cd73ce298adcd726349a700c6cbbb59755ffe17e
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149
150         case ValueNegate: {
151             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
152                 node->setOp(ArithNegate);
153                 fixIntOrBooleanEdge(node->child1());
154                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
155                     node->setArithMode(Arith::Unchecked);
156                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
157                     node->setArithMode(Arith::CheckOverflow);
158                 else
159                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
160                 node->setResult(NodeResultInt32);
161                 node->clearFlags(NodeMustGenerate);
162                 break;
163             }
164             
165             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
166                 node->setOp(ArithNegate);
167                 fixEdge<Int52RepUse>(node->child1());
168                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
169                     node->setArithMode(Arith::CheckOverflow);
170                 else
171                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
172                 node->setResult(NodeResultInt52);
173                 node->clearFlags(NodeMustGenerate);
174                 break;
175             }
176             if (node->child1()->shouldSpeculateNotCell()) {
177                 node->setOp(ArithNegate);
178                 fixDoubleOrBooleanEdge(node->child1());
179                 node->setResult(NodeResultDouble);
180                 node->clearFlags(NodeMustGenerate);
181             } else {
182                 fixEdge<UntypedUse>(node->child1());
183                 node->setResult(NodeResultJS);
184             }
185             break;
186         }
187
188         case ValueAdd: {
189             if (attemptToMakeIntegerAdd(node)) {
190                 node->setOp(ArithAdd);
191                 break;
192             }
193             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
194                 fixDoubleOrBooleanEdge(node->child1());
195                 fixDoubleOrBooleanEdge(node->child2());
196                 node->setOp(ArithAdd);
197                 node->setResult(NodeResultDouble);
198                 break;
199             }
200             
201             if (attemptToMakeFastStringAdd(node))
202                 break;
203
204             Edge& child1 = node->child1();
205             Edge& child2 = node->child2();
206             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
207                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
208                     auto convertString = [&](Node* node, Edge& edge) {
209                         if (edge->shouldSpeculateInt32())
210                             convertStringAddUse<Int32Use>(node, edge);
211                         else {
212                             ASSERT(edge->shouldSpeculateString());
213                             convertStringAddUse<StringUse>(node, edge);
214                         }
215                     };
216                     convertString(node, child1);
217                     convertString(node, child2);
218                     convertToMakeRope(node);
219                     break;
220                 }
221             }
222
223             fixEdge<UntypedUse>(child1);
224             fixEdge<UntypedUse>(child2);
225             node->setResult(NodeResultJS);
226             break;
227         }
228
229         case StrCat: {
230             if (attemptToMakeFastStringAdd(node))
231                 break;
232
233             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
234             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
235             // the implementation of StrCat doesn't dynamically optimize for empty strings.
236             // https://bugs.webkit.org/show_bug.cgi?id=148540
237             m_graph.doToChildren(
238                 node,
239                 [&] (Edge& edge) {
240                     fixEdge<KnownPrimitiveUse>(edge);
241                     // StrCat automatically coerces the values into strings before concatenating them.
242                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
243                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
244                     // our runtime functions for this slow path expect that they will never be passed
245                     // Symbols.
246                     m_insertionSet.insertNode(
247                         m_indexInBlock, SpecNone, Check, node->origin,
248                         Edge(edge.node(), NotSymbolUse));
249                 });
250             break;
251         }
252             
253         case MakeRope: {
254             fixupMakeRope(node);
255             break;
256         }
257             
258         case ArithAdd:
259         case ArithSub: {
260             if (op == ArithSub
261                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
262                 fixEdge<UntypedUse>(node->child1());
263                 fixEdge<UntypedUse>(node->child2());
264                 node->setResult(NodeResultJS);
265                 break;
266             }
267             if (attemptToMakeIntegerAdd(node))
268                 break;
269             fixDoubleOrBooleanEdge(node->child1());
270             fixDoubleOrBooleanEdge(node->child2());
271             node->setResult(NodeResultDouble);
272             break;
273         }
274             
275         case ArithNegate: {
276             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
277                 fixIntOrBooleanEdge(node->child1());
278                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
279                     node->setArithMode(Arith::Unchecked);
280                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
281                     node->setArithMode(Arith::CheckOverflow);
282                 else
283                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
284                 node->setResult(NodeResultInt32);
285                 node->clearFlags(NodeMustGenerate);
286                 break;
287             }
288             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
289                 fixEdge<Int52RepUse>(node->child1());
290                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
291                     node->setArithMode(Arith::CheckOverflow);
292                 else
293                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
294                 node->setResult(NodeResultInt52);
295                 node->clearFlags(NodeMustGenerate);
296                 break;
297             }
298
299             fixDoubleOrBooleanEdge(node->child1());
300             node->setResult(NodeResultDouble);
301             node->clearFlags(NodeMustGenerate);
302             break;
303         }
304             
305         case ArithMul: {
306             Edge& leftChild = node->child1();
307             Edge& rightChild = node->child2();
308             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
309                 fixEdge<UntypedUse>(leftChild);
310                 fixEdge<UntypedUse>(rightChild);
311                 node->setResult(NodeResultJS);
312                 break;
313             }
314             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
315                 fixIntOrBooleanEdge(leftChild);
316                 fixIntOrBooleanEdge(rightChild);
317                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
318                     node->setArithMode(Arith::Unchecked);
319                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
320                     || leftChild.node() == rightChild.node())
321                     node->setArithMode(Arith::CheckOverflow);
322                 else
323                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
324                 break;
325             }
326             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
327                 fixEdge<Int52RepUse>(leftChild);
328                 fixEdge<Int52RepUse>(rightChild);
329                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
330                     || leftChild.node() == rightChild.node())
331                     node->setArithMode(Arith::CheckOverflow);
332                 else
333                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
334                 node->setResult(NodeResultInt52);
335                 break;
336             }
337             fixDoubleOrBooleanEdge(leftChild);
338             fixDoubleOrBooleanEdge(rightChild);
339             node->setResult(NodeResultDouble);
340             break;
341         }
342
343         case ArithDiv:
344         case ArithMod: {
345             Edge& leftChild = node->child1();
346             Edge& rightChild = node->child2();
347             if (op == ArithDiv
348                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
349                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
350                 fixEdge<UntypedUse>(leftChild);
351                 fixEdge<UntypedUse>(rightChild);
352                 node->setResult(NodeResultJS);
353                 break;
354             }
355             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
356                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
357                     fixIntOrBooleanEdge(leftChild);
358                     fixIntOrBooleanEdge(rightChild);
359                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
360                         node->setArithMode(Arith::Unchecked);
361                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
362                         node->setArithMode(Arith::CheckOverflow);
363                     else
364                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
365                     break;
366                 }
367                 
368                 // This will cause conversion nodes to be inserted later.
369                 fixDoubleOrBooleanEdge(leftChild);
370                 fixDoubleOrBooleanEdge(rightChild);
371                 
372                 // We don't need to do ref'ing on the children because we're stealing them from
373                 // the original division.
374                 Node* newDivision = m_insertionSet.insertNode(
375                     m_indexInBlock, SpecBytecodeDouble, *node);
376                 newDivision->setResult(NodeResultDouble);
377                 
378                 node->setOp(DoubleAsInt32);
379                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
380                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
381                     node->setArithMode(Arith::CheckOverflow);
382                 else
383                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
384                 break;
385             }
386             fixDoubleOrBooleanEdge(leftChild);
387             fixDoubleOrBooleanEdge(rightChild);
388             node->setResult(NodeResultDouble);
389             break;
390         }
391             
392         case ArithMin:
393         case ArithMax: {
394             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
395                 fixIntOrBooleanEdge(node->child1());
396                 fixIntOrBooleanEdge(node->child2());
397                 break;
398             }
399             fixDoubleOrBooleanEdge(node->child1());
400             fixDoubleOrBooleanEdge(node->child2());
401             node->setResult(NodeResultDouble);
402             break;
403         }
404             
405         case ArithAbs: {
406             if (node->child1()->shouldSpeculateInt32OrBoolean()
407                 && node->canSpeculateInt32(FixupPass)) {
408                 fixIntOrBooleanEdge(node->child1());
409                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
410                     node->setArithMode(Arith::Unchecked);
411                 else
412                     node->setArithMode(Arith::CheckOverflow);
413                 node->clearFlags(NodeMustGenerate);
414                 node->setResult(NodeResultInt32);
415                 break;
416             }
417
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420                 node->clearFlags(NodeMustGenerate);
421             } else
422                 fixEdge<UntypedUse>(node->child1());
423             node->setResult(NodeResultDouble);
424             break;
425         }
426
427         case ArithPow: {
428             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
429                 fixDoubleOrBooleanEdge(node->child1());
430                 fixIntOrBooleanEdge(node->child2());
431                 break;
432             }
433
434             fixDoubleOrBooleanEdge(node->child1());
435             fixDoubleOrBooleanEdge(node->child2());
436             break;
437         }
438
439         case ArithRandom: {
440             node->setResult(NodeResultDouble);
441             break;
442         }
443
444         case ArithRound:
445         case ArithFloor:
446         case ArithCeil:
447         case ArithTrunc: {
448             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
449                 fixIntOrBooleanEdge(node->child1());
450                 insertCheck<Int32Use>(node->child1().node());
451                 node->convertToIdentity();
452                 break;
453             }
454             if (node->child1()->shouldSpeculateNotCell()) {
455                 fixDoubleOrBooleanEdge(node->child1());
456
457                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
458                     node->setResult(NodeResultInt32);
459                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
460                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
461                     else
462                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
463                 } else {
464                     node->setResult(NodeResultDouble);
465                     node->setArithRoundingMode(Arith::RoundingMode::Double);
466                 }
467                 node->clearFlags(NodeMustGenerate);
468             } else
469                 fixEdge<UntypedUse>(node->child1());
470             break;
471         }
472
473         case ArithFRound:
474         case ArithSqrt:
475         case ArithUnary: {
476             Edge& child1 = node->child1();
477             if (child1->shouldSpeculateNotCell()) {
478                 fixDoubleOrBooleanEdge(child1);
479                 node->clearFlags(NodeMustGenerate);
480             } else
481                 fixEdge<UntypedUse>(child1);
482             break;
483         }
484             
485         case LogicalNot: {
486             if (node->child1()->shouldSpeculateBoolean()) {
487                 if (node->child1()->result() == NodeResultBoolean) {
488                     // This is necessary in case we have a bytecode instruction implemented by:
489                     //
490                     // a: CompareEq(...)
491                     // b: LogicalNot(@a)
492                     //
493                     // In that case, CompareEq might have a side-effect. Then, we need to make
494                     // sure that we know that Branch does not exit.
495                     fixEdge<KnownBooleanUse>(node->child1());
496                 } else
497                     fixEdge<BooleanUse>(node->child1());
498             } else if (node->child1()->shouldSpeculateObjectOrOther())
499                 fixEdge<ObjectOrOtherUse>(node->child1());
500             else if (node->child1()->shouldSpeculateInt32OrBoolean())
501                 fixIntOrBooleanEdge(node->child1());
502             else if (node->child1()->shouldSpeculateNumber())
503                 fixEdge<DoubleRepUse>(node->child1());
504             else if (node->child1()->shouldSpeculateString())
505                 fixEdge<StringUse>(node->child1());
506             else if (node->child1()->shouldSpeculateStringOrOther())
507                 fixEdge<StringOrOtherUse>(node->child1());
508             else {
509                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
510                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
511                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
512             }
513             break;
514         }
515
516         case CompareEq:
517         case CompareLess:
518         case CompareLessEq:
519         case CompareGreater:
520         case CompareGreaterEq: {
521             if (node->op() == CompareEq
522                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
523                 fixEdge<BooleanUse>(node->child1());
524                 fixEdge<BooleanUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
529                 fixIntOrBooleanEdge(node->child1());
530                 fixIntOrBooleanEdge(node->child2());
531                 node->clearFlags(NodeMustGenerate);
532                 break;
533             }
534             if (enableInt52()
535                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
536                 fixEdge<Int52RepUse>(node->child1());
537                 fixEdge<Int52RepUse>(node->child2());
538                 node->clearFlags(NodeMustGenerate);
539                 break;
540             }
541             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
542                 fixDoubleOrBooleanEdge(node->child1());
543                 fixDoubleOrBooleanEdge(node->child2());
544             }
545             if (node->op() != CompareEq
546                 && node->child1()->shouldSpeculateNotCell()
547                 && node->child2()->shouldSpeculateNotCell()) {
548                 if (node->child1()->shouldSpeculateNumberOrBoolean())
549                     fixDoubleOrBooleanEdge(node->child1());
550                 else
551                     fixEdge<DoubleRepUse>(node->child1());
552                 if (node->child2()->shouldSpeculateNumberOrBoolean())
553                     fixDoubleOrBooleanEdge(node->child2());
554                 else
555                     fixEdge<DoubleRepUse>(node->child2());
556                 node->clearFlags(NodeMustGenerate);
557                 break;
558             }
559             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
560                 fixEdge<StringIdentUse>(node->child1());
561                 fixEdge<StringIdentUse>(node->child2());
562                 node->clearFlags(NodeMustGenerate);
563                 break;
564             }
565             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
566                 fixEdge<StringUse>(node->child1());
567                 fixEdge<StringUse>(node->child2());
568                 node->clearFlags(NodeMustGenerate);
569                 break;
570             }
571
572             if (node->op() != CompareEq)
573                 break;
574             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
575                 fixEdge<SymbolUse>(node->child1());
576                 fixEdge<SymbolUse>(node->child2());
577                 node->clearFlags(NodeMustGenerate);
578                 break;
579             }
580             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
581                 fixEdge<ObjectUse>(node->child1());
582                 fixEdge<ObjectUse>(node->child2());
583                 node->clearFlags(NodeMustGenerate);
584                 break;
585             }
586
587             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
588             bool oneArgumentIsUsedAsSpecOther = false;
589             if (node->child1()->isUndefinedOrNullConstant()) {
590                 fixEdge<OtherUse>(node->child1());
591                 oneArgumentIsUsedAsSpecOther = true;
592             } else if (node->child1()->shouldSpeculateOther()) {
593                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
594                     Edge(node->child1().node(), OtherUse));
595                 fixEdge<OtherUse>(node->child1());
596                 oneArgumentIsUsedAsSpecOther = true;
597             }
598             if (node->child2()->isUndefinedOrNullConstant()) {
599                 fixEdge<OtherUse>(node->child2());
600                 oneArgumentIsUsedAsSpecOther = true;
601             } else if (node->child2()->shouldSpeculateOther()) {
602                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
603                     Edge(node->child2().node(), OtherUse));
604                 fixEdge<OtherUse>(node->child2());
605                 oneArgumentIsUsedAsSpecOther = true;
606             }
607             if (oneArgumentIsUsedAsSpecOther) {
608                 node->clearFlags(NodeMustGenerate);
609                 break;
610             }
611
612             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
613                 fixEdge<ObjectUse>(node->child1());
614                 fixEdge<ObjectOrOtherUse>(node->child2());
615                 node->clearFlags(NodeMustGenerate);
616                 break;
617             }
618             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
619                 fixEdge<ObjectOrOtherUse>(node->child1());
620                 fixEdge<ObjectUse>(node->child2());
621                 node->clearFlags(NodeMustGenerate);
622                 break;
623             }
624
625             break;
626         }
627             
628         case CompareStrictEq:
629         case SameValue: {
630             fixupCompareStrictEqAndSameValue(node);
631             break;
632         }
633
634         case StringFromCharCode:
635             if (node->child1()->shouldSpeculateInt32()) {
636                 fixEdge<Int32Use>(node->child1());
637                 node->clearFlags(NodeMustGenerate);
638             } else
639                 fixEdge<UntypedUse>(node->child1());
640             break;
641
642         case StringCharAt:
643         case StringCharCodeAt: {
644             // Currently we have no good way of refining these.
