[JSC] Optimize Object.keys by caching own keys results in StructureRareData
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupArithMul(Node* node, Edge& leftChild, Edge& rightChild)
80     {
81         if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
82             fixIntOrBooleanEdge(leftChild);
83             fixIntOrBooleanEdge(rightChild);
84             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
85                 node->setArithMode(Arith::Unchecked);
86             else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
87                 node->setArithMode(Arith::CheckOverflow);
88             else
89                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
90             return;
91         }
92         if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
93             fixEdge<Int52RepUse>(leftChild);
94             fixEdge<Int52RepUse>(rightChild);
95             if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) || leftChild.node() == rightChild.node())
96                 node->setArithMode(Arith::CheckOverflow);
97             else
98                 node->setArithMode(Arith::CheckOverflowAndNegativeZero);
99             node->setResult(NodeResultInt52);
100             return;
101         }
102
103         fixDoubleOrBooleanEdge(leftChild);
104         fixDoubleOrBooleanEdge(rightChild);
105         node->setResult(NodeResultDouble);
106     }
107
108     void fixupBlock(BasicBlock* block)
109     {
110         if (!block)
111             return;
112         ASSERT(block->isReachable);
113         m_block = block;
114         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
115             m_currentNode = block->at(m_indexInBlock);
116             fixupNode(m_currentNode);
117         }
118         m_insertionSet.execute(block);
119     }
120     
121     void fixupNode(Node* node)
122     {
123         NodeType op = node->op();
124
125         switch (op) {
126         case SetLocal: {
127             // This gets handled by fixupGetAndSetLocalsInBlock().
128             return;
129         }
130
131         case ValueSub: {
132             Edge& child1 = node->child1();
133             Edge& child2 = node->child2();
134
135             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
136                 fixEdge<BigIntUse>(child1);
137                 fixEdge<BigIntUse>(child2);
138                 break; 
139             }
140             
141             if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
142                 fixEdge<UntypedUse>(child1);
143                 fixEdge<UntypedUse>(child2);
144                 break;
145             }
146
147             if (attemptToMakeIntegerAdd(node)) {
148                 // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
149                 // https://bugs.webkit.org/show_bug.cgi?id=190607
150                 node->setOp(ArithSub);
151                 break;
152             }
153
154             fixDoubleOrBooleanEdge(node->child1());
155             fixDoubleOrBooleanEdge(node->child2());
156             node->setOp(ArithSub);
157             node->setResult(NodeResultDouble);
158
159             break;
160         }
161
162         case ValueBitXor:
163         case ValueBitOr:
164         case ValueBitAnd: {
165             if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
166                 fixEdge<BigIntUse>(node->child1());
167                 fixEdge<BigIntUse>(node->child2());
168                 break;
169             }
170
171             fixEdge<UntypedUse>(node->child1());
172             fixEdge<UntypedUse>(node->child2());
173             break;
174         }
175
176         case ArithBitNot: {
177             if (node->child1().node()->shouldSpeculateUntypedForBitOps()) {
178                 fixEdge<UntypedUse>(node->child1());
179                 break;
180             }
181
182             fixIntConvertingEdge(node->child1());
183             node->clearFlags(NodeMustGenerate);
184             break;
185         }
186
187         case ArithBitXor:
188         case ArithBitOr:
189         case ArithBitAnd: {
190             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
191                 fixEdge<UntypedUse>(node->child1());
192                 fixEdge<UntypedUse>(node->child2());
193                 switch (op) {
194                 case ArithBitXor:
195                     node->setOpAndDefaultFlags(ValueBitXor);
196                     break;
197                 case ArithBitOr:
198                     node->setOpAndDefaultFlags(ValueBitOr);
199                     break;
200                 case ArithBitAnd:
201                     node->setOpAndDefaultFlags(ValueBitAnd);
202                     break;
203                 default:
204                     DFG_CRASH(m_graph, node, "Unexpected node during ArithBit operation fixup");
205                     break;
206                 }
207                 break;
208             }
209
210             fixIntConvertingEdge(node->child1());
211             fixIntConvertingEdge(node->child2());
212             break;
213         }
214
215         case BitRShift:
216         case BitLShift:
217         case BitURShift: {
218             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
219                 fixEdge<UntypedUse>(node->child1());
220                 fixEdge<UntypedUse>(node->child2());
221                 break;
222             }
223             fixIntConvertingEdge(node->child1());
224             fixIntConvertingEdge(node->child2());
225             break;
226         }
227
228         case ArithIMul: {
229             fixIntConvertingEdge(node->child1());
230             fixIntConvertingEdge(node->child2());
231             node->setOp(ArithMul);
232             node->setArithMode(Arith::Unchecked);
233             node->child1().setUseKind(Int32Use);
234             node->child2().setUseKind(Int32Use);
235             break;
236         }
237
238         case ArithClz32: {
239             if (node->child1()->shouldSpeculateNotCell()) {
240                 fixIntConvertingEdge(node->child1());
241                 node->clearFlags(NodeMustGenerate);
242             } else
243                 fixEdge<UntypedUse>(node->child1());
244             break;
245         }
246             
247         case UInt32ToNumber: {
248             fixIntConvertingEdge(node->child1());
249             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
250                 node->convertToIdentity();
251             else if (node->canSpeculateInt32(FixupPass))
252                 node->setArithMode(Arith::CheckOverflow);
253             else {
254                 node->setArithMode(Arith::DoOverflow);
255                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
256             }
257             break;
258         }
259
260         case ValueNegate: {
261             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
262                 node->setOp(ArithNegate);
263                 fixIntOrBooleanEdge(node->child1());
264                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
265                     node->setArithMode(Arith::Unchecked);
266                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
267                     node->setArithMode(Arith::CheckOverflow);
268                 else
269                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
270                 node->setResult(NodeResultInt32);
271                 node->clearFlags(NodeMustGenerate);
272                 break;
273             }
274             
275             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
276                 node->setOp(ArithNegate);
277                 fixEdge<Int52RepUse>(node->child1());
278                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
279                     node->setArithMode(Arith::CheckOverflow);
280                 else
281                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
282                 node->setResult(NodeResultInt52);
283                 node->clearFlags(NodeMustGenerate);
284                 break;
285             }
286             if (node->child1()->shouldSpeculateNotCell()) {
287                 node->setOp(ArithNegate);
288                 fixDoubleOrBooleanEdge(node->child1());
289                 node->setResult(NodeResultDouble);
290                 node->clearFlags(NodeMustGenerate);
291             } else {
292                 fixEdge<UntypedUse>(node->child1());
293                 node->setResult(NodeResultJS);
294             }
295             break;
296         }
297
298         case ValueAdd: {
299             if (attemptToMakeIntegerAdd(node)) {
300                 node->setOp(ArithAdd);
301                 break;
302             }
303             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
304                 fixDoubleOrBooleanEdge(node->child1());
305                 fixDoubleOrBooleanEdge(node->child2());
306                 node->setOp(ArithAdd);
307                 node->setResult(NodeResultDouble);
308                 break;
309             }
310             
311             if (attemptToMakeFastStringAdd(node))
312                 break;
313
314             Edge& child1 = node->child1();
315             Edge& child2 = node->child2();
316             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
317                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
318                     auto convertString = [&](Node* node, Edge& edge) {
319                         if (edge->shouldSpeculateInt32())
320                             convertStringAddUse<Int32Use>(node, edge);
321                         else {
322                             ASSERT(edge->shouldSpeculateString());
323                             convertStringAddUse<StringUse>(node, edge);
324                         }
325                     };
326                     convertString(node, child1);
327                     convertString(node, child2);
328                     convertToMakeRope(node);
329                     break;
330                 }
331             }
332
333             if (Node::shouldSpeculateBigInt(child1.node(), child2.node())) {
334                 fixEdge<BigIntUse>(child1);
335                 fixEdge<BigIntUse>(child2);
336             } else {
337                 fixEdge<UntypedUse>(child1);
338                 fixEdge<UntypedUse>(child2);
339             }
340
341             node->setResult(NodeResultJS);
342             break;
343         }
344
345         case StrCat: {
346             if (attemptToMakeFastStringAdd(node))
347                 break;
348
349             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
350             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
351             // the implementation of StrCat doesn't dynamically optimize for empty strings.
