[JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type...
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInsertionSet.h"
34 #include "DFGPhase.h"
35 #include "DFGPredictionPropagationPhase.h"
36 #include "DFGVariableAccessDataDump.h"
37 #include "JSCInlines.h"
38 #include "TypeLocation.h"
39
40 namespace JSC { namespace DFG {
41
42 class FixupPhase : public Phase {
43 public:
44     FixupPhase(Graph& graph)
45         : Phase(graph, "fixup")
46         , m_insertionSet(graph)
47     {
48     }
49     
50     bool run()
51     {
52         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
53         ASSERT(m_graph.m_form == ThreadedCPS);
54         
55         m_profitabilityChanged = false;
56         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
57             fixupBlock(m_graph.block(blockIndex));
58         
59         while (m_profitabilityChanged) {
60             m_profitabilityChanged = false;
61             
62             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
63                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
64             
65             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
66                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
67         }
68         
69         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
70             fixupChecksInBlock(m_graph.block(blockIndex));
71
72         m_graph.m_planStage = PlanStage::AfterFixup;
73
74         return true;
75     }
76
77 private:
78     void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild)
79     {
80         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
81             if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
82                 fixIntOrBooleanEdge(leftChild);
83                 fixIntOrBooleanEdge(rightChild);
84                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
85                     node->setArithMode(Arith::Unchecked);
86                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
87                     node->setArithMode(Arith::CheckOverflow);
88                 else
89                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
90                 return;
91             }
92             
93             // This will cause conversion nodes to be inserted later.
94             fixDoubleOrBooleanEdge(leftChild);
95             fixDoubleOrBooleanEdge(rightChild);
96             
97             // We don't need to do ref'ing on the children because we're stealing them from
98             // the original division.
99             Node* newDivision = m_insertionSet.insertNode(m_indexInBlock, SpecBytecodeDouble, *node);
100             newDivision->setResult(NodeResultDouble);
101             
102             node->setOp(DoubleAsInt32);
103             node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
104             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
105                 node->setArithMode(Arith::CheckOverflow);
106             else
107                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
108             return;
109         }
110         
111         fixDoubleOrBooleanEdge(leftChild);
112         fixDoubleOrBooleanEdge(rightChild);
113         node->setResult(NodeResultDouble);
114     }
115     
116     void fixupArithMul(Node* node, Edge& leftChild, Edge& rightChild)
117     {
118         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
119             fixIntOrBooleanEdge(leftChild);
120             fixIntOrBooleanEdge(rightChild);
121             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
122                 node->setArithMode(Arith::Unchecked);
123             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
124                 node->setArithMode(Arith::CheckOverflow);
125             else
126                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
127             return;
128         }
129         if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
130             fixEdge<Int52RepUse>(leftChild);
131             fixEdge<Int52RepUse>(rightChild);
132             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
133                 node->setArithMode(Arith::CheckOverflow);
134             else
135                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
136             node->setResult(NodeResultInt52);
137             return;
138         }
139
140         fixDoubleOrBooleanEdge(leftChild);
141         fixDoubleOrBooleanEdge(rightChild);
142         node->setResult(NodeResultDouble);
143     }
144
145     void fixupBlock(BasicBlock* block)
146     {
147         if (!block)
148             return;
149         ASSERT(block->isReachable);
150         m_block = block;
151         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
152             m_currentNode = block->at(m_indexInBlock);
153             fixupNode(m_currentNode);
154         }
155         m_insertionSet.execute(block);
156     }
157     
158     void fixupNode(Node* node)
159     {
160         NodeType op = node->op();
161
162         switch (op) {
163         case SetLocal: {
164             // This gets handled by fixupGetAndSetLocalsInBlock().
165             return;
166         }
167
168         case ValueSub: {
169             Edge& child1 = node->child1();
170             Edge& child2 = node->child2();
171
172             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
173                 fixEdge<BigIntUse>(child1);
174                 fixEdge<BigIntUse>(child2);
175                 break; 
176             }
177             
178             if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
179                 fixEdge<UntypedUse>(child1);
180                 fixEdge<UntypedUse>(child2);
181                 break;
182             }
183
184             if (attemptToMakeIntegerAdd(node)) {
185                 // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
186                 // https://bugs.webkit.org/show_bug.cgi?id=190607
187                 node->setOp(ArithSub);
188                 break;
189             }
190
191             fixDoubleOrBooleanEdge(node->child1());
192             fixDoubleOrBooleanEdge(node->child2());
193             node->setOp(ArithSub);
194             node->setResult(NodeResultDouble);
195
196             break;
197         }
198
199         case ValueBitXor:
200         case ValueBitOr:
201         case ValueBitAnd: {
202             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
203                 fixEdge<BigIntUse>(node->child1());
204                 fixEdge<BigIntUse>(node->child2());
205                 break;
206             }
207
208             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
209                 fixEdge<UntypedUse>(node->child1());
210                 fixEdge<UntypedUse>(node->child2());
211                 break;
212             }
213
214             // In such case, we need to fallback to ArithBitOp
215             switch (op) {
216             case ValueBitXor:
217                 node->setOp(ArithBitXor);
218                 break;
219             case ValueBitOr:
220                 node->setOp(ArithBitOr);
221                 break;
222             case ValueBitAnd:
223                 node->setOp(ArithBitAnd);
224                 break;
225             default:
226                 DFG_CRASH(m_graph, node, "Unexpected node during ValueBit operation fixup");
227                 break;
228             }
229
230             node->clearFlags(NodeMustGenerate);
231             node->setResult(NodeResultInt32);
232             fixIntConvertingEdge(node->child1());
233             fixIntConvertingEdge(node->child2());
234             break;
235         }
236
237         case ArithBitNot: {
238             if (node->child1().node()->shouldSpeculateUntypedForBitOps()) {
239                 fixEdge<UntypedUse>(node->child1());
240                 break;
241             }
242
243             fixIntConvertingEdge(node->child1());
244             node->clearFlags(NodeMustGenerate);
245             break;
246         }
247
248         case ArithBitXor:
249         case ArithBitOr:
250         case ArithBitAnd: {
251             fixIntConvertingEdge(node->child1());
252             fixIntConvertingEdge(node->child2());
253             break;
254         }
255
256         case BitRShift:
257         case BitLShift:
258         case BitURShift: {
259             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
260                 fixEdge<UntypedUse>(node->child1());
261                 fixEdge<UntypedUse>(node->child2());
262                 break;
263             }
264             fixIntConvertingEdge(node->child1());
265             fixIntConvertingEdge(node->child2());
266             break;
267         }
268
269         case ArithIMul: {
270             fixIntConvertingEdge(node->child1());
271             fixIntConvertingEdge(node->child2());
272             node->setOp(ArithMul);
273             node->setArithMode(Arith::Unchecked);
274             node->child1().setUseKind(Int32Use);
275             node->child2().setUseKind(Int32Use);
276             break;
277         }
278
279         case ArithClz32: {
280             if (node->child1()->shouldSpeculateNotCell()) {
281                 fixIntConvertingEdge(node->child1());
282                 node->clearFlags(NodeMustGenerate);
283             } else
284                 fixEdge<UntypedUse>(node->child1());
285             break;
286         }
287             
288         case UInt32ToNumber: {
289             fixIntConvertingEdge(node->child1());
290             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
291                 node->convertToIdentity();
292             else if (node->canSpeculateInt32(FixupPass))
293                 node->setArithMode(Arith::CheckOverflow);
294             else {
295                 node->setArithMode(Arith::DoOverflow);
296                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
297             }
298             break;
299         }
300
301         case ValueNegate: {
302             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
303                 node->setOp(ArithNegate);
304                 fixIntOrBooleanEdge(node->child1());
305                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
306                     node->setArithMode(Arith::Unchecked);
307                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
308                     node->setArithMode(Arith::CheckOverflow);
309                 else
310                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
311                 node->setResult(NodeResultInt32);
312                 node->clearFlags(NodeMustGenerate);
313                 break;
314             }
315             
316             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
317                 node->setOp(ArithNegate);
318                 fixEdge<Int52RepUse>(node->child1());
319                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
320                     node->setArithMode(Arith::CheckOverflow);
321                 else
322                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
323                 node->setResult(NodeResultInt52);
324                 node->clearFlags(NodeMustGenerate);
325                 break;
326             }
327             if (node->child1()->shouldSpeculateNotCell()) {
328                 node->setOp(ArithNegate);
329                 fixDoubleOrBooleanEdge(node->child1());
330                 node->setResult(NodeResultDouble);
331                 node->clearFlags(NodeMustGenerate);
332             } else {
333                 fixEdge<UntypedUse>(node->child1());
334                 node->setResult(NodeResultJS);
335             }
336             break;
337         }
338
339         case ValueAdd: {
340             if (attemptToMakeIntegerAdd(node)) {
341                 node->setOp(ArithAdd);
342                 break;
343             }
344             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
345                 fixDoubleOrBooleanEdge(node->child1());
346                 fixDoubleOrBooleanEdge(node->child2());
347                 node->setOp(ArithAdd);
348                 node->setResult(NodeResultDouble);
349                 break;
350             }
351             
352             if (attemptToMakeFastStringAdd(node))
353                 break;
354
355             Edge& child1 = node->child1();
356             Edge& child2 = node->child2();
357             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
358                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
359                     auto convertString = [&](Node* node, Edge& edge) {
360                         if (edge->shouldSpeculateInt32())
361                             convertStringAddUse<Int32Use>(node, edge);
362                         else {
363                             ASSERT(edge->shouldSpeculateString());
364                             convertStringAddUse<StringUse>(node, edge);
365                         }
366                     };
367                     convertString(node, child1);
368                     convertString(node, child2);
369                     convertToMakeRope(node);
370                     break;
371                 }
372             }
373
374             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
375                 fixEdge<BigIntUse>(child1);
376                 fixEdge<BigIntUse>(child2);
377             } else {
378                 fixEdge<UntypedUse>(child1);
379                 fixEdge<UntypedUse>(child2);
380             }
381
382             node->setResult(NodeResultJS);
383             break;
384         }
385
386         case StrCat: {
387             if (attemptToMakeFastStringAdd(node))
388                 break;
389
390             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
391             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
392             // the implementation of StrCat doesn't dynamically optimize for empty strings.
393             // https://bugs.webkit.org/show_bug.cgi?id=148540
394             m_graph.doToChildren(
395                 node,
396                 [&] (Edge& edge) {
397                     fixEdge<KnownPrimitiveUse>(edge);
398                     // StrCat automatically coerces the values into strings before concatenating them.
399                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
400                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
401                     // our runtime functions for this slow path expect that they will never be passed
402                     // Symbols.
403                     m_insertionSet.insertNode(
404                         m_indexInBlock, SpecNone, Check, node->origin,
405                         Edge(edge.node(), NotSymbolUse));
406                 });
407             break;
408         }
409             
410         case MakeRope: {
411             fixupMakeRope(node);
412             break;
413         }
414             
415         case ArithAdd:
416         case ArithSub: {
417             // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
418             // https://bugs.webkit.org/show_bug.cgi?id=190607
419             if (attemptToMakeIntegerAdd(node))
420                 break;
421             fixDoubleOrBooleanEdge(node->child1());
422             fixDoubleOrBooleanEdge(node->child2());
423             node->setResult(NodeResultDouble);
424             break;
425         }
426             
427         case ArithNegate: {
428             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
429                 fixIntOrBooleanEdge(node->child1());
430                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
431                     node->setArithMode(Arith::Unchecked);
432                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
433                     node->setArithMode(Arith::CheckOverflow);
434                 else
435                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
436                 node->setResult(NodeResultInt32);
437                 node->clearFlags(NodeMustGenerate);
438                 break;
439             }
440             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
441                 fixEdge<Int52RepUse>(node->child1());
442                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
443                     node->setArithMode(Arith::CheckOverflow);
444                 else
445                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
446                 node->setResult(NodeResultInt52);
447                 node->clearFlags(NodeMustGenerate);
448                 break;
449             }
450
451             fixDoubleOrBooleanEdge(node->child1());
452             node->setResult(NodeResultDouble);
453             node->clearFlags(NodeMustGenerate);
454             break;
455         }
456
457         case ValueMul: {
458             Edge& leftChild = node->child1();
459             Edge& rightChild = node->child2();
460
461             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
462                 fixEdge<BigIntUse>(node->child1());
463                 fixEdge<BigIntUse>(node->child2());
464                 break;
465             }
466
467             // There are cases where we can have BigInt + Int32 operands reaching ValueMul.
468             // Imagine the scenario where ValueMul was never executed, but we can predict types
469             // reaching the node:
470             //
471             // 63: GetLocal(Check:Untyped:@72, JS|MustGen, NonBoolInt32, ...)  predicting NonBoolInt32
472             // 64: GetLocal(Check:Untyped:@71, JS|MustGen, BigInt, ...)  predicting BigInt
473             // 65: ValueMul(Check:Untyped:@63, Check:Untyped:@64, BigInt|BoolInt32|NonBoolInt32, ...)
474             // 
475             // In such scenario, we need to emit ValueMul(Untyped, Untyped), so the runtime can throw 
476             // an exception whenever it gets excuted.
477             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
478                 fixEdge<UntypedUse>(leftChild);
479                 fixEdge<UntypedUse>(rightChild);
480                 break;
481             }
482
483             // At this point, all other possible specializations are only handled by ArithMul.
