Apply poisoning to TypedArray vector pointers.
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149             
150         case ValueAdd: {
151             if (attemptToMakeIntegerAdd(node)) {
152                 node->setOp(ArithAdd);
153                 break;
154             }
155             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
156                 fixDoubleOrBooleanEdge(node->child1());
157                 fixDoubleOrBooleanEdge(node->child2());
158                 node->setOp(ArithAdd);
159                 node->setResult(NodeResultDouble);
160                 break;
161             }
162             
163             if (attemptToMakeFastStringAdd(node))
164                 break;
165
166             Edge& child1 = node->child1();
167             Edge& child2 = node->child2();
168             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
169                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
170                     auto convertString = [&](Node* node, Edge& edge) {
171                         if (edge->shouldSpeculateInt32())
172                             convertStringAddUse<Int32Use>(node, edge);
173                         else {
174                             ASSERT(edge->shouldSpeculateString());
175                             convertStringAddUse<StringUse>(node, edge);
176                         }
177                     };
178                     convertString(node, child1);
179                     convertString(node, child2);
180                     convertToMakeRope(node);
181                     break;
182                 }
183             }
184
185             fixEdge<UntypedUse>(child1);
186             fixEdge<UntypedUse>(child2);
187             node->setResult(NodeResultJS);
188             break;
189         }
190
191         case StrCat: {
192             if (attemptToMakeFastStringAdd(node))
193                 break;
194
195             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
196             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
197             // the implementation of StrCat doesn't dynamically optimize for empty strings.
198             // https://bugs.webkit.org/show_bug.cgi?id=148540
199             m_graph.doToChildren(
200                 node,
201                 [&] (Edge& edge) {
202                     fixEdge<KnownPrimitiveUse>(edge);
203                     // StrCat automatically coerces the values into strings before concatenating them.
204                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
205                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
206                     // our runtime functions for this slow path expect that they will never be passed
207                     // Symbols.
208                     m_insertionSet.insertNode(
209                         m_indexInBlock, SpecNone, Check, node->origin,
210                         Edge(edge.node(), NotSymbolUse));
211                 });
212             break;
213         }
214             
215         case MakeRope: {
216             fixupMakeRope(node);
217             break;
218         }
219             
220         case ArithAdd:
221         case ArithSub: {
222             if (op == ArithSub
223                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
224                 fixEdge<UntypedUse>(node->child1());
225                 fixEdge<UntypedUse>(node->child2());
226                 node->setResult(NodeResultJS);
227                 break;
228             }
229             if (attemptToMakeIntegerAdd(node))
230                 break;
231             fixDoubleOrBooleanEdge(node->child1());
232             fixDoubleOrBooleanEdge(node->child2());
233             node->setResult(NodeResultDouble);
234             break;
235         }
236             
237         case ArithNegate: {
238             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
239                 fixIntOrBooleanEdge(node->child1());
240                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
241                     node->setArithMode(Arith::Unchecked);
242                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
243                     node->setArithMode(Arith::CheckOverflow);
244                 else
245                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
246                 node->setResult(NodeResultInt32);
247                 node->clearFlags(NodeMustGenerate);
248                 break;
249             }
250             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
251                 fixEdge<Int52RepUse>(node->child1());
252                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
253                     node->setArithMode(Arith::CheckOverflow);
254                 else
255                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
256                 node->setResult(NodeResultInt52);
257                 node->clearFlags(NodeMustGenerate);
258                 break;
259             }
260             if (node->child1()->shouldSpeculateNotCell()) {
261                 fixDoubleOrBooleanEdge(node->child1());
262                 node->setResult(NodeResultDouble);
263                 node->clearFlags(NodeMustGenerate);
264             } else
265                 fixEdge<UntypedUse>(node->child1());
266             break;
267         }
268             
269         case ArithMul: {
270             Edge& leftChild = node->child1();
271             Edge& rightChild = node->child2();
272             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
273                 fixEdge<UntypedUse>(leftChild);
274                 fixEdge<UntypedUse>(rightChild);
275                 node->setResult(NodeResultJS);
276                 break;
277             }
278             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
279                 fixIntOrBooleanEdge(leftChild);
280                 fixIntOrBooleanEdge(rightChild);
281                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
282                     node->setArithMode(Arith::Unchecked);
283                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
284                     || leftChild.node() == rightChild.node())
285                     node->setArithMode(Arith::CheckOverflow);
286                 else
287                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
288                 break;
289             }
290             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
291                 fixEdge<Int52RepUse>(leftChild);
292                 fixEdge<Int52RepUse>(rightChild);
293                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
294                     || leftChild.node() == rightChild.node())
295                     node->setArithMode(Arith::CheckOverflow);
296                 else
297                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
298                 node->setResult(NodeResultInt52);
299                 break;
300             }
301             fixDoubleOrBooleanEdge(leftChild);
302             fixDoubleOrBooleanEdge(rightChild);
303             node->setResult(NodeResultDouble);
304             break;
305         }
306
307         case ArithDiv:
308         case ArithMod: {
309             Edge& leftChild = node->child1();
310             Edge& rightChild = node->child2();
311             if (op == ArithDiv
312                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
313                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
314                 fixEdge<UntypedUse>(leftChild);
315                 fixEdge<UntypedUse>(rightChild);
316                 node->setResult(NodeResultJS);
317                 break;
318             }
319             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
320                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
321                     fixIntOrBooleanEdge(leftChild);
322                     fixIntOrBooleanEdge(rightChild);
323                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
324                         node->setArithMode(Arith::Unchecked);
325                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
326                         node->setArithMode(Arith::CheckOverflow);
327                     else
328                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
329                     break;
330                 }
331                 
332                 // This will cause conversion nodes to be inserted later.
333                 fixDoubleOrBooleanEdge(leftChild);
334                 fixDoubleOrBooleanEdge(rightChild);
335                 
336                 // We don't need to do ref'ing on the children because we're stealing them from
337                 // the original division.
338                 Node* newDivision = m_insertionSet.insertNode(
339                     m_indexInBlock, SpecBytecodeDouble, *node);
340                 newDivision->setResult(NodeResultDouble);
341                 
342                 node->setOp(DoubleAsInt32);
343                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
344                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
345                     node->setArithMode(Arith::CheckOverflow);
346                 else
347                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
348                 break;
349             }
350             fixDoubleOrBooleanEdge(leftChild);
351             fixDoubleOrBooleanEdge(rightChild);
352             node->setResult(NodeResultDouble);
353             break;
354         }
355             
356         case ArithMin:
357         case ArithMax: {
358             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
359                 fixIntOrBooleanEdge(node->child1());
360                 fixIntOrBooleanEdge(node->child2());
361                 break;
362             }
363             fixDoubleOrBooleanEdge(node->child1());
364             fixDoubleOrBooleanEdge(node->child2());
365             node->setResult(NodeResultDouble);
366             break;
367         }
368             
369         case ArithAbs: {
370             if (node->child1()->shouldSpeculateInt32OrBoolean()
371                 && node->canSpeculateInt32(FixupPass)) {
372                 fixIntOrBooleanEdge(node->child1());
373                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
374                     node->setArithMode(Arith::Unchecked);
375                 else
376                     node->setArithMode(Arith::CheckOverflow);
377                 node->clearFlags(NodeMustGenerate);
378                 node->setResult(NodeResultInt32);
379                 break;
380             }
381
382             if (node->child1()->shouldSpeculateNotCell()) {
383                 fixDoubleOrBooleanEdge(node->child1());
384                 node->clearFlags(NodeMustGenerate);
385             } else
386                 fixEdge<UntypedUse>(node->child1());
387             node->setResult(NodeResultDouble);
388             break;
389         }
390
391         case ArithPow: {
392             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
393                 fixDoubleOrBooleanEdge(node->child1());
394                 fixIntOrBooleanEdge(node->child2());
395                 break;
396             }
397
398             fixDoubleOrBooleanEdge(node->child1());
399             fixDoubleOrBooleanEdge(node->child2());
400             break;
401         }
402
403         case ArithRandom: {
404             node->setResult(NodeResultDouble);
405             break;
406         }
407
408         case ArithRound:
409         case ArithFloor:
410         case ArithCeil:
411         case ArithTrunc: {
412             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
413                 fixIntOrBooleanEdge(node->child1());
414                 insertCheck<Int32Use>(node->child1().node());
415                 node->convertToIdentity();
416                 break;
417             }
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420
421                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
422                     node->setResult(NodeResultInt32);
423                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
424                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
425                     else
426                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
427                 } else {
428                     node->setResult(NodeResultDouble);
429                     node->setArithRoundingMode(Arith::RoundingMode::Double);
430                 }
431                 node->clearFlags(NodeMustGenerate);
432             } else
433                 fixEdge<UntypedUse>(node->child1());
434             break;
435         }
436
437         case ArithFRound:
438         case ArithSqrt:
439         case ArithUnary: {
440             Edge& child1 = node->child1();
441             if (child1->shouldSpeculateNotCell()) {
442                 fixDoubleOrBooleanEdge(child1);
443                 node->clearFlags(NodeMustGenerate);
444             } else
445                 fixEdge<UntypedUse>(child1);
446             break;
447         }
448             
449         case LogicalNot: {
450             if (node->child1()->shouldSpeculateBoolean()) {
451                 if (node->child1()->result() == NodeResultBoolean) {
452                     // This is necessary in case we have a bytecode instruction implemented by:
453                     //
454                     // a: CompareEq(...)
455                     // b: LogicalNot(@a)
456                     //
457                     // In that case, CompareEq might have a side-effect. Then, we need to make
458                     // sure that we know that Branch does not exit.
