We should have a CoW storage for NewArrayBuffer arrays.
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149             
150         case ValueAdd: {
151             if (attemptToMakeIntegerAdd(node)) {
152                 node->setOp(ArithAdd);
153                 break;
154             }
155             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
156                 fixDoubleOrBooleanEdge(node->child1());
157                 fixDoubleOrBooleanEdge(node->child2());
158                 node->setOp(ArithAdd);
159                 node->setResult(NodeResultDouble);
160                 break;
161             }
162             
163             if (attemptToMakeFastStringAdd(node))
164                 break;
165
166             Edge& child1 = node->child1();
167             Edge& child2 = node->child2();
168             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
169                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
170                     auto convertString = [&](Node* node, Edge& edge) {
171                         if (edge->shouldSpeculateInt32())
172                             convertStringAddUse<Int32Use>(node, edge);
173                         else {
174                             ASSERT(edge->shouldSpeculateString());
175                             convertStringAddUse<StringUse>(node, edge);
176                         }
177                     };
178                     convertString(node, child1);
179                     convertString(node, child2);
180                     convertToMakeRope(node);
181                     break;
182                 }
183             }
184
185             fixEdge<UntypedUse>(child1);
186             fixEdge<UntypedUse>(child2);
187             node->setResult(NodeResultJS);
188             break;
189         }
190
191         case StrCat: {
192             if (attemptToMakeFastStringAdd(node))
193                 break;
194
195             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
196             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
197             // the implementation of StrCat doesn't dynamically optimize for empty strings.
198             // https://bugs.webkit.org/show_bug.cgi?id=148540
199             m_graph.doToChildren(
200                 node,
201                 [&] (Edge& edge) {
202                     fixEdge<KnownPrimitiveUse>(edge);
203                     // StrCat automatically coerces the values into strings before concatenating them.
204                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
205                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
206                     // our runtime functions for this slow path expect that they will never be passed
207                     // Symbols.
208                     m_insertionSet.insertNode(
209                         m_indexInBlock, SpecNone, Check, node->origin,
210                         Edge(edge.node(), NotSymbolUse));
211                 });
212             break;
213         }
214             
215         case MakeRope: {
216             fixupMakeRope(node);
217             break;
218         }
219             
220         case ArithAdd:
221         case ArithSub: {
222             if (op == ArithSub
223                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
224                 fixEdge<UntypedUse>(node->child1());
225                 fixEdge<UntypedUse>(node->child2());
226                 node->setResult(NodeResultJS);
227                 break;
228             }
229             if (attemptToMakeIntegerAdd(node))
230                 break;
231             fixDoubleOrBooleanEdge(node->child1());
232             fixDoubleOrBooleanEdge(node->child2());
233             node->setResult(NodeResultDouble);
234             break;
235         }
236             
237         case ArithNegate: {
238             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
239                 fixIntOrBooleanEdge(node->child1());
240                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
241                     node->setArithMode(Arith::Unchecked);
242                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
243                     node->setArithMode(Arith::CheckOverflow);
244                 else
245                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
246                 node->setResult(NodeResultInt32);
247                 node->clearFlags(NodeMustGenerate);
248                 break;
249             }
250             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
251                 fixEdge<Int52RepUse>(node->child1());
252                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
253                     node->setArithMode(Arith::CheckOverflow);
254                 else
255                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
256                 node->setResult(NodeResultInt52);
257                 node->clearFlags(NodeMustGenerate);
258                 break;
259             }
260             if (node->child1()->shouldSpeculateNotCell()) {
261                 fixDoubleOrBooleanEdge(node->child1());
262                 node->setResult(NodeResultDouble);
263                 node->clearFlags(NodeMustGenerate);
264             } else
265                 fixEdge<UntypedUse>(node->child1());
266             break;
267         }
268             
269         case ArithMul: {
270             Edge& leftChild = node->child1();
271             Edge& rightChild = node->child2();
272             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
273                 fixEdge<UntypedUse>(leftChild);
274                 fixEdge<UntypedUse>(rightChild);
275                 node->setResult(NodeResultJS);
276                 break;
277             }
278             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
279                 fixIntOrBooleanEdge(leftChild);
280                 fixIntOrBooleanEdge(rightChild);
281                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
282                     node->setArithMode(Arith::Unchecked);
283                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
284                     || leftChild.node() == rightChild.node())
285                     node->setArithMode(Arith::CheckOverflow);
286                 else
287                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
288                 break;
289             }
290             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
291                 fixEdge<Int52RepUse>(leftChild);
292                 fixEdge<Int52RepUse>(rightChild);
293                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
294                     || leftChild.node() == rightChild.node())
295                     node->setArithMode(Arith::CheckOverflow);
296                 else
297                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
298                 node->setResult(NodeResultInt52);
299                 break;
300             }
301             fixDoubleOrBooleanEdge(leftChild);
302             fixDoubleOrBooleanEdge(rightChild);
303             node->setResult(NodeResultDouble);
304             break;
305         }
306
307         case ArithDiv:
308         case ArithMod: {
309             Edge& leftChild = node->child1();
310             Edge& rightChild = node->child2();
311             if (op == ArithDiv
312                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
313                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
314                 fixEdge<UntypedUse>(leftChild);
315                 fixEdge<UntypedUse>(rightChild);
316                 node->setResult(NodeResultJS);
317                 break;
318             }
319             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
320                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
321                     fixIntOrBooleanEdge(leftChild);
322                     fixIntOrBooleanEdge(rightChild);
323                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
324                         node->setArithMode(Arith::Unchecked);
325                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
326                         node->setArithMode(Arith::CheckOverflow);
327                     else
328                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
329                     break;
330                 }
331                 
332                 // This will cause conversion nodes to be inserted later.
333                 fixDoubleOrBooleanEdge(leftChild);
334                 fixDoubleOrBooleanEdge(rightChild);
335                 
336                 // We don't need to do ref'ing on the children because we're stealing them from
337                 // the original division.
338                 Node* newDivision = m_insertionSet.insertNode(
339                     m_indexInBlock, SpecBytecodeDouble, *node);
340                 newDivision->setResult(NodeResultDouble);
341                 
342                 node->setOp(DoubleAsInt32);
343                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
344                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
345                     node->setArithMode(Arith::CheckOverflow);
346                 else
347                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
348                 break;
349             }
350             fixDoubleOrBooleanEdge(leftChild);
351             fixDoubleOrBooleanEdge(rightChild);
352             node->setResult(NodeResultDouble);
353             break;
354         }
355             
356         case ArithMin:
357         case ArithMax: {
358             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
359                 fixIntOrBooleanEdge(node->child1());
360                 fixIntOrBooleanEdge(node->child2());
361                 break;
362             }
363             fixDoubleOrBooleanEdge(node->child1());
364             fixDoubleOrBooleanEdge(node->child2());
365             node->setResult(NodeResultDouble);
366             break;
367         }
368             
369         case ArithAbs: {
370             if (node->child1()->shouldSpeculateInt32OrBoolean()
371                 && node->canSpeculateInt32(FixupPass)) {
372                 fixIntOrBooleanEdge(node->child1());
373                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
374                     node->setArithMode(Arith::Unchecked);
375                 else
376                     node->setArithMode(Arith::CheckOverflow);
377                 node->clearFlags(NodeMustGenerate);
378                 node->setResult(NodeResultInt32);
379                 break;
380             }
381
382             if (node->child1()->shouldSpeculateNotCell()) {
383                 fixDoubleOrBooleanEdge(node->child1());
384                 node->clearFlags(NodeMustGenerate);
385             } else
386                 fixEdge<UntypedUse>(node->child1());
387             node->setResult(NodeResultDouble);
388             break;
389         }
390
391         case ArithPow: {
392             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
393                 fixDoubleOrBooleanEdge(node->child1());
394                 fixIntOrBooleanEdge(node->child2());
395                 break;
396             }
397
398             fixDoubleOrBooleanEdge(node->child1());
399             fixDoubleOrBooleanEdge(node->child2());
400             break;
401         }
402
403         case ArithRandom: {
404             node->setResult(NodeResultDouble);
405             break;
406         }
407
408         case ArithRound:
409         case ArithFloor:
410         case ArithCeil:
411         case ArithTrunc: {
412             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
413                 fixIntOrBooleanEdge(node->child1());
414                 insertCheck<Int32Use>(node->child1().node());
415                 node->convertToIdentity();
416                 break;
417             }
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420
421                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
422                     node->setResult(NodeResultInt32);
423                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
424                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
425                     else
426                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
427                 } else {
428                     node->setResult(NodeResultDouble);
429                     node->setArithRoundingMode(Arith::RoundingMode::Double);
430                 }
431                 node->clearFlags(NodeMustGenerate);
432             } else
433                 fixEdge<UntypedUse>(node->child1());
434             break;
435         }
436
437         case ArithFRound:
438         case ArithSqrt:
439         case ArithUnary: {
440             Edge& child1 = node->child1();
441             if (child1->shouldSpeculateNotCell()) {
442                 fixDoubleOrBooleanEdge(child1);
443                 node->clearFlags(NodeMustGenerate);
444             } else
445                 fixEdge<UntypedUse>(child1);
446             break;
447         }
448             
449         case LogicalNot: {
450             if (node->child1()->shouldSpeculateBoolean()) {
451                 if (node->child1()->result() == NodeResultBoolean) {
452                     // This is necessary in case we have a bytecode instruction implemented by:
453                     //
454                     // a: CompareEq(...)
455                     // b: LogicalNot(@a)
456                     //
457                     // In that case, CompareEq might have a side-effect. Then, we need to make
458                     // sure that we know that Branch does not exit.
459                     fixEdge<KnownBooleanUse>(node->child1());
460                 } else
461                     fixEdge<BooleanUse>(node->child1());
462             } else if (node->child1()->shouldSpeculateObjectOrOther())
463                 fixEdge<ObjectOrOtherUse>(node->child1());
464             else if (node->child1()->shouldSpeculateInt32OrBoolean())
465                 fixIntOrBooleanEdge(node->child1());
466             else if (node->child1()->shouldSpeculateNumber())
467                 fixEdge<DoubleRepUse>(node->child1());
468             else if (node->child1()->shouldSpeculateString())
469                 fixEdge<StringUse>(node->child1());
470             else if (node->child1()->shouldSpeculateStringOrOther())
471                 fixEdge<StringOrOtherUse>(node->child1());
472             else {
473                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
474                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
475                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
476             }
477             break;
478         }
479
480         case CompareEq:
481         case CompareLess:
482         case CompareLessEq:
483         case CompareGreater:
484         case CompareGreaterEq: {
485             if (node->op() == CompareEq
486                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
487                 fixEdge<BooleanUse>(node->child1());
488                 fixEdge<BooleanUse>(node->child2());
489                 node->clearFlags(NodeMustGenerate);
490                 break;
491             }
492             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
493                 fixIntOrBooleanEdge(node->child1());
494                 fixIntOrBooleanEdge(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (enableInt52()
499                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
500                 fixEdge<Int52RepUse>(node->child1());
501                 fixEdge<Int52RepUse>(node->child2());
502                 node->clearFlags(NodeMustGenerate);
503                 break;
504             }
505             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
506                 fixDoubleOrBooleanEdge(node->child1());
507                 fixDoubleOrBooleanEdge(node->child2());
508             }
509             if (node->op() != CompareEq
510                 && node->child1()->shouldSpeculateNotCell()
511                 && node->child2()->shouldSpeculateNotCell()) {
512                 if (node->child1()->shouldSpeculateNumberOrBoolean())
513                     fixDoubleOrBooleanEdge(node->child1());
514                 else
515                     fixEdge<DoubleRepUse>(node->child1());
516                 if (node->child2()->shouldSpeculateNumberOrBoolean())
517                     fixDoubleOrBooleanEdge(node->child2());
518                 else
519                     fixEdge<DoubleRepUse>(node->child2());
520                 node->clearFlags(NodeMustGenerate);
521                 break;
522             }
523             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
524                 fixEdge<StringIdentUse>(node->child1());
525                 fixEdge<StringIdentUse>(node->child2());
526                 node->clearFlags(NodeMustGenerate);
527                 break;
528             }
529             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
530                 fixEdge<StringUse>(node->child1());
531                 fixEdge<StringUse>(node->child2());
532                 node->clearFlags(NodeMustGenerate);
533                 break;
534             }
535
536             if (node->op() != CompareEq)
537                 break;
538             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
539                 fixEdge<SymbolUse>(node->child1());
540                 fixEdge<SymbolUse>(node->child2());
541                 node->clearFlags(NodeMustGenerate);
542                 break;
543             }
544             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
545                 fixEdge<ObjectUse>(node->child1());
546                 fixEdge<ObjectUse>(node->child2());
547                 node->clearFlags(NodeMustGenerate);
548                 break;
549             }
550
551             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
552             bool oneArgumentIsUsedAsSpecOther = false;
553             if (node->child1()->isUndefinedOrNullConstant()) {
554                 fixEdge<OtherUse>(node->child1());
555                 oneArgumentIsUsedAsSpecOther = true;
556             } else if (node->child1()->shouldSpeculateOther()) {
557                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
558                     Edge(node->child1().node(), OtherUse));
559                 fixEdge<OtherUse>(node->child1());
560                 oneArgumentIsUsedAsSpecOther = true;
561             }
562             if (node->child2()->isUndefinedOrNullConstant()) {
563                 fixEdge<OtherUse>(node->child2());
564                 oneArgumentIsUsedAsSpecOther = true;
565             } else if (node->child2()->shouldSpeculateOther()) {
566                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
567                     Edge(node->child2().node(), OtherUse));
568                 fixEdge<OtherUse>(node->child2());
569                 oneArgumentIsUsedAsSpecOther = true;
570             }
571             if (oneArgumentIsUsedAsSpecOther) {
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575
576             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
577                 fixEdge<ObjectUse>(node->child1());
578                 fixEdge<ObjectOrOtherUse>(node->child2());
579                 node->clearFlags(NodeMustGenerate);
580                 break;
581             }
582             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
583                 fixEdge<ObjectOrOtherUse>(node->child1());
584                 fixEdge<ObjectUse>(node->child2());
585                 node->clearFlags(NodeMustGenerate);
586                 break;
587             }
588
589             break;
590         }
591             
592         case CompareStrictEq:
593         case SameValue: {
594             fixupCompareStrictEqAndSameValue(node);
595             break;
596         }
597
598         case StringFromCharCode:
599             if (node->child1()->shouldSpeculateInt32()) {
600                 fixEdge<Int32Use>(node->child1());
601                 node->clearFlags(NodeMustGenerate);
602             } else
603                 fixEdge<UntypedUse>(node->child1());
604             break;
605
606         case StringCharAt:
607         case StringCharCodeAt: {
608             // Currently we have no good way of refining these.
