[ESNext][BigInt] Add support for BigInt in SpeculatedType
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149             
150         case ValueAdd: {
151             if (attemptToMakeIntegerAdd(node)) {
152                 node->setOp(ArithAdd);
153                 break;
154             }
155             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
156                 fixDoubleOrBooleanEdge(node->child1());
157                 fixDoubleOrBooleanEdge(node->child2());
158                 node->setOp(ArithAdd);
159                 node->setResult(NodeResultDouble);
160                 break;
161             }
162             
163             if (attemptToMakeFastStringAdd(node))
164                 break;
165
166             Edge& child1 = node->child1();
167             Edge& child2 = node->child2();
168             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
169                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
170                     auto convertString = [&](Node* node, Edge& edge) {
171                         if (edge->shouldSpeculateInt32())
172                             convertStringAddUse<Int32Use>(node, edge);
173                         else {
174                             ASSERT(edge->shouldSpeculateString());
175                             convertStringAddUse<StringUse>(node, edge);
176                         }
177                     };
178                     convertString(node, child1);
179                     convertString(node, child2);
180                     convertToMakeRope(node);
181                     break;
182                 }
183             }
184
185             fixEdge<UntypedUse>(child1);
186             fixEdge<UntypedUse>(child2);
187             node->setResult(NodeResultJS);
188             break;
189         }
190
191         case StrCat: {
192             if (attemptToMakeFastStringAdd(node))
193                 break;
194
195             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
196             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
197             // the implementation of StrCat doesn't dynamically optimize for empty strings.
198             // https://bugs.webkit.org/show_bug.cgi?id=148540
199             m_graph.doToChildren(
200                 node,
201                 [&] (Edge& edge) {
202                     fixEdge<KnownPrimitiveUse>(edge);
203                     // StrCat automatically coerces the values into strings before concatenating them.
204                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
205                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
206                     // our runtime functions for this slow path expect that they will never be passed
207                     // Symbols.
208                     m_insertionSet.insertNode(
209                         m_indexInBlock, SpecNone, Check, node->origin,
210                         Edge(edge.node(), NotSymbolUse));
211                 });
212             break;
213         }
214             
215         case MakeRope: {
216             fixupMakeRope(node);
217             break;
218         }
219             
220         case ArithAdd:
221         case ArithSub: {
222             if (op == ArithSub
223                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
224                 fixEdge<UntypedUse>(node->child1());
225                 fixEdge<UntypedUse>(node->child2());
226                 node->setResult(NodeResultJS);
227                 break;
228             }
229             if (attemptToMakeIntegerAdd(node))
230                 break;
231             fixDoubleOrBooleanEdge(node->child1());
232             fixDoubleOrBooleanEdge(node->child2());
233             node->setResult(NodeResultDouble);
234             break;
235         }
236             
237         case ArithNegate: {
238             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
239                 fixIntOrBooleanEdge(node->child1());
240                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
241                     node->setArithMode(Arith::Unchecked);
242                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
243                     node->setArithMode(Arith::CheckOverflow);
244                 else
245                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
246                 node->setResult(NodeResultInt32);
247                 node->clearFlags(NodeMustGenerate);
248                 break;
249             }
250             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
251                 fixEdge<Int52RepUse>(node->child1());
252                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
253                     node->setArithMode(Arith::CheckOverflow);
254                 else
255                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
256                 node->setResult(NodeResultInt52);
257                 node->clearFlags(NodeMustGenerate);
258                 break;
259             }
260             if (node->child1()->shouldSpeculateNotCell()) {
261                 fixDoubleOrBooleanEdge(node->child1());
262                 node->setResult(NodeResultDouble);
263                 node->clearFlags(NodeMustGenerate);
264             } else
265                 fixEdge<UntypedUse>(node->child1());
266             break;
267         }
268             
269         case ArithMul: {
270             Edge& leftChild = node->child1();
271             Edge& rightChild = node->child2();
272             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
273                 fixEdge<UntypedUse>(leftChild);
274                 fixEdge<UntypedUse>(rightChild);
275                 node->setResult(NodeResultJS);
276                 break;
277             }
278             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
279                 fixIntOrBooleanEdge(leftChild);
280                 fixIntOrBooleanEdge(rightChild);
281                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
282                     node->setArithMode(Arith::Unchecked);
283                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
284                     || leftChild.node() == rightChild.node())
285                     node->setArithMode(Arith::CheckOverflow);
286                 else
287                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
288                 break;
289             }
290             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
291                 fixEdge<Int52RepUse>(leftChild);
292                 fixEdge<Int52RepUse>(rightChild);
293                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
294                     || leftChild.node() == rightChild.node())
295                     node->setArithMode(Arith::CheckOverflow);
296                 else
297                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
298                 node->setResult(NodeResultInt52);
299                 break;
300             }
301             fixDoubleOrBooleanEdge(leftChild);
302             fixDoubleOrBooleanEdge(rightChild);
303             node->setResult(NodeResultDouble);
304             break;
305         }
306
307         case ArithDiv:
308         case ArithMod: {
309             Edge& leftChild = node->child1();
310             Edge& rightChild = node->child2();
311             if (op == ArithDiv
312                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
313                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
314                 fixEdge<UntypedUse>(leftChild);
315                 fixEdge<UntypedUse>(rightChild);
316                 node->setResult(NodeResultJS);
317                 break;
318             }
319             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
320                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
321                     fixIntOrBooleanEdge(leftChild);
322                     fixIntOrBooleanEdge(rightChild);
323                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
324                         node->setArithMode(Arith::Unchecked);
325                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
326                         node->setArithMode(Arith::CheckOverflow);
327                     else
328                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
329                     break;
330                 }
331                 
332                 // This will cause conversion nodes to be inserted later.
333                 fixDoubleOrBooleanEdge(leftChild);
334                 fixDoubleOrBooleanEdge(rightChild);
335                 
336                 // We don't need to do ref'ing on the children because we're stealing them from
337                 // the original division.
338                 Node* newDivision = m_insertionSet.insertNode(
339                     m_indexInBlock, SpecBytecodeDouble, *node);
340                 newDivision->setResult(NodeResultDouble);
341                 
342                 node->setOp(DoubleAsInt32);
343                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
344                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
345                     node->setArithMode(Arith::CheckOverflow);
346                 else
347                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
348                 break;
349             }
350             fixDoubleOrBooleanEdge(leftChild);
351             fixDoubleOrBooleanEdge(rightChild);
352             node->setResult(NodeResultDouble);
353             break;
354         }
355             
356         case ArithMin:
357         case ArithMax: {
358             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
359                 fixIntOrBooleanEdge(node->child1());
360                 fixIntOrBooleanEdge(node->child2());
361                 break;
362             }
363             fixDoubleOrBooleanEdge(node->child1());
364             fixDoubleOrBooleanEdge(node->child2());
365             node->setResult(NodeResultDouble);
366             break;
367         }
368             
369         case ArithAbs: {
370             if (node->child1()->shouldSpeculateInt32OrBoolean()
371                 && node->canSpeculateInt32(FixupPass)) {
372                 fixIntOrBooleanEdge(node->child1());
373                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
374                     node->setArithMode(Arith::Unchecked);
375                 else
376                     node->setArithMode(Arith::CheckOverflow);
377                 node->clearFlags(NodeMustGenerate);
378                 node->setResult(NodeResultInt32);
379                 break;
380             }
381
382             if (node->child1()->shouldSpeculateNotCell()) {
383                 fixDoubleOrBooleanEdge(node->child1());
384                 node->clearFlags(NodeMustGenerate);
385             } else
386                 fixEdge<UntypedUse>(node->child1());
387             node->setResult(NodeResultDouble);
388             break;
389         }
390
391         case ArithPow: {
392             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
393                 fixDoubleOrBooleanEdge(node->child1());
394                 fixIntOrBooleanEdge(node->child2());
395                 break;
396             }
397
398             fixDoubleOrBooleanEdge(node->child1());
399             fixDoubleOrBooleanEdge(node->child2());
400             break;
401         }
402
403         case ArithRandom: {
404             node->setResult(NodeResultDouble);
405             break;
406         }
407
408         case ArithRound:
409         case ArithFloor:
410         case ArithCeil:
411         case ArithTrunc: {
412             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
413                 fixIntOrBooleanEdge(node->child1());
414                 insertCheck<Int32Use>(node->child1().node());
415                 node->convertToIdentity();
416                 break;
417             }
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420
421                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
422                     node->setResult(NodeResultInt32);
423                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
424                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
425                     else
426                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
427                 } else {
428                     node->setResult(NodeResultDouble);
429                     node->setArithRoundingMode(Arith::RoundingMode::Double);
430                 }
431                 node->clearFlags(NodeMustGenerate);
432             } else
433                 fixEdge<UntypedUse>(node->child1());
434             break;
435         }
436
437         case ArithFRound:
438         case ArithSqrt:
439         case ArithUnary: {
440             Edge& child1 = node->child1();
441             if (child1->shouldSpeculateNotCell()) {
442                 fixDoubleOrBooleanEdge(child1);
443                 node->clearFlags(NodeMustGenerate);
444             } else
445                 fixEdge<UntypedUse>(child1);
446             break;
447         }
448             
449         case LogicalNot: {
450             if (node->child1()->shouldSpeculateBoolean()) {
451                 if (node->child1()->result() == NodeResultBoolean) {
452                     // This is necessary in case we have a bytecode instruction implemented by:
453                     //
454                     // a: CompareEq(...)
455                     // b: LogicalNot(@a)
456                     //
457                     // In that case, CompareEq might have a side-effect. Then, we need to make
458                     // sure that we know that Branch does not exit.
