The watchdog sometimes fails to terminate a script.
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149
150         case ValueNegate: {
151             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
152                 node->setOp(ArithNegate);
153                 fixIntOrBooleanEdge(node->child1());
154                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
155                     node->setArithMode(Arith::Unchecked);
156                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
157                     node->setArithMode(Arith::CheckOverflow);
158                 else
159                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
160                 node->setResult(NodeResultInt32);
161                 node->clearFlags(NodeMustGenerate);
162                 break;
163             }
164             
165             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
166                 node->setOp(ArithNegate);
167                 fixEdge<Int52RepUse>(node->child1());
168                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
169                     node->setArithMode(Arith::CheckOverflow);
170                 else
171                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
172                 node->setResult(NodeResultInt52);
173                 node->clearFlags(NodeMustGenerate);
174                 break;
175             }
176             if (node->child1()->shouldSpeculateNotCell()) {
177                 node->setOp(ArithNegate);
178                 fixDoubleOrBooleanEdge(node->child1());
179                 node->setResult(NodeResultDouble);
180                 node->clearFlags(NodeMustGenerate);
181             } else {
182                 fixEdge<UntypedUse>(node->child1());
183                 node->setResult(NodeResultJS);
184             }
185             break;
186         }
187
188         case ValueAdd: {
189             if (attemptToMakeIntegerAdd(node)) {
190                 node->setOp(ArithAdd);
191                 break;
192             }
193             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
194                 fixDoubleOrBooleanEdge(node->child1());
195                 fixDoubleOrBooleanEdge(node->child2());
196                 node->setOp(ArithAdd);
197                 node->setResult(NodeResultDouble);
198                 break;
199             }
200             
201             if (attemptToMakeFastStringAdd(node))
202                 break;
203
204             Edge& child1 = node->child1();
205             Edge& child2 = node->child2();
206             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
207                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
208                     auto convertString = [&](Node* node, Edge& edge) {
209                         if (edge->shouldSpeculateInt32())
210                             convertStringAddUse<Int32Use>(node, edge);
211                         else {
212                             ASSERT(edge->shouldSpeculateString());
213                             convertStringAddUse<StringUse>(node, edge);
214                         }
215                     };
216                     convertString(node, child1);
217                     convertString(node, child2);
218                     convertToMakeRope(node);
219                     break;
220                 }
221             }
222
223             fixEdge<UntypedUse>(child1);
224             fixEdge<UntypedUse>(child2);
225             node->setResult(NodeResultJS);
226             break;
227         }
228
229         case StrCat: {
230             if (attemptToMakeFastStringAdd(node))
231                 break;
232
233             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
234             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
235             // the implementation of StrCat doesn't dynamically optimize for empty strings.
236             // https://bugs.webkit.org/show_bug.cgi?id=148540
237             m_graph.doToChildren(
238                 node,
239                 [&] (Edge& edge) {
240                     fixEdge<KnownPrimitiveUse>(edge);
241                     // StrCat automatically coerces the values into strings before concatenating them.
242                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
243                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
244                     // our runtime functions for this slow path expect that they will never be passed
245                     // Symbols.
246                     m_insertionSet.insertNode(
247                         m_indexInBlock, SpecNone, Check, node->origin,
248                         Edge(edge.node(), NotSymbolUse));
249                 });
250             break;
251         }
252             
253         case MakeRope: {
254             fixupMakeRope(node);
255             break;
256         }
257             
258         case ArithAdd:
259         case ArithSub: {
260             if (op == ArithSub
261                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
262                 fixEdge<UntypedUse>(node->child1());
263                 fixEdge<UntypedUse>(node->child2());
264                 node->setResult(NodeResultJS);
265                 break;
266             }
267             if (attemptToMakeIntegerAdd(node))
268                 break;
269             fixDoubleOrBooleanEdge(node->child1());
270             fixDoubleOrBooleanEdge(node->child2());
271             node->setResult(NodeResultDouble);
272             break;
273         }
274             
275         case ArithNegate: {
276             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
277                 fixIntOrBooleanEdge(node->child1());
278                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
279                     node->setArithMode(Arith::Unchecked);
280                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
281                     node->setArithMode(Arith::CheckOverflow);
282                 else
283                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
284                 node->setResult(NodeResultInt32);
285                 node->clearFlags(NodeMustGenerate);
286                 break;
287             }
288             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
289                 fixEdge<Int52RepUse>(node->child1());
290                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
291                     node->setArithMode(Arith::CheckOverflow);
292                 else
293                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
294                 node->setResult(NodeResultInt52);
295                 node->clearFlags(NodeMustGenerate);
296                 break;
297             }
298
299             fixDoubleOrBooleanEdge(node->child1());
300             node->setResult(NodeResultDouble);
301             node->clearFlags(NodeMustGenerate);
302             break;
303         }
304             
305         case ArithMul: {
306             Edge& leftChild = node->child1();
307             Edge& rightChild = node->child2();
308             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
309                 fixEdge<UntypedUse>(leftChild);
310                 fixEdge<UntypedUse>(rightChild);
311                 node->setResult(NodeResultJS);
312                 break;
313             }
314             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
315                 fixIntOrBooleanEdge(leftChild);
316                 fixIntOrBooleanEdge(rightChild);
317                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
318                     node->setArithMode(Arith::Unchecked);
319                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
320                     || leftChild.node() == rightChild.node())
321                     node->setArithMode(Arith::CheckOverflow);
322                 else
323                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
324                 break;
325             }
326             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
327                 fixEdge<Int52RepUse>(leftChild);
328                 fixEdge<Int52RepUse>(rightChild);
329                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
330                     || leftChild.node() == rightChild.node())
331                     node->setArithMode(Arith::CheckOverflow);
332                 else
333                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
334                 node->setResult(NodeResultInt52);
335                 break;
336             }
337             fixDoubleOrBooleanEdge(leftChild);
338             fixDoubleOrBooleanEdge(rightChild);
339             node->setResult(NodeResultDouble);
340             break;
341         }
342
343         case ArithDiv:
344         case ArithMod: {
345             Edge& leftChild = node->child1();
346             Edge& rightChild = node->child2();
347             if (op == ArithDiv
348                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
349                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
350                 fixEdge<UntypedUse>(leftChild);
351                 fixEdge<UntypedUse>(rightChild);
352                 node->setResult(NodeResultJS);
353                 break;
354             }
355             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
356                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
357                     fixIntOrBooleanEdge(leftChild);
358                     fixIntOrBooleanEdge(rightChild);
359                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
360                         node->setArithMode(Arith::Unchecked);
361                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
362                         node->setArithMode(Arith::CheckOverflow);
363                     else
364                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
365                     break;
366                 }
367                 
368                 // This will cause conversion nodes to be inserted later.
369                 fixDoubleOrBooleanEdge(leftChild);
370                 fixDoubleOrBooleanEdge(rightChild);
371                 
372                 // We don't need to do ref'ing on the children because we're stealing them from
373                 // the original division.
374                 Node* newDivision = m_insertionSet.insertNode(
375                     m_indexInBlock, SpecBytecodeDouble, *node);
376                 newDivision->setResult(NodeResultDouble);
377                 
378                 node->setOp(DoubleAsInt32);
379                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
380                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
381                     node->setArithMode(Arith::CheckOverflow);
382                 else
383                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
384                 break;
385             }
386             fixDoubleOrBooleanEdge(leftChild);
387             fixDoubleOrBooleanEdge(rightChild);
388             node->setResult(NodeResultDouble);
389             break;
390         }
391             
392         case ArithMin:
393         case ArithMax: {
394             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
395                 fixIntOrBooleanEdge(node->child1());
396                 fixIntOrBooleanEdge(node->child2());
397                 break;
398             }
399             fixDoubleOrBooleanEdge(node->child1());
400             fixDoubleOrBooleanEdge(node->child2());
401             node->setResult(NodeResultDouble);
402             break;
403         }
404             
405         case ArithAbs: {
406             if (node->child1()->shouldSpeculateInt32OrBoolean()
407                 && node->canSpeculateInt32(FixupPass)) {
408                 fixIntOrBooleanEdge(node->child1());
409                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
410                     node->setArithMode(Arith::Unchecked);
411                 else
412                     node->setArithMode(Arith::CheckOverflow);
413                 node->clearFlags(NodeMustGenerate);
414                 node->setResult(NodeResultInt32);
415                 break;
416             }
417
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420                 node->clearFlags(NodeMustGenerate);
421             } else
422                 fixEdge<UntypedUse>(node->child1());
423             node->setResult(NodeResultDouble);
424             break;
425         }
426
427         case ArithPow: {
428             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
429                 fixDoubleOrBooleanEdge(node->child1());
430                 fixIntOrBooleanEdge(node->child2());
431                 break;
432             }
433
434             fixDoubleOrBooleanEdge(node->child1());
435             fixDoubleOrBooleanEdge(node->child2());
436             break;
437         }
438
439         case ArithRandom: {
440             node->setResult(NodeResultDouble);
441             break;
442         }
443
444         case ArithRound:
445         case ArithFloor:
446         case ArithCeil:
447         case ArithTrunc: {
448             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
449                 fixIntOrBooleanEdge(node->child1());
450                 insertCheck<Int32Use>(node->child1().node());
451                 node->convertToIdentity();
452                 break;
453             }
454             if (node->child1()->shouldSpeculateNotCell()) {
455                 fixDoubleOrBooleanEdge(node->child1());
456
457                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
458                     node->setResult(NodeResultInt32);
459                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
460                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
461                     else
462                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
463                 } else {
464                     node->setResult(NodeResultDouble);
465                     node->setArithRoundingMode(Arith::RoundingMode::Double);
466                 }
467                 node->clearFlags(NodeMustGenerate);
468             } else
469                 fixEdge<UntypedUse>(node->child1());
470             break;
471         }
472
473         case ArithFRound:
474         case ArithSqrt:
475         case ArithUnary: {
476             Edge& child1 = node->child1();
477             if (child1->shouldSpeculateNotCell()) {
478                 fixDoubleOrBooleanEdge(child1);
479                 node->clearFlags(NodeMustGenerate);
480             } else
481                 fixEdge<UntypedUse>(child1);
482             break;
483         }
484             
485         case LogicalNot: {
486             if (node->child1()->shouldSpeculateBoolean()) {
487                 if (node->child1()->result() == NodeResultBoolean) {
488                     // This is necessary in case we have a bytecode instruction implemented by:
489                     //
490                     // a: CompareEq(...)
491                     // b: LogicalNot(@a)
492                     //
493                     // In that case, CompareEq might have a side-effect. Then, we need to make
494                     // sure that we know that Branch does not exit.
