5c356aba19113366f60968c371388c8db35acf32
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2016 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             fixIntConvertingEdge(node->child1());
130             node->setArithMode(Arith::Unchecked);
131             break;
132         }
133             
134         case UInt32ToNumber: {
135             fixIntConvertingEdge(node->child1());
136             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
137                 node->convertToIdentity();
138             else if (node->canSpeculateInt32(FixupPass))
139                 node->setArithMode(Arith::CheckOverflow);
140             else {
141                 node->setArithMode(Arith::DoOverflow);
142                 node->clearFlags(NodeMustGenerate);
143                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
144             }
145             break;
146         }
147             
148         case ValueAdd: {
149             if (attemptToMakeIntegerAdd(node)) {
150                 node->setOp(ArithAdd);
151                 break;
152             }
153             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
154                 fixDoubleOrBooleanEdge(node->child1());
155                 fixDoubleOrBooleanEdge(node->child2());
156                 node->setOp(ArithAdd);
157                 node->setResult(NodeResultDouble);
158                 break;
159             }
160             
161             if (attemptToMakeFastStringAdd(node))
162                 break;
163
164             fixEdge<UntypedUse>(node->child1());
165             fixEdge<UntypedUse>(node->child2());
166             node->setResult(NodeResultJS);
167             break;
168         }
169
170         case StrCat: {
171             if (attemptToMakeFastStringAdd(node))
172                 break;
173
174             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
175             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
176             // the implementation of StrCat doesn't dynamically optimize for empty strings.
177             // https://bugs.webkit.org/show_bug.cgi?id=148540
178             m_graph.doToChildren(
179                 node,
180                 [&] (Edge& edge) {
181                     fixEdge<KnownPrimitiveUse>(edge);
182                 });
183             break;
184         }
185             
186         case MakeRope: {
187             fixupMakeRope(node);
188             break;
189         }
190             
191         case ArithAdd:
192         case ArithSub: {
193             if (op == ArithSub
194                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
195                 fixEdge<UntypedUse>(node->child1());
196                 fixEdge<UntypedUse>(node->child2());
197                 node->setResult(NodeResultJS);
198                 break;
199             }
200             if (attemptToMakeIntegerAdd(node))
201                 break;
202             fixDoubleOrBooleanEdge(node->child1());
203             fixDoubleOrBooleanEdge(node->child2());
204             node->setResult(NodeResultDouble);
205             break;
206         }
207             
208         case ArithNegate: {
209             if (m_graph.unaryArithShouldSpeculateInt32(node, FixupPass)) {
210                 fixIntOrBooleanEdge(node->child1());
211                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
212                     node->setArithMode(Arith::Unchecked);
213                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
214                     node->setArithMode(Arith::CheckOverflow);
215                 else
216                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
217                 break;
218             }
219             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
220                 fixEdge<Int52RepUse>(node->child1());
221                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
222                     node->setArithMode(Arith::CheckOverflow);
223                 else
224                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
225                 node->setResult(NodeResultInt52);
226                 break;
227             }
228             fixDoubleOrBooleanEdge(node->child1());
229             node->setResult(NodeResultDouble);
230             break;
231         }
232             
233         case ArithMul: {
234             Edge& leftChild = node->child1();
235             Edge& rightChild = node->child2();
236             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
237                 fixEdge<UntypedUse>(leftChild);
238                 fixEdge<UntypedUse>(rightChild);
239                 node->setResult(NodeResultJS);
240                 break;
241             }
242             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
243                 fixIntOrBooleanEdge(leftChild);
244                 fixIntOrBooleanEdge(rightChild);
245                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
246                     node->setArithMode(Arith::Unchecked);
247                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
248                     || leftChild.node() == rightChild.node())
249                     node->setArithMode(Arith::CheckOverflow);
250                 else
251                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
252                 break;
253             }
254             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
255                 fixEdge<Int52RepUse>(leftChild);
256                 fixEdge<Int52RepUse>(rightChild);
257                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
258                     || leftChild.node() == rightChild.node())
259                     node->setArithMode(Arith::CheckOverflow);
260                 else
261                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
262                 node->setResult(NodeResultInt52);
263                 break;
264             }
265             fixDoubleOrBooleanEdge(leftChild);
266             fixDoubleOrBooleanEdge(rightChild);
267             node->setResult(NodeResultDouble);
268             break;
269         }
270
271         case ArithDiv:
272         case ArithMod: {
273             Edge& leftChild = node->child1();
274             Edge& rightChild = node->child2();
275             if (op == ArithDiv
276                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
277                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
278                 fixEdge<UntypedUse>(leftChild);
279                 fixEdge<UntypedUse>(rightChild);
280                 node->setResult(NodeResultJS);
281                 break;
282             }
283             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
284                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
285                     fixIntOrBooleanEdge(leftChild);
286                     fixIntOrBooleanEdge(rightChild);
287                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
288                         node->setArithMode(Arith::Unchecked);
289                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
290                         node->setArithMode(Arith::CheckOverflow);
291                     else
292                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
293                     break;
294                 }
295                 
296                 // This will cause conversion nodes to be inserted later.
297                 fixDoubleOrBooleanEdge(leftChild);
298                 fixDoubleOrBooleanEdge(rightChild);
299                 
300                 // We don't need to do ref'ing on the children because we're stealing them from
301                 // the original division.
302                 Node* newDivision = m_insertionSet.insertNode(
303                     m_indexInBlock, SpecBytecodeDouble, *node);
304                 newDivision->setResult(NodeResultDouble);
305                 
306                 node->setOp(DoubleAsInt32);
307                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
308                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
309                     node->setArithMode(Arith::CheckOverflow);
310                 else
311                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
312                 break;
313             }
314             fixDoubleOrBooleanEdge(leftChild);
315             fixDoubleOrBooleanEdge(rightChild);
316             node->setResult(NodeResultDouble);
317             break;
318         }
319             
320         case ArithMin:
321         case ArithMax: {
322             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
323                 fixIntOrBooleanEdge(node->child1());
324                 fixIntOrBooleanEdge(node->child2());
325                 break;
326             }
327             fixDoubleOrBooleanEdge(node->child1());
328             fixDoubleOrBooleanEdge(node->child2());
329             node->setResult(NodeResultDouble);
330             break;
331         }
332             
333         case ArithAbs: {
334             if (node->child1()->shouldSpeculateInt32OrBoolean()
335                 && node->canSpeculateInt32(FixupPass)) {
336                 fixIntOrBooleanEdge(node->child1());
337                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
338                     node->setArithMode(Arith::Unchecked);
339                 else
340                     node->setArithMode(Arith::CheckOverflow);
341                 node->clearFlags(NodeMustGenerate);
342                 node->setResult(NodeResultInt32);
343                 break;
344             }
345
346             if (node->child1()->shouldSpeculateNotCell()) {
347                 fixDoubleOrBooleanEdge(node->child1());
348                 node->clearFlags(NodeMustGenerate);
349             } else
350                 fixEdge<UntypedUse>(node->child1());
351             node->setResult(NodeResultDouble);
352             break;
353         }
354
355         case ArithPow: {
356             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
357                 fixDoubleOrBooleanEdge(node->child1());
358                 fixIntOrBooleanEdge(node->child2());
359                 break;
360             }
361
362             fixDoubleOrBooleanEdge(node->child1());
363             fixDoubleOrBooleanEdge(node->child2());
364             break;
365         }
366
367         case ArithRandom: {
368             node->setResult(NodeResultDouble);
369             break;
370         }
371
372         case ArithRound:
373         case ArithFloor:
374         case ArithCeil:
375         case ArithTrunc: {
376             if (m_graph.unaryArithShouldSpeculateInt32(node, FixupPass)) {
377                 fixIntOrBooleanEdge(node->child1());
378                 insertCheck<Int32Use>(m_indexInBlock, node->child1().node());
379                 node->convertToIdentity();
380                 break;
381             }
382             fixDoubleOrBooleanEdge(node->child1());
383
384             if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
385                 node->setResult(NodeResultInt32);
386                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
387                     node->setArithRoundingMode(Arith::RoundingMode::Int32);
388                 else
389                     node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
390             } else {
391                 node->setResult(NodeResultDouble);
392                 node->setArithRoundingMode(Arith::RoundingMode::Double);
393             }
394             break;
395         }
396
397         case ArithCos:
398         case ArithFRound:
399         case ArithLog:
400         case ArithSin:
401         case ArithSqrt: {
402             Edge& child1 = node->child1();
403             if (child1->shouldSpeculateNotCell()) {
404                 fixDoubleOrBooleanEdge(child1);
405                 node->clearFlags(NodeMustGenerate);
406             } else
407                 fixEdge<UntypedUse>(child1);
408             break;
409         }
410             
411         case LogicalNot: {
412             if (node->child1()->shouldSpeculateBoolean()) {
413                 if (node->child1()->result() == NodeResultBoolean) {
414                     // This is necessary in case we have a bytecode instruction implemented by:
415                     //
416                     // a: CompareEq(...)
417                     // b: LogicalNot(@a)
418                     //
419                     // In that case, CompareEq might have a side-effect. Then, we need to make
420                     // sure that we know that Branch does not exit.