645             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
646             blessArrayOperation(node->child1(), node->child2(), node->child3());
647             fixEdge<KnownCellUse>(node->child1());
648             fixEdge<Int32Use>(node->child2());
649             break;
650         }
651
652         case GetByVal: {
653             if (!node->prediction()) {
654                 m_insertionSet.insertNode(
655                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
656             }
657             
658             node->setArrayMode(
659                 node->arrayMode().refine(
660                     m_graph, node,
661                     m_graph.varArgChild(node, 0)->prediction(),
662                     m_graph.varArgChild(node, 1)->prediction(),
663                     SpecNone));
664             
665             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
666             
667             ArrayMode arrayMode = node->arrayMode();
668             switch (arrayMode.type()) {
669             case Array::Contiguous:
670             case Array::Double:
671                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
672                     // Check if SaneChain will work on a per-type basis. Note that:
673                     //
674                     // 1) We don't want double arrays to sometimes return undefined, since
675                     // that would require a change to the return type and it would pessimise
676                     // things a lot. So, we'd only want to do that if we actually had
677                     // evidence that we could read from a hole. That's pretty annoying.
678                     // Likely the best way to handle that case is with an equivalent of
679                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
680                     // NaN are indistinguishable according to backwards propagation, and just
681                     // use SaneChain in that case. This happens to catch a lot of cases.
682                     //
683                     // 2) We don't want int32 array loads to have to do a hole check just to
684                     // coerce to Undefined, since that would mean twice the checks.
685                     //
686                     // This has two implications. First, we have to do more checks than we'd
687                     // like. It's unfortunate that we have to do the hole check. Second,
688                     // some accesses that hit a hole will now need to take the full-blown
689                     // out-of-bounds slow path. We can fix that with:
690                     // https://bugs.webkit.org/show_bug.cgi?id=144668
691                     
692                     bool canDoSaneChain = false;
693                     switch (arrayMode.type()) {
694                     case Array::Contiguous:
695                         // This is happens to be entirely natural. We already would have
696                         // returned any JSValue, and now we'll return Undefined. We still do
697                         // the check but it doesn't require taking any kind of slow path.
698                         canDoSaneChain = true;
699                         break;
700                         
701                     case Array::Double:
702                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
703                             // Holes look like NaN already, so if the user doesn't care
704                             // about the difference between Undefined and NaN then we can
705                             // do this.
706                             canDoSaneChain = true;
707                         }
708                         break;
709                         
710                     default:
711                         break;
712                     }
713                     
714                     if (canDoSaneChain) {
715                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
716                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
717                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
718                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
719                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
720                             && globalObject->arrayPrototypeChainIsSane()) {
721                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
722                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
723                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
724                         }
725                     }
726                 }
727                 break;
728                 
729             case Array::String:
730                 if ((node->prediction() & ~SpecString)
731                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
732                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
733                 break;
734                 
735             default:
736                 break;
737             }
738             
739             arrayMode = node->arrayMode();
740             switch (arrayMode.type()) {
741             case Array::SelectUsingPredictions:
742             case Array::Unprofiled:
743                 RELEASE_ASSERT_NOT_REACHED();
744                 break;
745             case Array::Generic:
746                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
747                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
748                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
749                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
750                         break;
751                     }
752
753                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
754                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
755                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
756                         break;
757                     }
758                 }
759 #if USE(JSVALUE32_64)
760                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
761 #endif
762                 break;
763             case Array::ForceExit:
764                 break;
765             default:
766                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
767                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
768                 break;
769             }
770             
771             switch (arrayMode.type()) {
772             case Array::Double:
773                 if (!arrayMode.isOutOfBounds())
774                     node->setResult(NodeResultDouble);
775                 break;
776                 
777             case Array::Float32Array:
778             case Array::Float64Array:
779                 node->setResult(NodeResultDouble);
780                 break;
781                 
782             case Array::Uint32Array:
783                 if (node->shouldSpeculateInt32())
784                     break;
785                 if (node->shouldSpeculateAnyInt() && enableInt52())
786                     node->setResult(NodeResultInt52);
787                 else
788                     node->setResult(NodeResultDouble);
789                 break;
790                 
791             default:
792                 break;
793             }
794             
795             break;
796         }
797
798         case PutByValDirect:
799         case PutByVal:
800         case PutByValAlias: {
801             Edge& child1 = m_graph.varArgChild(node, 0);
802             Edge& child2 = m_graph.varArgChild(node, 1);
803             Edge& child3 = m_graph.varArgChild(node, 2);
804
805             node->setArrayMode(
806                 node->arrayMode().refine(
807                     m_graph, node,
808                     child1->prediction(),
809                     child2->prediction(),
810                     child3->prediction()));
811             
812             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
813             
814             switch (node->arrayMode().modeForPut().type()) {
815             case Array::SelectUsingPredictions:
816             case Array::SelectUsingArguments:
817             case Array::Unprofiled:
818             case Array::Undecided:
819                 RELEASE_ASSERT_NOT_REACHED();
820                 break;
821             case Array::ForceExit:
822             case Array::Generic:
823                 if (child1->shouldSpeculateCell()) {
824                     if (child2->shouldSpeculateString()) {
825                         fixEdge<CellUse>(child1);
826                         fixEdge<StringUse>(child2);
827                         break;
828                     }
829
830                     if (child2->shouldSpeculateSymbol()) {
831                         fixEdge<CellUse>(child1);
832                         fixEdge<SymbolUse>(child2);
833                         break;
834                     }
835                 }
836 #if USE(JSVALUE32_64)
837                 // Due to register pressure on 32-bit, we speculate cell and
838                 // ignore the base-is-not-cell case entirely by letting the
839                 // baseline JIT handle it.
840                 fixEdge<CellUse>(child1);
841 #endif
842                 break;
843             case Array::Int32:
844                 fixEdge<KnownCellUse>(child1);
845                 fixEdge<Int32Use>(child2);
846                 fixEdge<Int32Use>(child3);
847                 break;
848             case Array::Double:
849                 fixEdge<KnownCellUse>(child1);
850                 fixEdge<Int32Use>(child2);
851                 fixEdge<DoubleRepRealUse>(child3);
852                 break;
853             case Array::Int8Array:
854             case Array::Int16Array:
855             case Array::Int32Array:
856             case Array::Uint8Array:
857             case Array::Uint8ClampedArray:
858             case Array::Uint16Array:
859             case Array::Uint32Array:
860                 fixEdge<KnownCellUse>(child1);
861                 fixEdge<Int32Use>(child2);
862                 if (child3->shouldSpeculateInt32())
863                     fixIntOrBooleanEdge(child3);
864                 else if (child3->shouldSpeculateAnyInt())
865                     fixEdge<Int52RepUse>(child3);
866                 else
867                     fixDoubleOrBooleanEdge(child3);
868                 break;
869             case Array::Float32Array:
870             case Array::Float64Array:
871                 fixEdge<KnownCellUse>(child1);
872                 fixEdge<Int32Use>(child2);
873                 fixDoubleOrBooleanEdge(child3);
874                 break;
875             case Array::Contiguous:
876             case Array::ArrayStorage:
877             case Array::SlowPutArrayStorage:
878                 fixEdge<KnownCellUse>(child1);
879                 fixEdge<Int32Use>(child2);
880                 speculateForBarrier(child3);
881                 break;
882             default:
883                 fixEdge<KnownCellUse>(child1);
884                 fixEdge<Int32Use>(child2);
885                 break;
886             }
887             break;
888         }
889             
890         case AtomicsAdd:
891         case AtomicsAnd:
892         case AtomicsCompareExchange:
893         case AtomicsExchange:
894         case AtomicsLoad:
895         case AtomicsOr:
896         case AtomicsStore:
897         case AtomicsSub:
898         case AtomicsXor: {
899             Edge& base = m_graph.child(node, 0);
900             Edge& index = m_graph.child(node, 1);
901             
902             bool badNews = false;
903             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
904                 Edge& child = m_graph.child(node, 2 + i);
905                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
906                 // just call the function when that happens. But the FTL is totally cool with those
907                 // conversions.
908                 if (!child->shouldSpeculateInt32()
909                     && !child->shouldSpeculateAnyInt()
910                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
911                     badNews = true;
912             }
913             
914             if (badNews) {
915                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
916                 break;
917             }
918             
919             node->setArrayMode(
920                 node->arrayMode().refine(
921                     m_graph, node, base->prediction(), index->prediction()));
922             
923             if (node->arrayMode().type() == Array::Generic)
924                 break;
925             
926             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
927                 Edge& child = m_graph.child(node, 2 + i);
928                 if (child->shouldSpeculateInt32())
929                     fixIntOrBooleanEdge(child);
930                 else if (child->shouldSpeculateAnyInt())
931                     fixEdge<Int52RepUse>(child);
932                 else {
933                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
934                     fixDoubleOrBooleanEdge(child);
935                 }
936             }
937             
938             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
939             fixEdge<CellUse>(base);
940             fixEdge<Int32Use>(index);
941             
942             if (node->arrayMode().type() == Array::Uint32Array) {
943                 // NOTE: This means basically always doing Int52.
944                 if (node->shouldSpeculateAnyInt() && enableInt52())
945                     node->setResult(NodeResultInt52);
946                 else
947                     node->setResult(NodeResultDouble);
948             }
949             break;
950         }
951             
952         case AtomicsIsLockFree:
953             if (node->child1()->shouldSpeculateInt32())
954                 fixIntOrBooleanEdge(node->child1());
955             break;
956             
957         case ArrayPush: {
958             // May need to refine the array mode in case the value prediction contravenes
959             // the array prediction. For example, we may have evidence showing that the
960             // array is in Int32 mode, but the value we're storing is likely to be a double.
961             // Then we should turn this into a conversion to Double array followed by the
962             // push. On the other hand, we absolutely don't want to refine based on the
963             // base prediction. If it has non-cell garbage in it, then we want that to be
964             // ignored. That's because ArrayPush can't handle any array modes that aren't
965             // array-related - so if refine() turned this into a "Generic" ArrayPush then
966             // that would break things.
967             Edge& storageEdge = m_graph.varArgChild(node, 0);
968             Edge& arrayEdge = m_graph.varArgChild(node, 1);
969             unsigned elementOffset = 2;
970             unsigned elementCount = node->numChildren() - elementOffset;
971             for (unsigned i = 0; i < elementCount; ++i) {
972                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
973                 node->setArrayMode(
974                     node->arrayMode().refine(
975                         m_graph, node,
976                         arrayEdge->prediction() & SpecCell,
977                         SpecInt32Only,
978                         element->prediction()));
979             }
980             blessArrayOperation(arrayEdge, Edge(), storageEdge);
981             fixEdge<KnownCellUse>(arrayEdge);
982
983             // Convert `array.push()` to GetArrayLength.