609             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
610             blessArrayOperation(node->child1(), node->child2(), node->child3());
611             fixEdge<KnownCellUse>(node->child1());
612             fixEdge<Int32Use>(node->child2());
613             break;
614         }
615
616         case GetByVal: {
617             if (!node->prediction()) {
618                 m_insertionSet.insertNode(
619                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
620             }
621             
622             node->setArrayMode(
623                 node->arrayMode().refine(
624                     m_graph, node,
625                     m_graph.varArgChild(node, 0)->prediction(),
626                     m_graph.varArgChild(node, 1)->prediction(),
627                     SpecNone));
628             
629             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
630             
631             ArrayMode arrayMode = node->arrayMode();
632             switch (arrayMode.type()) {
633             case Array::Contiguous:
634             case Array::Double:
635                 if (arrayMode.arrayClass() == Array::OriginalArray
636                     && arrayMode.speculation() == Array::InBounds) {
637                     // Check if SaneChain will work on a per-type basis. Note that:
638                     //
639                     // 1) We don't want double arrays to sometimes return undefined, since
640                     // that would require a change to the return type and it would pessimise
641                     // things a lot. So, we'd only want to do that if we actually had
642                     // evidence that we could read from a hole. That's pretty annoying.
643                     // Likely the best way to handle that case is with an equivalent of
644                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
645                     // NaN are indistinguishable according to backwards propagation, and just
646                     // use SaneChain in that case. This happens to catch a lot of cases.
647                     //
648                     // 2) We don't want int32 array loads to have to do a hole check just to
649                     // coerce to Undefined, since that would mean twice the checks.
650                     //
651                     // This has two implications. First, we have to do more checks than we'd
652                     // like. It's unfortunate that we have to do the hole check. Second,
653                     // some accesses that hit a hole will now need to take the full-blown
654                     // out-of-bounds slow path. We can fix that with:
655                     // https://bugs.webkit.org/show_bug.cgi?id=144668
656                     
657                     bool canDoSaneChain = false;
658                     switch (arrayMode.type()) {
659                     case Array::Contiguous:
660                         // This is happens to be entirely natural. We already would have
661                         // returned any JSValue, and now we'll return Undefined. We still do
662                         // the check but it doesn't require taking any kind of slow path.
663                         canDoSaneChain = true;
664                         break;
665                         
666                     case Array::Double:
667                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
668                             // Holes look like NaN already, so if the user doesn't care
669                             // about the difference between Undefined and NaN then we can
670                             // do this.
671                             canDoSaneChain = true;
672                         }
673                         break;
674                         
675                     default:
676                         break;
677                     }
678                     
679                     if (canDoSaneChain) {
680                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
681                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
682                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
683                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
684                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
685                             && globalObject->arrayPrototypeChainIsSane()) {
686                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
687                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
688                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
689                         }
690                     }
691                 }
692                 break;
693                 
694             case Array::String:
695                 if ((node->prediction() & ~SpecString)
696                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
697                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
698                 break;
699                 
700             default:
701                 break;
702             }
703             
704             arrayMode = node->arrayMode();
705             switch (arrayMode.type()) {
706             case Array::SelectUsingPredictions:
707             case Array::Unprofiled:
708                 RELEASE_ASSERT_NOT_REACHED();
709                 break;
710             case Array::Generic:
711                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
712                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
713                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
714                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
715                         break;
716                     }
717
718                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
719                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
720                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
721                         break;
722                     }
723                 }
724 #if USE(JSVALUE32_64)
725                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
726 #endif
727                 break;
728             case Array::ForceExit:
729                 break;
730             default:
731                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
732                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
733                 break;
734             }
735             
736             switch (arrayMode.type()) {
737             case Array::Double:
738                 if (!arrayMode.isOutOfBounds())
739                     node->setResult(NodeResultDouble);
740                 break;
741                 
742             case Array::Float32Array:
743             case Array::Float64Array:
744                 node->setResult(NodeResultDouble);
745                 break;
746                 
747             case Array::Uint32Array:
748                 if (node->shouldSpeculateInt32())
749                     break;
750                 if (node->shouldSpeculateAnyInt() && enableInt52())
751                     node->setResult(NodeResultInt52);
752                 else
753                     node->setResult(NodeResultDouble);
754                 break;
755                 
756             default:
757                 break;
758             }
759             
760             break;
761         }
762
763         case PutByValDirect:
764         case PutByVal:
765         case PutByValAlias: {
766             Edge& child1 = m_graph.varArgChild(node, 0);
767             Edge& child2 = m_graph.varArgChild(node, 1);
768             Edge& child3 = m_graph.varArgChild(node, 2);
769
770             node->setArrayMode(
771                 node->arrayMode().refine(
772                     m_graph, node,
773                     child1->prediction(),
774                     child2->prediction(),
775                     child3->prediction()));
776             
777             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
778             
779             switch (node->arrayMode().modeForPut().type()) {
780             case Array::SelectUsingPredictions:
781             case Array::SelectUsingArguments:
782             case Array::Unprofiled:
783             case Array::Undecided:
784                 RELEASE_ASSERT_NOT_REACHED();
785                 break;
786             case Array::ForceExit:
787             case Array::Generic:
788                 if (child1->shouldSpeculateCell()) {
789                     if (child2->shouldSpeculateString()) {
790                         fixEdge<CellUse>(child1);
791                         fixEdge<StringUse>(child2);
792                         break;
793                     }
794
795                     if (child2->shouldSpeculateSymbol()) {
796                         fixEdge<CellUse>(child1);
797                         fixEdge<SymbolUse>(child2);
798                         break;
799                     }
800                 }
801 #if USE(JSVALUE32_64)
802                 // Due to register pressure on 32-bit, we speculate cell and
803                 // ignore the base-is-not-cell case entirely by letting the
804                 // baseline JIT handle it.
805                 fixEdge<CellUse>(child1);
806 #endif
807                 break;
808             case Array::Int32:
809                 fixEdge<KnownCellUse>(child1);
810                 fixEdge<Int32Use>(child2);
811                 fixEdge<Int32Use>(child3);
812                 break;
813             case Array::Double:
814                 fixEdge<KnownCellUse>(child1);
815                 fixEdge<Int32Use>(child2);
816                 fixEdge<DoubleRepRealUse>(child3);
817                 break;
818             case Array::Int8Array:
819             case Array::Int16Array:
820             case Array::Int32Array:
821             case Array::Uint8Array:
822             case Array::Uint8ClampedArray:
823             case Array::Uint16Array:
824             case Array::Uint32Array:
825                 fixEdge<KnownCellUse>(child1);
826                 fixEdge<Int32Use>(child2);
827                 if (child3->shouldSpeculateInt32())
828                     fixIntOrBooleanEdge(child3);
829                 else if (child3->shouldSpeculateAnyInt())
830                     fixEdge<Int52RepUse>(child3);
831                 else
832                     fixDoubleOrBooleanEdge(child3);
833                 break;
834             case Array::Float32Array:
835             case Array::Float64Array:
836                 fixEdge<KnownCellUse>(child1);
837                 fixEdge<Int32Use>(child2);
838                 fixDoubleOrBooleanEdge(child3);
839                 break;
840             case Array::Contiguous:
841             case Array::ArrayStorage:
842             case Array::SlowPutArrayStorage:
843                 fixEdge<KnownCellUse>(child1);
844                 fixEdge<Int32Use>(child2);
845                 speculateForBarrier(child3);
846                 break;
847             default:
848                 fixEdge<KnownCellUse>(child1);
849                 fixEdge<Int32Use>(child2);
850                 break;
851             }
852             break;
853         }
854             
855         case AtomicsAdd:
856         case AtomicsAnd:
857         case AtomicsCompareExchange:
858         case AtomicsExchange:
859         case AtomicsLoad:
860         case AtomicsOr:
861         case AtomicsStore:
862         case AtomicsSub:
863         case AtomicsXor: {
864             Edge& base = m_graph.child(node, 0);
865             Edge& index = m_graph.child(node, 1);
866             
867             bool badNews = false;
868             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
869                 Edge& child = m_graph.child(node, 2 + i);
870                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
871                 // just call the function when that happens. But the FTL is totally cool with those
872                 // conversions.
873                 if (!child->shouldSpeculateInt32()
874                     && !child->shouldSpeculateAnyInt()
875                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
876                     badNews = true;
877             }
878             
879             if (badNews) {
880                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
881                 break;
882             }
883             
884             node->setArrayMode(
885                 node->arrayMode().refine(
886                     m_graph, node, base->prediction(), index->prediction()));
887             
888             if (node->arrayMode().type() == Array::Generic)
889                 break;
890             
891             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
892                 Edge& child = m_graph.child(node, 2 + i);
893                 if (child->shouldSpeculateInt32())
894                     fixIntOrBooleanEdge(child);
895                 else if (child->shouldSpeculateAnyInt())
896                     fixEdge<Int52RepUse>(child);
897                 else {
898                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
899                     fixDoubleOrBooleanEdge(child);
900                 }
901             }
902             
903             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
904             fixEdge<CellUse>(base);
905             fixEdge<Int32Use>(index);
906             
907             if (node->arrayMode().type() == Array::Uint32Array) {
908                 // NOTE: This means basically always doing Int52.
909                 if (node->shouldSpeculateAnyInt() && enableInt52())
910                     node->setResult(NodeResultInt52);
911                 else
912                     node->setResult(NodeResultDouble);
913             }
914             break;
915         }
916             
917         case AtomicsIsLockFree:
918             if (node->child1()->shouldSpeculateInt32())
919                 fixIntOrBooleanEdge(node->child1());
920             break;
921             
922         case ArrayPush: {
923             // May need to refine the array mode in case the value prediction contravenes
924             // the array prediction. For example, we may have evidence showing that the
925             // array is in Int32 mode, but the value we're storing is likely to be a double.
926             // Then we should turn this into a conversion to Double array followed by the
927             // push. On the other hand, we absolutely don't want to refine based on the
928             // base prediction. If it has non-cell garbage in it, then we want that to be
929             // ignored. That's because ArrayPush can't handle any array modes that aren't
930             // array-related - so if refine() turned this into a "Generic" ArrayPush then
931             // that would break things.
932             Edge& storageEdge = m_graph.varArgChild(node, 0);
933             Edge& arrayEdge = m_graph.varArgChild(node, 1);
934             unsigned elementOffset = 2;
935             unsigned elementCount = node->numChildren() - elementOffset;
936             for (unsigned i = 0; i < elementCount; ++i) {
937                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
938                 node->setArrayMode(
939                     node->arrayMode().refine(
940                         m_graph, node,
941                         arrayEdge->prediction() & SpecCell,
942                         SpecInt32Only,
943                         element->prediction()));
944             }
945             blessArrayOperation(arrayEdge, Edge(), storageEdge);
946             fixEdge<KnownCellUse>(arrayEdge);
947
948             // Convert `array.push()` to GetArrayLength.
