[FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149             
150         case ValueAdd: {
151             if (attemptToMakeIntegerAdd(node)) {
152                 node->setOp(ArithAdd);
153                 break;
154             }
155             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
156                 fixDoubleOrBooleanEdge(node->child1());
157                 fixDoubleOrBooleanEdge(node->child2());
158                 node->setOp(ArithAdd);
159                 node->setResult(NodeResultDouble);
160                 break;
161             }
162             
163             if (attemptToMakeFastStringAdd(node))
164                 break;
165
166             Edge& child1 = node->child1();
167             Edge& child2 = node->child2();
168             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
169                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
170                     auto convertString = [&](Node* node, Edge& edge) {
171                         if (edge->shouldSpeculateInt32())
172                             convertStringAddUse<Int32Use>(node, edge);
173                         else {
174                             ASSERT(edge->shouldSpeculateString());
175                             convertStringAddUse<StringUse>(node, edge);
176                         }
177                     };
178                     convertString(node, child1);
179                     convertString(node, child2);
180                     convertToMakeRope(node);
181                     break;
182                 }
183             }
184
185             fixEdge<UntypedUse>(child1);
186             fixEdge<UntypedUse>(child2);
187             node->setResult(NodeResultJS);
188             break;
189         }
190
191         case StrCat: {
192             if (attemptToMakeFastStringAdd(node))
193                 break;
194
195             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
196             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
197             // the implementation of StrCat doesn't dynamically optimize for empty strings.
198             // https://bugs.webkit.org/show_bug.cgi?id=148540
199             m_graph.doToChildren(
200                 node,
201                 [&] (Edge& edge) {
202                     fixEdge<KnownPrimitiveUse>(edge);
203                     // StrCat automatically coerces the values into strings before concatenating them.
204                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
205                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
206                     // our runtime functions for this slow path expect that they will never be passed
207                     // Symbols.
208                     m_insertionSet.insertNode(
209                         m_indexInBlock, SpecNone, Check, node->origin,
210                         Edge(edge.node(), NotSymbolUse));
211                 });
212             break;
213         }
214             
215         case MakeRope: {
216             fixupMakeRope(node);
217             break;
218         }
219             
220         case ArithAdd:
221         case ArithSub: {
222             if (op == ArithSub
223                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
224                 fixEdge<UntypedUse>(node->child1());
225                 fixEdge<UntypedUse>(node->child2());
226                 node->setResult(NodeResultJS);
227                 break;
228             }
229             if (attemptToMakeIntegerAdd(node))
230                 break;
231             fixDoubleOrBooleanEdge(node->child1());
232             fixDoubleOrBooleanEdge(node->child2());
233             node->setResult(NodeResultDouble);
234             break;
235         }
236             
237         case ArithNegate: {
238             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
239                 fixIntOrBooleanEdge(node->child1());
240                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
241                     node->setArithMode(Arith::Unchecked);
242                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
243                     node->setArithMode(Arith::CheckOverflow);
244                 else
245                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
246                 node->setResult(NodeResultInt32);
247                 node->clearFlags(NodeMustGenerate);
248                 break;
249             }
250             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
251                 fixEdge<Int52RepUse>(node->child1());
252                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
253                     node->setArithMode(Arith::CheckOverflow);
254                 else
255                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
256                 node->setResult(NodeResultInt52);
257                 node->clearFlags(NodeMustGenerate);
258                 break;
259             }
260             if (node->child1()->shouldSpeculateNotCell()) {
261                 fixDoubleOrBooleanEdge(node->child1());
262                 node->setResult(NodeResultDouble);
263                 node->clearFlags(NodeMustGenerate);
264             } else
265                 fixEdge<UntypedUse>(node->child1());
266             break;
267         }
268             
269         case ArithMul: {
270             Edge& leftChild = node->child1();
271             Edge& rightChild = node->child2();
272             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
273                 fixEdge<UntypedUse>(leftChild);
274                 fixEdge<UntypedUse>(rightChild);
275                 node->setResult(NodeResultJS);
276                 break;
277             }
278             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
279                 fixIntOrBooleanEdge(leftChild);
280                 fixIntOrBooleanEdge(rightChild);
281                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
282                     node->setArithMode(Arith::Unchecked);
283                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
284                     || leftChild.node() == rightChild.node())
285                     node->setArithMode(Arith::CheckOverflow);
286                 else
287                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
288                 break;
289             }
290             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
291                 fixEdge<Int52RepUse>(leftChild);
292                 fixEdge<Int52RepUse>(rightChild);
293                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
294                     || leftChild.node() == rightChild.node())
295                     node->setArithMode(Arith::CheckOverflow);
296                 else
297                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
298                 node->setResult(NodeResultInt52);
299                 break;
300             }
301             fixDoubleOrBooleanEdge(leftChild);
302             fixDoubleOrBooleanEdge(rightChild);
303             node->setResult(NodeResultDouble);
304             break;
305         }
306
307         case ArithDiv:
308         case ArithMod: {
309             Edge& leftChild = node->child1();
310             Edge& rightChild = node->child2();
311             if (op == ArithDiv
312                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
313                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
314                 fixEdge<UntypedUse>(leftChild);
315                 fixEdge<UntypedUse>(rightChild);
316                 node->setResult(NodeResultJS);
317                 break;
318             }
319             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
320                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
321                     fixIntOrBooleanEdge(leftChild);
322                     fixIntOrBooleanEdge(rightChild);
323                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
324                         node->setArithMode(Arith::Unchecked);
325                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
326                         node->setArithMode(Arith::CheckOverflow);
327                     else
328                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
329                     break;
330                 }
331                 
332                 // This will cause conversion nodes to be inserted later.
333                 fixDoubleOrBooleanEdge(leftChild);
334                 fixDoubleOrBooleanEdge(rightChild);
335                 
336                 // We don't need to do ref'ing on the children because we're stealing them from
337                 // the original division.
338                 Node* newDivision = m_insertionSet.insertNode(
339                     m_indexInBlock, SpecBytecodeDouble, *node);
340                 newDivision->setResult(NodeResultDouble);
341                 
342                 node->setOp(DoubleAsInt32);
343                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
344                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
345                     node->setArithMode(Arith::CheckOverflow);
346                 else
347                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
348                 break;
349             }
350             fixDoubleOrBooleanEdge(leftChild);
351             fixDoubleOrBooleanEdge(rightChild);
352             node->setResult(NodeResultDouble);
353             break;
354         }
355             
356         case ArithMin:
357         case ArithMax: {
358             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
359                 fixIntOrBooleanEdge(node->child1());
360                 fixIntOrBooleanEdge(node->child2());
361                 break;
362             }
363             fixDoubleOrBooleanEdge(node->child1());
364             fixDoubleOrBooleanEdge(node->child2());
365             node->setResult(NodeResultDouble);
366             break;
367         }
368             
369         case ArithAbs: {
370             if (node->child1()->shouldSpeculateInt32OrBoolean()
371                 && node->canSpeculateInt32(FixupPass)) {
372                 fixIntOrBooleanEdge(node->child1());
373                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
374                     node->setArithMode(Arith::Unchecked);
375                 else
376                     node->setArithMode(Arith::CheckOverflow);
377                 node->clearFlags(NodeMustGenerate);
378                 node->setResult(NodeResultInt32);
379                 break;
380             }
381
382             if (node->child1()->shouldSpeculateNotCell()) {
383                 fixDoubleOrBooleanEdge(node->child1());
384                 node->clearFlags(NodeMustGenerate);
385             } else
386                 fixEdge<UntypedUse>(node->child1());
387             node->setResult(NodeResultDouble);
388             break;
389         }
390
391         case ArithPow: {
392             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
393                 fixDoubleOrBooleanEdge(node->child1());
394                 fixIntOrBooleanEdge(node->child2());
395                 break;
396             }
397
398             fixDoubleOrBooleanEdge(node->child1());
399             fixDoubleOrBooleanEdge(node->child2());
400             break;
401         }
402
403         case ArithRandom: {
404             node->setResult(NodeResultDouble);
405             break;
406         }
407
408         case ArithRound:
409         case ArithFloor:
410         case ArithCeil:
411         case ArithTrunc: {
412             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
413                 fixIntOrBooleanEdge(node->child1());
414                 insertCheck<Int32Use>(node->child1().node());
415                 node->convertToIdentity();
416                 break;
417             }
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420
421                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
422                     node->setResult(NodeResultInt32);
423                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
424                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
425                     else
426                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
427                 } else {
428                     node->setResult(NodeResultDouble);
429                     node->setArithRoundingMode(Arith::RoundingMode::Double);
430                 }
431                 node->clearFlags(NodeMustGenerate);
432             } else
433                 fixEdge<UntypedUse>(node->child1());
434             break;
435         }
436
437         case ArithFRound:
438         case ArithSqrt:
439         case ArithUnary: {
440             Edge& child1 = node->child1();
441             if (child1->shouldSpeculateNotCell()) {
442                 fixDoubleOrBooleanEdge(child1);
443                 node->clearFlags(NodeMustGenerate);
444             } else
445                 fixEdge<UntypedUse>(child1);
446             break;
447         }
448             
449         case LogicalNot: {
450             if (node->child1()->shouldSpeculateBoolean()) {
451                 if (node->child1()->result() == NodeResultBoolean) {
452                     // This is necessary in case we have a bytecode instruction implemented by:
453                     //
454                     // a: CompareEq(...)
455                     // b: LogicalNot(@a)
456                     //
457                     // In that case, CompareEq might have a side-effect. Then, we need to make
458                     // sure that we know that Branch does not exit.
