[BigInt] Add ValueSub into DFG
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101
102         case ValueSub: {
103             Edge& child1 = node->child1();
104             Edge& child2 = node->child2();
105
106             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
107                 fixEdge<BigIntUse>(child1);
108                 fixEdge<BigIntUse>(child2);
109                 break; 
110             }
111             
112             if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
113                 fixEdge<UntypedUse>(child1);
114                 fixEdge<UntypedUse>(child2);
115                 break;
116             }
117
118             if (attemptToMakeIntegerAdd(node)) {
119                 // FIXME: [DFG] Clear ArithSub when ArithMode is Unchecked
120                 // https://bugs.webkit.org/show_bug.cgi?id=190607
121                 node->setOp(ArithSub);
122                 break;
123             }
124
125             DFG_ASSERT(m_graph, node, Node::shouldSpeculateNumberOrBooleanExpectingDefined(child1.node(), child2.node()));
126             fixDoubleOrBooleanEdge(node->child1());
127             fixDoubleOrBooleanEdge(node->child2());
128             node->setOp(ArithSub);
129             node->setResult(NodeResultDouble);
130
131             break;
132         }
133
134         case ValueBitOr:
135         case ValueBitAnd: {
136             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
137                 fixEdge<BigIntUse>(node->child1());
138                 fixEdge<BigIntUse>(node->child2());
139                 break;
140             }
141
142             fixEdge<UntypedUse>(node->child1());
143             fixEdge<UntypedUse>(node->child2());
144             break;
145         }
146     
147         case ArithBitOr:
148         case ArithBitAnd: {
149             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
150                 fixEdge<UntypedUse>(node->child1());
151                 fixEdge<UntypedUse>(node->child2());
152
153                 switch (op) {
154                 case ArithBitOr:
155                     node->setOpAndDefaultFlags(ValueBitOr);
156                     break;
157                 case ArithBitAnd:
158                     node->setOpAndDefaultFlags(ValueBitAnd);
159                     break;
160                 default:
161                     DFG_CRASH(m_graph, node, "Unexpected node during ArithBit operation fixup");
162                     break;
163                 }
164
165                 break;
166             }
167             fixIntConvertingEdge(node->child1());
168             fixIntConvertingEdge(node->child2());
169             break;
170         }
171
172         case BitXor:
173         case BitRShift:
174         case BitLShift:
175         case BitURShift: {
176             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
177                 fixEdge<UntypedUse>(node->child1());
178                 fixEdge<UntypedUse>(node->child2());
179                 break;
180             }
181             fixIntConvertingEdge(node->child1());
182             fixIntConvertingEdge(node->child2());
183             break;
184         }
185
186         case ArithIMul: {
187             fixIntConvertingEdge(node->child1());
188             fixIntConvertingEdge(node->child2());
189             node->setOp(ArithMul);
190             node->setArithMode(Arith::Unchecked);
191             node->child1().setUseKind(Int32Use);
192             node->child2().setUseKind(Int32Use);
193             break;
194         }
195
196         case ArithClz32: {
197             if (node->child1()->shouldSpeculateNotCell()) {
198                 fixIntConvertingEdge(node->child1());
199                 node->clearFlags(NodeMustGenerate);
200             } else
201                 fixEdge<UntypedUse>(node->child1());
202             break;
203         }
204             
205         case UInt32ToNumber: {
206             fixIntConvertingEdge(node->child1());
207             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
208                 node->convertToIdentity();
209             else if (node->canSpeculateInt32(FixupPass))
210                 node->setArithMode(Arith::CheckOverflow);
211             else {
212                 node->setArithMode(Arith::DoOverflow);
213                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
214             }
215             break;
216         }
217
218         case ValueNegate: {
219             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
220                 node->setOp(ArithNegate);
221                 fixIntOrBooleanEdge(node->child1());
222                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
223                     node->setArithMode(Arith::Unchecked);
224                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
225                     node->setArithMode(Arith::CheckOverflow);
226                 else
227                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
228                 node->setResult(NodeResultInt32);
229                 node->clearFlags(NodeMustGenerate);
230                 break;
231             }
232             
233             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
234                 node->setOp(ArithNegate);
235                 fixEdge<Int52RepUse>(node->child1());
236                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
237                     node->setArithMode(Arith::CheckOverflow);
238                 else
239                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
240                 node->setResult(NodeResultInt52);
241                 node->clearFlags(NodeMustGenerate);
242                 break;
243             }
244             if (node->child1()->shouldSpeculateNotCell()) {
245                 node->setOp(ArithNegate);
246                 fixDoubleOrBooleanEdge(node->child1());
247                 node->setResult(NodeResultDouble);
248                 node->clearFlags(NodeMustGenerate);
249             } else {
250                 fixEdge<UntypedUse>(node->child1());
251                 node->setResult(NodeResultJS);
252             }
253             break;
254         }
255
256         case ValueAdd: {
257             if (attemptToMakeIntegerAdd(node)) {
258                 node->setOp(ArithAdd);
259                 break;
260             }
261             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
262                 fixDoubleOrBooleanEdge(node->child1());
263                 fixDoubleOrBooleanEdge(node->child2());
264                 node->setOp(ArithAdd);
265                 node->setResult(NodeResultDouble);
266                 break;
267             }
268             
269             if (attemptToMakeFastStringAdd(node))
270                 break;
271
272             Edge& child1 = node->child1();
273             Edge& child2 = node->child2();
274             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
275                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
276                     auto convertString = [&](Node* node, Edge& edge) {
277                         if (edge->shouldSpeculateInt32())
278                             convertStringAddUse<Int32Use>(node, edge);
279                         else {
280                             ASSERT(edge->shouldSpeculateString());
281                             convertStringAddUse<StringUse>(node, edge);
282                         }
283                     };
284                     convertString(node, child1);
285                     convertString(node, child2);
286                     convertToMakeRope(node);
287                     break;
288                 }
289             }
290
291             fixEdge<UntypedUse>(child1);
292             fixEdge<UntypedUse>(child2);
293             node->setResult(NodeResultJS);
294             break;
295         }
296
297         case StrCat: {
298             if (attemptToMakeFastStringAdd(node))
299                 break;
300
301             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
302             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
303             // the implementation of StrCat doesn't dynamically optimize for empty strings.
304             // https://bugs.webkit.org/show_bug.cgi?id=148540
305             m_graph.doToChildren(
306                 node,
307                 [&] (Edge& edge) {
308                     fixEdge<KnownPrimitiveUse>(edge);
309                     // StrCat automatically coerces the values into strings before concatenating them.
310                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
311                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
312                     // our runtime functions for this slow path expect that they will never be passed
313                     // Symbols.
314                     m_insertionSet.insertNode(
315                         m_indexInBlock, SpecNone, Check, node->origin,
316                         Edge(edge.node(), NotSymbolUse));
317                 });
318             break;
319         }
320             
321         case MakeRope: {
322             fixupMakeRope(node);
323             break;
324         }
325             
326         case ArithAdd:
327         case ArithSub: {
328             // FIXME: [DFG] Clear ArithSub when ArithMode is Unchecked
329             // https://bugs.webkit.org/show_bug.cgi?id=190607
330             if (attemptToMakeIntegerAdd(node))
331                 break;
332             fixDoubleOrBooleanEdge(node->child1());
333             fixDoubleOrBooleanEdge(node->child2());
334             node->setResult(NodeResultDouble);
335             break;
336         }
337             
338         case ArithNegate: {
339             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
340                 fixIntOrBooleanEdge(node->child1());
341                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
342                     node->setArithMode(Arith::Unchecked);
343                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
344                     node->setArithMode(Arith::CheckOverflow);
345                 else
346                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
347                 node->setResult(NodeResultInt32);
348                 node->clearFlags(NodeMustGenerate);
349                 break;
350             }
351             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
352                 fixEdge<Int52RepUse>(node->child1());
353                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
354                     node->setArithMode(Arith::CheckOverflow);
355                 else
356                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
357                 node->setResult(NodeResultInt52);
358                 node->clearFlags(NodeMustGenerate);
359                 break;
360             }
361
362             fixDoubleOrBooleanEdge(node->child1());
363             node->setResult(NodeResultDouble);
364             node->clearFlags(NodeMustGenerate);
365             break;
366         }
367             
368         case ArithMul: {
369             Edge& leftChild = node->child1();
370             Edge& rightChild = node->child2();
371             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
372                 fixEdge<UntypedUse>(leftChild);
373                 fixEdge<UntypedUse>(rightChild);
374                 node->setResult(NodeResultJS);
375                 break;
376             }
377             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
378                 fixIntOrBooleanEdge(leftChild);
379                 fixIntOrBooleanEdge(rightChild);
380                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
381                     node->setArithMode(Arith::Unchecked);
382                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
383                     || leftChild.node() == rightChild.node())
384                     node->setArithMode(Arith::CheckOverflow);
385                 else
386                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
387                 break;
388             }
389             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
390                 fixEdge<Int52RepUse>(leftChild);
391                 fixEdge<Int52RepUse>(rightChild);
392                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
393                     || leftChild.node() == rightChild.node())
394                     node->setArithMode(Arith::CheckOverflow);
395                 else
396                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
397                 node->setResult(NodeResultInt52);
398                 break;
399             }
400             fixDoubleOrBooleanEdge(leftChild);
401             fixDoubleOrBooleanEdge(rightChild);
402             node->setResult(NodeResultDouble);
403             break;
404         }
405
406         case ArithDiv:
407         case ArithMod: {
408             Edge& leftChild = node->child1();
409             Edge& rightChild = node->child2();
410             if (op == ArithDiv
411                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
412                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
413                 fixEdge<UntypedUse>(leftChild);
414                 fixEdge<UntypedUse>(rightChild);
415                 node->setResult(NodeResultJS);
416                 break;
417             }
418             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
419                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
420                     fixIntOrBooleanEdge(leftChild);
421                     fixIntOrBooleanEdge(rightChild);
422                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
423                         node->setArithMode(Arith::Unchecked);
424                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
425                         node->setArithMode(Arith::CheckOverflow);
426                     else
427                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
428                     break;
429                 }
430                 
431                 // This will cause conversion nodes to be inserted later.
432                 fixDoubleOrBooleanEdge(leftChild);
433                 fixDoubleOrBooleanEdge(rightChild);
434                 
435                 // We don't need to do ref'ing on the children because we're stealing them from
436                 // the original division.