984             if (!elementCount && node->arrayMode().supportsSelfLength()) {
985                 node->setOpAndDefaultFlags(GetArrayLength);
986                 node->child1() = arrayEdge;
987                 node->child2() = storageEdge;
988                 fixEdge<KnownCellUse>(node->child1());
989                 break;
990             }
991
992             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
993             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
994             for (unsigned i = 0; i < elementCount; ++i) {
995                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
996                 switch (node->arrayMode().type()) {
997                 case Array::Int32:
998                     insertCheck<Int32Use>(element.node());
999                     fixEdge<KnownInt32Use>(element);
1000                     break;
1001                 case Array::Double:
1002                     insertCheck<DoubleRepRealUse>(element.node());
1003                     fixEdge<DoubleRepUse>(element);
1004                     break;
1005                 case Array::Contiguous:
1006                 case Array::ArrayStorage:
1007                     speculateForBarrier(element);
1008                     break;
1009                 default:
1010                     break;
1011                 }
1012                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1013             }
1014             break;
1015         }
1016             
1017         case ArrayPop: {
1018             blessArrayOperation(node->child1(), Edge(), node->child2());
1019             fixEdge<KnownCellUse>(node->child1());
1020             break;
1021         }
1022
1023         case ArraySlice: {
1024             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1025             if (node->numChildren() >= 3) {
1026                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1027                 if (node->numChildren() == 4)
1028                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1029             }
1030             break;
1031         }
1032
1033         case ArrayIndexOf:
1034             fixupArrayIndexOf(node);
1035             break;
1036             
1037         case RegExpExec:
1038         case RegExpTest: {
1039             fixEdge<KnownCellUse>(node->child1());
1040             
1041             if (node->child2()->shouldSpeculateRegExpObject()) {
1042                 fixEdge<RegExpObjectUse>(node->child2());
1043
1044                 if (node->child3()->shouldSpeculateString())
1045                     fixEdge<StringUse>(node->child3());
1046             }
1047             break;
1048         }
1049
1050         case RegExpMatchFast: {
1051             fixEdge<KnownCellUse>(node->child1());
1052             fixEdge<RegExpObjectUse>(node->child2());
1053             fixEdge<StringUse>(node->child3());
1054             break;
1055         }
1056
1057         case StringReplace:
1058         case StringReplaceRegExp: {
1059             if (node->child2()->shouldSpeculateString()) {
1060                 m_insertionSet.insertNode(
1061                     m_indexInBlock, SpecNone, Check, node->origin,
1062                     Edge(node->child2().node(), StringUse));
1063                 fixEdge<StringUse>(node->child2());
1064             } else if (op == StringReplace) {
1065                 if (node->child2()->shouldSpeculateRegExpObject())
1066                     addStringReplacePrimordialChecks(node->child2().node());
1067                 else 
1068                     m_insertionSet.insertNode(
1069                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1070             }
1071
1072             if (node->child1()->shouldSpeculateString()
1073                 && node->child2()->shouldSpeculateRegExpObject()
1074                 && node->child3()->shouldSpeculateString()) {
1075
1076                 fixEdge<StringUse>(node->child1());
1077                 fixEdge<RegExpObjectUse>(node->child2());
1078                 fixEdge<StringUse>(node->child3());
1079                 break;
1080             }
1081             break;
1082         }
1083             
1084         case Branch: {
1085             if (node->child1()->shouldSpeculateBoolean()) {
1086                 if (node->child1()->result() == NodeResultBoolean) {
1087                     // This is necessary in case we have a bytecode instruction implemented by:
1088                     //
1089                     // a: CompareEq(...)
1090                     // b: Branch(@a)
1091                     //
1092                     // In that case, CompareEq might have a side-effect. Then, we need to make
1093                     // sure that we know that Branch does not exit.
1094                     fixEdge<KnownBooleanUse>(node->child1());
1095                 } else
1096                     fixEdge<BooleanUse>(node->child1());
1097             } else if (node->child1()->shouldSpeculateObjectOrOther())
1098                 fixEdge<ObjectOrOtherUse>(node->child1());
1099             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1100                 fixIntOrBooleanEdge(node->child1());
1101             else if (node->child1()->shouldSpeculateNumber())
1102                 fixEdge<DoubleRepUse>(node->child1());
1103             else if (node->child1()->shouldSpeculateString())
1104                 fixEdge<StringUse>(node->child1());
1105             else if (node->child1()->shouldSpeculateStringOrOther())
1106                 fixEdge<StringOrOtherUse>(node->child1());
1107             else {
1108                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1109                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1110                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1111             }
1112             break;
1113         }
1114             
1115         case Switch: {
1116             SwitchData* data = node->switchData();
1117             switch (data->kind) {
1118             case SwitchImm:
1119                 if (node->child1()->shouldSpeculateInt32())
1120                     fixEdge<Int32Use>(node->child1());
1121                 break;
1122             case SwitchChar:
1123                 if (node->child1()->shouldSpeculateString())
1124                     fixEdge<StringUse>(node->child1());
1125                 break;
1126             case SwitchString:
1127                 if (node->child1()->shouldSpeculateStringIdent())
1128                     fixEdge<StringIdentUse>(node->child1());
1129                 else if (node->child1()->shouldSpeculateString())
1130                     fixEdge<StringUse>(node->child1());
1131                 break;
1132             case SwitchCell:
1133                 if (node->child1()->shouldSpeculateCell())
1134                     fixEdge<CellUse>(node->child1());
1135                 // else it's fine for this to have UntypedUse; we will handle this by just making
1136                 // non-cells take the default case.
1137                 break;
1138             }
1139             break;
1140         }
1141             
1142         case ToPrimitive: {
1143             fixupToPrimitive(node);
1144             break;
1145         }
1146
1147         case ToNumber: {
1148             fixupToNumber(node);
1149             break;
1150         }
1151             
1152         case ToString:
1153         case CallStringConstructor: {
1154             fixupToStringOrCallStringConstructor(node);
1155             break;
1156         }
1157             
1158         case NewStringObject: {
1159             fixEdge<KnownStringUse>(node->child1());
1160             break;
1161         }
1162
1163         case NewArrayWithSpread: {
1164             watchHavingABadTime(node);
1165             
1166             BitVector* bitVector = node->bitVector();
1167             for (unsigned i = node->numChildren(); i--;) {
1168                 if (bitVector->get(i))
1169                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1170                 else
1171                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1172             }
1173
1174             break;
1175         }
1176
1177         case Spread: {
1178             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1179             
1180             watchHavingABadTime(node->child1().node());
1181
1182             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1183             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1184             // that it doesn't contain any indexed properties, and that any holes will result in
1185             // jsUndefined().
1186             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1187             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1188             if (node->child1()->shouldSpeculateArray()
1189                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1190                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1191                 && globalObject->arrayPrototypeChainIsSane()
1192                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1193                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1194                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1195                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1196                 fixEdge<ArrayUse>(node->child1());
1197             } else
1198                 fixEdge<CellUse>(node->child1());
1199             break;
1200         }
1201             
1202         case NewArray: {
1203             watchHavingABadTime(node);
1204             
1205             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1206                 node->setIndexingType(
1207                     leastUpperBoundOfIndexingTypeAndType(
1208                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1209             }
1210             switch (node->indexingType()) {
1211             case ALL_BLANK_INDEXING_TYPES:
1212                 CRASH();
1213                 break;
1214             case ALL_UNDECIDED_INDEXING_TYPES:
1215                 if (node->numChildren()) {
1216                     // This will only happen if the children have no type predictions. We
1217                     // would have already exited by now, but insert a forced exit just to
1218                     // be safe.
1219                     m_insertionSet.insertNode(
1220                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1221                 }
1222                 break;
1223             case ALL_INT32_INDEXING_TYPES:
1224                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1225                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1226                 break;
1227             case ALL_DOUBLE_INDEXING_TYPES:
1228                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1229                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1230                 break;
1231             case ALL_CONTIGUOUS_INDEXING_TYPES:
1232             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1233                 break;
1234             default:
1235                 CRASH();
1236                 break;
1237             }
1238             break;
1239         }
1240             
1241         case NewTypedArray: {
1242             watchHavingABadTime(node);
1243             
1244             if (node->child1()->shouldSpeculateInt32()) {
1245                 fixEdge<Int32Use>(node->child1());
1246                 node->clearFlags(NodeMustGenerate);
1247                 break;
1248             }
1249             break;
1250         }
1251             
1252         case NewArrayWithSize: {
1253             watchHavingABadTime(node);
1254             fixEdge<Int32Use>(node->child1());
1255             break;
1256         }
1257
1258         case NewArrayBuffer: {
1259             watchHavingABadTime(node);
1260             break;
1261         }
1262
1263         case ToObject: {
1264             fixupToObject(node);
1265             break;
1266         }
1267
1268         case CallObjectConstructor: {
1269             fixupCallObjectConstructor(node);
1270             break;
1271         }
1272
1273         case ToThis: {
1274             fixupToThis(node);
1275             break;
1276         }
1277             
1278         case PutStructure: {
1279             fixEdge<KnownCellUse>(node->child1());
1280             break;
1281         }
1282             
1283         case GetClosureVar:
1284         case GetFromArguments: {
1285             fixEdge<KnownCellUse>(node->child1());
1286             break;
1287         }
1288
1289         case PutClosureVar:
1290         case PutToArguments: {
1291             fixEdge<KnownCellUse>(node->child1());
1292             speculateForBarrier(node->child2());
1293             break;
1294         }
1295
1296         case SkipScope:
1297         case GetScope:
1298         case GetGetter:
1299         case GetSetter:
1300         case GetGlobalObject: {
1301             fixEdge<KnownCellUse>(node->child1());
1302             break;
1303         }
1304             
1305         case AllocatePropertyStorage:
1306         case ReallocatePropertyStorage: {
1307             fixEdge<KnownCellUse>(node->child1());
1308             break;
1309         }
1310             
1311         case NukeStructureAndSetButterfly: {
1312             fixEdge<KnownCellUse>(node->child1());
1313             break;
1314         }
1315
1316         case TryGetById: {
1317             if (node->child1()->shouldSpeculateCell())
1318                 fixEdge<CellUse>(node->child1());
1319             break;
1320         }
1321
1322         case GetByIdDirect:
1323         case GetByIdDirectFlush: {
1324             if (node->child1()->shouldSpeculateCell())
1325                 fixEdge<CellUse>(node->child1());
1326             break;
1327         }
1328
1329         case GetById:
1330         case GetByIdFlush: {
1331             // FIXME: This should be done in the ByteCodeParser based on reading the
1332             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1333             // https://bugs.webkit.org/show_bug.cgi?id=154990
1334             auto uid = m_graph.identifiers()[node->identifierNumber()];
1335             if (node->child1()->shouldSpeculateCellOrOther()
1336                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1337                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1338                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1339                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1340                 
1341                 if (uid == vm().propertyNames->length.impl()) {
1342                     attemptToMakeGetArrayLength(node);
1343                     break;
1344                 }
1345
1346                 if (uid == vm().propertyNames->lastIndex.impl()
1347                     && node->child1()->shouldSpeculateRegExpObject()) {
1348                     node->setOp(GetRegExpObjectLastIndex);
1349                     node->clearFlags(NodeMustGenerate);
1350                     fixEdge<RegExpObjectUse>(node->child1());
1351                     break;
1352                 }
1353             }
1354
1355             if (node->child1()->shouldSpeculateNumber()) {
1356                 if (uid == vm().propertyNames->toString.impl()) {
1357                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1358                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1359                         if (node->child1()->shouldSpeculateInt32()) {
1360                             insertCheck<Int32Use>(node->child1().node());
1361                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1362                             break;
1363                         }
1364
1365                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1366                             insertCheck<Int52RepUse>(node->child1().node());
1367                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1368                             break;
1369                         }
1370
1371                         ASSERT(node->child1()->shouldSpeculateNumber());
1372                         insertCheck<DoubleRepUse>(node->child1().node());
1373                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1374                         break;
1375                     }
1376                 }
1377             }
1378
1379             if (node->child1()->shouldSpeculateCell())
1380                 fixEdge<CellUse>(node->child1());
1381             break;
1382         }
1383         
1384         case GetByIdWithThis: {
1385             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1386                 fixEdge<CellUse>(node->child1());
1387                 fixEdge<CellUse>(node->child2());
1388             }
1389             break;
1390         }
1391
1392         case PutById:
1393         case PutByIdFlush:
1394         case PutByIdDirect: {
1395             if (node->child1()->shouldSpeculateCellOrOther()
1396                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1397                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1398                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1399                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1400                 
1401                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1402                 
1403                 if (uid == vm().propertyNames->lastIndex.impl()
1404                     && node->child1()->shouldSpeculateRegExpObject()) {
1405                     node->convertToSetRegExpObjectLastIndex();
1406                     fixEdge<RegExpObjectUse>(node->child1());
1407                     speculateForBarrier(node->child2());
1408                     break;
1409                 }
1410             }
1411             
1412             fixEdge<CellUse>(node->child1());
1413             break;
1414         }
1415
1416         case PutGetterById:
1417         case PutSetterById: {
1418             fixEdge<KnownCellUse>(node->child1());
1419             fixEdge<KnownCellUse>(node->child2());
1420             break;
1421         }
1422
1423         case PutGetterSetterById: {
1424             fixEdge<KnownCellUse>(node->child1());
1425             break;
1426         }
1427
1428         case PutGetterByVal:
1429         case PutSetterByVal: {
1430             fixEdge<KnownCellUse>(node->child1());
1431             fixEdge<KnownCellUse>(node->child3());
1432             break;
1433         }
1434
1435         case GetExecutable: {
1436             fixEdge<FunctionUse>(node->child1());
1437             break;
1438         }
1439
1440         case OverridesHasInstance:
1441         case CheckStructure:
1442         case CheckCell:
1443         case CreateThis:
1444         case GetButterfly: {
1445             fixEdge<CellUse>(node->child1());
1446             break;
1447         }
1448
1449         case CheckStringIdent: {
1450             fixEdge<StringIdentUse>(node->child1());
1451             break;
1452         }
1453             
1454         case Arrayify:
1455         case ArrayifyToStructure: {
1456             fixEdge<CellUse>(node->child1());
1457             if (node->child2())
1458                 fixEdge<Int32Use>(node->child2());
1459             break;
1460         }
1461             
1462         case GetByOffset:
1463         case GetGetterSetterByOffset: {
1464             if (!node->child1()->hasStorageResult())
1465                 fixEdge<KnownCellUse>(node->child1());
1466             fixEdge<KnownCellUse>(node->child2());
1467             break;
1468         }
1469             
1470         case MultiGetByOffset: {
1471             fixEdge<CellUse>(node->child1());
1472             break;
1473         }
1474             
1475         case PutByOffset: {
1476             if (!node->child1()->hasStorageResult())
1477                 fixEdge<KnownCellUse>(node->child1());
1478             fixEdge<KnownCellUse>(node->child2());
1479             unsigned index = indexForChecks();
1480             insertInferredTypeCheck(
1481                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1482                 node->storageAccessData().inferredType);
1483             speculateForBarrier(node->child3());
1484             break;
1485         }
1486             
1487         case MultiPutByOffset: {
1488             fixEdge<CellUse>(node->child1());
1489             break;
1490         }
1491             
1492         case MatchStructure: {
1493             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1494             // https://bugs.webkit.org/show_bug.cgi?id=185784
1495             fixEdge<CellUse>(node->child1());
1496             break;
1497         }
1498             
1499         case InstanceOf: {
1500             if (node->child1()->shouldSpeculateCell()
1501                 && node->child2()->shouldSpeculateCell()
1502                 && is64Bit()) {
1503                 fixEdge<CellUse>(node->child1());
1504                 fixEdge<CellUse>(node->child2());
1505                 break;
1506             }
1507             break;
1508         }
1509
1510         case InstanceOfCustom:
1511             fixEdge<CellUse>(node->child2());
1512             break;
1513
1514         case InById: {
1515             fixEdge<CellUse>(node->child1());
1516             break;
1517         }
1518
1519         case InByVal: {
1520             if (node->child2()->shouldSpeculateInt32()) {
1521                 convertToHasIndexedProperty(node);
1522                 break;
1523             }
1524
1525             fixEdge<CellUse>(node->child1());
1526             break;
1527         }
1528
1529         case HasOwnProperty: {
1530             fixEdge<ObjectUse>(node->child1());
1531 #if CPU(X86)
1532             // We don't have enough registers to do anything interesting on x86 and mips.
