ab1c539b2e2cda667b4e9bab90362724037b282b
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2016 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->clearFlags(NodeMustGenerate);
146                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
147             }
148             break;
149         }
150             
151         case ValueAdd: {
152             if (attemptToMakeIntegerAdd(node)) {
153                 node->setOp(ArithAdd);
154                 break;
155             }
156             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
157                 fixDoubleOrBooleanEdge(node->child1());
158                 fixDoubleOrBooleanEdge(node->child2());
159                 node->setOp(ArithAdd);
160                 node->setResult(NodeResultDouble);
161                 break;
162             }
163             
164             if (attemptToMakeFastStringAdd(node))
165                 break;
166
167             fixEdge<UntypedUse>(node->child1());
168             fixEdge<UntypedUse>(node->child2());
169             node->setResult(NodeResultJS);
170             break;
171         }
172
173         case StrCat: {
174             if (attemptToMakeFastStringAdd(node))
175                 break;
176
177             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
178             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
179             // the implementation of StrCat doesn't dynamically optimize for empty strings.
180             // https://bugs.webkit.org/show_bug.cgi?id=148540
181             m_graph.doToChildren(
182                 node,
183                 [&] (Edge& edge) {
184                     fixEdge<KnownPrimitiveUse>(edge);
185                 });
186             break;
187         }
188             
189         case MakeRope: {
190             fixupMakeRope(node);
191             break;
192         }
193             
194         case ArithAdd:
195         case ArithSub: {
196             if (op == ArithSub
197                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
198                 fixEdge<UntypedUse>(node->child1());
199                 fixEdge<UntypedUse>(node->child2());
200                 node->setResult(NodeResultJS);
201                 break;
202             }
203             if (attemptToMakeIntegerAdd(node))
204                 break;
205             fixDoubleOrBooleanEdge(node->child1());
206             fixDoubleOrBooleanEdge(node->child2());
207             node->setResult(NodeResultDouble);
208             break;
209         }
210             
211         case ArithNegate: {
212             if (m_graph.unaryArithShouldSpeculateInt32(node, FixupPass)) {
213                 fixIntOrBooleanEdge(node->child1());
214                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
215                     node->setArithMode(Arith::Unchecked);
216                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
217                     node->setArithMode(Arith::CheckOverflow);
218                 else
219                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
220                 break;
221             }
222             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
223                 fixEdge<Int52RepUse>(node->child1());
224                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
225                     node->setArithMode(Arith::CheckOverflow);
226                 else
227                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
228                 node->setResult(NodeResultInt52);
229                 break;
230             }
231             fixDoubleOrBooleanEdge(node->child1());
232             node->setResult(NodeResultDouble);
233             break;
234         }
235             
236         case ArithMul: {
237             Edge& leftChild = node->child1();
238             Edge& rightChild = node->child2();
239             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
240                 fixEdge<UntypedUse>(leftChild);
241                 fixEdge<UntypedUse>(rightChild);
242                 node->setResult(NodeResultJS);
243                 break;
244             }
245             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
246                 fixIntOrBooleanEdge(leftChild);
247                 fixIntOrBooleanEdge(rightChild);
248                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
249                     node->setArithMode(Arith::Unchecked);
250                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
251                     || leftChild.node() == rightChild.node())
252                     node->setArithMode(Arith::CheckOverflow);
253                 else
254                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
255                 break;
256             }
257             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
258                 fixEdge<Int52RepUse>(leftChild);
259                 fixEdge<Int52RepUse>(rightChild);
260                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
261                     || leftChild.node() == rightChild.node())
262                     node->setArithMode(Arith::CheckOverflow);
263                 else
264                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
265                 node->setResult(NodeResultInt52);
266                 break;
267             }
268             fixDoubleOrBooleanEdge(leftChild);
269             fixDoubleOrBooleanEdge(rightChild);
270             node->setResult(NodeResultDouble);
271             break;
272         }
273
274         case ArithDiv:
275         case ArithMod: {
276             Edge& leftChild = node->child1();
277             Edge& rightChild = node->child2();
278             if (op == ArithDiv
279                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
280                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
281                 fixEdge<UntypedUse>(leftChild);
282                 fixEdge<UntypedUse>(rightChild);
283                 node->setResult(NodeResultJS);
284                 break;
285             }
286             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
287                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
288                     fixIntOrBooleanEdge(leftChild);
289                     fixIntOrBooleanEdge(rightChild);
290                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
291                         node->setArithMode(Arith::Unchecked);
292                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
293                         node->setArithMode(Arith::CheckOverflow);
294                     else
295                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
296                     break;
297                 }
298                 
299                 // This will cause conversion nodes to be inserted later.
300                 fixDoubleOrBooleanEdge(leftChild);
301                 fixDoubleOrBooleanEdge(rightChild);
302                 
303                 // We don't need to do ref'ing on the children because we're stealing them from
304                 // the original division.
305                 Node* newDivision = m_insertionSet.insertNode(
306                     m_indexInBlock, SpecBytecodeDouble, *node);
307                 newDivision->setResult(NodeResultDouble);
308                 
309                 node->setOp(DoubleAsInt32);
310                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
311                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
312                     node->setArithMode(Arith::CheckOverflow);
313                 else
314                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
315                 break;
316             }
317             fixDoubleOrBooleanEdge(leftChild);
318             fixDoubleOrBooleanEdge(rightChild);
319             node->setResult(NodeResultDouble);
320             break;
321         }
322             
323         case ArithMin:
324         case ArithMax: {
325             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
326                 fixIntOrBooleanEdge(node->child1());
327                 fixIntOrBooleanEdge(node->child2());
328                 break;
329             }
330             fixDoubleOrBooleanEdge(node->child1());
331             fixDoubleOrBooleanEdge(node->child2());
332             node->setResult(NodeResultDouble);
333             break;
334         }
335             
336         case ArithAbs: {
337             if (node->child1()->shouldSpeculateInt32OrBoolean()
338                 && node->canSpeculateInt32(FixupPass)) {
339                 fixIntOrBooleanEdge(node->child1());
340                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
341                     node->setArithMode(Arith::Unchecked);
342                 else
343                     node->setArithMode(Arith::CheckOverflow);
344                 node->clearFlags(NodeMustGenerate);
345                 node->setResult(NodeResultInt32);
346                 break;
347             }
348
349             if (node->child1()->shouldSpeculateNotCell()) {
350                 fixDoubleOrBooleanEdge(node->child1());
351                 node->clearFlags(NodeMustGenerate);
352             } else
353                 fixEdge<UntypedUse>(node->child1());
354             node->setResult(NodeResultDouble);
355             break;
356         }
357
358         case ArithPow: {
359             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
360                 fixDoubleOrBooleanEdge(node->child1());
361                 fixIntOrBooleanEdge(node->child2());
362                 break;
363             }
364
365             fixDoubleOrBooleanEdge(node->child1());
366             fixDoubleOrBooleanEdge(node->child2());
367             break;
368         }
369
370         case ArithRandom: {
371             node->setResult(NodeResultDouble);
372             break;
373         }
374
375         case ArithRound:
376         case ArithFloor:
377         case ArithCeil:
378         case ArithTrunc: {
379             if (m_graph.unaryArithShouldSpeculateInt32(node, FixupPass)) {
380                 fixIntOrBooleanEdge(node->child1());
381                 insertCheck<Int32Use>(m_indexInBlock, node->child1().node());
382                 node->convertToIdentity();
383                 break;
384             }
385             fixDoubleOrBooleanEdge(node->child1());
386
387             if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
388                 node->setResult(NodeResultInt32);
389                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
390                     node->setArithRoundingMode(Arith::RoundingMode::Int32);
391                 else
392                     node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
393             } else {
394                 node->setResult(NodeResultDouble);
395                 node->setArithRoundingMode(Arith::RoundingMode::Double);
396             }
397             break;
398         }
399
400         case ArithCos:
401         case ArithFRound:
402         case ArithLog:
403         case ArithSin:
404         case ArithSqrt: {
405             Edge& child1 = node->child1();
406             if (child1->shouldSpeculateNotCell()) {
407                 fixDoubleOrBooleanEdge(child1);
408                 node->clearFlags(NodeMustGenerate);
409             } else
410                 fixEdge<UntypedUse>(child1);
411             break;
412         }
413             
414         case LogicalNot: {
415             if (node->child1()->shouldSpeculateBoolean()) {
416                 if (node->child1()->result() == NodeResultBoolean) {
417                     // This is necessary in case we have a bytecode instruction implemented by:
418                     //
419                     // a: CompareEq(...)
420                     // b: LogicalNot(@a)
421                     //
422                     // In that case, CompareEq might have a side-effect. Then, we need to make
423                     // sure that we know that Branch does not exit.