421                     fixEdge<KnownBooleanUse>(node->child1());
422                 } else
423                     fixEdge<BooleanUse>(node->child1());
424             } else if (node->child1()->shouldSpeculateObjectOrOther())
425                 fixEdge<ObjectOrOtherUse>(node->child1());
426             else if (node->child1()->shouldSpeculateInt32OrBoolean())
427                 fixIntOrBooleanEdge(node->child1());
428             else if (node->child1()->shouldSpeculateNumber())
429                 fixEdge<DoubleRepUse>(node->child1());
430             else if (node->child1()->shouldSpeculateString())
431                 fixEdge<StringUse>(node->child1());
432             else if (node->child1()->shouldSpeculateStringOrOther())
433                 fixEdge<StringOrOtherUse>(node->child1());
434             break;
435         }
436
437         case CompareEq:
438         case CompareLess:
439         case CompareLessEq:
440         case CompareGreater:
441         case CompareGreaterEq: {
442             if (node->op() == CompareEq
443                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
444                 fixEdge<BooleanUse>(node->child1());
445                 fixEdge<BooleanUse>(node->child2());
446                 node->clearFlags(NodeMustGenerate);
447                 break;
448             }
449             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
450                 fixIntOrBooleanEdge(node->child1());
451                 fixIntOrBooleanEdge(node->child2());
452                 node->clearFlags(NodeMustGenerate);
453                 break;
454             }
455             if (enableInt52()
456                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
457                 fixEdge<Int52RepUse>(node->child1());
458                 fixEdge<Int52RepUse>(node->child2());
459                 node->clearFlags(NodeMustGenerate);
460                 break;
461             }
462             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
463                 fixDoubleOrBooleanEdge(node->child1());
464                 fixDoubleOrBooleanEdge(node->child2());
465             }
466             if (node->op() != CompareEq
467                 && node->child1()->shouldSpeculateNotCell()
468                 && node->child2()->shouldSpeculateNotCell()) {
469                 if (node->child1()->shouldSpeculateNumberOrBoolean())
470                     fixDoubleOrBooleanEdge(node->child1());
471                 else
472                     fixEdge<DoubleRepUse>(node->child1());
473                 if (node->child2()->shouldSpeculateNumberOrBoolean())
474                     fixDoubleOrBooleanEdge(node->child2());
475                 else
476                     fixEdge<DoubleRepUse>(node->child2());
477                 node->clearFlags(NodeMustGenerate);
478                 break;
479             }
480             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
481                 fixEdge<StringIdentUse>(node->child1());
482                 fixEdge<StringIdentUse>(node->child2());
483                 node->clearFlags(NodeMustGenerate);
484                 break;
485             }
486             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
487                 fixEdge<StringUse>(node->child1());
488                 fixEdge<StringUse>(node->child2());
489                 node->clearFlags(NodeMustGenerate);
490                 break;
491             }
492
493             if (node->op() != CompareEq)
494                 break;
495             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
496                 fixEdge<SymbolUse>(node->child1());
497                 fixEdge<SymbolUse>(node->child2());
498                 node->clearFlags(NodeMustGenerate);
499                 break;
500             }
501             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
502                 fixEdge<ObjectUse>(node->child1());
503                 fixEdge<ObjectUse>(node->child2());
504                 node->clearFlags(NodeMustGenerate);
505                 break;
506             }
507
508             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
509             bool oneArgumentIsUsedAsSpecOther = false;
510             if (node->child1()->isUndefinedOrNullConstant()) {
511                 fixEdge<OtherUse>(node->child1());
512                 oneArgumentIsUsedAsSpecOther = true;
513             } else if (node->child1()->shouldSpeculateOther()) {
514                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
515                     Edge(node->child1().node(), OtherUse));
516                 fixEdge<OtherUse>(node->child1());
517                 oneArgumentIsUsedAsSpecOther = true;
518             }
519             if (node->child2()->isUndefinedOrNullConstant()) {
520                 fixEdge<OtherUse>(node->child2());
521                 oneArgumentIsUsedAsSpecOther = true;
522             } else if (node->child2()->shouldSpeculateOther()) {
523                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
524                     Edge(node->child2().node(), OtherUse));
525                 fixEdge<OtherUse>(node->child2());
526                 oneArgumentIsUsedAsSpecOther = true;
527             }
528             if (oneArgumentIsUsedAsSpecOther) {
529                 node->clearFlags(NodeMustGenerate);
530                 break;
531             }
532
533             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
534                 fixEdge<ObjectUse>(node->child1());
535                 fixEdge<ObjectOrOtherUse>(node->child2());
536                 node->clearFlags(NodeMustGenerate);
537                 break;
538             }
539             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
540                 fixEdge<ObjectOrOtherUse>(node->child1());
541                 fixEdge<ObjectUse>(node->child2());
542                 node->clearFlags(NodeMustGenerate);
543                 break;
544             }
545
546             break;
547         }
548             
549         case CompareStrictEq: {
550             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
551                 fixEdge<BooleanUse>(node->child1());
552                 fixEdge<BooleanUse>(node->child2());
553                 break;
554             }
555             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
556                 fixEdge<Int32Use>(node->child1());
557                 fixEdge<Int32Use>(node->child2());
558                 break;
559             }
560             if (enableInt52()
561                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
562                 fixEdge<Int52RepUse>(node->child1());
563                 fixEdge<Int52RepUse>(node->child2());
564                 break;
565             }
566             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
567                 fixEdge<DoubleRepUse>(node->child1());
568                 fixEdge<DoubleRepUse>(node->child2());
569                 break;
570             }
571             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
572                 fixEdge<SymbolUse>(node->child1());
573                 fixEdge<SymbolUse>(node->child2());
574                 break;
575             }
576             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
577                 fixEdge<StringIdentUse>(node->child1());
578                 fixEdge<StringIdentUse>(node->child2());
579                 break;
580             }
581             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
582                 fixEdge<StringUse>(node->child1());
583                 fixEdge<StringUse>(node->child2());
584                 break;
585             }
586             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
587             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
588                 
589                 if (node->child1()->shouldSpeculateObject()) {
590                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
591                     fixEdge<ObjectUse>(node->child1());
592                     break;
593                 }
594                 if (node->child2()->shouldSpeculateObject()) {
595                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
596                     fixEdge<ObjectUse>(node->child2());
597                     break;
598                 }
599                 
600             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
601                 fixEdge<ObjectUse>(node->child1());
602                 fixEdge<ObjectUse>(node->child2());
603                 break;
604             }
605             if (node->child1()->shouldSpeculateSymbol()) {
606                 fixEdge<SymbolUse>(node->child1());
607                 break;
608             }
609             if (node->child2()->shouldSpeculateSymbol()) {
610                 fixEdge<SymbolUse>(node->child2());
611                 break;
612             }
613             if (node->child1()->shouldSpeculateMisc()) {
614                 fixEdge<MiscUse>(node->child1());
615                 break;
616             }
617             if (node->child2()->shouldSpeculateMisc()) {
618                 fixEdge<MiscUse>(node->child2());
619                 break;
620             }
621             if (node->child1()->shouldSpeculateStringIdent()
622                 && node->child2()->shouldSpeculateNotStringVar()) {
623                 fixEdge<StringIdentUse>(node->child1());
624                 fixEdge<NotStringVarUse>(node->child2());
625                 break;
626             }
627             if (node->child2()->shouldSpeculateStringIdent()
628                 && node->child1()->shouldSpeculateNotStringVar()) {
629                 fixEdge<StringIdentUse>(node->child2());
630                 fixEdge<NotStringVarUse>(node->child1());
631                 break;
632             }
633             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
634                 fixEdge<StringUse>(node->child1());
635                 break;
636             }
637             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
638                 fixEdge<StringUse>(node->child2());
639                 break;
640             }
641             break;
642         }
643             
644         case StringFromCharCode:
645             if (node->child1()->shouldSpeculateInt32())
646                 fixEdge<Int32Use>(node->child1());
647             else
648                 fixEdge<UntypedUse>(node->child1());
649             break;
650
651         case StringCharAt:
652         case StringCharCodeAt: {
653             // Currently we have no good way of refining these.
654             ASSERT(node->arrayMode() == ArrayMode(Array::String));
655             blessArrayOperation(node->child1(), node->child2(), node->child3());
656             fixEdge<KnownCellUse>(node->child1());
657             fixEdge<Int32Use>(node->child2());
658             break;
659         }
660
661         case GetByVal: {
662             if (!node->prediction()) {
663                 m_insertionSet.insertNode(
664                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
665             }
666             
667             node->setArrayMode(
668                 node->arrayMode().refine(
669                     m_graph, node,
670                     node->child1()->prediction(),
671                     node->child2()->prediction(),
672                     SpecNone));
673             
674             blessArrayOperation(node->child1(), node->child2(), node->child3());
675             
676             ArrayMode arrayMode = node->arrayMode();
677             switch (arrayMode.type()) {
678             case Array::Contiguous:
679             case Array::Double:
680                 if (arrayMode.arrayClass() == Array::OriginalArray
681                     && arrayMode.speculation() == Array::InBounds) {
682                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
683                     if (globalObject->arrayPrototypeChainIsSane()) {
684                         // Check if SaneChain will work on a per-type basis. Note that:
685                         //
686                         // 1) We don't want double arrays to sometimes return undefined, since
687                         // that would require a change to the return type and it would pessimise
688                         // things a lot. So, we'd only want to do that if we actually had
689                         // evidence that we could read from a hole. That's pretty annoying.
690                         // Likely the best way to handle that case is with an equivalent of
691                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
692                         // NaN are indistinguishable according to backwards propagation, and just
693                         // use SaneChain in that case. This happens to catch a lot of cases.
694                         //
695                         // 2) We don't want int32 array loads to have to do a hole check just to
696                         // coerce to Undefined, since that would mean twice the checks.
697                         //
698                         // This has two implications. First, we have to do more checks than we'd
699                         // like. It's unfortunate that we have to do the hole check. Second,
700                         // some accesses that hit a hole will now need to take the full-blown
701                         // out-of-bounds slow path. We can fix that with:
702                         // https://bugs.webkit.org/show_bug.cgi?id=144668
703                         
704                         bool canDoSaneChain = false;
705                         switch (arrayMode.type()) {
706                         case Array::Contiguous:
707                             // This is happens to be entirely natural. We already would have
708                             // returned any JSValue, and now we'll return Undefined. We still do
709                             // the check but it doesn't require taking any kind of slow path.
710                             canDoSaneChain = true;
711                             break;
712                             
713                         case Array::Double:
714                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
715                                 // Holes look like NaN already, so if the user doesn't care
716                                 // about the difference between Undefined and NaN then we can
717                                 // do this.