459                     fixEdge<KnownBooleanUse>(node->child1());
460                 } else
461                     fixEdge<BooleanUse>(node->child1());
462             } else if (node->child1()->shouldSpeculateObjectOrOther())
463                 fixEdge<ObjectOrOtherUse>(node->child1());
464             else if (node->child1()->shouldSpeculateInt32OrBoolean())
465                 fixIntOrBooleanEdge(node->child1());
466             else if (node->child1()->shouldSpeculateNumber())
467                 fixEdge<DoubleRepUse>(node->child1());
468             else if (node->child1()->shouldSpeculateString())
469                 fixEdge<StringUse>(node->child1());
470             else if (node->child1()->shouldSpeculateStringOrOther())
471                 fixEdge<StringOrOtherUse>(node->child1());
472             else {
473                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
474                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
475                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
476             }
477             break;
478         }
479
480         case CompareEq:
481         case CompareLess:
482         case CompareLessEq:
483         case CompareGreater:
484         case CompareGreaterEq: {
485             if (node->op() == CompareEq
486                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
487                 fixEdge<BooleanUse>(node->child1());
488                 fixEdge<BooleanUse>(node->child2());
489                 node->clearFlags(NodeMustGenerate);
490                 break;
491             }
492             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
493                 fixIntOrBooleanEdge(node->child1());
494                 fixIntOrBooleanEdge(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (enableInt52()
499                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
500                 fixEdge<Int52RepUse>(node->child1());
501                 fixEdge<Int52RepUse>(node->child2());
502                 node->clearFlags(NodeMustGenerate);
503                 break;
504             }
505             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
506                 fixDoubleOrBooleanEdge(node->child1());
507                 fixDoubleOrBooleanEdge(node->child2());
508             }
509             if (node->op() != CompareEq
510                 && node->child1()->shouldSpeculateNotCell()
511                 && node->child2()->shouldSpeculateNotCell()) {
512                 if (node->child1()->shouldSpeculateNumberOrBoolean())
513                     fixDoubleOrBooleanEdge(node->child1());
514                 else
515                     fixEdge<DoubleRepUse>(node->child1());
516                 if (node->child2()->shouldSpeculateNumberOrBoolean())
517                     fixDoubleOrBooleanEdge(node->child2());
518                 else
519                     fixEdge<DoubleRepUse>(node->child2());
520                 node->clearFlags(NodeMustGenerate);
521                 break;
522             }
523             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
524                 fixEdge<StringIdentUse>(node->child1());
525                 fixEdge<StringIdentUse>(node->child2());
526                 node->clearFlags(NodeMustGenerate);
527                 break;
528             }
529             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
530                 fixEdge<StringUse>(node->child1());
531                 fixEdge<StringUse>(node->child2());
532                 node->clearFlags(NodeMustGenerate);
533                 break;
534             }
535
536             if (node->op() != CompareEq)
537                 break;
538             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
539                 fixEdge<SymbolUse>(node->child1());
540                 fixEdge<SymbolUse>(node->child2());
541                 node->clearFlags(NodeMustGenerate);
542                 break;
543             }
544             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
545                 fixEdge<ObjectUse>(node->child1());
546                 fixEdge<ObjectUse>(node->child2());
547                 node->clearFlags(NodeMustGenerate);
548                 break;
549             }
550
551             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
552             bool oneArgumentIsUsedAsSpecOther = false;
553             if (node->child1()->isUndefinedOrNullConstant()) {
554                 fixEdge<OtherUse>(node->child1());
555                 oneArgumentIsUsedAsSpecOther = true;
556             } else if (node->child1()->shouldSpeculateOther()) {
557                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
558                     Edge(node->child1().node(), OtherUse));
559                 fixEdge<OtherUse>(node->child1());
560                 oneArgumentIsUsedAsSpecOther = true;
561             }
562             if (node->child2()->isUndefinedOrNullConstant()) {
563                 fixEdge<OtherUse>(node->child2());
564                 oneArgumentIsUsedAsSpecOther = true;
565             } else if (node->child2()->shouldSpeculateOther()) {
566                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
567                     Edge(node->child2().node(), OtherUse));
568                 fixEdge<OtherUse>(node->child2());
569                 oneArgumentIsUsedAsSpecOther = true;
570             }
571             if (oneArgumentIsUsedAsSpecOther) {
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575
576             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
577                 fixEdge<ObjectUse>(node->child1());
578                 fixEdge<ObjectOrOtherUse>(node->child2());
579                 node->clearFlags(NodeMustGenerate);
580                 break;
581             }
582             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
583                 fixEdge<ObjectOrOtherUse>(node->child1());
584                 fixEdge<ObjectUse>(node->child2());
585                 node->clearFlags(NodeMustGenerate);
586                 break;
587             }
588
589             break;
590         }
591             
592         case CompareStrictEq: {
593             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
594                 fixEdge<BooleanUse>(node->child1());
595                 fixEdge<BooleanUse>(node->child2());
596                 break;
597             }
598             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
599                 fixEdge<Int32Use>(node->child1());
600                 fixEdge<Int32Use>(node->child2());
601                 break;
602             }
603             if (enableInt52()
604                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
605                 fixEdge<Int52RepUse>(node->child1());
606                 fixEdge<Int52RepUse>(node->child2());
607                 break;
608             }
609             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
610                 fixEdge<DoubleRepUse>(node->child1());
611                 fixEdge<DoubleRepUse>(node->child2());
612                 break;
613             }
614             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
615                 fixEdge<SymbolUse>(node->child1());
616                 fixEdge<SymbolUse>(node->child2());
617                 break;
618             }
619             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
620                 fixEdge<StringIdentUse>(node->child1());
621                 fixEdge<StringIdentUse>(node->child2());
622                 break;
623             }
624             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
625                 fixEdge<StringUse>(node->child1());
626                 fixEdge<StringUse>(node->child2());
627                 break;
628             }
629             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
630             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
631                 
632                 if (node->child1()->shouldSpeculateObject()) {
633                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
634                     fixEdge<ObjectUse>(node->child1());
635                     break;
636                 }
637                 if (node->child2()->shouldSpeculateObject()) {
638                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
639                     fixEdge<ObjectUse>(node->child2());
640                     break;
641                 }
642                 
643             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
644                 fixEdge<ObjectUse>(node->child1());
645                 fixEdge<ObjectUse>(node->child2());
646                 break;
647             }
648             if (node->child1()->shouldSpeculateSymbol()) {
649                 fixEdge<SymbolUse>(node->child1());
650                 break;
651             }
652             if (node->child2()->shouldSpeculateSymbol()) {
653                 fixEdge<SymbolUse>(node->child2());
654                 break;
655             }
656             if (node->child1()->shouldSpeculateMisc()) {
657                 fixEdge<MiscUse>(node->child1());
658                 break;
659             }
660             if (node->child2()->shouldSpeculateMisc()) {
661                 fixEdge<MiscUse>(node->child2());
662                 break;
663             }
664             if (node->child1()->shouldSpeculateStringIdent()
665                 && node->child2()->shouldSpeculateNotStringVar()) {
666                 fixEdge<StringIdentUse>(node->child1());
667                 fixEdge<NotStringVarUse>(node->child2());
668                 break;
669             }
670             if (node->child2()->shouldSpeculateStringIdent()
671                 && node->child1()->shouldSpeculateNotStringVar()) {
672                 fixEdge<StringIdentUse>(node->child2());
673                 fixEdge<NotStringVarUse>(node->child1());
674                 break;
675             }
676             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
677                 fixEdge<StringUse>(node->child1());
678                 break;
679             }
680             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
681                 fixEdge<StringUse>(node->child2());
682                 break;
683             }
684             break;
685         }
686             
687         case StringFromCharCode:
688             if (node->child1()->shouldSpeculateInt32())
689                 fixEdge<Int32Use>(node->child1());
690             else
691                 fixEdge<UntypedUse>(node->child1());
692             break;
693
694         case StringCharAt:
695         case StringCharCodeAt: {
696             // Currently we have no good way of refining these.
697             ASSERT(node->arrayMode() == ArrayMode(Array::String));
698             blessArrayOperation(node->child1(), node->child2(), node->child3());
699             fixEdge<KnownCellUse>(node->child1());
700             fixEdge<Int32Use>(node->child2());
701             break;
702         }
703
704         case GetByVal: {
705             if (!node->prediction()) {
706                 m_insertionSet.insertNode(
707                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
708             }
709             
710             node->setArrayMode(
711                 node->arrayMode().refine(
712                     m_graph, node,
713                     node->child1()->prediction(),
714                     node->child2()->prediction(),
715                     SpecNone));
716             
717             blessArrayOperation(node->child1(), node->child2(), node->child3());
718             
719             ArrayMode arrayMode = node->arrayMode();
720             switch (arrayMode.type()) {
721             case Array::Contiguous:
722             case Array::Double:
723                 if (arrayMode.arrayClass() == Array::OriginalArray
724                     && arrayMode.speculation() == Array::InBounds) {
725                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
726                     if (globalObject->arrayPrototypeChainIsSane()) {
727                         // Check if SaneChain will work on a per-type basis. Note that:
728                         //
729                         // 1) We don't want double arrays to sometimes return undefined, since
730                         // that would require a change to the return type and it would pessimise
731                         // things a lot. So, we'd only want to do that if we actually had
732                         // evidence that we could read from a hole. That's pretty annoying.
733                         // Likely the best way to handle that case is with an equivalent of
734                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
735                         // NaN are indistinguishable according to backwards propagation, and just
736                         // use SaneChain in that case. This happens to catch a lot of cases.
737                         //
738                         // 2) We don't want int32 array loads to have to do a hole check just to
739                         // coerce to Undefined, since that would mean twice the checks.
740                         //
741                         // This has two implications. First, we have to do more checks than we'd
742                         // like. It's unfortunate that we have to do the hole check. Second,
743                         // some accesses that hit a hole will now need to take the full-blown
744                         // out-of-bounds slow path. We can fix that with:
745                         // https://bugs.webkit.org/show_bug.cgi?id=144668
746                         
747                         bool canDoSaneChain = false;
748                         switch (arrayMode.type()) {
749                         case Array::Contiguous:
750                             // This is happens to be entirely natural. We already would have
751                             // returned any JSValue, and now we'll return Undefined. We still do
752                             // the check but it doesn't require taking any kind of slow path.
753                             canDoSaneChain = true;
754                             break;
755                             
756                         case Array::Double:
757                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
758                                 // Holes look like NaN already, so if the user doesn't care
759                                 // about the difference between Undefined and NaN then we can
760                                 // do this.
761                                 canDoSaneChain = true;
762                             }
763                             break;
764                             
765                         default:
766                             break;
767                         }
768                         
769                         if (canDoSaneChain) {
770                             m_graph.registerAndWatchStructureTransition(globalObject->arrayPrototype()->structure());
771                             m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure());
772                             if (globalObject->arrayPrototypeChainIsSane())
773                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
774                         }
775                     }
776                 }
777                 break;
778                 
779             case Array::String:
780                 if ((node->prediction() & ~SpecString)
781                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
782                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
783                 break;
784                 
785             default:
786                 break;
787             }
788             
789             arrayMode = node->arrayMode();
790             switch (arrayMode.type()) {
791             case Array::SelectUsingPredictions:
792             case Array::Unprofiled:
793                 RELEASE_ASSERT_NOT_REACHED();
794                 break;
795             case Array::Generic:
796                 if (node->child1()->shouldSpeculateObject()) {
797                     if (node->child2()->shouldSpeculateString()) {
798                         fixEdge<ObjectUse>(node->child1());
799                         fixEdge<StringUse>(node->child2());
800                         break;
801                     }
802
803                     if (node->child2()->shouldSpeculateSymbol()) {
804                         fixEdge<ObjectUse>(node->child1());
805                         fixEdge<SymbolUse>(node->child2());
806                         break;
807                     }
808                 }
809 #if USE(JSVALUE32_64)
810                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
811 #endif
812                 break;
813             case Array::ForceExit:
814                 break;
815             default:
816                 fixEdge<KnownCellUse>(node->child1());
817                 fixEdge<Int32Use>(node->child2());
818                 break;
819             }
820             
821             switch (arrayMode.type()) {
822             case Array::Double:
823                 if (!arrayMode.isOutOfBounds())
824                     node->setResult(NodeResultDouble);
825                 break;
826                 
827             case Array::Float32Array:
828             case Array::Float64Array:
829                 node->setResult(NodeResultDouble);
830                 break;
831                 
832             case Array::Uint32Array:
833                 if (node->shouldSpeculateInt32())
834                     break;
835                 if (node->shouldSpeculateAnyInt() && enableInt52())
836                     node->setResult(NodeResultInt52);
837                 else
838                     node->setResult(NodeResultDouble);
839                 break;
840                 
841             default:
842                 break;
843             }
844             
845             break;
846         }
847
848         case PutByValDirect:
849         case PutByVal:
850         case PutByValAlias: {
851             Edge& child1 = m_graph.varArgChild(node, 0);
852             Edge& child2 = m_graph.varArgChild(node, 1);
853             Edge& child3 = m_graph.varArgChild(node, 2);
854
855             node->setArrayMode(
856                 node->arrayMode().refine(
857                     m_graph, node,
858                     child1->prediction(),
859                     child2->prediction(),
860                     child3->prediction()));
861             
862             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
863             
864             switch (node->arrayMode().modeForPut().type()) {
865             case Array::SelectUsingPredictions:
866             case Array::SelectUsingArguments:
867             case Array::Unprofiled:
868             case Array::Undecided:
869                 RELEASE_ASSERT_NOT_REACHED();
870                 break;
871             case Array::ForceExit:
872             case Array::Generic:
873                 if (child1->shouldSpeculateCell()) {
874                     if (child2->shouldSpeculateString()) {
875                         fixEdge<CellUse>(child1);
876                         fixEdge<StringUse>(child2);
877                         break;
878                     }
879
880                     if (child2->shouldSpeculateSymbol()) {
881                         fixEdge<CellUse>(child1);
882                         fixEdge<SymbolUse>(child2);
883                         break;
884                     }
885                 }
886 #if USE(JSVALUE32_64)
887                 // Due to register pressure on 32-bit, we speculate cell and
888                 // ignore the base-is-not-cell case entirely by letting the
889                 // baseline JIT handle it.
890                 fixEdge<CellUse>(child1);
891 #endif
892                 break;
893             case Array::Int32:
894                 fixEdge<KnownCellUse>(child1);
895                 fixEdge<Int32Use>(child2);
896                 fixEdge<Int32Use>(child3);
897                 break;
898             case Array::Double:
899                 fixEdge<KnownCellUse>(child1);
900                 fixEdge<Int32Use>(child2);
901                 fixEdge<DoubleRepRealUse>(child3);
902                 break;
903             case Array::Int8Array:
904             case Array::Int16Array:
905             case Array::Int32Array:
906             case Array::Uint8Array:
907             case Array::Uint8ClampedArray:
908             case Array::Uint16Array:
909             case Array::Uint32Array:
910                 fixEdge<KnownCellUse>(child1);
911                 fixEdge<Int32Use>(child2);
912                 if (child3->shouldSpeculateInt32())
913                     fixIntOrBooleanEdge(child3);
914                 else if (child3->shouldSpeculateAnyInt())
915                     fixEdge<Int52RepUse>(child3);
916                 else
917                     fixDoubleOrBooleanEdge(child3);
918                 break;
919             case Array::Float32Array:
920             case Array::Float64Array:
921                 fixEdge<KnownCellUse>(child1);
922                 fixEdge<Int32Use>(child2);
923                 fixDoubleOrBooleanEdge(child3);
924                 break;
925             case Array::Contiguous:
926             case Array::ArrayStorage:
927             case Array::SlowPutArrayStorage:
928                 fixEdge<KnownCellUse>(child1);
929                 fixEdge<Int32Use>(child2);
930                 speculateForBarrier(child3);
931                 break;
932             default:
933                 fixEdge<KnownCellUse>(child1);
934                 fixEdge<Int32Use>(child2);
935                 break;
936             }
937             break;
938         }
939             
940         case AtomicsAdd:
941         case AtomicsAnd:
942         case AtomicsCompareExchange:
943         case AtomicsExchange:
944         case AtomicsLoad:
945         case AtomicsOr:
946         case AtomicsStore:
947         case AtomicsSub:
948         case AtomicsXor: {
949             Edge& base = m_graph.child(node, 0);
950             Edge& index = m_graph.child(node, 1);
951             
952             bool badNews = false;
953             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
954                 Edge& child = m_graph.child(node, 2 + i);
955                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
956                 // just call the function when that happens. But the FTL is totally cool with those
957                 // conversions.