495                     fixEdge<KnownBooleanUse>(node->child1());
496                 } else
497                     fixEdge<BooleanUse>(node->child1());
498             } else if (node->child1()->shouldSpeculateObjectOrOther())
499                 fixEdge<ObjectOrOtherUse>(node->child1());
500             else if (node->child1()->shouldSpeculateInt32OrBoolean())
501                 fixIntOrBooleanEdge(node->child1());
502             else if (node->child1()->shouldSpeculateNumber())
503                 fixEdge<DoubleRepUse>(node->child1());
504             else if (node->child1()->shouldSpeculateString())
505                 fixEdge<StringUse>(node->child1());
506             else if (node->child1()->shouldSpeculateStringOrOther())
507                 fixEdge<StringOrOtherUse>(node->child1());
508             else {
509                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
510                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
511                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
512             }
513             break;
514         }
515
516         case CompareEq:
517         case CompareLess:
518         case CompareLessEq:
519         case CompareGreater:
520         case CompareGreaterEq: {
521             if (node->op() == CompareEq
522                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
523                 fixEdge<BooleanUse>(node->child1());
524                 fixEdge<BooleanUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
529                 fixIntOrBooleanEdge(node->child1());
530                 fixIntOrBooleanEdge(node->child2());
531                 node->clearFlags(NodeMustGenerate);
532                 break;
533             }
534             if (enableInt52()
535                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
536                 fixEdge<Int52RepUse>(node->child1());
537                 fixEdge<Int52RepUse>(node->child2());
538                 node->clearFlags(NodeMustGenerate);
539                 break;
540             }
541             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
542                 fixDoubleOrBooleanEdge(node->child1());
543                 fixDoubleOrBooleanEdge(node->child2());
544             }
545             if (node->op() != CompareEq
546                 && node->child1()->shouldSpeculateNotCell()
547                 && node->child2()->shouldSpeculateNotCell()) {
548                 if (node->child1()->shouldSpeculateNumberOrBoolean())
549                     fixDoubleOrBooleanEdge(node->child1());
550                 else
551                     fixEdge<DoubleRepUse>(node->child1());
552                 if (node->child2()->shouldSpeculateNumberOrBoolean())
553                     fixDoubleOrBooleanEdge(node->child2());
554                 else
555                     fixEdge<DoubleRepUse>(node->child2());
556                 node->clearFlags(NodeMustGenerate);
557                 break;
558             }
559             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
560                 fixEdge<StringIdentUse>(node->child1());
561                 fixEdge<StringIdentUse>(node->child2());
562                 node->clearFlags(NodeMustGenerate);
563                 break;
564             }
565             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
566                 fixEdge<StringUse>(node->child1());
567                 fixEdge<StringUse>(node->child2());
568                 node->clearFlags(NodeMustGenerate);
569                 break;
570             }
571
572             if (node->op() != CompareEq)
573                 break;
574             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
575                 fixEdge<SymbolUse>(node->child1());
576                 fixEdge<SymbolUse>(node->child2());
577                 node->clearFlags(NodeMustGenerate);
578                 break;
579             }
580             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
581                 fixEdge<ObjectUse>(node->child1());
582                 fixEdge<ObjectUse>(node->child2());
583                 node->clearFlags(NodeMustGenerate);
584                 break;
585             }
586
587             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
588             bool oneArgumentIsUsedAsSpecOther = false;
589             if (node->child1()->isUndefinedOrNullConstant()) {
590                 fixEdge<KnownOtherUse>(node->child1());
591                 oneArgumentIsUsedAsSpecOther = true;
592             } else if (node->child1()->shouldSpeculateOther()) {
593                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
594                     Edge(node->child1().node(), OtherUse));
595                 fixEdge<KnownOtherUse>(node->child1());
596                 oneArgumentIsUsedAsSpecOther = true;
597             }
598             if (node->child2()->isUndefinedOrNullConstant()) {
599                 fixEdge<KnownOtherUse>(node->child2());
600                 oneArgumentIsUsedAsSpecOther = true;
601             } else if (node->child2()->shouldSpeculateOther()) {
602                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
603                     Edge(node->child2().node(), OtherUse));
604                 fixEdge<KnownOtherUse>(node->child2());
605                 oneArgumentIsUsedAsSpecOther = true;
606             }
607             if (oneArgumentIsUsedAsSpecOther) {
608                 node->clearFlags(NodeMustGenerate);
609                 break;
610             }
611
612             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
613                 fixEdge<ObjectUse>(node->child1());
614                 fixEdge<ObjectOrOtherUse>(node->child2());
615                 node->clearFlags(NodeMustGenerate);
616                 break;
617             }
618             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
619                 fixEdge<ObjectOrOtherUse>(node->child1());
620                 fixEdge<ObjectUse>(node->child2());
621                 node->clearFlags(NodeMustGenerate);
622                 break;
623             }
624
625             break;
626         }
627             
628         case CompareStrictEq:
629         case SameValue: {
630             fixupCompareStrictEqAndSameValue(node);
631             break;
632         }
633
634         case StringFromCharCode:
635             if (node->child1()->shouldSpeculateInt32()) {
636                 fixEdge<Int32Use>(node->child1());
637                 node->clearFlags(NodeMustGenerate);
638             } else
639                 fixEdge<UntypedUse>(node->child1());
640             break;
641
642         case StringCharAt:
643         case StringCharCodeAt: {
644             // Currently we have no good way of refining these.
645             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
646             blessArrayOperation(node->child1(), node->child2(), node->child3());
647             fixEdge<KnownCellUse>(node->child1());
648             fixEdge<Int32Use>(node->child2());
649             break;
650         }
651
652         case GetByVal: {
653             if (!node->prediction()) {
654                 m_insertionSet.insertNode(
655                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
656             }
657             
658             node->setArrayMode(
659                 node->arrayMode().refine(
660                     m_graph, node,
661                     m_graph.varArgChild(node, 0)->prediction(),
662                     m_graph.varArgChild(node, 1)->prediction(),
663                     SpecNone));
664             
665             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
666             
667             ArrayMode arrayMode = node->arrayMode();
668             switch (arrayMode.type()) {
669             case Array::Contiguous:
670             case Array::Double:
671                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
672                     // Check if SaneChain will work on a per-type basis. Note that:
673                     //
674                     // 1) We don't want double arrays to sometimes return undefined, since
675                     // that would require a change to the return type and it would pessimise
676                     // things a lot. So, we'd only want to do that if we actually had
677                     // evidence that we could read from a hole. That's pretty annoying.
678                     // Likely the best way to handle that case is with an equivalent of
679                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
680                     // NaN are indistinguishable according to backwards propagation, and just
681                     // use SaneChain in that case. This happens to catch a lot of cases.
682                     //
683                     // 2) We don't want int32 array loads to have to do a hole check just to
684                     // coerce to Undefined, since that would mean twice the checks.
685                     //
686                     // This has two implications. First, we have to do more checks than we'd
687                     // like. It's unfortunate that we have to do the hole check. Second,
688                     // some accesses that hit a hole will now need to take the full-blown
689                     // out-of-bounds slow path. We can fix that with:
690                     // https://bugs.webkit.org/show_bug.cgi?id=144668
691                     
692                     bool canDoSaneChain = false;
693                     switch (arrayMode.type()) {
694                     case Array::Contiguous:
695                         // This is happens to be entirely natural. We already would have
696                         // returned any JSValue, and now we'll return Undefined. We still do
697                         // the check but it doesn't require taking any kind of slow path.
698                         canDoSaneChain = true;
699                         break;
700                         
701                     case Array::Double:
702                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
703                             // Holes look like NaN already, so if the user doesn't care
704                             // about the difference between Undefined and NaN then we can
705                             // do this.
706                             canDoSaneChain = true;
707                         }
708                         break;
709                         
710                     default:
711                         break;
712                     }
713                     
714                     if (canDoSaneChain) {
715                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
716                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
717                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
718                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
719                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
720                             && globalObject->arrayPrototypeChainIsSane()) {
721                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
722                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
723                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
724                         }
725                     }
726                 }
727                 break;
728                 
729             case Array::String:
730                 if ((node->prediction() & ~SpecString)
731                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
732                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
733                 break;
734                 
735             default:
736                 break;
737             }
738             
739             arrayMode = node->arrayMode();
740             switch (arrayMode.type()) {
741             case Array::SelectUsingPredictions:
742             case Array::Unprofiled:
743                 RELEASE_ASSERT_NOT_REACHED();
744                 break;
745             case Array::Generic:
746                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
747                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
748                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
749                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
750                         break;
751                     }
752
753                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
754                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
755                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
756                         break;
757                     }
758                 }
759 #if USE(JSVALUE32_64)
760                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
761 #endif
762                 break;
763             case Array::ForceExit:
764                 break;
765             default:
766                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
767                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
768                 break;
769             }
770             
771             switch (arrayMode.type()) {
772             case Array::Double:
773                 if (!arrayMode.isOutOfBounds())
774                     node->setResult(NodeResultDouble);
775                 break;
776                 
777             case Array::Float32Array:
778             case Array::Float64Array:
779                 node->setResult(NodeResultDouble);
780                 break;
781                 
782             case Array::Uint32Array:
783                 if (node->shouldSpeculateInt32())
784                     break;
785                 if (node->shouldSpeculateAnyInt() && enableInt52())
786                     node->setResult(NodeResultInt52);
787                 else
788                     node->setResult(NodeResultDouble);
789                 break;
790                 
791             default:
792                 break;
793             }
794             
795             break;
796         }
797
798         case PutByValDirect:
799         case PutByVal:
800         case PutByValAlias: {
801             Edge& child1 = m_graph.varArgChild(node, 0);
802             Edge& child2 = m_graph.varArgChild(node, 1);
803             Edge& child3 = m_graph.varArgChild(node, 2);
804
805             node->setArrayMode(
806                 node->arrayMode().refine(
807                     m_graph, node,
808                     child1->prediction(),
809                     child2->prediction(),
810                     child3->prediction()));
811             
812             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
813             
814             switch (node->arrayMode().modeForPut().type()) {
815             case Array::SelectUsingPredictions:
816             case Array::SelectUsingArguments:
817             case Array::Unprofiled:
818             case Array::Undecided:
819                 RELEASE_ASSERT_NOT_REACHED();
820                 break;
821             case Array::ForceExit:
822             case Array::Generic:
823                 if (child1->shouldSpeculateCell()) {
824                     if (child2->shouldSpeculateString()) {
825                         fixEdge<CellUse>(child1);
826                         fixEdge<StringUse>(child2);
827                         break;
828                     }
829
830                     if (child2->shouldSpeculateSymbol()) {
831                         fixEdge<CellUse>(child1);
832                         fixEdge<SymbolUse>(child2);
833                         break;
834                     }
835                 }
836 #if USE(JSVALUE32_64)
837                 // Due to register pressure on 32-bit, we speculate cell and
838                 // ignore the base-is-not-cell case entirely by letting the
839                 // baseline JIT handle it.
840                 fixEdge<CellUse>(child1);
841 #endif
842                 break;
843             case Array::Int32:
844                 fixEdge<KnownCellUse>(child1);
845                 fixEdge<Int32Use>(child2);
846                 fixEdge<Int32Use>(child3);
847                 break;
848             case Array::Double:
849                 fixEdge<KnownCellUse>(child1);
850                 fixEdge<Int32Use>(child2);
851                 fixEdge<DoubleRepRealUse>(child3);
852                 break;
853             case Array::Int8Array:
854             case Array::Int16Array:
855             case Array::Int32Array:
856             case Array::Uint8Array:
857             case Array::Uint8ClampedArray:
858             case Array::Uint16Array:
859             case Array::Uint32Array:
860                 fixEdge<KnownCellUse>(child1);
861                 fixEdge<Int32Use>(child2);
862                 if (child3->shouldSpeculateInt32())
863                     fixIntOrBooleanEdge(child3);
864                 else if (child3->shouldSpeculateAnyInt())
865                     fixEdge<Int52RepUse>(child3);
866                 else
867                     fixDoubleOrBooleanEdge(child3);
868                 break;
869             case Array::Float32Array:
870             case Array::Float64Array:
871                 fixEdge<KnownCellUse>(child1);
872                 fixEdge<Int32Use>(child2);
873                 fixDoubleOrBooleanEdge(child3);
874                 break;
875             case Array::Contiguous:
876             case Array::ArrayStorage:
877             case Array::SlowPutArrayStorage:
878                 fixEdge<KnownCellUse>(child1);
879                 fixEdge<Int32Use>(child2);
880                 speculateForBarrier(child3);
881                 break;
882             default:
883                 fixEdge<KnownCellUse>(child1);
884                 fixEdge<Int32Use>(child2);
885                 break;
886             }
887             break;
888         }
889             
890         case AtomicsAdd:
891         case AtomicsAnd:
892         case AtomicsCompareExchange:
893         case AtomicsExchange:
894         case AtomicsLoad:
895         case AtomicsOr:
896         case AtomicsStore:
897         case AtomicsSub:
898         case AtomicsXor: {
899             Edge& base = m_graph.child(node, 0);
900             Edge& index = m_graph.child(node, 1);
901             
902             bool badNews = false;
903             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
904                 Edge& child = m_graph.child(node, 2 + i);
905                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
906                 // just call the function when that happens. But the FTL is totally cool with those
907                 // conversions.
