[ESNext][BigInt] Implement support for "&"
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case ValueBitAnd: {
103             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
104                 fixEdge<BigIntUse>(node->child1());
105                 fixEdge<BigIntUse>(node->child2());
106                 break;
107             }
108
109             fixEdge<UntypedUse>(node->child1());
110             fixEdge<UntypedUse>(node->child2());
111             break;
112         }
113     
114         case ArithBitAnd: {
115             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
116                 fixEdge<UntypedUse>(node->child1());
117                 fixEdge<UntypedUse>(node->child2());
118                 node->setOpAndDefaultFlags(ValueBitAnd);
119                 break;
120             }
121             fixIntConvertingEdge(node->child1());
122             fixIntConvertingEdge(node->child2());
123             break;
124         }
125
126         case BitOr:
127         case BitXor:
128         case BitRShift:
129         case BitLShift:
130         case BitURShift: {
131             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
132                 fixEdge<UntypedUse>(node->child1());
133                 fixEdge<UntypedUse>(node->child2());
134                 break;
135             }
136             fixIntConvertingEdge(node->child1());
137             fixIntConvertingEdge(node->child2());
138             break;
139         }
140
141         case ArithIMul: {
142             fixIntConvertingEdge(node->child1());
143             fixIntConvertingEdge(node->child2());
144             node->setOp(ArithMul);
145             node->setArithMode(Arith::Unchecked);
146             node->child1().setUseKind(Int32Use);
147             node->child2().setUseKind(Int32Use);
148             break;
149         }
150
151         case ArithClz32: {
152             if (node->child1()->shouldSpeculateNotCell()) {
153                 fixIntConvertingEdge(node->child1());
154                 node->clearFlags(NodeMustGenerate);
155             } else
156                 fixEdge<UntypedUse>(node->child1());
157             break;
158         }
159             
160         case UInt32ToNumber: {
161             fixIntConvertingEdge(node->child1());
162             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
163                 node->convertToIdentity();
164             else if (node->canSpeculateInt32(FixupPass))
165                 node->setArithMode(Arith::CheckOverflow);
166             else {
167                 node->setArithMode(Arith::DoOverflow);
168                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
169             }
170             break;
171         }
172
173         case ValueNegate: {
174             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
175                 node->setOp(ArithNegate);
176                 fixIntOrBooleanEdge(node->child1());
177                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
178                     node->setArithMode(Arith::Unchecked);
179                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
180                     node->setArithMode(Arith::CheckOverflow);
181                 else
182                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
183                 node->setResult(NodeResultInt32);
184                 node->clearFlags(NodeMustGenerate);
185                 break;
186             }
187             
188             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
189                 node->setOp(ArithNegate);
190                 fixEdge<Int52RepUse>(node->child1());
191                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
192                     node->setArithMode(Arith::CheckOverflow);
193                 else
194                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
195                 node->setResult(NodeResultInt52);
196                 node->clearFlags(NodeMustGenerate);
197                 break;
198             }
199             if (node->child1()->shouldSpeculateNotCell()) {
200                 node->setOp(ArithNegate);
201                 fixDoubleOrBooleanEdge(node->child1());
202                 node->setResult(NodeResultDouble);
203                 node->clearFlags(NodeMustGenerate);
204             } else {
205                 fixEdge<UntypedUse>(node->child1());
206                 node->setResult(NodeResultJS);
207             }
208             break;
209         }
210
211         case ValueAdd: {
212             if (attemptToMakeIntegerAdd(node)) {
213                 node->setOp(ArithAdd);
214                 break;
215             }
216             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
217                 fixDoubleOrBooleanEdge(node->child1());
218                 fixDoubleOrBooleanEdge(node->child2());
219                 node->setOp(ArithAdd);
220                 node->setResult(NodeResultDouble);
221                 break;
222             }
223             
224             if (attemptToMakeFastStringAdd(node))
225                 break;
226
227             Edge& child1 = node->child1();
228             Edge& child2 = node->child2();
229             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
230                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
231                     auto convertString = [&](Node* node, Edge& edge) {
232                         if (edge->shouldSpeculateInt32())
233                             convertStringAddUse<Int32Use>(node, edge);
234                         else {
235                             ASSERT(edge->shouldSpeculateString());
236                             convertStringAddUse<StringUse>(node, edge);
237                         }
238                     };
239                     convertString(node, child1);
240                     convertString(node, child2);
241                     convertToMakeRope(node);
242                     break;
243                 }
244             }
245
246             fixEdge<UntypedUse>(child1);
247             fixEdge<UntypedUse>(child2);
248             node->setResult(NodeResultJS);
249             break;
250         }
251
252         case StrCat: {
253             if (attemptToMakeFastStringAdd(node))
254                 break;
255
256             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
257             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
258             // the implementation of StrCat doesn't dynamically optimize for empty strings.
259             // https://bugs.webkit.org/show_bug.cgi?id=148540
260             m_graph.doToChildren(
261                 node,
262                 [&] (Edge& edge) {
263                     fixEdge<KnownPrimitiveUse>(edge);
264                     // StrCat automatically coerces the values into strings before concatenating them.
265                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
266                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
267                     // our runtime functions for this slow path expect that they will never be passed
268                     // Symbols.
269                     m_insertionSet.insertNode(
270                         m_indexInBlock, SpecNone, Check, node->origin,
271                         Edge(edge.node(), NotSymbolUse));
272                 });
273             break;
274         }
275             
276         case MakeRope: {
277             fixupMakeRope(node);
278             break;
279         }
280             
281         case ArithAdd:
282         case ArithSub: {
283             if (op == ArithSub
284                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
285                 fixEdge<UntypedUse>(node->child1());
286                 fixEdge<UntypedUse>(node->child2());
287                 node->setResult(NodeResultJS);
288                 break;
289             }
290             if (attemptToMakeIntegerAdd(node))
291                 break;
292             fixDoubleOrBooleanEdge(node->child1());
293             fixDoubleOrBooleanEdge(node->child2());
294             node->setResult(NodeResultDouble);
295             break;
296         }
297             
298         case ArithNegate: {
299             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
300                 fixIntOrBooleanEdge(node->child1());
301                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
302                     node->setArithMode(Arith::Unchecked);
303                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
304                     node->setArithMode(Arith::CheckOverflow);
305                 else
306                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
307                 node->setResult(NodeResultInt32);
308                 node->clearFlags(NodeMustGenerate);
309                 break;
310             }
311             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
312                 fixEdge<Int52RepUse>(node->child1());
313                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
314                     node->setArithMode(Arith::CheckOverflow);
315                 else
316                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
317                 node->setResult(NodeResultInt52);
318                 node->clearFlags(NodeMustGenerate);
319                 break;
320             }
321
322             fixDoubleOrBooleanEdge(node->child1());
323             node->setResult(NodeResultDouble);
324             node->clearFlags(NodeMustGenerate);
325             break;
326         }
327             
328         case ArithMul: {
329             Edge& leftChild = node->child1();
330             Edge& rightChild = node->child2();
331             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
332                 fixEdge<UntypedUse>(leftChild);
333                 fixEdge<UntypedUse>(rightChild);
334                 node->setResult(NodeResultJS);
335                 break;
336             }
337             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
338                 fixIntOrBooleanEdge(leftChild);
339                 fixIntOrBooleanEdge(rightChild);
340                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
341                     node->setArithMode(Arith::Unchecked);
342                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
343                     || leftChild.node() == rightChild.node())
344                     node->setArithMode(Arith::CheckOverflow);
345                 else
346                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
347                 break;
348             }
349             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
350                 fixEdge<Int52RepUse>(leftChild);
351                 fixEdge<Int52RepUse>(rightChild);
352                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
353                     || leftChild.node() == rightChild.node())
354                     node->setArithMode(Arith::CheckOverflow);
355                 else
356                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
357                 node->setResult(NodeResultInt52);
358                 break;
359             }
360             fixDoubleOrBooleanEdge(leftChild);
361             fixDoubleOrBooleanEdge(rightChild);
362             node->setResult(NodeResultDouble);
363             break;
364         }
365
366         case ArithDiv:
367         case ArithMod: {
368             Edge& leftChild = node->child1();
369             Edge& rightChild = node->child2();
370             if (op == ArithDiv
371                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
372                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
373                 fixEdge<UntypedUse>(leftChild);
374                 fixEdge<UntypedUse>(rightChild);
375                 node->setResult(NodeResultJS);
376                 break;
377             }
378             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
379                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
380                     fixIntOrBooleanEdge(leftChild);
381                     fixIntOrBooleanEdge(rightChild);
382                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
383                         node->setArithMode(Arith::Unchecked);
384                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
385                         node->setArithMode(Arith::CheckOverflow);
386                     else
387                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
388                     break;
389                 }
390                 
391                 // This will cause conversion nodes to be inserted later.
392                 fixDoubleOrBooleanEdge(leftChild);
393                 fixDoubleOrBooleanEdge(rightChild);
394                 
395                 // We don't need to do ref'ing on the children because we're stealing them from
396                 // the original division.
397                 Node* newDivision = m_insertionSet.insertNode(
398                     m_indexInBlock, SpecBytecodeDouble, *node);
399                 newDivision->setResult(NodeResultDouble);
400                 
401                 node->setOp(DoubleAsInt32);
402                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
403                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
404                     node->setArithMode(Arith::CheckOverflow);
405                 else
406                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
407                 break;
408             }
409             fixDoubleOrBooleanEdge(leftChild);
410             fixDoubleOrBooleanEdge(rightChild);
411             node->setResult(NodeResultDouble);
412             break;
413         }
414             
415         case ArithMin:
416         case ArithMax: {
417             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
418                 fixIntOrBooleanEdge(node->child1());
419                 fixIntOrBooleanEdge(node->child2());
420                 break;
421             }
422             fixDoubleOrBooleanEdge(node->child1());
423             fixDoubleOrBooleanEdge(node->child2());
424             node->setResult(NodeResultDouble);
425             break;
426         }
427             
428         case ArithAbs: {
429             if (node->child1()->shouldSpeculateInt32OrBoolean()
430                 && node->canSpeculateInt32(FixupPass)) {
431                 fixIntOrBooleanEdge(node->child1());
432                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
433                     node->setArithMode(Arith::Unchecked);
434                 else
435                     node->setArithMode(Arith::CheckOverflow);
436                 node->clearFlags(NodeMustGenerate);
437                 node->setResult(NodeResultInt32);
438                 break;
439             }
440
441             if (node->child1()->shouldSpeculateNotCell()) {
442                 fixDoubleOrBooleanEdge(node->child1());
443                 node->clearFlags(NodeMustGenerate);
444             } else
445                 fixEdge<UntypedUse>(node->child1());
446             node->setResult(NodeResultDouble);
447             break;
448         }
449
450         case ArithPow: {
451             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
452                 fixDoubleOrBooleanEdge(node->child1());
453                 fixIntOrBooleanEdge(node->child2());
454                 break;
455             }
456
457             fixDoubleOrBooleanEdge(node->child1());
458             fixDoubleOrBooleanEdge(node->child2());
459             break;
460         }
461
462         case ArithRandom: {
463             node->setResult(NodeResultDouble);
464             break;
465         }
466
467         case ArithRound:
468         case ArithFloor:
469         case ArithCeil:
470         case ArithTrunc: {
471             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
472                 fixIntOrBooleanEdge(node->child1());
473                 insertCheck<Int32Use>(node->child1().node());
474                 node->convertToIdentity();
475                 break;
476             }
477             if (node->child1()->shouldSpeculateNotCell()) {
478                 fixDoubleOrBooleanEdge(node->child1());
479
480                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
481                     node->setResult(NodeResultInt32);
482                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
483                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
484                     else
485                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
486                 } else {
487                     node->setResult(NodeResultDouble);
488                     node->setArithRoundingMode(Arith::RoundingMode::Double);
489                 }
490                 node->clearFlags(NodeMustGenerate);
491             } else
492                 fixEdge<UntypedUse>(node->child1());
493             break;
494         }
495
496         case ArithFRound:
497         case ArithSqrt:
498         case ArithUnary: {
499             Edge& child1 = node->child1();
500             if (child1->shouldSpeculateNotCell()) {
501                 fixDoubleOrBooleanEdge(child1);
502                 node->clearFlags(NodeMustGenerate);
503             } else
504                 fixEdge<UntypedUse>(child1);
505             break;
506         }
507             
508         case LogicalNot: {
509             if (node->child1()->shouldSpeculateBoolean()) {
510                 if (node->child1()->result() == NodeResultBoolean) {
511                     // This is necessary in case we have a bytecode instruction implemented by:
512                     //
513                     // a: CompareEq(...)
514                     // b: LogicalNot(@a)
515                     //
516                     // In that case, CompareEq might have a side-effect. Then, we need to make
517                     // sure that we know that Branch does not exit.