958                 if (!child->shouldSpeculateInt32()
959                     && !child->shouldSpeculateAnyInt()
960                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
961                     badNews = true;
962             }
963             
964             if (badNews) {
965                 node->setArrayMode(ArrayMode(Array::Generic));
966                 break;
967             }
968             
969             node->setArrayMode(
970                 node->arrayMode().refine(
971                     m_graph, node, base->prediction(), index->prediction()));
972             
973             if (node->arrayMode().type() == Array::Generic)
974                 break;
975             
976             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
977                 Edge& child = m_graph.child(node, 2 + i);
978                 if (child->shouldSpeculateInt32())
979                     fixIntOrBooleanEdge(child);
980                 else if (child->shouldSpeculateAnyInt())
981                     fixEdge<Int52RepUse>(child);
982                 else {
983                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
984                     fixDoubleOrBooleanEdge(child);
985                 }
986             }
987             
988             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
989             fixEdge<CellUse>(base);
990             fixEdge<Int32Use>(index);
991             
992             if (node->arrayMode().type() == Array::Uint32Array) {
993                 // NOTE: This means basically always doing Int52.
994                 if (node->shouldSpeculateAnyInt() && enableInt52())
995                     node->setResult(NodeResultInt52);
996                 else
997                     node->setResult(NodeResultDouble);
998             }
999             break;
1000         }
1001             
1002         case AtomicsIsLockFree:
1003             if (node->child1()->shouldSpeculateInt32())
1004                 fixIntOrBooleanEdge(node->child1());
1005             break;
1006             
1007         case ArrayPush: {
1008             // May need to refine the array mode in case the value prediction contravenes
1009             // the array prediction. For example, we may have evidence showing that the
1010             // array is in Int32 mode, but the value we're storing is likely to be a double.
1011             // Then we should turn this into a conversion to Double array followed by the
1012             // push. On the other hand, we absolutely don't want to refine based on the
1013             // base prediction. If it has non-cell garbage in it, then we want that to be
1014             // ignored. That's because ArrayPush can't handle any array modes that aren't
1015             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1016             // that would break things.
1017             Edge& storageEdge = m_graph.varArgChild(node, 0);
1018             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1019             unsigned elementOffset = 2;
1020             unsigned elementCount = node->numChildren() - elementOffset;
1021             for (unsigned i = 0; i < elementCount; ++i) {
1022                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1023                 node->setArrayMode(
1024                     node->arrayMode().refine(
1025                         m_graph, node,
1026                         arrayEdge->prediction() & SpecCell,
1027                         SpecInt32Only,
1028                         element->prediction()));
1029             }
1030             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1031             fixEdge<KnownCellUse>(arrayEdge);
1032
1033             // Convert `array.push()` to GetArrayLength.
1034             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1035                 node->setOpAndDefaultFlags(GetArrayLength);
1036                 node->child1() = arrayEdge;
1037                 node->child2() = storageEdge;
1038                 fixEdge<KnownCellUse>(node->child1());
1039                 break;
1040             }
1041
1042             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1043             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1044             for (unsigned i = 0; i < elementCount; ++i) {
1045                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1046                 switch (node->arrayMode().type()) {
1047                 case Array::Int32:
1048                     insertCheck<Int32Use>(element.node());
1049                     fixEdge<KnownInt32Use>(element);
1050                     break;
1051                 case Array::Double:
1052                     insertCheck<DoubleRepRealUse>(element.node());
1053                     fixEdge<DoubleRepUse>(element);
1054                     break;
1055                 case Array::Contiguous:
1056                 case Array::ArrayStorage:
1057                     speculateForBarrier(element);
1058                     break;
1059                 default:
1060                     break;
1061                 }
1062                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1063             }
1064             break;
1065         }
1066             
1067         case ArrayPop: {
1068             blessArrayOperation(node->child1(), Edge(), node->child2());
1069             fixEdge<KnownCellUse>(node->child1());
1070             break;
1071         }
1072
1073         case ArraySlice: {
1074             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1075             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1076             if (node->numChildren() == 4)
1077                 fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1078             break;
1079         }
1080
1081         case ArrayIndexOf:
1082             fixupArrayIndexOf(node);
1083             break;
1084             
1085         case RegExpExec:
1086         case RegExpTest: {
1087             fixEdge<KnownCellUse>(node->child1());
1088             
1089             if (node->child2()->shouldSpeculateRegExpObject()) {
1090                 fixEdge<RegExpObjectUse>(node->child2());
1091
1092                 if (node->child3()->shouldSpeculateString())
1093                     fixEdge<StringUse>(node->child3());
1094             }
1095             break;
1096         }
1097
1098         case RegExpMatchFast: {
1099             fixEdge<KnownCellUse>(node->child1());
1100             fixEdge<RegExpObjectUse>(node->child2());
1101             fixEdge<StringUse>(node->child3());
1102             break;
1103         }
1104
1105         case StringReplace:
1106         case StringReplaceRegExp: {
1107             if (node->child2()->shouldSpeculateString()) {
1108                 m_insertionSet.insertNode(
1109                     m_indexInBlock, SpecNone, Check, node->origin,
1110                     Edge(node->child2().node(), StringUse));
1111                 fixEdge<StringUse>(node->child2());
1112             } else if (op == StringReplace) {
1113                 if (node->child2()->shouldSpeculateRegExpObject())
1114                     addStringReplacePrimordialChecks(node->child2().node());
1115                 else 
1116                     m_insertionSet.insertNode(
1117                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1118             }
1119
1120             if (node->child1()->shouldSpeculateString()
1121                 && node->child2()->shouldSpeculateRegExpObject()
1122                 && node->child3()->shouldSpeculateString()) {
1123
1124                 fixEdge<StringUse>(node->child1());
1125                 fixEdge<RegExpObjectUse>(node->child2());
1126                 fixEdge<StringUse>(node->child3());
1127                 break;
1128             }
1129             break;
1130         }
1131             
1132         case Branch: {
1133             if (node->child1()->shouldSpeculateBoolean()) {
1134                 if (node->child1()->result() == NodeResultBoolean) {
1135                     // This is necessary in case we have a bytecode instruction implemented by:
1136                     //
1137                     // a: CompareEq(...)
1138                     // b: Branch(@a)
1139                     //
1140                     // In that case, CompareEq might have a side-effect. Then, we need to make
1141                     // sure that we know that Branch does not exit.
1142                     fixEdge<KnownBooleanUse>(node->child1());
1143                 } else
1144                     fixEdge<BooleanUse>(node->child1());
1145             } else if (node->child1()->shouldSpeculateObjectOrOther())
1146                 fixEdge<ObjectOrOtherUse>(node->child1());
1147             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1148                 fixIntOrBooleanEdge(node->child1());
1149             else if (node->child1()->shouldSpeculateNumber())
1150                 fixEdge<DoubleRepUse>(node->child1());
1151             else if (node->child1()->shouldSpeculateString())
1152                 fixEdge<StringUse>(node->child1());
1153             else if (node->child1()->shouldSpeculateStringOrOther())
1154                 fixEdge<StringOrOtherUse>(node->child1());
1155             else {
1156                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1157                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1158                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1159             }
1160             break;
1161         }
1162             
1163         case Switch: {
1164             SwitchData* data = node->switchData();
1165             switch (data->kind) {
1166             case SwitchImm:
1167                 if (node->child1()->shouldSpeculateInt32())
1168                     fixEdge<Int32Use>(node->child1());
1169                 break;
1170             case SwitchChar:
1171                 if (node->child1()->shouldSpeculateString())
1172                     fixEdge<StringUse>(node->child1());
1173                 break;
1174             case SwitchString:
1175                 if (node->child1()->shouldSpeculateStringIdent())
1176                     fixEdge<StringIdentUse>(node->child1());
1177                 else if (node->child1()->shouldSpeculateString())
1178                     fixEdge<StringUse>(node->child1());
1179                 break;
1180             case SwitchCell:
1181                 if (node->child1()->shouldSpeculateCell())
1182                     fixEdge<CellUse>(node->child1());
1183                 // else it's fine for this to have UntypedUse; we will handle this by just making
1184                 // non-cells take the default case.
1185                 break;
1186             }
1187             break;
1188         }
1189             
1190         case ToPrimitive: {
1191             fixupToPrimitive(node);
1192             break;
1193         }
1194
1195         case ToNumber: {
1196             fixupToNumber(node);
1197             break;
1198         }
1199             
1200         case ToString:
1201         case CallStringConstructor: {
1202             fixupToStringOrCallStringConstructor(node);
1203             break;
1204         }
1205             
1206         case NewStringObject: {
1207             fixEdge<KnownStringUse>(node->child1());
1208             break;
1209         }
1210
1211         case NewArrayWithSpread: {
1212             watchHavingABadTime(node);
1213             
1214             BitVector* bitVector = node->bitVector();
1215             for (unsigned i = node->numChildren(); i--;) {
1216                 if (bitVector->get(i))
1217                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1218                 else
1219                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1220             }
1221
1222             break;
1223         }
1224
1225         case Spread: {
1226             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1227             
1228             watchHavingABadTime(node->child1().node());
1229
1230             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1231             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1232             // that it doesn't contain any indexed properties, and that any holes will result in
1233             // jsUndefined().
1234             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
1235             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
1236             if (node->child1()->shouldSpeculateArray()
1237                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1238                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1239                 && globalObject->arrayPrototypeChainIsSane()
1240                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1241                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1242                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1243                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1244                 fixEdge<ArrayUse>(node->child1());
1245             } else
1246                 fixEdge<CellUse>(node->child1());
1247             break;
1248         }
1249             
1250         case NewArray: {
1251             watchHavingABadTime(node);
1252             
1253             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1254                 node->setIndexingType(
1255                     leastUpperBoundOfIndexingTypeAndType(
1256                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1257             }
1258             switch (node->indexingType()) {
1259             case ALL_BLANK_INDEXING_TYPES:
1260                 CRASH();
1261                 break;
1262             case ALL_UNDECIDED_INDEXING_TYPES:
1263                 if (node->numChildren()) {
1264                     // This will only happen if the children have no type predictions. We
1265                     // would have already exited by now, but insert a forced exit just to
1266                     // be safe.