424                     fixEdge<KnownBooleanUse>(node->child1());
425                 } else
426                     fixEdge<BooleanUse>(node->child1());
427             } else if (node->child1()->shouldSpeculateObjectOrOther())
428                 fixEdge<ObjectOrOtherUse>(node->child1());
429             else if (node->child1()->shouldSpeculateInt32OrBoolean())
430                 fixIntOrBooleanEdge(node->child1());
431             else if (node->child1()->shouldSpeculateNumber())
432                 fixEdge<DoubleRepUse>(node->child1());
433             else if (node->child1()->shouldSpeculateString())
434                 fixEdge<StringUse>(node->child1());
435             else if (node->child1()->shouldSpeculateStringOrOther())
436                 fixEdge<StringOrOtherUse>(node->child1());
437             break;
438         }
439
440         case CompareEq:
441         case CompareLess:
442         case CompareLessEq:
443         case CompareGreater:
444         case CompareGreaterEq: {
445             if (node->op() == CompareEq
446                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
447                 fixEdge<BooleanUse>(node->child1());
448                 fixEdge<BooleanUse>(node->child2());
449                 node->clearFlags(NodeMustGenerate);
450                 break;
451             }
452             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
453                 fixIntOrBooleanEdge(node->child1());
454                 fixIntOrBooleanEdge(node->child2());
455                 node->clearFlags(NodeMustGenerate);
456                 break;
457             }
458             if (enableInt52()
459                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
460                 fixEdge<Int52RepUse>(node->child1());
461                 fixEdge<Int52RepUse>(node->child2());
462                 node->clearFlags(NodeMustGenerate);
463                 break;
464             }
465             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
466                 fixDoubleOrBooleanEdge(node->child1());
467                 fixDoubleOrBooleanEdge(node->child2());
468             }
469             if (node->op() != CompareEq
470                 && node->child1()->shouldSpeculateNotCell()
471                 && node->child2()->shouldSpeculateNotCell()) {
472                 if (node->child1()->shouldSpeculateNumberOrBoolean())
473                     fixDoubleOrBooleanEdge(node->child1());
474                 else
475                     fixEdge<DoubleRepUse>(node->child1());
476                 if (node->child2()->shouldSpeculateNumberOrBoolean())
477                     fixDoubleOrBooleanEdge(node->child2());
478                 else
479                     fixEdge<DoubleRepUse>(node->child2());
480                 node->clearFlags(NodeMustGenerate);
481                 break;
482             }
483             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
484                 fixEdge<StringIdentUse>(node->child1());
485                 fixEdge<StringIdentUse>(node->child2());
486                 node->clearFlags(NodeMustGenerate);
487                 break;
488             }
489             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
490                 fixEdge<StringUse>(node->child1());
491                 fixEdge<StringUse>(node->child2());
492                 node->clearFlags(NodeMustGenerate);
493                 break;
494             }
495
496             if (node->op() != CompareEq)
497                 break;
498             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
499                 fixEdge<SymbolUse>(node->child1());
500                 fixEdge<SymbolUse>(node->child2());
501                 node->clearFlags(NodeMustGenerate);
502                 break;
503             }
504             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
505                 fixEdge<ObjectUse>(node->child1());
506                 fixEdge<ObjectUse>(node->child2());
507                 node->clearFlags(NodeMustGenerate);
508                 break;
509             }
510
511             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
512             bool oneArgumentIsUsedAsSpecOther = false;
513             if (node->child1()->isUndefinedOrNullConstant()) {
514                 fixEdge<OtherUse>(node->child1());
515                 oneArgumentIsUsedAsSpecOther = true;
516             } else if (node->child1()->shouldSpeculateOther()) {
517                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
518                     Edge(node->child1().node(), OtherUse));
519                 fixEdge<OtherUse>(node->child1());
520                 oneArgumentIsUsedAsSpecOther = true;
521             }
522             if (node->child2()->isUndefinedOrNullConstant()) {
523                 fixEdge<OtherUse>(node->child2());
524                 oneArgumentIsUsedAsSpecOther = true;
525             } else if (node->child2()->shouldSpeculateOther()) {
526                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
527                     Edge(node->child2().node(), OtherUse));
528                 fixEdge<OtherUse>(node->child2());
529                 oneArgumentIsUsedAsSpecOther = true;
530             }
531             if (oneArgumentIsUsedAsSpecOther) {
532                 node->clearFlags(NodeMustGenerate);
533                 break;
534             }
535
536             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
537                 fixEdge<ObjectUse>(node->child1());
538                 fixEdge<ObjectOrOtherUse>(node->child2());
539                 node->clearFlags(NodeMustGenerate);
540                 break;
541             }
542             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
543                 fixEdge<ObjectOrOtherUse>(node->child1());
544                 fixEdge<ObjectUse>(node->child2());
545                 node->clearFlags(NodeMustGenerate);
546                 break;
547             }
548
549             break;
550         }
551             
552         case CompareStrictEq: {
553             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
554                 fixEdge<BooleanUse>(node->child1());
555                 fixEdge<BooleanUse>(node->child2());
556                 break;
557             }
558             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
559                 fixEdge<Int32Use>(node->child1());
560                 fixEdge<Int32Use>(node->child2());
561                 break;
562             }
563             if (enableInt52()
564                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
565                 fixEdge<Int52RepUse>(node->child1());
566                 fixEdge<Int52RepUse>(node->child2());
567                 break;
568             }
569             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
570                 fixEdge<DoubleRepUse>(node->child1());
571                 fixEdge<DoubleRepUse>(node->child2());
572                 break;
573             }
574             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
575                 fixEdge<SymbolUse>(node->child1());
576                 fixEdge<SymbolUse>(node->child2());
577                 break;
578             }
579             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
580                 fixEdge<StringIdentUse>(node->child1());
581                 fixEdge<StringIdentUse>(node->child2());
582                 break;
583             }
584             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
585                 fixEdge<StringUse>(node->child1());
586                 fixEdge<StringUse>(node->child2());
587                 break;
588             }
589             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
590             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
591                 
592                 if (node->child1()->shouldSpeculateObject()) {
593                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
594                     fixEdge<ObjectUse>(node->child1());
595                     break;
596                 }
597                 if (node->child2()->shouldSpeculateObject()) {
598                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
599                     fixEdge<ObjectUse>(node->child2());
600                     break;
601                 }
602                 
603             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
604                 fixEdge<ObjectUse>(node->child1());
605                 fixEdge<ObjectUse>(node->child2());
606                 break;
607             }
608             if (node->child1()->shouldSpeculateSymbol()) {
609                 fixEdge<SymbolUse>(node->child1());
610                 break;
611             }
612             if (node->child2()->shouldSpeculateSymbol()) {
613                 fixEdge<SymbolUse>(node->child2());
614                 break;
615             }
616             if (node->child1()->shouldSpeculateMisc()) {
617                 fixEdge<MiscUse>(node->child1());
618                 break;
619             }
620             if (node->child2()->shouldSpeculateMisc()) {
621                 fixEdge<MiscUse>(node->child2());
622                 break;
623             }
624             if (node->child1()->shouldSpeculateStringIdent()
625                 && node->child2()->shouldSpeculateNotStringVar()) {
626                 fixEdge<StringIdentUse>(node->child1());
627                 fixEdge<NotStringVarUse>(node->child2());
628                 break;
629             }
630             if (node->child2()->shouldSpeculateStringIdent()
631                 && node->child1()->shouldSpeculateNotStringVar()) {
632                 fixEdge<StringIdentUse>(node->child2());
633                 fixEdge<NotStringVarUse>(node->child1());
634                 break;
635             }
636             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
637                 fixEdge<StringUse>(node->child1());
638                 break;
639             }
640             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
641                 fixEdge<StringUse>(node->child2());
642                 break;
643             }
644             break;
645         }
646             
647         case StringFromCharCode:
648             if (node->child1()->shouldSpeculateInt32())
649                 fixEdge<Int32Use>(node->child1());
650             else
651                 fixEdge<UntypedUse>(node->child1());
652             break;
653
654         case StringCharAt:
655         case StringCharCodeAt: {
656             // Currently we have no good way of refining these.
657             ASSERT(node->arrayMode() == ArrayMode(Array::String));
658             blessArrayOperation(node->child1(), node->child2(), node->child3());
659             fixEdge<KnownCellUse>(node->child1());
660             fixEdge<Int32Use>(node->child2());
661             break;
662         }
663
664         case GetByVal: {
665             if (!node->prediction()) {
666                 m_insertionSet.insertNode(
667                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
668             }
669             
670             node->setArrayMode(
671                 node->arrayMode().refine(
672                     m_graph, node,
673                     node->child1()->prediction(),
674                     node->child2()->prediction(),
675                     SpecNone));
676             
677             blessArrayOperation(node->child1(), node->child2(), node->child3());
678             
679             ArrayMode arrayMode = node->arrayMode();
680             switch (arrayMode.type()) {
681             case Array::Contiguous:
682             case Array::Double:
683                 if (arrayMode.arrayClass() == Array::OriginalArray
684                     && arrayMode.speculation() == Array::InBounds) {
685                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
686                     if (globalObject->arrayPrototypeChainIsSane()) {
687                         // Check if SaneChain will work on a per-type basis. Note that:
688                         //
689                         // 1) We don't want double arrays to sometimes return undefined, since
690                         // that would require a change to the return type and it would pessimise
691                         // things a lot. So, we'd only want to do that if we actually had
692                         // evidence that we could read from a hole. That's pretty annoying.
693                         // Likely the best way to handle that case is with an equivalent of
694                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
695                         // NaN are indistinguishable according to backwards propagation, and just
696                         // use SaneChain in that case. This happens to catch a lot of cases.
697                         //
698                         // 2) We don't want int32 array loads to have to do a hole check just to
699                         // coerce to Undefined, since that would mean twice the checks.
700                         //
701                         // This has two implications. First, we have to do more checks than we'd
702                         // like. It's unfortunate that we have to do the hole check. Second,
703                         // some accesses that hit a hole will now need to take the full-blown
704                         // out-of-bounds slow path. We can fix that with:
705                         // https://bugs.webkit.org/show_bug.cgi?id=144668
706                         
707                         bool canDoSaneChain = false;
708                         switch (arrayMode.type()) {
709                         case Array::Contiguous:
710                             // This is happens to be entirely natural. We already would have
711                             // returned any JSValue, and now we'll return Undefined. We still do
712                             // the check but it doesn't require taking any kind of slow path.
713                             canDoSaneChain = true;
714                             break;
715                             
716                         case Array::Double:
717                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
718                                 // Holes look like NaN already, so if the user doesn't care
719                                 // about the difference between Undefined and NaN then we can
720                                 // do this.
