LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabli...
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149
150         case ValueNegate: {
151             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
152                 node->setOp(ArithNegate);
153                 fixIntOrBooleanEdge(node->child1());
154                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
155                     node->setArithMode(Arith::Unchecked);
156                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
157                     node->setArithMode(Arith::CheckOverflow);
158                 else
159                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
160                 node->setResult(NodeResultInt32);
161                 node->clearFlags(NodeMustGenerate);
162                 break;
163             }
164             
165             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
166                 node->setOp(ArithNegate);
167                 fixEdge<Int52RepUse>(node->child1());
168                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
169                     node->setArithMode(Arith::CheckOverflow);
170                 else
171                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
172                 node->setResult(NodeResultInt52);
173                 node->clearFlags(NodeMustGenerate);
174                 break;
175             }
176             if (node->child1()->shouldSpeculateNotCell()) {
177                 node->setOp(ArithNegate);
178                 fixDoubleOrBooleanEdge(node->child1());
179                 node->setResult(NodeResultDouble);
180                 node->clearFlags(NodeMustGenerate);
181             } else {
182                 fixEdge<UntypedUse>(node->child1());
183                 node->setResult(NodeResultJS);
184             }
185             break;
186         }
187
188         case ValueAdd: {
189             if (attemptToMakeIntegerAdd(node)) {
190                 node->setOp(ArithAdd);
191                 break;
192             }
193             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
194                 fixDoubleOrBooleanEdge(node->child1());
195                 fixDoubleOrBooleanEdge(node->child2());
196                 node->setOp(ArithAdd);
197                 node->setResult(NodeResultDouble);
198                 break;
199             }
200             
201             if (attemptToMakeFastStringAdd(node))
202                 break;
203
204             Edge& child1 = node->child1();
205             Edge& child2 = node->child2();
206             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
207                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
208                     auto convertString = [&](Node* node, Edge& edge) {
209                         if (edge->shouldSpeculateInt32())
210                             convertStringAddUse<Int32Use>(node, edge);
211                         else {
212                             ASSERT(edge->shouldSpeculateString());
213                             convertStringAddUse<StringUse>(node, edge);
214                         }
215                     };
216                     convertString(node, child1);
217                     convertString(node, child2);
218                     convertToMakeRope(node);
219                     break;
220                 }
221             }
222
223             fixEdge<UntypedUse>(child1);
224             fixEdge<UntypedUse>(child2);
225             node->setResult(NodeResultJS);
226             break;
227         }
228
229         case StrCat: {
230             if (attemptToMakeFastStringAdd(node))
231                 break;
232
233             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
234             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
235             // the implementation of StrCat doesn't dynamically optimize for empty strings.
236             // https://bugs.webkit.org/show_bug.cgi?id=148540
237             m_graph.doToChildren(
238                 node,
239                 [&] (Edge& edge) {
240                     fixEdge<KnownPrimitiveUse>(edge);
241                     // StrCat automatically coerces the values into strings before concatenating them.
242                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
243                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
244                     // our runtime functions for this slow path expect that they will never be passed
245                     // Symbols.
246                     m_insertionSet.insertNode(
247                         m_indexInBlock, SpecNone, Check, node->origin,
248                         Edge(edge.node(), NotSymbolUse));
249                 });
250             break;
251         }
252             
253         case MakeRope: {
254             fixupMakeRope(node);
255             break;
256         }
257             
258         case ArithAdd:
259         case ArithSub: {
260             if (op == ArithSub
261                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
262                 fixEdge<UntypedUse>(node->child1());
263                 fixEdge<UntypedUse>(node->child2());
264                 node->setResult(NodeResultJS);
265                 break;
266             }
267             if (attemptToMakeIntegerAdd(node))
268                 break;
269             fixDoubleOrBooleanEdge(node->child1());
270             fixDoubleOrBooleanEdge(node->child2());
271             node->setResult(NodeResultDouble);
272             break;
273         }
274             
275         case ArithNegate: {
276             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
277                 fixIntOrBooleanEdge(node->child1());
278                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
279                     node->setArithMode(Arith::Unchecked);
280                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
281                     node->setArithMode(Arith::CheckOverflow);
282                 else
283                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
284                 node->setResult(NodeResultInt32);
285                 node->clearFlags(NodeMustGenerate);
286                 break;
287             }
288             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
289                 fixEdge<Int52RepUse>(node->child1());
290                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
291                     node->setArithMode(Arith::CheckOverflow);
292                 else
293                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
294                 node->setResult(NodeResultInt52);
295                 node->clearFlags(NodeMustGenerate);
296                 break;
297             }
298
299             fixDoubleOrBooleanEdge(node->child1());
300             node->setResult(NodeResultDouble);
301             node->clearFlags(NodeMustGenerate);
302             break;
303         }
304             
305         case ArithMul: {
306             Edge& leftChild = node->child1();
307             Edge& rightChild = node->child2();
308             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
309                 fixEdge<UntypedUse>(leftChild);
310                 fixEdge<UntypedUse>(rightChild);
311                 node->setResult(NodeResultJS);
312                 break;
313             }
314             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
315                 fixIntOrBooleanEdge(leftChild);
316                 fixIntOrBooleanEdge(rightChild);
317                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
318                     node->setArithMode(Arith::Unchecked);
319                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
320                     || leftChild.node() == rightChild.node())
321                     node->setArithMode(Arith::CheckOverflow);
322                 else
323                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
324                 break;
325             }
326             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
327                 fixEdge<Int52RepUse>(leftChild);
328                 fixEdge<Int52RepUse>(rightChild);
329                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
330                     || leftChild.node() == rightChild.node())
331                     node->setArithMode(Arith::CheckOverflow);
332                 else
333                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
334                 node->setResult(NodeResultInt52);
335                 break;
336             }
337             fixDoubleOrBooleanEdge(leftChild);
338             fixDoubleOrBooleanEdge(rightChild);
339             node->setResult(NodeResultDouble);
340             break;
341         }
342
343         case ArithDiv:
344         case ArithMod: {
345             Edge& leftChild = node->child1();
346             Edge& rightChild = node->child2();
347             if (op == ArithDiv
348                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
349                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
350                 fixEdge<UntypedUse>(leftChild);
351                 fixEdge<UntypedUse>(rightChild);
352                 node->setResult(NodeResultJS);
353                 break;
354             }
355             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
356                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
357                     fixIntOrBooleanEdge(leftChild);
358                     fixIntOrBooleanEdge(rightChild);
359                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
360                         node->setArithMode(Arith::Unchecked);
361                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
362                         node->setArithMode(Arith::CheckOverflow);
363                     else
364                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
365                     break;
366                 }
367                 
368                 // This will cause conversion nodes to be inserted later.
369                 fixDoubleOrBooleanEdge(leftChild);
370                 fixDoubleOrBooleanEdge(rightChild);
371                 
372                 // We don't need to do ref'ing on the children because we're stealing them from
373                 // the original division.
374                 Node* newDivision = m_insertionSet.insertNode(
375                     m_indexInBlock, SpecBytecodeDouble, *node);
376                 newDivision->setResult(NodeResultDouble);
377                 
378                 node->setOp(DoubleAsInt32);
379                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
380                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
381                     node->setArithMode(Arith::CheckOverflow);
382                 else
383                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
384                 break;
385             }
386             fixDoubleOrBooleanEdge(leftChild);
387             fixDoubleOrBooleanEdge(rightChild);
388             node->setResult(NodeResultDouble);
389             break;
390         }
391             
392         case ArithMin:
393         case ArithMax: {
394             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
395                 fixIntOrBooleanEdge(node->child1());
396                 fixIntOrBooleanEdge(node->child2());
397                 break;
398             }
399             fixDoubleOrBooleanEdge(node->child1());
400             fixDoubleOrBooleanEdge(node->child2());
401             node->setResult(NodeResultDouble);
402             break;
403         }
404             
405         case ArithAbs: {
406             if (node->child1()->shouldSpeculateInt32OrBoolean()
407                 && node->canSpeculateInt32(FixupPass)) {
408                 fixIntOrBooleanEdge(node->child1());
409                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
410                     node->setArithMode(Arith::Unchecked);
411                 else
412                     node->setArithMode(Arith::CheckOverflow);
413                 node->clearFlags(NodeMustGenerate);
414                 node->setResult(NodeResultInt32);
415                 break;
416             }
417
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420                 node->clearFlags(NodeMustGenerate);
421             } else
422                 fixEdge<UntypedUse>(node->child1());
423             node->setResult(NodeResultDouble);
424             break;
425         }
426
427         case ArithPow: {
428             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
429                 fixDoubleOrBooleanEdge(node->child1());
430                 fixIntOrBooleanEdge(node->child2());
431                 break;
432             }
433
434             fixDoubleOrBooleanEdge(node->child1());
435             fixDoubleOrBooleanEdge(node->child2());
436             break;
437         }
438
439         case ArithRandom: {
440             node->setResult(NodeResultDouble);
441             break;
442         }
443
444         case ArithRound:
445         case ArithFloor:
446         case ArithCeil:
447         case ArithTrunc: {
448             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
449                 fixIntOrBooleanEdge(node->child1());
450                 insertCheck<Int32Use>(node->child1().node());
451                 node->convertToIdentity();
452                 break;
453             }
454             if (node->child1()->shouldSpeculateNotCell()) {
455                 fixDoubleOrBooleanEdge(node->child1());
456
457                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
458                     node->setResult(NodeResultInt32);
459                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
460                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
461                     else
462                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
463                 } else {
464                     node->setResult(NodeResultDouble);
465                     node->setArithRoundingMode(Arith::RoundingMode::Double);
466                 }
467                 node->clearFlags(NodeMustGenerate);
468             } else
469                 fixEdge<UntypedUse>(node->child1());
470             break;
471         }
472
473         case ArithFRound:
474         case ArithSqrt:
475         case ArithUnary: {
476             Edge& child1 = node->child1();
477             if (child1->shouldSpeculateNotCell()) {
478                 fixDoubleOrBooleanEdge(child1);
479                 node->clearFlags(NodeMustGenerate);
480             } else
481                 fixEdge<UntypedUse>(child1);
482             break;
483         }
484             
485         case LogicalNot: {
486             if (node->child1()->shouldSpeculateBoolean()) {
487                 if (node->child1()->result() == NodeResultBoolean) {
488                     // This is necessary in case we have a bytecode instruction implemented by:
489                     //
490                     // a: CompareEq(...)
491                     // b: LogicalNot(@a)
492                     //
493                     // In that case, CompareEq might have a side-effect. Then, we need to make
494                     // sure that we know that Branch does not exit.
495                     fixEdge<KnownBooleanUse>(node->child1());
496                 } else
497                     fixEdge<BooleanUse>(node->child1());
498             } else if (node->child1()->shouldSpeculateObjectOrOther())
499                 fixEdge<ObjectOrOtherUse>(node->child1());
500             else if (node->child1()->shouldSpeculateInt32OrBoolean())
501                 fixIntOrBooleanEdge(node->child1());
502             else if (node->child1()->shouldSpeculateNumber())
503                 fixEdge<DoubleRepUse>(node->child1());
504             else if (node->child1()->shouldSpeculateString())
505                 fixEdge<StringUse>(node->child1());
506             else if (node->child1()->shouldSpeculateStringOrOther())
507                 fixEdge<StringOrOtherUse>(node->child1());
508             else {
509                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
510                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
511                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
512             }
513             break;
514         }
515
516         case CompareEq:
517         case CompareLess:
518         case CompareLessEq:
519         case CompareGreater:
520         case CompareGreaterEq: {
521             if (node->op() == CompareEq
522                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
523                 fixEdge<BooleanUse>(node->child1());
524                 fixEdge<BooleanUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
529                 fixIntOrBooleanEdge(node->child1());
530                 fixIntOrBooleanEdge(node->child2());
531                 node->clearFlags(NodeMustGenerate);
532                 break;
533             }
534             if (enableInt52()
535                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
536                 fixEdge<Int52RepUse>(node->child1());
537                 fixEdge<Int52RepUse>(node->child2());
538                 node->clearFlags(NodeMustGenerate);
539                 break;
540             }
541             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
542                 fixDoubleOrBooleanEdge(node->child1());
543                 fixDoubleOrBooleanEdge(node->child2());
544             }
545             if (node->op() != CompareEq
546                 && node->child1()->shouldSpeculateNotCell()
547                 && node->child2()->shouldSpeculateNotCell()) {
548                 if (node->child1()->shouldSpeculateNumberOrBoolean())
549                     fixDoubleOrBooleanEdge(node->child1());
550                 else
551                     fixEdge<DoubleRepUse>(node->child1());
552                 if (node->child2()->shouldSpeculateNumberOrBoolean())
553                     fixDoubleOrBooleanEdge(node->child2());
554                 else
555                     fixEdge<DoubleRepUse>(node->child2());
556                 node->clearFlags(NodeMustGenerate);
557                 break;
558             }
559             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
560                 fixEdge<StringIdentUse>(node->child1());
561                 fixEdge<StringIdentUse>(node->child2());
562                 node->clearFlags(NodeMustGenerate);
563                 break;
564             }
565             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
566                 fixEdge<StringUse>(node->child1());
567                 fixEdge<StringUse>(node->child2());
568                 node->clearFlags(NodeMustGenerate);
569                 break;
570             }
571
572             if (node->op() != CompareEq)
573                 break;
574             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
575                 fixEdge<SymbolUse>(node->child1());
576                 fixEdge<SymbolUse>(node->child2());
577                 node->clearFlags(NodeMustGenerate);
578                 break;
579             }
580             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
581                 fixEdge<ObjectUse>(node->child1());
582                 fixEdge<ObjectUse>(node->child2());
583                 node->clearFlags(NodeMustGenerate);
584                 break;
585             }
586
587             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
588             bool oneArgumentIsUsedAsSpecOther = false;
589             if (node->child1()->isUndefinedOrNullConstant()) {
590                 fixEdge<OtherUse>(node->child1());
591                 oneArgumentIsUsedAsSpecOther = true;
592             } else if (node->child1()->shouldSpeculateOther()) {
593                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
594                     Edge(node->child1().node(), OtherUse));
595                 fixEdge<OtherUse>(node->child1());
596                 oneArgumentIsUsedAsSpecOther = true;
597             }
598             if (node->child2()->isUndefinedOrNullConstant()) {
599                 fixEdge<OtherUse>(node->child2());
600                 oneArgumentIsUsedAsSpecOther = true;
601             } else if (node->child2()->shouldSpeculateOther()) {
602                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
603                     Edge(node->child2().node(), OtherUse));
604                 fixEdge<OtherUse>(node->child2());
605                 oneArgumentIsUsedAsSpecOther = true;
606             }
607             if (oneArgumentIsUsedAsSpecOther) {
608                 node->clearFlags(NodeMustGenerate);
609                 break;
610             }
611
612             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
613                 fixEdge<ObjectUse>(node->child1());
614                 fixEdge<ObjectOrOtherUse>(node->child2());
615                 node->clearFlags(NodeMustGenerate);
616                 break;
617             }
618             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
619                 fixEdge<ObjectOrOtherUse>(node->child1());
620                 fixEdge<ObjectUse>(node->child2());
621                 node->clearFlags(NodeMustGenerate);
622                 break;
623             }
624
625             break;
626         }
627             
628         case CompareStrictEq:
629         case SameValue: {
630             fixupCompareStrictEqAndSameValue(node);
631             break;
632         }
633
634         case StringFromCharCode:
635             if (node->child1()->shouldSpeculateInt32()) {
636                 fixEdge<Int32Use>(node->child1());
637                 node->clearFlags(NodeMustGenerate);
638             } else
639                 fixEdge<UntypedUse>(node->child1());
640             break;
641
642         case StringCharAt:
643         case StringCharCodeAt: {
644             // Currently we have no good way of refining these.