1267                     m_insertionSet.insertNode(
1268                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1269                 }
1270                 break;
1271             case ALL_INT32_INDEXING_TYPES:
1272                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1273                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1274                 break;
1275             case ALL_DOUBLE_INDEXING_TYPES:
1276                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1277                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1278                 break;
1279             case ALL_CONTIGUOUS_INDEXING_TYPES:
1280             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1281                 break;
1282             default:
1283                 CRASH();
1284                 break;
1285             }
1286             break;
1287         }
1288             
1289         case NewTypedArray: {
1290             watchHavingABadTime(node);
1291             
1292             if (node->child1()->shouldSpeculateInt32()) {
1293                 fixEdge<Int32Use>(node->child1());
1294                 node->clearFlags(NodeMustGenerate);
1295                 break;
1296             }
1297             break;
1298         }
1299             
1300         case NewArrayWithSize: {
1301             watchHavingABadTime(node);
1302             fixEdge<Int32Use>(node->child1());
1303             break;
1304         }
1305
1306         case NewArrayBuffer: {
1307             watchHavingABadTime(node);
1308             break;
1309         }
1310
1311         case ToObject: {
1312             fixupToObject(node);
1313             break;
1314         }
1315
1316         case CallObjectConstructor: {
1317             fixupCallObjectConstructor(node);
1318             break;
1319         }
1320
1321         case ToThis: {
1322             fixupToThis(node);
1323             break;
1324         }
1325             
1326         case PutStructure: {
1327             fixEdge<KnownCellUse>(node->child1());
1328             break;
1329         }
1330             
1331         case GetClosureVar:
1332         case GetFromArguments: {
1333             fixEdge<KnownCellUse>(node->child1());
1334             break;
1335         }
1336
1337         case PutClosureVar:
1338         case PutToArguments: {
1339             fixEdge<KnownCellUse>(node->child1());
1340             speculateForBarrier(node->child2());
1341             break;
1342         }
1343
1344         case SkipScope:
1345         case GetScope:
1346         case GetGetter:
1347         case GetSetter:
1348         case GetGlobalObject: {
1349             fixEdge<KnownCellUse>(node->child1());
1350             break;
1351         }
1352             
1353         case AllocatePropertyStorage:
1354         case ReallocatePropertyStorage: {
1355             fixEdge<KnownCellUse>(node->child1());
1356             break;
1357         }
1358             
1359         case NukeStructureAndSetButterfly: {
1360             fixEdge<KnownCellUse>(node->child1());
1361             break;
1362         }
1363
1364         case TryGetById: {
1365             if (node->child1()->shouldSpeculateCell())
1366                 fixEdge<CellUse>(node->child1());
1367             break;
1368         }
1369
1370         case GetById:
1371         case GetByIdFlush: {
1372             // FIXME: This should be done in the ByteCodeParser based on reading the
1373             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1374             // https://bugs.webkit.org/show_bug.cgi?id=154990
1375             auto uid = m_graph.identifiers()[node->identifierNumber()];
1376             if (node->child1()->shouldSpeculateCellOrOther()
1377                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1378                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1379                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1380                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1381                 
1382                 if (uid == vm().propertyNames->length.impl()) {
1383                     attemptToMakeGetArrayLength(node);
1384                     break;
1385                 }
1386
1387                 if (uid == vm().propertyNames->lastIndex.impl()
1388                     && node->child1()->shouldSpeculateRegExpObject()) {
1389                     node->setOp(GetRegExpObjectLastIndex);
1390                     node->clearFlags(NodeMustGenerate);
1391                     fixEdge<RegExpObjectUse>(node->child1());
1392                     break;
1393                 }
1394             }
1395
1396             if (node->child1()->shouldSpeculateNumber()) {
1397                 if (uid == vm().propertyNames->toString.impl()) {
1398                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1399                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1400                         if (node->child1()->shouldSpeculateInt32()) {
1401                             insertCheck<Int32Use>(node->child1().node());
1402                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1403                             break;
1404                         }
1405
1406                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1407                             insertCheck<Int52RepUse>(node->child1().node());
1408                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1409                             break;
1410                         }
1411
1412                         ASSERT(node->child1()->shouldSpeculateNumber());
1413                         insertCheck<DoubleRepUse>(node->child1().node());
1414                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1415                         break;
1416                     }
1417                 }
1418             }
1419
1420             if (node->child1()->shouldSpeculateCell())
1421                 fixEdge<CellUse>(node->child1());
1422             break;
1423         }
1424         
1425         case GetByIdWithThis: {
1426             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1427                 fixEdge<CellUse>(node->child1());
1428                 fixEdge<CellUse>(node->child2());
1429             }
1430             break;
1431         }
1432
1433         case PutById:
1434         case PutByIdFlush:
1435         case PutByIdDirect: {
1436             if (node->child1()->shouldSpeculateCellOrOther()
1437                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1438                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1439                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1440                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1441                 
1442                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1443                 
1444                 if (uid == vm().propertyNames->lastIndex.impl()
1445                     && node->child1()->shouldSpeculateRegExpObject()) {
1446                     node->convertToSetRegExpObjectLastIndex();
1447                     fixEdge<RegExpObjectUse>(node->child1());
1448                     speculateForBarrier(node->child2());
1449                     break;
1450                 }
1451             }
1452             
1453             fixEdge<CellUse>(node->child1());
1454             break;
1455         }
1456
1457         case PutGetterById:
1458         case PutSetterById: {
1459             fixEdge<KnownCellUse>(node->child1());
1460             fixEdge<KnownCellUse>(node->child2());
1461             break;
1462         }
1463
1464         case PutGetterSetterById: {
1465             fixEdge<KnownCellUse>(node->child1());
1466             break;
1467         }
1468
1469         case PutGetterByVal:
1470         case PutSetterByVal: {
1471             fixEdge<KnownCellUse>(node->child1());
1472             fixEdge<KnownCellUse>(node->child3());
1473             break;
1474         }
1475
1476         case GetExecutable: {
1477             fixEdge<FunctionUse>(node->child1());
1478             break;
1479         }
1480
1481         case OverridesHasInstance:
1482         case CheckStructure:
1483         case CheckCell:
1484         case CreateThis:
1485         case GetButterfly: {
1486             fixEdge<CellUse>(node->child1());
1487             break;
1488         }
1489
1490         case CheckStringIdent: {
1491             fixEdge<StringIdentUse>(node->child1());
1492             break;
1493         }
1494             
1495         case Arrayify:
1496         case ArrayifyToStructure: {
1497             fixEdge<CellUse>(node->child1());
1498             if (node->child2())
1499                 fixEdge<Int32Use>(node->child2());
1500             break;
1501         }
1502             
1503         case GetByOffset:
1504         case GetGetterSetterByOffset: {
1505             if (!node->child1()->hasStorageResult())
1506                 fixEdge<KnownCellUse>(node->child1());
1507             fixEdge<KnownCellUse>(node->child2());
1508             break;
1509         }
1510             
1511         case MultiGetByOffset: {
1512             fixEdge<CellUse>(node->child1());
1513             break;
1514         }
1515             
1516         case PutByOffset: {
1517             if (!node->child1()->hasStorageResult())
1518                 fixEdge<KnownCellUse>(node->child1());
1519             fixEdge<KnownCellUse>(node->child2());
1520             unsigned index = indexForChecks();
1521             insertInferredTypeCheck(
1522                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1523                 node->storageAccessData().inferredType);
1524             speculateForBarrier(node->child3());
1525             break;
1526         }
1527             
1528         case MultiPutByOffset: {
1529             fixEdge<CellUse>(node->child1());
1530             break;
1531         }
1532             
1533         case InstanceOf: {
1534             if (!(node->child1()->prediction() & ~SpecCell))
1535                 fixEdge<CellUse>(node->child1());
1536             fixEdge<CellUse>(node->child2());
1537             break;
1538         }
1539
1540         case InstanceOfCustom:
1541             fixEdge<CellUse>(node->child2());
1542             break;
1543
1544         case In: {
1545             if (node->child2()->shouldSpeculateInt32()) {
1546                 convertToHasIndexedProperty(node);
1547                 break;
1548             }
1549
1550             fixEdge<CellUse>(node->child1());
1551             break;
1552         }
1553
1554         case HasOwnProperty: {
1555             fixEdge<ObjectUse>(node->child1());
1556 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1557             // We don't have enough registers to do anything interesting on x86 and mips.
1558             fixEdge<UntypedUse>(node->child2());
1559 #else
1560             if (node->child2()->shouldSpeculateString())
1561                 fixEdge<StringUse>(node->child2());
1562             else if (node->child2()->shouldSpeculateSymbol())
1563                 fixEdge<SymbolUse>(node->child2());
1564             else
1565                 fixEdge<UntypedUse>(node->child2());
1566 #endif
1567             break;
1568         }
1569
1570         case Check: {
1571             m_graph.doToChildren(
1572                 node,
1573                 [&] (Edge& edge) {
1574                     switch (edge.useKind()) {
1575                     case NumberUse:
1576                         if (edge->shouldSpeculateInt32ForArithmetic())
1577                             edge.setUseKind(Int32Use);
1578                         break;
1579                     default:
1580                         break;
1581                     }
1582                     observeUseKindOnEdge(edge);
1583                 });
1584             break;
1585         }
1586
1587         case Phantom:
1588             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1589             node->remove();
1590             break;
1591
1592         case FiatInt52: {
1593             RELEASE_ASSERT(enableInt52());
1594             node->convertToIdentity();
1595             fixEdge<Int52RepUse>(node->child1());
1596             node->setResult(NodeResultInt52);
1597             break;
1598         }
1599
1600         case GetArrayLength: {
1601             fixEdge<KnownCellUse>(node->child1());
1602             break;
1603         }
1604
1605         case GetTypedArrayByteOffset: {
1606             fixEdge<KnownCellUse>(node->child1());
1607             break;
1608         }
1609
1610         case CompareBelow:
1611         case CompareBelowEq: {
1612             fixEdge<Int32Use>(node->child1());
1613             fixEdge<Int32Use>(node->child2());
1614             break;
1615         }
1616
1617         case GetPrototypeOf: {
1618             fixupGetPrototypeOf(node);
1619             break;
1620         }
1621
1622         case Phi:
1623         case Upsilon:
1624         case EntrySwitch:
1625         case GetIndexedPropertyStorage:
1626         case LastNodeType:
1627         case CheckTierUpInLoop:
1628         case CheckTierUpAtReturn:
1629         case CheckTierUpAndOSREnter:
1630         case InvalidationPoint:
1631         case CheckArray:
1632         case CheckInBounds:
1633         case ConstantStoragePointer:
1634         case DoubleAsInt32:
1635         case ValueToInt32:
1636         case DoubleRep:
1637         case ValueRep:
1638         case Int52Rep:
1639         case Int52Constant:
1640         case Identity: // This should have been cleaned up.
1641         case BooleanToNumber:
1642         case PhantomNewObject:
1643         case PhantomNewFunction:
1644         case PhantomNewGeneratorFunction:
1645         case PhantomNewAsyncGeneratorFunction:
1646         case PhantomNewAsyncFunction:
1647         case PhantomCreateActivation:
1648         case PhantomDirectArguments:
1649         case PhantomCreateRest:
1650         case PhantomSpread:
1651         case PhantomNewArrayWithSpread:
1652         case PhantomNewArrayBuffer:
1653         case PhantomClonedArguments:
1654         case PhantomNewRegexp:
1655         case GetMyArgumentByVal:
1656         case GetMyArgumentByValOutOfBounds:
1657         case GetVectorLength:
1658         case PutHint:
1659         case CheckStructureImmediate:
1660         case CheckStructureOrEmpty:
1661         case MaterializeNewObject:
1662         case MaterializeCreateActivation:
1663         case PutStack:
1664         case KillStack:
1665         case GetStack:
1666         case StoreBarrier:
1667         case FencedStoreBarrier:
1668         case GetRegExpObjectLastIndex:
1669         case SetRegExpObjectLastIndex:
1670         case RecordRegExpCachedResult:
1671         case RegExpExecNonGlobalOrSticky:
1672             // These are just nodes that we don't currently expect to see during fixup.
1673             // If we ever wanted to insert them prior to fixup, then we just have to create
1674             // fixup rules for them.
1675             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1676             break;
1677
1678         case PutGlobalVariable: {
1679             fixEdge<CellUse>(node->child1());
1680             speculateForBarrier(node->child2());
1681             break;
1682         }
1683
1684         case IsObject:
1685             if (node->child1()->shouldSpeculateObject()) {
1686                 m_insertionSet.insertNode(
1687                     m_indexInBlock, SpecNone, Check, node->origin,
1688                     Edge(node->child1().node(), ObjectUse));
1689                 m_graph.convertToConstant(node, jsBoolean(true));
1690                 observeUseKindOnNode<ObjectUse>(node);
1691             }
1692             break;
1693
1694         case IsCellWithType: {
1695             fixupIsCellWithType(node);
1696             break;
1697         }
1698
1699         case GetEnumerableLength: {
1700             fixEdge<CellUse>(node->child1());
1701             break;
1702         }
1703         case HasGenericProperty: {
1704             fixEdge<CellUse>(node->child2());
1705             break;
1706         }
1707         case HasStructureProperty: {
1708             fixEdge<StringUse>(node->child2());
1709             fixEdge<KnownCellUse>(node->child3());
1710             break;
1711         }
1712         case HasIndexedProperty: {
1713             node->setArrayMode(
1714                 node->arrayMode().refine(
1715                     m_graph, node,
1716                     node->child1()->prediction(),
1717                     node->child2()->prediction(),
1718                     SpecNone));
1719             
1720             blessArrayOperation(node->child1(), node->child2(), node->child3());
1721             fixEdge<CellUse>(node->child1());
1722             fixEdge<KnownInt32Use>(node->child2());
1723             break;
1724         }
1725         case GetDirectPname: {
1726             Edge& base = m_graph.varArgChild(node, 0);
1727             Edge& property = m_graph.varArgChild(node, 1);
1728             Edge& index = m_graph.varArgChild(node, 2);
1729             Edge& enumerator = m_graph.varArgChild(node, 3);
1730             fixEdge<CellUse>(base);
1731             fixEdge<KnownCellUse>(property);
1732             fixEdge<KnownInt32Use>(index);
1733             fixEdge<KnownCellUse>(enumerator);
1734             break;
1735         }
1736         case GetPropertyEnumerator: {
1737             if (node->child1()->shouldSpeculateCell())
1738                 fixEdge<CellUse>(node->child1());
1739             break;
1740         }
1741         case GetEnumeratorStructurePname: {
1742             fixEdge<KnownCellUse>(node->child1());
1743             fixEdge<KnownInt32Use>(node->child2());
1744             break;
1745         }
1746         case GetEnumeratorGenericPname: {
1747             fixEdge<KnownCellUse>(node->child1());
1748             fixEdge<KnownInt32Use>(node->child2());
1749             break;
1750         }
1751         case ToIndexString: {
1752             fixEdge<KnownInt32Use>(node->child1());
1753             break;
1754         }
1755         case ProfileType: {
1756             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1757             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1758             // type T for the instructionTypeSet, the global type set must also have information for type T.
1759             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1760             // in the globalTypeSet would've also succeeded.
1761             // (The other direction does not hold in general).
1762
1763             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1764             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1765             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1766                 if (node->child1()->shouldSpeculateInt32()) {
1767                     fixEdge<Int32Use>(node->child1());
1768                     node->remove();
1769                     break;
1770                 }
1771
1772                 if (enableInt52()) {
1773                     fixEdge<AnyIntUse>(node->child1());
1774                     node->remove();
1775                     break;
1776                 }
1777
1778                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1779             }
1780
1781             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1782                 fixEdge<NumberUse>(node->child1());
1783                 node->remove();
1784             } else if (typeSet->doesTypeConformTo(TypeString)) {
1785                 fixEdge<StringUse>(node->child1());
1786                 node->remove();
1787             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1788                 fixEdge<BooleanUse>(node->child1());
1789                 node->remove();
1790             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1791                 fixEdge<OtherUse>(node->child1());
1792                 node->remove();
1793             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1794                 StructureSet set;
1795                 {
1796                     ConcurrentJSLocker locker(typeSet->m_lock);
1797                     set = typeSet->structureSet(locker);
1798                 }
1799                 if (!set.isEmpty()) {
1800                     fixEdge<CellUse>(node->child1());
1801                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1802                 }
1803             }
1804
1805             break;
1806         }
1807
1808         case CreateClonedArguments: {
1809             watchHavingABadTime(node);
1810             break;
1811         }
1812
1813         case CreateScopedArguments:
1814         case CreateActivation:
1815         case NewFunction:
1816         case NewGeneratorFunction:
1817         case NewAsyncGeneratorFunction:
1818         case NewAsyncFunction: {
1819             // Child 1 is always the current scope, which is guaranteed to be an object
1820             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1821             fixEdge<KnownCellUse>(node->child1());
1822             break;
1823         }
1824
1825         case PushWithScope: {
1826             // Child 1 is always the current scope, which is guaranteed to be an object
1827             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1828             fixEdge<KnownCellUse>(node->child1());
1829             if (node->child2()->shouldSpeculateObject())
1830                 fixEdge<ObjectUse>(node->child2());
1831             break;
1832         }
1833
1834         case SetFunctionName: {
1835             // The first child is guaranteed to be a cell because op_set_function_name is only used
1836             // on a newly instantiated function object (the first child).