518                     fixEdge<KnownBooleanUse>(node->child1());
519                 } else
520                     fixEdge<BooleanUse>(node->child1());
521             } else if (node->child1()->shouldSpeculateObjectOrOther())
522                 fixEdge<ObjectOrOtherUse>(node->child1());
523             else if (node->child1()->shouldSpeculateInt32OrBoolean())
524                 fixIntOrBooleanEdge(node->child1());
525             else if (node->child1()->shouldSpeculateNumber())
526                 fixEdge<DoubleRepUse>(node->child1());
527             else if (node->child1()->shouldSpeculateString())
528                 fixEdge<StringUse>(node->child1());
529             else if (node->child1()->shouldSpeculateStringOrOther())
530                 fixEdge<StringOrOtherUse>(node->child1());
531             else {
532                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
533                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
534                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
535             }
536             break;
537         }
538
539         case CompareEq:
540         case CompareLess:
541         case CompareLessEq:
542         case CompareGreater:
543         case CompareGreaterEq: {
544             if (node->op() == CompareEq
545                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
546                 fixEdge<BooleanUse>(node->child1());
547                 fixEdge<BooleanUse>(node->child2());
548                 node->clearFlags(NodeMustGenerate);
549                 break;
550             }
551             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
552                 fixIntOrBooleanEdge(node->child1());
553                 fixIntOrBooleanEdge(node->child2());
554                 node->clearFlags(NodeMustGenerate);
555                 break;
556             }
557             if (enableInt52()
558                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
559                 fixEdge<Int52RepUse>(node->child1());
560                 fixEdge<Int52RepUse>(node->child2());
561                 node->clearFlags(NodeMustGenerate);
562                 break;
563             }
564             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
565                 fixDoubleOrBooleanEdge(node->child1());
566                 fixDoubleOrBooleanEdge(node->child2());
567             }
568             if (node->op() != CompareEq
569                 && node->child1()->shouldSpeculateNotCell()
570                 && node->child2()->shouldSpeculateNotCell()) {
571                 if (node->child1()->shouldSpeculateNumberOrBoolean())
572                     fixDoubleOrBooleanEdge(node->child1());
573                 else
574                     fixEdge<DoubleRepUse>(node->child1());
575                 if (node->child2()->shouldSpeculateNumberOrBoolean())
576                     fixDoubleOrBooleanEdge(node->child2());
577                 else
578                     fixEdge<DoubleRepUse>(node->child2());
579                 node->clearFlags(NodeMustGenerate);
580                 break;
581             }
582             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
583                 fixEdge<StringIdentUse>(node->child1());
584                 fixEdge<StringIdentUse>(node->child2());
585                 node->clearFlags(NodeMustGenerate);
586                 break;
587             }
588             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
589                 fixEdge<StringUse>(node->child1());
590                 fixEdge<StringUse>(node->child2());
591                 node->clearFlags(NodeMustGenerate);
592                 break;
593             }
594
595             if (node->op() != CompareEq)
596                 break;
597             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
598                 fixEdge<SymbolUse>(node->child1());
599                 fixEdge<SymbolUse>(node->child2());
600                 node->clearFlags(NodeMustGenerate);
601                 break;
602             }
603             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
604                 fixEdge<ObjectUse>(node->child1());
605                 fixEdge<ObjectUse>(node->child2());
606                 node->clearFlags(NodeMustGenerate);
607                 break;
608             }
609
610             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
611             bool oneArgumentIsUsedAsSpecOther = false;
612             if (node->child1()->isUndefinedOrNullConstant()) {
613                 fixEdge<KnownOtherUse>(node->child1());
614                 oneArgumentIsUsedAsSpecOther = true;
615             } else if (node->child1()->shouldSpeculateOther()) {
616                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
617                     Edge(node->child1().node(), OtherUse));
618                 fixEdge<KnownOtherUse>(node->child1());
619                 oneArgumentIsUsedAsSpecOther = true;
620             }
621             if (node->child2()->isUndefinedOrNullConstant()) {
622                 fixEdge<KnownOtherUse>(node->child2());
623                 oneArgumentIsUsedAsSpecOther = true;
624             } else if (node->child2()->shouldSpeculateOther()) {
625                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
626                     Edge(node->child2().node(), OtherUse));
627                 fixEdge<KnownOtherUse>(node->child2());
628                 oneArgumentIsUsedAsSpecOther = true;
629             }
630             if (oneArgumentIsUsedAsSpecOther) {
631                 node->clearFlags(NodeMustGenerate);
632                 break;
633             }
634
635             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
636                 fixEdge<ObjectUse>(node->child1());
637                 fixEdge<ObjectOrOtherUse>(node->child2());
638                 node->clearFlags(NodeMustGenerate);
639                 break;
640             }
641             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
642                 fixEdge<ObjectOrOtherUse>(node->child1());
643                 fixEdge<ObjectUse>(node->child2());
644                 node->clearFlags(NodeMustGenerate);
645                 break;
646             }
647
648             break;
649         }
650             
651         case CompareStrictEq:
652         case SameValue: {
653             fixupCompareStrictEqAndSameValue(node);
654             break;
655         }
656
657         case StringFromCharCode:
658             if (node->child1()->shouldSpeculateInt32()) {
659                 fixEdge<Int32Use>(node->child1());
660                 node->clearFlags(NodeMustGenerate);
661             } else
662                 fixEdge<UntypedUse>(node->child1());
663             break;
664
665         case StringCharAt:
666         case StringCharCodeAt: {
667             // Currently we have no good way of refining these.
668             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
669             blessArrayOperation(node->child1(), node->child2(), node->child3());
670             fixEdge<KnownCellUse>(node->child1());
671             fixEdge<Int32Use>(node->child2());
672             break;
673         }
674
675         case GetByVal: {
676             if (!node->prediction()) {
677                 m_insertionSet.insertNode(
678                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
679             }
680             
681             node->setArrayMode(
682                 node->arrayMode().refine(
683                     m_graph, node,
684                     m_graph.varArgChild(node, 0)->prediction(),
685                     m_graph.varArgChild(node, 1)->prediction(),
686                     SpecNone));
687             
688             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
689             
690             ArrayMode arrayMode = node->arrayMode();
691             switch (arrayMode.type()) {
692             case Array::Contiguous:
693             case Array::Double:
694                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
695                     // Check if SaneChain will work on a per-type basis. Note that:
696                     //
697                     // 1) We don't want double arrays to sometimes return undefined, since
698                     // that would require a change to the return type and it would pessimise
699                     // things a lot. So, we'd only want to do that if we actually had
700                     // evidence that we could read from a hole. That's pretty annoying.
701                     // Likely the best way to handle that case is with an equivalent of
702                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
703                     // NaN are indistinguishable according to backwards propagation, and just
704                     // use SaneChain in that case. This happens to catch a lot of cases.
705                     //
706                     // 2) We don't want int32 array loads to have to do a hole check just to
707                     // coerce to Undefined, since that would mean twice the checks.
708                     //
709                     // This has two implications. First, we have to do more checks than we'd
710                     // like. It's unfortunate that we have to do the hole check. Second,
711                     // some accesses that hit a hole will now need to take the full-blown
712                     // out-of-bounds slow path. We can fix that with:
713                     // https://bugs.webkit.org/show_bug.cgi?id=144668
714                     
715                     bool canDoSaneChain = false;
716                     switch (arrayMode.type()) {
717                     case Array::Contiguous:
718                         // This is happens to be entirely natural. We already would have
719                         // returned any JSValue, and now we'll return Undefined. We still do
720                         // the check but it doesn't require taking any kind of slow path.
721                         canDoSaneChain = true;
722                         break;
723                         
724                     case Array::Double:
725                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
726                             // Holes look like NaN already, so if the user doesn't care
727                             // about the difference between Undefined and NaN then we can
728                             // do this.
729                             canDoSaneChain = true;
730                         }
731                         break;
732                         
733                     default:
734                         break;
735                     }
736                     
737                     if (canDoSaneChain) {
738                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
739                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
740                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
741                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
742                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
743                             && globalObject->arrayPrototypeChainIsSane()) {
744                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
745                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
746                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
747                         }
748                     }
749                 }
750                 break;
751                 
752             case Array::String:
753                 if ((node->prediction() & ~SpecString)
754                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
755                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
756                 break;
757                 
758             default:
759                 break;
760             }
761             
762             arrayMode = node->arrayMode();
763             switch (arrayMode.type()) {
764             case Array::SelectUsingPredictions:
765             case Array::Unprofiled:
766                 RELEASE_ASSERT_NOT_REACHED();
767                 break;
768             case Array::Generic:
769                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
770                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
771                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
772                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
773                         break;
774                     }
775
776                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
777                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
778                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
779                         break;
780                     }
781                 }
782 #if USE(JSVALUE32_64)
783                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
784 #endif
785                 break;
786             case Array::ForceExit:
787                 break;
788             default:
789                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
790                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
791                 break;
792             }
793             
794             switch (arrayMode.type()) {
795             case Array::Double:
796                 if (!arrayMode.isOutOfBounds())
797                     node->setResult(NodeResultDouble);
798                 break;
799                 
800             case Array::Float32Array:
801             case Array::Float64Array:
802                 node->setResult(NodeResultDouble);
803                 break;
804                 
805             case Array::Uint32Array:
806                 if (node->shouldSpeculateInt32())
807                     break;
808                 if (node->shouldSpeculateAnyInt() && enableInt52())
809                     node->setResult(NodeResultInt52);
810                 else
811                     node->setResult(NodeResultDouble);
812                 break;
813                 
814             default:
815                 break;
816             }
817             
818             break;
819         }
820
821         case PutByValDirect:
822         case PutByVal:
823         case PutByValAlias: {
824             Edge& child1 = m_graph.varArgChild(node, 0);
825             Edge& child2 = m_graph.varArgChild(node, 1);
826             Edge& child3 = m_graph.varArgChild(node, 2);
827
828             node->setArrayMode(
829                 node->arrayMode().refine(
830                     m_graph, node,
831                     child1->prediction(),
832                     child2->prediction(),
833                     child3->prediction()));
834             
835             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
836             
837             switch (node->arrayMode().modeForPut().type()) {
838             case Array::SelectUsingPredictions:
839             case Array::SelectUsingArguments:
840             case Array::Unprofiled:
841             case Array::Undecided:
842                 RELEASE_ASSERT_NOT_REACHED();
843                 break;
844             case Array::ForceExit:
845             case Array::Generic:
846                 if (child1->shouldSpeculateCell()) {
847                     if (child2->shouldSpeculateString()) {
848                         fixEdge<CellUse>(child1);
849                         fixEdge<StringUse>(child2);
850                         break;
851                     }
852
853                     if (child2->shouldSpeculateSymbol()) {
854                         fixEdge<CellUse>(child1);
855                         fixEdge<SymbolUse>(child2);
856                         break;
857                     }
858                 }
859 #if USE(JSVALUE32_64)
860                 // Due to register pressure on 32-bit, we speculate cell and
861                 // ignore the base-is-not-cell case entirely by letting the
862                 // baseline JIT handle it.
863                 fixEdge<CellUse>(child1);
864 #endif
865                 break;
866             case Array::Int32:
867                 fixEdge<KnownCellUse>(child1);
868                 fixEdge<Int32Use>(child2);
869                 fixEdge<Int32Use>(child3);
870                 break;
871             case Array::Double:
872                 fixEdge<KnownCellUse>(child1);
873                 fixEdge<Int32Use>(child2);
874                 fixEdge<DoubleRepRealUse>(child3);
875                 break;
876             case Array::Int8Array:
877             case Array::Int16Array:
878             case Array::Int32Array:
879             case Array::Uint8Array:
880             case Array::Uint8ClampedArray:
881             case Array::Uint16Array:
882             case Array::Uint32Array:
883                 fixEdge<KnownCellUse>(child1);
884                 fixEdge<Int32Use>(child2);
885                 if (child3->shouldSpeculateInt32())
886                     fixIntOrBooleanEdge(child3);
887                 else if (child3->shouldSpeculateAnyInt())
888                     fixEdge<Int52RepUse>(child3);
889                 else
890                     fixDoubleOrBooleanEdge(child3);
891                 break;
892             case Array::Float32Array:
893             case Array::Float64Array:
894                 fixEdge<KnownCellUse>(child1);
895                 fixEdge<Int32Use>(child2);
896                 fixDoubleOrBooleanEdge(child3);
897                 break;
898             case Array::Contiguous:
899             case Array::ArrayStorage:
900             case Array::SlowPutArrayStorage:
901                 fixEdge<KnownCellUse>(child1);
902                 fixEdge<Int32Use>(child2);
903                 speculateForBarrier(child3);
904                 break;
905             default:
906                 fixEdge<KnownCellUse>(child1);
907                 fixEdge<Int32Use>(child2);
908                 break;
909             }
910             break;
911         }
912             
913         case AtomicsAdd:
914         case AtomicsAnd:
915         case AtomicsCompareExchange:
916         case AtomicsExchange:
917         case AtomicsLoad:
918         case AtomicsOr:
919         case AtomicsStore:
920         case AtomicsSub:
921         case AtomicsXor: {
922             Edge& base = m_graph.child(node, 0);
923             Edge& index = m_graph.child(node, 1);
924             
925             bool badNews = false;
926             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
927                 Edge& child = m_graph.child(node, 2 + i);
928                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
929                 // just call the function when that happens. But the FTL is totally cool with those
930                 // conversions.
931                 if (!child->shouldSpeculateInt32()
932                     && !child->shouldSpeculateAnyInt()
933                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
934                     badNews = true;
935             }
936             
937             if (badNews) {
938                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
939                 break;
940             }
941             
942             node->setArrayMode(
943                 node->arrayMode().refine(
944                     m_graph, node, base->prediction(), index->prediction()));
945             
946             if (node->arrayMode().type() == Array::Generic)
947                 break;
948             
949             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
950                 Edge& child = m_graph.child(node, 2 + i);
951                 if (child->shouldSpeculateInt32())
952                     fixIntOrBooleanEdge(child);
953                 else if (child->shouldSpeculateAnyInt())
954                     fixEdge<Int52RepUse>(child);
955                 else {
956                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
957                     fixDoubleOrBooleanEdge(child);
958                 }
959             }
960             
961             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
962             fixEdge<CellUse>(base);
963             fixEdge<Int32Use>(index);
964             
965             if (node->arrayMode().type() == Array::Uint32Array) {
966                 // NOTE: This means basically always doing Int52.