459                     fixEdge<KnownBooleanUse>(node->child1());
460                 } else
461                     fixEdge<BooleanUse>(node->child1());
462             } else if (node->child1()->shouldSpeculateObjectOrOther())
463                 fixEdge<ObjectOrOtherUse>(node->child1());
464             else if (node->child1()->shouldSpeculateInt32OrBoolean())
465                 fixIntOrBooleanEdge(node->child1());
466             else if (node->child1()->shouldSpeculateNumber())
467                 fixEdge<DoubleRepUse>(node->child1());
468             else if (node->child1()->shouldSpeculateString())
469                 fixEdge<StringUse>(node->child1());
470             else if (node->child1()->shouldSpeculateStringOrOther())
471                 fixEdge<StringOrOtherUse>(node->child1());
472             else {
473                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
474                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
475                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
476             }
477             break;
478         }
479
480         case CompareEq:
481         case CompareLess:
482         case CompareLessEq:
483         case CompareGreater:
484         case CompareGreaterEq: {
485             if (node->op() == CompareEq
486                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
487                 fixEdge<BooleanUse>(node->child1());
488                 fixEdge<BooleanUse>(node->child2());
489                 node->clearFlags(NodeMustGenerate);
490                 break;
491             }
492             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
493                 fixIntOrBooleanEdge(node->child1());
494                 fixIntOrBooleanEdge(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (enableInt52()
499                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
500                 fixEdge<Int52RepUse>(node->child1());
501                 fixEdge<Int52RepUse>(node->child2());
502                 node->clearFlags(NodeMustGenerate);
503                 break;
504             }
505             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
506                 fixDoubleOrBooleanEdge(node->child1());
507                 fixDoubleOrBooleanEdge(node->child2());
508             }
509             if (node->op() != CompareEq
510                 && node->child1()->shouldSpeculateNotCell()
511                 && node->child2()->shouldSpeculateNotCell()) {
512                 if (node->child1()->shouldSpeculateNumberOrBoolean())
513                     fixDoubleOrBooleanEdge(node->child1());
514                 else
515                     fixEdge<DoubleRepUse>(node->child1());
516                 if (node->child2()->shouldSpeculateNumberOrBoolean())
517                     fixDoubleOrBooleanEdge(node->child2());
518                 else
519                     fixEdge<DoubleRepUse>(node->child2());
520                 node->clearFlags(NodeMustGenerate);
521                 break;
522             }
523             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
524                 fixEdge<StringIdentUse>(node->child1());
525                 fixEdge<StringIdentUse>(node->child2());
526                 node->clearFlags(NodeMustGenerate);
527                 break;
528             }
529             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
530                 fixEdge<StringUse>(node->child1());
531                 fixEdge<StringUse>(node->child2());
532                 node->clearFlags(NodeMustGenerate);
533                 break;
534             }
535
536             if (node->op() != CompareEq)
537                 break;
538             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
539                 fixEdge<SymbolUse>(node->child1());
540                 fixEdge<SymbolUse>(node->child2());
541                 node->clearFlags(NodeMustGenerate);
542                 break;
543             }
544             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
545                 fixEdge<ObjectUse>(node->child1());
546                 fixEdge<ObjectUse>(node->child2());
547                 node->clearFlags(NodeMustGenerate);
548                 break;
549             }
550
551             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
552             bool oneArgumentIsUsedAsSpecOther = false;
553             if (node->child1()->isUndefinedOrNullConstant()) {
554                 fixEdge<OtherUse>(node->child1());
555                 oneArgumentIsUsedAsSpecOther = true;
556             } else if (node->child1()->shouldSpeculateOther()) {
557                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
558                     Edge(node->child1().node(), OtherUse));
559                 fixEdge<OtherUse>(node->child1());
560                 oneArgumentIsUsedAsSpecOther = true;
561             }
562             if (node->child2()->isUndefinedOrNullConstant()) {
563                 fixEdge<OtherUse>(node->child2());
564                 oneArgumentIsUsedAsSpecOther = true;
565             } else if (node->child2()->shouldSpeculateOther()) {
566                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
567                     Edge(node->child2().node(), OtherUse));
568                 fixEdge<OtherUse>(node->child2());
569                 oneArgumentIsUsedAsSpecOther = true;
570             }
571             if (oneArgumentIsUsedAsSpecOther) {
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575
576             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
577                 fixEdge<ObjectUse>(node->child1());
578                 fixEdge<ObjectOrOtherUse>(node->child2());
579                 node->clearFlags(NodeMustGenerate);
580                 break;
581             }
582             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
583                 fixEdge<ObjectOrOtherUse>(node->child1());
584                 fixEdge<ObjectUse>(node->child2());
585                 node->clearFlags(NodeMustGenerate);
586                 break;
587             }
588
589             break;
590         }
591             
592         case CompareStrictEq: {
593             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
594                 fixEdge<BooleanUse>(node->child1());
595                 fixEdge<BooleanUse>(node->child2());
596                 break;
597             }
598             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
599                 fixEdge<Int32Use>(node->child1());
600                 fixEdge<Int32Use>(node->child2());
601                 break;
602             }
603             if (enableInt52()
604                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
605                 fixEdge<Int52RepUse>(node->child1());
606                 fixEdge<Int52RepUse>(node->child2());
607                 break;
608             }
609             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
610                 fixEdge<DoubleRepUse>(node->child1());
611                 fixEdge<DoubleRepUse>(node->child2());
612                 break;
613             }
614             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
615                 fixEdge<SymbolUse>(node->child1());
616                 fixEdge<SymbolUse>(node->child2());
617                 break;
618             }
619             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
620                 fixEdge<BigIntUse>(node->child1());
621                 fixEdge<BigIntUse>(node->child2());
622                 break;
623             }
624             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
625                 fixEdge<StringIdentUse>(node->child1());
626                 fixEdge<StringIdentUse>(node->child2());
627                 break;
628             }
629             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
630                 fixEdge<StringUse>(node->child1());
631                 fixEdge<StringUse>(node->child2());
632                 break;
633             }
634             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
635             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
636                 
637                 if (node->child1()->shouldSpeculateObject()) {
638                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
639                     fixEdge<ObjectUse>(node->child1());
640                     break;
641                 }
642                 if (node->child2()->shouldSpeculateObject()) {
643                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
644                     fixEdge<ObjectUse>(node->child2());
645                     break;
646                 }
647                 
648             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
649                 fixEdge<ObjectUse>(node->child1());
650                 fixEdge<ObjectUse>(node->child2());
651                 break;
652             }
653             if (node->child1()->shouldSpeculateSymbol()) {
654                 fixEdge<SymbolUse>(node->child1());
655                 break;
656             }
657             if (node->child2()->shouldSpeculateSymbol()) {
658                 fixEdge<SymbolUse>(node->child2());
659                 break;
660             }
661             if (node->child1()->shouldSpeculateMisc()) {
662                 fixEdge<MiscUse>(node->child1());
663                 break;
664             }
665             if (node->child2()->shouldSpeculateMisc()) {
666                 fixEdge<MiscUse>(node->child2());
667                 break;
668             }
669             if (node->child1()->shouldSpeculateStringIdent()
670                 && node->child2()->shouldSpeculateNotStringVar()) {
671                 fixEdge<StringIdentUse>(node->child1());
672                 fixEdge<NotStringVarUse>(node->child2());
673                 break;
674             }
675             if (node->child2()->shouldSpeculateStringIdent()
676                 && node->child1()->shouldSpeculateNotStringVar()) {
677                 fixEdge<StringIdentUse>(node->child2());
678                 fixEdge<NotStringVarUse>(node->child1());
679                 break;
680             }
681             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
682                 fixEdge<StringUse>(node->child1());
683                 break;
684             }
685             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
686                 fixEdge<StringUse>(node->child2());
687                 break;
688             }
689             break;
690         }
691             
692         case StringFromCharCode:
693             if (node->child1()->shouldSpeculateInt32()) {
694                 fixEdge<Int32Use>(node->child1());
695                 node->clearFlags(NodeMustGenerate);
696             } else
697                 fixEdge<UntypedUse>(node->child1());
698             break;
699
700         case StringCharAt:
701         case StringCharCodeAt: {
702             // Currently we have no good way of refining these.
703             ASSERT(node->arrayMode() == ArrayMode(Array::String));
704             blessArrayOperation(node->child1(), node->child2(), node->child3());
705             fixEdge<KnownCellUse>(node->child1());
706             fixEdge<Int32Use>(node->child2());
707             break;
708         }
709
710         case GetByVal: {
711             if (!node->prediction()) {
712                 m_insertionSet.insertNode(
713                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
714             }
715             
716             node->setArrayMode(
717                 node->arrayMode().refine(
718                     m_graph, node,
719                     m_graph.varArgChild(node, 0)->prediction(),
720                     m_graph.varArgChild(node, 1)->prediction(),
721                     SpecNone));
722             
723             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
724             
725             ArrayMode arrayMode = node->arrayMode();
726             switch (arrayMode.type()) {
727             case Array::Contiguous:
728             case Array::Double:
729                 if (arrayMode.arrayClass() == Array::OriginalArray
730                     && arrayMode.speculation() == Array::InBounds) {
731                     // Check if SaneChain will work on a per-type basis. Note that:
732                     //
733                     // 1) We don't want double arrays to sometimes return undefined, since
734                     // that would require a change to the return type and it would pessimise
735                     // things a lot. So, we'd only want to do that if we actually had
736                     // evidence that we could read from a hole. That's pretty annoying.
737                     // Likely the best way to handle that case is with an equivalent of
738                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
739                     // NaN are indistinguishable according to backwards propagation, and just
740                     // use SaneChain in that case. This happens to catch a lot of cases.
741                     //
742                     // 2) We don't want int32 array loads to have to do a hole check just to
743                     // coerce to Undefined, since that would mean twice the checks.
744                     //
745                     // This has two implications. First, we have to do more checks than we'd
746                     // like. It's unfortunate that we have to do the hole check. Second,
747                     // some accesses that hit a hole will now need to take the full-blown
748                     // out-of-bounds slow path. We can fix that with:
749                     // https://bugs.webkit.org/show_bug.cgi?id=144668
750                     
751                     bool canDoSaneChain = false;
752                     switch (arrayMode.type()) {
753                     case Array::Contiguous:
754                         // This is happens to be entirely natural. We already would have
755                         // returned any JSValue, and now we'll return Undefined. We still do
756                         // the check but it doesn't require taking any kind of slow path.
757                         canDoSaneChain = true;
758                         break;
759                         
760                     case Array::Double:
761                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
762                             // Holes look like NaN already, so if the user doesn't care
763                             // about the difference between Undefined and NaN then we can
764                             // do this.
765                             canDoSaneChain = true;
766                         }
767                         break;
768                         
769                     default:
770                         break;
771                     }
772                     
773                     if (canDoSaneChain) {
774                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
775                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
776                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
777                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
778                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
779                             && globalObject->arrayPrototypeChainIsSane()) {
780                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
781                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
782                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
783                         }
784                     }
785                 }
786                 break;
787                 
788             case Array::String:
789                 if ((node->prediction() & ~SpecString)
790                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
791                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
792                 break;
793                 
794             default:
795                 break;
796             }
797             
798             arrayMode = node->arrayMode();
799             switch (arrayMode.type()) {
800             case Array::SelectUsingPredictions:
801             case Array::Unprofiled:
802                 RELEASE_ASSERT_NOT_REACHED();
803                 break;
804             case Array::Generic:
805                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
806                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
807                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
808                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
809                         break;
810                     }
811
812                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
813                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
814                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
815                         break;
816                     }
817                 }
818 #if USE(JSVALUE32_64)
819                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
820 #endif
821                 break;
822             case Array::ForceExit:
823                 break;
824             default:
825                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
826                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
827                 break;
828             }
829             
830             switch (arrayMode.type()) {
831             case Array::Double:
832                 if (!arrayMode.isOutOfBounds())
833                     node->setResult(NodeResultDouble);
834                 break;
835                 
836             case Array::Float32Array:
837             case Array::Float64Array:
838                 node->setResult(NodeResultDouble);
839                 break;
840                 
841             case Array::Uint32Array:
842                 if (node->shouldSpeculateInt32())
843                     break;
844                 if (node->shouldSpeculateAnyInt() && enableInt52())
845                     node->setResult(NodeResultInt52);
846                 else
847                     node->setResult(NodeResultDouble);
848                 break;
849                 
850             default:
851                 break;
852             }
853             
854             break;
855         }
856
857         case PutByValDirect:
858         case PutByVal:
859         case PutByValAlias: {
860             Edge& child1 = m_graph.varArgChild(node, 0);
861             Edge& child2 = m_graph.varArgChild(node, 1);
862             Edge& child3 = m_graph.varArgChild(node, 2);
863
864             node->setArrayMode(
865                 node->arrayMode().refine(
866                     m_graph, node,
867                     child1->prediction(),
868                     child2->prediction(),
869                     child3->prediction()));
870             
871             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
872             
873             switch (node->arrayMode().modeForPut().type()) {
874             case Array::SelectUsingPredictions:
875             case Array::SelectUsingArguments:
876             case Array::Unprofiled:
877             case Array::Undecided:
878                 RELEASE_ASSERT_NOT_REACHED();
879                 break;
880             case Array::ForceExit:
881             case Array::Generic:
882                 if (child1->shouldSpeculateCell()) {
883                     if (child2->shouldSpeculateString()) {
884                         fixEdge<CellUse>(child1);
885                         fixEdge<StringUse>(child2);
886                         break;
887                     }
888
889                     if (child2->shouldSpeculateSymbol()) {
890                         fixEdge<CellUse>(child1);
891                         fixEdge<SymbolUse>(child2);
892                         break;
893                     }
894                 }
895 #if USE(JSVALUE32_64)
896                 // Due to register pressure on 32-bit, we speculate cell and
897                 // ignore the base-is-not-cell case entirely by letting the
898                 // baseline JIT handle it.
899                 fixEdge<CellUse>(child1);
900 #endif
901                 break;
902             case Array::Int32:
903                 fixEdge<KnownCellUse>(child1);
904                 fixEdge<Int32Use>(child2);
905                 fixEdge<Int32Use>(child3);
906                 break;
907             case Array::Double:
908                 fixEdge<KnownCellUse>(child1);
909                 fixEdge<Int32Use>(child2);
910                 fixEdge<DoubleRepRealUse>(child3);
911                 break;
912             case Array::Int8Array:
913             case Array::Int16Array:
914             case Array::Int32Array:
915             case Array::Uint8Array:
916             case Array::Uint8ClampedArray:
917             case Array::Uint16Array:
918             case Array::Uint32Array:
919                 fixEdge<KnownCellUse>(child1);
920                 fixEdge<Int32Use>(child2);
921                 if (child3->shouldSpeculateInt32())
922                     fixIntOrBooleanEdge(child3);
923                 else if (child3->shouldSpeculateAnyInt())
924                     fixEdge<Int52RepUse>(child3);
925                 else
926                     fixDoubleOrBooleanEdge(child3);
927                 break;
928             case Array::Float32Array:
929             case Array::Float64Array:
930                 fixEdge<KnownCellUse>(child1);
931                 fixEdge<Int32Use>(child2);
932                 fixDoubleOrBooleanEdge(child3);
933                 break;
934             case Array::Contiguous:
935             case Array::ArrayStorage:
936             case Array::SlowPutArrayStorage:
937                 fixEdge<KnownCellUse>(child1);
938                 fixEdge<Int32Use>(child2);
939                 speculateForBarrier(child3);
940                 break;
941             default:
942                 fixEdge<KnownCellUse>(child1);
943                 fixEdge<Int32Use>(child2);
944                 break;
945             }
946             break;
947         }
948             
949         case AtomicsAdd:
950         case AtomicsAnd:
951         case AtomicsCompareExchange:
952         case AtomicsExchange:
953         case AtomicsLoad:
954         case AtomicsOr:
955         case AtomicsStore:
956         case AtomicsSub:
957         case AtomicsXor: {
958             Edge& base = m_graph.child(node, 0);
959             Edge& index = m_graph.child(node, 1);
960             
961             bool badNews = false;
962             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
963                 Edge& child = m_graph.child(node, 2 + i);
964                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
965                 // just call the function when that happens. But the FTL is totally cool with those
966                 // conversions.
