Fixup uses KnownInt32 incorrectly in some nodes
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInsertionSet.h"
34 #include "DFGPhase.h"
35 #include "DFGPredictionPropagationPhase.h"
36 #include "DFGVariableAccessDataDump.h"
37 #include "JSCInlines.h"
38 #include "TypeLocation.h"
39
40 namespace JSC { namespace DFG {
41
42 class FixupPhase : public Phase {
43 public:
44     FixupPhase(Graph& graph)
45         : Phase(graph, "fixup")
46         , m_insertionSet(graph)
47     {
48     }
49     
50     bool run()
51     {
52         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
53         ASSERT(m_graph.m_form == ThreadedCPS);
54         
55         m_profitabilityChanged = false;
56         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
57             fixupBlock(m_graph.block(blockIndex));
58         
59         while (m_profitabilityChanged) {
60             m_profitabilityChanged = false;
61             
62             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
63                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
64             
65             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
66                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
67         }
68         
69         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
70             fixupChecksInBlock(m_graph.block(blockIndex));
71
72         m_graph.m_planStage = PlanStage::AfterFixup;
73
74         return true;
75     }
76
77 private:
78     void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild)
79     {
80         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
81             if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
82                 fixIntOrBooleanEdge(leftChild);
83                 fixIntOrBooleanEdge(rightChild);
84                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
85                     node->setArithMode(Arith::Unchecked);
86                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
87                     node->setArithMode(Arith::CheckOverflow);
88                 else
89                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
90                 return;
91             }
92             
93             // This will cause conversion nodes to be inserted later.
94             fixDoubleOrBooleanEdge(leftChild);
95             fixDoubleOrBooleanEdge(rightChild);
96             
97             // We don't need to do ref'ing on the children because we're stealing them from
98             // the original division.
99             Node* newDivision = m_insertionSet.insertNode(m_indexInBlock, SpecBytecodeDouble, *node);
100             newDivision->setResult(NodeResultDouble);
101             
102             node->setOp(DoubleAsInt32);
103             node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
104             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
105                 node->setArithMode(Arith::CheckOverflow);
106             else
107                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
108             return;
109         }
110         
111         fixDoubleOrBooleanEdge(leftChild);
112         fixDoubleOrBooleanEdge(rightChild);
113         node->setResult(NodeResultDouble);
114     }
115     
116     void fixupArithMul(Node* node, Edge& leftChild, Edge& rightChild)
117     {
118         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
119             fixIntOrBooleanEdge(leftChild);
120             fixIntOrBooleanEdge(rightChild);
121             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
122                 node->setArithMode(Arith::Unchecked);
123             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
124                 node->setArithMode(Arith::CheckOverflow);
125             else
126                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
127             return;
128         }
129         if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
130             fixEdge<Int52RepUse>(leftChild);
131             fixEdge<Int52RepUse>(rightChild);
132             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
133                 node->setArithMode(Arith::CheckOverflow);
134             else
135                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
136             node->setResult(NodeResultInt52);
137             return;
138         }
139
140         fixDoubleOrBooleanEdge(leftChild);
141         fixDoubleOrBooleanEdge(rightChild);
142         node->setResult(NodeResultDouble);
143     }
144
145     void fixupBlock(BasicBlock* block)
146     {
147         if (!block)
148             return;
149         ASSERT(block->isReachable);
150         m_block = block;
151         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
152             m_currentNode = block->at(m_indexInBlock);
153             fixupNode(m_currentNode);
154         }
155         m_insertionSet.execute(block);
156     }
157     
158     void fixupNode(Node* node)
159     {
160         NodeType op = node->op();
161
162         switch (op) {
163         case SetLocal: {
164             // This gets handled by fixupGetAndSetLocalsInBlock().
165             return;
166         }
167
168         case ValueSub: {
169             Edge& child1 = node->child1();
170             Edge& child2 = node->child2();
171
172             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
173                 fixEdge<BigIntUse>(child1);
174                 fixEdge<BigIntUse>(child2);
175                 break; 
176             }
177             
178             if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
179                 fixEdge<UntypedUse>(child1);
180                 fixEdge<UntypedUse>(child2);
181                 break;
182             }
183
184             if (attemptToMakeIntegerAdd(node)) {
185                 // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
186                 // https://bugs.webkit.org/show_bug.cgi?id=190607
187                 node->setOp(ArithSub);
188                 break;
189             }
190
191             fixDoubleOrBooleanEdge(node->child1());
192             fixDoubleOrBooleanEdge(node->child2());
193             node->setOp(ArithSub);
194             node->setResult(NodeResultDouble);
195
196             break;
197         }
198
199         case ValueBitXor:
200         case ValueBitOr:
201         case ValueBitAnd: {
202             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
203                 fixEdge<BigIntUse>(node->child1());
204                 fixEdge<BigIntUse>(node->child2());
205                 break;
206             }
207
208             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
209                 fixEdge<UntypedUse>(node->child1());
210                 fixEdge<UntypedUse>(node->child2());
211                 break;
212             }
213
214             // In such case, we need to fallback to ArithBitOp
215             switch (op) {
216             case ValueBitXor:
217                 node->setOp(ArithBitXor);
218                 break;
219             case ValueBitOr:
220                 node->setOp(ArithBitOr);
221                 break;
222             case ValueBitAnd:
223                 node->setOp(ArithBitAnd);
224                 break;
225             default:
226                 DFG_CRASH(m_graph, node, "Unexpected node during ValueBit operation fixup");
227                 break;
228             }
229
230             node->clearFlags(NodeMustGenerate);
231             node->setResult(NodeResultInt32);
232             fixIntConvertingEdge(node->child1());
233             fixIntConvertingEdge(node->child2());
234             break;
235         }
236
237         case ValueBitNot: {
238             Edge& operandEdge = node->child1();
239
240             if (operandEdge.node()->shouldSpeculateBigInt()) {
241                 node->clearFlags(NodeMustGenerate);
242                 fixEdge<BigIntUse>(operandEdge);
243             } else if (operandEdge.node()->shouldSpeculateUntypedForBitOps())
244                 fixEdge<UntypedUse>(operandEdge);
245             else {
246                 node->setOp(ArithBitNot);
247                 node->setResult(NodeResultInt32);
248                 node->clearFlags(NodeMustGenerate);
249                 fixIntConvertingEdge(operandEdge);
250             }
251             break;
252         }
253
254         case ArithBitNot: {
255             Edge& operandEdge = node->child1();
256
257             fixIntConvertingEdge(operandEdge);
258             break;
259         }
260
261         case ArithBitXor:
262         case ArithBitOr:
263         case ArithBitAnd: {
264             fixIntConvertingEdge(node->child1());
265             fixIntConvertingEdge(node->child2());
266             break;
267         }
268
269         case BitRShift:
270         case BitLShift:
271         case BitURShift: {
272             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
273                 fixEdge<UntypedUse>(node->child1());
274                 fixEdge<UntypedUse>(node->child2());
275                 break;
276             }
277             fixIntConvertingEdge(node->child1());
278             fixIntConvertingEdge(node->child2());
279             break;
280         }
281
282         case ArithIMul: {
283             fixIntConvertingEdge(node->child1());
284             fixIntConvertingEdge(node->child2());
285             node->setOp(ArithMul);
286             node->setArithMode(Arith::Unchecked);
287             node->child1().setUseKind(Int32Use);
288             node->child2().setUseKind(Int32Use);
289             break;
290         }
291
292         case ArithClz32: {
293             if (node->child1()->shouldSpeculateNotCell()) {
294                 fixIntConvertingEdge(node->child1());
295                 node->clearFlags(NodeMustGenerate);
296             } else
297                 fixEdge<UntypedUse>(node->child1());
298             break;
299         }
300             
301         case UInt32ToNumber: {
302             fixIntConvertingEdge(node->child1());
303             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
304                 node->convertToIdentity();
305             else if (node->canSpeculateInt32(FixupPass))
306                 node->setArithMode(Arith::CheckOverflow);
307             else {
308                 node->setArithMode(Arith::DoOverflow);
309                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
310             }
311             break;
312         }
313
314         case ValueNegate: {
315             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
316                 node->setOp(ArithNegate);
317                 fixIntOrBooleanEdge(node->child1());
318                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
319                     node->setArithMode(Arith::Unchecked);
320                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
321                     node->setArithMode(Arith::CheckOverflow);
322                 else
323                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
324                 node->setResult(NodeResultInt32);
325                 node->clearFlags(NodeMustGenerate);
326                 break;
327             }
328             
329             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
330                 node->setOp(ArithNegate);
331                 fixEdge<Int52RepUse>(node->child1());
332                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
333                     node->setArithMode(Arith::CheckOverflow);
334                 else
335                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
336                 node->setResult(NodeResultInt52);
337                 node->clearFlags(NodeMustGenerate);
338                 break;
339             }
340             if (node->child1()->shouldSpeculateNotCell()) {
341                 node->setOp(ArithNegate);
342                 fixDoubleOrBooleanEdge(node->child1());
343                 node->setResult(NodeResultDouble);
344                 node->clearFlags(NodeMustGenerate);
345             } else {
346                 fixEdge<UntypedUse>(node->child1());
347                 node->setResult(NodeResultJS);
348             }
349             break;
350         }
351
352         case ValueAdd: {
353             if (attemptToMakeIntegerAdd(node)) {
354                 node->setOp(ArithAdd);
355                 break;
356             }
357             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
358                 fixDoubleOrBooleanEdge(node->child1());
359                 fixDoubleOrBooleanEdge(node->child2());
360                 node->setOp(ArithAdd);
361                 node->setResult(NodeResultDouble);
362                 break;
363             }
364             
365             if (attemptToMakeFastStringAdd(node))
366                 break;
367
368             Edge& child1 = node->child1();
369             Edge& child2 = node->child2();
370             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
371                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
372                     auto convertString = [&](Node* node, Edge& edge) {
373                         if (edge->shouldSpeculateInt32())
374                             convertStringAddUse<Int32Use>(node, edge);
375                         else {
376                             ASSERT(edge->shouldSpeculateString());
377                             convertStringAddUse<StringUse>(node, edge);
378                         }
379                     };
380                     convertString(node, child1);
381                     convertString(node, child2);
382                     convertToMakeRope(node);
383                     break;
384                 }
385             }
386
387             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
388                 fixEdge<BigIntUse>(child1);
389                 fixEdge<BigIntUse>(child2);
390             } else {
391                 fixEdge<UntypedUse>(child1);
392                 fixEdge<UntypedUse>(child2);
393             }
394
395             node->setResult(NodeResultJS);
396             break;
397         }
398
399         case StrCat: {
400             if (attemptToMakeFastStringAdd(node))
401                 break;
402
403             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
404             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
405             // the implementation of StrCat doesn't dynamically optimize for empty strings.
406             // https://bugs.webkit.org/show_bug.cgi?id=148540
407             m_graph.doToChildren(
408                 node,
409                 [&] (Edge& edge) {
410                     fixEdge<KnownPrimitiveUse>(edge);
411                     // StrCat automatically coerces the values into strings before concatenating them.
412                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
413                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
414                     // our runtime functions for this slow path expect that they will never be passed
415                     // Symbols.
416                     m_insertionSet.insertNode(
417                         m_indexInBlock, SpecNone, Check, node->origin,
418                         Edge(edge.node(), NotSymbolUse));
419                 });
420             break;
421         }
422             
423         case MakeRope: {
424             fixupMakeRope(node);
425             break;
426         }
427             
428         case ArithAdd:
429         case ArithSub: {
430             // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
431             // https://bugs.webkit.org/show_bug.cgi?id=190607
432             if (attemptToMakeIntegerAdd(node))
433                 break;
434             fixDoubleOrBooleanEdge(node->child1());
435             fixDoubleOrBooleanEdge(node->child2());
436             node->setResult(NodeResultDouble);
437             break;
438         }
439             
440         case ArithNegate: {
441             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
442                 fixIntOrBooleanEdge(node->child1());
443                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
444                     node->setArithMode(Arith::Unchecked);
445                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
446                     node->setArithMode(Arith::CheckOverflow);
447                 else
448                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
449                 node->setResult(NodeResultInt32);
450                 node->clearFlags(NodeMustGenerate);
451                 break;
452             }
453             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
454                 fixEdge<Int52RepUse>(node->child1());
455                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
456                     node->setArithMode(Arith::CheckOverflow);
457                 else
458                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
459                 node->setResult(NodeResultInt52);
460                 node->clearFlags(NodeMustGenerate);
461                 break;
462             }
463
464             fixDoubleOrBooleanEdge(node->child1());
465             node->setResult(NodeResultDouble);
466             node->clearFlags(NodeMustGenerate);
467             break;
468         }
469
470         case ValueMul: {
471             Edge& leftChild = node->child1();
472             Edge& rightChild = node->child2();
473
474             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
475                 fixEdge<BigIntUse>(node->child1());
476                 fixEdge<BigIntUse>(node->child2());
477                 break;
478             }
479
480             // There are cases where we can have BigInt + Int32 operands reaching ValueMul.
481             // Imagine the scenario where ValueMul was never executed, but we can predict types
482             // reaching the node:
483             //
484             // 63: GetLocal(Check:Untyped:@72, JS|MustGen, NonBoolInt32, ...)  predicting NonBoolInt32
485             // 64: GetLocal(Check:Untyped:@71, JS|MustGen, BigInt, ...)  predicting BigInt
486             // 65: ValueMul(Check:Untyped:@63, Check:Untyped:@64, BigInt|BoolInt32|NonBoolInt32, ...)
487             // 
488             // In such scenario, we need to emit ValueMul(Untyped, Untyped), so the runtime can throw 
489             // an exception whenever it gets excuted.