484             node->setOp(ArithMul);
485             node->setResult(NodeResultNumber);
486             fixupArithMul(node, leftChild, rightChild);
487             break;
488         }
489
490         case ArithMul: {
491             Edge& leftChild = node->child1();
492             Edge& rightChild = node->child2();
493
494             fixupArithMul(node, leftChild, rightChild);
495             break;
496         }
497
498         case ValueDiv: {
499             Edge& leftChild = node->child1();
500             Edge& rightChild = node->child2();
501
502             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
503                 fixEdge<BigIntUse>(leftChild);
504                 fixEdge<BigIntUse>(rightChild);
505                 break; 
506             }
507
508             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
509                 fixEdge<UntypedUse>(leftChild);
510                 fixEdge<UntypedUse>(rightChild);
511                 break;
512             }
513             node->setOp(ArithDiv);
514             node->setResult(NodeResultNumber);
515             fixupArithDiv(node, leftChild, rightChild);
516             break;
517
518         }
519
520         case ArithDiv:
521         case ArithMod: {
522             Edge& leftChild = node->child1();
523             Edge& rightChild = node->child2();
524
525             fixupArithDiv(node, leftChild, rightChild);
526             break;
527         }
528             
529         case ArithMin:
530         case ArithMax: {
531             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
532                 fixIntOrBooleanEdge(node->child1());
533                 fixIntOrBooleanEdge(node->child2());
534                 break;
535             }
536             fixDoubleOrBooleanEdge(node->child1());
537             fixDoubleOrBooleanEdge(node->child2());
538             node->setResult(NodeResultDouble);
539             break;
540         }
541             
542         case ArithAbs: {
543             if (node->child1()->shouldSpeculateInt32OrBoolean()
544                 && node->canSpeculateInt32(FixupPass)) {
545                 fixIntOrBooleanEdge(node->child1());
546                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
547                     node->setArithMode(Arith::Unchecked);
548                 else
549                     node->setArithMode(Arith::CheckOverflow);
550                 node->clearFlags(NodeMustGenerate);
551                 node->setResult(NodeResultInt32);
552                 break;
553             }
554
555             if (node->child1()->shouldSpeculateNotCell()) {
556                 fixDoubleOrBooleanEdge(node->child1());
557                 node->clearFlags(NodeMustGenerate);
558             } else
559                 fixEdge<UntypedUse>(node->child1());
560             node->setResult(NodeResultDouble);
561             break;
562         }
563
564         case ArithPow: {
565             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
566                 fixDoubleOrBooleanEdge(node->child1());
567                 fixIntOrBooleanEdge(node->child2());
568                 break;
569             }
570
571             fixDoubleOrBooleanEdge(node->child1());
572             fixDoubleOrBooleanEdge(node->child2());
573             break;
574         }
575
576         case ArithRandom: {
577             node->setResult(NodeResultDouble);
578             break;
579         }
580
581         case ArithRound:
582         case ArithFloor:
583         case ArithCeil:
584         case ArithTrunc: {
585             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
586                 fixIntOrBooleanEdge(node->child1());
587                 insertCheck<Int32Use>(node->child1().node());
588                 node->convertToIdentity();
589                 break;
590             }
591             if (node->child1()->shouldSpeculateNotCell()) {
592                 fixDoubleOrBooleanEdge(node->child1());
593
594                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
595                     node->setResult(NodeResultInt32);
596                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
597                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
598                     else
599                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
600                 } else {
601                     node->setResult(NodeResultDouble);
602                     node->setArithRoundingMode(Arith::RoundingMode::Double);
603                 }
604                 node->clearFlags(NodeMustGenerate);
605             } else
606                 fixEdge<UntypedUse>(node->child1());
607             break;
608         }
609
610         case ArithFRound:
611         case ArithSqrt:
612         case ArithUnary: {
613             Edge& child1 = node->child1();
614             if (child1->shouldSpeculateNotCell()) {
615                 fixDoubleOrBooleanEdge(child1);
616                 node->clearFlags(NodeMustGenerate);
617             } else
618                 fixEdge<UntypedUse>(child1);
619             break;
620         }
621             
622         case LogicalNot: {
623             if (node->child1()->shouldSpeculateBoolean()) {
624                 if (node->child1()->result() == NodeResultBoolean) {
625                     // This is necessary in case we have a bytecode instruction implemented by:
626                     //
627                     // a: CompareEq(...)
628                     // b: LogicalNot(@a)
629                     //
630                     // In that case, CompareEq might have a side-effect. Then, we need to make
631                     // sure that we know that Branch does not exit.
632                     fixEdge<KnownBooleanUse>(node->child1());
633                 } else
634                     fixEdge<BooleanUse>(node->child1());
635             } else if (node->child1()->shouldSpeculateObjectOrOther())
636                 fixEdge<ObjectOrOtherUse>(node->child1());
637             else if (node->child1()->shouldSpeculateInt32OrBoolean())
638                 fixIntOrBooleanEdge(node->child1());
639             else if (node->child1()->shouldSpeculateNumber())
640                 fixEdge<DoubleRepUse>(node->child1());
641             else if (node->child1()->shouldSpeculateString())
642                 fixEdge<StringUse>(node->child1());
643             else if (node->child1()->shouldSpeculateStringOrOther())
644                 fixEdge<StringOrOtherUse>(node->child1());
645             else {
646                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
647                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
648                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
649             }
650             break;
651         }
652
653         case CompareEq:
654         case CompareLess:
655         case CompareLessEq:
656         case CompareGreater:
657         case CompareGreaterEq: {
658             if (node->op() == CompareEq
659                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
660                 fixEdge<BooleanUse>(node->child1());
661                 fixEdge<BooleanUse>(node->child2());
662                 node->clearFlags(NodeMustGenerate);
663                 break;
664             }
665             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
666                 fixIntOrBooleanEdge(node->child1());
667                 fixIntOrBooleanEdge(node->child2());
668                 node->clearFlags(NodeMustGenerate);
669                 break;
670             }
671             if (enableInt52()
672                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
673                 fixEdge<Int52RepUse>(node->child1());
674                 fixEdge<Int52RepUse>(node->child2());
675                 node->clearFlags(NodeMustGenerate);
676                 break;
677             }
678             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
679                 fixDoubleOrBooleanEdge(node->child1());
680                 fixDoubleOrBooleanEdge(node->child2());
681             }
682             if (node->op() != CompareEq
683                 && node->child1()->shouldSpeculateNotCell()
684                 && node->child2()->shouldSpeculateNotCell()) {
685                 if (node->child1()->shouldSpeculateNumberOrBoolean())
686                     fixDoubleOrBooleanEdge(node->child1());
687                 else
688                     fixEdge<DoubleRepUse>(node->child1());
689                 if (node->child2()->shouldSpeculateNumberOrBoolean())
690                     fixDoubleOrBooleanEdge(node->child2());
691                 else
692                     fixEdge<DoubleRepUse>(node->child2());
693                 node->clearFlags(NodeMustGenerate);
694                 break;
695             }
696             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
697                 fixEdge<StringIdentUse>(node->child1());
698                 fixEdge<StringIdentUse>(node->child2());
699                 node->clearFlags(NodeMustGenerate);
700                 break;
701             }
702             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
703                 fixEdge<StringUse>(node->child1());
704                 fixEdge<StringUse>(node->child2());
705                 node->clearFlags(NodeMustGenerate);
706                 break;
707             }
708
709             if (node->op() != CompareEq)
710                 break;
711             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
712                 fixEdge<SymbolUse>(node->child1());
713                 fixEdge<SymbolUse>(node->child2());
714                 node->clearFlags(NodeMustGenerate);
715                 break;
716             }
717             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
718                 fixEdge<ObjectUse>(node->child1());
719                 fixEdge<ObjectUse>(node->child2());
720                 node->clearFlags(NodeMustGenerate);
721                 break;
722             }
723
724             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
725             bool oneArgumentIsUsedAsSpecOther = false;
726             if (node->child1()->isUndefinedOrNullConstant()) {
727                 fixEdge<KnownOtherUse>(node->child1());
728                 oneArgumentIsUsedAsSpecOther = true;
729             } else if (node->child1()->shouldSpeculateOther()) {
730                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
731                     Edge(node->child1().node(), OtherUse));
732                 fixEdge<KnownOtherUse>(node->child1());
733                 oneArgumentIsUsedAsSpecOther = true;
734             }
735             if (node->child2()->isUndefinedOrNullConstant()) {
736                 fixEdge<KnownOtherUse>(node->child2());
737                 oneArgumentIsUsedAsSpecOther = true;
738             } else if (node->child2()->shouldSpeculateOther()) {
739                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
740                     Edge(node->child2().node(), OtherUse));
741                 fixEdge<KnownOtherUse>(node->child2());
742                 oneArgumentIsUsedAsSpecOther = true;
743             }
744             if (oneArgumentIsUsedAsSpecOther) {
745                 node->clearFlags(NodeMustGenerate);
746                 break;
747             }
748
749             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
750                 fixEdge<ObjectUse>(node->child1());
751                 fixEdge<ObjectOrOtherUse>(node->child2());
752                 node->clearFlags(NodeMustGenerate);
753                 break;
754             }
755             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
756                 fixEdge<ObjectOrOtherUse>(node->child1());
757                 fixEdge<ObjectUse>(node->child2());
758                 node->clearFlags(NodeMustGenerate);
759                 break;
760             }
761
762             break;
763         }
764             
765         case CompareStrictEq:
766         case SameValue: {
767             fixupCompareStrictEqAndSameValue(node);
768             break;
769         }
770
771         case StringFromCharCode:
772             if (node->child1()->shouldSpeculateInt32()) {
773                 fixEdge<Int32Use>(node->child1());
774                 node->clearFlags(NodeMustGenerate);
775             } else
776                 fixEdge<UntypedUse>(node->child1());
777             break;
778
779         case StringCharAt:
780         case StringCharCodeAt: {
781             // Currently we have no good way of refining these.
782             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
783             blessArrayOperation(node->child1(), node->child2(), node->child3());
784             fixEdge<KnownStringUse>(node->child1());
785             fixEdge<Int32Use>(node->child2());
786             break;
787         }
788
789         case GetByVal: {
790             if (!node->prediction()) {
791                 m_insertionSet.insertNode(
792                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
793             }
794             
795             node->setArrayMode(
796                 node->arrayMode().refine(
797                     m_graph, node,
798                     m_graph.varArgChild(node, 0)->prediction(),
799                     m_graph.varArgChild(node, 1)->prediction(),
800                     SpecNone));
801             
802             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
803             
804             ArrayMode arrayMode = node->arrayMode();
805             switch (arrayMode.type()) {
806             case Array::Contiguous:
807             case Array::Double:
808                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
809                     // Check if SaneChain will work on a per-type basis. Note that:
810                     //
811                     // 1) We don't want double arrays to sometimes return undefined, since
812                     // that would require a change to the return type and it would pessimise
813                     // things a lot. So, we'd only want to do that if we actually had
814                     // evidence that we could read from a hole. That's pretty annoying.
815                     // Likely the best way to handle that case is with an equivalent of
816                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
817                     // NaN are indistinguishable according to backwards propagation, and just
818                     // use SaneChain in that case. This happens to catch a lot of cases.
819                     //
820                     // 2) We don't want int32 array loads to have to do a hole check just to
821                     // coerce to Undefined, since that would mean twice the checks.
822                     //
823                     // This has two implications. First, we have to do more checks than we'd
824                     // like. It's unfortunate that we have to do the hole check. Second,
825                     // some accesses that hit a hole will now need to take the full-blown
826                     // out-of-bounds slow path. We can fix that with:
827                     // https://bugs.webkit.org/show_bug.cgi?id=144668
828                     
829                     bool canDoSaneChain = false;
830                     switch (arrayMode.type()) {
831                     case Array::Contiguous:
832                         // This is happens to be entirely natural. We already would have
833                         // returned any JSValue, and now we'll return Undefined. We still do
834                         // the check but it doesn't require taking any kind of slow path.
835                         canDoSaneChain = true;
836                         break;
837                         
838                     case Array::Double:
839                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
840                             // Holes look like NaN already, so if the user doesn't care
841                             // about the difference between Undefined and NaN then we can
842                             // do this.
843                             canDoSaneChain = true;
844                         }
845                         break;
846                         
847                     default:
848                         break;
849                     }
850                     
851                     if (canDoSaneChain) {
852                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
853                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
854                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
855                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
856                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
857                             && globalObject->arrayPrototypeChainIsSane()) {
858                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
859                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
860                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
861                         }
862                     }
863                 }
864                 break;
865                 
866             case Array::String:
867                 if ((node->prediction() & ~SpecString)
868                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
869                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
870                 break;
871                 
872             default:
873                 break;
874             }
875             
876             arrayMode = node->arrayMode();
877             switch (arrayMode.type()) {
878             case Array::SelectUsingPredictions:
879             case Array::Unprofiled:
880                 RELEASE_ASSERT_NOT_REACHED();
881                 break;
882             case Array::Generic:
883                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
884                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
885                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
886                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
887                         break;
888                     }
889
890                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
891                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
892                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
893                         break;
894                     }
895                 }
896 #if USE(JSVALUE32_64)
897                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
898 #endif
899                 break;
900             case Array::ForceExit:
901                 break;
902             case Array::String:
903                 fixEdge<KnownStringUse>(m_graph.varArgChild(node, 0));
904                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
905                 break;
906             default:
907                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
908                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
909                 break;
910             }
911             
912             switch (arrayMode.type()) {
913             case Array::Double:
914                 if (!arrayMode.isOutOfBounds())
915                     node->setResult(NodeResultDouble);
916                 break;
917                 
918             case Array::Float32Array:
919             case Array::Float64Array:
920                 node->setResult(NodeResultDouble);
921                 break;
922                 
923             case Array::Uint32Array:
924                 if (node->shouldSpeculateInt32())
925                     break;
926                 if (node->shouldSpeculateAnyInt() && enableInt52())
927                     node->setResult(NodeResultInt52);
928                 else
929                     node->setResult(NodeResultDouble);
930                 break;
931                 
932             default:
933                 break;
934             }
935             
936             break;
937         }
938
939         case PutByValDirect:
940         case PutByVal:
941         case PutByValAlias: {
942             Edge& child1 = m_graph.varArgChild(node, 0);
943             Edge& child2 = m_graph.varArgChild(node, 1);
944             Edge& child3 = m_graph.varArgChild(node, 2);
945
946             node->setArrayMode(
947                 node->arrayMode().refine(
948                     m_graph, node,
949                     child1->prediction(),
950                     child2->prediction(),
951                     child3->prediction()));
952             
953             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
954             
955             switch (node->arrayMode().modeForPut().type()) {
956             case Array::SelectUsingPredictions:
957             case Array::SelectUsingArguments:
958             case Array::Unprofiled:
959             case Array::Undecided:
960                 RELEASE_ASSERT_NOT_REACHED();
961                 break;
962             case Array::ForceExit:
963             case Array::Generic:
964                 if (child1->shouldSpeculateCell()) {
965                     if (child2->shouldSpeculateString()) {
966                         fixEdge<CellUse>(child1);
967                         fixEdge<StringUse>(child2);
968                         break;
969                     }
970
971                     if (child2->shouldSpeculateSymbol()) {
972                         fixEdge<CellUse>(child1);
973                         fixEdge<SymbolUse>(child2);
974                         break;
975                     }
976                 }
977 #if USE(JSVALUE32_64)
978                 // Due to register pressure on 32-bit, we speculate cell and
979                 // ignore the base-is-not-cell case entirely by letting the
980                 // baseline JIT handle it.
