(child);
1049                 }
1050             }
1051             
1052             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
1053             fixEdge<CellUse>(base);
1054             fixEdge<Int32Use>(index);
1055             
1056             if (node->arrayMode().type() == Array::Uint32Array) {
1057                 // NOTE: This means basically always doing Int52.
1058                 if (node->shouldSpeculateAnyInt() && enableInt52())
1059                     node->setResult(NodeResultInt52);
1060                 else
1061                     node->setResult(NodeResultDouble);
1062             }
1063             break;
1064         }
1065             
1066         case AtomicsIsLockFree:
1067             if (node->child1()->shouldSpeculateInt32())
1068                 fixIntOrBooleanEdge(node->child1());
1069             break;
1070             
1071         case ArrayPush: {
1072             // May need to refine the array mode in case the value prediction contravenes
1073             // the array prediction. For example, we may have evidence showing that the
1074             // array is in Int32 mode, but the value we're storing is likely to be a double.
1075             // Then we should turn this into a conversion to Double array followed by the
1076             // push. On the other hand, we absolutely don't want to refine based on the
1077             // base prediction. If it has non-cell garbage in it, then we want that to be
1078             // ignored. That's because ArrayPush can't handle any array modes that aren't
1079             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1080             // that would break things.
1081             Edge& storageEdge = m_graph.varArgChild(node, 0);
1082             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1083             unsigned elementOffset = 2;
1084             unsigned elementCount = node->numChildren() - elementOffset;
1085             for (unsigned i = 0; i < elementCount; ++i) {
1086                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1087                 node->setArrayMode(
1088                     node->arrayMode().refine(
1089                         m_graph, node,
1090                         arrayEdge->prediction() & SpecCell,
1091                         SpecInt32Only,
1092                         element->prediction()));
1093             }
1094             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1095             fixEdge<KnownCellUse>(arrayEdge);
1096
1097             // Convert `array.push()` to GetArrayLength.
1098             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1099                 node->setOpAndDefaultFlags(GetArrayLength);
1100                 node->child1() = arrayEdge;
1101                 node->child2() = storageEdge;
1102                 fixEdge<KnownCellUse>(node->child1());
1103                 break;
1104             }
1105
1106             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1107             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1108             for (unsigned i = 0; i < elementCount; ++i) {
1109                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1110                 switch (node->arrayMode().type()) {
1111                 case Array::Int32:
1112                     insertCheck<Int32Use>(element.node());
1113                     fixEdge<KnownInt32Use>(element);
1114                     break;
1115                 case Array::Double:
1116                     insertCheck<DoubleRepRealUse>(element.node());
1117                     fixEdge<DoubleRepUse>(element);
1118                     break;
1119                 case Array::Contiguous:
1120                 case Array::ArrayStorage:
1121                     speculateForBarrier(element);
1122                     break;
1123                 default:
1124                     break;
1125                 }
1126                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1127             }
1128             break;
1129         }
1130             
1131         case ArrayPop: {
1132             blessArrayOperation(node->child1(), Edge(), node->child2());
1133             fixEdge<KnownCellUse>(node->child1());
1134             break;
1135         }
1136
1137         case ArraySlice: {
1138             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1139             if (node->numChildren() >= 3) {
1140                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1141                 if (node->numChildren() == 4)
1142                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1143             }
1144             break;
1145         }
1146
1147         case ArrayIndexOf:
1148             fixupArrayIndexOf(node);
1149             break;
1150             
1151         case RegExpExec:
1152         case RegExpTest: {
1153             fixEdge<KnownCellUse>(node->child1());
1154             
1155             if (node->child2()->shouldSpeculateRegExpObject()) {
1156                 fixEdge<RegExpObjectUse>(node->child2());
1157
1158                 if (node->child3()->shouldSpeculateString())
1159                     fixEdge<StringUse>(node->child3());
1160             }
1161             break;
1162         }
1163
1164         case RegExpMatchFast: {
1165             fixEdge<KnownCellUse>(node->child1());
1166             fixEdge<RegExpObjectUse>(node->child2());
1167             fixEdge<StringUse>(node->child3());
1168             break;
1169         }
1170
1171         case StringReplace:
1172         case StringReplaceRegExp: {
1173             if (node->child2()->shouldSpeculateString()) {
1174                 m_insertionSet.insertNode(
1175                     m_indexInBlock, SpecNone, Check, node->origin,
1176                     Edge(node->child2().node(), StringUse));
1177                 fixEdge<StringUse>(node->child2());
1178             } else if (op == StringReplace) {
1179                 if (node->child2()->shouldSpeculateRegExpObject())
1180                     addStringReplacePrimordialChecks(node->child2().node());
1181                 else 
1182                     m_insertionSet.insertNode(
1183                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1184             }
1185
1186             if (node->child1()->shouldSpeculateString()
1187                 && node->child2()->shouldSpeculateRegExpObject()
1188                 && node->child3()->shouldSpeculateString()) {
1189
1190                 fixEdge<StringUse>(node->child1());
1191                 fixEdge<RegExpObjectUse>(node->child2());
1192                 fixEdge<StringUse>(node->child3());
1193                 break;
1194             }
1195             break;
1196         }
1197             
1198         case Branch: {
1199             if (node->child1()->shouldSpeculateBoolean()) {
1200                 if (node->child1()->result() == NodeResultBoolean) {
1201                     // This is necessary in case we have a bytecode instruction implemented by:
1202                     //
1203                     // a: CompareEq(...)
1204                     // b: Branch(@a)
1205                     //
1206                     // In that case, CompareEq might have a side-effect. Then, we need to make
1207                     // sure that we know that Branch does not exit.
1208                     fixEdge<KnownBooleanUse>(node->child1());
1209                 } else
1210                     fixEdge<BooleanUse>(node->child1());
1211             } else if (node->child1()->shouldSpeculateObjectOrOther())
1212                 fixEdge<ObjectOrOtherUse>(node->child1());
1213             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1214                 fixIntOrBooleanEdge(node->child1());
1215             else if (node->child1()->shouldSpeculateNumber())
1216                 fixEdge<DoubleRepUse>(node->child1());
1217             else if (node->child1()->shouldSpeculateString())
1218                 fixEdge<StringUse>(node->child1());
1219             else if (node->child1()->shouldSpeculateStringOrOther())
1220                 fixEdge<StringOrOtherUse>(node->child1());
1221             else {
1222                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1223                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1224                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1225             }
1226             break;
1227         }
1228             
1229         case Switch: {
1230             SwitchData* data = node->switchData();
1231             switch (data->kind) {
1232             case SwitchImm:
1233                 if (node->child1()->shouldSpeculateInt32())
1234                     fixEdge<Int32Use>(node->child1());
1235                 break;
1236             case SwitchChar:
1237                 if (node->child1()->shouldSpeculateString())
1238                     fixEdge<StringUse>(node->child1());
1239                 break;
1240             case SwitchString:
1241                 if (node->child1()->shouldSpeculateStringIdent())
1242                     fixEdge<StringIdentUse>(node->child1());
1243                 else if (node->child1()->shouldSpeculateString())
1244                     fixEdge<StringUse>(node->child1());
1245                 break;
1246             case SwitchCell:
1247                 if (node->child1()->shouldSpeculateCell())
1248                     fixEdge<CellUse>(node->child1());
1249                 // else it's fine for this to have UntypedUse; we will handle this by just making
1250                 // non-cells take the default case.
1251                 break;
1252             }
1253             break;
1254         }
1255             
1256         case ToPrimitive: {
1257             fixupToPrimitive(node);
1258             break;
1259         }
1260
1261         case ToNumber: {
1262             fixupToNumber(node);
1263             break;
1264         }
1265             
1266         case ToString:
1267         case CallStringConstructor: {
1268             fixupToStringOrCallStringConstructor(node);
1269             break;
1270         }
1271             
1272         case NewStringObject: {
1273             fixEdge<KnownStringUse>(node->child1());
1274             break;
1275         }
1276
1277         case NewArrayWithSpread: {
1278             watchHavingABadTime(node);
1279             
1280             BitVector* bitVector = node->bitVector();
1281             for (unsigned i = node->numChildren(); i--;) {
1282                 if (bitVector->get(i))
1283                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1284                 else
1285                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1286             }
1287
1288             break;
1289         }
1290
1291         case Spread: {
1292             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1293             
1294             watchHavingABadTime(node->child1().node());
1295
1296             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1297             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1298             // that it doesn't contain any indexed properties, and that any holes will result in
1299             // jsUndefined().