352             // https://bugs.webkit.org/show_bug.cgi?id=148540
353             m_graph.doToChildren(
354                 node,
355                 [&] (Edge& edge) {
356                     fixEdge<KnownPrimitiveUse>(edge);
357                     // StrCat automatically coerces the values into strings before concatenating them.
358                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
359                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
360                     // our runtime functions for this slow path expect that they will never be passed
361                     // Symbols.
362                     m_insertionSet.insertNode(
363                         m_indexInBlock, SpecNone, Check, node->origin,
364                         Edge(edge.node(), NotSymbolUse));
365                 });
366             break;
367         }
368             
369         case MakeRope: {
370             fixupMakeRope(node);
371             break;
372         }
373             
374         case ArithAdd:
375         case ArithSub: {
376             // FIXME: Clear ArithSub's NodeMustGenerate when ArithMode is unchecked
377             // https://bugs.webkit.org/show_bug.cgi?id=190607
378             if (attemptToMakeIntegerAdd(node))
379                 break;
380             fixDoubleOrBooleanEdge(node->child1());
381             fixDoubleOrBooleanEdge(node->child2());
382             node->setResult(NodeResultDouble);
383             break;
384         }
385             
386         case ArithNegate: {
387             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
388                 fixIntOrBooleanEdge(node->child1());
389                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
390                     node->setArithMode(Arith::Unchecked);
391                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
392                     node->setArithMode(Arith::CheckOverflow);
393                 else
394                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
395                 node->setResult(NodeResultInt32);
396                 node->clearFlags(NodeMustGenerate);
397                 break;
398             }
399             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
400                 fixEdge<Int52RepUse>(node->child1());
401                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
402                     node->setArithMode(Arith::CheckOverflow);
403                 else
404                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
405                 node->setResult(NodeResultInt52);
406                 node->clearFlags(NodeMustGenerate);
407                 break;
408             }
409
410             fixDoubleOrBooleanEdge(node->child1());
411             node->setResult(NodeResultDouble);
412             node->clearFlags(NodeMustGenerate);
413             break;
414         }
415
416         case ValueMul: {
417             Edge& leftChild = node->child1();
418             Edge& rightChild = node->child2();
419
420             if (Node::shouldSpeculateBigInt(leftChild.node(), rightChild.node())) {
421                 fixEdge<BigIntUse>(node->child1());
422                 fixEdge<BigIntUse>(node->child2());
423                 break;
424             }
425
426             // There are cases where we can have BigInt + Int32 operands reaching ValueMul.
427             // Imagine the scenario where ValueMul was never executed, but we can predict types
428             // reaching the node:
429             //
430             // 63: GetLocal(Check:Untyped:@72, JS|MustGen, NonBoolInt32, ...)  predicting NonBoolInt32
431             // 64: GetLocal(Check:Untyped:@71, JS|MustGen, BigInt, ...)  predicting BigInt
432             // 65: ValueMul(Check:Untyped:@63, Check:Untyped:@64, BigInt|BoolInt32|NonBoolInt32, ...)
433             // 
434             // In such scenario, we need to emit ValueMul(Untyped, Untyped), so the runtime can throw 
435             // an exception whenever it gets excuted.
436             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
437                 fixEdge<UntypedUse>(leftChild);
438                 fixEdge<UntypedUse>(rightChild);
439                 break;
440             }
441
442             // At this point, all other possible specializations are only handled by ArithMul.
443             node->setOp(ArithMul);
444             node->setResult(NodeResultNumber);
445             fixupArithMul(node, leftChild, rightChild);
446             break;
447         }
448
449         case ArithMul: {
450             Edge& leftChild = node->child1();
451             Edge& rightChild = node->child2();
452
453             fixupArithMul(node, leftChild, rightChild);
454             break;
455         }
456
457         case ArithDiv:
458         case ArithMod: {
459             Edge& leftChild = node->child1();
460             Edge& rightChild = node->child2();
461             if (op == ArithDiv
462                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
463                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
464                 fixEdge<UntypedUse>(leftChild);
465                 fixEdge<UntypedUse>(rightChild);
466                 node->setResult(NodeResultJS);
467                 break;
468             }
469             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
470                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
471                     fixIntOrBooleanEdge(leftChild);
472                     fixIntOrBooleanEdge(rightChild);
473                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
474                         node->setArithMode(Arith::Unchecked);
475                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
476                         node->setArithMode(Arith::CheckOverflow);
477                     else
478                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
479                     break;
480                 }
481                 
482                 // This will cause conversion nodes to be inserted later.
483                 fixDoubleOrBooleanEdge(leftChild);
484                 fixDoubleOrBooleanEdge(rightChild);
485                 
486                 // We don't need to do ref'ing on the children because we're stealing them from
487                 // the original division.
488                 Node* newDivision = m_insertionSet.insertNode(
489                     m_indexInBlock, SpecBytecodeDouble, *node);
490                 newDivision->setResult(NodeResultDouble);
491                 
492                 node->setOp(DoubleAsInt32);
493                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
494                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
495                     node->setArithMode(Arith::CheckOverflow);
496                 else
497                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
498                 break;
499             }
500             fixDoubleOrBooleanEdge(leftChild);
501             fixDoubleOrBooleanEdge(rightChild);
502             node->setResult(NodeResultDouble);
503             break;
504         }
505             
506         case ArithMin:
507         case ArithMax: {
508             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
509                 fixIntOrBooleanEdge(node->child1());
510                 fixIntOrBooleanEdge(node->child2());
511                 break;
512             }
513             fixDoubleOrBooleanEdge(node->child1());
514             fixDoubleOrBooleanEdge(node->child2());
515             node->setResult(NodeResultDouble);
516             break;
517         }
518             
519         case ArithAbs: {
520             if (node->child1()->shouldSpeculateInt32OrBoolean()
521                 && node->canSpeculateInt32(FixupPass)) {
522                 fixIntOrBooleanEdge(node->child1());
523                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
524                     node->setArithMode(Arith::Unchecked);
525                 else
526                     node->setArithMode(Arith::CheckOverflow);
527                 node->clearFlags(NodeMustGenerate);
528                 node->setResult(NodeResultInt32);
529                 break;
530             }
531
532             if (node->child1()->shouldSpeculateNotCell()) {
533                 fixDoubleOrBooleanEdge(node->child1());
534                 node->clearFlags(NodeMustGenerate);
535             } else
536                 fixEdge<UntypedUse>(node->child1());
537             node->setResult(NodeResultDouble);
538             break;
539         }
540
541         case ArithPow: {
542             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
543                 fixDoubleOrBooleanEdge(node->child1());
544                 fixIntOrBooleanEdge(node->child2());
545                 break;
546             }
547
548             fixDoubleOrBooleanEdge(node->child1());
549             fixDoubleOrBooleanEdge(node->child2());
550             break;
551         }
552
553         case ArithRandom: {
554             node->setResult(NodeResultDouble);
555             break;
556         }
557
558         case ArithRound:
559         case ArithFloor:
560         case ArithCeil:
561         case ArithTrunc: {
562             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
563                 fixIntOrBooleanEdge(node->child1());
564                 insertCheck<Int32Use>(node->child1().node());
565                 node->convertToIdentity();
566                 break;
567             }
568             if (node->child1()->shouldSpeculateNotCell()) {
569                 fixDoubleOrBooleanEdge(node->child1());
570
571                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
572                     node->setResult(NodeResultInt32);
573                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
574                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
575                     else
576                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
577                 } else {
578                     node->setResult(NodeResultDouble);
579                     node->setArithRoundingMode(Arith::RoundingMode::Double);
580                 }
581                 node->clearFlags(NodeMustGenerate);
582             } else
583                 fixEdge<UntypedUse>(node->child1());
584             break;
585         }
586
587         case ArithFRound:
588         case ArithSqrt:
589         case ArithUnary: {
590             Edge& child1 = node->child1();
591             if (child1->shouldSpeculateNotCell()) {
592                 fixDoubleOrBooleanEdge(child1);
593                 node->clearFlags(NodeMustGenerate);
594             } else
595                 fixEdge<UntypedUse>(child1);
596             break;
597         }
598             
599         case LogicalNot: {
600             if (node->child1()->shouldSpeculateBoolean()) {
601                 if (node->child1()->result() == NodeResultBoolean) {
602                     // This is necessary in case we have a bytecode instruction implemented by:
603                     //
604                     // a: CompareEq(...)
