Unreviewed, rolling out r222518.
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->clearFlags(NodeMustGenerate);
146                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
147             }
148             break;
149         }
150             
151         case ValueAdd: {
152             if (attemptToMakeIntegerAdd(node)) {
153                 node->setOp(ArithAdd);
154                 break;
155             }
156             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
157                 fixDoubleOrBooleanEdge(node->child1());
158                 fixDoubleOrBooleanEdge(node->child2());
159                 node->setOp(ArithAdd);
160                 node->setResult(NodeResultDouble);
161                 break;
162             }
163             
164             if (attemptToMakeFastStringAdd(node))
165                 break;
166
167             Edge& child1 = node->child1();
168             Edge& child2 = node->child2();
169             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
170                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
171                     auto convertString = [&](Node* node, Edge& edge) {
172                         if (edge->shouldSpeculateInt32())
173                             convertStringAddUse<Int32Use>(node, edge);
174                         else {
175                             ASSERT(edge->shouldSpeculateString());
176                             convertStringAddUse<StringUse>(node, edge);
177                         }
178                     };
179                     convertString(node, child1);
180                     convertString(node, child2);
181                     convertToMakeRope(node);
182                     break;
183                 }
184             }
185
186             fixEdge<UntypedUse>(child1);
187             fixEdge<UntypedUse>(child2);
188             node->setResult(NodeResultJS);
189             break;
190         }
191
192         case StrCat: {
193             if (attemptToMakeFastStringAdd(node))
194                 break;
195
196             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
197             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
198             // the implementation of StrCat doesn't dynamically optimize for empty strings.
199             // https://bugs.webkit.org/show_bug.cgi?id=148540
200             m_graph.doToChildren(
201                 node,
202                 [&] (Edge& edge) {
203                     fixEdge<KnownPrimitiveUse>(edge);
204                 });
205             break;
206         }
207             
208         case MakeRope: {
209             fixupMakeRope(node);
210             break;
211         }
212             
213         case ArithAdd:
214         case ArithSub: {
215             if (op == ArithSub
216                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
217                 fixEdge<UntypedUse>(node->child1());
218                 fixEdge<UntypedUse>(node->child2());
219                 node->setResult(NodeResultJS);
220                 break;
221             }
222             if (attemptToMakeIntegerAdd(node))
223                 break;
224             fixDoubleOrBooleanEdge(node->child1());
225             fixDoubleOrBooleanEdge(node->child2());
226             node->setResult(NodeResultDouble);
227             break;
228         }
229             
230         case ArithNegate: {
231             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
232                 fixIntOrBooleanEdge(node->child1());
233                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
234                     node->setArithMode(Arith::Unchecked);
235                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
236                     node->setArithMode(Arith::CheckOverflow);
237                 else
238                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
239                 node->setResult(NodeResultInt32);
240                 node->clearFlags(NodeMustGenerate);
241                 break;
242             }
243             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
244                 fixEdge<Int52RepUse>(node->child1());
245                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
246                     node->setArithMode(Arith::CheckOverflow);
247                 else
248                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
249                 node->setResult(NodeResultInt52);
250                 node->clearFlags(NodeMustGenerate);
251                 break;
252             }
253             if (node->child1()->shouldSpeculateNotCell()) {
254                 fixDoubleOrBooleanEdge(node->child1());
255                 node->setResult(NodeResultDouble);
256                 node->clearFlags(NodeMustGenerate);
257             } else
258                 fixEdge<UntypedUse>(node->child1());
259             break;
260         }
261             
262         case ArithMul: {
263             Edge& leftChild = node->child1();
264             Edge& rightChild = node->child2();
265             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
266                 fixEdge<UntypedUse>(leftChild);
267                 fixEdge<UntypedUse>(rightChild);
268                 node->setResult(NodeResultJS);
269                 break;
270             }
271             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
272                 fixIntOrBooleanEdge(leftChild);
273                 fixIntOrBooleanEdge(rightChild);
274                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
275                     node->setArithMode(Arith::Unchecked);
276                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
277                     || leftChild.node() == rightChild.node())
278                     node->setArithMode(Arith::CheckOverflow);
279                 else
280                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
281                 break;
282             }
283             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
284                 fixEdge<Int52RepUse>(leftChild);
285                 fixEdge<Int52RepUse>(rightChild);
286                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
287                     || leftChild.node() == rightChild.node())
288                     node->setArithMode(Arith::CheckOverflow);
289                 else
290                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
291                 node->setResult(NodeResultInt52);
292                 break;
293             }
294             fixDoubleOrBooleanEdge(leftChild);
295             fixDoubleOrBooleanEdge(rightChild);
296             node->setResult(NodeResultDouble);
297             break;
298         }
299
300         case ArithDiv:
301         case ArithMod: {
302             Edge& leftChild = node->child1();
303             Edge& rightChild = node->child2();
304             if (op == ArithDiv
305                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
306                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
307                 fixEdge<UntypedUse>(leftChild);
308                 fixEdge<UntypedUse>(rightChild);
309                 node->setResult(NodeResultJS);
310                 break;
311             }
312             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
313                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
314                     fixIntOrBooleanEdge(leftChild);
315                     fixIntOrBooleanEdge(rightChild);
316                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
317                         node->setArithMode(Arith::Unchecked);
318                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
319                         node->setArithMode(Arith::CheckOverflow);
320                     else
321                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
322                     break;
323                 }
324                 
325                 // This will cause conversion nodes to be inserted later.
326                 fixDoubleOrBooleanEdge(leftChild);
327                 fixDoubleOrBooleanEdge(rightChild);
328                 
329                 // We don't need to do ref'ing on the children because we're stealing them from
330                 // the original division.
331                 Node* newDivision = m_insertionSet.insertNode(
332                     m_indexInBlock, SpecBytecodeDouble, *node);
333                 newDivision->setResult(NodeResultDouble);
334                 
335                 node->setOp(DoubleAsInt32);
336                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
337                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
338                     node->setArithMode(Arith::CheckOverflow);
339                 else
340                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
341                 break;
342             }
343             fixDoubleOrBooleanEdge(leftChild);
344             fixDoubleOrBooleanEdge(rightChild);
345             node->setResult(NodeResultDouble);
346             break;
347         }
348             
349         case ArithMin:
350         case ArithMax: {
351             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
352                 fixIntOrBooleanEdge(node->child1());
353                 fixIntOrBooleanEdge(node->child2());
354                 break;
355             }
356             fixDoubleOrBooleanEdge(node->child1());
357             fixDoubleOrBooleanEdge(node->child2());
358             node->setResult(NodeResultDouble);
359             break;
360         }
361             
362         case ArithAbs: {
363             if (node->child1()->shouldSpeculateInt32OrBoolean()
364                 && node->canSpeculateInt32(FixupPass)) {
365                 fixIntOrBooleanEdge(node->child1());
366                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
367                     node->setArithMode(Arith::Unchecked);
368                 else
369                     node->setArithMode(Arith::CheckOverflow);
370                 node->clearFlags(NodeMustGenerate);
371                 node->setResult(NodeResultInt32);
372                 break;
373             }
374
375             if (node->child1()->shouldSpeculateNotCell()) {
376                 fixDoubleOrBooleanEdge(node->child1());
377                 node->clearFlags(NodeMustGenerate);
378             } else
379                 fixEdge<UntypedUse>(node->child1());
380             node->setResult(NodeResultDouble);
381             break;
382         }
383
384         case ArithPow: {
385             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
386                 fixDoubleOrBooleanEdge(node->child1());
387                 fixIntOrBooleanEdge(node->child2());
388                 break;
389             }
390
391             fixDoubleOrBooleanEdge(node->child1());
392             fixDoubleOrBooleanEdge(node->child2());
393             break;
394         }
395
396         case ArithRandom: {
397             node->setResult(NodeResultDouble);
398             break;
399         }
400
401         case ArithRound:
402         case ArithFloor:
403         case ArithCeil:
404         case ArithTrunc: {
405             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
406                 fixIntOrBooleanEdge(node->child1());
407                 insertCheck<Int32Use>(node->child1().node());
408                 node->convertToIdentity();
409                 break;
410             }
411             if (node->child1()->shouldSpeculateNotCell()) {
412                 fixDoubleOrBooleanEdge(node->child1());
413
414                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
415                     node->setResult(NodeResultInt32);
416                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
417                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
418                     else
419                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
420                 } else {
421                     node->setResult(NodeResultDouble);
422                     node->setArithRoundingMode(Arith::RoundingMode::Double);
423                 }
424                 node->clearFlags(NodeMustGenerate);
425             } else
426                 fixEdge<UntypedUse>(node->child1());
427             break;
428         }
429
430         case ArithFRound:
431         case ArithSqrt:
432         case ArithUnary: {
433             Edge& child1 = node->child1();
434             if (child1->shouldSpeculateNotCell()) {
435                 fixDoubleOrBooleanEdge(child1);
436                 node->clearFlags(NodeMustGenerate);
437             } else
438                 fixEdge<UntypedUse>(child1);
439             break;
440         }
441             
442         case LogicalNot: {
443             if (node->child1()->shouldSpeculateBoolean()) {
444                 if (node->child1()->result() == NodeResultBoolean) {
445                     // This is necessary in case we have a bytecode instruction implemented by:
446                     //
447                     // a: CompareEq(...)
448                     // b: LogicalNot(@a)
449                     //
450                     // In that case, CompareEq might have a side-effect. Then, we need to make
451                     // sure that we know that Branch does not exit.