721                                 canDoSaneChain = true;
722                             }
723                             break;
724                             
725                         default:
726                             break;
727                         }
728                         
729                         if (canDoSaneChain) {
730                             m_graph.watchpoints().addLazily(
731                                 globalObject->arrayPrototype()->structure()->transitionWatchpointSet());
732                             m_graph.watchpoints().addLazily(
733                                 globalObject->objectPrototype()->structure()->transitionWatchpointSet());
734                             if (globalObject->arrayPrototypeChainIsSane())
735                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
736                         }
737                     }
738                 }
739                 break;
740                 
741             case Array::String:
742                 if ((node->prediction() & ~SpecString)
743                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
744                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
745                 break;
746                 
747             default:
748                 break;
749             }
750             
751             arrayMode = node->arrayMode();
752             switch (arrayMode.type()) {
753             case Array::SelectUsingPredictions:
754             case Array::Unprofiled:
755                 RELEASE_ASSERT_NOT_REACHED();
756                 break;
757             case Array::Generic:
758 #if USE(JSVALUE32_64)
759                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
760 #endif
761                 break;
762             case Array::ForceExit:
763                 break;
764             default:
765                 fixEdge<KnownCellUse>(node->child1());
766                 fixEdge<Int32Use>(node->child2());
767                 break;
768             }
769             
770             switch (arrayMode.type()) {
771             case Array::Double:
772                 if (!arrayMode.isOutOfBounds())
773                     node->setResult(NodeResultDouble);
774                 break;
775                 
776             case Array::Float32Array:
777             case Array::Float64Array:
778                 node->setResult(NodeResultDouble);
779                 break;
780                 
781             case Array::Uint32Array:
782                 if (node->shouldSpeculateInt32())
783                     break;
784                 if (node->shouldSpeculateAnyInt() && enableInt52())
785                     node->setResult(NodeResultInt52);
786                 else
787                     node->setResult(NodeResultDouble);
788                 break;
789                 
790             default:
791                 break;
792             }
793             
794             break;
795         }
796
797         case PutByValDirect:
798         case PutByVal:
799         case PutByValAlias: {
800             Edge& child1 = m_graph.varArgChild(node, 0);
801             Edge& child2 = m_graph.varArgChild(node, 1);
802             Edge& child3 = m_graph.varArgChild(node, 2);
803
804             node->setArrayMode(
805                 node->arrayMode().refine(
806                     m_graph, node,
807                     child1->prediction(),
808                     child2->prediction(),
809                     child3->prediction()));
810             
811             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
812             
813             switch (node->arrayMode().modeForPut().type()) {
814             case Array::SelectUsingPredictions:
815             case Array::SelectUsingArguments:
816             case Array::Unprofiled:
817             case Array::Undecided:
818                 RELEASE_ASSERT_NOT_REACHED();
819                 break;
820             case Array::ForceExit:
821             case Array::Generic:
822 #if USE(JSVALUE32_64)
823                 // Due to register pressure on 32-bit, we speculate cell and
824                 // ignore the base-is-not-cell case entirely by letting the
825                 // baseline JIT handle it.
826                 fixEdge<CellUse>(child1);
827 #endif
828                 break;
829             case Array::Int32:
830                 fixEdge<KnownCellUse>(child1);
831                 fixEdge<Int32Use>(child2);
832                 fixEdge<Int32Use>(child3);
833                 break;
834             case Array::Double:
835                 fixEdge<KnownCellUse>(child1);
836                 fixEdge<Int32Use>(child2);
837                 fixEdge<DoubleRepRealUse>(child3);
838                 break;
839             case Array::Int8Array:
840             case Array::Int16Array:
841             case Array::Int32Array:
842             case Array::Uint8Array:
843             case Array::Uint8ClampedArray:
844             case Array::Uint16Array:
845             case Array::Uint32Array:
846                 fixEdge<KnownCellUse>(child1);
847                 fixEdge<Int32Use>(child2);
848                 if (child3->shouldSpeculateInt32())
849                     fixIntOrBooleanEdge(child3);
850                 else if (child3->shouldSpeculateAnyInt())
851                     fixEdge<Int52RepUse>(child3);
852                 else
853                     fixDoubleOrBooleanEdge(child3);
854                 break;
855             case Array::Float32Array:
856             case Array::Float64Array:
857                 fixEdge<KnownCellUse>(child1);
858                 fixEdge<Int32Use>(child2);
859                 fixDoubleOrBooleanEdge(child3);
860                 break;
861             case Array::Contiguous:
862             case Array::ArrayStorage:
863             case Array::SlowPutArrayStorage:
864                 fixEdge<KnownCellUse>(child1);
865                 fixEdge<Int32Use>(child2);
866                 speculateForBarrier(child3);
867                 break;
868             default:
869                 fixEdge<KnownCellUse>(child1);
870                 fixEdge<Int32Use>(child2);
871                 break;
872             }
873             break;
874         }
875             
876         case ArrayPush: {
877             // May need to refine the array mode in case the value prediction contravenes
878             // the array prediction. For example, we may have evidence showing that the
879             // array is in Int32 mode, but the value we're storing is likely to be a double.
880             // Then we should turn this into a conversion to Double array followed by the
881             // push. On the other hand, we absolutely don't want to refine based on the
882             // base prediction. If it has non-cell garbage in it, then we want that to be
883             // ignored. That's because ArrayPush can't handle any array modes that aren't
884             // array-related - so if refine() turned this into a "Generic" ArrayPush then
885             // that would break things.
886             node->setArrayMode(
887                 node->arrayMode().refine(
888                     m_graph, node,
889                     node->child1()->prediction() & SpecCell,
890                     SpecInt32Only,
891                     node->child2()->prediction()));
892             blessArrayOperation(node->child1(), Edge(), node->child3());
893             fixEdge<KnownCellUse>(node->child1());
894             
895             switch (node->arrayMode().type()) {
896             case Array::Int32:
897                 fixEdge<Int32Use>(node->child2());
898                 break;
899             case Array::Double:
900                 fixEdge<DoubleRepRealUse>(node->child2());
901                 break;
902             case Array::Contiguous:
903             case Array::ArrayStorage:
904                 speculateForBarrier(node->child2());
905                 break;
906             default:
907                 break;
908             }
909             break;
910         }
911             
912         case ArrayPop: {
913             blessArrayOperation(node->child1(), Edge(), node->child2());
914             fixEdge<KnownCellUse>(node->child1());
915             break;
916         }
917             
918         case RegExpExec:
919         case RegExpTest: {
920             fixEdge<KnownCellUse>(node->child1());
921             
922             if (node->child2()->shouldSpeculateRegExpObject()) {
923                 fixEdge<RegExpObjectUse>(node->child2());
924
925                 if (node->child3()->shouldSpeculateString())
926                     fixEdge<StringUse>(node->child3());
927             }
928             break;
929         }
930
931         case StringReplace:
932         case StringReplaceRegExp: {
933             if (node->child2()->shouldSpeculateString()) {
934                 m_insertionSet.insertNode(
935                     m_indexInBlock, SpecNone, Check, node->origin,
936                     Edge(node->child2().node(), StringUse));
937                 fixEdge<StringUse>(node->child2());
938             } else if (op == StringReplace) {
939                 if (node->child2()->shouldSpeculateRegExpObject())
940                     addStringReplacePrimordialChecks(node->child2().node());
941                 else 
942                     m_insertionSet.insertNode(
943                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
944             }
945
946             if (node->child1()->shouldSpeculateString()
947                 && node->child2()->shouldSpeculateRegExpObject()
948                 && node->child3()->shouldSpeculateString()) {
949
950                 fixEdge<StringUse>(node->child1());
951                 fixEdge<RegExpObjectUse>(node->child2());
952                 fixEdge<StringUse>(node->child3());
953                 break;
954             }
955             break;
956         }
957             
958         case Branch: {
959             if (node->child1()->shouldSpeculateBoolean()) {
960                 if (node->child1()->result() == NodeResultBoolean) {
961                     // This is necessary in case we have a bytecode instruction implemented by:
962                     //
963                     // a: CompareEq(...)
964                     // b: Branch(@a)
965                     //
966                     // In that case, CompareEq might have a side-effect. Then, we need to make
967                     // sure that we know that Branch does not exit.
968                     fixEdge<KnownBooleanUse>(node->child1());
969                 } else
970                     fixEdge<BooleanUse>(node->child1());
971             } else if (node->child1()->shouldSpeculateObjectOrOther())
972                 fixEdge<ObjectOrOtherUse>(node->child1());
973             else if (node->child1()->shouldSpeculateInt32OrBoolean())
974                 fixIntOrBooleanEdge(node->child1());
975             else if (node->child1()->shouldSpeculateNumber())
976                 fixEdge<DoubleRepUse>(node->child1());
977             else if (node->child1()->shouldSpeculateString())
978                 fixEdge<StringUse>(node->child1());
979             else if (node->child1()->shouldSpeculateStringOrOther())
980                 fixEdge<StringOrOtherUse>(node->child1());
981             break;
982         }
983             
984         case Switch: {
985             SwitchData* data = node->switchData();
986             switch (data->kind) {
987             case SwitchImm:
988                 if (node->child1()->shouldSpeculateInt32())
989                     fixEdge<Int32Use>(node->child1());
990                 break;
991             case SwitchChar:
992                 if (node->child1()->shouldSpeculateString())
993                     fixEdge<StringUse>(node->child1());
994                 break;
995             case SwitchString:
996                 if (node->child1()->shouldSpeculateStringIdent())
997                     fixEdge<StringIdentUse>(node->child1());
998                 else if (node->child1()->shouldSpeculateString())
999                     fixEdge<StringUse>(node->child1());
1000                 break;
1001             case SwitchCell:
1002                 if (node->child1()->shouldSpeculateCell())
1003                     fixEdge<CellUse>(node->child1());
1004                 // else it's fine for this to have UntypedUse; we will handle this by just making
1005                 // non-cells take the default case.
1006                 break;
1007             }
1008             break;
1009         }
1010             
1011         case ToPrimitive: {
1012             fixupToPrimitive(node);
1013             break;
1014         }
1015
1016         case ToNumber: {
1017             fixupToNumber(node);
1018             break;
1019         }
1020             
1021         case ToString:
1022         case CallStringConstructor: {
1023             fixupToStringOrCallStringConstructor(node);
1024             break;
1025         }
1026             
1027         case NewStringObject: {
1028             fixEdge<KnownStringUse>(node->child1());
1029             break;
1030         }
1031             
1032         case NewArray: {
1033             watchHavingABadTime(node);
1034             
1035             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1036                 node->setIndexingType(
1037                     leastUpperBoundOfIndexingTypeAndType(
1038                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1039             }
1040             switch (node->indexingType()) {
1041             case ALL_BLANK_INDEXING_TYPES:
1042                 CRASH();
1043                 break;
1044             case ALL_UNDECIDED_INDEXING_TYPES:
1045                 if (node->numChildren()) {
1046                     // This will only happen if the children have no type predictions. We
1047                     // would have already exited by now, but insert a forced exit just to
1048                     // be safe.