949             if (!elementCount && node->arrayMode().supportsSelfLength()) {
950                 node->setOpAndDefaultFlags(GetArrayLength);
951                 node->child1() = arrayEdge;
952                 node->child2() = storageEdge;
953                 fixEdge<KnownCellUse>(node->child1());
954                 break;
955             }
956
957             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
958             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
959             for (unsigned i = 0; i < elementCount; ++i) {
960                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
961                 switch (node->arrayMode().type()) {
962                 case Array::Int32:
963                     insertCheck<Int32Use>(element.node());
964                     fixEdge<KnownInt32Use>(element);
965                     break;
966                 case Array::Double:
967                     insertCheck<DoubleRepRealUse>(element.node());
968                     fixEdge<DoubleRepUse>(element);
969                     break;
970                 case Array::Contiguous:
971                 case Array::ArrayStorage:
972                     speculateForBarrier(element);
973                     break;
974                 default:
975                     break;
976                 }
977                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
978             }
979             break;
980         }
981             
982         case ArrayPop: {
983             blessArrayOperation(node->child1(), Edge(), node->child2());
984             fixEdge<KnownCellUse>(node->child1());
985             break;
986         }
987
988         case ArraySlice: {
989             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
990             if (node->numChildren() >= 3) {
991                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
992                 if (node->numChildren() == 4)
993                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
994             }
995             break;
996         }
997
998         case ArrayIndexOf:
999             fixupArrayIndexOf(node);
1000             break;
1001             
1002         case RegExpExec:
1003         case RegExpTest: {
1004             fixEdge<KnownCellUse>(node->child1());
1005             
1006             if (node->child2()->shouldSpeculateRegExpObject()) {
1007                 fixEdge<RegExpObjectUse>(node->child2());
1008
1009                 if (node->child3()->shouldSpeculateString())
1010                     fixEdge<StringUse>(node->child3());
1011             }
1012             break;
1013         }
1014
1015         case RegExpMatchFast: {
1016             fixEdge<KnownCellUse>(node->child1());
1017             fixEdge<RegExpObjectUse>(node->child2());
1018             fixEdge<StringUse>(node->child3());
1019             break;
1020         }
1021
1022         case StringReplace:
1023         case StringReplaceRegExp: {
1024             if (node->child2()->shouldSpeculateString()) {
1025                 m_insertionSet.insertNode(
1026                     m_indexInBlock, SpecNone, Check, node->origin,
1027                     Edge(node->child2().node(), StringUse));
1028                 fixEdge<StringUse>(node->child2());
1029             } else if (op == StringReplace) {
1030                 if (node->child2()->shouldSpeculateRegExpObject())
1031                     addStringReplacePrimordialChecks(node->child2().node());
1032                 else 
1033                     m_insertionSet.insertNode(
1034                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1035             }
1036
1037             if (node->child1()->shouldSpeculateString()
1038                 && node->child2()->shouldSpeculateRegExpObject()
1039                 && node->child3()->shouldSpeculateString()) {
1040
1041                 fixEdge<StringUse>(node->child1());
1042                 fixEdge<RegExpObjectUse>(node->child2());
1043                 fixEdge<StringUse>(node->child3());
1044                 break;
1045             }
1046             break;
1047         }
1048             
1049         case Branch: {
1050             if (node->child1()->shouldSpeculateBoolean()) {
1051                 if (node->child1()->result() == NodeResultBoolean) {
1052                     // This is necessary in case we have a bytecode instruction implemented by:
1053                     //
1054                     // a: CompareEq(...)
1055                     // b: Branch(@a)
1056                     //
1057                     // In that case, CompareEq might have a side-effect. Then, we need to make
1058                     // sure that we know that Branch does not exit.
1059                     fixEdge<KnownBooleanUse>(node->child1());
1060                 } else
1061                     fixEdge<BooleanUse>(node->child1());
1062             } else if (node->child1()->shouldSpeculateObjectOrOther())
1063                 fixEdge<ObjectOrOtherUse>(node->child1());
1064             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1065                 fixIntOrBooleanEdge(node->child1());
1066             else if (node->child1()->shouldSpeculateNumber())
1067                 fixEdge<DoubleRepUse>(node->child1());
1068             else if (node->child1()->shouldSpeculateString())
1069                 fixEdge<StringUse>(node->child1());
1070             else if (node->child1()->shouldSpeculateStringOrOther())
1071                 fixEdge<StringOrOtherUse>(node->child1());
1072             else {
1073                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1074                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1075                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1076             }
1077             break;
1078         }
1079             
1080         case Switch: {
1081             SwitchData* data = node->switchData();
1082             switch (data->kind) {
1083             case SwitchImm:
1084                 if (node->child1()->shouldSpeculateInt32())
1085                     fixEdge<Int32Use>(node->child1());
1086                 break;
1087             case SwitchChar:
1088                 if (node->child1()->shouldSpeculateString())
1089                     fixEdge<StringUse>(node->child1());
1090                 break;
1091             case SwitchString:
1092                 if (node->child1()->shouldSpeculateStringIdent())
1093                     fixEdge<StringIdentUse>(node->child1());
1094                 else if (node->child1()->shouldSpeculateString())
1095                     fixEdge<StringUse>(node->child1());
1096                 break;
1097             case SwitchCell:
1098                 if (node->child1()->shouldSpeculateCell())
1099                     fixEdge<CellUse>(node->child1());
1100                 // else it's fine for this to have UntypedUse; we will handle this by just making
1101                 // non-cells take the default case.
1102                 break;
1103             }
1104             break;
1105         }
1106             
1107         case ToPrimitive: {
1108             fixupToPrimitive(node);
1109             break;
1110         }
1111
1112         case ToNumber: {
1113             fixupToNumber(node);
1114             break;
1115         }
1116             
1117         case ToString:
1118         case CallStringConstructor: {
1119             fixupToStringOrCallStringConstructor(node);
1120             break;
1121         }
1122             
1123         case NewStringObject: {
1124             fixEdge<KnownStringUse>(node->child1());
1125             break;
1126         }
1127
1128         case NewArrayWithSpread: {
1129             watchHavingABadTime(node);
1130             
1131             BitVector* bitVector = node->bitVector();
1132             for (unsigned i = node->numChildren(); i--;) {
1133                 if (bitVector->get(i))
1134                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1135                 else
1136                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1137             }
1138
1139             break;
1140         }
1141
1142         case Spread: {
1143             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1144             
1145             watchHavingABadTime(node->child1().node());
1146
1147             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1148             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1149             // that it doesn't contain any indexed properties, and that any holes will result in
1150             // jsUndefined().
1151             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
1152             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
1153             if (node->child1()->shouldSpeculateArray()
1154                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1155                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1156                 && globalObject->arrayPrototypeChainIsSane()
1157                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1158                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1159                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1160                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1161                 fixEdge<ArrayUse>(node->child1());
1162             } else
1163                 fixEdge<CellUse>(node->child1());
1164             break;
1165         }
1166             
1167         case NewArray: {
1168             watchHavingABadTime(node);
1169             
1170             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1171                 node->setIndexingType(
1172                     leastUpperBoundOfIndexingTypeAndType(
1173                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1174             }
1175             switch (node->indexingType()) {
1176             case ALL_BLANK_INDEXING_TYPES:
1177                 CRASH();
1178                 break;
1179             case ALL_UNDECIDED_INDEXING_TYPES:
1180                 if (node->numChildren()) {
1181                     // This will only happen if the children have no type predictions. We
1182                     // would have already exited by now, but insert a forced exit just to
1183                     // be safe.
1184                     m_insertionSet.insertNode(
1185                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1186                 }
1187                 break;
1188             case ALL_INT32_INDEXING_TYPES:
1189                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1190                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1191                 break;
1192             case ALL_DOUBLE_INDEXING_TYPES:
1193                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1194                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1195                 break;
1196             case ALL_CONTIGUOUS_INDEXING_TYPES:
1197             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1198                 break;
1199             default:
1200                 CRASH();
1201                 break;
1202             }
1203             break;
1204         }
1205             
1206         case NewTypedArray: {
1207             watchHavingABadTime(node);
1208             
1209             if (node->child1()->shouldSpeculateInt32()) {
1210                 fixEdge<Int32Use>(node->child1());
1211                 node->clearFlags(NodeMustGenerate);
1212                 break;
1213             }
1214             break;
1215         }
1216             
1217         case NewArrayWithSize: {
1218             watchHavingABadTime(node);
1219             fixEdge<Int32Use>(node->child1());
1220             break;
1221         }
1222
1223         case NewArrayBuffer: {
1224             watchHavingABadTime(node);
1225             break;
1226         }
1227
1228         case ToObject: {
1229             fixupToObject(node);
1230             break;
1231         }
1232
1233         case CallObjectConstructor: {
1234             fixupCallObjectConstructor(node);
1235             break;
1236         }
1237
1238         case ToThis: {
1239             fixupToThis(node);
1240             break;
1241         }
1242             
1243         case PutStructure: {
1244             fixEdge<KnownCellUse>(node->child1());
1245             break;
1246         }
1247             
1248         case GetClosureVar:
1249         case GetFromArguments: {
1250             fixEdge<KnownCellUse>(node->child1());
1251             break;
1252         }
1253
1254         case PutClosureVar:
1255         case PutToArguments: {
1256             fixEdge<KnownCellUse>(node->child1());
1257             speculateForBarrier(node->child2());
1258             break;
1259         }
1260
1261         case SkipScope:
1262         case GetScope:
1263         case GetGetter:
1264         case GetSetter:
1265         case GetGlobalObject: {
1266             fixEdge<KnownCellUse>(node->child1());
1267             break;
1268         }
1269             
1270         case AllocatePropertyStorage:
1271         case ReallocatePropertyStorage: {
1272             fixEdge<KnownCellUse>(node->child1());
1273             break;
1274         }
1275             
1276         case NukeStructureAndSetButterfly: {
1277             fixEdge<KnownCellUse>(node->child1());
1278             break;
1279         }
1280
1281         case TryGetById: {
1282             if (node->child1()->shouldSpeculateCell())
1283                 fixEdge<CellUse>(node->child1());
1284             break;
1285         }
1286
1287         case GetByIdDirect:
1288         case GetByIdDirectFlush: {
1289             if (node->child1()->shouldSpeculateCell())
1290                 fixEdge<CellUse>(node->child1());
1291             break;
1292         }
1293
1294         case GetById:
1295         case GetByIdFlush: {
1296             // FIXME: This should be done in the ByteCodeParser based on reading the
1297             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1298             // https://bugs.webkit.org/show_bug.cgi?id=154990
1299             auto uid = m_graph.identifiers()[node->identifierNumber()];
1300             if (node->child1()->shouldSpeculateCellOrOther()
1301                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1302                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1303                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1304                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1305                 
1306                 if (uid == vm().propertyNames->length.impl()) {
1307                     attemptToMakeGetArrayLength(node);
1308                     break;
1309                 }
1310
1311                 if (uid == vm().propertyNames->lastIndex.impl()
1312                     && node->child1()->shouldSpeculateRegExpObject()) {
1313                     node->setOp(GetRegExpObjectLastIndex);
1314                     node->clearFlags(NodeMustGenerate);
1315                     fixEdge<RegExpObjectUse>(node->child1());
1316                     break;
1317                 }
1318             }
1319
1320             if (node->child1()->shouldSpeculateNumber()) {
1321                 if (uid == vm().propertyNames->toString.impl()) {
1322                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1323                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1324                         if (node->child1()->shouldSpeculateInt32()) {
1325                             insertCheck<Int32Use>(node->child1().node());
1326                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1327                             break;
1328                         }
1329
1330                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1331                             insertCheck<Int52RepUse>(node->child1().node());
1332                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1333                             break;
1334                         }
1335
1336                         ASSERT(node->child1()->shouldSpeculateNumber());
1337                         insertCheck<DoubleRepUse>(node->child1().node());
1338                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1339                         break;
1340                     }
1341                 }
1342             }
1343
1344             if (node->child1()->shouldSpeculateCell())
1345                 fixEdge<CellUse>(node->child1());
1346             break;
1347         }
1348         
1349         case GetByIdWithThis: {
1350             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1351                 fixEdge<CellUse>(node->child1());
1352                 fixEdge<CellUse>(node->child2());
1353             }
1354             break;
1355         }
1356
1357         case PutById:
1358         case PutByIdFlush:
1359         case PutByIdDirect: {
1360             if (node->child1()->shouldSpeculateCellOrOther()
1361                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1362                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1363                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1364                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1365                 
1366                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1367                 
1368                 if (uid == vm().propertyNames->lastIndex.impl()
1369                     && node->child1()->shouldSpeculateRegExpObject()) {
1370                     node->convertToSetRegExpObjectLastIndex();
1371                     fixEdge<RegExpObjectUse>(node->child1());
1372                     speculateForBarrier(node->child2());
1373                     break;
1374                 }
1375             }
1376             
1377             fixEdge<CellUse>(node->child1());
1378             break;
1379         }
1380
1381         case PutGetterById:
1382         case PutSetterById: {
1383             fixEdge<KnownCellUse>(node->child1());
1384             fixEdge<KnownCellUse>(node->child2());
1385             break;
1386         }
1387
1388         case PutGetterSetterById: {
1389             fixEdge<KnownCellUse>(node->child1());
1390             break;
1391         }
1392
1393         case PutGetterByVal:
1394         case PutSetterByVal: {
1395             fixEdge<KnownCellUse>(node->child1());
1396             fixEdge<KnownCellUse>(node->child3());
1397             break;
1398         }
1399
1400         case GetExecutable: {
1401             fixEdge<FunctionUse>(node->child1());
1402             break;
1403         }
1404
1405         case OverridesHasInstance:
1406         case CheckStructure:
1407         case CheckCell:
1408         case CreateThis:
1409         case GetButterfly: {
1410             fixEdge<CellUse>(node->child1());
1411             break;
1412         }
1413
1414         case CheckStringIdent: {
1415             fixEdge<StringIdentUse>(node->child1());
1416             break;
1417         }
1418             
1419         case Arrayify:
1420         case ArrayifyToStructure: {
1421             fixEdge<CellUse>(node->child1());
1422             if (node->child2())
1423                 fixEdge<Int32Use>(node->child2());
1424             break;
1425         }
1426             
1427         case GetByOffset:
1428         case GetGetterSetterByOffset: {
1429             if (!node->child1()->hasStorageResult())
1430                 fixEdge<KnownCellUse>(node->child1());
1431             fixEdge<KnownCellUse>(node->child2());
1432             break;
1433         }
1434             
1435         case MultiGetByOffset: {
1436             fixEdge<CellUse>(node->child1());
1437             break;
1438         }
1439             
1440         case PutByOffset: {
1441             if (!node->child1()->hasStorageResult())
1442                 fixEdge<KnownCellUse>(node->child1());
1443             fixEdge<KnownCellUse>(node->child2());
1444             unsigned index = indexForChecks();
1445             insertInferredTypeCheck(
1446                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1447                 node->storageAccessData().inferredType);
1448             speculateForBarrier(node->child3());
1449             break;
1450         }
1451             
1452         case MultiPutByOffset: {
1453             fixEdge<CellUse>(node->child1());
1454             break;
1455         }
1456             
1457         case MatchStructure: {
1458             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1459             // https://bugs.webkit.org/show_bug.cgi?id=185784
1460             fixEdge<CellUse>(node->child1());
1461             break;
1462         }
1463             
1464         case InstanceOf: {
1465             if (node->child1()->shouldSpeculateCell()
1466                 && node->child2()->shouldSpeculateCell()
1467                 && is64Bit()) {
1468                 fixEdge<CellUse>(node->child1());
1469                 fixEdge<CellUse>(node->child2());
1470                 break;
1471             }
1472             break;
1473         }
1474
1475         case InstanceOfCustom:
1476             fixEdge<CellUse>(node->child2());
1477             break;
1478
1479         case InById: {
1480             fixEdge<CellUse>(node->child1());
1481             break;
1482         }
1483
1484         case InByVal: {
1485             if (node->child2()->shouldSpeculateInt32()) {
1486                 convertToHasIndexedProperty(node);
1487                 break;
1488             }
1489
1490             fixEdge<CellUse>(node->child1());
1491             break;
1492         }
1493
1494         case HasOwnProperty: {
1495             fixEdge<ObjectUse>(node->child1());
1496 #if CPU(X86)
1497             // We don't have enough registers to do anything interesting on x86 and mips.