452                     fixEdge<KnownBooleanUse>(node->child1());
453                 } else
454                     fixEdge<BooleanUse>(node->child1());
455             } else if (node->child1()->shouldSpeculateObjectOrOther())
456                 fixEdge<ObjectOrOtherUse>(node->child1());
457             else if (node->child1()->shouldSpeculateInt32OrBoolean())
458                 fixIntOrBooleanEdge(node->child1());
459             else if (node->child1()->shouldSpeculateNumber())
460                 fixEdge<DoubleRepUse>(node->child1());
461             else if (node->child1()->shouldSpeculateString())
462                 fixEdge<StringUse>(node->child1());
463             else if (node->child1()->shouldSpeculateStringOrOther())
464                 fixEdge<StringOrOtherUse>(node->child1());
465             else {
466                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
467                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
468                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
469             }
470             break;
471         }
472
473         case CompareEq:
474         case CompareLess:
475         case CompareLessEq:
476         case CompareGreater:
477         case CompareGreaterEq: {
478             if (node->op() == CompareEq
479                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
480                 fixEdge<BooleanUse>(node->child1());
481                 fixEdge<BooleanUse>(node->child2());
482                 node->clearFlags(NodeMustGenerate);
483                 break;
484             }
485             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
486                 fixIntOrBooleanEdge(node->child1());
487                 fixIntOrBooleanEdge(node->child2());
488                 node->clearFlags(NodeMustGenerate);
489                 break;
490             }
491             if (enableInt52()
492                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
493                 fixEdge<Int52RepUse>(node->child1());
494                 fixEdge<Int52RepUse>(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
499                 fixDoubleOrBooleanEdge(node->child1());
500                 fixDoubleOrBooleanEdge(node->child2());
501             }
502             if (node->op() != CompareEq
503                 && node->child1()->shouldSpeculateNotCell()
504                 && node->child2()->shouldSpeculateNotCell()) {
505                 if (node->child1()->shouldSpeculateNumberOrBoolean())
506                     fixDoubleOrBooleanEdge(node->child1());
507                 else
508                     fixEdge<DoubleRepUse>(node->child1());
509                 if (node->child2()->shouldSpeculateNumberOrBoolean())
510                     fixDoubleOrBooleanEdge(node->child2());
511                 else
512                     fixEdge<DoubleRepUse>(node->child2());
513                 node->clearFlags(NodeMustGenerate);
514                 break;
515             }
516             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
517                 fixEdge<StringIdentUse>(node->child1());
518                 fixEdge<StringIdentUse>(node->child2());
519                 node->clearFlags(NodeMustGenerate);
520                 break;
521             }
522             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
523                 fixEdge<StringUse>(node->child1());
524                 fixEdge<StringUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528
529             if (node->op() != CompareEq)
530                 break;
531             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
532                 fixEdge<SymbolUse>(node->child1());
533                 fixEdge<SymbolUse>(node->child2());
534                 node->clearFlags(NodeMustGenerate);
535                 break;
536             }
537             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
538                 fixEdge<ObjectUse>(node->child1());
539                 fixEdge<ObjectUse>(node->child2());
540                 node->clearFlags(NodeMustGenerate);
541                 break;
542             }
543
544             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
545             bool oneArgumentIsUsedAsSpecOther = false;
546             if (node->child1()->isUndefinedOrNullConstant()) {
547                 fixEdge<OtherUse>(node->child1());
548                 oneArgumentIsUsedAsSpecOther = true;
549             } else if (node->child1()->shouldSpeculateOther()) {
550                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
551                     Edge(node->child1().node(), OtherUse));
552                 fixEdge<OtherUse>(node->child1());
553                 oneArgumentIsUsedAsSpecOther = true;
554             }
555             if (node->child2()->isUndefinedOrNullConstant()) {
556                 fixEdge<OtherUse>(node->child2());
557                 oneArgumentIsUsedAsSpecOther = true;
558             } else if (node->child2()->shouldSpeculateOther()) {
559                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
560                     Edge(node->child2().node(), OtherUse));
561                 fixEdge<OtherUse>(node->child2());
562                 oneArgumentIsUsedAsSpecOther = true;
563             }
564             if (oneArgumentIsUsedAsSpecOther) {
565                 node->clearFlags(NodeMustGenerate);
566                 break;
567             }
568
569             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
570                 fixEdge<ObjectUse>(node->child1());
571                 fixEdge<ObjectOrOtherUse>(node->child2());
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
576                 fixEdge<ObjectOrOtherUse>(node->child1());
577                 fixEdge<ObjectUse>(node->child2());
578                 node->clearFlags(NodeMustGenerate);
579                 break;
580             }
581
582             break;
583         }
584             
585         case CompareStrictEq: {
586             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
587                 fixEdge<BooleanUse>(node->child1());
588                 fixEdge<BooleanUse>(node->child2());
589                 break;
590             }
591             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
592                 fixEdge<Int32Use>(node->child1());
593                 fixEdge<Int32Use>(node->child2());
594                 break;
595             }
596             if (enableInt52()
597                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
598                 fixEdge<Int52RepUse>(node->child1());
599                 fixEdge<Int52RepUse>(node->child2());
600                 break;
601             }
602             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
603                 fixEdge<DoubleRepUse>(node->child1());
604                 fixEdge<DoubleRepUse>(node->child2());
605                 break;
606             }
607             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
608                 fixEdge<SymbolUse>(node->child1());
609                 fixEdge<SymbolUse>(node->child2());
610                 break;
611             }
612             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
613                 fixEdge<StringIdentUse>(node->child1());
614                 fixEdge<StringIdentUse>(node->child2());
615                 break;
616             }
617             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
618                 fixEdge<StringUse>(node->child1());
619                 fixEdge<StringUse>(node->child2());
620                 break;
621             }
622             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
623             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
624                 
625                 if (node->child1()->shouldSpeculateObject()) {
626                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
627                     fixEdge<ObjectUse>(node->child1());
628                     break;
629                 }
630                 if (node->child2()->shouldSpeculateObject()) {
631                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
632                     fixEdge<ObjectUse>(node->child2());
633                     break;
634                 }
635                 
636             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
637                 fixEdge<ObjectUse>(node->child1());
638                 fixEdge<ObjectUse>(node->child2());
639                 break;
640             }
641             if (node->child1()->shouldSpeculateSymbol()) {
642                 fixEdge<SymbolUse>(node->child1());
643                 break;
644             }
645             if (node->child2()->shouldSpeculateSymbol()) {
646                 fixEdge<SymbolUse>(node->child2());
647                 break;
648             }
649             if (node->child1()->shouldSpeculateMisc()) {
650                 fixEdge<MiscUse>(node->child1());
651                 break;
652             }
653             if (node->child2()->shouldSpeculateMisc()) {
654                 fixEdge<MiscUse>(node->child2());
655                 break;
656             }
657             if (node->child1()->shouldSpeculateStringIdent()
658                 && node->child2()->shouldSpeculateNotStringVar()) {
659                 fixEdge<StringIdentUse>(node->child1());
660                 fixEdge<NotStringVarUse>(node->child2());
661                 break;
662             }
663             if (node->child2()->shouldSpeculateStringIdent()
664                 && node->child1()->shouldSpeculateNotStringVar()) {
665                 fixEdge<StringIdentUse>(node->child2());
666                 fixEdge<NotStringVarUse>(node->child1());
667                 break;
668             }
669             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
670                 fixEdge<StringUse>(node->child1());
671                 break;
672             }
673             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
674                 fixEdge<StringUse>(node->child2());
675                 break;
676             }
677             break;
678         }
679             
680         case StringFromCharCode:
681             if (node->child1()->shouldSpeculateInt32())
682                 fixEdge<Int32Use>(node->child1());
683             else
684                 fixEdge<UntypedUse>(node->child1());
685             break;
686
687         case StringCharAt:
688         case StringCharCodeAt: {
689             // Currently we have no good way of refining these.
690             ASSERT(node->arrayMode() == ArrayMode(Array::String));
691             blessArrayOperation(node->child1(), node->child2(), node->child3());
692             fixEdge<KnownCellUse>(node->child1());
693             fixEdge<Int32Use>(node->child2());
694             break;
695         }
696
697         case GetByVal: {
698             if (!node->prediction()) {
699                 m_insertionSet.insertNode(
700                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
701             }
702             
703             node->setArrayMode(
704                 node->arrayMode().refine(
705                     m_graph, node,
706                     node->child1()->prediction(),
707                     node->child2()->prediction(),
708                     SpecNone));
709             
710             blessArrayOperation(node->child1(), node->child2(), node->child3());
711             
712             ArrayMode arrayMode = node->arrayMode();
713             switch (arrayMode.type()) {
714             case Array::Contiguous:
715             case Array::Double:
716                 if (arrayMode.arrayClass() == Array::OriginalArray
717                     && arrayMode.speculation() == Array::InBounds) {
718                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
719                     if (globalObject->arrayPrototypeChainIsSane()) {
720                         // Check if SaneChain will work on a per-type basis. Note that:
721                         //
722                         // 1) We don't want double arrays to sometimes return undefined, since
723                         // that would require a change to the return type and it would pessimise
724                         // things a lot. So, we'd only want to do that if we actually had
725                         // evidence that we could read from a hole. That's pretty annoying.
726                         // Likely the best way to handle that case is with an equivalent of
727                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
728                         // NaN are indistinguishable according to backwards propagation, and just
729                         // use SaneChain in that case. This happens to catch a lot of cases.
730                         //
731                         // 2) We don't want int32 array loads to have to do a hole check just to
732                         // coerce to Undefined, since that would mean twice the checks.
733                         //
734                         // This has two implications. First, we have to do more checks than we'd
735                         // like. It's unfortunate that we have to do the hole check. Second,
736                         // some accesses that hit a hole will now need to take the full-blown
737                         // out-of-bounds slow path. We can fix that with:
738                         // https://bugs.webkit.org/show_bug.cgi?id=144668
739                         
740                         bool canDoSaneChain = false;
741                         switch (arrayMode.type()) {
742                         case Array::Contiguous:
743                             // This is happens to be entirely natural. We already would have
744                             // returned any JSValue, and now we'll return Undefined. We still do
745                             // the check but it doesn't require taking any kind of slow path.
746                             canDoSaneChain = true;
747                             break;
748                             
749                         case Array::Double:
750                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
751                                 // Holes look like NaN already, so if the user doesn't care
752                                 // about the difference between Undefined and NaN then we can
753                                 // do this.
754                                 canDoSaneChain = true;
755                             }
756                             break;
757                             
758                         default:
759                             break;
760                         }
761                         
762                         if (canDoSaneChain) {
763                             m_graph.watchpoints().addLazily(
764                                 globalObject->arrayPrototype()->structure()->transitionWatchpointSet());
765                             m_graph.watchpoints().addLazily(
766                                 globalObject->objectPrototype()->structure()->transitionWatchpointSet());
767                             if (globalObject->arrayPrototypeChainIsSane())
768                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
769                         }
770                     }
771                 }
772                 break;
773                 
774             case Array::String:
775                 if ((node->prediction() & ~SpecString)
776                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
777                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
778                 break;
779                 
780             default:
781                 break;
782             }
783             
784             arrayMode = node->arrayMode();
785             switch (arrayMode.type()) {
786             case Array::SelectUsingPredictions:
787             case Array::Unprofiled:
788                 RELEASE_ASSERT_NOT_REACHED();
789                 break;
790             case Array::Generic:
791                 if (node->child1()->shouldSpeculateObject()) {
792                     if (node->child2()->shouldSpeculateString()) {
793                         fixEdge<ObjectUse>(node->child1());
794                         fixEdge<StringUse>(node->child2());
795                         break;
796                     }
797
798                     if (node->child2()->shouldSpeculateSymbol()) {
799                         fixEdge<ObjectUse>(node->child1());
800                         fixEdge<SymbolUse>(node->child2());
801                         break;
802                     }
803                 }
804 #if USE(JSVALUE32_64)
805                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
806 #endif
807                 break;
808             case Array::ForceExit:
809                 break;
810             default:
811                 fixEdge<KnownCellUse>(node->child1());
812                 fixEdge<Int32Use>(node->child2());
813                 break;
814             }
815             
816             switch (arrayMode.type()) {
817             case Array::Double:
818                 if (!arrayMode.isOutOfBounds())
819                     node->setResult(NodeResultDouble);
820                 break;
821                 
822             case Array::Float32Array:
823             case Array::Float64Array:
824                 node->setResult(NodeResultDouble);
825                 break;
826                 
827             case Array::Uint32Array:
828                 if (node->shouldSpeculateInt32())
829                     break;
830                 if (node->shouldSpeculateAnyInt() && enableInt52())
831                     node->setResult(NodeResultInt52);
832                 else
833                     node->setResult(NodeResultDouble);
834                 break;
835                 
836             default:
837                 break;
838             }
839             
840             break;
841         }
842
843         case PutByValDirect:
844         case PutByVal:
845         case PutByValAlias: {
846             Edge& child1 = m_graph.varArgChild(node, 0);
847             Edge& child2 = m_graph.varArgChild(node, 1);
848             Edge& child3 = m_graph.varArgChild(node, 2);
849
850             node->setArrayMode(
851                 node->arrayMode().refine(
852                     m_graph, node,
853                     child1->prediction(),
854                     child2->prediction(),
855                     child3->prediction()));
856             
857             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
858             
859             switch (node->arrayMode().modeForPut().type()) {
860             case Array::SelectUsingPredictions:
861             case Array::SelectUsingArguments:
862             case Array::Unprofiled:
863             case Array::Undecided:
864                 RELEASE_ASSERT_NOT_REACHED();
865                 break;
866             case Array::ForceExit:
867             case Array::Generic:
868                 if (child1->shouldSpeculateCell()) {
869                     if (child2->shouldSpeculateString()) {
870                         fixEdge<CellUse>(child1);
871                         fixEdge<StringUse>(child2);
872                         break;
873                     }
874
875                     if (child2->shouldSpeculateSymbol()) {
876                         fixEdge<CellUse>(child1);
877                         fixEdge<SymbolUse>(child2);
878                         break;
879                     }
880                 }
881 #if USE(JSVALUE32_64)
882                 // Due to register pressure on 32-bit, we speculate cell and
883                 // ignore the base-is-not-cell case entirely by letting the
884                 // baseline JIT handle it.
885                 fixEdge<CellUse>(child1);
886 #endif
887                 break;
888             case Array::Int32:
889                 fixEdge<KnownCellUse>(child1);
890                 fixEdge<Int32Use>(child2);
891                 fixEdge<Int32Use>(child3);
892                 break;
893             case Array::Double:
894                 fixEdge<KnownCellUse>(child1);
895                 fixEdge<Int32Use>(child2);
896                 fixEdge<DoubleRepRealUse>(child3);
897                 break;
898             case Array::Int8Array:
899             case Array::Int16Array:
900             case Array::Int32Array:
901             case Array::Uint8Array:
902             case Array::Uint8ClampedArray:
903             case Array::Uint16Array:
904             case Array::Uint32Array:
905                 fixEdge<KnownCellUse>(child1);
906                 fixEdge<Int32Use>(child2);
907                 if (child3->shouldSpeculateInt32())
908                     fixIntOrBooleanEdge(child3);
909                 else if (child3->shouldSpeculateAnyInt())
910                     fixEdge<Int52RepUse>(child3);
911                 else
912                     fixDoubleOrBooleanEdge(child3);
913                 break;
914             case Array::Float32Array:
915             case Array::Float64Array:
916                 fixEdge<KnownCellUse>(child1);
917                 fixEdge<Int32Use>(child2);
918                 fixDoubleOrBooleanEdge(child3);
919                 break;
920             case Array::Contiguous:
921             case Array::ArrayStorage:
922             case Array::SlowPutArrayStorage:
923                 fixEdge<KnownCellUse>(child1);
924                 fixEdge<Int32Use>(child2);
925                 speculateForBarrier(child3);
926                 break;
927             default:
928                 fixEdge<KnownCellUse>(child1);
929                 fixEdge<Int32Use>(child2);
930                 break;
931             }
932             break;
933         }
934             
935         case AtomicsAdd:
936         case AtomicsAnd:
937         case AtomicsCompareExchange:
938         case AtomicsExchange:
939         case AtomicsLoad:
940         case AtomicsOr:
941         case AtomicsStore:
942         case AtomicsSub:
943         case AtomicsXor: {
944             Edge& base = m_graph.child(node, 0);
945             Edge& index = m_graph.child(node, 1);
946             
947             bool badNews = false;
948             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
949                 Edge& child = m_graph.child(node, 2 + i);
950                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
951                 // just call the function when that happens. But the FTL is totally cool with those
952                 // conversions.