437                 Node* newDivision = m_insertionSet.insertNode(
438                     m_indexInBlock, SpecBytecodeDouble, *node);
439                 newDivision->setResult(NodeResultDouble);
440                 
441                 node->setOp(DoubleAsInt32);
442                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
443                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
444                     node->setArithMode(Arith::CheckOverflow);
445                 else
446                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
447                 break;
448             }
449             fixDoubleOrBooleanEdge(leftChild);
450             fixDoubleOrBooleanEdge(rightChild);
451             node->setResult(NodeResultDouble);
452             break;
453         }
454             
455         case ArithMin:
456         case ArithMax: {
457             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
458                 fixIntOrBooleanEdge(node->child1());
459                 fixIntOrBooleanEdge(node->child2());
460                 break;
461             }
462             fixDoubleOrBooleanEdge(node->child1());
463             fixDoubleOrBooleanEdge(node->child2());
464             node->setResult(NodeResultDouble);
465             break;
466         }
467             
468         case ArithAbs: {
469             if (node->child1()->shouldSpeculateInt32OrBoolean()
470                 && node->canSpeculateInt32(FixupPass)) {
471                 fixIntOrBooleanEdge(node->child1());
472                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
473                     node->setArithMode(Arith::Unchecked);
474                 else
475                     node->setArithMode(Arith::CheckOverflow);
476                 node->clearFlags(NodeMustGenerate);
477                 node->setResult(NodeResultInt32);
478                 break;
479             }
480
481             if (node->child1()->shouldSpeculateNotCell()) {
482                 fixDoubleOrBooleanEdge(node->child1());
483                 node->clearFlags(NodeMustGenerate);
484             } else
485                 fixEdge<UntypedUse>(node->child1());
486             node->setResult(NodeResultDouble);
487             break;
488         }
489
490         case ArithPow: {
491             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
492                 fixDoubleOrBooleanEdge(node->child1());
493                 fixIntOrBooleanEdge(node->child2());
494                 break;
495             }
496
497             fixDoubleOrBooleanEdge(node->child1());
498             fixDoubleOrBooleanEdge(node->child2());
499             break;
500         }
501
502         case ArithRandom: {
503             node->setResult(NodeResultDouble);
504             break;
505         }
506
507         case ArithRound:
508         case ArithFloor:
509         case ArithCeil:
510         case ArithTrunc: {
511             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
512                 fixIntOrBooleanEdge(node->child1());
513                 insertCheck<Int32Use>(node->child1().node());
514                 node->convertToIdentity();
515                 break;
516             }
517             if (node->child1()->shouldSpeculateNotCell()) {
518                 fixDoubleOrBooleanEdge(node->child1());
519
520                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
521                     node->setResult(NodeResultInt32);
522                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
523                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
524                     else
525                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
526                 } else {
527                     node->setResult(NodeResultDouble);
528                     node->setArithRoundingMode(Arith::RoundingMode::Double);
529                 }
530                 node->clearFlags(NodeMustGenerate);
531             } else
532                 fixEdge<UntypedUse>(node->child1());
533             break;
534         }
535
536         case ArithFRound:
537         case ArithSqrt:
538         case ArithUnary: {
539             Edge& child1 = node->child1();
540             if (child1->shouldSpeculateNotCell()) {
541                 fixDoubleOrBooleanEdge(child1);
542                 node->clearFlags(NodeMustGenerate);
543             } else
544                 fixEdge<UntypedUse>(child1);
545             break;
546         }
547             
548         case LogicalNot: {
549             if (node->child1()->shouldSpeculateBoolean()) {
550                 if (node->child1()->result() == NodeResultBoolean) {
551                     // This is necessary in case we have a bytecode instruction implemented by:
552                     //
553                     // a: CompareEq(...)
554                     // b: LogicalNot(@a)
555                     //
556                     // In that case, CompareEq might have a side-effect. Then, we need to make
557                     // sure that we know that Branch does not exit.
558                     fixEdge<KnownBooleanUse>(node->child1());
559                 } else
560                     fixEdge<BooleanUse>(node->child1());
561             } else if (node->child1()->shouldSpeculateObjectOrOther())
562                 fixEdge<ObjectOrOtherUse>(node->child1());
563             else if (node->child1()->shouldSpeculateInt32OrBoolean())
564                 fixIntOrBooleanEdge(node->child1());
565             else if (node->child1()->shouldSpeculateNumber())
566                 fixEdge<DoubleRepUse>(node->child1());
567             else if (node->child1()->shouldSpeculateString())
568                 fixEdge<StringUse>(node->child1());
569             else if (node->child1()->shouldSpeculateStringOrOther())
570                 fixEdge<StringOrOtherUse>(node->child1());
571             else {
572                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
573                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
574                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
575             }
576             break;
577         }
578
579         case CompareEq:
580         case CompareLess:
581         case CompareLessEq:
582         case CompareGreater:
583         case CompareGreaterEq: {
584             if (node->op() == CompareEq
585                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
586                 fixEdge<BooleanUse>(node->child1());
587                 fixEdge<BooleanUse>(node->child2());
588                 node->clearFlags(NodeMustGenerate);
589                 break;
590             }
591             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
592                 fixIntOrBooleanEdge(node->child1());
593                 fixIntOrBooleanEdge(node->child2());
594                 node->clearFlags(NodeMustGenerate);
595                 break;
596             }
597             if (enableInt52()
598                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
599                 fixEdge<Int52RepUse>(node->child1());
600                 fixEdge<Int52RepUse>(node->child2());
601                 node->clearFlags(NodeMustGenerate);
602                 break;
603             }
604             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
605                 fixDoubleOrBooleanEdge(node->child1());
606                 fixDoubleOrBooleanEdge(node->child2());
607             }
608             if (node->op() != CompareEq
609                 && node->child1()->shouldSpeculateNotCell()
610                 && node->child2()->shouldSpeculateNotCell()) {
611                 if (node->child1()->shouldSpeculateNumberOrBoolean())
612                     fixDoubleOrBooleanEdge(node->child1());
613                 else
614                     fixEdge<DoubleRepUse>(node->child1());
615                 if (node->child2()->shouldSpeculateNumberOrBoolean())
616                     fixDoubleOrBooleanEdge(node->child2());
617                 else
618                     fixEdge<DoubleRepUse>(node->child2());
619                 node->clearFlags(NodeMustGenerate);
620                 break;
621             }
622             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
623                 fixEdge<StringIdentUse>(node->child1());
624                 fixEdge<StringIdentUse>(node->child2());
625                 node->clearFlags(NodeMustGenerate);
626                 break;
627             }
628             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
629                 fixEdge<StringUse>(node->child1());
630                 fixEdge<StringUse>(node->child2());
631                 node->clearFlags(NodeMustGenerate);
632                 break;
633             }
634
635             if (node->op() != CompareEq)
636                 break;
637             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
638                 fixEdge<SymbolUse>(node->child1());
639                 fixEdge<SymbolUse>(node->child2());
640                 node->clearFlags(NodeMustGenerate);
641                 break;
642             }
643             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
644                 fixEdge<ObjectUse>(node->child1());
645                 fixEdge<ObjectUse>(node->child2());
646                 node->clearFlags(NodeMustGenerate);
647                 break;
648             }
649
650             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
651             bool oneArgumentIsUsedAsSpecOther = false;
652             if (node->child1()->isUndefinedOrNullConstant()) {
653                 fixEdge<KnownOtherUse>(node->child1());
654                 oneArgumentIsUsedAsSpecOther = true;
655             } else if (node->child1()->shouldSpeculateOther()) {
656                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
657                     Edge(node->child1().node(), OtherUse));
658                 fixEdge<KnownOtherUse>(node->child1());
659                 oneArgumentIsUsedAsSpecOther = true;
660             }
661             if (node->child2()->isUndefinedOrNullConstant()) {
662                 fixEdge<KnownOtherUse>(node->child2());
663                 oneArgumentIsUsedAsSpecOther = true;
664             } else if (node->child2()->shouldSpeculateOther()) {
665                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
666                     Edge(node->child2().node(), OtherUse));
667                 fixEdge<KnownOtherUse>(node->child2());
668                 oneArgumentIsUsedAsSpecOther = true;
669             }
670             if (oneArgumentIsUsedAsSpecOther) {
671                 node->clearFlags(NodeMustGenerate);
672                 break;
673             }
674
675             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
676                 fixEdge<ObjectUse>(node->child1());
677                 fixEdge<ObjectOrOtherUse>(node->child2());
678                 node->clearFlags(NodeMustGenerate);
679                 break;
680             }
681             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
682                 fixEdge<ObjectOrOtherUse>(node->child1());
683                 fixEdge<ObjectUse>(node->child2());
684                 node->clearFlags(NodeMustGenerate);
685                 break;
686             }
687
688             break;
689         }
690             
691         case CompareStrictEq:
692         case SameValue: {
693             fixupCompareStrictEqAndSameValue(node);
694             break;
695         }
696
697         case StringFromCharCode:
698             if (node->child1()->shouldSpeculateInt32()) {
699                 fixEdge<Int32Use>(node->child1());
700                 node->clearFlags(NodeMustGenerate);
701             } else
702                 fixEdge<UntypedUse>(node->child1());
703             break;
704
705         case StringCharAt:
706         case StringCharCodeAt: {
707             // Currently we have no good way of refining these.
708             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
709             blessArrayOperation(node->child1(), node->child2(), node->child3());
710             fixEdge<KnownCellUse>(node->child1());
711             fixEdge<Int32Use>(node->child2());
712             break;
713         }
714
715         case GetByVal: {
716             if (!node->prediction()) {
717                 m_insertionSet.insertNode(
718                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
719             }
720             
721             node->setArrayMode(
722                 node->arrayMode().refine(
723                     m_graph, node,
724                     m_graph.varArgChild(node, 0)->prediction(),
725                     m_graph.varArgChild(node, 1)->prediction(),
726                     SpecNone));
727             
728             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
729             
730             ArrayMode arrayMode = node->arrayMode();
731             switch (arrayMode.type()) {
732             case Array::Contiguous:
733             case Array::Double:
734                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
735                     // Check if SaneChain will work on a per-type basis. Note that:
736                     //
737                     // 1) We don't want double arrays to sometimes return undefined, since
738                     // that would require a change to the return type and it would pessimise
739                     // things a lot. So, we'd only want to do that if we actually had
740                     // evidence that we could read from a hole. That's pretty annoying.
741                     // Likely the best way to handle that case is with an equivalent of
742                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
743                     // NaN are indistinguishable according to backwards propagation, and just
744                     // use SaneChain in that case. This happens to catch a lot of cases.
745                     //
746                     // 2) We don't want int32 array loads to have to do a hole check just to
747                     // coerce to Undefined, since that would mean twice the checks.
748                     //
749                     // This has two implications. First, we have to do more checks than we'd
750                     // like. It's unfortunate that we have to do the hole check. Second,
751                     // some accesses that hit a hole will now need to take the full-blown
752                     // out-of-bounds slow path. We can fix that with:
753                     // https://bugs.webkit.org/show_bug.cgi?id=144668
754                     
755                     bool canDoSaneChain = false;
756                     switch (arrayMode.type()) {
757                     case Array::Contiguous:
758                         // This is happens to be entirely natural. We already would have
759                         // returned any JSValue, and now we'll return Undefined. We still do
760                         // the check but it doesn't require taking any kind of slow path.
761                         canDoSaneChain = true;
762                         break;
763                         
764                     case Array::Double:
765                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
766                             // Holes look like NaN already, so if the user doesn't care
767                             // about the difference between Undefined and NaN then we can
768                             // do this.