1300             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1301             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1302             if (node->child1()->shouldSpeculateArray()
1303                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1304                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1305                 && globalObject->arrayPrototypeChainIsSane()
1306                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1307                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1308                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1309                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1310                 fixEdge<ArrayUse>(node->child1());
1311             } else
1312                 fixEdge<CellUse>(node->child1());
1313             break;
1314         }
1315             
1316         case NewArray: {
1317             watchHavingABadTime(node);
1318             
1319             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1320                 node->setIndexingType(
1321                     leastUpperBoundOfIndexingTypeAndType(
1322                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1323             }
1324             switch (node->indexingType()) {
1325             case ALL_BLANK_INDEXING_TYPES:
1326                 CRASH();
1327                 break;
1328             case ALL_UNDECIDED_INDEXING_TYPES:
1329                 if (node->numChildren()) {
1330                     // This will only happen if the children have no type predictions. We
1331                     // would have already exited by now, but insert a forced exit just to
1332                     // be safe.
1333                     m_insertionSet.insertNode(
1334                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1335                 }
1336                 break;
1337             case ALL_INT32_INDEXING_TYPES:
1338                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1339                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1340                 break;
1341             case ALL_DOUBLE_INDEXING_TYPES:
1342                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1343                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1344                 break;
1345             case ALL_CONTIGUOUS_INDEXING_TYPES:
1346             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1347                 break;
1348             default:
1349                 CRASH();
1350                 break;
1351             }
1352             break;
1353         }
1354             
1355         case NewTypedArray: {
1356             watchHavingABadTime(node);
1357             
1358             if (node->child1()->shouldSpeculateInt32()) {
1359                 fixEdge<Int32Use>(node->child1());
1360                 node->clearFlags(NodeMustGenerate);
1361                 break;
1362             }
1363             break;
1364         }
1365             
1366         case NewArrayWithSize: {
1367             watchHavingABadTime(node);
1368             fixEdge<Int32Use>(node->child1());
1369             break;
1370         }
1371
1372         case NewArrayBuffer: {
1373             watchHavingABadTime(node);
1374             break;
1375         }
1376
1377         case ToObject: {
1378             fixupToObject(node);
1379             break;
1380         }
1381
1382         case CallObjectConstructor: {
1383             fixupCallObjectConstructor(node);
1384             break;
1385         }
1386
1387         case ToThis: {
1388             fixupToThis(node);
1389             break;
1390         }
1391             
1392         case PutStructure: {
1393             fixEdge<KnownCellUse>(node->child1());
1394             break;
1395         }
1396             
1397         case GetClosureVar:
1398         case GetFromArguments: {
1399             fixEdge<KnownCellUse>(node->child1());
1400             break;
1401         }
1402
1403         case PutClosureVar:
1404         case PutToArguments: {
1405             fixEdge<KnownCellUse>(node->child1());
1406             speculateForBarrier(node->child2());
1407             break;
1408         }
1409
1410         case SkipScope:
1411         case GetScope:
1412         case GetGetter:
1413         case GetSetter:
1414         case GetGlobalObject: {
1415             fixEdge<KnownCellUse>(node->child1());
1416             break;
1417         }
1418             
1419         case AllocatePropertyStorage:
1420         case ReallocatePropertyStorage: {
1421             fixEdge<KnownCellUse>(node->child1());
1422             break;
1423         }
1424             
1425         case NukeStructureAndSetButterfly: {
1426             fixEdge<KnownCellUse>(node->child1());
1427             break;
1428         }
1429
1430         case TryGetById: {
1431             if (node->child1()->shouldSpeculateCell())
1432                 fixEdge<CellUse>(node->child1());
1433             break;
1434         }
1435
1436         case GetByIdDirect:
1437         case GetByIdDirectFlush: {
1438             if (node->child1()->shouldSpeculateCell())
1439                 fixEdge<CellUse>(node->child1());
1440             break;
1441         }
1442
1443         case GetById:
1444         case GetByIdFlush: {
1445             // FIXME: This should be done in the ByteCodeParser based on reading the
1446             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1447             // https://bugs.webkit.org/show_bug.cgi?id=154990
1448             auto uid = m_graph.identifiers()[node->identifierNumber()];
1449             if (node->child1()->shouldSpeculateCellOrOther()
1450                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1451                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1452                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1453                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1454                 
1455                 if (uid == vm().propertyNames->length.impl()) {
1456                     attemptToMakeGetArrayLength(node);
1457                     break;
1458                 }
1459
1460                 if (uid == vm().propertyNames->lastIndex.impl()
1461                     && node->child1()->shouldSpeculateRegExpObject()) {
1462                     node->setOp(GetRegExpObjectLastIndex);
1463                     node->clearFlags(NodeMustGenerate);
1464                     fixEdge<RegExpObjectUse>(node->child1());
1465                     break;
1466                 }
1467             }
1468
1469             if (node->child1()->shouldSpeculateNumber()) {
1470                 if (uid == vm().propertyNames->toString.impl()) {
1471                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1472                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1473                         if (node->child1()->shouldSpeculateInt32()) {
1474                             insertCheck<Int32Use>(node->child1().node());
1475                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1476                             break;
1477                         }
1478
1479                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1480                             insertCheck<Int52RepUse>(node->child1().node());
1481                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1482                             break;
1483                         }
1484
1485                         ASSERT(node->child1()->shouldSpeculateNumber());
1486                         insertCheck<DoubleRepUse>(node->child1().node());
1487                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1488                         break;
1489                     }
1490                 }
1491             }
1492
1493             if (node->child1()->shouldSpeculateCell())
1494                 fixEdge<CellUse>(node->child1());
1495             break;
1496         }
1497         
1498         case GetByIdWithThis: {
1499             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1500                 fixEdge<CellUse>(node->child1());
1501                 fixEdge<CellUse>(node->child2());
1502             }
1503             break;
1504         }
1505
1506         case PutById:
1507         case PutByIdFlush:
1508         case PutByIdDirect: {
1509             if (node->child1()->shouldSpeculateCellOrOther()
1510                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1511                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1512                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1513                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1514                 
1515                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1516                 
1517                 if (uid == vm().propertyNames->lastIndex.impl()