953                 if (!child->shouldSpeculateInt32()
954                     && !child->shouldSpeculateAnyInt()
955                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
956                     badNews = true;
957             }
958             
959             if (badNews) {
960                 node->setArrayMode(ArrayMode(Array::Generic));
961                 break;
962             }
963             
964             node->setArrayMode(
965                 node->arrayMode().refine(
966                     m_graph, node, base->prediction(), index->prediction()));
967             
968             if (node->arrayMode().type() == Array::Generic)
969                 break;
970             
971             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
972                 Edge& child = m_graph.child(node, 2 + i);
973                 if (child->shouldSpeculateInt32())
974                     fixIntOrBooleanEdge(child);
975                 else if (child->shouldSpeculateAnyInt())
976                     fixEdge<Int52RepUse>(child);
977                 else {
978                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
979                     fixDoubleOrBooleanEdge(child);
980                 }
981             }
982             
983             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
984             fixEdge<CellUse>(base);
985             fixEdge<Int32Use>(index);
986             
987             if (node->arrayMode().type() == Array::Uint32Array) {
988                 // NOTE: This means basically always doing Int52.
989                 if (node->shouldSpeculateAnyInt() && enableInt52())
990                     node->setResult(NodeResultInt52);
991                 else
992                     node->setResult(NodeResultDouble);
993             }
994             break;
995         }
996             
997         case AtomicsIsLockFree:
998             if (node->child1()->shouldSpeculateInt32())
999                 fixIntOrBooleanEdge(node->child1());
1000             break;
1001             
1002         case ArrayPush: {
1003             // May need to refine the array mode in case the value prediction contravenes
1004             // the array prediction. For example, we may have evidence showing that the
1005             // array is in Int32 mode, but the value we're storing is likely to be a double.
1006             // Then we should turn this into a conversion to Double array followed by the
1007             // push. On the other hand, we absolutely don't want to refine based on the
1008             // base prediction. If it has non-cell garbage in it, then we want that to be
1009             // ignored. That's because ArrayPush can't handle any array modes that aren't
1010             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1011             // that would break things.
1012             node->setArrayMode(
1013                 node->arrayMode().refine(
1014                     m_graph, node,
1015                     node->child1()->prediction() & SpecCell,
1016                     SpecInt32Only,
1017                     node->child2()->prediction()));
1018             blessArrayOperation(node->child1(), Edge(), node->child3());
1019             fixEdge<KnownCellUse>(node->child1());
1020             
1021             switch (node->arrayMode().type()) {
1022             case Array::Int32:
1023                 fixEdge<Int32Use>(node->child2());
1024                 break;
1025             case Array::Double:
1026                 fixEdge<DoubleRepRealUse>(node->child2());
1027                 break;
1028             case Array::Contiguous:
1029             case Array::ArrayStorage:
1030                 speculateForBarrier(node->child2());
1031                 break;
1032             default:
1033                 break;
1034             }
1035             break;
1036         }
1037             
1038         case ArrayPop: {
1039             blessArrayOperation(node->child1(), Edge(), node->child2());
1040             fixEdge<KnownCellUse>(node->child1());
1041             break;
1042         }
1043
1044         case ArraySlice: {
1045             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1046             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1047             if (node->numChildren() == 4)
1048                 fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1049             break;
1050         }
1051
1052         case ArrayIndexOf:
1053             fixupArrayIndexOf(node);
1054             break;
1055             
1056         case RegExpExec:
1057         case RegExpTest: {
1058             fixEdge<KnownCellUse>(node->child1());
1059             
1060             if (node->child2()->shouldSpeculateRegExpObject()) {
1061                 fixEdge<RegExpObjectUse>(node->child2());
1062
1063                 if (node->child3()->shouldSpeculateString())
1064                     fixEdge<StringUse>(node->child3());
1065             }
1066             break;
1067         }
1068
1069         case StringReplace:
1070         case StringReplaceRegExp: {
1071             if (node->child2()->shouldSpeculateString()) {
1072                 m_insertionSet.insertNode(
1073                     m_indexInBlock, SpecNone, Check, node->origin,
1074                     Edge(node->child2().node(), StringUse));
1075                 fixEdge<StringUse>(node->child2());
1076             } else if (op == StringReplace) {
1077                 if (node->child2()->shouldSpeculateRegExpObject())
1078                     addStringReplacePrimordialChecks(node->child2().node());
1079                 else 
1080                     m_insertionSet.insertNode(
1081                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1082             }
1083
1084             if (node->child1()->shouldSpeculateString()
1085                 && node->child2()->shouldSpeculateRegExpObject()
1086                 && node->child3()->shouldSpeculateString()) {
1087
1088                 fixEdge<StringUse>(node->child1());
1089                 fixEdge<RegExpObjectUse>(node->child2());
1090                 fixEdge<StringUse>(node->child3());
1091                 break;
1092             }
1093             break;
1094         }
1095             
1096         case Branch: {
1097             if (node->child1()->shouldSpeculateBoolean()) {
1098                 if (node->child1()->result() == NodeResultBoolean) {
1099                     // This is necessary in case we have a bytecode instruction implemented by:
1100                     //
1101                     // a: CompareEq(...)
1102                     // b: Branch(@a)
1103                     //
1104                     // In that case, CompareEq might have a side-effect. Then, we need to make
1105                     // sure that we know that Branch does not exit.
1106                     fixEdge<KnownBooleanUse>(node->child1());
1107                 } else
1108                     fixEdge<BooleanUse>(node->child1());
1109             } else if (node->child1()->shouldSpeculateObjectOrOther())
1110                 fixEdge<ObjectOrOtherUse>(node->child1());
1111             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1112                 fixIntOrBooleanEdge(node->child1());
1113             else if (node->child1()->shouldSpeculateNumber())
1114                 fixEdge<DoubleRepUse>(node->child1());
1115             else if (node->child1()->shouldSpeculateString())
1116                 fixEdge<StringUse>(node->child1());
1117             else if (node->child1()->shouldSpeculateStringOrOther())
1118                 fixEdge<StringOrOtherUse>(node->child1());
1119             else {
1120                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1121                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1122                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1123             }
1124             break;
1125         }
1126             
1127         case Switch: {
1128             SwitchData* data = node->switchData();
1129             switch (data->kind) {
1130             case SwitchImm:
1131                 if (node->child1()->shouldSpeculateInt32())
1132                     fixEdge<Int32Use>(node->child1());
1133                 break;
1134             case SwitchChar:
1135                 if (node->child1()->shouldSpeculateString())
1136                     fixEdge<StringUse>(node->child1());
1137                 break;
1138             case SwitchString:
1139                 if (node->child1()->shouldSpeculateStringIdent())
1140                     fixEdge<StringIdentUse>(node->child1());
1141                 else if (node->child1()->shouldSpeculateString())
1142                     fixEdge<StringUse>(node->child1());
1143                 break;
1144             case SwitchCell:
1145                 if (node->child1()->shouldSpeculateCell())
1146                     fixEdge<CellUse>(node->child1());
1147                 // else it's fine for this to have UntypedUse; we will handle this by just making
1148                 // non-cells take the default case.
1149                 break;
1150             }
1151             break;
1152         }
1153             
1154         case ToPrimitive: {
1155             fixupToPrimitive(node);
1156             break;
1157         }
1158
1159         case ToNumber: {
1160             fixupToNumber(node);
1161             break;
1162         }
1163             
1164         case ToString:
1165         case CallStringConstructor: {
1166             fixupToStringOrCallStringConstructor(node);
1167             break;
1168         }
1169             
1170         case NewStringObject: {
1171             fixEdge<KnownStringUse>(node->child1());
1172             break;
1173         }
1174
1175         case NewArrayWithSpread: {
1176             watchHavingABadTime(node);
1177             
1178             BitVector* bitVector = node->bitVector();
1179             for (unsigned i = node->numChildren(); i--;) {
1180                 if (bitVector->get(i))
1181                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1182                 else
1183                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1184             }
1185
1186             break;
1187         }
1188
1189         case Spread: {
1190             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1191             
1192             watchHavingABadTime(node->child1().node());
1193
1194             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1195             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1196             // that it doesn't contain any indexed properties, and that any holes will result in
1197             // jsUndefined().
1198             InlineWatchpointSet& objectPrototypeTransition = globalObject->objectPrototype()->structure()->transitionWatchpointSet();
1199             InlineWatchpointSet& arrayPrototypeTransition = globalObject->arrayPrototype()->structure()->transitionWatchpointSet();
1200             if (node->child1()->shouldSpeculateArray() 
1201                 && arrayPrototypeTransition.isStillValid() 
1202                 && objectPrototypeTransition.isStillValid() 
1203                 && globalObject->arrayPrototypeChainIsSane()
1204                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1205                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1206                 m_graph.watchpoints().addLazily(objectPrototypeTransition);
1207                 m_graph.watchpoints().addLazily(arrayPrototypeTransition);
1208                 fixEdge<ArrayUse>(node->child1());
1209             } else
1210                 fixEdge<CellUse>(node->child1());
1211             break;
1212         }
1213             
1214         case NewArray: {
1215             watchHavingABadTime(node);
1216             
1217             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1218                 node->setIndexingType(
1219                     leastUpperBoundOfIndexingTypeAndType(
1220                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1221             }
1222             switch (node->indexingType()) {
1223             case ALL_BLANK_INDEXING_TYPES:
1224                 CRASH();
1225                 break;
1226             case ALL_UNDECIDED_INDEXING_TYPES:
1227                 if (node->numChildren()) {
1228                     // This will only happen if the children have no type predictions. We
1229                     // would have already exited by now, but insert a forced exit just to
1230                     // be safe.