645             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
646             blessArrayOperation(node->child1(), node->child2(), node->child3());
647             fixEdge<KnownCellUse>(node->child1());
648             fixEdge<Int32Use>(node->child2());
649             break;
650         }
651
652         case GetByVal: {
653             if (!node->prediction()) {
654                 m_insertionSet.insertNode(
655                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
656             }
657             
658             node->setArrayMode(
659                 node->arrayMode().refine(
660                     m_graph, node,
661                     m_graph.varArgChild(node, 0)->prediction(),
662                     m_graph.varArgChild(node, 1)->prediction(),
663                     SpecNone));
664             
665             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
666             
667             ArrayMode arrayMode = node->arrayMode();
668             switch (arrayMode.type()) {
669             case Array::Contiguous:
670             case Array::Double:
671                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
672                     // Check if SaneChain will work on a per-type basis. Note that:
673                     //
674                     // 1) We don't want double arrays to sometimes return undefined, since
675                     // that would require a change to the return type and it would pessimise
676                     // things a lot. So, we'd only want to do that if we actually had
677                     // evidence that we could read from a hole. That's pretty annoying.
678                     // Likely the best way to handle that case is with an equivalent of
679                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
680                     // NaN are indistinguishable according to backwards propagation, and just
681                     // use SaneChain in that case. This happens to catch a lot of cases.
682                     //
683                     // 2) We don't want int32 array loads to have to do a hole check just to
684                     // coerce to Undefined, since that would mean twice the checks.
685                     //
686                     // This has two implications. First, we have to do more checks than we'd
687                     // like. It's unfortunate that we have to do the hole check. Second,
688                     // some accesses that hit a hole will now need to take the full-blown
689                     // out-of-bounds slow path. We can fix that with:
690                     // https://bugs.webkit.org/show_bug.cgi?id=144668
691                     
692                     bool canDoSaneChain = false;
693                     switch (arrayMode.type()) {
694                     case Array::Contiguous:
695                         // This is happens to be entirely natural. We already would have
696                         // returned any JSValue, and now we'll return Undefined. We still do
697                         // the check but it doesn't require taking any kind of slow path.
698                         canDoSaneChain = true;
699                         break;
700                         
701                     case Array::Double:
702                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
703                             // Holes look like NaN already, so if the user doesn't care
704                             // about the difference between Undefined and NaN then we can
705                             // do this.
706                             canDoSaneChain = true;
707                         }
708                         break;
709                         
710                     default:
711                         break;
712                     }
713                     
714                     if (canDoSaneChain) {
715                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
716                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
717                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
718                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
719                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
720                             && globalObject->arrayPrototypeChainIsSane()) {
721                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
722                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
723                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
724                         }
725                     }
726                 }
727                 break;
728                 
729             case Array::String:
730                 if ((node->prediction() & ~SpecString)
731                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
732                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
733                 break;
734                 
735             default:
736                 break;
737             }
738             
739             arrayMode = node->arrayMode();
740             switch (arrayMode.type()) {
741             case Array::SelectUsingPredictions:
742             case Array::Unprofiled:
743                 RELEASE_ASSERT_NOT_REACHED();
744                 break;
745             case Array::Generic:
746                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
747                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
748                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
749                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
750                         break;
751                     }
752
753                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
754                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
755                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
756                         break;
757                     }
758                 }
759 #if USE(JSVALUE32_64)
760                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
761 #endif
762                 break;
763             case Array::ForceExit:
764                 break;
765             default:
766                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
767                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
768                 break;
769             }
770             
771             switch (arrayMode.type()) {
772             case Array::Double:
773                 if (!arrayMode.isOutOfBounds())
774                     node->setResult(NodeResultDouble);
775                 break;
776                 
777             case Array::Float32Array:
778             case Array::Float64Array:
779                 node->setResult(NodeResultDouble);
780                 break;
781                 
782             case Array::Uint32Array:
783                 if (node->shouldSpeculateInt32())
784                     break;
785                 if (node->shouldSpeculateAnyInt() && enableInt52())
786                     node->setResult(NodeResultInt52);
787                 else
788                     node->setResult(NodeResultDouble);
789                 break;
790                 
791             default:
792                 break;
793             }
794             
795             break;
796         }
797
798         case PutByValDirect:
799         case PutByVal:
800         case PutByValAlias: {
801             Edge& child1 = m_graph.varArgChild(node, 0);
802             Edge& child2 = m_graph.varArgChild(node, 1);
803             Edge& child3 = m_graph.varArgChild(node, 2);
804
805             node->setArrayMode(
806                 node->arrayMode().refine(
807                     m_graph, node,
808                     child1->prediction(),
809                     child2->prediction(),
810                     child3->prediction()));
811             
812             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
813             
814             switch (node->arrayMode().modeForPut().type()) {
815             case Array::SelectUsingPredictions:
816             case Array::SelectUsingArguments:
817             case Array::Unprofiled:
818             case Array::Undecided:
819                 RELEASE_ASSERT_NOT_REACHED();
820                 break;
821             case Array::ForceExit:
822             case Array::Generic:
823                 if (child1->shouldSpeculateCell()) {
824                     if (child2->shouldSpeculateString()) {
825                         fixEdge<CellUse>(child1);
826                         fixEdge<StringUse>(child2);
827                         break;
828                     }
829
830                     if (child2->shouldSpeculateSymbol()) {
831                         fixEdge<CellUse>(child1);
832                         fixEdge<SymbolUse>(child2);
833                         break;
834                     }
835                 }
836 #if USE(JSVALUE32_64)
837                 // Due to register pressure on 32-bit, we speculate cell and
838                 // ignore the base-is-not-cell case entirely by letting the
839                 // baseline JIT handle it.
840                 fixEdge<CellUse>(child1);
841 #endif
842                 break;
843             case Array::Int32:
844                 fixEdge<KnownCellUse>(child1);
845                 fixEdge<Int32Use>(child2);
846                 fixEdge<Int32Use>(child3);
847                 break;
848             case Array::Double:
849                 fixEdge<KnownCellUse>(child1);
850                 fixEdge<Int32Use>(child2);
851                 fixEdge<DoubleRepRealUse>(child3);
852                 break;
853             case Array::Int8Array:
854             case Array::Int16Array:
855             case Array::Int32Array:
856             case Array::Uint8Array:
857             case Array::Uint8ClampedArray:
858             case Array::Uint16Array:
859             case Array::Uint32Array:
860                 fixEdge<KnownCellUse>(child1);
861                 fixEdge<Int32Use>(child2);
862                 if (child3->shouldSpeculateInt32())
863                     fixIntOrBooleanEdge(child3);
864                 else if (child3->shouldSpeculateAnyInt())
865                     fixEdge<Int52RepUse>(child3);
866                 else
867                     fixDoubleOrBooleanEdge(child3);
868                 break;
869             case Array::Float32Array:
870             case Array::Float64Array:
871                 fixEdge<KnownCellUse>(child1);
872                 fixEdge<Int32Use>(child2);
873                 fixDoubleOrBooleanEdge(child3);
874                 break;
875             case Array::Contiguous:
876             case Array::ArrayStorage:
877             case Array::SlowPutArrayStorage:
878                 fixEdge<KnownCellUse>(child1);
879                 fixEdge<Int32Use>(child2);
880                 speculateForBarrier(child3);
881                 break;
882             default:
883                 fixEdge<KnownCellUse>(child1);
884                 fixEdge<Int32Use>(child2);
885                 break;
886             }
887             break;
888         }
889             
890         case AtomicsAdd:
891         case AtomicsAnd:
892         case AtomicsCompareExchange:
893         case AtomicsExchange:
894         case AtomicsLoad:
895         case AtomicsOr:
896         case AtomicsStore:
897         case AtomicsSub:
898         case AtomicsXor: {
899             Edge& base = m_graph.child(node, 0);
900             Edge& index = m_graph.child(node, 1);
901             
902             bool badNews = false;
903             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
904                 Edge& child = m_graph.child(node, 2 + i);
905                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
906                 // just call the function when that happens. But the FTL is totally cool with those
907                 // conversions.
908                 if (!child->shouldSpeculateInt32()
909                     && !child->shouldSpeculateAnyInt()
910                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
911                     badNews = true;
912             }
913             
914             if (badNews) {
915                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
916                 break;
917             }
918             
919             node->setArrayMode(
920                 node->arrayMode().refine(
921                     m_graph, node, base->prediction(), index->prediction()));
922             
923             if (node->arrayMode().type() == Array::Generic)
924                 break;
925             
926             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
927                 Edge& child = m_graph.child(node, 2 + i);
928                 if (child->shouldSpeculateInt32())
929                     fixIntOrBooleanEdge(child);
930                 else if (child->shouldSpeculateAnyInt())
931                     fixEdge<Int52RepUse>(child);
932                 else {
933                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
934                     fixDoubleOrBooleanEdge(child);
935                 }
936             }
937             
938             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
939             fixEdge<CellUse>(base);
940             fixEdge<Int32Use>(index);
941             
942             if (node->arrayMode().type() == Array::Uint32Array) {
943                 // NOTE: This means basically always doing Int52.
944                 if (node->shouldSpeculateAnyInt() && enableInt52())
945                     node->setResult(NodeResultInt52);
946                 else
947                     node->setResult(NodeResultDouble);
948             }
949             break;
950         }
951             
952         case AtomicsIsLockFree:
953             if (node->child1()->shouldSpeculateInt32())
954                 fixIntOrBooleanEdge(node->child1());
955             break;
956             
957         case ArrayPush: {
958             // May need to refine the array mode in case the value prediction contravenes
959             // the array prediction. For example, we may have evidence showing that the
960             // array is in Int32 mode, but the value we're storing is likely to be a double.
961             // Then we should turn this into a conversion to Double array followed by the
962             // push. On the other hand, we absolutely don't want to refine based on the
963             // base prediction. If it has non-cell garbage in it, then we want that to be
964             // ignored. That's because ArrayPush can't handle any array modes that aren't
965             // array-related - so if refine() turned this into a "Generic" ArrayPush then
966             // that would break things.
967             Edge& storageEdge = m_graph.varArgChild(node, 0);
968             Edge& arrayEdge = m_graph.varArgChild(node, 1);
969             unsigned elementOffset = 2;
970             unsigned elementCount = node->numChildren() - elementOffset;
971             for (unsigned i = 0; i < elementCount; ++i) {
972                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
973                 node->setArrayMode(
974                     node->arrayMode().refine(
975                         m_graph, node,
976                         arrayEdge->prediction() & SpecCell,
977                         SpecInt32Only,
978                         element->prediction()));
979             }
980             blessArrayOperation(arrayEdge, Edge(), storageEdge);
981             fixEdge<KnownCellUse>(arrayEdge);
982
983             // Convert `array.push()` to GetArrayLength.
