[BigInt] Add ValueBitLShift into DFG
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInsertionSet.h"
34 #include "DFGPhase.h"
35 #include "DFGPredictionPropagationPhase.h"
36 #include "DFGVariableAccessDataDump.h"
37 #include "JSCInlines.h"
38 #include "TypeLocation.h"
39
40 namespace JSC { namespace DFG {
41
42 class FixupPhase : public Phase {
43 public:
44     FixupPhase(Graph& graph)
45         : Phase(graph, "fixup")
46         , m_insertionSet(graph)
47     {
48     }
49     
50     bool run()
51     {
52         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
53         ASSERT(m_graph.m_form == ThreadedCPS);
54         
55         m_profitabilityChanged = false;
56         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
57             fixupBlock(m_graph.block(blockIndex));
58         
59         while (m_profitabilityChanged) {
60             m_profitabilityChanged = false;
61             
62             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
63                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
64             
65             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
66                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
67         }
68         
69         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
70             fixupChecksInBlock(m_graph.block(blockIndex));
71
72         m_graph.m_planStage = PlanStage::AfterFixup;
73
74         return true;
75     }
76
77 private:
78
79     void fixupArithDivInt32(Node* node, Edge& leftChild, Edge& rightChild)
80     {
81         if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
82             fixIntOrBooleanEdge(leftChild);
83             fixIntOrBooleanEdge(rightChild);
84             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
85                 node->setArithMode(Arith::Unchecked);
86             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
87                 node->setArithMode(Arith::CheckOverflow);
88             else
89                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
90             return;
91         }
92
93         // This will cause conversion nodes to be inserted later.
94         fixDoubleOrBooleanEdge(leftChild);
95         fixDoubleOrBooleanEdge(rightChild);
96
97         // We don't need to do ref'ing on the children because we're stealing them from
98         // the original division.
99         Node* newDivision = m_insertionSet.insertNode(m_indexInBlock, SpecBytecodeDouble, *node);
100         newDivision->setResult(NodeResultDouble);
101
102         node->setOp(DoubleAsInt32);
103         node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
104         if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
105             node->setArithMode(Arith::CheckOverflow);
106         else
107             node->setArithMode(Arith::CheckOverflowAndNegativeZero);
108
109     }
110
111     void fixupArithPow(Node* node)
112     {
113         if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
114             fixDoubleOrBooleanEdge(node->child1());
115             fixIntOrBooleanEdge(node->child2());
116             return;
117         }
118
119         fixDoubleOrBooleanEdge(node->child1());
120         fixDoubleOrBooleanEdge(node->child2());
121     }
122
123     void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild)
124     {
125         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
126             fixupArithDivInt32(node, leftChild, rightChild);
127             return;
128         }
129         
130         fixDoubleOrBooleanEdge(leftChild);
131         fixDoubleOrBooleanEdge(rightChild);
132         node->setResult(NodeResultDouble);
133     }
134     
135     void fixupArithMul(Node* node, Edge& leftChild, Edge& rightChild)
136     {
137         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
138             fixIntOrBooleanEdge(leftChild);
139             fixIntOrBooleanEdge(rightChild);
140             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
141                 node->setArithMode(Arith::Unchecked);
142             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
143                 node->setArithMode(Arith::CheckOverflow);
144             else
145                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
146             return;
147         }
148         if (m_graph.binaryArithShouldSpeculateInt52(node, FixupPass)) {
149             fixEdge<Int52RepUse>(leftChild);
150             fixEdge<Int52RepUse>(rightChild);
151             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
152                 node->setArithMode(Arith::CheckOverflow);
153             else
154                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
155             node->setResult(NodeResultInt52);
156             return;
157         }
158
159         fixDoubleOrBooleanEdge(leftChild);
160         fixDoubleOrBooleanEdge(rightChild);
161         node->setResult(NodeResultDouble);
162     }
163
164     void fixupBlock(BasicBlock* block)
165     {
166         if (!block)
167             return;
168         ASSERT(block->isReachable);
169         m_block = block;
170         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
171             m_currentNode = block->at(m_indexInBlock);
172             fixupNode(m_currentNode);
173         }
174         m_insertionSet.execute(block);
175     }
176     
177     void fixupNode(Node* node)
178     {
179         NodeType op = node->op();
180
181         switch (op) {
182         case SetLocal: {
183             // This gets handled by fixupGetAndSetLocalsInBlock().
184             return;
185         }
186
187         case ValueSub: {
188             Edge& child1 = node->child1();
189             Edge& child2 = node->child2();
190
191             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
192                 fixEdge<BigIntUse>(child1);
193                 fixEdge<BigIntUse>(child2);
194                 break; 
195             }
196             
197             if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
198                 fixEdge<UntypedUse>(child1);
199                 fixEdge<UntypedUse>(child2);
200                 break;
201             }
202
203             if (attemptToMakeIntegerAdd(node)) {
204                 // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
205                 // https://bugs.webkit.org/show_bug.cgi?id=190607
206                 node->setOp(ArithSub);
207                 break;
208             }
209
210             fixDoubleOrBooleanEdge(node->child1());
211             fixDoubleOrBooleanEdge(node->child2());
212             node->setOp(ArithSub);
213             node->setResult(NodeResultDouble);
214
215             break;
216         }
217
218         case ValueBitLShift:
219         case ValueBitXor:
220         case ValueBitOr:
221         case ValueBitAnd: {
222             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
223                 fixEdge<BigIntUse>(node->child1());
224                 fixEdge<BigIntUse>(node->child2());
225                 node->clearFlags(NodeMustGenerate);
226                 break;
227             }
228
229             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
230                 fixEdge<UntypedUse>(node->child1());
231                 fixEdge<UntypedUse>(node->child2());
232                 break;
233             }
234             
235             switch (op) {
236             case ValueBitXor:
237                 node->setOp(ArithBitXor);
238                 break;
239             case ValueBitOr:
240                 node->setOp(ArithBitOr);
241                 break;
242             case ValueBitAnd:
243                 node->setOp(ArithBitAnd);
244                 break;
245             case ValueBitLShift:
246                 node->setOp(ArithBitLShift);
247                 break;
248             default:
249                 DFG_CRASH(m_graph, node, "Unexpected node during ValueBit operation fixup");
250                 break;
251             }
252
253             node->clearFlags(NodeMustGenerate);
254             node->setResult(NodeResultInt32);
255             fixIntConvertingEdge(node->child1());
256             fixIntConvertingEdge(node->child2());
257             break;
258         }
259
260         case ValueBitNot: {
261             Edge& operandEdge = node->child1();
262
263             if (operandEdge.node()->shouldSpeculateBigInt()) {
264                 node->clearFlags(NodeMustGenerate);
265                 fixEdge<BigIntUse>(operandEdge);
266             } else if (operandEdge.node()->shouldSpeculateUntypedForBitOps())
267                 fixEdge<UntypedUse>(operandEdge);
268             else {
269                 node->setOp(ArithBitNot);
270                 node->setResult(NodeResultInt32);
271                 node->clearFlags(NodeMustGenerate);
272                 fixIntConvertingEdge(operandEdge);
273             }
274             break;
275         }
276
277         case ArithBitNot: {
278             Edge& operandEdge = node->child1();
279
280             fixIntConvertingEdge(operandEdge);
281             break;
282         }
283
284         case ArithBitLShift: 
285         case ArithBitXor:
286         case ArithBitOr:
287         case ArithBitAnd: {
288             fixIntConvertingEdge(node->child1());
289             fixIntConvertingEdge(node->child2());
290             break;
291         }
292
293         case BitRShift:
294         case BitURShift: {
295             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
296                 fixEdge<UntypedUse>(node->child1());
297                 fixEdge<UntypedUse>(node->child2());
298                 break;
299             }
300             fixIntConvertingEdge(node->child1());
301             fixIntConvertingEdge(node->child2());
302             break;
303         }
304
305         case ArithIMul: {
306             fixIntConvertingEdge(node->child1());
307             fixIntConvertingEdge(node->child2());
308             node->setOp(ArithMul);
309             node->setArithMode(Arith::Unchecked);
310             node->child1().setUseKind(Int32Use);
311             node->child2().setUseKind(Int32Use);
312             break;
313         }
314
315         case ArithClz32: {
316             if (node->child1()->shouldSpeculateNotCell()) {
317                 fixIntConvertingEdge(node->child1());
318                 node->clearFlags(NodeMustGenerate);
319             } else
320                 fixEdge<UntypedUse>(node->child1());
321             break;
322         }
323             
324         case UInt32ToNumber: {
325             fixIntConvertingEdge(node->child1());
326             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
327                 node->convertToIdentity();
328             else if (node->canSpeculateInt32(FixupPass))
329                 node->setArithMode(Arith::CheckOverflow);
330             else {
331                 node->setArithMode(Arith::DoOverflow);
332                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
333             }
334             break;
335         }
336
337         case ValueNegate: {
338             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
339                 node->setOp(ArithNegate);
340                 fixIntOrBooleanEdge(node->child1());
341                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
342                     node->setArithMode(Arith::Unchecked);
343                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
344                     node->setArithMode(Arith::CheckOverflow);
345                 else
346                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
347                 node->setResult(NodeResultInt32);
348                 node->clearFlags(NodeMustGenerate);
349                 break;
350             }
351             
352             if (m_graph.unaryArithShouldSpeculateInt52(node, FixupPass)) {
353                 node->setOp(ArithNegate);
354                 fixEdge<Int52RepUse>(node->child1());
355                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
356                     node->setArithMode(Arith::CheckOverflow);
357                 else
358                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
359                 node->setResult(NodeResultInt52);
360                 node->clearFlags(NodeMustGenerate);
361                 break;
362             }
363             if (node->child1()->shouldSpeculateNotCell()) {
364                 node->setOp(ArithNegate);
365                 fixDoubleOrBooleanEdge(node->child1());
366                 node->setResult(NodeResultDouble);
367                 node->clearFlags(NodeMustGenerate);
368             } else {
369                 fixEdge<UntypedUse>(node->child1());
370                 node->setResult(NodeResultJS);
371             }
372             break;
373         }
374
375         case ValueAdd: {
376             if (attemptToMakeIntegerAdd(node)) {
377                 node->setOp(ArithAdd);
378                 break;
379             }
380             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
381                 fixDoubleOrBooleanEdge(node->child1());
382                 fixDoubleOrBooleanEdge(node->child2());
383                 node->setOp(ArithAdd);
384                 node->setResult(NodeResultDouble);
385                 break;
386             }
387             
388             if (attemptToMakeFastStringAdd(node))
389                 break;
390
391             Edge& child1 = node->child1();
392             Edge& child2 = node->child2();
393             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
394                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
395                     auto convertString = [&](Node* node, Edge& edge) {
396                         if (edge->shouldSpeculateInt32())
397                             convertStringAddUse<Int32Use>(node, edge);
398                         else {
399                             ASSERT(edge->shouldSpeculateString());
400                             convertStringAddUse<StringUse>(node, edge);
401                         }
402                     };
403                     convertString(node, child1);
404                     convertString(node, child2);
405                     convertToMakeRope(node);
406                     break;
407                 }
408             }
409
410             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
411                 fixEdge<BigIntUse>(child1);
412                 fixEdge<BigIntUse>(child2);
413             } else {
414                 fixEdge<UntypedUse>(child1);
415                 fixEdge<UntypedUse>(child2);
416             }
417
418             node->setResult(NodeResultJS);
419             break;
420         }
421
422         case StrCat: {
423             if (attemptToMakeFastStringAdd(node))
424                 break;
425
426             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
427             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
428             // the implementation of StrCat doesn't dynamically optimize for empty strings.
429             // https://bugs.webkit.org/show_bug.cgi?id=148540
430             m_graph.doToChildren(
431                 node,
432                 [&] (Edge& edge) {
433                     fixEdge<KnownPrimitiveUse>(edge);
434                     // StrCat automatically coerces the values into strings before concatenating them.
435                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
436                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
437                     // our runtime functions for this slow path expect that they will never be passed
438                     // Symbols.