967                 if (!child->shouldSpeculateInt32()
968                     && !child->shouldSpeculateAnyInt()
969                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
970                     badNews = true;
971             }
972             
973             if (badNews) {
974                 node->setArrayMode(ArrayMode(Array::Generic));
975                 break;
976             }
977             
978             node->setArrayMode(
979                 node->arrayMode().refine(
980                     m_graph, node, base->prediction(), index->prediction()));
981             
982             if (node->arrayMode().type() == Array::Generic)
983                 break;
984             
985             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
986                 Edge& child = m_graph.child(node, 2 + i);
987                 if (child->shouldSpeculateInt32())
988                     fixIntOrBooleanEdge(child);
989                 else if (child->shouldSpeculateAnyInt())
990                     fixEdge<Int52RepUse>(child);
991                 else {
992                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
993                     fixDoubleOrBooleanEdge(child);
994                 }
995             }
996             
997             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
998             fixEdge<CellUse>(base);
999             fixEdge<Int32Use>(index);
1000             
1001             if (node->arrayMode().type() == Array::Uint32Array) {
1002                 // NOTE: This means basically always doing Int52.
1003                 if (node->shouldSpeculateAnyInt() && enableInt52())
1004                     node->setResult(NodeResultInt52);
1005                 else
1006                     node->setResult(NodeResultDouble);
1007             }
1008             break;
1009         }
1010             
1011         case AtomicsIsLockFree:
1012             if (node->child1()->shouldSpeculateInt32())
1013                 fixIntOrBooleanEdge(node->child1());
1014             break;
1015             
1016         case ArrayPush: {
1017             // May need to refine the array mode in case the value prediction contravenes
1018             // the array prediction. For example, we may have evidence showing that the
1019             // array is in Int32 mode, but the value we're storing is likely to be a double.
1020             // Then we should turn this into a conversion to Double array followed by the
1021             // push. On the other hand, we absolutely don't want to refine based on the
1022             // base prediction. If it has non-cell garbage in it, then we want that to be
1023             // ignored. That's because ArrayPush can't handle any array modes that aren't
1024             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1025             // that would break things.
1026             Edge& storageEdge = m_graph.varArgChild(node, 0);
1027             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1028             unsigned elementOffset = 2;
1029             unsigned elementCount = node->numChildren() - elementOffset;
1030             for (unsigned i = 0; i < elementCount; ++i) {
1031                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1032                 node->setArrayMode(
1033                     node->arrayMode().refine(
1034                         m_graph, node,
1035                         arrayEdge->prediction() & SpecCell,
1036                         SpecInt32Only,
1037                         element->prediction()));
1038             }
1039             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1040             fixEdge<KnownCellUse>(arrayEdge);
1041
1042             // Convert `array.push()` to GetArrayLength.
1043             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1044                 node->setOpAndDefaultFlags(GetArrayLength);
1045                 node->child1() = arrayEdge;
1046                 node->child2() = storageEdge;
1047                 fixEdge<KnownCellUse>(node->child1());
1048                 break;
1049             }
1050
1051             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1052             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1053             for (unsigned i = 0; i < elementCount; ++i) {
1054                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1055                 switch (node->arrayMode().type()) {
1056                 case Array::Int32:
1057                     insertCheck<Int32Use>(element.node());
1058                     fixEdge<KnownInt32Use>(element);
1059                     break;
1060                 case Array::Double:
1061                     insertCheck<DoubleRepRealUse>(element.node());
1062                     fixEdge<DoubleRepUse>(element);
1063                     break;
1064                 case Array::Contiguous:
1065                 case Array::ArrayStorage:
1066                     speculateForBarrier(element);
1067                     break;
1068                 default:
1069                     break;
1070                 }
1071                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1072             }
1073             break;
1074         }
1075             
1076         case ArrayPop: {
1077             blessArrayOperation(node->child1(), Edge(), node->child2());
1078             fixEdge<KnownCellUse>(node->child1());
1079             break;
1080         }
1081
1082         case ArraySlice: {
1083             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1084             if (node->numChildren() >= 3) {
1085                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1086                 if (node->numChildren() == 4)
1087                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1088             }
1089             break;
1090         }
1091
1092         case ArrayIndexOf:
1093             fixupArrayIndexOf(node);
1094             break;
1095             
1096         case RegExpExec:
1097         case RegExpTest: {
1098             fixEdge<KnownCellUse>(node->child1());
1099             
1100             if (node->child2()->shouldSpeculateRegExpObject()) {
1101                 fixEdge<RegExpObjectUse>(node->child2());
1102
1103                 if (node->child3()->shouldSpeculateString())
1104                     fixEdge<StringUse>(node->child3());
1105             }
1106             break;
1107         }
1108
1109         case RegExpMatchFast: {
1110             fixEdge<KnownCellUse>(node->child1());
1111             fixEdge<RegExpObjectUse>(node->child2());
1112             fixEdge<StringUse>(node->child3());
1113             break;
1114         }
1115
1116         case StringReplace:
1117         case StringReplaceRegExp: {
1118             if (node->child2()->shouldSpeculateString()) {
1119                 m_insertionSet.insertNode(
1120                     m_indexInBlock, SpecNone, Check, node->origin,
1121                     Edge(node->child2().node(), StringUse));
1122                 fixEdge<StringUse>(node->child2());
1123             } else if (op == StringReplace) {
1124                 if (node->child2()->shouldSpeculateRegExpObject())
1125                     addStringReplacePrimordialChecks(node->child2().node());
1126                 else 
1127                     m_insertionSet.insertNode(
1128                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1129             }
1130
1131             if (node->child1()->shouldSpeculateString()
1132                 && node->child2()->shouldSpeculateRegExpObject()
1133                 && node->child3()->shouldSpeculateString()) {
1134
1135                 fixEdge<StringUse>(node->child1());
1136                 fixEdge<RegExpObjectUse>(node->child2());
1137                 fixEdge<StringUse>(node->child3());
1138                 break;
1139             }
1140             break;
1141         }
1142             
1143         case Branch: {
1144             if (node->child1()->shouldSpeculateBoolean()) {
1145                 if (node->child1()->result() == NodeResultBoolean) {
1146                     // This is necessary in case we have a bytecode instruction implemented by:
1147                     //
1148                     // a: CompareEq(...)
1149                     // b: Branch(@a)
1150                     //
1151                     // In that case, CompareEq might have a side-effect. Then, we need to make
1152                     // sure that we know that Branch does not exit.
1153                     fixEdge<KnownBooleanUse>(node->child1());
1154                 } else
1155                     fixEdge<BooleanUse>(node->child1());
1156             } else if (node->child1()->shouldSpeculateObjectOrOther())
1157                 fixEdge<ObjectOrOtherUse>(node->child1());
1158             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1159                 fixIntOrBooleanEdge(node->child1());
1160             else if (node->child1()->shouldSpeculateNumber())
1161                 fixEdge<DoubleRepUse>(node->child1());
1162             else if (node->child1()->shouldSpeculateString())
1163                 fixEdge<StringUse>(node->child1());
1164             else if (node->child1()->shouldSpeculateStringOrOther())
1165                 fixEdge<StringOrOtherUse>(node->child1());
1166             else {
1167                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1168                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1169                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1170             }
1171             break;
1172         }
1173             
1174         case Switch: {
1175             SwitchData* data = node->switchData();
1176             switch (data->kind) {
1177             case SwitchImm:
1178                 if (node->child1()->shouldSpeculateInt32())
1179                     fixEdge<Int32Use>(node->child1());
1180                 break;
1181             case SwitchChar:
1182                 if (node->child1()->shouldSpeculateString())
1183                     fixEdge<StringUse>(node->child1());
1184                 break;
1185             case SwitchString:
1186                 if (node->child1()->shouldSpeculateStringIdent())
1187                     fixEdge<StringIdentUse>(node->child1());
1188                 else if (node->child1()->shouldSpeculateString())
1189                     fixEdge<StringUse>(node->child1());
1190                 break;
1191             case SwitchCell:
1192                 if (node->child1()->shouldSpeculateCell())
1193                     fixEdge<CellUse>(node->child1());
1194                 // else it's fine for this to have UntypedUse; we will handle this by just making
1195                 // non-cells take the default case.
1196                 break;
1197             }
1198             break;
1199         }
1200             
1201         case ToPrimitive: {
1202             fixupToPrimitive(node);
1203             break;
1204         }
1205
1206         case ToNumber: {
1207             fixupToNumber(node);
1208             break;
1209         }
1210             
1211         case ToString:
1212         case CallStringConstructor: {
1213             fixupToStringOrCallStringConstructor(node);
1214             break;
1215         }
1216             
1217         case NewStringObject: {
1218             fixEdge<KnownStringUse>(node->child1());
1219             break;
1220         }
1221
1222         case NewArrayWithSpread: {
1223             watchHavingABadTime(node);
1224             
1225             BitVector* bitVector = node->bitVector();
1226             for (unsigned i = node->numChildren(); i--;) {
1227                 if (bitVector->get(i))
1228                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1229                 else
1230                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1231             }
1232
1233             break;
1234         }
1235
1236         case Spread: {
1237             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1238             
1239             watchHavingABadTime(node->child1().node());
1240
1241             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1242             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1243             // that it doesn't contain any indexed properties, and that any holes will result in
1244             // jsUndefined().
1245             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
1246             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
1247             if (node->child1()->shouldSpeculateArray()
1248                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1249                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1250                 && globalObject->arrayPrototypeChainIsSane()
1251                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1252                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1253                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1254                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1255                 fixEdge<ArrayUse>(node->child1());
1256             } else
1257                 fixEdge<CellUse>(node->child1());
1258             break;
1259         }
1260             
1261         case NewArray: {
1262             watchHavingABadTime(node);
1263             
1264             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1265                 node->setIndexingType(
1266                     leastUpperBoundOfIndexingTypeAndType(
1267                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1268             }
1269             switch (node->indexingType()) {
1270             case ALL_BLANK_INDEXING_TYPES:
1271                 CRASH();
1272                 break;
1273             case ALL_UNDECIDED_INDEXING_TYPES:
1274                 if (node->numChildren()) {
1275                     // This will only happen if the children have no type predictions. We
1276                     // would have already exited by now, but insert a forced exit just to
1277                     // be safe.