984             if (!elementCount && node->arrayMode().supportsSelfLength()) {
985                 node->setOpAndDefaultFlags(GetArrayLength);
986                 node->child1() = arrayEdge;
987                 node->child2() = storageEdge;
988                 fixEdge<KnownCellUse>(node->child1());
989                 break;
990             }
991
992             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
993             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
994             for (unsigned i = 0; i < elementCount; ++i) {
995                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
996                 switch (node->arrayMode().type()) {
997                 case Array::Int32:
998                     insertCheck<Int32Use>(element.node());
999                     fixEdge<KnownInt32Use>(element);
1000                     break;
1001                 case Array::Double:
1002                     insertCheck<DoubleRepRealUse>(element.node());
1003                     fixEdge<DoubleRepUse>(element);
1004                     break;
1005                 case Array::Contiguous:
1006                 case Array::ArrayStorage:
1007                     speculateForBarrier(element);
1008                     break;
1009                 default:
1010                     break;
1011                 }
1012                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1013             }
1014             break;
1015         }
1016             
1017         case ArrayPop: {
1018             blessArrayOperation(node->child1(), Edge(), node->child2());
1019             fixEdge<KnownCellUse>(node->child1());
1020             break;
1021         }
1022
1023         case ArraySlice: {
1024             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1025             if (node->numChildren() >= 3) {
1026                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1027                 if (node->numChildren() == 4)
1028                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1029             }
1030             break;
1031         }
1032
1033         case ArrayIndexOf:
1034             fixupArrayIndexOf(node);
1035             break;
1036             
1037         case RegExpExec:
1038         case RegExpTest: {
1039             fixEdge<KnownCellUse>(node->child1());
1040             
1041             if (node->child2()->shouldSpeculateRegExpObject()) {
1042                 fixEdge<RegExpObjectUse>(node->child2());
1043
1044                 if (node->child3()->shouldSpeculateString())
1045                     fixEdge<StringUse>(node->child3());
1046             }
1047             break;
1048         }
1049
1050         case RegExpMatchFast: {
1051             fixEdge<KnownCellUse>(node->child1());
1052             fixEdge<RegExpObjectUse>(node->child2());
1053             fixEdge<StringUse>(node->child3());
1054             break;
1055         }
1056
1057         case StringReplace:
1058         case StringReplaceRegExp: {
1059             if (node->child2()->shouldSpeculateString()) {
1060                 m_insertionSet.insertNode(
1061                     m_indexInBlock, SpecNone, Check, node->origin,
1062                     Edge(node->child2().node(), StringUse));
1063                 fixEdge<StringUse>(node->child2());
1064             } else if (op == StringReplace) {
1065                 if (node->child2()->shouldSpeculateRegExpObject())
1066                     addStringReplacePrimordialChecks(node->child2().node());
1067                 else 
1068                     m_insertionSet.insertNode(
1069                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1070             }
1071
1072             if (node->child1()->shouldSpeculateString()
1073                 && node->child2()->shouldSpeculateRegExpObject()
1074                 && node->child3()->shouldSpeculateString()) {
1075
1076                 fixEdge<StringUse>(node->child1());
1077                 fixEdge<RegExpObjectUse>(node->child2());
1078                 fixEdge<StringUse>(node->child3());
1079                 break;
1080             }
1081             break;
1082         }
1083             
1084         case Branch: {
1085             if (node->child1()->shouldSpeculateBoolean()) {
1086                 if (node->child1()->result() == NodeResultBoolean) {
1087                     // This is necessary in case we have a bytecode instruction implemented by:
1088                     //
1089                     // a: CompareEq(...)
1090                     // b: Branch(@a)
1091                     //
1092                     // In that case, CompareEq might have a side-effect. Then, we need to make
1093                     // sure that we know that Branch does not exit.
1094                     fixEdge<KnownBooleanUse>(node->child1());
1095                 } else
1096                     fixEdge<BooleanUse>(node->child1());
1097             } else if (node->child1()->shouldSpeculateObjectOrOther())
1098                 fixEdge<ObjectOrOtherUse>(node->child1());
1099             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1100                 fixIntOrBooleanEdge(node->child1());
1101             else if (node->child1()->shouldSpeculateNumber())
1102                 fixEdge<DoubleRepUse>(node->child1());
1103             else if (node->child1()->shouldSpeculateString())
1104                 fixEdge<StringUse>(node->child1());
1105             else if (node->child1()->shouldSpeculateStringOrOther())
1106                 fixEdge<StringOrOtherUse>(node->child1());
1107             else {
1108                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1109                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1110                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1111             }
1112             break;
1113         }
1114             
1115         case Switch: {
1116             SwitchData* data = node->switchData();
1117             switch (data->kind) {
1118             case SwitchImm:
1119                 if (node->child1()->shouldSpeculateInt32())
1120                     fixEdge<Int32Use>(node->child1());
1121                 break;
1122             case SwitchChar:
1123                 if (node->child1()->shouldSpeculateString())
1124                     fixEdge<StringUse>(node->child1());
1125                 break;
1126             case SwitchString:
1127                 if (node->child1()->shouldSpeculateStringIdent())
1128                     fixEdge<StringIdentUse>(node->child1());
1129                 else if (node->child1()->shouldSpeculateString())
1130                     fixEdge<StringUse>(node->child1());
1131                 break;
1132             case SwitchCell:
1133                 if (node->child1()->shouldSpeculateCell())
1134                     fixEdge<CellUse>(node->child1());
1135                 // else it's fine for this to have UntypedUse; we will handle this by just making
1136                 // non-cells take the default case.
1137                 break;
1138             }
1139             break;
1140         }
1141             
1142         case ToPrimitive: {
1143             fixupToPrimitive(node);
1144             break;
1145         }
1146
1147         case ToNumber: {
1148             fixupToNumber(node);
1149             break;
1150         }
1151             
1152         case ToString:
1153         case CallStringConstructor: {
1154             fixupToStringOrCallStringConstructor(node);
1155             break;
1156         }
1157             
1158         case NewStringObject: {
1159             fixEdge<KnownStringUse>(node->child1());
1160             break;
1161         }
1162
1163         case NewArrayWithSpread: {
1164             watchHavingABadTime(node);
1165             
1166             BitVector* bitVector = node->bitVector();
1167             for (unsigned i = node->numChildren(); i--;) {
1168                 if (bitVector->get(i))
1169                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1170                 else
1171                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1172             }
1173
1174             break;
1175         }
1176
1177         case Spread: {
1178             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1179             
1180             watchHavingABadTime(node->child1().node());
1181
1182             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1183             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1184             // that it doesn't contain any indexed properties, and that any holes will result in
1185             // jsUndefined().
1186             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1187             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1188             if (node->child1()->shouldSpeculateArray()
1189                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1190                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1191                 && globalObject->arrayPrototypeChainIsSane()
1192                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1193                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1194                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1195                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1196                 fixEdge<ArrayUse>(node->child1());
1197             } else
1198                 fixEdge<CellUse>(node->child1());
1199             break;
1200         }
1201             
1202         case NewArray: {
1203             watchHavingABadTime(node);
1204             
1205             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1206                 node->setIndexingType(
1207                     leastUpperBoundOfIndexingTypeAndType(
1208                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1209             }
1210             switch (node->indexingType()) {
1211             case ALL_BLANK_INDEXING_TYPES:
1212                 CRASH();
1213                 break;
1214             case ALL_UNDECIDED_INDEXING_TYPES:
1215                 if (node->numChildren()) {
1216                     // This will only happen if the children have no type predictions. We
1217                     // would have already exited by now, but insert a forced exit just to
1218                     // be safe.
1219                     m_insertionSet.insertNode(
1220                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1221                 }
1222                 break;
1223             case ALL_INT32_INDEXING_TYPES:
1224                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1225                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1226                 break;
1227             case ALL_DOUBLE_INDEXING_TYPES:
1228                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1229                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1230                 break;
1231             case ALL_CONTIGUOUS_INDEXING_TYPES:
1232             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1233                 break;
1234             default:
1235                 CRASH();
1236                 break;
1237             }
1238             break;
1239         }
1240             
1241         case NewTypedArray: {
1242             watchHavingABadTime(node);
1243             
1244             if (node->child1()->shouldSpeculateInt32()) {
1245                 fixEdge<Int32Use>(node->child1());
1246                 node->clearFlags(NodeMustGenerate);
1247                 break;
1248             }
1249             break;
1250         }
1251             
1252         case NewArrayWithSize: {
1253             watchHavingABadTime(node);
1254             fixEdge<Int32Use>(node->child1());
1255             break;
1256         }
1257
1258         case NewArrayBuffer: {
1259             watchHavingABadTime(node);
1260             break;
1261         }
1262
1263         case ToObject: {
1264             fixupToObject(node);
1265             break;
1266         }
1267
1268         case CallObjectConstructor: {
1269             fixupCallObjectConstructor(node);
1270             break;
1271         }
1272
1273         case ToThis: {
1274             fixupToThis(node);
1275             break;
1276         }
1277             
1278         case PutStructure: {
1279             fixEdge<KnownCellUse>(node->child1());
1280             break;
1281         }
1282             
1283         case GetClosureVar:
1284         case GetFromArguments: {
1285             fixEdge<KnownCellUse>(node->child1());
1286             break;
1287         }
1288
1289         case PutClosureVar:
1290         case PutToArguments: {
1291             fixEdge<KnownCellUse>(node->child1());
1292             speculateForBarrier(node->child2());
1293             break;
1294         }
1295
1296         case SkipScope:
1297         case GetScope:
1298         case GetGetter:
1299         case GetSetter:
1300         case GetGlobalObject: {
1301             fixEdge<KnownCellUse>(node->child1());
1302             break;
1303         }
1304             
1305         case AllocatePropertyStorage:
1306         case ReallocatePropertyStorage: {
1307             fixEdge<KnownCellUse>(node->child1());
1308             break;
1309         }
1310             
1311         case NukeStructureAndSetButterfly: {
1312             fixEdge<KnownCellUse>(node->child1());
1313             break;
1314         }
1315
1316         case TryGetById: {
1317             if (node->child1()->shouldSpeculateCell())
1318                 fixEdge<CellUse>(node->child1());
1319             break;
1320         }
1321
1322         case GetByIdDirect:
1323         case GetByIdDirectFlush: {
1324             if (node->child1()->shouldSpeculateCell())
1325                 fixEdge<CellUse>(node->child1());
1326             break;
1327         }
1328
1329         case GetById:
1330         case GetByIdFlush: {
1331             // FIXME: This should be done in the ByteCodeParser based on reading the
1332             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1333             // https://bugs.webkit.org/show_bug.cgi?id=154990
1334             auto uid = m_graph.identifiers()[node->identifierNumber()];
1335             if (node->child1()->shouldSpeculateCellOrOther()
1336                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1337                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1338                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1339                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1340                 
1341                 if (uid == vm().propertyNames->length.impl()) {
1342                     attemptToMakeGetArrayLength(node);
1343                     break;
1344                 }
1345
1346                 if (uid == vm().propertyNames->lastIndex.impl()
1347                     && node->child1()->shouldSpeculateRegExpObject()) {
1348                     node->setOp(GetRegExpObjectLastIndex);
1349                     node->clearFlags(NodeMustGenerate);
1350                     fixEdge<RegExpObjectUse>(node->child1());
1351                     break;
1352                 }
1353             }
1354
1355             if (node->child1()->shouldSpeculateNumber()) {
1356                 if (uid == vm().propertyNames->toString.impl()) {
1357                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1358                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1359                         if (node->child1()->shouldSpeculateInt32()) {
1360                             insertCheck<Int32Use>(node->child1().node());
1361                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1362                             break;
1363                         }
1364
1365                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1366                             insertCheck<Int52RepUse>(node->child1().node());
1367                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1368                             break;
1369                         }
1370
1371                         ASSERT(node->child1()->shouldSpeculateNumber());
1372                         insertCheck<DoubleRepUse>(node->child1().node());
1373                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1374                         break;
1375                     }
1376                 }
1377             }
1378
1379             if (node->child1()->shouldSpeculateCell())
1380                 fixEdge<CellUse>(node->child1());
1381             break;
1382         }
1383         
1384         case GetByIdWithThis: {
1385             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1386                 fixEdge<CellUse>(node->child1());
1387                 fixEdge<CellUse>(node->child2());
1388             }
1389             break;
1390         }
1391
1392         case PutById:
1393         case PutByIdFlush:
1394         case PutByIdDirect: {
1395             if (node->child1()->shouldSpeculateCellOrOther()
1396                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1397                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1398                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1399                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1400                 
1401                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1402                 
1403                 if (uid == vm().propertyNames->lastIndex.impl()
1404                     && node->child1()->shouldSpeculateRegExpObject()) {
1405                     node->convertToSetRegExpObjectLastIndex();
1406                     fixEdge<RegExpObjectUse>(node->child1());
1407                     speculateForBarrier(node->child2());
1408                     break;
1409                 }
1410             }
1411             
1412             fixEdge<CellUse>(node->child1());
1413             break;
1414         }
1415
1416         case PutGetterById:
1417         case PutSetterById: {
1418             fixEdge<KnownCellUse>(node->child1());
1419             fixEdge<KnownCellUse>(node->child2());
1420             break;
1421         }
1422
1423         case PutGetterSetterById: {
1424             fixEdge<KnownCellUse>(node->child1());
1425             break;
1426         }
1427
1428         case PutGetterByVal:
1429         case PutSetterByVal: {
1430             fixEdge<KnownCellUse>(node->child1());
1431             fixEdge<KnownCellUse>(node->child3());
1432             break;
1433         }
1434
1435         case GetExecutable: {
1436             fixEdge<FunctionUse>(node->child1());
1437             break;
1438         }
1439
1440         case OverridesHasInstance:
1441         case CheckStructure:
1442         case CheckCell:
1443         case CreateThis:
1444         case GetButterfly: {
1445             fixEdge<CellUse>(node->child1());
1446             break;
1447         }
1448
1449         case ObjectCreate: {
1450             if (node->child1()->shouldSpeculateObject()) {
1451                 fixEdge<ObjectUse>(node->child1());
1452                 node->clearFlags(NodeMustGenerate);
1453                 break;
1454             }
1455             break;
1456         }
1457
1458         case CheckStringIdent: {
1459             fixEdge<StringIdentUse>(node->child1());
1460             break;
1461         }
1462             
1463         case Arrayify:
1464         case ArrayifyToStructure: {
1465             fixEdge<CellUse>(node->child1());
1466             if (node->child2())
1467                 fixEdge<Int32Use>(node->child2());
1468             break;
1469         }
1470             
1471         case GetByOffset:
1472         case GetGetterSetterByOffset: {
1473             if (!node->child1()->hasStorageResult())
1474                 fixEdge<KnownCellUse>(node->child1());
1475             fixEdge<KnownCellUse>(node->child2());
1476             break;
1477         }
1478             
1479         case MultiGetByOffset: {
1480             fixEdge<CellUse>(node->child1());
1481             break;
1482         }
1483             
1484         case PutByOffset: {
1485             if (!node->child1()->hasStorageResult())
1486                 fixEdge<KnownCellUse>(node->child1());
1487             fixEdge<KnownCellUse>(node->child2());
1488             unsigned index = indexForChecks();
1489             insertInferredTypeCheck(
1490                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1491                 node->storageAccessData().inferredType);
1492             speculateForBarrier(node->child3());
1493             break;
1494         }
1495             
1496         case MultiPutByOffset: {
1497             fixEdge<CellUse>(node->child1());
1498             break;
1499         }
1500             
1501         case MatchStructure: {
1502             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1503             // https://bugs.webkit.org/show_bug.cgi?id=185784
1504             fixEdge<CellUse>(node->child1());
1505             break;
1506         }
1507             
1508         case InstanceOf: {
1509             if (node->child1()->shouldSpeculateCell()
1510                 && node->child2()->shouldSpeculateCell()
1511                 && is64Bit()) {
1512                 fixEdge<CellUse>(node->child1());
1513                 fixEdge<CellUse>(node->child2());
1514                 break;
1515             }
1516             break;
1517         }
1518
1519         case InstanceOfCustom:
1520             fixEdge<CellUse>(node->child2());
1521             break;
1522
1523         case InById: {
1524             fixEdge<CellUse>(node->child1());
1525             break;
1526         }
1527
1528         case InByVal: {
1529             if (node->child2()->shouldSpeculateInt32()) {
1530                 convertToHasIndexedProperty(node);
1531                 break;
1532             }
1533
1534             fixEdge<CellUse>(node->child1());
1535             break;
1536         }
1537
1538         case HasOwnProperty: {
1539             fixEdge<ObjectUse>(node->child1());
1540 #if CPU(X86)
1541             // We don't have enough registers to do anything interesting on x86 and mips.