439                     m_insertionSet.insertNode(
440                         m_indexInBlock, SpecNone, Check, node->origin,
441                         Edge(edge.node(), NotSymbolUse));
442                 });
443             break;
444         }
445             
446         case MakeRope: {
447             fixupMakeRope(node);
448             break;
449         }
450             
451         case ArithAdd:
452         case ArithSub: {
453             // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
454             // https://bugs.webkit.org/show_bug.cgi?id=190607
455             if (attemptToMakeIntegerAdd(node))
456                 break;
457             fixDoubleOrBooleanEdge(node->child1());
458             fixDoubleOrBooleanEdge(node->child2());
459             node->setResult(NodeResultDouble);
460             break;
461         }
462             
463         case ArithNegate: {
464             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
465                 fixIntOrBooleanEdge(node->child1());
466                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
467                     node->setArithMode(Arith::Unchecked);
468                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
469                     node->setArithMode(Arith::CheckOverflow);
470                 else
471                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
472                 node->setResult(NodeResultInt32);
473                 node->clearFlags(NodeMustGenerate);
474                 break;
475             }
476             if (m_graph.unaryArithShouldSpeculateInt52(node, FixupPass)) {
477                 fixEdge<Int52RepUse>(node->child1());
478                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
479                     node->setArithMode(Arith::CheckOverflow);
480                 else
481                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
482                 node->setResult(NodeResultInt52);
483                 node->clearFlags(NodeMustGenerate);
484                 break;
485             }
486
487             fixDoubleOrBooleanEdge(node->child1());
488             node->setResult(NodeResultDouble);
489             node->clearFlags(NodeMustGenerate);
490             break;
491         }
492
493         case ValueMul: {
494             Edge& leftChild = node->child1();
495             Edge& rightChild = node->child2();
496
497             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
498                 fixEdge<BigIntUse>(node->child1());
499                 fixEdge<BigIntUse>(node->child2());
500                 node->clearFlags(NodeMustGenerate);
501                 break;
502             }
503
504             // There are cases where we can have BigInt + Int32 operands reaching ValueMul.
505             // Imagine the scenario where ValueMul was never executed, but we can predict types
506             // reaching the node:
507             //
508             // 63: GetLocal(Check:Untyped:@72, JS|MustGen, NonBoolInt32, ...)  predicting NonBoolInt32
509             // 64: GetLocal(Check:Untyped:@71, JS|MustGen, BigInt, ...)  predicting BigInt
510             // 65: ValueMul(Check:Untyped:@63, Check:Untyped:@64, BigInt|BoolInt32|NonBoolInt32, ...)
511             // 
512             // In such scenario, we need to emit ValueMul(Untyped, Untyped), so the runtime can throw 
513             // an exception whenever it gets excuted.
514             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
515                 fixEdge<UntypedUse>(leftChild);
516                 fixEdge<UntypedUse>(rightChild);
517                 break;
518             }
519
520             // At this point, all other possible specializations are only handled by ArithMul.
521             node->setOp(ArithMul);
522             node->setResult(NodeResultNumber);
523             fixupArithMul(node, leftChild, rightChild);
524             break;
525         }
526
527         case ArithMul: {
528             Edge& leftChild = node->child1();
529             Edge& rightChild = node->child2();
530
531             fixupArithMul(node, leftChild, rightChild);
532             break;
533         }
534
535         case ValueMod: 
536         case ValueDiv: {
537             Edge& leftChild = node->child1();
538             Edge& rightChild = node->child2();
539
540             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
541                 fixEdge<BigIntUse>(leftChild);
542                 fixEdge<BigIntUse>(rightChild);
543                 node->clearFlags(NodeMustGenerate);
544                 break; 
545             }
546
547             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
548                 fixEdge<UntypedUse>(leftChild);
549                 fixEdge<UntypedUse>(rightChild);
550                 break;
551             }
552
553             if (op == ValueDiv)
554                 node->setOp(ArithDiv);
555             else
556                 node->setOp(ArithMod);
557
558             node->setResult(NodeResultNumber);
559             fixupArithDiv(node, leftChild, rightChild);
560             break;
561
562         }
563
564         case ArithDiv:
565         case ArithMod: {
566             Edge& leftChild = node->child1();
567             Edge& rightChild = node->child2();
568
569             fixupArithDiv(node, leftChild, rightChild);
570             break;
571         }
572             
573         case ArithMin:
574         case ArithMax: {
575             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
576                 fixIntOrBooleanEdge(node->child1());
577                 fixIntOrBooleanEdge(node->child2());
578                 break;
579             }
580             fixDoubleOrBooleanEdge(node->child1());
581             fixDoubleOrBooleanEdge(node->child2());
582             node->setResult(NodeResultDouble);
583             break;
584         }
585             
586         case ArithAbs: {
587             if (node->child1()->shouldSpeculateInt32OrBoolean()
588                 && node->canSpeculateInt32(FixupPass)) {
589                 fixIntOrBooleanEdge(node->child1());
590                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
591                     node->setArithMode(Arith::Unchecked);
592                 else
593                     node->setArithMode(Arith::CheckOverflow);
594                 node->clearFlags(NodeMustGenerate);
595                 node->setResult(NodeResultInt32);
596                 break;
597             }
598
599             if (node->child1()->shouldSpeculateNotCell()) {
600                 fixDoubleOrBooleanEdge(node->child1());
601                 node->clearFlags(NodeMustGenerate);
602             } else
603                 fixEdge<UntypedUse>(node->child1());
604             node->setResult(NodeResultDouble);
605             break;
606         }
607
608         case ValuePow: {
609             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
610                 fixEdge<BigIntUse>(node->child1());
611                 fixEdge<BigIntUse>(node->child2());
612                 node->clearFlags(NodeMustGenerate);
613                 break;
614             }
615
616             if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
617                 fixEdge<UntypedUse>(node->child1());
618                 fixEdge<UntypedUse>(node->child2());
619                 break;
620             }
621
622             node->setOp(ArithPow);
623             node->clearFlags(NodeMustGenerate);
624             node->setResult(NodeResultDouble);
625
626             fixupArithPow(node);
627             break;
628         }
629
630         case ArithPow: {
631             fixupArithPow(node);
632             break;
633         }
634
635         case ArithRandom: {
636             node->setResult(NodeResultDouble);
637             break;
638         }
639
640         case ArithRound:
641         case ArithFloor:
642         case ArithCeil:
643         case ArithTrunc: {
644             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
645                 fixIntOrBooleanEdge(node->child1());
646                 insertCheck<Int32Use>(node->child1().node());
647                 node->convertToIdentity();
648                 break;
649             }
650             if (node->child1()->shouldSpeculateNotCell()) {
651                 fixDoubleOrBooleanEdge(node->child1());
652
653                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
654                     node->setResult(NodeResultInt32);
655                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
656                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
657                     else
658                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
659                 } else {
660                     node->setResult(NodeResultDouble);
661                     node->setArithRoundingMode(Arith::RoundingMode::Double);
662                 }
663                 node->clearFlags(NodeMustGenerate);
664             } else
665                 fixEdge<UntypedUse>(node->child1());
666             break;
667         }
668
669         case ArithFRound:
670         case ArithSqrt:
671         case ArithUnary: {
672             Edge& child1 = node->child1();
673             if (child1->shouldSpeculateNotCell()) {
674                 fixDoubleOrBooleanEdge(child1);
675                 node->clearFlags(NodeMustGenerate);
676             } else
677                 fixEdge<UntypedUse>(child1);
678             break;
679         }
680             
681         case LogicalNot: {
682             if (node->child1()->shouldSpeculateBoolean()) {
683                 if (node->child1()->result() == NodeResultBoolean) {
684                     // This is necessary in case we have a bytecode instruction implemented by:
685                     //
686                     // a: CompareEq(...)
687                     // b: LogicalNot(@a)
688                     //
689                     // In that case, CompareEq might have a side-effect. Then, we need to make
690                     // sure that we know that Branch does not exit.
691                     fixEdge<KnownBooleanUse>(node->child1());
692                 } else
693                     fixEdge<BooleanUse>(node->child1());
694             } else if (node->child1()->shouldSpeculateObjectOrOther())
695                 fixEdge<ObjectOrOtherUse>(node->child1());
696             else if (node->child1()->shouldSpeculateInt32OrBoolean())
697                 fixIntOrBooleanEdge(node->child1());
698             else if (node->child1()->shouldSpeculateNumber())
699                 fixEdge<DoubleRepUse>(node->child1());
700             else if (node->child1()->shouldSpeculateString())
701                 fixEdge<StringUse>(node->child1());
702             else if (node->child1()->shouldSpeculateStringOrOther())
703                 fixEdge<StringOrOtherUse>(node->child1());
704             else {
705                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
706                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
707                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
708             }
709             break;
710         }
711
712         case CompareEq:
713         case CompareLess:
714         case CompareLessEq:
715         case CompareGreater:
716         case CompareGreaterEq: {
717             if (node->op() == CompareEq
718                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
719                 fixEdge<BooleanUse>(node->child1());
720                 fixEdge<BooleanUse>(node->child2());
721                 node->clearFlags(NodeMustGenerate);
722                 break;
723             }
724             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
725                 fixIntOrBooleanEdge(node->child1());
726                 fixIntOrBooleanEdge(node->child2());
727                 node->clearFlags(NodeMustGenerate);
728                 break;
729             }
730             if (Node::shouldSpeculateInt52(node->child1().node(), node->child2().node())) {
731                 fixEdge<Int52RepUse>(node->child1());
732                 fixEdge<Int52RepUse>(node->child2());
733                 node->clearFlags(NodeMustGenerate);
734                 break;
735             }
736             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
737                 fixDoubleOrBooleanEdge(node->child1());
738                 fixDoubleOrBooleanEdge(node->child2());
739             }
740             if (node->op() != CompareEq
741                 && node->child1()->shouldSpeculateNotCell()
742                 && node->child2()->shouldSpeculateNotCell()) {
743                 if (node->child1()->shouldSpeculateNumberOrBoolean())
744                     fixDoubleOrBooleanEdge(node->child1());
745                 else
746                     fixEdge<DoubleRepUse>(node->child1());
747                 if (node->child2()->shouldSpeculateNumberOrBoolean())
748                     fixDoubleOrBooleanEdge(node->child2());
749                 else
750                     fixEdge<DoubleRepUse>(node->child2());
751                 node->clearFlags(NodeMustGenerate);
752                 break;
753             }
754             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
755                 fixEdge<StringIdentUse>(node->child1());
756                 fixEdge<StringIdentUse>(node->child2());
757                 node->clearFlags(NodeMustGenerate);
758                 break;
759             }
760             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
761                 fixEdge<StringUse>(node->child1());
762                 fixEdge<StringUse>(node->child2());
763                 node->clearFlags(NodeMustGenerate);
764                 break;
765             }
766
767             if (node->op() != CompareEq)
768                 break;
769             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
770                 fixEdge<SymbolUse>(node->child1());
771                 fixEdge<SymbolUse>(node->child2());
772                 node->clearFlags(NodeMustGenerate);
773                 break;
774             }
775             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
776                 fixEdge<ObjectUse>(node->child1());
777                 fixEdge<ObjectUse>(node->child2());
778                 node->clearFlags(NodeMustGenerate);
779                 break;
780             }
781
782             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
783             bool oneArgumentIsUsedAsSpecOther = false;
784             if (node->child1()->isUndefinedOrNullConstant()) {
785                 fixEdge<KnownOtherUse>(node->child1());
786                 oneArgumentIsUsedAsSpecOther = true;
787             } else if (node->child1()->shouldSpeculateOther()) {
788                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
789                     Edge(node->child1().node(), OtherUse));
790                 fixEdge<KnownOtherUse>(node->child1());
791                 oneArgumentIsUsedAsSpecOther = true;
792             }
793             if (node->child2()->isUndefinedOrNullConstant()) {
794                 fixEdge<KnownOtherUse>(node->child2());
795                 oneArgumentIsUsedAsSpecOther = true;
796             } else if (node->child2()->shouldSpeculateOther()) {
797                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
798                     Edge(node->child2().node(), OtherUse));
799                 fixEdge<KnownOtherUse>(node->child2());
800                 oneArgumentIsUsedAsSpecOther = true;
801             }
802             if (oneArgumentIsUsedAsSpecOther) {
803                 node->clearFlags(NodeMustGenerate);
804                 break;
805             }
806
807             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
808                 fixEdge<ObjectUse>(node->child1());
809                 fixEdge<ObjectOrOtherUse>(node->child2());
810                 node->clearFlags(NodeMustGenerate);
811                 break;
812             }
813             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
814                 fixEdge<ObjectOrOtherUse>(node->child1());
815                 fixEdge<ObjectUse>(node->child2());
816                 node->clearFlags(NodeMustGenerate);
817                 break;
818             }
819
820             break;
821         }
822             
823         case CompareStrictEq:
824         case SameValue: {
825             fixupCompareStrictEqAndSameValue(node);
826             break;
827         }
828
829         case StringFromCharCode:
830             if (node->child1()->shouldSpeculateInt32()) {
831                 fixEdge<Int32Use>(node->child1());
832                 node->clearFlags(NodeMustGenerate);
833             } else
834                 fixEdge<UntypedUse>(node->child1());
835             break;
836
837         case StringCharAt:
838         case StringCharCodeAt: {
839             // Currently we have no good way of refining these.