1278                     m_insertionSet.insertNode(
1279                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1280                 }
1281                 break;
1282             case ALL_INT32_INDEXING_TYPES:
1283                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1284                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1285                 break;
1286             case ALL_DOUBLE_INDEXING_TYPES:
1287                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1288                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1289                 break;
1290             case ALL_CONTIGUOUS_INDEXING_TYPES:
1291             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1292                 break;
1293             default:
1294                 CRASH();
1295                 break;
1296             }
1297             break;
1298         }
1299             
1300         case NewTypedArray: {
1301             watchHavingABadTime(node);
1302             
1303             if (node->child1()->shouldSpeculateInt32()) {
1304                 fixEdge<Int32Use>(node->child1());
1305                 node->clearFlags(NodeMustGenerate);
1306                 break;
1307             }
1308             break;
1309         }
1310             
1311         case NewArrayWithSize: {
1312             watchHavingABadTime(node);
1313             fixEdge<Int32Use>(node->child1());
1314             break;
1315         }
1316
1317         case NewArrayBuffer: {
1318             watchHavingABadTime(node);
1319             break;
1320         }
1321
1322         case ToObject: {
1323             fixupToObject(node);
1324             break;
1325         }
1326
1327         case CallObjectConstructor: {
1328             fixupCallObjectConstructor(node);
1329             break;
1330         }
1331
1332         case ToThis: {
1333             fixupToThis(node);
1334             break;
1335         }
1336             
1337         case PutStructure: {
1338             fixEdge<KnownCellUse>(node->child1());
1339             break;
1340         }
1341             
1342         case GetClosureVar:
1343         case GetFromArguments: {
1344             fixEdge<KnownCellUse>(node->child1());
1345             break;
1346         }
1347
1348         case PutClosureVar:
1349         case PutToArguments: {
1350             fixEdge<KnownCellUse>(node->child1());
1351             speculateForBarrier(node->child2());
1352             break;
1353         }
1354
1355         case SkipScope:
1356         case GetScope:
1357         case GetGetter:
1358         case GetSetter:
1359         case GetGlobalObject: {
1360             fixEdge<KnownCellUse>(node->child1());
1361             break;
1362         }
1363             
1364         case AllocatePropertyStorage:
1365         case ReallocatePropertyStorage: {
1366             fixEdge<KnownCellUse>(node->child1());
1367             break;
1368         }
1369             
1370         case NukeStructureAndSetButterfly: {
1371             fixEdge<KnownCellUse>(node->child1());
1372             break;
1373         }
1374
1375         case TryGetById: {
1376             if (node->child1()->shouldSpeculateCell())
1377                 fixEdge<CellUse>(node->child1());
1378             break;
1379         }
1380
1381         case GetByIdDirect:
1382         case GetByIdDirectFlush: {
1383             if (node->child1()->shouldSpeculateCell())
1384                 fixEdge<CellUse>(node->child1());
1385             break;
1386         }
1387
1388         case GetById:
1389         case GetByIdFlush: {
1390             // FIXME: This should be done in the ByteCodeParser based on reading the
1391             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1392             // https://bugs.webkit.org/show_bug.cgi?id=154990
1393             auto uid = m_graph.identifiers()[node->identifierNumber()];
1394             if (node->child1()->shouldSpeculateCellOrOther()
1395                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1396                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1397                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1398                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1399                 
1400                 if (uid == vm().propertyNames->length.impl()) {
1401                     attemptToMakeGetArrayLength(node);
1402                     break;
1403                 }
1404
1405                 if (uid == vm().propertyNames->lastIndex.impl()
1406                     && node->child1()->shouldSpeculateRegExpObject()) {
1407                     node->setOp(GetRegExpObjectLastIndex);
1408                     node->clearFlags(NodeMustGenerate);
1409                     fixEdge<RegExpObjectUse>(node->child1());
1410                     break;
1411                 }
1412             }
1413
1414             if (node->child1()->shouldSpeculateNumber()) {
1415                 if (uid == vm().propertyNames->toString.impl()) {
1416                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1417                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1418                         if (node->child1()->shouldSpeculateInt32()) {
1419                             insertCheck<Int32Use>(node->child1().node());
1420                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1421                             break;
1422                         }
1423
1424                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1425                             insertCheck<Int52RepUse>(node->child1().node());
1426                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1427                             break;
1428                         }
1429
1430                         ASSERT(node->child1()->shouldSpeculateNumber());
1431                         insertCheck<DoubleRepUse>(node->child1().node());
1432                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1433                         break;
1434                     }
1435                 }
1436             }
1437
1438             if (node->child1()->shouldSpeculateCell())
1439                 fixEdge<CellUse>(node->child1());
1440             break;
1441         }
1442         
1443         case GetByIdWithThis: {
1444             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1445                 fixEdge<CellUse>(node->child1());
1446                 fixEdge<CellUse>(node->child2());
1447             }
1448             break;
1449         }
1450
1451         case PutById:
1452         case PutByIdFlush:
1453         case PutByIdDirect: {
1454             if (node->child1()->shouldSpeculateCellOrOther()
1455                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1456                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1457                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1458                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1459                 
1460                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1461                 
1462                 if (uid == vm().propertyNames->lastIndex.impl()
1463                     && node->child1()->shouldSpeculateRegExpObject()) {
1464                     node->convertToSetRegExpObjectLastIndex();
1465                     fixEdge<RegExpObjectUse>(node->child1());
1466                     speculateForBarrier(node->child2());
1467                     break;
1468                 }
1469             }
1470             
1471             fixEdge<CellUse>(node->child1());
1472             break;
1473         }
1474
1475         case PutGetterById:
1476         case PutSetterById: {
1477             fixEdge<KnownCellUse>(node->child1());
1478             fixEdge<KnownCellUse>(node->child2());
1479             break;
1480         }
1481
1482         case PutGetterSetterById: {
1483             fixEdge<KnownCellUse>(node->child1());
1484             break;
1485         }
1486
1487         case PutGetterByVal:
1488         case PutSetterByVal: {
1489             fixEdge<KnownCellUse>(node->child1());
1490             fixEdge<KnownCellUse>(node->child3());
1491             break;
1492         }
1493
1494         case GetExecutable: {
1495             fixEdge<FunctionUse>(node->child1());
1496             break;
1497         }
1498
1499         case OverridesHasInstance:
1500         case CheckStructure:
1501         case CheckCell:
1502         case CreateThis:
1503         case GetButterfly: {
1504             fixEdge<CellUse>(node->child1());
1505             break;
1506         }
1507
1508         case CheckStringIdent: {
1509             fixEdge<StringIdentUse>(node->child1());
1510             break;
1511         }
1512             
1513         case Arrayify:
1514         case ArrayifyToStructure: {
1515             fixEdge<CellUse>(node->child1());
1516             if (node->child2())
1517                 fixEdge<Int32Use>(node->child2());
1518             break;
1519         }
1520             
1521         case GetByOffset:
1522         case GetGetterSetterByOffset: {
1523             if (!node->child1()->hasStorageResult())
1524                 fixEdge<KnownCellUse>(node->child1());
1525             fixEdge<KnownCellUse>(node->child2());
1526             break;
1527         }
1528             
1529         case MultiGetByOffset: {
1530             fixEdge<CellUse>(node->child1());
1531             break;
1532         }
1533             
1534         case PutByOffset: {
1535             if (!node->child1()->hasStorageResult())
1536                 fixEdge<KnownCellUse>(node->child1());
1537             fixEdge<KnownCellUse>(node->child2());
1538             unsigned index = indexForChecks();
1539             insertInferredTypeCheck(
1540                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1541                 node->storageAccessData().inferredType);
1542             speculateForBarrier(node->child3());
1543             break;
1544         }
1545             
1546         case MultiPutByOffset: {
1547             fixEdge<CellUse>(node->child1());
1548             break;
1549         }
1550             
1551         case InstanceOf: {
1552             if (!(node->child1()->prediction() & ~SpecCell))
1553                 fixEdge<CellUse>(node->child1());
1554             fixEdge<CellUse>(node->child2());
1555             break;
1556         }
1557
1558         case InstanceOfCustom:
1559             fixEdge<CellUse>(node->child2());
1560             break;
1561
1562         case In: {
1563             if (node->child2()->shouldSpeculateInt32()) {
1564                 convertToHasIndexedProperty(node);
1565                 break;
1566             }
1567
1568             fixEdge<CellUse>(node->child1());
1569             break;
1570         }
1571
1572         case HasOwnProperty: {
1573             fixEdge<ObjectUse>(node->child1());
1574 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1575             // We don't have enough registers to do anything interesting on x86 and mips.
1576             fixEdge<UntypedUse>(node->child2());
1577 #else
1578             if (node->child2()->shouldSpeculateString())
1579                 fixEdge<StringUse>(node->child2());
1580             else if (node->child2()->shouldSpeculateSymbol())
1581                 fixEdge<SymbolUse>(node->child2());
1582             else
1583                 fixEdge<UntypedUse>(node->child2());
1584 #endif
1585             break;
1586         }
1587
1588         case CheckVarargs:
1589         case Check: {
1590             m_graph.doToChildren(
1591                 node,
1592                 [&] (Edge& edge) {
1593                     switch (edge.useKind()) {
1594                     case NumberUse:
1595                         if (edge->shouldSpeculateInt32ForArithmetic())
1596                             edge.setUseKind(Int32Use);
1597                         break;
1598                     default:
1599                         break;
1600                     }
1601                     observeUseKindOnEdge(edge);
1602                 });
1603             break;
1604         }
1605
1606         case Phantom:
1607             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1608             node->remove(m_graph);
1609             break;
1610
1611         case FiatInt52: {
1612             RELEASE_ASSERT(enableInt52());
1613             node->convertToIdentity();
1614             fixEdge<Int52RepUse>(node->child1());
1615             node->setResult(NodeResultInt52);
1616             break;
1617         }
1618
1619         case GetArrayLength: {
1620             fixEdge<KnownCellUse>(node->child1());
1621             break;
1622         }
1623
1624         case GetTypedArrayByteOffset: {
1625             fixEdge<KnownCellUse>(node->child1());
1626             break;
1627         }
1628
1629         case CompareBelow:
1630         case CompareBelowEq: {
1631             fixEdge<Int32Use>(node->child1());
1632             fixEdge<Int32Use>(node->child2());
1633             break;
1634         }
1635
1636         case GetPrototypeOf: {
1637             fixupGetPrototypeOf(node);
1638             break;
1639         }
1640
1641         case Phi:
1642         case Upsilon:
1643         case EntrySwitch:
1644         case GetIndexedPropertyStorage:
1645         case LastNodeType:
1646         case CheckTierUpInLoop:
1647         case CheckTierUpAtReturn:
1648         case CheckTierUpAndOSREnter:
1649         case InvalidationPoint:
1650         case CheckArray:
1651         case CheckInBounds:
1652         case ConstantStoragePointer:
1653         case DoubleAsInt32:
1654         case ValueToInt32:
1655         case DoubleRep:
1656         case ValueRep:
1657         case Int52Rep:
1658         case Int52Constant:
1659         case Identity: // This should have been cleaned up.
1660         case BooleanToNumber:
1661         case PhantomNewObject:
1662         case PhantomNewFunction:
1663         case PhantomNewGeneratorFunction:
1664         case PhantomNewAsyncGeneratorFunction:
1665         case PhantomNewAsyncFunction:
1666         case PhantomCreateActivation:
1667         case PhantomDirectArguments:
1668         case PhantomCreateRest:
1669         case PhantomSpread:
1670         case PhantomNewArrayWithSpread:
1671         case PhantomNewArrayBuffer:
1672         case PhantomClonedArguments:
1673         case PhantomNewRegexp:
1674         case GetMyArgumentByVal:
1675         case GetMyArgumentByValOutOfBounds:
1676         case GetVectorLength:
1677         case PutHint:
1678         case CheckStructureImmediate:
1679         case CheckStructureOrEmpty:
1680         case MaterializeNewObject:
1681         case MaterializeCreateActivation:
1682         case PutStack:
1683         case KillStack:
1684         case GetStack:
1685         case StoreBarrier:
1686         case FencedStoreBarrier:
1687         case GetRegExpObjectLastIndex:
1688         case SetRegExpObjectLastIndex:
1689         case RecordRegExpCachedResult:
1690         case RegExpExecNonGlobalOrSticky:
1691         case RegExpMatchFastGlobal:
1692             // These are just nodes that we don't currently expect to see during fixup.
1693             // If we ever wanted to insert them prior to fixup, then we just have to create
1694             // fixup rules for them.
1695             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1696             break;
1697
1698         case PutGlobalVariable: {
1699             fixEdge<CellUse>(node->child1());
1700             speculateForBarrier(node->child2());
1701             break;
1702         }
1703
1704         case IsObject:
1705             if (node->child1()->shouldSpeculateObject()) {
1706                 m_insertionSet.insertNode(
1707                     m_indexInBlock, SpecNone, Check, node->origin,
1708                     Edge(node->child1().node(), ObjectUse));
1709                 m_graph.convertToConstant(node, jsBoolean(true));
1710                 observeUseKindOnNode<ObjectUse>(node);
1711             }
1712             break;
1713
1714         case IsCellWithType: {
1715             fixupIsCellWithType(node);
1716             break;
1717         }
1718
1719         case GetEnumerableLength: {
1720             fixEdge<CellUse>(node->child1());
1721             break;
1722         }
1723         case HasGenericProperty: {
1724             fixEdge<CellUse>(node->child2());
1725             break;
1726         }
1727         case HasStructureProperty: {
1728             fixEdge<StringUse>(node->child2());
1729             fixEdge<KnownCellUse>(node->child3());
1730             break;
1731         }
1732         case HasIndexedProperty: {
1733             node->setArrayMode(
1734                 node->arrayMode().refine(
1735                     m_graph, node,
1736                     node->child1()->prediction(),
1737                     node->child2()->prediction(),
1738                     SpecNone));
1739             
1740             blessArrayOperation(node->child1(), node->child2(), node->child3());
1741             fixEdge<CellUse>(node->child1());
1742             fixEdge<KnownInt32Use>(node->child2());
1743             break;
1744         }
1745         case GetDirectPname: {
1746             Edge& base = m_graph.varArgChild(node, 0);
1747             Edge& property = m_graph.varArgChild(node, 1);
1748             Edge& index = m_graph.varArgChild(node, 2);
1749             Edge& enumerator = m_graph.varArgChild(node, 3);
1750             fixEdge<CellUse>(base);
1751             fixEdge<KnownCellUse>(property);
1752             fixEdge<KnownInt32Use>(index);
1753             fixEdge<KnownCellUse>(enumerator);
1754             break;
1755         }
1756         case GetPropertyEnumerator: {
1757             if (node->child1()->shouldSpeculateCell())
1758                 fixEdge<CellUse>(node->child1());
1759             break;
1760         }
1761         case GetEnumeratorStructurePname: {
1762             fixEdge<KnownCellUse>(node->child1());
1763             fixEdge<KnownInt32Use>(node->child2());
1764             break;
1765         }
1766         case GetEnumeratorGenericPname: {
1767             fixEdge<KnownCellUse>(node->child1());
1768             fixEdge<KnownInt32Use>(node->child2());
1769             break;
1770         }
1771         case ToIndexString: {
1772             fixEdge<KnownInt32Use>(node->child1());
1773             break;
1774         }
1775         case ProfileType: {
1776             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1777             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1778             // type T for the instructionTypeSet, the global type set must also have information for type T.
1779             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1780             // in the globalTypeSet would've also succeeded.
1781             // (The other direction does not hold in general).