1542             fixEdge<UntypedUse>(node->child2());
1543 #else
1544             if (node->child2()->shouldSpeculateString())
1545                 fixEdge<StringUse>(node->child2());
1546             else if (node->child2()->shouldSpeculateSymbol())
1547                 fixEdge<SymbolUse>(node->child2());
1548             else
1549                 fixEdge<UntypedUse>(node->child2());
1550 #endif
1551             break;
1552         }
1553
1554         case CheckVarargs:
1555         case Check: {
1556             m_graph.doToChildren(
1557                 node,
1558                 [&] (Edge& edge) {
1559                     switch (edge.useKind()) {
1560                     case NumberUse:
1561                         if (edge->shouldSpeculateInt32ForArithmetic())
1562                             edge.setUseKind(Int32Use);
1563                         break;
1564                     default:
1565                         break;
1566                     }
1567                     observeUseKindOnEdge(edge);
1568                 });
1569             break;
1570         }
1571
1572         case Phantom:
1573             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1574             node->remove(m_graph);
1575             break;
1576
1577         case FiatInt52: {
1578             RELEASE_ASSERT(enableInt52());
1579             node->convertToIdentity();
1580             fixEdge<Int52RepUse>(node->child1());
1581             node->setResult(NodeResultInt52);
1582             break;
1583         }
1584
1585         case GetArrayLength: {
1586             fixEdge<KnownCellUse>(node->child1());
1587             break;
1588         }
1589
1590         case GetTypedArrayByteOffset: {
1591             fixEdge<KnownCellUse>(node->child1());
1592             break;
1593         }
1594
1595         case CompareBelow:
1596         case CompareBelowEq: {
1597             fixEdge<Int32Use>(node->child1());
1598             fixEdge<Int32Use>(node->child2());
1599             break;
1600         }
1601
1602         case GetPrototypeOf: {
1603             fixupGetPrototypeOf(node);
1604             break;
1605         }
1606
1607         case Phi:
1608         case Upsilon:
1609         case EntrySwitch:
1610         case GetIndexedPropertyStorage:
1611         case LastNodeType:
1612         case CheckTierUpInLoop:
1613         case CheckTierUpAtReturn:
1614         case CheckTierUpAndOSREnter:
1615         case InvalidationPoint:
1616         case CheckArray:
1617         case CheckInBounds:
1618         case ConstantStoragePointer:
1619         case DoubleAsInt32:
1620         case ValueToInt32:
1621         case DoubleRep:
1622         case ValueRep:
1623         case Int52Rep:
1624         case Int52Constant:
1625         case Identity: // This should have been cleaned up.
1626         case BooleanToNumber:
1627         case PhantomNewObject:
1628         case PhantomNewFunction:
1629         case PhantomNewGeneratorFunction:
1630         case PhantomNewAsyncGeneratorFunction:
1631         case PhantomNewAsyncFunction:
1632         case PhantomCreateActivation:
1633         case PhantomDirectArguments:
1634         case PhantomCreateRest:
1635         case PhantomSpread:
1636         case PhantomNewArrayWithSpread:
1637         case PhantomNewArrayBuffer:
1638         case PhantomClonedArguments:
1639         case PhantomNewRegexp:
1640         case GetMyArgumentByVal:
1641         case GetMyArgumentByValOutOfBounds:
1642         case GetVectorLength:
1643         case PutHint:
1644         case CheckStructureImmediate:
1645         case CheckStructureOrEmpty:
1646         case MaterializeNewObject:
1647         case MaterializeCreateActivation:
1648         case PutStack:
1649         case KillStack:
1650         case GetStack:
1651         case StoreBarrier:
1652         case FencedStoreBarrier:
1653         case GetRegExpObjectLastIndex:
1654         case SetRegExpObjectLastIndex:
1655         case RecordRegExpCachedResult:
1656         case RegExpExecNonGlobalOrSticky:
1657         case RegExpMatchFastGlobal:
1658             // These are just nodes that we don't currently expect to see during fixup.
1659             // If we ever wanted to insert them prior to fixup, then we just have to create
1660             // fixup rules for them.
1661             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1662             break;
1663
1664         case PutGlobalVariable: {
1665             fixEdge<CellUse>(node->child1());
1666             speculateForBarrier(node->child2());
1667             break;
1668         }
1669
1670         case IsObject:
1671             if (node->child1()->shouldSpeculateObject()) {
1672                 m_insertionSet.insertNode(
1673                     m_indexInBlock, SpecNone, Check, node->origin,
1674                     Edge(node->child1().node(), ObjectUse));
1675                 m_graph.convertToConstant(node, jsBoolean(true));
1676                 observeUseKindOnNode<ObjectUse>(node);
1677             }
1678             break;
1679
1680         case IsCellWithType: {
1681             fixupIsCellWithType(node);
1682             break;
1683         }
1684
1685         case GetEnumerableLength: {
1686             fixEdge<CellUse>(node->child1());
1687             break;
1688         }
1689         case HasGenericProperty: {
1690             fixEdge<CellUse>(node->child2());
1691             break;
1692         }
1693         case HasStructureProperty: {
1694             fixEdge<StringUse>(node->child2());
1695             fixEdge<KnownCellUse>(node->child3());
1696             break;
1697         }
1698         case HasIndexedProperty: {
1699             node->setArrayMode(
1700                 node->arrayMode().refine(
1701                     m_graph, node,
1702                     node->child1()->prediction(),
1703                     node->child2()->prediction(),
1704                     SpecNone));
1705             
1706             blessArrayOperation(node->child1(), node->child2(), node->child3());
1707             fixEdge<CellUse>(node->child1());
1708             fixEdge<KnownInt32Use>(node->child2());
1709             break;
1710         }
1711         case GetDirectPname: {
1712             Edge& base = m_graph.varArgChild(node, 0);
1713             Edge& property = m_graph.varArgChild(node, 1);
1714             Edge& index = m_graph.varArgChild(node, 2);
1715             Edge& enumerator = m_graph.varArgChild(node, 3);
1716             fixEdge<CellUse>(base);
1717             fixEdge<KnownCellUse>(property);
1718             fixEdge<KnownInt32Use>(index);
1719             fixEdge<KnownCellUse>(enumerator);
1720             break;
1721         }
1722         case GetPropertyEnumerator: {
1723             if (node->child1()->shouldSpeculateCell())
1724                 fixEdge<CellUse>(node->child1());
1725             break;
1726         }
1727         case GetEnumeratorStructurePname: {
1728             fixEdge<KnownCellUse>(node->child1());
1729             fixEdge<KnownInt32Use>(node->child2());
1730             break;
1731         }
1732         case GetEnumeratorGenericPname: {
1733             fixEdge<KnownCellUse>(node->child1());
1734             fixEdge<KnownInt32Use>(node->child2());
1735             break;
1736         }
1737         case ToIndexString: {
1738             fixEdge<KnownInt32Use>(node->child1());
1739             break;
1740         }
1741         case ProfileType: {
1742             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1743             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1744             // type T for the instructionTypeSet, the global type set must also have information for type T.
1745             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1746             // in the globalTypeSet would've also succeeded.
1747             // (The other direction does not hold in general).
1748
1749             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1750             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1751             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1752                 if (node->child1()->shouldSpeculateInt32()) {
1753                     fixEdge<Int32Use>(node->child1());
1754                     node->remove(m_graph);
1755                     break;
1756                 }
1757
1758                 if (enableInt52()) {
1759                     fixEdge<AnyIntUse>(node->child1());
1760                     node->remove(m_graph);
1761                     break;
1762                 }
1763
1764                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1765             }
1766
1767             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1768                 fixEdge<NumberUse>(node->child1());
1769                 node->remove(m_graph);
1770             } else if (typeSet->doesTypeConformTo(TypeString)) {
1771                 fixEdge<StringUse>(node->child1());
1772                 node->remove(m_graph);
1773             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1774                 fixEdge<BooleanUse>(node->child1());
1775                 node->remove(m_graph);
1776             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1777                 fixEdge<OtherUse>(node->child1());
1778                 node->remove(m_graph);
1779             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1780                 StructureSet set;
1781                 {
1782                     ConcurrentJSLocker locker(typeSet->m_lock);
1783                     set = typeSet->structureSet(locker);
1784                 }
1785                 if (!set.isEmpty()) {
1786                     fixEdge<CellUse>(node->child1());
1787                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1788                 }
1789             }
1790
1791             break;
1792         }
1793
1794         case CreateClonedArguments: {
1795             watchHavingABadTime(node);
1796             break;
1797         }
1798
1799         case CreateScopedArguments:
1800         case CreateActivation:
1801         case NewFunction:
1802         case NewGeneratorFunction:
1803         case NewAsyncGeneratorFunction:
1804         case NewAsyncFunction: {
1805             // Child 1 is always the current scope, which is guaranteed to be an object
1806             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1807             fixEdge<KnownCellUse>(node->child1());
1808             break;
1809         }
1810
1811         case PushWithScope: {
1812             // Child 1 is always the current scope, which is guaranteed to be an object
1813             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1814             fixEdge<KnownCellUse>(node->child1());
1815             if (node->child2()->shouldSpeculateObject())
1816                 fixEdge<ObjectUse>(node->child2());
1817             break;
1818         }
1819
1820         case SetFunctionName: {
1821             // The first child is guaranteed to be a cell because op_set_function_name is only used
1822             // on a newly instantiated function object (the first child).