967                 if (node->shouldSpeculateAnyInt() && enableInt52())
968                     node->setResult(NodeResultInt52);
969                 else
970                     node->setResult(NodeResultDouble);
971             }
972             break;
973         }
974             
975         case AtomicsIsLockFree:
976             if (node->child1()->shouldSpeculateInt32())
977                 fixIntOrBooleanEdge(node->child1());
978             break;
979             
980         case ArrayPush: {
981             // May need to refine the array mode in case the value prediction contravenes
982             // the array prediction. For example, we may have evidence showing that the
983             // array is in Int32 mode, but the value we're storing is likely to be a double.
984             // Then we should turn this into a conversion to Double array followed by the
985             // push. On the other hand, we absolutely don't want to refine based on the
986             // base prediction. If it has non-cell garbage in it, then we want that to be
987             // ignored. That's because ArrayPush can't handle any array modes that aren't
988             // array-related - so if refine() turned this into a "Generic" ArrayPush then
989             // that would break things.
990             Edge& storageEdge = m_graph.varArgChild(node, 0);
991             Edge& arrayEdge = m_graph.varArgChild(node, 1);
992             unsigned elementOffset = 2;
993             unsigned elementCount = node->numChildren() - elementOffset;
994             for (unsigned i = 0; i < elementCount; ++i) {
995                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
996                 node->setArrayMode(
997                     node->arrayMode().refine(
998                         m_graph, node,
999                         arrayEdge->prediction() & SpecCell,
1000                         SpecInt32Only,
1001                         element->prediction()));
1002             }
1003             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1004             fixEdge<KnownCellUse>(arrayEdge);
1005
1006             // Convert `array.push()` to GetArrayLength.
1007             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1008                 node->setOpAndDefaultFlags(GetArrayLength);
1009                 node->child1() = arrayEdge;
1010                 node->child2() = storageEdge;
1011                 fixEdge<KnownCellUse>(node->child1());
1012                 break;
1013             }
1014
1015             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1016             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1017             for (unsigned i = 0; i < elementCount; ++i) {
1018                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1019                 switch (node->arrayMode().type()) {
1020                 case Array::Int32:
1021                     insertCheck<Int32Use>(element.node());
1022                     fixEdge<KnownInt32Use>(element);
1023                     break;
1024                 case Array::Double:
1025                     insertCheck<DoubleRepRealUse>(element.node());
1026                     fixEdge<DoubleRepUse>(element);
1027                     break;
1028                 case Array::Contiguous:
1029                 case Array::ArrayStorage:
1030                     speculateForBarrier(element);
1031                     break;
1032                 default:
1033                     break;
1034                 }
1035                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1036             }
1037             break;
1038         }
1039             
1040         case ArrayPop: {
1041             blessArrayOperation(node->child1(), Edge(), node->child2());
1042             fixEdge<KnownCellUse>(node->child1());
1043             break;
1044         }
1045
1046         case ArraySlice: {
1047             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1048             if (node->numChildren() >= 3) {
1049                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1050                 if (node->numChildren() == 4)
1051                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1052             }
1053             break;
1054         }
1055
1056         case ArrayIndexOf:
1057             fixupArrayIndexOf(node);
1058             break;
1059             
1060         case RegExpExec:
1061         case RegExpTest: {
1062             fixEdge<KnownCellUse>(node->child1());
1063             
1064             if (node->child2()->shouldSpeculateRegExpObject()) {
1065                 fixEdge<RegExpObjectUse>(node->child2());
1066
1067                 if (node->child3()->shouldSpeculateString())
1068                     fixEdge<StringUse>(node->child3());
1069             }
1070             break;
1071         }
1072
1073         case RegExpMatchFast: {
1074             fixEdge<KnownCellUse>(node->child1());
1075             fixEdge<RegExpObjectUse>(node->child2());
1076             fixEdge<StringUse>(node->child3());
1077             break;
1078         }
1079
1080         case StringReplace:
1081         case StringReplaceRegExp: {
1082             if (node->child2()->shouldSpeculateString()) {
1083                 m_insertionSet.insertNode(
1084                     m_indexInBlock, SpecNone, Check, node->origin,
1085                     Edge(node->child2().node(), StringUse));
1086                 fixEdge<StringUse>(node->child2());
1087             } else if (op == StringReplace) {
1088                 if (node->child2()->shouldSpeculateRegExpObject())
1089                     addStringReplacePrimordialChecks(node->child2().node());
1090                 else 
1091                     m_insertionSet.insertNode(
1092                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1093             }
1094
1095             if (node->child1()->shouldSpeculateString()
1096                 && node->child2()->shouldSpeculateRegExpObject()
1097                 && node->child3()->shouldSpeculateString()) {
1098
1099                 fixEdge<StringUse>(node->child1());
1100                 fixEdge<RegExpObjectUse>(node->child2());
1101                 fixEdge<StringUse>(node->child3());
1102                 break;
1103             }
1104             break;
1105         }
1106             
1107         case Branch: {
1108             if (node->child1()->shouldSpeculateBoolean()) {
1109                 if (node->child1()->result() == NodeResultBoolean) {
1110                     // This is necessary in case we have a bytecode instruction implemented by:
1111                     //
1112                     // a: CompareEq(...)
1113                     // b: Branch(@a)
1114                     //
1115                     // In that case, CompareEq might have a side-effect. Then, we need to make
1116                     // sure that we know that Branch does not exit.
1117                     fixEdge<KnownBooleanUse>(node->child1());
1118                 } else
1119                     fixEdge<BooleanUse>(node->child1());
1120             } else if (node->child1()->shouldSpeculateObjectOrOther())
1121                 fixEdge<ObjectOrOtherUse>(node->child1());
1122             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1123                 fixIntOrBooleanEdge(node->child1());
1124             else if (node->child1()->shouldSpeculateNumber())
1125                 fixEdge<DoubleRepUse>(node->child1());
1126             else if (node->child1()->shouldSpeculateString())
1127                 fixEdge<StringUse>(node->child1());
1128             else if (node->child1()->shouldSpeculateStringOrOther())
1129                 fixEdge<StringOrOtherUse>(node->child1());
1130             else {
1131                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1132                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1133                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1134             }
1135             break;
1136         }
1137             
1138         case Switch: {
1139             SwitchData* data = node->switchData();
1140             switch (data->kind) {
1141             case SwitchImm:
1142                 if (node->child1()->shouldSpeculateInt32())
1143                     fixEdge<Int32Use>(node->child1());
1144                 break;
1145             case SwitchChar:
1146                 if (node->child1()->shouldSpeculateString())
1147                     fixEdge<StringUse>(node->child1());
1148                 break;
1149             case SwitchString:
1150                 if (node->child1()->shouldSpeculateStringIdent())
1151                     fixEdge<StringIdentUse>(node->child1());
1152                 else if (node->child1()->shouldSpeculateString())
1153                     fixEdge<StringUse>(node->child1());
1154                 break;
1155             case SwitchCell:
1156                 if (node->child1()->shouldSpeculateCell())
1157                     fixEdge<CellUse>(node->child1());
1158                 // else it's fine for this to have UntypedUse; we will handle this by just making
1159                 // non-cells take the default case.
1160                 break;
1161             }
1162             break;
1163         }
1164             
1165         case ToPrimitive: {
1166             fixupToPrimitive(node);
1167             break;
1168         }
1169
1170         case ToNumber: {
1171             fixupToNumber(node);
1172             break;
1173         }
1174             
1175         case ToString:
1176         case CallStringConstructor: {
1177             fixupToStringOrCallStringConstructor(node);
1178             break;
1179         }
1180             
1181         case NewStringObject: {
1182             fixEdge<KnownStringUse>(node->child1());
1183             break;
1184         }
1185
1186         case NewArrayWithSpread: {
1187             watchHavingABadTime(node);
1188             
1189             BitVector* bitVector = node->bitVector();
1190             for (unsigned i = node->numChildren(); i--;) {
1191                 if (bitVector->get(i))
1192                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1193                 else
1194                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1195             }
1196
1197             break;
1198         }
1199
1200         case Spread: {
1201             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1202             
1203             watchHavingABadTime(node->child1().node());
1204
1205             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1206             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1207             // that it doesn't contain any indexed properties, and that any holes will result in
1208             // jsUndefined().
1209             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1210             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1211             if (node->child1()->shouldSpeculateArray()
1212                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1213                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1214                 && globalObject->arrayPrototypeChainIsSane()
1215                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1216                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1217                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1218                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1219                 fixEdge<ArrayUse>(node->child1());
1220             } else
1221                 fixEdge<CellUse>(node->child1());
1222             break;
1223         }
1224             
1225         case NewArray: {
1226             watchHavingABadTime(node);
1227             
1228             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1229                 node->setIndexingType(
1230                     leastUpperBoundOfIndexingTypeAndType(
1231                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1232             }
1233             switch (node->indexingType()) {
1234             case ALL_BLANK_INDEXING_TYPES:
1235                 CRASH();
1236                 break;
1237             case ALL_UNDECIDED_INDEXING_TYPES:
1238                 if (node->numChildren()) {
1239                     // This will only happen if the children have no type predictions. We
1240                     // would have already exited by now, but insert a forced exit just to
1241                     // be safe.