459                     fixEdge<KnownBooleanUse>(node->child1());
460                 } else
461                     fixEdge<BooleanUse>(node->child1());
462             } else if (node->child1()->shouldSpeculateObjectOrOther())
463                 fixEdge<ObjectOrOtherUse>(node->child1());
464             else if (node->child1()->shouldSpeculateInt32OrBoolean())
465                 fixIntOrBooleanEdge(node->child1());
466             else if (node->child1()->shouldSpeculateNumber())
467                 fixEdge<DoubleRepUse>(node->child1());
468             else if (node->child1()->shouldSpeculateString())
469                 fixEdge<StringUse>(node->child1());
470             else if (node->child1()->shouldSpeculateStringOrOther())
471                 fixEdge<StringOrOtherUse>(node->child1());
472             else {
473                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
474                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
475                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
476             }
477             break;
478         }
479
480         case CompareEq:
481         case CompareLess:
482         case CompareLessEq:
483         case CompareGreater:
484         case CompareGreaterEq: {
485             if (node->op() == CompareEq
486                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
487                 fixEdge<BooleanUse>(node->child1());
488                 fixEdge<BooleanUse>(node->child2());
489                 node->clearFlags(NodeMustGenerate);
490                 break;
491             }
492             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
493                 fixIntOrBooleanEdge(node->child1());
494                 fixIntOrBooleanEdge(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (enableInt52()
499                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
500                 fixEdge<Int52RepUse>(node->child1());
501                 fixEdge<Int52RepUse>(node->child2());
502                 node->clearFlags(NodeMustGenerate);
503                 break;
504             }
505             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
506                 fixDoubleOrBooleanEdge(node->child1());
507                 fixDoubleOrBooleanEdge(node->child2());
508             }
509             if (node->op() != CompareEq
510                 && node->child1()->shouldSpeculateNotCell()
511                 && node->child2()->shouldSpeculateNotCell()) {
512                 if (node->child1()->shouldSpeculateNumberOrBoolean())
513                     fixDoubleOrBooleanEdge(node->child1());
514                 else
515                     fixEdge<DoubleRepUse>(node->child1());
516                 if (node->child2()->shouldSpeculateNumberOrBoolean())
517                     fixDoubleOrBooleanEdge(node->child2());
518                 else
519                     fixEdge<DoubleRepUse>(node->child2());
520                 node->clearFlags(NodeMustGenerate);
521                 break;
522             }
523             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
524                 fixEdge<StringIdentUse>(node->child1());
525                 fixEdge<StringIdentUse>(node->child2());
526                 node->clearFlags(NodeMustGenerate);
527                 break;
528             }
529             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
530                 fixEdge<StringUse>(node->child1());
531                 fixEdge<StringUse>(node->child2());
532                 node->clearFlags(NodeMustGenerate);
533                 break;
534             }
535
536             if (node->op() != CompareEq)
537                 break;
538             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
539                 fixEdge<SymbolUse>(node->child1());
540                 fixEdge<SymbolUse>(node->child2());
541                 node->clearFlags(NodeMustGenerate);
542                 break;
543             }
544             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
545                 fixEdge<ObjectUse>(node->child1());
546                 fixEdge<ObjectUse>(node->child2());
547                 node->clearFlags(NodeMustGenerate);
548                 break;
549             }
550
551             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
552             bool oneArgumentIsUsedAsSpecOther = false;
553             if (node->child1()->isUndefinedOrNullConstant()) {
554                 fixEdge<OtherUse>(node->child1());
555                 oneArgumentIsUsedAsSpecOther = true;
556             } else if (node->child1()->shouldSpeculateOther()) {
557                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
558                     Edge(node->child1().node(), OtherUse));
559                 fixEdge<OtherUse>(node->child1());
560                 oneArgumentIsUsedAsSpecOther = true;
561             }
562             if (node->child2()->isUndefinedOrNullConstant()) {
563                 fixEdge<OtherUse>(node->child2());
564                 oneArgumentIsUsedAsSpecOther = true;
565             } else if (node->child2()->shouldSpeculateOther()) {
566                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
567                     Edge(node->child2().node(), OtherUse));
568                 fixEdge<OtherUse>(node->child2());
569                 oneArgumentIsUsedAsSpecOther = true;
570             }
571             if (oneArgumentIsUsedAsSpecOther) {
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575
576             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
577                 fixEdge<ObjectUse>(node->child1());
578                 fixEdge<ObjectOrOtherUse>(node->child2());
579                 node->clearFlags(NodeMustGenerate);
580                 break;
581             }
582             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
583                 fixEdge<ObjectOrOtherUse>(node->child1());
584                 fixEdge<ObjectUse>(node->child2());
585                 node->clearFlags(NodeMustGenerate);
586                 break;
587             }
588
589             break;
590         }
591             
592         case CompareStrictEq: {
593             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
594                 fixEdge<BooleanUse>(node->child1());
595                 fixEdge<BooleanUse>(node->child2());
596                 break;
597             }
598             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
599                 fixEdge<Int32Use>(node->child1());
600                 fixEdge<Int32Use>(node->child2());
601                 break;
602             }
603             if (enableInt52()
604                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
605                 fixEdge<Int52RepUse>(node->child1());
606                 fixEdge<Int52RepUse>(node->child2());
607                 break;
608             }
609             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
610                 fixEdge<DoubleRepUse>(node->child1());
611                 fixEdge<DoubleRepUse>(node->child2());
612                 break;
613             }
614             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
615                 fixEdge<SymbolUse>(node->child1());
616                 fixEdge<SymbolUse>(node->child2());
617                 break;
618             }
619             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
620                 fixEdge<StringIdentUse>(node->child1());
621                 fixEdge<StringIdentUse>(node->child2());
622                 break;
623             }
624             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
625                 fixEdge<StringUse>(node->child1());
626                 fixEdge<StringUse>(node->child2());
627                 break;
628             }
629             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
630             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
631                 
632                 if (node->child1()->shouldSpeculateObject()) {
633                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
634                     fixEdge<ObjectUse>(node->child1());
635                     break;
636                 }
637                 if (node->child2()->shouldSpeculateObject()) {
638                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
639                     fixEdge<ObjectUse>(node->child2());
640                     break;
641                 }
642                 
643             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
644                 fixEdge<ObjectUse>(node->child1());
645                 fixEdge<ObjectUse>(node->child2());
646                 break;
647             }
648             if (node->child1()->shouldSpeculateSymbol()) {
649                 fixEdge<SymbolUse>(node->child1());
650                 break;
651             }
652             if (node->child2()->shouldSpeculateSymbol()) {
653                 fixEdge<SymbolUse>(node->child2());
654                 break;
655             }
656             if (node->child1()->shouldSpeculateMisc()) {
657                 fixEdge<MiscUse>(node->child1());
658                 break;
659             }
660             if (node->child2()->shouldSpeculateMisc()) {
661                 fixEdge<MiscUse>(node->child2());
662                 break;
663             }
664             if (node->child1()->shouldSpeculateStringIdent()
665                 && node->child2()->shouldSpeculateNotStringVar()) {
666                 fixEdge<StringIdentUse>(node->child1());
667                 fixEdge<NotStringVarUse>(node->child2());
668                 break;
669             }
670             if (node->child2()->shouldSpeculateStringIdent()
671                 && node->child1()->shouldSpeculateNotStringVar()) {
672                 fixEdge<StringIdentUse>(node->child2());
673                 fixEdge<NotStringVarUse>(node->child1());
674                 break;
675             }
676             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
677                 fixEdge<StringUse>(node->child1());
678                 break;
679             }
680             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
681                 fixEdge<StringUse>(node->child2());
682                 break;
683             }
684             break;
685         }
686             
687         case StringFromCharCode:
688             if (node->child1()->shouldSpeculateInt32())
689                 fixEdge<Int32Use>(node->child1());
690             else
691                 fixEdge<UntypedUse>(node->child1());
692             break;
693
694         case StringCharAt:
695         case StringCharCodeAt: {
696             // Currently we have no good way of refining these.
697             ASSERT(node->arrayMode() == ArrayMode(Array::String));
698             blessArrayOperation(node->child1(), node->child2(), node->child3());
699             fixEdge<KnownCellUse>(node->child1());
700             fixEdge<Int32Use>(node->child2());
701             break;
702         }
703
704         case GetByVal: {
705             if (!node->prediction()) {
706                 m_insertionSet.insertNode(
707                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
708             }
709             
710             node->setArrayMode(
711                 node->arrayMode().refine(
712                     m_graph, node,
713                     m_graph.varArgChild(node, 0)->prediction(),
714                     m_graph.varArgChild(node, 1)->prediction(),
715                     SpecNone));
716             
717             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
718             
719             ArrayMode arrayMode = node->arrayMode();
720             switch (arrayMode.type()) {
721             case Array::Contiguous:
722             case Array::Double:
723                 if (arrayMode.arrayClass() == Array::OriginalArray
724                     && arrayMode.speculation() == Array::InBounds) {
725                     // Check if SaneChain will work on a per-type basis. Note that:
726                     //
727                     // 1) We don't want double arrays to sometimes return undefined, since
728                     // that would require a change to the return type and it would pessimise
729                     // things a lot. So, we'd only want to do that if we actually had
730                     // evidence that we could read from a hole. That's pretty annoying.
731                     // Likely the best way to handle that case is with an equivalent of
732                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
733                     // NaN are indistinguishable according to backwards propagation, and just
734                     // use SaneChain in that case. This happens to catch a lot of cases.
735                     //
736                     // 2) We don't want int32 array loads to have to do a hole check just to
737                     // coerce to Undefined, since that would mean twice the checks.
738                     //
739                     // This has two implications. First, we have to do more checks than we'd
740                     // like. It's unfortunate that we have to do the hole check. Second,
741                     // some accesses that hit a hole will now need to take the full-blown
742                     // out-of-bounds slow path. We can fix that with:
743                     // https://bugs.webkit.org/show_bug.cgi?id=144668
744                     
745                     bool canDoSaneChain = false;
746                     switch (arrayMode.type()) {
747                     case Array::Contiguous:
748                         // This is happens to be entirely natural. We already would have
749                         // returned any JSValue, and now we'll return Undefined. We still do
750                         // the check but it doesn't require taking any kind of slow path.
751                         canDoSaneChain = true;
752                         break;
753                         
754                     case Array::Double:
755                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
756                             // Holes look like NaN already, so if the user doesn't care
757                             // about the difference between Undefined and NaN then we can
758                             // do this.
759                             canDoSaneChain = true;
760                         }
761                         break;
762                         
763                     default:
764                         break;
765                     }
766                     
767                     if (canDoSaneChain) {
768                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
769                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
770                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
771                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
772                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
773                             && globalObject->arrayPrototypeChainIsSane()) {
774                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
775                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
776                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
777                         }
778                     }
779                 }
780                 break;
781                 
782             case Array::String:
783                 if ((node->prediction() & ~SpecString)
784                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
785                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
786                 break;
787                 
788             default:
789                 break;
790             }
791             
792             arrayMode = node->arrayMode();
793             switch (arrayMode.type()) {
794             case Array::SelectUsingPredictions:
795             case Array::Unprofiled:
796                 RELEASE_ASSERT_NOT_REACHED();
797                 break;
798             case Array::Generic:
799                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
800                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
801                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
802                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
803                         break;
804                     }
805
806                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
807                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
808                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
809                         break;
810                     }
811                 }
812 #if USE(JSVALUE32_64)
813                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
814 #endif
815                 break;
816             case Array::ForceExit:
817                 break;
818             default:
819                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
820                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
821                 break;
822             }
823             
824             switch (arrayMode.type()) {
825             case Array::Double:
826                 if (!arrayMode.isOutOfBounds())
827                     node->setResult(NodeResultDouble);
828                 break;
829                 
830             case Array::Float32Array:
831             case Array::Float64Array:
832                 node->setResult(NodeResultDouble);
833                 break;
834                 
835             case Array::Uint32Array:
836                 if (node->shouldSpeculateInt32())
837                     break;
838                 if (node->shouldSpeculateAnyInt() && enableInt52())
839                     node->setResult(NodeResultInt52);
840                 else
841                     node->setResult(NodeResultDouble);
842                 break;
843                 
844             default:
845                 break;
846             }
847             
848             break;
849         }
850
851         case PutByValDirect:
852         case PutByVal:
853         case PutByValAlias: {
854             Edge& child1 = m_graph.varArgChild(node, 0);
855             Edge& child2 = m_graph.varArgChild(node, 1);
856             Edge& child3 = m_graph.varArgChild(node, 2);
857
858             node->setArrayMode(
859                 node->arrayMode().refine(
860                     m_graph, node,
861                     child1->prediction(),
862                     child2->prediction(),
863                     child3->prediction()));
864             
865             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
866             
867             switch (node->arrayMode().modeForPut().type()) {
868             case Array::SelectUsingPredictions:
869             case Array::SelectUsingArguments:
870             case Array::Unprofiled:
871             case Array::Undecided:
872                 RELEASE_ASSERT_NOT_REACHED();
873                 break;
874             case Array::ForceExit:
875             case Array::Generic:
876                 if (child1->shouldSpeculateCell()) {
877                     if (child2->shouldSpeculateString()) {
878                         fixEdge<CellUse>(child1);
879                         fixEdge<StringUse>(child2);
880                         break;
881                     }
882
883                     if (child2->shouldSpeculateSymbol()) {
884                         fixEdge<CellUse>(child1);
885                         fixEdge<SymbolUse>(child2);
886                         break;
887                     }
888                 }
889 #if USE(JSVALUE32_64)
890                 // Due to register pressure on 32-bit, we speculate cell and
891                 // ignore the base-is-not-cell case entirely by letting the
892                 // baseline JIT handle it.
893                 fixEdge<CellUse>(child1);
894 #endif
895                 break;
896             case Array::Int32:
897                 fixEdge<KnownCellUse>(child1);
898                 fixEdge<Int32Use>(child2);
899                 fixEdge<Int32Use>(child3);
900                 break;
901             case Array::Double:
902                 fixEdge<KnownCellUse>(child1);
903                 fixEdge<Int32Use>(child2);
904                 fixEdge<DoubleRepRealUse>(child3);
905                 break;
906             case Array::Int8Array:
907             case Array::Int16Array:
908             case Array::Int32Array:
909             case Array::Uint8Array:
910             case Array::Uint8ClampedArray:
911             case Array::Uint16Array:
912             case Array::Uint32Array:
913                 fixEdge<KnownCellUse>(child1);
914                 fixEdge<Int32Use>(child2);
915                 if (child3->shouldSpeculateInt32())
916                     fixIntOrBooleanEdge(child3);
917                 else if (child3->shouldSpeculateAnyInt())
918                     fixEdge<Int52RepUse>(child3);
919                 else
920                     fixDoubleOrBooleanEdge(child3);
921                 break;
922             case Array::Float32Array:
923             case Array::Float64Array:
924                 fixEdge<KnownCellUse>(child1);
925                 fixEdge<Int32Use>(child2);
926                 fixDoubleOrBooleanEdge(child3);
927                 break;
928             case Array::Contiguous:
929             case Array::ArrayStorage:
930             case Array::SlowPutArrayStorage:
931                 fixEdge<KnownCellUse>(child1);
932                 fixEdge<Int32Use>(child2);
933                 speculateForBarrier(child3);
934                 break;
935             default:
936                 fixEdge<KnownCellUse>(child1);
937                 fixEdge<Int32Use>(child2);
938                 break;
939             }
940             break;
941         }
942             
943         case AtomicsAdd:
944         case AtomicsAnd:
945         case AtomicsCompareExchange:
946         case AtomicsExchange:
947         case AtomicsLoad:
948         case AtomicsOr:
949         case AtomicsStore:
950         case AtomicsSub:
951         case AtomicsXor: {
952             Edge& base = m_graph.child(node, 0);
953             Edge& index = m_graph.child(node, 1);
954             
955             bool badNews = false;
956             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
957                 Edge& child = m_graph.child(node, 2 + i);
958                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
959                 // just call the function when that happens. But the FTL is totally cool with those
960                 // conversions.
961                 if (!child->shouldSpeculateInt32()
962                     && !child->shouldSpeculateAnyInt()
963                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
964                     badNews = true;
965             }
966             
967             if (badNews) {
968                 node->setArrayMode(ArrayMode(Array::Generic));
969                 break;
970             }
971             
972             node->setArrayMode(
973                 node->arrayMode().refine(
974                     m_graph, node, base->prediction(), index->prediction()));
975             
976             if (node->arrayMode().type() == Array::Generic)
977                 break;
978             
979             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
980                 Edge& child = m_graph.child(node, 2 + i);
981                 if (child->shouldSpeculateInt32())
982                     fixIntOrBooleanEdge(child);
983                 else if (child->shouldSpeculateAnyInt())
984                     fixEdge<Int52RepUse>(child);
985                 else {
986                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
987                     fixDoubleOrBooleanEdge(child);
988                 }
989             }
990             
991             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
992             fixEdge<CellUse>(base);
993             fixEdge<Int32Use>(index);
994             
995             if (node->arrayMode().type() == Array::Uint32Array) {
996                 // NOTE: This means basically always doing Int52.