1823             fixEdge<KnownCellUse>(node->child1());
1824             fixEdge<UntypedUse>(node->child2());
1825             break;
1826         }
1827
1828         case CreateRest: {
1829             watchHavingABadTime(node);
1830             fixEdge<KnownInt32Use>(node->child1());
1831             break;
1832         }
1833
1834         case ResolveScopeForHoistingFuncDeclInEval: {
1835             fixEdge<KnownCellUse>(node->child1());
1836             break;
1837         }
1838         case ResolveScope:
1839         case GetDynamicVar:
1840         case PutDynamicVar: {
1841             fixEdge<KnownCellUse>(node->child1());
1842             break;
1843         }
1844
1845         case LogShadowChickenPrologue: {
1846             fixEdge<KnownCellUse>(node->child1());
1847             break;
1848         }
1849         case LogShadowChickenTail: {
1850             fixEdge<UntypedUse>(node->child1());
1851             fixEdge<KnownCellUse>(node->child2());
1852             break;
1853         }
1854
1855         case GetMapBucket:
1856             if (node->child1().useKind() == MapObjectUse)
1857                 fixEdge<MapObjectUse>(node->child1());
1858             else if (node->child1().useKind() == SetObjectUse)
1859                 fixEdge<SetObjectUse>(node->child1());
1860             else
1861                 RELEASE_ASSERT_NOT_REACHED();
1862
1863 #if USE(JSVALUE64)
1864             if (node->child2()->shouldSpeculateBoolean())
1865                 fixEdge<BooleanUse>(node->child2());
1866             else if (node->child2()->shouldSpeculateInt32())
1867                 fixEdge<Int32Use>(node->child2());
1868             else if (node->child2()->shouldSpeculateSymbol())
1869                 fixEdge<SymbolUse>(node->child2());
1870             else if (node->child2()->shouldSpeculateObject())
1871                 fixEdge<ObjectUse>(node->child2());
1872             else if (node->child2()->shouldSpeculateString())
1873                 fixEdge<StringUse>(node->child2());
1874             else if (node->child2()->shouldSpeculateCell())
1875                 fixEdge<CellUse>(node->child2());
1876             else
1877                 fixEdge<UntypedUse>(node->child2());
1878 #else
1879             fixEdge<UntypedUse>(node->child2());
1880 #endif // USE(JSVALUE64)
1881
1882             fixEdge<Int32Use>(node->child3());
1883             break;
1884
1885         case GetMapBucketHead:
1886             if (node->child1().useKind() == MapObjectUse)
1887                 fixEdge<MapObjectUse>(node->child1());
1888             else if (node->child1().useKind() == SetObjectUse)
1889                 fixEdge<SetObjectUse>(node->child1());
1890             else
1891                 RELEASE_ASSERT_NOT_REACHED();
1892             break;
1893
1894         case GetMapBucketNext:
1895         case LoadKeyFromMapBucket:
1896         case LoadValueFromMapBucket:
1897             fixEdge<CellUse>(node->child1());
1898             break;
1899
1900         case MapHash: {
1901 #if USE(JSVALUE64)
1902             if (node->child1()->shouldSpeculateBoolean()) {
1903                 fixEdge<BooleanUse>(node->child1());
1904                 break;
1905             }
1906
1907             if (node->child1()->shouldSpeculateInt32()) {
1908                 fixEdge<Int32Use>(node->child1());
1909                 break;
1910             }
1911
1912             if (node->child1()->shouldSpeculateSymbol()) {
1913                 fixEdge<SymbolUse>(node->child1());
1914                 break;
1915             }
1916
1917             if (node->child1()->shouldSpeculateObject()) {
1918                 fixEdge<ObjectUse>(node->child1());
1919                 break;
1920             }
1921
1922             if (node->child1()->shouldSpeculateString()) {
1923                 fixEdge<StringUse>(node->child1());
1924                 break;
1925             }
1926
1927             if (node->child1()->shouldSpeculateCell()) {
1928                 fixEdge<CellUse>(node->child1());
1929                 break;
1930             }
1931
1932             fixEdge<UntypedUse>(node->child1());
1933 #else
1934             fixEdge<UntypedUse>(node->child1());
1935 #endif // USE(JSVALUE64)
1936             break;
1937         }
1938
1939         case NormalizeMapKey: {
1940             fixupNormalizeMapKey(node);
1941             break;
1942         }
1943
1944         case WeakMapGet: {
1945             if (node->child1().useKind() == WeakMapObjectUse)
1946                 fixEdge<WeakMapObjectUse>(node->child1());
1947             else if (node->child1().useKind() == WeakSetObjectUse)
1948                 fixEdge<WeakSetObjectUse>(node->child1());
1949             else
1950                 RELEASE_ASSERT_NOT_REACHED();
1951             fixEdge<ObjectUse>(node->child2());
1952             fixEdge<Int32Use>(node->child3());
1953             break;
1954         }
1955
1956         case SetAdd: {
1957             fixEdge<SetObjectUse>(node->child1());
1958             fixEdge<Int32Use>(node->child3());
1959             break;
1960         }
1961
1962         case MapSet: {
1963             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1964             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1965             break;
1966         }
1967
1968         case WeakSetAdd: {
1969             fixEdge<WeakSetObjectUse>(node->child1());
1970             fixEdge<ObjectUse>(node->child2());
1971             fixEdge<Int32Use>(node->child3());
1972             break;
1973         }
1974
1975         case WeakMapSet: {
1976             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1977             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
1978             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1979             break;
1980         }
1981
1982         case DefineDataProperty: {
1983             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1984             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1985             if (propertyEdge->shouldSpeculateSymbol())
1986                 fixEdge<SymbolUse>(propertyEdge);
1987             else if (propertyEdge->shouldSpeculateStringIdent())
1988                 fixEdge<StringIdentUse>(propertyEdge);
1989             else if (propertyEdge->shouldSpeculateString())
1990                 fixEdge<StringUse>(propertyEdge);
1991             else
1992                 fixEdge<UntypedUse>(propertyEdge);
1993             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1994             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1995             break;
1996         }
1997
1998         case StringSlice: {
1999             fixEdge<StringUse>(node->child1());
2000             fixEdge<Int32Use>(node->child2());
2001             if (node->child3())
2002                 fixEdge<Int32Use>(node->child3());
2003             break;
2004         }
2005
2006         case ToLowerCase: {
2007             // We currently only support StringUse since that will ensure that
2008             // ToLowerCase is a pure operation. If we decide to update this with
2009             // more types in the future, we need to ensure that the clobberize rules
2010             // are correct.
2011             fixEdge<StringUse>(node->child1());
2012             break;
2013         }
2014
2015         case NumberToStringWithRadix: {
2016             if (node->child1()->shouldSpeculateInt32())
2017                 fixEdge<Int32Use>(node->child1());
2018             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2019                 fixEdge<Int52RepUse>(node->child1());
2020             else
2021                 fixEdge<DoubleRepUse>(node->child1());
2022             fixEdge<Int32Use>(node->child2());
2023             break;
2024         }
2025
2026         case DefineAccessorProperty: {
2027             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2028             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2029             if (propertyEdge->shouldSpeculateSymbol())
2030                 fixEdge<SymbolUse>(propertyEdge);
2031             else if (propertyEdge->shouldSpeculateStringIdent())
2032                 fixEdge<StringIdentUse>(propertyEdge);
2033             else if (propertyEdge->shouldSpeculateString())
2034                 fixEdge<StringUse>(propertyEdge);
2035             else
2036                 fixEdge<UntypedUse>(propertyEdge);
2037             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2038             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2039             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2040             break;
2041         }
2042
2043         case CheckSubClass: {
2044             fixupCheckSubClass(node);
2045             break;
2046         }
2047
2048         case CallDOMGetter: {
2049             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2050             fixEdge<CellUse>(node->child1()); // DOM.
2051             if (snippet && snippet->requireGlobalObject)
2052                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2053             break;
2054         }
2055
2056         case CallDOM: {
2057             fixupCallDOM(node);
2058             break;
2059         }
2060
2061         case Call: {
2062             attemptToMakeCallDOM(node);
2063             break;
2064         }
2065
2066         case ParseInt: {
2067             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2068                 fixEdge<Int32Use>(node->child1());
2069                 node->convertToIdentity();
2070                 break;
2071             }
2072
2073             if (node->child1()->shouldSpeculateString()) {
2074                 fixEdge<StringUse>(node->child1());
2075                 node->clearFlags(NodeMustGenerate);
2076             }
2077
2078             if (node->child2())
2079                 fixEdge<Int32Use>(node->child2());
2080
2081             break;
2082         }
2083
2084         case IdentityWithProfile: {
2085             node->clearFlags(NodeMustGenerate);
2086             break;
2087         }
2088
2089         case ThrowStaticError:
2090             fixEdge<StringUse>(node->child1());
2091             break;
2092
2093         case NumberIsInteger:
2094             if (node->child1()->shouldSpeculateInt32()) {
2095                 m_insertionSet.insertNode(
2096                     m_indexInBlock, SpecNone, Check, node->origin,
2097                     Edge(node->child1().node(), Int32Use));
2098                 m_graph.convertToConstant(node, jsBoolean(true));
2099                 break;
2100             }
2101             break;
2102
2103         case SetCallee:
2104             fixEdge<CellUse>(node->child1());
2105             break;
2106
2107 #if !ASSERT_DISABLED
2108         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2109         case SetArgument:
2110         case JSConstant:
2111         case LazyJSConstant:
2112         case DoubleConstant:
2113         case GetLocal:
2114         case GetCallee:
2115         case GetArgumentCountIncludingThis:
2116         case SetArgumentCountIncludingThis:
2117         case GetRestLength:
2118         case GetArgument:
2119         case Flush:
2120         case PhantomLocal:
2121         case GetGlobalVar:
2122         case GetGlobalLexicalVariable:
2123         case NotifyWrite:
2124         case DirectCall:
2125         case CheckTypeInfoFlags:
2126         case TailCallInlinedCaller:
2127         case DirectTailCallInlinedCaller:
2128         case Construct:
2129         case DirectConstruct:
2130         case CallVarargs:
2131         case CallEval:
2132         case TailCallVarargsInlinedCaller:
2133         case ConstructVarargs:
2134         case CallForwardVarargs:
2135         case ConstructForwardVarargs:
2136         case TailCallForwardVarargs:
2137         case TailCallForwardVarargsInlinedCaller:
2138         case LoadVarargs:
2139         case ForwardVarargs:
2140         case ProfileControlFlow:
2141         case NewObject:
2142         case NewRegexp:
2143         case DeleteById:
2144         case DeleteByVal:
2145         case IsTypedArrayView:
2146         case IsEmpty:
2147         case IsUndefined:
2148         case IsBoolean:
2149         case IsNumber:
2150         case IsObjectOrNull:
2151         case IsFunction:
2152         case CreateDirectArguments:
2153         case Jump:
2154         case Return:
2155         case TailCall:
2156         case DirectTailCall:
2157         case TailCallVarargs:
2158         case Throw:
2159         case CountExecution:
2160         case SuperSamplerBegin:
2161         case SuperSamplerEnd:
2162         case ForceOSRExit:
2163         case CheckBadCell:
2164         case CheckNotEmpty:
2165         case AssertNotEmpty:
2166         case CheckTraps:
2167         case Unreachable:
2168         case ExtractOSREntryLocal:
2169         case ExtractCatchLocal:
2170         case ClearCatchLocals:
2171         case LoopHint:
2172         case MovHint:
2173         case InitializeEntrypointArguments:
2174         case ZombieHint:
2175         case ExitOK:
2176         case BottomValue:
2177         case TypeOf:
2178         case PutByIdWithThis:
2179         case PutByValWithThis:
2180         case GetByValWithThis:
2181         case CompareEqPtr:
2182         case NumberToStringWithValidRadixConstant:
2183         case GetGlobalThis:
2184         case ExtractValueFromWeakMapGet:
2185         case CPUIntrinsic:
2186             break;
2187 #else
2188         default:
2189             break;
2190 #endif
2191         }
2192     }
2193
2194     void watchHavingABadTime(Node* node)
2195     {
2196         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2197
2198         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2199         // does an array allocation. The types of array allocations may change if we start to have a bad
2200         // time. It's easier to reason about this if we know that whenever the types change after we start
2201         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2202         // prior to this point nobody should have been doing optimizations based on the indexing type of
2203         // the allocation.
2204         if (!globalObject->isHavingABadTime()) {
2205             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2206             m_graph.freeze(globalObject);
2207         }
2208     }
2209     
2210     template<UseKind useKind>
2211     void createToString(Node* node, Edge& edge)
2212     {
2213         Node* toString = m_insertionSet.insertNode(
2214             m_indexInBlock, SpecString, ToString, node->origin,
2215             Edge(edge.node(), useKind));
2216         switch (useKind) {
2217         case Int32Use:
2218         case Int52RepUse:
2219         case DoubleRepUse:
2220         case NotCellUse:
2221             toString->clearFlags(NodeMustGenerate);
2222             break;
2223         default:
2224             break;
2225         }
2226         edge.setNode(toString);
2227     }
2228     
2229     template<UseKind useKind>
2230     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2231     {
2232         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2233         
2234         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2235             return;
2236         
2237         createToString<useKind>(node, node->child1());
2238         arrayMode = ArrayMode(Array::String, Array::Read);
2239     }
2240     
2241     template<UseKind useKind>
2242     bool isStringObjectUse()
2243     {
2244         switch (useKind) {
2245         case StringObjectUse:
2246         case StringOrStringObjectUse:
2247             return true;
2248         default:
2249             return false;
2250         }
2251     }
2252     
2253     template<UseKind useKind>
2254     void convertStringAddUse(Node* node, Edge& edge)
2255     {
2256         if (useKind == StringUse) {
2257             observeUseKindOnNode<StringUse>(edge.node());
2258             m_insertionSet.insertNode(
2259                 m_indexInBlock, SpecNone, Check, node->origin,
2260                 Edge(edge.node(), StringUse));
2261             edge.setUseKind(KnownStringUse);
2262             return;
2263         }
2264         
2265         observeUseKindOnNode<useKind>(edge.node());
2266         createToString<useKind>(node, edge);
2267     }
2268     
2269     void convertToMakeRope(Node* node)
2270     {
2271         node->setOpAndDefaultFlags(MakeRope);
2272         fixupMakeRope(node);
2273     }
2274     
2275     void fixupMakeRope(Node* node)
2276     {
2277         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2278             Edge& edge = node->children.child(i);
2279             if (!edge)
2280                 break;
2281             edge.setUseKind(KnownStringUse);
2282             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2283             if (!string)
2284                 continue;
2285             if (string->length())
2286                 continue;
2287             
2288             // Don't allow the MakeRope to have zero children.