1242                     m_insertionSet.insertNode(
1243                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1244                 }
1245                 break;
1246             case ALL_INT32_INDEXING_TYPES:
1247                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1248                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1249                 break;
1250             case ALL_DOUBLE_INDEXING_TYPES:
1251                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1252                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1253                 break;
1254             case ALL_CONTIGUOUS_INDEXING_TYPES:
1255             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1256                 break;
1257             default:
1258                 CRASH();
1259                 break;
1260             }
1261             break;
1262         }
1263             
1264         case NewTypedArray: {
1265             watchHavingABadTime(node);
1266             
1267             if (node->child1()->shouldSpeculateInt32()) {
1268                 fixEdge<Int32Use>(node->child1());
1269                 node->clearFlags(NodeMustGenerate);
1270                 break;
1271             }
1272             break;
1273         }
1274             
1275         case NewArrayWithSize: {
1276             watchHavingABadTime(node);
1277             fixEdge<Int32Use>(node->child1());
1278             break;
1279         }
1280
1281         case NewArrayBuffer: {
1282             watchHavingABadTime(node);
1283             break;
1284         }
1285
1286         case ToObject: {
1287             fixupToObject(node);
1288             break;
1289         }
1290
1291         case CallObjectConstructor: {
1292             fixupCallObjectConstructor(node);
1293             break;
1294         }
1295
1296         case ToThis: {
1297             fixupToThis(node);
1298             break;
1299         }
1300             
1301         case PutStructure: {
1302             fixEdge<KnownCellUse>(node->child1());
1303             break;
1304         }
1305             
1306         case GetClosureVar:
1307         case GetFromArguments: {
1308             fixEdge<KnownCellUse>(node->child1());
1309             break;
1310         }
1311
1312         case PutClosureVar:
1313         case PutToArguments: {
1314             fixEdge<KnownCellUse>(node->child1());
1315             speculateForBarrier(node->child2());
1316             break;
1317         }
1318
1319         case SkipScope:
1320         case GetScope:
1321         case GetGetter:
1322         case GetSetter:
1323         case GetGlobalObject: {
1324             fixEdge<KnownCellUse>(node->child1());
1325             break;
1326         }
1327             
1328         case AllocatePropertyStorage:
1329         case ReallocatePropertyStorage: {
1330             fixEdge<KnownCellUse>(node->child1());
1331             break;
1332         }
1333             
1334         case NukeStructureAndSetButterfly: {
1335             fixEdge<KnownCellUse>(node->child1());
1336             break;
1337         }
1338
1339         case TryGetById: {
1340             if (node->child1()->shouldSpeculateCell())
1341                 fixEdge<CellUse>(node->child1());
1342             break;
1343         }
1344
1345         case GetByIdDirect:
1346         case GetByIdDirectFlush: {
1347             if (node->child1()->shouldSpeculateCell())
1348                 fixEdge<CellUse>(node->child1());
1349             break;
1350         }
1351
1352         case GetById:
1353         case GetByIdFlush: {
1354             // FIXME: This should be done in the ByteCodeParser based on reading the
1355             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1356             // https://bugs.webkit.org/show_bug.cgi?id=154990
1357             auto uid = m_graph.identifiers()[node->identifierNumber()];
1358             if (node->child1()->shouldSpeculateCellOrOther()
1359                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1360                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1361                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1362                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1363                 
1364                 if (uid == vm().propertyNames->length.impl()) {
1365                     attemptToMakeGetArrayLength(node);
1366                     break;
1367                 }
1368
1369                 if (uid == vm().propertyNames->lastIndex.impl()
1370                     && node->child1()->shouldSpeculateRegExpObject()) {
1371                     node->setOp(GetRegExpObjectLastIndex);
1372                     node->clearFlags(NodeMustGenerate);
1373                     fixEdge<RegExpObjectUse>(node->child1());
1374                     break;
1375                 }
1376             }
1377
1378             if (node->child1()->shouldSpeculateNumber()) {
1379                 if (uid == vm().propertyNames->toString.impl()) {
1380                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1381                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1382                         if (node->child1()->shouldSpeculateInt32()) {
1383                             insertCheck<Int32Use>(node->child1().node());
1384                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1385                             break;
1386                         }
1387
1388                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1389                             insertCheck<Int52RepUse>(node->child1().node());
1390                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1391                             break;
1392                         }
1393
1394                         ASSERT(node->child1()->shouldSpeculateNumber());
1395                         insertCheck<DoubleRepUse>(node->child1().node());
1396                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1397                         break;
1398                     }
1399                 }
1400             }
1401
1402             if (node->child1()->shouldSpeculateCell())
1403                 fixEdge<CellUse>(node->child1());
1404             break;
1405         }
1406         
1407         case GetByIdWithThis: {
1408             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1409                 fixEdge<CellUse>(node->child1());
1410                 fixEdge<CellUse>(node->child2());
1411             }
1412             break;
1413         }
1414
1415         case PutById:
1416         case PutByIdFlush:
1417         case PutByIdDirect: {
1418             if (node->child1()->shouldSpeculateCellOrOther()
1419                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1420                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1421                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1422                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1423                 
1424                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1425                 
1426                 if (uid == vm().propertyNames->lastIndex.impl()
1427                     && node->child1()->shouldSpeculateRegExpObject()) {
1428                     node->convertToSetRegExpObjectLastIndex();
1429                     fixEdge<RegExpObjectUse>(node->child1());
1430                     speculateForBarrier(node->child2());
1431                     break;
1432                 }
1433             }
1434             
1435             fixEdge<CellUse>(node->child1());
1436             break;
1437         }
1438
1439         case PutGetterById:
1440         case PutSetterById: {
1441             fixEdge<KnownCellUse>(node->child1());
1442             fixEdge<KnownCellUse>(node->child2());
1443             break;
1444         }
1445
1446         case PutGetterSetterById: {
1447             fixEdge<KnownCellUse>(node->child1());
1448             break;
1449         }
1450
1451         case PutGetterByVal:
1452         case PutSetterByVal: {
1453             fixEdge<KnownCellUse>(node->child1());
1454             fixEdge<KnownCellUse>(node->child3());
1455             break;
1456         }
1457
1458         case GetExecutable: {
1459             fixEdge<FunctionUse>(node->child1());
1460             break;
1461         }
1462
1463         case OverridesHasInstance:
1464         case CheckStructure:
1465         case CheckCell:
1466         case CreateThis:
1467         case GetButterfly: {
1468             fixEdge<CellUse>(node->child1());
1469             break;
1470         }
1471
1472         case ObjectCreate: {
1473             if (node->child1()->shouldSpeculateObject()) {
1474                 fixEdge<ObjectUse>(node->child1());
1475                 node->clearFlags(NodeMustGenerate);
1476                 break;
1477             }
1478             break;
1479         }
1480
1481         case CheckStringIdent: {
1482             fixEdge<StringIdentUse>(node->child1());
1483             break;
1484         }
1485             
1486         case Arrayify:
1487         case ArrayifyToStructure: {
1488             fixEdge<CellUse>(node->child1());
1489             if (node->child2())
1490                 fixEdge<Int32Use>(node->child2());
1491             break;
1492         }
1493             
1494         case GetByOffset:
1495         case GetGetterSetterByOffset: {
1496             if (!node->child1()->hasStorageResult())
1497                 fixEdge<KnownCellUse>(node->child1());
1498             fixEdge<KnownCellUse>(node->child2());
1499             break;
1500         }
1501             
1502         case MultiGetByOffset: {
1503             fixEdge<CellUse>(node->child1());
1504             break;
1505         }
1506             
1507         case PutByOffset: {
1508             if (!node->child1()->hasStorageResult())
1509                 fixEdge<KnownCellUse>(node->child1());
1510             fixEdge<KnownCellUse>(node->child2());
1511             unsigned index = indexForChecks();
1512             insertInferredTypeCheck(
1513                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1514                 node->storageAccessData().inferredType);
1515             speculateForBarrier(node->child3());
1516             break;
1517         }
1518             
1519         case MultiPutByOffset: {
1520             fixEdge<CellUse>(node->child1());
1521             break;
1522         }
1523             
1524         case MatchStructure: {
1525             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1526             // https://bugs.webkit.org/show_bug.cgi?id=185784
1527             fixEdge<CellUse>(node->child1());
1528             break;
1529         }
1530             
1531         case InstanceOf: {
1532             if (node->child1()->shouldSpeculateCell()
1533                 && node->child2()->shouldSpeculateCell()
1534                 && is64Bit()) {
1535                 fixEdge<CellUse>(node->child1());
1536                 fixEdge<CellUse>(node->child2());
1537                 break;
1538             }
1539             break;
1540         }
1541
1542         case InstanceOfCustom:
1543             fixEdge<CellUse>(node->child2());
1544             break;
1545
1546         case InById: {
1547             fixEdge<CellUse>(node->child1());
1548             break;
1549         }
1550
1551         case InByVal: {
1552             if (node->child2()->shouldSpeculateInt32()) {
1553                 convertToHasIndexedProperty(node);
1554                 break;
1555             }
1556
1557             fixEdge<CellUse>(node->child1());
1558             break;
1559         }
1560
1561         case HasOwnProperty: {
1562             fixEdge<ObjectUse>(node->child1());
1563 #if CPU(X86)
1564             // We don't have enough registers to do anything interesting on x86 and mips.
1565             fixEdge<UntypedUse>(node->child2());
1566 #else
1567             if (node->child2()->shouldSpeculateString())
1568                 fixEdge<StringUse>(node->child2());
1569             else if (node->child2()->shouldSpeculateSymbol())
1570                 fixEdge<SymbolUse>(node->child2());
1571             else
1572                 fixEdge<UntypedUse>(node->child2());
1573 #endif
1574             break;
1575         }
1576
1577         case CheckVarargs:
1578         case Check: {
1579             m_graph.doToChildren(
1580                 node,
1581                 [&] (Edge& edge) {
1582                     switch (edge.useKind()) {
1583                     case NumberUse:
1584                         if (edge->shouldSpeculateInt32ForArithmetic())
1585                             edge.setUseKind(Int32Use);
1586                         break;
1587                     default:
1588                         break;
1589                     }
1590                     observeUseKindOnEdge(edge);
1591                 });
1592             break;
1593         }
1594
1595         case Phantom:
1596             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1597             node->remove(m_graph);
1598             break;
1599
1600         case FiatInt52: {
1601             RELEASE_ASSERT(enableInt52());
1602             node->convertToIdentity();
1603             fixEdge<Int52RepUse>(node->child1());
1604             node->setResult(NodeResultInt52);
1605             break;
1606         }
1607
1608         case GetArrayLength: {
1609             fixEdge<KnownCellUse>(node->child1());
1610             break;
1611         }
1612
1613         case GetTypedArrayByteOffset: {
1614             fixEdge<KnownCellUse>(node->child1());
1615             break;
1616         }
1617
1618         case CompareBelow:
1619         case CompareBelowEq: {
1620             fixEdge<Int32Use>(node->child1());
1621             fixEdge<Int32Use>(node->child2());
1622             break;
1623         }
1624
1625         case GetPrototypeOf: {
1626             fixupGetPrototypeOf(node);
1627             break;
1628         }
1629
1630         case Phi:
1631         case Upsilon:
1632         case EntrySwitch:
1633         case GetIndexedPropertyStorage:
1634         case LastNodeType:
1635         case CheckTierUpInLoop:
1636         case CheckTierUpAtReturn:
1637         case CheckTierUpAndOSREnter:
1638         case CheckArray:
1639         case CheckInBounds:
1640         case ConstantStoragePointer:
1641         case DoubleAsInt32:
1642         case ValueToInt32:
1643         case DoubleRep:
1644         case ValueRep:
1645         case Int52Rep:
1646         case Int52Constant:
1647         case Identity: // This should have been cleaned up.
1648         case BooleanToNumber:
1649         case PhantomNewObject:
1650         case PhantomNewFunction:
1651         case PhantomNewGeneratorFunction:
1652         case PhantomNewAsyncGeneratorFunction:
1653         case PhantomNewAsyncFunction:
1654         case PhantomCreateActivation:
1655         case PhantomDirectArguments:
1656         case PhantomCreateRest:
1657         case PhantomSpread:
1658         case PhantomNewArrayWithSpread:
1659         case PhantomNewArrayBuffer:
1660         case PhantomClonedArguments:
1661         case PhantomNewRegexp:
1662         case GetMyArgumentByVal:
1663         case GetMyArgumentByValOutOfBounds:
1664         case GetVectorLength:
1665         case PutHint:
1666         case CheckStructureImmediate:
1667         case CheckStructureOrEmpty:
1668         case MaterializeNewObject:
1669         case MaterializeCreateActivation:
1670         case PutStack:
1671         case KillStack:
1672         case GetStack:
1673         case StoreBarrier:
1674         case FencedStoreBarrier:
1675         case GetRegExpObjectLastIndex:
1676         case SetRegExpObjectLastIndex:
1677         case RecordRegExpCachedResult:
1678         case RegExpExecNonGlobalOrSticky:
1679         case RegExpMatchFastGlobal:
1680             // These are just nodes that we don't currently expect to see during fixup.
1681             // If we ever wanted to insert them prior to fixup, then we just have to create
1682             // fixup rules for them.
1683             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1684             break;
1685
1686         case PutGlobalVariable: {
1687             fixEdge<CellUse>(node->child1());
1688             speculateForBarrier(node->child2());
1689             break;
1690         }
1691
1692         case IsObject:
1693             if (node->child1()->shouldSpeculateObject()) {
1694                 m_insertionSet.insertNode(
1695                     m_indexInBlock, SpecNone, Check, node->origin,
1696                     Edge(node->child1().node(), ObjectUse));
1697                 m_graph.convertToConstant(node, jsBoolean(true));
1698                 observeUseKindOnNode<ObjectUse>(node);
1699             }
1700             break;
1701
1702         case IsCellWithType: {
1703             fixupIsCellWithType(node);
1704             break;
1705         }
1706
1707         case GetEnumerableLength: {
1708             fixEdge<CellUse>(node->child1());
1709             break;
1710         }
1711         case HasGenericProperty: {
1712             fixEdge<CellUse>(node->child2());
1713             break;
1714         }
1715         case HasStructureProperty: {
1716             fixEdge<StringUse>(node->child2());
1717             fixEdge<KnownCellUse>(node->child3());
1718             break;
1719         }
1720         case HasIndexedProperty: {
1721             node->setArrayMode(
1722                 node->arrayMode().refine(
1723                     m_graph, node,
1724                     node->child1()->prediction(),
1725                     node->child2()->prediction(),
1726                     SpecNone));
1727             
1728             blessArrayOperation(node->child1(), node->child2(), node->child3());
1729             fixEdge<CellUse>(node->child1());
1730             fixEdge<KnownInt32Use>(node->child2());
1731             break;
1732         }
1733         case GetDirectPname: {
1734             Edge& base = m_graph.varArgChild(node, 0);
1735             Edge& property = m_graph.varArgChild(node, 1);
1736             Edge& index = m_graph.varArgChild(node, 2);
1737             Edge& enumerator = m_graph.varArgChild(node, 3);
1738             fixEdge<CellUse>(base);
1739             fixEdge<KnownCellUse>(property);
1740             fixEdge<KnownInt32Use>(index);
1741             fixEdge<KnownCellUse>(enumerator);
1742             break;
1743         }
1744         case GetPropertyEnumerator: {
1745             if (node->child1()->shouldSpeculateCell())
1746                 fixEdge<CellUse>(node->child1());
1747             break;
1748         }
1749         case GetEnumeratorStructurePname: {
1750             fixEdge<KnownCellUse>(node->child1());
1751             fixEdge<KnownInt32Use>(node->child2());
1752             break;
1753         }
1754         case GetEnumeratorGenericPname: {
1755             fixEdge<KnownCellUse>(node->child1());
1756             fixEdge<KnownInt32Use>(node->child2());
1757             break;
1758         }
1759         case ToIndexString: {
1760             fixEdge<KnownInt32Use>(node->child1());
1761             break;
1762         }
1763         case ProfileType: {
1764             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1765             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1766             // type T for the instructionTypeSet, the global type set must also have information for type T.
1767             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1768             // in the globalTypeSet would've also succeeded.
1769             // (The other direction does not hold in general).
