StringObjectUse should not be a structure check for the original string object structure
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInsertionSet.h"
34 #include "DFGPhase.h"
35 #include "DFGPredictionPropagationPhase.h"
36 #include "DFGVariableAccessDataDump.h"
37 #include "JSCInlines.h"
38 #include "TypeLocation.h"
39
40 namespace JSC { namespace DFG {
41
42 class FixupPhase : public Phase {
43 public:
44     FixupPhase(Graph& graph)
45         : Phase(graph, "fixup")
46         , m_insertionSet(graph)
47     {
48     }
49     
50     bool run()
51     {
52         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
53         ASSERT(m_graph.m_form == ThreadedCPS);
54         
55         m_profitabilityChanged = false;
56         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
57             fixupBlock(m_graph.block(blockIndex));
58         
59         while (m_profitabilityChanged) {
60             m_profitabilityChanged = false;
61             
62             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
63                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
64             
65             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
66                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
67         }
68         
69         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
70             fixupChecksInBlock(m_graph.block(blockIndex));
71
72         m_graph.m_planStage = PlanStage::AfterFixup;
73
74         return true;
75     }
76
77 private:
78     void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild)
79     {
80         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
81             if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
82                 fixIntOrBooleanEdge(leftChild);
83                 fixIntOrBooleanEdge(rightChild);
84                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
85                     node->setArithMode(Arith::Unchecked);
86                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
87                     node->setArithMode(Arith::CheckOverflow);
88                 else
89                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
90                 return;
91             }
92             
93             // This will cause conversion nodes to be inserted later.
94             fixDoubleOrBooleanEdge(leftChild);
95             fixDoubleOrBooleanEdge(rightChild);
96             
97             // We don't need to do ref'ing on the children because we're stealing them from
98             // the original division.
99             Node* newDivision = m_insertionSet.insertNode(m_indexInBlock, SpecBytecodeDouble, *node);
100             newDivision->setResult(NodeResultDouble);
101             
102             node->setOp(DoubleAsInt32);
103             node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
104             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
105                 node->setArithMode(Arith::CheckOverflow);
106             else
107                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
108             return;
109         }
110         
111         fixDoubleOrBooleanEdge(leftChild);
112         fixDoubleOrBooleanEdge(rightChild);
113         node->setResult(NodeResultDouble);
114     }
115     
116     void fixupArithMul(Node* node, Edge& leftChild, Edge& rightChild)
117     {
118         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
119             fixIntOrBooleanEdge(leftChild);
120             fixIntOrBooleanEdge(rightChild);
121             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
122                 node->setArithMode(Arith::Unchecked);
123             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
124                 node->setArithMode(Arith::CheckOverflow);
125             else
126                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
127             return;
128         }
129         if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
130             fixEdge<Int52RepUse>(leftChild);
131             fixEdge<Int52RepUse>(rightChild);
132             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
133                 node->setArithMode(Arith::CheckOverflow);
134             else
135                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
136             node->setResult(NodeResultInt52);
137             return;
138         }
139
140         fixDoubleOrBooleanEdge(leftChild);
141         fixDoubleOrBooleanEdge(rightChild);
142         node->setResult(NodeResultDouble);
143     }
144
145     void fixupBlock(BasicBlock* block)
146     {
147         if (!block)
148             return;
149         ASSERT(block->isReachable);
150         m_block = block;
151         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
152             m_currentNode = block->at(m_indexInBlock);
153             fixupNode(m_currentNode);
154         }
155         m_insertionSet.execute(block);
156     }
157     
158     void fixupNode(Node* node)
159     {
160         NodeType op = node->op();
161
162         switch (op) {
163         case SetLocal: {
164             // This gets handled by fixupGetAndSetLocalsInBlock().
165             return;
166         }
167
168         case ValueSub: {
169             Edge& child1 = node->child1();
170             Edge& child2 = node->child2();
171
172             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
173                 fixEdge<BigIntUse>(child1);
174                 fixEdge<BigIntUse>(child2);
175                 break; 
176             }
177             
178             if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
179                 fixEdge<UntypedUse>(child1);
180                 fixEdge<UntypedUse>(child2);
181                 break;
182             }
183
184             if (attemptToMakeIntegerAdd(node)) {
185                 // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
186                 // https://bugs.webkit.org/show_bug.cgi?id=190607
187                 node->setOp(ArithSub);
188                 break;
189             }
190
191             fixDoubleOrBooleanEdge(node->child1());
192             fixDoubleOrBooleanEdge(node->child2());
193             node->setOp(ArithSub);
194             node->setResult(NodeResultDouble);
195
196             break;
197         }
198
199         case ValueBitXor:
200         case ValueBitOr:
201         case ValueBitAnd: {
202             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
203                 fixEdge<BigIntUse>(node->child1());
204                 fixEdge<BigIntUse>(node->child2());
205                 break;
206             }
207
208             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
209                 fixEdge<UntypedUse>(node->child1());
210                 fixEdge<UntypedUse>(node->child2());
211                 break;
212             }
213
214             // In such case, we need to fallback to ArithBitOp
215             switch (op) {
216             case ValueBitXor:
217                 node->setOp(ArithBitXor);
218                 break;
219             case ValueBitOr:
220                 node->setOp(ArithBitOr);
221                 break;
222             case ValueBitAnd:
223                 node->setOp(ArithBitAnd);
224                 break;
225             default:
226                 DFG_CRASH(m_graph, node, "Unexpected node during ValueBit operation fixup");
227                 break;
228             }
229
230             node->clearFlags(NodeMustGenerate);
231             node->setResult(NodeResultInt32);
232             fixIntConvertingEdge(node->child1());
233             fixIntConvertingEdge(node->child2());
234             break;
235         }
236
237         case ArithBitNot: {
238             if (node->child1().node()->shouldSpeculateUntypedForBitOps()) {
239                 fixEdge<UntypedUse>(node->child1());
240                 break;
241             }
242
243             fixIntConvertingEdge(node->child1());
244             node->clearFlags(NodeMustGenerate);
245             break;
246         }
247
248         case ArithBitXor:
249         case ArithBitOr:
250         case ArithBitAnd: {
251             fixIntConvertingEdge(node->child1());
252             fixIntConvertingEdge(node->child2());
253             break;
254         }
255
256         case BitRShift:
257         case BitLShift:
258         case BitURShift: {
259             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
260                 fixEdge<UntypedUse>(node->child1());
261                 fixEdge<UntypedUse>(node->child2());
262                 break;
263             }
264             fixIntConvertingEdge(node->child1());
265             fixIntConvertingEdge(node->child2());
266             break;
267         }
268
269         case ArithIMul: {
270             fixIntConvertingEdge(node->child1());
271             fixIntConvertingEdge(node->child2());
272             node->setOp(ArithMul);
273             node->setArithMode(Arith::Unchecked);
274             node->child1().setUseKind(Int32Use);
275             node->child2().setUseKind(Int32Use);
276             break;
277         }
278
279         case ArithClz32: {
280             if (node->child1()->shouldSpeculateNotCell()) {
281                 fixIntConvertingEdge(node->child1());
282                 node->clearFlags(NodeMustGenerate);
283             } else
284                 fixEdge<UntypedUse>(node->child1());
285             break;
286         }
287             
288         case UInt32ToNumber: {
289             fixIntConvertingEdge(node->child1());
290             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
291                 node->convertToIdentity();
292             else if (node->canSpeculateInt32(FixupPass))
293                 node->setArithMode(Arith::CheckOverflow);
294             else {
295                 node->setArithMode(Arith::DoOverflow);
296                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
297             }
298             break;
299         }
300
301         case ValueNegate: {
302             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
303                 node->setOp(ArithNegate);
304                 fixIntOrBooleanEdge(node->child1());
305                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
306                     node->setArithMode(Arith::Unchecked);
307                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
308                     node->setArithMode(Arith::CheckOverflow);
309                 else
310                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
311                 node->setResult(NodeResultInt32);
312                 node->clearFlags(NodeMustGenerate);
313                 break;
314             }
315             
316             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
317                 node->setOp(ArithNegate);
318                 fixEdge<Int52RepUse>(node->child1());
319                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
320                     node->setArithMode(Arith::CheckOverflow);
321                 else
322                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
323                 node->setResult(NodeResultInt52);
324                 node->clearFlags(NodeMustGenerate);
325                 break;
326             }
327             if (node->child1()->shouldSpeculateNotCell()) {
328                 node->setOp(ArithNegate);
329                 fixDoubleOrBooleanEdge(node->child1());
330                 node->setResult(NodeResultDouble);
331                 node->clearFlags(NodeMustGenerate);
332             } else {
333                 fixEdge<UntypedUse>(node->child1());
334                 node->setResult(NodeResultJS);
335             }
336             break;
337         }
338
339         case ValueAdd: {
340             if (attemptToMakeIntegerAdd(node)) {
341                 node->setOp(ArithAdd);
342                 break;
343             }
344             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
345                 fixDoubleOrBooleanEdge(node->child1());
346                 fixDoubleOrBooleanEdge(node->child2());
347                 node->setOp(ArithAdd);
348                 node->setResult(NodeResultDouble);
349                 break;
350             }
351             
352             if (attemptToMakeFastStringAdd(node))
353                 break;
354
355             Edge& child1 = node->child1();
356             Edge& child2 = node->child2();
357             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
358                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
359                     auto convertString = [&](Node* node, Edge& edge) {
360                         if (edge->shouldSpeculateInt32())
361                             convertStringAddUse<Int32Use>(node, edge);
362                         else {
363                             ASSERT(edge->shouldSpeculateString());
364                             convertStringAddUse<StringUse>(node, edge);
365                         }
366                     };
367                     convertString(node, child1);
368                     convertString(node, child2);
369                     convertToMakeRope(node);
370                     break;
371                 }
372             }
373
374             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
375                 fixEdge<BigIntUse>(child1);
376                 fixEdge<BigIntUse>(child2);
377             } else {
378                 fixEdge<UntypedUse>(child1);
379                 fixEdge<UntypedUse>(child2);
380             }
381
382             node->setResult(NodeResultJS);
383             break;
384         }
385
386         case StrCat: {
387             if (attemptToMakeFastStringAdd(node))
388                 break;
389
390             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
391             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
392             // the implementation of StrCat doesn't dynamically optimize for empty strings.
393             // https://bugs.webkit.org/show_bug.cgi?id=148540
394             m_graph.doToChildren(
395                 node,
396                 [&] (Edge& edge) {
397                     fixEdge<KnownPrimitiveUse>(edge);
398                     // StrCat automatically coerces the values into strings before concatenating them.
399                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
400                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
401                     // our runtime functions for this slow path expect that they will never be passed
402                     // Symbols.
403                     m_insertionSet.insertNode(
404                         m_indexInBlock, SpecNone, Check, node->origin,
405                         Edge(edge.node(), NotSymbolUse));
406                 });
407             break;
408         }
409             
410         case MakeRope: {
411             fixupMakeRope(node);
412             break;
413         }
414             
415         case ArithAdd:
416         case ArithSub: {
417             // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
418             // https://bugs.webkit.org/show_bug.cgi?id=190607
419             if (attemptToMakeIntegerAdd(node))
420                 break;
421             fixDoubleOrBooleanEdge(node->child1());
422             fixDoubleOrBooleanEdge(node->child2());
423             node->setResult(NodeResultDouble);
424             break;
425         }
426             
427         case ArithNegate: {
428             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
429                 fixIntOrBooleanEdge(node->child1());
430                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
431                     node->setArithMode(Arith::Unchecked);
432                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
433                     node->setArithMode(Arith::CheckOverflow);
434                 else
435                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
436                 node->setResult(NodeResultInt32);
437                 node->clearFlags(NodeMustGenerate);
438                 break;
439             }
440             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
441                 fixEdge<Int52RepUse>(node->child1());
442                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
443                     node->setArithMode(Arith::CheckOverflow);
444                 else
445                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
446                 node->setResult(NodeResultInt52);
447                 node->clearFlags(NodeMustGenerate);
448                 break;
449             }
450
451             fixDoubleOrBooleanEdge(node->child1());
452             node->setResult(NodeResultDouble);
453             node->clearFlags(NodeMustGenerate);
454             break;
455         }
456
457         case ValueMul: {
458             Edge& leftChild = node->child1();
459             Edge& rightChild = node->child2();
460
461             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
462                 fixEdge<BigIntUse>(node->child1());
463                 fixEdge<BigIntUse>(node->child2());
464                 break;
465             }
466
467             // There are cases where we can have BigInt + Int32 operands reaching ValueMul.
468             // Imagine the scenario where ValueMul was never executed, but we can predict types
469             // reaching the node:
470             //
471             // 63: GetLocal(Check:Untyped:@72, JS|MustGen, NonBoolInt32, ...)  predicting NonBoolInt32
472             // 64: GetLocal(Check:Untyped:@71, JS|MustGen, BigInt, ...)  predicting BigInt
473             // 65: ValueMul(Check:Untyped:@63, Check:Untyped:@64, BigInt|BoolInt32|NonBoolInt32, ...)
474             // 
475             // In such scenario, we need to emit ValueMul(Untyped, Untyped), so the runtime can throw 
476             // an exception whenever it gets excuted.
477             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
478                 fixEdge<UntypedUse>(leftChild);
479                 fixEdge<UntypedUse>(rightChild);
480                 break;
481             }
482
483             // At this point, all other possible specializations are only handled by ArithMul.