840             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
841             blessArrayOperation(node->child1(), node->child2(), node->child3());
842             fixEdge<KnownStringUse>(node->child1());
843             fixEdge<Int32Use>(node->child2());
844             break;
845         }
846
847         case GetByVal: {
848             if (!node->prediction()) {
849                 m_insertionSet.insertNode(
850                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
851             }
852             
853             node->setArrayMode(
854                 node->arrayMode().refine(
855                     m_graph, node,
856                     m_graph.varArgChild(node, 0)->prediction(),
857                     m_graph.varArgChild(node, 1)->prediction(),
858                     SpecNone));
859             
860             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
861             
862             ArrayMode arrayMode = node->arrayMode();
863             switch (arrayMode.type()) {
864             case Array::Contiguous:
865             case Array::Double:
866                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
867                     // Check if SaneChain will work on a per-type basis. Note that:
868                     //
869                     // 1) We don't want double arrays to sometimes return undefined, since
870                     // that would require a change to the return type and it would pessimise
871                     // things a lot. So, we'd only want to do that if we actually had
872                     // evidence that we could read from a hole. That's pretty annoying.
873                     // Likely the best way to handle that case is with an equivalent of
874                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
875                     // NaN are indistinguishable according to backwards propagation, and just
876                     // use SaneChain in that case. This happens to catch a lot of cases.
877                     //
878                     // 2) We don't want int32 array loads to have to do a hole check just to
879                     // coerce to Undefined, since that would mean twice the checks.
880                     //
881                     // This has two implications. First, we have to do more checks than we'd
882                     // like. It's unfortunate that we have to do the hole check. Second,
883                     // some accesses that hit a hole will now need to take the full-blown
884                     // out-of-bounds slow path. We can fix that with:
885                     // https://bugs.webkit.org/show_bug.cgi?id=144668
886                     
887                     bool canDoSaneChain = false;
888                     switch (arrayMode.type()) {
889                     case Array::Contiguous:
890                         // This is happens to be entirely natural. We already would have
891                         // returned any JSValue, and now we'll return Undefined. We still do
892                         // the check but it doesn't require taking any kind of slow path.
893                         canDoSaneChain = true;
894                         break;
895                         
896                     case Array::Double:
897                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
898                             // Holes look like NaN already, so if the user doesn't care
899                             // about the difference between Undefined and NaN then we can
900                             // do this.
901                             canDoSaneChain = true;
902                         }
903                         break;
904                         
905                     default:
906                         break;
907                     }
908                     
909                     if (canDoSaneChain) {
910                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
911                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
912                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
913                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
914                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
915                             && globalObject->arrayPrototypeChainIsSane()) {
916                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
917                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
918                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
919                         }
920                     }
921                 }
922                 break;
923                 
924             case Array::String:
925                 if ((node->prediction() & ~SpecString)
926                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
927                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
928                 break;
929                 
930             default:
931                 break;
932             }
933             
934             arrayMode = node->arrayMode();
935             switch (arrayMode.type()) {
936             case Array::SelectUsingPredictions:
937             case Array::Unprofiled:
938                 RELEASE_ASSERT_NOT_REACHED();
939                 break;
940             case Array::Generic:
941                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
942                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
943                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
944                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
945                         break;
946                     }
947
948                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
949                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
950                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
951                         break;
952                     }
953                 }
954 #if USE(JSVALUE32_64)
955                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
956 #endif
957                 break;
958             case Array::ForceExit:
959                 break;
960             case Array::String:
961                 fixEdge<KnownStringUse>(m_graph.varArgChild(node, 0));
962                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
963                 break;
964             default:
965                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
966                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
967                 break;
968             }
969             
970             switch (arrayMode.type()) {
971             case Array::Double:
972                 if (!arrayMode.isOutOfBounds())
973                     node->setResult(NodeResultDouble);
974                 break;
975                 
976             case Array::Float32Array:
977             case Array::Float64Array:
978                 node->setResult(NodeResultDouble);
979                 break;
980                 
981             case Array::Uint32Array:
982                 if (node->shouldSpeculateInt32())
983                     break;
984                 if (node->shouldSpeculateInt52())
985                     node->setResult(NodeResultInt52);
986                 else
987                     node->setResult(NodeResultDouble);
988                 break;
989                 
990             default:
991                 break;
992             }
993             
994             break;
995         }
996
997         case PutByValDirect:
998         case PutByVal:
999         case PutByValAlias: {
1000             Edge& child1 = m_graph.varArgChild(node, 0);
1001             Edge& child2 = m_graph.varArgChild(node, 1);
1002             Edge& child3 = m_graph.varArgChild(node, 2);
1003
1004             node->setArrayMode(
1005                 node->arrayMode().refine(
1006                     m_graph, node,
1007                     child1->prediction(),
1008                     child2->prediction(),
1009                     child3->prediction()));
1010             
1011             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
1012             
1013             switch (node->arrayMode().modeForPut().type()) {
1014             case Array::SelectUsingPredictions:
1015             case Array::SelectUsingArguments:
1016             case Array::Unprofiled:
1017             case Array::Undecided:
1018                 RELEASE_ASSERT_NOT_REACHED();
1019                 break;
1020             case Array::ForceExit:
1021             case Array::Generic:
1022                 if (child1->shouldSpeculateCell()) {
1023                     if (child2->shouldSpeculateString()) {
1024                         fixEdge<CellUse>(child1);
1025                         fixEdge<StringUse>(child2);
1026                         break;
1027                     }
1028
1029                     if (child2->shouldSpeculateSymbol()) {
1030                         fixEdge<CellUse>(child1);
1031                         fixEdge<SymbolUse>(child2);
1032                         break;
1033                     }
1034                 }
1035 #if USE(JSVALUE32_64)
1036                 // Due to register pressure on 32-bit, we speculate cell and
1037                 // ignore the base-is-not-cell case entirely by letting the
1038                 // baseline JIT handle it.
1039                 fixEdge<CellUse>(child1);
1040 #endif
1041                 break;
1042             case Array::Int32:
1043                 fixEdge<KnownCellUse>(child1);
1044                 fixEdge<Int32Use>(child2);
1045                 fixEdge<Int32Use>(child3);
1046                 break;
1047             case Array::Double:
1048                 fixEdge<KnownCellUse>(child1);
1049                 fixEdge<Int32Use>(child2);
1050                 fixEdge<DoubleRepRealUse>(child3);
1051                 break;
1052             case Array::Int8Array:
1053             case Array::Int16Array:
1054             case Array::Int32Array:
1055             case Array::Uint8Array:
1056             case Array::Uint8ClampedArray:
1057             case Array::Uint16Array:
1058             case Array::Uint32Array:
1059                 fixEdge<KnownCellUse>(child1);
1060                 fixEdge<Int32Use>(child2);
1061                 if (child3->shouldSpeculateInt32())
1062                     fixIntOrBooleanEdge(child3);
1063                 else if (child3->shouldSpeculateInt52())
1064                     fixEdge<Int52RepUse>(child3);
1065                 else
1066                     fixDoubleOrBooleanEdge(child3);
1067                 break;
1068             case Array::Float32Array:
1069             case Array::Float64Array:
1070                 fixEdge<KnownCellUse>(child1);
1071                 fixEdge<Int32Use>(child2);
1072                 fixDoubleOrBooleanEdge(child3);
1073                 break;
1074             case Array::Contiguous:
1075             case Array::ArrayStorage:
1076             case Array::SlowPutArrayStorage:
1077                 fixEdge<KnownCellUse>(child1);
1078                 fixEdge<Int32Use>(child2);
1079                 speculateForBarrier(child3);
1080                 break;
1081             default:
1082                 fixEdge<KnownCellUse>(child1);
1083                 fixEdge<Int32Use>(child2);
1084                 break;
1085             }
1086             break;
1087         }
1088             
1089         case AtomicsAdd:
1090         case AtomicsAnd:
1091         case AtomicsCompareExchange:
1092         case AtomicsExchange:
1093         case AtomicsLoad:
1094         case AtomicsOr:
1095         case AtomicsStore:
1096         case AtomicsSub:
1097         case AtomicsXor: {
1098             Edge& base = m_graph.child(node, 0);
1099             Edge& index = m_graph.child(node, 1);
1100             
1101             bool badNews = false;
1102             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1103                 Edge& child = m_graph.child(node, 2 + i);
1104                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
1105                 // just call the function when that happens. But the FTL is totally cool with those
1106                 // conversions.
1107                 if (!child->shouldSpeculateInt32()
1108                     && !child->shouldSpeculateInt52()
1109                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
1110                     badNews = true;
1111             }
1112             
1113             if (badNews) {
1114                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
1115                 break;
1116             }
1117             
1118             node->setArrayMode(
1119                 node->arrayMode().refine(
1120                     m_graph, node, base->prediction(), index->prediction()));
1121             
1122             if (node->arrayMode().type() == Array::Generic)
1123                 break;
1124             
1125             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1126                 Edge& child = m_graph.child(node, 2 + i);
1127                 if (child->shouldSpeculateInt32())
1128                     fixIntOrBooleanEdge(child);
1129                 else if (child->shouldSpeculateInt52())
1130                     fixEdge<Int52RepUse>(child);
1131                 else {
1132                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
1133                     fixDoubleOrBooleanEdge(child);
1134                 }
1135             }
1136             
1137             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
1138             fixEdge<CellUse>(base);
1139             fixEdge<Int32Use>(index);
1140             
1141             if (node->arrayMode().type() == Array::Uint32Array) {
1142                 // NOTE: This means basically always doing Int52.
1143                 if (node->shouldSpeculateInt52())
1144                     node->setResult(NodeResultInt52);
1145                 else
1146                     node->setResult(NodeResultDouble);
1147             }
1148             break;
1149         }
1150             
1151         case AtomicsIsLockFree:
1152             if (node->child1()->shouldSpeculateInt32())
1153                 fixIntOrBooleanEdge(node->child1());
1154             break;
1155             
1156         case ArrayPush: {
1157             // May need to refine the array mode in case the value prediction contravenes
1158             // the array prediction. For example, we may have evidence showing that the
1159             // array is in Int32 mode, but the value we're storing is likely to be a double.
1160             // Then we should turn this into a conversion to Double array followed by the
1161             // push. On the other hand, we absolutely don't want to refine based on the
1162             // base prediction. If it has non-cell garbage in it, then we want that to be
1163             // ignored. That's because ArrayPush can't handle any array modes that aren't
1164             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1165             // that would break things.
1166             Edge& storageEdge = m_graph.varArgChild(node, 0);
1167             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1168             unsigned elementOffset = 2;
1169             unsigned elementCount = node->numChildren() - elementOffset;
1170             for (unsigned i = 0; i < elementCount; ++i) {
1171                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1172                 node->setArrayMode(
1173                     node->arrayMode().refine(
1174                         m_graph, node,
1175                         arrayEdge->prediction() & SpecCell,
1176                         SpecInt32Only,
1177                         element->prediction()));
1178             }
1179             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1180             fixEdge<KnownCellUse>(arrayEdge);
1181
1182             // Convert `array.push()` to GetArrayLength.