1782
1783             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1784             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1785             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1786                 if (node->child1()->shouldSpeculateInt32()) {
1787                     fixEdge<Int32Use>(node->child1());
1788                     node->remove(m_graph);
1789                     break;
1790                 }
1791
1792                 if (enableInt52()) {
1793                     fixEdge<AnyIntUse>(node->child1());
1794                     node->remove(m_graph);
1795                     break;
1796                 }
1797
1798                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1799             }
1800
1801             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1802                 fixEdge<NumberUse>(node->child1());
1803                 node->remove(m_graph);
1804             } else if (typeSet->doesTypeConformTo(TypeString)) {
1805                 fixEdge<StringUse>(node->child1());
1806                 node->remove(m_graph);
1807             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1808                 fixEdge<BooleanUse>(node->child1());
1809                 node->remove(m_graph);
1810             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1811                 fixEdge<OtherUse>(node->child1());
1812                 node->remove(m_graph);
1813             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1814                 StructureSet set;
1815                 {
1816                     ConcurrentJSLocker locker(typeSet->m_lock);
1817                     set = typeSet->structureSet(locker);
1818                 }
1819                 if (!set.isEmpty()) {
1820                     fixEdge<CellUse>(node->child1());
1821                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1822                 }
1823             }
1824
1825             break;
1826         }
1827
1828         case CreateClonedArguments: {
1829             watchHavingABadTime(node);
1830             break;
1831         }
1832
1833         case CreateScopedArguments:
1834         case CreateActivation:
1835         case NewFunction:
1836         case NewGeneratorFunction:
1837         case NewAsyncGeneratorFunction:
1838         case NewAsyncFunction: {
1839             // Child 1 is always the current scope, which is guaranteed to be an object
1840             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1841             fixEdge<KnownCellUse>(node->child1());
1842             break;
1843         }
1844
1845         case PushWithScope: {
1846             // Child 1 is always the current scope, which is guaranteed to be an object
1847             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1848             fixEdge<KnownCellUse>(node->child1());
1849             if (node->child2()->shouldSpeculateObject())
1850                 fixEdge<ObjectUse>(node->child2());
1851             break;
1852         }
1853
1854         case SetFunctionName: {
1855             // The first child is guaranteed to be a cell because op_set_function_name is only used
1856             // on a newly instantiated function object (the first child).
1857             fixEdge<KnownCellUse>(node->child1());
1858             fixEdge<UntypedUse>(node->child2());
1859             break;
1860         }
1861
1862         case CreateRest: {
1863             watchHavingABadTime(node);
1864             fixEdge<KnownInt32Use>(node->child1());
1865             break;
1866         }
1867
1868         case ResolveScopeForHoistingFuncDeclInEval: {
1869             fixEdge<KnownCellUse>(node->child1());
1870             break;
1871         }
1872         case ResolveScope:
1873         case GetDynamicVar:
1874         case PutDynamicVar: {
1875             fixEdge<KnownCellUse>(node->child1());
1876             break;
1877         }
1878
1879         case LogShadowChickenPrologue: {
1880             fixEdge<KnownCellUse>(node->child1());
1881             break;
1882         }
1883         case LogShadowChickenTail: {
1884             fixEdge<UntypedUse>(node->child1());
1885             fixEdge<KnownCellUse>(node->child2());
1886             break;
1887         }
1888
1889         case GetMapBucket:
1890             if (node->child1().useKind() == MapObjectUse)
1891                 fixEdge<MapObjectUse>(node->child1());
1892             else if (node->child1().useKind() == SetObjectUse)
1893                 fixEdge<SetObjectUse>(node->child1());
1894             else
1895                 RELEASE_ASSERT_NOT_REACHED();
1896
1897 #if USE(JSVALUE64)
1898             if (node->child2()->shouldSpeculateBoolean())
1899                 fixEdge<BooleanUse>(node->child2());
1900             else if (node->child2()->shouldSpeculateInt32())
1901                 fixEdge<Int32Use>(node->child2());
1902             else if (node->child2()->shouldSpeculateSymbol())
1903                 fixEdge<SymbolUse>(node->child2());
1904             else if (node->child2()->shouldSpeculateObject())
1905                 fixEdge<ObjectUse>(node->child2());
1906             else if (node->child2()->shouldSpeculateString())
1907                 fixEdge<StringUse>(node->child2());
1908             else if (node->child2()->shouldSpeculateCell())
1909                 fixEdge<CellUse>(node->child2());
1910             else
1911                 fixEdge<UntypedUse>(node->child2());
1912 #else
1913             fixEdge<UntypedUse>(node->child2());
1914 #endif // USE(JSVALUE64)
1915
1916             fixEdge<Int32Use>(node->child3());
1917             break;
1918
1919         case GetMapBucketHead:
1920             if (node->child1().useKind() == MapObjectUse)
1921                 fixEdge<MapObjectUse>(node->child1());
1922             else if (node->child1().useKind() == SetObjectUse)
1923                 fixEdge<SetObjectUse>(node->child1());
1924             else
1925                 RELEASE_ASSERT_NOT_REACHED();
1926             break;
1927
1928         case GetMapBucketNext:
1929         case LoadKeyFromMapBucket:
1930         case LoadValueFromMapBucket:
1931             fixEdge<CellUse>(node->child1());
1932             break;
1933
1934         case MapHash: {
1935 #if USE(JSVALUE64)
1936             if (node->child1()->shouldSpeculateBoolean()) {
1937                 fixEdge<BooleanUse>(node->child1());
1938                 break;
1939             }
1940
1941             if (node->child1()->shouldSpeculateInt32()) {
1942                 fixEdge<Int32Use>(node->child1());
1943                 break;
1944             }
1945
1946             if (node->child1()->shouldSpeculateSymbol()) {
1947                 fixEdge<SymbolUse>(node->child1());
1948                 break;
1949             }
1950
1951             if (node->child1()->shouldSpeculateObject()) {
1952                 fixEdge<ObjectUse>(node->child1());
1953                 break;
1954             }
1955
1956             if (node->child1()->shouldSpeculateString()) {
1957                 fixEdge<StringUse>(node->child1());
1958                 break;
1959             }
1960
1961             if (node->child1()->shouldSpeculateCell()) {
1962                 fixEdge<CellUse>(node->child1());
1963                 break;
1964             }
1965
1966             fixEdge<UntypedUse>(node->child1());
1967 #else
1968             fixEdge<UntypedUse>(node->child1());
1969 #endif // USE(JSVALUE64)
1970             break;
1971         }
1972
1973         case NormalizeMapKey: {
1974             fixupNormalizeMapKey(node);
1975             break;
1976         }
1977
1978         case WeakMapGet: {
1979             if (node->child1().useKind() == WeakMapObjectUse)
1980                 fixEdge<WeakMapObjectUse>(node->child1());
1981             else if (node->child1().useKind() == WeakSetObjectUse)
1982                 fixEdge<WeakSetObjectUse>(node->child1());
1983             else
1984                 RELEASE_ASSERT_NOT_REACHED();
1985             fixEdge<ObjectUse>(node->child2());
1986             fixEdge<Int32Use>(node->child3());
1987             break;
1988         }
1989
1990         case SetAdd: {
1991             fixEdge<SetObjectUse>(node->child1());
1992             fixEdge<Int32Use>(node->child3());
1993             break;
1994         }
1995
1996         case MapSet: {
1997             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1998             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1999             break;
2000         }
2001
2002         case WeakSetAdd: {
2003             fixEdge<WeakSetObjectUse>(node->child1());
2004             fixEdge<ObjectUse>(node->child2());
2005             fixEdge<Int32Use>(node->child3());
2006             break;
2007         }
2008
2009         case WeakMapSet: {
2010             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2011             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2012             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2013             break;
2014         }
2015
2016         case DefineDataProperty: {
2017             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2018             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2019             if (propertyEdge->shouldSpeculateSymbol())
2020                 fixEdge<SymbolUse>(propertyEdge);
2021             else if (propertyEdge->shouldSpeculateStringIdent())
2022                 fixEdge<StringIdentUse>(propertyEdge);
2023             else if (propertyEdge->shouldSpeculateString())
2024                 fixEdge<StringUse>(propertyEdge);
2025             else
2026                 fixEdge<UntypedUse>(propertyEdge);
2027             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2028             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2029             break;
2030         }
2031
2032         case StringSlice: {
2033             fixEdge<StringUse>(node->child1());
2034             fixEdge<Int32Use>(node->child2());
2035             if (node->child3())
2036                 fixEdge<Int32Use>(node->child3());
2037             break;
2038         }
2039
2040         case ToLowerCase: {
2041             // We currently only support StringUse since that will ensure that
2042             // ToLowerCase is a pure operation. If we decide to update this with
2043             // more types in the future, we need to ensure that the clobberize rules
2044             // are correct.
2045             fixEdge<StringUse>(node->child1());
2046             break;
2047         }
2048
2049         case NumberToStringWithRadix: {
2050             if (node->child1()->shouldSpeculateInt32())
2051                 fixEdge<Int32Use>(node->child1());
2052             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2053                 fixEdge<Int52RepUse>(node->child1());
2054             else
2055                 fixEdge<DoubleRepUse>(node->child1());
2056             fixEdge<Int32Use>(node->child2());
2057             break;
2058         }
2059
2060         case DefineAccessorProperty: {
2061             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2062             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2063             if (propertyEdge->shouldSpeculateSymbol())
2064                 fixEdge<SymbolUse>(propertyEdge);
2065             else if (propertyEdge->shouldSpeculateStringIdent())
2066                 fixEdge<StringIdentUse>(propertyEdge);
2067             else if (propertyEdge->shouldSpeculateString())
2068                 fixEdge<StringUse>(propertyEdge);
2069             else
2070                 fixEdge<UntypedUse>(propertyEdge);
2071             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2072             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2073             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2074             break;
2075         }
2076
2077         case CheckSubClass: {
2078             fixupCheckSubClass(node);
2079             break;
2080         }
2081
2082         case CallDOMGetter: {
2083             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2084             fixEdge<CellUse>(node->child1()); // DOM.
2085             if (snippet && snippet->requireGlobalObject)
2086                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2087             break;
2088         }
2089
2090         case CallDOM: {
2091             fixupCallDOM(node);
2092             break;
2093         }
2094
2095         case Call: {
2096             attemptToMakeCallDOM(node);
2097             break;
2098         }
2099
2100         case ParseInt: {
2101             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2102                 fixEdge<Int32Use>(node->child1());
2103                 node->convertToIdentity();
2104                 break;
2105             }
2106
2107             if (node->child1()->shouldSpeculateString()) {
2108                 fixEdge<StringUse>(node->child1());
2109                 node->clearFlags(NodeMustGenerate);
2110             }
2111
2112             if (node->child2())
2113                 fixEdge<Int32Use>(node->child2());
2114
2115             break;
2116         }
2117
2118         case IdentityWithProfile: {
2119             node->clearFlags(NodeMustGenerate);
2120             break;
2121         }
2122
2123         case ThrowStaticError:
2124             fixEdge<StringUse>(node->child1());
2125             break;
2126
2127         case NumberIsInteger:
2128             if (node->child1()->shouldSpeculateInt32()) {
2129                 m_insertionSet.insertNode(
2130                     m_indexInBlock, SpecNone, Check, node->origin,
2131                     Edge(node->child1().node(), Int32Use));
2132                 m_graph.convertToConstant(node, jsBoolean(true));
2133                 break;
2134             }
2135             break;
2136
2137 #if !ASSERT_DISABLED
2138         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2139         case SetArgument:
2140         case JSConstant:
2141         case LazyJSConstant:
2142         case DoubleConstant:
2143         case GetLocal:
2144         case GetCallee:
2145         case GetArgumentCountIncludingThis:
2146         case SetArgumentCountIncludingThis:
2147         case GetRestLength:
2148         case GetArgument:
2149         case Flush:
2150         case PhantomLocal:
2151         case GetGlobalVar:
2152         case GetGlobalLexicalVariable:
2153         case NotifyWrite:
2154         case DirectCall:
2155         case CheckTypeInfoFlags:
2156         case TailCallInlinedCaller:
2157         case DirectTailCallInlinedCaller:
2158         case Construct:
2159         case DirectConstruct:
2160         case CallVarargs:
2161         case CallEval:
2162         case TailCallVarargsInlinedCaller:
2163         case ConstructVarargs:
2164         case CallForwardVarargs:
2165         case ConstructForwardVarargs:
2166         case TailCallForwardVarargs:
2167         case TailCallForwardVarargsInlinedCaller:
2168         case LoadVarargs:
2169         case ForwardVarargs:
2170         case ProfileControlFlow:
2171         case NewObject:
2172         case NewRegexp:
2173         case DeleteById:
2174         case DeleteByVal:
2175         case IsTypedArrayView:
2176         case IsEmpty:
2177         case IsUndefined:
2178         case IsBoolean:
2179         case IsNumber:
2180         case IsObjectOrNull:
2181         case IsFunction:
2182         case CreateDirectArguments:
2183         case Jump:
2184         case Return:
2185         case TailCall:
2186         case DirectTailCall:
2187         case TailCallVarargs:
2188         case Throw:
2189         case CountExecution:
2190         case SuperSamplerBegin:
2191         case SuperSamplerEnd:
2192         case ForceOSRExit:
2193         case CheckBadCell:
2194         case CheckNotEmpty:
2195         case AssertNotEmpty:
2196         case CheckTraps:
2197         case Unreachable:
2198         case ExtractOSREntryLocal:
2199         case ExtractCatchLocal:
2200         case LoopHint:
2201         case MovHint:
2202         case InitializeEntrypointArguments:
2203         case ZombieHint:
2204         case ExitOK:
2205         case BottomValue:
2206         case TypeOf:
2207         case PutByIdWithThis:
2208         case PutByValWithThis:
2209         case GetByValWithThis:
2210         case CompareEqPtr:
2211         case NumberToStringWithValidRadixConstant:
2212         case GetGlobalThis:
2213         case ExtractValueFromWeakMapGet:
2214         case CPUIntrinsic:
2215             break;
2216 #else
2217         default:
2218             break;
2219 #endif
2220         }
2221     }
2222
2223     void watchHavingABadTime(Node* node)
2224     {
2225         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2226
2227         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2228         // does an array allocation. The types of array allocations may change if we start to have a bad
2229         // time. It's easier to reason about this if we know that whenever the types change after we start
2230         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2231         // prior to this point nobody should have been doing optimizations based on the indexing type of
2232         // the allocation.