2289             if (!i && !node->child2())
2290                 break;
2291             
2292             node->children.removeEdge(i--);
2293         }
2294         
2295         if (!node->child2()) {
2296             ASSERT(!node->child3());
2297             node->convertToIdentity();
2298         }
2299     }
2300
2301     void fixupIsCellWithType(Node* node)
2302     {
2303         switch (node->speculatedTypeForQuery()) {
2304         case SpecString:
2305             if (node->child1()->shouldSpeculateString()) {
2306                 m_insertionSet.insertNode(
2307                     m_indexInBlock, SpecNone, Check, node->origin,
2308                     Edge(node->child1().node(), StringUse));
2309                 m_graph.convertToConstant(node, jsBoolean(true));
2310                 observeUseKindOnNode<StringUse>(node);
2311                 return;
2312             }
2313             break;
2314
2315         case SpecProxyObject:
2316             if (node->child1()->shouldSpeculateProxyObject()) {
2317                 m_insertionSet.insertNode(
2318                     m_indexInBlock, SpecNone, Check, node->origin,
2319                     Edge(node->child1().node(), ProxyObjectUse));
2320                 m_graph.convertToConstant(node, jsBoolean(true));
2321                 observeUseKindOnNode<ProxyObjectUse>(node);
2322                 return;
2323             }
2324             break;
2325
2326         case SpecRegExpObject:
2327             if (node->child1()->shouldSpeculateRegExpObject()) {
2328                 m_insertionSet.insertNode(
2329                     m_indexInBlock, SpecNone, Check, node->origin,
2330                     Edge(node->child1().node(), RegExpObjectUse));
2331                 m_graph.convertToConstant(node, jsBoolean(true));
2332                 observeUseKindOnNode<RegExpObjectUse>(node);
2333                 return;
2334             }
2335             break;
2336
2337         case SpecArray:
2338             if (node->child1()->shouldSpeculateArray()) {
2339                 m_insertionSet.insertNode(
2340                     m_indexInBlock, SpecNone, Check, node->origin,
2341                     Edge(node->child1().node(), ArrayUse));
2342                 m_graph.convertToConstant(node, jsBoolean(true));
2343                 observeUseKindOnNode<ArrayUse>(node);
2344                 return;
2345             }
2346             break;
2347
2348         case SpecDerivedArray:
2349             if (node->child1()->shouldSpeculateDerivedArray()) {
2350                 m_insertionSet.insertNode(
2351                     m_indexInBlock, SpecNone, Check, node->origin,
2352                     Edge(node->child1().node(), DerivedArrayUse));
2353                 m_graph.convertToConstant(node, jsBoolean(true));
2354                 observeUseKindOnNode<DerivedArrayUse>(node);
2355                 return;
2356             }
2357             break;
2358         }
2359
2360         if (node->child1()->shouldSpeculateCell()) {
2361             fixEdge<CellUse>(node->child1());
2362             return;
2363         }
2364
2365         if (node->child1()->shouldSpeculateNotCell()) {
2366             m_insertionSet.insertNode(
2367                 m_indexInBlock, SpecNone, Check, node->origin,
2368                 Edge(node->child1().node(), NotCellUse));
2369             m_graph.convertToConstant(node, jsBoolean(false));
2370             observeUseKindOnNode<NotCellUse>(node);
2371             return;
2372         }
2373     }
2374
2375     void fixupGetPrototypeOf(Node* node)
2376     {
2377         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2378         if (node->child1().useKind() != ObjectUse) {
2379             if (node->child1()->shouldSpeculateString()) {
2380                 insertCheck<StringUse>(node->child1().node());
2381                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2382                 return;
2383             }
2384             if (node->child1()->shouldSpeculateInt32()) {
2385                 insertCheck<Int32Use>(node->child1().node());
2386                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2387                 return;
2388             }
2389             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2390                 insertCheck<Int52RepUse>(node->child1().node());
2391                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2392                 return;
2393             }
2394             if (node->child1()->shouldSpeculateNumber()) {
2395                 insertCheck<NumberUse>(node->child1().node());
2396                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2397                 return;
2398             }
2399             if (node->child1()->shouldSpeculateSymbol()) {
2400                 insertCheck<SymbolUse>(node->child1().node());
2401                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2402                 return;
2403             }
2404             if (node->child1()->shouldSpeculateBoolean()) {
2405                 insertCheck<BooleanUse>(node->child1().node());
2406                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2407                 return;
2408             }
2409         }
2410
2411         if (node->child1()->shouldSpeculateFinalObject()) {
2412             fixEdge<FinalObjectUse>(node->child1());
2413             node->clearFlags(NodeMustGenerate);
2414             return;
2415         }
2416         if (node->child1()->shouldSpeculateArray()) {
2417             fixEdge<ArrayUse>(node->child1());
2418             node->clearFlags(NodeMustGenerate);
2419             return;
2420         }
2421         if (node->child1()->shouldSpeculateFunction()) {
2422             fixEdge<FunctionUse>(node->child1());
2423             node->clearFlags(NodeMustGenerate);
2424             return;
2425         }
2426     }
2427
2428     void fixupToThis(Node* node)
2429     {
2430         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2431
2432         if (ecmaMode == StrictMode) {
2433             if (node->child1()->shouldSpeculateBoolean()) {
2434                 fixEdge<BooleanUse>(node->child1());
2435                 node->convertToIdentity();
2436                 return;
2437             }
2438
2439             if (node->child1()->shouldSpeculateInt32()) {
2440                 fixEdge<Int32Use>(node->child1());
2441                 node->convertToIdentity();
2442                 return;
2443             }
2444
2445             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2446                 fixEdge<Int52RepUse>(node->child1());
2447                 node->convertToIdentity();
2448                 node->setResult(NodeResultInt52);
2449                 return;
2450             }
2451
2452             if (node->child1()->shouldSpeculateNumber()) {
2453                 fixEdge<DoubleRepUse>(node->child1());
2454                 node->convertToIdentity();
2455                 node->setResult(NodeResultDouble);
2456                 return;
2457             }
2458
2459             if (node->child1()->shouldSpeculateSymbol()) {
2460                 fixEdge<SymbolUse>(node->child1());
2461                 node->convertToIdentity();
2462                 return;
2463             }
2464
2465             if (node->child1()->shouldSpeculateStringIdent()) {
2466                 fixEdge<StringIdentUse>(node->child1());
2467                 node->convertToIdentity();
2468                 return;
2469             }
2470
2471             if (node->child1()->shouldSpeculateString()) {
2472                 fixEdge<StringUse>(node->child1());
2473                 node->convertToIdentity();
2474                 return;
2475             }
2476             
2477             if (node->child1()->shouldSpeculateBigInt()) {
2478                 fixEdge<BigIntUse>(node->child1());
2479                 node->convertToIdentity();
2480                 return;
2481             }
2482         }
2483
2484         if (node->child1()->shouldSpeculateOther()) {
2485             if (ecmaMode == StrictMode) {
2486                 fixEdge<OtherUse>(node->child1());
2487                 node->convertToIdentity();
2488                 return;
2489             }
2490
2491             m_insertionSet.insertNode(
2492                 m_indexInBlock, SpecNone, Check, node->origin,
2493                 Edge(node->child1().node(), OtherUse));
2494             observeUseKindOnNode<OtherUse>(node->child1().node());
2495             m_graph.convertToConstant(
2496                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2497             return;
2498         }
2499
2500         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2501         // however, since we cover all the missing cases in constant folding.
2502         // https://bugs.webkit.org/show_bug.cgi?id=157213
2503         if (node->child1()->shouldSpeculateStringObject()) {
2504             fixEdge<StringObjectUse>(node->child1());
2505             node->convertToIdentity();
2506             return;
2507         }
2508
2509         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2510             fixEdge<FinalObjectUse>(node->child1());
2511             node->convertToIdentity();
2512             return;
2513         }
2514     }
2515     
2516     void fixupToPrimitive(Node* node)
2517     {
2518         if (node->child1()->shouldSpeculateInt32()) {
2519             fixEdge<Int32Use>(node->child1());
2520             node->convertToIdentity();
2521             return;
2522         }
2523         
2524         if (node->child1()->shouldSpeculateString()) {
2525             fixEdge<StringUse>(node->child1());
2526             node->convertToIdentity();
2527             return;
2528         }
2529         
2530         if (node->child1()->shouldSpeculateStringObject()
2531             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2532             fixEdge<StringObjectUse>(node->child1());
2533             node->convertToToString();
2534             return;
2535         }
2536         
2537         if (node->child1()->shouldSpeculateStringOrStringObject()
2538             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2539             fixEdge<StringOrStringObjectUse>(node->child1());
2540             node->convertToToString();
2541             return;
2542         }
2543     }
2544
2545     void fixupToNumber(Node* node)
2546     {
2547         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2548         if (node->child1()->shouldSpeculateNumber()) {
2549             if (isInt32Speculation(node->getHeapPrediction())) {
2550                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2551                 if (node->child1()->shouldSpeculateInt32()) {
2552                     fixEdge<Int32Use>(node->child1());
2553                     node->convertToIdentity();
2554                     return;
2555                 }
2556
2557                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2558                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2559                 fixEdge<DoubleRepUse>(node->child1());
2560                 node->setOp(DoubleAsInt32);
2561                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2562                     node->setArithMode(Arith::CheckOverflow);
2563                 else
2564                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2565                 return;
2566             }
2567
2568             fixEdge<DoubleRepUse>(node->child1());
2569             node->convertToIdentity();
2570             node->setResult(NodeResultDouble);
2571             return;
2572         }
2573
2574         fixEdge<UntypedUse>(node->child1());
2575         node->setResult(NodeResultJS);
2576     }
2577
2578     void fixupToObject(Node* node)
2579     {
2580         if (node->child1()->shouldSpeculateObject()) {
2581             fixEdge<ObjectUse>(node->child1());
2582             node->convertToIdentity();
2583             return;
2584         }
2585
2586         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2587
2588         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2589
2590         if (node->child1()->shouldSpeculateString()) {
2591             insertCheck<StringUse>(node->child1().node());
2592             fixEdge<KnownStringUse>(node->child1());
2593             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2594             return;
2595         }
2596
2597         if (node->child1()->shouldSpeculateSymbol()) {
2598             insertCheck<SymbolUse>(node->child1().node());
2599             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2600             return;
2601         }
2602
2603         if (node->child1()->shouldSpeculateNumber()) {
2604             insertCheck<NumberUse>(node->child1().node());
2605             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2606             return;
2607         }
2608
2609         if (node->child1()->shouldSpeculateBoolean()) {
2610             insertCheck<BooleanUse>(node->child1().node());
2611             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2612             return;
2613         }
2614
2615         fixEdge<UntypedUse>(node->child1());
2616     }
2617
2618     void fixupCallObjectConstructor(Node* node)
2619     {
2620         if (node->child1()->shouldSpeculateObject()) {
2621             fixEdge<ObjectUse>(node->child1());
2622             node->convertToIdentity();
2623             return;
2624         }
2625
2626         if (node->child1()->shouldSpeculateString()) {
2627             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2628             insertCheck<StringUse>(node->child1().node());
2629             fixEdge<KnownStringUse>(node->child1());
2630             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2631             return;
2632         }
2633
2634         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2635         if (node->child1()->shouldSpeculateOther()) {
2636             insertCheck<OtherUse>(node->child1().node());
2637             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2638             return;
2639         }
2640
2641         fixEdge<UntypedUse>(node->child1());
2642     }
2643     
2644     void fixupToStringOrCallStringConstructor(Node* node)
2645     {
2646         if (node->child1()->shouldSpeculateString()) {
2647             fixEdge<StringUse>(node->child1());
2648             node->convertToIdentity();
2649             return;
2650         }
2651         
2652         if (node->child1()->shouldSpeculateStringObject()
2653             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2654             fixEdge<StringObjectUse>(node->child1());
2655             return;
2656         }
2657         
2658         if (node->child1()->shouldSpeculateStringOrStringObject()
2659             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2660             fixEdge<StringOrStringObjectUse>(node->child1());
2661             return;
2662         }
2663         
2664         if (node->child1()->shouldSpeculateCell()) {
2665             fixEdge<CellUse>(node->child1());
2666             return;
2667         }
2668
2669         if (node->child1()->shouldSpeculateInt32()) {
2670             fixEdge<Int32Use>(node->child1());
2671             node->clearFlags(NodeMustGenerate);
2672             return;
2673         }
2674
2675         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2676             fixEdge<Int52RepUse>(node->child1());
2677             node->clearFlags(NodeMustGenerate);
2678             return;
2679         }
2680
2681         if (node->child1()->shouldSpeculateNumber()) {
2682             fixEdge<DoubleRepUse>(node->child1());
2683             node->clearFlags(NodeMustGenerate);
2684             return;
2685         }
2686
2687         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2688         // we need to care about it in the clobberize. In the following case,
2689         // since NotCellUse edge filter is used and this edge filters Symbols,
2690         // we can say that ToString never throws an error!