1183             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1184                 node->setOpAndDefaultFlags(GetArrayLength);
1185                 node->child1() = arrayEdge;
1186                 node->child2() = storageEdge;
1187                 fixEdge<KnownCellUse>(node->child1());
1188                 break;
1189             }
1190
1191             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1192             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1193             for (unsigned i = 0; i < elementCount; ++i) {
1194                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1195                 switch (node->arrayMode().type()) {
1196                 case Array::Int32:
1197                     fixEdge<Int32Use>(element);
1198                     break;
1199                 case Array::Double:
1200                     fixEdge<DoubleRepRealUse>(element);
1201                     break;
1202                 case Array::Contiguous:
1203                 case Array::ArrayStorage:
1204                     speculateForBarrier(element);
1205                     break;
1206                 default:
1207                     break;
1208                 }
1209             }
1210             break;
1211         }
1212             
1213         case ArrayPop: {
1214             blessArrayOperation(node->child1(), Edge(), node->child2());
1215             fixEdge<KnownCellUse>(node->child1());
1216             break;
1217         }
1218
1219         case ArraySlice: {
1220             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1221             if (node->numChildren() >= 3) {
1222                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1223                 if (node->numChildren() == 4)
1224                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1225             }
1226             break;
1227         }
1228
1229         case ArrayIndexOf:
1230             fixupArrayIndexOf(node);
1231             break;
1232             
1233         case RegExpExec:
1234         case RegExpTest: {
1235             fixEdge<KnownCellUse>(node->child1());
1236             
1237             if (node->child2()->shouldSpeculateRegExpObject()) {
1238                 fixEdge<RegExpObjectUse>(node->child2());
1239
1240                 if (node->child3()->shouldSpeculateString())
1241                     fixEdge<StringUse>(node->child3());
1242             }
1243             break;
1244         }
1245
1246         case RegExpMatchFast: {
1247             fixEdge<KnownCellUse>(node->child1());
1248             fixEdge<RegExpObjectUse>(node->child2());
1249             fixEdge<StringUse>(node->child3());
1250             break;
1251         }
1252
1253         case StringReplace:
1254         case StringReplaceRegExp: {
1255             if (node->child2()->shouldSpeculateString()) {
1256                 m_insertionSet.insertNode(
1257                     m_indexInBlock, SpecNone, Check, node->origin,
1258                     Edge(node->child2().node(), StringUse));
1259                 fixEdge<StringUse>(node->child2());
1260             } else if (op == StringReplace) {
1261                 if (node->child2()->shouldSpeculateRegExpObject())
1262                     addStringReplacePrimordialChecks(node->child2().node());
1263                 else 
1264                     m_insertionSet.insertNode(
1265                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1266             }
1267
1268             if (node->child1()->shouldSpeculateString()
1269                 && node->child2()->shouldSpeculateRegExpObject()
1270                 && node->child3()->shouldSpeculateString()) {
1271
1272                 fixEdge<StringUse>(node->child1());
1273                 fixEdge<RegExpObjectUse>(node->child2());
1274                 fixEdge<StringUse>(node->child3());
1275                 break;
1276             }
1277             break;
1278         }
1279             
1280         case Branch: {
1281             if (node->child1()->shouldSpeculateBoolean()) {
1282                 if (node->child1()->result() == NodeResultBoolean) {
1283                     // This is necessary in case we have a bytecode instruction implemented by:
1284                     //
1285                     // a: CompareEq(...)
1286                     // b: Branch(@a)
1287                     //
1288                     // In that case, CompareEq might have a side-effect. Then, we need to make
1289                     // sure that we know that Branch does not exit.
1290                     fixEdge<KnownBooleanUse>(node->child1());
1291                 } else
1292                     fixEdge<BooleanUse>(node->child1());
1293             } else if (node->child1()->shouldSpeculateObjectOrOther())
1294                 fixEdge<ObjectOrOtherUse>(node->child1());
1295             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1296                 fixIntOrBooleanEdge(node->child1());
1297             else if (node->child1()->shouldSpeculateNumber())
1298                 fixEdge<DoubleRepUse>(node->child1());
1299             else if (node->child1()->shouldSpeculateString())
1300                 fixEdge<StringUse>(node->child1());
1301             else if (node->child1()->shouldSpeculateStringOrOther())
1302                 fixEdge<StringOrOtherUse>(node->child1());
1303             else {
1304                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1305                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1306                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1307             }
1308             break;
1309         }
1310             
1311         case Switch: {
1312             SwitchData* data = node->switchData();
1313             switch (data->kind) {
1314             case SwitchImm:
1315                 if (node->child1()->shouldSpeculateInt32())
1316                     fixEdge<Int32Use>(node->child1());
1317                 break;
1318             case SwitchChar:
1319                 if (node->child1()->shouldSpeculateString())
1320                     fixEdge<StringUse>(node->child1());
1321                 break;
1322             case SwitchString:
1323                 if (node->child1()->shouldSpeculateStringIdent())
1324                     fixEdge<StringIdentUse>(node->child1());
1325                 else if (node->child1()->shouldSpeculateString())
1326                     fixEdge<StringUse>(node->child1());
1327                 break;
1328             case SwitchCell:
1329                 if (node->child1()->shouldSpeculateCell())
1330                     fixEdge<CellUse>(node->child1());
1331                 // else it's fine for this to have UntypedUse; we will handle this by just making
1332                 // non-cells take the default case.
1333                 break;
1334             }
1335             break;
1336         }
1337             
1338         case ToPrimitive: {
1339             fixupToPrimitive(node);
1340             break;
1341         }
1342
1343         case ToNumber: {
1344             fixupToNumber(node);
1345             break;
1346         }
1347             
1348         case ToString:
1349         case CallStringConstructor: {
1350             fixupToStringOrCallStringConstructor(node);
1351             break;
1352         }
1353             
1354         case NewStringObject: {
1355             fixEdge<KnownStringUse>(node->child1());
1356             break;
1357         }
1358
1359         case NewSymbol: {
1360             if (node->child1())
1361                 fixEdge<KnownStringUse>(node->child1());
1362             break;
1363         }
1364
1365         case NewArrayWithSpread: {
1366             watchHavingABadTime(node);
1367             
1368             BitVector* bitVector = node->bitVector();
1369             for (unsigned i = node->numChildren(); i--;) {
1370                 if (bitVector->get(i))
1371                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1372                 else
1373                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1374             }
1375
1376             break;
1377         }
1378
1379         case Spread: {
1380             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1381             
1382             watchHavingABadTime(node->child1().node());
1383
1384             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1385             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1386             // that it doesn't contain any indexed properties, and that any holes will result in
1387             // jsUndefined().
1388             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1389             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1390             if (node->child1()->shouldSpeculateArray()
1391                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1392                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1393                 && globalObject->arrayPrototypeChainIsSane()
1394                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1395                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1396                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1397                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1398                 fixEdge<ArrayUse>(node->child1());
1399             } else
1400                 fixEdge<CellUse>(node->child1());
1401             break;
1402         }
1403             
1404         case NewArray: {
1405             watchHavingABadTime(node);
1406             
1407             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1408                 node->setIndexingType(
1409                     leastUpperBoundOfIndexingTypeAndType(
1410                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1411             }
1412             switch (node->indexingType()) {
1413             case ALL_BLANK_INDEXING_TYPES:
1414                 CRASH();
1415                 break;
1416             case ALL_UNDECIDED_INDEXING_TYPES:
1417                 if (node->numChildren()) {
1418                     // This will only happen if the children have no type predictions. We
1419                     // would have already exited by now, but insert a forced exit just to
1420                     // be safe.
1421                     m_insertionSet.insertNode(
1422                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1423                 }
1424                 break;
1425             case ALL_INT32_INDEXING_TYPES:
1426                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1427                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1428                 break;
1429             case ALL_DOUBLE_INDEXING_TYPES:
1430                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1431                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1432                 break;
1433             case ALL_CONTIGUOUS_INDEXING_TYPES:
1434             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1435                 break;
1436             default:
1437                 CRASH();
1438                 break;
1439             }
1440             break;
1441         }
1442             
1443         case NewTypedArray: {
1444             watchHavingABadTime(node);
1445             
1446             if (node->child1()->shouldSpeculateInt32()) {
1447                 fixEdge<Int32Use>(node->child1());
1448                 node->clearFlags(NodeMustGenerate);
1449                 break;
1450             }
1451             break;
1452         }
1453             
1454         case NewArrayWithSize: {
1455             watchHavingABadTime(node);
1456             fixEdge<Int32Use>(node->child1());
1457             break;
1458         }
1459
1460         case NewArrayBuffer: {
1461             watchHavingABadTime(node);
1462             break;
1463         }
1464
1465         case ToObject: {
1466             fixupToObject(node);
1467             break;
1468         }
1469
1470         case CallObjectConstructor: {
1471             fixupCallObjectConstructor(node);
1472             break;
1473         }
1474
1475         case ToThis: {
1476             fixupToThis(node);
1477             break;
1478         }
1479             
1480         case PutStructure: {
1481             fixEdge<KnownCellUse>(node->child1());
1482             break;
1483         }
1484             
1485         case GetClosureVar:
1486         case GetFromArguments: {
1487             fixEdge<KnownCellUse>(node->child1());
1488             break;
1489         }
1490
1491         case PutClosureVar:
1492         case PutToArguments: {
1493             fixEdge<KnownCellUse>(node->child1());
1494             speculateForBarrier(node->child2());
1495             break;
1496         }
1497
1498         case SkipScope:
1499         case GetScope:
1500         case GetGetter:
1501         case GetSetter:
1502         case GetGlobalObject: {
1503             fixEdge<KnownCellUse>(node->child1());
1504             break;
1505         }
1506             
1507         case AllocatePropertyStorage:
1508         case ReallocatePropertyStorage: {
1509             fixEdge<KnownCellUse>(node->child1());
1510             break;
1511         }
1512             
1513         case NukeStructureAndSetButterfly: {
1514             fixEdge<KnownCellUse>(node->child1());
1515             break;
1516         }
1517
1518         case TryGetById: {
1519             if (node->child1()->shouldSpeculateCell())
1520                 fixEdge<CellUse>(node->child1());
1521             break;
1522         }
1523
1524         case GetByIdDirect:
1525         case GetByIdDirectFlush: {
1526             if (node->child1()->shouldSpeculateCell())
1527                 fixEdge<CellUse>(node->child1());
1528             break;
1529         }
1530
1531         case GetById:
1532         case GetByIdFlush: {
1533             // FIXME: This should be done in the ByteCodeParser based on reading the
1534             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1535             // https://bugs.webkit.org/show_bug.cgi?id=154990
1536             auto uid = m_graph.identifiers()[node->identifierNumber()];
1537             if (node->child1()->shouldSpeculateCellOrOther()
1538                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1539                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1540                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1541                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1542                 
1543                 if (uid == vm().propertyNames->length.impl()) {
1544                     attemptToMakeGetArrayLength(node);
1545                     break;
1546                 }
1547
1548                 if (uid == vm().propertyNames->lastIndex.impl()
1549                     && node->child1()->shouldSpeculateRegExpObject()) {
1550                     node->setOp(GetRegExpObjectLastIndex);
1551                     node->clearFlags(NodeMustGenerate);