484             node->setOp(ArithMul);
485             node->setResult(NodeResultNumber);
486             fixupArithMul(node, leftChild, rightChild);
487             break;
488         }
489
490         case ArithMul: {
491             Edge& leftChild = node->child1();
492             Edge& rightChild = node->child2();
493
494             fixupArithMul(node, leftChild, rightChild);
495             break;
496         }
497
498         case ValueDiv: {
499             Edge& leftChild = node->child1();
500             Edge& rightChild = node->child2();
501
502             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
503                 fixEdge<BigIntUse>(leftChild);
504                 fixEdge<BigIntUse>(rightChild);
505                 break; 
506             }
507
508             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
509                 fixEdge<UntypedUse>(leftChild);
510                 fixEdge<UntypedUse>(rightChild);
511                 break;
512             }
513             node->setOp(ArithDiv);
514             node->setResult(NodeResultNumber);
515             fixupArithDiv(node, leftChild, rightChild);
516             break;
517
518         }
519
520         case ArithDiv:
521         case ArithMod: {
522             Edge& leftChild = node->child1();
523             Edge& rightChild = node->child2();
524
525             fixupArithDiv(node, leftChild, rightChild);
526             break;
527         }
528             
529         case ArithMin:
530         case ArithMax: {
531             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
532                 fixIntOrBooleanEdge(node->child1());
533                 fixIntOrBooleanEdge(node->child2());
534                 break;
535             }
536             fixDoubleOrBooleanEdge(node->child1());
537             fixDoubleOrBooleanEdge(node->child2());
538             node->setResult(NodeResultDouble);
539             break;
540         }
541             
542         case ArithAbs: {
543             if (node->child1()->shouldSpeculateInt32OrBoolean()
544                 && node->canSpeculateInt32(FixupPass)) {
545                 fixIntOrBooleanEdge(node->child1());
546                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
547                     node->setArithMode(Arith::Unchecked);
548                 else
549                     node->setArithMode(Arith::CheckOverflow);
550                 node->clearFlags(NodeMustGenerate);
551                 node->setResult(NodeResultInt32);
552                 break;
553             }
554
555             if (node->child1()->shouldSpeculateNotCell()) {
556                 fixDoubleOrBooleanEdge(node->child1());
557                 node->clearFlags(NodeMustGenerate);
558             } else
559                 fixEdge<UntypedUse>(node->child1());
560             node->setResult(NodeResultDouble);
561             break;
562         }
563
564         case ArithPow: {
565             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
566                 fixDoubleOrBooleanEdge(node->child1());
567                 fixIntOrBooleanEdge(node->child2());
568                 break;
569             }
570
571             fixDoubleOrBooleanEdge(node->child1());
572             fixDoubleOrBooleanEdge(node->child2());
573             break;
574         }
575
576         case ArithRandom: {
577             node->setResult(NodeResultDouble);
578             break;
579         }
580
581         case ArithRound:
582         case ArithFloor:
583         case ArithCeil:
584         case ArithTrunc: {
585             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
586                 fixIntOrBooleanEdge(node->child1());
587                 insertCheck<Int32Use>(node->child1().node());
588                 node->convertToIdentity();
589                 break;
590             }
591             if (node->child1()->shouldSpeculateNotCell()) {
592                 fixDoubleOrBooleanEdge(node->child1());
593
594                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
595                     node->setResult(NodeResultInt32);
596                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
597                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
598                     else
599                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
600                 } else {
601                     node->setResult(NodeResultDouble);
602                     node->setArithRoundingMode(Arith::RoundingMode::Double);
603                 }
604                 node->clearFlags(NodeMustGenerate);
605             } else
606                 fixEdge<UntypedUse>(node->child1());
607             break;
608         }
609
610         case ArithFRound:
611         case ArithSqrt:
612         case ArithUnary: {
613             Edge& child1 = node->child1();
614             if (child1->shouldSpeculateNotCell()) {
615                 fixDoubleOrBooleanEdge(child1);
616                 node->clearFlags(NodeMustGenerate);
617             } else
618                 fixEdge<UntypedUse>(child1);
619             break;
620         }
621             
622         case LogicalNot: {
623             if (node->child1()->shouldSpeculateBoolean()) {
624                 if (node->child1()->result() == NodeResultBoolean) {
625                     // This is necessary in case we have a bytecode instruction implemented by:
626                     //
627                     // a: CompareEq(...)
628                     // b: LogicalNot(@a)
629                     //
630                     // In that case, CompareEq might have a side-effect. Then, we need to make
631                     // sure that we know that Branch does not exit.
632                     fixEdge<KnownBooleanUse>(node->child1());
633                 } else
634                     fixEdge<BooleanUse>(node->child1());
635             } else if (node->child1()->shouldSpeculateObjectOrOther())
636                 fixEdge<ObjectOrOtherUse>(node->child1());
637             else if (node->child1()->shouldSpeculateInt32OrBoolean())
638                 fixIntOrBooleanEdge(node->child1());
639             else if (node->child1()->shouldSpeculateNumber())
640                 fixEdge<DoubleRepUse>(node->child1());
641             else if (node->child1()->shouldSpeculateString())
642                 fixEdge<StringUse>(node->child1());
643             else if (node->child1()->shouldSpeculateStringOrOther())
644                 fixEdge<StringOrOtherUse>(node->child1());
645             else {
646                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
647                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
648                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
649             }
650             break;
651         }
652
653         case CompareEq:
654         case CompareLess:
655         case CompareLessEq:
656         case CompareGreater:
657         case CompareGreaterEq: {
658             if (node->op() == CompareEq
659                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
660                 fixEdge<BooleanUse>(node->child1());
661                 fixEdge<BooleanUse>(node->child2());
662                 node->clearFlags(NodeMustGenerate);
663                 break;
664             }
665             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
666                 fixIntOrBooleanEdge(node->child1());
667                 fixIntOrBooleanEdge(node->child2());
668                 node->clearFlags(NodeMustGenerate);
669                 break;
670             }
671             if (enableInt52()
672                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
673                 fixEdge<Int52RepUse>(node->child1());
674                 fixEdge<Int52RepUse>(node->child2());
675                 node->clearFlags(NodeMustGenerate);
676                 break;
677             }
678             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
679                 fixDoubleOrBooleanEdge(node->child1());
680                 fixDoubleOrBooleanEdge(node->child2());
681             }
682             if (node->op() != CompareEq
683                 && node->child1()->shouldSpeculateNotCell()
684                 && node->child2()->shouldSpeculateNotCell()) {
685                 if (node->child1()->shouldSpeculateNumberOrBoolean())
686                     fixDoubleOrBooleanEdge(node->child1());
687                 else
688                     fixEdge<DoubleRepUse>(node->child1());
689                 if (node->child2()->shouldSpeculateNumberOrBoolean())
690                     fixDoubleOrBooleanEdge(node->child2());
691                 else
692                     fixEdge<DoubleRepUse>(node->child2());
693                 node->clearFlags(NodeMustGenerate);
694                 break;
695             }
696             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
697                 fixEdge<StringIdentUse>(node->child1());
698                 fixEdge<StringIdentUse>(node->child2());
699                 node->clearFlags(NodeMustGenerate);
700                 break;
701             }
702             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
703                 fixEdge<StringUse>(node->child1());
704                 fixEdge<StringUse>(node->child2());
705                 node->clearFlags(NodeMustGenerate);
706                 break;
707             }
708
709             if (node->op() != CompareEq)
710                 break;
711             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
712                 fixEdge<SymbolUse>(node->child1());
713                 fixEdge<SymbolUse>(node->child2());
714                 node->clearFlags(NodeMustGenerate);
715                 break;
716             }
717             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
718                 fixEdge<ObjectUse>(node->child1());
719                 fixEdge<ObjectUse>(node->child2());
720                 node->clearFlags(NodeMustGenerate);
721                 break;
722             }
723
724             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
725             bool oneArgumentIsUsedAsSpecOther = false;
726             if (node->child1()->isUndefinedOrNullConstant()) {
727                 fixEdge<KnownOtherUse>(node->child1());
728                 oneArgumentIsUsedAsSpecOther = true;
729             } else if (node->child1()->shouldSpeculateOther()) {
730                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
731                     Edge(node->child1().node(), OtherUse));
732                 fixEdge<KnownOtherUse>(node->child1());
733                 oneArgumentIsUsedAsSpecOther = true;
734             }
735             if (node->child2()->isUndefinedOrNullConstant()) {
736                 fixEdge<KnownOtherUse>(node->child2());
737                 oneArgumentIsUsedAsSpecOther = true;
738             } else if (node->child2()->shouldSpeculateOther()) {
739                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
740                     Edge(node->child2().node(), OtherUse));
741                 fixEdge<KnownOtherUse>(node->child2());
742                 oneArgumentIsUsedAsSpecOther = true;
743             }
744             if (oneArgumentIsUsedAsSpecOther) {
745                 node->clearFlags(NodeMustGenerate);
746                 break;
747             }
748
749             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
750                 fixEdge<ObjectUse>(node->child1());
751                 fixEdge<ObjectOrOtherUse>(node->child2());
752                 node->clearFlags(NodeMustGenerate);
753                 break;
754             }
755             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
756                 fixEdge<ObjectOrOtherUse>(node->child1());
757                 fixEdge<ObjectUse>(node->child2());
758                 node->clearFlags(NodeMustGenerate);
759                 break;
760             }
761
762             break;
763         }
764             
765         case CompareStrictEq:
766         case SameValue: {
767             fixupCompareStrictEqAndSameValue(node);
768             break;
769         }
770
771         case StringFromCharCode:
772             if (node->child1()->shouldSpeculateInt32()) {
773                 fixEdge<Int32Use>(node->child1());
774                 node->clearFlags(NodeMustGenerate);
775             } else
776                 fixEdge<UntypedUse>(node->child1());
777             break;
778
779         case StringCharAt:
780         case StringCharCodeAt: {
781             // Currently we have no good way of refining these.
782             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
783             blessArrayOperation(node->child1(), node->child2(), node->child3());
784             fixEdge<KnownStringUse>(node->child1());
785             fixEdge<Int32Use>(node->child2());
786             break;
787         }
788
789         case GetByVal: {
790             if (!node->prediction()) {
791                 m_insertionSet.insertNode(
792                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
793             }
794             
795             node->setArrayMode(
796                 node->arrayMode().refine(
797                     m_graph, node,
798                     m_graph.varArgChild(node, 0)->prediction(),
799                     m_graph.varArgChild(node, 1)->prediction(),
800                     SpecNone));
801             
802             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
803             
804             ArrayMode arrayMode = node->arrayMode();
805             switch (arrayMode.type()) {
806             case Array::Contiguous:
807             case Array::Double:
808                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
809                     // Check if SaneChain will work on a per-type basis. Note that:
810                     //
811                     // 1) We don't want double arrays to sometimes return undefined, since
812                     // that would require a change to the return type and it would pessimise
813                     // things a lot. So, we'd only want to do that if we actually had
814                     // evidence that we could read from a hole. That's pretty annoying.
815                     // Likely the best way to handle that case is with an equivalent of
816                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
817                     // NaN are indistinguishable according to backwards propagation, and just
818                     // use SaneChain in that case. This happens to catch a lot of cases.
819                     //
820                     // 2) We don't want int32 array loads to have to do a hole check just to
821                     // coerce to Undefined, since that would mean twice the checks.
822                     //
823                     // This has two implications. First, we have to do more checks than we'd
824                     // like. It's unfortunate that we have to do the hole check. Second,
825                     // some accesses that hit a hole will now need to take the full-blown
826                     // out-of-bounds slow path. We can fix that with:
827                     // https://bugs.webkit.org/show_bug.cgi?id=144668
828                     
829                     bool canDoSaneChain = false;
830                     switch (arrayMode.type()) {
831                     case Array::Contiguous:
832                         // This is happens to be entirely natural. We already would have
833                         // returned any JSValue, and now we'll return Undefined. We still do
834                         // the check but it doesn't require taking any kind of slow path.
835                         canDoSaneChain = true;
836                         break;
837                         
838                     case Array::Double:
839                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
840                             // Holes look like NaN already, so if the user doesn't care
841                             // about the difference between Undefined and NaN then we can
842                             // do this.
843                             canDoSaneChain = true;
844                         }
845                         break;
846                         
847                     default:
848                         break;
849                     }
850                     
851                     if (canDoSaneChain) {
852                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
853                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
854                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
855                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
856                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
857                             && globalObject->arrayPrototypeChainIsSane()) {
858                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
859                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
860                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
861                         }
862                     }
863                 }
864                 break;
865                 
866             case Array::String:
867                 if ((node->prediction() & ~SpecString)
868                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
869                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
870                 break;
871                 
872             default:
873                 break;
874             }
875             
876             arrayMode = node->arrayMode();
877             switch (arrayMode.type()) {
878             case Array::SelectUsingPredictions:
879             case Array::Unprofiled:
880                 RELEASE_ASSERT_NOT_REACHED();
881                 break;
882             case Array::Generic:
883                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
884                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
885                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
886                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
887                         break;
888                     }
889
890                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
891                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
892                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
893                         break;
894                     }
895                 }
896 #if USE(JSVALUE32_64)
897                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
898 #endif
899                 break;
900             case Array::ForceExit:
901                 break;
902             case Array::String:
903                 fixEdge<KnownStringUse>(m_graph.varArgChild(node, 0));
904                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
905                 break;
906             default:
907                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
908                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
909                 break;
910             }
911             
912             switch (arrayMode.type()) {
913             case Array::Double:
914                 if (!arrayMode.isOutOfBounds())
915                     node->setResult(NodeResultDouble);
916                 break;
917                 
918             case Array::Float32Array:
919             case Array::Float64Array:
920                 node->setResult(NodeResultDouble);
921                 break;
922                 
923             case Array::Uint32Array:
924                 if (node->shouldSpeculateInt32())
925                     break;
926                 if (node->shouldSpeculateAnyInt() && enableInt52())
927                     node->setResult(NodeResultInt52);
928                 else
929                     node->setResult(NodeResultDouble);
930                 break;
931                 
932             default:
933                 break;
934             }
935             
936             break;
937         }
938
939         case PutByValDirect:
940         case PutByVal:
941         case PutByValAlias: {
942             Edge& child1 = m_graph.varArgChild(node, 0);
943             Edge& child2 = m_graph.varArgChild(node, 1);
944             Edge& child3 = m_graph.varArgChild(node, 2);
945
946             node->setArrayMode(
947                 node->arrayMode().refine(
948                     m_graph, node,
949                     child1->prediction(),
950                     child2->prediction(),
951                     child3->prediction()));
952             
953             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
954             
955             switch (node->arrayMode().modeForPut().type()) {
956             case Array::SelectUsingPredictions:
957             case Array::SelectUsingArguments:
958             case Array::Unprofiled:
959             case Array::Undecided:
960                 RELEASE_ASSERT_NOT_REACHED();
961                 break;
962             case Array::ForceExit:
963             case Array::Generic:
964                 if (child1->shouldSpeculateCell()) {
965                     if (child2->shouldSpeculateString()) {
966                         fixEdge<CellUse>(child1);
967                         fixEdge<StringUse>(child2);
968                         break;
969                     }
970
971                     if (child2->shouldSpeculateSymbol()) {
972                         fixEdge<CellUse>(child1);
973                         fixEdge<SymbolUse>(child2);
974                         break;
975                     }
976                 }
977 #if USE(JSVALUE32_64)
978                 // Due to register pressure on 32-bit, we speculate cell and
979                 // ignore the base-is-not-cell case entirely by letting the
980                 // baseline JIT handle it.