2233         if (!globalObject->isHavingABadTime()) {
2234             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2235             m_graph.freeze(globalObject);
2236         }
2237     }
2238     
2239     template<UseKind useKind>
2240     void createToString(Node* node, Edge& edge)
2241     {
2242         Node* toString = m_insertionSet.insertNode(
2243             m_indexInBlock, SpecString, ToString, node->origin,
2244             Edge(edge.node(), useKind));
2245         switch (useKind) {
2246         case Int32Use:
2247         case Int52RepUse:
2248         case DoubleRepUse:
2249         case NotCellUse:
2250             toString->clearFlags(NodeMustGenerate);
2251             break;
2252         default:
2253             break;
2254         }
2255         edge.setNode(toString);
2256     }
2257     
2258     template<UseKind useKind>
2259     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2260     {
2261         ASSERT(arrayMode == ArrayMode(Array::Generic));
2262         
2263         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2264             return;
2265         
2266         createToString<useKind>(node, node->child1());
2267         arrayMode = ArrayMode(Array::String);
2268     }
2269     
2270     template<UseKind useKind>
2271     bool isStringObjectUse()
2272     {
2273         switch (useKind) {
2274         case StringObjectUse:
2275         case StringOrStringObjectUse:
2276             return true;
2277         default:
2278             return false;
2279         }
2280     }
2281     
2282     template<UseKind useKind>
2283     void convertStringAddUse(Node* node, Edge& edge)
2284     {
2285         if (useKind == StringUse) {
2286             observeUseKindOnNode<StringUse>(edge.node());
2287             m_insertionSet.insertNode(
2288                 m_indexInBlock, SpecNone, Check, node->origin,
2289                 Edge(edge.node(), StringUse));
2290             edge.setUseKind(KnownStringUse);
2291             return;
2292         }
2293         
2294         observeUseKindOnNode<useKind>(edge.node());
2295         createToString<useKind>(node, edge);
2296     }
2297     
2298     void convertToMakeRope(Node* node)
2299     {
2300         node->setOpAndDefaultFlags(MakeRope);
2301         fixupMakeRope(node);
2302     }
2303     
2304     void fixupMakeRope(Node* node)
2305     {
2306         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2307             Edge& edge = node->children.child(i);
2308             if (!edge)
2309                 break;
2310             edge.setUseKind(KnownStringUse);
2311             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2312             if (!string)
2313                 continue;
2314             if (string->length())
2315                 continue;
2316             
2317             // Don't allow the MakeRope to have zero children.
2318             if (!i && !node->child2())
2319                 break;
2320             
2321             node->children.removeEdge(i--);
2322         }
2323         
2324         if (!node->child2()) {
2325             ASSERT(!node->child3());
2326             node->convertToIdentity();
2327         }
2328     }
2329
2330     void fixupIsCellWithType(Node* node)
2331     {
2332         switch (node->speculatedTypeForQuery()) {
2333         case SpecString:
2334             if (node->child1()->shouldSpeculateString()) {
2335                 m_insertionSet.insertNode(
2336                     m_indexInBlock, SpecNone, Check, node->origin,
2337                     Edge(node->child1().node(), StringUse));
2338                 m_graph.convertToConstant(node, jsBoolean(true));
2339                 observeUseKindOnNode<StringUse>(node);
2340                 return;
2341             }
2342             break;
2343
2344         case SpecProxyObject:
2345             if (node->child1()->shouldSpeculateProxyObject()) {
2346                 m_insertionSet.insertNode(
2347                     m_indexInBlock, SpecNone, Check, node->origin,
2348                     Edge(node->child1().node(), ProxyObjectUse));
2349                 m_graph.convertToConstant(node, jsBoolean(true));
2350                 observeUseKindOnNode<ProxyObjectUse>(node);
2351                 return;
2352             }
2353             break;
2354
2355         case SpecRegExpObject:
2356             if (node->child1()->shouldSpeculateRegExpObject()) {
2357                 m_insertionSet.insertNode(
2358                     m_indexInBlock, SpecNone, Check, node->origin,
2359                     Edge(node->child1().node(), RegExpObjectUse));
2360                 m_graph.convertToConstant(node, jsBoolean(true));
2361                 observeUseKindOnNode<RegExpObjectUse>(node);
2362                 return;
2363             }
2364             break;
2365
2366         case SpecArray:
2367             if (node->child1()->shouldSpeculateArray()) {
2368                 m_insertionSet.insertNode(
2369                     m_indexInBlock, SpecNone, Check, node->origin,
2370                     Edge(node->child1().node(), ArrayUse));
2371                 m_graph.convertToConstant(node, jsBoolean(true));
2372                 observeUseKindOnNode<ArrayUse>(node);
2373                 return;
2374             }
2375             break;
2376
2377         case SpecDerivedArray:
2378             if (node->child1()->shouldSpeculateDerivedArray()) {
2379                 m_insertionSet.insertNode(
2380                     m_indexInBlock, SpecNone, Check, node->origin,
2381                     Edge(node->child1().node(), DerivedArrayUse));
2382                 m_graph.convertToConstant(node, jsBoolean(true));
2383                 observeUseKindOnNode<DerivedArrayUse>(node);
2384                 return;
2385             }
2386             break;
2387         }
2388
2389         if (node->child1()->shouldSpeculateCell()) {
2390             fixEdge<CellUse>(node->child1());
2391             return;
2392         }
2393
2394         if (node->child1()->shouldSpeculateNotCell()) {
2395             m_insertionSet.insertNode(
2396                 m_indexInBlock, SpecNone, Check, node->origin,
2397                 Edge(node->child1().node(), NotCellUse));
2398             m_graph.convertToConstant(node, jsBoolean(false));
2399             observeUseKindOnNode<NotCellUse>(node);
2400             return;
2401         }
2402     }
2403
2404     void fixupGetPrototypeOf(Node* node)
2405     {
2406         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2407         if (node->child1().useKind() != ObjectUse) {
2408             if (node->child1()->shouldSpeculateString()) {
2409                 insertCheck<StringUse>(node->child1().node());
2410                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2411                 return;
2412             }
2413             if (node->child1()->shouldSpeculateInt32()) {
2414                 insertCheck<Int32Use>(node->child1().node());
2415                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2416                 return;
2417             }
2418             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2419                 insertCheck<Int52RepUse>(node->child1().node());
2420                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2421                 return;
2422             }
2423             if (node->child1()->shouldSpeculateNumber()) {
2424                 insertCheck<NumberUse>(node->child1().node());
2425                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2426                 return;
2427             }
2428             if (node->child1()->shouldSpeculateSymbol()) {
2429                 insertCheck<SymbolUse>(node->child1().node());
2430                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2431                 return;
2432             }
2433             if (node->child1()->shouldSpeculateBoolean()) {
2434                 insertCheck<BooleanUse>(node->child1().node());
2435                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2436                 return;
2437             }
2438         }
2439
2440         if (node->child1()->shouldSpeculateFinalObject()) {
2441             fixEdge<FinalObjectUse>(node->child1());
2442             node->clearFlags(NodeMustGenerate);
2443             return;
2444         }
2445         if (node->child1()->shouldSpeculateArray()) {
2446             fixEdge<ArrayUse>(node->child1());
2447             node->clearFlags(NodeMustGenerate);
2448             return;
2449         }
2450         if (node->child1()->shouldSpeculateFunction()) {
2451             fixEdge<FunctionUse>(node->child1());
2452             node->clearFlags(NodeMustGenerate);
2453             return;
2454         }
2455     }
2456
2457     void fixupToThis(Node* node)
2458     {
2459         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2460
2461         if (ecmaMode == StrictMode) {
2462             if (node->child1()->shouldSpeculateBoolean()) {
2463                 fixEdge<BooleanUse>(node->child1());
2464                 node->convertToIdentity();
2465                 return;
2466             }
2467
2468             if (node->child1()->shouldSpeculateInt32()) {
2469                 fixEdge<Int32Use>(node->child1());
2470                 node->convertToIdentity();
2471                 return;
2472             }
2473
2474             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2475                 fixEdge<Int52RepUse>(node->child1());
2476                 node->convertToIdentity();
2477                 node->setResult(NodeResultInt52);
2478                 return;
2479             }
2480
2481             if (node->child1()->shouldSpeculateNumber()) {
2482                 fixEdge<DoubleRepUse>(node->child1());
2483                 node->convertToIdentity();
2484                 node->setResult(NodeResultDouble);
2485                 return;
2486             }
2487
2488             if (node->child1()->shouldSpeculateSymbol()) {
2489                 fixEdge<SymbolUse>(node->child1());
2490                 node->convertToIdentity();
2491                 return;
2492             }
2493
2494             if (node->child1()->shouldSpeculateStringIdent()) {
2495                 fixEdge<StringIdentUse>(node->child1());
2496                 node->convertToIdentity();
2497                 return;
2498             }
2499
2500             if (node->child1()->shouldSpeculateString()) {
2501                 fixEdge<StringUse>(node->child1());
2502                 node->convertToIdentity();
2503                 return;
2504             }
2505             
2506             if (node->child1()->shouldSpeculateBigInt()) {
2507                 fixEdge<BigIntUse>(node->child1());
2508                 node->convertToIdentity();
2509                 return;
2510             }
2511         }
2512
2513         if (node->child1()->shouldSpeculateOther()) {
2514             if (ecmaMode == StrictMode) {
2515                 fixEdge<OtherUse>(node->child1());
2516                 node->convertToIdentity();
2517                 return;
2518             }
2519
2520             m_insertionSet.insertNode(
2521                 m_indexInBlock, SpecNone, Check, node->origin,
2522                 Edge(node->child1().node(), OtherUse));
2523             observeUseKindOnNode<OtherUse>(node->child1().node());
2524             m_graph.convertToConstant(
2525                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2526             return;
2527         }
2528
2529         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2530         // however, since we cover all the missing cases in constant folding.
2531         // https://bugs.webkit.org/show_bug.cgi?id=157213
2532         if (node->child1()->shouldSpeculateStringObject()) {
2533             fixEdge<StringObjectUse>(node->child1());
2534             node->convertToIdentity();
2535             return;
2536         }
2537
2538         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2539             fixEdge<FinalObjectUse>(node->child1());
2540             node->convertToIdentity();
2541             return;
2542         }
2543     }
2544     
2545     void fixupToPrimitive(Node* node)
2546     {
2547         if (node->child1()->shouldSpeculateInt32()) {
2548             fixEdge<Int32Use>(node->child1());
2549             node->convertToIdentity();
2550             return;
2551         }
2552         
2553         if (node->child1()->shouldSpeculateString()) {
2554             fixEdge<StringUse>(node->child1());
2555             node->convertToIdentity();
2556             return;
2557         }
2558         
2559         if (node->child1()->shouldSpeculateStringObject()
2560             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2561             fixEdge<StringObjectUse>(node->child1());
2562             node->convertToToString();
2563             return;
2564         }
2565         
2566         if (node->child1()->shouldSpeculateStringOrStringObject()
2567             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2568             fixEdge<StringOrStringObjectUse>(node->child1());
2569             node->convertToToString();
2570             return;
2571         }
2572     }
2573
2574     void fixupToNumber(Node* node)
2575     {
2576         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2577         if (node->child1()->shouldSpeculateNumber()) {
2578             if (isInt32Speculation(node->getHeapPrediction())) {
2579                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2580                 if (node->child1()->shouldSpeculateInt32()) {
2581                     fixEdge<Int32Use>(node->child1());
2582                     node->convertToIdentity();
2583                     return;
2584                 }
2585
2586                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2587                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2588                 fixEdge<DoubleRepUse>(node->child1());
2589                 node->setOp(DoubleAsInt32);
2590                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2591                     node->setArithMode(Arith::CheckOverflow);
2592                 else
2593                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2594                 return;
2595             }
2596
2597             fixEdge<DoubleRepUse>(node->child1());
2598             node->convertToIdentity();
2599             node->setResult(NodeResultDouble);
2600             return;
2601         }
2602
2603         fixEdge<UntypedUse>(node->child1());
2604         node->setResult(NodeResultJS);
2605     }
2606
2607     void fixupToObject(Node* node)
2608     {
2609         if (node->child1()->shouldSpeculateObject()) {
2610             fixEdge<ObjectUse>(node->child1());
2611             node->convertToIdentity();
2612             return;
2613         }
2614
2615         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2616
2617         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2618
2619         if (node->child1()->shouldSpeculateString()) {
2620             insertCheck<StringUse>(node->child1().node());
2621             fixEdge<KnownStringUse>(node->child1());
2622             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2623             return;
2624         }
2625
2626         if (node->child1()->shouldSpeculateSymbol()) {
2627             insertCheck<SymbolUse>(node->child1().node());
2628             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2629             return;
2630         }
2631
2632         if (node->child1()->shouldSpeculateNumber()) {
2633             insertCheck<NumberUse>(node->child1().node());
2634             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2635             return;
2636         }
2637
2638         if (node->child1()->shouldSpeculateBoolean()) {
2639             insertCheck<BooleanUse>(node->child1().node());
2640             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2641             return;
2642         }
2643
2644         fixEdge<UntypedUse>(node->child1());
2645     }
2646
2647     void fixupCallObjectConstructor(Node* node)
2648     {
2649         if (node->child1()->shouldSpeculateObject()) {
2650             fixEdge<ObjectUse>(node->child1());
2651             node->convertToIdentity();
2652             return;
2653         }
2654
2655         if (node->child1()->shouldSpeculateString()) {
2656             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2657             insertCheck<StringUse>(node->child1().node());
2658             fixEdge<KnownStringUse>(node->child1());
2659             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2660             return;
2661         }
2662
2663         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2664         if (node->child1()->shouldSpeculateOther()) {
2665             insertCheck<OtherUse>(node->child1().node());
2666             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2667             return;
2668         }
2669
2670         fixEdge<UntypedUse>(node->child1());
2671     }
2672     
2673     void fixupToStringOrCallStringConstructor(Node* node)
2674     {
2675         if (node->child1()->shouldSpeculateString()) {
2676             fixEdge<StringUse>(node->child1());
2677             node->convertToIdentity();
2678             return;
2679         }
2680         
2681         if (node->child1()->shouldSpeculateStringObject()
2682             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2683             fixEdge<StringObjectUse>(node->child1());
2684             return;
2685         }
2686         
2687         if (node->child1()->shouldSpeculateStringOrStringObject()
2688             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2689             fixEdge<StringOrStringObjectUse>(node->child1());
2690             return;
2691         }
2692         
2693         if (node->child1()->shouldSpeculateCell()) {
2694             fixEdge<CellUse>(node->child1());
2695             return;
2696         }
2697
2698         if (node->child1()->shouldSpeculateInt32()) {
2699             fixEdge<Int32Use>(node->child1());
2700             node->clearFlags(NodeMustGenerate);
2701             return;
2702         }
2703
2704         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2705             fixEdge<Int52RepUse>(node->child1());
2706             node->clearFlags(NodeMustGenerate);
2707             return;
2708         }
2709
2710         if (node->child1()->shouldSpeculateNumber()) {
2711             fixEdge<DoubleRepUse>(node->child1());
2712             node->clearFlags(NodeMustGenerate);
2713             return;
2714         }
2715
2716         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2717         // we need to care about it in the clobberize. In the following case,
2718         // since NotCellUse edge filter is used and this edge filters Symbols,
2719         // we can say that ToString never throws an error!