769                             canDoSaneChain = true;
770                         }
771                         break;
772                         
773                     default:
774                         break;
775                     }
776                     
777                     if (canDoSaneChain) {
778                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
779                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
780                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
781                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
782                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
783                             && globalObject->arrayPrototypeChainIsSane()) {
784                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
785                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
786                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
787                         }
788                     }
789                 }
790                 break;
791                 
792             case Array::String:
793                 if ((node->prediction() & ~SpecString)
794                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
795                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
796                 break;
797                 
798             default:
799                 break;
800             }
801             
802             arrayMode = node->arrayMode();
803             switch (arrayMode.type()) {
804             case Array::SelectUsingPredictions:
805             case Array::Unprofiled:
806                 RELEASE_ASSERT_NOT_REACHED();
807                 break;
808             case Array::Generic:
809                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
810                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
811                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
812                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
813                         break;
814                     }
815
816                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
817                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
818                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
819                         break;
820                     }
821                 }
822 #if USE(JSVALUE32_64)
823                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
824 #endif
825                 break;
826             case Array::ForceExit:
827                 break;
828             default:
829                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
830                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
831                 break;
832             }
833             
834             switch (arrayMode.type()) {
835             case Array::Double:
836                 if (!arrayMode.isOutOfBounds())
837                     node->setResult(NodeResultDouble);
838                 break;
839                 
840             case Array::Float32Array:
841             case Array::Float64Array:
842                 node->setResult(NodeResultDouble);
843                 break;
844                 
845             case Array::Uint32Array:
846                 if (node->shouldSpeculateInt32())
847                     break;
848                 if (node->shouldSpeculateAnyInt() && enableInt52())
849                     node->setResult(NodeResultInt52);
850                 else
851                     node->setResult(NodeResultDouble);
852                 break;
853                 
854             default:
855                 break;
856             }
857             
858             break;
859         }
860
861         case PutByValDirect:
862         case PutByVal:
863         case PutByValAlias: {
864             Edge& child1 = m_graph.varArgChild(node, 0);
865             Edge& child2 = m_graph.varArgChild(node, 1);
866             Edge& child3 = m_graph.varArgChild(node, 2);
867
868             node->setArrayMode(
869                 node->arrayMode().refine(
870                     m_graph, node,
871                     child1->prediction(),
872                     child2->prediction(),
873                     child3->prediction()));
874             
875             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
876             
877             switch (node->arrayMode().modeForPut().type()) {
878             case Array::SelectUsingPredictions:
879             case Array::SelectUsingArguments:
880             case Array::Unprofiled:
881             case Array::Undecided:
882                 RELEASE_ASSERT_NOT_REACHED();
883                 break;
884             case Array::ForceExit:
885             case Array::Generic:
886                 if (child1->shouldSpeculateCell()) {
887                     if (child2->shouldSpeculateString()) {
888                         fixEdge<CellUse>(child1);
889                         fixEdge<StringUse>(child2);
890                         break;
891                     }
892
893                     if (child2->shouldSpeculateSymbol()) {
894                         fixEdge<CellUse>(child1);
895                         fixEdge<SymbolUse>(child2);
896                         break;
897                     }
898                 }
899 #if USE(JSVALUE32_64)
900                 // Due to register pressure on 32-bit, we speculate cell and
901                 // ignore the base-is-not-cell case entirely by letting the
902                 // baseline JIT handle it.
903                 fixEdge<CellUse>(child1);
904 #endif
905                 break;
906             case Array::Int32:
907                 fixEdge<KnownCellUse>(child1);
908                 fixEdge<Int32Use>(child2);
909                 fixEdge<Int32Use>(child3);
910                 break;
911             case Array::Double:
912                 fixEdge<KnownCellUse>(child1);
913                 fixEdge<Int32Use>(child2);
914                 fixEdge<DoubleRepRealUse>(child3);
915                 break;
916             case Array::Int8Array:
917             case Array::Int16Array:
918             case Array::Int32Array:
919             case Array::Uint8Array:
920             case Array::Uint8ClampedArray:
921             case Array::Uint16Array:
922             case Array::Uint32Array:
923                 fixEdge<KnownCellUse>(child1);
924                 fixEdge<Int32Use>(child2);
925                 if (child3->shouldSpeculateInt32())
926                     fixIntOrBooleanEdge(child3);
927                 else if (child3->shouldSpeculateAnyInt())
928                     fixEdge<Int52RepUse>(child3);
929                 else
930                     fixDoubleOrBooleanEdge(child3);
931                 break;
932             case Array::Float32Array:
933             case Array::Float64Array:
934                 fixEdge<KnownCellUse>(child1);
935                 fixEdge<Int32Use>(child2);
936                 fixDoubleOrBooleanEdge(child3);
937                 break;
938             case Array::Contiguous:
939             case Array::ArrayStorage:
940             case Array::SlowPutArrayStorage:
941                 fixEdge<KnownCellUse>(child1);
942                 fixEdge<Int32Use>(child2);
943                 speculateForBarrier(child3);
944                 break;
945             default:
946                 fixEdge<KnownCellUse>(child1);
947                 fixEdge<Int32Use>(child2);
948                 break;
949             }
950             break;
951         }
952             
953         case AtomicsAdd:
954         case AtomicsAnd:
955         case AtomicsCompareExchange:
956         case AtomicsExchange:
957         case AtomicsLoad:
958         case AtomicsOr:
959         case AtomicsStore:
960         case AtomicsSub:
961         case AtomicsXor: {
962             Edge& base = m_graph.child(node, 0);
963             Edge& index = m_graph.child(node, 1);
964             
965             bool badNews = false;
966             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
967                 Edge& child = m_graph.child(node, 2 + i);
968                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
969                 // just call the function when that happens. But the FTL is totally cool with those
970                 // conversions.
971                 if (!child->shouldSpeculateInt32()
972                     && !child->shouldSpeculateAnyInt()
973                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
974                     badNews = true;
975             }
976             
977             if (badNews) {
978                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
979                 break;
980             }
981             
982             node->setArrayMode(
983                 node->arrayMode().refine(
984                     m_graph, node, base->prediction(), index->prediction()));
985             
986             if (node->arrayMode().type() == Array::Generic)
987                 break;
988             
989             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
990                 Edge& child = m_graph.child(node, 2 + i);
991                 if (child->shouldSpeculateInt32())
992                     fixIntOrBooleanEdge(child);
993                 else if (child->shouldSpeculateAnyInt())
994                     fixEdge<Int52RepUse>(child);
995                 else {
996                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
997                     fixDoubleOrBooleanEdge(child);
998                 }
999             }
1000             
1001             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
1002             fixEdge<CellUse>(base);
1003             fixEdge<Int32Use>(index);
1004             
1005             if (node->arrayMode().type() == Array::Uint32Array) {
1006                 // NOTE: This means basically always doing Int52.
1007                 if (node->shouldSpeculateAnyInt() && enableInt52())
1008                     node->setResult(NodeResultInt52);
1009                 else
1010                     node->setResult(NodeResultDouble);
1011             }
1012             break;
1013         }
1014             
1015         case AtomicsIsLockFree:
1016             if (node->child1()->shouldSpeculateInt32())
1017                 fixIntOrBooleanEdge(node->child1());
1018             break;
1019             
1020         case ArrayPush: {
1021             // May need to refine the array mode in case the value prediction contravenes
1022             // the array prediction. For example, we may have evidence showing that the
1023             // array is in Int32 mode, but the value we're storing is likely to be a double.
1024             // Then we should turn this into a conversion to Double array followed by the
1025             // push. On the other hand, we absolutely don't want to refine based on the
1026             // base prediction. If it has non-cell garbage in it, then we want that to be
1027             // ignored. That's because ArrayPush can't handle any array modes that aren't
1028             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1029             // that would break things.
1030             Edge& storageEdge = m_graph.varArgChild(node, 0);
1031             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1032             unsigned elementOffset = 2;
1033             unsigned elementCount = node->numChildren() - elementOffset;
1034             for (unsigned i = 0; i < elementCount; ++i) {
1035                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1036                 node->setArrayMode(
1037                     node->arrayMode().refine(
1038                         m_graph, node,
1039                         arrayEdge->prediction() & SpecCell,
1040                         SpecInt32Only,
1041                         element->prediction()));
1042             }
1043             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1044             fixEdge<KnownCellUse>(arrayEdge);
1045
1046             // Convert `array.push()` to GetArrayLength.
1047             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1048                 node->setOpAndDefaultFlags(GetArrayLength);
1049                 node->child1() = arrayEdge;
1050                 node->child2() = storageEdge;
1051                 fixEdge<KnownCellUse>(node->child1());
1052                 break;
1053             }
1054
1055             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1056             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1057             for (unsigned i = 0; i < elementCount; ++i) {
1058                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1059                 switch (node->arrayMode().type()) {
1060                 case Array::Int32:
1061                     insertCheck<Int32Use>(element.node());
1062                     fixEdge<KnownInt32Use>(element);
1063                     break;
1064                 case Array::Double:
1065                     insertCheck<DoubleRepRealUse>(element.node());
1066                     fixEdge<DoubleRepUse>(element);
1067                     break;
1068                 case Array::Contiguous:
1069                 case Array::ArrayStorage:
1070                     speculateForBarrier(element);
1071                     break;
1072                 default:
1073                     break;
1074                 }
1075                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1076             }
1077             break;
1078         }
1079             
1080         case ArrayPop: {
1081             blessArrayOperation(node->child1(), Edge(), node->child2());
1082             fixEdge<KnownCellUse>(node->child1());
1083             break;
1084         }
1085
1086         case ArraySlice: {
1087             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1088             if (node->numChildren() >= 3) {
1089                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1090                 if (node->numChildren() == 4)
1091                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1092             }
1093             break;
1094         }
1095
1096         case ArrayIndexOf:
1097             fixupArrayIndexOf(node);
1098             break;
1099             
1100         case RegExpExec:
1101         case RegExpTest: {
1102             fixEdge<KnownCellUse>(node->child1());
1103             
1104             if (node->child2()->shouldSpeculateRegExpObject()) {
1105                 fixEdge<RegExpObjectUse>(node->child2());
1106
1107                 if (node->child3()->shouldSpeculateString())
1108                     fixEdge<StringUse>(node->child3());
1109             }
1110             break;
1111         }
1112
1113         case RegExpMatchFast: {
1114             fixEdge<KnownCellUse>(node->child1());
1115             fixEdge<RegExpObjectUse>(node->child2());
1116             fixEdge<StringUse>(node->child3());
1117             break;
1118         }
1119
1120         case StringReplace:
1121         case StringReplaceRegExp: {
1122             if (node->child2()->shouldSpeculateString()) {
1123                 m_insertionSet.insertNode(
1124                     m_indexInBlock, SpecNone, Check, node->origin,
1125                     Edge(node->child2().node(), StringUse));
1126                 fixEdge<StringUse>(node->child2());
1127             } else if (op == StringReplace) {
1128                 if (node->child2()->shouldSpeculateRegExpObject())
1129                     addStringReplacePrimordialChecks(node->child2().node());
1130                 else 
1131                     m_insertionSet.insertNode(
1132                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1133             }
1134
1135             if (node->child1()->shouldSpeculateString()
1136                 && node->child2()->shouldSpeculateRegExpObject()
1137                 && node->child3()->shouldSpeculateString()) {
1138
1139                 fixEdge<StringUse>(node->child1());
1140                 fixEdge<RegExpObjectUse>(node->child2());
1141                 fixEdge<StringUse>(node->child3());
1142                 break;
1143             }
1144             break;
1145         }
1146             
1147         case Branch: {
1148             if (node->child1()->shouldSpeculateBoolean()) {
1149                 if (node->child1()->result() == NodeResultBoolean) {
1150                     // This is necessary in case we have a bytecode instruction implemented by:
1151                     //
1152                     // a: CompareEq(...)
1153                     // b: Branch(@a)
1154                     //
1155                     // In that case, CompareEq might have a side-effect. Then, we need to make
1156                     // sure that we know that Branch does not exit.
1157                     fixEdge<KnownBooleanUse>(node->child1());
1158                 } else
1159                     fixEdge<BooleanUse>(node->child1());
1160             } else if (node->child1()->shouldSpeculateObjectOrOther())
1161                 fixEdge<ObjectOrOtherUse>(node->child1());
1162             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1163                 fixIntOrBooleanEdge(node->child1());
1164             else if (node->child1()->shouldSpeculateNumber())
1165                 fixEdge<DoubleRepUse>(node->child1());
1166             else if (node->child1()->shouldSpeculateString())
1167                 fixEdge<StringUse>(node->child1());
1168             else if (node->child1()->shouldSpeculateStringOrOther())
1169                 fixEdge<StringOrOtherUse>(node->child1());
1170             else {
1171                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1172                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1173                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1174             }
1175             break;
1176         }
1177             
1178         case Switch: {
1179             SwitchData* data = node->switchData();
1180             switch (data->kind) {
1181             case SwitchImm:
1182                 if (node->child1()->shouldSpeculateInt32())
1183                     fixEdge<Int32Use>(node->child1());
1184                 break;
1185             case SwitchChar:
1186                 if (node->child1()->shouldSpeculateString())
1187                     fixEdge<StringUse>(node->child1());
1188                 break;
1189             case SwitchString:
1190                 if (node->child1()->shouldSpeculateStringIdent())
1191                     fixEdge<StringIdentUse>(node->child1());
1192                 else if (node->child1()->shouldSpeculateString())
1193                     fixEdge<StringUse>(node->child1());
1194                 break;
1195             case SwitchCell:
1196                 if (node->child1()->shouldSpeculateCell())
1197                     fixEdge<CellUse>(node->child1());
1198                 // else it's fine for this to have UntypedUse; we will handle this by just making
1199                 // non-cells take the default case.