981                 fixEdge<CellUse>(child1);
982 #endif
983                 break;
984             case Array::Int32:
985                 fixEdge<KnownCellUse>(child1);
986                 fixEdge<Int32Use>(child2);
987                 fixEdge<Int32Use>(child3);
988                 break;
989             case Array::Double:
990                 fixEdge<KnownCellUse>(child1);
991                 fixEdge<Int32Use>(child2);
992                 fixEdge<DoubleRepRealUse>(child3);
993                 break;
994             case Array::Int8Array:
995             case Array::Int16Array:
996             case Array::Int32Array:
997             case Array::Uint8Array:
998             case Array::Uint8ClampedArray:
999             case Array::Uint16Array:
1000             case Array::Uint32Array:
1001                 fixEdge<KnownCellUse>(child1);
1002                 fixEdge<Int32Use>(child2);
1003                 if (child3->shouldSpeculateInt32())
1004                     fixIntOrBooleanEdge(child3);
1005                 else if (child3->shouldSpeculateAnyInt())
1006                     fixEdge<Int52RepUse>(child3);
1007                 else
1008                     fixDoubleOrBooleanEdge(child3);
1009                 break;
1010             case Array::Float32Array:
1011             case Array::Float64Array:
1012                 fixEdge<KnownCellUse>(child1);
1013                 fixEdge<Int32Use>(child2);
1014                 fixDoubleOrBooleanEdge(child3);
1015                 break;
1016             case Array::Contiguous:
1017             case Array::ArrayStorage:
1018             case Array::SlowPutArrayStorage:
1019                 fixEdge<KnownCellUse>(child1);
1020                 fixEdge<Int32Use>(child2);
1021                 speculateForBarrier(child3);
1022                 break;
1023             default:
1024                 fixEdge<KnownCellUse>(child1);
1025                 fixEdge<Int32Use>(child2);
1026                 break;
1027             }
1028             break;
1029         }
1030             
1031         case AtomicsAdd:
1032         case AtomicsAnd:
1033         case AtomicsCompareExchange:
1034         case AtomicsExchange:
1035         case AtomicsLoad:
1036         case AtomicsOr:
1037         case AtomicsStore:
1038         case AtomicsSub:
1039         case AtomicsXor: {
1040             Edge& base = m_graph.child(node, 0);
1041             Edge& index = m_graph.child(node, 1);
1042             
1043             bool badNews = false;
1044             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1045                 Edge& child = m_graph.child(node, 2 + i);
1046                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
1047                 // just call the function when that happens. But the FTL is totally cool with those
1048                 // conversions.
1049                 if (!child->shouldSpeculateInt32()
1050                     && !child->shouldSpeculateAnyInt()
1051                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
1052                     badNews = true;
1053             }
1054             
1055             if (badNews) {
1056                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
1057                 break;
1058             }
1059             
1060             node->setArrayMode(
1061                 node->arrayMode().refine(
1062                     m_graph, node, base->prediction(), index->prediction()));
1063             
1064             if (node->arrayMode().type() == Array::Generic)
1065                 break;
1066             
1067             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1068                 Edge& child = m_graph.child(node, 2 + i);
1069                 if (child->shouldSpeculateInt32())
1070                     fixIntOrBooleanEdge(child);
1071                 else if (child->shouldSpeculateAnyInt())
1072                     fixEdge<Int52RepUse>(child);
1073                 else {
1074                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
1075                     fixDoubleOrBooleanEdge(child);
1076                 }
1077             }
1078             
1079             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
1080             fixEdge<CellUse>(base);
1081             fixEdge<Int32Use>(index);
1082             
1083             if (node->arrayMode().type() == Array::Uint32Array) {
1084                 // NOTE: This means basically always doing Int52.
1085                 if (node->shouldSpeculateAnyInt() && enableInt52())
1086                     node->setResult(NodeResultInt52);
1087                 else
1088                     node->setResult(NodeResultDouble);
1089             }
1090             break;
1091         }
1092             
1093         case AtomicsIsLockFree:
1094             if (node->child1()->shouldSpeculateInt32())
1095                 fixIntOrBooleanEdge(node->child1());
1096             break;
1097             
1098         case ArrayPush: {
1099             // May need to refine the array mode in case the value prediction contravenes
1100             // the array prediction. For example, we may have evidence showing that the
1101             // array is in Int32 mode, but the value we're storing is likely to be a double.
1102             // Then we should turn this into a conversion to Double array followed by the
1103             // push. On the other hand, we absolutely don't want to refine based on the
1104             // base prediction. If it has non-cell garbage in it, then we want that to be
1105             // ignored. That's because ArrayPush can't handle any array modes that aren't
1106             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1107             // that would break things.
1108             Edge& storageEdge = m_graph.varArgChild(node, 0);
1109             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1110             unsigned elementOffset = 2;
1111             unsigned elementCount = node->numChildren() - elementOffset;
1112             for (unsigned i = 0; i < elementCount; ++i) {
1113                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1114                 node->setArrayMode(
1115                     node->arrayMode().refine(
1116                         m_graph, node,
1117                         arrayEdge->prediction() & SpecCell,
1118                         SpecInt32Only,
1119                         element->prediction()));
1120             }
1121             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1122             fixEdge<KnownCellUse>(arrayEdge);
1123
1124             // Convert `array.push()` to GetArrayLength.
1125             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1126                 node->setOpAndDefaultFlags(GetArrayLength);
1127                 node->child1() = arrayEdge;
1128                 node->child2() = storageEdge;
1129                 fixEdge<KnownCellUse>(node->child1());
1130                 break;
1131             }
1132
1133             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1134             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1135             for (unsigned i = 0; i < elementCount; ++i) {
1136                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1137                 switch (node->arrayMode().type()) {
1138                 case Array::Int32:
1139                     insertCheck<Int32Use>(element.node());
1140                     fixEdge<KnownInt32Use>(element);
1141                     break;
1142                 case Array::Double:
1143                     insertCheck<DoubleRepRealUse>(element.node());
1144                     fixEdge<DoubleRepUse>(element);
1145                     break;
1146                 case Array::Contiguous:
1147                 case Array::ArrayStorage:
1148                     speculateForBarrier(element);
1149                     break;
1150                 default:
1151                     break;
1152                 }
1153                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1154             }
1155             break;
1156         }
1157             
1158         case ArrayPop: {
1159             blessArrayOperation(node->child1(), Edge(), node->child2());
1160             fixEdge<KnownCellUse>(node->child1());
1161             break;
1162         }
1163
1164         case ArraySlice: {
1165             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1166             if (node->numChildren() >= 3) {
1167                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1168                 if (node->numChildren() == 4)
1169                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1170             }
1171             break;
1172         }
1173
1174         case ArrayIndexOf:
1175             fixupArrayIndexOf(node);
1176             break;
1177             
1178         case RegExpExec:
1179         case RegExpTest: {
1180             fixEdge<KnownCellUse>(node->child1());
1181             
1182             if (node->child2()->shouldSpeculateRegExpObject()) {
1183                 fixEdge<RegExpObjectUse>(node->child2());
1184
1185                 if (node->child3()->shouldSpeculateString())
1186                     fixEdge<StringUse>(node->child3());
1187             }
1188             break;
1189         }
1190
1191         case RegExpMatchFast: {
1192             fixEdge<KnownCellUse>(node->child1());
1193             fixEdge<RegExpObjectUse>(node->child2());
1194             fixEdge<StringUse>(node->child3());
1195             break;
1196         }
1197
1198         case StringReplace:
1199         case StringReplaceRegExp: {
1200             if (node->child2()->shouldSpeculateString()) {
1201                 m_insertionSet.insertNode(
1202                     m_indexInBlock, SpecNone, Check, node->origin,
1203                     Edge(node->child2().node(), StringUse));
1204                 fixEdge<StringUse>(node->child2());
1205             } else if (op == StringReplace) {
1206                 if (node->child2()->shouldSpeculateRegExpObject())
1207                     addStringReplacePrimordialChecks(node->child2().node());
1208                 else 
1209                     m_insertionSet.insertNode(
1210                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1211             }
1212
1213             if (node->child1()->shouldSpeculateString()
1214                 && node->child2()->shouldSpeculateRegExpObject()
1215                 && node->child3()->shouldSpeculateString()) {
1216
1217                 fixEdge<StringUse>(node->child1());
1218                 fixEdge<RegExpObjectUse>(node->child2());
1219                 fixEdge<StringUse>(node->child3());
1220                 break;
1221             }
1222             break;
1223         }
1224             
1225         case Branch: {
1226             if (node->child1()->shouldSpeculateBoolean()) {
1227                 if (node->child1()->result() == NodeResultBoolean) {
1228                     // This is necessary in case we have a bytecode instruction implemented by:
1229                     //
1230                     // a: CompareEq(...)
1231                     // b: Branch(@a)
1232                     //
1233                     // In that case, CompareEq might have a side-effect. Then, we need to make
1234                     // sure that we know that Branch does not exit.
1235                     fixEdge<KnownBooleanUse>(node->child1());
1236                 } else
1237                     fixEdge<BooleanUse>(node->child1());
1238             } else if (node->child1()->shouldSpeculateObjectOrOther())
1239                 fixEdge<ObjectOrOtherUse>(node->child1());
1240             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1241                 fixIntOrBooleanEdge(node->child1());
1242             else if (node->child1()->shouldSpeculateNumber())
1243                 fixEdge<DoubleRepUse>(node->child1());
1244             else if (node->child1()->shouldSpeculateString())
1245                 fixEdge<StringUse>(node->child1());
1246             else if (node->child1()->shouldSpeculateStringOrOther())
1247                 fixEdge<StringOrOtherUse>(node->child1());
1248             else {
1249                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1250                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1251                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1252             }
1253             break;
1254         }
1255             
1256         case Switch: {
1257             SwitchData* data = node->switchData();
1258             switch (data->kind) {
1259             case SwitchImm:
1260                 if (node->child1()->shouldSpeculateInt32())
1261                     fixEdge<Int32Use>(node->child1());
1262                 break;
1263             case SwitchChar:
1264                 if (node->child1()->shouldSpeculateString())
1265                     fixEdge<StringUse>(node->child1());
1266                 break;
1267             case SwitchString:
1268                 if (node->child1()->shouldSpeculateStringIdent())
1269                     fixEdge<StringIdentUse>(node->child1());
1270                 else if (node->child1()->shouldSpeculateString())
1271                     fixEdge<StringUse>(node->child1());
1272                 break;
1273             case SwitchCell:
1274                 if (node->child1()->shouldSpeculateCell())
1275                     fixEdge<CellUse>(node->child1());
1276                 // else it's fine for this to have UntypedUse; we will handle this by just making
1277                 // non-cells take the default case.
1278                 break;
1279             }
1280             break;
1281         }
1282             
1283         case ToPrimitive: {
1284             fixupToPrimitive(node);
1285             break;
1286         }
1287
1288         case ToNumber: {
1289             fixupToNumber(node);
1290             break;
1291         }
1292             
1293         case ToString:
1294         case CallStringConstructor: {
1295             fixupToStringOrCallStringConstructor(node);
1296             break;
1297         }
1298             
1299         case NewStringObject: {
1300             fixEdge<KnownStringUse>(node->child1());
1301             break;
1302         }
1303
1304         case NewSymbol: {
1305             if (node->child1())
1306                 fixEdge<KnownStringUse>(node->child1());
1307             break;
1308         }
1309
1310         case NewArrayWithSpread: {
1311             watchHavingABadTime(node);
1312             
1313             BitVector* bitVector = node->bitVector();
1314             for (unsigned i = node->numChildren(); i--;) {
1315                 if (bitVector->get(i))
1316                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1317                 else
1318                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1319             }
1320
1321             break;
1322         }
1323
1324         case Spread: {
1325             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1326             
1327             watchHavingABadTime(node->child1().node());
1328
1329             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1330             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1331             // that it doesn't contain any indexed properties, and that any holes will result in
1332             // jsUndefined().