490             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
491                 fixEdge<UntypedUse>(leftChild);
492                 fixEdge<UntypedUse>(rightChild);
493                 break;
494             }
495
496             // At this point, all other possible specializations are only handled by ArithMul.
497             node->setOp(ArithMul);
498             node->setResult(NodeResultNumber);
499             fixupArithMul(node, leftChild, rightChild);
500             break;
501         }
502
503         case ArithMul: {
504             Edge& leftChild = node->child1();
505             Edge& rightChild = node->child2();
506
507             fixupArithMul(node, leftChild, rightChild);
508             break;
509         }
510
511         case ValueDiv: {
512             Edge& leftChild = node->child1();
513             Edge& rightChild = node->child2();
514
515             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
516                 fixEdge<BigIntUse>(leftChild);
517                 fixEdge<BigIntUse>(rightChild);
518                 break; 
519             }
520
521             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
522                 fixEdge<UntypedUse>(leftChild);
523                 fixEdge<UntypedUse>(rightChild);
524                 break;
525             }
526             node->setOp(ArithDiv);
527             node->setResult(NodeResultNumber);
528             fixupArithDiv(node, leftChild, rightChild);
529             break;
530
531         }
532
533         case ArithDiv:
534         case ArithMod: {
535             Edge& leftChild = node->child1();
536             Edge& rightChild = node->child2();
537
538             fixupArithDiv(node, leftChild, rightChild);
539             break;
540         }
541             
542         case ArithMin:
543         case ArithMax: {
544             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
545                 fixIntOrBooleanEdge(node->child1());
546                 fixIntOrBooleanEdge(node->child2());
547                 break;
548             }
549             fixDoubleOrBooleanEdge(node->child1());
550             fixDoubleOrBooleanEdge(node->child2());
551             node->setResult(NodeResultDouble);
552             break;
553         }
554             
555         case ArithAbs: {
556             if (node->child1()->shouldSpeculateInt32OrBoolean()
557                 && node->canSpeculateInt32(FixupPass)) {
558                 fixIntOrBooleanEdge(node->child1());
559                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
560                     node->setArithMode(Arith::Unchecked);
561                 else
562                     node->setArithMode(Arith::CheckOverflow);
563                 node->clearFlags(NodeMustGenerate);
564                 node->setResult(NodeResultInt32);
565                 break;
566             }
567
568             if (node->child1()->shouldSpeculateNotCell()) {
569                 fixDoubleOrBooleanEdge(node->child1());
570                 node->clearFlags(NodeMustGenerate);
571             } else
572                 fixEdge<UntypedUse>(node->child1());
573             node->setResult(NodeResultDouble);
574             break;
575         }
576
577         case ArithPow: {
578             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
579                 fixDoubleOrBooleanEdge(node->child1());
580                 fixIntOrBooleanEdge(node->child2());
581                 break;
582             }
583
584             fixDoubleOrBooleanEdge(node->child1());
585             fixDoubleOrBooleanEdge(node->child2());
586             break;
587         }
588
589         case ArithRandom: {
590             node->setResult(NodeResultDouble);
591             break;
592         }
593
594         case ArithRound:
595         case ArithFloor:
596         case ArithCeil:
597         case ArithTrunc: {
598             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
599                 fixIntOrBooleanEdge(node->child1());
600                 insertCheck<Int32Use>(node->child1().node());
601                 node->convertToIdentity();
602                 break;
603             }
604             if (node->child1()->shouldSpeculateNotCell()) {
605                 fixDoubleOrBooleanEdge(node->child1());
606
607                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
608                     node->setResult(NodeResultInt32);
609                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
610                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
611                     else
612                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
613                 } else {
614                     node->setResult(NodeResultDouble);
615                     node->setArithRoundingMode(Arith::RoundingMode::Double);
616                 }
617                 node->clearFlags(NodeMustGenerate);
618             } else
619                 fixEdge<UntypedUse>(node->child1());
620             break;
621         }
622
623         case ArithFRound:
624         case ArithSqrt:
625         case ArithUnary: {
626             Edge& child1 = node->child1();
627             if (child1->shouldSpeculateNotCell()) {
628                 fixDoubleOrBooleanEdge(child1);
629                 node->clearFlags(NodeMustGenerate);
630             } else
631                 fixEdge<UntypedUse>(child1);
632             break;
633         }
634             
635         case LogicalNot: {
636             if (node->child1()->shouldSpeculateBoolean()) {
637                 if (node->child1()->result() == NodeResultBoolean) {
638                     // This is necessary in case we have a bytecode instruction implemented by:
639                     //
640                     // a: CompareEq(...)
641                     // b: LogicalNot(@a)
642                     //
643                     // In that case, CompareEq might have a side-effect. Then, we need to make
644                     // sure that we know that Branch does not exit.
645                     fixEdge<KnownBooleanUse>(node->child1());
646                 } else
647                     fixEdge<BooleanUse>(node->child1());
648             } else if (node->child1()->shouldSpeculateObjectOrOther())
649                 fixEdge<ObjectOrOtherUse>(node->child1());
650             else if (node->child1()->shouldSpeculateInt32OrBoolean())
651                 fixIntOrBooleanEdge(node->child1());
652             else if (node->child1()->shouldSpeculateNumber())
653                 fixEdge<DoubleRepUse>(node->child1());
654             else if (node->child1()->shouldSpeculateString())
655                 fixEdge<StringUse>(node->child1());
656             else if (node->child1()->shouldSpeculateStringOrOther())
657                 fixEdge<StringOrOtherUse>(node->child1());
658             else {
659                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
660                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
661                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
662             }
663             break;
664         }
665
666         case CompareEq:
667         case CompareLess:
668         case CompareLessEq:
669         case CompareGreater:
670         case CompareGreaterEq: {
671             if (node->op() == CompareEq
672                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
673                 fixEdge<BooleanUse>(node->child1());
674                 fixEdge<BooleanUse>(node->child2());
675                 node->clearFlags(NodeMustGenerate);
676                 break;
677             }
678             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
679                 fixIntOrBooleanEdge(node->child1());
680                 fixIntOrBooleanEdge(node->child2());
681                 node->clearFlags(NodeMustGenerate);
682                 break;
683             }
684             if (enableInt52()
685                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
686                 fixEdge<Int52RepUse>(node->child1());
687                 fixEdge<Int52RepUse>(node->child2());
688                 node->clearFlags(NodeMustGenerate);
689                 break;
690             }
691             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
692                 fixDoubleOrBooleanEdge(node->child1());
693                 fixDoubleOrBooleanEdge(node->child2());
694             }
695             if (node->op() != CompareEq
696                 && node->child1()->shouldSpeculateNotCell()
697                 && node->child2()->shouldSpeculateNotCell()) {
698                 if (node->child1()->shouldSpeculateNumberOrBoolean())
699                     fixDoubleOrBooleanEdge(node->child1());
700                 else
701                     fixEdge<DoubleRepUse>(node->child1());
702                 if (node->child2()->shouldSpeculateNumberOrBoolean())
703                     fixDoubleOrBooleanEdge(node->child2());
704                 else
705                     fixEdge<DoubleRepUse>(node->child2());
706                 node->clearFlags(NodeMustGenerate);
707                 break;
708             }
709             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
710                 fixEdge<StringIdentUse>(node->child1());
711                 fixEdge<StringIdentUse>(node->child2());
712                 node->clearFlags(NodeMustGenerate);
713                 break;
714             }
715             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
716                 fixEdge<StringUse>(node->child1());
717                 fixEdge<StringUse>(node->child2());
718                 node->clearFlags(NodeMustGenerate);
719                 break;
720             }
721
722             if (node->op() != CompareEq)
723                 break;
724             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
725                 fixEdge<SymbolUse>(node->child1());
726                 fixEdge<SymbolUse>(node->child2());
727                 node->clearFlags(NodeMustGenerate);
728                 break;
729             }
730             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
731                 fixEdge<ObjectUse>(node->child1());
732                 fixEdge<ObjectUse>(node->child2());
733                 node->clearFlags(NodeMustGenerate);
734                 break;
735             }
736
737             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
738             bool oneArgumentIsUsedAsSpecOther = false;
739             if (node->child1()->isUndefinedOrNullConstant()) {
740                 fixEdge<KnownOtherUse>(node->child1());
741                 oneArgumentIsUsedAsSpecOther = true;
742             } else if (node->child1()->shouldSpeculateOther()) {
743                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
744                     Edge(node->child1().node(), OtherUse));
745                 fixEdge<KnownOtherUse>(node->child1());
746                 oneArgumentIsUsedAsSpecOther = true;
747             }
748             if (node->child2()->isUndefinedOrNullConstant()) {
749                 fixEdge<KnownOtherUse>(node->child2());
750                 oneArgumentIsUsedAsSpecOther = true;
751             } else if (node->child2()->shouldSpeculateOther()) {
752                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
753                     Edge(node->child2().node(), OtherUse));
754                 fixEdge<KnownOtherUse>(node->child2());
755                 oneArgumentIsUsedAsSpecOther = true;
756             }
757             if (oneArgumentIsUsedAsSpecOther) {
758                 node->clearFlags(NodeMustGenerate);
759                 break;
760             }
761
762             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
763                 fixEdge<ObjectUse>(node->child1());
764                 fixEdge<ObjectOrOtherUse>(node->child2());
765                 node->clearFlags(NodeMustGenerate);
766                 break;
767             }
768             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
769                 fixEdge<ObjectOrOtherUse>(node->child1());
770                 fixEdge<ObjectUse>(node->child2());
771                 node->clearFlags(NodeMustGenerate);
772                 break;
773             }
774
775             break;
776         }
777             
778         case CompareStrictEq:
779         case SameValue: {
780             fixupCompareStrictEqAndSameValue(node);
781             break;
782         }
783
784         case StringFromCharCode:
785             if (node->child1()->shouldSpeculateInt32()) {
786                 fixEdge<Int32Use>(node->child1());
787                 node->clearFlags(NodeMustGenerate);
788             } else
789                 fixEdge<UntypedUse>(node->child1());
790             break;
791
792         case StringCharAt:
793         case StringCharCodeAt: {
794             // Currently we have no good way of refining these.
795             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
796             blessArrayOperation(node->child1(), node->child2(), node->child3());
797             fixEdge<KnownStringUse>(node->child1());
798             fixEdge<Int32Use>(node->child2());
799             break;
800         }
801
802         case GetByVal: {
803             if (!node->prediction()) {
804                 m_insertionSet.insertNode(
805                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
806             }
807             
808             node->setArrayMode(
809                 node->arrayMode().refine(
810                     m_graph, node,
811                     m_graph.varArgChild(node, 0)->prediction(),
812                     m_graph.varArgChild(node, 1)->prediction(),
813                     SpecNone));
814             
815             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
816             
817             ArrayMode arrayMode = node->arrayMode();
818             switch (arrayMode.type()) {
819             case Array::Contiguous:
820             case Array::Double:
821                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
822                     // Check if SaneChain will work on a per-type basis. Note that:
823                     //
824                     // 1) We don't want double arrays to sometimes return undefined, since
825                     // that would require a change to the return type and it would pessimise
826                     // things a lot. So, we'd only want to do that if we actually had
827                     // evidence that we could read from a hole. That's pretty annoying.
828                     // Likely the best way to handle that case is with an equivalent of
829                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
830                     // NaN are indistinguishable according to backwards propagation, and just
831                     // use SaneChain in that case. This happens to catch a lot of cases.
832                     //
833                     // 2) We don't want int32 array loads to have to do a hole check just to
834                     // coerce to Undefined, since that would mean twice the checks.
835                     //
836                     // This has two implications. First, we have to do more checks than we'd
837                     // like. It's unfortunate that we have to do the hole check. Second,
838                     // some accesses that hit a hole will now need to take the full-blown
839                     // out-of-bounds slow path. We can fix that with:
840                     // https://bugs.webkit.org/show_bug.cgi?id=144668
841                     
842                     bool canDoSaneChain = false;
843                     switch (arrayMode.type()) {
844                     case Array::Contiguous:
845                         // This is happens to be entirely natural. We already would have
846                         // returned any JSValue, and now we'll return Undefined. We still do
847                         // the check but it doesn't require taking any kind of slow path.
848                         canDoSaneChain = true;
849                         break;
850                         
851                     case Array::Double:
852                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
853                             // Holes look like NaN already, so if the user doesn't care
854                             // about the difference between Undefined and NaN then we can
855                             // do this.