1200                 break;
1201             }
1202             break;
1203         }
1204             
1205         case ToPrimitive: {
1206             fixupToPrimitive(node);
1207             break;
1208         }
1209
1210         case ToNumber: {
1211             fixupToNumber(node);
1212             break;
1213         }
1214             
1215         case ToString:
1216         case CallStringConstructor: {
1217             fixupToStringOrCallStringConstructor(node);
1218             break;
1219         }
1220             
1221         case NewStringObject: {
1222             fixEdge<KnownStringUse>(node->child1());
1223             break;
1224         }
1225
1226         case NewArrayWithSpread: {
1227             watchHavingABadTime(node);
1228             
1229             BitVector* bitVector = node->bitVector();
1230             for (unsigned i = node->numChildren(); i--;) {
1231                 if (bitVector->get(i))
1232                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1233                 else
1234                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1235             }
1236
1237             break;
1238         }
1239
1240         case Spread: {
1241             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1242             
1243             watchHavingABadTime(node->child1().node());
1244
1245             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1246             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1247             // that it doesn't contain any indexed properties, and that any holes will result in
1248             // jsUndefined().
1249             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1250             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1251             if (node->child1()->shouldSpeculateArray()
1252                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1253                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1254                 && globalObject->arrayPrototypeChainIsSane()
1255                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1256                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1257                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1258                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1259                 fixEdge<ArrayUse>(node->child1());
1260             } else
1261                 fixEdge<CellUse>(node->child1());
1262             break;
1263         }
1264             
1265         case NewArray: {
1266             watchHavingABadTime(node);
1267             
1268             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1269                 node->setIndexingType(
1270                     leastUpperBoundOfIndexingTypeAndType(
1271                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1272             }
1273             switch (node->indexingType()) {
1274             case ALL_BLANK_INDEXING_TYPES:
1275                 CRASH();
1276                 break;
1277             case ALL_UNDECIDED_INDEXING_TYPES:
1278                 if (node->numChildren()) {
1279                     // This will only happen if the children have no type predictions. We
1280                     // would have already exited by now, but insert a forced exit just to
1281                     // be safe.
1282                     m_insertionSet.insertNode(
1283                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1284                 }
1285                 break;
1286             case ALL_INT32_INDEXING_TYPES:
1287                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1288                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1289                 break;
1290             case ALL_DOUBLE_INDEXING_TYPES:
1291                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1292                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1293                 break;
1294             case ALL_CONTIGUOUS_INDEXING_TYPES:
1295             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1296                 break;
1297             default:
1298                 CRASH();
1299                 break;
1300             }
1301             break;
1302         }
1303             
1304         case NewTypedArray: {
1305             watchHavingABadTime(node);
1306             
1307             if (node->child1()->shouldSpeculateInt32()) {
1308                 fixEdge<Int32Use>(node->child1());
1309                 node->clearFlags(NodeMustGenerate);
1310                 break;
1311             }
1312             break;
1313         }
1314             
1315         case NewArrayWithSize: {
1316             watchHavingABadTime(node);
1317             fixEdge<Int32Use>(node->child1());
1318             break;
1319         }
1320
1321         case NewArrayBuffer: {
1322             watchHavingABadTime(node);
1323             break;
1324         }
1325
1326         case ToObject: {
1327             fixupToObject(node);
1328             break;
1329         }
1330
1331         case CallObjectConstructor: {
1332             fixupCallObjectConstructor(node);
1333             break;
1334         }
1335
1336         case ToThis: {
1337             fixupToThis(node);
1338             break;
1339         }
1340             
1341         case PutStructure: {
1342             fixEdge<KnownCellUse>(node->child1());
1343             break;
1344         }
1345             
1346         case GetClosureVar:
1347         case GetFromArguments: {
1348             fixEdge<KnownCellUse>(node->child1());
1349             break;
1350         }
1351
1352         case PutClosureVar:
1353         case PutToArguments: {
1354             fixEdge<KnownCellUse>(node->child1());
1355             speculateForBarrier(node->child2());
1356             break;
1357         }
1358
1359         case SkipScope:
1360         case GetScope:
1361         case GetGetter:
1362         case GetSetter:
1363         case GetGlobalObject: {
1364             fixEdge<KnownCellUse>(node->child1());
1365             break;
1366         }
1367             
1368         case AllocatePropertyStorage:
1369         case ReallocatePropertyStorage: {
1370             fixEdge<KnownCellUse>(node->child1());
1371             break;
1372         }
1373             
1374         case NukeStructureAndSetButterfly: {
1375             fixEdge<KnownCellUse>(node->child1());
1376             break;
1377         }
1378
1379         case TryGetById: {
1380             if (node->child1()->shouldSpeculateCell())
1381                 fixEdge<CellUse>(node->child1());
1382             break;
1383         }
1384
1385         case GetByIdDirect:
1386         case GetByIdDirectFlush: {
1387             if (node->child1()->shouldSpeculateCell())
1388                 fixEdge<CellUse>(node->child1());
1389             break;
1390         }
1391
1392         case GetById:
1393         case GetByIdFlush: {
1394             // FIXME: This should be done in the ByteCodeParser based on reading the
1395             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1396             // https://bugs.webkit.org/show_bug.cgi?id=154990
1397             auto uid = m_graph.identifiers()[node->identifierNumber()];
1398             if (node->child1()->shouldSpeculateCellOrOther()
1399                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1400                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1401                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1402                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1403                 
1404                 if (uid == vm().propertyNames->length.impl()) {
1405                     attemptToMakeGetArrayLength(node);
1406                     break;
1407                 }
1408
1409                 if (uid == vm().propertyNames->lastIndex.impl()
1410                     && node->child1()->shouldSpeculateRegExpObject()) {
1411                     node->setOp(GetRegExpObjectLastIndex);
1412                     node->clearFlags(NodeMustGenerate);
1413                     fixEdge<RegExpObjectUse>(node->child1());
1414                     break;
1415                 }
1416             }
1417
1418             if (node->child1()->shouldSpeculateNumber()) {
1419                 if (uid == vm().propertyNames->toString.impl()) {
1420                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1421                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1422                         if (node->child1()->shouldSpeculateInt32()) {
1423                             insertCheck<Int32Use>(node->child1().node());
1424                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1425                             break;
1426                         }
1427
1428                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1429                             insertCheck<Int52RepUse>(node->child1().node());
1430                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1431                             break;
1432                         }
1433
1434                         ASSERT(node->child1()->shouldSpeculateNumber());
1435                         insertCheck<DoubleRepUse>(node->child1().node());
1436                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1437                         break;
1438                     }
1439                 }
1440             }
1441
1442             if (node->child1()->shouldSpeculateCell())
1443                 fixEdge<CellUse>(node->child1());
1444             break;
1445         }
1446         
1447         case GetByIdWithThis: {
1448             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1449                 fixEdge<CellUse>(node->child1());
1450                 fixEdge<CellUse>(node->child2());
1451             }
1452             break;
1453         }
1454
1455         case PutById:
1456         case PutByIdFlush:
1457         case PutByIdDirect: {
1458             if (node->child1()->shouldSpeculateCellOrOther()
1459                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1460                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1461                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1462                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1463                 
1464                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1465                 
1466                 if (uid == vm().propertyNames->lastIndex.impl()
1467                     && node->child1()->shouldSpeculateRegExpObject()) {
1468                     node->convertToSetRegExpObjectLastIndex();
1469                     fixEdge<RegExpObjectUse>(node->child1());
1470                     speculateForBarrier(node->child2());
1471                     break;
1472                 }
1473             }
1474             
1475             fixEdge<CellUse>(node->child1());
1476             break;
1477         }
1478
1479         case PutGetterById:
1480         case PutSetterById: {
1481             fixEdge<KnownCellUse>(node->child1());
1482             fixEdge<KnownCellUse>(node->child2());
1483             break;
1484         }
1485
1486         case PutGetterSetterById: {
1487             fixEdge<KnownCellUse>(node->child1());
1488             break;
1489         }
1490
1491         case PutGetterByVal:
1492         case PutSetterByVal: {
1493             fixEdge<KnownCellUse>(node->child1());
1494             fixEdge<KnownCellUse>(node->child3());
1495             break;
1496         }
1497
1498         case GetExecutable: {
1499             fixEdge<FunctionUse>(node->child1());
1500             break;
1501         }
1502
1503         case OverridesHasInstance:
1504         case CheckStructure:
1505         case CheckCell:
1506         case CreateThis:
1507         case GetButterfly: {
1508             fixEdge<CellUse>(node->child1());
1509             break;
1510         }
1511
1512         case ObjectCreate: {
1513             if (node->child1()->shouldSpeculateObject()) {
1514                 fixEdge<ObjectUse>(node->child1());
1515                 node->clearFlags(NodeMustGenerate);
1516                 break;
1517             }
1518             break;
1519         }
1520
1521         case CheckStringIdent: {
1522             fixEdge<StringIdentUse>(node->child1());
1523             break;
1524         }
1525             
1526         case Arrayify:
1527         case ArrayifyToStructure: {
1528             fixEdge<CellUse>(node->child1());
1529             if (node->child2())
1530                 fixEdge<Int32Use>(node->child2());
1531             break;
1532         }
1533             
1534         case GetByOffset:
1535         case GetGetterSetterByOffset: {
1536             if (!node->child1()->hasStorageResult())
1537                 fixEdge<KnownCellUse>(node->child1());
1538             fixEdge<KnownCellUse>(node->child2());
1539             break;
1540         }
1541             
1542         case MultiGetByOffset: {
1543             fixEdge<CellUse>(node->child1());
1544             break;
1545         }
1546             
1547         case PutByOffset: {
1548             if (!node->child1()->hasStorageResult())
1549                 fixEdge<KnownCellUse>(node->child1());
1550             fixEdge<KnownCellUse>(node->child2());
1551             unsigned index = indexForChecks();
1552             insertInferredTypeCheck(
1553                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1554                 node->storageAccessData().inferredType);
1555             speculateForBarrier(node->child3());
1556             break;
1557         }
1558             
1559         case MultiPutByOffset: {
1560             fixEdge<CellUse>(node->child1());
1561             break;
1562         }
1563             
1564         case MatchStructure: {
1565             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1566             // https://bugs.webkit.org/show_bug.cgi?id=185784
1567             fixEdge<CellUse>(node->child1());
1568             break;
1569         }
1570             
1571         case InstanceOf: {
1572             if (node->child1()->shouldSpeculateCell()
1573                 && node->child2()->shouldSpeculateCell()
1574                 && is64Bit()) {
1575                 fixEdge<CellUse>(node->child1());
1576                 fixEdge<CellUse>(node->child2());
1577                 break;
1578             }
1579             break;
1580         }
1581
1582         case InstanceOfCustom:
1583             fixEdge<CellUse>(node->child2());
1584             break;
1585
1586         case InById: {
1587             fixEdge<CellUse>(node->child1());
1588             break;
1589         }
1590
1591         case InByVal: {
1592             if (node->child2()->shouldSpeculateInt32()) {
1593                 convertToHasIndexedProperty(node);
1594                 break;
1595             }
1596
1597             fixEdge<CellUse>(node->child1());
1598             break;
1599         }
1600
1601         case HasOwnProperty: {
1602             fixEdge<ObjectUse>(node->child1());
1603 #if CPU(X86)
1604             // We don't have enough registers to do anything interesting on x86 and mips.