997                 if (node->shouldSpeculateAnyInt() && enableInt52())
998                     node->setResult(NodeResultInt52);
999                 else
1000                     node->setResult(NodeResultDouble);
1001             }
1002             break;
1003         }
1004             
1005         case AtomicsIsLockFree:
1006             if (node->child1()->shouldSpeculateInt32())
1007                 fixIntOrBooleanEdge(node->child1());
1008             break;
1009             
1010         case ArrayPush: {
1011             // May need to refine the array mode in case the value prediction contravenes
1012             // the array prediction. For example, we may have evidence showing that the
1013             // array is in Int32 mode, but the value we're storing is likely to be a double.
1014             // Then we should turn this into a conversion to Double array followed by the
1015             // push. On the other hand, we absolutely don't want to refine based on the
1016             // base prediction. If it has non-cell garbage in it, then we want that to be
1017             // ignored. That's because ArrayPush can't handle any array modes that aren't
1018             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1019             // that would break things.
1020             Edge& storageEdge = m_graph.varArgChild(node, 0);
1021             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1022             unsigned elementOffset = 2;
1023             unsigned elementCount = node->numChildren() - elementOffset;
1024             for (unsigned i = 0; i < elementCount; ++i) {
1025                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1026                 node->setArrayMode(
1027                     node->arrayMode().refine(
1028                         m_graph, node,
1029                         arrayEdge->prediction() & SpecCell,
1030                         SpecInt32Only,
1031                         element->prediction()));
1032             }
1033             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1034             fixEdge<KnownCellUse>(arrayEdge);
1035
1036             // Convert `array.push()` to GetArrayLength.
1037             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1038                 node->setOpAndDefaultFlags(GetArrayLength);
1039                 node->child1() = arrayEdge;
1040                 node->child2() = storageEdge;
1041                 fixEdge<KnownCellUse>(node->child1());
1042                 break;
1043             }
1044
1045             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1046             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1047             for (unsigned i = 0; i < elementCount; ++i) {
1048                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1049                 switch (node->arrayMode().type()) {
1050                 case Array::Int32:
1051                     insertCheck<Int32Use>(element.node());
1052                     fixEdge<KnownInt32Use>(element);
1053                     break;
1054                 case Array::Double:
1055                     insertCheck<DoubleRepRealUse>(element.node());
1056                     fixEdge<DoubleRepUse>(element);
1057                     break;
1058                 case Array::Contiguous:
1059                 case Array::ArrayStorage:
1060                     speculateForBarrier(element);
1061                     break;
1062                 default:
1063                     break;
1064                 }
1065                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1066             }
1067             break;
1068         }
1069             
1070         case ArrayPop: {
1071             blessArrayOperation(node->child1(), Edge(), node->child2());
1072             fixEdge<KnownCellUse>(node->child1());
1073             break;
1074         }
1075
1076         case ArraySlice: {
1077             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1078             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1079             if (node->numChildren() == 4)
1080                 fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1081             break;
1082         }
1083
1084         case ArrayIndexOf:
1085             fixupArrayIndexOf(node);
1086             break;
1087             
1088         case RegExpExec:
1089         case RegExpTest: {
1090             fixEdge<KnownCellUse>(node->child1());
1091             
1092             if (node->child2()->shouldSpeculateRegExpObject()) {
1093                 fixEdge<RegExpObjectUse>(node->child2());
1094
1095                 if (node->child3()->shouldSpeculateString())
1096                     fixEdge<StringUse>(node->child3());
1097             }
1098             break;
1099         }
1100
1101         case RegExpMatchFast: {
1102             fixEdge<KnownCellUse>(node->child1());
1103             fixEdge<RegExpObjectUse>(node->child2());
1104             fixEdge<StringUse>(node->child3());
1105             break;
1106         }
1107
1108         case StringReplace:
1109         case StringReplaceRegExp: {
1110             if (node->child2()->shouldSpeculateString()) {
1111                 m_insertionSet.insertNode(
1112                     m_indexInBlock, SpecNone, Check, node->origin,
1113                     Edge(node->child2().node(), StringUse));
1114                 fixEdge<StringUse>(node->child2());
1115             } else if (op == StringReplace) {
1116                 if (node->child2()->shouldSpeculateRegExpObject())
1117                     addStringReplacePrimordialChecks(node->child2().node());
1118                 else 
1119                     m_insertionSet.insertNode(
1120                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1121             }
1122
1123             if (node->child1()->shouldSpeculateString()
1124                 && node->child2()->shouldSpeculateRegExpObject()
1125                 && node->child3()->shouldSpeculateString()) {
1126
1127                 fixEdge<StringUse>(node->child1());
1128                 fixEdge<RegExpObjectUse>(node->child2());
1129                 fixEdge<StringUse>(node->child3());
1130                 break;
1131             }
1132             break;
1133         }
1134             
1135         case Branch: {
1136             if (node->child1()->shouldSpeculateBoolean()) {
1137                 if (node->child1()->result() == NodeResultBoolean) {
1138                     // This is necessary in case we have a bytecode instruction implemented by:
1139                     //
1140                     // a: CompareEq(...)
1141                     // b: Branch(@a)
1142                     //
1143                     // In that case, CompareEq might have a side-effect. Then, we need to make
1144                     // sure that we know that Branch does not exit.
1145                     fixEdge<KnownBooleanUse>(node->child1());
1146                 } else
1147                     fixEdge<BooleanUse>(node->child1());
1148             } else if (node->child1()->shouldSpeculateObjectOrOther())
1149                 fixEdge<ObjectOrOtherUse>(node->child1());
1150             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1151                 fixIntOrBooleanEdge(node->child1());
1152             else if (node->child1()->shouldSpeculateNumber())
1153                 fixEdge<DoubleRepUse>(node->child1());
1154             else if (node->child1()->shouldSpeculateString())
1155                 fixEdge<StringUse>(node->child1());
1156             else if (node->child1()->shouldSpeculateStringOrOther())
1157                 fixEdge<StringOrOtherUse>(node->child1());
1158             else {
1159                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1160                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1161                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1162             }
1163             break;
1164         }
1165             
1166         case Switch: {
1167             SwitchData* data = node->switchData();
1168             switch (data->kind) {
1169             case SwitchImm:
1170                 if (node->child1()->shouldSpeculateInt32())
1171                     fixEdge<Int32Use>(node->child1());
1172                 break;
1173             case SwitchChar:
1174                 if (node->child1()->shouldSpeculateString())
1175                     fixEdge<StringUse>(node->child1());
1176                 break;
1177             case SwitchString:
1178                 if (node->child1()->shouldSpeculateStringIdent())
1179                     fixEdge<StringIdentUse>(node->child1());
1180                 else if (node->child1()->shouldSpeculateString())
1181                     fixEdge<StringUse>(node->child1());
1182                 break;
1183             case SwitchCell:
1184                 if (node->child1()->shouldSpeculateCell())
1185                     fixEdge<CellUse>(node->child1());
1186                 // else it's fine for this to have UntypedUse; we will handle this by just making
1187                 // non-cells take the default case.
1188                 break;
1189             }
1190             break;
1191         }
1192             
1193         case ToPrimitive: {
1194             fixupToPrimitive(node);
1195             break;
1196         }
1197
1198         case ToNumber: {
1199             fixupToNumber(node);
1200             break;
1201         }
1202             
1203         case ToString:
1204         case CallStringConstructor: {
1205             fixupToStringOrCallStringConstructor(node);
1206             break;
1207         }
1208             
1209         case NewStringObject: {
1210             fixEdge<KnownStringUse>(node->child1());
1211             break;
1212         }
1213
1214         case NewArrayWithSpread: {
1215             watchHavingABadTime(node);
1216             
1217             BitVector* bitVector = node->bitVector();
1218             for (unsigned i = node->numChildren(); i--;) {
1219                 if (bitVector->get(i))
1220                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1221                 else
1222                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1223             }
1224
1225             break;
1226         }
1227
1228         case Spread: {
1229             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1230             
1231             watchHavingABadTime(node->child1().node());
1232
1233             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1234             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1235             // that it doesn't contain any indexed properties, and that any holes will result in
1236             // jsUndefined().
1237             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
1238             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
1239             if (node->child1()->shouldSpeculateArray()
1240                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1241                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1242                 && globalObject->arrayPrototypeChainIsSane()
1243                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1244                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1245                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1246                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1247                 fixEdge<ArrayUse>(node->child1());
1248             } else
1249                 fixEdge<CellUse>(node->child1());
1250             break;
1251         }
1252             
1253         case NewArray: {
1254             watchHavingABadTime(node);
1255             
1256             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1257                 node->setIndexingType(
1258                     leastUpperBoundOfIndexingTypeAndType(
1259                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1260             }
1261             switch (node->indexingType()) {
1262             case ALL_BLANK_INDEXING_TYPES:
1263                 CRASH();
1264                 break;
1265             case ALL_UNDECIDED_INDEXING_TYPES:
1266                 if (node->numChildren()) {
1267                     // This will only happen if the children have no type predictions. We
1268                     // would have already exited by now, but insert a forced exit just to
1269                     // be safe.