1049                     m_insertionSet.insertNode(
1050                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1051                 }
1052                 break;
1053             case ALL_INT32_INDEXING_TYPES:
1054                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1055                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1056                 break;
1057             case ALL_DOUBLE_INDEXING_TYPES:
1058                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1059                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1060                 break;
1061             case ALL_CONTIGUOUS_INDEXING_TYPES:
1062             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1063                 break;
1064             default:
1065                 CRASH();
1066                 break;
1067             }
1068             break;
1069         }
1070             
1071         case NewTypedArray: {
1072             watchHavingABadTime(node);
1073             
1074             if (node->child1()->shouldSpeculateInt32()) {
1075                 fixEdge<Int32Use>(node->child1());
1076                 node->clearFlags(NodeMustGenerate);
1077                 break;
1078             }
1079             break;
1080         }
1081             
1082         case NewArrayWithSize: {
1083             watchHavingABadTime(node);
1084             fixEdge<Int32Use>(node->child1());
1085             break;
1086         }
1087
1088         case CallObjectConstructor: {
1089             if (node->child1()->shouldSpeculateObject()) {
1090                 fixEdge<ObjectUse>(node->child1());
1091                 node->convertToIdentity();
1092                 break;
1093             }
1094
1095             fixEdge<UntypedUse>(node->child1());
1096             break;
1097         }
1098
1099         case ToThis: {
1100             fixupToThis(node);
1101             break;
1102         }
1103             
1104         case PutStructure: {
1105             fixEdge<KnownCellUse>(node->child1());
1106             break;
1107         }
1108             
1109         case GetClosureVar:
1110         case GetFromArguments: {
1111             fixEdge<KnownCellUse>(node->child1());
1112             break;
1113         }
1114
1115         case PutClosureVar:
1116         case PutToArguments: {
1117             fixEdge<KnownCellUse>(node->child1());
1118             speculateForBarrier(node->child2());
1119             break;
1120         }
1121
1122         case SkipScope:
1123         case GetScope:
1124         case GetGetter:
1125         case GetSetter:
1126         case GetGlobalObject: {
1127             fixEdge<KnownCellUse>(node->child1());
1128             break;
1129         }
1130             
1131         case AllocatePropertyStorage:
1132         case ReallocatePropertyStorage: {
1133             fixEdge<KnownCellUse>(node->child1());
1134             break;
1135         }
1136
1137         case TryGetById: {
1138             if (node->child1()->shouldSpeculateCell())
1139                 fixEdge<CellUse>(node->child1());
1140             break;
1141         }
1142
1143         case GetById:
1144         case GetByIdFlush: {
1145             // FIXME: This should be done in the ByteCodeParser based on reading the
1146             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1147             // https://bugs.webkit.org/show_bug.cgi?id=154990
1148             if (node->child1()->shouldSpeculateCellOrOther()
1149                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1150                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1151                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1152                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1153                 
1154                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1155                 
1156                 if (uid == vm().propertyNames->length.impl()) {
1157                     attemptToMakeGetArrayLength(node);
1158                     break;
1159                 }
1160
1161                 if (uid == vm().propertyNames->lastIndex.impl()
1162                     && node->child1()->shouldSpeculateRegExpObject()) {
1163                     node->setOp(GetRegExpObjectLastIndex);
1164                     node->clearFlags(NodeMustGenerate);
1165                     fixEdge<RegExpObjectUse>(node->child1());
1166                     break;
1167                 }
1168             }
1169
1170             if (node->child1()->shouldSpeculateCell())
1171                 fixEdge<CellUse>(node->child1());
1172             break;
1173         }
1174
1175         case PutById:
1176         case PutByIdFlush:
1177         case PutByIdDirect: {
1178             if (node->child1()->shouldSpeculateCellOrOther()
1179                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1180                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1181                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1182                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1183                 
1184                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1185                 
1186                 if (uid == vm().propertyNames->lastIndex.impl()
1187                     && node->child1()->shouldSpeculateRegExpObject()) {
1188                     node->setOp(SetRegExpObjectLastIndex);
1189                     fixEdge<RegExpObjectUse>(node->child1());
1190                     speculateForBarrier(node->child2());
1191                     break;
1192                 }
1193             }
1194             
1195             fixEdge<CellUse>(node->child1());
1196             break;
1197         }
1198
1199         case PutGetterById:
1200         case PutSetterById: {
1201             fixEdge<KnownCellUse>(node->child1());
1202             fixEdge<KnownCellUse>(node->child2());
1203             break;
1204         }
1205
1206         case PutGetterSetterById: {
1207             fixEdge<KnownCellUse>(node->child1());
1208             break;
1209         }
1210
1211         case PutGetterByVal:
1212         case PutSetterByVal: {
1213             fixEdge<KnownCellUse>(node->child1());
1214             fixEdge<KnownCellUse>(node->child3());
1215             break;
1216         }
1217
1218         case GetExecutable: {
1219             fixEdge<FunctionUse>(node->child1());
1220             break;
1221         }
1222
1223         case OverridesHasInstance:
1224         case CheckStructure:
1225         case CheckCell:
1226         case CreateThis:
1227         case GetButterfly: {
1228             fixEdge<CellUse>(node->child1());
1229             break;
1230         }
1231
1232         case CheckStringIdent: {
1233             fixEdge<StringIdentUse>(node->child1());
1234             break;
1235         }
1236             
1237         case Arrayify:
1238         case ArrayifyToStructure: {
1239             fixEdge<CellUse>(node->child1());
1240             if (node->child2())
1241                 fixEdge<Int32Use>(node->child2());
1242             break;
1243         }
1244             
1245         case GetByOffset:
1246         case GetGetterSetterByOffset: {
1247             if (!node->child1()->hasStorageResult())
1248                 fixEdge<KnownCellUse>(node->child1());
1249             fixEdge<KnownCellUse>(node->child2());
1250             break;
1251         }
1252             
1253         case MultiGetByOffset: {
1254             fixEdge<CellUse>(node->child1());
1255             break;
1256         }
1257             
1258         case PutByOffset: {
1259             if (!node->child1()->hasStorageResult())
1260                 fixEdge<KnownCellUse>(node->child1());
1261             fixEdge<KnownCellUse>(node->child2());
1262             insertInferredTypeCheck(
1263                 m_insertionSet, m_indexInBlock, node->origin, node->child3().node(),
1264                 node->storageAccessData().inferredType);
1265             speculateForBarrier(node->child3());
1266             break;
1267         }
1268             
1269         case MultiPutByOffset: {
1270             fixEdge<CellUse>(node->child1());
1271             speculateForBarrier(node->child2());
1272             break;
1273         }
1274             
1275         case InstanceOf: {
1276             if (!(node->child1()->prediction() & ~SpecCell))
1277                 fixEdge<CellUse>(node->child1());
1278             fixEdge<CellUse>(node->child2());
1279             break;
1280         }
1281
1282         case InstanceOfCustom:
1283             fixEdge<CellUse>(node->child2());
1284             break;
1285
1286         case In: {
1287             // FIXME: We should at some point have array profiling on op_in, in which
1288             // case we would be able to turn this into a kind of GetByVal.
1289             
1290             fixEdge<CellUse>(node->child2());
1291             break;
1292         }
1293
1294         case Check: {
1295             m_graph.doToChildren(
1296                 node,
1297                 [&] (Edge& edge) {
1298                     switch (edge.useKind()) {
1299                     case NumberUse:
1300                         if (edge->shouldSpeculateInt32ForArithmetic())
1301                             edge.setUseKind(Int32Use);
1302                         break;
1303                     default:
1304                         break;
1305                     }
1306                     observeUseKindOnEdge(edge);
1307                 });
1308             break;
1309         }
1310
1311         case Phantom:
1312             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1313             node->remove();
1314             break;
1315
1316         case FiatInt52: {
1317             RELEASE_ASSERT(enableInt52());
1318             node->convertToIdentity();
1319             fixEdge<Int52RepUse>(node->child1());
1320             node->setResult(NodeResultInt52);
1321             break;
1322         }
1323
1324         case GetArrayLength: {
1325             fixEdge<KnownCellUse>(node->child1());
1326             break;
1327         }
1328
1329         case GetTypedArrayByteOffset: {
1330             fixEdge<KnownCellUse>(node->child1());
1331             break;
1332         }
1333
1334         case Phi:
1335         case Upsilon:
1336         case GetIndexedPropertyStorage:
1337         case LastNodeType:
1338         case CheckTierUpInLoop:
1339         case CheckTierUpAtReturn:
1340         case CheckTierUpAndOSREnter:
1341         case InvalidationPoint:
1342         case CheckArray:
1343         case CheckInBounds:
1344         case ConstantStoragePointer:
1345         case DoubleAsInt32:
1346         case ValueToInt32:
1347         case DoubleRep:
1348         case ValueRep:
1349         case Int52Rep:
1350         case Int52Constant:
1351         case Identity: // This should have been cleaned up.
1352         case BooleanToNumber:
1353         case PhantomNewObject:
1354         case PhantomNewFunction:
1355         case PhantomNewGeneratorFunction:
1356         case PhantomCreateActivation:
1357         case PhantomDirectArguments:
1358         case PhantomClonedArguments:
1359         case GetMyArgumentByVal:
1360         case GetMyArgumentByValOutOfBounds:
1361         case PutHint:
1362         case CheckStructureImmediate:
1363         case MaterializeNewObject:
1364         case MaterializeCreateActivation:
1365         case PutStack:
1366         case KillStack:
1367         case GetStack:
1368         case StoreBarrier:
1369         case GetRegExpObjectLastIndex:
1370         case SetRegExpObjectLastIndex:
1371         case RecordRegExpCachedResult:
1372             // These are just nodes that we don't currently expect to see during fixup.