605                     // b: LogicalNot(@a)
606                     //
607                     // In that case, CompareEq might have a side-effect. Then, we need to make
608                     // sure that we know that Branch does not exit.
609                     fixEdge<KnownBooleanUse>(node->child1());
610                 } else
611                     fixEdge<BooleanUse>(node->child1());
612             } else if (node->child1()->shouldSpeculateObjectOrOther())
613                 fixEdge<ObjectOrOtherUse>(node->child1());
614             else if (node->child1()->shouldSpeculateInt32OrBoolean())
615                 fixIntOrBooleanEdge(node->child1());
616             else if (node->child1()->shouldSpeculateNumber())
617                 fixEdge<DoubleRepUse>(node->child1());
618             else if (node->child1()->shouldSpeculateString())
619                 fixEdge<StringUse>(node->child1());
620             else if (node->child1()->shouldSpeculateStringOrOther())
621                 fixEdge<StringOrOtherUse>(node->child1());
622             else {
623                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
624                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
625                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
626             }
627             break;
628         }
629
630         case CompareEq:
631         case CompareLess:
632         case CompareLessEq:
633         case CompareGreater:
634         case CompareGreaterEq: {
635             if (node->op() == CompareEq
636                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
637                 fixEdge<BooleanUse>(node->child1());
638                 fixEdge<BooleanUse>(node->child2());
639                 node->clearFlags(NodeMustGenerate);
640                 break;
641             }
642             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
643                 fixIntOrBooleanEdge(node->child1());
644                 fixIntOrBooleanEdge(node->child2());
645                 node->clearFlags(NodeMustGenerate);
646                 break;
647             }
648             if (enableInt52()
649                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
650                 fixEdge<Int52RepUse>(node->child1());
651                 fixEdge<Int52RepUse>(node->child2());
652                 node->clearFlags(NodeMustGenerate);
653                 break;
654             }
655             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
656                 fixDoubleOrBooleanEdge(node->child1());
657                 fixDoubleOrBooleanEdge(node->child2());
658             }
659             if (node->op() != CompareEq
660                 && node->child1()->shouldSpeculateNotCell()
661                 && node->child2()->shouldSpeculateNotCell()) {
662                 if (node->child1()->shouldSpeculateNumberOrBoolean())
663                     fixDoubleOrBooleanEdge(node->child1());
664                 else
665                     fixEdge<DoubleRepUse>(node->child1());
666                 if (node->child2()->shouldSpeculateNumberOrBoolean())
667                     fixDoubleOrBooleanEdge(node->child2());
668                 else
669                     fixEdge<DoubleRepUse>(node->child2());
670                 node->clearFlags(NodeMustGenerate);
671                 break;
672             }
673             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
674                 fixEdge<StringIdentUse>(node->child1());
675                 fixEdge<StringIdentUse>(node->child2());
676                 node->clearFlags(NodeMustGenerate);
677                 break;
678             }
679             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
680                 fixEdge<StringUse>(node->child1());
681                 fixEdge<StringUse>(node->child2());
682                 node->clearFlags(NodeMustGenerate);
683                 break;
684             }
685
686             if (node->op() != CompareEq)
687                 break;
688             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
689                 fixEdge<SymbolUse>(node->child1());
690                 fixEdge<SymbolUse>(node->child2());
691                 node->clearFlags(NodeMustGenerate);
692                 break;
693             }
694             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
695                 fixEdge<ObjectUse>(node->child1());
696                 fixEdge<ObjectUse>(node->child2());
697                 node->clearFlags(NodeMustGenerate);
698                 break;
699             }
700
701             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
702             bool oneArgumentIsUsedAsSpecOther = false;
703             if (node->child1()->isUndefinedOrNullConstant()) {
704                 fixEdge<KnownOtherUse>(node->child1());
705                 oneArgumentIsUsedAsSpecOther = true;
706             } else if (node->child1()->shouldSpeculateOther()) {
707                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
708                     Edge(node->child1().node(), OtherUse));
709                 fixEdge<KnownOtherUse>(node->child1());
710                 oneArgumentIsUsedAsSpecOther = true;
711             }
712             if (node->child2()->isUndefinedOrNullConstant()) {
713                 fixEdge<KnownOtherUse>(node->child2());
714                 oneArgumentIsUsedAsSpecOther = true;
715             } else if (node->child2()->shouldSpeculateOther()) {
716                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
717                     Edge(node->child2().node(), OtherUse));
718                 fixEdge<KnownOtherUse>(node->child2());
719                 oneArgumentIsUsedAsSpecOther = true;
720             }
721             if (oneArgumentIsUsedAsSpecOther) {
722                 node->clearFlags(NodeMustGenerate);
723                 break;
724             }
725
726             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
727                 fixEdge<ObjectUse>(node->child1());
728                 fixEdge<ObjectOrOtherUse>(node->child2());
729                 node->clearFlags(NodeMustGenerate);
730                 break;
731             }
732             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
733                 fixEdge<ObjectOrOtherUse>(node->child1());
734                 fixEdge<ObjectUse>(node->child2());
735                 node->clearFlags(NodeMustGenerate);
736                 break;
737             }
738
739             break;
740         }
741             
742         case CompareStrictEq:
743         case SameValue: {
744             fixupCompareStrictEqAndSameValue(node);
745             break;
746         }
747
748         case StringFromCharCode:
749             if (node->child1()->shouldSpeculateInt32()) {
750                 fixEdge<Int32Use>(node->child1());
751                 node->clearFlags(NodeMustGenerate);
752             } else
753                 fixEdge<UntypedUse>(node->child1());
754             break;
755
756         case StringCharAt:
757         case StringCharCodeAt: {
758             // Currently we have no good way of refining these.
759             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
760             blessArrayOperation(node->child1(), node->child2(), node->child3());
761             fixEdge<KnownCellUse>(node->child1());
762             fixEdge<Int32Use>(node->child2());
763             break;
764         }
765
766         case GetByVal: {
767             if (!node->prediction()) {
768                 m_insertionSet.insertNode(
769                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
770             }
771             
772             node->setArrayMode(
773                 node->arrayMode().refine(
774                     m_graph, node,
775                     m_graph.varArgChild(node, 0)->prediction(),
776                     m_graph.varArgChild(node, 1)->prediction(),
777                     SpecNone));
778             
779             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
780             
781             ArrayMode arrayMode = node->arrayMode();
782             switch (arrayMode.type()) {
783             case Array::Contiguous:
784             case Array::Double:
785                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
786                     // Check if SaneChain will work on a per-type basis. Note that:
787                     //
788                     // 1) We don't want double arrays to sometimes return undefined, since
789                     // that would require a change to the return type and it would pessimise
790                     // things a lot. So, we'd only want to do that if we actually had
791                     // evidence that we could read from a hole. That's pretty annoying.
792                     // Likely the best way to handle that case is with an equivalent of
793                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
794                     // NaN are indistinguishable according to backwards propagation, and just
795                     // use SaneChain in that case. This happens to catch a lot of cases.