1270                     m_insertionSet.insertNode(
1271                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1272                 }
1273                 break;
1274             case ALL_INT32_INDEXING_TYPES:
1275                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1276                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1277                 break;
1278             case ALL_DOUBLE_INDEXING_TYPES:
1279                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1280                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1281                 break;
1282             case ALL_CONTIGUOUS_INDEXING_TYPES:
1283             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1284                 break;
1285             default:
1286                 CRASH();
1287                 break;
1288             }
1289             break;
1290         }
1291             
1292         case NewTypedArray: {
1293             watchHavingABadTime(node);
1294             
1295             if (node->child1()->shouldSpeculateInt32()) {
1296                 fixEdge<Int32Use>(node->child1());
1297                 node->clearFlags(NodeMustGenerate);
1298                 break;
1299             }
1300             break;
1301         }
1302             
1303         case NewArrayWithSize: {
1304             watchHavingABadTime(node);
1305             fixEdge<Int32Use>(node->child1());
1306             break;
1307         }
1308
1309         case NewArrayBuffer: {
1310             watchHavingABadTime(node);
1311             break;
1312         }
1313
1314         case ToObject: {
1315             fixupToObject(node);
1316             break;
1317         }
1318
1319         case CallObjectConstructor: {
1320             fixupCallObjectConstructor(node);
1321             break;
1322         }
1323
1324         case ToThis: {
1325             fixupToThis(node);
1326             break;
1327         }
1328             
1329         case PutStructure: {
1330             fixEdge<KnownCellUse>(node->child1());
1331             break;
1332         }
1333             
1334         case GetClosureVar:
1335         case GetFromArguments: {
1336             fixEdge<KnownCellUse>(node->child1());
1337             break;
1338         }
1339
1340         case PutClosureVar:
1341         case PutToArguments: {
1342             fixEdge<KnownCellUse>(node->child1());
1343             speculateForBarrier(node->child2());
1344             break;
1345         }
1346
1347         case SkipScope:
1348         case GetScope:
1349         case GetGetter:
1350         case GetSetter:
1351         case GetGlobalObject: {
1352             fixEdge<KnownCellUse>(node->child1());
1353             break;
1354         }
1355             
1356         case AllocatePropertyStorage:
1357         case ReallocatePropertyStorage: {
1358             fixEdge<KnownCellUse>(node->child1());
1359             break;
1360         }
1361             
1362         case NukeStructureAndSetButterfly: {
1363             fixEdge<KnownCellUse>(node->child1());
1364             break;
1365         }
1366
1367         case TryGetById: {
1368             if (node->child1()->shouldSpeculateCell())
1369                 fixEdge<CellUse>(node->child1());
1370             break;
1371         }
1372
1373         case GetById:
1374         case GetByIdFlush: {
1375             // FIXME: This should be done in the ByteCodeParser based on reading the
1376             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1377             // https://bugs.webkit.org/show_bug.cgi?id=154990
1378             auto uid = m_graph.identifiers()[node->identifierNumber()];
1379             if (node->child1()->shouldSpeculateCellOrOther()
1380                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1381                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1382                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1383                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1384                 
1385                 if (uid == vm().propertyNames->length.impl()) {
1386                     attemptToMakeGetArrayLength(node);
1387                     break;
1388                 }
1389
1390                 if (uid == vm().propertyNames->lastIndex.impl()
1391                     && node->child1()->shouldSpeculateRegExpObject()) {
1392                     node->setOp(GetRegExpObjectLastIndex);
1393                     node->clearFlags(NodeMustGenerate);
1394                     fixEdge<RegExpObjectUse>(node->child1());
1395                     break;
1396                 }
1397             }
1398
1399             if (node->child1()->shouldSpeculateNumber()) {
1400                 if (uid == vm().propertyNames->toString.impl()) {
1401                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1402                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1403                         if (node->child1()->shouldSpeculateInt32()) {
1404                             insertCheck<Int32Use>(node->child1().node());
1405                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1406                             break;
1407                         }
1408
1409                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1410                             insertCheck<Int52RepUse>(node->child1().node());
1411                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1412                             break;
1413                         }
1414
1415                         ASSERT(node->child1()->shouldSpeculateNumber());
1416                         insertCheck<DoubleRepUse>(node->child1().node());
1417                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1418                         break;
1419                     }
1420                 }
1421             }
1422
1423             if (node->child1()->shouldSpeculateCell())
1424                 fixEdge<CellUse>(node->child1());
1425             break;
1426         }
1427         
1428         case GetByIdWithThis: {
1429             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1430                 fixEdge<CellUse>(node->child1());
1431                 fixEdge<CellUse>(node->child2());
1432             }
1433             break;
1434         }
1435
1436         case PutById:
1437         case PutByIdFlush:
1438         case PutByIdDirect: {
1439             if (node->child1()->shouldSpeculateCellOrOther()
1440                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1441                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1442                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1443                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1444                 
1445                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1446                 
1447                 if (uid == vm().propertyNames->lastIndex.impl()
1448                     && node->child1()->shouldSpeculateRegExpObject()) {
1449                     node->convertToSetRegExpObjectLastIndex();
1450                     fixEdge<RegExpObjectUse>(node->child1());
1451                     speculateForBarrier(node->child2());
1452                     break;
1453                 }
1454             }
1455             
1456             fixEdge<CellUse>(node->child1());
1457             break;
1458         }
1459
1460         case PutGetterById:
1461         case PutSetterById: {
1462             fixEdge<KnownCellUse>(node->child1());
1463             fixEdge<KnownCellUse>(node->child2());
1464             break;
1465         }
1466
1467         case PutGetterSetterById: {
1468             fixEdge<KnownCellUse>(node->child1());
1469             break;
1470         }
1471
1472         case PutGetterByVal:
1473         case PutSetterByVal: {
1474             fixEdge<KnownCellUse>(node->child1());
1475             fixEdge<KnownCellUse>(node->child3());
1476             break;
1477         }
1478
1479         case GetExecutable: {
1480             fixEdge<FunctionUse>(node->child1());
1481             break;
1482         }
1483
1484         case OverridesHasInstance:
1485         case CheckStructure:
1486         case CheckCell:
1487         case CreateThis:
1488         case GetButterfly: {
1489             fixEdge<CellUse>(node->child1());
1490             break;
1491         }
1492
1493         case CheckStringIdent: {
1494             fixEdge<StringIdentUse>(node->child1());
1495             break;
1496         }
1497             
1498         case Arrayify:
1499         case ArrayifyToStructure: {
1500             fixEdge<CellUse>(node->child1());
1501             if (node->child2())
1502                 fixEdge<Int32Use>(node->child2());
1503             break;
1504         }
1505             
1506         case GetByOffset:
1507         case GetGetterSetterByOffset: {
1508             if (!node->child1()->hasStorageResult())
1509                 fixEdge<KnownCellUse>(node->child1());
1510             fixEdge<KnownCellUse>(node->child2());
1511             break;
1512         }
1513             
1514         case MultiGetByOffset: {
1515             fixEdge<CellUse>(node->child1());
1516             break;
1517         }
1518             
1519         case PutByOffset: {
1520             if (!node->child1()->hasStorageResult())
1521                 fixEdge<KnownCellUse>(node->child1());
1522             fixEdge<KnownCellUse>(node->child2());
1523             unsigned index = indexForChecks();
1524             insertInferredTypeCheck(
1525                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1526                 node->storageAccessData().inferredType);
1527             speculateForBarrier(node->child3());
1528             break;
1529         }
1530             
1531         case MultiPutByOffset: {
1532             fixEdge<CellUse>(node->child1());
1533             break;
1534         }
1535             
1536         case InstanceOf: {
1537             if (!(node->child1()->prediction() & ~SpecCell))
1538                 fixEdge<CellUse>(node->child1());
1539             fixEdge<CellUse>(node->child2());
1540             break;
1541         }
1542
1543         case InstanceOfCustom:
1544             fixEdge<CellUse>(node->child2());
1545             break;
1546
1547         case In: {
1548             if (node->child2()->shouldSpeculateInt32()) {
1549                 convertToHasIndexedProperty(node);
1550                 break;
1551             }
1552
1553             fixEdge<CellUse>(node->child1());
1554             break;
1555         }
1556
1557         case HasOwnProperty: {
1558             fixEdge<ObjectUse>(node->child1());
1559 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1560             // We don't have enough registers to do anything interesting on x86 and mips.
1561             fixEdge<UntypedUse>(node->child2());
1562 #else
1563             if (node->child2()->shouldSpeculateString())
1564                 fixEdge<StringUse>(node->child2());
1565             else if (node->child2()->shouldSpeculateSymbol())
1566                 fixEdge<SymbolUse>(node->child2());
1567             else
1568                 fixEdge<UntypedUse>(node->child2());
1569 #endif
1570             break;
1571         }
1572
1573         case CheckVarargs:
1574         case Check: {
1575             m_graph.doToChildren(
1576                 node,
1577                 [&] (Edge& edge) {
1578                     switch (edge.useKind()) {
1579                     case NumberUse:
1580                         if (edge->shouldSpeculateInt32ForArithmetic())
1581                             edge.setUseKind(Int32Use);
1582                         break;
1583                     default:
1584                         break;
1585                     }
1586                     observeUseKindOnEdge(edge);
1587                 });
1588             break;
1589         }
1590
1591         case Phantom:
1592             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1593             node->remove(m_graph);
1594             break;
1595
1596         case FiatInt52: {
1597             RELEASE_ASSERT(enableInt52());
1598             node->convertToIdentity();
1599             fixEdge<Int52RepUse>(node->child1());
1600             node->setResult(NodeResultInt52);
1601             break;
1602         }
1603
1604         case GetArrayLength: {
1605             fixEdge<KnownCellUse>(node->child1());
1606             break;
1607         }
1608
1609         case GetTypedArrayByteOffset: {
1610             fixEdge<KnownCellUse>(node->child1());
1611             break;
1612         }
1613
1614         case CompareBelow:
1615         case CompareBelowEq: {
1616             fixEdge<Int32Use>(node->child1());
1617             fixEdge<Int32Use>(node->child2());
1618             break;
1619         }
1620
1621         case GetPrototypeOf: {
1622             fixupGetPrototypeOf(node);
1623             break;
1624         }
1625
1626         case Phi:
1627         case Upsilon:
1628         case EntrySwitch:
1629         case GetIndexedPropertyStorage:
1630         case LastNodeType:
1631         case CheckTierUpInLoop:
1632         case CheckTierUpAtReturn:
1633         case CheckTierUpAndOSREnter:
1634         case InvalidationPoint:
1635         case CheckArray:
1636         case CheckInBounds:
1637         case ConstantStoragePointer:
1638         case DoubleAsInt32:
1639         case ValueToInt32:
1640         case DoubleRep:
1641         case ValueRep:
1642         case Int52Rep:
1643         case Int52Constant:
1644         case Identity: // This should have been cleaned up.
1645         case BooleanToNumber:
1646         case PhantomNewObject:
1647         case PhantomNewFunction:
1648         case PhantomNewGeneratorFunction:
1649         case PhantomNewAsyncGeneratorFunction:
1650         case PhantomNewAsyncFunction:
1651         case PhantomCreateActivation:
1652         case PhantomDirectArguments:
1653         case PhantomCreateRest:
1654         case PhantomSpread:
1655         case PhantomNewArrayWithSpread:
1656         case PhantomNewArrayBuffer:
1657         case PhantomClonedArguments:
1658         case PhantomNewRegexp:
1659         case GetMyArgumentByVal:
1660         case GetMyArgumentByValOutOfBounds:
1661         case GetVectorLength:
1662         case PutHint:
1663         case CheckStructureImmediate:
1664         case CheckStructureOrEmpty:
1665         case MaterializeNewObject:
1666         case MaterializeCreateActivation:
1667         case PutStack:
1668         case KillStack:
1669         case GetStack:
1670         case StoreBarrier:
1671         case FencedStoreBarrier:
1672         case GetRegExpObjectLastIndex:
1673         case SetRegExpObjectLastIndex:
1674         case RecordRegExpCachedResult:
1675         case RegExpExecNonGlobalOrSticky:
1676         case RegExpMatchFastGlobal:
1677             // These are just nodes that we don't currently expect to see during fixup.
1678             // If we ever wanted to insert them prior to fixup, then we just have to create
1679             // fixup rules for them.
1680             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1681             break;
1682
1683         case PutGlobalVariable: {
1684             fixEdge<CellUse>(node->child1());
1685             speculateForBarrier(node->child2());
1686             break;
1687         }
1688
1689         case IsObject:
1690             if (node->child1()->shouldSpeculateObject()) {
1691                 m_insertionSet.insertNode(
1692                     m_indexInBlock, SpecNone, Check, node->origin,
1693                     Edge(node->child1().node(), ObjectUse));
1694                 m_graph.convertToConstant(node, jsBoolean(true));
1695                 observeUseKindOnNode<ObjectUse>(node);
1696             }
1697             break;
1698
1699         case IsCellWithType: {
1700             fixupIsCellWithType(node);
1701             break;
1702         }
1703
1704         case GetEnumerableLength: {
1705             fixEdge<CellUse>(node->child1());
1706             break;
1707         }
1708         case HasGenericProperty: {
1709             fixEdge<CellUse>(node->child2());
1710             break;
1711         }
1712         case HasStructureProperty: {
1713             fixEdge<StringUse>(node->child2());
1714             fixEdge<KnownCellUse>(node->child3());
1715             break;
1716         }
1717         case HasIndexedProperty: {
1718             node->setArrayMode(
1719                 node->arrayMode().refine(
1720                     m_graph, node,
1721                     node->child1()->prediction(),
1722                     node->child2()->prediction(),
1723                     SpecNone));
1724             
1725             blessArrayOperation(node->child1(), node->child2(), node->child3());
1726             fixEdge<CellUse>(node->child1());
1727             fixEdge<KnownInt32Use>(node->child2());
1728             break;
1729         }
1730         case GetDirectPname: {
1731             Edge& base = m_graph.varArgChild(node, 0);
1732             Edge& property = m_graph.varArgChild(node, 1);
1733             Edge& index = m_graph.varArgChild(node, 2);
1734             Edge& enumerator = m_graph.varArgChild(node, 3);
1735             fixEdge<CellUse>(base);
1736             fixEdge<KnownCellUse>(property);
1737             fixEdge<KnownInt32Use>(index);
1738             fixEdge<KnownCellUse>(enumerator);
1739             break;
1740         }
1741         case GetPropertyEnumerator: {
1742             if (node->child1()->shouldSpeculateCell())
1743                 fixEdge<CellUse>(node->child1());
1744             break;
1745         }
1746         case GetEnumeratorStructurePname: {
1747             fixEdge<KnownCellUse>(node->child1());
1748             fixEdge<KnownInt32Use>(node->child2());
1749             break;
1750         }
1751         case GetEnumeratorGenericPname: {
1752             fixEdge<KnownCellUse>(node->child1());
1753             fixEdge<KnownInt32Use>(node->child2());
1754             break;
1755         }
1756         case ToIndexString: {
1757             fixEdge<KnownInt32Use>(node->child1());
1758             break;
1759         }
1760         case ProfileType: {
1761             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1762             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1763             // type T for the instructionTypeSet, the global type set must also have information for type T.
1764             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1765             // in the globalTypeSet would've also succeeded.
1766             // (The other direction does not hold in general).
1767
1768             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1769             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1770             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1771                 if (node->child1()->shouldSpeculateInt32()) {
1772                     fixEdge<Int32Use>(node->child1());
1773                     node->remove(m_graph);
1774                     break;
1775                 }
1776
1777                 if (enableInt52()) {
1778                     fixEdge<AnyIntUse>(node->child1());
1779                     node->remove(m_graph);
1780                     break;
1781                 }
1782
1783                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1784             }
1785
1786             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1787                 fixEdge<NumberUse>(node->child1());
1788                 node->remove(m_graph);
1789             } else if (typeSet->doesTypeConformTo(TypeString)) {
1790                 fixEdge<StringUse>(node->child1());
1791                 node->remove(m_graph);
1792             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1793                 fixEdge<BooleanUse>(node->child1());
1794                 node->remove(m_graph);
1795             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1796                 fixEdge<OtherUse>(node->child1());
1797                 node->remove(m_graph);
1798             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1799                 StructureSet set;
1800                 {
1801                     ConcurrentJSLocker locker(typeSet->m_lock);
1802                     set = typeSet->structureSet(locker);
1803                 }
1804                 if (!set.isEmpty()) {
1805                     fixEdge<CellUse>(node->child1());
1806                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1807                 }
1808             }
1809
1810             break;
1811         }
1812
1813         case CreateClonedArguments: {
1814             watchHavingABadTime(node);
1815             break;
1816         }
1817
1818         case CreateScopedArguments:
1819         case CreateActivation:
1820         case NewFunction:
1821         case NewGeneratorFunction:
1822         case NewAsyncGeneratorFunction:
1823         case NewAsyncFunction: {
1824             // Child 1 is always the current scope, which is guaranteed to be an object
1825             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1826             fixEdge<KnownCellUse>(node->child1());
1827             break;
1828         }
1829
1830         case PushWithScope: {
1831             // Child 1 is always the current scope, which is guaranteed to be an object
1832             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1833             fixEdge<KnownCellUse>(node->child1());
1834             if (node->child2()->shouldSpeculateObject())
1835                 fixEdge<ObjectUse>(node->child2());
1836             break;
1837         }
1838
1839         case SetFunctionName: {
1840             // The first child is guaranteed to be a cell because op_set_function_name is only used
1841             // on a newly instantiated function object (the first child).