1770
1771             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1772             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1773             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1774                 if (node->child1()->shouldSpeculateInt32()) {
1775                     fixEdge<Int32Use>(node->child1());
1776                     node->remove(m_graph);
1777                     break;
1778                 }
1779
1780                 if (enableInt52()) {
1781                     fixEdge<AnyIntUse>(node->child1());
1782                     node->remove(m_graph);
1783                     break;
1784                 }
1785
1786                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1787             }
1788
1789             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1790                 fixEdge<NumberUse>(node->child1());
1791                 node->remove(m_graph);
1792             } else if (typeSet->doesTypeConformTo(TypeString)) {
1793                 fixEdge<StringUse>(node->child1());
1794                 node->remove(m_graph);
1795             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1796                 fixEdge<BooleanUse>(node->child1());
1797                 node->remove(m_graph);
1798             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1799                 fixEdge<OtherUse>(node->child1());
1800                 node->remove(m_graph);
1801             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1802                 StructureSet set;
1803                 {
1804                     ConcurrentJSLocker locker(typeSet->m_lock);
1805                     set = typeSet->structureSet(locker);
1806                 }
1807                 if (!set.isEmpty()) {
1808                     fixEdge<CellUse>(node->child1());
1809                     node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
1810                 }
1811             }
1812
1813             break;
1814         }
1815
1816         case CreateClonedArguments: {
1817             watchHavingABadTime(node);
1818             break;
1819         }
1820
1821         case CreateScopedArguments:
1822         case CreateActivation:
1823         case NewFunction:
1824         case NewGeneratorFunction:
1825         case NewAsyncGeneratorFunction:
1826         case NewAsyncFunction: {
1827             // Child 1 is always the current scope, which is guaranteed to be an object
1828             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1829             fixEdge<KnownCellUse>(node->child1());
1830             break;
1831         }
1832
1833         case PushWithScope: {
1834             // Child 1 is always the current scope, which is guaranteed to be an object
1835             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1836             fixEdge<KnownCellUse>(node->child1());
1837             if (node->child2()->shouldSpeculateObject())
1838                 fixEdge<ObjectUse>(node->child2());
1839             break;
1840         }
1841
1842         case SetFunctionName: {
1843             // The first child is guaranteed to be a cell because op_set_function_name is only used
1844             // on a newly instantiated function object (the first child).
1845             fixEdge<KnownCellUse>(node->child1());
1846             fixEdge<UntypedUse>(node->child2());
1847             break;
1848         }
1849
1850         case CreateRest: {
1851             watchHavingABadTime(node);
1852             fixEdge<KnownInt32Use>(node->child1());
1853             break;
1854         }
1855
1856         case ResolveScopeForHoistingFuncDeclInEval: {
1857             fixEdge<KnownCellUse>(node->child1());
1858             break;
1859         }
1860         case ResolveScope:
1861         case GetDynamicVar:
1862         case PutDynamicVar: {
1863             fixEdge<KnownCellUse>(node->child1());
1864             break;
1865         }
1866
1867         case LogShadowChickenPrologue: {
1868             fixEdge<KnownCellUse>(node->child1());
1869             break;
1870         }
1871         case LogShadowChickenTail: {
1872             fixEdge<UntypedUse>(node->child1());
1873             fixEdge<KnownCellUse>(node->child2());
1874             break;
1875         }
1876
1877         case GetMapBucket:
1878             if (node->child1().useKind() == MapObjectUse)
1879                 fixEdge<MapObjectUse>(node->child1());
1880             else if (node->child1().useKind() == SetObjectUse)
1881                 fixEdge<SetObjectUse>(node->child1());
1882             else
1883                 RELEASE_ASSERT_NOT_REACHED();
1884
1885 #if USE(JSVALUE64)
1886             if (node->child2()->shouldSpeculateBoolean())
1887                 fixEdge<BooleanUse>(node->child2());
1888             else if (node->child2()->shouldSpeculateInt32())
1889                 fixEdge<Int32Use>(node->child2());
1890             else if (node->child2()->shouldSpeculateSymbol())
1891                 fixEdge<SymbolUse>(node->child2());
1892             else if (node->child2()->shouldSpeculateObject())
1893                 fixEdge<ObjectUse>(node->child2());
1894             else if (node->child2()->shouldSpeculateString())
1895                 fixEdge<StringUse>(node->child2());
1896             else if (node->child2()->shouldSpeculateCell())
1897                 fixEdge<CellUse>(node->child2());
1898             else
1899                 fixEdge<UntypedUse>(node->child2());
1900 #else
1901             fixEdge<UntypedUse>(node->child2());
1902 #endif // USE(JSVALUE64)
1903
1904             fixEdge<Int32Use>(node->child3());
1905             break;
1906
1907         case GetMapBucketHead:
1908             if (node->child1().useKind() == MapObjectUse)
1909                 fixEdge<MapObjectUse>(node->child1());
1910             else if (node->child1().useKind() == SetObjectUse)
1911                 fixEdge<SetObjectUse>(node->child1());
1912             else
1913                 RELEASE_ASSERT_NOT_REACHED();
1914             break;
1915
1916         case GetMapBucketNext:
1917         case LoadKeyFromMapBucket:
1918         case LoadValueFromMapBucket:
1919             fixEdge<CellUse>(node->child1());
1920             break;
1921
1922         case MapHash: {
1923 #if USE(JSVALUE64)
1924             if (node->child1()->shouldSpeculateBoolean()) {
1925                 fixEdge<BooleanUse>(node->child1());
1926                 break;
1927             }
1928
1929             if (node->child1()->shouldSpeculateInt32()) {
1930                 fixEdge<Int32Use>(node->child1());
1931                 break;
1932             }
1933
1934             if (node->child1()->shouldSpeculateSymbol()) {
1935                 fixEdge<SymbolUse>(node->child1());
1936                 break;
1937             }
1938
1939             if (node->child1()->shouldSpeculateObject()) {
1940                 fixEdge<ObjectUse>(node->child1());
1941                 break;
1942             }
1943
1944             if (node->child1()->shouldSpeculateString()) {
1945                 fixEdge<StringUse>(node->child1());
1946                 break;
1947             }
1948
1949             if (node->child1()->shouldSpeculateCell()) {
1950                 fixEdge<CellUse>(node->child1());
1951                 break;
1952             }
1953
1954             fixEdge<UntypedUse>(node->child1());
1955 #else
1956             fixEdge<UntypedUse>(node->child1());
1957 #endif // USE(JSVALUE64)
1958             break;
1959         }
1960
1961         case NormalizeMapKey: {
1962             fixupNormalizeMapKey(node);
1963             break;
1964         }
1965
1966         case WeakMapGet: {
1967             if (node->child1().useKind() == WeakMapObjectUse)
1968                 fixEdge<WeakMapObjectUse>(node->child1());
1969             else if (node->child1().useKind() == WeakSetObjectUse)
1970                 fixEdge<WeakSetObjectUse>(node->child1());
1971             else
1972                 RELEASE_ASSERT_NOT_REACHED();
1973             fixEdge<ObjectUse>(node->child2());
1974             fixEdge<Int32Use>(node->child3());
1975             break;
1976         }
1977
1978         case SetAdd: {
1979             fixEdge<SetObjectUse>(node->child1());
1980             fixEdge<Int32Use>(node->child3());
1981             break;
1982         }
1983
1984         case MapSet: {
1985             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1986             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1987             break;
1988         }
1989
1990         case WeakSetAdd: {
1991             fixEdge<WeakSetObjectUse>(node->child1());
1992             fixEdge<ObjectUse>(node->child2());
1993             fixEdge<Int32Use>(node->child3());
1994             break;
1995         }
1996
1997         case WeakMapSet: {
1998             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1999             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2000             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2001             break;
2002         }
2003
2004         case DefineDataProperty: {
2005             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2006             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2007             if (propertyEdge->shouldSpeculateSymbol())
2008                 fixEdge<SymbolUse>(propertyEdge);
2009             else if (propertyEdge->shouldSpeculateStringIdent())
2010                 fixEdge<StringIdentUse>(propertyEdge);
2011             else if (propertyEdge->shouldSpeculateString())
2012                 fixEdge<StringUse>(propertyEdge);
2013             else
2014                 fixEdge<UntypedUse>(propertyEdge);
2015             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2016             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2017             break;
2018         }
2019
2020         case StringValueOf: {
2021             fixupStringValueOf(node);
2022             break;
2023         }
2024
2025         case StringSlice: {
2026             fixEdge<StringUse>(node->child1());
2027             fixEdge<Int32Use>(node->child2());
2028             if (node->child3())
2029                 fixEdge<Int32Use>(node->child3());
2030             break;
2031         }
2032
2033         case ToLowerCase: {
2034             // We currently only support StringUse since that will ensure that
2035             // ToLowerCase is a pure operation. If we decide to update this with
2036             // more types in the future, we need to ensure that the clobberize rules
2037             // are correct.
2038             fixEdge<StringUse>(node->child1());
2039             break;
2040         }
2041
2042         case NumberToStringWithRadix: {
2043             if (node->child1()->shouldSpeculateInt32())
2044                 fixEdge<Int32Use>(node->child1());
2045             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2046                 fixEdge<Int52RepUse>(node->child1());
2047             else
2048                 fixEdge<DoubleRepUse>(node->child1());
2049             fixEdge<Int32Use>(node->child2());
2050             break;
2051         }
2052
2053         case DefineAccessorProperty: {
2054             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2055             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2056             if (propertyEdge->shouldSpeculateSymbol())
2057                 fixEdge<SymbolUse>(propertyEdge);
2058             else if (propertyEdge->shouldSpeculateStringIdent())
2059                 fixEdge<StringIdentUse>(propertyEdge);
2060             else if (propertyEdge->shouldSpeculateString())
2061                 fixEdge<StringUse>(propertyEdge);
2062             else
2063                 fixEdge<UntypedUse>(propertyEdge);
2064             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2065             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2066             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2067             break;
2068         }
2069
2070         case CheckSubClass: {
2071             fixupCheckSubClass(node);
2072             break;
2073         }
2074
2075         case CallDOMGetter: {
2076             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2077             fixEdge<CellUse>(node->child1()); // DOM.
2078             if (snippet && snippet->requireGlobalObject)
2079                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2080             break;
2081         }
2082
2083         case CallDOM: {
2084             fixupCallDOM(node);
2085             break;
2086         }
2087
2088         case Call: {
2089             attemptToMakeCallDOM(node);
2090             break;
2091         }
2092
2093         case ParseInt: {
2094             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2095                 fixEdge<Int32Use>(node->child1());
2096                 node->convertToIdentity();
2097                 break;
2098             }
2099
2100             if (node->child1()->shouldSpeculateString()) {
2101                 fixEdge<StringUse>(node->child1());
2102                 node->clearFlags(NodeMustGenerate);
2103             }
2104
2105             if (node->child2())
2106                 fixEdge<Int32Use>(node->child2());
2107
2108             break;
2109         }
2110
2111         case IdentityWithProfile: {
2112             node->clearFlags(NodeMustGenerate);
2113             break;
2114         }
2115
2116         case ThrowStaticError:
2117             fixEdge<StringUse>(node->child1());
2118             break;
2119
2120         case NumberIsInteger:
2121             if (node->child1()->shouldSpeculateInt32()) {
2122                 m_insertionSet.insertNode(
2123                     m_indexInBlock, SpecNone, Check, node->origin,
2124                     Edge(node->child1().node(), Int32Use));
2125                 m_graph.convertToConstant(node, jsBoolean(true));
2126                 break;
2127             }
2128             break;
2129
2130         case SetCallee:
2131             fixEdge<CellUse>(node->child1());
2132             break;
2133
2134         case DataViewGetInt:
2135         case DataViewGetFloat: {
2136             fixEdge<DataViewObjectUse>(node->child1());
2137             fixEdge<Int32Use>(node->child2());
2138             if (node->child3())
2139                 fixEdge<BooleanUse>(node->child3());
2140
2141             if (node->op() == DataViewGetInt) {
2142                 DataViewData data = node->dataViewData();
2143                 switch (data.byteSize) {
2144                 case 1:
2145                 case 2:
2146                     node->setResult(NodeResultInt32);
2147                     break;
2148                 case 4:
2149                     if (data.isSigned)
2150                         node->setResult(NodeResultInt32);
2151                     else
2152                         node->setResult(NodeResultInt52);
2153                     break;
2154                 default:
2155                     RELEASE_ASSERT_NOT_REACHED();
2156                 }
2157             }
2158             break;
2159         }
2160
2161         case DataViewSet: {
2162             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2163             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2164             if (m_graph.varArgChild(node, 3))
2165                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2166             
2167             DataViewData data = node->dataViewData();
2168             Edge& valueToStore = m_graph.varArgChild(node, 2);
2169             if (data.isFloatingPoint)
2170                 fixEdge<DoubleRepUse>(valueToStore);
2171             else {
2172                 switch (data.byteSize) {
2173                 case 1:
2174                 case 2:
2175                     fixEdge<Int32Use>(valueToStore);
2176                     break;
2177                 case 4:
2178                     if (data.isSigned)
2179                         fixEdge<Int32Use>(valueToStore);
2180                     else
2181                         fixEdge<Int52RepUse>(valueToStore);
2182                     break;
2183                 }
2184             }
2185             break;
2186         }
2187
2188 #if !ASSERT_DISABLED
2189         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2190         case SetArgument:
2191         case JSConstant:
2192         case LazyJSConstant:
2193         case DoubleConstant:
2194         case GetLocal:
2195         case GetCallee:
2196         case GetArgumentCountIncludingThis:
2197         case SetArgumentCountIncludingThis:
2198         case GetRestLength:
2199         case GetArgument:
2200         case Flush:
2201         case PhantomLocal:
2202         case GetGlobalVar:
2203         case GetGlobalLexicalVariable:
2204         case NotifyWrite:
2205         case DirectCall:
2206         case CheckTypeInfoFlags:
2207         case TailCallInlinedCaller:
2208         case DirectTailCallInlinedCaller:
2209         case Construct:
2210         case DirectConstruct:
2211         case CallVarargs:
2212         case CallEval:
2213         case TailCallVarargsInlinedCaller:
2214         case ConstructVarargs:
2215         case CallForwardVarargs:
2216         case ConstructForwardVarargs:
2217         case TailCallForwardVarargs:
2218         case TailCallForwardVarargsInlinedCaller:
2219         case LoadVarargs:
2220         case ForwardVarargs:
2221         case ProfileControlFlow:
2222         case NewObject:
2223         case NewRegexp:
2224         case DeleteById:
2225         case DeleteByVal:
2226         case IsTypedArrayView:
2227         case IsEmpty:
2228         case IsUndefined:
2229         case IsBoolean:
2230         case IsNumber:
2231         case IsObjectOrNull:
2232         case IsFunction:
2233         case CreateDirectArguments:
2234         case Jump:
2235         case Return:
2236         case TailCall:
2237         case DirectTailCall:
2238         case TailCallVarargs:
2239         case Throw:
2240         case CountExecution:
2241         case SuperSamplerBegin:
2242         case SuperSamplerEnd:
2243         case ForceOSRExit:
2244         case CheckBadCell:
2245         case CheckNotEmpty:
2246         case AssertNotEmpty:
2247         case CheckTraps:
2248         case Unreachable:
2249         case ExtractOSREntryLocal:
2250         case ExtractCatchLocal:
2251         case ClearCatchLocals:
2252         case LoopHint:
2253         case MovHint:
2254         case InitializeEntrypointArguments:
2255         case ZombieHint:
2256         case ExitOK:
2257         case BottomValue:
2258         case TypeOf:
2259         case PutByIdWithThis:
2260         case PutByValWithThis:
2261         case GetByValWithThis:
2262         case CompareEqPtr:
2263         case NumberToStringWithValidRadixConstant:
2264         case GetGlobalThis:
2265         case ExtractValueFromWeakMapGet:
2266         case CPUIntrinsic:
2267         case FilterCallLinkStatus:
2268         case FilterGetByIdStatus:
2269         case FilterPutByIdStatus:
2270         case FilterInByIdStatus:
2271         case InvalidationPoint:
2272             break;
2273 #else
2274         default:
2275             break;
2276 #endif
2277         }
2278     }
2279
2280     void watchHavingABadTime(Node* node)
2281     {
2282         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2283
2284         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2285         // does an array allocation. The types of array allocations may change if we start to have a bad
2286         // time. It's easier to reason about this if we know that whenever the types change after we start
2287         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2288         // prior to this point nobody should have been doing optimizations based on the indexing type of
2289         // the allocation.