981                 fixEdge<CellUse>(child1);
982 #endif
983                 break;
984             case Array::Int32:
985                 fixEdge<KnownCellUse>(child1);
986                 fixEdge<Int32Use>(child2);
987                 fixEdge<Int32Use>(child3);
988                 break;
989             case Array::Double:
990                 fixEdge<KnownCellUse>(child1);
991                 fixEdge<Int32Use>(child2);
992                 fixEdge<DoubleRepRealUse>(child3);
993                 break;
994             case Array::Int8Array:
995             case Array::Int16Array:
996             case Array::Int32Array:
997             case Array::Uint8Array:
998             case Array::Uint8ClampedArray:
999             case Array::Uint16Array:
1000             case Array::Uint32Array:
1001                 fixEdge<KnownCellUse>(child1);
1002                 fixEdge<Int32Use>(child2);
1003                 if (child3->shouldSpeculateInt32())
1004                     fixIntOrBooleanEdge(child3);
1005                 else if (child3->shouldSpeculateAnyInt())
1006                     fixEdge<Int52RepUse>(child3);
1007                 else
1008                     fixDoubleOrBooleanEdge(child3);
1009                 break;
1010             case Array::Float32Array:
1011             case Array::Float64Array:
1012                 fixEdge<KnownCellUse>(child1);
1013                 fixEdge<Int32Use>(child2);
1014                 fixDoubleOrBooleanEdge(child3);
1015                 break;
1016             case Array::Contiguous:
1017             case Array::ArrayStorage:
1018             case Array::SlowPutArrayStorage:
1019                 fixEdge<KnownCellUse>(child1);
1020                 fixEdge<Int32Use>(child2);
1021                 speculateForBarrier(child3);
1022                 break;
1023             default:
1024                 fixEdge<KnownCellUse>(child1);
1025                 fixEdge<Int32Use>(child2);
1026                 break;
1027             }
1028             break;
1029         }
1030             
1031         case AtomicsAdd:
1032         case AtomicsAnd:
1033         case AtomicsCompareExchange:
1034         case AtomicsExchange:
1035         case AtomicsLoad:
1036         case AtomicsOr:
1037         case AtomicsStore:
1038         case AtomicsSub:
1039         case AtomicsXor: {
1040             Edge& base = m_graph.child(node, 0);
1041             Edge& index = m_graph.child(node, 1);
1042             
1043             bool badNews = false;
1044             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1045                 Edge& child = m_graph.child(node, 2 + i);
1046                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
1047                 // just call the function when that happens. But the FTL is totally cool with those
1048                 // conversions.
1049                 if (!child->shouldSpeculateInt32()
1050                     && !child->shouldSpeculateAnyInt()
1051                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
1052                     badNews = true;
1053             }
1054             
1055             if (badNews) {
1056                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
1057                 break;
1058             }
1059             
1060             node->setArrayMode(
1061                 node->arrayMode().refine(
1062                     m_graph, node, base->prediction(), index->prediction()));
1063             
1064             if (node->arrayMode().type() == Array::Generic)
1065                 break;
1066             
1067             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1068                 Edge& child = m_graph.child(node, 2 + i);
1069                 if (child->shouldSpeculateInt32())
1070                     fixIntOrBooleanEdge(child);
1071                 else if (child->shouldSpeculateAnyInt())
1072                     fixEdge<Int52RepUse>(child);
1073                 else {
1074                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
1075                     fixDoubleOrBooleanEdge(child);
1076                 }
1077             }
1078             
1079             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
1080             fixEdge<CellUse>(base);
1081             fixEdge<Int32Use>(index);
1082             
1083             if (node->arrayMode().type() == Array::Uint32Array) {
1084                 // NOTE: This means basically always doing Int52.
1085                 if (node->shouldSpeculateAnyInt() && enableInt52())
1086                     node->setResult(NodeResultInt52);
1087                 else
1088                     node->setResult(NodeResultDouble);
1089             }
1090             break;
1091         }
1092             
1093         case AtomicsIsLockFree:
1094             if (node->child1()->shouldSpeculateInt32())
1095                 fixIntOrBooleanEdge(node->child1());
1096             break;
1097             
1098         case ArrayPush: {
1099             // May need to refine the array mode in case the value prediction contravenes
1100             // the array prediction. For example, we may have evidence showing that the
1101             // array is in Int32 mode, but the value we're storing is likely to be a double.
1102             // Then we should turn this into a conversion to Double array followed by the
1103             // push. On the other hand, we absolutely don't want to refine based on the
1104             // base prediction. If it has non-cell garbage in it, then we want that to be
1105             // ignored. That's because ArrayPush can't handle any array modes that aren't
1106             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1107             // that would break things.
1108             Edge& storageEdge = m_graph.varArgChild(node, 0);
1109             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1110             unsigned elementOffset = 2;
1111             unsigned elementCount = node->numChildren() - elementOffset;
1112             for (unsigned i = 0; i < elementCount; ++i) {
1113                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1114                 node->setArrayMode(
1115                     node->arrayMode().refine(
1116                         m_graph, node,
1117                         arrayEdge->prediction() & SpecCell,
1118                         SpecInt32Only,
1119                         element->prediction()));
1120             }
1121             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1122             fixEdge<KnownCellUse>(arrayEdge);
1123
1124             // Convert `array.push()` to GetArrayLength.
1125             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1126                 node->setOpAndDefaultFlags(GetArrayLength);
1127                 node->child1() = arrayEdge;
1128                 node->child2() = storageEdge;
1129                 fixEdge<KnownCellUse>(node->child1());
1130                 break;
1131             }
1132
1133             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1134             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1135             for (unsigned i = 0; i < elementCount; ++i) {
1136                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1137                 switch (node->arrayMode().type()) {
1138                 case Array::Int32:
1139                     insertCheck<Int32Use>(element.node());
1140                     fixEdge<KnownInt32Use>(element);
1141                     break;
1142                 case Array::Double:
1143                     insertCheck<DoubleRepRealUse>(element.node());
1144                     fixEdge<DoubleRepUse>(element);
1145                     break;
1146                 case Array::Contiguous:
1147                 case Array::ArrayStorage:
1148                     speculateForBarrier(element);
1149                     break;
1150                 default:
1151                     break;
1152                 }
1153                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1154             }
1155             break;
1156         }
1157             
1158         case ArrayPop: {
1159             blessArrayOperation(node->child1(), Edge(), node->child2());
1160             fixEdge<KnownCellUse>(node->child1());
1161             break;
1162         }
1163
1164         case ArraySlice: {
1165             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1166             if (node->numChildren() >= 3) {
1167                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1168                 if (node->numChildren() == 4)
1169                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1170             }
1171             break;
1172         }
1173
1174         case ArrayIndexOf:
1175             fixupArrayIndexOf(node);
1176             break;
1177             
1178         case RegExpExec:
1179         case RegExpTest: {
1180             fixEdge<KnownCellUse>(node->child1());
1181             
1182             if (node->child2()->shouldSpeculateRegExpObject()) {
1183                 fixEdge<RegExpObjectUse>(node->child2());
1184
1185                 if (node->child3()->shouldSpeculateString())
1186                     fixEdge<StringUse>(node->child3());
1187             }
1188             break;
1189         }
1190
1191         case RegExpMatchFast: {
1192             fixEdge<KnownCellUse>(node->child1());
1193             fixEdge<RegExpObjectUse>(node->child2());
1194             fixEdge<StringUse>(node->child3());
1195             break;
1196         }
1197
1198         case StringReplace:
1199         case StringReplaceRegExp: {
1200             if (node->child2()->shouldSpeculateString()) {
1201                 m_insertionSet.insertNode(
1202                     m_indexInBlock, SpecNone, Check, node->origin,
1203                     Edge(node->child2().node(), StringUse));
1204                 fixEdge<StringUse>(node->child2());
1205             } else if (op == StringReplace) {
1206                 if (node->child2()->shouldSpeculateRegExpObject())
1207                     addStringReplacePrimordialChecks(node->child2().node());
1208                 else 
1209                     m_insertionSet.insertNode(
1210                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1211             }
1212
1213             if (node->child1()->shouldSpeculateString()
1214                 && node->child2()->shouldSpeculateRegExpObject()
1215                 && node->child3()->shouldSpeculateString()) {
1216
1217                 fixEdge<StringUse>(node->child1());
1218                 fixEdge<RegExpObjectUse>(node->child2());
1219                 fixEdge<StringUse>(node->child3());
1220                 break;
1221             }
1222             break;
1223         }
1224             
1225         case Branch: {
1226             if (node->child1()->shouldSpeculateBoolean()) {
1227                 if (node->child1()->result() == NodeResultBoolean) {
1228                     // This is necessary in case we have a bytecode instruction implemented by:
1229                     //
1230                     // a: CompareEq(...)
1231                     // b: Branch(@a)
1232                     //
1233                     // In that case, CompareEq might have a side-effect. Then, we need to make
1234                     // sure that we know that Branch does not exit.
1235                     fixEdge<KnownBooleanUse>(node->child1());
1236                 } else
1237                     fixEdge<BooleanUse>(node->child1());
1238             } else if (node->child1()->shouldSpeculateObjectOrOther())
1239                 fixEdge<ObjectOrOtherUse>(node->child1());
1240             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1241                 fixIntOrBooleanEdge(node->child1());
1242             else if (node->child1()->shouldSpeculateNumber())
1243                 fixEdge<DoubleRepUse>(node->child1());
1244             else if (node->child1()->shouldSpeculateString())
1245                 fixEdge<StringUse>(node->child1());
1246             else if (node->child1()->shouldSpeculateStringOrOther())
1247                 fixEdge<StringOrOtherUse>(node->child1());
1248             else {
1249                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1250                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1251                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1252             }
1253             break;
1254         }
1255             
1256         case Switch: {
1257             SwitchData* data = node->switchData();
1258             switch (data->kind) {
1259             case SwitchImm:
1260                 if (node->child1()->shouldSpeculateInt32())
1261                     fixEdge<Int32Use>(node->child1());
1262                 break;
1263             case SwitchChar:
1264                 if (node->child1()->shouldSpeculateString())
1265                     fixEdge<StringUse>(node->child1());
1266                 break;
1267             case SwitchString:
1268                 if (node->child1()->shouldSpeculateStringIdent())
1269                     fixEdge<StringIdentUse>(node->child1());
1270                 else if (node->child1()->shouldSpeculateString())
1271                     fixEdge<StringUse>(node->child1());
1272                 break;
1273             case SwitchCell:
1274                 if (node->child1()->shouldSpeculateCell())
1275                     fixEdge<CellUse>(node->child1());
1276                 // else it's fine for this to have UntypedUse; we will handle this by just making
1277                 // non-cells take the default case.
1278                 break;
1279             }
1280             break;
1281         }
1282             
1283         case ToPrimitive: {
1284             fixupToPrimitive(node);
1285             break;
1286         }
1287
1288         case ToNumber: {
1289             fixupToNumber(node);
1290             break;
1291         }
1292             
1293         case ToString:
1294         case CallStringConstructor: {
1295             fixupToStringOrCallStringConstructor(node);
1296             break;
1297         }
1298             
1299         case NewStringObject: {
1300             fixEdge<KnownStringUse>(node->child1());
1301             break;
1302         }
1303
1304         case NewSymbol: {
1305             if (node->child1())
1306                 fixEdge<KnownStringUse>(node->child1());
1307             break;
1308         }
1309
1310         case NewArrayWithSpread: {
1311             watchHavingABadTime(node);
1312             
1313             BitVector* bitVector = node->bitVector();
1314             for (unsigned i = node->numChildren(); i--;) {
1315                 if (bitVector->get(i))
1316                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1317                 else
1318                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1319             }
1320
1321             break;
1322         }
1323
1324         case Spread: {
1325             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1326             
1327             watchHavingABadTime(node->child1().node());
1328
1329             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1330             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1331             // that it doesn't contain any indexed properties, and that any holes will result in
1332             // jsUndefined().