908                 if (!child->shouldSpeculateInt32()
909                     && !child->shouldSpeculateAnyInt()
910                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
911                     badNews = true;
912             }
913             
914             if (badNews) {
915                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
916                 break;
917             }
918             
919             node->setArrayMode(
920                 node->arrayMode().refine(
921                     m_graph, node, base->prediction(), index->prediction()));
922             
923             if (node->arrayMode().type() == Array::Generic)
924                 break;
925             
926             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
927                 Edge& child = m_graph.child(node, 2 + i);
928                 if (child->shouldSpeculateInt32())
929                     fixIntOrBooleanEdge(child);
930                 else if (child->shouldSpeculateAnyInt())
931                     fixEdge<Int52RepUse>(child);
932                 else {
933                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
934                     fixDoubleOrBooleanEdge(child);
935                 }
936             }
937             
938             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
939             fixEdge<CellUse>(base);
940             fixEdge<Int32Use>(index);
941             
942             if (node->arrayMode().type() == Array::Uint32Array) {
943                 // NOTE: This means basically always doing Int52.
944                 if (node->shouldSpeculateAnyInt() && enableInt52())
945                     node->setResult(NodeResultInt52);
946                 else
947                     node->setResult(NodeResultDouble);
948             }
949             break;
950         }
951             
952         case AtomicsIsLockFree:
953             if (node->child1()->shouldSpeculateInt32())
954                 fixIntOrBooleanEdge(node->child1());
955             break;
956             
957         case ArrayPush: {
958             // May need to refine the array mode in case the value prediction contravenes
959             // the array prediction. For example, we may have evidence showing that the
960             // array is in Int32 mode, but the value we're storing is likely to be a double.
961             // Then we should turn this into a conversion to Double array followed by the
962             // push. On the other hand, we absolutely don't want to refine based on the
963             // base prediction. If it has non-cell garbage in it, then we want that to be
964             // ignored. That's because ArrayPush can't handle any array modes that aren't
965             // array-related - so if refine() turned this into a "Generic" ArrayPush then
966             // that would break things.
967             Edge& storageEdge = m_graph.varArgChild(node, 0);
968             Edge& arrayEdge = m_graph.varArgChild(node, 1);
969             unsigned elementOffset = 2;
970             unsigned elementCount = node->numChildren() - elementOffset;
971             for (unsigned i = 0; i < elementCount; ++i) {
972                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
973                 node->setArrayMode(
974                     node->arrayMode().refine(
975                         m_graph, node,
976                         arrayEdge->prediction() & SpecCell,
977                         SpecInt32Only,
978                         element->prediction()));
979             }
980             blessArrayOperation(arrayEdge, Edge(), storageEdge);
981             fixEdge<KnownCellUse>(arrayEdge);
982
983             // Convert `array.push()` to GetArrayLength.
984             if (!elementCount && node->arrayMode().supportsSelfLength()) {
985                 node->setOpAndDefaultFlags(GetArrayLength);
986                 node->child1() = arrayEdge;
987                 node->child2() = storageEdge;
988                 fixEdge<KnownCellUse>(node->child1());
989                 break;
990             }
991
992             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
993             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
994             for (unsigned i = 0; i < elementCount; ++i) {
995                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
996                 switch (node->arrayMode().type()) {
997                 case Array::Int32:
998                     insertCheck<Int32Use>(element.node());
999                     fixEdge<KnownInt32Use>(element);
1000                     break;
1001                 case Array::Double:
1002                     insertCheck<DoubleRepRealUse>(element.node());
1003                     fixEdge<DoubleRepUse>(element);
1004                     break;
1005                 case Array::Contiguous:
1006                 case Array::ArrayStorage:
1007                     speculateForBarrier(element);
1008                     break;
1009                 default:
1010                     break;
1011                 }
1012                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1013             }
1014             break;
1015         }
1016             
1017         case ArrayPop: {
1018             blessArrayOperation(node->child1(), Edge(), node->child2());
1019             fixEdge<KnownCellUse>(node->child1());
1020             break;
1021         }
1022
1023         case ArraySlice: {
1024             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1025             if (node->numChildren() >= 3) {
1026                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1027                 if (node->numChildren() == 4)
1028                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1029             }
1030             break;
1031         }
1032
1033         case ArrayIndexOf:
1034             fixupArrayIndexOf(node);
1035             break;
1036             
1037         case RegExpExec:
1038         case RegExpTest: {
1039             fixEdge<KnownCellUse>(node->child1());
1040             
1041             if (node->child2()->shouldSpeculateRegExpObject()) {
1042                 fixEdge<RegExpObjectUse>(node->child2());
1043
1044                 if (node->child3()->shouldSpeculateString())
1045                     fixEdge<StringUse>(node->child3());
1046             }
1047             break;
1048         }
1049
1050         case RegExpMatchFast: {
1051             fixEdge<KnownCellUse>(node->child1());
1052             fixEdge<RegExpObjectUse>(node->child2());
1053             fixEdge<StringUse>(node->child3());
1054             break;
1055         }
1056
1057         case StringReplace:
1058         case StringReplaceRegExp: {
1059             if (node->child2()->shouldSpeculateString()) {
1060                 m_insertionSet.insertNode(
1061                     m_indexInBlock, SpecNone, Check, node->origin,
1062                     Edge(node->child2().node(), StringUse));
1063                 fixEdge<StringUse>(node->child2());
1064             } else if (op == StringReplace) {
1065                 if (node->child2()->shouldSpeculateRegExpObject())
1066                     addStringReplacePrimordialChecks(node->child2().node());
1067                 else 
1068                     m_insertionSet.insertNode(
1069                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1070             }
1071
1072             if (node->child1()->shouldSpeculateString()
1073                 && node->child2()->shouldSpeculateRegExpObject()
1074                 && node->child3()->shouldSpeculateString()) {
1075
1076                 fixEdge<StringUse>(node->child1());
1077                 fixEdge<RegExpObjectUse>(node->child2());
1078                 fixEdge<StringUse>(node->child3());
1079                 break;
1080             }
1081             break;
1082         }
1083             
1084         case Branch: {
1085             if (node->child1()->shouldSpeculateBoolean()) {
1086                 if (node->child1()->result() == NodeResultBoolean) {
1087                     // This is necessary in case we have a bytecode instruction implemented by:
1088                     //
1089                     // a: CompareEq(...)
1090                     // b: Branch(@a)
1091                     //
1092                     // In that case, CompareEq might have a side-effect. Then, we need to make
1093                     // sure that we know that Branch does not exit.
1094                     fixEdge<KnownBooleanUse>(node->child1());
1095                 } else
1096                     fixEdge<BooleanUse>(node->child1());
1097             } else if (node->child1()->shouldSpeculateObjectOrOther())
1098                 fixEdge<ObjectOrOtherUse>(node->child1());
1099             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1100                 fixIntOrBooleanEdge(node->child1());
1101             else if (node->child1()->shouldSpeculateNumber())
1102                 fixEdge<DoubleRepUse>(node->child1());
1103             else if (node->child1()->shouldSpeculateString())
1104                 fixEdge<StringUse>(node->child1());
1105             else if (node->child1()->shouldSpeculateStringOrOther())
1106                 fixEdge<StringOrOtherUse>(node->child1());
1107             else {
1108                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1109                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1110                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1111             }
1112             break;
1113         }
1114             
1115         case Switch: {
1116             SwitchData* data = node->switchData();
1117             switch (data->kind) {
1118             case SwitchImm:
1119                 if (node->child1()->shouldSpeculateInt32())
1120                     fixEdge<Int32Use>(node->child1());
1121                 break;
1122             case SwitchChar:
1123                 if (node->child1()->shouldSpeculateString())
1124                     fixEdge<StringUse>(node->child1());
1125                 break;
1126             case SwitchString:
1127                 if (node->child1()->shouldSpeculateStringIdent())
1128                     fixEdge<StringIdentUse>(node->child1());
1129                 else if (node->child1()->shouldSpeculateString())
1130                     fixEdge<StringUse>(node->child1());
1131                 break;
1132             case SwitchCell:
1133                 if (node->child1()->shouldSpeculateCell())
1134                     fixEdge<CellUse>(node->child1());
1135                 // else it's fine for this to have UntypedUse; we will handle this by just making
1136                 // non-cells take the default case.
1137                 break;
1138             }
1139             break;
1140         }
1141             
1142         case ToPrimitive: {
1143             fixupToPrimitive(node);
1144             break;
1145         }
1146
1147         case ToNumber: {
1148             fixupToNumber(node);
1149             break;
1150         }
1151             
1152         case ToString:
1153         case CallStringConstructor: {
1154             fixupToStringOrCallStringConstructor(node);
1155             break;
1156         }
1157             
1158         case NewStringObject: {
1159             fixEdge<KnownStringUse>(node->child1());
1160             break;
1161         }
1162
1163         case NewArrayWithSpread: {
1164             watchHavingABadTime(node);
1165             
1166             BitVector* bitVector = node->bitVector();
1167             for (unsigned i = node->numChildren(); i--;) {
1168                 if (bitVector->get(i))
1169                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1170                 else
1171                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1172             }
1173
1174             break;
1175         }
1176
1177         case Spread: {
1178             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1179             
1180             watchHavingABadTime(node->child1().node());
1181
1182             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1183             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1184             // that it doesn't contain any indexed properties, and that any holes will result in
1185             // jsUndefined().
1186             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1187             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1188             if (node->child1()->shouldSpeculateArray()
1189                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1190                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1191                 && globalObject->arrayPrototypeChainIsSane()
1192                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1193                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1194                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1195                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1196                 fixEdge<ArrayUse>(node->child1());
1197             } else
1198                 fixEdge<CellUse>(node->child1());
1199             break;
1200         }
1201             
1202         case NewArray: {
1203             watchHavingABadTime(node);
1204             
1205             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1206                 node->setIndexingType(
1207                     leastUpperBoundOfIndexingTypeAndType(
1208                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1209             }
1210             switch (node->indexingType()) {
1211             case ALL_BLANK_INDEXING_TYPES:
1212                 CRASH();
1213                 break;
1214             case ALL_UNDECIDED_INDEXING_TYPES:
1215                 if (node->numChildren()) {
1216                     // This will only happen if the children have no type predictions. We
1217                     // would have already exited by now, but insert a forced exit just to
1218                     // be safe.