718                                 canDoSaneChain = true;
719                             }
720                             break;
721                             
722                         default:
723                             break;
724                         }
725                         
726                         if (canDoSaneChain) {
727                             m_graph.watchpoints().addLazily(
728                                 globalObject->arrayPrototype()->structure()->transitionWatchpointSet());
729                             m_graph.watchpoints().addLazily(
730                                 globalObject->objectPrototype()->structure()->transitionWatchpointSet());
731                             if (globalObject->arrayPrototypeChainIsSane())
732                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
733                         }
734                     }
735                 }
736                 break;
737                 
738             case Array::String:
739                 if ((node->prediction() & ~SpecString)
740                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
741                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
742                 break;
743                 
744             default:
745                 break;
746             }
747             
748             arrayMode = node->arrayMode();
749             switch (arrayMode.type()) {
750             case Array::SelectUsingPredictions:
751             case Array::Unprofiled:
752                 RELEASE_ASSERT_NOT_REACHED();
753                 break;
754             case Array::Generic:
755 #if USE(JSVALUE32_64)
756                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
757 #endif
758                 break;
759             case Array::ForceExit:
760                 break;
761             default:
762                 fixEdge<KnownCellUse>(node->child1());
763                 fixEdge<Int32Use>(node->child2());
764                 break;
765             }
766             
767             switch (arrayMode.type()) {
768             case Array::Double:
769                 if (!arrayMode.isOutOfBounds())
770                     node->setResult(NodeResultDouble);
771                 break;
772                 
773             case Array::Float32Array:
774             case Array::Float64Array:
775                 node->setResult(NodeResultDouble);
776                 break;
777                 
778             case Array::Uint32Array:
779                 if (node->shouldSpeculateInt32())
780                     break;
781                 if (node->shouldSpeculateAnyInt() && enableInt52())
782                     node->setResult(NodeResultInt52);
783                 else
784                     node->setResult(NodeResultDouble);
785                 break;
786                 
787             default:
788                 break;
789             }
790             
791             break;
792         }
793
794         case PutByValDirect:
795         case PutByVal:
796         case PutByValAlias: {
797             Edge& child1 = m_graph.varArgChild(node, 0);
798             Edge& child2 = m_graph.varArgChild(node, 1);
799             Edge& child3 = m_graph.varArgChild(node, 2);
800
801             node->setArrayMode(
802                 node->arrayMode().refine(
803                     m_graph, node,
804                     child1->prediction(),
805                     child2->prediction(),
806                     child3->prediction()));
807             
808             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
809             
810             switch (node->arrayMode().modeForPut().type()) {
811             case Array::SelectUsingPredictions:
812             case Array::SelectUsingArguments:
813             case Array::Unprofiled:
814             case Array::Undecided:
815                 RELEASE_ASSERT_NOT_REACHED();
816                 break;
817             case Array::ForceExit:
818             case Array::Generic:
819 #if USE(JSVALUE32_64)
820                 // Due to register pressure on 32-bit, we speculate cell and
821                 // ignore the base-is-not-cell case entirely by letting the
822                 // baseline JIT handle it.
823                 fixEdge<CellUse>(child1);
824 #endif
825                 break;
826             case Array::Int32:
827                 fixEdge<KnownCellUse>(child1);
828                 fixEdge<Int32Use>(child2);
829                 fixEdge<Int32Use>(child3);
830                 break;
831             case Array::Double:
832                 fixEdge<KnownCellUse>(child1);
833                 fixEdge<Int32Use>(child2);
834                 fixEdge<DoubleRepRealUse>(child3);
835                 break;
836             case Array::Int8Array:
837             case Array::Int16Array:
838             case Array::Int32Array:
839             case Array::Uint8Array:
840             case Array::Uint8ClampedArray:
841             case Array::Uint16Array:
842             case Array::Uint32Array:
843                 fixEdge<KnownCellUse>(child1);
844                 fixEdge<Int32Use>(child2);
845                 if (child3->shouldSpeculateInt32())
846                     fixIntOrBooleanEdge(child3);
847                 else if (child3->shouldSpeculateAnyInt())
848                     fixEdge<Int52RepUse>(child3);
849                 else
850                     fixDoubleOrBooleanEdge(child3);
851                 break;
852             case Array::Float32Array:
853             case Array::Float64Array:
854                 fixEdge<KnownCellUse>(child1);
855                 fixEdge<Int32Use>(child2);
856                 fixDoubleOrBooleanEdge(child3);
857                 break;
858             case Array::Contiguous:
859             case Array::ArrayStorage:
860             case Array::SlowPutArrayStorage:
861                 fixEdge<KnownCellUse>(child1);
862                 fixEdge<Int32Use>(child2);
863                 speculateForBarrier(child3);
864                 break;
865             default:
866                 fixEdge<KnownCellUse>(child1);
867                 fixEdge<Int32Use>(child2);
868                 break;
869             }
870             break;
871         }
872             
873         case ArrayPush: {
874             // May need to refine the array mode in case the value prediction contravenes
875             // the array prediction. For example, we may have evidence showing that the
876             // array is in Int32 mode, but the value we're storing is likely to be a double.
877             // Then we should turn this into a conversion to Double array followed by the
878             // push. On the other hand, we absolutely don't want to refine based on the
879             // base prediction. If it has non-cell garbage in it, then we want that to be
880             // ignored. That's because ArrayPush can't handle any array modes that aren't
881             // array-related - so if refine() turned this into a "Generic" ArrayPush then
882             // that would break things.
883             node->setArrayMode(
884                 node->arrayMode().refine(
885                     m_graph, node,
886                     node->child1()->prediction() & SpecCell,
887                     SpecInt32Only,
888                     node->child2()->prediction()));
889             blessArrayOperation(node->child1(), Edge(), node->child3());
890             fixEdge<KnownCellUse>(node->child1());
891             
892             switch (node->arrayMode().type()) {
893             case Array::Int32:
894                 fixEdge<Int32Use>(node->child2());
895                 break;
896             case Array::Double:
897                 fixEdge<DoubleRepRealUse>(node->child2());
898                 break;
899             case Array::Contiguous:
900             case Array::ArrayStorage:
901                 speculateForBarrier(node->child2());
902                 break;
903             default:
904                 break;
905             }
906             break;
907         }
908             
909         case ArrayPop: {
910             blessArrayOperation(node->child1(), Edge(), node->child2());
911             fixEdge<KnownCellUse>(node->child1());
912             break;
913         }
914             
915         case RegExpExec:
916         case RegExpTest: {
917             fixEdge<KnownCellUse>(node->child1());
918             
919             if (node->child2()->shouldSpeculateRegExpObject()) {
920                 fixEdge<RegExpObjectUse>(node->child2());
921
922                 if (node->child3()->shouldSpeculateString())
923                     fixEdge<StringUse>(node->child3());
924             }
925             break;
926         }
927
928         case StringReplace:
929         case StringReplaceRegExp: {
930             if (node->child2()->shouldSpeculateString()) {
931                 m_insertionSet.insertNode(
932                     m_indexInBlock, SpecNone, Check, node->origin,
933                     Edge(node->child2().node(), StringUse));
934                 fixEdge<StringUse>(node->child2());
935             } else if (op == StringReplace) {
936                 if (node->child2()->shouldSpeculateRegExpObject())
937                     addStringReplacePrimordialChecks(node->child2().node());
938                 else 
939                     m_insertionSet.insertNode(
940                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
941             }
942
943             if (node->child1()->shouldSpeculateString()
944                 && node->child2()->shouldSpeculateRegExpObject()
945                 && node->child3()->shouldSpeculateString()) {
946
947                 fixEdge<StringUse>(node->child1());
948                 fixEdge<RegExpObjectUse>(node->child2());
949                 fixEdge<StringUse>(node->child3());
950                 break;
951             }
952             break;
953         }
954             
955         case Branch: {
956             if (node->child1()->shouldSpeculateBoolean()) {
957                 if (node->child1()->result() == NodeResultBoolean) {
958                     // This is necessary in case we have a bytecode instruction implemented by:
959                     //
960                     // a: CompareEq(...)
961                     // b: Branch(@a)
962                     //
963                     // In that case, CompareEq might have a side-effect. Then, we need to make
964                     // sure that we know that Branch does not exit.
965                     fixEdge<KnownBooleanUse>(node->child1());
966                 } else
967                     fixEdge<BooleanUse>(node->child1());
968             } else if (node->child1()->shouldSpeculateObjectOrOther())
969                 fixEdge<ObjectOrOtherUse>(node->child1());
970             else if (node->child1()->shouldSpeculateInt32OrBoolean())
971                 fixIntOrBooleanEdge(node->child1());
972             else if (node->child1()->shouldSpeculateNumber())
973                 fixEdge<DoubleRepUse>(node->child1());
974             else if (node->child1()->shouldSpeculateString())
975                 fixEdge<StringUse>(node->child1());
976             else if (node->child1()->shouldSpeculateStringOrOther())
977                 fixEdge<StringOrOtherUse>(node->child1());
978             break;
979         }
980             
981         case Switch: {
982             SwitchData* data = node->switchData();
983             switch (data->kind) {
984             case SwitchImm:
985                 if (node->child1()->shouldSpeculateInt32())
986                     fixEdge<Int32Use>(node->child1());
987                 break;
988             case SwitchChar:
989                 if (node->child1()->shouldSpeculateString())
990                     fixEdge<StringUse>(node->child1());
991                 break;
992             case SwitchString:
993                 if (node->child1()->shouldSpeculateStringIdent())
994                     fixEdge<StringIdentUse>(node->child1());
995                 else if (node->child1()->shouldSpeculateString())
996                     fixEdge<StringUse>(node->child1());
997                 break;
998             case SwitchCell:
999                 if (node->child1()->shouldSpeculateCell())
1000                     fixEdge<CellUse>(node->child1());
1001                 // else it's fine for this to have UntypedUse; we will handle this by just making
1002                 // non-cells take the default case.