856                             canDoSaneChain = true;
857                         }
858                         break;
859                         
860                     default:
861                         break;
862                     }
863                     
864                     if (canDoSaneChain) {
865                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
866                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
867                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
868                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
869                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
870                             && globalObject->arrayPrototypeChainIsSane()) {
871                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
872                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
873                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
874                         }
875                     }
876                 }
877                 break;
878                 
879             case Array::String:
880                 if ((node->prediction() & ~SpecString)
881                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
882                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
883                 break;
884                 
885             default:
886                 break;
887             }
888             
889             arrayMode = node->arrayMode();
890             switch (arrayMode.type()) {
891             case Array::SelectUsingPredictions:
892             case Array::Unprofiled:
893                 RELEASE_ASSERT_NOT_REACHED();
894                 break;
895             case Array::Generic:
896                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
897                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
898                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
899                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
900                         break;
901                     }
902
903                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
904                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
905                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
906                         break;
907                     }
908                 }
909 #if USE(JSVALUE32_64)
910                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
911 #endif
912                 break;
913             case Array::ForceExit:
914                 break;
915             case Array::String:
916                 fixEdge<KnownStringUse>(m_graph.varArgChild(node, 0));
917                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
918                 break;
919             default:
920                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
921                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
922                 break;
923             }
924             
925             switch (arrayMode.type()) {
926             case Array::Double:
927                 if (!arrayMode.isOutOfBounds())
928                     node->setResult(NodeResultDouble);
929                 break;
930                 
931             case Array::Float32Array:
932             case Array::Float64Array:
933                 node->setResult(NodeResultDouble);
934                 break;
935                 
936             case Array::Uint32Array:
937                 if (node->shouldSpeculateInt32())
938                     break;
939                 if (node->shouldSpeculateAnyInt() && enableInt52())
940                     node->setResult(NodeResultInt52);
941                 else
942                     node->setResult(NodeResultDouble);
943                 break;
944                 
945             default:
946                 break;
947             }
948             
949             break;
950         }
951
952         case PutByValDirect:
953         case PutByVal:
954         case PutByValAlias: {
955             Edge& child1 = m_graph.varArgChild(node, 0);
956             Edge& child2 = m_graph.varArgChild(node, 1);
957             Edge& child3 = m_graph.varArgChild(node, 2);
958
959             node->setArrayMode(
960                 node->arrayMode().refine(
961                     m_graph, node,
962                     child1->prediction(),
963                     child2->prediction(),
964                     child3->prediction()));
965             
966             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
967             
968             switch (node->arrayMode().modeForPut().type()) {
969             case Array::SelectUsingPredictions:
970             case Array::SelectUsingArguments:
971             case Array::Unprofiled:
972             case Array::Undecided:
973                 RELEASE_ASSERT_NOT_REACHED();
974                 break;
975             case Array::ForceExit:
976             case Array::Generic:
977                 if (child1->shouldSpeculateCell()) {
978                     if (child2->shouldSpeculateString()) {
979                         fixEdge<CellUse>(child1);
980                         fixEdge<StringUse>(child2);
981                         break;
982                     }
983
984                     if (child2->shouldSpeculateSymbol()) {
985                         fixEdge<CellUse>(child1);
986                         fixEdge<SymbolUse>(child2);
987                         break;
988                     }
989                 }
990 #if USE(JSVALUE32_64)
991                 // Due to register pressure on 32-bit, we speculate cell and
992                 // ignore the base-is-not-cell case entirely by letting the
993                 // baseline JIT handle it.
994                 fixEdge<CellUse>(child1);
995 #endif
996                 break;
997             case Array::Int32:
998                 fixEdge<KnownCellUse>(child1);
999                 fixEdge<Int32Use>(child2);
1000                 fixEdge<Int32Use>(child3);
1001                 break;
1002             case Array::Double:
1003                 fixEdge<KnownCellUse>(child1);
1004                 fixEdge<Int32Use>(child2);
1005                 fixEdge<DoubleRepRealUse>(child3);
1006                 break;
1007             case Array::Int8Array:
1008             case Array::Int16Array:
1009             case Array::Int32Array:
1010             case Array::Uint8Array:
1011             case Array::Uint8ClampedArray:
1012             case Array::Uint16Array:
1013             case Array::Uint32Array:
1014                 fixEdge<KnownCellUse>(child1);
1015                 fixEdge<Int32Use>(child2);
1016                 if (child3->shouldSpeculateInt32())
1017                     fixIntOrBooleanEdge(child3);
1018                 else if (child3->shouldSpeculateAnyInt())
1019                     fixEdge<Int52RepUse>(child3);
1020                 else
1021                     fixDoubleOrBooleanEdge(child3);
1022                 break;
1023             case Array::Float32Array:
1024             case Array::Float64Array:
1025                 fixEdge<KnownCellUse>(child1);
1026                 fixEdge<Int32Use>(child2);
1027                 fixDoubleOrBooleanEdge(child3);
1028                 break;
1029             case Array::Contiguous:
1030             case Array::ArrayStorage:
1031             case Array::SlowPutArrayStorage:
1032                 fixEdge<KnownCellUse>(child1);
1033                 fixEdge<Int32Use>(child2);
1034                 speculateForBarrier(child3);
1035                 break;
1036             default:
1037                 fixEdge<KnownCellUse>(child1);
1038                 fixEdge<Int32Use>(child2);
1039                 break;
1040             }
1041             break;
1042         }
1043             
1044         case AtomicsAdd:
1045         case AtomicsAnd:
1046         case AtomicsCompareExchange:
1047         case AtomicsExchange:
1048         case AtomicsLoad:
1049         case AtomicsOr:
1050         case AtomicsStore:
1051         case AtomicsSub:
1052         case AtomicsXor: {
1053             Edge& base = m_graph.child(node, 0);
1054             Edge& index = m_graph.child(node, 1);
1055             
1056             bool badNews = false;
1057             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1058                 Edge& child = m_graph.child(node, 2 + i);
1059                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
1060                 // just call the function when that happens. But the FTL is totally cool with those
1061                 // conversions.
1062                 if (!child->shouldSpeculateInt32()
1063                     && !child->shouldSpeculateAnyInt()
1064                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
1065                     badNews = true;
1066             }
1067             
1068             if (badNews) {
1069                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
1070                 break;
1071             }
1072             
1073             node->setArrayMode(
1074                 node->arrayMode().refine(
1075                     m_graph, node, base->prediction(), index->prediction()));
1076             
1077             if (node->arrayMode().type() == Array::Generic)
1078                 break;
1079             
1080             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1081                 Edge& child = m_graph.child(node, 2 + i);
1082                 if (child->shouldSpeculateInt32())
1083                     fixIntOrBooleanEdge(child);
1084                 else if (child->shouldSpeculateAnyInt())
1085                     fixEdge<Int52RepUse>(child);
1086                 else {
1087                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
1088                     fixDoubleOrBooleanEdge(child);
1089                 }
1090             }
1091             
1092             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
1093             fixEdge<CellUse>(base);
1094             fixEdge<Int32Use>(index);
1095             
1096             if (node->arrayMode().type() == Array::Uint32Array) {
1097                 // NOTE: This means basically always doing Int52.
1098                 if (node->shouldSpeculateAnyInt() && enableInt52())
1099                     node->setResult(NodeResultInt52);
1100                 else
1101                     node->setResult(NodeResultDouble);
1102             }
1103             break;
1104         }
1105             
1106         case AtomicsIsLockFree:
1107             if (node->child1()->shouldSpeculateInt32())
1108                 fixIntOrBooleanEdge(node->child1());
1109             break;
1110             
1111         case ArrayPush: {
1112             // May need to refine the array mode in case the value prediction contravenes
1113             // the array prediction. For example, we may have evidence showing that the
1114             // array is in Int32 mode, but the value we're storing is likely to be a double.
1115             // Then we should turn this into a conversion to Double array followed by the
1116             // push. On the other hand, we absolutely don't want to refine based on the
1117             // base prediction. If it has non-cell garbage in it, then we want that to be
1118             // ignored. That's because ArrayPush can't handle any array modes that aren't
1119             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1120             // that would break things.
1121             Edge& storageEdge = m_graph.varArgChild(node, 0);
1122             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1123             unsigned elementOffset = 2;
1124             unsigned elementCount = node->numChildren() - elementOffset;
1125             for (unsigned i = 0; i < elementCount; ++i) {
1126                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1127                 node->setArrayMode(
1128                     node->arrayMode().refine(
1129                         m_graph, node,
1130                         arrayEdge->prediction() & SpecCell,
1131                         SpecInt32Only,
1132                         element->prediction()));
1133             }
1134             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1135             fixEdge<KnownCellUse>(arrayEdge);
1136
1137             // Convert `array.push()` to GetArrayLength.
1138             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1139                 node->setOpAndDefaultFlags(GetArrayLength);
1140                 node->child1() = arrayEdge;
1141                 node->child2() = storageEdge;
1142                 fixEdge<KnownCellUse>(node->child1());
1143                 break;
1144             }
1145
1146             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1147             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1148             for (unsigned i = 0; i < elementCount; ++i) {
1149                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1150                 switch (node->arrayMode().type()) {
1151                 case Array::Int32:
1152                     fixEdge<Int32Use>(element);
1153                     break;
1154                 case Array::Double:
1155                     fixEdge<DoubleRepRealUse>(element);
1156                     break;
1157                 case Array::Contiguous:
1158                 case Array::ArrayStorage:
1159                     speculateForBarrier(element);
1160                     break;
1161                 default:
1162                     break;
1163                 }
1164             }
1165             break;
1166         }
1167             
1168         case ArrayPop: {
1169             blessArrayOperation(node->child1(), Edge(), node->child2());
1170             fixEdge<KnownCellUse>(node->child1());
1171             break;
1172         }
1173
1174         case ArraySlice: {
1175             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1176             if (node->numChildren() >= 3) {
1177                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1178                 if (node->numChildren() == 4)
1179                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1180             }
1181             break;
1182         }
1183
1184         case ArrayIndexOf:
1185             fixupArrayIndexOf(node);
1186             break;
1187             
1188         case RegExpExec:
1189         case RegExpTest: {
1190             fixEdge<KnownCellUse>(node->child1());
1191             
1192             if (node->child2()->shouldSpeculateRegExpObject()) {
1193                 fixEdge<RegExpObjectUse>(node->child2());
1194
1195                 if (node->child3()->shouldSpeculateString())
1196                     fixEdge<StringUse>(node->child3());
1197             }
1198             break;
1199         }
1200
1201         case RegExpMatchFast: {
1202             fixEdge<KnownCellUse>(node->child1());
1203             fixEdge<RegExpObjectUse>(node->child2());
1204             fixEdge<StringUse>(node->child3());
1205             break;
1206         }
1207
1208         case StringReplace:
1209         case StringReplaceRegExp: {
1210             if (node->child2()->shouldSpeculateString()) {
1211                 m_insertionSet.insertNode(
1212                     m_indexInBlock, SpecNone, Check, node->origin,
1213                     Edge(node->child2().node(), StringUse));
1214                 fixEdge<StringUse>(node->child2());
1215             } else if (op == StringReplace) {
1216                 if (node->child2()->shouldSpeculateRegExpObject())
1217                     addStringReplacePrimordialChecks(node->child2().node());
1218                 else 
1219                     m_insertionSet.insertNode(
1220                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1221             }
1222
1223             if (node->child1()->shouldSpeculateString()
1224                 && node->child2()->shouldSpeculateRegExpObject()
1225                 && node->child3()->shouldSpeculateString()) {
1226
1227                 fixEdge<StringUse>(node->child1());
1228                 fixEdge<RegExpObjectUse>(node->child2());
1229                 fixEdge<StringUse>(node->child3());
1230                 break;
1231             }
1232             break;
1233         }
1234             
1235         case Branch: {
1236             if (node->child1()->shouldSpeculateBoolean()) {
1237                 if (node->child1()->result() == NodeResultBoolean) {
1238                     // This is necessary in case we have a bytecode instruction implemented by:
1239                     //
1240                     // a: CompareEq(...)
1241                     // b: Branch(@a)
1242                     //
1243                     // In that case, CompareEq might have a side-effect. Then, we need to make
1244                     // sure that we know that Branch does not exit.
1245                     fixEdge<KnownBooleanUse>(node->child1());
1246                 } else
1247                     fixEdge<BooleanUse>(node->child1());
1248             } else if (node->child1()->shouldSpeculateObjectOrOther())
1249                 fixEdge<ObjectOrOtherUse>(node->child1());
1250             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1251                 fixIntOrBooleanEdge(node->child1());
1252             else if (node->child1()->shouldSpeculateNumber())
1253                 fixEdge<DoubleRepUse>(node->child1());
1254             else if (node->child1()->shouldSpeculateString())
1255                 fixEdge<StringUse>(node->child1());
1256             else if (node->child1()->shouldSpeculateStringOrOther())
1257                 fixEdge<StringOrOtherUse>(node->child1());
1258             else {
1259                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1260                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1261                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1262             }
1263             break;
1264         }
1265             
1266         case Switch: {
1267             SwitchData* data = node->switchData();
1268             switch (data->kind) {
1269             case SwitchImm:
1270                 if (node->child1()->shouldSpeculateInt32())
1271                     fixEdge<Int32Use>(node->child1());
1272                 break;
1273             case SwitchChar:
1274                 if (node->child1()->shouldSpeculateString())
1275                     fixEdge<StringUse>(node->child1());
1276                 break;
1277             case SwitchString:
1278                 if (node->child1()->shouldSpeculateStringIdent())
1279                     fixEdge<StringIdentUse>(node->child1());
1280                 else if (node->child1()->shouldSpeculateString())
1281                     fixEdge<StringUse>(node->child1());
1282                 break;
1283             case SwitchCell:
1284                 if (node->child1()->shouldSpeculateCell())
1285                     fixEdge<CellUse>(node->child1());
1286                 // else it's fine for this to have UntypedUse; we will handle this by just making
1287                 // non-cells take the default case.
1288                 break;
1289             }
1290             break;
1291         }
1292             
1293         case ToPrimitive: {
1294             fixupToPrimitive(node);
1295             break;
1296         }
1297
1298         case ToNumber: {
1299             fixupToNumber(node);
1300             break;
1301         }
1302             
1303         case ToString:
1304         case CallStringConstructor: {
1305             fixupToStringOrCallStringConstructor(node);
1306             break;
1307         }
1308             
1309         case NewStringObject: {
1310             fixEdge<KnownStringUse>(node->child1());
1311             break;
1312         }
1313
1314         case NewSymbol: {
1315             if (node->child1())
1316                 fixEdge<KnownStringUse>(node->child1());
1317             break;
1318         }
1319
1320         case NewArrayWithSpread: {
1321             watchHavingABadTime(node);
1322             
1323             BitVector* bitVector = node->bitVector();
1324             for (unsigned i = node->numChildren(); i--;) {
1325                 if (bitVector->get(i))
1326                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1327                 else
1328                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1329             }
1330
1331             break;
1332         }
1333
1334         case Spread: {
1335             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1336             
1337             watchHavingABadTime(node->child1().node());
1338
1339             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1340             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1341             // that it doesn't contain any indexed properties, and that any holes will result in
1342             // jsUndefined().