1498             fixEdge<UntypedUse>(node->child2());
1499 #else
1500             if (node->child2()->shouldSpeculateString())
1501                 fixEdge<StringUse>(node->child2());
1502             else if (node->child2()->shouldSpeculateSymbol())
1503                 fixEdge<SymbolUse>(node->child2());
1504             else
1505                 fixEdge<UntypedUse>(node->child2());
1506 #endif
1507             break;
1508         }
1509
1510         case CheckVarargs:
1511         case Check: {
1512             m_graph.doToChildren(
1513                 node,
1514                 [&] (Edge& edge) {
1515                     switch (edge.useKind()) {
1516                     case NumberUse:
1517                         if (edge->shouldSpeculateInt32ForArithmetic())
1518                             edge.setUseKind(Int32Use);
1519                         break;
1520                     default:
1521                         break;
1522                     }
1523                     observeUseKindOnEdge(edge);
1524                 });
1525             break;
1526         }
1527
1528         case Phantom:
1529             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1530             node->remove(m_graph);
1531             break;
1532
1533         case FiatInt52: {
1534             RELEASE_ASSERT(enableInt52());
1535             node->convertToIdentity();
1536             fixEdge<Int52RepUse>(node->child1());
1537             node->setResult(NodeResultInt52);
1538             break;
1539         }
1540
1541         case GetArrayLength: {
1542             fixEdge<KnownCellUse>(node->child1());
1543             break;
1544         }
1545
1546         case GetTypedArrayByteOffset: {
1547             fixEdge<KnownCellUse>(node->child1());
1548             break;
1549         }
1550
1551         case CompareBelow:
1552         case CompareBelowEq: {
1553             fixEdge<Int32Use>(node->child1());
1554             fixEdge<Int32Use>(node->child2());
1555             break;
1556         }
1557
1558         case GetPrototypeOf: {
1559             fixupGetPrototypeOf(node);
1560             break;
1561         }
1562
1563         case Phi:
1564         case Upsilon:
1565         case EntrySwitch:
1566         case GetIndexedPropertyStorage:
1567         case LastNodeType:
1568         case CheckTierUpInLoop:
1569         case CheckTierUpAtReturn:
1570         case CheckTierUpAndOSREnter:
1571         case InvalidationPoint:
1572         case CheckArray:
1573         case CheckInBounds:
1574         case ConstantStoragePointer:
1575         case DoubleAsInt32:
1576         case ValueToInt32:
1577         case DoubleRep:
1578         case ValueRep:
1579         case Int52Rep:
1580         case Int52Constant:
1581         case Identity: // This should have been cleaned up.
1582         case BooleanToNumber:
1583         case PhantomNewObject:
1584         case PhantomNewFunction:
1585         case PhantomNewGeneratorFunction:
1586         case PhantomNewAsyncGeneratorFunction:
1587         case PhantomNewAsyncFunction:
1588         case PhantomCreateActivation:
1589         case PhantomDirectArguments:
1590         case PhantomCreateRest:
1591         case PhantomSpread:
1592         case PhantomNewArrayWithSpread:
1593         case PhantomNewArrayBuffer:
1594         case PhantomClonedArguments:
1595         case PhantomNewRegexp:
1596         case GetMyArgumentByVal:
1597         case GetMyArgumentByValOutOfBounds:
1598         case GetVectorLength:
1599         case PutHint:
1600         case CheckStructureImmediate:
1601         case CheckStructureOrEmpty:
1602         case MaterializeNewObject:
1603         case MaterializeCreateActivation:
1604         case PutStack:
1605         case KillStack:
1606         case GetStack:
1607         case StoreBarrier:
1608         case FencedStoreBarrier:
1609         case GetRegExpObjectLastIndex:
1610         case SetRegExpObjectLastIndex:
1611         case RecordRegExpCachedResult:
1612         case RegExpExecNonGlobalOrSticky:
1613         case RegExpMatchFastGlobal:
1614             // These are just nodes that we don't currently expect to see during fixup.
1615             // If we ever wanted to insert them prior to fixup, then we just have to create
1616             // fixup rules for them.
1617             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1618             break;
1619
1620         case PutGlobalVariable: {
1621             fixEdge<CellUse>(node->child1());
1622             speculateForBarrier(node->child2());
1623             break;
1624         }
1625
1626         case IsObject:
1627             if (node->child1()->shouldSpeculateObject()) {
1628                 m_insertionSet.insertNode(
1629                     m_indexInBlock, SpecNone, Check, node->origin,
1630                     Edge(node->child1().node(), ObjectUse));
1631                 m_graph.convertToConstant(node, jsBoolean(true));
1632                 observeUseKindOnNode<ObjectUse>(node);
1633             }
1634             break;
1635
1636         case IsCellWithType: {
1637             fixupIsCellWithType(node);
1638             break;
1639         }
1640
1641         case GetEnumerableLength: {
1642             fixEdge<CellUse>(node->child1());
1643             break;
1644         }
1645         case HasGenericProperty: {
1646             fixEdge<CellUse>(node->child2());
1647             break;
1648         }
1649         case HasStructureProperty: {
1650             fixEdge<StringUse>(node->child2());
1651             fixEdge<KnownCellUse>(node->child3());
1652             break;
1653         }
1654         case HasIndexedProperty: {
1655             node->setArrayMode(
1656                 node->arrayMode().refine(
1657                     m_graph, node,
1658                     node->child1()->prediction(),
1659                     node->child2()->prediction(),
1660                     SpecNone));
1661             
1662             blessArrayOperation(node->child1(), node->child2(), node->child3());
1663             fixEdge<CellUse>(node->child1());
1664             fixEdge<KnownInt32Use>(node->child2());
1665             break;
1666         }
1667         case GetDirectPname: {
1668             Edge& base = m_graph.varArgChild(node, 0);
1669             Edge& property = m_graph.varArgChild(node, 1);
1670             Edge& index = m_graph.varArgChild(node, 2);
1671             Edge& enumerator = m_graph.varArgChild(node, 3);
1672             fixEdge<CellUse>(base);
1673             fixEdge<KnownCellUse>(property);
1674             fixEdge<KnownInt32Use>(index);
1675             fixEdge<KnownCellUse>(enumerator);
1676             break;
1677         }
1678         case GetPropertyEnumerator: {
1679             if (node->child1()->shouldSpeculateCell())
1680                 fixEdge<CellUse>(node->child1());
1681             break;
1682         }
1683         case GetEnumeratorStructurePname: {
1684             fixEdge<KnownCellUse>(node->child1());
1685             fixEdge<KnownInt32Use>(node->child2());
1686             break;
1687         }
1688         case GetEnumeratorGenericPname: {
1689             fixEdge<KnownCellUse>(node->child1());
1690             fixEdge<KnownInt32Use>(node->child2());
1691             break;
1692         }
1693         case ToIndexString: {
1694             fixEdge<KnownInt32Use>(node->child1());
1695             break;
1696         }
1697         case ProfileType: {
1698             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1699             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1700             // type T for the instructionTypeSet, the global type set must also have information for type T.
1701             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1702             // in the globalTypeSet would've also succeeded.
1703             // (The other direction does not hold in general).
1704
1705             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1706             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1707             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1708                 if (node->child1()->shouldSpeculateInt32()) {
1709                     fixEdge<Int32Use>(node->child1());
1710                     node->remove(m_graph);
1711                     break;
1712                 }
1713
1714                 if (enableInt52()) {
1715                     fixEdge<AnyIntUse>(node->child1());
1716                     node->remove(m_graph);
1717                     break;
1718                 }
1719
1720                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1721             }
1722
1723             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1724                 fixEdge<NumberUse>(node->child1());
1725                 node->remove(m_graph);
1726             } else if (typeSet->doesTypeConformTo(TypeString)) {
1727                 fixEdge<StringUse>(node->child1());
1728                 node->remove(m_graph);
1729             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1730                 fixEdge<BooleanUse>(node->child1());
1731                 node->remove(m_graph);
1732             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1733                 fixEdge<OtherUse>(node->child1());
1734                 node->remove(m_graph);
1735             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1736                 StructureSet set;
1737                 {
1738                     ConcurrentJSLocker locker(typeSet->m_lock);
1739                     set = typeSet->structureSet(locker);
1740                 }
1741                 if (!set.isEmpty()) {
1742                     fixEdge<CellUse>(node->child1());
1743                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1744                 }
1745             }
1746
1747             break;
1748         }
1749
1750         case CreateClonedArguments: {
1751             watchHavingABadTime(node);
1752             break;
1753         }
1754
1755         case CreateScopedArguments:
1756         case CreateActivation:
1757         case NewFunction:
1758         case NewGeneratorFunction:
1759         case NewAsyncGeneratorFunction:
1760         case NewAsyncFunction: {
1761             // Child 1 is always the current scope, which is guaranteed to be an object
1762             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1763             fixEdge<KnownCellUse>(node->child1());
1764             break;
1765         }
1766
1767         case PushWithScope: {
1768             // Child 1 is always the current scope, which is guaranteed to be an object
1769             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1770             fixEdge<KnownCellUse>(node->child1());
1771             if (node->child2()->shouldSpeculateObject())
1772                 fixEdge<ObjectUse>(node->child2());
1773             break;
1774         }
1775
1776         case SetFunctionName: {
1777             // The first child is guaranteed to be a cell because op_set_function_name is only used
1778             // on a newly instantiated function object (the first child).