1518                     && node->child1()->shouldSpeculateRegExpObject()) {
1519                     node->convertToSetRegExpObjectLastIndex();
1520                     fixEdge<RegExpObjectUse>(node->child1());
1521                     speculateForBarrier(node->child2());
1522                     break;
1523                 }
1524             }
1525             
1526             fixEdge<CellUse>(node->child1());
1527             break;
1528         }
1529
1530         case PutGetterById:
1531         case PutSetterById: {
1532             fixEdge<KnownCellUse>(node->child1());
1533             fixEdge<KnownCellUse>(node->child2());
1534             break;
1535         }
1536
1537         case PutGetterSetterById: {
1538             fixEdge<KnownCellUse>(node->child1());
1539             break;
1540         }
1541
1542         case PutGetterByVal:
1543         case PutSetterByVal: {
1544             fixEdge<KnownCellUse>(node->child1());
1545             fixEdge<KnownCellUse>(node->child3());
1546             break;
1547         }
1548
1549         case GetExecutable: {
1550             fixEdge<FunctionUse>(node->child1());
1551             break;
1552         }
1553
1554         case OverridesHasInstance:
1555         case CheckStructure:
1556         case CheckCell:
1557         case CreateThis:
1558         case GetButterfly: {
1559             fixEdge<CellUse>(node->child1());
1560             break;
1561         }
1562
1563         case ObjectCreate: {
1564             if (node->child1()->shouldSpeculateObject()) {
1565                 fixEdge<ObjectUse>(node->child1());
1566                 node->clearFlags(NodeMustGenerate);
1567                 break;
1568             }
1569             break;
1570         }
1571
1572         case CheckStringIdent: {
1573             fixEdge<StringIdentUse>(node->child1());
1574             break;
1575         }
1576             
1577         case Arrayify:
1578         case ArrayifyToStructure: {
1579             fixEdge<CellUse>(node->child1());
1580             if (node->child2())
1581                 fixEdge<Int32Use>(node->child2());
1582             break;
1583         }
1584             
1585         case GetByOffset:
1586         case GetGetterSetterByOffset: {
1587             if (!node->child1()->hasStorageResult())
1588                 fixEdge<KnownCellUse>(node->child1());
1589             fixEdge<KnownCellUse>(node->child2());
1590             break;
1591         }
1592             
1593         case MultiGetByOffset: {
1594             fixEdge<CellUse>(node->child1());
1595             break;
1596         }
1597             
1598         case PutByOffset: {
1599             if (!node->child1()->hasStorageResult())
1600                 fixEdge<KnownCellUse>(node->child1());
1601             fixEdge<KnownCellUse>(node->child2());
1602             unsigned index = indexForChecks();
1603             insertInferredTypeCheck(
1604                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1605                 node->storageAccessData().inferredType);
1606             speculateForBarrier(node->child3());
1607             break;
1608         }
1609             
1610         case MultiPutByOffset: {
1611             fixEdge<CellUse>(node->child1());
1612             break;
1613         }
1614             
1615         case MatchStructure: {
1616             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1617             // https://bugs.webkit.org/show_bug.cgi?id=185784
1618             fixEdge<CellUse>(node->child1());
1619             break;
1620         }
1621             
1622         case InstanceOf: {
1623             if (node->child1()->shouldSpeculateCell()
1624                 && node->child2()->shouldSpeculateCell()
1625                 && is64Bit()) {
1626                 fixEdge<CellUse>(node->child1());
1627                 fixEdge<CellUse>(node->child2());
1628                 break;
1629             }
1630             break;
1631         }
1632
1633         case InstanceOfCustom:
1634             fixEdge<CellUse>(node->child2());
1635             break;
1636
1637         case InById: {
1638             fixEdge<CellUse>(node->child1());
1639             break;
1640         }
1641
1642         case InByVal: {
1643             if (node->child2()->shouldSpeculateInt32()) {
1644                 convertToHasIndexedProperty(node);
1645                 break;
1646             }
1647
1648             fixEdge<CellUse>(node->child1());
1649             break;
1650         }
1651
1652         case HasOwnProperty: {
1653             fixEdge<ObjectUse>(node->child1());
1654 #if CPU(X86)
1655             // We don't have enough registers to do anything interesting on x86 and mips.
1656             fixEdge<UntypedUse>(node->child2());
1657 #else
1658             if (node->child2()->shouldSpeculateString())
1659                 fixEdge<StringUse>(node->child2());
1660             else if (node->child2()->shouldSpeculateSymbol())
1661                 fixEdge<SymbolUse>(node->child2());
1662             else
1663                 fixEdge<UntypedUse>(node->child2());
1664 #endif
1665             break;
1666         }
1667
1668         case CheckVarargs:
1669         case Check: {
1670             m_graph.doToChildren(
1671                 node,
1672                 [&] (Edge& edge) {
1673                     switch (edge.useKind()) {
1674                     case NumberUse:
1675                         if (edge->shouldSpeculateInt32ForArithmetic())
1676                             edge.setUseKind(Int32Use);
1677                         break;
1678                     default:
1679                         break;
1680                     }
1681                     observeUseKindOnEdge(edge);
1682                 });
1683             break;
1684         }
1685
1686         case Phantom:
1687             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1688             node->remove(m_graph);
1689             break;
1690
1691         case FiatInt52: {
1692             RELEASE_ASSERT(enableInt52());
1693             node->convertToIdentity();
1694             fixEdge<Int52RepUse>(node->child1());
1695             node->setResult(NodeResultInt52);
1696             break;
1697         }
1698
1699         case GetArrayLength: {
1700             fixEdge<KnownCellUse>(node->child1());
1701             break;
1702         }
1703
1704         case GetTypedArrayByteOffset: {
1705             fixEdge<KnownCellUse>(node->child1());
1706             break;
1707         }
1708
1709         case CompareBelow:
1710         case CompareBelowEq: {
1711             fixEdge<Int32Use>(node->child1());
1712             fixEdge<Int32Use>(node->child2());
1713             break;
1714         }
1715
1716         case GetPrototypeOf: {
1717             fixupGetPrototypeOf(node);
1718             break;
1719         }
1720
1721         case Phi:
1722         case Upsilon:
1723         case EntrySwitch:
1724         case GetIndexedPropertyStorage:
1725         case LastNodeType:
1726         case CheckTierUpInLoop:
1727         case CheckTierUpAtReturn:
1728         case CheckTierUpAndOSREnter:
1729         case CheckArray:
1730         case CheckInBounds:
1731         case ConstantStoragePointer:
1732         case DoubleAsInt32:
1733         case ValueToInt32:
1734         case DoubleRep:
1735         case ValueRep:
1736         case Int52Rep:
1737         case Int52Constant:
1738         case Identity: // This should have been cleaned up.
1739         case BooleanToNumber:
1740         case PhantomNewObject:
1741         case PhantomNewFunction:
1742         case PhantomNewGeneratorFunction:
1743         case PhantomNewAsyncGeneratorFunction:
1744         case PhantomNewAsyncFunction:
1745         case PhantomCreateActivation:
1746         case PhantomDirectArguments:
1747         case PhantomCreateRest:
1748         case PhantomSpread:
1749         case PhantomNewArrayWithSpread:
1750         case PhantomNewArrayBuffer:
1751         case PhantomClonedArguments:
1752         case PhantomNewRegexp:
1753         case GetMyArgumentByVal:
1754         case GetMyArgumentByValOutOfBounds:
1755         case GetVectorLength:
1756         case PutHint:
1757         case CheckStructureImmediate:
1758         case CheckStructureOrEmpty:
1759         case MaterializeNewObject:
1760         case MaterializeCreateActivation:
1761         case PutStack:
1762         case KillStack:
1763         case GetStack:
1764         case StoreBarrier:
1765         case FencedStoreBarrier:
1766         case GetRegExpObjectLastIndex:
1767         case SetRegExpObjectLastIndex:
1768         case RecordRegExpCachedResult:
1769         case RegExpExecNonGlobalOrSticky:
1770         case RegExpMatchFastGlobal:
1771             // These are just nodes that we don't currently expect to see during fixup.
1772             // If we ever wanted to insert them prior to fixup, then we just have to create
1773             // fixup rules for them.