1333             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1334             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1335             if (node->child1()->shouldSpeculateArray()
1336                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1337                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1338                 && globalObject->arrayPrototypeChainIsSane()
1339                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1340                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1341                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1342                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1343                 fixEdge<ArrayUse>(node->child1());
1344             } else
1345                 fixEdge<CellUse>(node->child1());
1346             break;
1347         }
1348             
1349         case NewArray: {
1350             watchHavingABadTime(node);
1351             
1352             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1353                 node->setIndexingType(
1354                     leastUpperBoundOfIndexingTypeAndType(
1355                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1356             }
1357             switch (node->indexingType()) {
1358             case ALL_BLANK_INDEXING_TYPES:
1359                 CRASH();
1360                 break;
1361             case ALL_UNDECIDED_INDEXING_TYPES:
1362                 if (node->numChildren()) {
1363                     // This will only happen if the children have no type predictions. We
1364                     // would have already exited by now, but insert a forced exit just to
1365                     // be safe.
1366                     m_insertionSet.insertNode(
1367                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1368                 }
1369                 break;
1370             case ALL_INT32_INDEXING_TYPES:
1371                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1372                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1373                 break;
1374             case ALL_DOUBLE_INDEXING_TYPES:
1375                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1376                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1377                 break;
1378             case ALL_CONTIGUOUS_INDEXING_TYPES:
1379             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1380                 break;
1381             default:
1382                 CRASH();
1383                 break;
1384             }
1385             break;
1386         }
1387             
1388         case NewTypedArray: {
1389             watchHavingABadTime(node);
1390             
1391             if (node->child1()->shouldSpeculateInt32()) {
1392                 fixEdge<Int32Use>(node->child1());
1393                 node->clearFlags(NodeMustGenerate);
1394                 break;
1395             }
1396             break;
1397         }
1398             
1399         case NewArrayWithSize: {
1400             watchHavingABadTime(node);
1401             fixEdge<Int32Use>(node->child1());
1402             break;
1403         }
1404
1405         case NewArrayBuffer: {
1406             watchHavingABadTime(node);
1407             break;
1408         }
1409
1410         case ToObject: {
1411             fixupToObject(node);
1412             break;
1413         }
1414
1415         case CallObjectConstructor: {
1416             fixupCallObjectConstructor(node);
1417             break;
1418         }
1419
1420         case ToThis: {
1421             fixupToThis(node);
1422             break;
1423         }
1424             
1425         case PutStructure: {
1426             fixEdge<KnownCellUse>(node->child1());
1427             break;
1428         }
1429             
1430         case GetClosureVar:
1431         case GetFromArguments: {
1432             fixEdge<KnownCellUse>(node->child1());
1433             break;
1434         }
1435
1436         case PutClosureVar:
1437         case PutToArguments: {
1438             fixEdge<KnownCellUse>(node->child1());
1439             speculateForBarrier(node->child2());
1440             break;
1441         }
1442
1443         case SkipScope:
1444         case GetScope:
1445         case GetGetter:
1446         case GetSetter:
1447         case GetGlobalObject: {
1448             fixEdge<KnownCellUse>(node->child1());
1449             break;
1450         }
1451             
1452         case AllocatePropertyStorage:
1453         case ReallocatePropertyStorage: {
1454             fixEdge<KnownCellUse>(node->child1());
1455             break;
1456         }
1457             
1458         case NukeStructureAndSetButterfly: {
1459             fixEdge<KnownCellUse>(node->child1());
1460             break;
1461         }
1462
1463         case TryGetById: {
1464             if (node->child1()->shouldSpeculateCell())
1465                 fixEdge<CellUse>(node->child1());
1466             break;
1467         }
1468
1469         case GetByIdDirect:
1470         case GetByIdDirectFlush: {
1471             if (node->child1()->shouldSpeculateCell())
1472                 fixEdge<CellUse>(node->child1());
1473             break;
1474         }
1475
1476         case GetById:
1477         case GetByIdFlush: {
1478             // FIXME: This should be done in the ByteCodeParser based on reading the
1479             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1480             // https://bugs.webkit.org/show_bug.cgi?id=154990
1481             auto uid = m_graph.identifiers()[node->identifierNumber()];
1482             if (node->child1()->shouldSpeculateCellOrOther()
1483                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1484                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1485                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1486                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1487                 
1488                 if (uid == vm().propertyNames->length.impl()) {
1489                     attemptToMakeGetArrayLength(node);
1490                     break;
1491                 }
1492
1493                 if (uid == vm().propertyNames->lastIndex.impl()
1494                     && node->child1()->shouldSpeculateRegExpObject()) {
1495                     node->setOp(GetRegExpObjectLastIndex);
1496                     node->clearFlags(NodeMustGenerate);
1497                     fixEdge<RegExpObjectUse>(node->child1());
1498                     break;
1499                 }
1500             }
1501
1502             if (node->child1()->shouldSpeculateNumber()) {
1503                 if (uid == vm().propertyNames->toString.impl()) {
1504                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1505                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1506                         if (node->child1()->shouldSpeculateInt32()) {
1507                             insertCheck<Int32Use>(node->child1().node());
1508                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1509                             break;
1510                         }
1511
1512                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1513                             insertCheck<Int52RepUse>(node->child1().node());
1514                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1515                             break;
1516                         }
1517
1518                         ASSERT(node->child1()->shouldSpeculateNumber());
1519                         insertCheck<DoubleRepUse>(node->child1().node());
1520                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1521                         break;
1522                     }
1523                 }
1524             }
1525
1526             if (node->child1()->shouldSpeculateCell())
1527                 fixEdge<CellUse>(node->child1());
1528             break;
1529         }
1530         
1531         case GetByIdWithThis: {
1532             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1533                 fixEdge<CellUse>(node->child1());
1534                 fixEdge<CellUse>(node->child2());
1535             }
1536             break;
1537         }
1538
1539         case PutById:
1540         case PutByIdFlush:
1541         case PutByIdDirect: {
1542             if (node->child1()->shouldSpeculateCellOrOther()
1543                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1544                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1545                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1546                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1547                 
1548                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1549                 
1550                 if (uid == vm().propertyNames->lastIndex.impl()
1551                     && node->child1()->shouldSpeculateRegExpObject()) {
1552                     node->convertToSetRegExpObjectLastIndex();
1553                     fixEdge<RegExpObjectUse>(node->child1());
1554                     speculateForBarrier(node->child2());
1555                     break;
1556                 }
1557             }
1558             
1559             fixEdge<CellUse>(node->child1());
1560             break;
1561         }
1562
1563         case PutGetterById:
1564         case PutSetterById: {
1565             fixEdge<KnownCellUse>(node->child1());
1566             fixEdge<KnownCellUse>(node->child2());
1567             break;
1568         }
1569
1570         case PutGetterSetterById: {
1571             fixEdge<KnownCellUse>(node->child1());
1572             break;
1573         }
1574
1575         case PutGetterByVal:
1576         case PutSetterByVal: {
1577             fixEdge<KnownCellUse>(node->child1());
1578             fixEdge<KnownCellUse>(node->child3());
1579             break;
1580         }
1581
1582         case GetExecutable: {
1583             fixEdge<FunctionUse>(node->child1());
1584             break;
1585         }
1586
1587         case OverridesHasInstance:
1588         case CheckStructure:
1589         case CheckCell:
1590         case CreateThis:
1591         case GetButterfly: {
1592             fixEdge<CellUse>(node->child1());
1593             break;
1594         }
1595
1596         case ObjectCreate: {
1597             if (node->child1()->shouldSpeculateObject()) {
1598                 fixEdge<ObjectUse>(node->child1());
1599                 node->clearFlags(NodeMustGenerate);
1600                 break;
1601             }
1602             break;
1603         }
1604
1605         case ObjectKeys: {
1606             if (node->child1()->shouldSpeculateObject()) {
1607                 watchHavingABadTime(node);
1608                 fixEdge<ObjectUse>(node->child1());
1609             }
1610             break;
1611         }
1612
1613         case CheckStringIdent: {
1614             fixEdge<StringIdentUse>(node->child1());
1615             break;
1616         }
1617             
1618         case Arrayify:
1619         case ArrayifyToStructure: {
1620             fixEdge<CellUse>(node->child1());
1621             if (node->child2())
1622                 fixEdge<Int32Use>(node->child2());
1623             break;
1624         }
1625             
1626         case GetByOffset:
1627         case GetGetterSetterByOffset: {
1628             if (!node->child1()->hasStorageResult())
1629                 fixEdge<KnownCellUse>(node->child1());
1630             fixEdge<KnownCellUse>(node->child2());
1631             break;
1632         }
1633             
1634         case MultiGetByOffset: {
1635             fixEdge<CellUse>(node->child1());
1636             break;
1637         }
1638             
1639         case PutByOffset: {
1640             if (!node->child1()->hasStorageResult())
1641                 fixEdge<KnownCellUse>(node->child1());
1642             fixEdge<KnownCellUse>(node->child2());
1643             speculateForBarrier(node->child3());
1644             break;
1645         }
1646             
1647         case MultiPutByOffset: {
1648             fixEdge<CellUse>(node->child1());
1649             break;
1650         }
1651             
1652         case MatchStructure: {
1653             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1654             // https://bugs.webkit.org/show_bug.cgi?id=185784
1655             fixEdge<CellUse>(node->child1());
1656             break;
1657         }
1658             
1659         case InstanceOf: {
1660             if (node->child1()->shouldSpeculateCell()
1661                 && node->child2()->shouldSpeculateCell()
1662                 && is64Bit()) {
1663                 fixEdge<CellUse>(node->child1());
1664                 fixEdge<CellUse>(node->child2());
1665                 break;
1666             }
1667             break;
1668         }
1669
1670         case InstanceOfCustom:
1671             fixEdge<CellUse>(node->child2());
1672             break;
1673
1674         case InById: {
1675             fixEdge<CellUse>(node->child1());
1676             break;
1677         }
1678
1679         case InByVal: {
1680             if (node->child2()->shouldSpeculateInt32()) {
1681                 convertToHasIndexedProperty(node);
1682                 break;
1683             }
1684
1685             fixEdge<CellUse>(node->child1());
1686             break;
1687         }
1688
1689         case HasOwnProperty: {
1690             fixEdge<ObjectUse>(node->child1());
1691 #if CPU(X86)
1692             // We don't have enough registers to do anything interesting on x86 and mips.
1693             fixEdge<UntypedUse>(node->child2());
1694 #else
1695             if (node->child2()->shouldSpeculateString())
1696                 fixEdge<StringUse>(node->child2());
1697             else if (node->child2()->shouldSpeculateSymbol())
1698                 fixEdge<SymbolUse>(node->child2());
1699             else
1700                 fixEdge<UntypedUse>(node->child2());
1701 #endif
1702             break;
1703         }
1704
1705         case CheckVarargs:
1706         case Check: {
1707             m_graph.doToChildren(
1708                 node,
1709                 [&] (Edge& edge) {
1710                     switch (edge.useKind()) {
1711                     case NumberUse:
1712                         if (edge->shouldSpeculateInt32ForArithmetic())
1713                             edge.setUseKind(Int32Use);
1714                         break;
1715                     default:
1716                         break;
1717                     }
1718                     observeUseKindOnEdge(edge);
1719                 });
1720             break;
1721         }
1722
1723         case Phantom:
1724             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1725             node->remove(m_graph);
1726             break;
1727
1728         case FiatInt52: {
1729             RELEASE_ASSERT(enableInt52());
1730             node->convertToIdentity();
1731             fixEdge<Int52RepUse>(node->child1());
1732             node->setResult(NodeResultInt52);
1733             break;
1734         }
1735
1736         case GetArrayLength: {
1737             fixEdge<KnownCellUse>(node->child1());
1738             break;
1739         }
1740
1741         case GetTypedArrayByteOffset: {
1742             fixEdge<KnownCellUse>(node->child1());
1743             break;
1744         }
1745
1746         case CompareBelow:
1747         case CompareBelowEq: {
1748             fixEdge<Int32Use>(node->child1());
1749             fixEdge<Int32Use>(node->child2());
1750             break;
1751         }
1752
1753         case GetPrototypeOf: {
1754             fixupGetPrototypeOf(node);
1755             break;
1756         }
1757
1758         case Phi:
1759         case Upsilon:
1760         case EntrySwitch:
1761         case GetIndexedPropertyStorage:
1762         case LastNodeType:
1763         case CheckTierUpInLoop:
1764         case CheckTierUpAtReturn:
1765         case CheckTierUpAndOSREnter:
1766         case CheckArray:
1767         case CheckInBounds:
1768         case ConstantStoragePointer:
1769         case DoubleAsInt32:
1770         case ValueToInt32:
1771         case DoubleRep:
1772         case ValueRep:
1773         case Int52Rep:
1774         case Int52Constant:
1775         case Identity: // This should have been cleaned up.
1776         case BooleanToNumber:
1777         case PhantomNewObject:
1778         case PhantomNewFunction:
1779         case PhantomNewGeneratorFunction:
1780         case PhantomNewAsyncGeneratorFunction:
1781         case PhantomNewAsyncFunction:
1782         case PhantomCreateActivation:
1783         case PhantomDirectArguments:
1784         case PhantomCreateRest:
1785         case PhantomSpread:
1786         case PhantomNewArrayWithSpread:
1787         case PhantomNewArrayBuffer:
1788         case PhantomClonedArguments:
1789         case PhantomNewRegexp:
1790         case GetMyArgumentByVal:
1791         case GetMyArgumentByValOutOfBounds:
1792         case GetVectorLength:
1793         case PutHint:
1794         case CheckStructureImmediate:
1795         case CheckStructureOrEmpty:
1796         case MaterializeNewObject:
1797         case MaterializeCreateActivation:
1798         case PutStack:
1799         case KillStack:
1800         case GetStack:
1801         case StoreBarrier:
1802         case FencedStoreBarrier:
1803         case GetRegExpObjectLastIndex:
1804         case SetRegExpObjectLastIndex:
1805         case RecordRegExpCachedResult:
1806         case RegExpExecNonGlobalOrSticky:
1807         case RegExpMatchFastGlobal:
1808             // These are just nodes that we don't currently expect to see during fixup.