1779             fixEdge<KnownCellUse>(node->child1());
1780             fixEdge<UntypedUse>(node->child2());
1781             break;
1782         }
1783
1784         case CreateRest: {
1785             watchHavingABadTime(node);
1786             fixEdge<KnownInt32Use>(node->child1());
1787             break;
1788         }
1789
1790         case ResolveScopeForHoistingFuncDeclInEval: {
1791             fixEdge<KnownCellUse>(node->child1());
1792             break;
1793         }
1794         case ResolveScope:
1795         case GetDynamicVar:
1796         case PutDynamicVar: {
1797             fixEdge<KnownCellUse>(node->child1());
1798             break;
1799         }
1800
1801         case LogShadowChickenPrologue: {
1802             fixEdge<KnownCellUse>(node->child1());
1803             break;
1804         }
1805         case LogShadowChickenTail: {
1806             fixEdge<UntypedUse>(node->child1());
1807             fixEdge<KnownCellUse>(node->child2());
1808             break;
1809         }
1810
1811         case GetMapBucket:
1812             if (node->child1().useKind() == MapObjectUse)
1813                 fixEdge<MapObjectUse>(node->child1());
1814             else if (node->child1().useKind() == SetObjectUse)
1815                 fixEdge<SetObjectUse>(node->child1());
1816             else
1817                 RELEASE_ASSERT_NOT_REACHED();
1818
1819 #if USE(JSVALUE64)
1820             if (node->child2()->shouldSpeculateBoolean())
1821                 fixEdge<BooleanUse>(node->child2());
1822             else if (node->child2()->shouldSpeculateInt32())
1823                 fixEdge<Int32Use>(node->child2());
1824             else if (node->child2()->shouldSpeculateSymbol())
1825                 fixEdge<SymbolUse>(node->child2());
1826             else if (node->child2()->shouldSpeculateObject())
1827                 fixEdge<ObjectUse>(node->child2());
1828             else if (node->child2()->shouldSpeculateString())
1829                 fixEdge<StringUse>(node->child2());
1830             else if (node->child2()->shouldSpeculateCell())
1831                 fixEdge<CellUse>(node->child2());
1832             else
1833                 fixEdge<UntypedUse>(node->child2());
1834 #else
1835             fixEdge<UntypedUse>(node->child2());
1836 #endif // USE(JSVALUE64)
1837
1838             fixEdge<Int32Use>(node->child3());
1839             break;
1840
1841         case GetMapBucketHead:
1842             if (node->child1().useKind() == MapObjectUse)
1843                 fixEdge<MapObjectUse>(node->child1());
1844             else if (node->child1().useKind() == SetObjectUse)
1845                 fixEdge<SetObjectUse>(node->child1());
1846             else
1847                 RELEASE_ASSERT_NOT_REACHED();
1848             break;
1849
1850         case GetMapBucketNext:
1851         case LoadKeyFromMapBucket:
1852         case LoadValueFromMapBucket:
1853             fixEdge<CellUse>(node->child1());
1854             break;
1855
1856         case MapHash: {
1857 #if USE(JSVALUE64)
1858             if (node->child1()->shouldSpeculateBoolean()) {
1859                 fixEdge<BooleanUse>(node->child1());
1860                 break;
1861             }
1862
1863             if (node->child1()->shouldSpeculateInt32()) {
1864                 fixEdge<Int32Use>(node->child1());
1865                 break;
1866             }
1867
1868             if (node->child1()->shouldSpeculateSymbol()) {
1869                 fixEdge<SymbolUse>(node->child1());
1870                 break;
1871             }
1872
1873             if (node->child1()->shouldSpeculateObject()) {
1874                 fixEdge<ObjectUse>(node->child1());
1875                 break;
1876             }
1877
1878             if (node->child1()->shouldSpeculateString()) {
1879                 fixEdge<StringUse>(node->child1());
1880                 break;
1881             }
1882
1883             if (node->child1()->shouldSpeculateCell()) {
1884                 fixEdge<CellUse>(node->child1());
1885                 break;
1886             }
1887
1888             fixEdge<UntypedUse>(node->child1());
1889 #else
1890             fixEdge<UntypedUse>(node->child1());
1891 #endif // USE(JSVALUE64)
1892             break;
1893         }
1894
1895         case NormalizeMapKey: {
1896             fixupNormalizeMapKey(node);
1897             break;
1898         }
1899
1900         case WeakMapGet: {
1901             if (node->child1().useKind() == WeakMapObjectUse)
1902                 fixEdge<WeakMapObjectUse>(node->child1());
1903             else if (node->child1().useKind() == WeakSetObjectUse)
1904                 fixEdge<WeakSetObjectUse>(node->child1());
1905             else
1906                 RELEASE_ASSERT_NOT_REACHED();
1907             fixEdge<ObjectUse>(node->child2());
1908             fixEdge<Int32Use>(node->child3());
1909             break;
1910         }
1911
1912         case SetAdd: {
1913             fixEdge<SetObjectUse>(node->child1());
1914             fixEdge<Int32Use>(node->child3());
1915             break;
1916         }
1917
1918         case MapSet: {
1919             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1920             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1921             break;
1922         }
1923
1924         case WeakSetAdd: {
1925             fixEdge<WeakSetObjectUse>(node->child1());
1926             fixEdge<ObjectUse>(node->child2());
1927             fixEdge<Int32Use>(node->child3());
1928             break;
1929         }
1930
1931         case WeakMapSet: {
1932             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1933             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
1934             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1935             break;
1936         }
1937
1938         case DefineDataProperty: {
1939             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1940             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1941             if (propertyEdge->shouldSpeculateSymbol())
1942                 fixEdge<SymbolUse>(propertyEdge);
1943             else if (propertyEdge->shouldSpeculateStringIdent())
1944                 fixEdge<StringIdentUse>(propertyEdge);
1945             else if (propertyEdge->shouldSpeculateString())
1946                 fixEdge<StringUse>(propertyEdge);
1947             else
1948                 fixEdge<UntypedUse>(propertyEdge);
1949             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1950             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1951             break;
1952         }
1953
1954         case StringSlice: {
1955             fixEdge<StringUse>(node->child1());
1956             fixEdge<Int32Use>(node->child2());
1957             if (node->child3())
1958                 fixEdge<Int32Use>(node->child3());
1959             break;
1960         }
1961
1962         case ToLowerCase: {
1963             // We currently only support StringUse since that will ensure that
1964             // ToLowerCase is a pure operation. If we decide to update this with
1965             // more types in the future, we need to ensure that the clobberize rules
1966             // are correct.
1967             fixEdge<StringUse>(node->child1());
1968             break;
1969         }
1970
1971         case NumberToStringWithRadix: {
1972             if (node->child1()->shouldSpeculateInt32())
1973                 fixEdge<Int32Use>(node->child1());
1974             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
1975                 fixEdge<Int52RepUse>(node->child1());
1976             else
1977                 fixEdge<DoubleRepUse>(node->child1());
1978             fixEdge<Int32Use>(node->child2());
1979             break;
1980         }
1981
1982         case DefineAccessorProperty: {
1983             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1984             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1985             if (propertyEdge->shouldSpeculateSymbol())
1986                 fixEdge<SymbolUse>(propertyEdge);
1987             else if (propertyEdge->shouldSpeculateStringIdent())
1988                 fixEdge<StringIdentUse>(propertyEdge);
1989             else if (propertyEdge->shouldSpeculateString())
1990                 fixEdge<StringUse>(propertyEdge);
1991             else
1992                 fixEdge<UntypedUse>(propertyEdge);
1993             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
1994             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
1995             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
1996             break;
1997         }
1998
1999         case CheckSubClass: {
2000             fixupCheckSubClass(node);
2001             break;
2002         }
2003
2004         case CallDOMGetter: {
2005             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2006             fixEdge<CellUse>(node->child1()); // DOM.
2007             if (snippet && snippet->requireGlobalObject)
2008                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2009             break;
2010         }
2011
2012         case CallDOM: {
2013             fixupCallDOM(node);
2014             break;
2015         }
2016
2017         case Call: {
2018             attemptToMakeCallDOM(node);
2019             break;
2020         }
2021
2022         case ParseInt: {
2023             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2024                 fixEdge<Int32Use>(node->child1());
2025                 node->convertToIdentity();
2026                 break;
2027             }
2028
2029             if (node->child1()->shouldSpeculateString()) {
2030                 fixEdge<StringUse>(node->child1());
2031                 node->clearFlags(NodeMustGenerate);
2032             }
2033
2034             if (node->child2())
2035                 fixEdge<Int32Use>(node->child2());
2036
2037             break;
2038         }
2039
2040         case IdentityWithProfile: {
2041             node->clearFlags(NodeMustGenerate);
2042             break;
2043         }
2044
2045         case ThrowStaticError:
2046             fixEdge<StringUse>(node->child1());
2047             break;
2048
2049         case NumberIsInteger:
2050             if (node->child1()->shouldSpeculateInt32()) {
2051                 m_insertionSet.insertNode(
2052                     m_indexInBlock, SpecNone, Check, node->origin,
2053                     Edge(node->child1().node(), Int32Use));
2054                 m_graph.convertToConstant(node, jsBoolean(true));
2055                 break;
2056             }
2057             break;
2058
2059         case SetCallee:
2060             fixEdge<CellUse>(node->child1());
2061             break;
2062
2063 #if !ASSERT_DISABLED
2064         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2065         case SetArgument:
2066         case JSConstant:
2067         case LazyJSConstant:
2068         case DoubleConstant:
2069         case GetLocal:
2070         case GetCallee:
2071         case GetArgumentCountIncludingThis:
2072         case SetArgumentCountIncludingThis:
2073         case GetRestLength:
2074         case GetArgument:
2075         case Flush:
2076         case PhantomLocal:
2077         case GetGlobalVar:
2078         case GetGlobalLexicalVariable:
2079         case NotifyWrite:
2080         case DirectCall:
2081         case CheckTypeInfoFlags:
2082         case TailCallInlinedCaller:
2083         case DirectTailCallInlinedCaller:
2084         case Construct:
2085         case DirectConstruct:
2086         case CallVarargs:
2087         case CallEval:
2088         case TailCallVarargsInlinedCaller:
2089         case ConstructVarargs:
2090         case CallForwardVarargs:
2091         case ConstructForwardVarargs:
2092         case TailCallForwardVarargs:
2093         case TailCallForwardVarargsInlinedCaller:
2094         case LoadVarargs:
2095         case ForwardVarargs:
2096         case ProfileControlFlow:
2097         case NewObject:
2098         case NewRegexp:
2099         case DeleteById:
2100         case DeleteByVal:
2101         case IsTypedArrayView:
2102         case IsEmpty:
2103         case IsUndefined:
2104         case IsBoolean:
2105         case IsNumber:
2106         case IsObjectOrNull:
2107         case IsFunction:
2108         case CreateDirectArguments:
2109         case Jump:
2110         case Return:
2111         case TailCall:
2112         case DirectTailCall:
2113         case TailCallVarargs:
2114         case Throw:
2115         case CountExecution:
2116         case SuperSamplerBegin:
2117         case SuperSamplerEnd:
2118         case ForceOSRExit:
2119         case CheckBadCell:
2120         case CheckNotEmpty:
2121         case AssertNotEmpty:
2122         case CheckTraps:
2123         case Unreachable:
2124         case ExtractOSREntryLocal:
2125         case ExtractCatchLocal:
2126         case LoopHint:
2127         case MovHint:
2128         case InitializeEntrypointArguments:
2129         case ZombieHint:
2130         case ExitOK:
2131         case BottomValue:
2132         case TypeOf:
2133         case PutByIdWithThis:
2134         case PutByValWithThis:
2135         case GetByValWithThis:
2136         case CompareEqPtr:
2137         case NumberToStringWithValidRadixConstant:
2138         case GetGlobalThis:
2139         case ExtractValueFromWeakMapGet:
2140         case CPUIntrinsic:
2141             break;
2142 #else
2143         default:
2144             break;
2145 #endif
2146         }
2147     }
2148
2149     void watchHavingABadTime(Node* node)
2150     {
2151         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2152
2153         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2154         // does an array allocation. The types of array allocations may change if we start to have a bad
2155         // time. It's easier to reason about this if we know that whenever the types change after we start
2156         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2157         // prior to this point nobody should have been doing optimizations based on the indexing type of
2158         // the allocation.
2159         if (!globalObject->isHavingABadTime()) {
2160             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2161             m_graph.freeze(globalObject);
2162         }
2163     }
2164     
2165     template<UseKind useKind>
2166     void createToString(Node* node, Edge& edge)
2167     {
2168         Node* toString = m_insertionSet.insertNode(
2169             m_indexInBlock, SpecString, ToString, node->origin,
2170             Edge(edge.node(), useKind));
2171         switch (useKind) {
2172         case Int32Use:
2173         case Int52RepUse:
2174         case DoubleRepUse:
2175         case NotCellUse:
2176             toString->clearFlags(NodeMustGenerate);
2177             break;
2178         default:
2179             break;
2180         }
2181         edge.setNode(toString);
2182     }
2183     
2184     template<UseKind useKind>
2185     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2186     {
2187         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2188         
2189         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2190             return;
2191         
2192         createToString<useKind>(node, node->child1());
2193         arrayMode = ArrayMode(Array::String, Array::Read);
2194     }
2195     
2196     template<UseKind useKind>
2197     bool isStringObjectUse()
2198     {
2199         switch (useKind) {
2200         case StringObjectUse:
2201         case StringOrStringObjectUse:
2202             return true;
2203         default:
2204             return false;
2205         }
2206     }
2207     
2208     template<UseKind useKind>
2209     void convertStringAddUse(Node* node, Edge& edge)
2210     {
2211         if (useKind == StringUse) {
2212             observeUseKindOnNode<StringUse>(edge.node());
2213             m_insertionSet.insertNode(
2214                 m_indexInBlock, SpecNone, Check, node->origin,
2215                 Edge(edge.node(), StringUse));
2216             edge.setUseKind(KnownStringUse);
2217             return;
2218         }
2219         
2220         observeUseKindOnNode<useKind>(edge.node());
2221         createToString<useKind>(node, edge);
2222     }
2223     
2224     void convertToMakeRope(Node* node)
2225     {
2226         node->setOpAndDefaultFlags(MakeRope);
2227         fixupMakeRope(node);
2228     }
2229     
2230     void fixupMakeRope(Node* node)
2231     {
2232         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2233             Edge& edge = node->children.child(i);
2234             if (!edge)
2235                 break;
2236             edge.setUseKind(KnownStringUse);
2237             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2238             if (!string)
2239                 continue;
2240             if (string->length())
2241                 continue;
2242             
2243             // Don't allow the MakeRope to have zero children.