1219                     m_insertionSet.insertNode(
1220                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1221                 }
1222                 break;
1223             case ALL_INT32_INDEXING_TYPES:
1224                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1225                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1226                 break;
1227             case ALL_DOUBLE_INDEXING_TYPES:
1228                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1229                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1230                 break;
1231             case ALL_CONTIGUOUS_INDEXING_TYPES:
1232             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1233                 break;
1234             default:
1235                 CRASH();
1236                 break;
1237             }
1238             break;
1239         }
1240             
1241         case NewTypedArray: {
1242             watchHavingABadTime(node);
1243             
1244             if (node->child1()->shouldSpeculateInt32()) {
1245                 fixEdge<Int32Use>(node->child1());
1246                 node->clearFlags(NodeMustGenerate);
1247                 break;
1248             }
1249             break;
1250         }
1251             
1252         case NewArrayWithSize: {
1253             watchHavingABadTime(node);
1254             fixEdge<Int32Use>(node->child1());
1255             break;
1256         }
1257
1258         case NewArrayBuffer: {
1259             watchHavingABadTime(node);
1260             break;
1261         }
1262
1263         case ToObject: {
1264             fixupToObject(node);
1265             break;
1266         }
1267
1268         case CallObjectConstructor: {
1269             fixupCallObjectConstructor(node);
1270             break;
1271         }
1272
1273         case ToThis: {
1274             fixupToThis(node);
1275             break;
1276         }
1277             
1278         case PutStructure: {
1279             fixEdge<KnownCellUse>(node->child1());
1280             break;
1281         }
1282             
1283         case GetClosureVar:
1284         case GetFromArguments: {
1285             fixEdge<KnownCellUse>(node->child1());
1286             break;
1287         }
1288
1289         case PutClosureVar:
1290         case PutToArguments: {
1291             fixEdge<KnownCellUse>(node->child1());
1292             speculateForBarrier(node->child2());
1293             break;
1294         }
1295
1296         case SkipScope:
1297         case GetScope:
1298         case GetGetter:
1299         case GetSetter:
1300         case GetGlobalObject: {
1301             fixEdge<KnownCellUse>(node->child1());
1302             break;
1303         }
1304             
1305         case AllocatePropertyStorage:
1306         case ReallocatePropertyStorage: {
1307             fixEdge<KnownCellUse>(node->child1());
1308             break;
1309         }
1310             
1311         case NukeStructureAndSetButterfly: {
1312             fixEdge<KnownCellUse>(node->child1());
1313             break;
1314         }
1315
1316         case TryGetById: {
1317             if (node->child1()->shouldSpeculateCell())
1318                 fixEdge<CellUse>(node->child1());
1319             break;
1320         }
1321
1322         case GetByIdDirect:
1323         case GetByIdDirectFlush: {
1324             if (node->child1()->shouldSpeculateCell())
1325                 fixEdge<CellUse>(node->child1());
1326             break;
1327         }
1328
1329         case GetById:
1330         case GetByIdFlush: {
1331             // FIXME: This should be done in the ByteCodeParser based on reading the
1332             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1333             // https://bugs.webkit.org/show_bug.cgi?id=154990
1334             auto uid = m_graph.identifiers()[node->identifierNumber()];
1335             if (node->child1()->shouldSpeculateCellOrOther()
1336                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1337                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1338                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1339                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1340                 
1341                 if (uid == vm().propertyNames->length.impl()) {
1342                     attemptToMakeGetArrayLength(node);
1343                     break;
1344                 }
1345
1346                 if (uid == vm().propertyNames->lastIndex.impl()
1347                     && node->child1()->shouldSpeculateRegExpObject()) {
1348                     node->setOp(GetRegExpObjectLastIndex);
1349                     node->clearFlags(NodeMustGenerate);
1350                     fixEdge<RegExpObjectUse>(node->child1());
1351                     break;
1352                 }
1353             }
1354
1355             if (node->child1()->shouldSpeculateNumber()) {
1356                 if (uid == vm().propertyNames->toString.impl()) {
1357                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1358                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1359                         if (node->child1()->shouldSpeculateInt32()) {
1360                             insertCheck<Int32Use>(node->child1().node());
1361                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1362                             break;
1363                         }
1364
1365                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1366                             insertCheck<Int52RepUse>(node->child1().node());
1367                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1368                             break;
1369                         }
1370
1371                         ASSERT(node->child1()->shouldSpeculateNumber());
1372                         insertCheck<DoubleRepUse>(node->child1().node());
1373                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1374                         break;
1375                     }
1376                 }
1377             }
1378
1379             if (node->child1()->shouldSpeculateCell())
1380                 fixEdge<CellUse>(node->child1());
1381             break;
1382         }
1383         
1384         case GetByIdWithThis: {
1385             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1386                 fixEdge<CellUse>(node->child1());
1387                 fixEdge<CellUse>(node->child2());
1388             }
1389             break;
1390         }
1391
1392         case PutById:
1393         case PutByIdFlush:
1394         case PutByIdDirect: {
1395             if (node->child1()->shouldSpeculateCellOrOther()
1396                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1397                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1398                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1399                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1400                 
1401                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1402                 
1403                 if (uid == vm().propertyNames->lastIndex.impl()
1404                     && node->child1()->shouldSpeculateRegExpObject()) {
1405                     node->convertToSetRegExpObjectLastIndex();
1406                     fixEdge<RegExpObjectUse>(node->child1());
1407                     speculateForBarrier(node->child2());
1408                     break;
1409                 }
1410             }
1411             
1412             fixEdge<CellUse>(node->child1());
1413             break;
1414         }
1415
1416         case PutGetterById:
1417         case PutSetterById: {
1418             fixEdge<KnownCellUse>(node->child1());
1419             fixEdge<KnownCellUse>(node->child2());
1420             break;
1421         }
1422
1423         case PutGetterSetterById: {
1424             fixEdge<KnownCellUse>(node->child1());
1425             break;
1426         }
1427
1428         case PutGetterByVal:
1429         case PutSetterByVal: {
1430             fixEdge<KnownCellUse>(node->child1());
1431             fixEdge<KnownCellUse>(node->child3());
1432             break;
1433         }
1434
1435         case GetExecutable: {
1436             fixEdge<FunctionUse>(node->child1());
1437             break;
1438         }
1439
1440         case OverridesHasInstance:
1441         case CheckStructure:
1442         case CheckCell:
1443         case CreateThis:
1444         case GetButterfly: {
1445             fixEdge<CellUse>(node->child1());
1446             break;
1447         }
1448
1449         case ObjectCreate: {
1450             if (node->child1()->shouldSpeculateObject()) {
1451                 fixEdge<ObjectUse>(node->child1());
1452                 node->clearFlags(NodeMustGenerate);
1453                 break;
1454             }
1455             break;
1456         }
1457
1458         case CheckStringIdent: {
1459             fixEdge<StringIdentUse>(node->child1());
1460             break;
1461         }
1462             
1463         case Arrayify:
1464         case ArrayifyToStructure: {
1465             fixEdge<CellUse>(node->child1());
1466             if (node->child2())
1467                 fixEdge<Int32Use>(node->child2());
1468             break;
1469         }
1470             
1471         case GetByOffset:
1472         case GetGetterSetterByOffset: {
1473             if (!node->child1()->hasStorageResult())
1474                 fixEdge<KnownCellUse>(node->child1());
1475             fixEdge<KnownCellUse>(node->child2());
1476             break;
1477         }
1478             
1479         case MultiGetByOffset: {
1480             fixEdge<CellUse>(node->child1());
1481             break;
1482         }
1483             
1484         case PutByOffset: {
1485             if (!node->child1()->hasStorageResult())
1486                 fixEdge<KnownCellUse>(node->child1());
1487             fixEdge<KnownCellUse>(node->child2());
1488             unsigned index = indexForChecks();
1489             insertInferredTypeCheck(
1490                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1491                 node->storageAccessData().inferredType);
1492             speculateForBarrier(node->child3());
1493             break;
1494         }
1495             
1496         case MultiPutByOffset: {
1497             fixEdge<CellUse>(node->child1());
1498             break;
1499         }
1500             
1501         case MatchStructure: {
1502             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1503             // https://bugs.webkit.org/show_bug.cgi?id=185784
1504             fixEdge<CellUse>(node->child1());
1505             break;
1506         }
1507             
1508         case InstanceOf: {
1509             if (node->child1()->shouldSpeculateCell()
1510                 && node->child2()->shouldSpeculateCell()
1511                 && is64Bit()) {
1512                 fixEdge<CellUse>(node->child1());
1513                 fixEdge<CellUse>(node->child2());
1514                 break;
1515             }
1516             break;
1517         }
1518
1519         case InstanceOfCustom:
1520             fixEdge<CellUse>(node->child2());
1521             break;
1522
1523         case InById: {
1524             fixEdge<CellUse>(node->child1());
1525             break;
1526         }
1527
1528         case InByVal: {
1529             if (node->child2()->shouldSpeculateInt32()) {
1530                 convertToHasIndexedProperty(node);
1531                 break;
1532             }
1533
1534             fixEdge<CellUse>(node->child1());
1535             break;
1536         }
1537
1538         case HasOwnProperty: {
1539             fixEdge<ObjectUse>(node->child1());
1540 #if CPU(X86)
1541             // We don't have enough registers to do anything interesting on x86 and mips.
1542             fixEdge<UntypedUse>(node->child2());
1543 #else
1544             if (node->child2()->shouldSpeculateString())
1545                 fixEdge<StringUse>(node->child2());
1546             else if (node->child2()->shouldSpeculateSymbol())
1547                 fixEdge<SymbolUse>(node->child2());
1548             else
1549                 fixEdge<UntypedUse>(node->child2());
1550 #endif
1551             break;
1552         }
1553
1554         case CheckVarargs:
1555         case Check: {
1556             m_graph.doToChildren(
1557                 node,
1558                 [&] (Edge& edge) {
1559                     switch (edge.useKind()) {
1560                     case NumberUse:
1561                         if (edge->shouldSpeculateInt32ForArithmetic())
1562                             edge.setUseKind(Int32Use);
1563                         break;
1564                     default:
1565                         break;
1566                     }
1567                     observeUseKindOnEdge(edge);
1568                 });
1569             break;
1570         }
1571
1572         case Phantom:
1573             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1574             node->remove(m_graph);
1575             break;
1576
1577         case FiatInt52: {
1578             RELEASE_ASSERT(enableInt52());
1579             node->convertToIdentity();
1580             fixEdge<Int52RepUse>(node->child1());
1581             node->setResult(NodeResultInt52);
1582             break;
1583         }
1584
1585         case GetArrayLength: {
1586             fixEdge<KnownCellUse>(node->child1());
1587             break;
1588         }
1589
1590         case GetTypedArrayByteOffset: {
1591             fixEdge<KnownCellUse>(node->child1());
1592             break;
1593         }
1594
1595         case CompareBelow:
1596         case CompareBelowEq: {
1597             fixEdge<Int32Use>(node->child1());
1598             fixEdge<Int32Use>(node->child2());
1599             break;
1600         }
1601
1602         case GetPrototypeOf: {
1603             fixupGetPrototypeOf(node);
1604             break;
1605         }
1606
1607         case Phi:
1608         case Upsilon:
1609         case EntrySwitch:
1610         case GetIndexedPropertyStorage:
1611         case LastNodeType:
1612         case CheckTierUpInLoop:
1613         case CheckTierUpAtReturn:
1614         case CheckTierUpAndOSREnter:
1615         case CheckArray:
1616         case CheckInBounds:
1617         case ConstantStoragePointer:
1618         case DoubleAsInt32:
1619         case ValueToInt32:
1620         case DoubleRep:
1621         case ValueRep:
1622         case Int52Rep:
1623         case Int52Constant:
1624         case Identity: // This should have been cleaned up.