1343             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1344             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1345             if (node->child1()->shouldSpeculateArray()
1346                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1347                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1348                 && globalObject->arrayPrototypeChainIsSane()
1349                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1350                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1351                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1352                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1353                 fixEdge<ArrayUse>(node->child1());
1354             } else
1355                 fixEdge<CellUse>(node->child1());
1356             break;
1357         }
1358             
1359         case NewArray: {
1360             watchHavingABadTime(node);
1361             
1362             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1363                 node->setIndexingType(
1364                     leastUpperBoundOfIndexingTypeAndType(
1365                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1366             }
1367             switch (node->indexingType()) {
1368             case ALL_BLANK_INDEXING_TYPES:
1369                 CRASH();
1370                 break;
1371             case ALL_UNDECIDED_INDEXING_TYPES:
1372                 if (node->numChildren()) {
1373                     // This will only happen if the children have no type predictions. We
1374                     // would have already exited by now, but insert a forced exit just to
1375                     // be safe.
1376                     m_insertionSet.insertNode(
1377                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1378                 }
1379                 break;
1380             case ALL_INT32_INDEXING_TYPES:
1381                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1382                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1383                 break;
1384             case ALL_DOUBLE_INDEXING_TYPES:
1385                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1386                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1387                 break;
1388             case ALL_CONTIGUOUS_INDEXING_TYPES:
1389             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1390                 break;
1391             default:
1392                 CRASH();
1393                 break;
1394             }
1395             break;
1396         }
1397             
1398         case NewTypedArray: {
1399             watchHavingABadTime(node);
1400             
1401             if (node->child1()->shouldSpeculateInt32()) {
1402                 fixEdge<Int32Use>(node->child1());
1403                 node->clearFlags(NodeMustGenerate);
1404                 break;
1405             }
1406             break;
1407         }
1408             
1409         case NewArrayWithSize: {
1410             watchHavingABadTime(node);
1411             fixEdge<Int32Use>(node->child1());
1412             break;
1413         }
1414
1415         case NewArrayBuffer: {
1416             watchHavingABadTime(node);
1417             break;
1418         }
1419
1420         case ToObject: {
1421             fixupToObject(node);
1422             break;
1423         }
1424
1425         case CallObjectConstructor: {
1426             fixupCallObjectConstructor(node);
1427             break;
1428         }
1429
1430         case ToThis: {
1431             fixupToThis(node);
1432             break;
1433         }
1434             
1435         case PutStructure: {
1436             fixEdge<KnownCellUse>(node->child1());
1437             break;
1438         }
1439             
1440         case GetClosureVar:
1441         case GetFromArguments: {
1442             fixEdge<KnownCellUse>(node->child1());
1443             break;
1444         }
1445
1446         case PutClosureVar:
1447         case PutToArguments: {
1448             fixEdge<KnownCellUse>(node->child1());
1449             speculateForBarrier(node->child2());
1450             break;
1451         }
1452
1453         case SkipScope:
1454         case GetScope:
1455         case GetGetter:
1456         case GetSetter:
1457         case GetGlobalObject: {
1458             fixEdge<KnownCellUse>(node->child1());
1459             break;
1460         }
1461             
1462         case AllocatePropertyStorage:
1463         case ReallocatePropertyStorage: {
1464             fixEdge<KnownCellUse>(node->child1());
1465             break;
1466         }
1467             
1468         case NukeStructureAndSetButterfly: {
1469             fixEdge<KnownCellUse>(node->child1());
1470             break;
1471         }
1472
1473         case TryGetById: {
1474             if (node->child1()->shouldSpeculateCell())
1475                 fixEdge<CellUse>(node->child1());
1476             break;
1477         }
1478
1479         case GetByIdDirect:
1480         case GetByIdDirectFlush: {
1481             if (node->child1()->shouldSpeculateCell())
1482                 fixEdge<CellUse>(node->child1());
1483             break;
1484         }
1485
1486         case GetById:
1487         case GetByIdFlush: {
1488             // FIXME: This should be done in the ByteCodeParser based on reading the
1489             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1490             // https://bugs.webkit.org/show_bug.cgi?id=154990
1491             auto uid = m_graph.identifiers()[node->identifierNumber()];
1492             if (node->child1()->shouldSpeculateCellOrOther()
1493                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1494                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1495                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1496                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1497                 
1498                 if (uid == vm().propertyNames->length.impl()) {
1499                     attemptToMakeGetArrayLength(node);
1500                     break;
1501                 }
1502
1503                 if (uid == vm().propertyNames->lastIndex.impl()
1504                     && node->child1()->shouldSpeculateRegExpObject()) {
1505                     node->setOp(GetRegExpObjectLastIndex);
1506                     node->clearFlags(NodeMustGenerate);
1507                     fixEdge<RegExpObjectUse>(node->child1());
1508                     break;
1509                 }
1510             }
1511
1512             if (node->child1()->shouldSpeculateNumber()) {
1513                 if (uid == vm().propertyNames->toString.impl()) {
1514                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1515                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1516                         if (node->child1()->shouldSpeculateInt32()) {
1517                             insertCheck<Int32Use>(node->child1().node());
1518                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1519                             break;
1520                         }
1521
1522                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1523                             insertCheck<Int52RepUse>(node->child1().node());
1524                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1525                             break;
1526                         }
1527
1528                         ASSERT(node->child1()->shouldSpeculateNumber());
1529                         insertCheck<DoubleRepUse>(node->child1().node());
1530                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1531                         break;
1532                     }
1533                 }
1534             }
1535
1536             if (node->child1()->shouldSpeculateCell())
1537                 fixEdge<CellUse>(node->child1());
1538             break;
1539         }
1540         
1541         case GetByIdWithThis: {
1542             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1543                 fixEdge<CellUse>(node->child1());
1544                 fixEdge<CellUse>(node->child2());
1545             }
1546             break;
1547         }
1548
1549         case PutById:
1550         case PutByIdFlush:
1551         case PutByIdDirect: {
1552             if (node->child1()->shouldSpeculateCellOrOther()
1553                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1554                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1555                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1556                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1557                 
1558                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1559                 
1560                 if (uid == vm().propertyNames->lastIndex.impl()
1561                     && node->child1()->shouldSpeculateRegExpObject()) {
1562                     node->convertToSetRegExpObjectLastIndex();
1563                     fixEdge<RegExpObjectUse>(node->child1());
1564                     speculateForBarrier(node->child2());
1565                     break;
1566                 }
1567             }
1568             
1569             fixEdge<CellUse>(node->child1());
1570             break;
1571         }
1572
1573         case PutGetterById:
1574         case PutSetterById: {
1575             fixEdge<KnownCellUse>(node->child1());
1576             fixEdge<KnownCellUse>(node->child2());
1577             break;
1578         }
1579
1580         case PutGetterSetterById: {
1581             fixEdge<KnownCellUse>(node->child1());
1582             break;
1583         }
1584
1585         case PutGetterByVal:
1586         case PutSetterByVal: {
1587             fixEdge<KnownCellUse>(node->child1());
1588             fixEdge<KnownCellUse>(node->child3());
1589             break;
1590         }
1591
1592         case GetExecutable: {
1593             fixEdge<FunctionUse>(node->child1());
1594             break;
1595         }
1596
1597         case OverridesHasInstance:
1598         case CheckStructure:
1599         case CheckCell:
1600         case CreateThis:
1601         case GetButterfly: {
1602             fixEdge<CellUse>(node->child1());
1603             break;
1604         }
1605
1606         case ObjectCreate: {
1607             if (node->child1()->shouldSpeculateObject()) {
1608                 fixEdge<ObjectUse>(node->child1());
1609                 node->clearFlags(NodeMustGenerate);
1610                 break;
1611             }
1612             break;
1613         }
1614
1615         case ObjectKeys: {
1616             if (node->child1()->shouldSpeculateObject()) {
1617                 watchHavingABadTime(node);
1618                 fixEdge<ObjectUse>(node->child1());
1619             }
1620             break;
1621         }
1622
1623         case CheckStringIdent: {
1624             fixEdge<StringIdentUse>(node->child1());
1625             break;
1626         }
1627             
1628         case Arrayify:
1629         case ArrayifyToStructure: {
1630             fixEdge<CellUse>(node->child1());
1631             if (node->child2())
1632                 fixEdge<Int32Use>(node->child2());
1633             break;
1634         }
1635             
1636         case GetByOffset:
1637         case GetGetterSetterByOffset: {
1638             if (!node->child1()->hasStorageResult())
1639                 fixEdge<KnownCellUse>(node->child1());
1640             fixEdge<KnownCellUse>(node->child2());
1641             break;
1642         }
1643             
1644         case MultiGetByOffset: {
1645             fixEdge<CellUse>(node->child1());
1646             break;
1647         }
1648             
1649         case PutByOffset: {
1650             if (!node->child1()->hasStorageResult())
1651                 fixEdge<KnownCellUse>(node->child1());
1652             fixEdge<KnownCellUse>(node->child2());
1653             speculateForBarrier(node->child3());
1654             break;
1655         }
1656             
1657         case MultiPutByOffset: {
1658             fixEdge<CellUse>(node->child1());
1659             break;
1660         }
1661             
1662         case MatchStructure: {
1663             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1664             // https://bugs.webkit.org/show_bug.cgi?id=185784
1665             fixEdge<CellUse>(node->child1());
1666             break;
1667         }
1668             
1669         case InstanceOf: {
1670             if (node->child1()->shouldSpeculateCell()
1671                 && node->child2()->shouldSpeculateCell()
1672                 && is64Bit()) {
1673                 fixEdge<CellUse>(node->child1());
1674                 fixEdge<CellUse>(node->child2());
1675                 break;
1676             }
1677             break;
1678         }
1679
1680         case InstanceOfCustom:
1681             fixEdge<CellUse>(node->child2());
1682             break;
1683
1684         case InById: {
1685             fixEdge<CellUse>(node->child1());
1686             break;
1687         }
1688
1689         case InByVal: {
1690             if (node->child2()->shouldSpeculateInt32()) {
1691                 convertToHasIndexedProperty(node);
1692                 break;
1693             }
1694
1695             fixEdge<CellUse>(node->child1());
1696             break;
1697         }
1698
1699         case HasOwnProperty: {
1700             fixEdge<ObjectUse>(node->child1());
1701 #if CPU(X86)
1702             // We don't have enough registers to do anything interesting on x86 and mips.
1703             fixEdge<UntypedUse>(node->child2());
1704 #else
1705             if (node->child2()->shouldSpeculateString())
1706                 fixEdge<StringUse>(node->child2());
1707             else if (node->child2()->shouldSpeculateSymbol())
1708                 fixEdge<SymbolUse>(node->child2());
1709             else
1710                 fixEdge<UntypedUse>(node->child2());
1711 #endif
1712             break;
1713         }
1714
1715         case CheckVarargs:
1716         case Check: {
1717             m_graph.doToChildren(
1718                 node,
1719                 [&] (Edge& edge) {
1720                     switch (edge.useKind()) {
1721                     case NumberUse:
1722                         if (edge->shouldSpeculateInt32ForArithmetic())
1723                             edge.setUseKind(Int32Use);
1724                         break;
1725                     default:
1726                         break;
1727                     }
1728                     observeUseKindOnEdge(edge);
1729                 });
1730             break;
1731         }
1732
1733         case Phantom:
1734             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1735             node->remove(m_graph);
1736             break;
1737
1738         case FiatInt52: {
1739             RELEASE_ASSERT(enableInt52());
1740             node->convertToIdentity();
1741             fixEdge<Int52RepUse>(node->child1());
1742             node->setResult(NodeResultInt52);
1743             break;
1744         }
1745
1746         case GetArrayLength: {
1747             fixEdge<KnownCellUse>(node->child1());
1748             break;
1749         }
1750
1751         case GetTypedArrayByteOffset: {
1752             fixEdge<KnownCellUse>(node->child1());
1753             break;
1754         }
1755
1756         case CompareBelow:
1757         case CompareBelowEq: {
1758             fixEdge<Int32Use>(node->child1());
1759             fixEdge<Int32Use>(node->child2());
1760             break;
1761         }
1762
1763         case GetPrototypeOf: {
1764             fixupGetPrototypeOf(node);
1765             break;
1766         }
1767
1768         case Phi:
1769         case Upsilon:
1770         case EntrySwitch:
1771         case GetIndexedPropertyStorage:
1772         case LastNodeType:
1773         case CheckTierUpInLoop:
1774         case CheckTierUpAtReturn:
1775         case CheckTierUpAndOSREnter:
1776         case CheckArray:
1777         case CheckInBounds:
1778         case ConstantStoragePointer:
1779         case DoubleAsInt32:
1780         case ValueToInt32:
1781         case DoubleRep:
1782         case ValueRep:
1783         case Int52Rep:
1784         case Int52Constant:
1785         case Identity: // This should have been cleaned up.
1786         case BooleanToNumber:
1787         case PhantomNewObject:
1788         case PhantomNewFunction:
1789         case PhantomNewGeneratorFunction:
1790         case PhantomNewAsyncGeneratorFunction:
1791         case PhantomNewAsyncFunction:
1792         case PhantomCreateActivation:
1793         case PhantomDirectArguments:
1794         case PhantomCreateRest:
1795         case PhantomSpread:
1796         case PhantomNewArrayWithSpread:
1797         case PhantomNewArrayBuffer:
1798         case PhantomClonedArguments:
1799         case PhantomNewRegexp:
1800         case GetMyArgumentByVal:
1801         case GetMyArgumentByValOutOfBounds:
1802         case GetVectorLength:
1803         case PutHint:
1804         case CheckStructureImmediate:
1805         case CheckStructureOrEmpty:
1806         case MaterializeNewObject:
1807         case MaterializeCreateActivation:
1808         case PutStack:
1809         case KillStack:
1810         case GetStack:
1811         case StoreBarrier:
1812         case FencedStoreBarrier:
1813         case GetRegExpObjectLastIndex:
1814         case SetRegExpObjectLastIndex:
1815         case RecordRegExpCachedResult:
1816         case RegExpExecNonGlobalOrSticky:
1817         case RegExpMatchFastGlobal:
1818             // These are just nodes that we don't currently expect to see during fixup.