1809             // If we ever wanted to insert them prior to fixup, then we just have to create
1810             // fixup rules for them.
1811             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1812             break;
1813
1814         case PutGlobalVariable: {
1815             fixEdge<CellUse>(node->child1());
1816             speculateForBarrier(node->child2());
1817             break;
1818         }
1819
1820         case IsObject:
1821             if (node->child1()->shouldSpeculateObject()) {
1822                 m_insertionSet.insertNode(
1823                     m_indexInBlock, SpecNone, Check, node->origin,
1824                     Edge(node->child1().node(), ObjectUse));
1825                 m_graph.convertToConstant(node, jsBoolean(true));
1826                 observeUseKindOnNode<ObjectUse>(node);
1827             }
1828             break;
1829
1830         case IsCellWithType: {
1831             fixupIsCellWithType(node);
1832             break;
1833         }
1834
1835         case GetEnumerableLength: {
1836             fixEdge<CellUse>(node->child1());
1837             break;
1838         }
1839         case HasGenericProperty: {
1840             fixEdge<CellUse>(node->child2());
1841             break;
1842         }
1843         case HasStructureProperty: {
1844             fixEdge<StringUse>(node->child2());
1845             fixEdge<KnownCellUse>(node->child3());
1846             break;
1847         }
1848         case HasIndexedProperty: {
1849             node->setArrayMode(
1850                 node->arrayMode().refine(
1851                     m_graph, node,
1852                     node->child1()->prediction(),
1853                     node->child2()->prediction(),
1854                     SpecNone));
1855             
1856             blessArrayOperation(node->child1(), node->child2(), node->child3());
1857             fixEdge<CellUse>(node->child1());
1858             fixEdge<KnownInt32Use>(node->child2());
1859             break;
1860         }
1861         case GetDirectPname: {
1862             Edge& base = m_graph.varArgChild(node, 0);
1863             Edge& property = m_graph.varArgChild(node, 1);
1864             Edge& index = m_graph.varArgChild(node, 2);
1865             Edge& enumerator = m_graph.varArgChild(node, 3);
1866             fixEdge<CellUse>(base);
1867             fixEdge<KnownCellUse>(property);
1868             fixEdge<KnownInt32Use>(index);
1869             fixEdge<KnownCellUse>(enumerator);
1870             break;
1871         }
1872         case GetPropertyEnumerator: {
1873             if (node->child1()->shouldSpeculateCell())
1874                 fixEdge<CellUse>(node->child1());
1875             break;
1876         }
1877         case GetEnumeratorStructurePname: {
1878             fixEdge<KnownCellUse>(node->child1());
1879             fixEdge<KnownInt32Use>(node->child2());
1880             break;
1881         }
1882         case GetEnumeratorGenericPname: {
1883             fixEdge<KnownCellUse>(node->child1());
1884             fixEdge<KnownInt32Use>(node->child2());
1885             break;
1886         }
1887         case ToIndexString: {
1888             fixEdge<KnownInt32Use>(node->child1());
1889             break;
1890         }
1891         case ProfileType: {
1892             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1893             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1894             // type T for the instructionTypeSet, the global type set must also have information for type T.
1895             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1896             // in the globalTypeSet would've also succeeded.
1897             // (The other direction does not hold in general).
1898
1899             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1900             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1901             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1902                 if (node->child1()->shouldSpeculateInt32()) {
1903                     fixEdge<Int32Use>(node->child1());
1904                     node->remove(m_graph);
1905                     break;
1906                 }
1907
1908                 if (enableInt52()) {
1909                     fixEdge<AnyIntUse>(node->child1());
1910                     node->remove(m_graph);
1911                     break;
1912                 }
1913
1914                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1915             }
1916
1917             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1918                 fixEdge<NumberUse>(node->child1());
1919                 node->remove(m_graph);
1920             } else if (typeSet->doesTypeConformTo(TypeString)) {
1921                 fixEdge<StringUse>(node->child1());
1922                 node->remove(m_graph);
1923             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1924                 fixEdge<BooleanUse>(node->child1());
1925                 node->remove(m_graph);
1926             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1927                 fixEdge<OtherUse>(node->child1());
1928                 node->remove(m_graph);
1929             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1930                 StructureSet set;
1931                 {
1932                     ConcurrentJSLocker locker(typeSet->m_lock);
1933                     set = typeSet->structureSet(locker);
1934                 }
1935                 if (!set.isEmpty()) {
1936                     fixEdge<CellUse>(node->child1());
1937                     node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
1938                 }
1939             }
1940
1941             break;
1942         }
1943
1944         case CreateClonedArguments: {
1945             watchHavingABadTime(node);
1946             break;
1947         }
1948
1949         case CreateScopedArguments:
1950         case CreateActivation:
1951         case NewFunction:
1952         case NewGeneratorFunction:
1953         case NewAsyncGeneratorFunction:
1954         case NewAsyncFunction: {
1955             // Child 1 is always the current scope, which is guaranteed to be an object
1956             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1957             fixEdge<KnownCellUse>(node->child1());
1958             break;
1959         }
1960
1961         case PushWithScope: {
1962             // Child 1 is always the current scope, which is guaranteed to be an object
1963             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1964             fixEdge<KnownCellUse>(node->child1());
1965             if (node->child2()->shouldSpeculateObject())
1966                 fixEdge<ObjectUse>(node->child2());
1967             break;
1968         }
1969
1970         case SetFunctionName: {
1971             // The first child is guaranteed to be a cell because op_set_function_name is only used
1972             // on a newly instantiated function object (the first child).
1973             fixEdge<KnownCellUse>(node->child1());
1974             fixEdge<UntypedUse>(node->child2());
1975             break;
1976         }
1977
1978         case CreateRest: {
1979             watchHavingABadTime(node);
1980             fixEdge<KnownInt32Use>(node->child1());
1981             break;
1982         }
1983
1984         case ResolveScopeForHoistingFuncDeclInEval: {
1985             fixEdge<KnownCellUse>(node->child1());
1986             break;
1987         }
1988         case ResolveScope:
1989         case GetDynamicVar:
1990         case PutDynamicVar: {
1991             fixEdge<KnownCellUse>(node->child1());
1992             break;
1993         }
1994
1995         case LogShadowChickenPrologue: {
1996             fixEdge<KnownCellUse>(node->child1());
1997             break;
1998         }
1999         case LogShadowChickenTail: {
2000             fixEdge<UntypedUse>(node->child1());
2001             fixEdge<KnownCellUse>(node->child2());
2002             break;
2003         }
2004
2005         case GetMapBucket:
2006             if (node->child1().useKind() == MapObjectUse)
2007                 fixEdge<MapObjectUse>(node->child1());
2008             else if (node->child1().useKind() == SetObjectUse)
2009                 fixEdge<SetObjectUse>(node->child1());
2010             else
2011                 RELEASE_ASSERT_NOT_REACHED();
2012
2013 #if USE(JSVALUE64)
2014             if (node->child2()->shouldSpeculateBoolean())
2015                 fixEdge<BooleanUse>(node->child2());
2016             else if (node->child2()->shouldSpeculateInt32())
2017                 fixEdge<Int32Use>(node->child2());
2018             else if (node->child2()->shouldSpeculateSymbol())
2019                 fixEdge<SymbolUse>(node->child2());
2020             else if (node->child2()->shouldSpeculateObject())
2021                 fixEdge<ObjectUse>(node->child2());
2022             else if (node->child2()->shouldSpeculateString())
2023                 fixEdge<StringUse>(node->child2());
2024             else if (node->child2()->shouldSpeculateCell())
2025                 fixEdge<CellUse>(node->child2());
2026             else
2027                 fixEdge<UntypedUse>(node->child2());
2028 #else
2029             fixEdge<UntypedUse>(node->child2());
2030 #endif // USE(JSVALUE64)
2031
2032             fixEdge<Int32Use>(node->child3());
2033             break;
2034
2035         case GetMapBucketHead:
2036             if (node->child1().useKind() == MapObjectUse)
2037                 fixEdge<MapObjectUse>(node->child1());
2038             else if (node->child1().useKind() == SetObjectUse)
2039                 fixEdge<SetObjectUse>(node->child1());
2040             else
2041                 RELEASE_ASSERT_NOT_REACHED();
2042             break;
2043
2044         case GetMapBucketNext:
2045         case LoadKeyFromMapBucket:
2046         case LoadValueFromMapBucket:
2047             fixEdge<CellUse>(node->child1());
2048             break;
2049
2050         case MapHash: {
2051 #if USE(JSVALUE64)
2052             if (node->child1()->shouldSpeculateBoolean()) {
2053                 fixEdge<BooleanUse>(node->child1());
2054                 break;
2055             }
2056
2057             if (node->child1()->shouldSpeculateInt32()) {
2058                 fixEdge<Int32Use>(node->child1());
2059                 break;
2060             }
2061
2062             if (node->child1()->shouldSpeculateSymbol()) {
2063                 fixEdge<SymbolUse>(node->child1());
2064                 break;
2065             }
2066
2067             if (node->child1()->shouldSpeculateObject()) {
2068                 fixEdge<ObjectUse>(node->child1());
2069                 break;
2070             }
2071
2072             if (node->child1()->shouldSpeculateString()) {
2073                 fixEdge<StringUse>(node->child1());
2074                 break;
2075             }
2076
2077             if (node->child1()->shouldSpeculateCell()) {
2078                 fixEdge<CellUse>(node->child1());
2079                 break;
2080             }
2081
2082             fixEdge<UntypedUse>(node->child1());
2083 #else
2084             fixEdge<UntypedUse>(node->child1());
2085 #endif // USE(JSVALUE64)
2086             break;
2087         }
2088
2089         case NormalizeMapKey: {
2090             fixupNormalizeMapKey(node);
2091             break;
2092         }
2093
2094         case WeakMapGet: {
2095             if (node->child1().useKind() == WeakMapObjectUse)
2096                 fixEdge<WeakMapObjectUse>(node->child1());
2097             else if (node->child1().useKind() == WeakSetObjectUse)
2098                 fixEdge<WeakSetObjectUse>(node->child1());
2099             else
2100                 RELEASE_ASSERT_NOT_REACHED();
2101             fixEdge<ObjectUse>(node->child2());
2102             fixEdge<Int32Use>(node->child3());
2103             break;
2104         }
2105
2106         case SetAdd: {
2107             fixEdge<SetObjectUse>(node->child1());
2108             fixEdge<Int32Use>(node->child3());
2109             break;
2110         }
2111
2112         case MapSet: {
2113             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
2114             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2115             break;
2116         }
2117
2118         case WeakSetAdd: {
2119             fixEdge<WeakSetObjectUse>(node->child1());
2120             fixEdge<ObjectUse>(node->child2());
2121             fixEdge<Int32Use>(node->child3());
2122             break;
2123         }
2124
2125         case WeakMapSet: {
2126             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2127             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2128             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2129             break;
2130         }
2131
2132         case DefineDataProperty: {
2133             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2134             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2135             if (propertyEdge->shouldSpeculateSymbol())
2136                 fixEdge<SymbolUse>(propertyEdge);
2137             else if (propertyEdge->shouldSpeculateStringIdent())
2138                 fixEdge<StringIdentUse>(propertyEdge);
2139             else if (propertyEdge->shouldSpeculateString())
2140                 fixEdge<StringUse>(propertyEdge);
2141             else
2142                 fixEdge<UntypedUse>(propertyEdge);
2143             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2144             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2145             break;
2146         }
2147
2148         case StringValueOf: {
2149             fixupStringValueOf(node);
2150             break;
2151         }
2152
2153         case ObjectToString: {
2154             fixupObjectToString(node);
2155             break;
2156         }
2157
2158         case StringSlice: {
2159             fixEdge<StringUse>(node->child1());
2160             fixEdge<Int32Use>(node->child2());
2161             if (node->child3())
2162                 fixEdge<Int32Use>(node->child3());
2163             break;
2164         }
2165
2166         case ToLowerCase: {
2167             // We currently only support StringUse since that will ensure that
2168             // ToLowerCase is a pure operation. If we decide to update this with
2169             // more types in the future, we need to ensure that the clobberize rules
2170             // are correct.
2171             fixEdge<StringUse>(node->child1());
2172             break;
2173         }
2174
2175         case NumberToStringWithRadix: {
2176             if (node->child1()->shouldSpeculateInt32())
2177                 fixEdge<Int32Use>(node->child1());
2178             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2179                 fixEdge<Int52RepUse>(node->child1());
2180             else
2181                 fixEdge<DoubleRepUse>(node->child1());
2182             fixEdge<Int32Use>(node->child2());
2183             break;
2184         }
2185
2186         case DefineAccessorProperty: {
2187             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2188             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2189             if (propertyEdge->shouldSpeculateSymbol())
2190                 fixEdge<SymbolUse>(propertyEdge);
2191             else if (propertyEdge->shouldSpeculateStringIdent())
2192                 fixEdge<StringIdentUse>(propertyEdge);
2193             else if (propertyEdge->shouldSpeculateString())
2194                 fixEdge<StringUse>(propertyEdge);
2195             else
2196                 fixEdge<UntypedUse>(propertyEdge);
2197             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2198             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2199             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2200             break;
2201         }
2202
2203         case CheckSubClass: {
2204             fixupCheckSubClass(node);
2205             break;
2206         }
2207
2208         case CallDOMGetter: {
2209             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2210             fixEdge<CellUse>(node->child1()); // DOM.