1625         case BooleanToNumber:
1626         case PhantomNewObject:
1627         case PhantomNewFunction:
1628         case PhantomNewGeneratorFunction:
1629         case PhantomNewAsyncGeneratorFunction:
1630         case PhantomNewAsyncFunction:
1631         case PhantomCreateActivation:
1632         case PhantomDirectArguments:
1633         case PhantomCreateRest:
1634         case PhantomSpread:
1635         case PhantomNewArrayWithSpread:
1636         case PhantomNewArrayBuffer:
1637         case PhantomClonedArguments:
1638         case PhantomNewRegexp:
1639         case GetMyArgumentByVal:
1640         case GetMyArgumentByValOutOfBounds:
1641         case GetVectorLength:
1642         case PutHint:
1643         case CheckStructureImmediate:
1644         case CheckStructureOrEmpty:
1645         case MaterializeNewObject:
1646         case MaterializeCreateActivation:
1647         case PutStack:
1648         case KillStack:
1649         case GetStack:
1650         case StoreBarrier:
1651         case FencedStoreBarrier:
1652         case GetRegExpObjectLastIndex:
1653         case SetRegExpObjectLastIndex:
1654         case RecordRegExpCachedResult:
1655         case RegExpExecNonGlobalOrSticky:
1656         case RegExpMatchFastGlobal:
1657             // These are just nodes that we don't currently expect to see during fixup.
1658             // If we ever wanted to insert them prior to fixup, then we just have to create
1659             // fixup rules for them.
1660             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1661             break;
1662
1663         case PutGlobalVariable: {
1664             fixEdge<CellUse>(node->child1());
1665             speculateForBarrier(node->child2());
1666             break;
1667         }
1668
1669         case IsObject:
1670             if (node->child1()->shouldSpeculateObject()) {
1671                 m_insertionSet.insertNode(
1672                     m_indexInBlock, SpecNone, Check, node->origin,
1673                     Edge(node->child1().node(), ObjectUse));
1674                 m_graph.convertToConstant(node, jsBoolean(true));
1675                 observeUseKindOnNode<ObjectUse>(node);
1676             }
1677             break;
1678
1679         case IsCellWithType: {
1680             fixupIsCellWithType(node);
1681             break;
1682         }
1683
1684         case GetEnumerableLength: {
1685             fixEdge<CellUse>(node->child1());
1686             break;
1687         }
1688         case HasGenericProperty: {
1689             fixEdge<CellUse>(node->child2());
1690             break;
1691         }
1692         case HasStructureProperty: {
1693             fixEdge<StringUse>(node->child2());
1694             fixEdge<KnownCellUse>(node->child3());
1695             break;
1696         }
1697         case HasIndexedProperty: {
1698             node->setArrayMode(
1699                 node->arrayMode().refine(
1700                     m_graph, node,
1701                     node->child1()->prediction(),
1702                     node->child2()->prediction(),
1703                     SpecNone));
1704             
1705             blessArrayOperation(node->child1(), node->child2(), node->child3());
1706             fixEdge<CellUse>(node->child1());
1707             fixEdge<KnownInt32Use>(node->child2());
1708             break;
1709         }
1710         case GetDirectPname: {
1711             Edge& base = m_graph.varArgChild(node, 0);
1712             Edge& property = m_graph.varArgChild(node, 1);
1713             Edge& index = m_graph.varArgChild(node, 2);
1714             Edge& enumerator = m_graph.varArgChild(node, 3);
1715             fixEdge<CellUse>(base);
1716             fixEdge<KnownCellUse>(property);
1717             fixEdge<KnownInt32Use>(index);
1718             fixEdge<KnownCellUse>(enumerator);
1719             break;
1720         }
1721         case GetPropertyEnumerator: {
1722             if (node->child1()->shouldSpeculateCell())
1723                 fixEdge<CellUse>(node->child1());
1724             break;
1725         }
1726         case GetEnumeratorStructurePname: {
1727             fixEdge<KnownCellUse>(node->child1());
1728             fixEdge<KnownInt32Use>(node->child2());
1729             break;
1730         }
1731         case GetEnumeratorGenericPname: {
1732             fixEdge<KnownCellUse>(node->child1());
1733             fixEdge<KnownInt32Use>(node->child2());
1734             break;
1735         }
1736         case ToIndexString: {
1737             fixEdge<KnownInt32Use>(node->child1());
1738             break;
1739         }
1740         case ProfileType: {
1741             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1742             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1743             // type T for the instructionTypeSet, the global type set must also have information for type T.
1744             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1745             // in the globalTypeSet would've also succeeded.
1746             // (The other direction does not hold in general).
1747
1748             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1749             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1750             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1751                 if (node->child1()->shouldSpeculateInt32()) {
1752                     fixEdge<Int32Use>(node->child1());
1753                     node->remove(m_graph);
1754                     break;
1755                 }
1756
1757                 if (enableInt52()) {
1758                     fixEdge<AnyIntUse>(node->child1());
1759                     node->remove(m_graph);
1760                     break;
1761                 }
1762
1763                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1764             }
1765
1766             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1767                 fixEdge<NumberUse>(node->child1());
1768                 node->remove(m_graph);
1769             } else if (typeSet->doesTypeConformTo(TypeString)) {
1770                 fixEdge<StringUse>(node->child1());
1771                 node->remove(m_graph);
1772             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1773                 fixEdge<BooleanUse>(node->child1());
1774                 node->remove(m_graph);
1775             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1776                 fixEdge<OtherUse>(node->child1());
1777                 node->remove(m_graph);
1778             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1779                 StructureSet set;
1780                 {
1781                     ConcurrentJSLocker locker(typeSet->m_lock);
1782                     set = typeSet->structureSet(locker);
1783                 }
1784                 if (!set.isEmpty()) {
1785                     fixEdge<CellUse>(node->child1());
1786                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1787                 }
1788             }
1789
1790             break;
1791         }
1792
1793         case CreateClonedArguments: {
1794             watchHavingABadTime(node);
1795             break;
1796         }
1797
1798         case CreateScopedArguments:
1799         case CreateActivation:
1800         case NewFunction:
1801         case NewGeneratorFunction:
1802         case NewAsyncGeneratorFunction:
1803         case NewAsyncFunction: {
1804             // Child 1 is always the current scope, which is guaranteed to be an object
1805             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1806             fixEdge<KnownCellUse>(node->child1());
1807             break;
1808         }
1809
1810         case PushWithScope: {
1811             // Child 1 is always the current scope, which is guaranteed to be an object
1812             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1813             fixEdge<KnownCellUse>(node->child1());
1814             if (node->child2()->shouldSpeculateObject())
1815                 fixEdge<ObjectUse>(node->child2());
1816             break;
1817         }
1818
1819         case SetFunctionName: {
1820             // The first child is guaranteed to be a cell because op_set_function_name is only used
1821             // on a newly instantiated function object (the first child).
1822             fixEdge<KnownCellUse>(node->child1());
1823             fixEdge<UntypedUse>(node->child2());
1824             break;
1825         }
1826
1827         case CreateRest: {
1828             watchHavingABadTime(node);
1829             fixEdge<KnownInt32Use>(node->child1());
1830             break;
1831         }
1832
1833         case ResolveScopeForHoistingFuncDeclInEval: {
1834             fixEdge<KnownCellUse>(node->child1());
1835             break;
1836         }
1837         case ResolveScope:
1838         case GetDynamicVar:
1839         case PutDynamicVar: {
1840             fixEdge<KnownCellUse>(node->child1());
1841             break;
1842         }
1843
1844         case LogShadowChickenPrologue: {
1845             fixEdge<KnownCellUse>(node->child1());
1846             break;
1847         }
1848         case LogShadowChickenTail: {
1849             fixEdge<UntypedUse>(node->child1());
1850             fixEdge<KnownCellUse>(node->child2());
1851             break;
1852         }
1853
1854         case GetMapBucket:
1855             if (node->child1().useKind() == MapObjectUse)
1856                 fixEdge<MapObjectUse>(node->child1());
1857             else if (node->child1().useKind() == SetObjectUse)
1858                 fixEdge<SetObjectUse>(node->child1());
1859             else
1860                 RELEASE_ASSERT_NOT_REACHED();
1861
1862 #if USE(JSVALUE64)
1863             if (node->child2()->shouldSpeculateBoolean())
1864                 fixEdge<BooleanUse>(node->child2());
1865             else if (node->child2()->shouldSpeculateInt32())
1866                 fixEdge<Int32Use>(node->child2());
1867             else if (node->child2()->shouldSpeculateSymbol())
1868                 fixEdge<SymbolUse>(node->child2());
1869             else if (node->child2()->shouldSpeculateObject())
1870                 fixEdge<ObjectUse>(node->child2());
1871             else if (node->child2()->shouldSpeculateString())
1872                 fixEdge<StringUse>(node->child2());
1873             else if (node->child2()->shouldSpeculateCell())
1874                 fixEdge<CellUse>(node->child2());
1875             else
1876                 fixEdge<UntypedUse>(node->child2());
1877 #else
1878             fixEdge<UntypedUse>(node->child2());
1879 #endif // USE(JSVALUE64)
1880
1881             fixEdge<Int32Use>(node->child3());
1882             break;
1883
1884         case GetMapBucketHead:
1885             if (node->child1().useKind() == MapObjectUse)
1886                 fixEdge<MapObjectUse>(node->child1());
1887             else if (node->child1().useKind() == SetObjectUse)
1888                 fixEdge<SetObjectUse>(node->child1());
1889             else
1890                 RELEASE_ASSERT_NOT_REACHED();
1891             break;
1892
1893         case GetMapBucketNext:
1894         case LoadKeyFromMapBucket:
1895         case LoadValueFromMapBucket:
1896             fixEdge<CellUse>(node->child1());
1897             break;
1898
1899         case MapHash: {
1900 #if USE(JSVALUE64)
1901             if (node->child1()->shouldSpeculateBoolean()) {
1902                 fixEdge<BooleanUse>(node->child1());
1903                 break;
1904             }
1905
1906             if (node->child1()->shouldSpeculateInt32()) {
1907                 fixEdge<Int32Use>(node->child1());
1908                 break;
1909             }
1910
1911             if (node->child1()->shouldSpeculateSymbol()) {
1912                 fixEdge<SymbolUse>(node->child1());
1913                 break;
1914             }
1915
1916             if (node->child1()->shouldSpeculateObject()) {
1917                 fixEdge<ObjectUse>(node->child1());
1918                 break;
1919             }
1920
1921             if (node->child1()->shouldSpeculateString()) {
1922                 fixEdge<StringUse>(node->child1());
1923                 break;
1924             }
1925
1926             if (node->child1()->shouldSpeculateCell()) {
1927                 fixEdge<CellUse>(node->child1());
1928                 break;
1929             }
1930
1931             fixEdge<UntypedUse>(node->child1());
1932 #else
1933             fixEdge<UntypedUse>(node->child1());
1934 #endif // USE(JSVALUE64)
1935             break;
1936         }
1937
1938         case NormalizeMapKey: {
1939             fixupNormalizeMapKey(node);
1940             break;
1941         }
1942
1943         case WeakMapGet: {
1944             if (node->child1().useKind() == WeakMapObjectUse)
1945                 fixEdge<WeakMapObjectUse>(node->child1());
1946             else if (node->child1().useKind() == WeakSetObjectUse)
1947                 fixEdge<WeakSetObjectUse>(node->child1());
1948             else
1949                 RELEASE_ASSERT_NOT_REACHED();
1950             fixEdge<ObjectUse>(node->child2());
1951             fixEdge<Int32Use>(node->child3());
1952             break;
1953         }
1954
1955         case SetAdd: {
1956             fixEdge<SetObjectUse>(node->child1());
1957             fixEdge<Int32Use>(node->child3());
1958             break;
1959         }
1960
1961         case MapSet: {
1962             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1963             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1964             break;
1965         }
1966
1967         case WeakSetAdd: {
1968             fixEdge<WeakSetObjectUse>(node->child1());
1969             fixEdge<ObjectUse>(node->child2());
1970             fixEdge<Int32Use>(node->child3());
1971             break;
1972         }
1973
1974         case WeakMapSet: {
1975             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1976             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
1977             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1978             break;
1979         }
1980
1981         case DefineDataProperty: {
1982             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1983             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1984             if (propertyEdge->shouldSpeculateSymbol())
1985                 fixEdge<SymbolUse>(propertyEdge);
1986             else if (propertyEdge->shouldSpeculateStringIdent())
1987                 fixEdge<StringIdentUse>(propertyEdge);
1988             else if (propertyEdge->shouldSpeculateString())
1989                 fixEdge<StringUse>(propertyEdge);
1990             else
1991                 fixEdge<UntypedUse>(propertyEdge);
1992             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1993             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1994             break;
1995         }
1996
1997         case StringSlice: {
1998             fixEdge<StringUse>(node->child1());
1999             fixEdge<Int32Use>(node->child2());
2000             if (node->child3())
2001                 fixEdge<Int32Use>(node->child3());
2002             break;
2003         }
2004
2005         case ToLowerCase: {
2006             // We currently only support StringUse since that will ensure that
2007             // ToLowerCase is a pure operation. If we decide to update this with
2008             // more types in the future, we need to ensure that the clobberize rules
2009             // are correct.