1605             fixEdge<UntypedUse>(node->child2());
1606 #else
1607             if (node->child2()->shouldSpeculateString())
1608                 fixEdge<StringUse>(node->child2());
1609             else if (node->child2()->shouldSpeculateSymbol())
1610                 fixEdge<SymbolUse>(node->child2());
1611             else
1612                 fixEdge<UntypedUse>(node->child2());
1613 #endif
1614             break;
1615         }
1616
1617         case CheckVarargs:
1618         case Check: {
1619             m_graph.doToChildren(
1620                 node,
1621                 [&] (Edge& edge) {
1622                     switch (edge.useKind()) {
1623                     case NumberUse:
1624                         if (edge->shouldSpeculateInt32ForArithmetic())
1625                             edge.setUseKind(Int32Use);
1626                         break;
1627                     default:
1628                         break;
1629                     }
1630                     observeUseKindOnEdge(edge);
1631                 });
1632             break;
1633         }
1634
1635         case Phantom:
1636             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1637             node->remove(m_graph);
1638             break;
1639
1640         case FiatInt52: {
1641             RELEASE_ASSERT(enableInt52());
1642             node->convertToIdentity();
1643             fixEdge<Int52RepUse>(node->child1());
1644             node->setResult(NodeResultInt52);
1645             break;
1646         }
1647
1648         case GetArrayLength: {
1649             fixEdge<KnownCellUse>(node->child1());
1650             break;
1651         }
1652
1653         case GetTypedArrayByteOffset: {
1654             fixEdge<KnownCellUse>(node->child1());
1655             break;
1656         }
1657
1658         case CompareBelow:
1659         case CompareBelowEq: {
1660             fixEdge<Int32Use>(node->child1());
1661             fixEdge<Int32Use>(node->child2());
1662             break;
1663         }
1664
1665         case GetPrototypeOf: {
1666             fixupGetPrototypeOf(node);
1667             break;
1668         }
1669
1670         case Phi:
1671         case Upsilon:
1672         case EntrySwitch:
1673         case GetIndexedPropertyStorage:
1674         case LastNodeType:
1675         case CheckTierUpInLoop:
1676         case CheckTierUpAtReturn:
1677         case CheckTierUpAndOSREnter:
1678         case CheckArray:
1679         case CheckInBounds:
1680         case ConstantStoragePointer:
1681         case DoubleAsInt32:
1682         case ValueToInt32:
1683         case DoubleRep:
1684         case ValueRep:
1685         case Int52Rep:
1686         case Int52Constant:
1687         case Identity: // This should have been cleaned up.
1688         case BooleanToNumber:
1689         case PhantomNewObject:
1690         case PhantomNewFunction:
1691         case PhantomNewGeneratorFunction:
1692         case PhantomNewAsyncGeneratorFunction:
1693         case PhantomNewAsyncFunction:
1694         case PhantomCreateActivation:
1695         case PhantomDirectArguments:
1696         case PhantomCreateRest:
1697         case PhantomSpread:
1698         case PhantomNewArrayWithSpread:
1699         case PhantomNewArrayBuffer:
1700         case PhantomClonedArguments:
1701         case PhantomNewRegexp:
1702         case GetMyArgumentByVal:
1703         case GetMyArgumentByValOutOfBounds:
1704         case GetVectorLength:
1705         case PutHint:
1706         case CheckStructureImmediate:
1707         case CheckStructureOrEmpty:
1708         case MaterializeNewObject:
1709         case MaterializeCreateActivation:
1710         case PutStack:
1711         case KillStack:
1712         case GetStack:
1713         case StoreBarrier:
1714         case FencedStoreBarrier:
1715         case GetRegExpObjectLastIndex:
1716         case SetRegExpObjectLastIndex:
1717         case RecordRegExpCachedResult:
1718         case RegExpExecNonGlobalOrSticky:
1719         case RegExpMatchFastGlobal:
1720             // These are just nodes that we don't currently expect to see during fixup.
1721             // If we ever wanted to insert them prior to fixup, then we just have to create
1722             // fixup rules for them.
1723             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1724             break;
1725
1726         case PutGlobalVariable: {
1727             fixEdge<CellUse>(node->child1());
1728             speculateForBarrier(node->child2());
1729             break;
1730         }
1731
1732         case IsObject:
1733             if (node->child1()->shouldSpeculateObject()) {
1734                 m_insertionSet.insertNode(
1735                     m_indexInBlock, SpecNone, Check, node->origin,
1736                     Edge(node->child1().node(), ObjectUse));
1737                 m_graph.convertToConstant(node, jsBoolean(true));
1738                 observeUseKindOnNode<ObjectUse>(node);
1739             }
1740             break;
1741
1742         case IsCellWithType: {
1743             fixupIsCellWithType(node);
1744             break;
1745         }
1746
1747         case GetEnumerableLength: {
1748             fixEdge<CellUse>(node->child1());
1749             break;
1750         }
1751         case HasGenericProperty: {
1752             fixEdge<CellUse>(node->child2());
1753             break;
1754         }
1755         case HasStructureProperty: {
1756             fixEdge<StringUse>(node->child2());
1757             fixEdge<KnownCellUse>(node->child3());
1758             break;
1759         }
1760         case HasIndexedProperty: {
1761             node->setArrayMode(
1762                 node->arrayMode().refine(
1763                     m_graph, node,
1764                     node->child1()->prediction(),
1765                     node->child2()->prediction(),
1766                     SpecNone));
1767             
1768             blessArrayOperation(node->child1(), node->child2(), node->child3());
1769             fixEdge<CellUse>(node->child1());
1770             fixEdge<KnownInt32Use>(node->child2());
1771             break;
1772         }
1773         case GetDirectPname: {
1774             Edge& base = m_graph.varArgChild(node, 0);
1775             Edge& property = m_graph.varArgChild(node, 1);
1776             Edge& index = m_graph.varArgChild(node, 2);
1777             Edge& enumerator = m_graph.varArgChild(node, 3);
1778             fixEdge<CellUse>(base);
1779             fixEdge<KnownCellUse>(property);
1780             fixEdge<KnownInt32Use>(index);
1781             fixEdge<KnownCellUse>(enumerator);
1782             break;
1783         }
1784         case GetPropertyEnumerator: {
1785             if (node->child1()->shouldSpeculateCell())
1786                 fixEdge<CellUse>(node->child1());
1787             break;
1788         }
1789         case GetEnumeratorStructurePname: {
1790             fixEdge<KnownCellUse>(node->child1());
1791             fixEdge<KnownInt32Use>(node->child2());
1792             break;
1793         }
1794         case GetEnumeratorGenericPname: {
1795             fixEdge<KnownCellUse>(node->child1());
1796             fixEdge<KnownInt32Use>(node->child2());
1797             break;
1798         }
1799         case ToIndexString: {
1800             fixEdge<KnownInt32Use>(node->child1());
1801             break;
1802         }
1803         case ProfileType: {
1804             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1805             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1806             // type T for the instructionTypeSet, the global type set must also have information for type T.
1807             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1808             // in the globalTypeSet would've also succeeded.
1809             // (The other direction does not hold in general).
1810
1811             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1812             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1813             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1814                 if (node->child1()->shouldSpeculateInt32()) {
1815                     fixEdge<Int32Use>(node->child1());
1816                     node->remove(m_graph);
1817                     break;
1818                 }
1819
1820                 if (enableInt52()) {
1821                     fixEdge<AnyIntUse>(node->child1());
1822                     node->remove(m_graph);
1823                     break;
1824                 }
1825
1826                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1827             }
1828
1829             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1830                 fixEdge<NumberUse>(node->child1());
1831                 node->remove(m_graph);
1832             } else if (typeSet->doesTypeConformTo(TypeString)) {
1833                 fixEdge<StringUse>(node->child1());
1834                 node->remove(m_graph);
1835             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1836                 fixEdge<BooleanUse>(node->child1());
1837                 node->remove(m_graph);
1838             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1839                 fixEdge<OtherUse>(node->child1());
1840                 node->remove(m_graph);
1841             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1842                 StructureSet set;
1843                 {
1844                     ConcurrentJSLocker locker(typeSet->m_lock);
1845                     set = typeSet->structureSet(locker);
1846                 }
1847                 if (!set.isEmpty()) {
1848                     fixEdge<CellUse>(node->child1());
1849                     node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
1850                 }
1851             }
1852
1853             break;
1854         }
1855
1856         case CreateClonedArguments: {
1857             watchHavingABadTime(node);
1858             break;
1859         }
1860
1861         case CreateScopedArguments:
1862         case CreateActivation:
1863         case NewFunction:
1864         case NewGeneratorFunction:
1865         case NewAsyncGeneratorFunction:
1866         case NewAsyncFunction: {
1867             // Child 1 is always the current scope, which is guaranteed to be an object
1868             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1869             fixEdge<KnownCellUse>(node->child1());
1870             break;
1871         }
1872
1873         case PushWithScope: {
1874             // Child 1 is always the current scope, which is guaranteed to be an object
1875             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1876             fixEdge<KnownCellUse>(node->child1());
1877             if (node->child2()->shouldSpeculateObject())
1878                 fixEdge<ObjectUse>(node->child2());
1879             break;
1880         }
1881
1882         case SetFunctionName: {
1883             // The first child is guaranteed to be a cell because op_set_function_name is only used
1884             // on a newly instantiated function object (the first child).