1373             // If we ever wanted to insert them prior to fixup, then we just have to create
1374             // fixup rules for them.
1375             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1376             break;
1377         
1378         case PutGlobalVariable: {
1379             fixEdge<CellUse>(node->child1());
1380             speculateForBarrier(node->child2());
1381             break;
1382         }
1383
1384         case IsString:
1385             if (node->child1()->shouldSpeculateString()) {
1386                 m_insertionSet.insertNode(
1387                     m_indexInBlock, SpecNone, Check, node->origin,
1388                     Edge(node->child1().node(), StringUse));
1389                 m_graph.convertToConstant(node, jsBoolean(true));
1390                 observeUseKindOnNode<StringUse>(node);
1391             }
1392             break;
1393
1394         case IsObject:
1395             if (node->child1()->shouldSpeculateObject()) {
1396                 m_insertionSet.insertNode(
1397                     m_indexInBlock, SpecNone, Check, node->origin,
1398                     Edge(node->child1().node(), ObjectUse));
1399                 m_graph.convertToConstant(node, jsBoolean(true));
1400                 observeUseKindOnNode<ObjectUse>(node);
1401             }
1402             break;
1403
1404         case GetEnumerableLength: {
1405             fixEdge<CellUse>(node->child1());
1406             break;
1407         }
1408         case HasGenericProperty: {
1409             fixEdge<CellUse>(node->child2());
1410             break;
1411         }
1412         case HasStructureProperty: {
1413             fixEdge<StringUse>(node->child2());
1414             fixEdge<KnownCellUse>(node->child3());
1415             break;
1416         }
1417         case HasIndexedProperty: {
1418             node->setArrayMode(
1419                 node->arrayMode().refine(
1420                     m_graph, node,
1421                     node->child1()->prediction(),
1422                     node->child2()->prediction(),
1423                     SpecNone));
1424             
1425             blessArrayOperation(node->child1(), node->child2(), node->child3());
1426             fixEdge<CellUse>(node->child1());
1427             fixEdge<KnownInt32Use>(node->child2());
1428             break;
1429         }
1430         case GetDirectPname: {
1431             Edge& base = m_graph.varArgChild(node, 0);
1432             Edge& property = m_graph.varArgChild(node, 1);
1433             Edge& index = m_graph.varArgChild(node, 2);
1434             Edge& enumerator = m_graph.varArgChild(node, 3);
1435             fixEdge<CellUse>(base);
1436             fixEdge<KnownCellUse>(property);
1437             fixEdge<KnownInt32Use>(index);
1438             fixEdge<KnownCellUse>(enumerator);
1439             break;
1440         }
1441         case GetPropertyEnumerator: {
1442             fixEdge<CellUse>(node->child1());
1443             break;
1444         }
1445         case GetEnumeratorStructurePname: {
1446             fixEdge<KnownCellUse>(node->child1());
1447             fixEdge<KnownInt32Use>(node->child2());
1448             break;
1449         }
1450         case GetEnumeratorGenericPname: {
1451             fixEdge<KnownCellUse>(node->child1());
1452             fixEdge<KnownInt32Use>(node->child2());
1453             break;
1454         }
1455         case ToIndexString: {
1456             fixEdge<KnownInt32Use>(node->child1());
1457             break;
1458         }
1459         case ProfileType: {
1460             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1461             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1462             // type T for the instructionTypeSet, the global type set must also have information for type T.
1463             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1464             // in the globalTypeSet would've also succeeded.
1465             // (The other direction does not hold in general).
1466
1467             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1468             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1469             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1470                 if (node->child1()->shouldSpeculateInt32()) {
1471                     fixEdge<Int32Use>(node->child1());
1472                     node->remove();
1473                     break;
1474                 }
1475
1476                 if (enableInt52()) {
1477                     fixEdge<AnyIntUse>(node->child1());
1478                     node->remove();
1479                     break;
1480                 }
1481
1482                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1483             }
1484
1485             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1486                 fixEdge<NumberUse>(node->child1());
1487                 node->remove();
1488             } else if (typeSet->doesTypeConformTo(TypeString)) {
1489                 fixEdge<StringUse>(node->child1());
1490                 node->remove();
1491             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1492                 fixEdge<BooleanUse>(node->child1());
1493                 node->remove();
1494             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1495                 fixEdge<OtherUse>(node->child1());
1496                 node->remove();
1497             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1498                 StructureSet set;
1499                 {
1500                     ConcurrentJITLocker locker(typeSet->m_lock);
1501                     set = typeSet->structureSet(locker);
1502                 }
1503                 if (!set.isEmpty()) {
1504                     fixEdge<CellUse>(node->child1());
1505                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1506                 }
1507             }
1508
1509             break;
1510         }
1511
1512         case CreateScopedArguments:
1513         case CreateActivation:
1514         case NewFunction:
1515         case NewGeneratorFunction: {
1516             fixEdge<CellUse>(node->child1());
1517             break;
1518         }
1519
1520         case SetFunctionName: {
1521             // The first child is guaranteed to be a cell because op_set_function_name is only used
1522             // on a newly instantiated function object (the first child).
1523             fixEdge<KnownCellUse>(node->child1());
1524             fixEdge<UntypedUse>(node->child2());
1525             break;
1526         }
1527
1528         case CreateRest: {
1529             watchHavingABadTime(node);
1530             fixEdge<KnownInt32Use>(node->child1());
1531             break;
1532         }
1533
1534         case ResolveScope:
1535         case GetDynamicVar:
1536         case PutDynamicVar: {
1537             fixEdge<KnownCellUse>(node->child1());
1538             break;
1539         }
1540
1541         case LogShadowChickenPrologue: {
1542             fixEdge<KnownCellUse>(node->child1());
1543             break;
1544         }
1545         case LogShadowChickenTail: {
1546             fixEdge<UntypedUse>(node->child1());
1547             fixEdge<KnownCellUse>(node->child2());
1548             break;
1549         }
1550
1551 #if !ASSERT_DISABLED
1552         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
1553         case SetArgument:
1554         case JSConstant:
1555         case LazyJSConstant:
1556         case DoubleConstant:
1557         case GetLocal:
1558         case GetCallee:
1559         case GetArgumentCountIncludingThis:
1560         case GetRestLength:
1561         case Flush:
1562         case PhantomLocal:
1563         case GetLocalUnlinked:
1564         case GetGlobalVar:
1565         case GetGlobalLexicalVariable:
1566         case NotifyWrite:
1567         case Call:
1568         case CheckTypeInfoFlags:
1569         case TailCallInlinedCaller:
1570         case Construct:
1571         case CallVarargs:
1572         case CallEval:
1573         case TailCallVarargsInlinedCaller:
1574         case ConstructVarargs:
1575         case CallForwardVarargs:
1576         case ConstructForwardVarargs:
1577         case TailCallForwardVarargs:
1578         case TailCallForwardVarargsInlinedCaller:
1579         case LoadVarargs:
1580         case ForwardVarargs:
1581         case ProfileControlFlow:
1582         case NewObject:
1583         case NewArrayBuffer:
1584         case NewRegexp:
1585         case DeleteById:
1586         case DeleteByVal:
1587         case IsJSArray:
1588         case IsTypedArrayView:
1589         case IsEmpty:
1590         case IsUndefined:
1591         case IsBoolean:
1592         case IsNumber:
1593         case IsObjectOrNull:
1594         case IsFunction:
1595         case IsRegExpObject:
1596         case CreateDirectArguments:
1597         case CreateClonedArguments:
1598         case Jump:
1599         case Return:
1600         case TailCall:
1601         case TailCallVarargs:
1602         case Throw:
1603         case ThrowReferenceError:
1604         case CountExecution:
1605         case ForceOSRExit:
1606         case CheckBadCell:
1607         case CheckNotEmpty:
1608         case CheckWatchdogTimer:
1609         case Unreachable:
1610         case ExtractOSREntryLocal:
1611         case LoopHint:
1612         case MovHint:
1613         case ZombieHint:
1614         case ExitOK:
1615         case BottomValue:
1616         case TypeOf:
1617         case GetByIdWithThis:
1618         case PutByIdWithThis:
1619         case PutByValWithThis:
1620         case GetByValWithThis:
1621         case CompareEqPtr:
1622             break;
1623             
1624             break;
1625 #else
1626         default:
1627             break;
1628 #endif
1629         }
1630     }
1631
1632     void watchHavingABadTime(Node* node)
1633     {
1634         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1635
1636         // If this global object is not having a bad time, watch it. We go down this path anytime the code
1637         // does an array allocation. The types of array allocations may change if we start to have a bad
1638         // time. It's easier to reason about this if we know that whenever the types change after we start
1639         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
1640         // prior to this point nobody should have been doing optimizations based on the indexing type of
1641         // the allocation.