2290         if (!globalObject->isHavingABadTime()) {
2291             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2292             m_graph.freeze(globalObject);
2293         }
2294     }
2295     
2296     template<UseKind useKind>
2297     void createToString(Node* node, Edge& edge)
2298     {
2299         Node* toString = m_insertionSet.insertNode(
2300             m_indexInBlock, SpecString, ToString, node->origin,
2301             Edge(edge.node(), useKind));
2302         switch (useKind) {
2303         case Int32Use:
2304         case Int52RepUse:
2305         case DoubleRepUse:
2306         case NotCellUse:
2307             toString->clearFlags(NodeMustGenerate);
2308             break;
2309         default:
2310             break;
2311         }
2312         edge.setNode(toString);
2313     }
2314     
2315     template<UseKind useKind>
2316     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2317     {
2318         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2319         
2320         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2321             return;
2322         
2323         createToString<useKind>(node, node->child1());
2324         arrayMode = ArrayMode(Array::String, Array::Read);
2325     }
2326     
2327     template<UseKind useKind>
2328     bool isStringObjectUse()
2329     {
2330         switch (useKind) {
2331         case StringObjectUse:
2332         case StringOrStringObjectUse:
2333             return true;
2334         default:
2335             return false;
2336         }
2337     }
2338     
2339     template<UseKind useKind>
2340     void convertStringAddUse(Node* node, Edge& edge)
2341     {
2342         if (useKind == StringUse) {
2343             observeUseKindOnNode<StringUse>(edge.node());
2344             m_insertionSet.insertNode(
2345                 m_indexInBlock, SpecNone, Check, node->origin,
2346                 Edge(edge.node(), StringUse));
2347             edge.setUseKind(KnownStringUse);
2348             return;
2349         }
2350         
2351         observeUseKindOnNode<useKind>(edge.node());
2352         createToString<useKind>(node, edge);
2353     }
2354     
2355     void convertToMakeRope(Node* node)
2356     {
2357         node->setOpAndDefaultFlags(MakeRope);
2358         fixupMakeRope(node);
2359     }
2360     
2361     void fixupMakeRope(Node* node)
2362     {
2363         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2364             Edge& edge = node->children.child(i);
2365             if (!edge)
2366                 break;
2367             edge.setUseKind(KnownStringUse);
2368             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2369             if (!string)
2370                 continue;
2371             if (string->length())
2372                 continue;
2373             
2374             // Don't allow the MakeRope to have zero children.
2375             if (!i && !node->child2())
2376                 break;
2377             
2378             node->children.removeEdge(i--);
2379         }
2380         
2381         if (!node->child2()) {
2382             ASSERT(!node->child3());
2383             node->convertToIdentity();
2384         }
2385     }
2386
2387     void fixupIsCellWithType(Node* node)
2388     {
2389         switch (node->speculatedTypeForQuery()) {
2390         case SpecString:
2391             if (node->child1()->shouldSpeculateString()) {
2392                 m_insertionSet.insertNode(
2393                     m_indexInBlock, SpecNone, Check, node->origin,
2394                     Edge(node->child1().node(), StringUse));
2395                 m_graph.convertToConstant(node, jsBoolean(true));
2396                 observeUseKindOnNode<StringUse>(node);
2397                 return;
2398             }
2399             break;
2400
2401         case SpecProxyObject:
2402             if (node->child1()->shouldSpeculateProxyObject()) {
2403                 m_insertionSet.insertNode(
2404                     m_indexInBlock, SpecNone, Check, node->origin,
2405                     Edge(node->child1().node(), ProxyObjectUse));
2406                 m_graph.convertToConstant(node, jsBoolean(true));
2407                 observeUseKindOnNode<ProxyObjectUse>(node);
2408                 return;
2409             }
2410             break;
2411
2412         case SpecRegExpObject:
2413             if (node->child1()->shouldSpeculateRegExpObject()) {
2414                 m_insertionSet.insertNode(
2415                     m_indexInBlock, SpecNone, Check, node->origin,
2416                     Edge(node->child1().node(), RegExpObjectUse));
2417                 m_graph.convertToConstant(node, jsBoolean(true));
2418                 observeUseKindOnNode<RegExpObjectUse>(node);
2419                 return;
2420             }
2421             break;
2422
2423         case SpecArray:
2424             if (node->child1()->shouldSpeculateArray()) {
2425                 m_insertionSet.insertNode(
2426                     m_indexInBlock, SpecNone, Check, node->origin,
2427                     Edge(node->child1().node(), ArrayUse));
2428                 m_graph.convertToConstant(node, jsBoolean(true));
2429                 observeUseKindOnNode<ArrayUse>(node);
2430                 return;
2431             }
2432             break;
2433
2434         case SpecDerivedArray:
2435             if (node->child1()->shouldSpeculateDerivedArray()) {
2436                 m_insertionSet.insertNode(
2437                     m_indexInBlock, SpecNone, Check, node->origin,
2438                     Edge(node->child1().node(), DerivedArrayUse));
2439                 m_graph.convertToConstant(node, jsBoolean(true));
2440                 observeUseKindOnNode<DerivedArrayUse>(node);
2441                 return;
2442             }
2443             break;
2444         }
2445
2446         if (node->child1()->shouldSpeculateCell()) {
2447             fixEdge<CellUse>(node->child1());
2448             return;
2449         }
2450
2451         if (node->child1()->shouldSpeculateNotCell()) {
2452             m_insertionSet.insertNode(
2453                 m_indexInBlock, SpecNone, Check, node->origin,
2454                 Edge(node->child1().node(), NotCellUse));
2455             m_graph.convertToConstant(node, jsBoolean(false));
2456             observeUseKindOnNode<NotCellUse>(node);
2457             return;
2458         }
2459     }
2460
2461     void fixupGetPrototypeOf(Node* node)
2462     {
2463         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2464         if (node->child1().useKind() != ObjectUse) {
2465             if (node->child1()->shouldSpeculateString()) {
2466                 insertCheck<StringUse>(node->child1().node());
2467                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2468                 return;
2469             }
2470             if (node->child1()->shouldSpeculateInt32()) {
2471                 insertCheck<Int32Use>(node->child1().node());
2472                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2473                 return;
2474             }
2475             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2476                 insertCheck<Int52RepUse>(node->child1().node());
2477                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2478                 return;
2479             }
2480             if (node->child1()->shouldSpeculateNumber()) {
2481                 insertCheck<NumberUse>(node->child1().node());
2482                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2483                 return;
2484             }
2485             if (node->child1()->shouldSpeculateSymbol()) {
2486                 insertCheck<SymbolUse>(node->child1().node());
2487                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2488                 return;
2489             }
2490             if (node->child1()->shouldSpeculateBoolean()) {
2491                 insertCheck<BooleanUse>(node->child1().node());
2492                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2493                 return;
2494             }
2495         }
2496
2497         if (node->child1()->shouldSpeculateFinalObject()) {
2498             fixEdge<FinalObjectUse>(node->child1());
2499             node->clearFlags(NodeMustGenerate);
2500             return;
2501         }
2502         if (node->child1()->shouldSpeculateArray()) {
2503             fixEdge<ArrayUse>(node->child1());
2504             node->clearFlags(NodeMustGenerate);
2505             return;
2506         }
2507         if (node->child1()->shouldSpeculateFunction()) {
2508             fixEdge<FunctionUse>(node->child1());
2509             node->clearFlags(NodeMustGenerate);
2510             return;
2511         }
2512     }
2513
2514     void fixupToThis(Node* node)
2515     {
2516         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2517
2518         if (ecmaMode == StrictMode) {
2519             if (node->child1()->shouldSpeculateBoolean()) {
2520                 fixEdge<BooleanUse>(node->child1());
2521                 node->convertToIdentity();
2522                 return;
2523             }
2524
2525             if (node->child1()->shouldSpeculateInt32()) {
2526                 fixEdge<Int32Use>(node->child1());
2527                 node->convertToIdentity();
2528                 return;
2529             }
2530
2531             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2532                 fixEdge<Int52RepUse>(node->child1());
2533                 node->convertToIdentity();
2534                 node->setResult(NodeResultInt52);
2535                 return;
2536             }
2537
2538             if (node->child1()->shouldSpeculateNumber()) {
2539                 fixEdge<DoubleRepUse>(node->child1());
2540                 node->convertToIdentity();
2541                 node->setResult(NodeResultDouble);
2542                 return;
2543             }
2544
2545             if (node->child1()->shouldSpeculateSymbol()) {
2546                 fixEdge<SymbolUse>(node->child1());
2547                 node->convertToIdentity();
2548                 return;
2549             }
2550
2551             if (node->child1()->shouldSpeculateStringIdent()) {
2552                 fixEdge<StringIdentUse>(node->child1());
2553                 node->convertToIdentity();
2554                 return;
2555             }
2556
2557             if (node->child1()->shouldSpeculateString()) {
2558                 fixEdge<StringUse>(node->child1());
2559                 node->convertToIdentity();
2560                 return;
2561             }
2562             
2563             if (node->child1()->shouldSpeculateBigInt()) {
2564                 fixEdge<BigIntUse>(node->child1());
2565                 node->convertToIdentity();
2566                 return;
2567             }
2568         }
2569
2570         if (node->child1()->shouldSpeculateOther()) {
2571             if (ecmaMode == StrictMode) {
2572                 fixEdge<OtherUse>(node->child1());
2573                 node->convertToIdentity();
2574                 return;
2575             }
2576
2577             m_insertionSet.insertNode(
2578                 m_indexInBlock, SpecNone, Check, node->origin,
2579                 Edge(node->child1().node(), OtherUse));
2580             observeUseKindOnNode<OtherUse>(node->child1().node());
2581             m_graph.convertToConstant(
2582                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2583             return;
2584         }
2585
2586         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2587         // however, since we cover all the missing cases in constant folding.