1552                     fixEdge<RegExpObjectUse>(node->child1());
1553                     break;
1554                 }
1555             }
1556
1557             if (node->child1()->shouldSpeculateNumber()) {
1558                 if (uid == vm().propertyNames->toString.impl()) {
1559                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1560                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1561                         if (node->child1()->shouldSpeculateInt32()) {
1562                             insertCheck<Int32Use>(node->child1().node());
1563                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1564                             break;
1565                         }
1566
1567                         if (node->child1()->shouldSpeculateInt52()) {
1568                             insertCheck<Int52RepUse>(node->child1().node());
1569                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1570                             break;
1571                         }
1572
1573                         ASSERT(node->child1()->shouldSpeculateNumber());
1574                         insertCheck<DoubleRepUse>(node->child1().node());
1575                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1576                         break;
1577                     }
1578                 }
1579             }
1580
1581             if (node->child1()->shouldSpeculateCell())
1582                 fixEdge<CellUse>(node->child1());
1583             break;
1584         }
1585         
1586         case GetByIdWithThis: {
1587             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1588                 fixEdge<CellUse>(node->child1());
1589                 fixEdge<CellUse>(node->child2());
1590             }
1591             break;
1592         }
1593
1594         case PutById:
1595         case PutByIdFlush:
1596         case PutByIdDirect: {
1597             if (node->child1()->shouldSpeculateCellOrOther()
1598                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1599                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1600                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1601                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1602                 
1603                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1604                 
1605                 if (uid == vm().propertyNames->lastIndex.impl()
1606                     && node->child1()->shouldSpeculateRegExpObject()) {
1607                     node->convertToSetRegExpObjectLastIndex();
1608                     fixEdge<RegExpObjectUse>(node->child1());
1609                     speculateForBarrier(node->child2());
1610                     break;
1611                 }
1612             }
1613             
1614             fixEdge<CellUse>(node->child1());
1615             break;
1616         }
1617
1618         case PutGetterById:
1619         case PutSetterById: {
1620             fixEdge<KnownCellUse>(node->child1());
1621             fixEdge<KnownCellUse>(node->child2());
1622             break;
1623         }
1624
1625         case PutGetterSetterById: {
1626             fixEdge<KnownCellUse>(node->child1());
1627             break;
1628         }
1629
1630         case PutGetterByVal:
1631         case PutSetterByVal: {
1632             fixEdge<KnownCellUse>(node->child1());
1633             fixEdge<KnownCellUse>(node->child3());
1634             break;
1635         }
1636
1637         case GetExecutable: {
1638             fixEdge<FunctionUse>(node->child1());
1639             break;
1640         }
1641
1642         case OverridesHasInstance:
1643         case CheckStructure:
1644         case CheckCell:
1645         case CreateThis:
1646         case GetButterfly: {
1647             fixEdge<CellUse>(node->child1());
1648             break;
1649         }
1650
1651         case ObjectCreate: {
1652             if (node->child1()->shouldSpeculateObject()) {
1653                 fixEdge<ObjectUse>(node->child1());
1654                 node->clearFlags(NodeMustGenerate);
1655                 break;
1656             }
1657             break;
1658         }
1659
1660         case ObjectKeys: {
1661             if (node->child1()->shouldSpeculateObject()) {
1662                 watchHavingABadTime(node);
1663                 fixEdge<ObjectUse>(node->child1());
1664             }
1665             break;
1666         }
1667
1668         case CheckStringIdent: {
1669             fixEdge<StringIdentUse>(node->child1());
1670             break;
1671         }
1672             
1673         case Arrayify:
1674         case ArrayifyToStructure: {
1675             fixEdge<CellUse>(node->child1());
1676             if (node->child2())
1677                 fixEdge<Int32Use>(node->child2());
1678             break;
1679         }
1680             
1681         case GetByOffset:
1682         case GetGetterSetterByOffset: {
1683             if (!node->child1()->hasStorageResult())
1684                 fixEdge<KnownCellUse>(node->child1());
1685             fixEdge<KnownCellUse>(node->child2());
1686             break;
1687         }
1688             
1689         case MultiGetByOffset: {
1690             fixEdge<CellUse>(node->child1());
1691             break;
1692         }
1693             
1694         case PutByOffset: {
1695             if (!node->child1()->hasStorageResult())
1696                 fixEdge<KnownCellUse>(node->child1());
1697             fixEdge<KnownCellUse>(node->child2());
1698             speculateForBarrier(node->child3());
1699             break;
1700         }
1701             
1702         case MultiPutByOffset: {
1703             fixEdge<CellUse>(node->child1());
1704             break;
1705         }
1706             
1707         case MatchStructure: {
1708             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1709             // https://bugs.webkit.org/show_bug.cgi?id=185784
1710             fixEdge<CellUse>(node->child1());
1711             break;
1712         }
1713             
1714         case InstanceOf: {
1715             if (node->child1()->shouldSpeculateCell()
1716                 && node->child2()->shouldSpeculateCell()
1717                 && is64Bit()) {
1718                 fixEdge<CellUse>(node->child1());
1719                 fixEdge<CellUse>(node->child2());
1720                 break;
1721             }
1722             break;
1723         }
1724
1725         case InstanceOfCustom:
1726             fixEdge<CellUse>(node->child2());
1727             break;
1728
1729         case InById: {
1730             fixEdge<CellUse>(node->child1());
1731             break;
1732         }
1733
1734         case InByVal: {
1735             if (node->child2()->shouldSpeculateInt32()) {
1736                 convertToHasIndexedProperty(node);
1737                 break;
1738             }
1739
1740             fixEdge<CellUse>(node->child1());
1741             break;
1742         }
1743
1744         case HasOwnProperty: {
1745             fixEdge<ObjectUse>(node->child1());
1746 #if CPU(X86)
1747             // We don't have enough registers to do anything interesting on x86 and mips.
1748             fixEdge<UntypedUse>(node->child2());
1749 #else
1750             if (node->child2()->shouldSpeculateString())
1751                 fixEdge<StringUse>(node->child2());
1752             else if (node->child2()->shouldSpeculateSymbol())
1753                 fixEdge<SymbolUse>(node->child2());
1754             else
1755                 fixEdge<UntypedUse>(node->child2());
1756 #endif
1757             break;
1758         }
1759
1760         case CheckVarargs:
1761         case Check: {
1762             m_graph.doToChildren(
1763                 node,
1764                 [&] (Edge& edge) {
1765                     switch (edge.useKind()) {
1766                     case NumberUse:
1767                         if (edge->shouldSpeculateInt32ForArithmetic())
1768                             edge.setUseKind(Int32Use);
1769                         break;
1770                     default:
1771                         break;
1772                     }
1773                     observeUseKindOnEdge(edge);
1774                 });
1775             break;
1776         }
1777
1778         case Phantom:
1779             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1780             node->remove(m_graph);
1781             break;
1782
1783         case FiatInt52: {
1784             RELEASE_ASSERT(enableInt52());
1785             node->convertToIdentity();
1786             fixEdge<Int52RepUse>(node->child1());
1787             node->setResult(NodeResultInt52);
1788             break;
1789         }
1790
1791         case GetArrayLength: {
1792             fixEdge<KnownCellUse>(node->child1());
1793             break;
1794         }
1795
1796         case GetTypedArrayByteOffset: {
1797             fixEdge<KnownCellUse>(node->child1());
1798             break;
1799         }
1800
1801         case CompareBelow:
1802         case CompareBelowEq: {
1803             fixEdge<Int32Use>(node->child1());
1804             fixEdge<Int32Use>(node->child2());
1805             break;
1806         }
1807
1808         case GetPrototypeOf: {
1809             fixupGetPrototypeOf(node);
1810             break;
1811         }
1812
1813         case Phi:
1814         case Upsilon:
1815         case EntrySwitch:
1816         case GetIndexedPropertyStorage:
1817         case LastNodeType:
1818         case CheckTierUpInLoop:
1819         case CheckTierUpAtReturn:
1820         case CheckTierUpAndOSREnter:
1821         case CheckArray:
1822         case CheckInBounds:
1823         case ConstantStoragePointer:
1824         case DoubleAsInt32:
1825         case ValueToInt32:
1826         case DoubleRep:
1827         case ValueRep:
1828         case Int52Rep:
1829         case Int52Constant:
1830         case Identity: // This should have been cleaned up.
1831         case BooleanToNumber:
1832         case PhantomNewObject:
1833         case PhantomNewFunction:
1834         case PhantomNewGeneratorFunction:
1835         case PhantomNewAsyncGeneratorFunction:
1836         case PhantomNewAsyncFunction:
1837         case PhantomCreateActivation:
1838         case PhantomDirectArguments:
1839         case PhantomCreateRest:
1840         case PhantomSpread:
1841         case PhantomNewArrayWithSpread:
1842         case PhantomNewArrayBuffer:
1843         case PhantomClonedArguments:
1844         case PhantomNewRegexp:
1845         case GetMyArgumentByVal:
1846         case GetMyArgumentByValOutOfBounds:
1847         case GetVectorLength:
1848         case PutHint:
1849         case CheckStructureImmediate:
1850         case CheckStructureOrEmpty:
1851         case MaterializeNewObject:
1852         case MaterializeCreateActivation:
1853         case PutStack:
1854         case KillStack:
1855         case GetStack:
1856         case StoreBarrier:
1857         case FencedStoreBarrier:
1858         case GetRegExpObjectLastIndex:
1859         case SetRegExpObjectLastIndex:
1860         case RecordRegExpCachedResult:
1861         case RegExpExecNonGlobalOrSticky:
1862         case RegExpMatchFastGlobal:
1863             // These are just nodes that we don't currently expect to see during fixup.
1864             // If we ever wanted to insert them prior to fixup, then we just have to create
1865             // fixup rules for them.
1866             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1867             break;
1868
1869         case PutGlobalVariable: {
1870             fixEdge<CellUse>(node->child1());
1871             speculateForBarrier(node->child2());
1872             break;
1873         }
1874
1875         case IsObject:
1876             if (node->child1()->shouldSpeculateObject()) {
1877                 m_insertionSet.insertNode(
1878                     m_indexInBlock, SpecNone, Check, node->origin,
1879                     Edge(node->child1().node(), ObjectUse));
1880                 m_graph.convertToConstant(node, jsBoolean(true));
1881                 observeUseKindOnNode<ObjectUse>(node);
1882             }
1883             break;
1884
1885         case IsCellWithType: {
1886             fixupIsCellWithType(node);
1887             break;
1888         }
1889
1890         case GetEnumerableLength: {
1891             fixEdge<CellUse>(node->child1());
1892             break;
1893         }
1894         case HasGenericProperty: {
1895             fixEdge<CellUse>(node->child2());
1896             break;
1897         }
1898         case HasStructureProperty: {
1899             fixEdge<StringUse>(node->child2());
1900             fixEdge<KnownCellUse>(node->child3());
1901             break;
1902         }
1903         case HasIndexedProperty: {
1904             node->setArrayMode(
1905                 node->arrayMode().refine(
1906                     m_graph, node,
1907                     m_graph.varArgChild(node, 0)->prediction(),
1908                     m_graph.varArgChild(node, 1)->prediction(),
1909                     SpecNone));
1910             
1911             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
1912             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1913             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1914             break;
1915         }
1916         case GetDirectPname: {
1917             Edge& base = m_graph.varArgChild(node, 0);
1918             Edge& property = m_graph.varArgChild(node, 1);
1919             Edge& index = m_graph.varArgChild(node, 2);
1920             Edge& enumerator = m_graph.varArgChild(node, 3);
1921             fixEdge<CellUse>(base);
1922             fixEdge<KnownCellUse>(property);
1923             fixEdge<Int32Use>(index);
1924             fixEdge<KnownCellUse>(enumerator);
1925             break;
1926         }
1927         case GetPropertyEnumerator: {
1928             if (node->child1()->shouldSpeculateCell())
1929                 fixEdge<CellUse>(node->child1());
1930             break;
1931         }
1932         case GetEnumeratorStructurePname: {
1933             fixEdge<KnownCellUse>(node->child1());
1934             fixEdge<Int32Use>(node->child2());
1935             break;
1936         }
1937         case GetEnumeratorGenericPname: {
1938             fixEdge<KnownCellUse>(node->child1());
1939             fixEdge<Int32Use>(node->child2());
1940             break;
1941         }
1942         case ToIndexString: {
1943             fixEdge<Int32Use>(node->child1());
1944             break;
1945         }
1946         case ProfileType: {
1947             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1948             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1949             // type T for the instructionTypeSet, the global type set must also have information for type T.
1950             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1951             // in the globalTypeSet would've also succeeded.
1952             // (The other direction does not hold in general).