1642         if (!globalObject->isHavingABadTime())
1643             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
1644     }
1645     
1646     template<UseKind useKind>
1647     void createToString(Node* node, Edge& edge)
1648     {
1649         edge.setNode(m_insertionSet.insertNode(
1650             m_indexInBlock, SpecString, ToString, node->origin,
1651             Edge(edge.node(), useKind)));
1652     }
1653     
1654     template<UseKind useKind>
1655     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
1656     {
1657         ASSERT(arrayMode == ArrayMode(Array::Generic));
1658         
1659         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
1660             return;
1661         
1662         createToString<useKind>(node, node->child1());
1663         arrayMode = ArrayMode(Array::String);
1664     }
1665     
1666     template<UseKind useKind>
1667     bool isStringObjectUse()
1668     {
1669         switch (useKind) {
1670         case StringObjectUse:
1671         case StringOrStringObjectUse:
1672             return true;
1673         default:
1674             return false;
1675         }
1676     }
1677     
1678     template<UseKind useKind>
1679     void convertStringAddUse(Node* node, Edge& edge)
1680     {
1681         if (useKind == StringUse) {
1682             observeUseKindOnNode<StringUse>(edge.node());
1683             m_insertionSet.insertNode(
1684                 m_indexInBlock, SpecNone, Check, node->origin,
1685                 Edge(edge.node(), StringUse));
1686             edge.setUseKind(KnownStringUse);
1687             return;
1688         }
1689         
1690         observeUseKindOnNode<useKind>(edge.node());
1691         createToString<useKind>(node, edge);
1692     }
1693     
1694     void convertToMakeRope(Node* node)
1695     {
1696         node->setOpAndDefaultFlags(MakeRope);
1697         fixupMakeRope(node);
1698     }
1699     
1700     void fixupMakeRope(Node* node)
1701     {
1702         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
1703             Edge& edge = node->children.child(i);
1704             if (!edge)
1705                 break;
1706             edge.setUseKind(KnownStringUse);
1707             JSString* string = edge->dynamicCastConstant<JSString*>();
1708             if (!string)
1709                 continue;
1710             if (string->length())
1711                 continue;
1712             
1713             // Don't allow the MakeRope to have zero children.
1714             if (!i && !node->child2())
1715                 break;
1716             
1717             node->children.removeEdge(i--);
1718         }
1719         
1720         if (!node->child2()) {
1721             ASSERT(!node->child3());
1722             node->convertToIdentity();
1723         }
1724     }
1725
1726     void fixupToThis(Node* node)
1727     {
1728         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
1729
1730         if (ecmaMode == StrictMode) {
1731             if (node->child1()->shouldSpeculateBoolean()) {
1732                 fixEdge<BooleanUse>(node->child1());
1733                 node->convertToIdentity();
1734                 return;
1735             }
1736
1737             if (node->child1()->shouldSpeculateInt32()) {
1738                 fixEdge<Int32Use>(node->child1());
1739                 node->convertToIdentity();
1740                 return;
1741             }
1742
1743             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1744                 fixEdge<Int52RepUse>(node->child1());
1745                 node->convertToIdentity();
1746                 node->setResult(NodeResultInt52);
1747                 return;
1748             }
1749
1750             if (node->child1()->shouldSpeculateNumber()) {
1751                 fixEdge<DoubleRepUse>(node->child1());
1752                 node->convertToIdentity();
1753                 node->setResult(NodeResultDouble);
1754                 return;
1755             }
1756
1757             if (node->child1()->shouldSpeculateSymbol()) {
1758                 fixEdge<SymbolUse>(node->child1());
1759                 node->convertToIdentity();
1760                 return;
1761             }
1762
1763             if (node->child1()->shouldSpeculateStringIdent()) {
1764                 fixEdge<StringIdentUse>(node->child1());
1765                 node->convertToIdentity();
1766                 return;
1767             }
1768
1769             if (node->child1()->shouldSpeculateString()) {
1770                 fixEdge<StringUse>(node->child1());
1771                 node->convertToIdentity();
1772                 return;
1773             }
1774         }
1775
1776         if (node->child1()->shouldSpeculateOther()) {
1777             if (ecmaMode == StrictMode) {
1778                 fixEdge<OtherUse>(node->child1());
1779                 node->convertToIdentity();
1780                 return;
1781             }
1782
1783             m_insertionSet.insertNode(
1784                 m_indexInBlock, SpecNone, Check, node->origin,
1785                 Edge(node->child1().node(), OtherUse));
1786             observeUseKindOnNode<OtherUse>(node->child1().node());
1787             m_graph.convertToConstant(
1788                 node, m_graph.globalThisObjectFor(node->origin.semantic));
1789             return;
1790         }
1791
1792         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
1793         // however, since we cover all the missing cases in constant folding.
1794         // https://bugs.webkit.org/show_bug.cgi?id=157213
1795         if (node->child1()->shouldSpeculateStringObject()) {
1796             fixEdge<StringObjectUse>(node->child1());
1797             node->convertToIdentity();
1798             return;
1799         }
1800
1801         if (isFinalObjectSpeculation(node->child1()->prediction())) {
1802             fixEdge<FinalObjectUse>(node->child1());
1803             node->convertToIdentity();
1804             return;
1805         }
1806     }
1807     
1808     void fixupToPrimitive(Node* node)
1809     {
1810         if (node->child1()->shouldSpeculateInt32()) {
1811             fixEdge<Int32Use>(node->child1());
1812             node->convertToIdentity();
1813             return;
1814         }
1815         
1816         if (node->child1()->shouldSpeculateString()) {
1817             fixEdge<StringUse>(node->child1());
1818             node->convertToIdentity();
1819             return;
1820         }
1821         
1822         if (node->child1()->shouldSpeculateStringObject()
1823             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1824             fixEdge<StringObjectUse>(node->child1());
1825             node->convertToToString();
1826             return;
1827         }
1828         
1829         if (node->child1()->shouldSpeculateStringOrStringObject()
1830             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1831             fixEdge<StringOrStringObjectUse>(node->child1());
1832             node->convertToToString();
1833             return;
1834         }
1835     }
1836
1837     void fixupToNumber(Node* node)
1838     {
1839         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
1840         if (node->child1()->shouldSpeculateNumber()) {
1841             if (isInt32Speculation(node->getHeapPrediction())) {
1842                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
1843                 if (node->child1()->shouldSpeculateInt32()) {
1844                     fixEdge<Int32Use>(node->child1());
1845                     node->convertToIdentity();
1846                     return;
1847                 }
1848
1849                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
1850                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
1851                 fixEdge<DoubleRepUse>(node->child1());
1852                 node->setOp(DoubleAsInt32);
1853                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
1854                     node->setArithMode(Arith::CheckOverflow);
1855                 else
1856                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
1857                 return;
1858             }
1859
1860             fixEdge<DoubleRepUse>(node->child1());
1861             node->convertToIdentity();
1862             node->setResult(NodeResultDouble);
1863             return;
1864         }
1865
1866         fixEdge<UntypedUse>(node->child1());
1867         node->setResult(NodeResultJS);
1868     }
1869     
1870     void fixupToStringOrCallStringConstructor(Node* node)
1871     {
1872         if (node->child1()->shouldSpeculateString()) {
1873             fixEdge<StringUse>(node->child1());
1874             node->convertToIdentity();
1875             return;
1876         }
1877         
1878         if (node->child1()->shouldSpeculateStringObject()
1879             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1880             fixEdge<StringObjectUse>(node->child1());
1881             return;
1882         }
1883         
1884         if (node->child1()->shouldSpeculateStringOrStringObject()
1885             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1886             fixEdge<StringOrStringObjectUse>(node->child1());
1887             return;
1888         }
1889         
1890         if (node->child1()->shouldSpeculateCell()) {
1891             fixEdge<CellUse>(node->child1());
1892             return;
1893         }
1894     }
1895
1896     bool attemptToMakeFastStringAdd(Node* node)
1897     {
1898         bool goodToGo = true;
1899         m_graph.doToChildren(
1900             node,
1901             [&] (Edge& edge) {
1902                 if (edge->shouldSpeculateString())
1903                     return;
1904                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
1905                     if (edge->shouldSpeculateStringObject())
1906                         return;
1907                     if (edge->shouldSpeculateStringOrStringObject())
1908                         return;
1909                 }
1910                 goodToGo = false;
1911             });
1912         if (!goodToGo)
1913             return false;
1914
1915         m_graph.doToChildren(
1916             node,
1917             [&] (Edge& edge) {
1918                 if (edge->shouldSpeculateString()) {
1919                     convertStringAddUse<StringUse>(node, edge);
1920                     return;
1921                 }
1922                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
1923                 if (edge->shouldSpeculateStringObject()) {
1924                     convertStringAddUse<StringObjectUse>(node, edge);
1925                     return;
1926                 }
1927                 if (edge->shouldSpeculateStringOrStringObject()) {
1928                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
1929                     return;
1930                 }
1931                 RELEASE_ASSERT_NOT_REACHED();
1932             });
1933         
1934         convertToMakeRope(node);
1935         return true;
1936     }
1937
1938     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
1939     {
1940         if (!block)
1941             return;
1942         ASSERT(block->isReachable);
1943         m_block = block;
1944         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
1945             Node* node = m_currentNode = block->at(m_indexInBlock);
1946             if (node->op() != SetLocal && node->op() != GetLocal)
1947                 continue;
1948             
1949             VariableAccessData* variable = node->variableAccessData();
1950             switch (node->op()) {
1951             case GetLocal:
1952                 switch (variable->flushFormat()) {
1953                 case FlushedDouble:
1954                     node->setResult(NodeResultDouble);
1955                     break;
1956                 case FlushedInt52:
1957                     node->setResult(NodeResultInt52);
1958                     break;
1959                 default:
1960                     break;
1961                 }
1962                 break;
1963                 
1964             case SetLocal:
1965                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
1966                 // add new type checking use kind for SetLocals, we need to modify that code as well.