796                     //
797                     // 2) We don't want int32 array loads to have to do a hole check just to
798                     // coerce to Undefined, since that would mean twice the checks.
799                     //
800                     // This has two implications. First, we have to do more checks than we'd
801                     // like. It's unfortunate that we have to do the hole check. Second,
802                     // some accesses that hit a hole will now need to take the full-blown
803                     // out-of-bounds slow path. We can fix that with:
804                     // https://bugs.webkit.org/show_bug.cgi?id=144668
805                     
806                     bool canDoSaneChain = false;
807                     switch (arrayMode.type()) {
808                     case Array::Contiguous:
809                         // This is happens to be entirely natural. We already would have
810                         // returned any JSValue, and now we'll return Undefined. We still do
811                         // the check but it doesn't require taking any kind of slow path.
812                         canDoSaneChain = true;
813                         break;
814                         
815                     case Array::Double:
816                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
817                             // Holes look like NaN already, so if the user doesn't care
818                             // about the difference between Undefined and NaN then we can
819                             // do this.
820                             canDoSaneChain = true;
821                         }
822                         break;
823                         
824                     default:
825                         break;
826                     }
827                     
828                     if (canDoSaneChain) {
829                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
830                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
831                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
832                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
833                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
834                             && globalObject->arrayPrototypeChainIsSane()) {
835                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
836                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
837                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
838                         }
839                     }
840                 }
841                 break;
842                 
843             case Array::String:
844                 if ((node->prediction() & ~SpecString)
845                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
846                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
847                 break;
848                 
849             default:
850                 break;
851             }
852             
853             arrayMode = node->arrayMode();
854             switch (arrayMode.type()) {
855             case Array::SelectUsingPredictions:
856             case Array::Unprofiled:
857                 RELEASE_ASSERT_NOT_REACHED();
858                 break;
859             case Array::Generic:
860                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
861                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
862                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
863                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
864                         break;
865                     }
866
867                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
868                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
869                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
870                         break;
871                     }
872                 }
873 #if USE(JSVALUE32_64)
874                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
875 #endif
876                 break;
877             case Array::ForceExit:
878                 break;
879             default:
880                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
881                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
882                 break;
883             }
884             
885             switch (arrayMode.type()) {
886             case Array::Double:
887                 if (!arrayMode.isOutOfBounds())
888                     node->setResult(NodeResultDouble);
889                 break;
890                 
891             case Array::Float32Array:
892             case Array::Float64Array:
893                 node->setResult(NodeResultDouble);
894                 break;
895                 
896             case Array::Uint32Array:
897                 if (node->shouldSpeculateInt32())
898                     break;
899                 if (node->shouldSpeculateAnyInt() && enableInt52())
900                     node->setResult(NodeResultInt52);
901                 else
902                     node->setResult(NodeResultDouble);
903                 break;
904                 
905             default:
906                 break;
907             }
908             
909             break;
910         }
911
912         case PutByValDirect:
913         case PutByVal:
914         case PutByValAlias: {
915             Edge& child1 = m_graph.varArgChild(node, 0);
916             Edge& child2 = m_graph.varArgChild(node, 1);
917             Edge& child3 = m_graph.varArgChild(node, 2);
918
919             node->setArrayMode(
920                 node->arrayMode().refine(
921                     m_graph, node,
922                     child1->prediction(),
923                     child2->prediction(),
924                     child3->prediction()));
925             
926             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
927             
928             switch (node->arrayMode().modeForPut().type()) {
929             case Array::SelectUsingPredictions:
930             case Array::SelectUsingArguments:
931             case Array::Unprofiled:
932             case Array::Undecided:
933                 RELEASE_ASSERT_NOT_REACHED();
934                 break;
935             case Array::ForceExit:
936             case Array::Generic:
937                 if (child1->shouldSpeculateCell()) {
938                     if (child2->shouldSpeculateString()) {
939                         fixEdge<CellUse>(child1);
940                         fixEdge<StringUse>(child2);
941                         break;
942                     }
943
944                     if (child2->shouldSpeculateSymbol()) {
945                         fixEdge<CellUse>(child1);
946                         fixEdge<SymbolUse>(child2);
947                         break;
948                     }
949                 }
950 #if USE(JSVALUE32_64)
951                 // Due to register pressure on 32-bit, we speculate cell and
952                 // ignore the base-is-not-cell case entirely by letting the
953                 // baseline JIT handle it.
954                 fixEdge<CellUse>(child1);
955 #endif
956                 break;
957             case Array::Int32:
958                 fixEdge<KnownCellUse>(child1);
959                 fixEdge<Int32Use>(child2);
960                 fixEdge<Int32Use>(child3);
961                 break;
962             case Array::Double:
963                 fixEdge<KnownCellUse>(child1);
964                 fixEdge<Int32Use>(child2);
965                 fixEdge<DoubleRepRealUse>(child3);
966                 break;
967             case Array::Int8Array:
968             case Array::Int16Array:
969             case Array::Int32Array:
970             case Array::Uint8Array:
971             case Array::Uint8ClampedArray:
972             case Array::Uint16Array:
973             case Array::Uint32Array:
974                 fixEdge<KnownCellUse>(child1);
975                 fixEdge<Int32Use>(child2);
976                 if (child3->shouldSpeculateInt32())
977                     fixIntOrBooleanEdge(child3);
978                 else if (child3->shouldSpeculateAnyInt())
979                     fixEdge<Int52RepUse>(child3);
980                 else
981                     fixDoubleOrBooleanEdge(child3);
982                 break;
983             case Array::Float32Array:
984             case Array::Float64Array:
985                 fixEdge<KnownCellUse>(child1);
986                 fixEdge<Int32Use>(child2);
987                 fixDoubleOrBooleanEdge(child3);
988                 break;
989             case Array::Contiguous:
990             case Array::ArrayStorage:
991             case Array::SlowPutArrayStorage:
992                 fixEdge<KnownCellUse>(child1);
993                 fixEdge<Int32Use>(child2);
994                 speculateForBarrier(child3);
995                 break;
996             default:
997                 fixEdge<KnownCellUse>(child1);
998                 fixEdge<Int32Use>(child2);
999                 break;
1000             }
1001             break;
1002         }
1003             
1004         case AtomicsAdd:
1005         case AtomicsAnd:
1006         case AtomicsCompareExchange:
1007         case AtomicsExchange:
1008         case AtomicsLoad:
1009         case AtomicsOr:
1010         case AtomicsStore:
1011         case AtomicsSub:
1012         case AtomicsXor: {
1013             Edge& base = m_graph.child(node, 0);
1014             Edge& index = m_graph.child(node, 1);
1015             
1016             bool badNews = false;
1017             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1018                 Edge& child = m_graph.child(node, 2 + i);
1019                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
1020                 // just call the function when that happens. But the FTL is totally cool with those
1021                 // conversions.
1022                 if (!child->shouldSpeculateInt32()
1023                     && !child->shouldSpeculateAnyInt()
1024                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
1025                     badNews = true;
1026             }
1027             
1028             if (badNews) {
1029                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
1030                 break;
1031             }
1032             
1033             node->setArrayMode(
1034                 node->arrayMode().refine(
1035                     m_graph, node, base->prediction(), index->prediction()));
1036             
1037             if (node->arrayMode().type() == Array::Generic)
1038                 break;
1039             
1040             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
1041                 Edge& child = m_graph.child(node, 2 + i);
1042                 if (child->shouldSpeculateInt32())
1043                     fixIntOrBooleanEdge(child);
1044                 else if (child->shouldSpeculateAnyInt())
1045                     fixEdge<Int52RepUse>(child);
1046                 else {
1047                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
1048                     fixDoubleOrBooleanEdge(child);
1049                 }
1050             }
1051             
1052             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
1053             fixEdge<CellUse>(base);
1054             fixEdge<Int32Use>(index);
1055             
1056             if (node->arrayMode().type() == Array::Uint32Array) {
1057                 // NOTE: This means basically always doing Int52.