2211             if (snippet && snippet->requireGlobalObject)
2212                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2213             break;
2214         }
2215
2216         case CallDOM: {
2217             fixupCallDOM(node);
2218             break;
2219         }
2220
2221         case Call: {
2222             attemptToMakeCallDOM(node);
2223             break;
2224         }
2225
2226         case ParseInt: {
2227             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2228                 fixEdge<Int32Use>(node->child1());
2229                 node->convertToIdentity();
2230                 break;
2231             }
2232
2233             if (node->child1()->shouldSpeculateString()) {
2234                 fixEdge<StringUse>(node->child1());
2235                 node->clearFlags(NodeMustGenerate);
2236             }
2237
2238             if (node->child2())
2239                 fixEdge<Int32Use>(node->child2());
2240
2241             break;
2242         }
2243
2244         case IdentityWithProfile: {
2245             node->clearFlags(NodeMustGenerate);
2246             break;
2247         }
2248
2249         case ThrowStaticError:
2250             fixEdge<StringUse>(node->child1());
2251             break;
2252
2253         case NumberIsInteger:
2254             if (node->child1()->shouldSpeculateInt32()) {
2255                 m_insertionSet.insertNode(
2256                     m_indexInBlock, SpecNone, Check, node->origin,
2257                     Edge(node->child1().node(), Int32Use));
2258                 m_graph.convertToConstant(node, jsBoolean(true));
2259                 break;
2260             }
2261             break;
2262
2263         case SetCallee:
2264             fixEdge<CellUse>(node->child1());
2265             break;
2266
2267         case DataViewGetInt:
2268         case DataViewGetFloat: {
2269             fixEdge<DataViewObjectUse>(node->child1());
2270             fixEdge<Int32Use>(node->child2());
2271             if (node->child3())
2272                 fixEdge<BooleanUse>(node->child3());
2273
2274             if (node->op() == DataViewGetInt) {
2275                 DataViewData data = node->dataViewData();
2276                 switch (data.byteSize) {
2277                 case 1:
2278                 case 2:
2279                     node->setResult(NodeResultInt32);
2280                     break;
2281                 case 4:
2282                     if (data.isSigned)
2283                         node->setResult(NodeResultInt32);
2284                     else
2285                         node->setResult(NodeResultInt52);
2286                     break;
2287                 default:
2288                     RELEASE_ASSERT_NOT_REACHED();
2289                 }
2290             }
2291             break;
2292         }
2293
2294         case DataViewSet: {
2295             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2296             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2297             if (m_graph.varArgChild(node, 3))
2298                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2299             
2300             DataViewData data = node->dataViewData();
2301             Edge& valueToStore = m_graph.varArgChild(node, 2);
2302             if (data.isFloatingPoint)
2303                 fixEdge<DoubleRepUse>(valueToStore);
2304             else {
2305                 switch (data.byteSize) {
2306                 case 1:
2307                 case 2:
2308                     fixEdge<Int32Use>(valueToStore);
2309                     break;
2310                 case 4:
2311                     if (data.isSigned)
2312                         fixEdge<Int32Use>(valueToStore);
2313                     else
2314                         fixEdge<Int52RepUse>(valueToStore);
2315                     break;
2316                 }
2317             }
2318             break;
2319         }
2320
2321 #if !ASSERT_DISABLED
2322         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2323         case SetArgument:
2324         case JSConstant:
2325         case LazyJSConstant:
2326         case DoubleConstant:
2327         case GetLocal:
2328         case GetCallee:
2329         case GetArgumentCountIncludingThis:
2330         case SetArgumentCountIncludingThis:
2331         case GetRestLength:
2332         case GetArgument:
2333         case Flush:
2334         case PhantomLocal:
2335         case GetGlobalVar:
2336         case GetGlobalLexicalVariable:
2337         case NotifyWrite:
2338         case DirectCall:
2339         case CheckTypeInfoFlags:
2340         case TailCallInlinedCaller:
2341         case DirectTailCallInlinedCaller:
2342         case Construct:
2343         case DirectConstruct:
2344         case CallVarargs:
2345         case CallEval:
2346         case TailCallVarargsInlinedCaller:
2347         case ConstructVarargs:
2348         case CallForwardVarargs:
2349         case ConstructForwardVarargs:
2350         case TailCallForwardVarargs:
2351         case TailCallForwardVarargsInlinedCaller:
2352         case LoadVarargs:
2353         case ForwardVarargs:
2354         case ProfileControlFlow:
2355         case NewObject:
2356         case NewRegexp:
2357         case DeleteById:
2358         case DeleteByVal:
2359         case IsTypedArrayView:
2360         case IsEmpty:
2361         case IsUndefined:
2362         case IsUndefinedOrNull:
2363         case IsBoolean:
2364         case IsNumber:
2365         case IsObjectOrNull:
2366         case IsFunction:
2367         case CreateDirectArguments:
2368         case Jump:
2369         case Return:
2370         case TailCall:
2371         case DirectTailCall:
2372         case TailCallVarargs:
2373         case Throw:
2374         case CountExecution:
2375         case SuperSamplerBegin:
2376         case SuperSamplerEnd:
2377         case ForceOSRExit:
2378         case CheckBadCell:
2379         case CheckNotEmpty:
2380         case AssertNotEmpty:
2381         case CheckTraps:
2382         case Unreachable:
2383         case ExtractOSREntryLocal:
2384         case ExtractCatchLocal:
2385         case ClearCatchLocals:
2386         case LoopHint:
2387         case MovHint:
2388         case InitializeEntrypointArguments:
2389         case ZombieHint:
2390         case ExitOK:
2391         case BottomValue:
2392         case TypeOf:
2393         case PutByIdWithThis:
2394         case PutByValWithThis:
2395         case GetByValWithThis:
2396         case CompareEqPtr:
2397         case NumberToStringWithValidRadixConstant:
2398         case GetGlobalThis:
2399         case ExtractValueFromWeakMapGet:
2400         case CPUIntrinsic:
2401         case FilterCallLinkStatus:
2402         case FilterGetByIdStatus:
2403         case FilterPutByIdStatus:
2404         case FilterInByIdStatus:
2405         case InvalidationPoint:
2406             break;
2407 #else
2408         default:
2409             break;
2410 #endif
2411         }
2412     }
2413
2414     void watchHavingABadTime(Node* node)
2415     {
2416         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2417
2418         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2419         // does an array allocation. The types of array allocations may change if we start to have a bad
2420         // time. It's easier to reason about this if we know that whenever the types change after we start
2421         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2422         // prior to this point nobody should have been doing optimizations based on the indexing type of
2423         // the allocation.
2424         if (!globalObject->isHavingABadTime()) {
2425             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2426             m_graph.freeze(globalObject);
2427         }
2428     }
2429     
2430     template<UseKind useKind>
2431     void createToString(Node* node, Edge& edge)
2432     {
2433         Node* toString = m_insertionSet.insertNode(
2434             m_indexInBlock, SpecString, ToString, node->origin,
2435             Edge(edge.node(), useKind));
2436         switch (useKind) {
2437         case Int32Use:
2438         case Int52RepUse:
2439         case DoubleRepUse:
2440         case NotCellUse:
2441             toString->clearFlags(NodeMustGenerate);
2442             break;
2443         default:
2444             break;
2445         }
2446         edge.setNode(toString);
2447     }
2448     
2449     template<UseKind useKind>
2450     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2451     {
2452         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read) || arrayMode == ArrayMode(Array::Generic, Array::OriginalNonArray, Array::Read));
2453         
2454         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2455             return;
2456         
2457         addCheckStructureForOriginalStringObjectUse(useKind, node->origin, node->child1().node());
2458         createToString<useKind>(node, node->child1());
2459         arrayMode = ArrayMode(Array::String, Array::Read);
2460     }
2461
2462     void addCheckStructureForOriginalStringObjectUse(UseKind useKind, const NodeOrigin& origin, Node* node)
2463     {
2464         RELEASE_ASSERT(useKind == StringObjectUse || StringOrStringObjectUse);
2465
2466         StructureSet set;
2467         set.add(m_graph.globalObjectFor(node->origin.semantic)->stringObjectStructure());
2468         if (useKind == StringOrStringObjectUse)
2469             set.add(vm().stringStructure.get());
2470
2471         m_insertionSet.insertNode(
2472             m_indexInBlock, SpecNone, CheckStructure, origin,
2473             OpInfo(m_graph.addStructureSet(set)), Edge(node, CellUse));
2474     }
2475     
2476     template<UseKind useKind>
2477     void convertStringAddUse(Node* node, Edge& edge)
2478     {
2479         if (useKind == StringUse) {
2480             observeUseKindOnNode<StringUse>(edge.node());
2481             m_insertionSet.insertNode(
2482                 m_indexInBlock, SpecNone, Check, node->origin,
2483                 Edge(edge.node(), StringUse));
2484             edge.setUseKind(KnownStringUse);
2485             return;
2486         }
2487         
2488         observeUseKindOnNode<useKind>(edge.node());
2489         createToString<useKind>(node, edge);
2490     }
2491     
2492     void convertToMakeRope(Node* node)
2493     {
2494         node->setOpAndDefaultFlags(MakeRope);
2495         fixupMakeRope(node);
2496     }
2497     
2498     void fixupMakeRope(Node* node)
2499     {
2500         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2501             Edge& edge = node->children.child(i);
2502             if (!edge)
2503                 break;
2504             edge.setUseKind(KnownStringUse);
2505             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2506             if (!string)
2507                 continue;
2508             if (string->length())
2509                 continue;
2510             
2511             // Don't allow the MakeRope to have zero children.
2512             if (!i && !node->child2())
2513                 break;
2514             
2515             node->children.removeEdge(i--);
2516         }
2517         
2518         if (!node->child2()) {
2519             ASSERT(!node->child3());
2520             node->convertToIdentity();
2521         }
2522     }
2523
2524     void fixupIsCellWithType(Node* node)
2525     {
2526         switch (node->speculatedTypeForQuery()) {
2527         case SpecString:
2528             if (node->child1()->shouldSpeculateString()) {
2529                 m_insertionSet.insertNode(
2530                     m_indexInBlock, SpecNone, Check, node->origin,
2531                     Edge(node->child1().node(), StringUse));
2532                 m_graph.convertToConstant(node, jsBoolean(true));
2533                 observeUseKindOnNode<StringUse>(node);
2534                 return;
2535             }
2536             break;
2537
2538         case SpecProxyObject:
2539             if (node->child1()->shouldSpeculateProxyObject()) {
2540                 m_insertionSet.insertNode(
2541                     m_indexInBlock, SpecNone, Check, node->origin,
2542                     Edge(node->child1().node(), ProxyObjectUse));
2543                 m_graph.convertToConstant(node, jsBoolean(true));
2544                 observeUseKindOnNode<ProxyObjectUse>(node);
2545                 return;
2546             }
2547             break;
2548
2549         case SpecRegExpObject:
2550             if (node->child1()->shouldSpeculateRegExpObject()) {
2551                 m_insertionSet.insertNode(
2552                     m_indexInBlock, SpecNone, Check, node->origin,
2553                     Edge(node->child1().node(), RegExpObjectUse));
2554                 m_graph.convertToConstant(node, jsBoolean(true));
2555                 observeUseKindOnNode<RegExpObjectUse>(node);
2556                 return;
2557             }
2558             break;
2559
2560         case SpecArray:
2561             if (node->child1()->shouldSpeculateArray()) {
2562                 m_insertionSet.insertNode(
2563                     m_indexInBlock, SpecNone, Check, node->origin,
2564                     Edge(node->child1().node(), ArrayUse));
2565                 m_graph.convertToConstant(node, jsBoolean(true));
2566                 observeUseKindOnNode<ArrayUse>(node);
2567                 return;
2568             }
2569             break;
2570
2571         case SpecDerivedArray:
2572             if (node->child1()->shouldSpeculateDerivedArray()) {
2573                 m_insertionSet.insertNode(
2574                     m_indexInBlock, SpecNone, Check, node->origin,
2575                     Edge(node->child1().node(), DerivedArrayUse));
2576                 m_graph.convertToConstant(node, jsBoolean(true));
2577                 observeUseKindOnNode<DerivedArrayUse>(node);
2578                 return;
2579             }
2580             break;
2581         }
2582
2583         if (node->child1()->shouldSpeculateCell()) {
2584             fixEdge<CellUse>(node->child1());
2585             return;
2586         }
2587
2588         if (node->child1()->shouldSpeculateNotCell()) {
2589             m_insertionSet.insertNode(
2590                 m_indexInBlock, SpecNone, Check, node->origin,
2591                 Edge(node->child1().node(), NotCellUse));
2592             m_graph.convertToConstant(node, jsBoolean(false));
2593             observeUseKindOnNode<NotCellUse>(node);
2594             return;
2595         }
2596     }
2597
2598     void fixupGetPrototypeOf(Node* node)
2599     {
2600         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2601         if (node->child1().useKind() != ObjectUse) {
2602             if (node->child1()->shouldSpeculateString()) {
2603                 insertCheck<StringUse>(node->child1().node());
2604                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2605                 return;
2606             }
2607             if (node->child1()->shouldSpeculateInt32()) {
2608                 insertCheck<Int32Use>(node->child1().node());
2609                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2610                 return;
2611             }
2612             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2613                 insertCheck<Int52RepUse>(node->child1().node());
2614                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2615                 return;
2616             }
2617             if (node->child1()->shouldSpeculateNumber()) {
2618                 insertCheck<NumberUse>(node->child1().node());
2619                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2620                 return;
2621             }
2622             if (node->child1()->shouldSpeculateSymbol()) {
2623                 insertCheck<SymbolUse>(node->child1().node());
2624                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2625                 return;
2626             }
2627             if (node->child1()->shouldSpeculateBoolean()) {
2628                 insertCheck<BooleanUse>(node->child1().node());
2629                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2630                 return;
2631             }
2632         }
2633
2634         if (node->child1()->shouldSpeculateFinalObject()) {
2635             fixEdge<FinalObjectUse>(node->child1());
2636             node->clearFlags(NodeMustGenerate);
2637             return;
2638         }
2639         if (node->child1()->shouldSpeculateArray()) {
2640             fixEdge<ArrayUse>(node->child1());
2641             node->clearFlags(NodeMustGenerate);
2642             return;
2643         }
2644         if (node->child1()->shouldSpeculateFunction()) {
2645             fixEdge<FunctionUse>(node->child1());
2646             node->clearFlags(NodeMustGenerate);
2647             return;
2648         }
2649     }
2650
2651     void fixupToThis(Node* node)
2652     {
2653         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2654
2655         if (ecmaMode == StrictMode) {
2656             if (node->child1()->shouldSpeculateBoolean()) {
2657                 fixEdge<BooleanUse>(node->child1());
2658                 node->convertToIdentity();
2659                 return;
2660             }
2661
2662             if (node->child1()->shouldSpeculateInt32()) {
2663                 fixEdge<Int32Use>(node->child1());
2664                 node->convertToIdentity();
2665                 return;
2666             }
2667
2668             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2669                 fixEdge<Int52RepUse>(node->child1());
2670                 node->convertToIdentity();
2671                 node->setResult(NodeResultInt52);
2672                 return;
2673             }
2674
2675             if (node->child1()->shouldSpeculateNumber()) {
2676                 fixEdge<DoubleRepUse>(node->child1());
2677                 node->convertToIdentity();
2678                 node->setResult(NodeResultDouble);
2679                 return;
2680             }
2681
2682             if (node->child1()->shouldSpeculateSymbol()) {
2683                 fixEdge<SymbolUse>(node->child1());
2684                 node->convertToIdentity();
2685                 return;
2686             }
2687
2688             if (node->child1()->shouldSpeculateStringIdent()) {
2689                 fixEdge<StringIdentUse>(node->child1());
2690                 node->convertToIdentity();
2691                 return;
2692             }
2693
2694             if (node->child1()->shouldSpeculateString()) {
2695                 fixEdge<StringUse>(node->child1());
2696                 node->convertToIdentity();
2697                 return;
2698             }
2699             
2700             if (node->child1()->shouldSpeculateBigInt()) {
2701                 fixEdge<BigIntUse>(node->child1());
2702                 node->convertToIdentity();
2703                 return;
2704             }
2705         }
2706
2707         if (node->child1()->shouldSpeculateOther()) {
2708             if (ecmaMode == StrictMode) {
2709                 fixEdge<OtherUse>(node->child1());
2710                 node->convertToIdentity();
2711                 return;
2712             }
2713
2714             m_insertionSet.insertNode(
2715                 m_indexInBlock, SpecNone, Check, node->origin,
2716                 Edge(node->child1().node(), OtherUse));
2717             observeUseKindOnNode<OtherUse>(node->child1().node());
2718             m_graph.convertToConstant(
2719                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2720             return;
2721         }
2722
2723         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2724         // however, since we cover all the missing cases in constant folding.