1333             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1334             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1335             if (node->child1()->shouldSpeculateArray()
1336                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1337                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1338                 && globalObject->arrayPrototypeChainIsSane()
1339                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1340                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1341                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1342                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1343                 fixEdge<ArrayUse>(node->child1());
1344             } else
1345                 fixEdge<CellUse>(node->child1());
1346             break;
1347         }
1348             
1349         case NewArray: {
1350             watchHavingABadTime(node);
1351             
1352             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1353                 node->setIndexingType(
1354                     leastUpperBoundOfIndexingTypeAndType(
1355                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1356             }
1357             switch (node->indexingType()) {
1358             case ALL_BLANK_INDEXING_TYPES:
1359                 CRASH();
1360                 break;
1361             case ALL_UNDECIDED_INDEXING_TYPES:
1362                 if (node->numChildren()) {
1363                     // This will only happen if the children have no type predictions. We
1364                     // would have already exited by now, but insert a forced exit just to
1365                     // be safe.
1366                     m_insertionSet.insertNode(
1367                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1368                 }
1369                 break;
1370             case ALL_INT32_INDEXING_TYPES:
1371                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1372                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1373                 break;
1374             case ALL_DOUBLE_INDEXING_TYPES:
1375                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1376                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1377                 break;
1378             case ALL_CONTIGUOUS_INDEXING_TYPES:
1379             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1380                 break;
1381             default:
1382                 CRASH();
1383                 break;
1384             }
1385             break;
1386         }
1387             
1388         case NewTypedArray: {
1389             watchHavingABadTime(node);
1390             
1391             if (node->child1()->shouldSpeculateInt32()) {
1392                 fixEdge<Int32Use>(node->child1());
1393                 node->clearFlags(NodeMustGenerate);
1394                 break;
1395             }
1396             break;
1397         }
1398             
1399         case NewArrayWithSize: {
1400             watchHavingABadTime(node);
1401             fixEdge<Int32Use>(node->child1());
1402             break;
1403         }
1404
1405         case NewArrayBuffer: {
1406             watchHavingABadTime(node);
1407             break;
1408         }
1409
1410         case ToObject: {
1411             fixupToObject(node);
1412             break;
1413         }
1414
1415         case CallObjectConstructor: {
1416             fixupCallObjectConstructor(node);
1417             break;
1418         }
1419
1420         case ToThis: {
1421             fixupToThis(node);
1422             break;
1423         }
1424             
1425         case PutStructure: {
1426             fixEdge<KnownCellUse>(node->child1());
1427             break;
1428         }
1429             
1430         case GetClosureVar:
1431         case GetFromArguments: {
1432             fixEdge<KnownCellUse>(node->child1());
1433             break;
1434         }
1435
1436         case PutClosureVar:
1437         case PutToArguments: {
1438             fixEdge<KnownCellUse>(node->child1());
1439             speculateForBarrier(node->child2());
1440             break;
1441         }
1442
1443         case SkipScope:
1444         case GetScope:
1445         case GetGetter:
1446         case GetSetter:
1447         case GetGlobalObject: {
1448             fixEdge<KnownCellUse>(node->child1());
1449             break;
1450         }
1451             
1452         case AllocatePropertyStorage:
1453         case ReallocatePropertyStorage: {
1454             fixEdge<KnownCellUse>(node->child1());
1455             break;
1456         }
1457             
1458         case NukeStructureAndSetButterfly: {
1459             fixEdge<KnownCellUse>(node->child1());
1460             break;
1461         }
1462
1463         case TryGetById: {
1464             if (node->child1()->shouldSpeculateCell())
1465                 fixEdge<CellUse>(node->child1());
1466             break;
1467         }
1468
1469         case GetByIdDirect:
1470         case GetByIdDirectFlush: {
1471             if (node->child1()->shouldSpeculateCell())
1472                 fixEdge<CellUse>(node->child1());
1473             break;
1474         }
1475
1476         case GetById:
1477         case GetByIdFlush: {
1478             // FIXME: This should be done in the ByteCodeParser based on reading the
1479             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1480             // https://bugs.webkit.org/show_bug.cgi?id=154990
1481             auto uid = m_graph.identifiers()[node->identifierNumber()];
1482             if (node->child1()->shouldSpeculateCellOrOther()
1483                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1484                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1485                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1486                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1487                 
1488                 if (uid == vm().propertyNames->length.impl()) {
1489                     attemptToMakeGetArrayLength(node);
1490                     break;
1491                 }
1492
1493                 if (uid == vm().propertyNames->lastIndex.impl()
1494                     && node->child1()->shouldSpeculateRegExpObject()) {
1495                     node->setOp(GetRegExpObjectLastIndex);
1496                     node->clearFlags(NodeMustGenerate);
1497                     fixEdge<RegExpObjectUse>(node->child1());
1498                     break;
1499                 }
1500             }
1501
1502             if (node->child1()->shouldSpeculateNumber()) {
1503                 if (uid == vm().propertyNames->toString.impl()) {
1504                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1505                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1506                         if (node->child1()->shouldSpeculateInt32()) {
1507                             insertCheck<Int32Use>(node->child1().node());
1508                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1509                             break;
1510                         }
1511
1512                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1513                             insertCheck<Int52RepUse>(node->child1().node());
1514                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1515                             break;
1516                         }
1517
1518                         ASSERT(node->child1()->shouldSpeculateNumber());
1519                         insertCheck<DoubleRepUse>(node->child1().node());
1520                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1521                         break;
1522                     }
1523                 }
1524             }
1525
1526             if (node->child1()->shouldSpeculateCell())
1527                 fixEdge<CellUse>(node->child1());
1528             break;
1529         }
1530         
1531         case GetByIdWithThis: {
1532             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1533                 fixEdge<CellUse>(node->child1());
1534                 fixEdge<CellUse>(node->child2());
1535             }
1536             break;
1537         }
1538
1539         case PutById:
1540         case PutByIdFlush:
1541         case PutByIdDirect: {
1542             if (node->child1()->shouldSpeculateCellOrOther()
1543                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1544                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1545                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1546                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1547                 
1548                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1549                 
1550                 if (uid == vm().propertyNames->lastIndex.impl()
1551                     && node->child1()->shouldSpeculateRegExpObject()) {
1552                     node->convertToSetRegExpObjectLastIndex();
1553                     fixEdge<RegExpObjectUse>(node->child1());
1554                     speculateForBarrier(node->child2());
1555                     break;
1556                 }
1557             }
1558             
1559             fixEdge<CellUse>(node->child1());
1560             break;
1561         }
1562
1563         case PutGetterById:
1564         case PutSetterById: {
1565             fixEdge<KnownCellUse>(node->child1());
1566             fixEdge<KnownCellUse>(node->child2());
1567             break;
1568         }
1569
1570         case PutGetterSetterById: {
1571             fixEdge<KnownCellUse>(node->child1());
1572             break;
1573         }
1574
1575         case PutGetterByVal:
1576         case PutSetterByVal: {
1577             fixEdge<KnownCellUse>(node->child1());
1578             fixEdge<KnownCellUse>(node->child3());
1579             break;
1580         }
1581
1582         case GetExecutable: {
1583             fixEdge<FunctionUse>(node->child1());
1584             break;
1585         }
1586
1587         case OverridesHasInstance:
1588         case CheckStructure:
1589         case CheckCell:
1590         case CreateThis:
1591         case GetButterfly: {
1592             fixEdge<CellUse>(node->child1());
1593             break;
1594         }
1595
1596         case ObjectCreate: {
1597             if (node->child1()->shouldSpeculateObject()) {
1598                 fixEdge<ObjectUse>(node->child1());
1599                 node->clearFlags(NodeMustGenerate);
1600                 break;
1601             }
1602             break;
1603         }
1604
1605         case ObjectKeys: {
1606             if (node->child1()->shouldSpeculateObject()) {
1607                 watchHavingABadTime(node);
1608                 fixEdge<ObjectUse>(node->child1());
1609             }
1610             break;
1611         }
1612
1613         case CheckStringIdent: {
1614             fixEdge<StringIdentUse>(node->child1());
1615             break;
1616         }
1617             
1618         case Arrayify:
1619         case ArrayifyToStructure: {
1620             fixEdge<CellUse>(node->child1());
1621             if (node->child2())
1622                 fixEdge<Int32Use>(node->child2());
1623             break;
1624         }
1625             
1626         case GetByOffset:
1627         case GetGetterSetterByOffset: {
1628             if (!node->child1()->hasStorageResult())
1629                 fixEdge<KnownCellUse>(node->child1());
1630             fixEdge<KnownCellUse>(node->child2());
1631             break;
1632         }
1633             
1634         case MultiGetByOffset: {
1635             fixEdge<CellUse>(node->child1());
1636             break;
1637         }
1638             
1639         case PutByOffset: {
1640             if (!node->child1()->hasStorageResult())
1641                 fixEdge<KnownCellUse>(node->child1());
1642             fixEdge<KnownCellUse>(node->child2());
1643             speculateForBarrier(node->child3());
1644             break;
1645         }
1646             
1647         case MultiPutByOffset: {
1648             fixEdge<CellUse>(node->child1());
1649             break;
1650         }
1651             
1652         case MatchStructure: {
1653             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1654             // https://bugs.webkit.org/show_bug.cgi?id=185784
1655             fixEdge<CellUse>(node->child1());
1656             break;
1657         }
1658             
1659         case InstanceOf: {
1660             if (node->child1()->shouldSpeculateCell()
1661                 && node->child2()->shouldSpeculateCell()
1662                 && is64Bit()) {
1663                 fixEdge<CellUse>(node->child1());
1664                 fixEdge<CellUse>(node->child2());
1665                 break;
1666             }
1667             break;
1668         }
1669
1670         case InstanceOfCustom:
1671             fixEdge<CellUse>(node->child2());
1672             break;
1673
1674         case InById: {
1675             fixEdge<CellUse>(node->child1());
1676             break;
1677         }
1678
1679         case InByVal: {
1680             if (node->child2()->shouldSpeculateInt32()) {
1681                 convertToHasIndexedProperty(node);
1682                 break;
1683             }
1684
1685             fixEdge<CellUse>(node->child1());
1686             break;
1687         }
1688
1689         case HasOwnProperty: {
1690             fixEdge<ObjectUse>(node->child1());
1691 #if CPU(X86)
1692             // We don't have enough registers to do anything interesting on x86 and mips.
1693             fixEdge<UntypedUse>(node->child2());
1694 #else
1695             if (node->child2()->shouldSpeculateString())
1696                 fixEdge<StringUse>(node->child2());
1697             else if (node->child2()->shouldSpeculateSymbol())
1698                 fixEdge<SymbolUse>(node->child2());
1699             else
1700                 fixEdge<UntypedUse>(node->child2());
1701 #endif
1702             break;
1703         }
1704
1705         case CheckVarargs:
1706         case Check: {
1707             m_graph.doToChildren(
1708                 node,
1709                 [&] (Edge& edge) {
1710                     switch (edge.useKind()) {
1711                     case NumberUse:
1712                         if (edge->shouldSpeculateInt32ForArithmetic())
1713                             edge.setUseKind(Int32Use);
1714                         break;
1715                     default:
1716                         break;
1717                     }
1718                     observeUseKindOnEdge(edge);
1719                 });
1720             break;
1721         }
1722
1723         case Phantom:
1724             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1725             node->remove(m_graph);
1726             break;
1727
1728         case FiatInt52: {
1729             RELEASE_ASSERT(enableInt52());
1730             node->convertToIdentity();
1731             fixEdge<Int52RepUse>(node->child1());
1732             node->setResult(NodeResultInt52);
1733             break;
1734         }
1735
1736         case GetArrayLength: {
1737             fixEdge<KnownCellUse>(node->child1());
1738             break;
1739         }
1740
1741         case GetTypedArrayByteOffset: {
1742             fixEdge<KnownCellUse>(node->child1());
1743             break;
1744         }
1745
1746         case CompareBelow:
1747         case CompareBelowEq: {
1748             fixEdge<Int32Use>(node->child1());
1749             fixEdge<Int32Use>(node->child2());
1750             break;
1751         }
1752
1753         case GetPrototypeOf: {
1754             fixupGetPrototypeOf(node);
1755             break;
1756         }
1757
1758         case Phi:
1759         case Upsilon:
1760         case EntrySwitch:
1761         case GetIndexedPropertyStorage:
1762         case LastNodeType:
1763         case CheckTierUpInLoop:
1764         case CheckTierUpAtReturn:
1765         case CheckTierUpAndOSREnter:
1766         case CheckArray:
1767         case CheckInBounds:
1768         case ConstantStoragePointer:
1769         case DoubleAsInt32:
1770         case ValueToInt32:
1771         case DoubleRep:
1772         case ValueRep:
1773         case Int52Rep:
1774         case Int52Constant:
1775         case Identity: // This should have been cleaned up.
1776         case BooleanToNumber:
1777         case PhantomNewObject:
1778         case PhantomNewFunction:
1779         case PhantomNewGeneratorFunction:
1780         case PhantomNewAsyncGeneratorFunction:
1781         case PhantomNewAsyncFunction:
1782         case PhantomCreateActivation:
1783         case PhantomDirectArguments:
1784         case PhantomCreateRest:
1785         case PhantomSpread:
1786         case PhantomNewArrayWithSpread:
1787         case PhantomNewArrayBuffer:
1788         case PhantomClonedArguments:
1789         case PhantomNewRegexp:
1790         case GetMyArgumentByVal:
1791         case GetMyArgumentByValOutOfBounds:
1792         case GetVectorLength:
1793         case PutHint:
1794         case CheckStructureImmediate:
1795         case CheckStructureOrEmpty:
1796         case MaterializeNewObject:
1797         case MaterializeCreateActivation:
1798         case PutStack:
1799         case KillStack:
1800         case GetStack:
1801         case StoreBarrier:
1802         case FencedStoreBarrier:
1803         case GetRegExpObjectLastIndex:
1804         case SetRegExpObjectLastIndex:
1805         case RecordRegExpCachedResult:
1806         case RegExpExecNonGlobalOrSticky:
1807         case RegExpMatchFastGlobal:
1808             // These are just nodes that we don't currently expect to see during fixup.