1842             fixEdge<KnownCellUse>(node->child1());
1843             fixEdge<UntypedUse>(node->child2());
1844             break;
1845         }
1846
1847         case CreateRest: {
1848             watchHavingABadTime(node);
1849             fixEdge<KnownInt32Use>(node->child1());
1850             break;
1851         }
1852
1853         case ResolveScopeForHoistingFuncDeclInEval: {
1854             fixEdge<KnownCellUse>(node->child1());
1855             break;
1856         }
1857         case ResolveScope:
1858         case GetDynamicVar:
1859         case PutDynamicVar: {
1860             fixEdge<KnownCellUse>(node->child1());
1861             break;
1862         }
1863
1864         case LogShadowChickenPrologue: {
1865             fixEdge<KnownCellUse>(node->child1());
1866             break;
1867         }
1868         case LogShadowChickenTail: {
1869             fixEdge<UntypedUse>(node->child1());
1870             fixEdge<KnownCellUse>(node->child2());
1871             break;
1872         }
1873
1874         case GetMapBucket:
1875             if (node->child1().useKind() == MapObjectUse)
1876                 fixEdge<MapObjectUse>(node->child1());
1877             else if (node->child1().useKind() == SetObjectUse)
1878                 fixEdge<SetObjectUse>(node->child1());
1879             else
1880                 RELEASE_ASSERT_NOT_REACHED();
1881
1882 #if USE(JSVALUE64)
1883             if (node->child2()->shouldSpeculateBoolean())
1884                 fixEdge<BooleanUse>(node->child2());
1885             else if (node->child2()->shouldSpeculateInt32())
1886                 fixEdge<Int32Use>(node->child2());
1887             else if (node->child2()->shouldSpeculateSymbol())
1888                 fixEdge<SymbolUse>(node->child2());
1889             else if (node->child2()->shouldSpeculateObject())
1890                 fixEdge<ObjectUse>(node->child2());
1891             else if (node->child2()->shouldSpeculateString())
1892                 fixEdge<StringUse>(node->child2());
1893             else if (node->child2()->shouldSpeculateCell())
1894                 fixEdge<CellUse>(node->child2());
1895             else
1896                 fixEdge<UntypedUse>(node->child2());
1897 #else
1898             fixEdge<UntypedUse>(node->child2());
1899 #endif // USE(JSVALUE64)
1900
1901             fixEdge<Int32Use>(node->child3());
1902             break;
1903
1904         case GetMapBucketHead:
1905             if (node->child1().useKind() == MapObjectUse)
1906                 fixEdge<MapObjectUse>(node->child1());
1907             else if (node->child1().useKind() == SetObjectUse)
1908                 fixEdge<SetObjectUse>(node->child1());
1909             else
1910                 RELEASE_ASSERT_NOT_REACHED();
1911             break;
1912
1913         case GetMapBucketNext:
1914         case LoadKeyFromMapBucket:
1915         case LoadValueFromMapBucket:
1916             fixEdge<CellUse>(node->child1());
1917             break;
1918
1919         case MapHash: {
1920 #if USE(JSVALUE64)
1921             if (node->child1()->shouldSpeculateBoolean()) {
1922                 fixEdge<BooleanUse>(node->child1());
1923                 break;
1924             }
1925
1926             if (node->child1()->shouldSpeculateInt32()) {
1927                 fixEdge<Int32Use>(node->child1());
1928                 break;
1929             }
1930
1931             if (node->child1()->shouldSpeculateSymbol()) {
1932                 fixEdge<SymbolUse>(node->child1());
1933                 break;
1934             }
1935
1936             if (node->child1()->shouldSpeculateObject()) {
1937                 fixEdge<ObjectUse>(node->child1());
1938                 break;
1939             }
1940
1941             if (node->child1()->shouldSpeculateString()) {
1942                 fixEdge<StringUse>(node->child1());
1943                 break;
1944             }
1945
1946             if (node->child1()->shouldSpeculateCell()) {
1947                 fixEdge<CellUse>(node->child1());
1948                 break;
1949             }
1950
1951             fixEdge<UntypedUse>(node->child1());
1952 #else
1953             fixEdge<UntypedUse>(node->child1());
1954 #endif // USE(JSVALUE64)
1955             break;
1956         }
1957
1958         case NormalizeMapKey: {
1959             fixupNormalizeMapKey(node);
1960             break;
1961         }
1962
1963         case WeakMapGet: {
1964             if (node->child1().useKind() == WeakMapObjectUse)
1965                 fixEdge<WeakMapObjectUse>(node->child1());
1966             else if (node->child1().useKind() == WeakSetObjectUse)
1967                 fixEdge<WeakSetObjectUse>(node->child1());
1968             else
1969                 RELEASE_ASSERT_NOT_REACHED();
1970             fixEdge<ObjectUse>(node->child2());
1971             fixEdge<Int32Use>(node->child3());
1972             break;
1973         }
1974
1975         case SetAdd: {
1976             fixEdge<SetObjectUse>(node->child1());
1977             fixEdge<Int32Use>(node->child3());
1978             break;
1979         }
1980
1981         case MapSet: {
1982             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1983             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1984             break;
1985         }
1986
1987         case WeakSetAdd: {
1988             fixEdge<WeakSetObjectUse>(node->child1());
1989             fixEdge<ObjectUse>(node->child2());
1990             fixEdge<Int32Use>(node->child3());
1991             break;
1992         }
1993
1994         case WeakMapSet: {
1995             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1996             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
1997             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1998             break;
1999         }
2000
2001         case DefineDataProperty: {
2002             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2003             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2004             if (propertyEdge->shouldSpeculateSymbol())
2005                 fixEdge<SymbolUse>(propertyEdge);
2006             else if (propertyEdge->shouldSpeculateStringIdent())
2007                 fixEdge<StringIdentUse>(propertyEdge);
2008             else if (propertyEdge->shouldSpeculateString())
2009                 fixEdge<StringUse>(propertyEdge);
2010             else
2011                 fixEdge<UntypedUse>(propertyEdge);
2012             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2013             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2014             break;
2015         }
2016
2017         case StringSlice: {
2018             fixEdge<StringUse>(node->child1());
2019             fixEdge<Int32Use>(node->child2());
2020             if (node->child3())
2021                 fixEdge<Int32Use>(node->child3());
2022             break;
2023         }
2024
2025         case ToLowerCase: {
2026             // We currently only support StringUse since that will ensure that
2027             // ToLowerCase is a pure operation. If we decide to update this with
2028             // more types in the future, we need to ensure that the clobberize rules
2029             // are correct.
2030             fixEdge<StringUse>(node->child1());
2031             break;
2032         }
2033
2034         case NumberToStringWithRadix: {
2035             if (node->child1()->shouldSpeculateInt32())
2036                 fixEdge<Int32Use>(node->child1());
2037             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2038                 fixEdge<Int52RepUse>(node->child1());
2039             else
2040                 fixEdge<DoubleRepUse>(node->child1());
2041             fixEdge<Int32Use>(node->child2());
2042             break;
2043         }
2044
2045         case DefineAccessorProperty: {
2046             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2047             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2048             if (propertyEdge->shouldSpeculateSymbol())
2049                 fixEdge<SymbolUse>(propertyEdge);
2050             else if (propertyEdge->shouldSpeculateStringIdent())
2051                 fixEdge<StringIdentUse>(propertyEdge);
2052             else if (propertyEdge->shouldSpeculateString())
2053                 fixEdge<StringUse>(propertyEdge);
2054             else
2055                 fixEdge<UntypedUse>(propertyEdge);
2056             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2057             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2058             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2059             break;
2060         }
2061
2062         case CheckSubClass: {
2063             fixupCheckSubClass(node);
2064             break;
2065         }
2066
2067         case CallDOMGetter: {
2068             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2069             fixEdge<CellUse>(node->child1()); // DOM.
2070             if (snippet && snippet->requireGlobalObject)
2071                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2072             break;
2073         }
2074
2075         case CallDOM: {
2076             fixupCallDOM(node);
2077             break;
2078         }
2079
2080         case Call: {
2081             attemptToMakeCallDOM(node);
2082             break;
2083         }
2084
2085         case ParseInt: {
2086             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2087                 fixEdge<Int32Use>(node->child1());
2088                 node->convertToIdentity();
2089                 break;
2090             }
2091
2092             if (node->child1()->shouldSpeculateString()) {
2093                 fixEdge<StringUse>(node->child1());
2094                 node->clearFlags(NodeMustGenerate);
2095             }
2096
2097             if (node->child2())
2098                 fixEdge<Int32Use>(node->child2());
2099
2100             break;
2101         }
2102
2103         case IdentityWithProfile: {
2104             node->clearFlags(NodeMustGenerate);
2105             break;
2106         }
2107
2108         case ThrowStaticError:
2109             fixEdge<StringUse>(node->child1());
2110             break;
2111
2112         case NumberIsInteger:
2113             if (node->child1()->shouldSpeculateInt32()) {
2114                 m_insertionSet.insertNode(
2115                     m_indexInBlock, SpecNone, Check, node->origin,
2116                     Edge(node->child1().node(), Int32Use));
2117                 m_graph.convertToConstant(node, jsBoolean(true));
2118                 break;
2119             }
2120             break;
2121
2122 #if !ASSERT_DISABLED
2123         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2124         case SetArgument:
2125         case JSConstant:
2126         case LazyJSConstant:
2127         case DoubleConstant:
2128         case GetLocal:
2129         case GetCallee:
2130         case GetArgumentCountIncludingThis:
2131         case SetArgumentCountIncludingThis:
2132         case GetRestLength:
2133         case GetArgument:
2134         case Flush:
2135         case PhantomLocal:
2136         case GetGlobalVar:
2137         case GetGlobalLexicalVariable:
2138         case NotifyWrite:
2139         case DirectCall:
2140         case CheckTypeInfoFlags:
2141         case TailCallInlinedCaller:
2142         case DirectTailCallInlinedCaller:
2143         case Construct:
2144         case DirectConstruct:
2145         case CallVarargs:
2146         case CallEval:
2147         case TailCallVarargsInlinedCaller:
2148         case ConstructVarargs:
2149         case CallForwardVarargs:
2150         case ConstructForwardVarargs:
2151         case TailCallForwardVarargs:
2152         case TailCallForwardVarargsInlinedCaller:
2153         case LoadVarargs:
2154         case ForwardVarargs:
2155         case ProfileControlFlow:
2156         case NewObject:
2157         case NewRegexp:
2158         case DeleteById:
2159         case DeleteByVal:
2160         case IsTypedArrayView:
2161         case IsEmpty:
2162         case IsUndefined:
2163         case IsBoolean:
2164         case IsNumber:
2165         case IsObjectOrNull:
2166         case IsFunction:
2167         case CreateDirectArguments:
2168         case Jump:
2169         case Return:
2170         case TailCall:
2171         case DirectTailCall:
2172         case TailCallVarargs:
2173         case Throw:
2174         case CountExecution:
2175         case SuperSamplerBegin:
2176         case SuperSamplerEnd:
2177         case ForceOSRExit:
2178         case CheckBadCell:
2179         case CheckNotEmpty:
2180         case AssertNotEmpty:
2181         case CheckTraps:
2182         case Unreachable:
2183         case ExtractOSREntryLocal:
2184         case ExtractCatchLocal:
2185         case LoopHint:
2186         case MovHint:
2187         case InitializeEntrypointArguments:
2188         case ZombieHint:
2189         case ExitOK:
2190         case BottomValue:
2191         case TypeOf:
2192         case PutByIdWithThis:
2193         case PutByValWithThis:
2194         case GetByValWithThis:
2195         case CompareEqPtr:
2196         case NumberToStringWithValidRadixConstant:
2197         case GetGlobalThis:
2198         case ExtractValueFromWeakMapGet:
2199         case CPUIntrinsic:
2200         case GetArrayMask:
2201             break;
2202 #else
2203         default:
2204             break;
2205 #endif
2206         }
2207     }
2208
2209     void watchHavingABadTime(Node* node)
2210     {
2211         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2212
2213         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2214         // does an array allocation. The types of array allocations may change if we start to have a bad
2215         // time. It's easier to reason about this if we know that whenever the types change after we start
2216         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2217         // prior to this point nobody should have been doing optimizations based on the indexing type of
2218         // the allocation.