2244             if (!i && !node->child2())
2245                 break;
2246             
2247             node->children.removeEdge(i--);
2248         }
2249         
2250         if (!node->child2()) {
2251             ASSERT(!node->child3());
2252             node->convertToIdentity();
2253         }
2254     }
2255
2256     void fixupIsCellWithType(Node* node)
2257     {
2258         switch (node->speculatedTypeForQuery()) {
2259         case SpecString:
2260             if (node->child1()->shouldSpeculateString()) {
2261                 m_insertionSet.insertNode(
2262                     m_indexInBlock, SpecNone, Check, node->origin,
2263                     Edge(node->child1().node(), StringUse));
2264                 m_graph.convertToConstant(node, jsBoolean(true));
2265                 observeUseKindOnNode<StringUse>(node);
2266                 return;
2267             }
2268             break;
2269
2270         case SpecProxyObject:
2271             if (node->child1()->shouldSpeculateProxyObject()) {
2272                 m_insertionSet.insertNode(
2273                     m_indexInBlock, SpecNone, Check, node->origin,
2274                     Edge(node->child1().node(), ProxyObjectUse));
2275                 m_graph.convertToConstant(node, jsBoolean(true));
2276                 observeUseKindOnNode<ProxyObjectUse>(node);
2277                 return;
2278             }
2279             break;
2280
2281         case SpecRegExpObject:
2282             if (node->child1()->shouldSpeculateRegExpObject()) {
2283                 m_insertionSet.insertNode(
2284                     m_indexInBlock, SpecNone, Check, node->origin,
2285                     Edge(node->child1().node(), RegExpObjectUse));
2286                 m_graph.convertToConstant(node, jsBoolean(true));
2287                 observeUseKindOnNode<RegExpObjectUse>(node);
2288                 return;
2289             }
2290             break;
2291
2292         case SpecArray:
2293             if (node->child1()->shouldSpeculateArray()) {
2294                 m_insertionSet.insertNode(
2295                     m_indexInBlock, SpecNone, Check, node->origin,
2296                     Edge(node->child1().node(), ArrayUse));
2297                 m_graph.convertToConstant(node, jsBoolean(true));
2298                 observeUseKindOnNode<ArrayUse>(node);
2299                 return;
2300             }
2301             break;
2302
2303         case SpecDerivedArray:
2304             if (node->child1()->shouldSpeculateDerivedArray()) {
2305                 m_insertionSet.insertNode(
2306                     m_indexInBlock, SpecNone, Check, node->origin,
2307                     Edge(node->child1().node(), DerivedArrayUse));
2308                 m_graph.convertToConstant(node, jsBoolean(true));
2309                 observeUseKindOnNode<DerivedArrayUse>(node);
2310                 return;
2311             }
2312             break;
2313         }
2314
2315         if (node->child1()->shouldSpeculateCell()) {
2316             fixEdge<CellUse>(node->child1());
2317             return;
2318         }
2319
2320         if (node->child1()->shouldSpeculateNotCell()) {
2321             m_insertionSet.insertNode(
2322                 m_indexInBlock, SpecNone, Check, node->origin,
2323                 Edge(node->child1().node(), NotCellUse));
2324             m_graph.convertToConstant(node, jsBoolean(false));
2325             observeUseKindOnNode<NotCellUse>(node);
2326             return;
2327         }
2328     }
2329
2330     void fixupGetPrototypeOf(Node* node)
2331     {
2332         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2333         if (node->child1().useKind() != ObjectUse) {
2334             if (node->child1()->shouldSpeculateString()) {
2335                 insertCheck<StringUse>(node->child1().node());
2336                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2337                 return;
2338             }
2339             if (node->child1()->shouldSpeculateInt32()) {
2340                 insertCheck<Int32Use>(node->child1().node());
2341                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2342                 return;
2343             }
2344             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2345                 insertCheck<Int52RepUse>(node->child1().node());
2346                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2347                 return;
2348             }
2349             if (node->child1()->shouldSpeculateNumber()) {
2350                 insertCheck<NumberUse>(node->child1().node());
2351                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2352                 return;
2353             }
2354             if (node->child1()->shouldSpeculateSymbol()) {
2355                 insertCheck<SymbolUse>(node->child1().node());
2356                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2357                 return;
2358             }
2359             if (node->child1()->shouldSpeculateBoolean()) {
2360                 insertCheck<BooleanUse>(node->child1().node());
2361                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2362                 return;
2363             }
2364         }
2365
2366         if (node->child1()->shouldSpeculateFinalObject()) {
2367             fixEdge<FinalObjectUse>(node->child1());
2368             node->clearFlags(NodeMustGenerate);
2369             return;
2370         }
2371         if (node->child1()->shouldSpeculateArray()) {
2372             fixEdge<ArrayUse>(node->child1());
2373             node->clearFlags(NodeMustGenerate);
2374             return;
2375         }
2376         if (node->child1()->shouldSpeculateFunction()) {
2377             fixEdge<FunctionUse>(node->child1());
2378             node->clearFlags(NodeMustGenerate);
2379             return;
2380         }
2381     }
2382
2383     void fixupToThis(Node* node)
2384     {
2385         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2386
2387         if (ecmaMode == StrictMode) {
2388             if (node->child1()->shouldSpeculateBoolean()) {
2389                 fixEdge<BooleanUse>(node->child1());
2390                 node->convertToIdentity();
2391                 return;
2392             }
2393
2394             if (node->child1()->shouldSpeculateInt32()) {
2395                 fixEdge<Int32Use>(node->child1());
2396                 node->convertToIdentity();
2397                 return;
2398             }
2399
2400             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2401                 fixEdge<Int52RepUse>(node->child1());
2402                 node->convertToIdentity();
2403                 node->setResult(NodeResultInt52);
2404                 return;
2405             }
2406
2407             if (node->child1()->shouldSpeculateNumber()) {
2408                 fixEdge<DoubleRepUse>(node->child1());
2409                 node->convertToIdentity();
2410                 node->setResult(NodeResultDouble);
2411                 return;
2412             }
2413
2414             if (node->child1()->shouldSpeculateSymbol()) {
2415                 fixEdge<SymbolUse>(node->child1());
2416                 node->convertToIdentity();
2417                 return;
2418             }
2419
2420             if (node->child1()->shouldSpeculateStringIdent()) {
2421                 fixEdge<StringIdentUse>(node->child1());
2422                 node->convertToIdentity();
2423                 return;
2424             }
2425
2426             if (node->child1()->shouldSpeculateString()) {
2427                 fixEdge<StringUse>(node->child1());
2428                 node->convertToIdentity();
2429                 return;
2430             }
2431             
2432             if (node->child1()->shouldSpeculateBigInt()) {
2433                 fixEdge<BigIntUse>(node->child1());
2434                 node->convertToIdentity();
2435                 return;
2436             }
2437         }
2438
2439         if (node->child1()->shouldSpeculateOther()) {
2440             if (ecmaMode == StrictMode) {
2441                 fixEdge<OtherUse>(node->child1());
2442                 node->convertToIdentity();
2443                 return;
2444             }
2445
2446             m_insertionSet.insertNode(
2447                 m_indexInBlock, SpecNone, Check, node->origin,
2448                 Edge(node->child1().node(), OtherUse));
2449             observeUseKindOnNode<OtherUse>(node->child1().node());
2450             m_graph.convertToConstant(
2451                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2452             return;
2453         }
2454
2455         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2456         // however, since we cover all the missing cases in constant folding.
2457         // https://bugs.webkit.org/show_bug.cgi?id=157213
2458         if (node->child1()->shouldSpeculateStringObject()) {
2459             fixEdge<StringObjectUse>(node->child1());
2460             node->convertToIdentity();
2461             return;
2462         }
2463
2464         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2465             fixEdge<FinalObjectUse>(node->child1());
2466             node->convertToIdentity();
2467             return;
2468         }
2469     }
2470     
2471     void fixupToPrimitive(Node* node)
2472     {
2473         if (node->child1()->shouldSpeculateInt32()) {
2474             fixEdge<Int32Use>(node->child1());
2475             node->convertToIdentity();
2476             return;
2477         }
2478         
2479         if (node->child1()->shouldSpeculateString()) {
2480             fixEdge<StringUse>(node->child1());
2481             node->convertToIdentity();
2482             return;
2483         }
2484         
2485         if (node->child1()->shouldSpeculateStringObject()
2486             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2487             fixEdge<StringObjectUse>(node->child1());
2488             node->convertToToString();
2489             return;
2490         }
2491         
2492         if (node->child1()->shouldSpeculateStringOrStringObject()
2493             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2494             fixEdge<StringOrStringObjectUse>(node->child1());
2495             node->convertToToString();
2496             return;
2497         }
2498     }
2499
2500     void fixupToNumber(Node* node)
2501     {
2502         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2503         if (node->child1()->shouldSpeculateNumber()) {
2504             if (isInt32Speculation(node->getHeapPrediction())) {
2505                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2506                 if (node->child1()->shouldSpeculateInt32()) {
2507                     fixEdge<Int32Use>(node->child1());
2508                     node->convertToIdentity();
2509                     return;
2510                 }
2511
2512                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2513                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2514                 fixEdge<DoubleRepUse>(node->child1());
2515                 node->setOp(DoubleAsInt32);
2516                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2517                     node->setArithMode(Arith::CheckOverflow);
2518                 else
2519                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2520                 return;
2521             }
2522
2523             fixEdge<DoubleRepUse>(node->child1());
2524             node->convertToIdentity();
2525             node->setResult(NodeResultDouble);
2526             return;
2527         }
2528
2529         fixEdge<UntypedUse>(node->child1());
2530         node->setResult(NodeResultJS);
2531     }
2532
2533     void fixupToObject(Node* node)
2534     {
2535         if (node->child1()->shouldSpeculateObject()) {
2536             fixEdge<ObjectUse>(node->child1());
2537             node->convertToIdentity();
2538             return;
2539         }
2540
2541         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2542
2543         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2544
2545         if (node->child1()->shouldSpeculateString()) {
2546             insertCheck<StringUse>(node->child1().node());
2547             fixEdge<KnownStringUse>(node->child1());
2548             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2549             return;
2550         }
2551
2552         if (node->child1()->shouldSpeculateSymbol()) {
2553             insertCheck<SymbolUse>(node->child1().node());
2554             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2555             return;
2556         }
2557
2558         if (node->child1()->shouldSpeculateNumber()) {
2559             insertCheck<NumberUse>(node->child1().node());
2560             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2561             return;
2562         }
2563
2564         if (node->child1()->shouldSpeculateBoolean()) {
2565             insertCheck<BooleanUse>(node->child1().node());
2566             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2567             return;
2568         }
2569
2570         fixEdge<UntypedUse>(node->child1());
2571     }
2572
2573     void fixupCallObjectConstructor(Node* node)
2574     {
2575         if (node->child1()->shouldSpeculateObject()) {
2576             fixEdge<ObjectUse>(node->child1());
2577             node->convertToIdentity();
2578             return;
2579         }
2580
2581         if (node->child1()->shouldSpeculateString()) {
2582             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2583             insertCheck<StringUse>(node->child1().node());
2584             fixEdge<KnownStringUse>(node->child1());
2585             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2586             return;
2587         }
2588
2589         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2590         if (node->child1()->shouldSpeculateOther()) {
2591             insertCheck<OtherUse>(node->child1().node());
2592             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2593             return;
2594         }
2595
2596         fixEdge<UntypedUse>(node->child1());
2597     }
2598     
2599     void fixupToStringOrCallStringConstructor(Node* node)
2600     {
2601         if (node->child1()->shouldSpeculateString()) {
2602             fixEdge<StringUse>(node->child1());
2603             node->convertToIdentity();
2604             return;
2605         }
2606         
2607         if (node->child1()->shouldSpeculateStringObject()
2608             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2609             fixEdge<StringObjectUse>(node->child1());
2610             return;
2611         }
2612         
2613         if (node->child1()->shouldSpeculateStringOrStringObject()
2614             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2615             fixEdge<StringOrStringObjectUse>(node->child1());
2616             return;
2617         }
2618         
2619         if (node->child1()->shouldSpeculateCell()) {
2620             fixEdge<CellUse>(node->child1());
2621             return;
2622         }
2623
2624         if (node->child1()->shouldSpeculateInt32()) {
2625             fixEdge<Int32Use>(node->child1());
2626             node->clearFlags(NodeMustGenerate);
2627             return;
2628         }
2629
2630         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2631             fixEdge<Int52RepUse>(node->child1());
2632             node->clearFlags(NodeMustGenerate);
2633             return;
2634         }
2635
2636         if (node->child1()->shouldSpeculateNumber()) {
2637             fixEdge<DoubleRepUse>(node->child1());
2638             node->clearFlags(NodeMustGenerate);
2639             return;
2640         }
2641
2642         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2643         // we need to care about it in the clobberize. In the following case,
2644         // since NotCellUse edge filter is used and this edge filters Symbols,
2645         // we can say that ToString never throws an error!