1819             // If we ever wanted to insert them prior to fixup, then we just have to create
1820             // fixup rules for them.
1821             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1822             break;
1823
1824         case PutGlobalVariable: {
1825             fixEdge<CellUse>(node->child1());
1826             speculateForBarrier(node->child2());
1827             break;
1828         }
1829
1830         case IsObject:
1831             if (node->child1()->shouldSpeculateObject()) {
1832                 m_insertionSet.insertNode(
1833                     m_indexInBlock, SpecNone, Check, node->origin,
1834                     Edge(node->child1().node(), ObjectUse));
1835                 m_graph.convertToConstant(node, jsBoolean(true));
1836                 observeUseKindOnNode<ObjectUse>(node);
1837             }
1838             break;
1839
1840         case IsCellWithType: {
1841             fixupIsCellWithType(node);
1842             break;
1843         }
1844
1845         case GetEnumerableLength: {
1846             fixEdge<CellUse>(node->child1());
1847             break;
1848         }
1849         case HasGenericProperty: {
1850             fixEdge<CellUse>(node->child2());
1851             break;
1852         }
1853         case HasStructureProperty: {
1854             fixEdge<StringUse>(node->child2());
1855             fixEdge<KnownCellUse>(node->child3());
1856             break;
1857         }
1858         case HasIndexedProperty: {
1859             node->setArrayMode(
1860                 node->arrayMode().refine(
1861                     m_graph, node,
1862                     m_graph.varArgChild(node, 0)->prediction(),
1863                     m_graph.varArgChild(node, 1)->prediction(),
1864                     SpecNone));
1865             
1866             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
1867             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1868             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1869             break;
1870         }
1871         case GetDirectPname: {
1872             Edge& base = m_graph.varArgChild(node, 0);
1873             Edge& property = m_graph.varArgChild(node, 1);
1874             Edge& index = m_graph.varArgChild(node, 2);
1875             Edge& enumerator = m_graph.varArgChild(node, 3);
1876             fixEdge<CellUse>(base);
1877             fixEdge<KnownCellUse>(property);
1878             fixEdge<Int32Use>(index);
1879             fixEdge<KnownCellUse>(enumerator);
1880             break;
1881         }
1882         case GetPropertyEnumerator: {
1883             if (node->child1()->shouldSpeculateCell())
1884                 fixEdge<CellUse>(node->child1());
1885             break;
1886         }
1887         case GetEnumeratorStructurePname: {
1888             fixEdge<KnownCellUse>(node->child1());
1889             fixEdge<Int32Use>(node->child2());
1890             break;
1891         }
1892         case GetEnumeratorGenericPname: {
1893             fixEdge<KnownCellUse>(node->child1());
1894             fixEdge<Int32Use>(node->child2());
1895             break;
1896         }
1897         case ToIndexString: {
1898             fixEdge<Int32Use>(node->child1());
1899             break;
1900         }
1901         case ProfileType: {
1902             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1903             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1904             // type T for the instructionTypeSet, the global type set must also have information for type T.
1905             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1906             // in the globalTypeSet would've also succeeded.
1907             // (The other direction does not hold in general).
1908
1909             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1910             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1911             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1912                 if (node->child1()->shouldSpeculateInt32()) {
1913                     fixEdge<Int32Use>(node->child1());
1914                     node->remove(m_graph);
1915                     break;
1916                 }
1917
1918                 if (enableInt52()) {
1919                     fixEdge<AnyIntUse>(node->child1());
1920                     node->remove(m_graph);
1921                     break;
1922                 }
1923
1924                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1925             }
1926
1927             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1928                 fixEdge<NumberUse>(node->child1());
1929                 node->remove(m_graph);
1930             } else if (typeSet->doesTypeConformTo(TypeString)) {
1931                 fixEdge<StringUse>(node->child1());
1932                 node->remove(m_graph);
1933             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1934                 fixEdge<BooleanUse>(node->child1());
1935                 node->remove(m_graph);
1936             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1937                 fixEdge<OtherUse>(node->child1());
1938                 node->remove(m_graph);
1939             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1940                 StructureSet set;
1941                 {
1942                     ConcurrentJSLocker locker(typeSet->m_lock);
1943                     set = typeSet->structureSet(locker);
1944                 }
1945                 if (!set.isEmpty()) {
1946                     fixEdge<CellUse>(node->child1());
1947                     node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
1948                 }
1949             }
1950
1951             break;
1952         }
1953
1954         case CreateClonedArguments: {
1955             watchHavingABadTime(node);
1956             break;
1957         }
1958
1959         case CreateScopedArguments:
1960         case CreateActivation:
1961         case NewFunction:
1962         case NewGeneratorFunction:
1963         case NewAsyncGeneratorFunction:
1964         case NewAsyncFunction: {
1965             // Child 1 is always the current scope, which is guaranteed to be an object
1966             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1967             fixEdge<KnownCellUse>(node->child1());
1968             break;
1969         }
1970
1971         case PushWithScope: {
1972             // Child 1 is always the current scope, which is guaranteed to be an object
1973             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1974             fixEdge<KnownCellUse>(node->child1());
1975             if (node->child2()->shouldSpeculateObject())
1976                 fixEdge<ObjectUse>(node->child2());
1977             break;
1978         }
1979
1980         case SetFunctionName: {
1981             // The first child is guaranteed to be a cell because op_set_function_name is only used
1982             // on a newly instantiated function object (the first child).
1983             fixEdge<KnownCellUse>(node->child1());
1984             fixEdge<UntypedUse>(node->child2());
1985             break;
1986         }
1987
1988         case CreateRest: {
1989             watchHavingABadTime(node);
1990             fixEdge<Int32Use>(node->child1());
1991             break;
1992         }
1993
1994         case ResolveScopeForHoistingFuncDeclInEval: {
1995             fixEdge<KnownCellUse>(node->child1());
1996             break;
1997         }
1998         case ResolveScope:
1999         case GetDynamicVar:
2000         case PutDynamicVar: {
2001             fixEdge<KnownCellUse>(node->child1());
2002             break;
2003         }
2004
2005         case LogShadowChickenPrologue: {
2006             fixEdge<KnownCellUse>(node->child1());
2007             break;
2008         }
2009         case LogShadowChickenTail: {
2010             fixEdge<UntypedUse>(node->child1());
2011             fixEdge<KnownCellUse>(node->child2());
2012             break;
2013         }
2014
2015         case GetMapBucket:
2016             if (node->child1().useKind() == MapObjectUse)
2017                 fixEdge<MapObjectUse>(node->child1());
2018             else if (node->child1().useKind() == SetObjectUse)
2019                 fixEdge<SetObjectUse>(node->child1());
2020             else
2021                 RELEASE_ASSERT_NOT_REACHED();
2022
2023 #if USE(JSVALUE64)
2024             if (node->child2()->shouldSpeculateBoolean())
2025                 fixEdge<BooleanUse>(node->child2());
2026             else if (node->child2()->shouldSpeculateInt32())
2027                 fixEdge<Int32Use>(node->child2());
2028             else if (node->child2()->shouldSpeculateSymbol())
2029                 fixEdge<SymbolUse>(node->child2());
2030             else if (node->child2()->shouldSpeculateObject())
2031                 fixEdge<ObjectUse>(node->child2());
2032             else if (node->child2()->shouldSpeculateString())
2033                 fixEdge<StringUse>(node->child2());
2034             else if (node->child2()->shouldSpeculateCell())
2035                 fixEdge<CellUse>(node->child2());
2036             else
2037                 fixEdge<UntypedUse>(node->child2());
2038 #else
2039             fixEdge<UntypedUse>(node->child2());
2040 #endif // USE(JSVALUE64)
2041
2042             fixEdge<Int32Use>(node->child3());
2043             break;
2044
2045         case GetMapBucketHead:
2046             if (node->child1().useKind() == MapObjectUse)
2047                 fixEdge<MapObjectUse>(node->child1());
2048             else if (node->child1().useKind() == SetObjectUse)
2049                 fixEdge<SetObjectUse>(node->child1());
2050             else
2051                 RELEASE_ASSERT_NOT_REACHED();
2052             break;
2053
2054         case GetMapBucketNext:
2055         case LoadKeyFromMapBucket:
2056         case LoadValueFromMapBucket:
2057             fixEdge<CellUse>(node->child1());
2058             break;
2059
2060         case MapHash: {
2061 #if USE(JSVALUE64)
2062             if (node->child1()->shouldSpeculateBoolean()) {
2063                 fixEdge<BooleanUse>(node->child1());
2064                 break;
2065             }
2066
2067             if (node->child1()->shouldSpeculateInt32()) {
2068                 fixEdge<Int32Use>(node->child1());
2069                 break;
2070             }
2071
2072             if (node->child1()->shouldSpeculateSymbol()) {
2073                 fixEdge<SymbolUse>(node->child1());
2074                 break;
2075             }
2076
2077             if (node->child1()->shouldSpeculateObject()) {
2078                 fixEdge<ObjectUse>(node->child1());
2079                 break;
2080             }
2081
2082             if (node->child1()->shouldSpeculateString()) {
2083                 fixEdge<StringUse>(node->child1());
2084                 break;
2085             }
2086
2087             if (node->child1()->shouldSpeculateCell()) {
2088                 fixEdge<CellUse>(node->child1());
2089                 break;
2090             }
2091
2092             fixEdge<UntypedUse>(node->child1());
2093 #else
2094             fixEdge<UntypedUse>(node->child1());
2095 #endif // USE(JSVALUE64)
2096             break;
2097         }
2098
2099         case NormalizeMapKey: {
2100             fixupNormalizeMapKey(node);
2101             break;
2102         }
2103
2104         case WeakMapGet: {
2105             if (node->child1().useKind() == WeakMapObjectUse)
2106                 fixEdge<WeakMapObjectUse>(node->child1());
2107             else if (node->child1().useKind() == WeakSetObjectUse)
2108                 fixEdge<WeakSetObjectUse>(node->child1());
2109             else
2110                 RELEASE_ASSERT_NOT_REACHED();
2111             fixEdge<ObjectUse>(node->child2());
2112             fixEdge<Int32Use>(node->child3());
2113             break;
2114         }
2115
2116         case SetAdd: {
2117             fixEdge<SetObjectUse>(node->child1());
2118             fixEdge<Int32Use>(node->child3());
2119             break;
2120         }
2121
2122         case MapSet: {
2123             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
2124             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2125             break;
2126         }
2127
2128         case WeakSetAdd: {
2129             fixEdge<WeakSetObjectUse>(node->child1());
2130             fixEdge<ObjectUse>(node->child2());
2131             fixEdge<Int32Use>(node->child3());
2132             break;
2133         }
2134
2135         case WeakMapSet: {
2136             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2137             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2138             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2139             break;
2140         }
2141
2142         case DefineDataProperty: {
2143             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2144             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2145             if (propertyEdge->shouldSpeculateSymbol())
2146                 fixEdge<SymbolUse>(propertyEdge);
2147             else if (propertyEdge->shouldSpeculateStringIdent())
2148                 fixEdge<StringIdentUse>(propertyEdge);
2149             else if (propertyEdge->shouldSpeculateString())
2150                 fixEdge<StringUse>(propertyEdge);
2151             else
2152                 fixEdge<UntypedUse>(propertyEdge);
2153             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2154             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2155             break;
2156         }
2157
2158         case StringValueOf: {
2159             fixupStringValueOf(node);
2160             break;
2161         }
2162
2163         case StringSlice: {
2164             fixEdge<StringUse>(node->child1());
2165             fixEdge<Int32Use>(node->child2());
2166             if (node->child3())
2167                 fixEdge<Int32Use>(node->child3());
2168             break;
2169         }
2170
2171         case ToLowerCase: {
2172             // We currently only support StringUse since that will ensure that
2173             // ToLowerCase is a pure operation. If we decide to update this with
2174             // more types in the future, we need to ensure that the clobberize rules
2175             // are correct.
2176             fixEdge<StringUse>(node->child1());
2177             break;
2178         }
2179
2180         case NumberToStringWithRadix: {
2181             if (node->child1()->shouldSpeculateInt32())
2182                 fixEdge<Int32Use>(node->child1());
2183             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2184                 fixEdge<Int52RepUse>(node->child1());
2185             else
2186                 fixEdge<DoubleRepUse>(node->child1());
2187             fixEdge<Int32Use>(node->child2());
2188             break;
2189         }
2190
2191         case DefineAccessorProperty: {
2192             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2193             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2194             if (propertyEdge->shouldSpeculateSymbol())
2195                 fixEdge<SymbolUse>(propertyEdge);
2196             else if (propertyEdge->shouldSpeculateStringIdent())
2197                 fixEdge<StringIdentUse>(propertyEdge);
2198             else if (propertyEdge->shouldSpeculateString())
2199                 fixEdge<StringUse>(propertyEdge);
2200             else
2201                 fixEdge<UntypedUse>(propertyEdge);
2202             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2203             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2204             fixEdge<Int32Use>(m_graph.varArgChild(node, 4));
2205             break;
2206         }
2207
2208         case CheckSubClass: {
2209             fixupCheckSubClass(node);
2210             break;
2211         }
2212
2213         case CallDOMGetter: {
2214             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2215             fixEdge<CellUse>(node->child1()); // DOM.