2725         // https://bugs.webkit.org/show_bug.cgi?id=157213
2726         if (node->child1()->shouldSpeculateStringObject()) {
2727             fixEdge<StringObjectUse>(node->child1());
2728             node->convertToIdentity();
2729             return;
2730         }
2731
2732         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2733             fixEdge<FinalObjectUse>(node->child1());
2734             node->convertToIdentity();
2735             return;
2736         }
2737     }
2738     
2739     void fixupToPrimitive(Node* node)
2740     {
2741         if (node->child1()->shouldSpeculateInt32()) {
2742             fixEdge<Int32Use>(node->child1());
2743             node->convertToIdentity();
2744             return;
2745         }
2746         
2747         if (node->child1()->shouldSpeculateString()) {
2748             fixEdge<StringUse>(node->child1());
2749             node->convertToIdentity();
2750             return;
2751         }
2752         
2753         if (node->child1()->shouldSpeculateStringObject()
2754             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2755             addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, node->child1().node());
2756             fixEdge<StringObjectUse>(node->child1());
2757             node->convertToToString();
2758             return;
2759         }
2760         
2761         if (node->child1()->shouldSpeculateStringOrStringObject()
2762             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2763             addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, node->child1().node());
2764             fixEdge<StringOrStringObjectUse>(node->child1());
2765             node->convertToToString();
2766             return;
2767         }
2768     }
2769
2770     void fixupToNumber(Node* node)
2771     {
2772         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2773         if (node->child1()->shouldSpeculateNumber()) {
2774             if (isInt32Speculation(node->getHeapPrediction())) {
2775                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2776                 if (node->child1()->shouldSpeculateInt32()) {
2777                     fixEdge<Int32Use>(node->child1());
2778                     node->convertToIdentity();
2779                     return;
2780                 }
2781
2782                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2783                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2784                 fixEdge<DoubleRepUse>(node->child1());
2785                 node->setOp(DoubleAsInt32);
2786                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2787                     node->setArithMode(Arith::CheckOverflow);
2788                 else
2789                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2790                 return;
2791             }
2792
2793             fixEdge<DoubleRepUse>(node->child1());
2794             node->convertToIdentity();
2795             node->setResult(NodeResultDouble);
2796             return;
2797         }
2798
2799         fixEdge<UntypedUse>(node->child1());
2800         node->setResult(NodeResultJS);
2801     }
2802
2803     void fixupToObject(Node* node)
2804     {
2805         if (node->child1()->shouldSpeculateObject()) {
2806             fixEdge<ObjectUse>(node->child1());
2807             node->convertToIdentity();
2808             return;
2809         }
2810
2811         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2812
2813         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2814
2815         if (node->child1()->shouldSpeculateString()) {
2816             insertCheck<StringUse>(node->child1().node());
2817             fixEdge<KnownStringUse>(node->child1());
2818             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2819             return;
2820         }
2821
2822         if (node->child1()->shouldSpeculateSymbol()) {
2823             insertCheck<SymbolUse>(node->child1().node());
2824             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2825             return;
2826         }
2827
2828         if (node->child1()->shouldSpeculateNumber()) {
2829             insertCheck<NumberUse>(node->child1().node());
2830             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2831             return;
2832         }
2833
2834         if (node->child1()->shouldSpeculateBoolean()) {
2835             insertCheck<BooleanUse>(node->child1().node());
2836             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2837             return;
2838         }
2839
2840         fixEdge<UntypedUse>(node->child1());
2841     }
2842
2843     void fixupCallObjectConstructor(Node* node)
2844     {
2845         if (node->child1()->shouldSpeculateObject()) {
2846             fixEdge<ObjectUse>(node->child1());
2847             node->convertToIdentity();
2848             return;
2849         }
2850
2851         if (node->child1()->shouldSpeculateString()) {
2852             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2853             insertCheck<StringUse>(node->child1().node());
2854             fixEdge<KnownStringUse>(node->child1());
2855             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2856             return;
2857         }
2858
2859         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2860         if (node->child1()->shouldSpeculateOther()) {
2861             insertCheck<OtherUse>(node->child1().node());
2862             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2863             return;
2864         }
2865
2866         fixEdge<UntypedUse>(node->child1());
2867     }
2868     
2869     void fixupToStringOrCallStringConstructor(Node* node)
2870     {
2871         if (node->child1()->shouldSpeculateString()) {
2872             fixEdge<StringUse>(node->child1());
2873             node->convertToIdentity();
2874             return;
2875         }
2876         
2877         if (node->child1()->shouldSpeculateStringObject()
2878             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2879             addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, node->child1().node());
2880             fixEdge<StringObjectUse>(node->child1());
2881             return;
2882         }
2883         
2884         if (node->child1()->shouldSpeculateStringOrStringObject()
2885             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2886             addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, node->child1().node());
2887             fixEdge<StringOrStringObjectUse>(node->child1());
2888             return;
2889         }
2890         
2891         if (node->child1()->shouldSpeculateCell()) {
2892             fixEdge<CellUse>(node->child1());
2893             return;
2894         }
2895
2896         if (node->child1()->shouldSpeculateInt32()) {
2897             fixEdge<Int32Use>(node->child1());
2898             node->clearFlags(NodeMustGenerate);
2899             return;
2900         }
2901
2902         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2903             fixEdge<Int52RepUse>(node->child1());
2904             node->clearFlags(NodeMustGenerate);
2905             return;
2906         }
2907
2908         if (node->child1()->shouldSpeculateNumber()) {
2909             fixEdge<DoubleRepUse>(node->child1());
2910             node->clearFlags(NodeMustGenerate);
2911             return;
2912         }
2913
2914         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2915         // we need to care about it in the clobberize. In the following case,
2916         // since NotCellUse edge filter is used and this edge filters Symbols,
2917         // we can say that ToString never throws an error!
2918         if (node->child1()->shouldSpeculateNotCell()) {
2919             fixEdge<NotCellUse>(node->child1());
2920             node->clearFlags(NodeMustGenerate);
2921             return;
2922         }
2923     }
2924
2925     void fixupStringValueOf(Node* node)
2926     {
2927         if (node->child1()->shouldSpeculateString()) {
2928             fixEdge<StringUse>(node->child1());
2929             node->convertToIdentity();
2930             return;
2931         }
2932
2933         if (node->child1()->shouldSpeculateStringObject()) {
2934             fixEdge<StringObjectUse>(node->child1());
2935             node->convertToToString();
2936             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2937             node->clearFlags(NodeMustGenerate);
2938             return;
2939         }
2940
2941         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2942             fixEdge<StringOrStringObjectUse>(node->child1());
2943             node->convertToToString();
2944             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2945             node->clearFlags(NodeMustGenerate);
2946             return;
2947         }
2948     }
2949
2950     void fixupObjectToString(Node* node)
2951     {
2952         if (node->child1()->shouldSpeculateOther()) {
2953             fixEdge<OtherUse>(node->child1());
2954             node->clearFlags(NodeMustGenerate);
2955             return;
2956         }
2957     }
2958
2959     bool attemptToMakeFastStringAdd(Node* node)
2960     {
2961         bool goodToGo = true;
2962         m_graph.doToChildren(
2963             node,
2964             [&] (Edge& edge) {
2965                 if (edge->shouldSpeculateString())
2966                     return;
2967                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2968                     if (edge->shouldSpeculateStringObject())
2969                         return;
2970                     if (edge->shouldSpeculateStringOrStringObject())
2971                         return;
2972                 }
2973                 goodToGo = false;
2974             });
2975         if (!goodToGo)
2976             return false;
2977
2978         m_graph.doToChildren(
2979             node,
2980             [&] (Edge& edge) {
2981                 if (edge->shouldSpeculateString()) {
2982                     convertStringAddUse<StringUse>(node, edge);
2983                     return;
2984                 }
2985                 if (!Options::useConcurrentJIT())
2986                     ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2987                 if (edge->shouldSpeculateStringObject()) {
2988                     addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, edge.node());
2989                     convertStringAddUse<StringObjectUse>(node, edge);
2990                     return;
2991                 }
2992                 if (edge->shouldSpeculateStringOrStringObject()) {
2993                     addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, edge.node());
2994                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2995                     return;
2996                 }
2997                 RELEASE_ASSERT_NOT_REACHED();
2998             });
2999         
3000         convertToMakeRope(node);
3001         return true;
3002     }
3003
3004     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
3005     {
3006         if (!block)
3007             return;
3008         ASSERT(block->isReachable);
3009         m_block = block;
3010         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
3011             Node* node = m_currentNode = block->at(m_indexInBlock);
3012             if (node->op() != SetLocal && node->op() != GetLocal)
3013                 continue;
3014             
3015             VariableAccessData* variable = node->variableAccessData();
3016             switch (node->op()) {
3017             case GetLocal:
3018                 switch (variable->flushFormat()) {
3019                 case FlushedDouble:
3020                     node->setResult(NodeResultDouble);
3021                     break;
3022                 case FlushedInt52:
3023                     node->setResult(NodeResultInt52);
3024                     break;
3025                 default:
3026                     break;
3027                 }
3028                 break;
3029                 
3030             case SetLocal:
3031                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
3032                 // add new type checking use kind for SetLocals, we need to modify that code as well.
3033                 
3034                 switch (variable->flushFormat()) {
3035                 case FlushedJSValue:
3036                     break;
3037                 case FlushedDouble:
3038                     fixEdge<DoubleRepUse>(node->child1());
3039                     break;
3040                 case FlushedInt32:
3041                     fixEdge<Int32Use>(node->child1());
3042                     break;
3043                 case FlushedInt52:
3044                     fixEdge<Int52RepUse>(node->child1());
3045                     break;
3046                 case FlushedCell:
3047                     fixEdge<CellUse>(node->child1());
3048                     break;
3049                 case FlushedBoolean:
3050                     fixEdge<BooleanUse>(node->child1());
3051                     break;
3052                 default:
3053                     RELEASE_ASSERT_NOT_REACHED();
3054                     break;
3055                 }
3056                 break;
3057                 
3058             default:
3059                 RELEASE_ASSERT_NOT_REACHED();
3060                 break;
3061             }
3062         }
3063         m_insertionSet.execute(block);
3064     }
3065     
3066     void addStringReplacePrimordialChecks(Node* searchRegExp)
3067     {
3068         Node* node = m_currentNode;
3069
3070         // Check that structure of searchRegExp is RegExp object
3071         m_insertionSet.insertNode(
3072             m_indexInBlock, SpecNone, Check, node->origin,
3073             Edge(searchRegExp, RegExpObjectUse));
3074
3075         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
3076             unsigned index = m_graph.identifiers().ensure(propertyUID);
3077
3078             Node* actualProperty = m_insertionSet.insertNode(
3079                 m_indexInBlock, SpecNone, TryGetById, node->origin,
3080                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
3081
3082             m_insertionSet.insertNode(
3083                 m_indexInBlock, SpecNone, CheckCell, node->origin,
3084                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
3085         };
3086
3087         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
3088
3089         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
3090         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
3091         // Check that searchRegExp.global is the primordial RegExp.prototype.global
3092         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
3093         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
3094         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
3095         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
3096         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
3097     }
3098
3099     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
3100     {
3101         ASSERT(arrayMode.isSpecific());
3102         
3103         if (arrayMode.type() == Array::String) {
3104             m_insertionSet.insertNode(
3105                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
3106         } else {
3107             // Note that we only need to be using a structure check if we opt for SaneChain, since
3108             // that needs to protect against JSArray's __proto__ being changed.