1231                     m_insertionSet.insertNode(
1232                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1233                 }
1234                 break;
1235             case ALL_INT32_INDEXING_TYPES:
1236                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1237                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1238                 break;
1239             case ALL_DOUBLE_INDEXING_TYPES:
1240                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1241                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1242                 break;
1243             case ALL_CONTIGUOUS_INDEXING_TYPES:
1244             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1245                 break;
1246             default:
1247                 CRASH();
1248                 break;
1249             }
1250             break;
1251         }
1252             
1253         case NewTypedArray: {
1254             watchHavingABadTime(node);
1255             
1256             if (node->child1()->shouldSpeculateInt32()) {
1257                 fixEdge<Int32Use>(node->child1());
1258                 node->clearFlags(NodeMustGenerate);
1259                 break;
1260             }
1261             break;
1262         }
1263             
1264         case NewArrayWithSize: {
1265             watchHavingABadTime(node);
1266             fixEdge<Int32Use>(node->child1());
1267             break;
1268         }
1269
1270         case NewArrayBuffer: {
1271             watchHavingABadTime(node);
1272             break;
1273         }
1274
1275         case CallObjectConstructor: {
1276             if (node->child1()->shouldSpeculateObject()) {
1277                 fixEdge<ObjectUse>(node->child1());
1278                 node->convertToIdentity();
1279                 break;
1280             }
1281
1282             fixEdge<UntypedUse>(node->child1());
1283             break;
1284         }
1285
1286         case ToThis: {
1287             fixupToThis(node);
1288             break;
1289         }
1290             
1291         case PutStructure: {
1292             fixEdge<KnownCellUse>(node->child1());
1293             break;
1294         }
1295             
1296         case GetClosureVar:
1297         case GetFromArguments: {
1298             fixEdge<KnownCellUse>(node->child1());
1299             break;
1300         }
1301
1302         case PutClosureVar:
1303         case PutToArguments: {
1304             fixEdge<KnownCellUse>(node->child1());
1305             speculateForBarrier(node->child2());
1306             break;
1307         }
1308
1309         case SkipScope:
1310         case GetScope:
1311         case GetGetter:
1312         case GetSetter:
1313         case GetGlobalObject: {
1314             fixEdge<KnownCellUse>(node->child1());
1315             break;
1316         }
1317             
1318         case AllocatePropertyStorage:
1319         case ReallocatePropertyStorage: {
1320             fixEdge<KnownCellUse>(node->child1());
1321             break;
1322         }
1323             
1324         case NukeStructureAndSetButterfly: {
1325             fixEdge<KnownCellUse>(node->child1());
1326             break;
1327         }
1328
1329         case TryGetById: {
1330             if (node->child1()->shouldSpeculateCell())
1331                 fixEdge<CellUse>(node->child1());
1332             break;
1333         }
1334
1335         case GetById:
1336         case GetByIdFlush: {
1337             // FIXME: This should be done in the ByteCodeParser based on reading the
1338             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1339             // https://bugs.webkit.org/show_bug.cgi?id=154990
1340             auto uid = m_graph.identifiers()[node->identifierNumber()];
1341             if (node->child1()->shouldSpeculateCellOrOther()
1342                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1343                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1344                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1345                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1346                 
1347                 if (uid == vm().propertyNames->length.impl()) {
1348                     attemptToMakeGetArrayLength(node);
1349                     break;
1350                 }
1351
1352                 if (uid == vm().propertyNames->lastIndex.impl()
1353                     && node->child1()->shouldSpeculateRegExpObject()) {
1354                     node->setOp(GetRegExpObjectLastIndex);
1355                     node->clearFlags(NodeMustGenerate);
1356                     fixEdge<RegExpObjectUse>(node->child1());
1357                     break;
1358                 }
1359             }
1360
1361             if (node->child1()->shouldSpeculateNumber()) {
1362                 if (uid == vm().propertyNames->toString.impl()) {
1363                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1364                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1365                         if (node->child1()->shouldSpeculateInt32()) {
1366                             insertCheck<Int32Use>(node->child1().node());
1367                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1368                             break;
1369                         }
1370
1371                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1372                             insertCheck<Int52RepUse>(node->child1().node());
1373                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1374                             break;
1375                         }
1376
1377                         ASSERT(node->child1()->shouldSpeculateNumber());
1378                         insertCheck<DoubleRepUse>(node->child1().node());
1379                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1380                         break;
1381                     }
1382                 }
1383             }
1384
1385             if (node->child1()->shouldSpeculateCell())
1386                 fixEdge<CellUse>(node->child1());
1387             break;
1388         }
1389         
1390         case GetByIdWithThis: {
1391             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1392                 fixEdge<CellUse>(node->child1());
1393                 fixEdge<CellUse>(node->child2());
1394             }
1395             break;
1396         }
1397
1398         case PutById:
1399         case PutByIdFlush:
1400         case PutByIdDirect: {
1401             if (node->child1()->shouldSpeculateCellOrOther()
1402                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1403                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1404                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1405                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1406                 
1407                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1408                 
1409                 if (uid == vm().propertyNames->lastIndex.impl()
1410                     && node->child1()->shouldSpeculateRegExpObject()) {
1411                     node->setOp(SetRegExpObjectLastIndex);
1412                     fixEdge<RegExpObjectUse>(node->child1());
1413                     speculateForBarrier(node->child2());
1414                     break;
1415                 }
1416             }
1417             
1418             fixEdge<CellUse>(node->child1());
1419             break;
1420         }
1421
1422         case PutGetterById:
1423         case PutSetterById: {
1424             fixEdge<KnownCellUse>(node->child1());
1425             fixEdge<KnownCellUse>(node->child2());
1426             break;
1427         }
1428
1429         case PutGetterSetterById: {
1430             fixEdge<KnownCellUse>(node->child1());
1431             break;
1432         }
1433
1434         case PutGetterByVal:
1435         case PutSetterByVal: {
1436             fixEdge<KnownCellUse>(node->child1());
1437             fixEdge<KnownCellUse>(node->child3());
1438             break;
1439         }
1440
1441         case GetExecutable: {
1442             fixEdge<FunctionUse>(node->child1());
1443             break;
1444         }
1445
1446         case OverridesHasInstance:
1447         case CheckStructure:
1448         case CheckCell:
1449         case CreateThis:
1450         case GetButterfly:
1451         case GetButterflyWithoutCaging: {
1452             fixEdge<CellUse>(node->child1());
1453             break;
1454         }
1455
1456         case CheckStringIdent: {
1457             fixEdge<StringIdentUse>(node->child1());
1458             break;
1459         }
1460             
1461         case Arrayify:
1462         case ArrayifyToStructure: {
1463             fixEdge<CellUse>(node->child1());
1464             if (node->child2())
1465                 fixEdge<Int32Use>(node->child2());
1466             break;
1467         }
1468             
1469         case GetByOffset:
1470         case GetGetterSetterByOffset: {
1471             if (!node->child1()->hasStorageResult())
1472                 fixEdge<KnownCellUse>(node->child1());
1473             fixEdge<KnownCellUse>(node->child2());
1474             break;
1475         }
1476             
1477         case MultiGetByOffset: {
1478             fixEdge<CellUse>(node->child1());
1479             break;
1480         }
1481             
1482         case PutByOffset: {
1483             if (!node->child1()->hasStorageResult())
1484                 fixEdge<KnownCellUse>(node->child1());
1485             fixEdge<KnownCellUse>(node->child2());
1486             unsigned index = indexForChecks();
1487             insertInferredTypeCheck(
1488                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1489                 node->storageAccessData().inferredType);
1490             speculateForBarrier(node->child3());
1491             break;
1492         }
1493             
1494         case MultiPutByOffset: {
1495             fixEdge<CellUse>(node->child1());
1496             break;
1497         }
1498             
1499         case InstanceOf: {
1500             if (!(node->child1()->prediction() & ~SpecCell))
1501                 fixEdge<CellUse>(node->child1());
1502             fixEdge<CellUse>(node->child2());
1503             break;
1504         }
1505
1506         case InstanceOfCustom:
1507             fixEdge<CellUse>(node->child2());
1508             break;
1509
1510         case In: {
1511             if (node->child2()->shouldSpeculateInt32()) {
1512                 convertToHasIndexedProperty(node);
1513                 break;
1514             }
1515
1516             fixEdge<CellUse>(node->child1());
1517             break;
1518         }
1519
1520         case HasOwnProperty: {
1521             fixEdge<ObjectUse>(node->child1());
1522 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1523             // We don't have enough registers to do anything interesting on x86 and mips.
1524             fixEdge<UntypedUse>(node->child2());
1525 #else
1526             if (node->child2()->shouldSpeculateString())
1527                 fixEdge<StringUse>(node->child2());
1528             else if (node->child2()->shouldSpeculateSymbol())
1529                 fixEdge<SymbolUse>(node->child2());
1530             else
1531                 fixEdge<UntypedUse>(node->child2());
1532 #endif
1533             break;
1534         }
1535
1536         case Check: {
1537             m_graph.doToChildren(
1538                 node,
1539                 [&] (Edge& edge) {
1540                     switch (edge.useKind()) {
1541                     case NumberUse:
1542                         if (edge->shouldSpeculateInt32ForArithmetic())
1543                             edge.setUseKind(Int32Use);
1544                         break;
1545                     default:
1546                         break;
1547                     }
1548                     observeUseKindOnEdge(edge);
1549                 });
1550             break;
1551         }
1552
1553         case Phantom:
1554             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1555             node->remove();
1556             break;
1557
1558         case FiatInt52: {
1559             RELEASE_ASSERT(enableInt52());
1560             node->convertToIdentity();
1561             fixEdge<Int52RepUse>(node->child1());
1562             node->setResult(NodeResultInt52);
1563             break;
1564         }
1565
1566         case GetArrayLength: {
1567             fixEdge<KnownCellUse>(node->child1());
1568             break;
1569         }
1570
1571         case GetTypedArrayByteOffset: {
1572             fixEdge<KnownCellUse>(node->child1());
1573             break;
1574         }
1575
1576         case Phi:
1577         case Upsilon:
1578         case EntrySwitch:
1579         case GetIndexedPropertyStorage:
1580         case LastNodeType:
1581         case CheckTierUpInLoop:
1582         case CheckTierUpAtReturn:
1583         case CheckTierUpAndOSREnter:
1584         case InvalidationPoint:
1585         case CheckArray:
1586         case CheckInBounds:
1587         case ConstantStoragePointer:
1588         case DoubleAsInt32:
1589         case ValueToInt32:
1590         case DoubleRep:
1591         case ValueRep:
1592         case Int52Rep:
1593         case Int52Constant:
1594         case Identity: // This should have been cleaned up.
1595         case BooleanToNumber:
1596         case PhantomNewObject:
1597         case PhantomNewFunction:
1598         case PhantomNewGeneratorFunction:
1599         case PhantomNewAsyncGeneratorFunction:
1600         case PhantomNewAsyncFunction:
1601         case PhantomCreateActivation:
1602         case PhantomDirectArguments:
1603         case PhantomCreateRest:
1604         case PhantomSpread:
1605         case PhantomNewArrayWithSpread:
1606         case PhantomClonedArguments:
1607         case GetMyArgumentByVal:
1608         case GetMyArgumentByValOutOfBounds:
1609         case GetVectorLength:
1610         case PutHint:
1611         case CheckStructureImmediate:
1612         case CheckStructureOrEmpty:
1613         case MaterializeNewObject:
1614         case MaterializeCreateActivation:
1615         case PutStack:
1616         case KillStack:
1617         case GetStack:
1618         case StoreBarrier:
1619         case FencedStoreBarrier:
1620         case GetRegExpObjectLastIndex:
1621         case SetRegExpObjectLastIndex:
1622         case RecordRegExpCachedResult:
1623             // These are just nodes that we don't currently expect to see during fixup.
1624             // If we ever wanted to insert them prior to fixup, then we just have to create
1625             // fixup rules for them.
1626             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1627             break;
1628
1629         case PutGlobalVariable: {
1630             fixEdge<CellUse>(node->child1());
1631             speculateForBarrier(node->child2());
1632             break;
1633         }
1634
1635         case IsObject:
1636             if (node->child1()->shouldSpeculateObject()) {
1637                 m_insertionSet.insertNode(
1638                     m_indexInBlock, SpecNone, Check, node->origin,
1639                     Edge(node->child1().node(), ObjectUse));
1640                 m_graph.convertToConstant(node, jsBoolean(true));
1641                 observeUseKindOnNode<ObjectUse>(node);
1642             }
1643             break;
1644
1645         case IsCellWithType: {
1646             fixupIsCellWithType(node);
1647             break;
1648         }
1649
1650         case GetEnumerableLength: {
1651             fixEdge<CellUse>(node->child1());
1652             break;
1653         }
1654         case HasGenericProperty: {
1655             fixEdge<CellUse>(node->child2());
1656             break;
1657         }
1658         case HasStructureProperty: {
1659             fixEdge<StringUse>(node->child2());
1660             fixEdge<KnownCellUse>(node->child3());
1661             break;
1662         }
1663         case HasIndexedProperty: {
1664             node->setArrayMode(
1665                 node->arrayMode().refine(
1666                     m_graph, node,
1667                     node->child1()->prediction(),
1668                     node->child2()->prediction(),
1669                     SpecNone));
1670             
1671             blessArrayOperation(node->child1(), node->child2(), node->child3());
1672             fixEdge<CellUse>(node->child1());
1673             fixEdge<KnownInt32Use>(node->child2());
1674             break;
1675         }
1676         case GetDirectPname: {
1677             Edge& base = m_graph.varArgChild(node, 0);
1678             Edge& property = m_graph.varArgChild(node, 1);
1679             Edge& index = m_graph.varArgChild(node, 2);
1680             Edge& enumerator = m_graph.varArgChild(node, 3);
1681             fixEdge<CellUse>(base);
1682             fixEdge<KnownCellUse>(property);
1683             fixEdge<KnownInt32Use>(index);
1684             fixEdge<KnownCellUse>(enumerator);
1685             break;
1686         }
1687         case GetPropertyEnumerator: {
1688             fixEdge<CellUse>(node->child1());
1689             break;
1690         }
1691         case GetEnumeratorStructurePname: {
1692             fixEdge<KnownCellUse>(node->child1());
1693             fixEdge<KnownInt32Use>(node->child2());
1694             break;
1695         }
1696         case GetEnumeratorGenericPname: {
1697             fixEdge<KnownCellUse>(node->child1());
1698             fixEdge<KnownInt32Use>(node->child2());
1699             break;
1700         }
1701         case ToIndexString: {
1702             fixEdge<KnownInt32Use>(node->child1());
1703             break;
1704         }
1705         case ProfileType: {
1706             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1707             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1708             // type T for the instructionTypeSet, the global type set must also have information for type T.
1709             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1710             // in the globalTypeSet would've also succeeded.
1711             // (The other direction does not hold in general).
1712
1713             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1714             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1715             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1716                 if (node->child1()->shouldSpeculateInt32()) {
1717                     fixEdge<Int32Use>(node->child1());
1718                     node->remove();
1719                     break;
1720                 }
1721
1722                 if (enableInt52()) {
1723                     fixEdge<AnyIntUse>(node->child1());
1724                     node->remove();
1725                     break;
1726                 }
1727
1728                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1729             }
1730
1731             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1732                 fixEdge<NumberUse>(node->child1());
1733                 node->remove();
1734             } else if (typeSet->doesTypeConformTo(TypeString)) {
1735                 fixEdge<StringUse>(node->child1());
1736                 node->remove();
1737             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1738                 fixEdge<BooleanUse>(node->child1());
1739                 node->remove();
1740             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1741                 fixEdge<OtherUse>(node->child1());
1742                 node->remove();
1743             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1744                 StructureSet set;
1745                 {
1746                     ConcurrentJSLocker locker(typeSet->m_lock);
1747                     set = typeSet->structureSet(locker);
1748                 }
1749                 if (!set.isEmpty()) {
1750                     fixEdge<CellUse>(node->child1());
1751                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1752                 }
1753             }
1754
1755             break;
1756         }
1757
1758         case CreateClonedArguments: {
1759             watchHavingABadTime(node);
1760             break;
1761         }
1762
1763         case CreateScopedArguments:
1764         case CreateActivation:
1765         case NewFunction:
1766         case NewGeneratorFunction:
1767         case NewAsyncGeneratorFunction:
1768         case NewAsyncFunction: {
1769             // Child 1 is always the current scope, which is guaranteed to be an object
1770             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1771             fixEdge<KnownCellUse>(node->child1());
1772             break;
1773         }
1774
1775         case PushWithScope: {
1776             // Child 1 is always the current scope, which is guaranteed to be an object
1777             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1778             fixEdge<KnownCellUse>(node->child1());
1779             if (node->child2()->shouldSpeculateObject())
1780                 fixEdge<ObjectUse>(node->child2());
1781             break;
1782         }
1783
1784         case SetFunctionName: {
1785             // The first child is guaranteed to be a cell because op_set_function_name is only used
1786             // on a newly instantiated function object (the first child).