1774             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1775             break;
1776
1777         case PutGlobalVariable: {
1778             fixEdge<CellUse>(node->child1());
1779             speculateForBarrier(node->child2());
1780             break;
1781         }
1782
1783         case IsObject:
1784             if (node->child1()->shouldSpeculateObject()) {
1785                 m_insertionSet.insertNode(
1786                     m_indexInBlock, SpecNone, Check, node->origin,
1787                     Edge(node->child1().node(), ObjectUse));
1788                 m_graph.convertToConstant(node, jsBoolean(true));
1789                 observeUseKindOnNode<ObjectUse>(node);
1790             }
1791             break;
1792
1793         case IsCellWithType: {
1794             fixupIsCellWithType(node);
1795             break;
1796         }
1797
1798         case GetEnumerableLength: {
1799             fixEdge<CellUse>(node->child1());
1800             break;
1801         }
1802         case HasGenericProperty: {
1803             fixEdge<CellUse>(node->child2());
1804             break;
1805         }
1806         case HasStructureProperty: {
1807             fixEdge<StringUse>(node->child2());
1808             fixEdge<KnownCellUse>(node->child3());
1809             break;
1810         }
1811         case HasIndexedProperty: {
1812             node->setArrayMode(
1813                 node->arrayMode().refine(
1814                     m_graph, node,
1815                     node->child1()->prediction(),
1816                     node->child2()->prediction(),
1817                     SpecNone));
1818             
1819             blessArrayOperation(node->child1(), node->child2(), node->child3());
1820             fixEdge<CellUse>(node->child1());
1821             fixEdge<KnownInt32Use>(node->child2());
1822             break;
1823         }
1824         case GetDirectPname: {
1825             Edge& base = m_graph.varArgChild(node, 0);
1826             Edge& property = m_graph.varArgChild(node, 1);
1827             Edge& index = m_graph.varArgChild(node, 2);
1828             Edge& enumerator = m_graph.varArgChild(node, 3);
1829             fixEdge<CellUse>(base);
1830             fixEdge<KnownCellUse>(property);
1831             fixEdge<KnownInt32Use>(index);
1832             fixEdge<KnownCellUse>(enumerator);
1833             break;
1834         }
1835         case GetPropertyEnumerator: {
1836             if (node->child1()->shouldSpeculateCell())
1837                 fixEdge<CellUse>(node->child1());
1838             break;
1839         }
1840         case GetEnumeratorStructurePname: {
1841             fixEdge<KnownCellUse>(node->child1());
1842             fixEdge<KnownInt32Use>(node->child2());
1843             break;
1844         }
1845         case GetEnumeratorGenericPname: {
1846             fixEdge<KnownCellUse>(node->child1());
1847             fixEdge<KnownInt32Use>(node->child2());
1848             break;
1849         }
1850         case ToIndexString: {
1851             fixEdge<KnownInt32Use>(node->child1());
1852             break;
1853         }
1854         case ProfileType: {
1855             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1856             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1857             // type T for the instructionTypeSet, the global type set must also have information for type T.
1858             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1859             // in the globalTypeSet would've also succeeded.
1860             // (The other direction does not hold in general).
1861
1862             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1863             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1864             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1865                 if (node->child1()->shouldSpeculateInt32()) {
1866                     fixEdge<Int32Use>(node->child1());
1867                     node->remove(m_graph);
1868                     break;
1869                 }
1870
1871                 if (enableInt52()) {
1872                     fixEdge<AnyIntUse>(node->child1());
1873                     node->remove(m_graph);
1874                     break;
1875                 }
1876
1877                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1878             }
1879
1880             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1881                 fixEdge<NumberUse>(node->child1());
1882                 node->remove(m_graph);
1883             } else if (typeSet->doesTypeConformTo(TypeString)) {
1884                 fixEdge<StringUse>(node->child1());
1885                 node->remove(m_graph);
1886             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1887                 fixEdge<BooleanUse>(node->child1());
1888                 node->remove(m_graph);
1889             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1890                 fixEdge<OtherUse>(node->child1());
1891                 node->remove(m_graph);
1892             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1893                 StructureSet set;
1894                 {
1895                     ConcurrentJSLocker locker(typeSet->m_lock);
1896                     set = typeSet->structureSet(locker);
1897                 }
1898                 if (!set.isEmpty()) {
1899                     fixEdge<CellUse>(node->child1());
1900                     node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
1901                 }
1902             }
1903
1904             break;
1905         }
1906
1907         case CreateClonedArguments: {
1908             watchHavingABadTime(node);
1909             break;
1910         }
1911
1912         case CreateScopedArguments:
1913         case CreateActivation:
1914         case NewFunction:
1915         case NewGeneratorFunction:
1916         case NewAsyncGeneratorFunction:
1917         case NewAsyncFunction: {
1918             // Child 1 is always the current scope, which is guaranteed to be an object
1919             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1920             fixEdge<KnownCellUse>(node->child1());
1921             break;
1922         }
1923
1924         case PushWithScope: {
1925             // Child 1 is always the current scope, which is guaranteed to be an object
1926             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1927             fixEdge<KnownCellUse>(node->child1());
1928             if (node->child2()->shouldSpeculateObject())
1929                 fixEdge<ObjectUse>(node->child2());
1930             break;
1931         }
1932
1933         case SetFunctionName: {
1934             // The first child is guaranteed to be a cell because op_set_function_name is only used
1935             // on a newly instantiated function object (the first child).
1936             fixEdge<KnownCellUse>(node->child1());
1937             fixEdge<UntypedUse>(node->child2());
1938             break;
1939         }
1940
1941         case CreateRest: {
1942             watchHavingABadTime(node);
1943             fixEdge<KnownInt32Use>(node->child1());
1944             break;
1945         }
1946
1947         case ResolveScopeForHoistingFuncDeclInEval: {
1948             fixEdge<KnownCellUse>(node->child1());
1949             break;
1950         }
1951         case ResolveScope:
1952         case GetDynamicVar:
1953         case PutDynamicVar: {
1954             fixEdge<KnownCellUse>(node->child1());
1955             break;
1956         }
1957
1958         case LogShadowChickenPrologue: {
1959             fixEdge<KnownCellUse>(node->child1());
1960             break;
1961         }
1962         case LogShadowChickenTail: {
1963             fixEdge<UntypedUse>(node->child1());
1964             fixEdge<KnownCellUse>(node->child2());
1965             break;
1966         }
1967
1968         case GetMapBucket:
1969             if (node->child1().useKind() == MapObjectUse)
1970                 fixEdge<MapObjectUse>(node->child1());
1971             else if (node->child1().useKind() == SetObjectUse)
1972                 fixEdge<SetObjectUse>(node->child1());
1973             else
1974                 RELEASE_ASSERT_NOT_REACHED();
1975
1976 #if USE(JSVALUE64)
1977             if (node->child2()->shouldSpeculateBoolean())
1978                 fixEdge<BooleanUse>(node->child2());
1979             else if (node->child2()->shouldSpeculateInt32())
1980                 fixEdge<Int32Use>(node->child2());
1981             else if (node->child2()->shouldSpeculateSymbol())
1982                 fixEdge<SymbolUse>(node->child2());
1983             else if (node->child2()->shouldSpeculateObject())
1984                 fixEdge<ObjectUse>(node->child2());
1985             else if (node->child2()->shouldSpeculateString())
1986                 fixEdge<StringUse>(node->child2());
1987             else if (node->child2()->shouldSpeculateCell())
1988                 fixEdge<CellUse>(node->child2());
1989             else
1990                 fixEdge<UntypedUse>(node->child2());
1991 #else
1992             fixEdge<UntypedUse>(node->child2());
1993 #endif // USE(JSVALUE64)
1994
1995             fixEdge<Int32Use>(node->child3());
1996             break;
1997
1998         case GetMapBucketHead:
1999             if (node->child1().useKind() == MapObjectUse)
2000                 fixEdge<MapObjectUse>(node->child1());
2001             else if (node->child1().useKind() == SetObjectUse)
2002                 fixEdge<SetObjectUse>(node->child1());
2003             else
2004                 RELEASE_ASSERT_NOT_REACHED();
2005             break;
2006
2007         case GetMapBucketNext:
2008         case LoadKeyFromMapBucket:
2009         case LoadValueFromMapBucket:
2010             fixEdge<CellUse>(node->child1());
2011             break;
2012
2013         case MapHash: {
2014 #if USE(JSVALUE64)
2015             if (node->child1()->shouldSpeculateBoolean()) {
2016                 fixEdge<BooleanUse>(node->child1());
2017                 break;
2018             }
2019
2020             if (node->child1()->shouldSpeculateInt32()) {
2021                 fixEdge<Int32Use>(node->child1());
2022                 break;
2023             }
2024
2025             if (node->child1()->shouldSpeculateSymbol()) {
2026                 fixEdge<SymbolUse>(node->child1());
2027                 break;
2028             }
2029
2030             if (node->child1()->shouldSpeculateObject()) {
2031                 fixEdge<ObjectUse>(node->child1());
2032                 break;
2033             }
2034
2035             if (node->child1()->shouldSpeculateString()) {