2216             if (snippet && snippet->requireGlobalObject)
2217                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2218             break;
2219         }
2220
2221         case CallDOM: {
2222             fixupCallDOM(node);
2223             break;
2224         }
2225
2226         case Call: {
2227             attemptToMakeCallDOM(node);
2228             break;
2229         }
2230
2231         case ParseInt: {
2232             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2233                 fixEdge<Int32Use>(node->child1());
2234                 node->convertToIdentity();
2235                 break;
2236             }
2237
2238             if (node->child1()->shouldSpeculateString()) {
2239                 fixEdge<StringUse>(node->child1());
2240                 node->clearFlags(NodeMustGenerate);
2241             }
2242
2243             if (node->child2())
2244                 fixEdge<Int32Use>(node->child2());
2245
2246             break;
2247         }
2248
2249         case IdentityWithProfile: {
2250             node->clearFlags(NodeMustGenerate);
2251             break;
2252         }
2253
2254         case ThrowStaticError:
2255             fixEdge<StringUse>(node->child1());
2256             break;
2257
2258         case NumberIsInteger:
2259             if (node->child1()->shouldSpeculateInt32()) {
2260                 m_insertionSet.insertNode(
2261                     m_indexInBlock, SpecNone, Check, node->origin,
2262                     Edge(node->child1().node(), Int32Use));
2263                 m_graph.convertToConstant(node, jsBoolean(true));
2264                 break;
2265             }
2266             break;
2267
2268         case SetCallee:
2269             fixEdge<CellUse>(node->child1());
2270             break;
2271
2272         case DataViewGetInt:
2273         case DataViewGetFloat: {
2274             fixEdge<DataViewObjectUse>(node->child1());
2275             fixEdge<Int32Use>(node->child2());
2276             if (node->child3())
2277                 fixEdge<BooleanUse>(node->child3());
2278
2279             if (node->op() == DataViewGetInt) {
2280                 DataViewData data = node->dataViewData();
2281                 switch (data.byteSize) {
2282                 case 1:
2283                 case 2:
2284                     node->setResult(NodeResultInt32);
2285                     break;
2286                 case 4:
2287                     if (data.isSigned)
2288                         node->setResult(NodeResultInt32);
2289                     else
2290                         node->setResult(NodeResultInt52);
2291                     break;
2292                 default:
2293                     RELEASE_ASSERT_NOT_REACHED();
2294                 }
2295             }
2296             break;
2297         }
2298
2299         case DataViewSet: {
2300             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2301             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2302             if (m_graph.varArgChild(node, 3))
2303                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2304             
2305             DataViewData data = node->dataViewData();
2306             Edge& valueToStore = m_graph.varArgChild(node, 2);
2307             if (data.isFloatingPoint)
2308                 fixEdge<DoubleRepUse>(valueToStore);
2309             else {
2310                 switch (data.byteSize) {
2311                 case 1:
2312                 case 2:
2313                     fixEdge<Int32Use>(valueToStore);
2314                     break;
2315                 case 4:
2316                     if (data.isSigned)
2317                         fixEdge<Int32Use>(valueToStore);
2318                     else
2319                         fixEdge<Int52RepUse>(valueToStore);
2320                     break;
2321                 }
2322             }
2323             break;
2324         }
2325
2326 #if !ASSERT_DISABLED
2327         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2328         case SetArgument:
2329         case JSConstant:
2330         case LazyJSConstant:
2331         case DoubleConstant:
2332         case GetLocal:
2333         case GetCallee:
2334         case GetArgumentCountIncludingThis:
2335         case SetArgumentCountIncludingThis:
2336         case GetRestLength:
2337         case GetArgument:
2338         case Flush:
2339         case PhantomLocal:
2340         case GetGlobalVar:
2341         case GetGlobalLexicalVariable:
2342         case NotifyWrite:
2343         case DirectCall:
2344         case CheckTypeInfoFlags:
2345         case TailCallInlinedCaller:
2346         case DirectTailCallInlinedCaller:
2347         case Construct:
2348         case DirectConstruct:
2349         case CallVarargs:
2350         case CallEval:
2351         case TailCallVarargsInlinedCaller:
2352         case ConstructVarargs:
2353         case CallForwardVarargs:
2354         case ConstructForwardVarargs:
2355         case TailCallForwardVarargs:
2356         case TailCallForwardVarargsInlinedCaller:
2357         case LoadVarargs:
2358         case ForwardVarargs:
2359         case ProfileControlFlow:
2360         case NewObject:
2361         case NewRegexp:
2362         case DeleteById:
2363         case DeleteByVal:
2364         case IsTypedArrayView:
2365         case IsEmpty:
2366         case IsUndefined:
2367         case IsUndefinedOrNull:
2368         case IsBoolean:
2369         case IsNumber:
2370         case IsObjectOrNull:
2371         case IsFunction:
2372         case CreateDirectArguments:
2373         case Jump:
2374         case Return:
2375         case TailCall:
2376         case DirectTailCall:
2377         case TailCallVarargs:
2378         case Throw:
2379         case CountExecution:
2380         case SuperSamplerBegin:
2381         case SuperSamplerEnd:
2382         case ForceOSRExit:
2383         case CheckBadCell:
2384         case CheckNotEmpty:
2385         case AssertNotEmpty:
2386         case CheckTraps:
2387         case Unreachable:
2388         case ExtractOSREntryLocal:
2389         case ExtractCatchLocal:
2390         case ClearCatchLocals:
2391         case LoopHint:
2392         case MovHint:
2393         case InitializeEntrypointArguments:
2394         case ZombieHint:
2395         case ExitOK:
2396         case BottomValue:
2397         case TypeOf:
2398         case PutByIdWithThis:
2399         case PutByValWithThis:
2400         case GetByValWithThis:
2401         case CompareEqPtr:
2402         case NumberToStringWithValidRadixConstant:
2403         case GetGlobalThis:
2404         case ExtractValueFromWeakMapGet:
2405         case CPUIntrinsic:
2406         case FilterCallLinkStatus:
2407         case FilterGetByIdStatus:
2408         case FilterPutByIdStatus:
2409         case FilterInByIdStatus:
2410         case InvalidationPoint:
2411             break;
2412 #else
2413         default:
2414             break;
2415 #endif
2416         }
2417     }
2418
2419     void watchHavingABadTime(Node* node)
2420     {
2421         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2422
2423         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2424         // does an array allocation. The types of array allocations may change if we start to have a bad
2425         // time. It's easier to reason about this if we know that whenever the types change after we start
2426         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2427         // prior to this point nobody should have been doing optimizations based on the indexing type of
2428         // the allocation.
2429         if (!globalObject->isHavingABadTime()) {
2430             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2431             m_graph.freeze(globalObject);
2432         }
2433     }
2434     
2435     template<UseKind useKind>
2436     void createToString(Node* node, Edge& edge)
2437     {
2438         Node* toString = m_insertionSet.insertNode(
2439             m_indexInBlock, SpecString, ToString, node->origin,
2440             Edge(edge.node(), useKind));
2441         switch (useKind) {
2442         case Int32Use:
2443         case Int52RepUse:
2444         case DoubleRepUse:
2445         case NotCellUse:
2446             toString->clearFlags(NodeMustGenerate);
2447             break;
2448         default:
2449             break;
2450         }
2451         edge.setNode(toString);
2452     }
2453     
2454     template<UseKind useKind>
2455     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2456     {
2457         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read) || arrayMode == ArrayMode(Array::Generic, Array::OriginalNonArray, Array::Read));
2458         
2459         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2460             return;
2461         
2462         addCheckStructureForOriginalStringObjectUse(useKind, node->origin, node->child1().node());
2463         createToString<useKind>(node, node->child1());
2464         arrayMode = ArrayMode(Array::String, Array::Read);
2465     }
2466
2467     void addCheckStructureForOriginalStringObjectUse(UseKind useKind, const NodeOrigin& origin, Node* node)
2468     {
2469         RELEASE_ASSERT(useKind == StringObjectUse || useKind == StringOrStringObjectUse);
2470
2471         StructureSet set;
2472         set.add(m_graph.globalObjectFor(node->origin.semantic)->stringObjectStructure());
2473         if (useKind == StringOrStringObjectUse)
2474             set.add(vm().stringStructure.get());
2475
2476         m_insertionSet.insertNode(
2477             m_indexInBlock, SpecNone, CheckStructure, origin,
2478             OpInfo(m_graph.addStructureSet(set)), Edge(node, CellUse));
2479     }
2480     
2481     template<UseKind useKind>
2482     void convertStringAddUse(Node* node, Edge& edge)
2483     {
2484         if (useKind == StringUse) {
2485             observeUseKindOnNode<StringUse>(edge.node());
2486             m_insertionSet.insertNode(
2487                 m_indexInBlock, SpecNone, Check, node->origin,
2488                 Edge(edge.node(), StringUse));
2489             edge.setUseKind(KnownStringUse);
2490             return;
2491         }
2492         
2493         observeUseKindOnNode<useKind>(edge.node());
2494         createToString<useKind>(node, edge);
2495     }
2496     
2497     void convertToMakeRope(Node* node)
2498     {
2499         node->setOpAndDefaultFlags(MakeRope);
2500         fixupMakeRope(node);
2501     }
2502     
2503     void fixupMakeRope(Node* node)
2504     {
2505         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2506             Edge& edge = node->children.child(i);
2507             if (!edge)
2508                 break;
2509             edge.setUseKind(KnownStringUse);
2510             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2511             if (!string)
2512                 continue;
2513             if (string->length())
2514                 continue;
2515             
2516             // Don't allow the MakeRope to have zero children.
2517             if (!i && !node->child2())
2518                 break;
2519             
2520             node->children.removeEdge(i--);
2521         }
2522         
2523         if (!node->child2()) {
2524             ASSERT(!node->child3());
2525             node->convertToIdentity();
2526         }
2527     }
2528
2529     void fixupIsCellWithType(Node* node)
2530     {
2531         switch (node->speculatedTypeForQuery()) {
2532         case SpecString:
2533             if (node->child1()->shouldSpeculateString()) {
2534                 m_insertionSet.insertNode(
2535                     m_indexInBlock, SpecNone, Check, node->origin,
2536                     Edge(node->child1().node(), StringUse));
2537                 m_graph.convertToConstant(node, jsBoolean(true));
2538                 observeUseKindOnNode<StringUse>(node);
2539                 return;
2540             }
2541             break;
2542
2543         case SpecProxyObject:
2544             if (node->child1()->shouldSpeculateProxyObject()) {
2545                 m_insertionSet.insertNode(
2546                     m_indexInBlock, SpecNone, Check, node->origin,
2547                     Edge(node->child1().node(), ProxyObjectUse));
2548                 m_graph.convertToConstant(node, jsBoolean(true));
2549                 observeUseKindOnNode<ProxyObjectUse>(node);
2550                 return;
2551             }
2552             break;
2553
2554         case SpecRegExpObject:
2555             if (node->child1()->shouldSpeculateRegExpObject()) {
2556                 m_insertionSet.insertNode(
2557                     m_indexInBlock, SpecNone, Check, node->origin,
2558                     Edge(node->child1().node(), RegExpObjectUse));
2559                 m_graph.convertToConstant(node, jsBoolean(true));
2560                 observeUseKindOnNode<RegExpObjectUse>(node);
2561                 return;
2562             }
2563             break;
2564
2565         case SpecArray:
2566             if (node->child1()->shouldSpeculateArray()) {
2567                 m_insertionSet.insertNode(
2568                     m_indexInBlock, SpecNone, Check, node->origin,
2569                     Edge(node->child1().node(), ArrayUse));
2570                 m_graph.convertToConstant(node, jsBoolean(true));
2571                 observeUseKindOnNode<ArrayUse>(node);
2572                 return;
2573             }
2574             break;
2575
2576         case SpecDerivedArray:
2577             if (node->child1()->shouldSpeculateDerivedArray()) {
2578                 m_insertionSet.insertNode(
2579                     m_indexInBlock, SpecNone, Check, node->origin,
2580                     Edge(node->child1().node(), DerivedArrayUse));
2581                 m_graph.convertToConstant(node, jsBoolean(true));
2582                 observeUseKindOnNode<DerivedArrayUse>(node);
2583                 return;
2584             }
2585             break;
2586         }
2587
2588         if (node->child1()->shouldSpeculateCell()) {
2589             fixEdge<CellUse>(node->child1());
2590             return;
2591         }
2592
2593         if (node->child1()->shouldSpeculateNotCell()) {
2594             m_insertionSet.insertNode(
2595                 m_indexInBlock, SpecNone, Check, node->origin,
2596                 Edge(node->child1().node(), NotCellUse));
2597             m_graph.convertToConstant(node, jsBoolean(false));
2598             observeUseKindOnNode<NotCellUse>(node);
2599             return;
2600         }
2601     }
2602
2603     void fixupGetPrototypeOf(Node* node)
2604     {
2605         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2606         if (node->child1().useKind() != ObjectUse) {
2607             if (node->child1()->shouldSpeculateString()) {
2608                 insertCheck<StringUse>(node->child1().node());
2609                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2610                 return;
2611             }
2612             if (node->child1()->shouldSpeculateInt32()) {
2613                 insertCheck<Int32Use>(node->child1().node());
2614                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2615                 return;
2616             }
2617             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2618                 insertCheck<Int52RepUse>(node->child1().node());
2619                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2620                 return;
2621             }
2622             if (node->child1()->shouldSpeculateNumber()) {
2623                 insertCheck<NumberUse>(node->child1().node());
2624                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2625                 return;
2626             }
2627             if (node->child1()->shouldSpeculateSymbol()) {
2628                 insertCheck<SymbolUse>(node->child1().node());
2629                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2630                 return;
2631             }
2632             if (node->child1()->shouldSpeculateBoolean()) {
2633                 insertCheck<BooleanUse>(node->child1().node());
2634                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2635                 return;
2636             }
2637         }
2638
2639         if (node->child1()->shouldSpeculateFinalObject()) {
2640             fixEdge<FinalObjectUse>(node->child1());
2641             node->clearFlags(NodeMustGenerate);
2642             return;
2643         }
2644         if (node->child1()->shouldSpeculateArray()) {
2645             fixEdge<ArrayUse>(node->child1());
2646             node->clearFlags(NodeMustGenerate);
2647             return;
2648         }
2649         if (node->child1()->shouldSpeculateFunction()) {
2650             fixEdge<FunctionUse>(node->child1());
2651             node->clearFlags(NodeMustGenerate);
2652             return;
2653         }
2654     }
2655
2656     void fixupToThis(Node* node)
2657     {
2658         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2659
2660         if (ecmaMode == StrictMode) {
2661             if (node->child1()->shouldSpeculateBoolean()) {
2662                 fixEdge<BooleanUse>(node->child1());
2663                 node->convertToIdentity();
2664                 return;
2665             }
2666
2667             if (node->child1()->shouldSpeculateInt32()) {
2668                 fixEdge<Int32Use>(node->child1());
2669                 node->convertToIdentity();
2670                 return;
2671             }
2672
2673             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2674                 fixEdge<Int52RepUse>(node->child1());
2675                 node->convertToIdentity();
2676                 node->setResult(NodeResultInt52);
2677                 return;
2678             }
2679
2680             if (node->child1()->shouldSpeculateNumber()) {
2681                 fixEdge<DoubleRepUse>(node->child1());
2682                 node->convertToIdentity();
2683                 node->setResult(NodeResultDouble);
2684                 return;
2685             }
2686
2687             if (node->child1()->shouldSpeculateSymbol()) {
2688                 fixEdge<SymbolUse>(node->child1());
2689                 node->convertToIdentity();
2690                 return;
2691             }
2692
2693             if (node->child1()->shouldSpeculateStringIdent()) {
2694                 fixEdge<StringIdentUse>(node->child1());
2695                 node->convertToIdentity();
2696                 return;
2697             }
2698
2699             if (node->child1()->shouldSpeculateString()) {
2700                 fixEdge<StringUse>(node->child1());
2701                 node->convertToIdentity();
2702                 return;
2703             }
2704             
2705             if (node->child1()->shouldSpeculateBigInt()) {
2706                 fixEdge<BigIntUse>(node->child1());
2707                 node->convertToIdentity();
2708                 return;
2709             }
2710         }
2711
2712         if (node->child1()->shouldSpeculateOther()) {
2713             if (ecmaMode == StrictMode) {
2714                 fixEdge<OtherUse>(node->child1());
2715                 node->convertToIdentity();
2716                 return;
2717             }
2718
2719             m_insertionSet.insertNode(
2720                 m_indexInBlock, SpecNone, Check, node->origin,
2721                 Edge(node->child1().node(), OtherUse));
2722             observeUseKindOnNode<OtherUse>(node->child1().node());
2723             m_graph.convertToConstant(
2724                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2725             return;
2726         }
2727
2728         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2729         // however, since we cover all the missing cases in constant folding.