1058                 if (node->shouldSpeculateAnyInt() && enableInt52())
1059                     node->setResult(NodeResultInt52);
1060                 else
1061                     node->setResult(NodeResultDouble);
1062             }
1063             break;
1064         }
1065             
1066         case AtomicsIsLockFree:
1067             if (node->child1()->shouldSpeculateInt32())
1068                 fixIntOrBooleanEdge(node->child1());
1069             break;
1070             
1071         case ArrayPush: {
1072             // May need to refine the array mode in case the value prediction contravenes
1073             // the array prediction. For example, we may have evidence showing that the
1074             // array is in Int32 mode, but the value we're storing is likely to be a double.
1075             // Then we should turn this into a conversion to Double array followed by the
1076             // push. On the other hand, we absolutely don't want to refine based on the
1077             // base prediction. If it has non-cell garbage in it, then we want that to be
1078             // ignored. That's because ArrayPush can't handle any array modes that aren't
1079             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1080             // that would break things.
1081             Edge& storageEdge = m_graph.varArgChild(node, 0);
1082             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1083             unsigned elementOffset = 2;
1084             unsigned elementCount = node->numChildren() - elementOffset;
1085             for (unsigned i = 0; i < elementCount; ++i) {
1086                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1087                 node->setArrayMode(
1088                     node->arrayMode().refine(
1089                         m_graph, node,
1090                         arrayEdge->prediction() & SpecCell,
1091                         SpecInt32Only,
1092                         element->prediction()));
1093             }
1094             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1095             fixEdge<KnownCellUse>(arrayEdge);
1096
1097             // Convert `array.push()` to GetArrayLength.
1098             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1099                 node->setOpAndDefaultFlags(GetArrayLength);
1100                 node->child1() = arrayEdge;
1101                 node->child2() = storageEdge;
1102                 fixEdge<KnownCellUse>(node->child1());
1103                 break;
1104             }
1105
1106             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1107             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1108             for (unsigned i = 0; i < elementCount; ++i) {
1109                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1110                 switch (node->arrayMode().type()) {
1111                 case Array::Int32:
1112                     insertCheck<Int32Use>(element.node());
1113                     fixEdge<KnownInt32Use>(element);
1114                     break;
1115                 case Array::Double:
1116                     insertCheck<DoubleRepRealUse>(element.node());
1117                     fixEdge<DoubleRepUse>(element);
1118                     break;
1119                 case Array::Contiguous:
1120                 case Array::ArrayStorage:
1121                     speculateForBarrier(element);
1122                     break;
1123                 default:
1124                     break;
1125                 }
1126                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1127             }
1128             break;
1129         }
1130             
1131         case ArrayPop: {
1132             blessArrayOperation(node->child1(), Edge(), node->child2());
1133             fixEdge<KnownCellUse>(node->child1());
1134             break;
1135         }
1136
1137         case ArraySlice: {
1138             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1139             if (node->numChildren() >= 3) {
1140                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1141                 if (node->numChildren() == 4)
1142                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1143             }
1144             break;
1145         }
1146
1147         case ArrayIndexOf:
1148             fixupArrayIndexOf(node);
1149             break;
1150             
1151         case RegExpExec:
1152         case RegExpTest: {
1153             fixEdge<KnownCellUse>(node->child1());
1154             
1155             if (node->child2()->shouldSpeculateRegExpObject()) {
1156                 fixEdge<RegExpObjectUse>(node->child2());
1157
1158                 if (node->child3()->shouldSpeculateString())
1159                     fixEdge<StringUse>(node->child3());
1160             }
1161             break;
1162         }
1163
1164         case RegExpMatchFast: {
1165             fixEdge<KnownCellUse>(node->child1());
1166             fixEdge<RegExpObjectUse>(node->child2());
1167             fixEdge<StringUse>(node->child3());
1168             break;
1169         }
1170
1171         case StringReplace:
1172         case StringReplaceRegExp: {
1173             if (node->child2()->shouldSpeculateString()) {
1174                 m_insertionSet.insertNode(
1175                     m_indexInBlock, SpecNone, Check, node->origin,
1176                     Edge(node->child2().node(), StringUse));
1177                 fixEdge<StringUse>(node->child2());
1178             } else if (op == StringReplace) {
1179                 if (node->child2()->shouldSpeculateRegExpObject())
1180                     addStringReplacePrimordialChecks(node->child2().node());
1181                 else 
1182                     m_insertionSet.insertNode(
1183                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1184             }
1185
1186             if (node->child1()->shouldSpeculateString()
1187                 && node->child2()->shouldSpeculateRegExpObject()
1188                 && node->child3()->shouldSpeculateString()) {
1189
1190                 fixEdge<StringUse>(node->child1());
1191                 fixEdge<RegExpObjectUse>(node->child2());
1192                 fixEdge<StringUse>(node->child3());
1193                 break;
1194             }
1195             break;
1196         }
1197             
1198         case Branch: {
1199             if (node->child1()->shouldSpeculateBoolean()) {
1200                 if (node->child1()->result() == NodeResultBoolean) {
1201                     // This is necessary in case we have a bytecode instruction implemented by:
1202                     //
1203                     // a: CompareEq(...)
1204                     // b: Branch(@a)
1205                     //
1206                     // In that case, CompareEq might have a side-effect. Then, we need to make
1207                     // sure that we know that Branch does not exit.
1208                     fixEdge<KnownBooleanUse>(node->child1());
1209                 } else
1210                     fixEdge<BooleanUse>(node->child1());
1211             } else if (node->child1()->shouldSpeculateObjectOrOther())
1212                 fixEdge<ObjectOrOtherUse>(node->child1());
1213             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1214                 fixIntOrBooleanEdge(node->child1());
1215             else if (node->child1()->shouldSpeculateNumber())
1216                 fixEdge<DoubleRepUse>(node->child1());
1217             else if (node->child1()->shouldSpeculateString())
1218                 fixEdge<StringUse>(node->child1());
1219             else if (node->child1()->shouldSpeculateStringOrOther())
1220                 fixEdge<StringOrOtherUse>(node->child1());
1221             else {
1222                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1223                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1224                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1225             }
1226             break;
1227         }
1228             
1229         case Switch: {
1230             SwitchData* data = node->switchData();
1231             switch (data->kind) {
1232             case SwitchImm:
1233                 if (node->child1()->shouldSpeculateInt32())
1234                     fixEdge<Int32Use>(node->child1());
1235                 break;
1236             case SwitchChar:
1237                 if (node->child1()->shouldSpeculateString())
1238                     fixEdge<StringUse>(node->child1());
1239                 break;
1240             case SwitchString:
1241                 if (node->child1()->shouldSpeculateStringIdent())
1242                     fixEdge<StringIdentUse>(node->child1());
1243                 else if (node->child1()->shouldSpeculateString())
1244                     fixEdge<StringUse>(node->child1());
1245                 break;
1246             case SwitchCell:
1247                 if (node->child1()->shouldSpeculateCell())
1248                     fixEdge<CellUse>(node->child1());
1249                 // else it's fine for this to have UntypedUse; we will handle this by just making
1250                 // non-cells take the default case.
1251                 break;
1252             }
1253             break;
1254         }
1255             
1256         case ToPrimitive: {
1257             fixupToPrimitive(node);
1258             break;
1259         }
1260
1261         case ToNumber: {
1262             fixupToNumber(node);
1263             break;
1264         }
1265             
1266         case ToString:
1267         case CallStringConstructor: {
1268             fixupToStringOrCallStringConstructor(node);
1269             break;
1270         }
1271             
1272         case NewStringObject: {
1273             fixEdge<KnownStringUse>(node->child1());
1274             break;
1275         }
1276
1277         case NewSymbol: {
1278             if (node->child1())
1279                 fixEdge<KnownStringUse>(node->child1());
1280             break;
1281         }
1282
1283         case NewArrayWithSpread: {
1284             watchHavingABadTime(node);
1285             
1286             BitVector* bitVector = node->bitVector();
1287             for (unsigned i = node->numChildren(); i--;) {
1288                 if (bitVector->get(i))
1289                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1290                 else
1291                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1292             }
1293
1294             break;
1295         }
1296
1297         case Spread: {
1298             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1299             
1300             watchHavingABadTime(node->child1().node());
1301
1302             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1303             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1304             // that it doesn't contain any indexed properties, and that any holes will result in
1305             // jsUndefined().