1837             fixEdge<KnownCellUse>(node->child1());
1838             fixEdge<UntypedUse>(node->child2());
1839             break;
1840         }
1841
1842         case CreateRest: {
1843             watchHavingABadTime(node);
1844             fixEdge<KnownInt32Use>(node->child1());
1845             break;
1846         }
1847
1848         case ResolveScopeForHoistingFuncDeclInEval: {
1849             fixEdge<KnownCellUse>(node->child1());
1850             break;
1851         }
1852         case ResolveScope:
1853         case GetDynamicVar:
1854         case PutDynamicVar: {
1855             fixEdge<KnownCellUse>(node->child1());
1856             break;
1857         }
1858
1859         case LogShadowChickenPrologue: {
1860             fixEdge<KnownCellUse>(node->child1());
1861             break;
1862         }
1863         case LogShadowChickenTail: {
1864             fixEdge<UntypedUse>(node->child1());
1865             fixEdge<KnownCellUse>(node->child2());
1866             break;
1867         }
1868
1869         case GetMapBucket:
1870             if (node->child1().useKind() == MapObjectUse)
1871                 fixEdge<MapObjectUse>(node->child1());
1872             else if (node->child1().useKind() == SetObjectUse)
1873                 fixEdge<SetObjectUse>(node->child1());
1874             else
1875                 RELEASE_ASSERT_NOT_REACHED();
1876
1877 #if USE(JSVALUE64)
1878             if (node->child2()->shouldSpeculateBoolean())
1879                 fixEdge<BooleanUse>(node->child2());
1880             else if (node->child2()->shouldSpeculateInt32())
1881                 fixEdge<Int32Use>(node->child2());
1882             else if (node->child2()->shouldSpeculateSymbol())
1883                 fixEdge<SymbolUse>(node->child2());
1884             else if (node->child2()->shouldSpeculateObject())
1885                 fixEdge<ObjectUse>(node->child2());
1886             else if (node->child2()->shouldSpeculateString())
1887                 fixEdge<StringUse>(node->child2());
1888             else if (node->child2()->shouldSpeculateCell())
1889                 fixEdge<CellUse>(node->child2());
1890             else
1891                 fixEdge<UntypedUse>(node->child2());
1892 #else
1893             fixEdge<UntypedUse>(node->child2());
1894 #endif // USE(JSVALUE64)
1895
1896             fixEdge<Int32Use>(node->child3());
1897             break;
1898
1899         case GetMapBucketHead:
1900             if (node->child1().useKind() == MapObjectUse)
1901                 fixEdge<MapObjectUse>(node->child1());
1902             else if (node->child1().useKind() == SetObjectUse)
1903                 fixEdge<SetObjectUse>(node->child1());
1904             else
1905                 RELEASE_ASSERT_NOT_REACHED();
1906             break;
1907
1908         case GetMapBucketNext:
1909         case LoadKeyFromMapBucket:
1910         case LoadValueFromMapBucket:
1911             fixEdge<CellUse>(node->child1());
1912             break;
1913
1914         case MapHash: {
1915 #if USE(JSVALUE64)
1916             if (node->child1()->shouldSpeculateBoolean()) {
1917                 fixEdge<BooleanUse>(node->child1());
1918                 break;
1919             }
1920
1921             if (node->child1()->shouldSpeculateInt32()) {
1922                 fixEdge<Int32Use>(node->child1());
1923                 break;
1924             }
1925
1926             if (node->child1()->shouldSpeculateSymbol()) {
1927                 fixEdge<SymbolUse>(node->child1());
1928                 break;
1929             }
1930
1931             if (node->child1()->shouldSpeculateObject()) {
1932                 fixEdge<ObjectUse>(node->child1());
1933                 break;
1934             }
1935
1936             if (node->child1()->shouldSpeculateString()) {
1937                 fixEdge<StringUse>(node->child1());
1938                 break;
1939             }
1940
1941             if (node->child1()->shouldSpeculateCell()) {
1942                 fixEdge<CellUse>(node->child1());
1943                 break;
1944             }
1945
1946             fixEdge<UntypedUse>(node->child1());
1947 #else
1948             fixEdge<UntypedUse>(node->child1());
1949 #endif // USE(JSVALUE64)
1950             break;
1951         }
1952
1953         case NormalizeMapKey: {
1954             fixupNormalizeMapKey(node);
1955             break;
1956         }
1957
1958         case WeakMapGet: {
1959             if (node->child1().useKind() == WeakMapObjectUse)
1960                 fixEdge<WeakMapObjectUse>(node->child1());
1961             else if (node->child1().useKind() == WeakSetObjectUse)
1962                 fixEdge<WeakSetObjectUse>(node->child1());
1963             else
1964                 RELEASE_ASSERT_NOT_REACHED();
1965             fixEdge<ObjectUse>(node->child2());
1966             fixEdge<Int32Use>(node->child3());
1967             break;
1968         }
1969
1970         case SetAdd: {
1971             fixEdge<SetObjectUse>(node->child1());
1972             fixEdge<Int32Use>(node->child3());
1973             break;
1974         }
1975
1976         case MapSet: {
1977             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1978             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1979             break;
1980         }
1981
1982         case WeakSetAdd: {
1983             fixEdge<WeakSetObjectUse>(node->child1());
1984             fixEdge<ObjectUse>(node->child2());
1985             fixEdge<Int32Use>(node->child3());
1986             break;
1987         }
1988
1989         case WeakMapSet: {
1990             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1991             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
1992             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1993             break;
1994         }
1995
1996         case DefineDataProperty: {
1997             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1998             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1999             if (propertyEdge->shouldSpeculateSymbol())
2000                 fixEdge<SymbolUse>(propertyEdge);
2001             else if (propertyEdge->shouldSpeculateStringIdent())
2002                 fixEdge<StringIdentUse>(propertyEdge);
2003             else if (propertyEdge->shouldSpeculateString())
2004                 fixEdge<StringUse>(propertyEdge);
2005             else
2006                 fixEdge<UntypedUse>(propertyEdge);
2007             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2008             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2009             break;
2010         }
2011
2012         case StringSlice: {
2013             fixEdge<StringUse>(node->child1());
2014             fixEdge<Int32Use>(node->child2());
2015             if (node->child3())
2016                 fixEdge<Int32Use>(node->child3());
2017             break;
2018         }
2019
2020         case ToLowerCase: {
2021             // We currently only support StringUse since that will ensure that
2022             // ToLowerCase is a pure operation. If we decide to update this with
2023             // more types in the future, we need to ensure that the clobberize rules
2024             // are correct.
2025             fixEdge<StringUse>(node->child1());
2026             break;
2027         }
2028
2029         case NumberToStringWithRadix: {
2030             if (node->child1()->shouldSpeculateInt32())
2031                 fixEdge<Int32Use>(node->child1());
2032             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2033                 fixEdge<Int52RepUse>(node->child1());
2034             else
2035                 fixEdge<DoubleRepUse>(node->child1());
2036             fixEdge<Int32Use>(node->child2());
2037             break;
2038         }
2039
2040         case DefineAccessorProperty: {
2041             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2042             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2043             if (propertyEdge->shouldSpeculateSymbol())
2044                 fixEdge<SymbolUse>(propertyEdge);
2045             else if (propertyEdge->shouldSpeculateStringIdent())
2046                 fixEdge<StringIdentUse>(propertyEdge);
2047             else if (propertyEdge->shouldSpeculateString())
2048                 fixEdge<StringUse>(propertyEdge);
2049             else
2050                 fixEdge<UntypedUse>(propertyEdge);
2051             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2052             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2053             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2054             break;
2055         }
2056
2057         case CheckSubClass: {
2058             fixupCheckSubClass(node);
2059             break;
2060         }
2061
2062         case CallDOMGetter: {
2063             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2064             fixEdge<CellUse>(node->child1()); // DOM.
2065             if (snippet && snippet->requireGlobalObject)
2066                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2067             break;
2068         }
2069
2070         case CallDOM: {
2071             fixupCallDOM(node);
2072             break;
2073         }
2074
2075         case Call: {
2076             attemptToMakeCallDOM(node);
2077             break;
2078         }
2079
2080         case ParseInt: {
2081             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2082                 fixEdge<Int32Use>(node->child1());
2083                 node->convertToIdentity();
2084                 break;
2085             }
2086
2087             if (node->child1()->shouldSpeculateString()) {
2088                 fixEdge<StringUse>(node->child1());
2089                 node->clearFlags(NodeMustGenerate);
2090             }
2091
2092             if (node->child2())
2093                 fixEdge<Int32Use>(node->child2());
2094
2095             break;
2096         }
2097
2098         case IdentityWithProfile: {
2099             node->clearFlags(NodeMustGenerate);
2100             break;
2101         }
2102
2103         case ThrowStaticError:
2104             fixEdge<StringUse>(node->child1());
2105             break;
2106
2107 #if !ASSERT_DISABLED
2108         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2109         case SetArgument:
2110         case JSConstant:
2111         case LazyJSConstant:
2112         case DoubleConstant:
2113         case GetLocal:
2114         case GetCallee:
2115         case GetArgumentCountIncludingThis:
2116         case SetArgumentCountIncludingThis:
2117         case GetRestLength:
2118         case GetArgument:
2119         case Flush:
2120         case PhantomLocal:
2121         case GetGlobalVar:
2122         case GetGlobalLexicalVariable:
2123         case NotifyWrite:
2124         case DirectCall:
2125         case CheckTypeInfoFlags:
2126         case TailCallInlinedCaller:
2127         case DirectTailCallInlinedCaller:
2128         case Construct:
2129         case DirectConstruct:
2130         case CallVarargs:
2131         case CallEval:
2132         case TailCallVarargsInlinedCaller:
2133         case ConstructVarargs:
2134         case CallForwardVarargs:
2135         case ConstructForwardVarargs:
2136         case TailCallForwardVarargs:
2137         case TailCallForwardVarargsInlinedCaller:
2138         case LoadVarargs:
2139         case ForwardVarargs:
2140         case ProfileControlFlow:
2141         case NewObject:
2142         case NewRegexp:
2143         case DeleteById:
2144         case DeleteByVal:
2145         case IsTypedArrayView:
2146         case IsEmpty:
2147         case IsUndefined:
2148         case IsBoolean:
2149         case IsNumber:
2150         case IsObjectOrNull:
2151         case IsFunction:
2152         case CreateDirectArguments:
2153         case Jump:
2154         case Return:
2155         case TailCall:
2156         case DirectTailCall:
2157         case TailCallVarargs:
2158         case Throw:
2159         case CountExecution:
2160         case SuperSamplerBegin:
2161         case SuperSamplerEnd:
2162         case ForceOSRExit:
2163         case CheckBadCell:
2164         case CheckNotEmpty:
2165         case AssertNotEmpty:
2166         case CheckTraps:
2167         case Unreachable:
2168         case ExtractOSREntryLocal:
2169         case ExtractCatchLocal:
2170         case LoopHint:
2171         case MovHint:
2172         case InitializeEntrypointArguments:
2173         case ZombieHint:
2174         case ExitOK:
2175         case BottomValue:
2176         case TypeOf:
2177         case PutByIdWithThis:
2178         case PutByValWithThis:
2179         case GetByValWithThis:
2180         case CompareEqPtr:
2181         case NumberToStringWithValidRadixConstant:
2182         case GetGlobalThis:
2183         case ExtractValueFromWeakMapGet:
2184         case CPUIntrinsic:
2185             break;
2186 #else
2187         default:
2188             break;
2189 #endif
2190         }
2191     }
2192
2193     void watchHavingABadTime(Node* node)
2194     {
2195         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2196
2197         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2198         // does an array allocation. The types of array allocations may change if we start to have a bad
2199         // time. It's easier to reason about this if we know that whenever the types change after we start
2200         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2201         // prior to this point nobody should have been doing optimizations based on the indexing type of
2202         // the allocation.