1003                 break;
1004             }
1005             break;
1006         }
1007             
1008         case ToPrimitive: {
1009             fixupToPrimitive(node);
1010             break;
1011         }
1012
1013         case ToNumber: {
1014             fixupToNumber(node);
1015             break;
1016         }
1017             
1018         case ToString:
1019         case CallStringConstructor: {
1020             fixupToStringOrCallStringConstructor(node);
1021             break;
1022         }
1023             
1024         case NewStringObject: {
1025             fixEdge<KnownStringUse>(node->child1());
1026             break;
1027         }
1028             
1029         case NewArray: {
1030             watchHavingABadTime(node);
1031             
1032             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1033                 node->setIndexingType(
1034                     leastUpperBoundOfIndexingTypeAndType(
1035                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1036             }
1037             switch (node->indexingType()) {
1038             case ALL_BLANK_INDEXING_TYPES:
1039                 CRASH();
1040                 break;
1041             case ALL_UNDECIDED_INDEXING_TYPES:
1042                 if (node->numChildren()) {
1043                     // This will only happen if the children have no type predictions. We
1044                     // would have already exited by now, but insert a forced exit just to
1045                     // be safe.
1046                     m_insertionSet.insertNode(
1047                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1048                 }
1049                 break;
1050             case ALL_INT32_INDEXING_TYPES:
1051                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1052                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1053                 break;
1054             case ALL_DOUBLE_INDEXING_TYPES:
1055                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1056                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1057                 break;
1058             case ALL_CONTIGUOUS_INDEXING_TYPES:
1059             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1060                 break;
1061             default:
1062                 CRASH();
1063                 break;
1064             }
1065             break;
1066         }
1067             
1068         case NewTypedArray: {
1069             watchHavingABadTime(node);
1070             
1071             if (node->child1()->shouldSpeculateInt32()) {
1072                 fixEdge<Int32Use>(node->child1());
1073                 node->clearFlags(NodeMustGenerate);
1074                 break;
1075             }
1076             break;
1077         }
1078             
1079         case NewArrayWithSize: {
1080             watchHavingABadTime(node);
1081             fixEdge<Int32Use>(node->child1());
1082             break;
1083         }
1084
1085         case CallObjectConstructor: {
1086             if (node->child1()->shouldSpeculateObject()) {
1087                 fixEdge<ObjectUse>(node->child1());
1088                 node->convertToIdentity();
1089                 break;
1090             }
1091
1092             fixEdge<UntypedUse>(node->child1());
1093             break;
1094         }
1095
1096         case ToThis: {
1097             fixupToThis(node);
1098             break;
1099         }
1100             
1101         case PutStructure: {
1102             fixEdge<KnownCellUse>(node->child1());
1103             break;
1104         }
1105             
1106         case GetClosureVar:
1107         case GetFromArguments: {
1108             fixEdge<KnownCellUse>(node->child1());
1109             break;
1110         }
1111
1112         case PutClosureVar:
1113         case PutToArguments: {
1114             fixEdge<KnownCellUse>(node->child1());
1115             speculateForBarrier(node->child2());
1116             break;
1117         }
1118
1119         case SkipScope:
1120         case GetScope:
1121         case GetGetter:
1122         case GetSetter:
1123         case GetGlobalObject: {
1124             fixEdge<KnownCellUse>(node->child1());
1125             break;
1126         }
1127             
1128         case AllocatePropertyStorage:
1129         case ReallocatePropertyStorage: {
1130             fixEdge<KnownCellUse>(node->child1());
1131             break;
1132         }
1133
1134         case TryGetById: {
1135             if (node->child1()->shouldSpeculateCell())
1136                 fixEdge<CellUse>(node->child1());
1137             break;
1138         }
1139
1140         case GetById:
1141         case GetByIdFlush: {
1142             // FIXME: This should be done in the ByteCodeParser based on reading the
1143             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1144             // https://bugs.webkit.org/show_bug.cgi?id=154990
1145             if (node->child1()->shouldSpeculateCellOrOther()
1146                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1147                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1148                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1149                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1150                 
1151                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1152                 
1153                 if (uid == vm().propertyNames->length.impl()) {
1154                     attemptToMakeGetArrayLength(node);
1155                     break;
1156                 }
1157
1158                 if (uid == vm().propertyNames->lastIndex.impl()
1159                     && node->child1()->shouldSpeculateRegExpObject()) {
1160                     node->setOp(GetRegExpObjectLastIndex);
1161                     node->clearFlags(NodeMustGenerate);
1162                     fixEdge<RegExpObjectUse>(node->child1());
1163                     break;
1164                 }
1165             }
1166
1167             if (node->child1()->shouldSpeculateCell())
1168                 fixEdge<CellUse>(node->child1());
1169             break;
1170         }
1171
1172         case PutById:
1173         case PutByIdFlush:
1174         case PutByIdDirect: {
1175             if (node->child1()->shouldSpeculateCellOrOther()
1176                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1177                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1178                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1179                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1180                 
1181                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1182                 
1183                 if (uid == vm().propertyNames->lastIndex.impl()
1184                     && node->child1()->shouldSpeculateRegExpObject()) {
1185                     node->setOp(SetRegExpObjectLastIndex);
1186                     fixEdge<RegExpObjectUse>(node->child1());
1187                     speculateForBarrier(node->child2());
1188                     break;
1189                 }
1190             }
1191             
1192             fixEdge<CellUse>(node->child1());
1193             break;
1194         }
1195
1196         case PutGetterById:
1197         case PutSetterById: {
1198             fixEdge<KnownCellUse>(node->child1());
1199             fixEdge<KnownCellUse>(node->child2());
1200             break;
1201         }
1202
1203         case PutGetterSetterById: {
1204             fixEdge<KnownCellUse>(node->child1());
1205             break;
1206         }
1207
1208         case PutGetterByVal:
1209         case PutSetterByVal: {
1210             fixEdge<KnownCellUse>(node->child1());
1211             fixEdge<KnownCellUse>(node->child3());
1212             break;
1213         }
1214
1215         case GetExecutable: {
1216             fixEdge<FunctionUse>(node->child1());
1217             break;
1218         }
1219
1220         case OverridesHasInstance:
1221         case CheckStructure:
1222         case CheckCell:
1223         case CreateThis:
1224         case GetButterfly: {
1225             fixEdge<CellUse>(node->child1());
1226             break;
1227         }
1228
1229         case CheckStringIdent: {
1230             fixEdge<StringIdentUse>(node->child1());
1231             break;
1232         }
1233             
1234         case Arrayify:
1235         case ArrayifyToStructure: {
1236             fixEdge<CellUse>(node->child1());
1237             if (node->child2())
1238                 fixEdge<Int32Use>(node->child2());
1239             break;
1240         }
1241             
1242         case GetByOffset:
1243         case GetGetterSetterByOffset: {
1244             if (!node->child1()->hasStorageResult())
1245                 fixEdge<KnownCellUse>(node->child1());
1246             fixEdge<KnownCellUse>(node->child2());
1247             break;
1248         }
1249             
1250         case MultiGetByOffset: {
1251             fixEdge<CellUse>(node->child1());
1252             break;
1253         }
1254             
1255         case PutByOffset: {
1256             if (!node->child1()->hasStorageResult())
1257                 fixEdge<KnownCellUse>(node->child1());
1258             fixEdge<KnownCellUse>(node->child2());
1259             insertInferredTypeCheck(
1260                 m_insertionSet, m_indexInBlock, node->origin, node->child3().node(),
1261                 node->storageAccessData().inferredType);
1262             speculateForBarrier(node->child3());
1263             break;
1264         }
1265             
1266         case MultiPutByOffset: {
1267             fixEdge<CellUse>(node->child1());
1268             speculateForBarrier(node->child2());
1269             break;
1270         }
1271             
1272         case InstanceOf: {
1273             if (!(node->child1()->prediction() & ~SpecCell))
1274                 fixEdge<CellUse>(node->child1());
1275             fixEdge<CellUse>(node->child2());
1276             break;
1277         }
1278
1279         case InstanceOfCustom:
1280             fixEdge<CellUse>(node->child2());
1281             break;
1282
1283         case In: {
1284             // FIXME: We should at some point have array profiling on op_in, in which
1285             // case we would be able to turn this into a kind of GetByVal.
1286             
1287             fixEdge<CellUse>(node->child2());
1288             break;
1289         }
1290
1291         case Check: {
1292             m_graph.doToChildren(
1293                 node,
1294                 [&] (Edge& edge) {
1295                     switch (edge.useKind()) {
1296                     case NumberUse:
1297                         if (edge->shouldSpeculateInt32ForArithmetic())
1298                             edge.setUseKind(Int32Use);
1299                         break;
1300                     default:
1301                         break;
1302                     }
1303                     observeUseKindOnEdge(edge);
1304                 });
1305             break;
1306         }
1307
1308         case Phantom:
1309             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1310             node->remove();
1311             break;
1312
1313         case FiatInt52: {
1314             RELEASE_ASSERT(enableInt52());
1315             node->convertToIdentity();
1316             fixEdge<Int52RepUse>(node->child1());
1317             node->setResult(NodeResultInt52);
1318             break;
1319         }
1320
1321         case GetArrayLength: {
1322             fixEdge<KnownCellUse>(node->child1());
1323             break;
1324         }
1325
1326         case GetTypedArrayByteOffset: {
1327             fixEdge<KnownCellUse>(node->child1());
1328             break;
1329         }
1330
1331         case Phi:
1332         case Upsilon:
1333         case GetIndexedPropertyStorage:
1334         case LastNodeType:
1335         case CheckTierUpInLoop:
1336         case CheckTierUpAtReturn:
1337         case CheckTierUpAndOSREnter:
1338         case InvalidationPoint:
1339         case CheckArray:
1340         case CheckInBounds:
1341         case ConstantStoragePointer:
1342         case DoubleAsInt32:
1343         case ValueToInt32:
1344         case DoubleRep:
1345         case ValueRep:
1346         case Int52Rep:
1347         case Int52Constant:
1348         case Identity: // This should have been cleaned up.