2730         // https://bugs.webkit.org/show_bug.cgi?id=157213
2731         if (node->child1()->shouldSpeculateStringObject()) {
2732             fixEdge<StringObjectUse>(node->child1());
2733             node->convertToIdentity();
2734             return;
2735         }
2736
2737         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2738             fixEdge<FinalObjectUse>(node->child1());
2739             node->convertToIdentity();
2740             return;
2741         }
2742     }
2743     
2744     void fixupToPrimitive(Node* node)
2745     {
2746         if (node->child1()->shouldSpeculateInt32()) {
2747             fixEdge<Int32Use>(node->child1());
2748             node->convertToIdentity();
2749             return;
2750         }
2751         
2752         if (node->child1()->shouldSpeculateString()) {
2753             fixEdge<StringUse>(node->child1());
2754             node->convertToIdentity();
2755             return;
2756         }
2757         
2758         if (node->child1()->shouldSpeculateStringObject()
2759             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2760             addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, node->child1().node());
2761             fixEdge<StringObjectUse>(node->child1());
2762             node->convertToToString();
2763             return;
2764         }
2765         
2766         if (node->child1()->shouldSpeculateStringOrStringObject()
2767             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2768             addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, node->child1().node());
2769             fixEdge<StringOrStringObjectUse>(node->child1());
2770             node->convertToToString();
2771             return;
2772         }
2773     }
2774
2775     void fixupToNumber(Node* node)
2776     {
2777         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2778         if (node->child1()->shouldSpeculateNumber()) {
2779             if (isInt32Speculation(node->getHeapPrediction())) {
2780                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2781                 if (node->child1()->shouldSpeculateInt32()) {
2782                     fixEdge<Int32Use>(node->child1());
2783                     node->convertToIdentity();
2784                     return;
2785                 }
2786
2787                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2788                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2789                 fixEdge<DoubleRepUse>(node->child1());
2790                 node->setOp(DoubleAsInt32);
2791                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2792                     node->setArithMode(Arith::CheckOverflow);
2793                 else
2794                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2795                 return;
2796             }
2797
2798             fixEdge<DoubleRepUse>(node->child1());
2799             node->convertToIdentity();
2800             node->setResult(NodeResultDouble);
2801             return;
2802         }
2803
2804         fixEdge<UntypedUse>(node->child1());
2805         node->setResult(NodeResultJS);
2806     }
2807
2808     void fixupToObject(Node* node)
2809     {
2810         if (node->child1()->shouldSpeculateObject()) {
2811             fixEdge<ObjectUse>(node->child1());
2812             node->convertToIdentity();
2813             return;
2814         }
2815
2816         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2817
2818         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2819
2820         if (node->child1()->shouldSpeculateString()) {
2821             insertCheck<StringUse>(node->child1().node());
2822             fixEdge<KnownStringUse>(node->child1());
2823             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2824             return;
2825         }
2826
2827         if (node->child1()->shouldSpeculateSymbol()) {
2828             insertCheck<SymbolUse>(node->child1().node());
2829             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2830             return;
2831         }
2832
2833         if (node->child1()->shouldSpeculateNumber()) {
2834             insertCheck<NumberUse>(node->child1().node());
2835             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2836             return;
2837         }
2838
2839         if (node->child1()->shouldSpeculateBoolean()) {
2840             insertCheck<BooleanUse>(node->child1().node());
2841             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2842             return;
2843         }
2844
2845         fixEdge<UntypedUse>(node->child1());
2846     }
2847
2848     void fixupCallObjectConstructor(Node* node)
2849     {
2850         if (node->child1()->shouldSpeculateObject()) {
2851             fixEdge<ObjectUse>(node->child1());
2852             node->convertToIdentity();
2853             return;
2854         }
2855
2856         if (node->child1()->shouldSpeculateString()) {
2857             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2858             insertCheck<StringUse>(node->child1().node());
2859             fixEdge<KnownStringUse>(node->child1());
2860             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2861             return;
2862         }
2863
2864         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2865         if (node->child1()->shouldSpeculateOther()) {
2866             insertCheck<OtherUse>(node->child1().node());
2867             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2868             return;
2869         }
2870
2871         fixEdge<UntypedUse>(node->child1());
2872     }
2873     
2874     void fixupToStringOrCallStringConstructor(Node* node)
2875     {
2876         if (node->child1()->shouldSpeculateString()) {
2877             fixEdge<StringUse>(node->child1());
2878             node->convertToIdentity();
2879             return;
2880         }
2881         
2882         if (node->child1()->shouldSpeculateStringObject()
2883             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2884             addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, node->child1().node());
2885             fixEdge<StringObjectUse>(node->child1());
2886             return;
2887         }
2888         
2889         if (node->child1()->shouldSpeculateStringOrStringObject()
2890             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2891             addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, node->child1().node());
2892             fixEdge<StringOrStringObjectUse>(node->child1());
2893             return;
2894         }
2895         
2896         if (node->child1()->shouldSpeculateCell()) {
2897             fixEdge<CellUse>(node->child1());
2898             return;
2899         }
2900
2901         if (node->child1()->shouldSpeculateInt32()) {
2902             fixEdge<Int32Use>(node->child1());
2903             node->clearFlags(NodeMustGenerate);
2904             return;
2905         }
2906
2907         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2908             fixEdge<Int52RepUse>(node->child1());
2909             node->clearFlags(NodeMustGenerate);
2910             return;
2911         }
2912
2913         if (node->child1()->shouldSpeculateNumber()) {
2914             fixEdge<DoubleRepUse>(node->child1());
2915             node->clearFlags(NodeMustGenerate);
2916             return;
2917         }
2918
2919         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2920         // we need to care about it in the clobberize. In the following case,
2921         // since NotCellUse edge filter is used and this edge filters Symbols,
2922         // we can say that ToString never throws an error!
2923         if (node->child1()->shouldSpeculateNotCell()) {
2924             fixEdge<NotCellUse>(node->child1());
2925             node->clearFlags(NodeMustGenerate);
2926             return;
2927         }
2928     }
2929
2930     void fixupStringValueOf(Node* node)
2931     {
2932         if (node->child1()->shouldSpeculateString()) {
2933             fixEdge<StringUse>(node->child1());
2934             node->convertToIdentity();
2935             return;
2936         }
2937
2938         if (node->child1()->shouldSpeculateStringObject()) {
2939             fixEdge<StringObjectUse>(node->child1());
2940             node->convertToToString();
2941             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2942             node->clearFlags(NodeMustGenerate);
2943             return;
2944         }
2945
2946         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2947             fixEdge<StringOrStringObjectUse>(node->child1());
2948             node->convertToToString();
2949             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2950             node->clearFlags(NodeMustGenerate);
2951             return;
2952         }
2953     }
2954
2955     bool attemptToMakeFastStringAdd(Node* node)
2956     {
2957         bool goodToGo = true;
2958         m_graph.doToChildren(
2959             node,
2960             [&] (Edge& edge) {
2961                 if (edge->shouldSpeculateString())
2962                     return;
2963                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2964                     if (edge->shouldSpeculateStringObject())
2965                         return;
2966                     if (edge->shouldSpeculateStringOrStringObject())
2967                         return;
2968                 }
2969                 goodToGo = false;
2970             });
2971         if (!goodToGo)
2972             return false;
2973
2974         m_graph.doToChildren(
2975             node,
2976             [&] (Edge& edge) {
2977                 if (edge->shouldSpeculateString()) {
2978                     convertStringAddUse<StringUse>(node, edge);
2979                     return;
2980                 }
2981                 if (!Options::useConcurrentJIT())
2982                     ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2983                 if (edge->shouldSpeculateStringObject()) {
2984                     addCheckStructureForOriginalStringObjectUse(StringObjectUse, node->origin, edge.node());
2985                     convertStringAddUse<StringObjectUse>(node, edge);
2986                     return;
2987                 }
2988                 if (edge->shouldSpeculateStringOrStringObject()) {
2989                     addCheckStructureForOriginalStringObjectUse(StringOrStringObjectUse, node->origin, edge.node());
2990                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2991                     return;
2992                 }
2993                 RELEASE_ASSERT_NOT_REACHED();
2994             });
2995         
2996         convertToMakeRope(node);
2997         return true;
2998     }
2999
3000     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
3001     {
3002         if (!block)
3003             return;
3004         ASSERT(block->isReachable);
3005         m_block = block;
3006         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
3007             Node* node = m_currentNode = block->at(m_indexInBlock);
3008             if (node->op() != SetLocal && node->op() != GetLocal)
3009                 continue;
3010             
3011             VariableAccessData* variable = node->variableAccessData();
3012             switch (node->op()) {
3013             case GetLocal:
3014                 switch (variable->flushFormat()) {
3015                 case FlushedDouble:
3016                     node->setResult(NodeResultDouble);
3017                     break;
3018                 case FlushedInt52:
3019                     node->setResult(NodeResultInt52);
3020                     break;
3021                 default:
3022                     break;
3023                 }
3024                 break;
3025                 
3026             case SetLocal:
3027                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
3028                 // add new type checking use kind for SetLocals, we need to modify that code as well.
3029                 
3030                 switch (variable->flushFormat()) {
3031                 case FlushedJSValue:
3032                     break;
3033                 case FlushedDouble:
3034                     fixEdge<DoubleRepUse>(node->child1());
3035                     break;
3036                 case FlushedInt32:
3037                     fixEdge<Int32Use>(node->child1());
3038                     break;
3039                 case FlushedInt52:
3040                     fixEdge<Int52RepUse>(node->child1());
3041                     break;
3042                 case FlushedCell:
3043                     fixEdge<CellUse>(node->child1());
3044                     break;
3045                 case FlushedBoolean:
3046                     fixEdge<BooleanUse>(node->child1());
3047                     break;
3048                 default:
3049                     RELEASE_ASSERT_NOT_REACHED();
3050                     break;
3051                 }
3052                 break;
3053                 
3054             default:
3055                 RELEASE_ASSERT_NOT_REACHED();
3056                 break;
3057             }
3058         }
3059         m_insertionSet.execute(block);
3060     }
3061     
3062     void addStringReplacePrimordialChecks(Node* searchRegExp)
3063     {
3064         Node* node = m_currentNode;
3065
3066         // Check that structure of searchRegExp is RegExp object
3067         m_insertionSet.insertNode(
3068             m_indexInBlock, SpecNone, Check, node->origin,
3069             Edge(searchRegExp, RegExpObjectUse));
3070
3071         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
3072             unsigned index = m_graph.identifiers().ensure(propertyUID);
3073
3074             Node* actualProperty = m_insertionSet.insertNode(
3075                 m_indexInBlock, SpecNone, TryGetById, node->origin,
3076                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
3077
3078             m_insertionSet.insertNode(
3079                 m_indexInBlock, SpecNone, CheckCell, node->origin,
3080                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
3081         };
3082
3083         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
3084
3085         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
3086         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
3087         // Check that searchRegExp.global is the primordial RegExp.prototype.global
3088         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
3089         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
3090         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
3091         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
3092         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
3093     }
3094
3095     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
3096     {
3097         ASSERT(arrayMode.isSpecific());
3098         
3099         if (arrayMode.type() == Array::String) {
3100             m_insertionSet.insertNode(
3101                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
3102         } else {
3103             // Note that we only need to be using a structure check if we opt for SaneChain, since
3104             // that needs to protect against JSArray's __proto__ being changed.