3109             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
3110         
3111             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
3112             
3113             if (arrayMode.doesConversion()) {
3114                 if (structure) {
3115                     m_insertionSet.insertNode(
3116                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
3117                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3118                 } else {
3119                     m_insertionSet.insertNode(
3120                         m_indexInBlock, SpecNone, Arrayify, origin,
3121                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3122                 }
3123             } else {
3124                 if (structure) {
3125                     m_insertionSet.insertNode(
3126                         m_indexInBlock, SpecNone, CheckStructure, origin,
3127                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
3128                 } else {
3129                     m_insertionSet.insertNode(
3130                         m_indexInBlock, SpecNone, CheckArray, origin,
3131                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
3132                 }
3133             }
3134         }
3135         
3136         if (!storageCheck(arrayMode))
3137             return nullptr;
3138         
3139         if (arrayMode.usesButterfly()) {
3140             return m_insertionSet.insertNode(
3141                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
3142         }
3143         
3144         return m_insertionSet.insertNode(
3145             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
3146             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
3147     }
3148     
3149     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
3150     {
3151         Node* node = m_currentNode;
3152         
3153         switch (node->arrayMode().type()) {
3154         case Array::ForceExit: {
3155             m_insertionSet.insertNode(
3156                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
3157             return;
3158         }
3159             
3160         case Array::SelectUsingPredictions:
3161         case Array::Unprofiled:
3162             RELEASE_ASSERT_NOT_REACHED();
3163             return;
3164             
3165         case Array::Generic:
3166             return;
3167             
3168         default: {
3169             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
3170             if (!storage)
3171                 return;
3172             
3173             storageChild = Edge(storage);
3174             return;
3175         } }
3176     }
3177     
3178     bool alwaysUnboxSimplePrimitives()
3179     {
3180 #if USE(JSVALUE64)
3181         return false;
3182 #else
3183         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
3184         // reduces traffic.
3185         return true;
3186 #endif
3187     }
3188
3189     template<UseKind useKind>
3190     void observeUseKindOnNode(Node* node)
3191     {
3192         if (useKind == UntypedUse)
3193             return;
3194         observeUseKindOnNode(node, useKind);
3195     }
3196
3197     void observeUseKindOnEdge(Edge edge)
3198     {
3199         observeUseKindOnNode(edge.node(), edge.useKind());
3200     }
3201
3202     void observeUseKindOnNode(Node* node, UseKind useKind)
3203     {
3204         if (node->op() != GetLocal)
3205             return;
3206         
3207         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
3208         // https://bugs.webkit.org/show_bug.cgi?id=121518
3209         
3210         VariableAccessData* variable = node->variableAccessData();
3211         switch (useKind) {
3212         case Int32Use:
3213         case KnownInt32Use:
3214             if (alwaysUnboxSimplePrimitives()
3215                 || isInt32Speculation(variable->prediction()))
3216                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3217             break;
3218         case NumberUse:
3219         case RealNumberUse:
3220         case DoubleRepUse:
3221         case DoubleRepRealUse:
3222             if (variable->doubleFormatState() == UsingDoubleFormat)
3223                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3224             break;
3225         case BooleanUse:
3226         case KnownBooleanUse:
3227             if (alwaysUnboxSimplePrimitives()
3228                 || isBooleanSpeculation(variable->prediction()))
3229                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3230             break;
3231         case Int52RepUse:
3232             if (isAnyIntSpeculation(variable->prediction()))
3233                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3234             break;
3235         case CellUse:
3236         case KnownCellUse:
3237         case ObjectUse:
3238         case FunctionUse:
3239         case StringUse:
3240         case KnownStringUse:
3241         case SymbolUse:
3242         case BigIntUse:
3243         case StringObjectUse:
3244         case StringOrStringObjectUse:
3245             if (alwaysUnboxSimplePrimitives()
3246                 || isCellSpeculation(variable->prediction()))
3247                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3248             break;
3249         default:
3250             break;
3251         }
3252     }
3253     
3254     template<UseKind useKind>
3255     void fixEdge(Edge& edge)
3256     {
3257         observeUseKindOnNode<useKind>(edge.node());
3258         edge.setUseKind(useKind);
3259     }
3260     
3261     unsigned indexForChecks()
3262     {
3263         unsigned index = m_indexInBlock;
3264         while (!m_block->at(index)->origin.exitOK)
3265             index--;
3266         return index;
3267     }
3268     
3269     NodeOrigin originForCheck(unsigned index)
3270     {
3271         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3272     }
3273     
3274     void speculateForBarrier(Edge value)
3275     {
3276         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3277         // the DFG anyway because if such a speculation would be wrong, we want to know before
3278         // we do an expensive compile.
3279         
3280         if (value->shouldSpeculateInt32()) {
3281             insertCheck<Int32Use>(value.node());
3282             return;
3283         }
3284             
3285         if (value->shouldSpeculateBoolean()) {
3286             insertCheck<BooleanUse>(value.node());
3287             return;
3288         }
3289             
3290         if (value->shouldSpeculateOther()) {
3291             insertCheck<OtherUse>(value.node());
3292             return;
3293         }
3294             
3295         if (value->shouldSpeculateNumber()) {
3296             insertCheck<NumberUse>(value.node());
3297             return;
3298         }
3299             
3300         if (value->shouldSpeculateNotCell()) {
3301             insertCheck<NotCellUse>(value.node());
3302             return;
3303         }
3304     }
3305     
3306     template<UseKind useKind>
3307     void insertCheck(Node* node)
3308     {
3309         observeUseKindOnNode<useKind>(node);
3310         unsigned index = indexForChecks();
3311         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3312     }
3313
3314     void fixIntConvertingEdge(Edge& edge)
3315     {
3316         Node* node = edge.node();
3317         if (node->shouldSpeculateInt32OrBoolean()) {
3318             fixIntOrBooleanEdge(edge);
3319             return;
3320         }
3321         
3322         UseKind useKind;
3323         if (node->shouldSpeculateAnyInt())
3324             useKind = Int52RepUse;
3325         else if (node->shouldSpeculateNumber())
3326             useKind = DoubleRepUse;
3327         else
3328             useKind = NotCellUse;
3329         Node* newNode = m_insertionSet.insertNode(
3330             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3331             Edge(node, useKind));
3332         observeUseKindOnNode(node, useKind);
3333         
3334         edge = Edge(newNode, KnownInt32Use);
3335     }
3336     
3337     void fixIntOrBooleanEdge(Edge& edge)
3338     {
3339         Node* node = edge.node();
3340         if (!node->sawBooleans()) {
3341             fixEdge<Int32Use>(edge);
3342             return;
3343         }
3344         
3345         UseKind useKind;
3346         if (node->shouldSpeculateBoolean())
3347             useKind = BooleanUse;
3348         else
3349             useKind = UntypedUse;
3350         Node* newNode = m_insertionSet.insertNode(
3351             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3352             Edge(node, useKind));
3353         observeUseKindOnNode(node, useKind);
3354         
3355         edge = Edge(newNode, Int32Use);
3356     }
3357     
3358     void fixDoubleOrBooleanEdge(Edge& edge)
3359     {
3360         Node* node = edge.node();
3361         if (!node->sawBooleans()) {
3362             fixEdge<DoubleRepUse>(edge);
3363             return;
3364         }
3365         
3366         UseKind useKind;
3367         if (node->shouldSpeculateBoolean())
3368             useKind = BooleanUse;
3369         else
3370             useKind = UntypedUse;
3371         Node* newNode = m_insertionSet.insertNode(
3372             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3373             Edge(node, useKind));
3374         observeUseKindOnNode(node, useKind);
3375         
3376         edge = Edge(newNode, DoubleRepUse);
3377     }
3378     
3379     void truncateConstantToInt32(Edge& edge)
3380     {
3381         Node* oldNode = edge.node();
3382         
3383         JSValue value = oldNode->asJSValue();
3384         if (value.isInt32())
3385             return;
3386         
3387         value = jsNumber(JSC::toInt32(value.asNumber()));
3388         ASSERT(value.isInt32());
3389         edge.setNode(m_insertionSet.insertNode(
3390             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3391             OpInfo(m_graph.freeze(value))));
3392     }
3393     
3394     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3395     {
3396         if (mode != SpeculateInt32AndTruncateConstants)
3397             return;
3398         
3399         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3400         if (node->child1()->hasConstant())
3401             truncateConstantToInt32(node->child1());
3402         else
3403             truncateConstantToInt32(node->child2());
3404     }
3405
3406     bool attemptToMakeIntegerAdd(Node* node)
3407     {
3408         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3409         if (mode != DontSpeculateInt32) {
3410             truncateConstantsIfNecessary(node, mode);
3411             fixIntOrBooleanEdge(node->child1());
3412             fixIntOrBooleanEdge(node->child2());
3413             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3414                 node->setArithMode(Arith::Unchecked);
3415             else
3416                 node->setArithMode(Arith::CheckOverflow);
3417             return true;
3418         }
3419         
3420         if (m_graph.addShouldSpeculateAnyInt(node)) {
3421             fixEdge<Int52RepUse>(node->child1());
3422             fixEdge<Int52RepUse>(node->child2());
3423             node->setArithMode(Arith::CheckOverflow);
3424             node->setResult(NodeResultInt52);
3425             return true;
3426         }
3427         
3428         return false;
3429     }
3430     
3431     bool attemptToMakeGetArrayLength(Node* node)
3432     {
3433         if (!isInt32Speculation(node->prediction()))
3434             return false;
3435         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3436         ArrayProfile* arrayProfile = 
3437             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3438         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3439         if (arrayProfile) {
3440             ConcurrentJSLocker locker(profiledBlock->m_lock);
3441             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3442             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3443             if (arrayMode.type() == Array::Unprofiled) {
3444                 // For normal array operations, it makes sense to treat Unprofiled
3445                 // accesses as ForceExit and get more data rather than using
3446                 // predictions and then possibly ending up with a Generic. But here,
3447                 // we treat anything that is Unprofiled as Generic and keep the
3448                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3449                 // profit - from treating the Unprofiled case as
3450                 // SelectUsingPredictions.
3451                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3452             }
3453         }
3454             
3455         arrayMode = arrayMode.refine(
3456             m_graph, node, node->child1()->prediction(), node->prediction());
3457             
3458         if (arrayMode.type() == Array::Generic) {
3459             // Check if the input is something that we can't get array length for, but for which we
3460             // could insert some conversions in order to transform it into something that we can do it
3461             // for.
3462             if (node->child1()->shouldSpeculateStringObject())
3463                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3464             else if (node->child1()->shouldSpeculateStringOrStringObject())
3465                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3466         }
3467             
3468         if (!arrayMode.supportsSelfLength())
3469             return false;
3470         
3471         convertToGetArrayLength(node, arrayMode);
3472         return true;
3473     }
3474
3475     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3476     {
3477         node->setOp(GetArrayLength);
3478         node->clearFlags(NodeMustGenerate);
3479         fixEdge<KnownCellUse>(node->child1());
3480         node->setArrayMode(arrayMode);
3481             
3482         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3483         if (!storage)
3484             return;
3485             
3486         node->child2() = Edge(storage);
3487     }
3488     
3489     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3490     {
3491         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3492         return m_insertionSet.insertNode(
3493             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3494             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3495     }
3496
3497     void convertToHasIndexedProperty(Node* node)
3498     {
3499         node->setOp(HasIndexedProperty);
3500         node->clearFlags(NodeMustGenerate);
3501         node->setArrayMode(
3502             node->arrayMode().refine(
3503                 m_graph, node,
3504                 node->child1()->prediction(),
3505                 node->child2()->prediction(),
3506                 SpecNone));
3507         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3508
3509         blessArrayOperation(node->child1(), node->child2(), node->child3());
3510
3511         fixEdge<CellUse>(node->child1());
3512         fixEdge<Int32Use>(node->child2());
3513     }
3514
3515     void fixupNormalizeMapKey(Node* node)
3516     {
3517         if (node->child1()->shouldSpeculateBoolean()) {
3518             fixEdge<BooleanUse>(node->child1());
3519             node->convertToIdentity();
3520             return;
3521         }
3522
3523         if (node->child1()->shouldSpeculateInt32()) {
3524             fixEdge<Int32Use>(node->child1());
3525             node->convertToIdentity();
3526             return;
3527         }
3528
3529         if (node->child1()->shouldSpeculateSymbol()) {
3530             fixEdge<SymbolUse>(node->child1());
3531             node->convertToIdentity();
3532             return;
3533         }
3534
3535         if (node->child1()->shouldSpeculateObject()) {
3536             fixEdge<ObjectUse>(node->child1());
3537             node->convertToIdentity();
3538             return;
3539         }
3540
3541         if (node->child1()->shouldSpeculateString()) {
3542             fixEdge<StringUse>(node->child1());
3543             node->convertToIdentity();
3544             return;
3545         }
3546
3547         if (node->child1()->shouldSpeculateCell()) {
3548<