1349         case BooleanToNumber:
1350         case PhantomNewObject:
1351         case PhantomNewFunction:
1352         case PhantomNewGeneratorFunction:
1353         case PhantomCreateActivation:
1354         case PhantomDirectArguments:
1355         case PhantomClonedArguments:
1356         case GetMyArgumentByVal:
1357         case GetMyArgumentByValOutOfBounds:
1358         case PutHint:
1359         case CheckStructureImmediate:
1360         case MaterializeNewObject:
1361         case MaterializeCreateActivation:
1362         case PutStack:
1363         case KillStack:
1364         case GetStack:
1365         case StoreBarrier:
1366         case GetRegExpObjectLastIndex:
1367         case SetRegExpObjectLastIndex:
1368         case RecordRegExpCachedResult:
1369             // These are just nodes that we don't currently expect to see during fixup.
1370             // If we ever wanted to insert them prior to fixup, then we just have to create
1371             // fixup rules for them.
1372             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1373             break;
1374         
1375         case PutGlobalVariable: {
1376             fixEdge<CellUse>(node->child1());
1377             speculateForBarrier(node->child2());
1378             break;
1379         }
1380
1381         case IsString:
1382             if (node->child1()->shouldSpeculateString()) {
1383                 m_insertionSet.insertNode(
1384                     m_indexInBlock, SpecNone, Check, node->origin,
1385                     Edge(node->child1().node(), StringUse));
1386                 m_graph.convertToConstant(node, jsBoolean(true));
1387                 observeUseKindOnNode<StringUse>(node);
1388             }
1389             break;
1390
1391         case IsObject:
1392             if (node->child1()->shouldSpeculateObject()) {
1393                 m_insertionSet.insertNode(
1394                     m_indexInBlock, SpecNone, Check, node->origin,
1395                     Edge(node->child1().node(), ObjectUse));
1396                 m_graph.convertToConstant(node, jsBoolean(true));
1397                 observeUseKindOnNode<ObjectUse>(node);
1398             }
1399             break;
1400
1401         case GetEnumerableLength: {
1402             fixEdge<CellUse>(node->child1());
1403             break;
1404         }
1405         case HasGenericProperty: {
1406             fixEdge<CellUse>(node->child2());
1407             break;
1408         }
1409         case HasStructureProperty: {
1410             fixEdge<StringUse>(node->child2());
1411             fixEdge<KnownCellUse>(node->child3());
1412             break;
1413         }
1414         case HasIndexedProperty: {
1415             node->setArrayMode(
1416                 node->arrayMode().refine(
1417                     m_graph, node,
1418                     node->child1()->prediction(),
1419                     node->child2()->prediction(),
1420                     SpecNone));
1421             
1422             blessArrayOperation(node->child1(), node->child2(), node->child3());
1423             fixEdge<CellUse>(node->child1());
1424             fixEdge<KnownInt32Use>(node->child2());
1425             break;
1426         }
1427         case GetDirectPname: {
1428             Edge& base = m_graph.varArgChild(node, 0);
1429             Edge& property = m_graph.varArgChild(node, 1);
1430             Edge& index = m_graph.varArgChild(node, 2);
1431             Edge& enumerator = m_graph.varArgChild(node, 3);
1432             fixEdge<CellUse>(base);
1433             fixEdge<KnownCellUse>(property);
1434             fixEdge<KnownInt32Use>(index);
1435             fixEdge<KnownCellUse>(enumerator);
1436             break;
1437         }
1438         case GetPropertyEnumerator: {
1439             fixEdge<CellUse>(node->child1());
1440             break;
1441         }
1442         case GetEnumeratorStructurePname: {
1443             fixEdge<KnownCellUse>(node->child1());
1444             fixEdge<KnownInt32Use>(node->child2());
1445             break;
1446         }
1447         case GetEnumeratorGenericPname: {
1448             fixEdge<KnownCellUse>(node->child1());
1449             fixEdge<KnownInt32Use>(node->child2());
1450             break;
1451         }
1452         case ToIndexString: {
1453             fixEdge<KnownInt32Use>(node->child1());
1454             break;
1455         }
1456         case ProfileType: {
1457             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1458             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1459             // type T for the instructionTypeSet, the global type set must also have information for type T.
1460             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1461             // in the globalTypeSet would've also succeeded.
1462             // (The other direction does not hold in general).
1463
1464             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1465             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1466             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1467                 if (node->child1()->shouldSpeculateInt32()) {
1468                     fixEdge<Int32Use>(node->child1());
1469                     node->remove();
1470                     break;
1471                 }
1472
1473                 if (enableInt52()) {
1474                     fixEdge<AnyIntUse>(node->child1());
1475                     node->remove();
1476                     break;
1477                 }
1478
1479                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1480             }
1481
1482             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1483                 fixEdge<NumberUse>(node->child1());
1484                 node->remove();
1485             } else if (typeSet->doesTypeConformTo(TypeString)) {
1486                 fixEdge<StringUse>(node->child1());
1487                 node->remove();
1488             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1489                 fixEdge<BooleanUse>(node->child1());
1490                 node->remove();
1491             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1492                 fixEdge<OtherUse>(node->child1());
1493                 node->remove();
1494             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1495                 StructureSet set;
1496                 {
1497                     ConcurrentJITLocker locker(typeSet->m_lock);
1498                     set = typeSet->structureSet(locker);
1499                 }
1500                 if (!set.isEmpty()) {
1501                     fixEdge<CellUse>(node->child1());
1502                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1503                 }
1504             }
1505
1506             break;
1507         }
1508
1509         case CreateScopedArguments:
1510         case CreateActivation:
1511         case NewFunction:
1512         case NewGeneratorFunction: {
1513             fixEdge<CellUse>(node->child1());
1514             break;
1515         }
1516
1517         case SetFunctionName: {
1518             // The first child is guaranteed to be a cell because op_set_function_name is only used
1519             // on a newly instantiated function object (the first child).
1520             fixEdge<KnownCellUse>(node->child1());
1521             fixEdge<UntypedUse>(node->child2());
1522             break;
1523         }
1524
1525         case CreateRest: {
1526             watchHavingABadTime(node);
1527             fixEdge<KnownInt32Use>(node->child1());
1528             break;
1529         }
1530
1531         case ResolveScope:
1532         case GetDynamicVar:
1533         case PutDynamicVar: {
1534             fixEdge<KnownCellUse>(node->child1());
1535             break;
1536         }
1537
1538         case LogShadowChickenPrologue: {
1539             fixEdge<KnownCellUse>(node->child1());
1540             break;
1541         }
1542         case LogShadowChickenTail: {
1543             fixEdge<UntypedUse>(node->child1());
1544             fixEdge<KnownCellUse>(node->child2());
1545             break;
1546         }
1547
1548 #if !ASSERT_DISABLED
1549         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
1550         case SetArgument:
1551         case JSConstant:
1552         case LazyJSConstant:
1553         case DoubleConstant:
1554         case GetLocal:
1555         case GetCallee:
1556         case GetArgumentCountIncludingThis:
1557         case GetRestLength:
1558         case Flush:
1559         case PhantomLocal:
1560         case GetLocalUnlinked:
1561         case GetGlobalVar:
1562         case GetGlobalLexicalVariable:
1563         case NotifyWrite:
1564         case Call:
1565         case CheckTypeInfoFlags:
1566         case TailCallInlinedCaller:
1567         case Construct:
1568         case CallVarargs:
1569         case CallEval:
1570         case TailCallVarargsInlinedCaller:
1571         case ConstructVarargs:
1572         case CallForwardVarargs:
1573         case ConstructForwardVarargs:
1574         case TailCallForwardVarargs:
1575         case TailCallForwardVarargsInlinedCaller:
1576         case LoadVarargs:
1577         case ForwardVarargs:
1578         case ProfileControlFlow:
1579         case NewObject:
1580         case NewArrayBuffer:
1581         case NewRegexp:
1582         case DeleteById:
1583         case DeleteByVal:
1584         case IsJSArray:
1585         case IsTypedArrayView:
1586         case IsEmpty:
1587         case IsUndefined:
1588         case IsBoolean:
1589         case IsNumber:
1590         case IsObjectOrNull:
1591         case IsFunction:
1592         case IsRegExpObject:
1593         case CreateDirectArguments:
1594         case CreateClonedArguments:
1595         case Jump:
1596         case Return:
1597         case TailCall:
1598         case TailCallVarargs:
1599         case Throw:
1600         case ThrowReferenceError:
1601         case CountExecution:
1602         case ForceOSRExit:
1603         case CheckBadCell:
1604         case CheckNotEmpty:
1605         case CheckWatchdogTimer:
1606         case Unreachable:
1607         case ExtractOSREntryLocal:
1608         case LoopHint:
1609         case MovHint:
1610         case ZombieHint:
1611         case ExitOK:
1612         case BottomValue:
1613         case TypeOf:
1614         case GetByIdWithThis:
1615         case PutByIdWithThis:
1616         case PutByValWithThis:
1617         case GetByValWithThis:
1618         case CompareEqPtr:
1619             break;
1620             
1621             break;
1622 #else
1623         default:
1624             break;
1625 #endif
1626         }
1627     }
1628
1629     void watchHavingABadTime(Node* node)
1630     {
1631         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1632
1633         // If this global object is not having a bad time, watch it. We go down this path anytime the code
1634         // does an array allocation. The types of array allocations may change if we start to have a bad
1635         // time. It's easier to reason about this if we know that whenever the types change after we start
1636         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
1637         // prior to this point nobody should have been doing optimizations based on the indexing type of
1638         // the allocation.