2720         if (node->child1()->shouldSpeculateNotCell()) {
2721             fixEdge<NotCellUse>(node->child1());
2722             node->clearFlags(NodeMustGenerate);
2723             return;
2724         }
2725     }
2726
2727     bool attemptToMakeFastStringAdd(Node* node)
2728     {
2729         bool goodToGo = true;
2730         m_graph.doToChildren(
2731             node,
2732             [&] (Edge& edge) {
2733                 if (edge->shouldSpeculateString())
2734                     return;
2735                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2736                     if (edge->shouldSpeculateStringObject())
2737                         return;
2738                     if (edge->shouldSpeculateStringOrStringObject())
2739                         return;
2740                 }
2741                 goodToGo = false;
2742             });
2743         if (!goodToGo)
2744             return false;
2745
2746         m_graph.doToChildren(
2747             node,
2748             [&] (Edge& edge) {
2749                 if (edge->shouldSpeculateString()) {
2750                     convertStringAddUse<StringUse>(node, edge);
2751                     return;
2752                 }
2753                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2754                 if (edge->shouldSpeculateStringObject()) {
2755                     convertStringAddUse<StringObjectUse>(node, edge);
2756                     return;
2757                 }
2758                 if (edge->shouldSpeculateStringOrStringObject()) {
2759                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2760                     return;
2761                 }
2762                 RELEASE_ASSERT_NOT_REACHED();
2763             });
2764         
2765         convertToMakeRope(node);
2766         return true;
2767     }
2768
2769     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2770     {
2771         if (!block)
2772             return;
2773         ASSERT(block->isReachable);
2774         m_block = block;
2775         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2776             Node* node = m_currentNode = block->at(m_indexInBlock);
2777             if (node->op() != SetLocal && node->op() != GetLocal)
2778                 continue;
2779             
2780             VariableAccessData* variable = node->variableAccessData();
2781             switch (node->op()) {
2782             case GetLocal:
2783                 switch (variable->flushFormat()) {
2784                 case FlushedDouble:
2785                     node->setResult(NodeResultDouble);
2786                     break;
2787                 case FlushedInt52:
2788                     node->setResult(NodeResultInt52);
2789                     break;
2790                 default:
2791                     break;
2792                 }
2793                 break;
2794                 
2795             case SetLocal:
2796                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2797                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2798                 
2799                 switch (variable->flushFormat()) {
2800                 case FlushedJSValue:
2801                     break;
2802                 case FlushedDouble:
2803                     fixEdge<DoubleRepUse>(node->child1());
2804                     break;
2805                 case FlushedInt32:
2806                     fixEdge<Int32Use>(node->child1());
2807                     break;
2808                 case FlushedInt52:
2809                     fixEdge<Int52RepUse>(node->child1());
2810                     break;
2811                 case FlushedCell:
2812                     fixEdge<CellUse>(node->child1());
2813                     break;
2814                 case FlushedBoolean:
2815                     fixEdge<BooleanUse>(node->child1());
2816                     break;
2817                 default:
2818                     RELEASE_ASSERT_NOT_REACHED();
2819                     break;
2820                 }
2821                 break;
2822                 
2823             default:
2824                 RELEASE_ASSERT_NOT_REACHED();
2825                 break;
2826             }
2827         }
2828         m_insertionSet.execute(block);
2829     }
2830     
2831     void addStringReplacePrimordialChecks(Node* searchRegExp)
2832     {
2833         Node* node = m_currentNode;
2834
2835         // Check that structure of searchRegExp is RegExp object
2836         m_insertionSet.insertNode(
2837             m_indexInBlock, SpecNone, Check, node->origin,
2838             Edge(searchRegExp, RegExpObjectUse));
2839
2840         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2841             unsigned index = m_graph.identifiers().ensure(propertyUID);
2842
2843             Node* actualProperty = m_insertionSet.insertNode(
2844                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2845                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2846
2847             m_insertionSet.insertNode(
2848                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2849                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2850         };
2851
2852         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2853
2854         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2855         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2856         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2857         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2858         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2859         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2860         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2861         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2862     }
2863
2864     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2865     {
2866         ASSERT(arrayMode.isSpecific());
2867         
2868         if (arrayMode.type() == Array::String) {
2869             m_insertionSet.insertNode(
2870                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2871         } else {
2872             // Note that we only need to be using a structure check if we opt for SaneChain, since
2873             // that needs to protect against JSArray's __proto__ being changed.
2874             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2875         
2876             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2877             
2878             if (arrayMode.doesConversion()) {
2879                 if (structure) {
2880                     m_insertionSet.insertNode(
2881                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2882                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2883                 } else {
2884                     m_insertionSet.insertNode(
2885                         m_indexInBlock, SpecNone, Arrayify, origin,
2886                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2887                 }
2888             } else {
2889                 if (structure) {
2890                     m_insertionSet.insertNode(
2891                         m_indexInBlock, SpecNone, CheckStructure, origin,
2892                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2893                 } else {
2894                     m_insertionSet.insertNode(
2895                         m_indexInBlock, SpecNone, CheckArray, origin,
2896                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2897                 }
2898             }
2899         }
2900         
2901         if (!storageCheck(arrayMode))
2902             return nullptr;
2903         
2904         if (arrayMode.usesButterfly()) {
2905             return m_insertionSet.insertNode(
2906                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2907         }
2908         
2909         return m_insertionSet.insertNode(
2910             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2911             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2912     }
2913     
2914     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2915     {
2916         Node* node = m_currentNode;
2917         
2918         switch (node->arrayMode().type()) {
2919         case Array::ForceExit: {
2920             m_insertionSet.insertNode(
2921                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2922             return;
2923         }
2924             
2925         case Array::SelectUsingPredictions:
2926         case Array::Unprofiled:
2927             RELEASE_ASSERT_NOT_REACHED();
2928             return;
2929             
2930         case Array::Generic:
2931             return;
2932             
2933         default: {
2934             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2935             if (!storage)
2936                 return;
2937             
2938             storageChild = Edge(storage);
2939             return;
2940         } }
2941     }
2942     
2943     bool alwaysUnboxSimplePrimitives()
2944     {
2945 #if USE(JSVALUE64)
2946         return false;
2947 #else
2948         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2949         // reduces traffic.
2950         return true;
2951 #endif
2952     }
2953
2954     template<UseKind useKind>
2955     void observeUseKindOnNode(Node* node)
2956     {
2957         if (useKind == UntypedUse)
2958             return;
2959         observeUseKindOnNode(node, useKind);
2960     }
2961
2962     void observeUseKindOnEdge(Edge edge)
2963     {
2964         observeUseKindOnNode(edge.node(), edge.useKind());
2965     }
2966
2967     void observeUseKindOnNode(Node* node, UseKind useKind)
2968     {
2969         if (node->op() != GetLocal)
2970             return;
2971         
2972         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2973         // https://bugs.webkit.org/show_bug.cgi?id=121518
2974         
2975         VariableAccessData* variable = node->variableAccessData();
2976         switch (useKind) {
2977         case Int32Use:
2978         case KnownInt32Use:
2979             if (alwaysUnboxSimplePrimitives()
2980                 || isInt32Speculation(variable->prediction()))
2981                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2982             break;
2983         case NumberUse:
2984         case RealNumberUse:
2985         case DoubleRepUse:
2986         case DoubleRepRealUse:
2987             if (variable->doubleFormatState() == UsingDoubleFormat)
2988                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2989             break;
2990         case BooleanUse:
2991         case KnownBooleanUse:
2992             if (alwaysUnboxSimplePrimitives()
2993                 || isBooleanSpeculation(variable->prediction()))
2994                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2995             break;
2996         case Int52RepUse:
2997             if (isAnyIntSpeculation(variable->prediction()))
2998                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2999             break;
3000         case CellUse:
3001         case KnownCellUse:
3002         case ObjectUse:
3003         case FunctionUse:
3004         case StringUse:
3005         case KnownStringUse:
3006         case SymbolUse:
3007         case BigIntUse:
3008         case StringObjectUse:
3009         case StringOrStringObjectUse:
3010             if (alwaysUnboxSimplePrimitives()
3011                 || isCellSpeculation(variable->prediction()))
3012                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3013             break;
3014         default:
3015             break;
3016         }
3017     }
3018     
3019     template<UseKind useKind>
3020     void fixEdge(Edge& edge)
3021     {
3022         observeUseKindOnNode<useKind>(edge.node());
3023         edge.setUseKind(useKind);
3024     }
3025     
3026     unsigned indexForChecks()
3027     {
3028         unsigned index = m_indexInBlock;
3029         while (!m_block->at(index)->origin.exitOK)
3030             index--;
3031         return index;
3032     }
3033     
3034     NodeOrigin originForCheck(unsigned index)
3035     {
3036         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3037     }
3038     
3039     void speculateForBarrier(Edge value)
3040     {
3041         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3042         // the DFG anyway because if such a speculation would be wrong, we want to know before
3043         // we do an expensive compile.