1953
1954             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1955             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1956             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1957                 if (node->child1()->shouldSpeculateInt32()) {
1958                     fixEdge<Int32Use>(node->child1());
1959                     node->remove(m_graph);
1960                     break;
1961                 }
1962
1963                 if (enableInt52()) {
1964                     fixEdge<AnyIntUse>(node->child1());
1965                     node->remove(m_graph);
1966                     break;
1967                 }
1968
1969                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1970             }
1971
1972             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1973                 fixEdge<NumberUse>(node->child1());
1974                 node->remove(m_graph);
1975             } else if (typeSet->doesTypeConformTo(TypeString)) {
1976                 fixEdge<StringUse>(node->child1());
1977                 node->remove(m_graph);
1978             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1979                 fixEdge<BooleanUse>(node->child1());
1980                 node->remove(m_graph);
1981             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1982                 fixEdge<OtherUse>(node->child1());
1983                 node->remove(m_graph);
1984             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1985                 StructureSet set;
1986                 {
1987                     ConcurrentJSLocker locker(typeSet->m_lock);
1988                     set = typeSet->structureSet(locker);
1989                 }
1990                 if (!set.isEmpty()) {
1991                     fixEdge<CellUse>(node->child1());
1992                     node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
1993                 }
1994             }
1995
1996             break;
1997         }
1998
1999         case CreateClonedArguments: {
2000             watchHavingABadTime(node);
2001             break;
2002         }
2003
2004         case CreateScopedArguments:
2005         case CreateActivation:
2006         case NewFunction:
2007         case NewGeneratorFunction:
2008         case NewAsyncGeneratorFunction:
2009         case NewAsyncFunction: {
2010             // Child 1 is always the current scope, which is guaranteed to be an object
2011             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
2012             fixEdge<KnownCellUse>(node->child1());
2013             break;
2014         }
2015
2016         case PushWithScope: {
2017             // Child 1 is always the current scope, which is guaranteed to be an object
2018             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
2019             fixEdge<KnownCellUse>(node->child1());
2020             if (node->child2()->shouldSpeculateObject())
2021                 fixEdge<ObjectUse>(node->child2());
2022             break;
2023         }
2024
2025         case SetFunctionName: {
2026             // The first child is guaranteed to be a cell because op_set_function_name is only used
2027             // on a newly instantiated function object (the first child).
2028             fixEdge<KnownCellUse>(node->child1());
2029             fixEdge<UntypedUse>(node->child2());
2030             break;
2031         }
2032
2033         case CreateRest: {
2034             watchHavingABadTime(node);
2035             fixEdge<Int32Use>(node->child1());
2036             break;
2037         }
2038
2039         case ResolveScopeForHoistingFuncDeclInEval: {
2040             fixEdge<KnownCellUse>(node->child1());
2041             break;
2042         }
2043         case ResolveScope:
2044         case GetDynamicVar:
2045         case PutDynamicVar: {
2046             fixEdge<KnownCellUse>(node->child1());
2047             break;
2048         }
2049
2050         case LogShadowChickenPrologue: {
2051             fixEdge<KnownCellUse>(node->child1());
2052             break;
2053         }
2054         case LogShadowChickenTail: {
2055             fixEdge<UntypedUse>(node->child1());
2056             fixEdge<KnownCellUse>(node->child2());
2057             break;
2058         }
2059
2060         case GetMapBucket:
2061             if (node->child1().useKind() == MapObjectUse)
2062                 fixEdge<MapObjectUse>(node->child1());
2063             else if (node->child1().useKind() == SetObjectUse)
2064                 fixEdge<SetObjectUse>(node->child1());
2065             else
2066                 RELEASE_ASSERT_NOT_REACHED();
2067
2068 #if USE(JSVALUE64)
2069             if (node->child2()->shouldSpeculateBoolean())
2070                 fixEdge<BooleanUse>(node->child2());
2071             else if (node->child2()->shouldSpeculateInt32())
2072                 fixEdge<Int32Use>(node->child2());
2073             else if (node->child2()->shouldSpeculateSymbol())
2074                 fixEdge<SymbolUse>(node->child2());
2075             else if (node->child2()->shouldSpeculateObject())
2076                 fixEdge<ObjectUse>(node->child2());
2077             else if (node->child2()->shouldSpeculateString())
2078                 fixEdge<StringUse>(node->child2());
2079             else if (node->child2()->shouldSpeculateCell())
2080                 fixEdge<CellUse>(node->child2());
2081             else
2082                 fixEdge<UntypedUse>(node->child2());
2083 #else
2084             fixEdge<UntypedUse>(node->child2());
2085 #endif // USE(JSVALUE64)
2086
2087             fixEdge<Int32Use>(node->child3());
2088             break;
2089
2090         case GetMapBucketHead:
2091             if (node->child1().useKind() == MapObjectUse)
2092                 fixEdge<MapObjectUse>(node->child1());
2093             else if (node->child1().useKind() == SetObjectUse)
2094                 fixEdge<SetObjectUse>(node->child1());
2095             else
2096                 RELEASE_ASSERT_NOT_REACHED();
2097             break;
2098
2099         case GetMapBucketNext:
2100         case LoadKeyFromMapBucket:
2101         case LoadValueFromMapBucket:
2102             fixEdge<CellUse>(node->child1());
2103             break;
2104
2105         case MapHash: {
2106 #if USE(JSVALUE64)
2107             if (node->child1()->shouldSpeculateBoolean()) {
2108                 fixEdge<BooleanUse>(node->child1());
2109                 break;
2110             }
2111
2112             if (node->child1()->shouldSpeculateInt32()) {
2113                 fixEdge<Int32Use>(node->child1());
2114                 break;
2115             }
2116
2117             if (node->child1()->shouldSpeculateSymbol()) {
2118                 fixEdge<SymbolUse>(node->child1());
2119                 break;
2120             }
2121
2122             if (node->child1()->shouldSpeculateObject()) {
2123                 fixEdge<ObjectUse>(node->child1());
2124                 break;
2125             }
2126
2127             if (node->child1()->shouldSpeculateString()) {
2128                 fixEdge<StringUse>(node->child1());
2129                 break;
2130             }
2131
2132             if (node->child1()->shouldSpeculateCell()) {
2133                 fixEdge<CellUse>(node->child1());
2134                 break;
2135             }
2136
2137             fixEdge<UntypedUse>(node->child1());
2138 #else
2139             fixEdge<UntypedUse>(node->child1());
2140 #endif // USE(JSVALUE64)
2141             break;
2142         }
2143
2144         case NormalizeMapKey: {
2145             fixupNormalizeMapKey(node);
2146             break;
2147         }
2148
2149         case WeakMapGet: {
2150             if (node->child1().useKind() == WeakMapObjectUse)
2151                 fixEdge<WeakMapObjectUse>(node->child1());
2152             else if (node->child1().useKind() == WeakSetObjectUse)
2153                 fixEdge<WeakSetObjectUse>(node->child1());
2154             else
2155                 RELEASE_ASSERT_NOT_REACHED();
2156             fixEdge<ObjectUse>(node->child2());
2157             fixEdge<Int32Use>(node->child3());
2158             break;
2159         }
2160
2161         case SetAdd: {
2162             fixEdge<SetObjectUse>(node->child1());
2163             fixEdge<Int32Use>(node->child3());
2164             break;
2165         }
2166
2167         case MapSet: {
2168             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
2169             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2170             break;
2171         }
2172
2173         case WeakSetAdd: {
2174             fixEdge<WeakSetObjectUse>(node->child1());
2175             fixEdge<ObjectUse>(node->child2());
2176             fixEdge<Int32Use>(node->child3());
2177             break;
2178         }
2179
2180         case WeakMapSet: {
2181             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2182             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2183             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2184             break;
2185         }
2186
2187         case DefineDataProperty: {
2188             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2189             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2190             if (propertyEdge->shouldSpeculateSymbol())
2191                 fixEdge<SymbolUse>(propertyEdge);
2192             else if (propertyEdge->shouldSpeculateStringIdent())
2193                 fixEdge<StringIdentUse>(propertyEdge);
2194             else if (propertyEdge->shouldSpeculateString())
2195                 fixEdge<StringUse>(propertyEdge);
2196             else
2197                 fixEdge<UntypedUse>(propertyEdge);
2198             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2199             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2200             break;
2201         }
2202
2203         case StringValueOf: {
2204             fixupStringValueOf(node);
2205             break;
2206         }
2207
2208         case StringSlice: {
2209             fixEdge<StringUse>(node->child1());
2210             fixEdge<Int32Use>(node->child2());
2211             if (node->child3())
2212                 fixEdge<Int32Use>(node->child3());
2213             break;
2214         }
2215
2216         case ToLowerCase: {
2217             // We currently only support StringUse since that will ensure that
2218             // ToLowerCase is a pure operation. If we decide to update this with
2219             // more types in the future, we need to ensure that the clobberize rules
2220             // are correct.
2221             fixEdge<StringUse>(node->child1());
2222             break;
2223         }
2224
2225         case NumberToStringWithRadix: {
2226             if (node->child1()->shouldSpeculateInt32())
2227                 fixEdge<Int32Use>(node->child1());
2228             else if (node->child1()->shouldSpeculateInt52())
2229                 fixEdge<Int52RepUse>(node->child1());
2230             else
2231                 fixEdge<DoubleRepUse>(node->child1());
2232             fixEdge<Int32Use>(node->child2());
2233             break;
2234         }
2235
2236         case DefineAccessorProperty: {
2237             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2238             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2239             if (propertyEdge->shouldSpeculateSymbol())
2240                 fixEdge<SymbolUse>(propertyEdge);
2241             else if (propertyEdge->shouldSpeculateStringIdent())
2242                 fixEdge<StringIdentUse>(propertyEdge);
2243             else if (propertyEdge->shouldSpeculateString())
2244                 fixEdge<StringUse>(propertyEdge);
2245             else
2246                 fixEdge<UntypedUse>(propertyEdge);
2247             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2248             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2249             fixEdge<Int32Use>(m_graph.varArgChild(node, 4));
2250             break;
2251         }
2252
2253         case CheckSubClass: {
2254             fixupCheckSubClass(node);
2255             break;
2256         }
2257
2258         case CallDOMGetter: {
2259             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2260             fixEdge<CellUse>(node->child1()); // DOM.