2036                 fixEdge<StringUse>(node->child1());
2037                 break;
2038             }
2039
2040             if (node->child1()->shouldSpeculateCell()) {
2041                 fixEdge<CellUse>(node->child1());
2042                 break;
2043             }
2044
2045             fixEdge<UntypedUse>(node->child1());
2046 #else
2047             fixEdge<UntypedUse>(node->child1());
2048 #endif // USE(JSVALUE64)
2049             break;
2050         }
2051
2052         case NormalizeMapKey: {
2053             fixupNormalizeMapKey(node);
2054             break;
2055         }
2056
2057         case WeakMapGet: {
2058             if (node->child1().useKind() == WeakMapObjectUse)
2059                 fixEdge<WeakMapObjectUse>(node->child1());
2060             else if (node->child1().useKind() == WeakSetObjectUse)
2061                 fixEdge<WeakSetObjectUse>(node->child1());
2062             else
2063                 RELEASE_ASSERT_NOT_REACHED();
2064             fixEdge<ObjectUse>(node->child2());
2065             fixEdge<Int32Use>(node->child3());
2066             break;
2067         }
2068
2069         case SetAdd: {
2070             fixEdge<SetObjectUse>(node->child1());
2071             fixEdge<Int32Use>(node->child3());
2072             break;
2073         }
2074
2075         case MapSet: {
2076             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
2077             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2078             break;
2079         }
2080
2081         case WeakSetAdd: {
2082             fixEdge<WeakSetObjectUse>(node->child1());
2083             fixEdge<ObjectUse>(node->child2());
2084             fixEdge<Int32Use>(node->child3());
2085             break;
2086         }
2087
2088         case WeakMapSet: {
2089             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2090             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2091             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2092             break;
2093         }
2094
2095         case DefineDataProperty: {
2096             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2097             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2098             if (propertyEdge->shouldSpeculateSymbol())
2099                 fixEdge<SymbolUse>(propertyEdge);
2100             else if (propertyEdge->shouldSpeculateStringIdent())
2101                 fixEdge<StringIdentUse>(propertyEdge);
2102             else if (propertyEdge->shouldSpeculateString())
2103                 fixEdge<StringUse>(propertyEdge);
2104             else
2105                 fixEdge<UntypedUse>(propertyEdge);
2106             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2107             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2108             break;
2109         }
2110
2111         case StringValueOf: {
2112             fixupStringValueOf(node);
2113             break;
2114         }
2115
2116         case StringSlice: {
2117             fixEdge<StringUse>(node->child1());
2118             fixEdge<Int32Use>(node->child2());
2119             if (node->child3())
2120                 fixEdge<Int32Use>(node->child3());
2121             break;
2122         }
2123
2124         case ToLowerCase: {
2125             // We currently only support StringUse since that will ensure that
2126             // ToLowerCase is a pure operation. If we decide to update this with
2127             // more types in the future, we need to ensure that the clobberize rules
2128             // are correct.
2129             fixEdge<StringUse>(node->child1());
2130             break;
2131         }
2132
2133         case NumberToStringWithRadix: {
2134             if (node->child1()->shouldSpeculateInt32())
2135                 fixEdge<Int32Use>(node->child1());
2136             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2137                 fixEdge<Int52RepUse>(node->child1());
2138             else
2139                 fixEdge<DoubleRepUse>(node->child1());
2140             fixEdge<Int32Use>(node->child2());
2141             break;
2142         }
2143
2144         case DefineAccessorProperty: {
2145             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2146             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2147             if (propertyEdge->shouldSpeculateSymbol())
2148                 fixEdge<SymbolUse>(propertyEdge);
2149             else if (propertyEdge->shouldSpeculateStringIdent())
2150                 fixEdge<StringIdentUse>(propertyEdge);
2151             else if (propertyEdge->shouldSpeculateString())
2152                 fixEdge<StringUse>(propertyEdge);
2153             else
2154                 fixEdge<UntypedUse>(propertyEdge);
2155             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2156             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2157             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2158             break;
2159         }
2160
2161         case CheckSubClass: {
2162             fixupCheckSubClass(node);
2163             break;
2164         }
2165
2166         case CallDOMGetter: {
2167             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2168             fixEdge<CellUse>(node->child1()); // DOM.
2169             if (snippet && snippet->requireGlobalObject)
2170                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2171             break;
2172         }
2173
2174         case CallDOM: {
2175             fixupCallDOM(node);
2176             break;
2177         }
2178
2179         case Call: {
2180             attemptToMakeCallDOM(node);
2181             break;
2182         }
2183
2184         case ParseInt: {
2185             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2186                 fixEdge<Int32Use>(node->child1());
2187                 node->convertToIdentity();
2188                 break;
2189             }
2190
2191             if (node->child1()->shouldSpeculateString()) {
2192                 fixEdge<StringUse>(node->child1());
2193                 node->clearFlags(NodeMustGenerate);
2194             }
2195
2196             if (node->child2())
2197                 fixEdge<Int32Use>(node->child2());
2198
2199             break;
2200         }
2201
2202         case IdentityWithProfile: {
2203             node->clearFlags(NodeMustGenerate);
2204             break;
2205         }
2206
2207         case ThrowStaticError:
2208             fixEdge<StringUse>(node->child1());
2209             break;
2210
2211         case NumberIsInteger:
2212             if (node->child1()->shouldSpeculateInt32()) {
2213                 m_insertionSet.insertNode(
2214                     m_indexInBlock, SpecNone, Check, node->origin,
2215                     Edge(node->child1().node(), Int32Use));
2216                 m_graph.convertToConstant(node, jsBoolean(true));
2217                 break;
2218             }
2219             break;
2220
2221         case SetCallee:
2222             fixEdge<CellUse>(node->child1());
2223             break;
2224
2225         case DataViewGetInt:
2226         case DataViewGetFloat: {
2227             fixEdge<DataViewObjectUse>(node->child1());
2228             fixEdge<Int32Use>(node->child2());
2229             if (node->child3())
2230                 fixEdge<BooleanUse>(node->child3());
2231
2232             if (node->op() == DataViewGetInt) {
2233                 DataViewData data = node->dataViewData();
2234                 switch (data.byteSize) {
2235                 case 1:
2236                 case 2:
2237                     node->setResult(NodeResultInt32);
2238                     break;
2239                 case 4:
2240                     if (data.isSigned)
2241                         node->setResult(NodeResultInt32);
2242                     else
2243                         node->setResult(NodeResultInt52);
2244                     break;
2245                 default:
2246                     RELEASE_ASSERT_NOT_REACHED();
2247                 }
2248             }
2249             break;
2250         }
2251
2252         case DataViewSet: {
2253             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2254             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2255             if (m_graph.varArgChild(node, 3))
2256                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2257             
2258             DataViewData data = node->dataViewData();
2259             Edge& valueToStore = m_graph.varArgChild(node, 2);
2260             if (data.isFloatingPoint)
2261                 fixEdge<DoubleRepUse>(valueToStore);
2262             else {
2263                 switch (data.byteSize) {
2264                 case 1:
2265                 case 2:
2266                     fixEdge<Int32Use>(valueToStore);
2267                     break;
2268                 case 4:
2269                     if (data.isSigned)
2270                         fixEdge<Int32Use>(valueToStore);
2271                     else
2272                         fixEdge<Int52RepUse>(valueToStore);
2273                     break;
2274                 }
2275             }
2276             break;
2277         }
2278
2279 #if !ASSERT_DISABLED
2280         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2281         case SetArgument:
2282         case JSConstant:
2283         case LazyJSConstant:
2284         case DoubleConstant:
2285         case GetLocal:
2286         case GetCallee:
2287         case GetArgumentCountIncludingThis:
2288         case SetArgumentCountIncludingThis:
2289         case GetRestLength:
2290         case GetArgument:
2291         case Flush:
2292         case PhantomLocal:
2293         case GetGlobalVar:
2294         case GetGlobalLexicalVariable:
2295         case NotifyWrite:
2296         case DirectCall:
2297         case CheckTypeInfoFlags:
2298         case TailCallInlinedCaller:
2299         case DirectTailCallInlinedCaller:
2300         case Construct:
2301         case DirectConstruct:
2302         case CallVarargs:
2303         case CallEval:
2304         case TailCallVarargsInlinedCaller:
2305         case ConstructVarargs:
2306         case CallForwardVarargs:
2307         case ConstructForwardVarargs:
2308         case TailCallForwardVarargs:
2309         case TailCallForwardVarargsInlinedCaller:
2310         case LoadVarargs:
2311         case ForwardVarargs:
2312         case ProfileControlFlow:
2313         case NewObject:
2314         case NewRegexp:
2315         case DeleteById:
2316         case DeleteByVal:
2317         case IsTypedArrayView:
2318         case IsEmpty:
2319         case IsUndefined:
2320         case IsBoolean:
2321         case IsNumber:
2322         case IsObjectOrNull:
2323         case IsFunction:
2324         case CreateDirectArguments:
2325         case Jump:
2326         case Return:
2327         case TailCall:
2328         case DirectTailCall:
2329         case TailCallVarargs:
2330         case Throw:
2331         case CountExecution:
2332         case SuperSamplerBegin:
2333         case SuperSamplerEnd:
2334         case ForceOSRExit:
2335         case CheckBadCell:
2336         case CheckNotEmpty:
2337         case AssertNotEmpty:
2338         case CheckTraps:
2339         case Unreachable:
2340         case ExtractOSREntryLocal:
2341         case ExtractCatchLocal:
2342         case ClearCatchLocals:
2343         case LoopHint:
2344         case MovHint:
2345         case InitializeEntrypointArguments:
2346         case ZombieHint:
2347         case ExitOK:
2348         case BottomValue:
2349         case TypeOf:
2350         case PutByIdWithThis:
2351         case PutByValWithThis:
2352         case GetByValWithThis:
2353         case CompareEqPtr:
2354         case NumberToStringWithValidRadixConstant:
2355         case GetGlobalThis:
2356         case ExtractValueFromWeakMapGet:
2357         case CPUIntrinsic:
2358         case FilterCallLinkStatus:
2359         case FilterGetByIdStatus:
2360         case FilterPutByIdStatus:
2361         case FilterInByIdStatus:
2362         case InvalidationPoint:
2363             break;
2364 #else
2365         default:
2366             break;
2367 #endif
2368         }
2369     }
2370
2371     void watchHavingABadTime(Node* node)
2372     {
2373         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2374
2375         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2376         // does an array allocation. The types of array allocations may change if we start to have a bad
2377         // time. It's easier to reason about this if we know that whenever the types change after we start
2378         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2379         // prior to this point nobody should have been doing optimizations based on the indexing type of
2380         // the allocation.
2381         if (!globalObject->isHavingABadTime()) {
2382             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2383             m_graph.freeze(globalObject);
2384         }
2385     }
2386     
2387     template<UseKind useKind>
2388     void createToString(Node* node, Edge& edge)
2389     {
2390         Node* toString = m_insertionSet.insertNode(
2391             m_indexInBlock, SpecString, ToString, node->origin,
2392             Edge(edge.node(), useKind));
2393         switch (useKind) {
2394         case Int32Use:
2395         case Int52RepUse:
2396         case DoubleRepUse:
2397         case NotCellUse:
2398             toString->clearFlags(NodeMustGenerate);
2399             break;
2400         default:
2401             break;
2402         }
2403         edge.setNode(toString);
2404     }
2405     
2406     template<UseKind useKind>
2407     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2408     {
2409         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2410         
2411         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2412             return;
2413         
2414         createToString<useKind>(node, node->child1());
2415         arrayMode = ArrayMode(Array::String, Array::Read);
2416     }
2417     
2418     template<UseKind useKind>
2419     bool isStringObjectUse()
2420     {
2421         switch (useKind) {
2422         case StringObjectUse:
2423         case StringOrStringObjectUse:
2424             return true;
2425         default:
2426             return false;
2427         }
2428     }
2429     
2430     template<UseKind useKind>
2431     void convertStringAddUse(Node* node, Edge& edge)
2432     {
2433         if (useKind == StringUse) {
2434             observeUseKindOnNode<StringUse>(edge.node());
2435             m_insertionSet.insertNode(
2436                 m_indexInBlock, SpecNone, Check, node->origin,
2437                 Edge(edge.node(), StringUse));
2438             edge.setUseKind(KnownStringUse);
2439             return;
2440         }
2441         
2442         observeUseKindOnNode<useKind>(edge.node());
2443         createToString<useKind>(node, edge);
2444     }
2445     
2446     void convertToMakeRope(Node* node)
2447     {
2448         node->setOpAndDefaultFlags(MakeRope);
2449         fixupMakeRope(node);
2450     }
2451     
2452     void fixupMakeRope(Node* node)
2453     {
2454         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2455             Edge& edge = node->children.child(i);
2456             if (!edge)
2457                 break;
2458             edge.setUseKind(KnownStringUse);
2459             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2460             if (!string)
2461                 continue;
2462             if (string->length())
2463                 continue;
2464             
2465             // Don't allow the MakeRope to have zero children.
2466             if (!i && !node->child2())
2467                 break;
2468             
2469             node->children.removeEdge(i--);
2470         }
2471         
2472         if (!node->child2()) {
2473             ASSERT(!node->child3());
2474             node->convertToIdentity();
2475         }
2476     }
2477
2478     void fixupIsCellWithType(Node* node)
2479     {
2480         switch (node->speculatedTypeForQuery()) {
2481         case SpecString:
2482             if (node->child1()->shouldSpeculateString()) {
2483                 m_insertionSet.insertNode(
2484                     m_indexInBlock, SpecNone, Check, node->origin,
2485                     Edge(node->child1().node(), StringUse));
2486                 m_graph.convertToConstant(node, jsBoolean(true));
2487                 observeUseKindOnNode<StringUse>(node);
2488                 return;
2489             }
2490             break;
2491
2492         case SpecProxyObject:
2493             if (node->child1()->shouldSpeculateProxyObject()) {
2494                 m_insertionSet.insertNode(
2495                     m_indexInBlock, SpecNone, Check, node->origin,
2496                     Edge(node->child1().node(), ProxyObjectUse));
2497                 m_graph.convertToConstant(node, jsBoolean(true));
2498                 observeUseKindOnNode<ProxyObjectUse>(node);
2499                 return;
2500             }
2501             break;
2502
2503         case SpecRegExpObject:
2504             if (node->child1()->shouldSpeculateRegExpObject()) {
2505                 m_insertionSet.insertNode(
2506                     m_indexInBlock, SpecNone, Check, node->origin,
2507                     Edge(node->child1().node(), RegExpObjectUse));
2508                 m_graph.convertToConstant(node, jsBoolean(true));
2509                 observeUseKindOnNode<RegExpObjectUse>(node);
2510                 return;
2511             }
2512             break;
2513
2514         case SpecArray:
2515             if (node->child1()->shouldSpeculateArray()) {
2516                 m_insertionSet.insertNode(
2517                     m_indexInBlock, SpecNone, Check, node->origin,
2518                     Edge(node->child1().node(), ArrayUse));
2519                 m_graph.convertToConstant(node, jsBoolean(true));
2520                 observeUseKindOnNode<ArrayUse>(node);
2521                 return;
2522             }
2523             break;
2524
2525         case SpecDerivedArray:
2526             if (node->child1()->shouldSpeculateDerivedArray()) {
2527                 m_insertionSet.insertNode(
2528                     m_indexInBlock, SpecNone, Check, node->origin,
2529                     Edge(node->child1().node(), DerivedArrayUse));
2530                 m_graph.convertToConstant(node, jsBoolean(true));
2531                 observeUseKindOnNode<DerivedArrayUse>(node);
2532                 return;
2533             }
2534             break;
2535         }
2536
2537         if (node->child1()->shouldSpeculateCell()) {
2538             fixEdge<CellUse>(node->child1());
2539             return;
2540         }
2541
2542         if (node->child1()->shouldSpeculateNotCell()) {
2543             m_insertionSet.insertNode(
2544                 m_indexInBlock, SpecNone, Check, node->origin,
2545                 Edge(node->child1().node(), NotCellUse));
2546             m_graph.convertToConstant(node, jsBoolean(false));
2547             observeUseKindOnNode<NotCellUse>(node);
2548             return;
2549         }
2550     }
2551
2552     void fixupGetPrototypeOf(Node* node)
2553     {
2554         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2555         if (node->child1().useKind() != ObjectUse) {
2556             if (node->child1()->shouldSpeculateString()) {
2557                 insertCheck<StringUse>(node->child1().node());
2558                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2559                 return;
2560             }
2561             if (node->child1()->shouldSpeculateInt32()) {
2562                 insertCheck<Int32Use>(node->child1().node());
2563                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2564                 return;
2565             }
2566             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2567                 insertCheck<Int52RepUse>(node->child1().node());
2568                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2569                 return;
2570             }
2571             if (node->child1()->shouldSpeculateNumber()) {
2572                 insertCheck<NumberUse>(node->child1().node());
2573                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2574                 return;
2575             }
2576             if (node->child1()->shouldSpeculateSymbol()) {
2577                 insertCheck<SymbolUse>(node->child1().node());
2578                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2579                 return;
2580             }
2581             if (node->child1()->shouldSpeculateBoolean()) {
2582                 insertCheck<BooleanUse>(node->child1().node());
2583                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2584                 return;
2585             }
2586         }
2587
2588         if (node->child1()->shouldSpeculateFinalObject()) {
2589             fixEdge<FinalObjectUse>(node->child1());
2590             node->clearFlags(NodeMustGenerate);
2591             return;
2592         }
2593         if (node->child1()->shouldSpeculateArray()) {