1787             fixEdge<KnownCellUse>(node->child1());
1788             fixEdge<UntypedUse>(node->child2());
1789             break;
1790         }
1791
1792         case CreateRest: {
1793             watchHavingABadTime(node);
1794             fixEdge<KnownInt32Use>(node->child1());
1795             break;
1796         }
1797
1798         case ResolveScopeForHoistingFuncDeclInEval: {
1799             fixEdge<KnownCellUse>(node->child1());
1800             break;
1801         }
1802         case ResolveScope:
1803         case GetDynamicVar:
1804         case PutDynamicVar: {
1805             fixEdge<KnownCellUse>(node->child1());
1806             break;
1807         }
1808
1809         case LogShadowChickenPrologue: {
1810             fixEdge<KnownCellUse>(node->child1());
1811             break;
1812         }
1813         case LogShadowChickenTail: {
1814             fixEdge<UntypedUse>(node->child1());
1815             fixEdge<KnownCellUse>(node->child2());
1816             break;
1817         }
1818
1819         case GetMapBucket:
1820             if (node->child1().useKind() == MapObjectUse)
1821                 fixEdge<MapObjectUse>(node->child1());
1822             else if (node->child1().useKind() == SetObjectUse)
1823                 fixEdge<SetObjectUse>(node->child1());
1824             else
1825                 RELEASE_ASSERT_NOT_REACHED();
1826
1827 #if USE(JSVALUE64)
1828             if (node->child2()->shouldSpeculateBoolean())
1829                 fixEdge<BooleanUse>(node->child2());
1830             else if (node->child2()->shouldSpeculateInt32())
1831                 fixEdge<Int32Use>(node->child2());
1832             else if (node->child2()->shouldSpeculateSymbol())
1833                 fixEdge<SymbolUse>(node->child2());
1834             else if (node->child2()->shouldSpeculateObject())
1835                 fixEdge<ObjectUse>(node->child2());
1836             else if (node->child2()->shouldSpeculateString())
1837                 fixEdge<StringUse>(node->child2());
1838             else if (node->child2()->shouldSpeculateCell())
1839                 fixEdge<CellUse>(node->child2());
1840             else
1841                 fixEdge<UntypedUse>(node->child2());
1842 #else
1843             fixEdge<UntypedUse>(node->child2());
1844 #endif // USE(JSVALUE64)
1845
1846             fixEdge<Int32Use>(node->child3());
1847             break;
1848
1849         case GetMapBucketHead:
1850             if (node->child1().useKind() == MapObjectUse)
1851                 fixEdge<MapObjectUse>(node->child1());
1852             else if (node->child1().useKind() == SetObjectUse)
1853                 fixEdge<SetObjectUse>(node->child1());
1854             else
1855                 RELEASE_ASSERT_NOT_REACHED();
1856             break;
1857
1858         case GetMapBucketNext:
1859         case LoadKeyFromMapBucket:
1860         case LoadValueFromMapBucket:
1861             fixEdge<CellUse>(node->child1());
1862             break;
1863
1864         case MapHash: {
1865 #if USE(JSVALUE64)
1866             if (node->child1()->shouldSpeculateBoolean()) {
1867                 fixEdge<BooleanUse>(node->child1());
1868                 break;
1869             }
1870
1871             if (node->child1()->shouldSpeculateInt32()) {
1872                 fixEdge<Int32Use>(node->child1());
1873                 break;
1874             }
1875
1876             if (node->child1()->shouldSpeculateSymbol()) {
1877                 fixEdge<SymbolUse>(node->child1());
1878                 break;
1879             }
1880
1881             if (node->child1()->shouldSpeculateObject()) {
1882                 fixEdge<ObjectUse>(node->child1());
1883                 break;
1884             }
1885
1886             if (node->child1()->shouldSpeculateString()) {
1887                 fixEdge<StringUse>(node->child1());
1888                 break;
1889             }
1890
1891             if (node->child1()->shouldSpeculateCell()) {
1892                 fixEdge<CellUse>(node->child1());
1893                 break;
1894             }
1895
1896             fixEdge<UntypedUse>(node->child1());
1897 #else
1898             fixEdge<UntypedUse>(node->child1());
1899 #endif // USE(JSVALUE64)
1900             break;
1901         }
1902
1903         case WeakMapGet: {
1904             fixEdge<WeakMapObjectUse>(node->child1());
1905             fixEdge<ObjectUse>(node->child2());
1906             fixEdge<Int32Use>(node->child3());
1907             break;
1908         }
1909
1910         case DefineDataProperty: {
1911             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1912             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1913             if (propertyEdge->shouldSpeculateSymbol())
1914                 fixEdge<SymbolUse>(propertyEdge);
1915             else if (propertyEdge->shouldSpeculateStringIdent())
1916                 fixEdge<StringIdentUse>(propertyEdge);
1917             else if (propertyEdge->shouldSpeculateString())
1918                 fixEdge<StringUse>(propertyEdge);
1919             else
1920                 fixEdge<UntypedUse>(propertyEdge);
1921             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1922             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1923             break;
1924         }
1925
1926         case ToLowerCase: {
1927             // We currently only support StringUse since that will ensure that
1928             // ToLowerCase is a pure operation. If we decide to update this with
1929             // more types in the future, we need to ensure that the clobberize rules
1930             // are correct.
1931             fixEdge<StringUse>(node->child1());
1932             break;
1933         }
1934
1935         case NumberToStringWithRadix: {
1936             if (node->child1()->shouldSpeculateInt32())
1937                 fixEdge<Int32Use>(node->child1());
1938             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
1939                 fixEdge<Int52RepUse>(node->child1());
1940             else
1941                 fixEdge<DoubleRepUse>(node->child1());
1942             fixEdge<Int32Use>(node->child2());
1943             break;
1944         }
1945
1946         case DefineAccessorProperty: {
1947             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1948             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1949             if (propertyEdge->shouldSpeculateSymbol())
1950                 fixEdge<SymbolUse>(propertyEdge);
1951             else if (propertyEdge->shouldSpeculateStringIdent())
1952                 fixEdge<StringIdentUse>(propertyEdge);
1953             else if (propertyEdge->shouldSpeculateString())
1954                 fixEdge<StringUse>(propertyEdge);
1955             else
1956                 fixEdge<UntypedUse>(propertyEdge);
1957             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
1958             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
1959             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
1960             break;
1961         }
1962
1963         case CheckSubClass: {
1964             fixupCheckSubClass(node);
1965             break;
1966         }
1967
1968         case CallDOMGetter: {
1969             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
1970             fixEdge<CellUse>(node->child1()); // DOM.
1971             if (snippet && snippet->requireGlobalObject)
1972                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
1973             break;
1974         }
1975
1976         case CallDOM: {
1977             fixupCallDOM(node);
1978             break;
1979         }
1980
1981         case Call: {
1982             attemptToMakeCallDOM(node);
1983             break;
1984         }
1985
1986         case ParseInt: {
1987             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
1988                 fixEdge<Int32Use>(node->child1());
1989                 node->convertToIdentity();
1990                 break;
1991             }
1992
1993             if (node->child1()->shouldSpeculateString()) {
1994                 fixEdge<StringUse>(node->child1());
1995                 node->clearFlags(NodeMustGenerate);
1996             }
1997
1998             if (node->child2())
1999                 fixEdge<Int32Use>(node->child2());
2000
2001             break;
2002         }
2003
2004         case IdentityWithProfile: {
2005             node->clearFlags(NodeMustGenerate);
2006             break;
2007         }
2008
2009         case ThrowStaticError:
2010             fixEdge<StringUse>(node->child1());
2011             break;
2012
2013 #if !ASSERT_DISABLED
2014         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2015         case SetArgument:
2016         case JSConstant:
2017         case LazyJSConstant:
2018         case DoubleConstant:
2019         case GetLocal:
2020         case GetCallee:
2021         case GetArgumentCountIncludingThis:
2022         case GetRestLength:
2023         case GetArgument:
2024         case Flush:
2025         case PhantomLocal:
2026         case GetLocalUnlinked:
2027         case GetGlobalVar:
2028         case GetGlobalLexicalVariable:
2029         case NotifyWrite:
2030         case DirectCall:
2031         case CheckTypeInfoFlags:
2032         case TailCallInlinedCaller:
2033         case DirectTailCallInlinedCaller:
2034         case Construct:
2035         case DirectConstruct:
2036         case CallVarargs:
2037         case CallEval:
2038         case TailCallVarargsInlinedCaller:
2039         case ConstructVarargs:
2040         case CallForwardVarargs:
2041         case ConstructForwardVarargs:
2042         case TailCallForwardVarargs:
2043         case TailCallForwardVarargsInlinedCaller:
2044         case LoadVarargs:
2045         case ForwardVarargs:
2046         case ProfileControlFlow:
2047         case NewObject:
2048         case NewRegexp:
2049         case DeleteById:
2050         case DeleteByVal:
2051         case IsTypedArrayView:
2052         case IsEmpty:
2053         case IsUndefined:
2054         case IsBoolean:
2055         case IsNumber:
2056         case IsObjectOrNull:
2057         case IsFunction:
2058         case CreateDirectArguments:
2059         case Jump:
2060         case Return:
2061         case TailCall:
2062         case DirectTailCall:
2063         case TailCallVarargs:
2064         case Throw:
2065         case CountExecution:
2066         case ForceOSRExit:
2067         case CheckBadCell:
2068         case CheckNotEmpty:
2069         case CheckTraps:
2070         case Unreachable:
2071         case ExtractOSREntryLocal:
2072         case ExtractCatchLocal:
2073         case LoopHint:
2074         case MovHint:
2075         case InitializeEntrypointArguments:
2076         case ZombieHint:
2077         case ExitOK:
2078         case BottomValue:
2079         case TypeOf:
2080         case PutByIdWithThis:
2081         case PutByValWithThis:
2082         case GetByValWithThis:
2083         case CompareEqPtr:
2084         case NumberToStringWithValidRadixConstant:
2085         case GetGlobalThis:
2086             break;
2087 #else
2088         default:
2089             break;
2090 #endif
2091         }
2092     }
2093
2094     void watchHavingABadTime(Node* node)
2095     {
2096         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2097
2098         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2099         // does an array allocation. The types of array allocations may change if we start to have a bad
2100         // time. It's easier to reason about this if we know that whenever the types change after we start
2101         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2102         // prior to this point nobody should have been doing optimizations based on the indexing type of
2103         // the allocation.
2104         if (!globalObject->isHavingABadTime()) {
2105             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2106             m_graph.freeze(globalObject);
2107         }
2108     }
2109     
2110     template<UseKind useKind>
2111     void createToString(Node* node, Edge& edge)
2112     {
2113         Node* toString = m_insertionSet.insertNode(
2114             m_indexInBlock, SpecString, ToString, node->origin,
2115             Edge(edge.node(), useKind));
2116         switch (useKind) {
2117         case Int32Use:
2118         case Int52RepUse:
2119         case DoubleRepUse:
2120         case NotCellUse:
2121             toString->clearFlags(NodeMustGenerate);
2122             break;
2123         default:
2124             break;
2125         }
2126         edge.setNode(toString);
2127     }
2128     
2129     template<UseKind useKind>
2130     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2131     {
2132         ASSERT(arrayMode == ArrayMode(Array::Generic));
2133         
2134         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2135             return;
2136         
2137         createToString<useKind>(node, node->child1());
2138         arrayMode = ArrayMode(Array::String);
2139     }
2140     
2141     template<UseKind useKind>
2142     bool isStringObjectUse()
2143     {
2144         switch (useKind) {
2145         case StringObjectUse:
2146         case StringOrStringObjectUse:
2147             return true;
2148         default:
2149             return false;
2150         }
2151     }
2152     
2153     template<UseKind useKind>
2154     void convertStringAddUse(Node* node, Edge& edge)
2155     {
2156         if (useKind == StringUse) {
2157             observeUseKindOnNode<StringUse>(edge.node());
2158             m_insertionSet.insertNode(
2159                 m_indexInBlock, SpecNone, Check, node->origin,
2160                 Edge(edge.node(), StringUse));
2161             edge.setUseKind(KnownStringUse);
2162             return;
2163         }
2164         
2165         observeUseKindOnNode<useKind>(edge.node());
2166         createToString<useKind>(node, edge);
2167     }
2168     
2169     void convertToMakeRope(Node* node)
2170     {
2171         node->setOpAndDefaultFlags(MakeRope);
2172         fixupMakeRope(node);
2173     }
2174     
2175     void fixupMakeRope(Node* node)
2176     {
2177         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2178             Edge& edge = node->children.child(i);
2179             if (!edge)
2180                 break;
2181             edge.setUseKind(KnownStringUse);
2182             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2183             if (!string)
2184                 continue;
2185             if (string->length())
2186                 continue;
2187             
2188             // Don't allow the MakeRope to have zero children.