2261             if (snippet && snippet->requireGlobalObject)
2262                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2263             break;
2264         }
2265
2266         case CallDOM: {
2267             fixupCallDOM(node);
2268             break;
2269         }
2270
2271         case Call: {
2272             attemptToMakeCallDOM(node);
2273             break;
2274         }
2275
2276         case ParseInt: {
2277             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2278                 fixEdge<Int32Use>(node->child1());
2279                 node->convertToIdentity();
2280                 break;
2281             }
2282
2283             if (node->child1()->shouldSpeculateString()) {
2284                 fixEdge<StringUse>(node->child1());
2285                 node->clearFlags(NodeMustGenerate);
2286             }
2287
2288             if (node->child2())
2289                 fixEdge<Int32Use>(node->child2());
2290
2291             break;
2292         }
2293
2294         case IdentityWithProfile: {
2295             node->clearFlags(NodeMustGenerate);
2296             break;
2297         }
2298
2299         case ThrowStaticError:
2300             fixEdge<StringUse>(node->child1());
2301             break;
2302
2303         case NumberIsInteger:
2304             if (node->child1()->shouldSpeculateInt32()) {
2305                 m_insertionSet.insertNode(
2306                     m_indexInBlock, SpecNone, Check, node->origin,
2307                     Edge(node->child1().node(), Int32Use));
2308                 m_graph.convertToConstant(node, jsBoolean(true));
2309                 break;
2310             }
2311             break;
2312
2313         case SetCallee:
2314             fixEdge<CellUse>(node->child1());
2315             break;
2316
2317         case DataViewGetInt:
2318         case DataViewGetFloat: {
2319             fixEdge<DataViewObjectUse>(node->child1());
2320             fixEdge<Int32Use>(node->child2());
2321             if (node->child3())
2322                 fixEdge<BooleanUse>(node->child3());
2323
2324             if (node->op() == DataViewGetInt) {
2325                 DataViewData data = node->dataViewData();
2326                 switch (data.byteSize) {
2327                 case 1:
2328                 case 2:
2329                     node->setResult(NodeResultInt32);
2330                     break;
2331                 case 4:
2332                     if (data.isSigned)
2333                         node->setResult(NodeResultInt32);
2334                     else
2335                         node->setResult(NodeResultInt52);
2336                     break;
2337                 default:
2338                     RELEASE_ASSERT_NOT_REACHED();
2339                 }
2340             }
2341             break;
2342         }
2343
2344         case DataViewSet: {
2345             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2346             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2347             if (m_graph.varArgChild(node, 3))
2348                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2349             
2350             DataViewData data = node->dataViewData();
2351             Edge& valueToStore = m_graph.varArgChild(node, 2);
2352             if (data.isFloatingPoint)
2353                 fixEdge<DoubleRepUse>(valueToStore);
2354             else {
2355                 switch (data.byteSize) {
2356                 case 1:
2357                 case 2:
2358                     fixEdge<Int32Use>(valueToStore);
2359                     break;
2360                 case 4:
2361                     if (data.isSigned)
2362                         fixEdge<Int32Use>(valueToStore);
2363                     else
2364                         fixEdge<Int52RepUse>(valueToStore);
2365                     break;
2366                 }
2367             }
2368             break;
2369         }
2370
2371 #if !ASSERT_DISABLED
2372         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2373         case SetArgumentDefinitely:
2374         case SetArgumentMaybe:
2375         case JSConstant:
2376         case LazyJSConstant:
2377         case DoubleConstant:
2378         case GetLocal:
2379         case GetCallee:
2380         case GetArgumentCountIncludingThis:
2381         case SetArgumentCountIncludingThis:
2382         case GetRestLength:
2383         case GetArgument:
2384         case Flush:
2385         case PhantomLocal:
2386         case GetGlobalVar:
2387         case GetGlobalLexicalVariable:
2388         case NotifyWrite:
2389         case DirectCall:
2390         case CheckTypeInfoFlags:
2391         case TailCallInlinedCaller:
2392         case DirectTailCallInlinedCaller:
2393         case Construct:
2394         case DirectConstruct:
2395         case CallVarargs:
2396         case CallEval:
2397         case TailCallVarargsInlinedCaller:
2398         case ConstructVarargs:
2399         case CallForwardVarargs:
2400         case ConstructForwardVarargs:
2401         case TailCallForwardVarargs:
2402         case TailCallForwardVarargsInlinedCaller:
2403         case LoadVarargs:
2404         case ForwardVarargs:
2405         case ProfileControlFlow:
2406         case NewObject:
2407         case NewRegexp:
2408         case DeleteById:
2409         case DeleteByVal:
2410         case IsTypedArrayView:
2411         case IsEmpty:
2412         case IsUndefined:
2413         case IsUndefinedOrNull:
2414         case IsBoolean:
2415         case IsNumber:
2416         case IsObjectOrNull:
2417         case IsFunction:
2418         case CreateDirectArguments:
2419         case Jump:
2420         case Return:
2421         case TailCall:
2422         case DirectTailCall:
2423         case TailCallVarargs:
2424         case Throw:
2425         case CountExecution:
2426         case SuperSamplerBegin:
2427         case SuperSamplerEnd:
2428         case ForceOSRExit:
2429         case CheckBadCell:
2430         case CheckNotEmpty:
2431         case AssertNotEmpty:
2432         case CheckTraps:
2433         case Unreachable:
2434         case ExtractOSREntryLocal:
2435         case ExtractCatchLocal:
2436         case ClearCatchLocals:
2437         case LoopHint:
2438         case MovHint:
2439         case InitializeEntrypointArguments:
2440         case ZombieHint:
2441         case ExitOK:
2442         case BottomValue:
2443         case TypeOf:
2444         case PutByIdWithThis:
2445         case PutByValWithThis:
2446         case GetByValWithThis:
2447         case CompareEqPtr:
2448         case NumberToStringWithValidRadixConstant:
2449         case GetGlobalThis:
2450         case ExtractValueFromWeakMapGet:
2451         case CPUIntrinsic:
2452         case FilterCallLinkStatus:
2453         case FilterGetByIdStatus:
2454         case FilterPutByIdStatus:
2455         case FilterInByIdStatus:
2456         case InvalidationPoint:
2457             break;
2458 #else
2459         default:
2460             break;
2461 #endif
2462         }
2463     }
2464
2465     void watchHavingABadTime(Node* node)
2466     {
2467         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2468
2469         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2470         // does an array allocation. The types of array allocations may change if we start to have a bad
2471         // time. It's easier to reason about this if we know that whenever the types change after we start
2472         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2473         // prior to this point nobody should have been doing optimizations based on the indexing type of
2474         // the allocation.
2475         if (!globalObject->isHavingABadTime()) {
2476             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2477             m_graph.freeze(globalObject);
2478         }
2479     }
2480     
2481     template<UseKind useKind>
2482     void createToString(Node* node, Edge& edge)
2483     {
2484         Node* toString = m_insertionSet.insertNode(
2485             m_indexInBlock, SpecString, ToString, node->origin,
2486             Edge(edge.node(), useKind));
2487         switch (useKind) {
2488         case Int32Use:
2489         case Int52RepUse:
2490         case DoubleRepUse:
2491         case NotCellUse:
2492             toString->clearFlags(NodeMustGenerate);
2493             break;
2494         default:
2495             break;
2496         }
2497         edge.setNode(toString);
2498     }
2499     
2500     template<UseKind useKind>
2501     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2502     {
2503         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read) || arrayMode == ArrayMode(Array::Generic, Array::OriginalNonArray, Array::Read));
2504         
2505         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2506             return;
2507         
2508         addCheckStructureForOriginalStringObjectUse(useKind, node->origin, node->child1().node());
2509         createToString<useKind>(node, node->child1());
2510         arrayMode = ArrayMode(Array::String, Array::Read);
2511     }
2512
2513     void addCheckStructureForOriginalStringObjectUse(UseKind useKind, const NodeOrigin& origin, Node* node)
2514     {
2515         RELEASE_ASSERT(useKind == StringObjectUse || useKind == StringOrStringObjectUse);
2516
2517         StructureSet set;
2518         set.add(m_graph.globalObjectFor(node->origin.semantic)->stringObjectStructure());
2519         if (useKind == StringOrStringObjectUse)
2520             set.add(vm().stringStructure.get());
2521
2522         m_insertionSet.insertNode(
2523             m_indexInBlock, SpecNone, CheckStructure, origin,
2524             OpInfo(m_graph.addStructureSet(set)), Edge(node, CellUse));
2525     }
2526     
2527     template<UseKind useKind>
2528     void convertStringAddUse(Node* node, Edge& edge)
2529     {
2530         if (useKind == StringUse) {
2531             observeUseKindOnNode<StringUse>(edge.node());
2532             m_insertionSet.insertNode(
2533                 m_indexInBlock, SpecNone, Check, node->origin,
2534                 Edge(edge.node(), StringUse));
2535             edge.setUseKind(KnownStringUse);
2536             return;
2537         }
2538         
2539         observeUseKindOnNode<useKind>(edge.node());
2540         createToString<useKind>(node, edge);
2541     }
2542     
2543     void convertToMakeRope(Node* node)
2544     {
2545         node->setOpAndDefaultFlags(MakeRope);
2546         fixupMakeRope(node);
2547     }
2548     
2549     void fixupMakeRope(Node* node)
2550     {
2551         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2552             Edge& edge = node->children.child(i);
2553             if (!edge)
2554                 break;
2555             edge.setUseKind(KnownStringUse);
2556             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2557             if (!string)
2558                 continue;
2559             if (string->length())
2560                 continue;
2561             
2562             // Don't allow the MakeRope to have zero children.
2563             if (!i && !node->child2())
2564                 break;
2565             
2566             node->children.removeEdge(i--);
2567         }
2568         
2569         if (!node->child2()) {
2570             ASSERT(!node->child3());
2571             node->convertToIdentity();
2572         }
2573     }
2574
2575     void fixupIsCellWithType(Node* node)
2576     {
2577         switch (node->speculatedTypeForQuery()) {
2578         case SpecString:
2579             if (node->child1()->shouldSpeculateString()) {
2580                 m_insertionSet.insertNode(
2581                     m_indexInBlock, SpecNone, Check, node->origin,
2582                     Edge(node->child1().node(), StringUse));
2583                 m_graph.convertToConstant(node, jsBoolean(true));
2584                 observeUseKindOnNode<StringUse>(node);
2585                 return;
2586             }
2587             break;
2588
2589         case SpecProxyObject:
2590             if (node->child1()->shouldSpeculateProxyObject()) {
2591                 m_insertionSet.insertNode(
2592                     m_indexInBlock, SpecNone, Check, node->origin,
2593                     Edge(node->child1().node(), ProxyObjectUse));
2594                 m_graph.convertToConstant(node, jsBoolean(true));
2595                 observeUseKindOnNode<ProxyObjectUse>(node);
2596                 return;
2597             }
2598             break;
2599
2600         case SpecRegExpObject:
2601             if (node->child1()->shouldSpeculateRegExpObject()) {
2602                 m_insertionSet.insertNode(
2603                     m_indexInBlock, SpecNone, Check, node->origin,
2604                     Edge(node->child1().node(), RegExpObjectUse));
2605                 m_graph.convertToConstant(node, jsBoolean(true));
2606                 observeUseKindOnNode<RegExpObjectUse>(node);
2607                 return;
2608             }
2609             break;
2610
2611         case SpecArray:
2612             if (node->child1()->shouldSpeculateArray()) {
2613                 m_insertionSet.insertNode(
2614                     m_indexInBlock, SpecNone, Check, node->origin,
2615                     Edge(node->child1().node(), ArrayUse));
2616                 m_graph.convertToConstant(node, jsBoolean(true));
2617                 observeUseKindOnNode<ArrayUse>(node);
2618                 return;
2619             }
2620             break;
2621
2622         case SpecDerivedArray:
2623             if (node->child1()->shouldSpeculateDerivedArray()) {
2624                 m_insertionSet.insertNode(
2625                     m_indexInBlock, SpecNone, Check, node->origin,
2626                     Edge(node->child1().node(), DerivedArrayUse));
2627                 m_graph.convertToConstant(node, jsBoolean(true));
2628                 observeUseKindOnNode<DerivedArrayUse>(node);
2629                 return;
2630             }
2631             break;
2632         }
2633
2634         if (node->child1()->shouldSpeculateCell()) {
2635             fixEdge<CellUse>(node->child1());
2636             return;
2637         }
2638
2639         if (node->child1()->shouldSpeculateNotCell()) {
2640             m_insertionSet.insertNode(
2641                 m_indexInBlock, SpecNone, Check, node->origin,
2642                 Edge(node->child1().node(), NotCellUse));
2643             m_graph.convertToConstant(node, jsBoolean(false));
2644             observeUseKindOnNode<NotCellUse>(node);
2645             return;
2646         }
2647     }
2648
2649     void fixupGetPrototypeOf(Node* node)
2650     {
2651         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2652         if (node->child1().useKind() != ObjectUse) {
2653             if (node->child1()->shouldSpeculateString()) {
2654                 insertCheck<StringUse>(node->child1().node());
2655                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2656                 return;
2657             }
2658             if (node->child1()->shouldSpeculateInt32()) {
2659                 insertCheck<Int32Use>(node->child1().node());
2660                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2661                 return;
2662             }
2663             if (node->child1()->shouldSpeculateInt52()) {
2664                 insertCheck<Int52RepUse>(node->child1().node());
2665                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2666                 return;
2667             }
2668             if (node->child1()->shouldSpeculateNumber()) {
2669                 insertCheck<NumberUse>(node->child1().node());
2670                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2671                 return;
2672             }
2673             if (node->child1()->shouldSpeculateSymbol()) {
2674                 insertCheck<SymbolUse>(node->child1().node());
2675                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2676                 return;
2677             }
2678             if (node->child1()->shouldSpeculateBoolean()) {
2679                 insertCheck<BooleanUse>(node->child1().node());
2680                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2681                 return;
2682             }
2683         }
2684
2685         if (node->child1()->shouldSpeculateFinalObject()) {
2686             fixEdge<FinalObjectUse>(node->child1());
2687             node->clearFlags(NodeMustGenerate);
2688             return;
2689         }
2690         if (node->child1()->shouldSpeculateArray()) {
2691             fixEdge<ArrayUse>(node->child1());
2692             node->clearFlags(NodeMustGenerate);
2693             return;
2694         }
2695         if (node->child1()->shouldSpeculateFunction()) {
2696             fixEdge<FunctionUse>(node->child1());
2697             node->clearFlags(NodeMustGenerate);
2698             return;
2699         }
2700     }
2701
2702     void fixupToThis(Node* node)
2703     {
2704         bool isStrictMode = m_graph.isStrictModeFor(node->origin.semantic);
2705
2706         if (isStrictMode) {
2707             if (node->child1()->shouldSpeculateBoolean()) {
2708                 fixEdge<BooleanUse>(node->child1());
2709                 node->convertToIdentity();
2710                 return;
2711             }
2712
2713             if (node->child1()->shouldSpeculateInt32()) {
2714                 fixEdge<Int32Use>(node->child1());
2715                 node->convertToIdentity();
2716                 return;
2717             }
2718
2719             if (node->child1()->shouldSpeculateInt52()) {
2720                 fixEdge<Int52RepUse>(node->child1());
2721                 node->convertToIdentity();
2722                 node->setResult(NodeResultInt52);
2723                 return;
2724             }
2725
2726             if (node->child1()->shouldSpeculateNumber()) {
2727                 fixEdge<DoubleRepUse>(node->child1());
2728                 node->convertToIdentity();
2729                 node->setResult(NodeResultDouble);
2730                 return;
2731             }
2732
2733             if (node->child1()->shouldSpeculateSymbol()) {
2734                 fixEdge<SymbolUse>(node->child1());
2735                 node->convertToIdentity();
2736                 return;
2737             }
2738
2739             if (node->child1()->shouldSpeculateStringIdent()) {
2740                 fixEdge<StringIdentUse>(node->child1());
2741                 node->convertToIdentity();
2742                 return;
2743             }
2744
2745             if (node->child1()->shouldSpeculateString()) {
2746                 fixEdge<StringUse>(node->child1());
2747                 node->convertToIdentity();
2748                 return;
2749             }
2750             
2751             if (node->child1()->shouldSpeculateBigInt()) {
2752                 fixEdge<BigIntUse>(node->child1());
2753                 node->convertToIdentity();
2754                 return;
2755             }
2756         }
2757
2758         if (node->child1()->shouldSpeculateOther()) {
2759             if (isStrictMode) {
2760                 fixEdge<OtherUse>(node->child1());
2761                 node->convertToIdentity();
2762                 return;
2763             }
2764
2765             m_insertionSet.insertNode(
2766                 m_indexInBlock, SpecNone, Check, node->origin,
2767                 Edge(node->child1().node(), OtherUse));
2768             observeUseKindOnNode<OtherUse>(node->child1().node());
2769             m_graph.convertToConstant(
2770                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2771             return;
2772         }
2773
2774         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2775         // however, since we cover all the missing cases in constant folding.