1306             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1307             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1308             if (node->child1()->shouldSpeculateArray()
1309                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1310                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1311                 && globalObject->arrayPrototypeChainIsSane()
1312                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1313                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1314                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1315                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1316                 fixEdge<ArrayUse>(node->child1());
1317             } else
1318                 fixEdge<CellUse>(node->child1());
1319             break;
1320         }
1321             
1322         case NewArray: {
1323             watchHavingABadTime(node);
1324             
1325             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1326                 node->setIndexingType(
1327                     leastUpperBoundOfIndexingTypeAndType(
1328                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1329             }
1330             switch (node->indexingType()) {
1331             case ALL_BLANK_INDEXING_TYPES:
1332                 CRASH();
1333                 break;
1334             case ALL_UNDECIDED_INDEXING_TYPES:
1335                 if (node->numChildren()) {
1336                     // This will only happen if the children have no type predictions. We
1337                     // would have already exited by now, but insert a forced exit just to
1338                     // be safe.
1339                     m_insertionSet.insertNode(
1340                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1341                 }
1342                 break;
1343             case ALL_INT32_INDEXING_TYPES:
1344                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1345                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1346                 break;
1347             case ALL_DOUBLE_INDEXING_TYPES:
1348                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1349                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1350                 break;
1351             case ALL_CONTIGUOUS_INDEXING_TYPES:
1352             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1353                 break;
1354             default:
1355                 CRASH();
1356                 break;
1357             }
1358             break;
1359         }
1360             
1361         case NewTypedArray: {
1362             watchHavingABadTime(node);
1363             
1364             if (node->child1()->shouldSpeculateInt32()) {
1365                 fixEdge<Int32Use>(node->child1());
1366                 node->clearFlags(NodeMustGenerate);
1367                 break;
1368             }
1369             break;
1370         }
1371             
1372         case NewArrayWithSize: {
1373             watchHavingABadTime(node);
1374             fixEdge<Int32Use>(node->child1());
1375             break;
1376         }
1377
1378         case NewArrayBuffer: {
1379             watchHavingABadTime(node);
1380             break;
1381         }
1382
1383         case ToObject: {
1384             fixupToObject(node);
1385             break;
1386         }
1387
1388         case CallObjectConstructor: {
1389             fixupCallObjectConstructor(node);
1390             break;
1391         }
1392
1393         case ToThis: {
1394             fixupToThis(node);
1395             break;
1396         }
1397             
1398         case PutStructure: {
1399             fixEdge<KnownCellUse>(node->child1());
1400             break;
1401         }
1402             
1403         case GetClosureVar:
1404         case GetFromArguments: {
1405             fixEdge<KnownCellUse>(node->child1());
1406             break;
1407         }
1408
1409         case PutClosureVar:
1410         case PutToArguments: {
1411             fixEdge<KnownCellUse>(node->child1());
1412             speculateForBarrier(node->child2());
1413             break;
1414         }
1415
1416         case SkipScope:
1417         case GetScope:
1418         case GetGetter:
1419         case GetSetter:
1420         case GetGlobalObject: {
1421             fixEdge<KnownCellUse>(node->child1());
1422             break;
1423         }
1424             
1425         case AllocatePropertyStorage:
1426         case ReallocatePropertyStorage: {
1427             fixEdge<KnownCellUse>(node->child1());
1428             break;
1429         }
1430             
1431         case NukeStructureAndSetButterfly: {
1432             fixEdge<KnownCellUse>(node->child1());
1433             break;
1434         }
1435
1436         case TryGetById: {
1437             if (node->child1()->shouldSpeculateCell())
1438                 fixEdge<CellUse>(node->child1());
1439             break;
1440         }
1441
1442         case GetByIdDirect:
1443         case GetByIdDirectFlush: {
1444             if (node->child1()->shouldSpeculateCell())
1445                 fixEdge<CellUse>(node->child1());
1446             break;
1447         }
1448
1449         case GetById:
1450         case GetByIdFlush: {
1451             // FIXME: This should be done in the ByteCodeParser based on reading the
1452             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1453             // https://bugs.webkit.org/show_bug.cgi?id=154990
1454             auto uid = m_graph.identifiers()[node->identifierNumber()];
1455             if (node->child1()->shouldSpeculateCellOrOther()
1456                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1457                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1458                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1459                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1460                 
1461                 if (uid == vm().propertyNames->length.impl()) {
1462                     attemptToMakeGetArrayLength(node);
1463                     break;
1464                 }
1465
1466                 if (uid == vm().propertyNames->lastIndex.impl()
1467                     && node->child1()->shouldSpeculateRegExpObject()) {
1468                     node->setOp(GetRegExpObjectLastIndex);
1469                     node->clearFlags(NodeMustGenerate);
1470                     fixEdge<RegExpObjectUse>(node->child1());
1471                     break;
1472                 }
1473             }
1474
1475             if (node->child1()->shouldSpeculateNumber()) {
1476                 if (uid == vm().propertyNames->toString.impl()) {
1477                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1478                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1479                         if (node->child1()->shouldSpeculateInt32()) {
1480                             insertCheck<Int32Use>(node->child1().node());
1481                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1482                             break;
1483                         }
1484
1485                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1486                             insertCheck<Int52RepUse>(node->child1().node());
1487                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1488                             break;
1489                         }
1490
1491                         ASSERT(node->child1()->shouldSpeculateNumber());
1492                         insertCheck<DoubleRepUse>(node->child1().node());
1493                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1494                         break;
1495                     }
1496                 }
1497             }
1498
1499             if (node->child1()->shouldSpeculateCell())
1500                 fixEdge<CellUse>(node->child1());
1501             break;
1502         }
1503         
1504         case GetByIdWithThis: {
1505             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1506                 fixEdge<CellUse>(node->child1());
1507                 fixEdge<CellUse>(node->child2());
1508             }
1509             break;
1510         }
1511
1512         case PutById:
1513         case PutByIdFlush:
1514         case PutByIdDirect: {
1515             if (node->child1()->shouldSpeculateCellOrOther()
1516                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1517                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1518                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1519                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1520                 
1521                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1522                 
1523                 if (uid == vm().propertyNames->lastIndex.impl()
1524                     && node->child1()->shouldSpeculateRegExpObject()) {
1525                     node->convertToSetRegExpObjectLastIndex();