2189             if (!i && !node->child2())
2190                 break;
2191             
2192             node->children.removeEdge(i--);
2193         }
2194         
2195         if (!node->child2()) {
2196             ASSERT(!node->child3());
2197             node->convertToIdentity();
2198         }
2199     }
2200
2201     void fixupIsCellWithType(Node* node)
2202     {
2203         switch (node->speculatedTypeForQuery()) {
2204         case SpecString:
2205             if (node->child1()->shouldSpeculateString()) {
2206                 m_insertionSet.insertNode(
2207                     m_indexInBlock, SpecNone, Check, node->origin,
2208                     Edge(node->child1().node(), StringUse));
2209                 m_graph.convertToConstant(node, jsBoolean(true));
2210                 observeUseKindOnNode<StringUse>(node);
2211                 return;
2212             }
2213             break;
2214
2215         case SpecProxyObject:
2216             if (node->child1()->shouldSpeculateProxyObject()) {
2217                 m_insertionSet.insertNode(
2218                     m_indexInBlock, SpecNone, Check, node->origin,
2219                     Edge(node->child1().node(), ProxyObjectUse));
2220                 m_graph.convertToConstant(node, jsBoolean(true));
2221                 observeUseKindOnNode<ProxyObjectUse>(node);
2222                 return;
2223             }
2224             break;
2225
2226         case SpecRegExpObject:
2227             if (node->child1()->shouldSpeculateRegExpObject()) {
2228                 m_insertionSet.insertNode(
2229                     m_indexInBlock, SpecNone, Check, node->origin,
2230                     Edge(node->child1().node(), RegExpObjectUse));
2231                 m_graph.convertToConstant(node, jsBoolean(true));
2232                 observeUseKindOnNode<RegExpObjectUse>(node);
2233                 return;
2234             }
2235             break;
2236
2237         case SpecArray:
2238             if (node->child1()->shouldSpeculateArray()) {
2239                 m_insertionSet.insertNode(
2240                     m_indexInBlock, SpecNone, Check, node->origin,
2241                     Edge(node->child1().node(), ArrayUse));
2242                 m_graph.convertToConstant(node, jsBoolean(true));
2243                 observeUseKindOnNode<ArrayUse>(node);
2244                 return;
2245             }
2246             break;
2247
2248         case SpecDerivedArray:
2249             if (node->child1()->shouldSpeculateDerivedArray()) {
2250                 m_insertionSet.insertNode(
2251                     m_indexInBlock, SpecNone, Check, node->origin,
2252                     Edge(node->child1().node(), DerivedArrayUse));
2253                 m_graph.convertToConstant(node, jsBoolean(true));
2254                 observeUseKindOnNode<DerivedArrayUse>(node);
2255                 return;
2256             }
2257             break;
2258         }
2259
2260         if (node->child1()->shouldSpeculateCell()) {
2261             fixEdge<CellUse>(node->child1());
2262             return;
2263         }
2264
2265         if (node->child1()->shouldSpeculateNotCell()) {
2266             m_insertionSet.insertNode(
2267                 m_indexInBlock, SpecNone, Check, node->origin,
2268                 Edge(node->child1().node(), NotCellUse));
2269             m_graph.convertToConstant(node, jsBoolean(false));
2270             observeUseKindOnNode<NotCellUse>(node);
2271             return;
2272         }
2273     }
2274
2275     void fixupToThis(Node* node)
2276     {
2277         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2278
2279         if (ecmaMode == StrictMode) {
2280             if (node->child1()->shouldSpeculateBoolean()) {
2281                 fixEdge<BooleanUse>(node->child1());
2282                 node->convertToIdentity();
2283                 return;
2284             }
2285
2286             if (node->child1()->shouldSpeculateInt32()) {
2287                 fixEdge<Int32Use>(node->child1());
2288                 node->convertToIdentity();
2289                 return;
2290             }
2291
2292             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2293                 fixEdge<Int52RepUse>(node->child1());
2294                 node->convertToIdentity();
2295                 node->setResult(NodeResultInt52);
2296                 return;
2297             }
2298
2299             if (node->child1()->shouldSpeculateNumber()) {
2300                 fixEdge<DoubleRepUse>(node->child1());
2301                 node->convertToIdentity();
2302                 node->setResult(NodeResultDouble);
2303                 return;
2304             }
2305
2306             if (node->child1()->shouldSpeculateSymbol()) {
2307                 fixEdge<SymbolUse>(node->child1());
2308                 node->convertToIdentity();
2309                 return;
2310             }
2311
2312             if (node->child1()->shouldSpeculateStringIdent()) {
2313                 fixEdge<StringIdentUse>(node->child1());
2314                 node->convertToIdentity();
2315                 return;
2316             }
2317
2318             if (node->child1()->shouldSpeculateString()) {
2319                 fixEdge<StringUse>(node->child1());
2320                 node->convertToIdentity();
2321                 return;
2322             }
2323         }
2324
2325         if (node->child1()->shouldSpeculateOther()) {
2326             if (ecmaMode == StrictMode) {
2327                 fixEdge<OtherUse>(node->child1());
2328                 node->convertToIdentity();
2329                 return;
2330             }
2331
2332             m_insertionSet.insertNode(
2333                 m_indexInBlock, SpecNone, Check, node->origin,
2334                 Edge(node->child1().node(), OtherUse));
2335             observeUseKindOnNode<OtherUse>(node->child1().node());
2336             m_graph.convertToConstant(
2337                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2338             return;
2339         }
2340
2341         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2342         // however, since we cover all the missing cases in constant folding.
2343         // https://bugs.webkit.org/show_bug.cgi?id=157213
2344         if (node->child1()->shouldSpeculateStringObject()) {
2345             fixEdge<StringObjectUse>(node->child1());
2346             node->convertToIdentity();
2347             return;
2348         }
2349
2350         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2351             fixEdge<FinalObjectUse>(node->child1());
2352             node->convertToIdentity();
2353             return;
2354         }
2355     }
2356     
2357     void fixupToPrimitive(Node* node)
2358     {
2359         if (node->child1()->shouldSpeculateInt32()) {
2360             fixEdge<Int32Use>(node->child1());
2361             node->convertToIdentity();
2362             return;
2363         }
2364         
2365         if (node->child1()->shouldSpeculateString()) {
2366             fixEdge<StringUse>(node->child1());
2367             node->convertToIdentity();
2368             return;
2369         }
2370         
2371         if (node->child1()->shouldSpeculateStringObject()
2372             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2373             fixEdge<StringObjectUse>(node->child1());
2374             node->convertToToString();
2375             return;
2376         }
2377         
2378         if (node->child1()->shouldSpeculateStringOrStringObject()
2379             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2380             fixEdge<StringOrStringObjectUse>(node->child1());
2381             node->convertToToString();
2382             return;
2383         }
2384     }
2385
2386     void fixupToNumber(Node* node)
2387     {
2388         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2389         if (node->child1()->shouldSpeculateNumber()) {
2390             if (isInt32Speculation(node->getHeapPrediction())) {
2391                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2392                 if (node->child1()->shouldSpeculateInt32()) {
2393                     fixEdge<Int32Use>(node->child1());
2394                     node->convertToIdentity();
2395                     return;
2396                 }
2397
2398                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2399                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2400                 fixEdge<DoubleRepUse>(node->child1());
2401                 node->setOp(DoubleAsInt32);
2402                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2403                     node->setArithMode(Arith::CheckOverflow);
2404                 else
2405                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2406                 return;
2407             }
2408
2409             fixEdge<DoubleRepUse>(node->child1());
2410             node->convertToIdentity();
2411             node->setResult(NodeResultDouble);
2412             return;
2413         }
2414
2415         fixEdge<UntypedUse>(node->child1());
2416         node->setResult(NodeResultJS);
2417     }
2418     
2419     void fixupToStringOrCallStringConstructor(Node* node)
2420     {
2421         if (node->child1()->shouldSpeculateString()) {
2422             fixEdge<StringUse>(node->child1());
2423             node->convertToIdentity();
2424             return;
2425         }
2426         
2427         if (node->child1()->shouldSpeculateStringObject()
2428             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2429             fixEdge<StringObjectUse>(node->child1());
2430             return;
2431         }
2432         
2433         if (node->child1()->shouldSpeculateStringOrStringObject()
2434             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2435             fixEdge<StringOrStringObjectUse>(node->child1());
2436             return;
2437         }
2438         
2439         if (node->child1()->shouldSpeculateCell()) {
2440             fixEdge<CellUse>(node->child1());
2441             return;
2442         }
2443
2444         if (node->child1()->shouldSpeculateInt32()) {
2445             fixEdge<Int32Use>(node->child1());
2446             node->clearFlags(NodeMustGenerate);
2447             return;
2448         }
2449
2450         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2451             fixEdge<Int52RepUse>(node->child1());
2452             node->clearFlags(NodeMustGenerate);
2453             return;
2454         }
2455
2456         if (node->child1()->shouldSpeculateNumber()) {
2457             fixEdge<DoubleRepUse>(node->child1());
2458             node->clearFlags(NodeMustGenerate);
2459             return;
2460         }
2461
2462         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2463         // we need to care about it in the clobberize. In the following case,
2464         // since NotCellUse edge filter is used and this edge filters Symbols,
2465         // we can say that ToString never throws an error!
2466         if (node->child1()->shouldSpeculateNotCell()) {
2467             fixEdge<NotCellUse>(node->child1());
2468             node->clearFlags(NodeMustGenerate);
2469             return;
2470         }
2471     }
2472
2473     bool attemptToMakeFastStringAdd(Node* node)
2474     {
2475         bool goodToGo = true;
2476         m_graph.doToChildren(
2477             node,
2478             [&] (Edge& edge) {
2479                 if (edge->shouldSpeculateString())
2480                     return;
2481                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2482                     if (edge->shouldSpeculateStringObject())
2483                         return;
2484                     if (edge->shouldSpeculateStringOrStringObject())
2485                         return;
2486                 }
2487                 goodToGo = false;
2488             });
2489         if (!goodToGo)
2490             return false;
2491
2492         m_graph.doToChildren(
2493             node,
2494             [&] (Edge& edge) {
2495                 if (edge->shouldSpeculateString()) {
2496                     convertStringAddUse<StringUse>(node, edge);
2497                     return;
2498                 }
2499                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2500                 if (edge->shouldSpeculateStringObject()) {
2501                     convertStringAddUse<StringObjectUse>(node, edge);
2502                     return;
2503                 }
2504                 if (edge->shouldSpeculateStringOrStringObject()) {
2505                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2506                     return;
2507                 }
2508                 RELEASE_ASSERT_NOT_REACHED();
2509             });
2510         
2511         convertToMakeRope(node);
2512         return true;
2513     }
2514
2515     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2516     {
2517         if (!block)
2518             return;
2519         ASSERT(block->isReachable);
2520         m_block = block;
2521         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2522             Node* node = m_currentNode = block->at(m_indexInBlock);
2523             if (node->op() != SetLocal && node->op() != GetLocal)
2524                 continue;
2525             
2526             VariableAccessData* variable = node->variableAccessData();
2527             switch (node->op()) {
2528             case GetLocal:
2529                 switch (variable->flushFormat()) {
2530                 case FlushedDouble:
2531                     node->setResult(NodeResultDouble);
2532                     break;
2533                 case FlushedInt52:
2534                     node->setResult(NodeResultInt52);
2535                     break;
2536                 default:
2537                     break;
2538                 }
2539                 break;
2540                 
2541             case SetLocal:
2542                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2543                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2544                 
2545                 switch (variable->flushFormat()) {
2546                 case FlushedJSValue:
2547                     break;
2548                 case FlushedDouble:
2549                     fixEdge<DoubleRepUse>(node->child1());
2550                     break;
2551                 case FlushedInt32:
2552                     fixEdge<Int32Use>(node->child1());
2553                     break;
2554                 case FlushedInt52:
2555                     fixEdge<Int52RepUse>(node->child1());
2556                     break;
2557                 case FlushedCell:
2558                     fixEdge<CellUse>(node->child1());
2559                     break;
2560                 case FlushedBoolean:
2561                     fixEdge<BooleanUse>(node->child1());
2562                     break;
2563                 default:
2564                     RELEASE_ASSERT_NOT_REACHED();
2565                     break;
2566                 }
2567                 break;
2568                 
2569             default:
2570                 RELEASE_ASSERT_NOT_REACHED();
2571                 break;
2572             }
2573         }
2574         m_insertionSet.execute(block);
2575     }
2576     
2577     void addStringReplacePrimordialChecks(Node* searchRegExp)
2578     {
2579         Node* node = m_currentNode;
2580
2581         // Check that structure of searchRegExp is RegExp object
2582         m_insertionSet.insertNode(
2583             m_indexInBlock, SpecNone, Check, node->origin,
2584             Edge(searchRegExp, RegExpObjectUse));
2585
2586         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2587             unsigned index = m_graph.identifiers().ensure(propertyUID);
2588
2589             Node* actualProperty = m_insertionSet.insertNode(
2590                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2591                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2592
2593             m_insertionSet.insertNode(
2594                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2595                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2596         };
2597
2598         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2599
2600         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2601         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2602         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2603         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2604         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2605         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2606         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2607         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2608     }
2609
2610     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2611     {
2612         ASSERT(arrayMode.isSpecific());
2613         
2614         if (arrayMode.type() == Array::String) {
2615             m_insertionSet.insertNode(
2616                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2617         } else {
2618             // Note that we only need to be using a structure check if we opt for SaneChain, since
2619             // that needs to protect against JSArray's __proto__ being changed.