1967                 
1968                 switch (variable->flushFormat()) {
1969                 case FlushedJSValue:
1970                     break;
1971                 case FlushedDouble:
1972                     fixEdge<DoubleRepUse>(node->child1());
1973                     break;
1974                 case FlushedInt32:
1975                     fixEdge<Int32Use>(node->child1());
1976                     break;
1977                 case FlushedInt52:
1978                     fixEdge<Int52RepUse>(node->child1());
1979                     break;
1980                 case FlushedCell:
1981                     fixEdge<CellUse>(node->child1());
1982                     break;
1983                 case FlushedBoolean:
1984                     fixEdge<BooleanUse>(node->child1());
1985                     break;
1986                 default:
1987                     RELEASE_ASSERT_NOT_REACHED();
1988                     break;
1989                 }
1990                 break;
1991                 
1992             default:
1993                 RELEASE_ASSERT_NOT_REACHED();
1994                 break;
1995             }
1996         }
1997         m_insertionSet.execute(block);
1998     }
1999     
2000     void addStringReplacePrimordialChecks(Node* searchRegExp)
2001     {
2002         Node* node = m_currentNode;
2003
2004         // Check that structure of searchRegExp is RegExp object
2005         m_insertionSet.insertNode(
2006             m_indexInBlock, SpecNone, Check, node->origin,
2007             Edge(searchRegExp, RegExpObjectUse));
2008
2009         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2010             unsigned index = m_graph.identifiers().ensure(propertyUID);
2011
2012             Node* actualProperty = m_insertionSet.insertNode(
2013                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2014                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2015
2016             m_insertionSet.insertNode(
2017                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2018                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2019         };
2020
2021         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2022
2023         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2024         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2025         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2026         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2027         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2028         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2029         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2030         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2031     }
2032
2033     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2034     {
2035         ASSERT(arrayMode.isSpecific());
2036         
2037         if (arrayMode.type() == Array::String) {
2038             m_insertionSet.insertNode(
2039                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2040         } else {
2041             // Note that we only need to be using a structure check if we opt for SaneChain, since
2042             // that needs to protect against JSArray's __proto__ being changed.
2043             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2044         
2045             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2046             
2047             if (arrayMode.doesConversion()) {
2048                 if (structure) {
2049                     m_insertionSet.insertNode(
2050                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2051                         OpInfo(structure), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2052                 } else {
2053                     m_insertionSet.insertNode(
2054                         m_indexInBlock, SpecNone, Arrayify, origin,
2055                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2056                 }
2057             } else {
2058                 if (structure) {
2059                     m_insertionSet.insertNode(
2060                         m_indexInBlock, SpecNone, CheckStructure, origin,
2061                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2062                 } else {
2063                     m_insertionSet.insertNode(
2064                         m_indexInBlock, SpecNone, CheckArray, origin,
2065                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2066                 }
2067             }
2068         }
2069         
2070         if (!storageCheck(arrayMode))
2071             return 0;
2072         
2073         if (arrayMode.usesButterfly()) {
2074             return m_insertionSet.insertNode(
2075                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2076         }
2077         
2078         return m_insertionSet.insertNode(
2079             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2080             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2081     }
2082     
2083     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2084     {
2085         Node* node = m_currentNode;
2086         
2087         switch (node->arrayMode().type()) {
2088         case Array::ForceExit: {
2089             m_insertionSet.insertNode(
2090                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2091             return;
2092         }
2093             
2094         case Array::SelectUsingPredictions:
2095         case Array::Unprofiled:
2096             RELEASE_ASSERT_NOT_REACHED();
2097             return;
2098             
2099         case Array::Generic:
2100             return;
2101             
2102         default: {
2103             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2104             if (!storage)
2105                 return;
2106             
2107             storageChild = Edge(storage);
2108             return;
2109         } }
2110     }
2111     
2112     bool alwaysUnboxSimplePrimitives()
2113     {
2114 #if USE(JSVALUE64)
2115         return false;
2116 #else
2117         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2118         // reduces traffic.
2119         return true;
2120 #endif
2121     }
2122
2123     template<UseKind useKind>
2124     void observeUseKindOnNode(Node* node)
2125     {
2126         if (useKind == UntypedUse)
2127             return;
2128         observeUseKindOnNode(node, useKind);
2129     }
2130
2131     void observeUseKindOnEdge(Edge edge)
2132     {
2133         observeUseKindOnNode(edge.node(), edge.useKind());
2134     }
2135
2136     void observeUseKindOnNode(Node* node, UseKind useKind)
2137     {
2138         if (node->op() != GetLocal)
2139             return;
2140         
2141         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2142         // https://bugs.webkit.org/show_bug.cgi?id=121518
2143         
2144         VariableAccessData* variable = node->variableAccessData();
2145         switch (useKind) {
2146         case Int32Use:
2147         case KnownInt32Use:
2148             if (alwaysUnboxSimplePrimitives()
2149                 || isInt32Speculation(variable->prediction()))
2150                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2151             break;
2152         case NumberUse:
2153         case RealNumberUse:
2154         case DoubleRepUse:
2155         case DoubleRepRealUse:
2156             if (variable->doubleFormatState() == UsingDoubleFormat)
2157                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2158             break;
2159         case BooleanUse:
2160         case KnownBooleanUse:
2161             if (alwaysUnboxSimplePrimitives()
2162                 || isBooleanSpeculation(variable->prediction()))
2163                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2164             break;
2165         case Int52RepUse:
2166             if (isAnyIntSpeculation(variable->prediction()))
2167                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2168             break;
2169         case CellUse:
2170         case KnownCellUse:
2171         case ObjectUse:
2172         case FunctionUse:
2173         case StringUse:
2174         case KnownStringUse:
2175         case SymbolUse:
2176         case StringObjectUse:
2177         case StringOrStringObjectUse:
2178             if (alwaysUnboxSimplePrimitives()
2179                 || isCellSpeculation(variable->prediction()))
2180                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2181             break;
2182         default:
2183             break;
2184         }
2185     }
2186     
2187     template<UseKind useKind>
2188     void fixEdge(Edge& edge)
2189     {
2190         observeUseKindOnNode<useKind>(edge.node());
2191         edge.setUseKind(useKind);
2192     }
2193     
2194     void speculateForBarrier(Edge value)
2195     {
2196         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2197         // the DFG anyway because if such a speculation would be wrong, we want to know before
2198         // we do an expensive compile.
2199         
2200         if (value->shouldSpeculateInt32()) {
2201             insertCheck<Int32Use>(m_indexInBlock, value.node());
2202             return;
2203         }
2204             
2205         if (value->shouldSpeculateBoolean()) {
2206             insertCheck<BooleanUse>(m_indexInBlock, value.node());
2207             return;
2208         }
2209             
2210         if (value->shouldSpeculateOther()) {
2211             insertCheck<OtherUse>(m_indexInBlock, value.node());
2212             return;
2213         }
2214             
2215         if (value->shouldSpeculateNumber()) {
2216             insertCheck<NumberUse>(m_indexInBlock, value.node());
2217             return;
2218         }
2219             
2220         if (value->shouldSpeculateNotCell()) {
2221             insertCheck<NotCellUse>(m_indexInBlock, value.node());
2222             return;
2223         }
2224     }
2225     
2226     template<UseKind useKind>
2227     void insertCheck(unsigned indexInBlock, Node* node)
2228     {
2229         observeUseKindOnNode<useKind>(node);
2230         m_insertionSet.insertNode(
2231             indexInBlock, SpecNone, Check, m_currentNode->origin, Edge(node, useKind));
2232     }
2233
2234     void fixIntConvertingEdge(Edge& edge)
2235     {
2236         Node* node = edge.node();
2237         if (node->shouldSpeculateInt32OrBoolean()) {
2238             fixIntOrBooleanEdge(edge);
2239             return;
2240         }
2241         
2242         UseKind useKind;
2243         if (node->shouldSpeculateAnyInt())
2244             useKind = Int52RepUse;
2245         else if (node->shouldSpeculateNumber())
2246             useKind = DoubleRepUse;
2247         else
2248             useKind = NotCellUse;
2249         Node* newNode = m_insertionSet.insertNode(
2250             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
2251             Edge(node, useKind));
2252         observeUseKindOnNode(node, useKind);
2253         
2254         edge = Edge(newNode, KnownInt32Use);
2255     }
2256     
2257     void fixIntOrBooleanEdge(Edge& edge)
2258     {
2259         Node* node = edge.node();
2260         if (!node->sawBooleans()) {
2261             fixEdge<Int32Use>(edge);
2262             return;
2263         }
2264         
2265         UseKind useKind;
2266         if (node->shouldSpeculateBoolean())
2267             useKind = BooleanUse;
2268         else
2269             useKind = UntypedUse;
2270         Node* newNode = m_insertionSet.insertNode(
2271             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2272             Edge(node, useKind));
2273         observeUseKindOnNode(node, useKind);
2274         
2275         edge = Edge(newNode, Int32Use);
2276     }
2277     
2278     void fixDoubleOrBooleanEdge(Edge& edge)
2279     {
2280         Node* node = edge.node();
2281         if (!node->sawBooleans()) {
2282             fixEdge<DoubleRepUse>(edge);
2283             return;
2284         }
2285         
2286         UseKind useKind;
2287         if (node->shouldSpeculateBoolean())
2288             useKind = BooleanUse;
2289         else
2290             useKind = UntypedUse;
2291         Node* newNode = m_insertionSet.insertNode(
2292             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2293             Edge(node, useKind));
2294         observeUseKindOnNode(node, useKind);
2295         
2296         edge = Edge(newNode, DoubleRepUse);
2297     }
2298     
2299     void truncateConstantToInt32(Edge& edge)
2300     {
2301         Node* oldNode = edge.node();
2302         
2303         JSValue value = oldNode->asJSValue();
2304         if (value.isInt32())
2305             return;
2306         
2307         value = jsNumber(JSC::toInt32(value.asNumber()));
2308         ASSERT(value.isInt32());
2309         edge.setNode(m_insertionSet.insertNode(
2310             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
2311             OpInfo(m_graph.freeze(value))));
2312     }
2313     
2314     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
2315     {
2316         if (mode != SpeculateInt32AndTruncateConstants)
2317             return;
2318         
2319         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
2320         if (node->child1()->hasConstant())
2321             truncateConstantToInt32(node->child1());
2322         else
2323             truncateConstantToInt32(node->child2());
2324     }
2325     
2326     bool attemptToMakeIntegerAdd(Node* node)
2327     {
2328         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
2329         if (mode != DontSpeculateInt32) {
2330             truncateConstantsIfNecessary(node, mode);
2331             fixIntOrBooleanEdge(node->child1());
2332             fixIntOrBooleanEdge(node->child2());
2333             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
2334                 node->setArithMode(Arith::Unchecked);
2335             else
2336                 node->setArithMode(Arith::CheckOverflow);
2337             return true;
2338         }
2339         
2340         if (m_graph.addShouldSpeculateAnyInt(node)) {
2341             fixEdge<Int52RepUse>(node->child1());
2342             fixEdge<Int52RepUse>(node->child2());
2343             node->setArithMode(Arith::CheckOverflow);
2344             node->setResult(NodeResultInt52);
2345             return true;
2346         }
2347         
2348         return false;
2349     }
2350     
2351     bool attemptToMakeGetArrayLength(Node* node)
2352     {
2353         if (!isInt32Speculation(node->prediction()))
2354             return false;
2355         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
2356         ArrayProfile* arrayProfile = 
2357             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
2358         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
2359         if (arrayProfile) {
2360             ConcurrentJITLocker locker(profiledBlock->m_lock);
2361             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
2362             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
2363             if (arrayMode.type() == Array::Unprofiled) {
2364                 // For normal array operations, it makes sense to treat Unprofiled
2365                 // accesses as ForceExit and get more data rather than using
2366                 // predictions and then possibly ending up with a Generic. But here,
2367                 // we treat anything that is Unprofiled as Generic and keep the
2368                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
2369                 // profit - from treating the Unprofiled case as
2370                 // SelectUsingPredictions.