1639         if (!globalObject->isHavingABadTime())
1640             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
1641     }
1642     
1643     template<UseKind useKind>
1644     void createToString(Node* node, Edge& edge)
1645     {
1646         edge.setNode(m_insertionSet.insertNode(
1647             m_indexInBlock, SpecString, ToString, node->origin,
1648             Edge(edge.node(), useKind)));
1649     }
1650     
1651     template<UseKind useKind>
1652     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
1653     {
1654         ASSERT(arrayMode == ArrayMode(Array::Generic));
1655         
1656         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
1657             return;
1658         
1659         createToString<useKind>(node, node->child1());
1660         arrayMode = ArrayMode(Array::String);
1661     }
1662     
1663     template<UseKind useKind>
1664     bool isStringObjectUse()
1665     {
1666         switch (useKind) {
1667         case StringObjectUse:
1668         case StringOrStringObjectUse:
1669             return true;
1670         default:
1671             return false;
1672         }
1673     }
1674     
1675     template<UseKind useKind>
1676     void convertStringAddUse(Node* node, Edge& edge)
1677     {
1678         if (useKind == StringUse) {
1679             observeUseKindOnNode<StringUse>(edge.node());
1680             m_insertionSet.insertNode(
1681                 m_indexInBlock, SpecNone, Check, node->origin,
1682                 Edge(edge.node(), StringUse));
1683             edge.setUseKind(KnownStringUse);
1684             return;
1685         }
1686         
1687         observeUseKindOnNode<useKind>(edge.node());
1688         createToString<useKind>(node, edge);
1689     }
1690     
1691     void convertToMakeRope(Node* node)
1692     {
1693         node->setOpAndDefaultFlags(MakeRope);
1694         fixupMakeRope(node);
1695     }
1696     
1697     void fixupMakeRope(Node* node)
1698     {
1699         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
1700             Edge& edge = node->children.child(i);
1701             if (!edge)
1702                 break;
1703             edge.setUseKind(KnownStringUse);
1704             JSString* string = edge->dynamicCastConstant<JSString*>();
1705             if (!string)
1706                 continue;
1707             if (string->length())
1708                 continue;
1709             
1710             // Don't allow the MakeRope to have zero children.
1711             if (!i && !node->child2())
1712                 break;
1713             
1714             node->children.removeEdge(i--);
1715         }
1716         
1717         if (!node->child2()) {
1718             ASSERT(!node->child3());
1719             node->convertToIdentity();
1720         }
1721     }
1722
1723     void fixupToThis(Node* node)
1724     {
1725         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
1726
1727         if (ecmaMode == StrictMode) {
1728             if (node->child1()->shouldSpeculateBoolean()) {
1729                 fixEdge<BooleanUse>(node->child1());
1730                 node->convertToIdentity();
1731                 return;
1732             }
1733
1734             if (node->child1()->shouldSpeculateInt32()) {
1735                 fixEdge<Int32Use>(node->child1());
1736                 node->convertToIdentity();
1737                 return;
1738             }
1739
1740             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1741                 fixEdge<Int52RepUse>(node->child1());
1742                 node->convertToIdentity();
1743                 node->setResult(NodeResultInt52);
1744                 return;
1745             }
1746
1747             if (node->child1()->shouldSpeculateNumber()) {
1748                 fixEdge<DoubleRepUse>(node->child1());
1749                 node->convertToIdentity();
1750                 node->setResult(NodeResultDouble);
1751                 return;
1752             }
1753
1754             if (node->child1()->shouldSpeculateSymbol()) {
1755                 fixEdge<SymbolUse>(node->child1());
1756                 node->convertToIdentity();
1757                 return;
1758             }
1759
1760             if (node->child1()->shouldSpeculateStringIdent()) {
1761                 fixEdge<StringIdentUse>(node->child1());
1762                 node->convertToIdentity();
1763                 return;
1764             }
1765
1766             if (node->child1()->shouldSpeculateString()) {
1767                 fixEdge<StringUse>(node->child1());
1768                 node->convertToIdentity();
1769                 return;
1770             }
1771         }
1772
1773         if (node->child1()->shouldSpeculateOther()) {
1774             if (ecmaMode == StrictMode) {
1775                 fixEdge<OtherUse>(node->child1());
1776                 node->convertToIdentity();
1777                 return;
1778             }
1779
1780             m_insertionSet.insertNode(
1781                 m_indexInBlock, SpecNone, Check, node->origin,
1782                 Edge(node->child1().node(), OtherUse));
1783             observeUseKindOnNode<OtherUse>(node->child1().node());
1784             m_graph.convertToConstant(
1785                 node, m_graph.globalThisObjectFor(node->origin.semantic));
1786             return;
1787         }
1788
1789         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
1790         // however, since we cover all the missing cases in constant folding.
1791         // https://bugs.webkit.org/show_bug.cgi?id=157213
1792         if (node->child1()->shouldSpeculateStringObject()) {
1793             fixEdge<StringObjectUse>(node->child1());
1794             node->convertToIdentity();
1795             return;
1796         }
1797
1798         if (isFinalObjectSpeculation(node->child1()->prediction())) {
1799             fixEdge<FinalObjectUse>(node->child1());
1800             node->convertToIdentity();
1801             return;
1802         }
1803     }
1804     
1805     void fixupToPrimitive(Node* node)
1806     {
1807         if (node->child1()->shouldSpeculateInt32()) {
1808             fixEdge<Int32Use>(node->child1());
1809             node->convertToIdentity();
1810             return;
1811         }
1812         
1813         if (node->child1()->shouldSpeculateString()) {
1814             fixEdge<StringUse>(node->child1());
1815             node->convertToIdentity();
1816             return;
1817         }
1818         
1819         if (node->child1()->shouldSpeculateStringObject()
1820             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1821             fixEdge<StringObjectUse>(node->child1());
1822             node->convertToToString();
1823             return;
1824         }
1825         
1826         if (node->child1()->shouldSpeculateStringOrStringObject()
1827             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1828             fixEdge<StringOrStringObjectUse>(node->child1());
1829             node->convertToToString();
1830             return;
1831         }
1832     }
1833
1834     void fixupToNumber(Node* node)
1835     {
1836         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
1837         if (node->child1()->shouldSpeculateNumber()) {
1838             if (isInt32Speculation(node->getHeapPrediction())) {
1839                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
1840                 if (node->child1()->shouldSpeculateInt32()) {
1841                     fixEdge<Int32Use>(node->child1());
1842                     node->convertToIdentity();
1843                     return;
1844                 }
1845
1846                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
1847                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
1848                 fixEdge<DoubleRepUse>(node->child1());
1849                 node->setOp(DoubleAsInt32);
1850                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
1851                     node->setArithMode(Arith::CheckOverflow);
1852                 else
1853                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
1854                 return;
1855             }
1856
1857             fixEdge<DoubleRepUse>(node->child1());
1858             node->convertToIdentity();
1859             node->setResult(NodeResultDouble);
1860             return;
1861         }
1862
1863         fixEdge<UntypedUse>(node->child1());
1864         node->setResult(NodeResultJS);
1865     }
1866     
1867     void fixupToStringOrCallStringConstructor(Node* node)
1868     {
1869         if (node->child1()->shouldSpeculateString()) {
1870             fixEdge<StringUse>(node->child1());
1871             node->convertToIdentity();
1872             return;
1873         }
1874         
1875         if (node->child1()->shouldSpeculateStringObject()
1876             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1877             fixEdge<StringObjectUse>(node->child1());
1878             return;
1879         }
1880         
1881         if (node->child1()->shouldSpeculateStringOrStringObject()
1882             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1883             fixEdge<StringOrStringObjectUse>(node->child1());
1884             return;
1885         }
1886         
1887         if (node->child1()->shouldSpeculateCell()) {
1888             fixEdge<CellUse>(node->child1());
1889             return;
1890         }
1891     }
1892
1893     bool attemptToMakeFastStringAdd(Node* node)
1894     {
1895         bool goodToGo = true;
1896         m_graph.doToChildren(
1897             node,
1898             [&] (Edge& edge) {
1899                 if (edge->shouldSpeculateString())
1900                     return;
1901                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1902                     if (edge->shouldSpeculateStringObject())
1903                         return;
1904                     if (edge->shouldSpeculateStringOrStringObject())
1905                         return;
1906                 }
1907                 goodToGo = false;
1908             });
1909         if (!goodToGo)
1910             return false;
1911
1912         m_graph.doToChildren(
1913             node,
1914             [&] (Edge& edge) {
1915                 if (edge->shouldSpeculateString()) {
1916                     convertStringAddUse<StringUse>(node, edge);
1917                     return;
1918                 }
1919                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
1920                 if (edge->shouldSpeculateStringObject()) {
1921                     convertStringAddUse<StringObjectUse>(node, edge);
1922                     return;
1923                 }
1924                 if (edge->shouldSpeculateStringOrStringObject()) {
1925                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
1926                     return;
1927                 }
1928                 RELEASE_ASSERT_NOT_REACHED();
1929             });
1930         
1931         convertToMakeRope(node);
1932         return true;
1933     }
1934
1935     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
1936     {
1937         if (!block)
1938             return;
1939         ASSERT(block->isReachable);
1940         m_block = block;
1941         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
1942             Node* node = m_currentNode = block->at(m_indexInBlock);
1943             if (node->op() != SetLocal && node->op() != GetLocal)
1944                 continue;
1945             
1946             VariableAccessData* variable = node->variableAccessData();
1947             switch (node->op()) {
1948             case GetLocal:
1949                 switch (variable->flushFormat()) {
1950                 case FlushedDouble:
1951                     node->setResult(NodeResultDouble);
1952                     break;
1953                 case FlushedInt52:
1954                     node->setResult(NodeResultInt52);
1955                     break;
1956                 default:
1957                     break;
1958                 }
1959                 break;
1960                 
1961             case SetLocal:
1962                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
1963                 // add new type checking use kind for SetLocals, we need to modify that code as well.