1533             fixEdge<UntypedUse>(node->child2());
1534 #else
1535             if (node->child2()->shouldSpeculateString())
1536                 fixEdge<StringUse>(node->child2());
1537             else if (node->child2()->shouldSpeculateSymbol())
1538                 fixEdge<SymbolUse>(node->child2());
1539             else
1540                 fixEdge<UntypedUse>(node->child2());
1541 #endif
1542             break;
1543         }
1544
1545         case CheckVarargs:
1546         case Check: {
1547             m_graph.doToChildren(
1548                 node,
1549                 [&] (Edge& edge) {
1550                     switch (edge.useKind()) {
1551                     case NumberUse:
1552                         if (edge->shouldSpeculateInt32ForArithmetic())
1553                             edge.setUseKind(Int32Use);
1554                         break;
1555                     default:
1556                         break;
1557                     }
1558                     observeUseKindOnEdge(edge);
1559                 });
1560             break;
1561         }
1562
1563         case Phantom:
1564             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1565             node->remove(m_graph);
1566             break;
1567
1568         case FiatInt52: {
1569             RELEASE_ASSERT(enableInt52());
1570             node->convertToIdentity();
1571             fixEdge<Int52RepUse>(node->child1());
1572             node->setResult(NodeResultInt52);
1573             break;
1574         }
1575
1576         case GetArrayLength: {
1577             fixEdge<KnownCellUse>(node->child1());
1578             break;
1579         }
1580
1581         case GetTypedArrayByteOffset: {
1582             fixEdge<KnownCellUse>(node->child1());
1583             break;
1584         }
1585
1586         case CompareBelow:
1587         case CompareBelowEq: {
1588             fixEdge<Int32Use>(node->child1());
1589             fixEdge<Int32Use>(node->child2());
1590             break;
1591         }
1592
1593         case GetPrototypeOf: {
1594             fixupGetPrototypeOf(node);
1595             break;
1596         }
1597
1598         case Phi:
1599         case Upsilon:
1600         case EntrySwitch:
1601         case GetIndexedPropertyStorage:
1602         case LastNodeType:
1603         case CheckTierUpInLoop:
1604         case CheckTierUpAtReturn:
1605         case CheckTierUpAndOSREnter:
1606         case InvalidationPoint:
1607         case CheckArray:
1608         case CheckInBounds:
1609         case ConstantStoragePointer:
1610         case DoubleAsInt32:
1611         case ValueToInt32:
1612         case DoubleRep:
1613         case ValueRep:
1614         case Int52Rep:
1615         case Int52Constant:
1616         case Identity: // This should have been cleaned up.
1617         case BooleanToNumber:
1618         case PhantomNewObject:
1619         case PhantomNewFunction:
1620         case PhantomNewGeneratorFunction:
1621         case PhantomNewAsyncGeneratorFunction:
1622         case PhantomNewAsyncFunction:
1623         case PhantomCreateActivation:
1624         case PhantomDirectArguments:
1625         case PhantomCreateRest:
1626         case PhantomSpread:
1627         case PhantomNewArrayWithSpread:
1628         case PhantomNewArrayBuffer:
1629         case PhantomClonedArguments:
1630         case PhantomNewRegexp:
1631         case GetMyArgumentByVal:
1632         case GetMyArgumentByValOutOfBounds:
1633         case GetVectorLength:
1634         case PutHint:
1635         case CheckStructureImmediate:
1636         case CheckStructureOrEmpty:
1637         case MaterializeNewObject:
1638         case MaterializeCreateActivation:
1639         case PutStack:
1640         case KillStack:
1641         case GetStack:
1642         case StoreBarrier:
1643         case FencedStoreBarrier:
1644         case GetRegExpObjectLastIndex:
1645         case SetRegExpObjectLastIndex:
1646         case RecordRegExpCachedResult:
1647         case RegExpExecNonGlobalOrSticky:
1648         case RegExpMatchFastGlobal:
1649             // These are just nodes that we don't currently expect to see during fixup.
1650             // If we ever wanted to insert them prior to fixup, then we just have to create
1651             // fixup rules for them.
1652             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1653             break;
1654
1655         case PutGlobalVariable: {
1656             fixEdge<CellUse>(node->child1());
1657             speculateForBarrier(node->child2());
1658             break;
1659         }
1660
1661         case IsObject:
1662             if (node->child1()->shouldSpeculateObject()) {
1663                 m_insertionSet.insertNode(
1664                     m_indexInBlock, SpecNone, Check, node->origin,
1665                     Edge(node->child1().node(), ObjectUse));
1666                 m_graph.convertToConstant(node, jsBoolean(true));
1667                 observeUseKindOnNode<ObjectUse>(node);
1668             }
1669             break;
1670
1671         case IsCellWithType: {
1672             fixupIsCellWithType(node);
1673             break;
1674         }
1675
1676         case GetEnumerableLength: {
1677             fixEdge<CellUse>(node->child1());
1678             break;
1679         }
1680         case HasGenericProperty: {
1681             fixEdge<CellUse>(node->child2());
1682             break;
1683         }
1684         case HasStructureProperty: {
1685             fixEdge<StringUse>(node->child2());
1686             fixEdge<KnownCellUse>(node->child3());
1687             break;
1688         }
1689         case HasIndexedProperty: {
1690             node->setArrayMode(
1691                 node->arrayMode().refine(
1692                     m_graph, node,
1693                     node->child1()->prediction(),
1694                     node->child2()->prediction(),
1695                     SpecNone));
1696             
1697             blessArrayOperation(node->child1(), node->child2(), node->child3());
1698             fixEdge<CellUse>(node->child1());
1699             fixEdge<KnownInt32Use>(node->child2());
1700             break;
1701         }
1702         case GetDirectPname: {
1703             Edge& base = m_graph.varArgChild(node, 0);
1704             Edge& property = m_graph.varArgChild(node, 1);
1705             Edge& index = m_graph.varArgChild(node, 2);
1706             Edge& enumerator = m_graph.varArgChild(node, 3);
1707             fixEdge<CellUse>(base);
1708             fixEdge<KnownCellUse>(property);
1709             fixEdge<KnownInt32Use>(index);
1710             fixEdge<KnownCellUse>(enumerator);
1711             break;
1712         }
1713         case GetPropertyEnumerator: {
1714             if (node->child1()->shouldSpeculateCell())
1715                 fixEdge<CellUse>(node->child1());
1716             break;
1717         }
1718         case GetEnumeratorStructurePname: {
1719             fixEdge<KnownCellUse>(node->child1());
1720             fixEdge<KnownInt32Use>(node->child2());
1721             break;
1722         }
1723         case GetEnumeratorGenericPname: {
1724             fixEdge<KnownCellUse>(node->child1());
1725             fixEdge<KnownInt32Use>(node->child2());
1726             break;
1727         }
1728         case ToIndexString: {
1729             fixEdge<KnownInt32Use>(node->child1());
1730             break;
1731         }
1732         case ProfileType: {
1733             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1734             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1735             // type T for the instructionTypeSet, the global type set must also have information for type T.
1736             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1737             // in the globalTypeSet would've also succeeded.
1738             // (The other direction does not hold in general).
1739
1740             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1741             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1742             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1743                 if (node->child1()->shouldSpeculateInt32()) {
1744                     fixEdge<Int32Use>(node->child1());
1745                     node->remove(m_graph);
1746                     break;
1747                 }
1748
1749                 if (enableInt52()) {
1750                     fixEdge<AnyIntUse>(node->child1());
1751                     node->remove(m_graph);
1752                     break;
1753                 }
1754
1755                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1756             }
1757
1758             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1759                 fixEdge<NumberUse>(node->child1());
1760                 node->remove(m_graph);
1761             } else if (typeSet->doesTypeConformTo(TypeString)) {
1762                 fixEdge<StringUse>(node->child1());
1763                 node->remove(m_graph);
1764             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1765                 fixEdge<BooleanUse>(node->child1());
1766                 node->remove(m_graph);
1767             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1768                 fixEdge<OtherUse>(node->child1());
1769                 node->remove(m_graph);
1770             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1771                 StructureSet set;
1772                 {
1773                     ConcurrentJSLocker locker(typeSet->m_lock);
1774                     set = typeSet->structureSet(locker);
1775                 }
1776                 if (!set.isEmpty()) {
1777                     fixEdge<CellUse>(node->child1());
1778                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1779                 }
1780             }
1781
1782             break;
1783         }
1784
1785         case CreateClonedArguments: {
1786             watchHavingABadTime(node);
1787             break;
1788         }
1789
1790         case CreateScopedArguments:
1791         case CreateActivation:
1792         case NewFunction:
1793         case NewGeneratorFunction:
1794         case NewAsyncGeneratorFunction:
1795         case NewAsyncFunction: {
1796             // Child 1 is always the current scope, which is guaranteed to be an object
1797             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1798             fixEdge<KnownCellUse>(node->child1());
1799             break;
1800         }
1801
1802         case PushWithScope: {
1803             // Child 1 is always the current scope, which is guaranteed to be an object
1804             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1805             fixEdge<KnownCellUse>(node->child1());
1806             if (node->child2()->shouldSpeculateObject())
1807                 fixEdge<ObjectUse>(node->child2());
1808             break;
1809         }
1810
1811         case SetFunctionName: {
1812             // The first child is guaranteed to be a cell because op_set_function_name is only used
1813             // on a newly instantiated function object (the first child).