2588         // https://bugs.webkit.org/show_bug.cgi?id=157213
2589         if (node->child1()->shouldSpeculateStringObject()) {
2590             fixEdge<StringObjectUse>(node->child1());
2591             node->convertToIdentity();
2592             return;
2593         }
2594
2595         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2596             fixEdge<FinalObjectUse>(node->child1());
2597             node->convertToIdentity();
2598             return;
2599         }
2600     }
2601     
2602     void fixupToPrimitive(Node* node)
2603     {
2604         if (node->child1()->shouldSpeculateInt32()) {
2605             fixEdge<Int32Use>(node->child1());
2606             node->convertToIdentity();
2607             return;
2608         }
2609         
2610         if (node->child1()->shouldSpeculateString()) {
2611             fixEdge<StringUse>(node->child1());
2612             node->convertToIdentity();
2613             return;
2614         }
2615         
2616         if (node->child1()->shouldSpeculateStringObject()
2617             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2618             fixEdge<StringObjectUse>(node->child1());
2619             node->convertToToString();
2620             return;
2621         }
2622         
2623         if (node->child1()->shouldSpeculateStringOrStringObject()
2624             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2625             fixEdge<StringOrStringObjectUse>(node->child1());
2626             node->convertToToString();
2627             return;
2628         }
2629     }
2630
2631     void fixupToNumber(Node* node)
2632     {
2633         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2634         if (node->child1()->shouldSpeculateNumber()) {
2635             if (isInt32Speculation(node->getHeapPrediction())) {
2636                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2637                 if (node->child1()->shouldSpeculateInt32()) {
2638                     fixEdge<Int32Use>(node->child1());
2639                     node->convertToIdentity();
2640                     return;
2641                 }
2642
2643                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2644                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2645                 fixEdge<DoubleRepUse>(node->child1());
2646                 node->setOp(DoubleAsInt32);
2647                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2648                     node->setArithMode(Arith::CheckOverflow);
2649                 else
2650                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2651                 return;
2652             }
2653
2654             fixEdge<DoubleRepUse>(node->child1());
2655             node->convertToIdentity();
2656             node->setResult(NodeResultDouble);
2657             return;
2658         }
2659
2660         fixEdge<UntypedUse>(node->child1());
2661         node->setResult(NodeResultJS);
2662     }
2663
2664     void fixupToObject(Node* node)
2665     {
2666         if (node->child1()->shouldSpeculateObject()) {
2667             fixEdge<ObjectUse>(node->child1());
2668             node->convertToIdentity();
2669             return;
2670         }
2671
2672         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2673
2674         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2675
2676         if (node->child1()->shouldSpeculateString()) {
2677             insertCheck<StringUse>(node->child1().node());
2678             fixEdge<KnownStringUse>(node->child1());
2679             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2680             return;
2681         }
2682
2683         if (node->child1()->shouldSpeculateSymbol()) {
2684             insertCheck<SymbolUse>(node->child1().node());
2685             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2686             return;
2687         }
2688
2689         if (node->child1()->shouldSpeculateNumber()) {
2690             insertCheck<NumberUse>(node->child1().node());
2691             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2692             return;
2693         }
2694
2695         if (node->child1()->shouldSpeculateBoolean()) {
2696             insertCheck<BooleanUse>(node->child1().node());
2697             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2698             return;
2699         }
2700
2701         fixEdge<UntypedUse>(node->child1());
2702     }
2703
2704     void fixupCallObjectConstructor(Node* node)
2705     {
2706         if (node->child1()->shouldSpeculateObject()) {
2707             fixEdge<ObjectUse>(node->child1());
2708             node->convertToIdentity();
2709             return;
2710         }
2711
2712         if (node->child1()->shouldSpeculateString()) {
2713             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2714             insertCheck<StringUse>(node->child1().node());
2715             fixEdge<KnownStringUse>(node->child1());
2716             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2717             return;
2718         }
2719
2720         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2721         if (node->child1()->shouldSpeculateOther()) {
2722             insertCheck<OtherUse>(node->child1().node());
2723             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2724             return;
2725         }
2726
2727         fixEdge<UntypedUse>(node->child1());
2728     }
2729     
2730     void fixupToStringOrCallStringConstructor(Node* node)
2731     {
2732         if (node->child1()->shouldSpeculateString()) {
2733             fixEdge<StringUse>(node->child1());
2734             node->convertToIdentity();
2735             return;
2736         }
2737         
2738         if (node->child1()->shouldSpeculateStringObject()
2739             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2740             fixEdge<StringObjectUse>(node->child1());
2741             return;
2742         }
2743         
2744         if (node->child1()->shouldSpeculateStringOrStringObject()
2745             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2746             fixEdge<StringOrStringObjectUse>(node->child1());
2747             return;
2748         }
2749         
2750         if (node->child1()->shouldSpeculateCell()) {
2751             fixEdge<CellUse>(node->child1());
2752             return;
2753         }
2754
2755         if (node->child1()->shouldSpeculateInt32()) {
2756             fixEdge<Int32Use>(node->child1());
2757             node->clearFlags(NodeMustGenerate);
2758             return;
2759         }
2760
2761         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2762             fixEdge<Int52RepUse>(node->child1());
2763             node->clearFlags(NodeMustGenerate);
2764             return;
2765         }
2766
2767         if (node->child1()->shouldSpeculateNumber()) {
2768             fixEdge<DoubleRepUse>(node->child1());
2769             node->clearFlags(NodeMustGenerate);
2770             return;
2771         }
2772
2773         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2774         // we need to care about it in the clobberize. In the following case,
2775         // since NotCellUse edge filter is used and this edge filters Symbols,
2776         // we can say that ToString never throws an error!
2777         if (node->child1()->shouldSpeculateNotCell()) {
2778             fixEdge<NotCellUse>(node->child1());
2779             node->clearFlags(NodeMustGenerate);
2780             return;
2781         }
2782     }
2783
2784     void fixupStringValueOf(Node* node)
2785     {
2786         if (node->child1()->shouldSpeculateString()) {
2787             fixEdge<StringUse>(node->child1());
2788             node->convertToIdentity();
2789             return;
2790         }
2791
2792         if (node->child1()->shouldSpeculateStringObject()) {
2793             fixEdge<StringObjectUse>(node->child1());
2794             node->convertToToString();
2795             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2796             node->clearFlags(NodeMustGenerate);
2797             return;
2798         }
2799
2800         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2801             fixEdge<StringOrStringObjectUse>(node->child1());
2802             node->convertToToString();
2803             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2804             node->clearFlags(NodeMustGenerate);
2805             return;
2806         }
2807     }
2808
2809     bool attemptToMakeFastStringAdd(Node* node)
2810     {
2811         bool goodToGo = true;
2812         m_graph.doToChildren(
2813             node,
2814             [&] (Edge& edge) {
2815                 if (edge->shouldSpeculateString())
2816                     return;
2817                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2818                     if (edge->shouldSpeculateStringObject())
2819                         return;
2820                     if (edge->shouldSpeculateStringOrStringObject())
2821                         return;
2822                 }
2823                 goodToGo = false;
2824             });
2825         if (!goodToGo)
2826             return false;
2827
2828         m_graph.doToChildren(
2829             node,
2830             [&] (Edge& edge) {
2831                 if (edge->shouldSpeculateString()) {
2832                     convertStringAddUse<StringUse>(node, edge);
2833                     return;
2834                 }
2835                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2836                 if (edge->shouldSpeculateStringObject()) {
2837                     convertStringAddUse<StringObjectUse>(node, edge);
2838                     return;
2839                 }
2840                 if (edge->shouldSpeculateStringOrStringObject()) {
2841                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2842                     return;
2843                 }
2844                 RELEASE_ASSERT_NOT_REACHED();
2845             });
2846         
2847         convertToMakeRope(node);
2848         return true;
2849     }
2850
2851     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2852     {
2853         if (!block)
2854             return;
2855         ASSERT(block->isReachable);
2856         m_block = block;
2857         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2858             Node* node = m_currentNode = block->at(m_indexInBlock);
2859             if (node->op() != SetLocal && node->op() != GetLocal)
2860                 continue;
2861             
2862             VariableAccessData* variable = node->variableAccessData();
2863             switch (node->op()) {
2864             case GetLocal:
2865                 switch (variable->flushFormat()) {
2866                 case FlushedDouble:
2867                     node->setResult(NodeResultDouble);
2868                     break;
2869                 case FlushedInt52:
2870                     node->setResult(NodeResultInt52);
2871                     break;
2872                 default:
2873                     break;
2874                 }
2875                 break;
2876                 
2877             case SetLocal:
2878                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2879                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2880                 
2881                 switch (variable->flushFormat()) {
2882                 case FlushedJSValue:
2883                     break;
2884                 case FlushedDouble:
2885                     fixEdge<DoubleRepUse>(node->child1());
2886                     break;
2887                 case FlushedInt32:
2888                     fixEdge<Int32Use>(node->child1());
2889                     break;
2890                 case FlushedInt52:
2891                     fixEdge<Int52RepUse>(node->child1());
2892                     break;
2893                 case FlushedCell:
2894                     fixEdge<CellUse>(node->child1());
2895                     break;
2896                 case FlushedBoolean:
2897                     fixEdge<BooleanUse>(node->child1());
2898                     break;
2899                 default:
2900                     RELEASE_ASSERT_NOT_REACHED();
2901                     break;
2902                 }
2903                 break;
2904                 
2905             default:
2906                 RELEASE_ASSERT_NOT_REACHED();
2907                 break;
2908             }
2909         }
2910         m_insertionSet.execute(block);
2911     }
2912     
2913     void addStringReplacePrimordialChecks(Node* searchRegExp)
2914     {
2915         Node* node = m_currentNode;
2916
2917         // Check that structure of searchRegExp is RegExp object
2918         m_insertionSet.insertNode(
2919             m_indexInBlock, SpecNone, Check, node->origin,
2920             Edge(searchRegExp, RegExpObjectUse));
2921
2922         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2923             unsigned index = m_graph.identifiers().ensure(propertyUID);
2924
2925             Node* actualProperty = m_insertionSet.insertNode(
2926                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2927                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2928
2929             m_insertionSet.insertNode(
2930                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2931                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2932         };
2933
2934         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2935
2936         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2937         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2938         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2939         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2940         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2941         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2942         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2943         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2944     }
2945
2946     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2947     {
2948         ASSERT(arrayMode.isSpecific());
2949         
2950         if (arrayMode.type() == Array::String) {
2951             m_insertionSet.insertNode(
2952                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2953         } else {
2954             // Note that we only need to be using a structure check if we opt for SaneChain, since
2955             // that needs to protect against JSArray's __proto__ being changed.
2956             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2957         
2958             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2959             
2960             if (arrayMode.doesConversion()) {
2961                 if (structure) {
2962                     m_insertionSet.insertNode(
2963                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2964                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2965                 } else {
2966                     m_insertionSet.insertNode(
2967                         m_indexInBlock, SpecNone, Arrayify, origin,
2968                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2969                 }
2970             } else {
2971                 if (structure) {
2972                     m_insertionSet.insertNode(
2973                         m_indexInBlock, SpecNone, CheckStructure, origin,
2974                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2975                 } else {
2976                     m_insertionSet.insertNode(
2977                         m_indexInBlock, SpecNone, CheckArray, origin,
2978                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2979                 }
2980             }
2981         }
2982         
2983         if (!storageCheck(arrayMode))
2984             return nullptr;
2985         
2986         if (arrayMode.usesButterfly()) {
2987             return m_insertionSet.insertNode(
2988                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2989         }
2990         
2991         return m_insertionSet.insertNode(
2992             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2993             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2994     }
2995     
2996     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2997     {
2998         Node* node = m_currentNode;
2999         
3000         switch (node->arrayMode().type()) {
3001         case Array::ForceExit: {
3002             m_insertionSet.insertNode(
3003                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
3004             return;
3005         }
3006             
3007         case Array::SelectUsingPredictions:
3008         case Array::Unprofiled:
3009             RELEASE_ASSERT_NOT_REACHED();
3010             return;
3011             
3012         case Array::Generic:
3013             return;
3014             
3015         default: {
3016             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
3017             if (!storage)
3018                 return;
3019             
3020             storageChild = Edge(storage);
3021             return;
3022         } }
3023     }
3024     
3025     bool alwaysUnboxSimplePrimitives()
3026     {
3027 #if USE(JSVALUE64)
3028         return false;
3029 #else
3030         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
3031         // reduces traffic.
3032         return true;
3033 #endif
3034     }
3035
3036     template<UseKind useKind>
3037     void observeUseKindOnNode(Node* node)
3038     {
3039         if (useKind == UntypedUse)
3040             return;
3041         observeUseKindOnNode(node, useKind);
3042     }
3043
3044     void observeUseKindOnEdge(Edge edge)
3045     {
3046         observeUseKindOnNode(edge.node(), edge.useKind());
3047     }
3048
3049     void observeUseKindOnNode(Node* node, UseKind useKind)
3050     {
3051         if (node->op() != GetLocal)
3052             return;
3053         
3054         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
3055         // https://bugs.webkit.org/show_bug.cgi?id=121518
3056         
3057         VariableAccessData* variable = node->variableAccessData();
3058         switch (useKind) {
3059         case Int32Use:
3060         case KnownInt32Use:
3061             if (alwaysUnboxSimplePrimitives()
3062                 || isInt32Speculation(variable->prediction()))
3063                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3064             break;
3065         case NumberUse:
3066         case RealNumberUse:
3067         case DoubleRepUse:
3068         case DoubleRepRealUse:
3069             if (variable->doubleFormatState() == UsingDoubleFormat)
3070                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3071             break;
3072         case BooleanUse:
3073         case KnownBooleanUse:
3074             if (alwaysUnboxSimplePrimitives()
3075                 || isBooleanSpeculation(variable->prediction()))
3076                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3077             break;
3078         case Int52RepUse:
3079             if (isAnyIntSpeculation(variable->prediction()))
3080                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3081             break;
3082         case CellUse:
3083         case KnownCellUse:
3084         case ObjectUse:
3085         case FunctionUse:
3086         case StringUse:
3087         case KnownStringUse:
3088         case SymbolUse:
3089         case BigIntUse:
3090         case StringObjectUse:
3091         case StringOrStringObjectUse:
3092             if (alwaysUnboxSimplePrimitives()
3093                 || isCellSpeculation(variable->prediction()))
3094                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3095             break;
3096         default:
3097             break;
3098         }
3099     }
3100     
3101     template<UseKind useKind>
3102     void fixEdge(Edge& edge)
3103     {
3104         observeUseKindOnNode<useKind>(edge.node());
3105         edge.setUseKind(useKind);
3106     }
3107     
3108     unsigned indexForChecks()
3109     {
3110         unsigned index = m_indexInBlock;
3111         while (!m_block->at(index)->origin.exitOK)
3112             index--;
3113         return index;
3114     }
3115     
3116     NodeOrigin originForCheck(unsigned index)
3117     {
3118         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3119     }
3120     
3121     void speculateForBarrier(Edge value)
3122     {
3123         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3124         // the DFG anyway because if such a speculation would be wrong, we want to know before
3125         // we do an expensive compile.