2219         if (!globalObject->isHavingABadTime()) {
2220             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2221             m_graph.freeze(globalObject);
2222         }
2223     }
2224     
2225     template<UseKind useKind>
2226     void createToString(Node* node, Edge& edge)
2227     {
2228         Node* toString = m_insertionSet.insertNode(
2229             m_indexInBlock, SpecString, ToString, node->origin,
2230             Edge(edge.node(), useKind));
2231         switch (useKind) {
2232         case Int32Use:
2233         case Int52RepUse:
2234         case DoubleRepUse:
2235         case NotCellUse:
2236             toString->clearFlags(NodeMustGenerate);
2237             break;
2238         default:
2239             break;
2240         }
2241         edge.setNode(toString);
2242     }
2243     
2244     template<UseKind useKind>
2245     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2246     {
2247         ASSERT(arrayMode == ArrayMode(Array::Generic));
2248         
2249         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2250             return;
2251         
2252         createToString<useKind>(node, node->child1());
2253         arrayMode = ArrayMode(Array::String);
2254     }
2255     
2256     template<UseKind useKind>
2257     bool isStringObjectUse()
2258     {
2259         switch (useKind) {
2260         case StringObjectUse:
2261         case StringOrStringObjectUse:
2262             return true;
2263         default:
2264             return false;
2265         }
2266     }
2267     
2268     template<UseKind useKind>
2269     void convertStringAddUse(Node* node, Edge& edge)
2270     {
2271         if (useKind == StringUse) {
2272             observeUseKindOnNode<StringUse>(edge.node());
2273             m_insertionSet.insertNode(
2274                 m_indexInBlock, SpecNone, Check, node->origin,
2275                 Edge(edge.node(), StringUse));
2276             edge.setUseKind(KnownStringUse);
2277             return;
2278         }
2279         
2280         observeUseKindOnNode<useKind>(edge.node());
2281         createToString<useKind>(node, edge);
2282     }
2283     
2284     void convertToMakeRope(Node* node)
2285     {
2286         node->setOpAndDefaultFlags(MakeRope);
2287         fixupMakeRope(node);
2288     }
2289     
2290     void fixupMakeRope(Node* node)
2291     {
2292         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2293             Edge& edge = node->children.child(i);
2294             if (!edge)
2295                 break;
2296             edge.setUseKind(KnownStringUse);
2297             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2298             if (!string)
2299                 continue;
2300             if (string->length())
2301                 continue;
2302             
2303             // Don't allow the MakeRope to have zero children.
2304             if (!i && !node->child2())
2305                 break;
2306             
2307             node->children.removeEdge(i--);
2308         }
2309         
2310         if (!node->child2()) {
2311             ASSERT(!node->child3());
2312             node->convertToIdentity();
2313         }
2314     }
2315
2316     void fixupIsCellWithType(Node* node)
2317     {
2318         switch (node->speculatedTypeForQuery()) {
2319         case SpecString:
2320             if (node->child1()->shouldSpeculateString()) {
2321                 m_insertionSet.insertNode(
2322                     m_indexInBlock, SpecNone, Check, node->origin,
2323                     Edge(node->child1().node(), StringUse));
2324                 m_graph.convertToConstant(node, jsBoolean(true));
2325                 observeUseKindOnNode<StringUse>(node);
2326                 return;
2327             }
2328             break;
2329
2330         case SpecProxyObject:
2331             if (node->child1()->shouldSpeculateProxyObject()) {
2332                 m_insertionSet.insertNode(
2333                     m_indexInBlock, SpecNone, Check, node->origin,
2334                     Edge(node->child1().node(), ProxyObjectUse));
2335                 m_graph.convertToConstant(node, jsBoolean(true));
2336                 observeUseKindOnNode<ProxyObjectUse>(node);
2337                 return;
2338             }
2339             break;
2340
2341         case SpecRegExpObject:
2342             if (node->child1()->shouldSpeculateRegExpObject()) {
2343                 m_insertionSet.insertNode(
2344                     m_indexInBlock, SpecNone, Check, node->origin,
2345                     Edge(node->child1().node(), RegExpObjectUse));
2346                 m_graph.convertToConstant(node, jsBoolean(true));
2347                 observeUseKindOnNode<RegExpObjectUse>(node);
2348                 return;
2349             }
2350             break;
2351
2352         case SpecArray:
2353             if (node->child1()->shouldSpeculateArray()) {
2354                 m_insertionSet.insertNode(
2355                     m_indexInBlock, SpecNone, Check, node->origin,
2356                     Edge(node->child1().node(), ArrayUse));
2357                 m_graph.convertToConstant(node, jsBoolean(true));
2358                 observeUseKindOnNode<ArrayUse>(node);
2359                 return;
2360             }
2361             break;
2362
2363         case SpecDerivedArray:
2364             if (node->child1()->shouldSpeculateDerivedArray()) {
2365                 m_insertionSet.insertNode(
2366                     m_indexInBlock, SpecNone, Check, node->origin,
2367                     Edge(node->child1().node(), DerivedArrayUse));
2368                 m_graph.convertToConstant(node, jsBoolean(true));
2369                 observeUseKindOnNode<DerivedArrayUse>(node);
2370                 return;
2371             }
2372             break;
2373         }
2374
2375         if (node->child1()->shouldSpeculateCell()) {
2376             fixEdge<CellUse>(node->child1());
2377             return;
2378         }
2379
2380         if (node->child1()->shouldSpeculateNotCell()) {
2381             m_insertionSet.insertNode(
2382                 m_indexInBlock, SpecNone, Check, node->origin,
2383                 Edge(node->child1().node(), NotCellUse));
2384             m_graph.convertToConstant(node, jsBoolean(false));
2385             observeUseKindOnNode<NotCellUse>(node);
2386             return;
2387         }
2388     }
2389
2390     void fixupGetPrototypeOf(Node* node)
2391     {
2392         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2393         if (node->child1().useKind() != ObjectUse) {
2394             if (node->child1()->shouldSpeculateString()) {
2395                 insertCheck<StringUse>(node->child1().node());
2396                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2397                 return;
2398             }
2399             if (node->child1()->shouldSpeculateInt32()) {
2400                 insertCheck<Int32Use>(node->child1().node());
2401                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2402                 return;
2403             }
2404             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2405                 insertCheck<Int52RepUse>(node->child1().node());
2406                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2407                 return;
2408             }
2409             if (node->child1()->shouldSpeculateNumber()) {
2410                 insertCheck<NumberUse>(node->child1().node());
2411                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2412                 return;
2413             }
2414             if (node->child1()->shouldSpeculateSymbol()) {
2415                 insertCheck<SymbolUse>(node->child1().node());
2416                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2417                 return;
2418             }
2419             if (node->child1()->shouldSpeculateBoolean()) {
2420                 insertCheck<BooleanUse>(node->child1().node());
2421                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2422                 return;
2423             }
2424         }
2425
2426         if (node->child1()->shouldSpeculateFinalObject()) {
2427             fixEdge<FinalObjectUse>(node->child1());
2428             node->clearFlags(NodeMustGenerate);
2429             return;
2430         }
2431         if (node->child1()->shouldSpeculateArray()) {
2432             fixEdge<ArrayUse>(node->child1());
2433             node->clearFlags(NodeMustGenerate);
2434             return;
2435         }
2436         if (node->child1()->shouldSpeculateFunction()) {
2437             fixEdge<FunctionUse>(node->child1());
2438             node->clearFlags(NodeMustGenerate);
2439             return;
2440         }
2441     }
2442
2443     void fixupToThis(Node* node)
2444     {
2445         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2446
2447         if (ecmaMode == StrictMode) {
2448             if (node->child1()->shouldSpeculateBoolean()) {
2449                 fixEdge<BooleanUse>(node->child1());
2450                 node->convertToIdentity();
2451                 return;
2452             }
2453
2454             if (node->child1()->shouldSpeculateInt32()) {
2455                 fixEdge<Int32Use>(node->child1());
2456                 node->convertToIdentity();
2457                 return;
2458             }
2459
2460             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2461                 fixEdge<Int52RepUse>(node->child1());
2462                 node->convertToIdentity();
2463                 node->setResult(NodeResultInt52);
2464                 return;
2465             }
2466
2467             if (node->child1()->shouldSpeculateNumber()) {
2468                 fixEdge<DoubleRepUse>(node->child1());
2469                 node->convertToIdentity();
2470                 node->setResult(NodeResultDouble);
2471                 return;
2472             }
2473
2474             if (node->child1()->shouldSpeculateSymbol()) {
2475                 fixEdge<SymbolUse>(node->child1());
2476                 node->convertToIdentity();
2477                 return;
2478             }
2479
2480             if (node->child1()->shouldSpeculateStringIdent()) {
2481                 fixEdge<StringIdentUse>(node->child1());
2482                 node->convertToIdentity();
2483                 return;
2484             }
2485
2486             if (node->child1()->shouldSpeculateString()) {
2487                 fixEdge<StringUse>(node->child1());
2488                 node->convertToIdentity();
2489                 return;
2490             }
2491         }
2492
2493         if (node->child1()->shouldSpeculateOther()) {
2494             if (ecmaMode == StrictMode) {
2495                 fixEdge<OtherUse>(node->child1());
2496                 node->convertToIdentity();
2497                 return;
2498             }
2499
2500             m_insertionSet.insertNode(
2501                 m_indexInBlock, SpecNone, Check, node->origin,
2502                 Edge(node->child1().node(), OtherUse));
2503             observeUseKindOnNode<OtherUse>(node->child1().node());
2504             m_graph.convertToConstant(
2505                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2506             return;
2507         }
2508
2509         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2510         // however, since we cover all the missing cases in constant folding.
2511         // https://bugs.webkit.org/show_bug.cgi?id=157213
2512         if (node->child1()->shouldSpeculateStringObject()) {
2513             fixEdge<StringObjectUse>(node->child1());
2514             node->convertToIdentity();
2515             return;
2516         }
2517
2518         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2519             fixEdge<FinalObjectUse>(node->child1());
2520             node->convertToIdentity();
2521             return;
2522         }
2523     }
2524     
2525     void fixupToPrimitive(Node* node)
2526     {
2527         if (node->child1()->shouldSpeculateInt32()) {
2528             fixEdge<Int32Use>(node->child1());
2529             node->convertToIdentity();
2530             return;
2531         }
2532         
2533         if (node->child1()->shouldSpeculateString()) {
2534             fixEdge<StringUse>(node->child1());
2535             node->convertToIdentity();
2536             return;
2537         }
2538         
2539         if (node->child1()->shouldSpeculateStringObject()
2540             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2541             fixEdge<StringObjectUse>(node->child1());
2542             node->convertToToString();
2543             return;
2544         }
2545         
2546         if (node->child1()->shouldSpeculateStringOrStringObject()
2547             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2548             fixEdge<StringOrStringObjectUse>(node->child1());
2549             node->convertToToString();
2550             return;
2551         }
2552     }
2553
2554     void fixupToNumber(Node* node)
2555     {
2556         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2557         if (node->child1()->shouldSpeculateNumber()) {
2558             if (isInt32Speculation(node->getHeapPrediction())) {
2559                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2560                 if (node->child1()->shouldSpeculateInt32()) {
2561                     fixEdge<Int32Use>(node->child1());
2562                     node->convertToIdentity();
2563                     return;
2564                 }
2565
2566                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2567                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2568                 fixEdge<DoubleRepUse>(node->child1());
2569                 node->setOp(DoubleAsInt32);
2570                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2571                     node->setArithMode(Arith::CheckOverflow);
2572                 else
2573                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2574                 return;
2575             }
2576
2577             fixEdge<DoubleRepUse>(node->child1());
2578             node->convertToIdentity();
2579             node->setResult(NodeResultDouble);
2580             return;
2581         }
2582
2583         fixEdge<UntypedUse>(node->child1());
2584         node->setResult(NodeResultJS);
2585     }
2586
2587     void fixupToObject(Node* node)
2588     {
2589         if (node->child1()->shouldSpeculateObject()) {
2590             fixEdge<ObjectUse>(node->child1());
2591             node->convertToIdentity();
2592             return;
2593         }
2594
2595         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2596
2597         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2598
2599         if (node->child1()->shouldSpeculateString()) {
2600             insertCheck<StringUse>(node->child1().node());
2601             fixEdge<KnownStringUse>(node->child1());
2602             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2603             return;
2604         }
2605
2606         if (node->child1()->shouldSpeculateSymbol()) {
2607             insertCheck<SymbolUse>(node->child1().node());
2608             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2609             return;
2610         }
2611
2612         if (node->child1()->shouldSpeculateNumber()) {
2613             insertCheck<NumberUse>(node->child1().node());
2614             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2615             return;
2616         }
2617
2618         if (node->child1()->shouldSpeculateBoolean()) {
2619             insertCheck<BooleanUse>(node->child1().node());
2620             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2621             return;
2622         }
2623
2624         fixEdge<UntypedUse>(node->child1());
2625     }
2626
2627     void fixupCallObjectConstructor(Node* node)
2628     {
2629         if (node->child1()->shouldSpeculateObject()) {
2630             fixEdge<ObjectUse>(node->child1());
2631             node->convertToIdentity();
2632             return;
2633         }
2634
2635         if (node->child1()->shouldSpeculateString()) {
2636             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2637             insertCheck<StringUse>(node->child1().node());
2638             fixEdge<KnownStringUse>(node->child1());
2639             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2640             return;
2641         }
2642
2643         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2644         if (node->child1()->shouldSpeculateOther()) {
2645             insertCheck<OtherUse>(node->child1().node());
2646             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2647             return;
2648         }
2649
2650         fixEdge<UntypedUse>(node->child1());
2651     }
2652     
2653     void fixupToStringOrCallStringConstructor(Node* node)
2654     {
2655         if (node->child1()->shouldSpeculateString()) {
2656             fixEdge<StringUse>(node->child1());
2657             node->convertToIdentity();
2658             return;
2659         }
2660         
2661         if (node->child1()->shouldSpeculateStringObject()
2662             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2663             fixEdge<StringObjectUse>(node->child1());
2664             return;
2665         }
2666         
2667         if (node->child1()->shouldSpeculateStringOrStringObject()
2668             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2669             fixEdge<StringOrStringObjectUse>(node->child1());
2670             return;
2671         }
2672         
2673         if (node->child1()->shouldSpeculateCell()) {
2674             fixEdge<CellUse>(node->child1());
2675             return;
2676         }
2677
2678         if (node->child1()->shouldSpeculateInt32()) {
2679             fixEdge<Int32Use>(node->child1());
2680             node->clearFlags(NodeMustGenerate);
2681             return;
2682         }
2683
2684         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2685             fixEdge<Int52RepUse>(node->child1());
2686             node->clearFlags(NodeMustGenerate);
2687             return;
2688         }
2689
2690         if (node->child1()->shouldSpeculateNumber()) {
2691             fixEdge<DoubleRepUse>(node->child1());
2692             node->clearFlags(NodeMustGenerate);
2693             return;
2694         }
2695
2696         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2697         // we need to care about it in the clobberize. In the following case,
2698         // since NotCellUse edge filter is used and this edge filters Symbols,
2699         // we can say that ToString never throws an error!