2203         if (!globalObject->isHavingABadTime()) {
2204             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2205             m_graph.freeze(globalObject);
2206         }
2207     }
2208     
2209     template<UseKind useKind>
2210     void createToString(Node* node, Edge& edge)
2211     {
2212         Node* toString = m_insertionSet.insertNode(
2213             m_indexInBlock, SpecString, ToString, node->origin,
2214             Edge(edge.node(), useKind));
2215         switch (useKind) {
2216         case Int32Use:
2217         case Int52RepUse:
2218         case DoubleRepUse:
2219         case NotCellUse:
2220             toString->clearFlags(NodeMustGenerate);
2221             break;
2222         default:
2223             break;
2224         }
2225         edge.setNode(toString);
2226     }
2227     
2228     template<UseKind useKind>
2229     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2230     {
2231         ASSERT(arrayMode == ArrayMode(Array::Generic));
2232         
2233         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2234             return;
2235         
2236         createToString<useKind>(node, node->child1());
2237         arrayMode = ArrayMode(Array::String);
2238     }
2239     
2240     template<UseKind useKind>
2241     bool isStringObjectUse()
2242     {
2243         switch (useKind) {
2244         case StringObjectUse:
2245         case StringOrStringObjectUse:
2246             return true;
2247         default:
2248             return false;
2249         }
2250     }
2251     
2252     template<UseKind useKind>
2253     void convertStringAddUse(Node* node, Edge& edge)
2254     {
2255         if (useKind == StringUse) {
2256             observeUseKindOnNode<StringUse>(edge.node());
2257             m_insertionSet.insertNode(
2258                 m_indexInBlock, SpecNone, Check, node->origin,
2259                 Edge(edge.node(), StringUse));
2260             edge.setUseKind(KnownStringUse);
2261             return;
2262         }
2263         
2264         observeUseKindOnNode<useKind>(edge.node());
2265         createToString<useKind>(node, edge);
2266     }
2267     
2268     void convertToMakeRope(Node* node)
2269     {
2270         node->setOpAndDefaultFlags(MakeRope);
2271         fixupMakeRope(node);
2272     }
2273     
2274     void fixupMakeRope(Node* node)
2275     {
2276         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2277             Edge& edge = node->children.child(i);
2278             if (!edge)
2279                 break;
2280             edge.setUseKind(KnownStringUse);
2281             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2282             if (!string)
2283                 continue;
2284             if (string->length())
2285                 continue;
2286             
2287             // Don't allow the MakeRope to have zero children.
2288             if (!i && !node->child2())
2289                 break;
2290             
2291             node->children.removeEdge(i--);
2292         }
2293         
2294         if (!node->child2()) {
2295             ASSERT(!node->child3());
2296             node->convertToIdentity();
2297         }
2298     }
2299
2300     void fixupIsCellWithType(Node* node)
2301     {
2302         switch (node->speculatedTypeForQuery()) {
2303         case SpecString:
2304             if (node->child1()->shouldSpeculateString()) {
2305                 m_insertionSet.insertNode(
2306                     m_indexInBlock, SpecNone, Check, node->origin,
2307                     Edge(node->child1().node(), StringUse));
2308                 m_graph.convertToConstant(node, jsBoolean(true));
2309                 observeUseKindOnNode<StringUse>(node);
2310                 return;
2311             }
2312             break;
2313
2314         case SpecProxyObject:
2315             if (node->child1()->shouldSpeculateProxyObject()) {
2316                 m_insertionSet.insertNode(
2317                     m_indexInBlock, SpecNone, Check, node->origin,
2318                     Edge(node->child1().node(), ProxyObjectUse));
2319                 m_graph.convertToConstant(node, jsBoolean(true));
2320                 observeUseKindOnNode<ProxyObjectUse>(node);
2321                 return;
2322             }
2323             break;
2324
2325         case SpecRegExpObject:
2326             if (node->child1()->shouldSpeculateRegExpObject()) {
2327                 m_insertionSet.insertNode(
2328                     m_indexInBlock, SpecNone, Check, node->origin,
2329                     Edge(node->child1().node(), RegExpObjectUse));
2330                 m_graph.convertToConstant(node, jsBoolean(true));
2331                 observeUseKindOnNode<RegExpObjectUse>(node);
2332                 return;
2333             }
2334             break;
2335
2336         case SpecArray:
2337             if (node->child1()->shouldSpeculateArray()) {
2338                 m_insertionSet.insertNode(
2339                     m_indexInBlock, SpecNone, Check, node->origin,
2340                     Edge(node->child1().node(), ArrayUse));
2341                 m_graph.convertToConstant(node, jsBoolean(true));
2342                 observeUseKindOnNode<ArrayUse>(node);
2343                 return;
2344             }
2345             break;
2346
2347         case SpecDerivedArray:
2348             if (node->child1()->shouldSpeculateDerivedArray()) {
2349                 m_insertionSet.insertNode(
2350                     m_indexInBlock, SpecNone, Check, node->origin,
2351                     Edge(node->child1().node(), DerivedArrayUse));
2352                 m_graph.convertToConstant(node, jsBoolean(true));
2353                 observeUseKindOnNode<DerivedArrayUse>(node);
2354                 return;
2355             }
2356             break;
2357         }
2358
2359         if (node->child1()->shouldSpeculateCell()) {
2360             fixEdge<CellUse>(node->child1());
2361             return;
2362         }
2363
2364         if (node->child1()->shouldSpeculateNotCell()) {
2365             m_insertionSet.insertNode(
2366                 m_indexInBlock, SpecNone, Check, node->origin,
2367                 Edge(node->child1().node(), NotCellUse));
2368             m_graph.convertToConstant(node, jsBoolean(false));
2369             observeUseKindOnNode<NotCellUse>(node);
2370             return;
2371         }
2372     }
2373
2374     void fixupGetPrototypeOf(Node* node)
2375     {
2376         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2377         if (node->child1().useKind() != ObjectUse) {
2378             if (node->child1()->shouldSpeculateString()) {
2379                 insertCheck<StringUse>(node->child1().node());
2380                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2381                 return;
2382             }
2383             if (node->child1()->shouldSpeculateInt32()) {
2384                 insertCheck<Int32Use>(node->child1().node());
2385                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2386                 return;
2387             }
2388             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2389                 insertCheck<Int52RepUse>(node->child1().node());
2390                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2391                 return;
2392             }
2393             if (node->child1()->shouldSpeculateNumber()) {
2394                 insertCheck<NumberUse>(node->child1().node());
2395                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2396                 return;
2397             }
2398             if (node->child1()->shouldSpeculateSymbol()) {
2399                 insertCheck<SymbolUse>(node->child1().node());
2400                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2401                 return;
2402             }
2403             if (node->child1()->shouldSpeculateBoolean()) {
2404                 insertCheck<BooleanUse>(node->child1().node());
2405                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2406                 return;
2407             }
2408         }
2409
2410         if (node->child1()->shouldSpeculateFinalObject()) {
2411             fixEdge<FinalObjectUse>(node->child1());
2412             node->clearFlags(NodeMustGenerate);
2413             return;
2414         }
2415         if (node->child1()->shouldSpeculateArray()) {
2416             fixEdge<ArrayUse>(node->child1());
2417             node->clearFlags(NodeMustGenerate);
2418             return;
2419         }
2420         if (node->child1()->shouldSpeculateFunction()) {
2421             fixEdge<FunctionUse>(node->child1());
2422             node->clearFlags(NodeMustGenerate);
2423             return;
2424         }
2425     }
2426
2427     void fixupToThis(Node* node)
2428     {
2429         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2430
2431         if (ecmaMode == StrictMode) {
2432             if (node->child1()->shouldSpeculateBoolean()) {
2433                 fixEdge<BooleanUse>(node->child1());
2434                 node->convertToIdentity();
2435                 return;
2436             }
2437
2438             if (node->child1()->shouldSpeculateInt32()) {
2439                 fixEdge<Int32Use>(node->child1());
2440                 node->convertToIdentity();
2441                 return;
2442             }
2443
2444             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2445                 fixEdge<Int52RepUse>(node->child1());
2446                 node->convertToIdentity();
2447                 node->setResult(NodeResultInt52);
2448                 return;
2449             }
2450
2451             if (node->child1()->shouldSpeculateNumber()) {
2452                 fixEdge<DoubleRepUse>(node->child1());
2453                 node->convertToIdentity();
2454                 node->setResult(NodeResultDouble);
2455                 return;
2456             }
2457
2458             if (node->child1()->shouldSpeculateSymbol()) {
2459                 fixEdge<SymbolUse>(node->child1());
2460                 node->convertToIdentity();
2461                 return;
2462             }
2463
2464             if (node->child1()->shouldSpeculateStringIdent()) {
2465                 fixEdge<StringIdentUse>(node->child1());
2466                 node->convertToIdentity();
2467                 return;
2468             }
2469
2470             if (node->child1()->shouldSpeculateString()) {
2471                 fixEdge<StringUse>(node->child1());
2472                 node->convertToIdentity();
2473                 return;
2474             }
2475         }
2476
2477         if (node->child1()->shouldSpeculateOther()) {
2478             if (ecmaMode == StrictMode) {
2479                 fixEdge<OtherUse>(node->child1());
2480                 node->convertToIdentity();
2481                 return;
2482             }
2483
2484             m_insertionSet.insertNode(
2485                 m_indexInBlock, SpecNone, Check, node->origin,
2486                 Edge(node->child1().node(), OtherUse));
2487             observeUseKindOnNode<OtherUse>(node->child1().node());
2488             m_graph.convertToConstant(
2489                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2490             return;
2491         }
2492
2493         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2494         // however, since we cover all the missing cases in constant folding.
2495         // https://bugs.webkit.org/show_bug.cgi?id=157213
2496         if (node->child1()->shouldSpeculateStringObject()) {
2497             fixEdge<StringObjectUse>(node->child1());
2498             node->convertToIdentity();
2499             return;
2500         }
2501
2502         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2503             fixEdge<FinalObjectUse>(node->child1());
2504             node->convertToIdentity();
2505             return;
2506         }
2507     }
2508     
2509     void fixupToPrimitive(Node* node)
2510     {
2511         if (node->child1()->shouldSpeculateInt32()) {
2512             fixEdge<Int32Use>(node->child1());
2513             node->convertToIdentity();
2514             return;
2515         }
2516         
2517         if (node->child1()->shouldSpeculateString()) {
2518             fixEdge<StringUse>(node->child1());
2519             node->convertToIdentity();
2520             return;
2521         }
2522         
2523         if (node->child1()->shouldSpeculateStringObject()
2524             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2525             fixEdge<StringObjectUse>(node->child1());
2526             node->convertToToString();
2527             return;
2528         }
2529         
2530         if (node->child1()->shouldSpeculateStringOrStringObject()
2531             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2532             fixEdge<StringOrStringObjectUse>(node->child1());
2533             node->convertToToString();
2534             return;
2535         }
2536     }
2537
2538     void fixupToNumber(Node* node)
2539     {
2540         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2541         if (node->child1()->shouldSpeculateNumber()) {
2542             if (isInt32Speculation(node->getHeapPrediction())) {
2543                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2544                 if (node->child1()->shouldSpeculateInt32()) {
2545                     fixEdge<Int32Use>(node->child1());
2546                     node->convertToIdentity();
2547                     return;
2548                 }
2549
2550                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2551                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2552                 fixEdge<DoubleRepUse>(node->child1());
2553                 node->setOp(DoubleAsInt32);
2554                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2555                     node->setArithMode(Arith::CheckOverflow);
2556                 else
2557                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2558                 return;
2559             }
2560
2561             fixEdge<DoubleRepUse>(node->child1());
2562             node->convertToIdentity();
2563             node->setResult(NodeResultDouble);
2564             return;
2565         }
2566
2567         fixEdge<UntypedUse>(node->child1());
2568         node->setResult(NodeResultJS);
2569     }
2570
2571     void fixupToObject(Node* node)
2572     {
2573         if (node->child1()->shouldSpeculateObject()) {
2574             fixEdge<ObjectUse>(node->child1());
2575             node->convertToIdentity();
2576             return;
2577         }
2578
2579         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2580
2581         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2582
2583         if (node->child1()->shouldSpeculateString()) {
2584             insertCheck<StringUse>(node->child1().node());
2585             fixEdge<KnownStringUse>(node->child1());
2586             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2587             return;
2588         }
2589
2590         if (node->child1()->shouldSpeculateSymbol()) {
2591             insertCheck<SymbolUse>(node->child1().node());
2592             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2593             return;
2594         }
2595
2596         if (node->child1()->shouldSpeculateNumber()) {
2597             insertCheck<NumberUse>(node->child1().node());
2598             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2599             return;
2600         }
2601
2602         if (node->child1()->shouldSpeculateBoolean()) {
2603             insertCheck<BooleanUse>(node->child1().node());
2604             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2605             return;
2606         }
2607
2608         fixEdge<UntypedUse>(node->child1());
2609     }
2610
2611     void fixupCallObjectConstructor(Node* node)
2612     {
2613         if (node->child1()->shouldSpeculateObject()) {
2614             fixEdge<ObjectUse>(node->child1());
2615             node->convertToIdentity();
2616             return;
2617         }
2618
2619         if (node->child1()->shouldSpeculateString()) {
2620             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2621             insertCheck<StringUse>(node->child1().node());
2622             fixEdge<KnownStringUse>(node->child1());
2623             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2624             return;
2625         }
2626
2627         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2628         if (node->child1()->shouldSpeculateOther()) {
2629             insertCheck<OtherUse>(node->child1().node());
2630             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2631             return;
2632         }
2633
2634         fixEdge<UntypedUse>(node->child1());
2635     }
2636     
2637     void fixupToStringOrCallStringConstructor(Node* node)
2638     {
2639         if (node->child1()->shouldSpeculateString()) {
2640             fixEdge<StringUse>(node->child1());
2641             node->convertToIdentity();
2642             return;
2643         }
2644         
2645         if (node->child1()->shouldSpeculateStringObject()
2646             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2647             fixEdge<StringObjectUse>(node->child1());
2648             return;
2649         }
2650         
2651         if (node->child1()->shouldSpeculateStringOrStringObject()
2652             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2653             fixEdge<StringOrStringObjectUse>(node->child1());
2654             return;
2655         }
2656         
2657         if (node->child1()->shouldSpeculateCell()) {
2658             fixEdge<CellUse>(node->child1());
2659             return;
2660         }
2661
2662         if (node->child1()->shouldSpeculateInt32()) {
2663             fixEdge<Int32Use>(node->child1());
2664             node->clearFlags(NodeMustGenerate);
2665             return;
2666         }
2667
2668         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2669             fixEdge<Int52RepUse>(node->child1());
2670             node->clearFlags(NodeMustGenerate);
2671             return;
2672         }
2673
2674         if (node->child1()->shouldSpeculateNumber()) {
2675             fixEdge<DoubleRepUse>(node->child1());
2676             node->clearFlags(NodeMustGenerate);
2677             return;
2678         }
2679
2680         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2681         // we need to care about it in the clobberize. In the following case,
2682         // since NotCellUse edge filter is used and this edge filters Symbols,
2683         // we can say that ToString never throws an error!