1814             fixEdge<KnownCellUse>(node->child1());
1815             fixEdge<UntypedUse>(node->child2());
1816             break;
1817         }
1818
1819         case CreateRest: {
1820             watchHavingABadTime(node);
1821             fixEdge<KnownInt32Use>(node->child1());
1822             break;
1823         }
1824
1825         case ResolveScopeForHoistingFuncDeclInEval: {
1826             fixEdge<KnownCellUse>(node->child1());
1827             break;
1828         }
1829         case ResolveScope:
1830         case GetDynamicVar:
1831         case PutDynamicVar: {
1832             fixEdge<KnownCellUse>(node->child1());
1833             break;
1834         }
1835
1836         case LogShadowChickenPrologue: {
1837             fixEdge<KnownCellUse>(node->child1());
1838             break;
1839         }
1840         case LogShadowChickenTail: {
1841             fixEdge<UntypedUse>(node->child1());
1842             fixEdge<KnownCellUse>(node->child2());
1843             break;
1844         }
1845
1846         case GetMapBucket:
1847             if (node->child1().useKind() == MapObjectUse)
1848                 fixEdge<MapObjectUse>(node->child1());
1849             else if (node->child1().useKind() == SetObjectUse)
1850                 fixEdge<SetObjectUse>(node->child1());
1851             else
1852                 RELEASE_ASSERT_NOT_REACHED();
1853
1854 #if USE(JSVALUE64)
1855             if (node->child2()->shouldSpeculateBoolean())
1856                 fixEdge<BooleanUse>(node->child2());
1857             else if (node->child2()->shouldSpeculateInt32())
1858                 fixEdge<Int32Use>(node->child2());
1859             else if (node->child2()->shouldSpeculateSymbol())
1860                 fixEdge<SymbolUse>(node->child2());
1861             else if (node->child2()->shouldSpeculateObject())
1862                 fixEdge<ObjectUse>(node->child2());
1863             else if (node->child2()->shouldSpeculateString())
1864                 fixEdge<StringUse>(node->child2());
1865             else if (node->child2()->shouldSpeculateCell())
1866                 fixEdge<CellUse>(node->child2());
1867             else
1868                 fixEdge<UntypedUse>(node->child2());
1869 #else
1870             fixEdge<UntypedUse>(node->child2());
1871 #endif // USE(JSVALUE64)
1872
1873             fixEdge<Int32Use>(node->child3());
1874             break;
1875
1876         case GetMapBucketHead:
1877             if (node->child1().useKind() == MapObjectUse)
1878                 fixEdge<MapObjectUse>(node->child1());
1879             else if (node->child1().useKind() == SetObjectUse)
1880                 fixEdge<SetObjectUse>(node->child1());
1881             else
1882                 RELEASE_ASSERT_NOT_REACHED();
1883             break;
1884
1885         case GetMapBucketNext:
1886         case LoadKeyFromMapBucket:
1887         case LoadValueFromMapBucket:
1888             fixEdge<CellUse>(node->child1());
1889             break;
1890
1891         case MapHash: {
1892 #if USE(JSVALUE64)
1893             if (node->child1()->shouldSpeculateBoolean()) {
1894                 fixEdge<BooleanUse>(node->child1());
1895                 break;
1896             }
1897
1898             if (node->child1()->shouldSpeculateInt32()) {
1899                 fixEdge<Int32Use>(node->child1());
1900                 break;
1901             }
1902
1903             if (node->child1()->shouldSpeculateSymbol()) {
1904                 fixEdge<SymbolUse>(node->child1());
1905                 break;
1906             }
1907
1908             if (node->child1()->shouldSpeculateObject()) {
1909                 fixEdge<ObjectUse>(node->child1());
1910                 break;
1911             }
1912
1913             if (node->child1()->shouldSpeculateString()) {
1914                 fixEdge<StringUse>(node->child1());
1915                 break;
1916             }
1917
1918             if (node->child1()->shouldSpeculateCell()) {
1919                 fixEdge<CellUse>(node->child1());
1920                 break;
1921             }
1922
1923             fixEdge<UntypedUse>(node->child1());
1924 #else
1925             fixEdge<UntypedUse>(node->child1());
1926 #endif // USE(JSVALUE64)
1927             break;
1928         }
1929
1930         case NormalizeMapKey: {
1931             fixupNormalizeMapKey(node);
1932             break;
1933         }
1934
1935         case WeakMapGet: {
1936             if (node->child1().useKind() == WeakMapObjectUse)
1937                 fixEdge<WeakMapObjectUse>(node->child1());
1938             else if (node->child1().useKind() == WeakSetObjectUse)
1939                 fixEdge<WeakSetObjectUse>(node->child1());
1940             else
1941                 RELEASE_ASSERT_NOT_REACHED();
1942             fixEdge<ObjectUse>(node->child2());
1943             fixEdge<Int32Use>(node->child3());
1944             break;
1945         }
1946
1947         case SetAdd: {
1948             fixEdge<SetObjectUse>(node->child1());
1949             fixEdge<Int32Use>(node->child3());
1950             break;
1951         }
1952
1953         case MapSet: {
1954             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1955             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1956             break;
1957         }
1958
1959         case WeakSetAdd: {
1960             fixEdge<WeakSetObjectUse>(node->child1());
1961             fixEdge<ObjectUse>(node->child2());
1962             fixEdge<Int32Use>(node->child3());
1963             break;
1964         }
1965
1966         case WeakMapSet: {
1967             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1968             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
1969             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1970             break;
1971         }
1972
1973         case DefineDataProperty: {
1974             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1975             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1976             if (propertyEdge->shouldSpeculateSymbol())
1977                 fixEdge<SymbolUse>(propertyEdge);
1978             else if (propertyEdge->shouldSpeculateStringIdent())
1979                 fixEdge<StringIdentUse>(propertyEdge);
1980             else if (propertyEdge->shouldSpeculateString())
1981                 fixEdge<StringUse>(propertyEdge);
1982             else
1983                 fixEdge<UntypedUse>(propertyEdge);
1984             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1985             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1986             break;
1987         }
1988
1989         case StringSlice: {
1990             fixEdge<StringUse>(node->child1());
1991             fixEdge<Int32Use>(node->child2());
1992             if (node->child3())
1993                 fixEdge<Int32Use>(node->child3());
1994             break;
1995         }
1996
1997         case ToLowerCase: {
1998             // We currently only support StringUse since that will ensure that
1999             // ToLowerCase is a pure operation. If we decide to update this with
2000             // more types in the future, we need to ensure that the clobberize rules
2001             // are correct.
2002             fixEdge<StringUse>(node->child1());
2003             break;
2004         }
2005
2006         case NumberToStringWithRadix: {
2007             if (node->child1()->shouldSpeculateInt32())
2008                 fixEdge<Int32Use>(node->child1());
2009             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2010                 fixEdge<Int52RepUse>(node->child1());
2011             else
2012                 fixEdge<DoubleRepUse>(node->child1());
2013             fixEdge<Int32Use>(node->child2());
2014             break;
2015         }
2016
2017         case DefineAccessorProperty: {
2018             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2019             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2020             if (propertyEdge->shouldSpeculateSymbol())
2021                 fixEdge<SymbolUse>(propertyEdge);
2022             else if (propertyEdge->shouldSpeculateStringIdent())
2023                 fixEdge<StringIdentUse>(propertyEdge);
2024             else if (propertyEdge->shouldSpeculateString())
2025                 fixEdge<StringUse>(propertyEdge);
2026             else
2027                 fixEdge<UntypedUse>(propertyEdge);
2028             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2029             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2030             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2031             break;
2032         }
2033
2034         case CheckSubClass: {
2035             fixupCheckSubClass(node);
2036             break;
2037         }
2038
2039         case CallDOMGetter: {
2040             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2041             fixEdge<CellUse>(node->child1()); // DOM.
2042             if (snippet && snippet->requireGlobalObject)
2043                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2044             break;
2045         }
2046
2047         case CallDOM: {
2048             fixupCallDOM(node);
2049             break;
2050         }
2051
2052         case Call: {
2053             attemptToMakeCallDOM(node);
2054             break;
2055         }
2056
2057         case ParseInt: {
2058             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2059                 fixEdge<Int32Use>(node->child1());
2060                 node->convertToIdentity();
2061                 break;
2062             }
2063
2064             if (node->child1()->shouldSpeculateString()) {
2065                 fixEdge<StringUse>(node->child1());
2066                 node->clearFlags(NodeMustGenerate);
2067             }
2068
2069             if (node->child2())
2070                 fixEdge<Int32Use>(node->child2());
2071
2072             break;
2073         }
2074
2075         case IdentityWithProfile: {
2076             node->clearFlags(NodeMustGenerate);
2077             break;
2078         }
2079
2080         case ThrowStaticError:
2081             fixEdge<StringUse>(node->child1());
2082             break;
2083
2084         case NumberIsInteger:
2085             if (node->child1()->shouldSpeculateInt32()) {
2086                 m_insertionSet.insertNode(
2087                     m_indexInBlock, SpecNone, Check, node->origin,
2088                     Edge(node->child1().node(), Int32Use));
2089                 m_graph.convertToConstant(node, jsBoolean(true));
2090                 break;
2091             }
2092             break;
2093
2094         case SetCallee:
2095             fixEdge<CellUse>(node->child1());
2096             break;
2097
2098 #if !ASSERT_DISABLED
2099         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2100         case SetArgument:
2101         case JSConstant:
2102         case LazyJSConstant:
2103         case DoubleConstant:
2104         case GetLocal:
2105         case GetCallee:
2106         case GetArgumentCountIncludingThis:
2107         case SetArgumentCountIncludingThis:
2108         case GetRestLength:
2109         case GetArgument:
2110         case Flush:
2111         case PhantomLocal:
2112         case GetGlobalVar:
2113         case GetGlobalLexicalVariable:
2114         case NotifyWrite:
2115         case DirectCall:
2116         case CheckTypeInfoFlags:
2117         case TailCallInlinedCaller:
2118         case DirectTailCallInlinedCaller:
2119         case Construct:
2120         case DirectConstruct:
2121         case CallVarargs:
2122         case CallEval:
2123         case TailCallVarargsInlinedCaller:
2124         case ConstructVarargs:
2125         case CallForwardVarargs:
2126         case ConstructForwardVarargs:
2127         case TailCallForwardVarargs:
2128         case TailCallForwardVarargsInlinedCaller:
2129         case LoadVarargs:
2130         case ForwardVarargs:
2131         case ProfileControlFlow:
2132         case NewObject:
2133         case NewRegexp:
2134         case DeleteById:
2135         case DeleteByVal:
2136         case IsTypedArrayView:
2137         case IsEmpty:
2138         case IsUndefined:
2139         case IsBoolean:
2140         case IsNumber:
2141         case IsObjectOrNull:
2142         case IsFunction:
2143         case CreateDirectArguments:
2144         case Jump:
2145         case Return:
2146         case TailCall:
2147         case DirectTailCall:
2148         case TailCallVarargs:
2149         case Throw:
2150         case CountExecution:
2151         case SuperSamplerBegin:
2152         case SuperSamplerEnd:
2153         case ForceOSRExit:
2154         case CheckBadCell:
2155         case CheckNotEmpty:
2156         case AssertNotEmpty:
2157         case CheckTraps:
2158         case Unreachable:
2159         case ExtractOSREntryLocal:
2160         case ExtractCatchLocal:
2161         case LoopHint:
2162         case MovHint:
2163         case InitializeEntrypointArguments:
2164         case ZombieHint:
2165         case ExitOK:
2166         case BottomValue:
2167         case TypeOf:
2168         case PutByIdWithThis:
2169         case PutByValWithThis:
2170         case GetByValWithThis:
2171         case CompareEqPtr:
2172         case NumberToStringWithValidRadixConstant:
2173         case GetGlobalThis:
2174         case ExtractValueFromWeakMapGet:
2175         case CPUIntrinsic:
2176             break;
2177 #else
2178         default:
2179             break;
2180 #endif
2181         }
2182     }
2183
2184     void watchHavingABadTime(Node* node)
2185     {
2186         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2187
2188         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2189         // does an array allocation. The types of array allocations may change if we start to have a bad
2190         // time. It's easier to reason about this if we know that whenever the types change after we start
2191         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2192         // prior to this point nobody should have been doing optimizations based on the indexing type of
2193         // the allocation.
2194         if (!globalObject->isHavingABadTime()) {
2195             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2196             m_graph.freeze(globalObject);
2197         }
2198     }
2199     
2200     template<UseKind useKind>
2201     void createToString(Node* node, Edge& edge)
2202     {
2203         Node* toString = m_insertionSet.insertNode(
2204             m_indexInBlock, SpecString, ToString, node->origin,
2205             Edge(edge.node(), useKind));
2206         switch (useKind) {
2207         case Int32Use:
2208         case Int52RepUse:
2209         case DoubleRepUse:
2210         case NotCellUse:
2211             toString->clearFlags(NodeMustGenerate);
2212             break;
2213         default:
2214             break;
2215         }
2216         edge.setNode(toString);
2217     }
2218     
2219     template<UseKind useKind>
2220     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2221     {
2222         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2223         
2224         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2225             return;
2226         
2227         createToString<useKind>(node, node->child1());
2228         arrayMode = ArrayMode(Array::String, Array::Read);
2229     }
2230     
2231     template<UseKind useKind>
2232     bool isStringObjectUse()
2233     {
2234         switch (useKind) {
2235         case StringObjectUse:
2236         case StringOrStringObjectUse:
2237             return true;
2238         default:
2239             return false;
2240         }
2241     }
2242     
2243     template<UseKind useKind>
2244     void convertStringAddUse(Node* node, Edge& edge)
2245     {
2246         if (useKind == StringUse) {
2247             observeUseKindOnNode<StringUse>(edge.node());
2248             m_insertionSet.insertNode(
2249                 m_indexInBlock, SpecNone, Check, node->origin,
2250                 Edge(edge.node(), StringUse));
2251             edge.setUseKind(KnownStringUse);
2252             return;
2253         }
2254         
2255         observeUseKindOnNode<useKind>(edge.node());
2256         createToString<useKind>(node, edge);
2257     }
2258     
2259     void convertToMakeRope(Node* node)
2260     {
2261         node->setOpAndDefaultFlags(MakeRope);
2262         fixupMakeRope(node);
2263     }
2264     
2265     void fixupMakeRope(Node* node)
2266     {
2267         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2268             Edge& edge = node->children.child(i);
2269             if (!edge)
2270                 break;
2271             edge.setUseKind(KnownStringUse);
2272             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2273             if (!string)
2274                 continue;
2275             if (string->length())
2276                 continue;
2277             
2278             // Don't allow the MakeRope to have zero children.