1885             fixEdge<KnownCellUse>(node->child1());
1886             fixEdge<UntypedUse>(node->child2());
1887             break;
1888         }
1889
1890         case CreateRest: {
1891             watchHavingABadTime(node);
1892             fixEdge<KnownInt32Use>(node->child1());
1893             break;
1894         }
1895
1896         case ResolveScopeForHoistingFuncDeclInEval: {
1897             fixEdge<KnownCellUse>(node->child1());
1898             break;
1899         }
1900         case ResolveScope:
1901         case GetDynamicVar:
1902         case PutDynamicVar: {
1903             fixEdge<KnownCellUse>(node->child1());
1904             break;
1905         }
1906
1907         case LogShadowChickenPrologue: {
1908             fixEdge<KnownCellUse>(node->child1());
1909             break;
1910         }
1911         case LogShadowChickenTail: {
1912             fixEdge<UntypedUse>(node->child1());
1913             fixEdge<KnownCellUse>(node->child2());
1914             break;
1915         }
1916
1917         case GetMapBucket:
1918             if (node->child1().useKind() == MapObjectUse)
1919                 fixEdge<MapObjectUse>(node->child1());
1920             else if (node->child1().useKind() == SetObjectUse)
1921                 fixEdge<SetObjectUse>(node->child1());
1922             else
1923                 RELEASE_ASSERT_NOT_REACHED();
1924
1925 #if USE(JSVALUE64)
1926             if (node->child2()->shouldSpeculateBoolean())
1927                 fixEdge<BooleanUse>(node->child2());
1928             else if (node->child2()->shouldSpeculateInt32())
1929                 fixEdge<Int32Use>(node->child2());
1930             else if (node->child2()->shouldSpeculateSymbol())
1931                 fixEdge<SymbolUse>(node->child2());
1932             else if (node->child2()->shouldSpeculateObject())
1933                 fixEdge<ObjectUse>(node->child2());
1934             else if (node->child2()->shouldSpeculateString())
1935                 fixEdge<StringUse>(node->child2());
1936             else if (node->child2()->shouldSpeculateCell())
1937                 fixEdge<CellUse>(node->child2());
1938             else
1939                 fixEdge<UntypedUse>(node->child2());
1940 #else
1941             fixEdge<UntypedUse>(node->child2());
1942 #endif // USE(JSVALUE64)
1943
1944             fixEdge<Int32Use>(node->child3());
1945             break;
1946
1947         case GetMapBucketHead:
1948             if (node->child1().useKind() == MapObjectUse)
1949                 fixEdge<MapObjectUse>(node->child1());
1950             else if (node->child1().useKind() == SetObjectUse)
1951                 fixEdge<SetObjectUse>(node->child1());
1952             else
1953                 RELEASE_ASSERT_NOT_REACHED();
1954             break;
1955
1956         case GetMapBucketNext:
1957         case LoadKeyFromMapBucket:
1958         case LoadValueFromMapBucket:
1959             fixEdge<CellUse>(node->child1());
1960             break;
1961
1962         case MapHash: {
1963 #if USE(JSVALUE64)
1964             if (node->child1()->shouldSpeculateBoolean()) {
1965                 fixEdge<BooleanUse>(node->child1());
1966                 break;
1967             }
1968
1969             if (node->child1()->shouldSpeculateInt32()) {
1970                 fixEdge<Int32Use>(node->child1());
1971                 break;
1972             }
1973
1974             if (node->child1()->shouldSpeculateSymbol()) {
1975                 fixEdge<SymbolUse>(node->child1());
1976                 break;
1977             }
1978
1979             if (node->child1()->shouldSpeculateObject()) {
1980                 fixEdge<ObjectUse>(node->child1());
1981                 break;
1982             }
1983
1984             if (node->child1()->shouldSpeculateString()) {
1985                 fixEdge<StringUse>(node->child1());
1986                 break;
1987             }
1988
1989             if (node->child1()->shouldSpeculateCell()) {
1990                 fixEdge<CellUse>(node->child1());
1991                 break;
1992             }
1993
1994             fixEdge<UntypedUse>(node->child1());
1995 #else
1996             fixEdge<UntypedUse>(node->child1());
1997 #endif // USE(JSVALUE64)
1998             break;
1999         }
2000
2001         case NormalizeMapKey: {
2002             fixupNormalizeMapKey(node);
2003             break;
2004         }
2005
2006         case WeakMapGet: {
2007             if (node->child1().useKind() == WeakMapObjectUse)
2008                 fixEdge<WeakMapObjectUse>(node->child1());
2009             else if (node->child1().useKind() == WeakSetObjectUse)
2010                 fixEdge<WeakSetObjectUse>(node->child1());
2011             else
2012                 RELEASE_ASSERT_NOT_REACHED();
2013             fixEdge<ObjectUse>(node->child2());
2014             fixEdge<Int32Use>(node->child3());
2015             break;
2016         }
2017
2018         case SetAdd: {
2019             fixEdge<SetObjectUse>(node->child1());
2020             fixEdge<Int32Use>(node->child3());
2021             break;
2022         }
2023
2024         case MapSet: {
2025             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
2026             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2027             break;
2028         }
2029
2030         case WeakSetAdd: {
2031             fixEdge<WeakSetObjectUse>(node->child1());
2032             fixEdge<ObjectUse>(node->child2());
2033             fixEdge<Int32Use>(node->child3());
2034             break;
2035         }
2036
2037         case WeakMapSet: {
2038             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2039             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2040             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2041             break;
2042         }
2043
2044         case DefineDataProperty: {
2045             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2046             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2047             if (propertyEdge->shouldSpeculateSymbol())
2048                 fixEdge<SymbolUse>(propertyEdge);
2049             else if (propertyEdge->shouldSpeculateStringIdent())
2050                 fixEdge<StringIdentUse>(propertyEdge);
2051             else if (propertyEdge->shouldSpeculateString())
2052                 fixEdge<StringUse>(propertyEdge);
2053             else
2054                 fixEdge<UntypedUse>(propertyEdge);
2055             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2056             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2057             break;
2058         }
2059
2060         case StringValueOf: {
2061             fixupStringValueOf(node);
2062             break;
2063         }
2064
2065         case StringSlice: {
2066             fixEdge<StringUse>(node->child1());
2067             fixEdge<Int32Use>(node->child2());
2068             if (node->child3())
2069                 fixEdge<Int32Use>(node->child3());
2070             break;
2071         }
2072
2073         case ToLowerCase: {
2074             // We currently only support StringUse since that will ensure that
2075             // ToLowerCase is a pure operation. If we decide to update this with
2076             // more types in the future, we need to ensure that the clobberize rules
2077             // are correct.
2078             fixEdge<StringUse>(node->child1());
2079             break;
2080         }
2081
2082         case NumberToStringWithRadix: {
2083             if (node->child1()->shouldSpeculateInt32())
2084                 fixEdge<Int32Use>(node->child1());
2085             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2086                 fixEdge<Int52RepUse>(node->child1());
2087             else
2088                 fixEdge<DoubleRepUse>(node->child1());
2089             fixEdge<Int32Use>(node->child2());
2090             break;
2091         }
2092
2093         case DefineAccessorProperty: {
2094             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2095             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2096             if (propertyEdge->shouldSpeculateSymbol())
2097                 fixEdge<SymbolUse>(propertyEdge);
2098             else if (propertyEdge->shouldSpeculateStringIdent())
2099                 fixEdge<StringIdentUse>(propertyEdge);
2100             else if (propertyEdge->shouldSpeculateString())
2101                 fixEdge<StringUse>(propertyEdge);
2102             else
2103                 fixEdge<UntypedUse>(propertyEdge);
2104             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2105             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2106             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2107             break;
2108         }
2109
2110         case CheckSubClass: {
2111             fixupCheckSubClass(node);
2112             break;
2113         }
2114
2115         case CallDOMGetter: {
2116             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2117             fixEdge<CellUse>(node->child1()); // DOM.
2118             if (snippet && snippet->requireGlobalObject)
2119                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2120             break;
2121         }
2122
2123         case CallDOM: {
2124             fixupCallDOM(node);
2125             break;
2126         }
2127
2128         case Call: {
2129             attemptToMakeCallDOM(node);
2130             break;
2131         }
2132
2133         case ParseInt: {
2134             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2135                 fixEdge<Int32Use>(node->child1());
2136                 node->convertToIdentity();
2137                 break;
2138             }
2139
2140             if (node->child1()->shouldSpeculateString()) {
2141                 fixEdge<StringUse>(node->child1());
2142                 node->clearFlags(NodeMustGenerate);
2143             }
2144
2145             if (node->child2())
2146                 fixEdge<Int32Use>(node->child2());
2147
2148             break;
2149         }
2150
2151         case IdentityWithProfile: {
2152             node->clearFlags(NodeMustGenerate);
2153             break;
2154         }
2155
2156         case ThrowStaticError:
2157             fixEdge<StringUse>(node->child1());
2158             break;
2159
2160         case NumberIsInteger:
2161             if (node->child1()->shouldSpeculateInt32()) {
2162                 m_insertionSet.insertNode(
2163                     m_indexInBlock, SpecNone, Check, node->origin,
2164                     Edge(node->child1().node(), Int32Use));
2165                 m_graph.convertToConstant(node, jsBoolean(true));
2166                 break;
2167             }
2168             break;
2169
2170         case SetCallee:
2171             fixEdge<CellUse>(node->child1());
2172             break;
2173
2174         case DataViewGetInt:
2175         case DataViewGetFloat: {
2176             fixEdge<DataViewObjectUse>(node->child1());
2177             fixEdge<Int32Use>(node->child2());
2178             if (node->child3())
2179                 fixEdge<BooleanUse>(node->child3());
2180
2181             if (node->op() == DataViewGetInt) {
2182                 DataViewData data = node->dataViewData();
2183                 switch (data.byteSize) {
2184                 case 1:
2185                 case 2:
2186                     node->setResult(NodeResultInt32);
2187                     break;
2188                 case 4:
2189                     if (data.isSigned)
2190                         node->setResult(NodeResultInt32);
2191                     else
2192                         node->setResult(NodeResultInt52);
2193                     break;
2194                 default:
2195                     RELEASE_ASSERT_NOT_REACHED();
2196                 }
2197             }
2198             break;
2199         }
2200
2201         case DataViewSet: {
2202             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2203             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2204             if (m_graph.varArgChild(node, 3))
2205                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2206             
2207             DataViewData data = node->dataViewData();
2208             Edge& valueToStore = m_graph.varArgChild(node, 2);
2209             if (data.isFloatingPoint)
2210                 fixEdge<DoubleRepUse>(valueToStore);
2211             else {
2212                 switch (data.byteSize) {
2213                 case 1:
2214                 case 2:
2215                     fixEdge<Int32Use>(valueToStore);
2216                     break;
2217                 case 4:
2218                     if (data.isSigned)
2219                         fixEdge<Int32Use>(valueToStore);
2220                     else
2221                         fixEdge<Int52RepUse>(valueToStore);
2222                     break;
2223                 }
2224             }
2225             break;
2226         }
2227
2228 #if !ASSERT_DISABLED
2229         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2230         case SetArgument:
2231         case JSConstant:
2232         case LazyJSConstant:
2233         case DoubleConstant:
2234         case GetLocal:
2235         case GetCallee:
2236         case GetArgumentCountIncludingThis:
2237         case SetArgumentCountIncludingThis:
2238         case GetRestLength:
2239         case GetArgument:
2240         case Flush:
2241         case PhantomLocal:
2242         case GetGlobalVar:
2243         case GetGlobalLexicalVariable:
2244         case NotifyWrite:
2245         case DirectCall:
2246         case CheckTypeInfoFlags:
2247         case TailCallInlinedCaller:
2248         case DirectTailCallInlinedCaller:
2249         case Construct:
2250         case DirectConstruct:
2251         case CallVarargs:
2252         case CallEval:
2253         case TailCallVarargsInlinedCaller:
2254         case ConstructVarargs:
2255         case CallForwardVarargs:
2256         case ConstructForwardVarargs:
2257         case TailCallForwardVarargs:
2258         case TailCallForwardVarargsInlinedCaller:
2259         case LoadVarargs:
2260         case ForwardVarargs:
2261         case ProfileControlFlow:
2262         case NewObject:
2263         case NewRegexp:
2264         case DeleteById:
2265         case DeleteByVal:
2266         case IsTypedArrayView:
2267         case IsEmpty:
2268         case IsUndefined:
2269         case IsBoolean:
2270         case IsNumber:
2271         case IsObjectOrNull:
2272         case IsFunction:
2273         case CreateDirectArguments:
2274         case Jump:
2275         case Return:
2276         case TailCall:
2277         case DirectTailCall:
2278         case TailCallVarargs:
2279         case Throw:
2280         case CountExecution:
2281         case SuperSamplerBegin:
2282         case SuperSamplerEnd:
2283         case ForceOSRExit:
2284         case CheckBadCell:
2285         case CheckNotEmpty:
2286         case AssertNotEmpty:
2287         case CheckTraps:
2288         case Unreachable:
2289         case ExtractOSREntryLocal:
2290         case ExtractCatchLocal:
2291         case ClearCatchLocals:
2292         case LoopHint:
2293         case MovHint:
2294         case InitializeEntrypointArguments:
2295         case ZombieHint:
2296         case ExitOK:
2297         case BottomValue:
2298         case TypeOf:
2299         case PutByIdWithThis:
2300         case PutByValWithThis:
2301         case GetByValWithThis:
2302         case CompareEqPtr:
2303         case NumberToStringWithValidRadixConstant:
2304         case GetGlobalThis:
2305         case ExtractValueFromWeakMapGet:
2306         case CPUIntrinsic:
2307         case FilterCallLinkStatus:
2308         case FilterGetByIdStatus:
2309         case FilterPutByIdStatus:
2310         case FilterInByIdStatus:
2311         case InvalidationPoint:
2312             break;
2313 #else
2314         default:
2315             break;
2316 #endif
2317         }
2318     }
2319
2320     void watchHavingABadTime(Node* node)
2321     {
2322         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2323
2324         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2325         // does an array allocation. The types of array allocations may change if we start to have a bad
2326         // time. It's easier to reason about this if we know that whenever the types change after we start
2327         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2328         // prior to this point nobody should have been doing optimizations based on the indexing type of
2329         // the allocation.