2700         if (node->child1()->shouldSpeculateNotCell()) {
2701             fixEdge<NotCellUse>(node->child1());
2702             node->clearFlags(NodeMustGenerate);
2703             return;
2704         }
2705     }
2706
2707     bool attemptToMakeFastStringAdd(Node* node)
2708     {
2709         bool goodToGo = true;
2710         m_graph.doToChildren(
2711             node,
2712             [&] (Edge& edge) {
2713                 if (edge->shouldSpeculateString())
2714                     return;
2715                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2716                     if (edge->shouldSpeculateStringObject())
2717                         return;
2718                     if (edge->shouldSpeculateStringOrStringObject())
2719                         return;
2720                 }
2721                 goodToGo = false;
2722             });
2723         if (!goodToGo)
2724             return false;
2725
2726         m_graph.doToChildren(
2727             node,
2728             [&] (Edge& edge) {
2729                 if (edge->shouldSpeculateString()) {
2730                     convertStringAddUse<StringUse>(node, edge);
2731                     return;
2732                 }
2733                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2734                 if (edge->shouldSpeculateStringObject()) {
2735                     convertStringAddUse<StringObjectUse>(node, edge);
2736                     return;
2737                 }
2738                 if (edge->shouldSpeculateStringOrStringObject()) {
2739                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2740                     return;
2741                 }
2742                 RELEASE_ASSERT_NOT_REACHED();
2743             });
2744         
2745         convertToMakeRope(node);
2746         return true;
2747     }
2748
2749     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2750     {
2751         if (!block)
2752             return;
2753         ASSERT(block->isReachable);
2754         m_block = block;
2755         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2756             Node* node = m_currentNode = block->at(m_indexInBlock);
2757             if (node->op() != SetLocal && node->op() != GetLocal)
2758                 continue;
2759             
2760             VariableAccessData* variable = node->variableAccessData();
2761             switch (node->op()) {
2762             case GetLocal:
2763                 switch (variable->flushFormat()) {
2764                 case FlushedDouble:
2765                     node->setResult(NodeResultDouble);
2766                     break;
2767                 case FlushedInt52:
2768                     node->setResult(NodeResultInt52);
2769                     break;
2770                 default:
2771                     break;
2772                 }
2773                 break;
2774                 
2775             case SetLocal:
2776                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2777                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2778                 
2779                 switch (variable->flushFormat()) {
2780                 case FlushedJSValue:
2781                     break;
2782                 case FlushedDouble:
2783                     fixEdge<DoubleRepUse>(node->child1());
2784                     break;
2785                 case FlushedInt32:
2786                     fixEdge<Int32Use>(node->child1());
2787                     break;
2788                 case FlushedInt52:
2789                     fixEdge<Int52RepUse>(node->child1());
2790                     break;
2791                 case FlushedCell:
2792                     fixEdge<CellUse>(node->child1());
2793                     break;
2794                 case FlushedBoolean:
2795                     fixEdge<BooleanUse>(node->child1());
2796                     break;
2797                 default:
2798                     RELEASE_ASSERT_NOT_REACHED();
2799                     break;
2800                 }
2801                 break;
2802                 
2803             default:
2804                 RELEASE_ASSERT_NOT_REACHED();
2805                 break;
2806             }
2807         }
2808         m_insertionSet.execute(block);
2809     }
2810     
2811     void addStringReplacePrimordialChecks(Node* searchRegExp)
2812     {
2813         Node* node = m_currentNode;
2814
2815         // Check that structure of searchRegExp is RegExp object
2816         m_insertionSet.insertNode(
2817             m_indexInBlock, SpecNone, Check, node->origin,
2818             Edge(searchRegExp, RegExpObjectUse));
2819
2820         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2821             unsigned index = m_graph.identifiers().ensure(propertyUID);
2822
2823             Node* actualProperty = m_insertionSet.insertNode(
2824                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2825                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2826
2827             m_insertionSet.insertNode(
2828                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2829                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2830         };
2831
2832         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2833
2834         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2835         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2836         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2837         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2838         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2839         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2840         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2841         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2842     }
2843
2844     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2845     {
2846         ASSERT(arrayMode.isSpecific());
2847         
2848         if (arrayMode.type() == Array::String) {
2849             m_insertionSet.insertNode(
2850                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2851         } else {
2852             // Note that we only need to be using a structure check if we opt for SaneChain, since
2853             // that needs to protect against JSArray's __proto__ being changed.
2854             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2855         
2856             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2857             
2858             if (arrayMode.doesConversion()) {
2859                 if (structure) {
2860                     m_insertionSet.insertNode(
2861                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2862                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2863                 } else {
2864                     m_insertionSet.insertNode(
2865                         m_indexInBlock, SpecNone, Arrayify, origin,
2866                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2867                 }
2868             } else {
2869                 if (structure) {
2870                     m_insertionSet.insertNode(
2871                         m_indexInBlock, SpecNone, CheckStructure, origin,
2872                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2873                 } else {
2874                     m_insertionSet.insertNode(
2875                         m_indexInBlock, SpecNone, CheckArray, origin,
2876                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2877                 }
2878             }
2879         }
2880         
2881         if (!storageCheck(arrayMode))
2882             return nullptr;
2883         
2884         if (arrayMode.usesButterfly()) {
2885             return m_insertionSet.insertNode(
2886                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2887         }
2888         
2889         ASSERT(arrayMode.type() == Array::String || arrayMode.typedArrayType() != NotTypedArray);
2890         return m_insertionSet.insertNode(
2891             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2892             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2893     }
2894     
2895     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2896     {
2897         Node* node = m_currentNode;
2898         
2899         switch (node->arrayMode().type()) {
2900         case Array::ForceExit: {
2901             m_insertionSet.insertNode(
2902                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2903             return;
2904         }
2905             
2906         case Array::SelectUsingPredictions:
2907         case Array::Unprofiled:
2908             RELEASE_ASSERT_NOT_REACHED();
2909             return;
2910             
2911         case Array::Generic:
2912             return;
2913             
2914         default: {
2915             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2916             if (!storage)
2917                 return;
2918             
2919             storageChild = Edge(storage);
2920             return;
2921         } }
2922     }
2923     
2924     bool alwaysUnboxSimplePrimitives()
2925     {
2926 #if USE(JSVALUE64)
2927         return false;
2928 #else
2929         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2930         // reduces traffic.
2931         return true;
2932 #endif
2933     }
2934
2935     template<UseKind useKind>
2936     void observeUseKindOnNode(Node* node)
2937     {
2938         if (useKind == UntypedUse)
2939             return;
2940         observeUseKindOnNode(node, useKind);
2941     }
2942
2943     void observeUseKindOnEdge(Edge edge)
2944     {
2945         observeUseKindOnNode(edge.node(), edge.useKind());
2946     }
2947
2948     void observeUseKindOnNode(Node* node, UseKind useKind)
2949     {
2950         if (node->op() != GetLocal)
2951             return;
2952         
2953         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2954         // https://bugs.webkit.org/show_bug.cgi?id=121518
2955         
2956         VariableAccessData* variable = node->variableAccessData();
2957         switch (useKind) {
2958         case Int32Use:
2959         case KnownInt32Use:
2960             if (alwaysUnboxSimplePrimitives()
2961                 || isInt32Speculation(variable->prediction()))
2962                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2963             break;
2964         case NumberUse:
2965         case RealNumberUse:
2966         case DoubleRepUse:
2967         case DoubleRepRealUse:
2968             if (variable->doubleFormatState() == UsingDoubleFormat)
2969                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2970             break;
2971         case BooleanUse:
2972         case KnownBooleanUse:
2973             if (alwaysUnboxSimplePrimitives()
2974                 || isBooleanSpeculation(variable->prediction()))
2975                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2976             break;
2977         case Int52RepUse:
2978             if (isAnyIntSpeculation(variable->prediction()))
2979                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2980             break;
2981         case CellUse:
2982         case KnownCellUse:
2983         case ObjectUse:
2984         case FunctionUse:
2985         case StringUse:
2986         case KnownStringUse:
2987         case SymbolUse:
2988         case StringObjectUse:
2989         case StringOrStringObjectUse:
2990             if (alwaysUnboxSimplePrimitives()
2991                 || isCellSpeculation(variable->prediction()))
2992                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2993             break;
2994         default:
2995             break;
2996         }
2997     }
2998     
2999     template<UseKind useKind>
3000     void fixEdge(Edge& edge)
3001     {
3002         observeUseKindOnNode<useKind>(edge.node());
3003         edge.setUseKind(useKind);
3004     }
3005     
3006     unsigned indexForChecks()
3007     {
3008         unsigned index = m_indexInBlock;
3009         while (!m_block->at(index)->origin.exitOK)
3010             index--;
3011         return index;
3012     }
3013     
3014     NodeOrigin originForCheck(unsigned index)
3015     {
3016         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3017     }
3018     
3019     void speculateForBarrier(Edge value)
3020     {
3021         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3022         // the DFG anyway because if such a speculation would be wrong, we want to know before
3023         // we do an expensive compile.