2776         // https://bugs.webkit.org/show_bug.cgi?id=157213
2777         if (node->child1()->shouldSpeculateStringObject()) {
2778             fixEdge<StringObjectUse>(node->child1());
2779             node->convertToIdentity();
2780             return;
2781         }
2782
2783         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2784             fixEdge<FinalObjectUse>(node->child1());
2785             node->convertToIdentity();
2786             return;
2787         }
2788     }
2789     
2790     void fixupToPrimitive(Node* node)
2791     {
2792         if (node->child1()->shouldSpeculateInt32()) {
2793             fixEdge<Int32Use>(node->child1());
2794             node->convertToIdentity();
2795             return;
2796         }
2797         
2798         if (node->child1()->shouldSpeculateString()) {
2799             fixEdge<StringUse>(node->child1());
2800             node->convertToIdentity();
2801             return;
2802         }
2803         
2804         if (node->child1()->shouldSpeculateStringObject()
2805             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2806             addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, node->child1().node());
2807             fixEdge<StringObjectUse>(node->child1());
2808             node->convertToToString();
2809             return;
2810         }
2811         
2812         if (node->child1()->shouldSpeculateStringOrStringObject()
2813             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2814             addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, node->child1().node());
2815             fixEdge<StringOrStringObjectUse>(node->child1());
2816             node->convertToToString();
2817             return;
2818         }
2819     }
2820
2821     void fixupToNumber(Node* node)
2822     {
2823         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2824         if (node->child1()->shouldSpeculateNumber()) {
2825             if (isInt32Speculation(node->getHeapPrediction())) {
2826                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2827                 if (node->child1()->shouldSpeculateInt32()) {
2828                     fixEdge<Int32Use>(node->child1());
2829                     node->convertToIdentity();
2830                     return;
2831                 }
2832
2833                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2834                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2835                 fixEdge<DoubleRepUse>(node->child1());
2836                 node->setOp(DoubleAsInt32);
2837                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2838                     node->setArithMode(Arith::CheckOverflow);
2839                 else
2840                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2841                 return;
2842             }
2843
2844             fixEdge<DoubleRepUse>(node->child1());
2845             node->convertToIdentity();
2846             node->setResult(NodeResultDouble);
2847             return;
2848         }
2849
2850         fixEdge<UntypedUse>(node->child1());
2851         node->setResult(NodeResultJS);
2852     }
2853
2854     void fixupToObject(Node* node)
2855     {
2856         if (node->child1()->shouldSpeculateObject()) {
2857             fixEdge<ObjectUse>(node->child1());
2858             node->convertToIdentity();
2859             return;
2860         }
2861
2862         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2863
2864         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2865
2866         if (node->child1()->shouldSpeculateString()) {
2867             insertCheck<StringUse>(node->child1().node());
2868             fixEdge<KnownStringUse>(node->child1());
2869             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2870             return;
2871         }
2872
2873         if (node->child1()->shouldSpeculateSymbol()) {
2874             insertCheck<SymbolUse>(node->child1().node());
2875             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2876             return;
2877         }
2878
2879         if (node->child1()->shouldSpeculateNumber()) {
2880             insertCheck<NumberUse>(node->child1().node());
2881             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2882             return;
2883         }
2884
2885         if (node->child1()->shouldSpeculateBoolean()) {
2886             insertCheck<BooleanUse>(node->child1().node());
2887             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2888             return;
2889         }
2890
2891         fixEdge<UntypedUse>(node->child1());
2892     }
2893
2894     void fixupCallObjectConstructor(Node* node)
2895     {
2896         if (node->child1()->shouldSpeculateObject()) {
2897             fixEdge<ObjectUse>(node->child1());
2898             node->convertToIdentity();
2899             return;
2900         }
2901
2902         if (node->child1()->shouldSpeculateString()) {
2903             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2904             insertCheck<StringUse>(node->child1().node());
2905             fixEdge<KnownStringUse>(node->child1());
2906             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2907             return;
2908         }
2909
2910         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2911         if (node->child1()->shouldSpeculateOther()) {
2912             insertCheck<OtherUse>(node->child1().node());
2913             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2914             return;
2915         }
2916
2917         fixEdge<UntypedUse>(node->child1());
2918     }
2919     
2920     void fixupToStringOrCallStringConstructor(Node* node)
2921     {
2922         if (node->child1()->shouldSpeculateString()) {
2923             fixEdge<StringUse>(node->child1());
2924             node->convertToIdentity();
2925             return;
2926         }
2927         
2928         if (node->child1()->shouldSpeculateStringObject()
2929             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2930             addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, node->child1().node());
2931             fixEdge<StringObjectUse>(node->child1());
2932             return;
2933         }
2934         
2935         if (node->child1()->shouldSpeculateStringOrStringObject()
2936             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2937             addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, node->child1().node());
2938             fixEdge<StringOrStringObjectUse>(node->child1());
2939             return;
2940         }
2941         
2942         if (node->child1()->shouldSpeculateCell()) {
2943             fixEdge<CellUse>(node->child1());
2944             return;
2945         }
2946
2947         if (node->child1()->shouldSpeculateInt32()) {
2948             fixEdge<Int32Use>(node->child1());
2949             node->clearFlags(NodeMustGenerate);
2950             return;
2951         }
2952
2953         if (node->child1()->shouldSpeculateInt52()) {
2954             fixEdge<Int52RepUse>(node->child1());
2955             node->clearFlags(NodeMustGenerate);
2956             return;
2957         }
2958
2959         if (node->child1()->shouldSpeculateNumber()) {
2960             fixEdge<DoubleRepUse>(node->child1());
2961             node->clearFlags(NodeMustGenerate);
2962             return;
2963         }
2964
2965         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2966         // we need to care about it in the clobberize. In the following case,
2967         // since NotCellUse edge filter is used and this edge filters Symbols,
2968         // we can say that ToString never throws an error!
2969         if (node->child1()->shouldSpeculateNotCell()) {
2970             fixEdge<NotCellUse>(node->child1());
2971             node->clearFlags(NodeMustGenerate);
2972             return;
2973         }
2974     }
2975
2976     void fixupStringValueOf(Node* node)
2977     {
2978         if (node->child1()->shouldSpeculateString()) {
2979             fixEdge<StringUse>(node->child1());
2980             node->convertToIdentity();
2981             return;
2982         }
2983
2984         if (node->child1()->shouldSpeculateStringObject()) {
2985             fixEdge<StringObjectUse>(node->child1());
2986             node->convertToToString();
2987             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2988             node->clearFlags(NodeMustGenerate);
2989             return;
2990         }
2991
2992         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2993             fixEdge<StringOrStringObjectUse>(node->child1());
2994             node->convertToToString();
2995             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2996             node->clearFlags(NodeMustGenerate);
2997             return;
2998         }
2999     }
3000
3001     bool attemptToMakeFastStringAdd(Node* node)
3002     {
3003         bool goodToGo = true;
3004         m_graph.doToChildren(
3005             node,
3006             [&] (Edge& edge) {
3007                 if (edge->shouldSpeculateString())
3008                     return;
3009                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
3010                     if (edge->shouldSpeculateStringObject())
3011                         return;
3012                     if (edge->shouldSpeculateStringOrStringObject())
3013                         return;
3014                 }
3015                 goodToGo = false;
3016             });
3017         if (!goodToGo)
3018             return false;
3019
3020         m_graph.doToChildren(
3021             node,
3022             [&] (Edge& edge) {
3023                 if (edge->shouldSpeculateString()) {
3024                     convertStringAddUse<StringUse>(node, edge);
3025                     return;
3026                 }
3027                 if (!Options::useConcurrentJIT())
3028                     ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
3029                 if (edge->shouldSpeculateStringObject()) {
3030                     addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, edge.node());
3031                     convertStringAddUse<StringObjectUse>(node, edge);
3032                     return;
3033                 }
3034                 if (edge->shouldSpeculateStringOrStringObject()) {
3035                     addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, edge.node());
3036                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
3037                     return;
3038                 }
3039                 RELEASE_ASSERT_NOT_REACHED();
3040             });
3041         
3042         convertToMakeRope(node);
3043         return true;
3044     }
3045
3046     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
3047     {
3048         if (!block)
3049             return;
3050         ASSERT(block->isReachable);
3051         m_block = block;
3052         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
3053             Node* node = m_currentNode = block->at(m_indexInBlock);
3054             if (node->op() != SetLocal && node->op() != GetLocal)
3055                 continue;
3056             
3057             VariableAccessData* variable = node->variableAccessData();
3058             switch (node->op()) {
3059             case GetLocal:
3060                 switch (variable->flushFormat()) {
3061                 case FlushedDouble:
3062                     node->setResult(NodeResultDouble);
3063                     break;
3064                 case FlushedInt52:
3065                     node->setResult(NodeResultInt52);
3066                     break;
3067                 default:
3068                     break;
3069                 }
3070                 break;
3071                 
3072             case SetLocal:
3073                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
3074                 // add new type checking use kind for SetLocals, we need to modify that code as well.
3075                 
3076                 switch (variable->flushFormat()) {
3077                 case FlushedJSValue:
3078                     break;
3079                 case FlushedDouble:
3080                     fixEdge<DoubleRepUse>(node->child1());
3081                     break;
3082                 case FlushedInt32:
3083                     fixEdge<Int32Use>(node->child1());
3084                 &nbs