1809             // If we ever wanted to insert them prior to fixup, then we just have to create
1810             // fixup rules for them.
1811             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1812             break;
1813
1814         case PutGlobalVariable: {
1815             fixEdge<CellUse>(node->child1());
1816             speculateForBarrier(node->child2());
1817             break;
1818         }
1819
1820         case IsObject:
1821             if (node->child1()->shouldSpeculateObject()) {
1822                 m_insertionSet.insertNode(
1823                     m_indexInBlock, SpecNone, Check, node->origin,
1824                     Edge(node->child1().node(), ObjectUse));
1825                 m_graph.convertToConstant(node, jsBoolean(true));
1826                 observeUseKindOnNode<ObjectUse>(node);
1827             }
1828             break;
1829
1830         case IsCellWithType: {
1831             fixupIsCellWithType(node);
1832             break;
1833         }
1834
1835         case GetEnumerableLength: {
1836             fixEdge<CellUse>(node->child1());
1837             break;
1838         }
1839         case HasGenericProperty: {
1840             fixEdge<CellUse>(node->child2());
1841             break;
1842         }
1843         case HasStructureProperty: {
1844             fixEdge<StringUse>(node->child2());
1845             fixEdge<KnownCellUse>(node->child3());
1846             break;
1847         }
1848         case HasIndexedProperty: {
1849             node->setArrayMode(
1850                 node->arrayMode().refine(
1851                     m_graph, node,
1852                     node->child1()->prediction(),
1853                     node->child2()->prediction(),
1854                     SpecNone));
1855             
1856             blessArrayOperation(node->child1(), node->child2(), node->child3());
1857             fixEdge<CellUse>(node->child1());
1858             fixEdge<KnownInt32Use>(node->child2());
1859             break;
1860         }
1861         case GetDirectPname: {
1862             Edge& base = m_graph.varArgChild(node, 0);
1863             Edge& property = m_graph.varArgChild(node, 1);
1864             Edge& index = m_graph.varArgChild(node, 2);
1865             Edge& enumerator = m_graph.varArgChild(node, 3);
1866             fixEdge<CellUse>(base);
1867             fixEdge<KnownCellUse>(property);
1868             fixEdge<KnownInt32Use>(index);
1869             fixEdge<KnownCellUse>(enumerator);
1870             break;
1871         }
1872         case GetPropertyEnumerator: {
1873             if (node->child1()->shouldSpeculateCell())
1874                 fixEdge<CellUse>(node->child1());
1875             break;
1876         }
1877         case GetEnumeratorStructurePname: {
1878             fixEdge<KnownCellUse>(node->child1());
1879             fixEdge<KnownInt32Use>(node->child2());
1880             break;
1881         }
1882         case GetEnumeratorGenericPname: {
1883             fixEdge<KnownCellUse>(node->child1());
1884             fixEdge<KnownInt32Use>(node->child2());
1885             break;
1886         }
1887         case ToIndexString: {
1888             fixEdge<KnownInt32Use>(node->child1());
1889             break;
1890         }
1891         case ProfileType: {
1892             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1893             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1894             // type T for the instructionTypeSet, the global type set must also have information for type T.
1895             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1896             // in the globalTypeSet would've also succeeded.
1897             // (The other direction does not hold in general).
1898
1899             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1900             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1901             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1902                 if (node->child1()->shouldSpeculateInt32()) {
1903                     fixEdge<Int32Use>(node->child1());
1904                     node->remove(m_graph);
1905                     break;
1906                 }
1907
1908                 if (enableInt52()) {
1909                     fixEdge<AnyIntUse>(node->child1());
1910                     node->remove(m_graph);
1911                     break;
1912                 }
1913
1914                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1915             }
1916
1917             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1918                 fixEdge<NumberUse>(node->child1());
1919                 node->remove(m_graph);
1920             } else if (typeSet->doesTypeConformTo(TypeString)) {
1921                 fixEdge<StringUse>(node->child1());
1922                 node->remove(m_graph);
1923             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1924                 fixEdge<BooleanUse>(node->child1());
1925                 node->remove(m_graph);
1926             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1927                 fixEdge<OtherUse>(node->child1());
1928                 node->remove(m_graph);
1929             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1930                 StructureSet set;
1931                 {
1932                     ConcurrentJSLocker locker(typeSet->m_lock);
1933                     set = typeSet->structureSet(locker);
1934                 }
1935                 if (!set.isEmpty()) {
1936                     fixEdge<CellUse>(node->child1());
1937                     node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
1938                 }
1939             }
1940
1941             break;
1942         }
1943
1944         case CreateClonedArguments: {
1945             watchHavingABadTime(node);
1946             break;
1947         }
1948
1949         case CreateScopedArguments:
1950         case CreateActivation:
1951         case NewFunction:
1952         case NewGeneratorFunction:
1953         case NewAsyncGeneratorFunction:
1954         case NewAsyncFunction: {
1955             // Child 1 is always the current scope, which is guaranteed to be an object
1956             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1957             fixEdge<KnownCellUse>(node->child1());
1958             break;
1959         }
1960
1961         case PushWithScope: {
1962             // Child 1 is always the current scope, which is guaranteed to be an object
1963             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1964             fixEdge<KnownCellUse>(node->child1());
1965             if (node->child2()->shouldSpeculateObject())
1966                 fixEdge<ObjectUse>(node->child2());
1967             break;
1968         }
1969
1970         case SetFunctionName: {
1971             // The first child is guaranteed to be a cell because op_set_function_name is only used
1972             // on a newly instantiated function object (the first child).
1973             fixEdge<KnownCellUse>(node->child1());
1974             fixEdge<UntypedUse>(node->child2());
1975             break;
1976         }
1977
1978         case CreateRest: {
1979             watchHavingABadTime(node);
1980             fixEdge<KnownInt32Use>(node->child1());
1981             break;
1982         }
1983
1984         case ResolveScopeForHoistingFuncDeclInEval: {
1985             fixEdge<KnownCellUse>(node->child1());
1986             break;
1987         }
1988         case ResolveScope:
1989         case GetDynamicVar:
1990         case PutDynamicVar: {
1991             fixEdge<KnownCellUse>(node->child1());
1992             break;
1993         }
1994
1995         case LogShadowChickenPrologue: {
1996             fixEdge<KnownCellUse>(node->child1());
1997             break;
1998         }
1999         case LogShadowChickenTail: {
2000             fixEdge<UntypedUse>(node->child1());
2001             fixEdge<KnownCellUse>(node->child2());
2002             break;
2003         }
2004
2005         case GetMapBucket:
2006             if (node->child1().useKind() == MapObjectUse)
2007                 fixEdge<MapObjectUse>(node->child1());
2008             else if (node->child1().useKind() == SetObjectUse)
2009                 fixEdge<SetObjectUse>(node->child1());
2010             else
2011                 RELEASE_ASSERT_NOT_REACHED();
2012
2013 #if USE(JSVALUE64)
2014             if (node->child2()->shouldSpeculateBoolean())
2015                 fixEdge<BooleanUse>(node->child2());
2016             else if (node->child2()->shouldSpeculateInt32())
2017                 fixEdge<Int32Use>(node->child2());
2018             else if (node->child2()->shouldSpeculateSymbol())
2019                 fixEdge<SymbolUse>(node->child2());
2020             else if (node->child2()->shouldSpeculateObject())
2021                 fixEdge<ObjectUse>(node->child2());
2022             else if (node->child2()->shouldSpeculateString())
2023                 fixEdge<StringUse>(node->child2());
2024             else if (node->child2()->shouldSpeculateCell())
2025                 fixEdge<CellUse>(node->child2());
2026             else
2027                 fixEdge<UntypedUse>(node->child2());
2028 #else
2029             fixEdge<UntypedUse>(node->child2());
2030 #endif // USE(JSVALUE64)
2031
2032             fixEdge<Int32Use>(node->child3());
2033             break;
2034
2035         case GetMapBucketHead:
2036             if (node->child1().useKind() == MapObjectUse)
2037                 fixEdge<MapObjectUse>(node->child1());
2038             else if (node->child1().useKind() == SetObjectUse)
2039                 fixEdge<SetObjectUse>(node->child1());
2040             else
2041                 RELEASE_ASSERT_NOT_REACHED();
2042             break;
2043
2044         case GetMapBucketNext:
2045         case LoadKeyFromMapBucket:
2046         case LoadValueFromMapBucket:
2047             fixEdge<CellUse>(node->child1());
2048             break;
2049
2050         case MapHash: {
2051 #if USE(JSVALUE64)
2052             if (node->child1()->shouldSpeculateBoolean()) {
2053                 fixEdge<BooleanUse>(node->child1());
2054                 break;
2055             }
2056
2057             if (node->child1()->shouldSpeculateInt32()) {
2058                 fixEdge<Int32Use>(node->child1());
2059                 break;
2060             }
2061
2062             if (node->child1()->shouldSpeculateSymbol()) {
2063                 fixEdge<SymbolUse>(node->child1());
2064                 break;
2065             }
2066
2067             if (node->child1()->shouldSpeculateObject()) {
2068                 fixEdge<ObjectUse>(node->child1());
2069                 break;
2070             }
2071
2072             if (node->child1()->shouldSpeculateString()) {
2073                 fixEdge<StringUse>(node->child1());
2074                 break;
2075             }
2076
2077             if (node->child1()->shouldSpeculateCell()) {
2078                 fixEdge<CellUse>(node->child1());
2079                 break;
2080             }
2081
2082             fixEdge<UntypedUse>(node->child1());
2083 #else
2084             fixEdge<UntypedUse>(node->child1());
2085 #endif // USE(JSVALUE64)
2086             break;
2087         }
2088
2089         case NormalizeMapKey: {
2090             fixupNormalizeMapKey(node);
2091             break;
2092         }
2093
2094         case WeakMapGet: {
2095             if (node->child1().useKind() == WeakMapObjectUse)
2096                 fixEdge<WeakMapObjectUse>(node->child1());
2097             else if (node->child1().useKind() == WeakSetObjectUse)
2098                 fixEdge<WeakSetObjectUse>(node->child1());
2099             else
2100                 RELEASE_ASSERT_NOT_REACHED();
2101             fixEdge<ObjectUse>(node->child2());
2102             fixEdge<Int32Use>(node->child3());
2103             break;
2104         }
2105
2106         case SetAdd: {
2107             fixEdge<SetObjectUse>(node->child1());
2108             fixEdge<Int32Use>(node->child3());
2109             break;
2110         }
2111
2112         case MapSet: {
2113             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
2114             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2115             break;
2116         }
2117
2118         case WeakSetAdd: {
2119             fixEdge<WeakSetObjectUse>(node->child1());
2120             fixEdge<ObjectUse>(node->child2());
2121             fixEdge<Int32Use>(node->child3());
2122             break;
2123         }
2124
2125         case WeakMapSet: {
2126             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2127             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2128             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2129             break;
2130         }
2131
2132         case DefineDataProperty: {
2133             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2134             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2135             if (propertyEdge->shouldSpeculateSymbol())
2136                 fixEdge<SymbolUse>(propertyEdge);
2137             else if (propertyEdge->shouldSpeculateStringIdent())
2138                 fixEdge<StringIdentUse>(propertyEdge);
2139             else if (propertyEdge->shouldSpeculateString())
2140                 fixEdge<StringUse>(propertyEdge);
2141             else
2142                 fixEdge<UntypedUse>(propertyEdge);
2143             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2144             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2145             break;
2146         }
2147
2148         case StringValueOf: {
2149             fixupStringValueOf(node);
2150             break;
2151         }
2152
2153         case ObjectToString: {
2154             fixupObjectToString(node);
2155             break;
2156         }
2157
2158         case StringSlice: {
2159             fixEdge<StringUse>(node->child1());
2160             fixEdge<Int32Use>(node->child2());
2161             if (node->child3())
2162                 fixEdge<Int32Use>(node->child3());
2163             break;
2164         }
2165
2166         case ToLowerCase: {
2167             // We currently only support StringUse since that will ensure that
2168             // ToLowerCase is a pure operation. If we decide to update this with
2169             // more types in the future, we need to ensure that the clobberize rules
2170             // are correct.
2171             fixEdge<StringUse>(node->child1());
2172             break;
2173         }
2174
2175         case NumberToStringWithRadix: {
2176             if (node->child1()->shouldSpeculateInt32())
2177                 fixEdge<Int32Use>(node->child1());
2178             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2179                 fixEdge<Int52RepUse>(node->child1());
2180             else
2181                 fixEdge<DoubleRepUse>(node->child1());
2182             fixEdge<Int32Use>(node->child2());
2183             break;
2184         }
2185
2186         case DefineAccessorProperty: {
2187             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2188             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2189             if (propertyEdge->shouldSpeculateSymbol())
2190                 fixEdge<SymbolUse>(propertyEdge);
2191             else if (propertyEdge->shouldSpeculateStringIdent())
2192                 fixEdge<StringIdentUse>(propertyEdge);
2193             else if (propertyEdge->shouldSpeculateString())
2194                 fixEdge<StringUse>(propertyEdge);
2195             else
2196                 fixEdge<UntypedUse>(propertyEdge);
2197             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2198             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2199             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2200             break;
2201         }
2202
2203         case CheckSubClass: {
2204             fixupCheckSubClass(node);
2205             break;
2206         }
2207
2208         case CallDOMGetter: {
2209             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2210             fixEdge<CellUse>(node->child1()); // DOM.