2646         if (node->child1()->shouldSpeculateNotCell()) {
2647             fixEdge<NotCellUse>(node->child1());
2648             node->clearFlags(NodeMustGenerate);
2649             return;
2650         }
2651     }
2652
2653     bool attemptToMakeFastStringAdd(Node* node)
2654     {
2655         bool goodToGo = true;
2656         m_graph.doToChildren(
2657             node,
2658             [&] (Edge& edge) {
2659                 if (edge->shouldSpeculateString())
2660                     return;
2661                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2662                     if (edge->shouldSpeculateStringObject())
2663                         return;
2664                     if (edge->shouldSpeculateStringOrStringObject())
2665                         return;
2666                 }
2667                 goodToGo = false;
2668             });
2669         if (!goodToGo)
2670             return false;
2671
2672         m_graph.doToChildren(
2673             node,
2674             [&] (Edge& edge) {
2675                 if (edge->shouldSpeculateString()) {
2676                     convertStringAddUse<StringUse>(node, edge);
2677                     return;
2678                 }
2679                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2680                 if (edge->shouldSpeculateStringObject()) {
2681                     convertStringAddUse<StringObjectUse>(node, edge);
2682                     return;
2683                 }
2684                 if (edge->shouldSpeculateStringOrStringObject()) {
2685                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2686                     return;
2687                 }
2688                 RELEASE_ASSERT_NOT_REACHED();
2689             });
2690         
2691         convertToMakeRope(node);
2692         return true;
2693     }
2694
2695     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2696     {
2697         if (!block)
2698             return;
2699         ASSERT(block->isReachable);
2700         m_block = block;
2701         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2702             Node* node = m_currentNode = block->at(m_indexInBlock);
2703             if (node->op() != SetLocal && node->op() != GetLocal)
2704                 continue;
2705             
2706             VariableAccessData* variable = node->variableAccessData();
2707             switch (node->op()) {
2708             case GetLocal:
2709                 switch (variable->flushFormat()) {
2710                 case FlushedDouble:
2711                     node->setResult(NodeResultDouble);
2712                     break;
2713                 case FlushedInt52:
2714                     node->setResult(NodeResultInt52);
2715                     break;
2716                 default:
2717                     break;
2718                 }
2719                 break;
2720                 
2721             case SetLocal:
2722                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2723                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2724                 
2725                 switch (variable->flushFormat()) {
2726                 case FlushedJSValue:
2727                     break;
2728                 case FlushedDouble:
2729                     fixEdge<DoubleRepUse>(node->child1());
2730                     break;
2731                 case FlushedInt32:
2732                     fixEdge<Int32Use>(node->child1());
2733                     break;
2734                 case FlushedInt52:
2735                     fixEdge<Int52RepUse>(node->child1());
2736                     break;
2737                 case FlushedCell:
2738                     fixEdge<CellUse>(node->child1());
2739                     break;
2740                 case FlushedBoolean:
2741                     fixEdge<BooleanUse>(node->child1());
2742                     break;
2743                 default:
2744                     RELEASE_ASSERT_NOT_REACHED();
2745                     break;
2746                 }
2747                 break;
2748                 
2749             default:
2750                 RELEASE_ASSERT_NOT_REACHED();
2751                 break;
2752             }
2753         }
2754         m_insertionSet.execute(block);
2755     }
2756     
2757     void addStringReplacePrimordialChecks(Node* searchRegExp)
2758     {
2759         Node* node = m_currentNode;
2760
2761         // Check that structure of searchRegExp is RegExp object
2762         m_insertionSet.insertNode(
2763             m_indexInBlock, SpecNone, Check, node->origin,
2764             Edge(searchRegExp, RegExpObjectUse));
2765
2766         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2767             unsigned index = m_graph.identifiers().ensure(propertyUID);
2768
2769             Node* actualProperty = m_insertionSet.insertNode(
2770                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2771                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2772
2773             m_insertionSet.insertNode(
2774                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2775                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2776         };
2777
2778         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2779
2780         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2781         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2782         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2783         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2784         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2785         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2786         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2787         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2788     }
2789
2790     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2791     {
2792         ASSERT(arrayMode.isSpecific());
2793         
2794         if (arrayMode.type() == Array::String) {
2795             m_insertionSet.insertNode(
2796                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2797         } else {
2798             // Note that we only need to be using a structure check if we opt for SaneChain, since
2799             // that needs to protect against JSArray's __proto__ being changed.
2800             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2801         
2802             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2803             
2804             if (arrayMode.doesConversion()) {
2805                 if (structure) {
2806                     m_insertionSet.insertNode(
2807                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2808                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2809                 } else {
2810                     m_insertionSet.insertNode(
2811                         m_indexInBlock, SpecNone, Arrayify, origin,
2812                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2813                 }
2814             } else {
2815                 if (structure) {
2816                     m_insertionSet.insertNode(
2817                         m_indexInBlock, SpecNone, CheckStructure, origin,
2818                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2819                 } else {
2820                     m_insertionSet.insertNode(
2821                         m_indexInBlock, SpecNone, CheckArray, origin,
2822                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2823                 }
2824             }
2825         }
2826         
2827         if (!storageCheck(arrayMode))
2828             return nullptr;
2829         
2830         if (arrayMode.usesButterfly()) {
2831             return m_insertionSet.insertNode(
2832                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2833         }
2834         
2835         return m_insertionSet.insertNode(
2836             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2837             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2838     }
2839     
2840     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2841     {
2842         Node* node = m_currentNode;
2843         
2844         switch (node->arrayMode().type()) {
2845         case Array::ForceExit: {
2846             m_insertionSet.insertNode(
2847                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2848             return;
2849         }
2850             
2851         case Array::SelectUsingPredictions:
2852         case Array::Unprofiled:
2853             RELEASE_ASSERT_NOT_REACHED();
2854             return;
2855             
2856         case Array::Generic:
2857             return;
2858             
2859         default: {
2860             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2861             if (!storage)
2862                 return;
2863             
2864             storageChild = Edge(storage);
2865             return;
2866         } }
2867     }
2868     
2869     bool alwaysUnboxSimplePrimitives()
2870     {
2871 #if USE(JSVALUE64)
2872         return false;
2873 #else
2874         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2875         // reduces traffic.
2876         return true;
2877 #endif
2878     }
2879
2880     template<UseKind useKind>
2881     void observeUseKindOnNode(Node* node)
2882     {
2883         if (useKind == UntypedUse)
2884             return;
2885         observeUseKindOnNode(node, useKind);
2886     }
2887
2888     void observeUseKindOnEdge(Edge edge)
2889     {
2890         observeUseKindOnNode(edge.node(), edge.useKind());
2891     }
2892
2893     void observeUseKindOnNode(Node* node, UseKind useKind)
2894     {
2895         if (node->op() != GetLocal)
2896             return;
2897         
2898         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2899         // https://bugs.webkit.org/show_bug.cgi?id=121518
2900         
2901         VariableAccessData* variable = node->variableAccessData();
2902         switch (useKind) {
2903         case Int32Use:
2904         case KnownInt32Use:
2905             if (alwaysUnboxSimplePrimitives()
2906                 || isInt32Speculation(variable->prediction()))
2907                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2908             break;
2909         case NumberUse:
2910         case RealNumberUse:
2911         case DoubleRepUse:
2912         case DoubleRepRealUse:
2913             if (variable->doubleFormatState() == UsingDoubleFormat)
2914                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2915             break;
2916         case BooleanUse:
2917         case KnownBooleanUse:
2918             if (alwaysUnboxSimplePrimitives()
2919                 || isBooleanSpeculation(variable->prediction()))
2920                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2921             break;
2922         case Int52RepUse:
2923             if (isAnyIntSpeculation(variable->prediction()))
2924                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2925             break;
2926         case CellUse:
2927         case KnownCellUse:
2928         case ObjectUse:
2929         case FunctionUse:
2930         case StringUse:
2931         case KnownStringUse:
2932         case SymbolUse:
2933         case BigIntUse:
2934         case StringObjectUse:
2935         case StringOrStringObjectUse:
2936             if (alwaysUnboxSimplePrimitives()
2937                 || isCellSpeculation(variable->prediction()))
2938                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2939             break;
2940         default:
2941             break;
2942         }
2943     }
2944     
2945     template<UseKind useKind>
2946     void fixEdge(Edge& edge)
2947     {
2948         observeUseKindOnNode<useKind>(edge.node());
2949         edge.setUseKind(useKind);
2950     }
2951     
2952     unsigned indexForChecks()
2953     {
2954         unsigned index = m_indexInBlock;
2955         while (!m_block->at(index)->origin.exitOK)
2956             index--;
2957         return index;
2958     }
2959     
2960     NodeOrigin originForCheck(unsigned index)
2961     {
2962         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2963     }
2964     
2965     void speculateForBarrier(Edge value)
2966     {
2967         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2968         // the DFG anyway because if such a speculation would be wrong, we want to know before
2969         // we do an expensive compile.
2970         
2971         if (value->shouldSpeculateInt32()) {
2972             insertCheck<Int32Use>(value.node());
2973             return;
2974         }
2975             
2976         if (value->shouldSpeculateBoolean()) {
2977             insertCheck<BooleanUse>(value.node());
2978             return;
2979         }
2980             
2981         if (value->shouldSpeculateOther()) {
2982             insertCheck<OtherUse>(value.node());
2983             return;
2984         }
2985             
2986         if (value->shouldSpeculateNumber()) {
2987             insertCheck<NumberUse>(value.node());
2988             return;
2989         }
2990             
2991         if (value->shouldSpeculateNotCell()) {
2992             insertCheck<NotCellUse>(value.node());
2993             return;
2994         }
2995     }
2996     
2997     template<UseKind useKind>
2998     void insertCheck(Node* node)
2999     {
3000         observeUseKindOnNode<useKind>(node);
3001         unsigned index = indexForChecks();
3002         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3003     }
3004
3005     void fixIntConvertingEdge(Edge& edge)
3006     {
3007         Node* node = edge.node();
3008         if (node->shouldSpeculateInt32OrBoolean()) {
3009             fixIntOrBooleanEdge(edge);
3010             return;
3011         }
3012         
3013         UseKind useKind;
3014         if (node->shouldSpeculateAnyInt())
3015             useKind = Int52RepUse;
3016         else if (node->shouldSpeculateNumber())
3017             useKind = DoubleRepUse;
3018         else
3019             useKind = NotCellUse;
3020         Node* newNode = m_insertionSet.insertNode(
3021             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3022             Edge(node, useKind));
3023         observeUseKindOnNode(node, useKind);
3024         
3025         edge = Edge(newNode, KnownInt32Use);
3026     }
3027     
3028     void fixIntOrBooleanEdge(Edge& edge)
3029     {
3030         Node* node = edge.node();
3031         if (!node->sawBooleans()) {
3032             fixEdge<Int32Use>(edge);
3033             return;
3034         }
3035         
3036         UseKind useKind;
3037         if (node->shouldSpeculateBoolean())
3038             useKind = BooleanUse;
3039         else
3040             useKind = UntypedUse;
3041         Node* newNode = m_insertionSet.insertNode(
3042             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3043             Edge(node, useKind));
3044         observeUseKindOnNode(node, useKind);
3045         
3046         edge = Edge(newNode, Int32Use);
3047     }
3048     
3049     void fixDoubleOrBooleanEdge(Edge& edge)
3050     {
3051         Node* node = edge.node();
3052         if (!node->sawBooleans()) {
3053             fixEdge<DoubleRepUse>(edge);
3054             return;
3055         }
3056         
3057         UseKind useKind;
3058         if (node->shouldSpeculateBoolean())
3059             useKind = BooleanUse;
3060         else
3061             useKind = UntypedUse;
3062         Node* newNode = m_insertionSet.insertNode(
3063             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3064             Edge(node, useKind));
3065         observeUseKindOnNode(node, useKind);
3066         
3067         edge = Edge(newNode, DoubleRepUse);
3068     }
3069     
3070     void truncateConstantToInt32(Edge& edge)
3071     {
3072         Node* oldNode = edge.node();
3073         
3074         JSValue value = oldNode->asJSValue();
3075         if (value.isInt32())
3076             return;
3077         
3078         value = jsNumber(JSC::toInt32(value.asNumber()));
3079         ASSERT(value.isInt32());
3080         edge.setNode(m_insertionSet.insertNode(
3081             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3082             OpInfo(m_graph.freeze(value))));
3083     }
3084     
3085     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3086     {
3087         if (mode != SpeculateInt32AndTruncateConstants)
3088             return;
3089         
3090         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3091         if (node->child1()->hasConstant())
3092             truncateConstantToInt32(node->child1());
3093         else
3094             truncateConstantToInt32(node->child2());
3095     }
3096
3097     bool attemptToMakeIntegerAdd(Node* node)
3098     {
3099         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3100         if (mode != DontSpeculateInt32) {
3101             truncateConstantsIfNecessary(node, mode);
3102             fixIntOrBooleanEdge(node->child1());
3103             fixIntOrBooleanEdge(node->child2());
3104             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3105                 node->setArithMode(Arith::Unchecked);
3106             else
3107                 node->setArithMode(Arith::CheckOverflow);
3108             return true;
3109         }
3110         
3111         if (m_graph.addShouldSpeculateAnyInt(node)) {
3112             fixEdge<Int52RepUse>(node->child1());
3113             fixEdge<Int52RepUse>(node->child2());
3114             node->setArithMode(Arith::CheckOverflow);
3115             node->setResult(NodeResultInt52);
3116             return true;
3117         }
3118         
3119         return false;
3120     }
3121     
3122     bool attemptToMakeGetArrayLength(Node* node)
3123     {
3124         if (!isInt32Speculation(node->prediction()))
3125             return false;
3126         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3127         ArrayProfile* arrayProfile = 
3128             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3129         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3130         if (arrayProfile) {
3131             ConcurrentJSLocker locker(profiledBlock->m_lock);
3132             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3133             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3134             if (arrayMode.type() == Array::Unprofiled) {
3135                 // For normal array operations, it makes sense to treat Unprofiled
3136                 // accesses as ForceExit and get more data rather than using
3137                 // predictions and then possibly ending up with a Generic. But here,
3138                 // we treat anything that is Unprofiled as Generic and keep the
3139                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3140                 // profit - from treating the Unprofiled case as
3141                 // SelectUsingPredictions.