2010             fixEdge<StringUse>(node->child1());
2011             break;
2012         }
2013
2014         case NumberToStringWithRadix: {
2015             if (node->child1()->shouldSpeculateInt32())
2016                 fixEdge<Int32Use>(node->child1());
2017             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2018                 fixEdge<Int52RepUse>(node->child1());
2019             else
2020                 fixEdge<DoubleRepUse>(node->child1());
2021             fixEdge<Int32Use>(node->child2());
2022             break;
2023         }
2024
2025         case DefineAccessorProperty: {
2026             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2027             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2028             if (propertyEdge->shouldSpeculateSymbol())
2029                 fixEdge<SymbolUse>(propertyEdge);
2030             else if (propertyEdge->shouldSpeculateStringIdent())
2031                 fixEdge<StringIdentUse>(propertyEdge);
2032             else if (propertyEdge->shouldSpeculateString())
2033                 fixEdge<StringUse>(propertyEdge);
2034             else
2035                 fixEdge<UntypedUse>(propertyEdge);
2036             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2037             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2038             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2039             break;
2040         }
2041
2042         case CheckSubClass: {
2043             fixupCheckSubClass(node);
2044             break;
2045         }
2046
2047         case CallDOMGetter: {
2048             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2049             fixEdge<CellUse>(node->child1()); // DOM.
2050             if (snippet && snippet->requireGlobalObject)
2051                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2052             break;
2053         }
2054
2055         case CallDOM: {
2056             fixupCallDOM(node);
2057             break;
2058         }
2059
2060         case Call: {
2061             attemptToMakeCallDOM(node);
2062             break;
2063         }
2064
2065         case ParseInt: {
2066             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2067                 fixEdge<Int32Use>(node->child1());
2068                 node->convertToIdentity();
2069                 break;
2070             }
2071
2072             if (node->child1()->shouldSpeculateString()) {
2073                 fixEdge<StringUse>(node->child1());
2074                 node->clearFlags(NodeMustGenerate);
2075             }
2076
2077             if (node->child2())
2078                 fixEdge<Int32Use>(node->child2());
2079
2080             break;
2081         }
2082
2083         case IdentityWithProfile: {
2084             node->clearFlags(NodeMustGenerate);
2085             break;
2086         }
2087
2088         case ThrowStaticError:
2089             fixEdge<StringUse>(node->child1());
2090             break;
2091
2092         case NumberIsInteger:
2093             if (node->child1()->shouldSpeculateInt32()) {
2094                 m_insertionSet.insertNode(
2095                     m_indexInBlock, SpecNone, Check, node->origin,
2096                     Edge(node->child1().node(), Int32Use));
2097                 m_graph.convertToConstant(node, jsBoolean(true));
2098                 break;
2099             }
2100             break;
2101
2102         case SetCallee:
2103             fixEdge<CellUse>(node->child1());
2104             break;
2105
2106         case DataViewGetInt:
2107         case DataViewGetFloat: {
2108             fixEdge<DataViewObjectUse>(node->child1());
2109             fixEdge<Int32Use>(node->child2());
2110             if (node->child3())
2111                 fixEdge<BooleanUse>(node->child3());
2112
2113             if (node->op() == DataViewGetInt) {
2114                 DataViewData data = node->dataViewData();
2115                 switch (data.byteSize) {
2116                 case 1:
2117                 case 2:
2118                     node->setResult(NodeResultInt32);
2119                     break;
2120                 case 4:
2121                     if (data.isSigned)
2122                         node->setResult(NodeResultInt32);
2123                     else
2124                         node->setResult(NodeResultInt52);
2125                     break;
2126                 default:
2127                     RELEASE_ASSERT_NOT_REACHED();
2128                 }
2129             }
2130             break;
2131         }
2132
2133         case DataViewSet: {
2134             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2135             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2136             if (m_graph.varArgChild(node, 3))
2137                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2138             
2139             DataViewData data = node->dataViewData();
2140             Edge& valueToStore = m_graph.varArgChild(node, 2);
2141             if (data.isFloatingPoint)
2142                 fixEdge<DoubleRepUse>(valueToStore);
2143             else {
2144                 switch (data.byteSize) {
2145                 case 1:
2146                 case 2:
2147                     fixEdge<Int32Use>(valueToStore);
2148                     break;
2149                 case 4:
2150                     if (data.isSigned)
2151                         fixEdge<Int32Use>(valueToStore);
2152                     else
2153                         fixEdge<Int52RepUse>(valueToStore);
2154                     break;
2155                 }
2156             }
2157             break;
2158         }
2159
2160 #if !ASSERT_DISABLED
2161         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2162         case SetArgument:
2163         case JSConstant:
2164         case LazyJSConstant:
2165         case DoubleConstant:
2166         case GetLocal:
2167         case GetCallee:
2168         case GetArgumentCountIncludingThis:
2169         case SetArgumentCountIncludingThis:
2170         case GetRestLength:
2171         case GetArgument:
2172         case Flush:
2173         case PhantomLocal:
2174         case GetGlobalVar:
2175         case GetGlobalLexicalVariable:
2176         case NotifyWrite:
2177         case DirectCall:
2178         case CheckTypeInfoFlags:
2179         case TailCallInlinedCaller:
2180         case DirectTailCallInlinedCaller:
2181         case Construct:
2182         case DirectConstruct:
2183         case CallVarargs:
2184         case CallEval:
2185         case TailCallVarargsInlinedCaller:
2186         case ConstructVarargs:
2187         case CallForwardVarargs:
2188         case ConstructForwardVarargs:
2189         case TailCallForwardVarargs:
2190         case TailCallForwardVarargsInlinedCaller:
2191         case LoadVarargs:
2192         case ForwardVarargs:
2193         case ProfileControlFlow:
2194         case NewObject:
2195         case NewRegexp:
2196         case DeleteById:
2197         case DeleteByVal:
2198         case IsTypedArrayView:
2199         case IsEmpty:
2200         case IsUndefined:
2201         case IsBoolean:
2202         case IsNumber:
2203         case IsObjectOrNull:
2204         case IsFunction:
2205         case CreateDirectArguments:
2206         case Jump:
2207         case Return:
2208         case TailCall:
2209         case DirectTailCall:
2210         case TailCallVarargs:
2211         case Throw:
2212         case CountExecution:
2213         case SuperSamplerBegin:
2214         case SuperSamplerEnd:
2215         case ForceOSRExit:
2216         case CheckBadCell:
2217         case CheckNotEmpty:
2218         case AssertNotEmpty:
2219         case CheckTraps:
2220         case Unreachable:
2221         case ExtractOSREntryLocal:
2222         case ExtractCatchLocal:
2223         case ClearCatchLocals:
2224         case LoopHint:
2225         case MovHint:
2226         case InitializeEntrypointArguments:
2227         case ZombieHint:
2228         case ExitOK:
2229         case BottomValue:
2230         case TypeOf:
2231         case PutByIdWithThis:
2232         case PutByValWithThis:
2233         case GetByValWithThis:
2234         case CompareEqPtr:
2235         case NumberToStringWithValidRadixConstant:
2236         case GetGlobalThis:
2237         case ExtractValueFromWeakMapGet:
2238         case CPUIntrinsic:
2239         case FilterCallLinkStatus:
2240         case FilterGetByIdStatus:
2241         case FilterPutByIdStatus:
2242         case FilterInByIdStatus:
2243         case InvalidationPoint:
2244             break;
2245 #else
2246         default:
2247             break;
2248 #endif
2249         }
2250     }
2251
2252     void watchHavingABadTime(Node* node)
2253     {
2254         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2255
2256         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2257         // does an array allocation. The types of array allocations may change if we start to have a bad
2258         // time. It's easier to reason about this if we know that whenever the types change after we start
2259         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2260         // prior to this point nobody should have been doing optimizations based on the indexing type of
2261         // the allocation.
2262         if (!globalObject->isHavingABadTime()) {
2263             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2264             m_graph.freeze(globalObject);
2265         }
2266     }
2267     
2268     template<UseKind useKind>
2269     void createToString(Node* node, Edge& edge)
2270     {
2271         Node* toString = m_insertionSet.insertNode(
2272             m_indexInBlock, SpecString, ToString, node->origin,
2273             Edge(edge.node(), useKind));
2274         switch (useKind) {
2275         case Int32Use:
2276         case Int52RepUse:
2277         case DoubleRepUse:
2278         case NotCellUse:
2279             toString->clearFlags(NodeMustGenerate);
2280             break;
2281         default:
2282             break;
2283         }
2284         edge.setNode(toString);
2285     }
2286     
2287     template<UseKind useKind>
2288     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2289     {
2290         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2291         
2292         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2293             return;
2294         
2295         createToString<useKind>(node, node->child1());
2296         arrayMode = ArrayMode(Array::String, Array::Read);
2297     }
2298     
2299     template<UseKind useKind>
2300     bool isStringObjectUse()
2301     {
2302         switch (useKind) {
2303         case StringObjectUse:
2304         case StringOrStringObjectUse:
2305             return true;
2306         default:
2307             return false;
2308         }
2309     }
2310     
2311     template<UseKind useKind>
2312     void convertStringAddUse(Node* node, Edge& edge)
2313     {
2314         if (useKind == StringUse) {
2315             observeUseKindOnNode<StringUse>(edge.node());
2316             m_insertionSet.insertNode(
2317                 m_indexInBlock, SpecNone, Check, node->origin,
2318                 Edge(edge.node(), StringUse));
2319             edge.setUseKind(KnownStringUse);
2320             return;
2321         }
2322         
2323         observeUseKindOnNode<useKind>(edge.node());
2324         createToString<useKind>(node, edge);
2325     }
2326     
2327     void convertToMakeRope(Node* node)
2328     {
2329         node->setOpAndDefaultFlags(MakeRope);
2330         fixupMakeRope(node);
2331     }
2332     
2333     void fixupMakeRope(Node* node)
2334     {
2335         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2336             Edge& edge = node->children.child(i);
2337             if (!edge)
2338                 break;
2339             edge.setUseKind(KnownStringUse);
2340             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2341             if (!string)
2342                 continue;
2343             if (string->length())
2344                 continue;
2345             
2346             // Don't allow the MakeRope to have zero children.