1964                 
1965                 switch (variable->flushFormat()) {
1966                 case FlushedJSValue:
1967                     break;
1968                 case FlushedDouble:
1969                     fixEdge<DoubleRepUse>(node->child1());
1970                     break;
1971                 case FlushedInt32:
1972                     fixEdge<Int32Use>(node->child1());
1973                     break;
1974                 case FlushedInt52:
1975                     fixEdge<Int52RepUse>(node->child1());
1976                     break;
1977                 case FlushedCell:
1978                     fixEdge<CellUse>(node->child1());
1979                     break;
1980                 case FlushedBoolean:
1981                     fixEdge<BooleanUse>(node->child1());
1982                     break;
1983                 default:
1984                     RELEASE_ASSERT_NOT_REACHED();
1985                     break;
1986                 }
1987                 break;
1988                 
1989             default:
1990                 RELEASE_ASSERT_NOT_REACHED();
1991                 break;
1992             }
1993         }
1994         m_insertionSet.execute(block);
1995     }
1996     
1997     void addStringReplacePrimordialChecks(Node* searchRegExp)
1998     {
1999         Node* node = m_currentNode;
2000
2001         // Check that structure of searchRegExp is RegExp object
2002         m_insertionSet.insertNode(
2003             m_indexInBlock, SpecNone, Check, node->origin,
2004             Edge(searchRegExp, RegExpObjectUse));
2005
2006         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2007             unsigned index = m_graph.identifiers().ensure(propertyUID);
2008
2009             Node* actualProperty = m_insertionSet.insertNode(
2010                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2011                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2012
2013             m_insertionSet.insertNode(
2014                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2015                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2016         };
2017
2018         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2019
2020         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2021         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2022         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2023         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2024         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2025         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2026         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2027         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2028     }
2029
2030     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2031     {
2032         ASSERT(arrayMode.isSpecific());
2033         
2034         if (arrayMode.type() == Array::String) {
2035             m_insertionSet.insertNode(
2036                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2037         } else {
2038             // Note that we only need to be using a structure check if we opt for SaneChain, since
2039             // that needs to protect against JSArray's __proto__ being changed.
2040             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2041         
2042             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2043             
2044             if (arrayMode.doesConversion()) {
2045                 if (structure) {
2046                     m_insertionSet.insertNode(
2047                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2048                         OpInfo(structure), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2049                 } else {
2050                     m_insertionSet.insertNode(
2051                         m_indexInBlock, SpecNone, Arrayify, origin,
2052                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2053                 }
2054             } else {
2055                 if (structure) {
2056                     m_insertionSet.insertNode(
2057                         m_indexInBlock, SpecNone, CheckStructure, origin,
2058                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2059                 } else {
2060                     m_insertionSet.insertNode(
2061                         m_indexInBlock, SpecNone, CheckArray, origin,
2062                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2063                 }
2064             }
2065         }
2066         
2067         if (!storageCheck(arrayMode))
2068             return 0;
2069         
2070         if (arrayMode.usesButterfly()) {
2071             return m_insertionSet.insertNode(
2072                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2073         }
2074         
2075         return m_insertionSet.insertNode(
2076             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2077             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2078     }
2079     
2080     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2081     {
2082         Node* node = m_currentNode;
2083         
2084         switch (node->arrayMode().type()) {
2085         case Array::ForceExit: {
2086             m_insertionSet.insertNode(
2087                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2088             return;
2089         }
2090             
2091         case Array::SelectUsingPredictions:
2092         case Array::Unprofiled:
2093             RELEASE_ASSERT_NOT_REACHED();
2094             return;
2095             
2096         case Array::Generic:
2097             return;
2098             
2099         default: {
2100             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2101             if (!storage)
2102                 return;
2103             
2104             storageChild = Edge(storage);
2105             return;
2106         } }
2107     }
2108     
2109     bool alwaysUnboxSimplePrimitives()
2110     {
2111 #if USE(JSVALUE64)
2112         return false;
2113 #else
2114         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2115         // reduces traffic.
2116         return true;
2117 #endif
2118     }
2119
2120     template<UseKind useKind>
2121     void observeUseKindOnNode(Node* node)
2122     {
2123         if (useKind == UntypedUse)
2124             return;
2125         observeUseKindOnNode(node, useKind);
2126     }
2127
2128     void observeUseKindOnEdge(Edge edge)
2129     {
2130         observeUseKindOnNode(edge.node(), edge.useKind());
2131     }
2132
2133     void observeUseKindOnNode(Node* node, UseKind useKind)
2134     {
2135         if (node->op() != GetLocal)
2136             return;
2137         
2138         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2139         // https://bugs.webkit.org/show_bug.cgi?id=121518
2140         
2141         VariableAccessData* variable = node->variableAccessData();
2142         switch (useKind) {
2143         case Int32Use:
2144         case KnownInt32Use:
2145             if (alwaysUnboxSimplePrimitives()
2146                 || isInt32Speculation(variable->prediction()))
2147                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2148             break;
2149         case NumberUse:
2150         case RealNumberUse:
2151         case DoubleRepUse:
2152         case DoubleRepRealUse:
2153             if (variable->doubleFormatState() == UsingDoubleFormat)
2154                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2155             break;
2156         case BooleanUse:
2157         case KnownBooleanUse:
2158             if (alwaysUnboxSimplePrimitives()
2159                 || isBooleanSpeculation(variable->prediction()))
2160                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2161             break;
2162         case Int52RepUse:
2163             if (isAnyIntSpeculation(variable->prediction()))
2164                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2165             break;
2166         case CellUse:
2167         case KnownCellUse:
2168         case ObjectUse:
2169         case FunctionUse:
2170         case StringUse:
2171         case KnownStringUse:
2172         case SymbolUse:
2173         case StringObjectUse:
2174         case StringOrStringObjectUse:
2175             if (alwaysUnboxSimplePrimitives()
2176                 || isCellSpeculation(variable->prediction()))
2177                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2178             break;
2179         default:
2180             break;
2181         }
2182     }
2183     
2184     template<UseKind useKind>
2185     void fixEdge(Edge& edge)
2186     {
2187         observeUseKindOnNode<useKind>(edge.node());
2188         edge.setUseKind(useKind);
2189     }
2190     
2191     void speculateForBarrier(Edge value)
2192     {
2193         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2194         // the DFG anyway because if such a speculation would be wrong, we want to know before
2195         // we do an expensive compile.
2196         
2197         if (value->shouldSpeculateInt32()) {
2198             insertCheck<Int32Use>(m_indexInBlock, value.node());
2199             return;
2200         }
2201             
2202         if (value->shouldSpeculateBoolean()) {
2203             insertCheck<BooleanUse>(m_indexInBlock, value.node());
2204             return;
2205         }
2206             
2207         if (value->shouldSpeculateOther()) {
2208             insertCheck<OtherUse>(m_indexInBlock, value.node());
2209             return;
2210         }
2211             
2212         if (value->shouldSpeculateNumber()) {
2213             insertCheck<NumberUse>(m_indexInBlock, value.node());
2214             return;
2215         }
2216             
2217         if (value->shouldSpeculateNotCell()) {
2218             insertCheck<NotCellUse>(m_indexInBlock, value.node());
2219             return;
2220         }
2221     }
2222     
2223     template<UseKind useKind>
2224     void insertCheck(unsigned indexInBlock, Node* node)
2225     {
2226         observeUseKindOnNode<useKind>(node);
2227         m_insertionSet.insertNode(
2228             indexInBlock, SpecNone, Check, m_currentNode->origin, Edge(node, useKind));
2229     }
2230
2231     void fixIntConvertingEdge(Edge& edge)
2232     {
2233         Node* node = edge.node();
2234         if (node->shouldSpeculateInt32OrBoolean()) {
2235             fixIntOrBooleanEdge(edge);
2236             return;
2237         }
2238         
2239         UseKind useKind;
2240         if (node->shouldSpeculateAnyInt())
2241             useKind = Int52RepUse;
2242         else if (node->shouldSpeculateNumber())
2243             useKind = DoubleRepUse;
2244         else
2245             useKind = NotCellUse;
2246         Node* newNode = m_insertionSet.insertNode(
2247             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
2248             Edge(node, useKind));
2249         observeUseKindOnNode(node, useKind);
2250         
2251         edge = Edge(newNode, KnownInt32Use);
2252     }
2253     
2254     void fixIntOrBooleanEdge(Edge& edge)
2255     {
2256         Node* node = edge.node();
2257         if (!node->sawBooleans()) {
2258             fixEdge<Int32Use>(edge);
2259             return;
2260         }
2261         
2262         UseKind useKind;
2263         if (node->shouldSpeculateBoolean())
2264             useKind = BooleanUse;
2265         else
2266             useKind = UntypedUse;
2267         Node* newNode = m_insertionSet.insertNode(
2268             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2269             Edge(node, useKind));
2270         observeUseKindOnNode(node, useKind);
2271         
2272         edge = Edge(newNode, Int32Use);
2273     }
2274     
2275     void fixDoubleOrBooleanEdge(Edge& edge)
2276     {
2277         Node* node = edge.node();
2278         if (!node->sawBooleans()) {
2279             fixEdge<DoubleRepUse>(edge);
2280             return;
2281         }
2282         
2283         UseKind useKind;
2284         if (node->shouldSpeculateBoolean())
2285             useKind = BooleanUse;
2286         else
2287             useKind = UntypedUse;
2288         Node* newNode = m_insertionSet.insertNode(
2289             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2290             Edge(node, useKind));
2291         observeUseKindOnNode(node, useKind);
2292         
2293         edge = Edge(newNode, DoubleRepUse);
2294     }
2295     
2296     void truncateConstantToInt32(Edge& edge)
2297     {
2298         Node* oldNode = edge.node();
2299         
2300         JSValue value = oldNode->asJSValue();
2301         if (value.isInt32())
2302             return;
2303         
2304         value = jsNumber(JSC::toInt32(value.asNumber()));
2305         ASSERT(value.isInt32());
2306         edge.setNode(m_insertionSet.insertNode(
2307             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
2308             OpInfo(m_graph.freeze(value))));
2309     }
2310     
2311     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
2312     {
2313         if (mode != SpeculateInt32AndTruncateConstants)
2314             return;
2315         
2316         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
2317         if (node->child1()->hasConstant())
2318             truncateConstantToInt32(node->child1());
2319         else
2320             truncateConstantToInt32(node->child2());
2321     }
2322     
2323     bool attemptToMakeIntegerAdd(Node* node)
2324     {
2325         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
2326         if (mode != DontSpeculateInt32) {
2327             truncateConstantsIfNecessary(node, mode);
2328             fixIntOrBooleanEdge(node->child1());
2329             fixIntOrBooleanEdge(node->child2());
2330             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
2331                 node->setArithMode(Arith::Unchecked);
2332             else
2333                 node->setArithMode(Arith::CheckOverflow);
2334             return true;
2335         }
2336         
2337         if (m_graph.addShouldSpeculateAnyInt(node)) {
2338             fixEdge<Int52RepUse>(node->child1());
2339             fixEdge<Int52RepUse>(node->child2());
2340             node->setArithMode(Arith::CheckOverflow);
2341             node->setResult(NodeResultInt52);
2342             return true;
2343         }
2344         
2345         return false;
2346     }
2347     
2348     bool attemptToMakeGetArrayLength(Node* node)
2349     {
2350         if (!isInt32Speculation(node->prediction()))
2351             return false;
2352         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
2353         ArrayProfile* arrayProfile = 
2354             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
2355         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
2356         if (arrayProfile) {
2357             ConcurrentJITLocker locker(profiledBlock->m_lock);
2358             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
2359             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
2360             if (arrayMode.type() == Array::Unprofiled) {
2361                 // For normal array operations, it makes sense to treat Unprofiled
2362                 // accesses as ForceExit and get more data rather than using
2363                 // predictions and then possibly ending up with a Generic. But here,
2364                 // we treat anything that is Unprofiled as Generic and keep the
2365                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
2366                 // profit - from treating the Unprofiled case as
2367                 // SelectUsingPredictions.