3142                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3143             }
3144         }
3145             
3146         arrayMode = arrayMode.refine(
3147             m_graph, node, node->child1()->prediction(), node->prediction());
3148             
3149         if (arrayMode.type() == Array::Generic) {
3150             // Check if the input is something that we can't get array length for, but for which we
3151             // could insert some conversions in order to transform it into something that we can do it
3152             // for.
3153             if (node->child1()->shouldSpeculateStringObject())
3154                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3155             else if (node->child1()->shouldSpeculateStringOrStringObject())
3156                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3157         }
3158             
3159         if (!arrayMode.supportsSelfLength())
3160             return false;
3161         
3162         convertToGetArrayLength(node, arrayMode);
3163         return true;
3164     }
3165
3166     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3167     {
3168         node->setOp(GetArrayLength);
3169         node->clearFlags(NodeMustGenerate);
3170         fixEdge<KnownCellUse>(node->child1());
3171         node->setArrayMode(arrayMode);
3172             
3173         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3174         if (!storage)
3175             return;
3176             
3177         node->child2() = Edge(storage);
3178     }
3179     
3180     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3181     {
3182         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3183         return m_insertionSet.insertNode(
3184             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3185             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3186     }
3187
3188     void convertToHasIndexedProperty(Node* node)
3189     {
3190         node->setOp(HasIndexedProperty);
3191         node->clearFlags(NodeMustGenerate);
3192         node->setArrayMode(
3193             node->arrayMode().refine(
3194                 m_graph, node,
3195                 node->child1()->prediction(),
3196                 node->child2()->prediction(),
3197                 SpecNone));
3198         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3199
3200         blessArrayOperation(node->child1(), node->child2(), node->child3());
3201
3202         fixEdge<CellUse>(node->child1());
3203         fixEdge<Int32Use>(node->child2());
3204     }
3205
3206     void fixupNormalizeMapKey(Node* node)
3207     {
3208         if (node->child1()->shouldSpeculateBoolean()) {
3209             fixEdge<BooleanUse>(node->child1());
3210             node->convertToIdentity();
3211             return;
3212         }
3213
3214         if (node->child1()->shouldSpeculateInt32()) {
3215             fixEdge<Int32Use>(node->child1());
3216             node->convertToIdentity();
3217             return;
3218         }
3219
3220         if (node->child1()->shouldSpeculateSymbol()) {
3221             fixEdge<SymbolUse>(node->child1());
3222             node->convertToIdentity();
3223             return;
3224         }
3225
3226         if (node->child1()->shouldSpeculateObject()) {
3227             fixEdge<ObjectUse>(node->child1());
3228             node->convertToIdentity();
3229             return;
3230         }
3231
3232         if (node->child1()->shouldSpeculateString()) {
3233             fixEdge<StringUse>(node->child1());
3234             node->convertToIdentity();
3235             return;
3236         }
3237
3238         if (node->child1()->shouldSpeculateCell()) {
3239             fixEdge<CellUse>(node->child1());
3240             node->convertToIdentity();
3241             return;
3242         }
3243
3244         fixEdge<UntypedUse>(node->child1());
3245     }
3246
3247     bool attemptToMakeCallDOM(Node* node)
3248     {
3249         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3250             return false;
3251
3252         const DOMJIT::Signature* signature = node->signature();
3253         if (!signature)
3254             return false;
3255
3256         {
3257             unsigned index = 0;
3258             bool shouldConvertToCallDOM = true;
3259             m_graph.doToChildren(node, [&](Edge& edge) {
3260                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3261                 if (!index)
3262                     return;
3263
3264                 if (index == 1) {
3265                     // DOM node case.
3266                     if (edge->shouldSpeculateNotCell())
3267                         shouldConvertToCallDOM = false;
3268                 } else {
3269                     switch (signature->arguments[index - 2]) {
3270                     case SpecString:
3271                         if (edge->shouldSpeculateNotString())
3272                             shouldConvertToCallDOM = false;
3273                         break;
3274                     case SpecInt32Only:
3275                         if (edge->shouldSpeculateNotInt32())
3276                             shouldConvertToCallDOM = false;
3277                         break;
3278                     case SpecBoolean:
3279                         if (edge->shouldSpeculateNotBoolean())
3280                             shouldConvertToCallDOM = false;
3281                         break;
3282                     default:
3283                         RELEASE_ASSERT_NOT_REACHED();
3284                         break;
3285                     }
3286                 }
3287                 ++index;
3288             });
3289             if (!shouldConvertToCallDOM)
3290                 return false;
3291         }
3292
3293         Node* thisNode = m_graph.varArgChild(node, 1).node();
3294         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3295         node->convertToCallDOM(m_graph);
3296         fixupCheckSubClass(checkSubClass);
3297         fixupCallDOM(node);
3298         return true;
3299     }
3300
3301     void fixupCheckSubClass(Node* node)
3302     {
3303         fixEdge<CellUse>(node->child1());
3304     }
3305
3306     void fixupCallDOM(Node* node)
3307     {
3308         const DOMJIT::Signature* signature = node->signature();
3309         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3310             if (!edge)
3311                 return;
3312             switch (signature->arguments[argumentIndex]) {
3313             case SpecString:
3314                 fixEdge<StringUse>(edge);
3315                 break;
3316             case SpecInt32Only:
3317                 fixEdge<Int32Use>(edge);
3318                 break;
3319             case SpecBoolean:
3320                 fixEdge<BooleanUse>(edge);
3321                 break;
3322             default:
3323                 RELEASE_ASSERT_NOT_REACHED();
3324                 break;
3325             }
3326         };
3327         fixEdge<CellUse>(node->child1()); // DOM.
3328         fixup(node->child2(), 0);
3329         fixup(node->child3(), 1);
3330     }
3331
3332     void fixupArrayIndexOf(Node* node)
3333     {
3334         Edge& array = m_graph.varArgChild(node, 0);
3335         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3336         blessArrayOperation(array, Edge(), storage);
3337         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3338
3339         Edge& searchElement = m_graph.varArgChild(node, 1);
3340
3341         // Constant folding.
3342         switch (node->arrayMode().type()) {
3343         case Array::Double:
3344         case Array::Int32: {
3345             if (searchElement->shouldSpeculateCell()) {
3346                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3347                 m_graph.convertToConstant(node, jsNumber(-1));
3348                 observeUseKindOnNode<CellUse>(searchElement.node());
3349                 return;
3350             }
3351
3352             if (searchElement->shouldSpeculateOther()) {
3353                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3354                 m_graph.convertToConstant(node, jsNumber(-1));
3355                 observeUseKindOnNode<OtherUse>(searchElement.node());
3356                 return;
3357             }
3358
3359             if (searchElement->shouldSpeculateBoolean()) {
3360                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3361                 m_graph.convertToConstant(node, jsNumber(-1));
3362                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3363                 return;
3364             }
3365             break;
3366         }
3367         default:
3368             break;
3369         }
3370
3371         fixEdge<KnownCellUse>(array);
3372         if (node->numChildren() == 4)
3373             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3374
3375         switch (node->arrayMode().type()) {
3376         case Array::Double: {
3377             if (searchElement->shouldSpeculateNumber())
3378                 fixEdge<DoubleRepUse>(searchElement);
3379             return;
3380         }
3381         case Array::Int32: {
3382             if (searchElement->shouldSpeculateInt32())
3383                 fixEdge<Int32Use>(searchElement);
3384             return;
3385         }
3386         case Array::Contiguous: {
3387             if (searchElement->shouldSpeculateString())
3388                 fixEdge<StringUse>(searchElement);
3389             else if (searchElement->shouldSpeculateSymbol())
3390                 fixEdge<SymbolUse>(searchElement);
3391             else if (searchElement->shouldSpeculateOther())
3392                 fixEdge<OtherUse>(searchElement);
3393             else if (searchElement->shouldSpeculateObject())
3394                 fixEdge<ObjectUse>(searchElement);
3395             return;
3396         }
3397         default:
3398             RELEASE_ASSERT_NOT_REACHED();
3399             return;
3400         }
3401     }
3402
3403     void fixupCompareStrictEqAndSameValue(Node* node)
3404     {
3405         ASSERT(node->op() == SameValue || node->op() == CompareStrictEq);
3406
3407         if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
3408             fixEdge<BooleanUse>(node->child1());
3409             fixEdge<BooleanUse>(node->child2());
3410             node->setOpAndDefaultFlags(CompareStrictEq);
3411             return;
3412         }
3413         if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
3414             fixEdge<Int32Use>(node->child1());
3415             fixEdge<Int32Use>(node->child2());
3416             node->setOpAndDefaultFlags(CompareStrictEq);
3417             return;
3418         }
3419         if (enableInt52()
3420             && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
3421             fixEdge<Int52RepUse>(node->child1());
3422             fixEdge<Int52RepUse>(node->child2());
3423             node->setOpAndDefaultFlags(CompareStrictEq);
3424             return;
3425         }
3426         if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
3427             fixEdge<DoubleRepUse>(node->child1());
3428             fixEdge<DoubleRepUse>(node->child2());
3429             // Do not convert SameValue to CompareStrictEq in this case since SameValue(NaN, NaN) and SameValue(-0, +0)
3430             // are not the same to CompareStrictEq(NaN, NaN) and CompareStrictEq(-0, +0).
3431             return;
3432         }
3433         if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
3434             fixEdge<SymbolUse>(node->child1());
3435             fixEdge<SymbolUse>(node->child2());
3436             node->setOpAndDefaultFlags(CompareStrictEq);
3437             return;
3438         }
3439         if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
3440             fixEdge<BigIntUse>(node->child1());
3441             fixEdge<BigIntUse>(node->child2());
3442             node->setOpAndDefaultFlags(CompareStrictEq);
3443             return;
3444         }
3445         if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
3446             fixEdge<StringIdentUse>(node->child1());
3447             fixEdge<StringIdentUse>(node->child2());
3448             node->setOpAndDefaultFlags(CompareStrictEq);
3449             return;
3450         }
3451         if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
3452             fixEdge<StringUse>(node->child1());
3453             fixEdge<StringUse>(node->child2());
3454             node->setOpAndDefaultFlags(CompareStrictEq);
3455             return;
3456         }
3457
3458         if (node->op() == SameValue) {
3459             if (node->child1()->shouldSpeculateObject()) {
3460                 fixEdge<ObjectUse>(node->child1());
3461                 node->setOpAndDefaultFlags(CompareStrictEq);
3462                 return;
3463             }
3464             if (node->child2()->shouldSpeculateObject()) {
3465                 fixEdge<ObjectUse>(node->child2());
3466                 node->setOpAndDefaultFlags(CompareStrictEq);
3467                 return;
3468             }
3469         } else {
3470             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
3471             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
3472                 if (node->child1()->shouldSpeculateObject()) {
3473                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
3474                     fixEdge<ObjectUse>(node->child1());
3475                     return;
3476                 }
3477                 if (node->child2()->shouldSpeculateObject()) {
3478                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
3479                     fixEdge<ObjectUse>(node->child2());
3480                     return;
3481                 }
3482             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
3483                 fixEdge<ObjectUse>(node->child1());
3484                 fixEdge<ObjectUse>(node->child2());
3485                 return;
3486             }
3487         }
3488
3489         if (node->child1()->shouldSpeculateSymbol()) {
3490             fixEdge<SymbolUse>(node->child1());
3491             node->setOpAndDefaultFlags(CompareStrictEq);
3492             return;
3493         }
3494         if (node->child2()->shouldSpeculateSymbol()) {
3495             fixEdge<SymbolUse>(node->child2());
3496             node->setOpAndDefaultFlags(CompareStrictEq);
3497             return;
3498         }
3499         if (node->child1()->shouldSpeculateMisc()) {
3500             fixEdge<MiscUse>(node->child1());
3501             node->setOpAndDefaultFlags(CompareStrictEq);
3502             return;
3503         }
3504         if (node->child2()->shouldSpeculateMisc()) {
3505             fixEdge<MiscUse>(node->child2());
3506             node->setOpAndDefaultFlags(CompareStrictEq);
3507             return;
3508         }
3509         if (node->child1()->shouldSpeculateStringIdent()
3510             && node->child2()->shouldSpeculateNotStringVar()) {
3511             fixEdge<StringIdentUse>(node->child1());
3512             fixEdge<NotStringVarUse>(node->child2());
3513             node->setOpAndDefaultFlags(CompareStrictEq);
3514             return;
3515         }
3516         if (node->child2()->shouldSpeculateStringIdent()
3517             && node->child1()->shouldSpeculateNotStringVar()) {
3518             fixEdge<StringIdentUse>(node->child2());
3519             fixEdge<NotStringVarUse>(node->child1());
3520             node->setOpAndDefaultFlags(CompareStrictEq);
3521             return;
3522         }
3523         if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
3524             fixEdge<StringUse>(node->child1());
3525             node->setOpAndDefaultFlags(CompareStrictEq);
3526             return;
3527         }
3528         if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
3529             fixEdge<StringUse>(node->child2());
3530             node->setOpAndDefaultFlags(CompareStrictEq);
3531             return;
3532         }
3533     }
3534
3535     void fixupChecksInBlock(BasicBlock* block)
3536     {
3537         if (!block)
3538       &n