2620             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2621         
2622             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2623             
2624             if (arrayMode.doesConversion()) {
2625                 if (structure) {
2626                     m_insertionSet.insertNode(
2627                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2628                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2629                 } else {
2630                     m_insertionSet.insertNode(
2631                         m_indexInBlock, SpecNone, Arrayify, origin,
2632                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2633                 }
2634             } else {
2635                 if (structure) {
2636                     m_insertionSet.insertNode(
2637                         m_indexInBlock, SpecNone, CheckStructure, origin,
2638                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2639                 } else {
2640                     m_insertionSet.insertNode(
2641                         m_indexInBlock, SpecNone, CheckArray, origin,
2642                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2643                 }
2644             }
2645         }
2646         
2647         if (!storageCheck(arrayMode))
2648             return nullptr;
2649         
2650         if (arrayMode.usesButterfly()) {
2651             return m_insertionSet.insertNode(
2652                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2653         }
2654         
2655         return m_insertionSet.insertNode(
2656             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2657             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2658     }
2659     
2660     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2661     {
2662         Node* node = m_currentNode;
2663         
2664         switch (node->arrayMode().type()) {
2665         case Array::ForceExit: {
2666             m_insertionSet.insertNode(
2667                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2668             return;
2669         }
2670             
2671         case Array::SelectUsingPredictions:
2672         case Array::Unprofiled:
2673             RELEASE_ASSERT_NOT_REACHED();
2674             return;
2675             
2676         case Array::Generic:
2677             return;
2678             
2679         default: {
2680             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2681             if (!storage)
2682                 return;
2683             
2684             storageChild = Edge(storage);
2685             return;
2686         } }
2687     }
2688     
2689     bool alwaysUnboxSimplePrimitives()
2690     {
2691 #if USE(JSVALUE64)
2692         return false;
2693 #else
2694         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2695         // reduces traffic.
2696         return true;
2697 #endif
2698     }
2699
2700     template<UseKind useKind>
2701     void observeUseKindOnNode(Node* node)
2702     {
2703         if (useKind == UntypedUse)
2704             return;
2705         observeUseKindOnNode(node, useKind);
2706     }
2707
2708     void observeUseKindOnEdge(Edge edge)
2709     {
2710         observeUseKindOnNode(edge.node(), edge.useKind());
2711     }
2712
2713     void observeUseKindOnNode(Node* node, UseKind useKind)
2714     {
2715         if (node->op() != GetLocal)
2716             return;
2717         
2718         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2719         // https://bugs.webkit.org/show_bug.cgi?id=121518
2720         
2721         VariableAccessData* variable = node->variableAccessData();
2722         switch (useKind) {
2723         case Int32Use:
2724         case KnownInt32Use:
2725             if (alwaysUnboxSimplePrimitives()
2726                 || isInt32Speculation(variable->prediction()))
2727                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2728             break;
2729         case NumberUse:
2730         case RealNumberUse:
2731         case DoubleRepUse:
2732         case DoubleRepRealUse:
2733             if (variable->doubleFormatState() == UsingDoubleFormat)
2734                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2735             break;
2736         case BooleanUse:
2737         case KnownBooleanUse:
2738             if (alwaysUnboxSimplePrimitives()
2739                 || isBooleanSpeculation(variable->prediction()))
2740                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2741             break;
2742         case Int52RepUse:
2743             if (isAnyIntSpeculation(variable->prediction()))
2744                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2745             break;
2746         case CellUse:
2747         case KnownCellUse:
2748         case ObjectUse:
2749         case FunctionUse:
2750         case StringUse:
2751         case KnownStringUse:
2752         case SymbolUse:
2753         case StringObjectUse:
2754         case StringOrStringObjectUse:
2755             if (alwaysUnboxSimplePrimitives()
2756                 || isCellSpeculation(variable->prediction()))
2757                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2758             break;
2759         default:
2760             break;
2761         }
2762     }
2763     
2764     template<UseKind useKind>
2765     void fixEdge(Edge& edge)
2766     {
2767         observeUseKindOnNode<useKind>(edge.node());
2768         edge.setUseKind(useKind);
2769     }
2770     
2771     unsigned indexForChecks()
2772     {
2773         unsigned index = m_indexInBlock;
2774         while (!m_block->at(index)->origin.exitOK)
2775             index--;
2776         return index;
2777     }
2778     
2779     NodeOrigin originForCheck(unsigned index)
2780     {
2781         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2782     }
2783     
2784     void speculateForBarrier(Edge value)
2785     {
2786         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2787         // the DFG anyway because if such a speculation would be wrong, we want to know before
2788         // we do an expensive compile.
2789         
2790         if (value->shouldSpeculateInt32()) {
2791             insertCheck<Int32Use>(value.node());
2792             return;
2793         }
2794             
2795         if (value->shouldSpeculateBoolean()) {
2796             insertCheck<BooleanUse>(value.node());
2797             return;
2798         }
2799             
2800         if (value->shouldSpeculateOther()) {
2801             insertCheck<OtherUse>(value.node());
2802             return;
2803         }
2804             
2805         if (value->shouldSpeculateNumber()) {
2806             insertCheck<NumberUse>(value.node());
2807             return;
2808         }
2809             
2810         if (value->shouldSpeculateNotCell()) {
2811             insertCheck<NotCellUse>(value.node());
2812             return;
2813         }
2814     }
2815     
2816     template<UseKind useKind>
2817     void insertCheck(Node* node)
2818     {
2819         observeUseKindOnNode<useKind>(node);
2820         unsigned index = indexForChecks();
2821         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
2822     }
2823
2824     void fixIntConvertingEdge(Edge& edge)
2825     {
2826         Node* node = edge.node();
2827         if (node->shouldSpeculateInt32OrBoolean()) {
2828             fixIntOrBooleanEdge(edge);
2829             return;
2830         }
2831         
2832         UseKind useKind;
2833         if (node->shouldSpeculateAnyInt())
2834             useKind = Int52RepUse;
2835         else if (node->shouldSpeculateNumber())
2836             useKind = DoubleRepUse;
2837         else
2838             useKind = NotCellUse;
2839         Node* newNode = m_insertionSet.insertNode(
2840             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
2841             Edge(node, useKind));
2842         observeUseKindOnNode(node, useKind);
2843         
2844         edge = Edge(newNode, KnownInt32Use);
2845     }
2846     
2847     void fixIntOrBooleanEdge(Edge& edge)
2848     {
2849         Node* node = edge.node();
2850         if (!node->sawBooleans()) {
2851             fixEdge<Int32Use>(edge);
2852             return;
2853         }
2854         
2855         UseKind useKind;
2856         if (node->shouldSpeculateBoolean())
2857             useKind = BooleanUse;
2858         else
2859             useKind = UntypedUse;
2860         Node* newNode = m_insertionSet.insertNode(
2861             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2862             Edge(node, useKind));
2863         observeUseKindOnNode(node, useKind);
2864         
2865         edge = Edge(newNode, Int32Use);
2866     }
2867     
2868     void fixDoubleOrBooleanEdge(Edge& edge)
2869     {
2870         Node* node = edge.node();
2871         if (!node->sawBooleans()) {
2872             fixEdge<DoubleRepUse>(edge);
2873             return;
2874         }
2875         
2876         UseKind useKind;
2877         if (node->shouldSpeculateBoolean())
2878             useKind = BooleanUse;
2879         else
2880             useKind = UntypedUse;
2881         Node* newNode = m_insertionSet.insertNode(
2882             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2883             Edge(node, useKind));
2884         observeUseKindOnNode(node, useKind);
2885         
2886         edge = Edge(newNode, DoubleRepUse);
2887     }
2888     
2889     void truncateConstantToInt32(Edge& edge)
2890     {
2891         Node* oldNode = edge.node();
2892         
2893         JSValue value = oldNode->asJSValue();
2894         if (value.isInt32())
2895             return;
2896         
2897         value = jsNumber(JSC::toInt32(value.asNumber()));
2898         ASSERT(value.isInt32());
2899         edge.setNode(m_insertionSet.insertNode(
2900             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
2901             OpInfo(m_graph.freeze(value))));
2902     }
2903     
2904     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
2905     {
2906         if (mode != SpeculateInt32AndTruncateConstants)
2907             return;
2908         
2909         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
2910         if (node->child1()->hasConstant())
2911             truncateConstantToInt32(node->child1());
2912         else
2913             truncateConstantToInt32(node->child2());
2914     }
2915
2916     bool attemptToMakeIntegerAdd(Node* node)
2917     {
2918         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
2919         if (mode != DontSpeculateInt32) {
2920             truncateConstantsIfNecessary(node, mode);
2921             fixIntOrBooleanEdge(node->child1());
2922             fixIntOrBooleanEdge(node->child2());
2923             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
2924                 node->setArithMode(Arith::Unchecked);
2925             else
2926                 node->setArithMode(Arith::CheckOverflow);
2927             return true;
2928         }
2929         
2930         if (m_graph.addShouldSpeculateAnyInt(node)) {
2931             fixEdge<Int52RepUse>(node->child1());
2932             fixEdge<Int52RepUse>(node->child2());
2933             node->setArithMode(Arith::CheckOverflow);
2934             node->setResult(NodeResultInt52);
2935             return true;
2936         }
2937         
2938         return false;
2939     }
2940     
2941     bool attemptToMakeGetArrayLength(Node* node)
2942     {
2943         if (!isInt32Speculation(node->prediction()))
2944             return false;
2945         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
2946         ArrayProfile* arrayProfile = 
2947             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
2948         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
2949         if (arrayProfile) {
2950             ConcurrentJSLocker locker(profiledBlock->m_lock);
2951             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
2952             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
2953             if (arrayMode.type() == Array::Unprofiled) {
2954                 // For normal array operations, it makes sense to treat Unprofiled
2955                 // accesses as ForceExit and get more data rather than using
2956                 // predictions and then possibly ending up with a Generic. But here,
2957                 // we treat anything that is Unprofiled as Generic and keep the
2958                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
2959                 // profit - from treating the Unprofiled case as
2960                 // SelectUsingPredictions.
2961                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
2962             }
2963         }
2964             
2965         arrayMode = arrayMode.refine(
2966             m_graph, node, node->child1()->prediction(), node->prediction());
2967             
2968         if (arrayMode.type() == Array::Generic) {
2969             // Check if the input is something that we can't get array length for, but for which we
2970             // could insert some conversions in order to transform it into something that we can do it
2971             // for.
2972             if (node->child1()->shouldSpeculateStringObject())
2973                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
2974             else if (node->child1()->shouldSpeculateStringOrStringObject())
2975                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
2976         }
2977             
2978         if (!arrayMode.supportsSelfLength())
2979             return false;
2980         
2981         convertToGetArrayLength(node, arrayMode);
2982         return true;
2983     }
2984
2985     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
2986     {
2987         node->setOp(GetArrayLength);
2988         node->clearFlags(NodeMustGenerate);
2989         fixEdge<KnownCellUse>(node->child1());
2990         node->setArrayMode(arrayMode);
2991             
2992         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
2993         if (!storage)
2994             return;
2995             
2996         node->child2() = Edge(storage);
2997     }
2998     
2999     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3000     {
3001         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3002         return m_insertionSet.insertNode(
3003             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3004             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3005     }
3006
3007     void convertToHasIndexedProperty(Node* node)
3008     {
3009         node->setOp(HasIndexedProperty);
3010         node->clearFlags(NodeMustGenerate);
3011         node->setArrayMode(
3012             node->arrayMode().refine(
3013                 m_graph, node,
3014                 node->child1()->prediction(),
3015                 node->child2()->prediction(),
3016                 SpecNone));
3017         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3018
3019         blessArrayOperation(node->child1(), node->child2(), node->child3());
3020
3021         fixEdge<CellUse>(node->child1());
3022         fixEdge<Int32Use>(node->child2());
3023     }
3024
3025     bool attemptToMakeCallDOM(Node* node)
3026     {
3027         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3028             return false;
3029
3030         const DOMJIT::Signature* signature = node->signature();
3031         if (!signature)
3032             return false;
3033
3034         {
3035             unsigned index = 0;
3036             bool shouldConvertToCallDOM = true;
3037             m_graph.doToChildren(node, [&](Edge& edge) {
3038                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3039                 if (!index)
3040                     return;
3041
3042                 if (index == 1) {
3043                     // DOM node case.