2211             if (snippet && snippet->requireGlobalObject)
2212                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2213             break;
2214         }
2215
2216         case CallDOM: {
2217             fixupCallDOM(node);
2218             break;
2219         }
2220
2221         case Call: {
2222             attemptToMakeCallDOM(node);
2223             break;
2224         }
2225
2226         case ParseInt: {
2227             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2228                 fixEdge<Int32Use>(node->child1());
2229                 node->convertToIdentity();
2230                 break;
2231             }
2232
2233             if (node->child1()->shouldSpeculateString()) {
2234                 fixEdge<StringUse>(node->child1());
2235                 node->clearFlags(NodeMustGenerate);
2236             }
2237
2238             if (node->child2())
2239                 fixEdge<Int32Use>(node->child2());
2240
2241             break;
2242         }
2243
2244         case IdentityWithProfile: {
2245             node->clearFlags(NodeMustGenerate);
2246             break;
2247         }
2248
2249         case ThrowStaticError:
2250             fixEdge<StringUse>(node->child1());
2251             break;
2252
2253         case NumberIsInteger:
2254             if (node->child1()->shouldSpeculateInt32()) {
2255                 m_insertionSet.insertNode(
2256                     m_indexInBlock, SpecNone, Check, node->origin,
2257                     Edge(node->child1().node(), Int32Use));
2258                 m_graph.convertToConstant(node, jsBoolean(true));
2259                 break;
2260             }
2261             break;
2262
2263         case SetCallee:
2264             fixEdge<CellUse>(node->child1());
2265             break;
2266
2267         case DataViewGetInt:
2268         case DataViewGetFloat: {
2269             fixEdge<DataViewObjectUse>(node->child1());
2270             fixEdge<Int32Use>(node->child2());
2271             if (node->child3())
2272                 fixEdge<BooleanUse>(node->child3());
2273
2274             if (node->op() == DataViewGetInt) {
2275                 DataViewData data = node->dataViewData();
2276                 switch (data.byteSize) {
2277                 case 1:
2278                 case 2:
2279                     node->setResult(NodeResultInt32);
2280                     break;
2281                 case 4:
2282                     if (data.isSigned)
2283                         node->setResult(NodeResultInt32);
2284                     else
2285                         node->setResult(NodeResultInt52);
2286                     break;
2287                 default:
2288                     RELEASE_ASSERT_NOT_REACHED();
2289                 }
2290             }
2291             break;
2292         }
2293
2294         case DataViewSet: {
2295             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2296             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2297             if (m_graph.varArgChild(node, 3))
2298                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2299             
2300             DataViewData data = node->dataViewData();
2301             Edge& valueToStore = m_graph.varArgChild(node, 2);
2302             if (data.isFloatingPoint)
2303                 fixEdge<DoubleRepUse>(valueToStore);
2304             else {
2305                 switch (data.byteSize) {
2306                 case 1:
2307                 case 2:
2308                     fixEdge<Int32Use>(valueToStore);
2309                     break;
2310                 case 4:
2311                     if (data.isSigned)
2312                         fixEdge<Int32Use>(valueToStore);
2313                     else
2314                         fixEdge<Int52RepUse>(valueToStore);
2315                     break;
2316                 }
2317             }
2318             break;
2319         }
2320
2321 #if !ASSERT_DISABLED
2322         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2323         case SetArgument:
2324         case JSConstant:
2325         case LazyJSConstant:
2326         case DoubleConstant:
2327         case GetLocal:
2328         case GetCallee:
2329         case GetArgumentCountIncludingThis:
2330         case SetArgumentCountIncludingThis:
2331         case GetRestLength:
2332         case GetArgument:
2333         case Flush:
2334         case PhantomLocal:
2335         case GetGlobalVar:
2336         case GetGlobalLexicalVariable:
2337         case NotifyWrite:
2338         case DirectCall:
2339         case CheckTypeInfoFlags:
2340         case TailCallInlinedCaller:
2341         case DirectTailCallInlinedCaller:
2342         case Construct:
2343         case DirectConstruct:
2344         case CallVarargs:
2345         case CallEval:
2346         case TailCallVarargsInlinedCaller:
2347         case ConstructVarargs:
2348         case CallForwardVarargs:
2349         case ConstructForwardVarargs:
2350         case TailCallForwardVarargs:
2351         case TailCallForwardVarargsInlinedCaller:
2352         case LoadVarargs:
2353         case ForwardVarargs:
2354         case ProfileControlFlow:
2355         case NewObject:
2356         case NewRegexp:
2357         case DeleteById:
2358         case DeleteByVal:
2359         case IsTypedArrayView:
2360         case IsEmpty:
2361         case IsUndefined:
2362         case IsUndefinedOrNull:
2363         case IsBoolean:
2364         case IsNumber:
2365         case IsObjectOrNull:
2366         case IsFunction:
2367         case CreateDirectArguments:
2368         case Jump:
2369         case Return:
2370         case TailCall:
2371         case DirectTailCall:
2372         case TailCallVarargs:
2373         case Throw:
2374         case CountExecution:
2375         case SuperSamplerBegin:
2376         case SuperSamplerEnd:
2377         case ForceOSRExit:
2378         case CheckBadCell:
2379         case CheckNotEmpty:
2380         case AssertNotEmpty:
2381         case CheckTraps:
2382         case Unreachable:
2383         case ExtractOSREntryLocal:
2384         case ExtractCatchLocal:
2385         case ClearCatchLocals:
2386         case LoopHint:
2387         case MovHint:
2388         case InitializeEntrypointArguments:
2389         case ZombieHint:
2390         case ExitOK:
2391         case BottomValue:
2392         case TypeOf:
2393         case PutByIdWithThis:
2394         case PutByValWithThis:
2395         case GetByValWithThis:
2396         case CompareEqPtr:
2397         case NumberToStringWithValidRadixConstant:
2398         case GetGlobalThis:
2399         case ExtractValueFromWeakMapGet:
2400         case CPUIntrinsic:
2401         case FilterCallLinkStatus:
2402         case FilterGetByIdStatus:
2403         case FilterPutByIdStatus:
2404         case FilterInByIdStatus:
2405         case InvalidationPoint:
2406             break;
2407 #else
2408         default:
2409             break;
2410 #endif
2411         }
2412     }
2413
2414     void watchHavingABadTime(Node* node)
2415     {
2416         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2417
2418         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2419         // does an array allocation. The types of array allocations may change if we start to have a bad
2420         // time. It's easier to reason about this if we know that whenever the types change after we start
2421         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2422         // prior to this point nobody should have been doing optimizations based on the indexing type of
2423         // the allocation.
2424         if (!globalObject->isHavingABadTime()) {
2425             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2426             m_graph.freeze(globalObject);
2427         }
2428     }
2429     
2430     template<UseKind useKind>
2431     void createToString(Node* node, Edge& edge)
2432     {
2433         Node* toString = m_insertionSet.insertNode(
2434             m_indexInBlock, SpecString, ToString, node->origin,
2435             Edge(edge.node(), useKind));
2436         switch (useKind) {
2437         case Int32Use:
2438         case Int52RepUse:
2439         case DoubleRepUse:
2440         case NotCellUse:
2441             toString->clearFlags(NodeMustGenerate);
2442             break;
2443         default:
2444             break;
2445         }
2446         edge.setNode(toString);
2447     }
2448     
2449     template<UseKind useKind>
2450     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2451     {
2452         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read) || arrayMode == ArrayMode(Array::Generic, Array::OriginalNonArray, Array::Read));
2453         
2454         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2455             return;
2456         
2457         createToString<useKind>(node, node->child1());
2458         arrayMode = ArrayMode(Array::String, Array::Read);
2459     }
2460     
2461     template<UseKind useKind>
2462     bool isStringObjectUse()
2463     {
2464         switch (useKind) {
2465         case StringObjectUse:
2466         case StringOrStringObjectUse:
2467             return true;
2468         default:
2469             return false;
2470         }
2471     }
2472     
2473     template<UseKind useKind>
2474     void convertStringAddUse(Node* node, Edge& edge)
2475     {
2476         if (useKind == StringUse) {
2477             observeUseKindOnNode<StringUse>(edge.node());
2478             m_insertionSet.insertNode(
2479                 m_indexInBlock, SpecNone, Check, node->origin,
2480                 Edge(edge.node(), StringUse));
2481             edge.setUseKind(KnownStringUse);
2482             return;
2483         }
2484         
2485         observeUseKindOnNode<useKind>(edge.node());
2486         createToString<useKind>(node, edge);
2487     }
2488     
2489     void convertToMakeRope(Node* node)
2490     {
2491         node->setOpAndDefaultFlags(MakeRope);
2492         fixupMakeRope(node);
2493     }
2494     
2495     void fixupMakeRope(Node* node)
2496     {
2497         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2498             Edge& edge = node->children.child(i);
2499             if (!edge)
2500                 break;
2501             edge.setUseKind(KnownStringUse);
2502             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2503             if (!string)
2504                 continue;
2505             if (string->length())
2506                 continue;
2507             
2508             // Don't allow the MakeRope to have zero children.
2509             if (!i && !node->child2())
2510                 break;
2511             
2512             node->children.removeEdge(i--);
2513         }
2514         
2515         if (!node->child2()) {
2516             ASSERT(!node->child3());
2517             node->convertToIdentity();
2518         }
2519     }
2520
2521     void fixupIsCellWithType(Node* node)
2522     {
2523         switch (node->speculatedTypeForQuery()) {
2524         case SpecString:
2525             if (node->child1()->shouldSpeculateString()) {
2526                 m_insertionSet.insertNode(
2527                     m_indexInBlock, SpecNone, Check, node->origin,
2528                     Edge(node->child1().node(), StringUse));
2529                 m_graph.convertToConstant(node, jsBoolean(true));
2530                 observeUseKindOnNode<StringUse>(node);
2531                 return;
2532             }
2533             break;
2534
2535         case SpecProxyObject:
2536             if (node->child1()->shouldSpeculateProxyObject()) {
2537                 m_insertionSet.insertNode(
2538                     m_indexInBlock, SpecNone, Check, node->origin,
2539                     Edge(node->child1().node(), ProxyObjectUse));
2540                 m_graph.convertToConstant(node, jsBoolean(true));
2541                 observeUseKindOnNode<ProxyObjectUse>(node);
2542                 return;
2543             }
2544             break;
2545
2546         case SpecRegExpObject:
2547             if (node->child1()->shouldSpeculateRegExpObject()) {
2548                 m_insertionSet.insertNode(
2549                     m_indexInBlock, SpecNone, Check, node->origin,
2550                     Edge(node->child1().node(), RegExpObjectUse));
2551                 m_graph.convertToConstant(node, jsBoolean(true));
2552                 observeUseKindOnNode<RegExpObjectUse>(node);
2553                 return;
2554             }
2555             break;
2556
2557         case SpecArray:
2558             if (node->child1()->shouldSpeculateArray()) {
2559                 m_insertionSet.insertNode(
2560                     m_indexInBlock, SpecNone, Check, node->origin,
2561                     Edge(node->child1().node(), ArrayUse));
2562                 m_graph.convertToConstant(node, jsBoolean(true));
2563                 observeUseKindOnNode<ArrayUse>(node);
2564                 return;
2565             }
2566             break;
2567
2568         case SpecDerivedArray:
2569             if (node->child1()->shouldSpeculateDerivedArray()) {
2570                 m_insertionSet.insertNode(
2571                     m_indexInBlock, SpecNone, Check, node->origin,
2572                     Edge(node->child1().node(), DerivedArrayUse));
2573                 m_graph.convertToConstant(node, jsBoolean(true));
2574                 observeUseKindOnNode<DerivedArrayUse>(node);
2575                 return;
2576             }
2577             break;
2578         }
2579
2580         if (node->child1()->shouldSpeculateCell()) {
2581             fixEdge<CellUse>(node->child1());
2582             return;
2583         }
2584
2585         if (node->child1()->shouldSpeculateNotCell()) {
2586             m_insertionSet.insertNode(
2587                 m_indexInBlock, SpecNone, Check, node->origin,
2588                 Edge(node->child1().node(), NotCellUse));
2589             m_graph.convertToConstant(node, jsBoolean(false));
2590             observeUseKindOnNode<NotCellUse>(node);
2591             return;
2592         }
2593     }
2594
2595     void fixupGetPrototypeOf(Node* node)
2596     {
2597         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2598         if (node->child1().useKind() != ObjectUse) {
2599             if (node->child1()->shouldSpeculateString()) {
2600                 insertCheck<StringUse>(node->child1().node());
2601                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2602                 return;
2603             }
2604             if (node->child1()->shouldSpeculateInt32()) {
2605                 insertCheck<Int32Use>(node->child1().node());
2606                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2607                 return;
2608             }
2609             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2610                 insertCheck<Int52RepUse>(node->child1().node());
2611                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2612                 return;
2613             }
2614             if (node->child1()->shouldSpeculateNumber()) {
2615                 insertCheck<NumberUse>(node->child1().node());
2616                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2617                 return;
2618             }
2619             if (node->child1()->shouldSpeculateSymbol()) {
2620                 insertCheck<SymbolUse>(node->child1().node());
2621                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2622                 return;
2623             }
2624             if (node->child1()->shouldSpeculateBoolean()) {
2625                 insertCheck<BooleanUse>(node->child1().node());
2626                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2627                 return;
2628             }
2629         }
2630
2631         if (node->child1()->shouldSpeculateFinalObject()) {
2632             fixEdge<FinalObjectUse>(node->child1());
2633             node->clearFlags(NodeMustGenerate);
2634             return;
2635         }
2636         if (node->child1()->shouldSpeculateArray()) {
2637             fixEdge<ArrayUse>(node->child1());
2638             node->clearFlags(NodeMustGenerate);
2639             return;
2640         }
2641         if (node->child1()->shouldSpeculateFunction()) {
2642             fixEdge<FunctionUse>(node->child1());
2643             node->clearFlags(NodeMustGenerate);
2644             return;
2645         }
2646     }
2647
2648     void fixupToThis(Node* node)
2649     {
2650         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2651
2652         if (ecmaMode == StrictMode) {
2653             if (node->child1()->shouldSpeculateBoolean()) {
2654                 fixEdge<BooleanUse>(node->child1());
2655                 node->convertToIdentity();
2656                 return;
2657             }
2658
2659             if (node->child1()->shouldSpeculateInt32()) {
2660                 fixEdge<Int32Use>(node->child1());
2661                 node->convertToIdentity();
2662                 return;
2663             }
2664
2665             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2666                 fixEdge<Int52RepUse>(node->child1());
2667                 node->convertToIdentity();
2668                 node->setResult(NodeResultInt52);
2669                 return;
2670             }
2671
2672             if (node->child1()->shouldSpeculateNumber()) {
2673                 fixEdge<DoubleRepUse>(node->child1());
2674                 node->convertToIdentity();
2675                 node->setResult(NodeResultDouble);
2676                 return;
2677             }
2678
2679             if (node->child1()->shouldSpeculateSymbol()) {
2680                 fixEdge<SymbolUse>(node->child1());
2681                 node->convertToIdentity();
2682                 return;
2683             }
2684
2685             if (node->child1()->shouldSpeculateStringIdent()) {
2686                 fixEdge<StringIdentUse>(node->child1());
2687                 node->convertToIdentity();
2688                 return;
2689             }
2690
2691             if (node->child1()->shouldSpeculateString()) {
2692                 fixEdge<StringUse>(node->child1());
2693                 node->convertToIdentity();
2694                 return;
2695             }
2696             
2697             if (node->child1()->shouldSpeculateBigInt()) {
2698                 fixEdge<BigIntUse>(node->child1());
2699                 node->convertToIdentity();
2700                 return;
2701             }
2702         }
2703
2704         if (node->child1()->shouldSpeculateOther()) {
2705             if (ecmaMode == StrictMode) {
2706                 fixEdge<OtherUse>(node->child1());
2707                 node->convertToIdentity();
2708                 return;
2709             }
2710
2711             m_insertionSet.insertNode(
2712                 m_indexInBlock, SpecNone, Check, node->origin,
2713                 Edge(node->child1().node(), OtherUse));
2714             observeUseKindOnNode<OtherUse>(node->child1().node());
2715             m_graph.convertToConstant(
2716                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2717             return;
2718         }
2719
2720         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2721         // however, since we cover all the missing cases in constant folding.