2347             if (!i && !node->child2())
2348                 break;
2349             
2350             node->children.removeEdge(i--);
2351         }
2352         
2353         if (!node->child2()) {
2354             ASSERT(!node->child3());
2355             node->convertToIdentity();
2356         }
2357     }
2358
2359     void fixupIsCellWithType(Node* node)
2360     {
2361         switch (node->speculatedTypeForQuery()) {
2362         case SpecString:
2363             if (node->child1()->shouldSpeculateString()) {
2364                 m_insertionSet.insertNode(
2365                     m_indexInBlock, SpecNone, Check, node->origin,
2366                     Edge(node->child1().node(), StringUse));
2367                 m_graph.convertToConstant(node, jsBoolean(true));
2368                 observeUseKindOnNode<StringUse>(node);
2369                 return;
2370             }
2371             break;
2372
2373         case SpecProxyObject:
2374             if (node->child1()->shouldSpeculateProxyObject()) {
2375                 m_insertionSet.insertNode(
2376                     m_indexInBlock, SpecNone, Check, node->origin,
2377                     Edge(node->child1().node(), ProxyObjectUse));
2378                 m_graph.convertToConstant(node, jsBoolean(true));
2379                 observeUseKindOnNode<ProxyObjectUse>(node);
2380                 return;
2381             }
2382             break;
2383
2384         case SpecRegExpObject:
2385             if (node->child1()->shouldSpeculateRegExpObject()) {
2386                 m_insertionSet.insertNode(
2387                     m_indexInBlock, SpecNone, Check, node->origin,
2388                     Edge(node->child1().node(), RegExpObjectUse));
2389                 m_graph.convertToConstant(node, jsBoolean(true));
2390                 observeUseKindOnNode<RegExpObjectUse>(node);
2391                 return;
2392             }
2393             break;
2394
2395         case SpecArray:
2396             if (node->child1()->shouldSpeculateArray()) {
2397                 m_insertionSet.insertNode(
2398                     m_indexInBlock, SpecNone, Check, node->origin,
2399                     Edge(node->child1().node(), ArrayUse));
2400                 m_graph.convertToConstant(node, jsBoolean(true));
2401                 observeUseKindOnNode<ArrayUse>(node);
2402                 return;
2403             }
2404             break;
2405
2406         case SpecDerivedArray:
2407             if (node->child1()->shouldSpeculateDerivedArray()) {
2408                 m_insertionSet.insertNode(
2409                     m_indexInBlock, SpecNone, Check, node->origin,
2410                     Edge(node->child1().node(), DerivedArrayUse));
2411                 m_graph.convertToConstant(node, jsBoolean(true));
2412                 observeUseKindOnNode<DerivedArrayUse>(node);
2413                 return;
2414             }
2415             break;
2416         }
2417
2418         if (node->child1()->shouldSpeculateCell()) {
2419             fixEdge<CellUse>(node->child1());
2420             return;
2421         }
2422
2423         if (node->child1()->shouldSpeculateNotCell()) {
2424             m_insertionSet.insertNode(
2425                 m_indexInBlock, SpecNone, Check, node->origin,
2426                 Edge(node->child1().node(), NotCellUse));
2427             m_graph.convertToConstant(node, jsBoolean(false));
2428             observeUseKindOnNode<NotCellUse>(node);
2429             return;
2430         }
2431     }
2432
2433     void fixupGetPrototypeOf(Node* node)
2434     {
2435         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2436         if (node->child1().useKind() != ObjectUse) {
2437             if (node->child1()->shouldSpeculateString()) {
2438                 insertCheck<StringUse>(node->child1().node());
2439                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2440                 return;
2441             }
2442             if (node->child1()->shouldSpeculateInt32()) {
2443                 insertCheck<Int32Use>(node->child1().node());
2444                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2445                 return;
2446             }
2447             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2448                 insertCheck<Int52RepUse>(node->child1().node());
2449                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2450                 return;
2451             }
2452             if (node->child1()->shouldSpeculateNumber()) {
2453                 insertCheck<NumberUse>(node->child1().node());
2454                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2455                 return;
2456             }
2457             if (node->child1()->shouldSpeculateSymbol()) {
2458                 insertCheck<SymbolUse>(node->child1().node());
2459                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2460                 return;
2461             }
2462             if (node->child1()->shouldSpeculateBoolean()) {
2463                 insertCheck<BooleanUse>(node->child1().node());
2464                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2465                 return;
2466             }
2467         }
2468
2469         if (node->child1()->shouldSpeculateFinalObject()) {
2470             fixEdge<FinalObjectUse>(node->child1());
2471             node->clearFlags(NodeMustGenerate);
2472             return;
2473         }
2474         if (node->child1()->shouldSpeculateArray()) {
2475             fixEdge<ArrayUse>(node->child1());
2476             node->clearFlags(NodeMustGenerate);
2477             return;
2478         }
2479         if (node->child1()->shouldSpeculateFunction()) {
2480             fixEdge<FunctionUse>(node->child1());
2481             node->clearFlags(NodeMustGenerate);
2482             return;
2483         }
2484     }
2485
2486     void fixupToThis(Node* node)
2487     {
2488         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2489
2490         if (ecmaMode == StrictMode) {
2491             if (node->child1()->shouldSpeculateBoolean()) {
2492                 fixEdge<BooleanUse>(node->child1());
2493                 node->convertToIdentity();
2494                 return;
2495             }
2496
2497             if (node->child1()->shouldSpeculateInt32()) {
2498                 fixEdge<Int32Use>(node->child1());
2499                 node->convertToIdentity();
2500                 return;
2501             }
2502
2503             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2504                 fixEdge<Int52RepUse>(node->child1());
2505                 node->convertToIdentity();
2506                 node->setResult(NodeResultInt52);
2507                 return;
2508             }
2509
2510             if (node->child1()->shouldSpeculateNumber()) {
2511                 fixEdge<DoubleRepUse>(node->child1());
2512                 node->convertToIdentity();
2513                 node->setResult(NodeResultDouble);
2514                 return;
2515             }
2516
2517             if (node->child1()->shouldSpeculateSymbol()) {
2518                 fixEdge<SymbolUse>(node->child1());
2519                 node->convertToIdentity();
2520                 return;
2521             }
2522
2523             if (node->child1()->shouldSpeculateStringIdent()) {
2524                 fixEdge<StringIdentUse>(node->child1());
2525                 node->convertToIdentity();
2526                 return;
2527             }
2528
2529             if (node->child1()->shouldSpeculateString()) {
2530                 fixEdge<StringUse>(node->child1());
2531                 node->convertToIdentity();
2532                 return;
2533             }
2534             
2535             if (node->child1()->shouldSpeculateBigInt()) {
2536                 fixEdge<BigIntUse>(node->child1());
2537                 node->convertToIdentity();
2538                 return;
2539             }
2540         }
2541
2542         if (node->child1()->shouldSpeculateOther()) {
2543             if (ecmaMode == StrictMode) {
2544                 fixEdge<OtherUse>(node->child1());
2545                 node->convertToIdentity();
2546                 return;
2547             }
2548
2549             m_insertionSet.insertNode(
2550                 m_indexInBlock, SpecNone, Check, node->origin,
2551                 Edge(node->child1().node(), OtherUse));
2552             observeUseKindOnNode<OtherUse>(node->child1().node());
2553             m_graph.convertToConstant(
2554                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2555             return;
2556         }
2557
2558         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2559         // however, since we cover all the missing cases in constant folding.
2560         // https://bugs.webkit.org/show_bug.cgi?id=157213
2561         if (node->child1()->shouldSpeculateStringObject()) {
2562             fixEdge<StringObjectUse>(node->child1());
2563             node->convertToIdentity();
2564             return;
2565         }
2566
2567         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2568             fixEdge<FinalObjectUse>(node->child1());
2569             node->convertToIdentity();
2570             return;
2571         }
2572     }
2573     
2574     void fixupToPrimitive(Node* node)
2575     {
2576         if (node->child1()->shouldSpeculateInt32()) {
2577             fixEdge<Int32Use>(node->child1());
2578             node->convertToIdentity();
2579             return;
2580         }
2581         
2582         if (node->child1()->shouldSpeculateString()) {
2583             fixEdge<StringUse>(node->child1());
2584             node->convertToIdentity();
2585             return;
2586         }
2587         
2588         if (node->child1()->shouldSpeculateStringObject()
2589             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2590             fixEdge<StringObjectUse>(node->child1());
2591             node->convertToToString();
2592             return;
2593         }
2594         
2595         if (node->child1()->shouldSpeculateStringOrStringObject()
2596             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2597             fixEdge<StringOrStringObjectUse>(node->child1());
2598             node->convertToToString();
2599             return;
2600         }
2601     }
2602
2603     void fixupToNumber(Node* node)
2604     {
2605         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2606         if (node->child1()->shouldSpeculateNumber()) {
2607             if (isInt32Speculation(node->getHeapPrediction())) {
2608                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2609                 if (node->child1()->shouldSpeculateInt32()) {
2610                     fixEdge<Int32Use>(node->child1());
2611                     node->convertToIdentity();
2612                     return;
2613                 }
2614
2615                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2616                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2617                 fixEdge<DoubleRepUse>(node->child1());
2618                 node->setOp(DoubleAsInt32);
2619                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2620                     node->setArithMode(Arith::CheckOverflow);
2621                 else
2622                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2623                 return;
2624             }
2625
2626             fixEdge<DoubleRepUse>(node->child1());
2627             node->convertToIdentity();
2628             node->setResult(NodeResultDouble);
2629             return;
2630         }
2631
2632         fixEdge<UntypedUse>(node->child1());
2633         node->setResult(NodeResultJS);
2634     }
2635
2636     void fixupToObject(Node* node)
2637     {
2638         if (node->child1()->shouldSpeculateObject()) {
2639             fixEdge<ObjectUse>(node->child1());
2640             node->convertToIdentity();
2641             return;
2642         }
2643
2644         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2645
2646         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2647
2648         if (node->child1()->shouldSpeculateString()) {
2649             insertCheck<StringUse>(node->child1().node());
2650             fixEdge<KnownStringUse>(node->child1());
2651             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2652             return;
2653         }
2654
2655         if (node->child1()->shouldSpeculateSymbol()) {
2656             insertCheck<SymbolUse>(node->child1().node());
2657             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2658             return;
2659         }
2660
2661         if (node->child1()->shouldSpeculateNumber()) {
2662             insertCheck<NumberUse>(node->child1().node());
2663             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2664             return;
2665         }
2666
2667         if (node->child1()->shouldSpeculateBoolean()) {
2668             insertCheck<BooleanUse>(node->child1().node());
2669             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2670             return;
2671         }
2672
2673         fixEdge<UntypedUse>(node->child1());
2674     }
2675
2676     void fixupCallObjectConstructor(Node* node)
2677     {
2678         if (node->child1()->shouldSpeculateObject()) {
2679             fixEdge<ObjectUse>(node->child1());
2680             node->convertToIdentity();
2681             return;
2682         }
2683
2684         if (node->child1()->shouldSpeculateString()) {
2685             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2686             insertCheck<StringUse>(node->child1().node());
2687             fixEdge<KnownStringUse>(node->child1());
2688             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2689             return;
2690         }
2691
2692         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2693         if (node->child1()->shouldSpeculateOther()) {
2694             insertCheck<OtherUse>(node->child1().node());
2695             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2696             return;
2697         }
2698
2699         fixEdge<UntypedUse>(node->child1());
2700     }
2701     
2702     void fixupToStringOrCallStringConstructor(Node* node)
2703     {
2704         if (node->child1()->shouldSpeculateString()) {
2705             fixEdge<StringUse>(node->child1());
2706             node->convertToIdentity();
2707             return;
2708         }
2709         
2710         if (node->child1()->shouldSpeculateStringObject()
2711             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2712             fixEdge<StringObjectUse>(node->child1());
2713             return;
2714         }
2715         
2716         if (node->child1()->shouldSpeculateStringOrStringObject()
2717             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2718             fixEdge<StringOrStringObjectUse>(node->child1());
2719             return;
2720         }
2721         
2722         if (node->child1()->shouldSpeculateCell()) {
2723             fixEdge<CellUse>(node->child1());
2724             return;
2725         }
2726
2727         if (node->child1()->shouldSpeculateInt32()) {
2728             fixEdge<Int32Use>(node->child1());
2729             node->clearFlags(NodeMustGenerate);
2730             return;
2731         }
2732
2733         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2734             fixEdge<Int52RepUse>(node->child1());
2735             node->clearFlags(NodeMustGenerate);
2736             return;
2737         }
2738
2739         if (node->child1()->shouldSpeculateNumber()) {
2740             fixEdge<DoubleRepUse>(node->child1());
2741             node->clearFlags(NodeMustGenerate);
2742             return;
2743         }
2744
2745         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2746         // we need to care about it in the clobberize. In the following case,
2747         // since NotCellUse edge filter is used and this edge filters Symbols,
2748         // we can say that ToString never throws an error!