2594             fixEdge<ArrayUse>(node->child1());
2595             node->clearFlags(NodeMustGenerate);
2596             return;
2597         }
2598         if (node->child1()->shouldSpeculateFunction()) {
2599             fixEdge<FunctionUse>(node->child1());
2600             node->clearFlags(NodeMustGenerate);
2601             return;
2602         }
2603     }
2604
2605     void fixupToThis(Node* node)
2606     {
2607         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2608
2609         if (ecmaMode == StrictMode) {
2610             if (node->child1()->shouldSpeculateBoolean()) {
2611                 fixEdge<BooleanUse>(node->child1());
2612                 node->convertToIdentity();
2613                 return;
2614             }
2615
2616             if (node->child1()->shouldSpeculateInt32()) {
2617                 fixEdge<Int32Use>(node->child1());
2618                 node->convertToIdentity();
2619                 return;
2620             }
2621
2622             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2623                 fixEdge<Int52RepUse>(node->child1());
2624                 node->convertToIdentity();
2625                 node->setResult(NodeResultInt52);
2626                 return;
2627             }
2628
2629             if (node->child1()->shouldSpeculateNumber()) {
2630                 fixEdge<DoubleRepUse>(node->child1());
2631                 node->convertToIdentity();
2632                 node->setResult(NodeResultDouble);
2633                 return;
2634             }
2635
2636             if (node->child1()->shouldSpeculateSymbol()) {
2637                 fixEdge<SymbolUse>(node->child1());
2638                 node->convertToIdentity();
2639                 return;
2640             }
2641
2642             if (node->child1()->shouldSpeculateStringIdent()) {
2643                 fixEdge<StringIdentUse>(node->child1());
2644                 node->convertToIdentity();
2645                 return;
2646             }
2647
2648             if (node->child1()->shouldSpeculateString()) {
2649                 fixEdge<StringUse>(node->child1());
2650                 node->convertToIdentity();
2651                 return;
2652             }
2653             
2654             if (node->child1()->shouldSpeculateBigInt()) {
2655                 fixEdge<BigIntUse>(node->child1());
2656                 node->convertToIdentity();
2657                 return;
2658             }
2659         }
2660
2661         if (node->child1()->shouldSpeculateOther()) {
2662             if (ecmaMode == StrictMode) {
2663                 fixEdge<OtherUse>(node->child1());
2664                 node->convertToIdentity();
2665                 return;
2666             }
2667
2668             m_insertionSet.insertNode(
2669                 m_indexInBlock, SpecNone, Check, node->origin,
2670                 Edge(node->child1().node(), OtherUse));
2671             observeUseKindOnNode<OtherUse>(node->child1().node());
2672             m_graph.convertToConstant(
2673                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2674             return;
2675         }
2676
2677         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2678         // however, since we cover all the missing cases in constant folding.
2679         // https://bugs.webkit.org/show_bug.cgi?id=157213
2680         if (node->child1()->shouldSpeculateStringObject()) {
2681             fixEdge<StringObjectUse>(node->child1());
2682             node->convertToIdentity();
2683             return;
2684         }
2685
2686         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2687             fixEdge<FinalObjectUse>(node->child1());
2688             node->convertToIdentity();
2689             return;
2690         }
2691     }
2692     
2693     void fixupToPrimitive(Node* node)
2694     {
2695         if (node->child1()->shouldSpeculateInt32()) {
2696             fixEdge<Int32Use>(node->child1());
2697             node->convertToIdentity();
2698             return;
2699         }
2700         
2701         if (node->child1()->shouldSpeculateString()) {
2702             fixEdge<StringUse>(node->child1());
2703             node->convertToIdentity();
2704             return;
2705         }
2706         
2707         if (node->child1()->shouldSpeculateStringObject()
2708             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2709             fixEdge<StringObjectUse>(node->child1());
2710             node->convertToToString();
2711             return;
2712         }
2713         
2714         if (node->child1()->shouldSpeculateStringOrStringObject()
2715             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2716             fixEdge<StringOrStringObjectUse>(node->child1());
2717             node->convertToToString();
2718             return;
2719         }
2720     }
2721
2722     void fixupToNumber(Node* node)
2723     {
2724         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2725         if (node->child1()->shouldSpeculateNumber()) {
2726             if (isInt32Speculation(node->getHeapPrediction())) {
2727                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2728                 if (node->child1()->shouldSpeculateInt32()) {
2729                     fixEdge<Int32Use>(node->child1());
2730                     node->convertToIdentity();
2731                     return;
2732                 }
2733
2734                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2735                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2736                 fixEdge<DoubleRepUse>(node->child1());
2737                 node->setOp(DoubleAsInt32);
2738                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2739                     node->setArithMode(Arith::CheckOverflow);
2740                 else
2741                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2742                 return;
2743             }
2744
2745             fixEdge<DoubleRepUse>(node->child1());
2746             node->convertToIdentity();
2747             node->setResult(NodeResultDouble);
2748             return;
2749         }
2750
2751         fixEdge<UntypedUse>(node->child1());
2752         node->setResult(NodeResultJS);
2753     }
2754
2755     void fixupToObject(Node* node)
2756     {
2757         if (node->child1()->shouldSpeculateObject()) {
2758             fixEdge<ObjectUse>(node->child1());
2759             node->convertToIdentity();
2760             return;
2761         }
2762
2763         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2764
2765         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2766
2767         if (node->child1()->shouldSpeculateString()) {
2768             insertCheck<StringUse>(node->child1().node());
2769             fixEdge<KnownStringUse>(node->child1());
2770             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2771             return;
2772         }
2773
2774         if (node->child1()->shouldSpeculateSymbol()) {
2775             insertCheck<SymbolUse>(node->child1().node());
2776             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2777             return;
2778         }
2779
2780         if (node->child1()->shouldSpeculateNumber()) {
2781             insertCheck<NumberUse>(node->child1().node());
2782             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2783             return;
2784         }
2785
2786         if (node->child1()->shouldSpeculateBoolean()) {
2787             insertCheck<BooleanUse>(node->child1().node());
2788             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2789             return;
2790         }
2791
2792         fixEdge<UntypedUse>(node->child1());
2793     }
2794
2795     void fixupCallObjectConstructor(Node* node)
2796     {
2797         if (node->child1()->shouldSpeculateObject()) {
2798             fixEdge<ObjectUse>(node->child1());
2799             node->convertToIdentity();
2800             return;
2801         }
2802
2803         if (node->child1()->shouldSpeculateString()) {
2804             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2805             insertCheck<StringUse>(node->child1().node());
2806             fixEdge<KnownStringUse>(node->child1());
2807             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2808             return;
2809         }
2810
2811         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2812         if (node->child1()->shouldSpeculateOther()) {
2813             insertCheck<OtherUse>(node->child1().node());
2814             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2815             return;
2816         }
2817
2818         fixEdge<UntypedUse>(node->child1());
2819     }
2820     
2821     void fixupToStringOrCallStringConstructor(Node* node)
2822     {
2823         if (node->child1()->shouldSpeculateString()) {
2824             fixEdge<StringUse>(node->child1());
2825             node->convertToIdentity();
2826             return;
2827         }
2828         
2829         if (node->child1()->shouldSpeculateStringObject()
2830             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2831             fixEdge<StringObjectUse>(node->child1());
2832             return;
2833         }
2834         
2835         if (node->child1()->shouldSpeculateStringOrStringObject()
2836             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2837             fixEdge<StringOrStringObjectUse>(node->child1());
2838             return;
2839         }
2840         
2841         if (node->child1()->shouldSpeculateCell()) {
2842             fixEdge<CellUse>(node->child1());
2843             return;
2844         }
2845
2846         if (node->child1()->shouldSpeculateInt32()) {
2847             fixEdge<Int32Use>(node->child1());
2848             node->clearFlags(NodeMustGenerate);
2849             return;
2850         }
2851
2852         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2853             fixEdge<Int52RepUse>(node->child1());
2854             node->clearFlags(NodeMustGenerate);
2855             return;
2856         }
2857
2858         if (node->child1()->shouldSpeculateNumber()) {
2859             fixEdge<DoubleRepUse>(node->child1());
2860             node->clearFlags(NodeMustGenerate);
2861             return;
2862         }
2863
2864         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2865         // we need to care about it in the clobberize. In the following case,
2866         // since NotCellUse edge filter is used and this edge filters Symbols,
2867         // we can say that ToString never throws an error!