3024         
3025         if (value->shouldSpeculateInt32()) {
3026             insertCheck<Int32Use>(value.node());
3027             return;
3028         }
3029             
3030         if (value->shouldSpeculateBoolean()) {
3031             insertCheck<BooleanUse>(value.node());
3032             return;
3033         }
3034             
3035         if (value->shouldSpeculateOther()) {
3036             insertCheck<OtherUse>(value.node());
3037             return;
3038         }
3039             
3040         if (value->shouldSpeculateNumber()) {
3041             insertCheck<NumberUse>(value.node());
3042             return;
3043         }
3044             
3045         if (value->shouldSpeculateNotCell()) {
3046             insertCheck<NotCellUse>(value.node());
3047             return;
3048         }
3049     }
3050     
3051     template<UseKind useKind>
3052     void insertCheck(Node* node)
3053     {
3054         observeUseKindOnNode<useKind>(node);
3055         unsigned index = indexForChecks();
3056         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3057     }
3058
3059     void fixIntConvertingEdge(Edge& edge)
3060     {
3061         Node* node = edge.node();
3062         if (node->shouldSpeculateInt32OrBoolean()) {
3063             fixIntOrBooleanEdge(edge);
3064             return;
3065         }
3066         
3067         UseKind useKind;
3068         if (node->shouldSpeculateAnyInt())
3069             useKind = Int52RepUse;
3070         else if (node->shouldSpeculateNumber())
3071             useKind = DoubleRepUse;
3072         else
3073             useKind = NotCellUse;
3074         Node* newNode = m_insertionSet.insertNode(
3075             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3076             Edge(node, useKind));
3077         observeUseKindOnNode(node, useKind);
3078         
3079         edge = Edge(newNode, KnownInt32Use);
3080     }
3081     
3082     void fixIntOrBooleanEdge(Edge& edge)
3083     {
3084         Node* node = edge.node();
3085         if (!node->sawBooleans()) {
3086             fixEdge<Int32Use>(edge);
3087             return;
3088         }
3089         
3090         UseKind useKind;
3091         if (node->shouldSpeculateBoolean())
3092             useKind = BooleanUse;
3093         else
3094             useKind = UntypedUse;
3095         Node* newNode = m_insertionSet.insertNode(
3096             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3097             Edge(node, useKind));
3098         observeUseKindOnNode(node, useKind);
3099         
3100         edge = Edge(newNode, Int32Use);
3101     }
3102     
3103     void fixDoubleOrBooleanEdge(Edge& edge)
3104     {
3105         Node* node = edge.node();
3106         if (!node->sawBooleans()) {
3107             fixEdge<DoubleRepUse>(edge);
3108             return;
3109         }
3110         
3111         UseKind useKind;
3112         if (node->shouldSpeculateBoolean())
3113             useKind = BooleanUse;
3114         else
3115             useKind = UntypedUse;
3116         Node* newNode = m_insertionSet.insertNode(
3117             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3118             Edge(node, useKind));
3119         observeUseKindOnNode(node, useKind);
3120         
3121         edge = Edge(newNode, DoubleRepUse);
3122     }
3123     
3124     void truncateConstantToInt32(Edge& edge)
3125     {
3126         Node* oldNode = edge.node();
3127         
3128         JSValue value = oldNode->asJSValue();
3129         if (value.isInt32())
3130             return;
3131         
3132         value = jsNumber(JSC::toInt32(value.asNumber()));
3133         ASSERT(value.isInt32());
3134         edge.setNode(m_insertionSet.insertNode(
3135             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3136             OpInfo(m_graph.freeze(value))));
3137     }
3138     
3139     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3140     {
3141         if (mode != SpeculateInt32AndTruncateConstants)
3142             return;
3143         
3144         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3145         if (node->child1()->hasConstant())
3146             truncateConstantToInt32(node->child1());
3147         else
3148             truncateConstantToInt32(node->child2());
3149     }
3150
3151     bool attemptToMakeIntegerAdd(Node* node)
3152     {
3153         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3154         if (mode != DontSpeculateInt32) {
3155             truncateConstantsIfNecessary(node, mode);
3156             fixIntOrBooleanEdge(node->child1());
3157             fixIntOrBooleanEdge(node->child2());
3158             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3159                 node->setArithMode(Arith::Unchecked);
3160             else
3161                 node->setArithMode(Arith::CheckOverflow);
3162             return true;
3163         }
3164         
3165         if (m_graph.addShouldSpeculateAnyInt(node)) {
3166             fixEdge<Int52RepUse>(node->child1());
3167             fixEdge<Int52RepUse>(node->child2());
3168             node->setArithMode(Arith::CheckOverflow);
3169             node->setResult(NodeResultInt52);
3170             return true;
3171         }
3172         
3173         return false;
3174     }
3175     
3176     bool attemptToMakeGetArrayLength(Node* node)
3177     {
3178         if (!isInt32Speculation(node->prediction()))
3179             return false;
3180         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3181         ArrayProfile* arrayProfile = 
3182             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3183         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
3184         if (arrayProfile) {
3185             ConcurrentJSLocker locker(profiledBlock->m_lock);
3186             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3187             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3188             if (arrayMode.type() == Array::Unprofiled) {
3189                 // For normal array operations, it makes sense to treat Unprofiled
3190                 // accesses as ForceExit and get more data rather than using
3191                 // predictions and then possibly ending up with a Generic. But here,
3192                 // we treat anything that is Unprofiled as Generic and keep the
3193                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3194                 // profit - from treating the Unprofiled case as
3195                 // SelectUsingPredictions.
3196                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
3197             }
3198         }
3199             
3200         arrayMode = arrayMode.refine(
3201             m_graph, node, node->child1()->prediction(), node->prediction());
3202             
3203         if (arrayMode.type() == Array::Generic) {
3204             // Check if the input is something that we can't get array length for, but for which we
3205             // could insert some conversions in order to transform it into something that we can do it
3206             // for.
3207             if (node->child1()->shouldSpeculateStringObject())
3208                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3209             else if (node->child1()->shouldSpeculateStringOrStringObject())
3210                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3211         }
3212             
3213         if (!arrayMode.supportsSelfLength())
3214             return false;
3215         
3216         convertToGetArrayLength(node, arrayMode);
3217         return true;
3218     }
3219
3220     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3221     {
3222         node->setOp(GetArrayLength);
3223         node->clearFlags(NodeMustGenerate);
3224         fixEdge<KnownCellUse>(node->child1());
3225         node->setArrayMode(arrayMode);
3226             
3227         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3228         if (!storage)
3229             return;
3230             
3231         node->child2() = Edge(storage);
3232     }
3233     
3234     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3235     {
3236         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3237         return m_insertionSet.insertNode(
3238             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3239             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3240     }
3241
3242     void convertToHasIndexedProperty(Node* node)
3243     {
3244         node->setOp(HasIndexedProperty);
3245         node->clearFlags(NodeMustGenerate);
3246         node->setArrayMode(
3247             node->arrayMode().refine(
3248                 m_graph, node,
3249                 node->child1()->prediction(),
3250                 node->child2()->prediction(),
3251                 SpecNone));
3252         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3253
3254         blessArrayOperation(node->child1(), node->child2(), node->child3());
3255
3256         fixEdge<CellUse>(node->child1());
3257         fixEdge<Int32Use>(node->child2());
3258     }
3259
3260     void fixupNormalizeMapKey(Node* node)
3261     {
3262         if (node->child1()->shouldSpeculateBoolean()) {
3263             fixEdge<BooleanUse>(node->child1());
3264             node->convertToIdentity();
3265             return;
3266         }
3267
3268         if (node->child1()->shouldSpeculateInt32()) {
3269             fixEdge<Int32Use>(node->child1());
3270             node->convertToIdentity();
3271             return;
3272         }
3273
3274         if (node->child1()->shouldSpeculateSymbol()) {
3275             fixEdge<SymbolUse>(node->child1());
3276             node->convertToIdentity();
3277             return;
3278         }
3279
3280         if (node->child1()->shouldSpeculateObject()) {
3281             fixEdge<ObjectUse>(node->child1());
3282             node->convertToIdentity();
3283             return;
3284         }
3285
3286         if (node->child1()->shouldSpeculateString()) {
3287             fixEdge<StringUse>(node->child1());
3288             node->convertToIdentity();
3289             return;
3290         }
3291
3292         if (node->child1()->shouldSpeculateCell()) {
3293             fixEdge<CellUse>(node->child1());
3294             node->convertToIdentity();
3295             return;
3296         }
3297
3298         fixEdge<UntypedUse>(node->child1());
3299     }
3300
3301     bool attemptToMakeCallDOM(Node* node)
3302     {
3303         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3304             return false;
3305
3306         const DOMJIT::Signature* signature = node->signature();
3307         if (!signature)
3308             return false;
3309
3310         {
3311             unsigned index = 0;
3312             bool shouldConvertToCallDOM = true;
3313             m_graph.doToChildren(node, [&](Edge& edge) {
3314                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3315                 if (!index)
3316                     return;
3317
3318                 if (index == 1) {
3319                     // DOM node case.
3320                     if (edge->shouldSpeculateNotCell())
3321                         shouldConvertToCallDOM = false;
3322                 } else {
3323                     switch (signature->arguments[index - 2]) {
3324                     case SpecString:
3325                         if (edge->shouldSpeculateNotString())
3326                             shouldConvertToCallDOM = false;
3327                         break;
3328                     case SpecInt32Only:
3329                         if (edge->shouldSpeculateNotInt32())
3330                             shouldConvertToCallDOM = false;
3331                         break;
3332                     case SpecBoolean:
3333                         if (edge->shouldSpeculateNotBoolean())
3334                             shouldConvertToCallDOM = false;
3335                         break;
3336                     default:
3337                         RELEASE_ASSERT_NOT_REACHED();
3338                         break;
3339                     }
3340                 }
3341                 ++index;
3342             });
3343             if (!shouldConvertToCallDOM)
3344                 return false;
3345         }
3346
3347         Node* thisNode = m_graph.varArgChild(node, 1).node();
3348         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3349         node->convertToCallDOM(m_graph);
3350         fixupCheckSubClass(checkSubClass);
3351         fixupCallDOM(node);
3352         return true;
3353     }
3354
3355     void fixupCheckSubClass(Node* node)
3356     {
3357         fixEdge<CellUse>(node->child1());
3358     }
3359
3360     void fixupCallDOM(Node* node)
3361     {
3362         const DOMJIT::Signature* signature = node->signature();
3363         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3364             if (!edge)
3365                 return;
3366             switch (signature->arguments[argumentIndex]) {
3367             case SpecString:
3368                 fixEdge<StringUse>(edge);
3369                 break;
3370             case SpecInt32Only:
3371                 fixEdge<Int32Use>(edge);
3372                 break;
3373             case SpecBoolean:
3374                 fixEdge<BooleanUse>(edge);
3375                 break;
3376             default:
3377                 RELEASE_ASSERT_NOT_REACHED();
3378                 break;
3379             }
3380         };
3381         fixEdge<CellUse>(node->child1()); // DOM.
3382         fixup(node->child2(), 0);
3383         fixup(node->child3(), 1);
3384     }
3385
3386     void fixupArrayIndexOf(Node* node)
3387     {
3388         Edge& array = m_graph.varArgChild(node, 0);
3389         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3390         blessArrayOperation(array, Edge(), storage);
3391         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3392
3393         Edge& searchElement = m_graph.varArgChild(node, 1);
3394
3395         // Constant folding.
3396         switch (node->arrayMode().type()) {
3397         case Array::Double:
3398         case Array::Int32: {
3399             if (searchElement->shouldSpeculateCell()) {
3400                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3401                 m_graph.convertToConstant(node, jsNumber(-1));
3402                 observeUseKindOnNode<CellUse>(searchElement.node());
3403                 return;
3404             }
3405
3406             if (searchElement->shouldSpeculateOther()) {
3407                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3408                 m_graph.convertToConstant(node, jsNumber(-1));
3409                 observeUseKindOnNode<OtherUse>(searchElement.node());
3410                 return;
3411             }
3412
3413             if (searchElement->shouldSpeculateBoolean()) {
3414                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3415                 m_graph.convertToConstant(node, jsNumber(-1));
3416                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3417                 return;
3418             }
3419             break;
3420         }
3421         default:
3422             break;
3423         }
3424
3425         fixEdge<KnownCellUse>(array);
3426         if (node->numChildren() == 4)
3427             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3428
3429         switch (node->arrayMode().type()) {
3430         case Array::Double: {
3431             if (searchElement->shouldSpeculateNumber())
3432                 fixEdge<DoubleRepUse>(searchElement);
3433             return;
3434         }
3435         case Array::Int32: {
3436             if (searchElement->shouldSpeculateInt32())
3437                 fixEdge<Int32Use>(searchElement);
3438             return;
3439         }
3440         case Array::Contiguous: {
3441             if (searchElement->shouldSpeculateString())
3442                 fixEdge<StringUse>(searchElement);
3443             else if (searchElement->shouldSpeculateSymbol())
3444                 fixEdge<SymbolUse>(searchElement);
3445             else if (searchElement->shouldSpeculateOther())
3446                 fixEdge<OtherUse>(searchElement);
3447             else if (searchElement->shouldSpeculateObject())
3448                 fixEdge<ObjectUse>(searchElement);
3449             return;
3450         }
3451         default:
3452             RELEASE_ASSERT_NOT_REACHED();
3453             return;
3454         }
3455     }
3456
3457     void fixupChecksInBlock(BasicBlock* block)
3458     {
3459         if (!block)
3460             return;
3461         ASSERT(block->isReachable);
3462         m_block = block;
3463         unsigned indexForChecks = UINT_MAX;
3464         NodeOrigin originForChecks;
3465         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3466             Node* node = block->at(indexInBlock);
3467
3468             // If this is a node at which we could exit, then save its index. If nodes after this one
3469             // cannot exit, then we will hoist checks to here.
3470             if (node->origin.exitOK) {
3471                 indexForChecks = indexInBlock;
3472                 originForChecks = node->origin;
3473             }
3474
3475             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3476             
3477             // First, try to relax the representational demands of each node, in order to have
3478             // fewer conversions.
3479             switch (node->op()) {
3480             case MovHint:
3481             case Check:
3482             case CheckVarargs:
3483                 m_graph.doToChildren(
3484                     node,
3485                     [&] (Edge& edge) {
3486                         switch (edge.useKind()) {
3487                         case DoubleRepUse:
3488                         case DoubleRepRealUse:
3489                             if (edge->hasDoubleResult())
3490                                 break;
3491             
3492                             if (edge->hasInt52Result())
3493                                 edge.setUseKind(Int52RepUse);
3494                             else if (edge.useKind() == DoubleRepUse)
3495                                 edge.setUseKind(NumberUse);
3496                             break;
3497             
3498                         case Int52RepUse:
3499                             // Nothing we can really do.
3500                             break;
3501             
3502                         case UntypedUse:
3503                         case NumberUse:
3504                             if (edge->hasDoubleResult())
3505                                 edge.setUseKind(DoubleRepUse);
3506                             else if (edge->hasInt52Result())
3507                                 edge.setUseKind(Int52RepUse);
3508                             break;
3509             
3510                         case RealNumberUse:
3511                             if (edge->hasDoubleResult())
3512                                 edge.setUseKind(DoubleRepRealUse);
3513                             else if (edge->hasInt52Result())
3514                                 edge.setUseKind(Int52RepUse);
3515                             break;
3516             
3517                         default:
3518                             break;
3519                         }
3520                     });
3521                 break;