2684         if (node->child1()->shouldSpeculateNotCell()) {
2685             fixEdge<NotCellUse>(node->child1());
2686             node->clearFlags(NodeMustGenerate);
2687             return;
2688         }
2689     }
2690
2691     bool attemptToMakeFastStringAdd(Node* node)
2692     {
2693         bool goodToGo = true;
2694         m_graph.doToChildren(
2695             node,
2696             [&] (Edge& edge) {
2697                 if (edge->shouldSpeculateString())
2698                     return;
2699                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2700                     if (edge->shouldSpeculateStringObject())
2701                         return;
2702                     if (edge->shouldSpeculateStringOrStringObject())
2703                         return;
2704                 }
2705                 goodToGo = false;
2706             });
2707         if (!goodToGo)
2708             return false;
2709
2710         m_graph.doToChildren(
2711             node,
2712             [&] (Edge& edge) {
2713                 if (edge->shouldSpeculateString()) {
2714                     convertStringAddUse<StringUse>(node, edge);
2715                     return;
2716                 }
2717                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2718                 if (edge->shouldSpeculateStringObject()) {
2719                     convertStringAddUse<StringObjectUse>(node, edge);
2720                     return;
2721                 }
2722                 if (edge->shouldSpeculateStringOrStringObject()) {
2723                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2724                     return;
2725                 }
2726                 RELEASE_ASSERT_NOT_REACHED();
2727             });
2728         
2729         convertToMakeRope(node);
2730         return true;
2731     }
2732
2733     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2734     {
2735         if (!block)
2736             return;
2737         ASSERT(block->isReachable);
2738         m_block = block;
2739         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2740             Node* node = m_currentNode = block->at(m_indexInBlock);
2741             if (node->op() != SetLocal && node->op() != GetLocal)
2742                 continue;
2743             
2744             VariableAccessData* variable = node->variableAccessData();
2745             switch (node->op()) {
2746             case GetLocal:
2747                 switch (variable->flushFormat()) {
2748                 case FlushedDouble:
2749                     node->setResult(NodeResultDouble);
2750                     break;
2751                 case FlushedInt52:
2752                     node->setResult(NodeResultInt52);
2753                     break;
2754                 default:
2755                     break;
2756                 }
2757                 break;
2758                 
2759             case SetLocal:
2760                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2761                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2762                 
2763                 switch (variable->flushFormat()) {
2764                 case FlushedJSValue:
2765                     break;
2766                 case FlushedDouble:
2767                     fixEdge<DoubleRepUse>(node->child1());
2768                     break;
2769                 case FlushedInt32:
2770                     fixEdge<Int32Use>(node->child1());
2771                     break;
2772                 case FlushedInt52:
2773                     fixEdge<Int52RepUse>(node->child1());
2774                     break;
2775                 case FlushedCell:
2776                     fixEdge<CellUse>(node->child1());
2777                     break;
2778                 case FlushedBoolean:
2779                     fixEdge<BooleanUse>(node->child1());
2780                     break;
2781                 default:
2782                     RELEASE_ASSERT_NOT_REACHED();
2783                     break;
2784                 }
2785                 break;
2786                 
2787             default:
2788                 RELEASE_ASSERT_NOT_REACHED();
2789                 break;
2790             }
2791         }
2792         m_insertionSet.execute(block);
2793     }
2794     
2795     void addStringReplacePrimordialChecks(Node* searchRegExp)
2796     {
2797         Node* node = m_currentNode;
2798
2799         // Check that structure of searchRegExp is RegExp object
2800         m_insertionSet.insertNode(
2801             m_indexInBlock, SpecNone, Check, node->origin,
2802             Edge(searchRegExp, RegExpObjectUse));
2803
2804         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2805             unsigned index = m_graph.identifiers().ensure(propertyUID);
2806
2807             Node* actualProperty = m_insertionSet.insertNode(
2808                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2809                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2810
2811             m_insertionSet.insertNode(
2812                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2813                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2814         };
2815
2816         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2817
2818         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2819         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2820         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2821         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2822         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2823         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2824         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2825         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2826     }
2827
2828     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2829     {
2830         ASSERT(arrayMode.isSpecific());
2831         
2832         if (arrayMode.type() == Array::String) {
2833             m_insertionSet.insertNode(
2834                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2835         } else {
2836             // Note that we only need to be using a structure check if we opt for SaneChain, since
2837             // that needs to protect against JSArray's __proto__ being changed.
2838             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2839         
2840             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2841             
2842             if (arrayMode.doesConversion()) {
2843                 if (structure) {
2844                     m_insertionSet.insertNode(
2845                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2846                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2847                 } else {
2848                     m_insertionSet.insertNode(
2849                         m_indexInBlock, SpecNone, Arrayify, origin,
2850                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2851                 }
2852             } else {
2853                 if (structure) {
2854                     m_insertionSet.insertNode(
2855                         m_indexInBlock, SpecNone, CheckStructure, origin,
2856                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2857                 } else {
2858                     m_insertionSet.insertNode(
2859                         m_indexInBlock, SpecNone, CheckArray, origin,
2860                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2861                 }
2862             }
2863         }
2864         
2865         if (!storageCheck(arrayMode))
2866             return nullptr;
2867         
2868         if (arrayMode.usesButterfly()) {
2869             return m_insertionSet.insertNode(
2870                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2871         }
2872         
2873         ASSERT(arrayMode.type() == Array::String || arrayMode.typedArrayType() != NotTypedArray);
2874         return m_insertionSet.insertNode(
2875             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2876             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2877     }
2878     
2879     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2880     {
2881         Node* node = m_currentNode;
2882         
2883         switch (node->arrayMode().type()) {
2884         case Array::ForceExit: {
2885             m_insertionSet.insertNode(
2886                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2887             return;
2888         }
2889             
2890         case Array::SelectUsingPredictions:
2891         case Array::Unprofiled:
2892             RELEASE_ASSERT_NOT_REACHED();
2893             return;
2894             
2895         case Array::Generic:
2896             return;
2897             
2898         default: {
2899             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2900             if (!storage)
2901                 return;
2902             
2903             storageChild = Edge(storage);
2904             return;
2905         } }
2906     }
2907     
2908     bool alwaysUnboxSimplePrimitives()
2909     {
2910 #if USE(JSVALUE64)
2911         return false;
2912 #else
2913         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2914         // reduces traffic.
2915         return true;
2916 #endif
2917     }
2918
2919     template<UseKind useKind>
2920     void observeUseKindOnNode(Node* node)
2921     {
2922         if (useKind == UntypedUse)
2923             return;
2924         observeUseKindOnNode(node, useKind);
2925     }
2926
2927     void observeUseKindOnEdge(Edge edge)
2928     {
2929         observeUseKindOnNode(edge.node(), edge.useKind());
2930     }
2931
2932     void observeUseKindOnNode(Node* node, UseKind useKind)
2933     {
2934         if (node->op() != GetLocal)
2935             return;
2936         
2937         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2938         // https://bugs.webkit.org/show_bug.cgi?id=121518
2939         
2940         VariableAccessData* variable = node->variableAccessData();
2941         switch (useKind) {
2942         case Int32Use:
2943         case KnownInt32Use:
2944             if (alwaysUnboxSimplePrimitives()
2945                 || isInt32Speculation(variable->prediction()))
2946                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2947             break;
2948         case NumberUse:
2949         case RealNumberUse:
2950         case DoubleRepUse:
2951         case DoubleRepRealUse:
2952             if (variable->doubleFormatState() == UsingDoubleFormat)
2953                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2954             break;
2955         case BooleanUse:
2956         case KnownBooleanUse:
2957             if (alwaysUnboxSimplePrimitives()
2958                 || isBooleanSpeculation(variable->prediction()))
2959                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2960             break;
2961         case Int52RepUse:
2962             if (isAnyIntSpeculation(variable->prediction()))
2963                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2964             break;
2965         case CellUse:
2966         case KnownCellUse:
2967         case ObjectUse:
2968         case FunctionUse:
2969         case StringUse:
2970         case KnownStringUse:
2971         case SymbolUse:
2972         case StringObjectUse:
2973         case StringOrStringObjectUse:
2974             if (alwaysUnboxSimplePrimitives()
2975                 || isCellSpeculation(variable->prediction()))
2976                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2977             break;
2978         default:
2979             break;
2980         }
2981     }
2982     
2983     template<UseKind useKind>
2984     void fixEdge(Edge& edge)
2985     {
2986         observeUseKindOnNode<useKind>(edge.node());
2987         edge.setUseKind(useKind);
2988     }
2989     
2990     unsigned indexForChecks()
2991     {
2992         unsigned index = m_indexInBlock;
2993         while (!m_block->at(index)->origin.exitOK)
2994             index--;
2995         return index;
2996     }
2997     
2998     NodeOrigin originForCheck(unsigned index)
2999     {
3000         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3001     }
3002     
3003     void speculateForBarrier(Edge value)
3004     {
3005         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3006         // the DFG anyway because if such a speculation would be wrong, we want to know before
3007         // we do an expensive compile.
3008         
3009         if (value->shouldSpeculateInt32()) {
3010             insertCheck<Int32Use>(value.node());
3011             return;
3012         }
3013             
3014         if (value->shouldSpeculateBoolean()) {
3015             insertCheck<BooleanUse>(value.node());
3016             return;
3017         }
3018             
3019         if (value->shouldSpeculateOther()) {
3020             insertCheck<OtherUse>(value.node());
3021             return;
3022         }
3023             
3024         if (value->shouldSpeculateNumber()) {
3025             insertCheck<NumberUse>(value.node());
3026             return;
3027         }
3028             
3029         if (value->shouldSpeculateNotCell()) {
3030             insertCheck<NotCellUse>(value.node());
3031             return;
3032         }
3033     }
3034     
3035     template<UseKind useKind>
3036     void insertCheck(Node* node)
3037     {
3038         observeUseKindOnNode<useKind>(node);
3039         unsigned index = indexForChecks();
3040         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3041     }
3042
3043     void fixIntConvertingEdge(Edge& edge)
3044     {
3045         Node* node = edge.node();
3046         if (node->shouldSpeculateInt32OrBoolean()) {
3047             fixIntOrBooleanEdge(edge);
3048             return;
3049         }
3050         
3051         UseKind useKind;
3052         if (node->shouldSpeculateAnyInt())
3053             useKind = Int52RepUse;
3054         else if (node->shouldSpeculateNumber())
3055             useKind = DoubleRepUse;
3056         else
3057             useKind = NotCellUse;
3058         Node* newNode = m_insertionSet.insertNode(
3059             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3060             Edge(node, useKind));
3061         observeUseKindOnNode(node, useKind);
3062         
3063         edge = Edge(newNode, KnownInt32Use);
3064     }
3065     
3066     void fixIntOrBooleanEdge(Edge& edge)
3067     {
3068         Node* node = edge.node();
3069         if (!node->sawBooleans()) {
3070             fixEdge<Int32Use>(edge);
3071             return;
3072         }
3073         
3074         UseKind useKind;
3075         if (node->shouldSpeculateBoolean())
3076             useKind = BooleanUse;
3077         else
3078             useKind = UntypedUse;
3079         Node* newNode = m_insertionSet.insertNode(
3080             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3081             Edge(node, useKind));
3082         observeUseKindOnNode(node, useKind);
3083         
3084         edge = Edge(newNode, Int32Use);
3085     }
3086     
3087     void fixDoubleOrBooleanEdge(Edge& edge)
3088     {
3089         Node* node = edge.node();
3090         if (!node->sawBooleans()) {
3091             fixEdge<DoubleRepUse>(edge);
3092             return;
3093         }
3094         
3095         UseKind useKind;
3096         if (node->shouldSpeculateBoolean())
3097             useKind = BooleanUse;
3098         else
3099             useKind = UntypedUse;
3100         Node* newNode = m_insertionSet.insertNode(
3101             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3102             Edge(node, useKind));
3103         observeUseKindOnNode(node, useKind);
3104         
3105         edge = Edge(newNode, DoubleRepUse);
3106     }
3107     
3108     void truncateConstantToInt32(Edge& edge)
3109     {
3110         Node* oldNode = edge.node();
3111         
3112         JSValue value = oldNode->asJSValue();
3113         if (value.isInt32())
3114             return;
3115         
3116         value = jsNumber(JSC::toInt32(value.asNumber()));
3117         ASSERT(value.isInt32());
3118         edge.setNode(m_insertionSet.insertNode(
3119             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3120             OpInfo(m_graph.freeze(value))));
3121     }
3122     
3123     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3124     {
3125         if (mode != SpeculateInt32AndTruncateConstants)
3126             return;
3127         
3128         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3129         if (node->child1()->hasConstant())
3130             truncateConstantToInt32(node->child1());
3131         else
3132             truncateConstantToInt32(node->child2());
3133     }
3134
3135     bool attemptToMakeIntegerAdd(Node* node)
3136     {
3137         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3138         if (mode != DontSpeculateInt32) {
3139             truncateConstantsIfNecessary(node, mode);
3140             fixIntOrBooleanEdge(node->child1());
3141             fixIntOrBooleanEdge(node->child2());
3142             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3143                 node->setArithMode(Arith::Unchecked);
3144             else
3145                 node->setArithMode(Arith::CheckOverflow);
3146             return true;
3147         }
3148         
3149         if (m_graph.addShouldSpeculateAnyInt(node)) {
3150             fixEdge<Int52RepUse>(node->child1());
3151             fixEdge<Int52RepUse>(node->child2());
3152             node->setArithMode(Arith::CheckOverflow);
3153             node->setResult(NodeResultInt52);
3154             return true;
3155         }
3156         
3157         return false;
3158     }
3159     
3160     bool attemptToMakeGetArrayLength(Node* node)
3161     {
3162         if (!isInt32Speculation(node->prediction()))
3163             return false;
3164         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3165         ArrayProfile* arrayProfile = 
3166             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3167         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
3168         if (arrayProfile) {
3169             ConcurrentJSLocker locker(profiledBlock->m_lock);
3170             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3171             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3172             if (arrayMode.type() == Array::Unprofiled) {
3173                 // For normal array operations, it makes sense to treat Unprofiled
3174                 // accesses as ForceExit and get more data rather than using
3175                 // predictions and then possibly ending up with a Generic. But here,
3176                 // we treat anything that is Unprofiled as Generic and keep the
3177                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3178                 // profit - from treating the Unprofiled case as
3179                 // SelectUsingPredictions.