2749         if (node->child1()->shouldSpeculateNotCell()) {
2750             fixEdge<NotCellUse>(node->child1());
2751             node->clearFlags(NodeMustGenerate);
2752             return;
2753         }
2754     }
2755
2756     bool attemptToMakeFastStringAdd(Node* node)
2757     {
2758         bool goodToGo = true;
2759         m_graph.doToChildren(
2760             node,
2761             [&] (Edge& edge) {
2762                 if (edge->shouldSpeculateString())
2763                     return;
2764                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2765                     if (edge->shouldSpeculateStringObject())
2766                         return;
2767                     if (edge->shouldSpeculateStringOrStringObject())
2768                         return;
2769                 }
2770                 goodToGo = false;
2771             });
2772         if (!goodToGo)
2773             return false;
2774
2775         m_graph.doToChildren(
2776             node,
2777             [&] (Edge& edge) {
2778                 if (edge->shouldSpeculateString()) {
2779                     convertStringAddUse<StringUse>(node, edge);
2780                     return;
2781                 }
2782                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2783                 if (edge->shouldSpeculateStringObject()) {
2784                     convertStringAddUse<StringObjectUse>(node, edge);
2785                     return;
2786                 }
2787                 if (edge->shouldSpeculateStringOrStringObject()) {
2788                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2789                     return;
2790                 }
2791                 RELEASE_ASSERT_NOT_REACHED();
2792             });
2793         
2794         convertToMakeRope(node);
2795         return true;
2796     }
2797
2798     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2799     {
2800         if (!block)
2801             return;
2802         ASSERT(block->isReachable);
2803         m_block = block;
2804         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2805             Node* node = m_currentNode = block->at(m_indexInBlock);
2806             if (node->op() != SetLocal && node->op() != GetLocal)
2807                 continue;
2808             
2809             VariableAccessData* variable = node->variableAccessData();
2810             switch (node->op()) {
2811             case GetLocal:
2812                 switch (variable->flushFormat()) {
2813                 case FlushedDouble:
2814                     node->setResult(NodeResultDouble);
2815                     break;
2816                 case FlushedInt52:
2817                     node->setResult(NodeResultInt52);
2818                     break;
2819                 default:
2820                     break;
2821                 }
2822                 break;
2823                 
2824             case SetLocal:
2825                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2826                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2827                 
2828                 switch (variable->flushFormat()) {
2829                 case FlushedJSValue:
2830                     break;
2831                 case FlushedDouble:
2832                     fixEdge<DoubleRepUse>(node->child1());
2833                     break;
2834                 case FlushedInt32:
2835                     fixEdge<Int32Use>(node->child1());
2836                     break;
2837                 case FlushedInt52:
2838                     fixEdge<Int52RepUse>(node->child1());
2839                     break;
2840                 case FlushedCell:
2841                     fixEdge<CellUse>(node->child1());
2842                     break;
2843                 case FlushedBoolean:
2844                     fixEdge<BooleanUse>(node->child1());
2845                     break;
2846                 default:
2847                     RELEASE_ASSERT_NOT_REACHED();
2848                     break;
2849                 }
2850                 break;
2851                 
2852             default:
2853                 RELEASE_ASSERT_NOT_REACHED();
2854                 break;
2855             }
2856         }
2857         m_insertionSet.execute(block);
2858     }
2859     
2860     void addStringReplacePrimordialChecks(Node* searchRegExp)
2861     {
2862         Node* node = m_currentNode;
2863
2864         // Check that structure of searchRegExp is RegExp object
2865         m_insertionSet.insertNode(
2866             m_indexInBlock, SpecNone, Check, node->origin,
2867             Edge(searchRegExp, RegExpObjectUse));
2868
2869         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2870             unsigned index = m_graph.identifiers().ensure(propertyUID);
2871
2872             Node* actualProperty = m_insertionSet.insertNode(
2873                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2874                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2875
2876             m_insertionSet.insertNode(
2877                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2878                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2879         };
2880
2881         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2882
2883         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2884         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2885         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2886         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2887         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2888         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2889         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2890         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2891     }
2892
2893     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2894     {
2895         ASSERT(arrayMode.isSpecific());
2896         
2897         if (arrayMode.type() == Array::String) {
2898             m_insertionSet.insertNode(
2899                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2900         } else {
2901             // Note that we only need to be using a structure check if we opt for SaneChain, since
2902             // that needs to protect against JSArray's __proto__ being changed.
2903             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2904         
2905             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2906             
2907             if (arrayMode.doesConversion()) {
2908                 if (structure) {
2909                     m_insertionSet.insertNode(
2910                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2911                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2912                 } else {
2913                     m_insertionSet.insertNode(
2914                         m_indexInBlock, SpecNone, Arrayify, origin,
2915                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2916                 }
2917             } else {
2918                 if (structure) {
2919                     m_insertionSet.insertNode(
2920                         m_indexInBlock, SpecNone, CheckStructure, origin,
2921                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2922                 } else {
2923                     m_insertionSet.insertNode(
2924                         m_indexInBlock, SpecNone, CheckArray, origin,
2925                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2926                 }
2927             }
2928         }
2929         
2930         if (!storageCheck(arrayMode))
2931             return nullptr;
2932         
2933         if (arrayMode.usesButterfly()) {
2934             return m_insertionSet.insertNode(
2935                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2936         }
2937         
2938         return m_insertionSet.insertNode(
2939             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2940             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2941     }
2942     
2943     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2944     {
2945         Node* node = m_currentNode;
2946         
2947         switch (node->arrayMode().type()) {
2948         case Array::ForceExit: {
2949             m_insertionSet.insertNode(
2950                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2951             return;
2952         }
2953             
2954         case Array::SelectUsingPredictions:
2955         case Array::Unprofiled:
2956             RELEASE_ASSERT_NOT_REACHED();
2957             return;
2958             
2959         case Array::Generic:
2960             return;
2961             
2962         default: {
2963             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2964             if (!storage)
2965                 return;
2966             
2967             storageChild = Edge(storage);
2968             return;
2969         } }
2970     }
2971     
2972     bool alwaysUnboxSimplePrimitives()
2973     {
2974 #if USE(JSVALUE64)
2975         return false;
2976 #else
2977         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2978         // reduces traffic.
2979         return true;
2980 #endif
2981     }
2982
2983     template<UseKind useKind>
2984     void observeUseKindOnNode(Node* node)
2985     {
2986         if (useKind == UntypedUse)
2987             return;
2988         observeUseKindOnNode(node, useKind);
2989     }
2990
2991     void observeUseKindOnEdge(Edge edge)
2992     {
2993         observeUseKindOnNode(edge.node(), edge.useKind());
2994     }
2995
2996     void observeUseKindOnNode(Node* node, UseKind useKind)
2997     {
2998         if (node->op() != GetLocal)
2999             return;
3000         
3001         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
3002         // https://bugs.webkit.org/show_bug.cgi?id=121518
3003         
3004         VariableAccessData* variable = node->variableAccessData();
3005         switch (useKind) {
3006         case Int32Use:
3007         case KnownInt32Use:
3008             if (alwaysUnboxSimplePrimitives()
3009                 || isInt32Speculation(variable->prediction()))
3010                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3011             break;
3012         case NumberUse:
3013         case RealNumberUse:
3014         case DoubleRepUse:
3015         case DoubleRepRealUse:
3016             if (variable->doubleFormatState() == UsingDoubleFormat)
3017                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3018             break;
3019         case BooleanUse:
3020         case KnownBooleanUse:
3021             if (alwaysUnboxSimplePrimitives()
3022                 || isBooleanSpeculation(variable->prediction()))
3023                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3024             break;
3025         case Int52RepUse:
3026             if (isAnyIntSpeculation(variable->prediction()))
3027                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3028             break;
3029         case CellUse:
3030         case KnownCellUse:
3031         case ObjectUse:
3032         case FunctionUse:
3033         case StringUse:
3034         case KnownStringUse:
3035         case SymbolUse:
3036         case BigIntUse:
3037         case StringObjectUse:
3038         case StringOrStringObjectUse:
3039             if (alwaysUnboxSimplePrimitives()
3040                 || isCellSpeculation(variable->prediction()))
3041                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3042             break;
3043         default:
3044             break;
3045         }
3046     }
3047     
3048     template<UseKind useKind>
3049     void fixEdge(Edge& edge)
3050     {
3051         observeUseKindOnNode<useKind>(edge.node());
3052         edge.setUseKind(useKind);
3053     }
3054     
3055     unsigned indexForChecks()
3056     {
3057         unsigned index = m_indexInBlock;
3058         while (!m_block->at(index)->origin.exitOK)
3059             index--;
3060         return index;
3061     }
3062     
3063     NodeOrigin originForCheck(unsigned index)
3064     {
3065         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3066     }
3067     
3068     void speculateForBarrier(Edge value)
3069     {
3070         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3071         // the DFG anyway because if such a speculation would be wrong, we want to know before
3072         // we do an expensive compile.
3073