3044                     if (edge->shouldSpeculateNotCell())
3045                         shouldConvertToCallDOM = false;
3046                 } else {
3047                     switch (signature->arguments[index - 2]) {
3048                     case SpecString:
3049                         if (edge->shouldSpeculateNotString())
3050                             shouldConvertToCallDOM = false;
3051                         break;
3052                     case SpecInt32Only:
3053                         if (edge->shouldSpeculateNotInt32())
3054                             shouldConvertToCallDOM = false;
3055                         break;
3056                     case SpecBoolean:
3057                         if (edge->shouldSpeculateNotBoolean())
3058                             shouldConvertToCallDOM = false;
3059                         break;
3060                     default:
3061                         RELEASE_ASSERT_NOT_REACHED();
3062                         break;
3063                     }
3064                 }
3065                 ++index;
3066             });
3067             if (!shouldConvertToCallDOM)
3068                 return false;
3069         }
3070
3071         Node* thisNode = m_graph.varArgChild(node, 1).node();
3072         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3073         node->convertToCallDOM(m_graph);
3074         fixupCheckSubClass(checkSubClass);
3075         fixupCallDOM(node);
3076         return true;
3077     }
3078
3079     void fixupCheckSubClass(Node* node)
3080     {
3081         fixEdge<CellUse>(node->child1());
3082     }
3083
3084     void fixupCallDOM(Node* node)
3085     {
3086         const DOMJIT::Signature* signature = node->signature();
3087         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3088             if (!edge)
3089                 return;
3090             switch (signature->arguments[argumentIndex]) {
3091             case SpecString:
3092                 fixEdge<StringUse>(edge);
3093                 break;
3094             case SpecInt32Only:
3095                 fixEdge<Int32Use>(edge);
3096                 break;
3097             case SpecBoolean:
3098                 fixEdge<BooleanUse>(edge);
3099                 break;
3100             default:
3101                 RELEASE_ASSERT_NOT_REACHED();
3102                 break;
3103             }
3104         };
3105         fixEdge<CellUse>(node->child1()); // DOM.
3106         fixup(node->child2(), 0);
3107         fixup(node->child3(), 1);
3108     }
3109
3110     void fixupArrayIndexOf(Node* node)
3111     {
3112         Edge& array = m_graph.varArgChild(node, 0);
3113         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3114         blessArrayOperation(array, Edge(), storage);
3115         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3116
3117         Edge& searchElement = m_graph.varArgChild(node, 1);
3118
3119         // Constant folding.
3120         switch (node->arrayMode().type()) {
3121         case Array::Double:
3122         case Array::Int32: {
3123             if (searchElement->shouldSpeculateCell()) {
3124                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3125                 m_graph.convertToConstant(node, jsNumber(-1));
3126                 observeUseKindOnNode<CellUse>(searchElement.node());
3127                 return;
3128             }
3129
3130             if (searchElement->shouldSpeculateOther()) {
3131                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3132                 m_graph.convertToConstant(node, jsNumber(-1));
3133                 observeUseKindOnNode<OtherUse>(searchElement.node());
3134                 return;
3135             }
3136
3137             if (searchElement->shouldSpeculateBoolean()) {
3138                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3139                 m_graph.convertToConstant(node, jsNumber(-1));
3140                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3141                 return;
3142             }
3143             break;
3144         }
3145         default:
3146             break;
3147         }
3148
3149         fixEdge<KnownCellUse>(array);
3150         if (node->numChildren() == 4)
3151             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3152
3153         switch (node->arrayMode().type()) {
3154         case Array::Double: {
3155             if (searchElement->shouldSpeculateNumber())
3156                 fixEdge<DoubleRepUse>(searchElement);
3157             return;
3158         }
3159         case Array::Int32: {
3160             if (searchElement->shouldSpeculateInt32())
3161                 fixEdge<Int32Use>(searchElement);
3162             return;
3163         }
3164         case Array::Contiguous: {
3165             if (searchElement->shouldSpeculateString())
3166                 fixEdge<StringUse>(searchElement);
3167             else if (searchElement->shouldSpeculateSymbol())
3168                 fixEdge<SymbolUse>(searchElement);
3169             else if (searchElement->shouldSpeculateOther())
3170                 fixEdge<OtherUse>(searchElement);
3171             else if (searchElement->shouldSpeculateObject())
3172                 fixEdge<ObjectUse>(searchElement);
3173             return;
3174         }
3175         default:
3176             RELEASE_ASSERT_NOT_REACHED();
3177             return;
3178         }
3179     }
3180
3181     void fixupChecksInBlock(BasicBlock* block)
3182     {
3183         if (!block)
3184             return;
3185         ASSERT(block->isReachable);
3186         m_block = block;
3187         unsigned indexForChecks = UINT_MAX;
3188         NodeOrigin originForChecks;
3189         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3190             Node* node = block->at(indexInBlock);
3191
3192             // If this is a node at which we could exit, then save its index. If nodes after this one
3193             // cannot exit, then we will hoist checks to here.
3194             if (node->origin.exitOK) {
3195                 indexForChecks = indexInBlock;
3196                 originForChecks = node->origin;
3197             }
3198
3199             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3200             
3201             // First, try to relax the representational demands of each node, in order to have
3202             // fewer conversions.
3203             switch (node->op()) {
3204             case MovHint:
3205             case Check:
3206                 m_graph.doToChildren(
3207                     node,
3208                     [&] (Edge& edge) {
3209                         switch (edge.useKind()) {
3210                         case DoubleRepUse:
3211                         case DoubleRepRealUse:
3212                             if (edge->hasDoubleResult())
3213                                 break;
3214             
3215                             if (edge->hasInt52Result())
3216                                 edge.setUseKind(Int52RepUse);
3217                             else if (edge.useKind() == DoubleRepUse)
3218                                 edge.setUseKind(NumberUse);
3219                             break;
3220             
3221                         case Int52RepUse:
3222                             // Nothing we can really do.
3223                             break;
3224             
3225                         case UntypedUse:
3226                         case NumberUse:
3227                             if (edge->hasDoubleResult())
3228                                 edge.setUseKind(DoubleRepUse);
3229                             else if (edge->hasInt52Result())
3230                                 edge.setUseKind(Int52RepUse);
3231                             break;
3232             
3233                         case RealNumberUse:
3234                             if (edge->hasDoubleResult())
3235                                 edge.setUseKind(DoubleRepRealUse);
3236                             else if (edge->hasInt52Result())
3237                                 edge.setUseKind(Int52RepUse);
3238                             break;
3239             
3240                         default:
3241                             break;
3242                         }
3243                     });
3244                 break;
3245                 
3246             case ValueToInt32:
3247                 if (node->child1().useKind() == DoubleRepUse
3248                     && !node->child1()->hasDoubleResult()) {
3249                     node->child1().setUseKind(NumberUse);
3250                     break;
3251                 }
3252                 break;
3253                 
3254             default:
3255                 break;
3256             }
3257
3258             // Now, insert type conversions if necessary.
3259             m_graph.doToChildren(
3260                 node,
3261                 [&] (Edge& edge) {
3262                     Node* result = nullptr;
3263
3264                     switch (edge.useKind()) {
3265                     case DoubleRepUse:
3266                     case DoubleRepRealUse:
3267                     case DoubleRepAnyIntUse: {
3268                         if (edge->hasDoubleResult())
3269                             break;
3270             
3271                         ASSERT(indexForChecks != UINT_MAX);
3272                         if (edge->isNumberConstant()) {
3273                             result = m_insertionSet.insertNode(
3274                                 indexForChecks, SpecBytecodeDouble, DoubleConstant, originForChecks,
3275                                 OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber()))));
3276                         } else if (edge->hasInt52Result()) {
3277                             result = m_insertionSet.insertNode(
3278                                 indexForChecks, SpecAnyIntAsDouble, DoubleRep, originForChecks,
3279                                 Edge(edge.node(), Int52RepUse));
3280                         } else {
3281                             UseKind useKind;
3282                             if (edge->shouldSpeculateDoubleReal())
3283                                 useKind = RealNumberUse;
3284                             else if (edge->shouldSpeculateNumber())
3285                                 useKind = NumberUse;
3286                             else
3287                                 useKind = NotCellUse;
3288
3289                             result = m_insertionSet.insertNode(
3290                                 indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks,
3291                                 Edge(edge.node(), useKind));
3292                         }
3293
3294                         edge.setNode(result);
3295                         break;
3296                     }
3297             
3298                     case Int52RepUse: {
3299                         if (edge->hasInt52Result())
3300                             break;
3301             
3302                         ASSERT(indexForChecks != UINT_MAX);
3303                         if (edge->isAnyIntConstant()) {
3304                             result = m_insertionSet.insertNode(
3305                                 indexForChecks, SpecAnyInt, Int52Constant, originForChecks,
3306                                 OpInfo(edge->constant()));
3307                         } else if (edge->hasDoubleResult()) {
3308                             result = m_insertionSet.insertNode(
3309                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3310                                 Edge(edge.node(), DoubleRepAnyIntUse));
3311                         } else if (edge->shouldSpeculateInt32ForArithmetic()) {
3312                             result = m_insertionSet.insertNode(
3313                                 indexForChecks, SpecInt32Only, Int52Rep, originForChecks,
3314                                 Edge(edge.node(), Int32Use));
3315                         } else {
3316                             result = m_insertionSet.insertNode(
3317                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3318                                 Edge(edge.node(), AnyIntUse));
3319                         }
3320
3321                         edge.setNode(result);
3322                         break;
3323                     }
3324
3325                     default: {
3326                         if (!edge->hasDoubleResult() && !edge->hasInt52Result())
3327                             break;
3328             
3329                         ASSERT(indexForChecks != UINT_MAX);
3330                         if (edge->hasDoubleResult()) {
3331                             result = m_insertionSet.insertNode(
3332                                 indexForChecks, SpecBytecodeDouble, ValueRep, originForChecks,
3333                                 Edge(edge.node(), DoubleRepUse));
3334                         } else {
3335                             result = m_insertionSet.insertNode(
3336                                 indexForChecks, SpecInt32Only | SpecAnyIntAsDouble, ValueRep,
3337                                 originForChecks, Edge(edge.node(), Int52RepUse));
3338                         }
3339
3340                         edge.setNode(result);
3341                         break;
3342                     } }
3343
3344                     // It's remotely possible that this node cannot do type checks, but we now have a
3345                     // type check on this node. We don't have to handle the general form of this
3346                     // problem. It only arises when ByteCodeParser emits an immediate SetLocal, rather
3347                     // than a delayed one. So, we only worry about those checks that we may have put on
3348                     // a SetLocal. Note that "indexForChecks != indexInBlock" is just another way of
3349                     // saying "!node->origin.exitOK".
3350                     if (indexForChecks != indexInBlock && mayHaveTypeCheck(edge.useKind())) {
3351                         UseKind knownUseKind;
3352                         
3353                         switch (edge.useKind()) {
3354                         case Int32Use:
3355                             knownUseKind = KnownInt32Use;
3356                             break;
3357                         case CellUse:
3358                             knownUseKind = KnownCellUse;
3359                             break;
3360                         case BooleanUse:
3361                             knownUseKind = KnownBooleanUse;
3362                             break;
3363                         default:
3364                             // This can only arise if we have a Check node, and in that case, we can
3365                             // just remove the original check.
3366                             DFG_ASSERT(m_graph, node, node->op() == Check);
3367                             knownUseKind = UntypedUse;
3368                             break;
3369                         }
3370
3371                         ASSERT(indexForChecks != UINT_MAX);
3372                         m_insertionSet.insertNode(
3373                             indexForChecks, SpecNone, Check, originForChecks, edge);
3374
3375                         edge.setUseKind(knownUseKind);
3376                     }
3377                 });
3378         }
3379         
3380         m_insertionSet.execute(block);
3381     }
3382     
3383     BasicBlock* m_block;
3384     unsigned m_indexInBlock;
3385     Node* m_currentNode;
3386     InsertionSet m_insertionSet;
3387     bool m_profitabilityChanged;
3388 };
3389     
3390 bool performFixup(Graph& graph)
3391 {
3392     return runPhase<FixupPhase>(graph);
3393 }
3394
3395 } } // namespace JSC::DFG
3396
3397 #endif // ENABLE(DFG_JIT)
3398