2279             if (!i && !node->child2())
2280                 break;
2281             
2282             node->children.removeEdge(i--);
2283         }
2284         
2285         if (!node->child2()) {
2286             ASSERT(!node->child3());
2287             node->convertToIdentity();
2288         }
2289     }
2290
2291     void fixupIsCellWithType(Node* node)
2292     {
2293         switch (node->speculatedTypeForQuery()) {
2294         case SpecString:
2295             if (node->child1()->shouldSpeculateString()) {
2296                 m_insertionSet.insertNode(
2297                     m_indexInBlock, SpecNone, Check, node->origin,
2298                     Edge(node->child1().node(), StringUse));
2299                 m_graph.convertToConstant(node, jsBoolean(true));
2300                 observeUseKindOnNode<StringUse>(node);
2301                 return;
2302             }
2303             break;
2304
2305         case SpecProxyObject:
2306             if (node->child1()->shouldSpeculateProxyObject()) {
2307                 m_insertionSet.insertNode(
2308                     m_indexInBlock, SpecNone, Check, node->origin,
2309                     Edge(node->child1().node(), ProxyObjectUse));
2310                 m_graph.convertToConstant(node, jsBoolean(true));
2311                 observeUseKindOnNode<ProxyObjectUse>(node);
2312                 return;
2313             }
2314             break;
2315
2316         case SpecRegExpObject:
2317             if (node->child1()->shouldSpeculateRegExpObject()) {
2318                 m_insertionSet.insertNode(
2319                     m_indexInBlock, SpecNone, Check, node->origin,
2320                     Edge(node->child1().node(), RegExpObjectUse));
2321                 m_graph.convertToConstant(node, jsBoolean(true));
2322                 observeUseKindOnNode<RegExpObjectUse>(node);
2323                 return;
2324             }
2325             break;
2326
2327         case SpecArray:
2328             if (node->child1()->shouldSpeculateArray()) {
2329                 m_insertionSet.insertNode(
2330                     m_indexInBlock, SpecNone, Check, node->origin,
2331                     Edge(node->child1().node(), ArrayUse));
2332                 m_graph.convertToConstant(node, jsBoolean(true));
2333                 observeUseKindOnNode<ArrayUse>(node);
2334                 return;
2335             }
2336             break;
2337
2338         case SpecDerivedArray:
2339             if (node->child1()->shouldSpeculateDerivedArray()) {
2340                 m_insertionSet.insertNode(
2341                     m_indexInBlock, SpecNone, Check, node->origin,
2342                     Edge(node->child1().node(), DerivedArrayUse));
2343                 m_graph.convertToConstant(node, jsBoolean(true));
2344                 observeUseKindOnNode<DerivedArrayUse>(node);
2345                 return;
2346             }
2347             break;
2348         }
2349
2350         if (node->child1()->shouldSpeculateCell()) {
2351             fixEdge<CellUse>(node->child1());
2352             return;
2353         }
2354
2355         if (node->child1()->shouldSpeculateNotCell()) {
2356             m_insertionSet.insertNode(
2357                 m_indexInBlock, SpecNone, Check, node->origin,
2358                 Edge(node->child1().node(), NotCellUse));
2359             m_graph.convertToConstant(node, jsBoolean(false));
2360             observeUseKindOnNode<NotCellUse>(node);
2361             return;
2362         }
2363     }
2364
2365     void fixupGetPrototypeOf(Node* node)
2366     {
2367         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2368         if (node->child1().useKind() != ObjectUse) {
2369             if (node->child1()->shouldSpeculateString()) {
2370                 insertCheck<StringUse>(node->child1().node());
2371                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2372                 return;
2373             }
2374             if (node->child1()->shouldSpeculateInt32()) {
2375                 insertCheck<Int32Use>(node->child1().node());
2376                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2377                 return;
2378             }
2379             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2380                 insertCheck<Int52RepUse>(node->child1().node());
2381                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2382                 return;
2383             }
2384             if (node->child1()->shouldSpeculateNumber()) {
2385                 insertCheck<NumberUse>(node->child1().node());
2386                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2387                 return;
2388             }
2389             if (node->child1()->shouldSpeculateSymbol()) {
2390                 insertCheck<SymbolUse>(node->child1().node());
2391                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2392                 return;
2393             }
2394             if (node->child1()->shouldSpeculateBoolean()) {
2395                 insertCheck<BooleanUse>(node->child1().node());
2396                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2397                 return;
2398             }
2399         }
2400
2401         if (node->child1()->shouldSpeculateFinalObject()) {
2402             fixEdge<FinalObjectUse>(node->child1());
2403             node->clearFlags(NodeMustGenerate);
2404             return;
2405         }
2406         if (node->child1()->shouldSpeculateArray()) {
2407             fixEdge<ArrayUse>(node->child1());
2408             node->clearFlags(NodeMustGenerate);
2409             return;
2410         }
2411         if (node->child1()->shouldSpeculateFunction()) {
2412             fixEdge<FunctionUse>(node->child1());
2413             node->clearFlags(NodeMustGenerate);
2414             return;
2415         }
2416     }
2417
2418     void fixupToThis(Node* node)
2419     {
2420         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2421
2422         if (ecmaMode == StrictMode) {
2423             if (node->child1()->shouldSpeculateBoolean()) {
2424                 fixEdge<BooleanUse>(node->child1());
2425                 node->convertToIdentity();
2426                 return;
2427             }
2428
2429             if (node->child1()->shouldSpeculateInt32()) {
2430                 fixEdge<Int32Use>(node->child1());
2431                 node->convertToIdentity();
2432                 return;
2433             }
2434
2435             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2436                 fixEdge<Int52RepUse>(node->child1());
2437                 node->convertToIdentity();
2438                 node->setResult(NodeResultInt52);
2439                 return;
2440             }
2441
2442             if (node->child1()->shouldSpeculateNumber()) {
2443                 fixEdge<DoubleRepUse>(node->child1());
2444                 node->convertToIdentity();
2445                 node->setResult(NodeResultDouble);
2446                 return;
2447             }
2448
2449             if (node->child1()->shouldSpeculateSymbol()) {
2450                 fixEdge<SymbolUse>(node->child1());
2451                 node->convertToIdentity();
2452                 return;
2453             }
2454
2455             if (node->child1()->shouldSpeculateStringIdent()) {
2456                 fixEdge<StringIdentUse>(node->child1());
2457                 node->convertToIdentity();
2458                 return;
2459             }
2460
2461             if (node->child1()->shouldSpeculateString()) {
2462                 fixEdge<StringUse>(node->child1());
2463                 node->convertToIdentity();
2464                 return;
2465             }
2466             
2467             if (node->child1()->shouldSpeculateBigInt()) {
2468                 fixEdge<BigIntUse>(node->child1());
2469                 node->convertToIdentity();
2470                 return;
2471             }
2472         }
2473
2474         if (node->child1()->shouldSpeculateOther()) {
2475             if (ecmaMode == StrictMode) {
2476                 fixEdge<OtherUse>(node->child1());
2477                 node->convertToIdentity();
2478                 return;
2479             }
2480
2481             m_insertionSet.insertNode(
2482                 m_indexInBlock, SpecNone, Check, node->origin,
2483                 Edge(node->child1().node(), OtherUse));
2484             observeUseKindOnNode<OtherUse>(node->child1().node());
2485             m_graph.convertToConstant(
2486                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2487             return;
2488         }
2489
2490         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2491         // however, since we cover all the missing cases in constant folding.
2492         // https://bugs.webkit.org/show_bug.cgi?id=157213
2493         if (node->child1()->shouldSpeculateStringObject()) {
2494             fixEdge<StringObjectUse>(node->child1());
2495             node->convertToIdentity();
2496             return;
2497         }
2498
2499         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2500             fixEdge<FinalObjectUse>(node->child1());
2501             node->convertToIdentity();
2502             return;
2503         }
2504     }
2505     
2506     void fixupToPrimitive(Node* node)
2507     {
2508         if (node->child1()->shouldSpeculateInt32()) {
2509             fixEdge<Int32Use>(node->child1());
2510             node->convertToIdentity();
2511             return;
2512         }
2513         
2514         if (node->child1()->shouldSpeculateString()) {
2515             fixEdge<StringUse>(node->child1());
2516             node->convertToIdentity();
2517             return;
2518         }
2519         
2520         if (node->child1()->shouldSpeculateStringObject()
2521             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2522             fixEdge<StringObjectUse>(node->child1());
2523             node->convertToToString();
2524             return;
2525         }
2526         
2527         if (node->child1()->shouldSpeculateStringOrStringObject()
2528             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2529             fixEdge<StringOrStringObjectUse>(node->child1());
2530             node->convertToToString();
2531             return;
2532         }
2533     }
2534
2535     void fixupToNumber(Node* node)
2536     {
2537         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2538         if (node->child1()->shouldSpeculateNumber()) {
2539             if (isInt32Speculation(node->getHeapPrediction())) {
2540                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2541                 if (node->child1()->shouldSpeculateInt32()) {
2542                     fixEdge<Int32Use>(node->child1());
2543                     node->convertToIdentity();
2544                     return;
2545                 }
2546
2547                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2548                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2549                 fixEdge<DoubleRepUse>(node->child1());
2550                 node->setOp(DoubleAsInt32);
2551                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2552                     node->setArithMode(Arith::CheckOverflow);
2553                 else
2554                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2555                 return;
2556             }
2557
2558             fixEdge<DoubleRepUse>(node->child1());
2559             node->convertToIdentity();
2560             node->setResult(NodeResultDouble);
2561             return;
2562         }
2563
2564         fixEdge<UntypedUse>(node->child1());
2565         node->setResult(NodeResultJS);
2566     }
2567
2568     void fixupToObject(Node* node)
2569     {
2570         if (node->child1()->shouldSpeculateObject()) {
2571             fixEdge<ObjectUse>(node->child1());
2572             node->convertToIdentity();
2573             return;
2574         }
2575
2576         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2577
2578         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2579
2580         if (node->child1()->shouldSpeculateString()) {
2581             insertCheck<StringUse>(node->child1().node());
2582             fixEdge<KnownStringUse>(node->child1());
2583             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2584             return;
2585         }
2586
2587         if (node->child1()->shouldSpeculateSymbol()) {
2588             insertCheck<SymbolUse>(node->child1().node());
2589             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2590             return;
2591         }
2592
2593         if (node->child1()->shouldSpeculateNumber()) {
2594             insertCheck<NumberUse>(node->child1().node());
2595             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2596             return;
2597         }
2598
2599         if (node->child1()->shouldSpeculateBoolean()) {
2600             insertCheck<BooleanUse>(node->child1().node());
2601             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2602             return;
2603         }
2604
2605         fixEdge<UntypedUse>(node->child1());
2606     }
2607
2608     void fixupCallObjectConstructor(Node* node)
2609     {
2610         if (node->child1()->shouldSpeculateObject()) {
2611             fixEdge<ObjectUse>(node->child1());
2612             node->convertToIdentity();
2613             return;
2614         }
2615
2616         if (node->child1()->shouldSpeculateString()) {
2617             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2618             insertCheck<StringUse>(node->child1().node());
2619             fixEdge<KnownStringUse>(node->child1());
2620             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2621             return;
2622         }
2623
2624         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2625         if (node->child1()->shouldSpeculateOther()) {
2626             insertCheck<OtherUse>(node->child1().node());
2627             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2628             return;
2629         }
2630
2631         fixEdge<UntypedUse>(node->child1());
2632     }
2633     
2634     void fixupToStringOrCallStringConstructor(Node* node)
2635     {
2636         if (node->child1()->shouldSpeculateString()) {
2637             fixEdge<StringUse>(node->child1());
2638             node->convertToIdentity();
2639             return;
2640         }
2641         
2642         if (node->child1()->shouldSpeculateStringObject()
2643             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2644             fixEdge<StringObjectUse>(node->child1());
2645             return;
2646         }
2647         
2648         if (node->child1()->shouldSpeculateStringOrStringObject()
2649             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2650             fixEdge<StringOrStringObjectUse>(node->child1());
2651             return;
2652         }
2653         
2654         if (node->child1()->shouldSpeculateCell()) {
2655             fixEdge<CellUse>(node->child1());
2656             return;
2657         }
2658
2659         if (node->child1()->shouldSpeculateInt32()) {
2660             fixEdge<Int32Use>(node->child1());
2661             node->clearFlags(NodeMustGenerate);
2662             return;
2663         }
2664
2665         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2666             fixEdge<Int52RepUse>(node->child1());
2667             node->clearFlags(NodeMustGenerate);
2668             return;
2669         }
2670
2671         if (node->child1()->shouldSpeculateNumber()) {
2672             fixEdge<DoubleRepUse>(node->child1());
2673             node->clearFlags(NodeMustGenerate);
2674             return;
2675         }
2676
2677         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2678         // we need to care about it in the clobberize. In the following case,
2679         // since NotCellUse edge filter is used and this edge filters Symbols,
2680         // we can say that ToString never throws an error!