1526                     fixEdge<RegExpObjectUse>(node->child1());
1527                     speculateForBarrier(node->child2());
1528                     break;
1529                 }
1530             }
1531             
1532             fixEdge<CellUse>(node->child1());
1533             break;
1534         }
1535
1536         case PutGetterById:
1537         case PutSetterById: {
1538             fixEdge<KnownCellUse>(node->child1());
1539             fixEdge<KnownCellUse>(node->child2());
1540             break;
1541         }
1542
1543         case PutGetterSetterById: {
1544             fixEdge<KnownCellUse>(node->child1());
1545             break;
1546         }
1547
1548         case PutGetterByVal:
1549         case PutSetterByVal: {
1550             fixEdge<KnownCellUse>(node->child1());
1551             fixEdge<KnownCellUse>(node->child3());
1552             break;
1553         }
1554
1555         case GetExecutable: {
1556             fixEdge<FunctionUse>(node->child1());
1557             break;
1558         }
1559
1560         case OverridesHasInstance:
1561         case CheckStructure:
1562         case CheckCell:
1563         case CreateThis:
1564         case GetButterfly: {
1565             fixEdge<CellUse>(node->child1());
1566             break;
1567         }
1568
1569         case ObjectCreate: {
1570             if (node->child1()->shouldSpeculateObject()) {
1571                 fixEdge<ObjectUse>(node->child1());
1572                 node->clearFlags(NodeMustGenerate);
1573                 break;
1574             }
1575             break;
1576         }
1577
1578         case ObjectKeys: {
1579             if (node->child1()->shouldSpeculateObject()) {
1580                 watchHavingABadTime(node);
1581                 fixEdge<ObjectUse>(node->child1());
1582             }
1583             break;
1584         }
1585
1586         case CheckStringIdent: {
1587             fixEdge<StringIdentUse>(node->child1());
1588             break;
1589         }
1590             
1591         case Arrayify:
1592         case ArrayifyToStructure: {
1593             fixEdge<CellUse>(node->child1());
1594             if (node->child2())
1595                 fixEdge<Int32Use>(node->child2());
1596             break;
1597         }
1598             
1599         case GetByOffset:
1600         case GetGetterSetterByOffset: {
1601             if (!node->child1()->hasStorageResult())
1602                 fixEdge<KnownCellUse>(node->child1());
1603             fixEdge<KnownCellUse>(node->child2());
1604             break;
1605         }
1606             
1607         case MultiGetByOffset: {
1608             fixEdge<CellUse>(node->child1());
1609             break;
1610         }
1611             
1612         case PutByOffset: {
1613             if (!node->child1()->hasStorageResult())
1614                 fixEdge<KnownCellUse>(node->child1());
1615             fixEdge<KnownCellUse>(node->child2());
1616             unsigned index = indexForChecks();
1617             insertInferredTypeCheck(
1618                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1619                 node->storageAccessData().inferredType);
1620             speculateForBarrier(node->child3());
1621             break;
1622         }
1623             
1624         case MultiPutByOffset: {
1625             fixEdge<CellUse>(node->child1());
1626             break;
1627         }
1628             
1629         case MatchStructure: {
1630             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1631             // https://bugs.webkit.org/show_bug.cgi?id=185784
1632             fixEdge<CellUse>(node->child1());
1633             break;
1634         }
1635             
1636         case InstanceOf: {
1637             if (node->child1()->shouldSpeculateCell()
1638                 && node->child2()->shouldSpeculateCell()
1639                 && is64Bit()) {
1640                 fixEdge<CellUse>(node->child1());
1641                 fixEdge<CellUse>(node->child2());
1642                 break;
1643             }
1644             break;
1645         }
1646
1647         case InstanceOfCustom:
1648             fixEdge<CellUse>(node->child2());
1649             break;
1650
1651         case InById: {
1652             fixEdge<CellUse>(node->child1());
1653             break;
1654         }
1655
1656         case InByVal: {
1657             if (node->child2()->shouldSpeculateInt32()) {
1658                 convertToHasIndexedProperty(node);
1659                 break;
1660             }
1661
1662             fixEdge<CellUse>(node->child1());
1663             break;
1664         }
1665
1666         case HasOwnProperty: {
1667             fixEdge<ObjectUse>(node->child1());
1668 #if CPU(X86)
1669             // We don't have enough registers to do anything interesting on x86 and mips.
1670             fixEdge<UntypedUse>(node->child2());
1671 #else
1672             if (node->child2()->shouldSpeculateString())
1673                 fixEdge<StringUse>(node->child2());
1674             else if (node->child2()->shouldSpeculateSymbol())
1675                 fixEdge<SymbolUse>(node->child2());
1676             else
1677                 fixEdge<UntypedUse>(node->child2());
1678 #endif
1679             break;
1680         }
1681
1682         case CheckVarargs:
1683         case Check: {
1684             m_graph.doToChildren(
1685                 node,
1686                 [&] (Edge& edge) {
1687                     switch (edge.useKind()) {
1688                     case NumberUse:
1689                         if (edge->shouldSpeculateInt32ForArithmetic())
1690                             edge.setUseKind(Int32Use);
1691                         break;
1692                     default:
1693                         break;
1694                     }
1695                     observeUseKindOnEdge(edge);
1696                 });
1697             break;
1698         }
1699
1700         case Phantom:
1701             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1702             node->remove(m_graph);
1703             break;
1704
1705         case FiatInt52: {
1706             RELEASE_ASSERT(enableInt52());
1707             node->convertToIdentity();
1708             fixEdge<Int52RepUse>(node->child1());
1709             node->setResult(NodeResultInt52);
1710             break;
1711         }
1712
1713         case GetArrayLength: {
1714             fixEdge<KnownCellUse>(node->child1());
1715             break;
1716         }
1717
1718         case GetTypedArrayByteOffset: {
1719             fixEdge<KnownCellUse>(node->child1());
1720             break;
1721         }
1722
1723         case CompareBelow:
1724         case CompareBelowEq: {
1725             fixEdge<Int32Use>(node->child1());
1726             fixEdge<Int32Use>(node->child2());
1727             break;
1728         }
1729
1730         case GetPrototypeOf: {
1731             fixupGetPrototypeOf(node);
1732             break;
1733         }
1734
1735         case Phi:
1736         case Upsilon:
1737         case EntrySwitch:
1738         case GetIndexedPropertyStorage:
1739         case LastNodeType:
1740         case CheckTierUpInLoop:
1741         case CheckTierUpAtReturn:
1742         case CheckTierUpAndOSREnter:
1743         case CheckArray:
1744         case CheckInBounds:
1745         case ConstantStoragePointer:
1746         case DoubleAsInt32:
1747         case ValueToInt32:
1748         case DoubleRep:
1749         case ValueRep:
1750         case Int52Rep:
1751         case Int52Constant:
1752         case Identity: // This should have been cleaned up.
1753         case BooleanToNumber:
1754         case PhantomNewObject:
1755         case PhantomNewFunction:
1756         case PhantomNewGeneratorFunction:
1757         case PhantomNewAsyncGeneratorFunction:
1758         case PhantomNewAsyncFunction:
1759         case PhantomCreateActivation:
1760         case PhantomDirectArguments:
1761         case PhantomCreateRest:
1762         case PhantomSpread:
1763         case PhantomNewArrayWithSpread:
1764         case PhantomNewArrayBuffer:
1765         case PhantomClonedArguments:
1766         case PhantomNewRegexp:
1767         case GetMyArgumentByVal:
1768         case GetMyArgumentByValOutOfBounds:
1769         case GetVectorLength:
1770         case PutHint:
1771         case CheckStructureImmediate:
1772         case CheckStructureOrEmpty:
1773         case MaterializeNewObject:
1774         case MaterializeCreateActivation:
1775         case PutStack:
1776         case KillStack:
1777         case GetStack:
1778         case StoreBarrier:
1779         case FencedStoreBarrier:
1780         case GetRegExpObjectLastIndex:
1781         case SetRegExpObjectLastIndex:
1782         case RecordRegExpCachedResult:
1783         case RegExpExecNonGlobalOrSticky:
1784         case RegExpMatchFastGlobal:
1785             // These are just nodes that we don't currently expect to see during fixup.
1786             // If we ever wanted to insert them prior to fixup, then we just have to create
1787             // fixup rules for them.