2722         // https://bugs.webkit.org/show_bug.cgi?id=157213
2723         if (node->child1()->shouldSpeculateStringObject()) {
2724             fixEdge<StringObjectUse>(node->child1());
2725             node->convertToIdentity();
2726             return;
2727         }
2728
2729         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2730             fixEdge<FinalObjectUse>(node->child1());
2731             node->convertToIdentity();
2732             return;
2733         }
2734     }
2735     
2736     void fixupToPrimitive(Node* node)
2737     {
2738         if (node->child1()->shouldSpeculateInt32()) {
2739             fixEdge<Int32Use>(node->child1());
2740             node->convertToIdentity();
2741             return;
2742         }
2743         
2744         if (node->child1()->shouldSpeculateString()) {
2745             fixEdge<StringUse>(node->child1());
2746             node->convertToIdentity();
2747             return;
2748         }
2749         
2750         if (node->child1()->shouldSpeculateStringObject()
2751             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2752             fixEdge<StringObjectUse>(node->child1());
2753             node->convertToToString();
2754             return;
2755         }
2756         
2757         if (node->child1()->shouldSpeculateStringOrStringObject()
2758             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2759             fixEdge<StringOrStringObjectUse>(node->child1());
2760             node->convertToToString();
2761             return;
2762         }
2763     }
2764
2765     void fixupToNumber(Node* node)
2766     {
2767         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2768         if (node->child1()->shouldSpeculateNumber()) {
2769             if (isInt32Speculation(node->getHeapPrediction())) {
2770                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2771                 if (node->child1()->shouldSpeculateInt32()) {
2772                     fixEdge<Int32Use>(node->child1());
2773                     node->convertToIdentity();
2774                     return;
2775                 }
2776
2777                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2778                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2779                 fixEdge<DoubleRepUse>(node->child1());
2780                 node->setOp(DoubleAsInt32);
2781                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2782                     node->setArithMode(Arith::CheckOverflow);
2783                 else
2784                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2785                 return;
2786             }
2787
2788             fixEdge<DoubleRepUse>(node->child1());
2789             node->convertToIdentity();
2790             node->setResult(NodeResultDouble);
2791             return;
2792         }
2793
2794         fixEdge<UntypedUse>(node->child1());
2795         node->setResult(NodeResultJS);
2796     }
2797
2798     void fixupToObject(Node* node)
2799     {
2800         if (node->child1()->shouldSpeculateObject()) {
2801             fixEdge<ObjectUse>(node->child1());
2802             node->convertToIdentity();
2803             return;
2804         }
2805
2806         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2807
2808         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2809
2810         if (node->child1()->shouldSpeculateString()) {
2811             insertCheck<StringUse>(node->child1().node());
2812             fixEdge<KnownStringUse>(node->child1());
2813             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2814             return;
2815         }
2816
2817         if (node->child1()->shouldSpeculateSymbol()) {
2818             insertCheck<SymbolUse>(node->child1().node());
2819             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2820             return;
2821         }
2822
2823         if (node->child1()->shouldSpeculateNumber()) {
2824             insertCheck<NumberUse>(node->child1().node());
2825             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2826             return;
2827         }
2828
2829         if (node->child1()->shouldSpeculateBoolean()) {
2830             insertCheck<BooleanUse>(node->child1().node());
2831             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2832             return;
2833         }
2834
2835         fixEdge<UntypedUse>(node->child1());
2836     }
2837
2838     void fixupCallObjectConstructor(Node* node)
2839     {
2840         if (node->child1()->shouldSpeculateObject()) {
2841             fixEdge<ObjectUse>(node->child1());
2842             node->convertToIdentity();
2843             return;
2844         }
2845
2846         if (node->child1()->shouldSpeculateString()) {
2847             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2848             insertCheck<StringUse>(node->child1().node());
2849             fixEdge<KnownStringUse>(node->child1());
2850             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2851             return;
2852         }
2853
2854         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2855         if (node->child1()->shouldSpeculateOther()) {
2856             insertCheck<OtherUse>(node->child1().node());
2857             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2858             return;
2859         }
2860
2861         fixEdge<UntypedUse>(node->child1());
2862     }
2863     
2864     void fixupToStringOrCallStringConstructor(Node* node)
2865     {
2866         if (node->child1()->shouldSpeculateString()) {
2867             fixEdge<StringUse>(node->child1());
2868             node->convertToIdentity();
2869             return;
2870         }
2871         
2872         if (node->child1()->shouldSpeculateStringObject()
2873             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2874             fixEdge<StringObjectUse>(node->child1());
2875             return;
2876         }
2877         
2878         if (node->child1()->shouldSpeculateStringOrStringObject()
2879             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2880             fixEdge<StringOrStringObjectUse>(node->child1());
2881             return;
2882         }
2883         
2884         if (node->child1()->shouldSpeculateCell()) {
2885             fixEdge<CellUse>(node->child1());
2886             return;
2887         }
2888
2889         if (node->child1()->shouldSpeculateInt32()) {
2890             fixEdge<Int32Use>(node->child1());
2891             node->clearFlags(NodeMustGenerate);
2892             return;
2893         }
2894
2895         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2896             fixEdge<Int52RepUse>(node->child1());
2897             node->clearFlags(NodeMustGenerate);
2898             return;
2899         }
2900
2901         if (node->child1()->shouldSpeculateNumber()) {
2902             fixEdge<DoubleRepUse>(node->child1());
2903             node->clearFlags(NodeMustGenerate);
2904             return;
2905         }
2906
2907         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2908         // we need to care about it in the clobberize. In the following case,
2909         // since NotCellUse edge filter is used and this edge filters Symbols,
2910         // we can say that ToString never throws an error!
2911         if (node->child1()->shouldSpeculateNotCell()) {
2912             fixEdge<NotCellUse>(node->child1());
2913             node->clearFlags(NodeMustGenerate);
2914             return;
2915         }
2916     }
2917
2918     void fixupStringValueOf(Node* node)
2919     {
2920         if (node->child1()->shouldSpeculateString()) {
2921             fixEdge<StringUse>(node->child1());
2922             node->convertToIdentity();
2923             return;
2924         }
2925
2926         if (node->child1()->shouldSpeculateStringObject()) {
2927             fixEdge<StringObjectUse>(node->child1());
2928             node->convertToToString();
2929             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2930             node->clearFlags(NodeMustGenerate);
2931             return;
2932         }
2933
2934         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2935             fixEdge<StringOrStringObjectUse>(node->child1());
2936             node->convertToToString();
2937             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2938             node->clearFlags(NodeMustGenerate);
2939             return;
2940         }
2941     }
2942
2943     void fixupObjectToString(Node* node)
2944     {
2945         if (node->child1()->shouldSpeculateOther()) {
2946             fixEdge<OtherUse>(node->child1());
2947             node->clearFlags(NodeMustGenerate);
2948             return;
2949         }
2950     }
2951
2952     bool attemptToMakeFastStringAdd(Node* node)
2953     {
2954         bool goodToGo = true;
2955         m_graph.doToChildren(
2956             node,
2957             [&] (Edge& edge) {
2958                 if (edge->shouldSpeculateString())
2959                     return;
2960                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2961                     if (edge->shouldSpeculateStringObject())
2962                         return;
2963                     if (edge->shouldSpeculateStringOrStringObject())
2964                         return;
2965                 }
2966                 goodToGo = false;
2967             });
2968         if (!goodToGo)
2969             return false;
2970
2971         m_graph.doToChildren(
2972             node,
2973             [&] (Edge& edge) {
2974                 if (edge->shouldSpeculateString()) {
2975                     convertStringAddUse<StringUse>(node, edge);
2976                     return;
2977                 }
2978                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2979                 if (edge->shouldSpeculateStringObject()) {
2980                     convertStringAddUse<StringObjectUse>(node, edge);
2981                     return;
2982                 }
2983                 if (edge->shouldSpeculateStringOrStringObject()) {
2984                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2985                     return;
2986                 }
2987                 RELEASE_ASSERT_NOT_REACHED();
2988             });
2989         
2990         convertToMakeRope(node);
2991         return true;
2992     }
2993
2994     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2995     {
2996         if (!block)
2997             return;
2998         ASSERT(block->isReachable);
2999         m_block = block;
3000         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
3001             Node* node = m_currentNode = block->at(m_indexInBlock);
3002             if (node->op() != SetLocal && node->op() != GetLocal)
3003                 continue;
3004             
3005             VariableAccessData* variable = node->variableAccessData();
3006             switch (node->op()) {
3007             case GetLocal:
3008                 switch (variable->flushFormat()) {
3009                 case FlushedDouble:
3010                     node->setResult(NodeResultDouble);
3011                     break;
3012                 case FlushedInt52:
3013                     node->setResult(NodeResultInt52);
3014                     break;
3015                 default:
3016                     break;
3017                 }
3018                 break;
3019                 
3020             case SetLocal:
3021                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
3022                 // add new type checking use kind for SetLocals, we need to modify that code as well.
3023                 
3024                 switch (variable->flushFormat()) {
3025                 case FlushedJSValue:
3026                     break;
3027                 case FlushedDouble:
3028                     fixEdge<DoubleRepUse>(node->child1());
3029                     break;
3030                 case FlushedInt32:
3031                     fixEdge<Int32Use>(node->child1());
3032                     break;
3033                 case FlushedInt52:
3034                     fixEdge<Int52RepUse>(node->child1());
3035                     break;
3036                 case FlushedCell:
3037                     fixEdge<CellUse>(node->child1());
3038                     break;
3039                 case FlushedBoolean:
3040                     fixEdge<BooleanUse>(node->child1());
3041                     break;
3042                 default:
3043                     RELEASE_ASSERT_NOT_REACHED();
3044                     break;
3045                 }
3046                 break;
3047                 
3048             default:
3049                 RELEASE_ASSERT_NOT_REACHED();
3050                 break;
3051             }
3052         }
3053         m_insertionSet.execute(block);
3054     }
3055     
3056     void addStringReplacePrimordialChecks(Node* searchRegExp)
3057     {
3058         Node* node = m_currentNode;
3059
3060         // Check that structure of searchRegExp is RegExp object
3061         m_insertionSet.insertNode(
3062             m_indexInBlock, SpecNone, Check, node->origin,
3063             Edge(searchRegExp, RegExpObjectUse));
3064
3065         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
3066             unsigned index = m_graph.identifiers().ensure(propertyUID);
3067
3068             Node* actualProperty = m_insertionSet.insertNode(
3069                 m_indexInBlock, SpecNone, TryGetById, node->origin,
3070                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
3071
3072             m_insertionSet.insertNode(
3073                 m_indexInBlock, SpecNone, CheckCell, node->origin,
3074                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
3075         };
3076
3077         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
3078
3079         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
3080         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
3081         // Check that searchRegExp.global is the primordial RegExp.prototype.global
3082         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
3083         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
3084         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
3085         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
3086         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
3087     }
3088
3089     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
3090     {
3091         ASSERT(arrayMode.isSpecific());
3092         
3093         if (arrayMode.type() == Array::String) {
3094             m_insertionSet.insertNode(
3095                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
3096         } else {
3097             // Note that we only need to be using a structure check if we opt for SaneChain, since
3098             // that needs to protect against JSArray's __proto__ being changed.