2368                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
2369             }
2370         }
2371             
2372         arrayMode = arrayMode.refine(
2373             m_graph, node, node->child1()->prediction(), node->prediction());
2374             
2375         if (arrayMode.type() == Array::Generic) {
2376             // Check if the input is something that we can't get array length for, but for which we
2377             // could insert some conversions in order to transform it into something that we can do it
2378             // for.
2379             if (node->child1()->shouldSpeculateStringObject())
2380                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
2381             else if (node->child1()->shouldSpeculateStringOrStringObject())
2382                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
2383         }
2384             
2385         if (!arrayMode.supportsSelfLength())
2386             return false;
2387         
2388         convertToGetArrayLength(node, arrayMode);
2389         return true;
2390     }
2391
2392     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
2393     {
2394         node->setOp(GetArrayLength);
2395         node->clearFlags(NodeMustGenerate);
2396         fixEdge<KnownCellUse>(node->child1());
2397         node->setArrayMode(arrayMode);
2398             
2399         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
2400         if (!storage)
2401             return;
2402             
2403         node->child2() = Edge(storage);
2404     }
2405     
2406     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
2407     {
2408         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
2409         return m_insertionSet.insertNode(
2410             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
2411             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
2412     }
2413     
2414     void fixupChecksInBlock(BasicBlock* block)
2415     {
2416         if (!block)
2417             return;
2418         ASSERT(block->isReachable);
2419         m_block = block;
2420         unsigned indexForChecks = UINT_MAX;
2421         NodeOrigin originForChecks;
2422         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
2423             Node* node = block->at(indexInBlock);
2424
2425             // If this is a node at which we could exit, then save its index. If nodes after this one
2426             // cannot exit, then we will hoist checks to here.
2427             if (node->origin.exitOK) {
2428                 indexForChecks = indexInBlock;
2429                 originForChecks = node->origin;
2430             }
2431
2432             originForChecks = originForChecks.withSemantic(node->origin.semantic);
2433
2434             // First, try to relax the representational demands of each node, in order to have
2435             // fewer conversions.
2436             switch (node->op()) {
2437             case MovHint:
2438             case Check:
2439                 m_graph.doToChildren(
2440                     node,
2441                     [&] (Edge& edge) {
2442                         switch (edge.useKind()) {
2443                         case DoubleRepUse:
2444                         case DoubleRepRealUse:
2445                             if (edge->hasDoubleResult())
2446                                 break;
2447             
2448                             if (edge->hasInt52Result())
2449                                 edge.setUseKind(Int52RepUse);
2450                             else if (edge.useKind() == DoubleRepUse)
2451                                 edge.setUseKind(NumberUse);
2452                             break;
2453             
2454                         case Int52RepUse:
2455                             // Nothing we can really do.
2456                             break;
2457             
2458                         case UntypedUse:
2459                         case NumberUse:
2460                             if (edge->hasDoubleResult())
2461                                 edge.setUseKind(DoubleRepUse);
2462                             else if (edge->hasInt52Result())
2463                                 edge.setUseKind(Int52RepUse);
2464                             break;
2465             
2466                         case RealNumberUse:
2467                             if (edge->hasDoubleResult())
2468                                 edge.setUseKind(DoubleRepRealUse);
2469                             else if (edge->hasInt52Result())
2470                                 edge.setUseKind(Int52RepUse);
2471                             break;
2472             
2473                         default:
2474                             break;
2475                         }
2476                     });
2477                 break;
2478                 
2479             case ValueToInt32:
2480                 if (node->child1().useKind() == DoubleRepUse
2481                     && !node->child1()->hasDoubleResult()) {
2482                     node->child1().setUseKind(NumberUse);
2483                     break;
2484                 }
2485                 break;
2486                 
2487             default:
2488                 break;
2489             }
2490
2491             // Now, insert type conversions if necessary.
2492             m_graph.doToChildren(
2493                 node,
2494                 [&] (Edge& edge) {
2495                     Node* result = nullptr;
2496
2497                     switch (edge.useKind()) {
2498                     case DoubleRepUse:
2499                     case DoubleRepRealUse:
2500                     case DoubleRepAnyIntUse: {
2501                         if (edge->hasDoubleResult())
2502                             break;
2503             
2504                         if (edge->isNumberConstant()) {
2505                             result = m_insertionSet.insertNode(
2506                                 indexForChecks, SpecBytecodeDouble, DoubleConstant, originForChecks,
2507                                 OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber()))));
2508                         } else if (edge->hasInt52Result()) {
2509                             result = m_insertionSet.insertNode(
2510                                 indexForChecks, SpecAnyIntAsDouble, DoubleRep, originForChecks,
2511                                 Edge(edge.node(), Int52RepUse));
2512                         } else {
2513                             UseKind useKind;
2514                             if (edge->shouldSpeculateDoubleReal())
2515                                 useKind = RealNumberUse;
2516                             else if (edge->shouldSpeculateNumber())
2517                                 useKind = NumberUse;
2518                             else
2519                                 useKind = NotCellUse;
2520
2521                             result = m_insertionSet.insertNode(
2522                                 indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks,
2523                                 Edge(edge.node(), useKind));
2524                         }
2525
2526                         edge.setNode(result);
2527                         break;
2528                     }
2529             
2530                     case Int52RepUse: {
2531                         if (edge->hasInt52Result())
2532                             break;
2533             
2534                         if (edge->isAnyIntConstant()) {
2535                             result = m_insertionSet.insertNode(
2536                                 indexForChecks, SpecAnyInt, Int52Constant, originForChecks,
2537                                 OpInfo(edge->constant()));
2538                         } else if (edge->hasDoubleResult()) {
2539                             result = m_insertionSet.insertNode(
2540                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
2541                                 Edge(edge.node(), DoubleRepAnyIntUse));
2542                         } else if (edge->shouldSpeculateInt32ForArithmetic()) {
2543                             result = m_insertionSet.insertNode(
2544                                 indexForChecks, SpecInt32Only, Int52Rep, originForChecks,
2545                                 Edge(edge.node(), Int32Use));
2546                         } else {
2547                             result = m_insertionSet.insertNode(
2548                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
2549                                 Edge(edge.node(), AnyIntUse));
2550                         }
2551
2552                         edge.setNode(result);
2553                         break;
2554                     }
2555
2556                     default: {
2557                         if (!edge->hasDoubleResult() && !edge->hasInt52Result())
2558                             break;
2559             
2560                         if (edge->hasDoubleResult()) {
2561                             result = m_insertionSet.insertNode(
2562                                 indexForChecks, SpecBytecodeDouble, ValueRep, originForChecks,
2563                                 Edge(edge.node(), DoubleRepUse));
2564                         } else {
2565                             result = m_insertionSet.insertNode(
2566                                 indexForChecks, SpecInt32Only | SpecAnyIntAsDouble, ValueRep,
2567                                 originForChecks, Edge(edge.node(), Int52RepUse));
2568                         }
2569
2570                         edge.setNode(result);
2571                         break;
2572                     } }
2573
2574                     // It's remotely possible that this node cannot do type checks, but we now have a
2575                     // type check on this node. We don't have to handle the general form of this
2576                     // problem. It only arises when ByteCodeParser emits an immediate SetLocal, rather
2577                     // than a delayed one. So, we only worry about those checks that we may have put on
2578                     // a SetLocal. Note that "indexForChecks != indexInBlock" is just another way of
2579                     // saying "!node->origin.exitOK".
2580                     if (indexForChecks != indexInBlock && mayHaveTypeCheck(edge.useKind())) {
2581                         UseKind knownUseKind;
2582                         
2583                         switch (edge.useKind()) {
2584                         case Int32Use:
2585                             knownUseKind = KnownInt32Use;
2586                             break;
2587                         case CellUse:
2588                             knownUseKind = KnownCellUse;
2589                             break;
2590                         case BooleanUse:
2591                             knownUseKind = KnownBooleanUse;
2592                             break;
2593                         default:
2594                             // This can only arise if we have a Check node, and in that case, we can
2595                             // just remove the original check.
2596                             DFG_ASSERT(m_graph, node, node->op() == Check);
2597                             knownUseKind = UntypedUse;
2598                             break;
2599                         }
2600
2601                         m_insertionSet.insertNode(
2602                             indexForChecks, SpecNone, Check, originForChecks, edge);
2603
2604                         edge.setUseKind(knownUseKind);
2605                     }
2606                 });
2607         }
2608         
2609         m_insertionSet.execute(block);
2610     }
2611     
2612     BasicBlock* m_block;
2613     unsigned m_indexInBlock;
2614     Node* m_currentNode;
2615     InsertionSet m_insertionSet;
2616     bool m_profitabilityChanged;
2617 };
2618     
2619 bool performFixup(Graph& graph)
2620 {
2621     return runPhase<FixupPhase>(graph);
2622 }
2623
2624 } } // namespace JSC::DFG
2625
2626 #endif // ENABLE(DFG_JIT)
2627