2330         if (!globalObject->isHavingABadTime()) {
2331             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2332             m_graph.freeze(globalObject);
2333         }
2334     }
2335     
2336     template<UseKind useKind>
2337     void createToString(Node* node, Edge& edge)
2338     {
2339         Node* toString = m_insertionSet.insertNode(
2340             m_indexInBlock, SpecString, ToString, node->origin,
2341             Edge(edge.node(), useKind));
2342         switch (useKind) {
2343         case Int32Use:
2344         case Int52RepUse:
2345         case DoubleRepUse:
2346         case NotCellUse:
2347             toString->clearFlags(NodeMustGenerate);
2348             break;
2349         default:
2350             break;
2351         }
2352         edge.setNode(toString);
2353     }
2354     
2355     template<UseKind useKind>
2356     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2357     {
2358         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2359         
2360         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2361             return;
2362         
2363         createToString<useKind>(node, node->child1());
2364         arrayMode = ArrayMode(Array::String, Array::Read);
2365     }
2366     
2367     template<UseKind useKind>
2368     bool isStringObjectUse()
2369     {
2370         switch (useKind) {
2371         case StringObjectUse:
2372         case StringOrStringObjectUse:
2373             return true;
2374         default:
2375             return false;
2376         }
2377     }
2378     
2379     template<UseKind useKind>
2380     void convertStringAddUse(Node* node, Edge& edge)
2381     {
2382         if (useKind == StringUse) {
2383             observeUseKindOnNode<StringUse>(edge.node());
2384             m_insertionSet.insertNode(
2385                 m_indexInBlock, SpecNone, Check, node->origin,
2386                 Edge(edge.node(), StringUse));
2387             edge.setUseKind(KnownStringUse);
2388             return;
2389         }
2390         
2391         observeUseKindOnNode<useKind>(edge.node());
2392         createToString<useKind>(node, edge);
2393     }
2394     
2395     void convertToMakeRope(Node* node)
2396     {
2397         node->setOpAndDefaultFlags(MakeRope);
2398         fixupMakeRope(node);
2399     }
2400     
2401     void fixupMakeRope(Node* node)
2402     {
2403         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2404             Edge& edge = node->children.child(i);
2405             if (!edge)
2406                 break;
2407             edge.setUseKind(KnownStringUse);
2408             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2409             if (!string)
2410                 continue;
2411             if (string->length())
2412                 continue;
2413             
2414             // Don't allow the MakeRope to have zero children.
2415             if (!i && !node->child2())
2416                 break;
2417             
2418             node->children.removeEdge(i--);
2419         }
2420         
2421         if (!node->child2()) {
2422             ASSERT(!node->child3());
2423             node->convertToIdentity();
2424         }
2425     }
2426
2427     void fixupIsCellWithType(Node* node)
2428     {
2429         switch (node->speculatedTypeForQuery()) {
2430         case SpecString:
2431             if (node->child1()->shouldSpeculateString()) {
2432                 m_insertionSet.insertNode(
2433                     m_indexInBlock, SpecNone, Check, node->origin,
2434                     Edge(node->child1().node(), StringUse));
2435                 m_graph.convertToConstant(node, jsBoolean(true));
2436                 observeUseKindOnNode<StringUse>(node);
2437                 return;
2438             }
2439             break;
2440
2441         case SpecProxyObject:
2442             if (node->child1()->shouldSpeculateProxyObject()) {
2443                 m_insertionSet.insertNode(
2444                     m_indexInBlock, SpecNone, Check, node->origin,
2445                     Edge(node->child1().node(), ProxyObjectUse));
2446                 m_graph.convertToConstant(node, jsBoolean(true));
2447                 observeUseKindOnNode<ProxyObjectUse>(node);
2448                 return;
2449             }
2450             break;
2451
2452         case SpecRegExpObject:
2453             if (node->child1()->shouldSpeculateRegExpObject()) {
2454                 m_insertionSet.insertNode(
2455                     m_indexInBlock, SpecNone, Check, node->origin,
2456                     Edge(node->child1().node(), RegExpObjectUse));
2457                 m_graph.convertToConstant(node, jsBoolean(true));
2458                 observeUseKindOnNode<RegExpObjectUse>(node);
2459                 return;
2460             }
2461             break;
2462
2463         case SpecArray:
2464             if (node->child1()->shouldSpeculateArray()) {
2465                 m_insertionSet.insertNode(
2466                     m_indexInBlock, SpecNone, Check, node->origin,
2467                     Edge(node->child1().node(), ArrayUse));
2468                 m_graph.convertToConstant(node, jsBoolean(true));
2469                 observeUseKindOnNode<ArrayUse>(node);
2470                 return;
2471             }
2472             break;
2473
2474         case SpecDerivedArray:
2475             if (node->child1()->shouldSpeculateDerivedArray()) {
2476                 m_insertionSet.insertNode(
2477                     m_indexInBlock, SpecNone, Check, node->origin,
2478                     Edge(node->child1().node(), DerivedArrayUse));
2479                 m_graph.convertToConstant(node, jsBoolean(true));
2480                 observeUseKindOnNode<DerivedArrayUse>(node);
2481                 return;
2482             }
2483             break;
2484         }
2485
2486         if (node->child1()->shouldSpeculateCell()) {
2487             fixEdge<CellUse>(node->child1());
2488             return;
2489         }
2490
2491         if (node->child1()->shouldSpeculateNotCell()) {
2492             m_insertionSet.insertNode(
2493                 m_indexInBlock, SpecNone, Check, node->origin,
2494                 Edge(node->child1().node(), NotCellUse));
2495             m_graph.convertToConstant(node, jsBoolean(false));
2496             observeUseKindOnNode<NotCellUse>(node);
2497             return;
2498         }
2499     }
2500
2501     void fixupGetPrototypeOf(Node* node)
2502     {
2503         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2504         if (node->child1().useKind() != ObjectUse) {
2505             if (node->child1()->shouldSpeculateString()) {
2506                 insertCheck<StringUse>(node->child1().node());
2507                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2508                 return;
2509             }
2510             if (node->child1()->shouldSpeculateInt32()) {
2511                 insertCheck<Int32Use>(node->child1().node());
2512                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2513                 return;
2514             }
2515             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2516                 insertCheck<Int52RepUse>(node->child1().node());
2517                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2518                 return;
2519             }
2520             if (node->child1()->shouldSpeculateNumber()) {
2521                 insertCheck<NumberUse>(node->child1().node());
2522                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2523                 return;
2524             }
2525             if (node->child1()->shouldSpeculateSymbol()) {
2526                 insertCheck<SymbolUse>(node->child1().node());
2527                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2528                 return;
2529             }
2530             if (node->child1()->shouldSpeculateBoolean()) {
2531                 insertCheck<BooleanUse>(node->child1().node());
2532                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2533                 return;
2534             }
2535         }
2536
2537         if (node->child1()->shouldSpeculateFinalObject()) {
2538             fixEdge<FinalObjectUse>(node->child1());
2539             node->clearFlags(NodeMustGenerate);
2540             return;
2541         }
2542         if (node->child1()->shouldSpeculateArray()) {
2543             fixEdge<ArrayUse>(node->child1());
2544             node->clearFlags(NodeMustGenerate);
2545             return;
2546         }
2547         if (node->child1()->shouldSpeculateFunction()) {
2548             fixEdge<FunctionUse>(node->child1());
2549             node->clearFlags(NodeMustGenerate);
2550             return;
2551         }
2552     }
2553
2554     void fixupToThis(Node* node)
2555     {
2556         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2557
2558         if (ecmaMode == StrictMode) {
2559             if (node->child1()->shouldSpeculateBoolean()) {
2560                 fixEdge<BooleanUse>(node->child1());
2561                 node->convertToIdentity();
2562                 return;
2563             }
2564
2565             if (node->child1()->shouldSpeculateInt32()) {
2566                 fixEdge<Int32Use>(node->child1());
2567                 node->convertToIdentity();
2568                 return;
2569             }
2570
2571             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2572                 fixEdge<Int52RepUse>(node->child1());
2573                 node->convertToIdentity();
2574                 node->setResult(NodeResultInt52);
2575                 return;
2576             }
2577
2578             if (node->child1()->shouldSpeculateNumber()) {
2579                 fixEdge<DoubleRepUse>(node->child1());
2580                 node->convertToIdentity();
2581                 node->setResult(NodeResultDouble);
2582                 return;
2583             }
2584
2585             if (node->child1()->shouldSpeculateSymbol()) {
2586                 fixEdge<SymbolUse>(node->child1());
2587                 node->convertToIdentity();
2588                 return;
2589             }
2590
2591             if (node->child1()->shouldSpeculateStringIdent()) {
2592                 fixEdge<StringIdentUse>(node->child1());
2593                 node->convertToIdentity();
2594                 return;
2595             }
2596
2597             if (node->child1()->shouldSpeculateString()) {
2598                 fixEdge<StringUse>(node->child1());
2599                 node->convertToIdentity();
2600                 return;
2601             }
2602             
2603             if (node->child1()->shouldSpeculateBigInt()) {
2604                 fixEdge<BigIntUse>(node->child1());
2605                 node->convertToIdentity();
2606                 return;
2607             }
2608         }
2609
2610         if (node->child1()->shouldSpeculateOther()) {
2611             if (ecmaMode == StrictMode) {
2612                 fixEdge<OtherUse>(node->child1());
2613                 node->convertToIdentity();
2614                 return;
2615             }
2616
2617             m_insertionSet.insertNode(
2618                 m_indexInBlock, SpecNone, Check, node->origin,
2619                 Edge(node->child1().node(), OtherUse));
2620             observeUseKindOnNode<OtherUse>(node->child1().node());
2621             m_graph.convertToConstant(
2622                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2623             return;
2624         }
2625
2626         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2627         // however, since we cover all the missing cases in constant folding.