2868         if (node->child1()->shouldSpeculateNotCell()) {
2869             fixEdge<NotCellUse>(node->child1());
2870             node->clearFlags(NodeMustGenerate);
2871             return;
2872         }
2873     }
2874
2875     void fixupStringValueOf(Node* node)
2876     {
2877         if (node->child1()->shouldSpeculateString()) {
2878             fixEdge<StringUse>(node->child1());
2879             node->convertToIdentity();
2880             return;
2881         }
2882
2883         if (node->child1()->shouldSpeculateStringObject()) {
2884             fixEdge<StringObjectUse>(node->child1());
2885             node->convertToToString();
2886             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2887             node->clearFlags(NodeMustGenerate);
2888             return;
2889         }
2890
2891         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2892             fixEdge<StringOrStringObjectUse>(node->child1());
2893             node->convertToToString();
2894             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2895             node->clearFlags(NodeMustGenerate);
2896             return;
2897         }
2898     }
2899
2900     bool attemptToMakeFastStringAdd(Node* node)
2901     {
2902         bool goodToGo = true;
2903         m_graph.doToChildren(
2904             node,
2905             [&] (Edge& edge) {
2906                 if (edge->shouldSpeculateString())
2907                     return;
2908                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2909                     if (edge->shouldSpeculateStringObject())
2910                         return;
2911                     if (edge->shouldSpeculateStringOrStringObject())
2912                         return;
2913                 }
2914                 goodToGo = false;
2915             });
2916         if (!goodToGo)
2917             return false;
2918
2919         m_graph.doToChildren(
2920             node,
2921             [&] (Edge& edge) {
2922                 if (edge->shouldSpeculateString()) {
2923                     convertStringAddUse<StringUse>(node, edge);
2924                     return;
2925                 }
2926                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2927                 if (edge->shouldSpeculateStringObject()) {
2928                     convertStringAddUse<StringObjectUse>(node, edge);
2929                     return;
2930                 }
2931                 if (edge->shouldSpeculateStringOrStringObject()) {
2932                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2933                     return;
2934                 }
2935                 RELEASE_ASSERT_NOT_REACHED();
2936             });
2937         
2938         convertToMakeRope(node);
2939         return true;
2940     }
2941
2942     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2943     {
2944         if (!block)
2945             return;
2946         ASSERT(block->isReachable);
2947         m_block = block;
2948         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2949             Node* node = m_currentNode = block->at(m_indexInBlock);
2950             if (node->op() != SetLocal && node->op() != GetLocal)
2951                 continue;
2952             
2953             VariableAccessData* variable = node->variableAccessData();
2954             switch (node->op()) {
2955             case GetLocal:
2956                 switch (variable->flushFormat()) {
2957                 case FlushedDouble:
2958                     node->setResult(NodeResultDouble);
2959                     break;
2960                 case FlushedInt52:
2961                     node->setResult(NodeResultInt52);
2962                     break;
2963                 default:
2964                     break;
2965                 }
2966                 break;
2967                 
2968             case SetLocal:
2969                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2970                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2971                 
2972                 switch (variable->flushFormat()) {
2973                 case FlushedJSValue:
2974                     break;
2975                 case FlushedDouble:
2976                     fixEdge<DoubleRepUse>(node->child1());
2977                     break;
2978                 case FlushedInt32:
2979                     fixEdge<Int32Use>(node->child1());
2980                     break;
2981                 case FlushedInt52:
2982                     fixEdge<Int52RepUse>(node->child1());
2983                     break;
2984                 case FlushedCell:
2985                     fixEdge<CellUse>(node->child1());
2986                     break;
2987                 case FlushedBoolean:
2988                     fixEdge<BooleanUse>(node->child1());
2989                     break;
2990                 default:
2991                     RELEASE_ASSERT_NOT_REACHED();
2992                     break;
2993                 }
2994                 break;
2995                 
2996             default:
2997                 RELEASE_ASSERT_NOT_REACHED();
2998                 break;
2999             }
3000         }
3001         m_insertionSet.execute(block);
3002     }
3003     
3004     void addStringReplacePrimordialChecks(Node* searchRegExp)
3005     {
3006         Node* node = m_currentNode;
3007
3008         // Check that structure of searchRegExp is RegExp object
3009         m_insertionSet.insertNode(
3010             m_indexInBlock, SpecNone, Check, node->origin,
3011             Edge(searchRegExp, RegExpObjectUse));
3012
3013         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
3014             unsigned index = m_graph.identifiers().ensure(propertyUID);
3015
3016             Node* actualProperty = m_insertionSet.insertNode(
3017                 m_indexInBlock, SpecNone, TryGetById, node->origin,
3018                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
3019
3020             m_insertionSet.insertNode(
3021                 m_indexInBlock, SpecNone, CheckCell, node->origin,
3022                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
3023         };
3024
3025         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
3026
3027         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
3028         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
3029         // Check that searchRegExp.global is the primordial RegExp.prototype.global
3030         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
3031         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
3032         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
3033         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
3034         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
3035     }
3036
3037     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
3038     {
3039         ASSERT(arrayMode.isSpecific());
3040         
3041         if (arrayMode.type() == Array::String) {
3042             m_insertionSet.insertNode(
3043                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
3044         } else {
3045             // Note that we only need to be using a structure check if we opt for SaneChain, since
3046             // that needs to protect against JSArray's __proto__ being changed.
3047             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
3048         
3049             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
3050             
3051             if (arrayMode.doesConversion()) {
3052                 if (structure) {
3053                     m_insertionSet.insertNode(
3054                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
3055                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3056                 } else {
3057                     m_insertionSet.insertNode(
3058                         m_indexInBlock, SpecNone, Arrayify, origin,
3059                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3060                 }
3061             } else {
3062                 if (structure) {
3063                     m_insertionSet.insertNode(
3064                         m_indexInBlock, SpecNone, CheckStructure, origin,
3065                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
3066                 } else {
3067                     m_insertionSet.insertNode(
3068                         m_indexInBlock, SpecNone, CheckArray, origin,
3069                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
3070                 }
3071</