2681         if (node->child1()->shouldSpeculateNotCell()) {
2682             fixEdge<NotCellUse>(node->child1());
2683             node->clearFlags(NodeMustGenerate);
2684             return;
2685         }
2686     }
2687
2688     bool attemptToMakeFastStringAdd(Node* node)
2689     {
2690         bool goodToGo = true;
2691         m_graph.doToChildren(
2692             node,
2693             [&] (Edge& edge) {
2694                 if (edge->shouldSpeculateString())
2695                     return;
2696                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2697                     if (edge->shouldSpeculateStringObject())
2698                         return;
2699                     if (edge->shouldSpeculateStringOrStringObject())
2700                         return;
2701                 }
2702                 goodToGo = false;
2703             });
2704         if (!goodToGo)
2705             return false;
2706
2707         m_graph.doToChildren(
2708             node,
2709             [&] (Edge& edge) {
2710                 if (edge->shouldSpeculateString()) {
2711                     convertStringAddUse<StringUse>(node, edge);
2712                     return;
2713                 }
2714                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2715                 if (edge->shouldSpeculateStringObject()) {
2716                     convertStringAddUse<StringObjectUse>(node, edge);
2717                     return;
2718                 }
2719                 if (edge->shouldSpeculateStringOrStringObject()) {
2720                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2721                     return;
2722                 }
2723                 RELEASE_ASSERT_NOT_REACHED();
2724             });
2725         
2726         convertToMakeRope(node);
2727         return true;
2728     }
2729
2730     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2731     {
2732         if (!block)
2733             return;
2734         ASSERT(block->isReachable);
2735         m_block = block;
2736         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2737             Node* node = m_currentNode = block->at(m_indexInBlock);
2738             if (node->op() != SetLocal && node->op() != GetLocal)
2739                 continue;
2740             
2741             VariableAccessData* variable = node->variableAccessData();
2742             switch (node->op()) {
2743             case GetLocal:
2744                 switch (variable->flushFormat()) {
2745                 case FlushedDouble:
2746                     node->setResult(NodeResultDouble);
2747                     break;
2748                 case FlushedInt52:
2749                     node->setResult(NodeResultInt52);
2750                     break;
2751                 default:
2752                     break;
2753                 }
2754                 break;
2755                 
2756             case SetLocal:
2757                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2758                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2759                 
2760                 switch (variable->flushFormat()) {
2761                 case FlushedJSValue:
2762                     break;
2763                 case FlushedDouble:
2764                     fixEdge<DoubleRepUse>(node->child1());
2765                     break;
2766                 case FlushedInt32:
2767                     fixEdge<Int32Use>(node->child1());
2768                     break;
2769                 case FlushedInt52:
2770                     fixEdge<Int52RepUse>(node->child1());
2771                     break;
2772                 case FlushedCell:
2773                     fixEdge<CellUse>(node->child1());
2774                     break;
2775                 case FlushedBoolean:
2776                     fixEdge<BooleanUse>(node->child1());
2777                     break;
2778                 default:
2779                     RELEASE_ASSERT_NOT_REACHED();
2780                     break;
2781                 }
2782                 break;
2783                 
2784             default:
2785                 RELEASE_ASSERT_NOT_REACHED();
2786                 break;
2787             }
2788         }
2789         m_insertionSet.execute(block);
2790     }
2791     
2792     void addStringReplacePrimordialChecks(Node* searchRegExp)
2793     {
2794         Node* node = m_currentNode;
2795
2796         // Check that structure of searchRegExp is RegExp object
2797         m_insertionSet.insertNode(
2798             m_indexInBlock, SpecNone, Check, node->origin,
2799             Edge(searchRegExp, RegExpObjectUse));
2800
2801         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2802             unsigned index = m_graph.identifiers().ensure(propertyUID);
2803
2804             Node* actualProperty = m_insertionSet.insertNode(
2805                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2806                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2807
2808             m_insertionSet.insertNode(
2809                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2810                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2811         };
2812
2813         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2814
2815         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2816         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2817         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2818         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2819         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2820         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2821         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2822         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2823     }
2824
2825     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2826     {
2827         ASSERT(arrayMode.isSpecific());
2828         
2829         if (arrayMode.type() == Array::String) {
2830             m_insertionSet.insertNode(
2831                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2832         } else {
2833             // Note that we only need to be using a structure check if we opt for SaneChain, since
2834             // that needs to protect against JSArray's __proto__ being changed.
2835             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2836         
2837             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2838             
2839             if (arrayMode.doesConversion()) {
2840                 if (structure) {
2841                     m_insertionSet.insertNode(
2842                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2843                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2844                 } else {
2845                     m_insertionSet.insertNode(
2846                         m_indexInBlock, SpecNone, Arrayify, origin,
2847                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2848                 }
2849             } else {
2850                 if (structure) {
2851                     m_insertionSet.insertNode(
2852                         m_indexInBlock, SpecNone, CheckStructure, origin,
2853                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2854                 } else {
2855                     m_insertionSet.insertNode(
2856                         m_indexInBlock, SpecNone, CheckArray, origin,
2857                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2858                 }
2859             }
2860         }
2861         
2862         if (!storageCheck(arrayMode))
2863             return nullptr;
2864         
2865         if (arrayMode.usesButterfly()) {
2866             return m_insertionSet.insertNode(
2867                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2868         }
2869         
2870         return m_insertionSet.insertNode(
2871             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2872             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2873     }
2874     
2875     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2876     {
2877         Node* node = m_currentNode;
2878         
2879         switch (node->arrayMode().type()) {
2880         case Array::ForceExit: {
2881             m_insertionSet.insertNode(
2882                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2883             return;
2884         }
2885             
2886         case Array::SelectUsingPredictions:
2887         case Array::Unprofiled:
2888             RELEASE_ASSERT_NOT_REACHED();
2889             return;
2890             
2891         case Array::Generic:
2892             return;
2893             
2894         default: {
2895             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2896             if (!storage)
2897                 return;
2898             
2899             storageChild = Edge(storage);
2900             return;
2901         } }
2902     }
2903     
2904     bool alwaysUnboxSimplePrimitives()
2905     {
2906 #if USE(JSVALUE64)
2907         return false;
2908 #else
2909         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2910         // reduces traffic.
2911         return true;
2912 #endif
2913     }
2914
2915     template<UseKind useKind>
2916     void observeUseKindOnNode(Node* node)
2917     {
2918         if (useKind == UntypedUse)
2919             return;
2920         observeUseKindOnNode(node, useKind);
2921     }
2922
2923     void observeUseKindOnEdge(Edge edge)
2924     {
2925         observeUseKindOnNode(edge.node(), edge.useKind());
2926     }
2927
2928     void observeUseKindOnNode(Node* node, UseKind useKind)
2929     {
2930         if (node->op() != GetLocal)
2931             return;
2932         
2933         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2934         // https://bugs.webkit.org/show_bug.cgi?id=121518
2935         
2936         VariableAccessData* variable = node->variableAccessData();
2937         switch (useKind) {
2938         case Int32Use:
2939         case KnownInt32Use:
2940             if (alwaysUnboxSimplePrimitives()
2941                 || isInt32Speculation(variable->prediction()))
2942                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2943             break;
2944         case NumberUse:
2945         case RealNumberUse:
2946         case DoubleRepUse:
2947         case DoubleRepRealUse:
2948             if (variable->doubleFormatState() == UsingDoubleFormat)
2949                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2950             break;
2951         case BooleanUse:
2952         case KnownBooleanUse:
2953             if (alwaysUnboxSimplePrimitives()
2954                 || isBooleanSpeculation(variable->prediction()))
2955                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2956             break;
2957         case Int52RepUse:
2958             if (isAnyIntSpeculation(variable->prediction()))
2959                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2960             break;
2961         case CellUse:
2962         case KnownCellUse:
2963         case ObjectUse:
2964         case FunctionUse:
2965         case StringUse:
2966         case KnownStringUse:
2967         case SymbolUse:
2968         case BigIntUse:
2969         case StringObjectUse:
2970         case StringOrStringObjectUse:
2971             if (alwaysUnboxSimplePrimitives()
2972                 || isCellSpeculation(variable->prediction()))
2973                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2974             break;
2975         default:
2976             break;
2977         }
2978     }
2979     
2980     template<UseKind useKind>
2981     void fixEdge(Edge& edge)
2982     {
2983         observeUseKindOnNode<useKind>(edge.node());
2984         edge.setUseKind(useKind);
2985     }
2986     
2987     unsigned indexForChecks()
2988     {
2989         unsigned index = m_indexInBlock;
2990         while (!m_block->at(index)->origin.exitOK)
2991             index--;
2992         return index;
2993     }
2994     
2995     NodeOrigin originForCheck(unsigned index)
2996     {
2997         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2998     }
2999     
3000     void speculateForBarrier(Edge value)
3001     {
3002         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3003         // the DFG anyway because if such a speculation would be wrong, we want to know before
3004         // we do an expensive compile.
3005         
3006         if (value->shouldSpeculateInt32()) {
3007             insertCheck<Int32Use>(value.node());
3008             return;
3009         }
3010             
3011         if (value->shouldSpeculateBoolean()) {
3012             insertCheck<BooleanUse>(value.node());
3013             return;
3014         }
3015             
3016         if (value->shouldSpeculateOther()) {
3017             insertCheck<OtherUse>(value.node());
3018             return;
3019         }
3020             
3021         if (value->shouldSpeculateNumber()) {
3022             insertCheck<NumberUse>(value.node());
3023             return;
3024         }
3025             
3026         if (value->shouldSpeculateNotCell()) {
3027             insertCheck<NotCellUse>(value.node());
3028             return;
3029         }
3030     }
3031     
3032     template<UseKind useKind>
3033     void insertCheck(Node* node)
3034     {
3035         observeUseKindOnNode<useKind>(node);
3036         unsigned index = indexForChecks();
3037         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3038     }
3039
3040     void fixIntConvertingEdge(Edge& edge)
3041     {
3042         Node* node = edge.node();
3043         if (node->shouldSpeculateInt32OrBoolean()) {
3044             fixIntOrBooleanEdge(edge);
3045             return;
3046         }
3047         
3048         UseKind useKind;
3049         if (node->shouldSpeculateAnyInt())
3050             useKind = Int52RepUse;
3051         else if (node->shouldSpeculateNumber())
3052             useKind = DoubleRepUse;
3053         else
3054             useKind = NotCellUse;
3055         Node* newNode = m_insertionSet.insertNode(
3056             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3057             Edge(node, useKind));
3058         observeUseKindOnNode(node, useKind);
3059         
3060         edge = Edge(newNode, KnownInt32Use);
3061     }
3062     
3063     void fixIntOrBooleanEdge(Edge& edge)
3064     {
3065         Node* node = edge.node();
3066         if (!node->sawBooleans()) {
3067             fixEdge<Int32Use>(edge);
3068             return;
3069         }
3070         
3071         UseKind useKind;
3072         if (node->shouldSpeculateBoolean())
3073             useKind = BooleanUse;
3074         else
3075             useKind = UntypedUse;
3076         Node* newNode = m_insertionSet.insertNode(
3077             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3078             Edge(node, useKind));
3079         observeUseKindOnNode(node, useKind);
3080         
3081         edge = Edge(newNode, Int32Use);
3082     }
3083     
3084     void fixDoubleOrBooleanEdge(Edge& edge)
3085     {
3086         Node* node = edge.node();
3087         if (!node->sawBooleans()) {
3088             fixEdge<DoubleRepUse>(edge);
3089             return;
3090         }
3091         
3092         UseKind useKind;
3093         if (node->shouldSpeculateBoolean())
3094             useKind = BooleanUse;
3095         else
3096             useKind = UntypedUse;
3097         Node* newNode = m_insertionSet.insertNode(
3098             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3099             Edge(node, useKind));
3100         observeUseKindOnNode(node, useKind);
3101         
3102         edge = Edge(newNode, DoubleRepUse);
3103     }
3104     
3105     void truncateConstantToInt32(Edge& edge)
3106     {
3107         Node* oldNode = edge.node();
3108         
3109         JSValue value = oldNode->asJSValue();
3110         if (value.isInt32())
3111             return;
3112         
3113         value = jsNumber(JSC::toInt32(value.asNumber()));
3114         ASSERT(value.isInt32());
3115         edge.setNode(m_insertionSet.insertNode(
3116             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3117             OpInfo(m_graph.freeze(value))));
3118     }
3119     
3120     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3121     {
3122         if (mode != SpeculateInt32AndTruncateConstants)
3123             return;
3124         
3125         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3126         if (node->child1()->hasConstant())
3127             truncateConstantToInt32(node->child1());
3128         else
3129             truncateConstantToInt32(node->child2());
3130     }
3131
3132     bool attemptToMakeIntegerAdd(Node* node)
3133     {
3134         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3135         if (mode != DontSpeculateInt32) {
3136             truncateConstantsIfNecessary(node, mode);
3137             fixIntOrBooleanEdge(node->child1());
3138             fixIntOrBooleanEdge(node->child2());
3139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3140                 node->setArithMode(Arith::Unchecked);
3141             else
3142                 node->setArithMode(Arith::CheckOverflow);
3143             return true;
3144         }
3145         
3146         if (m_graph.addShouldSpeculateAnyInt(node)) {
3147             fixEdge<Int52RepUse>(node->child1());
3148             fixEdge<Int52RepUse>(node->child2());
3149             node->setArithMode(Arith::CheckOverflow);
3150             node->setResult(NodeResultInt52);
3151             return true;
3152         }
3153         
3154         return false;
3155     }
3156     
3157     bool attemptToMakeGetArrayLength(Node* node)
3158     {
3159         if (!isInt32Speculation(node->prediction()))
3160             return false;
3161         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3162         ArrayProfile* arrayProfile = 
3163             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3164         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3165         if (arrayProfile) {
3166             ConcurrentJSLocker locker(profiledBlock->m_lock);
3167             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3168             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3169             if (arrayMode.type() == Array::Unprofiled) {
3170                 // For normal array operations, it makes sense to treat Unprofiled
3171                 // accesses as ForceExit and get more data rather than using
3172                 // predictions and then possibly ending up with a Generic. But here,
3173                 // we treat anything that is Unprofiled as Generic and keep the
3174                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3175                 // profit - from treating the Unprofiled case as
3176                 // SelectUsingPredictions.