3105             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
3106         
3107             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
3108             
3109             if (arrayMode.doesConversion()) {
3110                 if (structure) {
3111                     m_insertionSet.insertNode(
3112                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
3113                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3114                 } else {
3115                     m_insertionSet.insertNode(
3116                         m_indexInBlock, SpecNone, Arrayify, origin,
3117                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3118                 }
3119             } else {
3120                 if (structure) {
3121                     m_insertionSet.insertNode(
3122                         m_indexInBlock, SpecNone, CheckStructure, origin,
3123                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
3124                 } else {
3125                     m_insertionSet.insertNode(
3126                         m_indexInBlock, SpecNone, CheckArray, origin,
3127                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
3128                 }
3129             }
3130         }
3131         
3132         if (!storageCheck(arrayMode))
3133             return nullptr;
3134         
3135         if (arrayMode.usesButterfly()) {
3136             return m_insertionSet.insertNode(
3137                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
3138         }
3139         
3140         return m_insertionSet.insertNode(
3141             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
3142             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
3143     }
3144     
3145     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
3146     {
3147         Node* node = m_currentNode;
3148         
3149         switch (node->arrayMode().type()) {
3150         case Array::ForceExit: {
3151             m_insertionSet.insertNode(
3152                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
3153             return;
3154         }
3155             
3156         case Array::SelectUsingPredictions:
3157         case Array::Unprofiled:
3158             RELEASE_ASSERT_NOT_REACHED();
3159             return;
3160             
3161         case Array::Generic:
3162             return;
3163             
3164         default: {
3165             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
3166             if (!storage)
3167                 return;
3168             
3169             storageChild = Edge(storage);
3170             return;
3171         } }
3172     }
3173     
3174     bool alwaysUnboxSimplePrimitives()
3175     {
3176 #if USE(JSVALUE64)
3177         return false;
3178 #else
3179         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
3180         // reduces traffic.
3181         return true;
3182 #endif
3183     }
3184
3185     template<UseKind useKind>
3186     void observeUseKindOnNode(Node* node)
3187     {
3188         if (useKind == UntypedUse)
3189             return;
3190         observeUseKindOnNode(node, useKind);
3191     }
3192
3193     void observeUseKindOnEdge(Edge edge)
3194     {
3195         observeUseKindOnNode(edge.node(), edge.useKind());
3196     }
3197
3198     void observeUseKindOnNode(Node* node, UseKind useKind)
3199     {
3200         if (node->op() != GetLocal)
3201             return;
3202         
3203         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
3204         // https://bugs.webkit.org/show_bug.cgi?id=121518
3205         
3206         VariableAccessData* variable = node->variableAccessData();
3207         switch (useKind) {
3208         case Int32Use:
3209         case KnownInt32Use:
3210             if (alwaysUnboxSimplePrimitives()
3211                 || isInt32Speculation(variable->prediction()))
3212                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3213             break;
3214         case NumberUse:
3215         case RealNumberUse:
3216         case DoubleRepUse:
3217         case DoubleRepRealUse:
3218             if (variable->doubleFormatState() == UsingDoubleFormat)
3219                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3220             break;
3221         case BooleanUse:
3222         case KnownBooleanUse:
3223             if (alwaysUnboxSimplePrimitives()
3224                 || isBooleanSpeculation(variable->prediction()))
3225                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3226             break;
3227         case Int52RepUse:
3228             if (isAnyIntSpeculation(variable->prediction()))
3229                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3230             break;
3231         case CellUse:
3232         case KnownCellUse:
3233         case ObjectUse:
3234         case FunctionUse:
3235         case StringUse:
3236         case KnownStringUse:
3237         case SymbolUse:
3238         case BigIntUse:
3239         case StringObjectUse:
3240         case StringOrStringObjectUse:
3241             if (alwaysUnboxSimplePrimitives()
3242                 || isCellSpeculation(variable->prediction()))
3243                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3244             break;
3245         default:
3246             break;
3247         }
3248     }
3249     
3250     template<UseKind useKind>
3251     void fixEdge(Edge& edge)
3252     {
3253         observeUseKindOnNode<useKind>(edge.node());
3254         edge.setUseKind(useKind);
3255     }
3256     
3257     unsigned indexForChecks()
3258     {
3259         unsigned index = m_indexInBlock;
3260         while (!m_block->at(index)->origin.exitOK)
3261             index--;
3262         return index;
3263     }
3264     
3265     NodeOrigin originForCheck(unsigned index)
3266     {
3267         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3268     }
3269     
3270     void speculateForBarrier(Edge value)
3271     {
3272         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3273         // the DFG anyway because if such a speculation would be wrong, we want to know before
3274         // we do an expensive compile.
3275         
3276         if (value->shouldSpeculateInt32()) {
3277             insertCheck<Int32Use>(value.node());
3278             return;
3279         }
3280             
3281         if (value->shouldSpeculateBoolean()) {
3282             insertCheck<BooleanUse>(value.node());
3283             return;
3284         }
3285             
3286         if (value->shouldSpeculateOther()) {
3287             insertCheck<OtherUse>(value.node());
3288             return;
3289         }
3290             
3291         if (value->shouldSpeculateNumber()) {
3292             insertCheck<NumberUse>(value.node());
3293             return;
3294         }
3295             
3296         if (value->shouldSpeculateNotCell()) {
3297             insertCheck<NotCellUse>(value.node());
3298             return;
3299         }
3300     }
3301     
3302     template<UseKind useKind>
3303     void insertCheck(Node* node)
3304     {
3305         observeUseKindOnNode<useKind>(node);
3306         unsigned index = indexForChecks();
3307         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3308     }
3309
3310     void fixIntConvertingEdge(Edge& edge)
3311     {
3312         Node* node = edge.node();
3313         if (node->shouldSpeculateInt32OrBoolean()) {
3314             fixIntOrBooleanEdge(edge);
3315             return;
3316         }
3317         
3318         UseKind useKind;
3319         if (node->shouldSpeculateAnyInt())
3320             useKind = Int52RepUse;
3321         else if (node->shouldSpeculateNumber())
3322             useKind = DoubleRepUse;
3323         else
3324             useKind = NotCellUse;
3325         Node* newNode = m_insertionSet.insertNode(
3326             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3327             Edge(node, useKind));
3328         observeUseKindOnNode(node, useKind);
3329         
3330         edge = Edge(newNode, KnownInt32Use);
3331     }
3332     
3333     void fixIntOrBooleanEdge(Edge& edge)
3334     {
3335         Node* node = edge.node();
3336         if (!node->sawBooleans()) {
3337             fixEdge<Int32Use>(edge);
3338             return;
3339         }
3340         
3341         UseKind useKind;
3342         if (node->shouldSpeculateBoolean())
3343             useKind = BooleanUse;
3344         else
3345             useKind = UntypedUse;
3346         Node* newNode = m_insertionSet.insertNode(
3347             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3348             Edge(node, useKind));
3349         observeUseKindOnNode(node, useKind);
3350         
3351         edge = Edge(newNode, Int32Use);
3352     }
3353     
3354     void fixDoubleOrBooleanEdge(Edge& edge)
3355     {
3356         Node* node = edge.node();
3357         if (!node->sawBooleans()) {
3358             fixEdge<DoubleRepUse>(edge);
3359             return;
3360         }
3361         
3362         UseKind useKind;
3363         if (node->shouldSpeculateBoolean())
3364             useKind = BooleanUse;
3365         else
3366             useKind = UntypedUse;
3367         Node* newNode = m_insertionSet.insertNode(
3368             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3369             Edge(node, useKind));
3370         observeUseKindOnNode(node, useKind);
3371         
3372         edge = Edge(newNode, DoubleRepUse);
3373     }
3374     
3375     void truncateConstantToInt32(Edge& edge)
3376     {
3377         Node* oldNode = edge.node();
3378         
3379         JSValue value = oldNode->asJSValue();
3380         if (value.isInt32())
3381             return;
3382         
3383         value = jsNumber(JSC::toInt32(value.asNumber()));
3384         ASSERT(value.isInt32());
3385         edge.setNode(m_insertionSet.insertNode(
3386             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3387             OpInfo(m_graph.freeze(value))));
3388     }
3389     
3390     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3391     {
3392         if (mode != SpeculateInt32AndTruncateConstants)
3393             return;
3394         
3395         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3396         if (node->child1()->hasConstant())
3397             truncateConstantToInt32(node->child1());
3398         else
3399             truncateConstantToInt32(node->child2());
3400     }
3401
3402     bool attemptToMakeIntegerAdd(Node* node)
3403     {
3404         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3405         if (mode != DontSpeculateInt32) {
3406             truncateConstantsIfNecessary(node, mode);
3407             fixIntOrBooleanEdge(node->child1());
3408             fixIntOrBooleanEdge(node->child2());
3409             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3410                 node->setArithMode(Arith::Unchecked);
3411             else
3412                 node->setArithMode(Arith::CheckOverflow);
3413             return true;
3414         }
3415         
3416         if (m_graph.addShouldSpeculateAnyInt(node)) {
3417             fixEdge<Int52RepUse>(node->child1());
3418             fixEdge<Int52RepUse>(node->child2());
3419             node->setArithMode(Arith::CheckOverflow);
3420             node->setResult(NodeResultInt52);
3421             return true;
3422         }
3423         
3424         return false;
3425     }
3426     
3427     bool attemptToMakeGetArrayLength(Node* node)
3428     {
3429         if (!isInt32Speculation(node->prediction()))
3430             return false;
3431         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3432         ArrayProfile* arrayProfile = 
3433             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3434         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3435         if (arrayProfile) {
3436             ConcurrentJSLocker locker(profiledBlock->m_lock);
3437             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3438             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3439             if (arrayMode.type() == Array::Unprofiled) {
3440                 // For normal array operations, it makes sense to treat Unprofiled
3441                 // accesses as ForceExit and get more data rather than using
3442                 // predictions and then possibly ending up with a Generic. But here,
3443                 // we treat anything that is Unprofiled as Generic and keep the
3444                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3445                 // profit - from treating the Unprofiled case as
3446                 // SelectUsingPredictions.
3447                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3448             }
3449         }
3450             
3451         arrayMode = arrayMode.refine(
3452             m_graph, node, node->child1()->prediction(), node->prediction());
3453             
3454         if (arrayMode.type() == Array::Generic) {
3455             // Check if the input is something that we can't get array length for, but for which we
3456             // could insert some conversions in order to transform it into something that we can do it
3457             // for.
3458             if (node->child1()->shouldSpeculateStringObject())
3459                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3460             else if (node->child1()->shouldSpeculateStringOrStringObject())
3461                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3462         }
3463             
3464         if (!arrayMode.supportsSelfLength())
3465             return false;
3466         
3467         convertToGetArrayLength(node, arrayMode);
3468         return true;
3469     }
3470
3471     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3472     {
3473         node->setOp(GetArrayLength);
3474         node->clearFlags(NodeMustGenerate);
3475         fixEdge<KnownCellUse>(node->child1());
3476         node->setArrayMode(arrayMode);
3477             
3478         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3479         if (!storage)
3480             return;
3481             
3482         node->child2() = Edge(storage);
3483     }
3484     
3485     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3486     {
3487         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3488         return m_insertionSet.insertNode(
3489             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3490             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3491     }
3492
3493     void convertToHasIndexedProperty(Node* node)
3494     {
3495         node->setOp(HasIndexedProperty);
3496         node->clearFlags(NodeMustGenerate);
3497
3498         {
3499             unsigned firstChild = m_graph.m_varArgChildren.size();
3500             unsigned numChildren = 3;
3501             m_graph.m_varArgChildren.append(node->child1());
3502             m_graph.m_varArgChildren.append(node->child2());
3503             m_graph.m_varArgChildren.append(Edge());
3504             node->mergeFlags(NodeHasVarArgs);
3505             node->children = AdjacencyList(AdjacencyList::Variable, firstChild, numChildren);
3506         }
3507
3508         node->setArrayMode(
3509             node->arrayMode().refine(
3510                 m_graph, node,
3511                 m_graph.varArgChild(node, 0)->prediction(),
3512                 m_graph.varArgChild(node, 1)->prediction(),
3513                 SpecNone));
3514         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3515
3516         blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
3517
3518         fixEdge<CellUse>(m_graph.varArgChild(node, 0));
3519         fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
3520     }
3521
3522     void fixupNormalizeMapKey(Node* node)
3523     {
3524         if (node->child1()->shouldSpeculateBoolean()) {
3525             fixEdge<BooleanUse>(node->child1());
3526             node->convertToIdentity();
3527             return;
3528         }
3529
3530         if (node->child1()->shouldSpeculateInt32()) {
3531             fixEdge<Int32Use>(node->child1());
3532             node->convertToIdentity();
3533             return;
3534         }
3535
3536         if (node->child1()->shouldSpeculateSymbol()) {
3537             fixEdge<SymbolUse>(node->child1());
3538             node->convertToIdentity();
3539             return;
3540         }
3541
3542         if (node->child1()->shouldSpeculateObject()) {
3543             fixEdge<ObjectUse>(node->child1());
3544             node->convertToIdentity();
3545             return;