3126         
3127         if (value->shouldSpeculateInt32()) {
3128             insertCheck<Int32Use>(value.node());
3129             return;
3130         }
3131             
3132         if (value->shouldSpeculateBoolean()) {
3133             insertCheck<BooleanUse>(value.node());
3134             return;
3135         }
3136             
3137         if (value->shouldSpeculateOther()) {
3138             insertCheck<OtherUse>(value.node());
3139             return;
3140         }
3141             
3142         if (value->shouldSpeculateNumber()) {
3143             insertCheck<NumberUse>(value.node());
3144             return;
3145         }
3146             
3147         if (value->shouldSpeculateNotCell()) {
3148             insertCheck<NotCellUse>(value.node());
3149             return;
3150         }
3151     }
3152     
3153     template<UseKind useKind>
3154     void insertCheck(Node* node)
3155     {
3156         observeUseKindOnNode<useKind>(node);
3157         unsigned index = indexForChecks();
3158         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3159     }
3160
3161     void fixIntConvertingEdge(Edge& edge)
3162     {
3163         Node* node = edge.node();
3164         if (node->shouldSpeculateInt32OrBoolean()) {
3165             fixIntOrBooleanEdge(edge);
3166             return;
3167         }
3168         
3169         UseKind useKind;
3170         if (node->shouldSpeculateAnyInt())
3171             useKind = Int52RepUse;
3172         else if (node->shouldSpeculateNumber())
3173             useKind = DoubleRepUse;
3174         else
3175             useKind = NotCellUse;
3176         Node* newNode = m_insertionSet.insertNode(
3177             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3178             Edge(node, useKind));
3179         observeUseKindOnNode(node, useKind);
3180         
3181         edge = Edge(newNode, KnownInt32Use);
3182     }
3183     
3184     void fixIntOrBooleanEdge(Edge& edge)
3185     {
3186         Node* node = edge.node();
3187         if (!node->sawBooleans()) {
3188             fixEdge<Int32Use>(edge);
3189             return;
3190         }
3191         
3192         UseKind useKind;
3193         if (node->shouldSpeculateBoolean())
3194             useKind = BooleanUse;
3195         else
3196             useKind = UntypedUse;
3197         Node* newNode = m_insertionSet.insertNode(
3198             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3199             Edge(node, useKind));
3200         observeUseKindOnNode(node, useKind);
3201         
3202         edge = Edge(newNode, Int32Use);
3203     }
3204     
3205     void fixDoubleOrBooleanEdge(Edge& edge)
3206     {
3207         Node* node = edge.node();
3208         if (!node->sawBooleans()) {
3209             fixEdge<DoubleRepUse>(edge);
3210             return;
3211         }
3212         
3213         UseKind useKind;
3214         if (node->shouldSpeculateBoolean())
3215             useKind = BooleanUse;
3216         else
3217             useKind = UntypedUse;
3218         Node* newNode = m_insertionSet.insertNode(
3219             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3220             Edge(node, useKind));
3221         observeUseKindOnNode(node, useKind);
3222         
3223         edge = Edge(newNode, DoubleRepUse);
3224     }
3225     
3226     void truncateConstantToInt32(Edge& edge)
3227     {
3228         Node* oldNode = edge.node();
3229         
3230         JSValue value = oldNode->asJSValue();
3231         if (value.isInt32())
3232             return;
3233         
3234         value = jsNumber(JSC::toInt32(value.asNumber()));
3235         ASSERT(value.isInt32());
3236         edge.setNode(m_insertionSet.insertNode(
3237             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3238             OpInfo(m_graph.freeze(value))));
3239     }
3240     
3241     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3242     {
3243         if (mode != SpeculateInt32AndTruncateConstants)
3244             return;
3245         
3246         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3247         if (node->child1()->hasConstant())
3248             truncateConstantToInt32(node->child1());
3249         else
3250             truncateConstantToInt32(node->child2());
3251     }
3252
3253     bool attemptToMakeIntegerAdd(Node* node)
3254     {
3255         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3256         if (mode != DontSpeculateInt32) {
3257             truncateConstantsIfNecessary(node, mode);
3258             fixIntOrBooleanEdge(node->child1());
3259             fixIntOrBooleanEdge(node->child2());
3260             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3261                 node->setArithMode(Arith::Unchecked);
3262             else
3263                 node->setArithMode(Arith::CheckOverflow);
3264             return true;
3265         }
3266         
3267         if (m_graph.addShouldSpeculateAnyInt(node)) {
3268             fixEdge<Int52RepUse>(node->child1());
3269             fixEdge<Int52RepUse>(node->child2());
3270             node->setArithMode(Arith::CheckOverflow);
3271             node->setResult(NodeResultInt52);
3272             return true;
3273         }
3274         
3275         return false;
3276     }
3277     
3278     bool attemptToMakeGetArrayLength(Node* node)
3279     {
3280         if (!isInt32Speculation(node->prediction()))
3281             return false;
3282         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3283         ArrayProfile* arrayProfile = 
3284             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3285         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3286         if (arrayProfile) {
3287             ConcurrentJSLocker locker(profiledBlock->m_lock);
3288             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3289             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3290             if (arrayMode.type() == Array::Unprofiled) {
3291                 // For normal array operations, it makes sense to treat Unprofiled
3292                 // accesses as ForceExit and get more data rather than using
3293                 // predictions and then possibly ending up with a Generic. But here,
3294                 // we treat anything that is Unprofiled as Generic and keep the
3295                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3296                 // profit - from treating the Unprofiled case as
3297                 // SelectUsingPredictions.
3298                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3299             }
3300         }
3301             
3302         arrayMode = arrayMode.refine(
3303             m_graph, node, node->child1()->prediction(), node->prediction());
3304             
3305         if (arrayMode.type() == Array::Generic) {
3306             // Check if the input is something that we can't get array length for, but for which we
3307             // could insert some conversions in order to transform it into something that we can do it
3308             // for.
3309             if (node->child1()->shouldSpeculateStringObject())
3310                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3311             else if (node->child1()->shouldSpeculateStringOrStringObject())
3312                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3313         }
3314             
3315         if (!arrayMode.supportsSelfLength())
3316             return false;
3317         
3318         convertToGetArrayLength(node, arrayMode);
3319         return true;
3320     }
3321
3322     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3323     {
3324         node->setOp(GetArrayLength);
3325         node->clearFlags(NodeMustGenerate);
3326         fixEdge<KnownCellUse>(node->child1());
3327         node->setArrayMode(arrayMode);
3328             
3329         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3330         if (!storage)
3331             return;
3332             
3333         node->child2() = Edge(storage);
3334     }
3335     
3336     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3337     {
3338         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3339         return m_insertionSet.insertNode(
3340             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3341             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3342     }
3343
3344     void convertToHasIndexedProperty(Node* node)
3345     {
3346         node->setOp(HasIndexedProperty);
3347         node->clearFlags(NodeMustGenerate);
3348         node->setArrayMode(
3349             node->arrayMode().refine(
3350                 m_graph, node,
3351                 node->child1()->prediction(),
3352                 node->child2()->prediction(),
3353                 SpecNone));
3354         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3355
3356         blessArrayOperation(node->child1(), node->child2(), node->child3());
3357
3358         fixEdge<CellUse>(node->child1());
3359         fixEdge<Int32Use>(node->child2());
3360     }
3361
3362     void fixupNormalizeMapKey(Node* node)
3363     {
3364         if (node->child1()->shouldSpeculateBoolean()) {
3365             fixEdge<BooleanUse>(node->child1());
3366             node->convertToIdentity();
3367             return;
3368         }
3369
3370         if (node->child1()->shouldSpeculateInt32()) {
3371             fixEdge<Int32Use>(node->child1());
3372             node->convertToIdentity();
3373             return;
3374         }
3375
3376         if (node->child1()->shouldSpeculateSymbol()) {
3377             fixEdge<SymbolUse>(node->child1());
3378             node->convertToIdentity();
3379             return;
3380         }
3381
3382         if (node->child1()->shouldSpeculateObject()) {
3383             fixEdge<ObjectUse>(node->child1());
3384             node->convertToIdentity();
3385             return;
3386         }
3387
3388         if (node->child1()->shouldSpeculateString()) {
3389             fixEdge<StringUse>(node->child1());
3390             node->convertToIdentity();
3391             return;
3392         }
3393
3394         if (node->child1()->shouldSpeculateCell()) {
3395             fixEdge<CellUse>(node->child1());
3396             node->convertToIdentity();
3397             return;
3398         }
3399
3400         fixEdge<UntypedUse>(node->child1());
3401     }
3402
3403     bool attemptToMakeCallDOM(Node* node)
3404     {
3405         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3406             return false;
3407
3408         const DOMJIT::Signature* signature = node->signature();
3409         if (!signature)
3410             return false;
3411
3412         {
3413             unsigned index = 0;
3414             bool shouldConvertToCallDOM = true;
3415             m_graph.doToChildren(node, [&](Edge& edge) {
3416                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3417                 if (!index)
3418                     return;
3419
3420                 if (index == 1) {
3421                     // DOM node case.
3422                     if (edge->shouldSpeculateNotCell())
3423                         shouldConvertToCallDOM = false;
3424                 } else {
3425                     switch (signature->arguments[index - 2]) {
3426                     case SpecString:
3427                         if (edge->shouldSpeculateNotString())
3428                             shouldConvertToCallDOM = false;
3429                         break;
3430                     case SpecInt32Only:
3431                         if (edge->shouldSpeculateNotInt32())
3432                             shouldConvertToCallDOM = false;
3433                         break;
3434                     case SpecBoolean:
3435                         if (edge->shouldSpeculateNotBoolean())
3436                             shouldConvertToCallDOM = false;
3437                         break;
3438                     default:
3439                         RELEASE_ASSERT_NOT_REACHED();
3440                         break;
3441                     }
3442                 }
3443                 ++index;
3444             });
3445             if (!shouldConvertToCallDOM)
3446                 return false;
3447         }
3448
3449         Node* thisNode = m_graph.varArgChild(node, 1).node();
3450         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3451         node->convertToCallDOM(m_graph);
3452         fixupCheckSubClass(checkSubClass);
3453         fixupCallDOM(node);
3454         return true;
3455     }
3456
3457     void fixupCheckSubClass(Node* node)
3458     {
3459         fixEdge<CellUse>(node->child1());
3460     }
3461
3462     void fixupCallDOM(Node* node)
3463     {
3464         const DOMJIT::Signature* signature = node->signature();
3465         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3466             if (!edge)
3467                 return;
3468             switch (signature->arguments[argumentIndex]) {
3469             case SpecString:
3470                 fixEdge<StringUse>(edge);
3471                 break;
3472             case SpecInt32Only:
3473                 fixEdge<Int32Use>(edge);
3474                 break;
3475             case SpecBoolean:
3476                 fixEdge<BooleanUse>(edge);
3477                 break;
3478             default:
3479                 RELEASE_ASSERT_NOT_REACHED();
3480                 break;
3481             }
3482         };
3483         fixEdge<CellUse>(node->child1()); // DOM.
3484         fixup(node->child2(), 0);
3485         fixup(node->child3(), 1);
3486     }
3487
3488     void fixupArrayIndexOf(Node* node)
3489     {
3490         Edge& array = m_graph.varArgChild(node, 0);
3491         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3492         blessArrayOperation(array, Edge(), storage);
3493         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3494
3495         Edge& searchElement = m_graph.varArgChild(node, 1);
3496
3497         // Constant folding.
3498         switch (node->arrayMode().type()) {
3499         case Array::Double:
3500         case Array::Int32: {
3501             if (searchElement->shouldSpeculateCell()) {
3502                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3503                 m_graph.convertToConstant(node, jsNumber(-1));
3504                 observeUseKindOnNode<CellUse>(searchElement.node());
3505                 return;
3506             }
3507
3508             if (searchElement->shouldSpeculateOther()) {
3509                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3510                 m_graph.convertToConstant(node, jsNumber(-1));
3511                 observeUseKindOnNode<OtherUse>(searchElement.node());
3512                 return;
3513             }
3514
3515             if (searchElement->shouldSpeculateBoolean()) {
3516                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3517                 m_graph.convertToConstant(node, jsNumber(-1));
3518                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3519                 return;
3520             }
3521             break;
3522         }
3523         default:
3524             break;
3525         }
3526
3527         fixEdge<KnownCellUse>(array);
3528         if (node->numChildren() == 4)
3529             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3530
3531         switch (node->arrayMode().type()) {
3532         case Array::Double: {
3533             if (searchElement->shouldSpeculateNumber())
3534                 fixEdge<DoubleRepUse>(searchElement);
3535             return;
3536         }
3537         case Array::Int32: {
3538             if (searchElement->shouldSpeculateInt32())
3539                 fixEdge<In