2691         if (node->child1()->shouldSpeculateNotCell()) {
2692             fixEdge<NotCellUse>(node->child1());
2693             node->clearFlags(NodeMustGenerate);
2694             return;
2695         }
2696     }
2697
2698     bool attemptToMakeFastStringAdd(Node* node)
2699     {
2700         bool goodToGo = true;
2701         m_graph.doToChildren(
2702             node,
2703             [&] (Edge& edge) {
2704                 if (edge->shouldSpeculateString())
2705                     return;
2706                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2707                     if (edge->shouldSpeculateStringObject())
2708                         return;
2709                     if (edge->shouldSpeculateStringOrStringObject())
2710                         return;
2711                 }
2712                 goodToGo = false;
2713             });
2714         if (!goodToGo)
2715             return false;
2716
2717         m_graph.doToChildren(
2718             node,
2719             [&] (Edge& edge) {
2720                 if (edge->shouldSpeculateString()) {
2721                     convertStringAddUse<StringUse>(node, edge);
2722                     return;
2723                 }
2724                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2725                 if (edge->shouldSpeculateStringObject()) {
2726                     convertStringAddUse<StringObjectUse>(node, edge);
2727                     return;
2728                 }
2729                 if (edge->shouldSpeculateStringOrStringObject()) {
2730                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2731                     return;
2732                 }
2733                 RELEASE_ASSERT_NOT_REACHED();
2734             });
2735         
2736         convertToMakeRope(node);
2737         return true;
2738     }
2739
2740     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2741     {
2742         if (!block)
2743             return;
2744         ASSERT(block->isReachable);
2745         m_block = block;
2746         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2747             Node* node = m_currentNode = block->at(m_indexInBlock);
2748             if (node->op() != SetLocal && node->op() != GetLocal)
2749                 continue;
2750             
2751             VariableAccessData* variable = node->variableAccessData();
2752             switch (node->op()) {
2753             case GetLocal:
2754                 switch (variable->flushFormat()) {
2755                 case FlushedDouble:
2756                     node->setResult(NodeResultDouble);
2757                     break;
2758                 case FlushedInt52:
2759                     node->setResult(NodeResultInt52);
2760                     break;
2761                 default:
2762                     break;
2763                 }
2764                 break;
2765                 
2766             case SetLocal:
2767                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2768                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2769                 
2770                 switch (variable->flushFormat()) {
2771                 case FlushedJSValue:
2772                     break;
2773                 case FlushedDouble:
2774                     fixEdge<DoubleRepUse>(node->child1());
2775                     break;
2776                 case FlushedInt32:
2777                     fixEdge<Int32Use>(node->child1());
2778                     break;
2779                 case FlushedInt52:
2780                     fixEdge<Int52RepUse>(node->child1());
2781                     break;
2782                 case FlushedCell:
2783                     fixEdge<CellUse>(node->child1());
2784                     break;
2785                 case FlushedBoolean:
2786                     fixEdge<BooleanUse>(node->child1());
2787                     break;
2788                 default:
2789                     RELEASE_ASSERT_NOT_REACHED();
2790                     break;
2791                 }
2792                 break;
2793                 
2794             default:
2795                 RELEASE_ASSERT_NOT_REACHED();
2796                 break;
2797             }
2798         }
2799         m_insertionSet.execute(block);
2800     }
2801     
2802     void addStringReplacePrimordialChecks(Node* searchRegExp)
2803     {
2804         Node* node = m_currentNode;
2805
2806         // Check that structure of searchRegExp is RegExp object
2807         m_insertionSet.insertNode(
2808             m_indexInBlock, SpecNone, Check, node->origin,
2809             Edge(searchRegExp, RegExpObjectUse));
2810
2811         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2812             unsigned index = m_graph.identifiers().ensure(propertyUID);
2813
2814             Node* actualProperty = m_insertionSet.insertNode(
2815                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2816                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2817
2818             m_insertionSet.insertNode(
2819                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2820                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2821         };
2822
2823         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2824
2825         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2826         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2827         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2828         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2829         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2830         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2831         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2832         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2833     }
2834
2835     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2836     {
2837         ASSERT(arrayMode.isSpecific());
2838         
2839         if (arrayMode.type() == Array::String) {
2840             m_insertionSet.insertNode(
2841                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2842         } else {
2843             // Note that we only need to be using a structure check if we opt for SaneChain, since
2844             // that needs to protect against JSArray's __proto__ being changed.
2845             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2846         
2847             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2848             
2849             if (arrayMode.doesConversion()) {
2850                 if (structure) {
2851                     m_insertionSet.insertNode(
2852                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2853                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2854                 } else {
2855                     m_insertionSet.insertNode(
2856                         m_indexInBlock, SpecNone, Arrayify, origin,
2857                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2858                 }
2859             } else {
2860                 if (structure) {
2861                     m_insertionSet.insertNode(
2862                         m_indexInBlock, SpecNone, CheckStructure, origin,
2863                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2864                 } else {
2865                     m_insertionSet.insertNode(
2866                         m_indexInBlock, SpecNone, CheckArray, origin,
2867                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2868                 }
2869             }
2870         }
2871         
2872         if (!storageCheck(arrayMode))
2873             return nullptr;
2874         
2875         if (arrayMode.usesButterfly()) {
2876             return m_insertionSet.insertNode(
2877                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2878         }
2879         
2880         return m_insertionSet.insertNode(
2881             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2882             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2883     }
2884     
2885     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2886     {
2887         Node* node = m_currentNode;
2888         
2889         switch (node->arrayMode().type()) {
2890         case Array::ForceExit: {
2891             m_insertionSet.insertNode(
2892                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2893             return;
2894         }
2895             
2896         case Array::SelectUsingPredictions:
2897         case Array::Unprofiled:
2898             RELEASE_ASSERT_NOT_REACHED();
2899             return;
2900             
2901         case Array::Generic:
2902             return;
2903             
2904         default: {
2905             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2906             if (!storage)
2907                 return;
2908             
2909             storageChild = Edge(storage);
2910             return;
2911         } }
2912     }
2913     
2914     bool alwaysUnboxSimplePrimitives()
2915     {
2916 #if USE(JSVALUE64)
2917         return false;
2918 #else
2919         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2920         // reduces traffic.
2921         return true;
2922 #endif
2923     }
2924
2925     template<UseKind useKind>
2926     void observeUseKindOnNode(Node* node)
2927     {
2928         if (useKind == UntypedUse)
2929             return;
2930         observeUseKindOnNode(node, useKind);
2931     }
2932
2933     void observeUseKindOnEdge(Edge edge)
2934     {
2935         observeUseKindOnNode(edge.node(), edge.useKind());
2936     }
2937
2938     void observeUseKindOnNode(Node* node, UseKind useKind)
2939     {
2940         if (node->op() != GetLocal)
2941             return;
2942         
2943         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2944         // https://bugs.webkit.org/show_bug.cgi?id=121518
2945         
2946         VariableAccessData* variable = node->variableAccessData();
2947         switch (useKind) {
2948         case Int32Use:
2949         case KnownInt32Use:
2950             if (alwaysUnboxSimplePrimitives()
2951                 || isInt32Speculation(variable->prediction()))
2952                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2953             break;
2954         case NumberUse:
2955         case RealNumberUse:
2956         case DoubleRepUse:
2957         case DoubleRepRealUse:
2958             if (variable->doubleFormatState() == UsingDoubleFormat)
2959                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2960             break;
2961         case BooleanUse:
2962         case KnownBooleanUse:
2963             if (alwaysUnboxSimplePrimitives()
2964                 || isBooleanSpeculation(variable->prediction()))
2965                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2966             break;
2967         case Int52RepUse:
2968             if (isAnyIntSpeculation(variable->prediction()))
2969                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2970             break;
2971         case CellUse:
2972         case KnownCellUse:
2973         case ObjectUse:
2974         case FunctionUse:
2975         case StringUse:
2976         case KnownStringUse:
2977         case SymbolUse:
2978         case BigIntUse:
2979         case StringObjectUse:
2980         case StringOrStringObjectUse:
2981             if (alwaysUnboxSimplePrimitives()
2982                 || isCellSpeculation(variable->prediction()))
2983                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2984             break;
2985         default:
2986             break;
2987         }
2988     }
2989     
2990     template<UseKind useKind>
2991     void fixEdge(Edge& edge)
2992     {
2993         observeUseKindOnNode<useKind>(edge.node());
2994         edge.setUseKind(useKind);
2995     }
2996     
2997     unsigned indexForChecks()
2998     {
2999         unsigned index = m_indexInBlock;
3000         while (!m_block->at(index)->origin.exitOK)
3001             index--;
3002         return index;
3003     }
3004     
3005     NodeOrigin originForCheck(unsigned index)
3006     {
3007         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3008     }
3009     
3010     void speculateForBarrier(Edge value)
3011     {
3012         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3013         // the DFG anyway because if such a speculation would be wrong, we want to know before
3014         // we do an expensive compile.
3015         
3016         if (value->shouldSpeculateInt32()) {
3017             insertCheck<Int32Use>(value.node());
3018             return;
3019         }
3020             
3021         if (value->shouldSpeculateBoolean()) {
3022             insertCheck<BooleanUse>(value.node());
3023             return;
3024         }
3025             
3026         if (value->shouldSpeculateOther()) {
3027             insertCheck<OtherUse>(value.node());
3028             return;
3029         }
3030             
3031         if (value->shouldSpeculateNumber()) {
3032             insertCheck<NumberUse>(value.node());
3033             return;
3034         }
3035             
3036         if (value->shouldSpeculateNotCell()) {
3037             insertCheck<NotCellUse>(value.node());
3038             return;
3039         }
3040     }
3041     
3042     template<UseKind useKind>
3043     void insertCheck(Node* node)
3044     {
3045         observeUseKindOnNode<useKind>(node);
3046         unsigned index = indexForChecks();
3047         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3048     }
3049
3050     void fixIntConvertingEdge(Edge& edge)
3051     {
3052         Node* node = edge.node();
3053         if (node->shouldSpeculateInt32OrBoolean()) {
3054             fixIntOrBooleanEdge(edge);
3055             return;
3056         }
3057         
3058         UseKind useKind;
3059         if (node->shouldSpeculateAnyInt())
3060             useKind = Int52RepUse;
3061         else if (node->shouldSpeculateNumber())
3062             useKind = DoubleRepUse;
3063         else
3064             useKind = NotCellUse;
3065         Node* newNode = m_insertionSet.insertNode(
3066             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3067             Edge(node, useKind));
3068         observeUseKindOnNode(node, useKind);
3069         
3070         edge = Edge(newNode, KnownInt32Use);
3071     }
3072     
3073     void fixIntOrBooleanEdge(Edge& edge)
3074     {
3075         Node* node = edge.node();
3076         if (!node->sawBooleans()) {
3077             fixEdge<Int32Use>(edge);
3078             return;
3079         }
3080         
3081         UseKind useKind;
3082         if (node->shouldSpeculateBoolean())
3083             useKind = BooleanUse;
3084         else
3085             useKind = UntypedUse;
3086         Node* newNode = m_insertionSet.insertNode(
3087             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3088             Edge(node, useKind));
3089         observeUseKindOnNode(node, useKind);
3090         
3091         edge = Edge(newNode, Int32Use);
3092     }
3093     
3094     void fixDoubleOrBooleanEdge(Edge& edge)
3095     {
3096         Node* node = edge.node();
3097         if (!node->sawBooleans()) {
3098             fixEdge<DoubleRepUse>(edge);
3099             return;
3100         }
3101         
3102         UseKind useKind;
3103         if (node->shouldSpeculateBoolean())
3104             useKind = BooleanUse;
3105         else
3106             useKind = UntypedUse;
3107         Node* newNode = m_insertionSet.insertNode(
3108             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3109             Edge(node, useKind));
3110         observeUseKindOnNode(node, useKind);
3111         
3112         edge = Edge(newNode, DoubleRepUse);
3113     }
3114     
3115     void truncateConstantToInt32(Edge& edge)
3116     {
3117         Node* oldNode = edge.node();
3118         
3119         JSValue value = oldNode->asJSValue();
3120         if (value.isInt32())
3121             return;
3122         
3123         value = jsNumber(JSC::toInt32(value.asNumber()));
3124         ASSERT(value.isInt32());
3125         edge.setNode(m_insertionSet.insertNode(
3126             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3127             OpInfo(m_graph.freeze(value))));
3128     }
3129     
3130     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3131     {
3132         if (mode != SpeculateInt32AndTruncateConstants)
3133             return;
3134         
3135         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3136         if (node->child1()->hasConstant())
3137             truncateConstantToInt32(node->child1());
3138         else
3139             truncateConstantToInt32(node->child2());
3140     }
3141
3142     bool attemptToMakeIntegerAdd(Node* node)
3143     {
3144         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3145         if (mode != DontSpeculateInt32) {
3146             truncateConstantsIfNecessary(node, mode);
3147             fixIntOrBooleanEdge(node->child1());
3148             fixIntOrBooleanEdge(node->child2());
3149             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3150                 node->setArithMode(Arith::Unchecked);
3151             else
3152                 node->setArithMode(Arith::CheckOverflow);
3153             return true;
3154         }
3155         
3156         if (m_graph.addShouldSpeculateAnyInt(node)) {
3157             fixEdge<Int52RepUse>(node->child1());
3158             fixEdge<Int52RepUse>(node->child2());
3159             node->setArithMode(Arith::CheckOverflow);
3160             node->setResult(NodeResultInt52);
3161             return true;
3162         }
3163         
3164         return false;
3165     }
3166     
3167     bool attemptToMakeGetArrayLength(Node* node)
3168     {
3169         if (!isInt32Speculation(node->prediction()))
3170             return false;
3171         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3172         ArrayProfile* arrayProfile = 
3173             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3174         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3175         if (arrayProfile) {
3176             ConcurrentJSLocker locker(profiledBlock->m_lock);
3177             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3178             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3179             if (arrayMode.type() == Array::Unprofiled) {
3180                 // For normal array operations, it makes sense to treat Unprofiled
3181                 // accesses as ForceExit and get more data rather than using
3182                 // predictions and then possibly ending up with a Generic. But here,
3183                 // we treat anything that is Unprofiled as Generic and keep the
3184                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3185                 // profit - from treating the Unprofiled case as
3186                 // SelectUsingPredictions.