3044         
3045         if (value->shouldSpeculateInt32()) {
3046             insertCheck<Int32Use>(value.node());
3047             return;
3048         }
3049             
3050         if (value->shouldSpeculateBoolean()) {
3051             insertCheck<BooleanUse>(value.node());
3052             return;
3053         }
3054             
3055         if (value->shouldSpeculateOther()) {
3056             insertCheck<OtherUse>(value.node());
3057             return;
3058         }
3059             
3060         if (value->shouldSpeculateNumber()) {
3061             insertCheck<NumberUse>(value.node());
3062             return;
3063         }
3064             
3065         if (value->shouldSpeculateNotCell()) {
3066             insertCheck<NotCellUse>(value.node());
3067             return;
3068         }
3069     }
3070     
3071     template<UseKind useKind>
3072     void insertCheck(Node* node)
3073     {
3074         observeUseKindOnNode<useKind>(node);
3075         unsigned index = indexForChecks();
3076         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3077     }
3078
3079     void fixIntConvertingEdge(Edge& edge)
3080     {
3081         Node* node = edge.node();
3082         if (node->shouldSpeculateInt32OrBoolean()) {
3083             fixIntOrBooleanEdge(edge);
3084             return;
3085         }
3086         
3087         UseKind useKind;
3088         if (node->shouldSpeculateAnyInt())
3089             useKind = Int52RepUse;
3090         else if (node->shouldSpeculateNumber())
3091             useKind = DoubleRepUse;
3092         else
3093             useKind = NotCellUse;
3094         Node* newNode = m_insertionSet.insertNode(
3095             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3096             Edge(node, useKind));
3097         observeUseKindOnNode(node, useKind);
3098         
3099         edge = Edge(newNode, KnownInt32Use);
3100     }
3101     
3102     void fixIntOrBooleanEdge(Edge& edge)
3103     {
3104         Node* node = edge.node();
3105         if (!node->sawBooleans()) {
3106             fixEdge<Int32Use>(edge);
3107             return;
3108         }
3109         
3110         UseKind useKind;
3111         if (node->shouldSpeculateBoolean())
3112             useKind = BooleanUse;
3113         else
3114             useKind = UntypedUse;
3115         Node* newNode = m_insertionSet.insertNode(
3116             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3117             Edge(node, useKind));
3118         observeUseKindOnNode(node, useKind);
3119         
3120         edge = Edge(newNode, Int32Use);
3121     }
3122     
3123     void fixDoubleOrBooleanEdge(Edge& edge)
3124     {
3125         Node* node = edge.node();
3126         if (!node->sawBooleans()) {
3127             fixEdge<DoubleRepUse>(edge);
3128             return;
3129         }
3130         
3131         UseKind useKind;
3132         if (node->shouldSpeculateBoolean())
3133             useKind = BooleanUse;
3134         else
3135             useKind = UntypedUse;
3136         Node* newNode = m_insertionSet.insertNode(
3137             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3138             Edge(node, useKind));
3139         observeUseKindOnNode(node, useKind);
3140         
3141         edge = Edge(newNode, DoubleRepUse);
3142     }
3143     
3144     void truncateConstantToInt32(Edge& edge)
3145     {
3146         Node* oldNode = edge.node();
3147         
3148         JSValue value = oldNode->asJSValue();
3149         if (value.isInt32())
3150             return;
3151         
3152         value = jsNumber(JSC::toInt32(value.asNumber()));
3153         ASSERT(value.isInt32());
3154         edge.setNode(m_insertionSet.insertNode(
3155             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3156             OpInfo(m_graph.freeze(value))));
3157     }
3158     
3159     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3160     {
3161         if (mode != SpeculateInt32AndTruncateConstants)
3162             return;
3163         
3164         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3165         if (node->child1()->hasConstant())
3166             truncateConstantToInt32(node->child1());
3167         else
3168             truncateConstantToInt32(node->child2());
3169     }
3170
3171     bool attemptToMakeIntegerAdd(Node* node)
3172     {
3173         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3174         if (mode != DontSpeculateInt32) {
3175             truncateConstantsIfNecessary(node, mode);
3176             fixIntOrBooleanEdge(node->child1());
3177             fixIntOrBooleanEdge(node->child2());
3178             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3179                 node->setArithMode(Arith::Unchecked);
3180             else
3181                 node->setArithMode(Arith::CheckOverflow);
3182             return true;
3183         }
3184         
3185         if (m_graph.addShouldSpeculateAnyInt(node)) {
3186             fixEdge<Int52RepUse>(node->child1());
3187             fixEdge<Int52RepUse>(node->child2());
3188             node->setArithMode(Arith::CheckOverflow);
3189             node->setResult(NodeResultInt52);
3190             return true;
3191         }
3192         
3193         return false;
3194     }
3195     
3196     bool attemptToMakeGetArrayLength(Node* node)
3197     {
3198         if (!isInt32Speculation(node->prediction()))
3199             return false;
3200         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3201         ArrayProfile* arrayProfile = 
3202             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3203         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
3204         if (arrayProfile) {
3205             ConcurrentJSLocker locker(profiledBlock->m_lock);
3206             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3207             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3208             if (arrayMode.type() == Array::Unprofiled) {
3209                 // For normal array operations, it makes sense to treat Unprofiled
3210                 // accesses as ForceExit and get more data rather than using
3211                 // predictions and then possibly ending up with a Generic. But here,
3212                 // we treat anything that is Unprofiled as Generic and keep the
3213                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3214                 // profit - from treating the Unprofiled case as
3215                 // SelectUsingPredictions.
3216                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
3217             }
3218         }
3219             
3220         arrayMode = arrayMode.refine(
3221             m_graph, node, node->child1()->prediction(), node->prediction());
3222             
3223         if (arrayMode.type() == Array::Generic) {
3224             // Check if the input is something that we can't get array length for, but for which we
3225             // could insert some conversions in order to transform it into something that we can do it
3226             // for.
3227             if (node->child1()->shouldSpeculateStringObject())
3228                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3229             else if (node->child1()->shouldSpeculateStringOrStringObject())
3230                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3231         }
3232             
3233         if (!arrayMode.supportsSelfLength())
3234             return false;
3235         
3236         convertToGetArrayLength(node, arrayMode);
3237         return true;
3238     }
3239
3240     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3241     {
3242         node->setOp(GetArrayLength);
3243         node->clearFlags(NodeMustGenerate);
3244         fixEdge<KnownCellUse>(node->child1());
3245         node->setArrayMode(arrayMode);
3246             
3247         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3248         if (!storage)
3249             return;
3250             
3251         node->child2() = Edge(storage);
3252     }
3253     
3254     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3255     {
3256         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3257         return m_insertionSet.insertNode(
3258             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3259             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3260     }
3261
3262     void convertToHasIndexedProperty(Node* node)
3263     {
3264         node->setOp(HasIndexedProperty);
3265         node->clearFlags(NodeMustGenerate);
3266         node->setArrayMode(
3267             node->arrayMode().refine(
3268                 m_graph, node,
3269                 node->child1()->prediction(),
3270                 node->child2()->prediction(),
3271                 SpecNone));
3272         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3273
3274         blessArrayOperation(node->child1(), node->child2(), node->child3());
3275
3276         fixEdge<CellUse>(node->child1());
3277         fixEdge<Int32Use>(node->child2());
3278     }
3279
3280     void fixupNormalizeMapKey(Node* node)
3281     {
3282         if (node->child1()->shouldSpeculateBoolean()) {
3283             fixEdge<BooleanUse>(node->child1());
3284             node->convertToIdentity();
3285             return;
3286         }
3287
3288         if (node->child1()->shouldSpeculateInt32()) {
3289             fixEdge<Int32Use>(node->child1());
3290             node->convertToIdentity();
3291             return;
3292         }
3293
3294         if (node->child1()->shouldSpeculateSymbol()) {
3295             fixEdge<SymbolUse>(node->child1());
3296             node->convertToIdentity();
3297             return;
3298         }
3299
3300         if (node->child1()->shouldSpeculateObject()) {
3301             fixEdge<ObjectUse>(node->child1());
3302             node->convertToIdentity();
3303             return;
3304         }
3305
3306         if (node->child1()->shouldSpeculateString()) {
3307             fixEdge<StringUse>(node->child1());
3308             node->convertToIdentity();
3309             return;
3310         }
3311
3312         if (node->child1()->shouldSpeculateCell()) {
3313             fixEdge<CellUse>(node->child1());
3314             node->convertToIdentity();
3315             return;
3316         }
3317
3318         fixEdge<UntypedUse>(node->child1());
3319     }
3320
3321     bool attemptToMakeCallDOM(Node* node)
3322     {
3323         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3324             return false;
3325
3326         const DOMJIT::Signature* signature = node->signature();
3327         if (!signature)
3328             return false;
3329
3330         {
3331             unsigned index = 0;
3332             bool shouldConvertToCallDOM = true;
3333             m_graph.doToChildren(node, [&](Edge& edge) {
3334                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3335                 if (!index)
3336                     return;
3337
3338                 if (index == 1) {
3339                     // DOM node case.
3340                     if (edge->shouldSpeculateNotCell())
3341                         shouldConvertToCallDOM = false;
3342                 } else {
3343                     switch (signature->arguments[index - 2]) {
3344                     case SpecString:
3345                         if (edge->shouldSpeculateNotString())
3346                             shouldConvertToCallDOM = false;
3347                         break;
3348                     case SpecInt32Only:
3349                         if (edge->shouldSpeculateNotInt32())
3350                             shouldConvertToCallDOM = false;
3351                         break;
3352                     case SpecBoolean:
3353                         if (edge->shouldSpeculateNotBoolean())
3354                             shouldConvertToCallDOM = false;
3355                         break;
3356                     default:
3357                         RELEASE_ASSERT_NOT_REACHED();
3358                         break;
3359                     }
3360                 }
3361                 ++index;
3362             });
3363             if (!shouldConvertToCallDOM)
3364                 return false;
3365         }
3366
3367         Node* thisNode = m_graph.varArgChild(node, 1).node();
3368         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3369         node->convertToCallDOM(m_graph);
3370         fixupCheckSubClass(checkSubClass);
3371         fixupCallDOM(node);
3372         return true;
3373     }
3374
3375     void fixupCheckSubClass(Node* node)
3376     {
3377         fixEdge<CellUse>(node->child1());
3378     }
3379
3380     void fixupCallDOM(Node* node)
3381     {
3382         const DOMJIT::Signature* signature = node->signature();
3383         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3384             if (!edge)
3385                 return;
3386             switch (signature->arguments[argumentIndex]) {
3387             case SpecString:
3388                 fixEdge<StringUse>(edge);
3389                 break;
3390             case SpecInt32Only:
3391                 fixEdge<Int32Use>(edge);
3392                 break;
3393             case SpecBoolean:
3394                 fixEdge<BooleanUse>(edge);
3395                 break;
3396             default:
3397                 RELEASE_ASSERT_NOT_REACHED();
3398                 break;
3399             }
3400         };
3401         fixEdge<CellUse>(node->child1()); // DOM.
3402         fixup(node->child2(), 0);
3403         fixup(node->child3(), 1);
3404     }
3405
3406     void fixupArrayIndexOf(Node* node)
3407     {
3408         Edge& array = m_graph.varArgChild(node, 0);
3409         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3410         blessArrayOperation(array, Edge(), storage);
3411         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3412
3413         Edge& searchElement = m_graph.varArgChild(node, 1);
3414
3415         // Constant folding.
3416         switch (node->arrayMode().type()) {
3417         case Array::Double:
3418         case Array::Int32: {
3419             if (searchElement->shouldSpeculateCell()) {
3420                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3421                 m_graph.convertToConstant(node, jsNumber(-1));
3422                 observeUseKindOnNode<CellUse>(searchElement.node());
3423                 return;
3424             }
3425
3426             if (searchElement->shouldSpeculateOther()) {
3427                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3428                 m_graph.convertToConstant(node, jsNumber(-1));
3429                 observeUseKindOnNode<OtherUse>(searchElement.node());
3430                 return;
3431             }
3432
3433             if (searchElement->shouldSpeculateBoolean()) {
3434                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3435                 m_graph.convertToConstant(node, jsNumber(-1));
3436                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3437                 return;
3438             }
3439             break;
3440         }
3441         default:
3442             break;
3443         }
3444
3445         fixEdge<KnownCellUse>(array);
3446         if (node->numChildren() == 4)
3447             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3448
3449         switch (node->arrayMode().type()) {
3450         case Array::Double: {
3451             if (searchElement->shouldSpeculateNumber())
3452                 fixEdge<DoubleRepUse>(searchElement);
3453             return;
3454         }
3455         case Array::Int32: {
3456             if (searchElement->shouldSpeculateInt32())
3457                 fixEdge<Int32Use>(searchElement);
3458             return;
3459         }
3460         case Array::Contiguous: {
3461             if (searchElement->shouldSpeculateString())
3462                 fixEdge<StringUse>(searchElement);
3463             else if (searchElement->shouldSpeculateSymbol())
3464                 fixEdge<SymbolUse>(searchElement);
3465             else if (searchElement->shouldSpeculateOther())
3466                 fixEdge<OtherUse>(searchElement);
3467             else if (searchElement->shouldSpeculateObject())
3468                 fixEdge<ObjectUse>(searchElement);
3469             return;
3470         }
3471         default:
3472             RELEASE_ASSERT_NOT_REACHED();
3473             return;
3474         }
3475     }
3476
3477     void fixupChecksInBlock(BasicBlock* block)
3478     {
3479         if (!block)
3480             return;
3481         ASSERT(block->isReachable);
3482         m_block = block;
3483         unsigned indexForChecks = UINT_MAX;
3484         NodeOrigin originForChecks;
3485         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3486             Node* node = block->at(indexInBlock);
3487
3488             // If this is a node at which we could exit, then save its index. If nodes after this one
3489             // cannot exit, then we will hoist checks to here.
3490             if (node->origin.exitOK) {
3491                 indexForChecks = indexInBlock;
3492                 originForChecks = node->origin;
3493             }
3494
3495             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3496             
3497             // First, try to relax the representational demands of each node, in order to have
3498             // fewer conversions.
3499             switch (node->op()) {
3500             case MovHint:
3501             case Check:
3502             case CheckVarargs:
3503                 m_graph.doToChildren(
3504                     node,
3505                     [&] (Edge& edge) {
3506                         switch (edge.useKind()) {
3507                         case DoubleRepUse:
3508                         case DoubleRepRealUse:
3509                             if (edge->hasDoubleResult())
3510                                 break;
3511             
3512                             if (edge->hasInt52Result())
3513                                 edge.setUseKind(Int52RepUse);
3514                             else if (edge.useKind() == DoubleRepUse)
3515                                 edge.setUseKind(NumberUse);
3516                             break;
3517             
3518                         case Int52RepUse:
3519                             // Nothing we can really do.
3520                             break;
3521             
3522                         case UntypedUse:
3523                         case NumberUse:
3524                             if (edge->hasDoubleResult())
3525                              &n