3180                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
3181             }
3182         }
3183             
3184         arrayMode = arrayMode.refine(
3185             m_graph, node, node->child1()->prediction(), node->prediction());
3186             
3187         if (arrayMode.type() == Array::Generic) {
3188             // Check if the input is something that we can't get array length for, but for which we
3189             // could insert some conversions in order to transform it into something that we can do it
3190             // for.
3191             if (node->child1()->shouldSpeculateStringObject())
3192                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3193             else if (node->child1()->shouldSpeculateStringOrStringObject())
3194                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3195         }
3196             
3197         if (!arrayMode.supportsSelfLength())
3198             return false;
3199         
3200         convertToGetArrayLength(node, arrayMode);
3201         return true;
3202     }
3203
3204     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3205     {
3206         node->setOp(GetArrayLength);
3207         node->clearFlags(NodeMustGenerate);
3208         fixEdge<KnownCellUse>(node->child1());
3209         node->setArrayMode(arrayMode);
3210             
3211         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3212         if (!storage)
3213             return;
3214             
3215         node->child2() = Edge(storage);
3216     }
3217     
3218     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3219     {
3220         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3221         return m_insertionSet.insertNode(
3222             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3223             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3224     }
3225
3226     void convertToHasIndexedProperty(Node* node)
3227     {
3228         node->setOp(HasIndexedProperty);
3229         node->clearFlags(NodeMustGenerate);
3230         node->setArrayMode(
3231             node->arrayMode().refine(
3232                 m_graph, node,
3233                 node->child1()->prediction(),
3234                 node->child2()->prediction(),
3235                 SpecNone));
3236         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3237
3238         blessArrayOperation(node->child1(), node->child2(), node->child3());
3239
3240         fixEdge<CellUse>(node->child1());
3241         fixEdge<Int32Use>(node->child2());
3242     }
3243
3244     void fixupNormalizeMapKey(Node* node)
3245     {
3246         if (node->child1()->shouldSpeculateBoolean()) {
3247             fixEdge<BooleanUse>(node->child1());
3248             node->convertToIdentity();
3249             return;
3250         }
3251
3252         if (node->child1()->shouldSpeculateInt32()) {
3253             fixEdge<Int32Use>(node->child1());
3254             node->convertToIdentity();
3255             return;
3256         }
3257
3258         if (node->child1()->shouldSpeculateSymbol()) {
3259             fixEdge<SymbolUse>(node->child1());
3260             node->convertToIdentity();
3261             return;
3262         }
3263
3264         if (node->child1()->shouldSpeculateObject()) {
3265             fixEdge<ObjectUse>(node->child1());
3266             node->convertToIdentity();
3267             return;
3268         }
3269
3270         if (node->child1()->shouldSpeculateString()) {
3271             fixEdge<StringUse>(node->child1());
3272             node->convertToIdentity();
3273             return;
3274         }
3275
3276         if (node->child1()->shouldSpeculateCell()) {
3277             fixEdge<CellUse>(node->child1());
3278             node->convertToIdentity();
3279             return;
3280         }
3281
3282         fixEdge<UntypedUse>(node->child1());
3283     }
3284
3285     bool attemptToMakeCallDOM(Node* node)
3286     {
3287         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3288             return false;
3289
3290         const DOMJIT::Signature* signature = node->signature();
3291         if (!signature)
3292             return false;
3293
3294         {
3295             unsigned index = 0;
3296             bool shouldConvertToCallDOM = true;
3297             m_graph.doToChildren(node, [&](Edge& edge) {
3298                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3299                 if (!index)
3300                     return;
3301
3302                 if (index == 1) {
3303                     // DOM node case.
3304                     if (edge->shouldSpeculateNotCell())
3305                         shouldConvertToCallDOM = false;
3306                 } else {
3307                     switch (signature->arguments[index - 2]) {
3308                     case SpecString:
3309                         if (edge->shouldSpeculateNotString())
3310                             shouldConvertToCallDOM = false;
3311                         break;
3312                     case SpecInt32Only:
3313                         if (edge->shouldSpeculateNotInt32())
3314                             shouldConvertToCallDOM = false;
3315                         break;
3316                     case SpecBoolean:
3317                         if (edge->shouldSpeculateNotBoolean())
3318                             shouldConvertToCallDOM = false;
3319                         break;
3320                     default:
3321                         RELEASE_ASSERT_NOT_REACHED();
3322                         break;
3323                     }
3324                 }
3325                 ++index;
3326             });
3327             if (!shouldConvertToCallDOM)
3328                 return false;
3329         }
3330
3331         Node* thisNode = m_graph.varArgChild(node, 1).node();
3332         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3333         node->convertToCallDOM(m_graph);
3334         fixupCheckSubClass(checkSubClass);
3335         fixupCallDOM(node);
3336         return true;
3337     }
3338
3339     void fixupCheckSubClass(Node* node)
3340     {
3341         fixEdge<CellUse>(node->child1());
3342     }
3343
3344     void fixupCallDOM(Node* node)
3345     {
3346         const DOMJIT::Signature* signature = node->signature();
3347         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3348             if (!edge)
3349                 return;
3350             switch (signature->arguments[argumentIndex]) {
3351             case SpecString:
3352                 fixEdge<StringUse>(edge);
3353                 break;
3354             case SpecInt32Only:
3355                 fixEdge<Int32Use>(edge);
3356                 break;
3357             case SpecBoolean:
3358                 fixEdge<BooleanUse>(edge);
3359                 break;
3360             default:
3361                 RELEASE_ASSERT_NOT_REACHED();
3362                 break;
3363             }
3364         };
3365         fixEdge<CellUse>(node->child1()); // DOM.
3366         fixup(node->child2(), 0);
3367         fixup(node->child3(), 1);
3368     }
3369
3370     void fixupArrayIndexOf(Node* node)
3371     {
3372         Edge& array = m_graph.varArgChild(node, 0);
3373         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3374         blessArrayOperation(array, Edge(), storage);
3375         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3376
3377         Edge& searchElement = m_graph.varArgChild(node, 1);
3378
3379         // Constant folding.
3380         switch (node->arrayMode().type()) {
3381         case Array::Double:
3382         case Array::Int32: {
3383             if (searchElement->shouldSpeculateCell()) {
3384                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3385                 m_graph.convertToConstant(node, jsNumber(-1));
3386                 observeUseKindOnNode<CellUse>(searchElement.node());
3387                 return;
3388             }
3389
3390             if (searchElement->shouldSpeculateOther()) {
3391                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3392                 m_graph.convertToConstant(node, jsNumber(-1));
3393                 observeUseKindOnNode<OtherUse>(searchElement.node());
3394                 return;
3395             }
3396
3397             if (searchElement->shouldSpeculateBoolean()) {
3398                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3399                 m_graph.convertToConstant(node, jsNumber(-1));
3400                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3401                 return;
3402             }
3403             break;
3404         }
3405         default:
3406             break;
3407         }
3408
3409         fixEdge<KnownCellUse>(array);
3410         if (node->numChildren() == 4)
3411             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3412
3413         switch (node->arrayMode().type()) {
3414         case Array::Double: {
3415             if (searchElement->shouldSpeculateNumber())
3416                 fixEdge<DoubleRepUse>(searchElement);
3417             return;
3418         }
3419         case Array::Int32: {
3420             if (searchElement->shouldSpeculateInt32())
3421                 fixEdge<Int32Use>(searchElement);
3422             return;
3423         }
3424         case Array::Contiguous: {
3425             if (searchElement->shouldSpeculateString())
3426                 fixEdge<StringUse>(searchElement);
3427             else if (searchElement->shouldSpeculateSymbol())
3428                 fixEdge<SymbolUse>(searchElement);
3429             else if (searchElement->shouldSpeculateOther())
3430                 fixEdge<OtherUse>(searchElement);
3431             else if (searchElement->shouldSpeculateObject())
3432                 fixEdge<ObjectUse>(searchElement);
3433             return;
3434         }
3435         default:
3436             RELEASE_ASSERT_NOT_REACHED();
3437             return;
3438         }
3439     }
3440
3441     void fixupChecksInBlock(BasicBlock* block)
3442     {
3443         if (!block)
3444             return;
3445         ASSERT(block->isReachable);
3446         m_block = block;
3447         unsigned indexForChecks = UINT_MAX;
3448         NodeOrigin originForChecks;
3449         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3450             Node* node = block->at(indexInBlock);
3451
3452             // If this is a node at which we could exit, then save its index. If nodes after this one
3453             // cannot exit, then we will hoist checks to here.
3454             if (node->origin.exitOK) {
3455                 indexForChecks = indexInBlock;
3456                 originForChecks = node->origin;
3457             }
3458
3459             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3460             
3461             // First, try to relax the representational demands of each node, in order to have
3462             // fewer conversions.
3463             switch (node->op()) {
3464             case MovHint:
3465             case Check:
3466                 m_graph.doToChildren(
3467                     node,
3468                     [&] (Edge& edge) {
3469                         switch (edge.useKind()) {
3470                         case DoubleRepUse:
3471                         case DoubleRepRealUse:
3472                             if (edge->hasDoubleResult())
3473                                 break;
3474             
3475                             if (edge->hasInt52Result())
3476                                 edge.setUseKind(Int52RepUse);
3477                             else if (edge.useKind() == DoubleRepUse)
3478                                 edge.setUseKind(NumberUse);
3479                             break;
3480             
3481                         case Int52RepUse:
3482                             // Nothing we can really do.
3483                             break;
3484             
3485                         case UntypedUse:
3486                         case NumberUse:
3487                             if (edge->hasDoubleResult())
3488                                 edge.setUseKind(DoubleRepUse);
3489                             else if (edge->hasInt52Result())
3490                                 edge.setUseKind(Int52RepUse);
3491                             break;
3492             
3493                         case RealNumberUse:
3494                             if (edge->hasDoubleResult())
3495                                 edge.setUseKind(DoubleRepRealUse);
3496                             else if (edge->hasInt52Result())
3497                                 edge.setUseKind(Int52RepUse);
3498                             break;
3499             
3500                         default:
3501                             break;
3502                         }
3503                     });
3504                 break;
3505                 
3506             case ValueToInt32:
3507                 if (node->child1().useKind() == DoubleRepUse
3508                     && !node->child1()->hasDoubleResult()) {
3509                     node->child1().setUseKind(NumberUse);
3510                     break;
3511                 }
3512                 break;
3513                 
3514             default:
3515                 break;
3516             }
3517
3518             // Now, insert type conversions if necessary.
3519             m_graph.doToChildren(
3520                 node,