2628         // https://bugs.webkit.org/show_bug.cgi?id=157213
2629         if (node->child1()->shouldSpeculateStringObject()) {
2630             fixEdge<StringObjectUse>(node->child1());
2631             node->convertToIdentity();
2632             return;
2633         }
2634
2635         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2636             fixEdge<FinalObjectUse>(node->child1());
2637             node->convertToIdentity();
2638             return;
2639         }
2640     }
2641     
2642     void fixupToPrimitive(Node* node)
2643     {
2644         if (node->child1()->shouldSpeculateInt32()) {
2645             fixEdge<Int32Use>(node->child1());
2646             node->convertToIdentity();
2647             return;
2648         }
2649         
2650         if (node->child1()->shouldSpeculateString()) {
2651             fixEdge<StringUse>(node->child1());
2652             node->convertToIdentity();
2653             return;
2654         }
2655         
2656         if (node->child1()->shouldSpeculateStringObject()
2657             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2658             fixEdge<StringObjectUse>(node->child1());
2659             node->convertToToString();
2660             return;
2661         }
2662         
2663         if (node->child1()->shouldSpeculateStringOrStringObject()
2664             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2665             fixEdge<StringOrStringObjectUse>(node->child1());
2666             node->convertToToString();
2667             return;
2668         }
2669     }
2670
2671     void fixupToNumber(Node* node)
2672     {
2673         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2674         if (node->child1()->shouldSpeculateNumber()) {
2675             if (isInt32Speculation(node->getHeapPrediction())) {
2676                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2677                 if (node->child1()->shouldSpeculateInt32()) {
2678                     fixEdge<Int32Use>(node->child1());
2679                     node->convertToIdentity();
2680                     return;
2681                 }
2682
2683                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2684                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2685                 fixEdge<DoubleRepUse>(node->child1());
2686                 node->setOp(DoubleAsInt32);
2687                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2688                     node->setArithMode(Arith::CheckOverflow);
2689                 else
2690                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2691                 return;
2692             }
2693
2694             fixEdge<DoubleRepUse>(node->child1());
2695             node->convertToIdentity();
2696             node->setResult(NodeResultDouble);
2697             return;
2698         }
2699
2700         fixEdge<UntypedUse>(node->child1());
2701         node->setResult(NodeResultJS);
2702     }
2703
2704     void fixupToObject(Node* node)
2705     {
2706         if (node->child1()->shouldSpeculateObject()) {
2707             fixEdge<ObjectUse>(node->child1());
2708             node->convertToIdentity();
2709             return;
2710         }
2711
2712         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2713
2714         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2715
2716         if (node->child1()->shouldSpeculateString()) {
2717             insertCheck<StringUse>(node->child1().node());
2718             fixEdge<KnownStringUse>(node->child1());
2719             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2720             return;
2721         }
2722
2723         if (node->child1()->shouldSpeculateSymbol()) {
2724             insertCheck<SymbolUse>(node->child1().node());
2725             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2726             return;
2727         }
2728
2729         if (node->child1()->shouldSpeculateNumber()) {
2730             insertCheck<NumberUse>(node->child1().node());
2731             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2732             return;
2733         }
2734
2735         if (node->child1()->shouldSpeculateBoolean()) {
2736             insertCheck<BooleanUse>(node->child1().node());
2737             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2738             return;
2739         }
2740
2741         fixEdge<UntypedUse>(node->child1());
2742     }
2743
2744     void fixupCallObjectConstructor(Node* node)
2745     {
2746         if (node->child1()->shouldSpeculateObject()) {
2747             fixEdge<ObjectUse>(node->child1());
2748             node->convertToIdentity();
2749             return;
2750         }
2751
2752         if (node->child1()->shouldSpeculateString()) {
2753             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2754             insertCheck<StringUse>(node->child1().node());
2755             fixEdge<KnownStringUse>(node->child1());
2756             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2757             return;
2758         }
2759
2760         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2761         if (node->child1()->shouldSpeculateOther()) {
2762             insertCheck<OtherUse>(node->child1().node());
2763             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2764             return;
2765         }
2766
2767         fixEdge<UntypedUse>(node->child1());
2768     }
2769     
2770     void fixupToStringOrCallStringConstructor(Node* node)
2771     {
2772         if (node->child1()->shouldSpeculateString()) {
2773             fixEdge<StringUse>(node->child1());
2774             node->convertToIdentity();
2775             return;
2776         }
2777         
2778         if (node->child1()->shouldSpeculateStringObject()
2779             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2780             fixEdge<StringObjectUse>(node->child1());
2781             return;
2782         }
2783         
2784         if (node->child1()->shouldSpeculateStringOrStringObject()
2785             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2786             fixEdge<StringOrStringObjectUse>(node->child1());
2787             return;
2788         }
2789         
2790         if (node->child1()->shouldSpeculateCell()) {
2791             fixEdge<CellUse>(node->child1());
2792             return;
2793         }
2794
2795         if (node->child1()->shouldSpeculateInt32()) {
2796             fixEdge<Int32Use>(node->child1());
2797             node->clearFlags(NodeMustGenerate);
2798             return;
2799         }
2800
2801         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2802             fixEdge<Int52RepUse>(node->child1());
2803             node->clearFlags(NodeMustGenerate);
2804             return;
2805         }
2806
2807         if (node->child1()->shouldSpeculateNumber()) {
2808             fixEdge<DoubleRepUse>(node->child1());
2809             node->clearFlags(NodeMustGenerate);
2810             return;
2811         }
2812
2813         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2814         // we need to care about it in the clobberize. In the following case,
2815         // since NotCellUse edge filter is used and this edge filters Symbols,
2816         // we can say that ToString never throws an error!
2817         if (node->child1()->shouldSpeculateNotCell()) {
2818             fixEdge<NotCellUse>(node->child1());
2819             node->clearFlags(NodeMustGenerate);
2820             return;
2821         }
2822     }
2823
2824     void fixupStringValueOf(Node* node)
2825     {
2826         if (node->child1()->shouldSpeculateString()) {
2827             fixEdge<StringUse>(node->child1());
2828             node->convertToIdentity();
2829             return;
2830         }
2831
2832         if (node->child1()->shouldSpeculateStringObject()) {
2833             fixEdge<StringObjectUse>(node->child1());
2834             node->convertToToString();
2835             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2836             node->clearFlags(NodeMustGenerate);
2837             return;
2838         }
2839
2840         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2841             fixEdge<StringOrStringObjectUse>(node->child1());
2842             node->convertToToString();
2843             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2844             node->clearFlags(NodeMustGenerate);
2845             return;
2846         }
2847     }
2848
2849     bool attemptToMakeFastStringAdd(Node* node)
2850     {
2851         bool goodToGo = true;
2852         m_graph.doToChildren(
2853             node,
2854             [&] (Edge& edge) {
2855                 if (edge->shouldSpeculateString())
2856                     return;
2857                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2858                     if (edge->shouldSpeculateStringObject())
2859                         return;
2860                     if (edge->shouldSpeculateStringOrStringObject())
2861                         return;
2862                 }
2863                 goodToGo = false;
2864             });
2865         if (!goodToGo)
2866             return false;
2867
2868         m_graph.doToChildren(
2869             node,
2870             [&] (Edge& edge) {
2871                 if (edge->shouldSpeculateString()) {
2872                     convertStringAddUse<StringUse>(node, edge);
2873                     return;
2874                 }
2875                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2876                 if (edge->shouldSpeculateStringObject()) {
2877                     convertStringAddUse<StringObjectUse>(node, edge);
2878                     return;
2879                 }
2880                 if (edge->shouldSpeculateStringOrStringObject()) {
2881                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2882                     return;
2883                 }
2884                 RELEASE_ASSERT_NOT_REACHED();
2885             });
2886         
2887         convertToMakeRope(node);
2888         return true;
2889     }
2890
2891     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2892     {
2893         if (!block)
2894             return;
2895         ASSERT(block->isReachable);
2896         m_block = block;
2897         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2898             Node* node = m_currentNode = block->at(m_indexInBlock);
2899             if (node->op() != SetLocal && node->op() != GetLocal)
2900                 continue;
2901             
2902             VariableAccessData* variable = node->variableAccessData();
2903             switch (node->op()) {
2904             case GetLocal:
2905                 switch (variable->flushFormat()) {
2906                 case FlushedDouble:
2907                     node->setResult(NodeResultDouble);
2908                     break;
2909                 case FlushedInt52:
2910                     node->setResult(NodeResultInt52);
2911                     break;
2912                 default:
2913                     break;
2914                 }
2915                 break;
2916                 
2917             case SetLocal:
2918                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2919                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2920                 
2921                 switch (variable->flushFormat()) {
2922                 case FlushedJSValue:
2923                     break;
2924                 case FlushedDouble:
2925                     fixEdge<DoubleRepUse>(node->child1());
2926                     break;
2927                 case FlushedInt32:
2928                     fixEdge<Int32Use>(node->child1());
2929                     break;
2930                 case FlushedInt52:
2931                     fixEdge<Int52RepUse>(node->child1());
2932                     break;
2933                 case FlushedCell:
2934                     fixEdge<CellUse>(node->child1());
2935                     break;
2936                 case FlushedBoolean:
2937                     fixEdge<BooleanUse>(node->child1());
2938                     break;
2939                 default:
2940                     RELEASE_ASSERT_NOT_REACHED();
2941                     break;
2942                 }
2943                 break;
2944                 
2945             default:
2946                 RELEASE_ASSERT_NOT_REACHED();
2947                 break;
2948             }
2949         }
2950         m_insertionSet.execute(block);
2951     }
2952     
2953     void addStringReplacePrimordialChecks(Node* searchRegExp)
2954     {
2955         Node* node = m_currentNode;
2956
2957         // Check that structure of searchRegExp is RegExp object
2958         m_insertionSet.insertNode(
2959             m_indexInBlock, SpecNone, Check, node->origin,
2960             Edge(searchRegExp, RegExpObjectUse));
2961
2962         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2963             unsigned index = m_graph.identifiers().ensure(propertyUID);
2964
2965             Node* actualProperty = m_insertionSet.insertNode(
2966                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2967                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2968
2969             m_insertionSet.insertNode(
2970                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2971                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2972         };
2973
2974         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2975
2976         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2977         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2978         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2979         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2980         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2981         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2982         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2983         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2984     }
2985
2986     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2987     {
2988         ASSERT(arrayMode.isSpecific());
2989         
2990         if (arrayMode.type() == Array::String) {
2991             m_insertionSet.insertNode(
2992                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2993         } else {
2994             // Note that we only need to be using a structure check if we opt for SaneChain, since
2995             // that needs to protect against JSArray's __proto__ being changed.
2996             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2997         
2998             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2999             
3000             if (arrayMode.doesConversion()) {
3001                 if (structure) {
3002                     m_insertionSet.insertNode(
3003                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
3004                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3005                 } else {
3006                     m_insertionSet.insertNode(
3007                         m_indexInBlock, SpecNone, Arrayify, origin,
3008                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3009                 }
3010             } else {
3011                 if (structure) {
3012                     m_insertionSet.insertNode(
3013                         m_indexInBlock, SpecNone, CheckStructure, origin,
3014                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
3015                 } else {
3016                     m_insertionSet.insertNode(
3017                         m_indexInBlock, SpecNone, CheckArray, origin,
3018                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
3019                 }
3020             }
3021         }
3022         
3023         if (!storageCheck(arrayMode))
3024             return nullptr;
3025         
3026         if (arrayMode.usesButterfly()) {
3027             return m_insertionSet.insertNode(
3028                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
3029         }
3030         
3031         return m_insertionSet.insertNode(
3032             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
3033             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
3034     }
3035     
3036     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
3037     {
3038         Node* node = m_currentNode;
3039         
3040         switch (node->arrayMode().type()) {
3041         case Array::ForceExit: {
3042             m_insertionSet.insertNode(
3043                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
3044             return;
3045         }
3046             
3047         case Array::SelectUsingPredictions:
3048         case Array::Unprofiled:
3049             RELEASE_ASSERT_NOT_REACHED();
3050             return;
3051             
3052         case Array::Generic:
3053             return;
3054             
3055         default: {
3056             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
3057             if (!storage)
3058                 return;
3059             
3060             storageChild = Edge(storage);
3061             return;
3062         } }
3063     }
3064     
3065     bool alwaysUnboxSimplePrimitives()
3066     {
3067 #if USE(JSVALUE64)
3068         return false;