3099             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
3100         
3101             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
3102             
3103             if (arrayMode.doesConversion()) {
3104                 if (structure) {
3105                     m_insertionSet.insertNode(
3106                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
3107                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3108                 } else {
3109                     m_insertionSet.insertNode(
3110                         m_indexInBlock, SpecNone, Arrayify, origin,
3111                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3112                 }
3113             } else {
3114                 if (structure) {
3115                     m_insertionSet.insertNode(
3116                         m_indexInBlock, SpecNone, CheckStructure, origin,
3117                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
3118                 } else {
3119                     m_insertionSet.insertNode(
3120                         m_indexInBlock, SpecNone, CheckArray, origin,
3121                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
3122                 }
3123             }
3124         }
3125         
3126         if (!storageCheck(arrayMode))
3127             return nullptr;
3128         
3129         if (arrayMode.usesButterfly()) {
3130             return m_insertionSet.insertNode(
3131                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
3132         }
3133         
3134         return m_insertionSet.insertNode(
3135             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
3136             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
3137     }
3138     
3139     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
3140     {
3141         Node* node = m_currentNode;
3142         
3143         switch (node->arrayMode().type()) {
3144         case Array::ForceExit: {
3145             m_insertionSet.insertNode(
3146                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
3147             return;
3148         }
3149             
3150         case Array::SelectUsingPredictions:
3151         case Array::Unprofiled:
3152             RELEASE_ASSERT_NOT_REACHED();
3153             return;
3154             
3155         case Array::Generic:
3156             return;
3157             
3158         default: {
3159             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
3160             if (!storage)
3161                 return;
3162             
3163             storageChild = Edge(storage);
3164             return;
3165         } }
3166     }
3167     
3168     bool alwaysUnboxSimplePrimitives()
3169     {
3170 #if USE(JSVALUE64)
3171         return false;
3172 #else
3173         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
3174         // reduces traffic.
3175         return true;
3176 #endif
3177     }
3178
3179     template<UseKind useKind>
3180     void observeUseKindOnNode(Node* node)
3181     {
3182         if (useKind == UntypedUse)
3183             return;
3184         observeUseKindOnNode(node, useKind);
3185     }
3186
3187     void observeUseKindOnEdge(Edge edge)
3188     {
3189         observeUseKindOnNode(edge.node(), edge.useKind());
3190     }
3191
3192     void observeUseKindOnNode(Node* node, UseKind useKind)
3193     {
3194         if (node->op() != GetLocal)
3195             return;
3196         
3197         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
3198         // https://bugs.webkit.org/show_bug.cgi?id=121518
3199         
3200         VariableAccessData* variable = node->variableAccessData();
3201         switch (useKind) {
3202         case Int32Use:
3203         case KnownInt32Use:
3204             if (alwaysUnboxSimplePrimitives()
3205                 || isInt32Speculation(variable->prediction()))
3206                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3207             break;
3208         case NumberUse:
3209         case RealNumberUse:
3210         case DoubleRepUse:
3211         case DoubleRepRealUse:
3212             if (variable->doubleFormatState() == UsingDoubleFormat)
3213                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3214             break;
3215         case BooleanUse:
3216         case KnownBooleanUse:
3217             if (alwaysUnboxSimplePrimitives()
3218                 || isBooleanSpeculation(variable->prediction()))
3219                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3220             break;
3221         case Int52RepUse:
3222             if (isAnyIntSpeculation(variable->prediction()))
3223                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3224             break;
3225         case CellUse:
3226         case KnownCellUse:
3227         case ObjectUse:
3228         case FunctionUse:
3229         case StringUse:
3230         case KnownStringUse:
3231         case SymbolUse:
3232         case BigIntUse:
3233         case StringObjectUse:
3234         case StringOrStringObjectUse:
3235             if (alwaysUnboxSimplePrimitives()
3236                 || isCellSpeculation(variable->prediction()))
3237                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3238             break;
3239         default:
3240             break;
3241         }
3242     }
3243     
3244     template<UseKind useKind>
3245     void fixEdge(Edge& edge)
3246     {
3247         observeUseKindOnNode<useKind>(edge.node());
3248         edge.setUseKind(useKind);
3249     }
3250     
3251     unsigned indexForChecks()
3252     {
3253         unsigned index = m_indexInBlock;
3254         while (!m_block->at(index)->origin.exitOK)
3255             index--;
3256         return index;
3257     }
3258     
3259     NodeOrigin originForCheck(unsigned index)
3260     {
3261         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3262     }
3263     
3264     void speculateForBarrier(Edge value)
3265     {
3266         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3267         // the DFG anyway because if such a speculation would be wrong, we want to know before
3268         // we do an expensive compile.
3269         
3270         if (value->shouldSpeculateInt32()) {
3271             insertCheck<Int32Use>(value.node());
3272             return;
3273         }
3274             
3275         if (value->shouldSpeculateBoolean()) {
3276             insertCheck<BooleanUse>(value.node());
3277             return;
3278         }
3279             
3280         if (value->shouldSpeculateOther()) {
3281             insertCheck<OtherUse>(value.node());
3282             return;
3283         }
3284             
3285         if (value->shouldSpeculateNumber()) {
3286             insertCheck<NumberUse>(value.node());
3287             return;
3288         }
3289             
3290         if (value->shouldSpeculateNotCell()) {
3291             insertCheck<NotCellUse>(value.node());
3292             return;
3293         }
3294     }
3295     
3296     template<UseKind useKind>
3297     void insertCheck(Node* node)
3298     {
3299         observeUseKindOnNode<useKind>(node);
3300         unsigned index = indexForChecks();
3301         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3302     }
3303
3304     void fixIntConvertingEdge(Edge& edge)
3305     {
3306         Node* node = edge.node();
3307         if (node->shouldSpeculateInt32OrBoolean()) {
3308             fixIntOrBooleanEdge(edge);
3309             return;
3310         }
3311         
3312         UseKind useKind;
3313         if (node->shouldSpeculateAnyInt())
3314             useKind = Int52RepUse;
3315         else if (node->shouldSpeculateNumber())
3316             useKind = DoubleRepUse;
3317         else
3318             useKind = NotCellUse;
3319         Node* newNode = m_insertionSet.insertNode(
3320             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3321             Edge(node, useKind));
3322         observeUseKindOnNode(node, useKind);
3323         
3324         edge = Edge(newNode, KnownInt32Use);
3325     }
3326     
3327     void fixIntOrBooleanEdge(Edge& edge)
3328     {
3329         Node* node = edge.node();
3330         if (!node->sawBooleans()) {
3331             fixEdge<Int32Use>(edge);
3332             return;
3333         }
3334         
3335         UseKind useKind;
3336         if (node->shouldSpeculateBoolean())
3337             useKind = BooleanUse;
3338         else
3339             useKind = UntypedUse;
3340         Node* newNode = m_insertionSet.insertNode(
3341             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3342             Edge(node, useKind));
3343         observeUseKindOnNode(node, useKind);
3344         
3345         edge = Edge(newNode, Int32Use);
3346     }
3347     
3348     void fixDoubleOrBooleanEdge(Edge& edge)
3349     {
3350         Node* node = edge.node();
3351         if (!node->sawBooleans()) {
3352             fixEdge<DoubleRepUse>(edge);
3353             return;
3354         }
3355         
3356         UseKind useKind;
3357         if (node->shouldSpeculateBoolean())
3358             useKind = BooleanUse;
3359         else
3360             useKind = UntypedUse;
3361         Node* newNode = m_insertionSet.insertNode(
3362             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3363             Edge(node, useKind));
3364         observeUseKindOnNode(node, useKind);
3365         
3366         edge = Edge(newNode, DoubleRepUse);
3367     }
3368     
3369     void truncateConstantToInt32(Edge& edge)
3370     {
3371         Node* oldNode = edge.node();
3372         
3373         JSValue value = oldNode->asJSValue();
3374         if (value.isInt32())
3375             return;
3376         
3377         value = jsNumber(JSC::toInt32(value.asNumber()));
3378         ASSERT(value.isInt32());
3379         edge.setNode(m_insertionSet.insertNode(
3380             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3381             OpInfo(m_graph.freeze(value))));
3382     }
3383     
3384     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3385     {
3386         if (mode != SpeculateInt32AndTruncateConstants)
3387             return;
3388         
3389         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3390         if (node->child1()->hasConstant())
3391             truncateConstantToInt32(node->child1());
3392         else
3393             truncateConstantToInt32(node->child2());
3394     }
3395
3396     bool attemptToMakeIntegerAdd(Node* node)
3397     {
3398         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3399         if (mode != DontSpeculateInt32) {
3400             truncateConstantsIfNecessary(node, mode);
3401             fixIntOrBooleanEdge(node->child1());
3402             fixIntOrBooleanEdge(node->child2());
3403             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3404                 node->setArithMode(Arith::Unchecked);
3405             else
3406                 node->setArithMode(Arith::CheckOverflow);
3407             return true;
3408         }
3409         
3410         if (m_graph.addShouldSpeculateAnyInt(node)) {
3411             fixEdge<Int52RepUse>(node->child1());
3412             fixEdge<Int52RepUse>(node->child2());
3413             node->setArithMode(Arith::CheckOverflow);
3414             node->setResult(NodeResultInt52);
3415             return true;
3416         }
3417         
3418         return false;
3419     }
3420     
3421     bool attemptToMakeGetArrayLength(Node* node)
3422     {
3423         if (!isInt32Speculation(node->prediction()))
3424             return false;
3425         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3426         ArrayProfile* arrayProfile = 
3427             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3428         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3429         if (arrayProfile) {
3430             ConcurrentJSLocker locker(profiledBlock->m_lock);
3431             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3432             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3433             if (arrayMode.type() == Array::Unprofiled) {
3434                 // For normal array operations, it makes sense to treat Unprofiled
3435                 // accesses as ForceExit and get more data rather than using
3436                 // predictions and then possibly ending up with a Generic. But here,
3437                 // we treat anything that is Unprofiled as Generic and keep the
3438                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3439                 // profit - from treating the Unprofiled case as
3440                 // SelectUsingPredictions.
3441                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3442             }
3443         }
3444             
3445         arrayMode = arrayMode.refine(
3446             m_graph, node, node->child1()->prediction(), node->prediction());
3447             
3448         if (arrayMode.type() == Array::Generic) {
3449             // Check if the input is something that we can't get array length for, but for which we
3450             // could insert some conversions in order to transform it into something that we can do it
3451             // for.
3452             if (node->child1()->shouldSpeculateStringObject())
3453                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3454             else if (node->child1()->shouldSpeculateStringOrStringObject())
3455                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3456         }
3457             
3458         if (!arrayMode.supportsSelfLength())
3459             return false;
3460         
3461         convertToGetArrayLength(node, arrayMode);
3462         return true;
3463     }
3464
3465     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3466     {
3467         node->setOp(GetArrayLength);
3468         node->clearFlags(NodeMustGenerate);
3469         fixEdge<KnownCellUse>(node->child1());
3470         node->setArrayMode(arrayMode);
3471             
3472         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3473         if (!storage)
3474             return;
3475             
3476         node->child2() = Edge(storage);
3477     }
3478     
3479     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3480     {
3481         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3482         return m_insertionSet.insertNode(
3483             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3484             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3485     }
3486
3487     void convertToHasIndexedProperty(Node* node)
3488     {
3489         node->setOp(HasIndexedProperty);
3490         node->clearFlags(NodeMustGenerate);
3491         node->setArrayMode(
3492             node->arrayMode().refine(
3493                 m_graph, node,
3494                 node->child1()->prediction(),
3495                 node->child2()->prediction(),
3496                 SpecNone));
3497         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3498
3499         blessArrayOperation(node->child1(), node->child2(), node->child3());
3500
3501         fixEdge<CellUse>(node->child1());
3502         fixEdge<Int32Use>(node->child2());
3503     }
3504
3505     void fixupNormalizeMapKey(Node* node)
3506     {
3507         if (node->child1()->shouldSpeculateBoolean()) {
3508             fixEdge<BooleanUse>(node->child1());
3509             node->convertToIdentity();
3510             return;
3511         }
3512
3513         if (node->child1()->shouldSpeculateInt32()) {
3514             fixEdge<Int32Use>(node->child1());
3515             node->convertToIdentity();
3516             return;
3517         }
3518
3519         if (node->child1()->shouldSpeculateSymbol()) {
3520             fixEdge<SymbolUse>(node->child1());
3521             node->convertToIdentity();
3522             return;
3523         }
3524
3525         if (node->child1()->shouldSpeculateObject()) {
3526             fixEdge<ObjectUse>(node->child1());
3527             node->convertToIdentity();
3528             return;
3529         }
3530
3531         if (node->child1()->shouldSpeculateString()) {
3532             fixEdge<StringUse>(node->child1());
3533             node->convertToIdentity();
3534             return;
3535         }
3536
3537         if (node->child1()->shouldSpeculateCell()) {
3538             fixEdge<CellUse>(node->child1());
3539             node->convertToIdentity();
3540             return;
3541         }
3542
3543         fixEdge<UntypedUse>(node->child1());
3544     }
3545
3546     bool attemptToMakeCallDOM(Node* node)
3547     {
3548         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3549             return false;
3550
3551         const DOMJIT::Signature* signature = node->signature();
3552         if (!signature)
3553