2371                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
2372             }
2373         }
2374             
2375         arrayMode = arrayMode.refine(
2376             m_graph, node, node->child1()->prediction(), node->prediction());
2377             
2378         if (arrayMode.type() == Array::Generic) {
2379             // Check if the input is something that we can't get array length for, but for which we
2380             // could insert some conversions in order to transform it into something that we can do it
2381             // for.
2382             if (node->child1()->shouldSpeculateStringObject())
2383                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
2384             else if (node->child1()->shouldSpeculateStringOrStringObject())
2385                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
2386         }
2387             
2388         if (!arrayMode.supportsSelfLength())
2389             return false;
2390         
2391         convertToGetArrayLength(node, arrayMode);
2392         return true;
2393     }
2394
2395     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
2396     {
2397         node->setOp(GetArrayLength);
2398         node->clearFlags(NodeMustGenerate);
2399         fixEdge<KnownCellUse>(node->child1());
2400         node->setArrayMode(arrayMode);
2401             
2402         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
2403         if (!storage)
2404             return;
2405             
2406         node->child2() = Edge(storage);
2407     }
2408     
2409     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
2410     {
2411         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
2412         return m_insertionSet.insertNode(
2413             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
2414             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
2415     }
2416     
2417     void fixupChecksInBlock(BasicBlock* block)
2418     {
2419         if (!block)
2420             return;
2421         ASSERT(block->isReachable);
2422         m_block = block;
2423         unsigned indexForChecks = UINT_MAX;
2424         NodeOrigin originForChecks;
2425         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
2426             Node* node = block->at(indexInBlock);
2427
2428             // If this is a node at which we could exit, then save its index. If nodes after this one
2429             // cannot exit, then we will hoist checks to here.
2430             if (node->origin.exitOK) {
2431                 indexForChecks = indexInBlock;
2432                 originForChecks = node->origin;
2433             }
2434
2435             originForChecks = originForChecks.withSemantic(node->origin.semantic);
2436
2437             // First, try to relax the representational demands of each node, in order to have
2438             // fewer conversions.
2439             switch (node->op()) {
2440             case MovHint:
2441             case Check:
2442                 m_graph.doToChildren(
2443                     node,
2444                     [&] (Edge& edge) {
2445                         switch (edge.useKind()) {
2446                         case DoubleRepUse:
2447                         case DoubleRepRealUse:
2448                             if (edge->hasDoubleResult())
2449                                 break;
2450             
2451                             if (edge->hasInt52Result())
2452                                 edge.setUseKind(Int52RepUse);
2453                             else if (edge.useKind() == DoubleRepUse)
2454                                 edge.setUseKind(NumberUse);
2455                             break;
2456             
2457                         case Int52RepUse:
2458                             // Nothing we can really do.
2459                             break;
2460             
2461                         case UntypedUse:
2462                         case NumberUse:
2463                             if (edge->hasDoubleResult())
2464                                 edge.setUseKind(DoubleRepUse);
2465                             else if (edge->hasInt52Result())
2466                                 edge.setUseKind(Int52RepUse);
2467                             break;
2468             
2469                         case RealNumberUse:
2470                             if (edge->hasDoubleResult())
2471                                 edge.setUseKind(DoubleRepRealUse);
2472                             else if (edge->hasInt52Result())
2473                                 edge.setUseKind(Int52RepUse);
2474                             break;
2475             
2476                         default:
2477                             break;
2478                         }
2479                     });
2480                 break;
2481                 
2482             case ValueToInt32:
2483                 if (node->child1().useKind() == DoubleRepUse
2484                     && !node->child1()->hasDoubleResult()) {
2485                     node->child1().setUseKind(NumberUse);
2486                     break;
2487                 }
2488                 break;
2489                 
2490             default:
2491                 break;
2492             }
2493
2494             // Now, insert type conversions if necessary.
2495             m_graph.doToChildren(
2496                 node,
2497                 [&] (Edge& edge) {
2498                     Node* result = nullptr;
2499
2500                     switch (edge.useKind()) {
2501                     case DoubleRepUse:
2502                     case DoubleRepRealUse:
2503                     case DoubleRepAnyIntUse: {
2504                         if (edge->hasDoubleResult())
2505                             break;
2506             
2507                         if (edge->isNumberConstant()) {
2508                             result = m_insertionSet.insertNode(
2509                                 indexForChecks, SpecBytecodeDouble, DoubleConstant, originForChecks,
2510                                 OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber()))));
2511                         } else if (edge->hasInt52Result()) {
2512                             result = m_insertionSet.insertNode(
2513                                 indexForChecks, SpecAnyIntAsDouble, DoubleRep, originForChecks,
2514                                 Edge(edge.node(), Int52RepUse));
2515                         } else {
2516                             UseKind useKind;
2517                             if (edge->shouldSpeculateDoubleReal())
2518                                 useKind = RealNumberUse;
2519                             else if (edge->shouldSpeculateNumber())
2520                                 useKind = NumberUse;
2521                             else
2522                                 useKind = NotCellUse;
2523
2524                             result = m_insertionSet.insertNode(
2525                                 indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks,
2526                                 Edge(edge.node(), useKind));
2527                         }
2528
2529                         edge.setNode(result);
2530                         break;
2531                     }
2532             
2533                     case Int52RepUse: {
2534                         if (edge->hasInt52Result())
2535                             break;
2536             
2537                         if (edge->isAnyIntConstant()) {
2538                             result = m_insertionSet.insertNode(
2539                                 indexForChecks, SpecAnyInt, Int52Constant, originForChecks,
2540                                 OpInfo(edge->constant()));
2541                         } else if (edge->hasDoubleResult()) {
2542                             result = m_insertionSet.insertNode(
2543                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
2544                                 Edge(edge.node(), DoubleRepAnyIntUse));
2545                         } else if (edge->shouldSpeculateInt32ForArithmetic()) {
2546                             result = m_insertionSet.insertNode(
2547                                 indexForChecks, SpecInt32Only, Int52Rep, originForChecks,
2548                                 Edge(edge.node(), Int32Use));
2549                         } else {
2550                             result = m_insertionSet.insertNode(
2551                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
2552                                 Edge(edge.node(), AnyIntUse));
2553                         }
2554
2555                         edge.setNode(result);
2556                         break;
2557                     }
2558
2559                     default: {
2560                         if (!edge->hasDoubleResult() && !edge->hasInt52Result())
2561                             break;
2562             
2563                         if (edge->hasDoubleResult()) {
2564                             result = m_insertionSet.insertNode(
2565                                 indexForChecks, SpecBytecodeDouble, ValueRep, originForChecks,
2566                                 Edge(edge.node(), DoubleRepUse));
2567                         } else {
2568                             result = m_insertionSet.insertNode(
2569                                 indexForChecks, SpecInt32Only | SpecAnyIntAsDouble, ValueRep,
2570                                 originForChecks, Edge(edge.node(), Int52RepUse));
2571                         }
2572
2573                         edge.setNode(result);
2574                         break;
2575                     } }
2576
2577                     // It's remotely possible that this node cannot do type checks, but we now have a
2578                     // type check on this node. We don't have to handle the general form of this
2579                     // problem. It only arises when ByteCodeParser emits an immediate SetLocal, rather
2580                     // than a delayed one. So, we only worry about those checks that we may have put on
2581                     // a SetLocal. Note that "indexForChecks != indexInBlock" is just another way of
2582                     // saying "!node->origin.exitOK".
2583                     if (indexForChecks != indexInBlock && mayHaveTypeCheck(edge.useKind())) {
2584                         UseKind knownUseKind;
2585                         
2586                         switch (edge.useKind()) {
2587                         case Int32Use:
2588                             knownUseKind = KnownInt32Use;
2589                             break;
2590                         case CellUse:
2591                             knownUseKind = KnownCellUse;
2592                             break;
2593                         case BooleanUse:
2594                             knownUseKind = KnownBooleanUse;
2595                             break;
2596                         default:
2597                             // This can only arise if we have a Check node, and in that case, we can
2598                             // just remove the original check.
2599                             DFG_ASSERT(m_graph, node, node->op() == Check);
2600                             knownUseKind = UntypedUse;
2601                             break;
2602                         }
2603
2604                         m_insertionSet.insertNode(
2605                             indexForChecks, SpecNone, Check, originForChecks, edge);
2606
2607                         edge.setUseKind(knownUseKind);
2608                     }
2609                 });
2610         }
2611         
2612         m_insertionSet.execute(block);
2613     }
2614     
2615     BasicBlock* m_block;
2616     unsigned m_indexInBlock;
2617     Node* m_currentNode;
2618     InsertionSet m_insertionSet;
2619     bool m_profitabilityChanged;
2620 };
2621     
2622 bool performFixup(Graph& graph)
2623 {
2624     return runPhase<FixupPhase>(graph);
2625 }
2626
2627 } } // namespace JSC::DFG
2628
2629 #endif // ENABLE(DFG_JIT)
2630