3177                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3178             }
3179         }
3180             
3181         arrayMode = arrayMode.refine(
3182             m_graph, node, node->child1()->prediction(), node->prediction());
3183             
3184         if (arrayMode.type() == Array::Generic) {
3185             // Check if the input is something that we can't get array length for, but for which we
3186             // could insert some conversions in order to transform it into something that we can do it
3187             // for.
3188             if (node->child1()->shouldSpeculateStringObject())
3189                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3190             else if (node->child1()->shouldSpeculateStringOrStringObject())
3191                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3192         }
3193             
3194         if (!arrayMode.supportsSelfLength())
3195             return false;
3196         
3197         convertToGetArrayLength(node, arrayMode);
3198         return true;
3199     }
3200
3201     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3202     {
3203         node->setOp(GetArrayLength);
3204         node->clearFlags(NodeMustGenerate);
3205         fixEdge<KnownCellUse>(node->child1());
3206         node->setArrayMode(arrayMode);
3207             
3208         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3209         if (!storage)
3210             return;
3211             
3212         node->child2() = Edge(storage);
3213     }
3214     
3215     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3216     {
3217         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3218         return m_insertionSet.insertNode(
3219             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3220             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3221     }
3222
3223     void convertToHasIndexedProperty(Node* node)
3224     {
3225         node->setOp(HasIndexedProperty);
3226         node->clearFlags(NodeMustGenerate);
3227         node->setArrayMode(
3228             node->arrayMode().refine(
3229                 m_graph, node,
3230                 node->child1()->prediction(),
3231                 node->child2()->prediction(),
3232                 SpecNone));
3233         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3234
3235         blessArrayOperation(node->child1(), node->child2(), node->child3());
3236
3237         fixEdge<CellUse>(node->child1());
3238         fixEdge<Int32Use>(node->child2());
3239     }
3240
3241     void fixupNormalizeMapKey(Node* node)
3242     {
3243         if (node->child1()->shouldSpeculateBoolean()) {
3244             fixEdge<BooleanUse>(node->child1());
3245             node->convertToIdentity();
3246             return;
3247         }
3248
3249         if (node->child1()->shouldSpeculateInt32()) {
3250             fixEdge<Int32Use>(node->child1());
3251             node->convertToIdentity();
3252             return;
3253         }
3254
3255         if (node->child1()->shouldSpeculateSymbol()) {
3256             fixEdge<SymbolUse>(node->child1());
3257             node->convertToIdentity();
3258             return;
3259         }
3260
3261         if (node->child1()->shouldSpeculateObject()) {
3262             fixEdge<ObjectUse>(node->child1());
3263             node->convertToIdentity();
3264             return;
3265         }
3266
3267         if (node->child1()->shouldSpeculateString()) {
3268             fixEdge<StringUse>(node->child1());
3269             node->convertToIdentity();
3270             return;
3271         }
3272
3273         if (node->child1()->shouldSpeculateCell()) {
3274             fixEdge<CellUse>(node->child1());
3275             node->convertToIdentity();
3276             return;
3277         }
3278
3279         fixEdge<UntypedUse>(node->child1());
3280     }
3281
3282     bool attemptToMakeCallDOM(Node* node)
3283     {
3284         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3285             return false;
3286
3287         const DOMJIT::Signature* signature = node->signature();
3288         if (!signature)
3289             return false;
3290
3291         {
3292             unsigned index = 0;
3293             bool shouldConvertToCallDOM = true;
3294             m_graph.doToChildren(node, [&](Edge& edge) {
3295                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3296                 if (!index)
3297                     return;
3298
3299                 if (index == 1) {
3300                     // DOM node case.
3301                     if (edge->shouldSpeculateNotCell())
3302                         shouldConvertToCallDOM = false;
3303                 } else {
3304                     switch (signature->arguments[index - 2]) {
3305                     case SpecString:
3306                         if (edge->shouldSpeculateNotString())
3307                             shouldConvertToCallDOM = false;
3308                         break;
3309                     case SpecInt32Only:
3310                         if (edge->shouldSpeculateNotInt32())
3311                             shouldConvertToCallDOM = false;
3312                         break;
3313                     case SpecBoolean:
3314                         if (edge->shouldSpeculateNotBoolean())
3315                             shouldConvertToCallDOM = false;
3316                         break;
3317                     default:
3318                         RELEASE_ASSERT_NOT_REACHED();
3319                         break;
3320                     }
3321                 }
3322                 ++index;
3323             });
3324             if (!shouldConvertToCallDOM)
3325                 return false;
3326         }
3327
3328         Node* thisNode = m_graph.varArgChild(node, 1).node();
3329         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3330         node->convertToCallDOM(m_graph);
3331         fixupCheckSubClass(checkSubClass);
3332         fixupCallDOM(node);
3333         return true;
3334     }
3335
3336     void fixupCheckSubClass(Node* node)
3337     {
3338         fixEdge<CellUse>(node->child1());
3339     }
3340
3341     void fixupCallDOM(Node* node)
3342     {
3343         const DOMJIT::Signature* signature = node->signature();
3344         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3345             if (!edge)
3346                 return;
3347             switch (signature->arguments[argumentIndex]) {
3348             case SpecString:
3349                 fixEdge<StringUse>(edge);
3350                 break;
3351             case SpecInt32Only:
3352                 fixEdge<Int32Use>(edge);
3353                 break;
3354             case SpecBoolean:
3355                 fixEdge<BooleanUse>(edge);
3356                 break;
3357             default:
3358                 RELEASE_ASSERT_NOT_REACHED();
3359                 break;
3360             }
3361         };
3362         fixEdge<CellUse>(node->child1()); // DOM.
3363         fixup(node->child2(), 0);
3364         fixup(node->child3(), 1);
3365     }
3366
3367     void fixupArrayIndexOf(Node* node)
3368     {
3369         Edge& array = m_graph.varArgChild(node, 0);
3370         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3371         blessArrayOperation(array, Edge(), storage);
3372         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3373
3374         Edge& searchElement = m_graph.varArgChild(node, 1);
3375
3376         // Constant folding.
3377         switch (node->arrayMode().type()) {
3378         case Array::Double:
3379         case Array::Int32: {
3380             if (searchElement->shouldSpeculateCell()) {
3381                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3382                 m_graph.convertToConstant(node, jsNumber(-1));
3383                 observeUseKindOnNode<CellUse>(searchElement.node());
3384                 return;
3385             }
3386
3387             if (searchElement->shouldSpeculateOther()) {
3388                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3389                 m_graph.convertToConstant(node, jsNumber(-1));
3390                 observeUseKindOnNode<OtherUse>(searchElement.node());
3391                 return;
3392             }
3393
3394             if (searchElement->shouldSpeculateBoolean()) {
3395                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3396                 m_graph.convertToConstant(node, jsNumber(-1));
3397                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3398                 return;
3399             }
3400             break;
3401         }
3402         default:
3403             break;
3404         }
3405
3406         fixEdge<KnownCellUse>(array);
3407         if (node->numChildren() == 4)
3408             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3409
3410         switch (node->arrayMode().type()) {
3411         case Array::Double: {
3412             if (searchElement->shouldSpeculateNumber())
3413                 fixEdge<DoubleRepUse>(searchElement);
3414             return;
3415         }
3416         case Array::Int32: {
3417             if (searchElement->shouldSpeculateInt32())
3418                 fixEdge<Int32Use>(searchElement);
3419             return;
3420         }
3421         case Array::Contiguous: {
3422             if (searchElement->shouldSpeculateString())
3423                 fixEdge<StringUse>(searchElement);
3424             else if (searchElement->shouldSpeculateSymbol())
3425                 fixEdge<SymbolUse>(searchElement);
3426             else if (searchElement->shouldSpeculateOther())
3427                 fixEdge<OtherUse>(searchElement);
3428             else if (searchElement->shouldSpeculateObject())
3429                 fixEdge<ObjectUse>(searchElement);
3430             return;
3431         }
3432         default:
3433             RELEASE_ASSERT_NOT_REACHED();
3434             return;
3435         }
3436     }
3437
3438     void fixupCompareStrictEqAndSameValue(Node* node)
3439     {
3440         ASSERT(node->op() == SameValue || node->op() == CompareStrictEq);
3441
3442         if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
3443             fixEdge<BooleanUse>(node->child1());
3444             fixEdge<BooleanUse>(node->child2());
3445             node->setOpAndDefaultFlags(CompareStrictEq);
3446             return;
3447         }
3448         if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
3449             fixEdge<Int32Use>(node->child1());
3450             fixEdge<Int32Use>(node->child2());
3451             node->setOpAndDefaultFlags(CompareStrictEq);
3452             return;
3453         }
3454         if (enableInt52()
3455             && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
3456             fixEdge<Int52RepUse>(node->child1());
3457             fixEdge<Int52RepUse>(node->child2());
3458             node->setOpAndDefaultFlags(CompareStrictEq);
3459             return;
3460         }
3461         if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
3462             fixEdge<DoubleRepUse>(node->child1());
3463             fixEdge<DoubleRepUse>(node->child2());
3464             // Do not convert SameValue to CompareStrictEq in this case since SameValue(NaN, NaN) and SameValue(-0, +0)
3465             // are not the same to CompareStrictEq(NaN, NaN) and CompareStrictEq(-0, +0).
3466             return;
3467         }
3468         if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
3469             fixEdge<SymbolUse>(node->child1());
3470             fixEdge<SymbolUse>(node->child2());
3471             node->setOpAndDefaultFlags(CompareStrictEq);
3472             return;
3473         }
3474         if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
3475             fixEdge<BigIntUse>(node->child1());
3476             fixEdge<BigIntUse>(node->child2());
3477             node->setOpAndDefaultFlags(CompareStrictEq);
3478             return;
3479         }
3480         if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
3481             fixEdge<StringIdentUse>(node->child1());
3482             fixEdge<StringIdentUse>(node->child2());
3483             node->setOpAndDefaultFlags(CompareStrictEq);
3484             return;
3485         }
3486         if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
3487             fixEdge<StringUse>(node->child1());
3488             fixEdge<StringUse>(node->child2());
3489             node->setOpAndDefaultFlags(CompareStrictEq);
3490             return;
3491         }
3492
3493         if (node->op() == SameValue) {
3494             if (node->child1()->shouldSpeculateObject()) {
3495                 fixEdge<ObjectUse>(node->child1());
3496                 node->setOpAndDefaultFlags(CompareStrictEq);
3497                 return;
3498             }
3499             if (node->child2()->shouldSpeculateObject()) {
3500                 fixEdge<ObjectUse>(node->child2());
3501                 node->setOpAndDefaultFlags(CompareStrictEq);
3502                 return;
3503             }
3504         } else {
3505             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
3506             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
3507                 if (node->child1()->shouldSpeculateObject()) {
3508                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
3509                     fixEdge<ObjectUse>(node->child1());
3510                     return;
3511                 }
3512                 if (node->child2()->shouldSpeculateObject()) {
3513                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
3514                     fixEdge<ObjectUse>(node->child2());
3515                     return;
3516                 }
3517             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
3518                 fixEdge<ObjectUse>(node->child1());
3519                 fixEdge<ObjectUse>(node->child2());
3520                 return;
3521             }
3522         }
3523
3524         if (node->child1()->shouldSpeculateSymbol()) {
3525             fixEdge<SymbolUse>(node->child1());
3526             node->setOpAndDefaultFlags(CompareStrictEq);
3527             return;
3528         }
3529         if (node->child2()->shouldSpeculateSymbol()) {
3530             fixEdge<SymbolUse>(node->child2());
3531             node->setOpAndDefaultFlags(CompareStrictEq);
3532             return;
3533         }
3534         if (node->child1()->shouldSpeculateMisc()) {
3535             fixEdge<MiscUse>(node->child1());
3536             node->setOpAndDefaultFlags(CompareStrictEq);
3537             return;
3538         }
3539         if (node->child2()->shouldSpeculateMisc()) {
3540             fixEdge<MiscUse>(node->child2());
3541             node->setOpAndDefaultFlags(CompareStrictEq);
3542             return;
3543         }
3544         if (node->child1()->shouldSpeculateStringIdent()
3545             && node->child2()->shouldSpeculateNotStringVar()) {
3546             fixEdge<StringIdentUse>(node->child1());
3547             fixEdge<NotStringVarUse>(node->child2());
3548             node->setOpAndDefaultFlags(CompareStrictEq);
3549             return;
3550         }
3551         if (node->child2()->shouldSpeculateStringIdent()
3552