3187                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3188             }
3189         }
3190             
3191         arrayMode = arrayMode.refine(
3192             m_graph, node, node->child1()->prediction(), node->prediction());
3193             
3194         if (arrayMode.type() == Array::Generic) {
3195             // Check if the input is something that we can't get array length for, but for which we
3196             // could insert some conversions in order to transform it into something that we can do it
3197             // for.
3198             if (node->child1()->shouldSpeculateStringObject())
3199                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3200             else if (node->child1()->shouldSpeculateStringOrStringObject())
3201                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3202         }
3203             
3204         if (!arrayMode.supportsSelfLength())
3205             return false;
3206         
3207         convertToGetArrayLength(node, arrayMode);
3208         return true;
3209     }
3210
3211     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3212     {
3213         node->setOp(GetArrayLength);
3214         node->clearFlags(NodeMustGenerate);
3215         fixEdge<KnownCellUse>(node->child1());
3216         node->setArrayMode(arrayMode);
3217             
3218         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3219         if (!storage)
3220             return;
3221             
3222         node->child2() = Edge(storage);
3223     }
3224     
3225     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3226     {
3227         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3228         return m_insertionSet.insertNode(
3229             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3230             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3231     }
3232
3233     void convertToHasIndexedProperty(Node* node)
3234     {
3235         node->setOp(HasIndexedProperty);
3236         node->clearFlags(NodeMustGenerate);
3237         node->setArrayMode(
3238             node->arrayMode().refine(
3239                 m_graph, node,
3240                 node->child1()->prediction(),
3241                 node->child2()->prediction(),
3242                 SpecNone));
3243         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3244
3245         blessArrayOperation(node->child1(), node->child2(), node->child3());
3246
3247         fixEdge<CellUse>(node->child1());
3248         fixEdge<Int32Use>(node->child2());
3249     }
3250
3251     void fixupNormalizeMapKey(Node* node)
3252     {
3253         if (node->child1()->shouldSpeculateBoolean()) {
3254             fixEdge<BooleanUse>(node->child1());
3255             node->convertToIdentity();
3256             return;
3257         }
3258
3259         if (node->child1()->shouldSpeculateInt32()) {
3260             fixEdge<Int32Use>(node->child1());
3261             node->convertToIdentity();
3262             return;
3263         }
3264
3265         if (node->child1()->shouldSpeculateSymbol()) {
3266             fixEdge<SymbolUse>(node->child1());
3267             node->convertToIdentity();
3268             return;
3269         }
3270
3271         if (node->child1()->shouldSpeculateObject()) {
3272             fixEdge<ObjectUse>(node->child1());
3273             node->convertToIdentity();
3274             return;
3275         }
3276
3277         if (node->child1()->shouldSpeculateString()) {
3278             fixEdge<StringUse>(node->child1());
3279             node->convertToIdentity();
3280             return;
3281         }
3282
3283         if (node->child1()->shouldSpeculateCell()) {
3284             fixEdge<CellUse>(node->child1());
3285             node->convertToIdentity();
3286             return;
3287         }
3288
3289         fixEdge<UntypedUse>(node->child1());
3290     }
3291
3292     bool attemptToMakeCallDOM(Node* node)
3293     {
3294         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3295             return false;
3296
3297         const DOMJIT::Signature* signature = node->signature();
3298         if (!signature)
3299             return false;
3300
3301         {
3302             unsigned index = 0;
3303             bool shouldConvertToCallDOM = true;
3304             m_graph.doToChildren(node, [&](Edge& edge) {
3305                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3306                 if (!index)
3307                     return;
3308
3309                 if (index == 1) {
3310                     // DOM node case.
3311                     if (edge->shouldSpeculateNotCell())
3312                         shouldConvertToCallDOM = false;
3313                 } else {
3314                     switch (signature->arguments[index - 2]) {
3315                     case SpecString:
3316                         if (edge->shouldSpeculateNotString())
3317                             shouldConvertToCallDOM = false;
3318                         break;
3319                     case SpecInt32Only:
3320                         if (edge->shouldSpeculateNotInt32())
3321                             shouldConvertToCallDOM = false;
3322                         break;
3323                     case SpecBoolean:
3324                         if (edge->shouldSpeculateNotBoolean())
3325                             shouldConvertToCallDOM = false;
3326                         break;
3327                     default:
3328                         RELEASE_ASSERT_NOT_REACHED();
3329                         break;
3330                     }
3331                 }
3332                 ++index;
3333             });
3334             if (!shouldConvertToCallDOM)
3335                 return false;
3336         }
3337
3338         Node* thisNode = m_graph.varArgChild(node, 1).node();
3339         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3340         node->convertToCallDOM(m_graph);
3341         fixupCheckSubClass(checkSubClass);
3342         fixupCallDOM(node);
3343         return true;
3344     }
3345
3346     void fixupCheckSubClass(Node* node)
3347     {
3348         fixEdge<CellUse>(node->child1());
3349     }
3350
3351     void fixupCallDOM(Node* node)
3352     {
3353         const DOMJIT::Signature* signature = node->signature();
3354         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3355             if (!edge)
3356                 return;
3357             switch (signature->arguments[argumentIndex]) {
3358             case SpecString:
3359                 fixEdge<StringUse>(edge);
3360                 break;
3361             case SpecInt32Only:
3362                 fixEdge<Int32Use>(edge);
3363                 break;
3364             case SpecBoolean:
3365                 fixEdge<BooleanUse>(edge);
3366                 break;
3367             default:
3368                 RELEASE_ASSERT_NOT_REACHED();
3369                 break;
3370             }
3371         };
3372         fixEdge<CellUse>(node->child1()); // DOM.
3373         fixup(node->child2(), 0);
3374         fixup(node->child3(), 1);
3375     }
3376
3377     void fixupArrayIndexOf(Node* node)
3378     {
3379         Edge& array = m_graph.varArgChild(node, 0);
3380         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3381         blessArrayOperation(array, Edge(), storage);
3382         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3383
3384         Edge& searchElement = m_graph.varArgChild(node, 1);
3385
3386         // Constant folding.
3387         switch (node->arrayMode().type()) {
3388         case Array::Double:
3389         case Array::Int32: {
3390             if (searchElement->shouldSpeculateCell()) {
3391                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3392                 m_graph.convertToConstant(node, jsNumber(-1));
3393                 observeUseKindOnNode<CellUse>(searchElement.node());
3394                 return;
3395             }
3396
3397             if (searchElement->shouldSpeculateOther()) {
3398                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3399                 m_graph.convertToConstant(node, jsNumber(-1));
3400                 observeUseKindOnNode<OtherUse>(searchElement.node());
3401                 return;
3402             }
3403
3404             if (searchElement->shouldSpeculateBoolean()) {
3405                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3406                 m_graph.convertToConstant(node, jsNumber(-1));
3407                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3408                 return;
3409             }
3410             break;
3411         }
3412         default:
3413             break;
3414         }
3415
3416         fixEdge<KnownCellUse>(array);
3417         if (node->numChildren() == 4)
3418             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3419
3420         switch (node->arrayMode().type()) {
3421         case Array::Double: {
3422             if (searchElement->shouldSpeculateNumber())
3423                 fixEdge<DoubleRepUse>(searchElement);
3424             return;
3425         }
3426         case Array::Int32: {
3427             if (searchElement->shouldSpeculateInt32())
3428                 fixEdge<Int32Use>(searchElement);
3429             return;
3430         }
3431         case Array::Contiguous: {
3432             if (searchElement->shouldSpeculateString())
3433                 fixEdge<StringUse>(searchElement);
3434             else if (searchElement->shouldSpeculateSymbol())
3435                 fixEdge<SymbolUse>(searchElement);
3436             else if (searchElement->shouldSpeculateOther())
3437                 fixEdge<OtherUse>(searchElement);
3438             else if (searchElement->shouldSpeculateObject())
3439                 fixEdge<ObjectUse>(searchElement);
3440             return;
3441         }
3442         default:
3443             RELEASE_ASSERT_NOT_REACHED();
3444             return;
3445         }
3446     }
3447
3448     void fixupCompareStrictEqAndSameValue(Node* node)
3449     {
3450         ASSERT(node->op() == SameValue || node->op() == CompareStrictEq);
3451
3452         if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
3453             fixEdge<BooleanUse>(node->child1());
3454             fixEdge<BooleanUse>(node->child2());
3455             node->setOpAndDefaultFlags(CompareStrictEq);
3456             return;
3457         }
3458         if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
3459             fixEdge<Int32Use>(node->child1());
3460             fixEdge<Int32Use>(node->child2());
3461             node->setOpAndDefaultFlags(CompareStrictEq);
3462             return;
3463         }
3464         if (enableInt52()
3465             && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
3466             fixEdge<Int52RepUse>(node->child1());
3467             fixEdge<Int52RepUse>(node->child2());
3468             node->setOpAndDefaultFlags(CompareStrictEq);
3469             return;
3470         }
3471         if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
3472             fixEdge<DoubleRepUse>(node->child1());
3473             fixEdge<DoubleRepUse>(node->child2());
3474             // Do not convert SameValue to CompareStrictEq in this case since SameValue(NaN, NaN) and SameValue(-0, +0)
3475             // are not the same to CompareStrictEq(NaN, NaN) and CompareStrictEq(-0, +0).
3476             return;
3477         }
3478         if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
3479             fixEdge<SymbolUse>(node->child1());
3480             fixEdge<SymbolUse>(node->child2());
3481             node->setOpAndDefaultFlags(CompareStrictEq);
3482             return;
3483         }
3484         if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
3485             fixEdge<BigIntUse>(node->child1());
3486             fixEdge<BigIntUse>(node->child2());
3487             node->setOpAndDefaultFlags(CompareStrictEq);
3488             return;
3489         }
3490         if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
3491             fixEdge<StringIdentUse>(node->child1());
3492             fixEdge<StringIdentUse>(node->child2());
3493             node->setOpAndDefaultFlags(CompareStrictEq);
3494             return;
3495         }
3496         if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
3497             fixEdge<StringUse>(node->child1());
3498             fixEdge<StringUse>(node->child2());
3499             node->setOpAndDefaultFlags(CompareStrictEq);
3500             return;
3501         }
3502
3503         if (node->op() == SameValue) {
3504             if (node->child1()->shouldSpeculateObject()) {
3505                 fixEdge<ObjectUse>(node->child1());
3506                 node->setOpAndDefaultFlags(CompareStrictEq);
3507                 return;
3508             }
3509             if (node->child2()->shouldSpeculateObject()) {
3510                 fixEdge<ObjectUse>(node->child2());
3511                 node->setOpAndDefaultFlags(CompareStrictEq);
3512                 return;
3513             }
3514         } else {
3515             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
3516             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
3517                 if (node->child1()->shouldSpeculateObject()) {
3518                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
3519                     fixEdge<ObjectUse>(node->child1());
3520                     return;
3521                 }
3522                 if (node->child2()->shouldSpeculateObject()) {
3523                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
3524                     fixEdge<ObjectUse>(node->child2());
3525                     return;
3526                 }
3527             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
3528                 fixEdge<ObjectUse>(node->child1());
3529                 fixEdge<ObjectUse>(node->child2());
3530                 return;
3531             }
3532         }
3533
3534         if (node->child1()->shouldSpeculateSymbol()) {
3535             fixEdge<SymbolUse>(node->child1());