1788             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1789             break;
1790
1791         case PutGlobalVariable: {
1792             fixEdge<CellUse>(node->child1());
1793             speculateForBarrier(node->child2());
1794             break;
1795         }
1796
1797         case IsObject:
1798             if (node->child1()->shouldSpeculateObject()) {
1799                 m_insertionSet.insertNode(
1800                     m_indexInBlock, SpecNone, Check, node->origin,
1801                     Edge(node->child1().node(), ObjectUse));
1802                 m_graph.convertToConstant(node, jsBoolean(true));
1803                 observeUseKindOnNode<ObjectUse>(node);
1804             }
1805             break;
1806
1807         case IsCellWithType: {
1808             fixupIsCellWithType(node);
1809             break;
1810         }
1811
1812         case GetEnumerableLength: {
1813             fixEdge<CellUse>(node->child1());
1814             break;
1815         }
1816         case HasGenericProperty: {
1817             fixEdge<CellUse>(node->child2());
1818             break;
1819         }
1820         case HasStructureProperty: {
1821             fixEdge<StringUse>(node->child2());
1822             fixEdge<KnownCellUse>(node->child3());
1823             break;
1824         }
1825         case HasIndexedProperty: {
1826             node->setArrayMode(
1827                 node->arrayMode().refine(
1828                     m_graph, node,
1829                     node->child1()->prediction(),
1830                     node->child2()->prediction(),
1831                     SpecNone));
1832             
1833             blessArrayOperation(node->child1(), node->child2(), node->child3());
1834             fixEdge<CellUse>(node->child1());
1835             fixEdge<KnownInt32Use>(node->child2());
1836             break;
1837         }
1838         case GetDirectPname: {
1839             Edge& base = m_graph.varArgChild(node, 0);
1840             Edge& property = m_graph.varArgChild(node, 1);
1841             Edge& index = m_graph.varArgChild(node, 2);
1842             Edge& enumerator = m_graph.varArgChild(node, 3);
1843             fixEdge<CellUse>(base);
1844             fixEdge<KnownCellUse>(property);
1845             fixEdge<KnownInt32Use>(index);
1846             fixEdge<KnownCellUse>(enumerator);
1847             break;
1848         }
1849         case GetPropertyEnumerator: {
1850             if (node->child1()->shouldSpeculateCell())
1851                 fixEdge<CellUse>(node->child1());
1852             break;
1853         }
1854         case GetEnumeratorStructurePname: {
1855             fixEdge<KnownCellUse>(node->child1());
1856             fixEdge<KnownInt32Use>(node->child2());
1857             break;
1858         }
1859         case GetEnumeratorGenericPname: {
1860             fixEdge<KnownCellUse>(node->child1());
1861             fixEdge<KnownInt32Use>(node->child2());
1862             break;
1863         }
1864         case ToIndexString: {
1865             fixEdge<KnownInt32Use>(node->child1());
1866             break;
1867         }
1868         case ProfileType: {
1869             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1870             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1871             // type T for the instructionTypeSet, the global type set must also have information for type T.
1872             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1873             // in the globalTypeSet would've also succeeded.
1874             // (The other direction does not hold in general).
1875
1876             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1877             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1878             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1879                 if (node->child1()->shouldSpeculateInt32()) {
1880                     fixEdge<Int32Use>(node->child1());
1881                     node->remove(m_graph);
1882                     break;
1883                 }
1884
1885                 if (enableInt52()) {
1886                     fixEdge<AnyIntUse>(node->child1());
1887                     node->remove(m_graph);
1888                     break;
1889                 }
1890
1891                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1892             }
1893
1894             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1895                 fixEdge<NumberUse>(node->child1());
1896                 node->remove(m_graph);
1897             } else if (typeSet->doesTypeConformTo(TypeString)) {
1898                 fixEdge<StringUse>(node->child1());
1899                 node->remove(m_graph);
1900             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1901                 fixEdge<BooleanUse>(node->child1());
1902                 node->remove(m_graph);
1903             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1904                 fixEdge<OtherUse>(node->child1());
1905                 node->remove(m_graph);
1906             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1907                 StructureSet set;
1908                 {
1909                     ConcurrentJSLocker locker(typeSet->m_lock);
1910                     set = typeSet->structureSet(locker);
1911                 }
1912                 if (!set.isEmpty()) {
1913                     fixEdge<CellUse>(node->child1());
1914                     node->convertToCheckStructureOrEmpty(m_graph.addStructureSet(set));
1915                 }
1916             }
1917
1918             break;
1919         }
1920
1921         case CreateClonedArguments: {
1922             watchHavingABadTime(node);
1923             break;
1924         }
1925
1926         case CreateScopedArguments:
1927         case CreateActivation:
1928         case NewFunction:
1929         case NewGeneratorFunction:
1930         case NewAsyncGeneratorFunction:
1931         case NewAsyncFunction: {
1932             // Child 1 is always the current scope, which is guaranteed to be an object
1933             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1934             fixEdge<KnownCellUse>(node->child1());
1935             break;
1936         }
1937
1938         case PushWithScope: {
1939             // Child 1 is always the current scope, which is guaranteed to be an object
1940             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1941             fixEdge<KnownCellUse>(node->child1());
1942             if (node->child2()->shouldSpeculateObject())
1943                 fixEdge<ObjectUse>(node->child2());
1944             break;
1945         }
1946
1947         case SetFunctionName: {
1948             // The first child is guaranteed to be a cell because op_set_function_name is only used
1949             // on a newly instantiated function object (the first child).
1950             fixEdge<KnownCellUse>(node->child1());
1951             fixEdge<UntypedUse>(node->child2());
1952             break;
1953         }
1954
1955         case CreateRest: {
1956             watchHavingABadTime(node);
1957             fixEdge<KnownInt32Use>(node->child1());
1958             break;
1959         }
1960
1961         case ResolveScopeForHoistingFuncDeclInEval: {
1962             fixEdge<KnownCellUse>(node->child1());
1963             break;
1964         }
1965         case ResolveScope:
1966         case GetDynamicVar:
1967         case PutDynamicVar: {
1968             fixEdge<KnownCellUse>(node->child1());
1969             break;
1970         }
1971
1972         case LogShadowChickenPrologue: {
1973             fixEdge<KnownCellUse>(node->child1());
1974             break;
1975         }
1976         case LogShadowChickenTail: {
1977             fixEdge<UntypedUse>(node->child1());
1978             fixEdge<KnownCellUse>(node->child2());
1979             break;
1980         }
1981
1982         case GetMapBucket:
1983             if (node->child1().useKind() == MapObjectUse)
1984                 fixEdge<MapObjectUse>(node->child1());
1985             else if (node->child1().useKind() == SetObjectUse)
1986                 fixEdge<SetObjectUse>(node->child1());
1987             else
1988                 RELEASE_ASSERT_NOT_REACHED();
1989
1990 #if USE(JSVALUE64)
1991             if (node->child2()->shouldSpeculateBoolean())
1992                 fixEdge<BooleanUse>(node->child2());
1993             else if (node->child2()->shouldSpeculateInt32())
1994                 fixEdge<Int32Use>(node->child2());
1995             else if (node->child2()->shouldSpeculateSymbol())
1996                 fixEdge<SymbolUse>(node->child2());
1997             else if (node->child2()->shouldSpeculateObject())
1998                 fixEdge<ObjectUse>(node->child2());
1999             else if (node->child2()->shouldSpeculateString())
2000                 fixEdge<StringUse>(node->child2());
2001             else if (node->child2()->shouldSpeculateCell())
2002                 fixEdge<CellUse>(node->child2());
2003             else
2004                 fixEdge<UntypedUse>(node->child2());
2005 #else
2006             fixEdge<UntypedUse>(node->child2());
2007 #endif // USE(JSVALUE64)
2008
2009             fixEdge<Int32Use>(node->child3());
2010             break;
2011
2012         case GetMapBucketHead:
2013             if (node->child1().useKind() == MapObjectUse)
2014                 fixEdge<MapObjectUse>(node->child1());
2015             else if (node->child1().useKind() == SetObjectUse)
2016                 fixEdge<SetObjectUse>(node->child1());
2017             else
2018                 RELEASE_ASSERT_NOT_REACHED();
2019             break;
2020
2021         case GetMapBucketNext:
2022         case LoadKeyFromMapBucket:
2023         case LoadValueFromMapBucket:
2024             fixEdge<CellUse>(node->child1());
2025             break;
2026
2027         case MapHash: {
2028 #if USE(JSVALUE64)
2029             if (node->child1()->shouldSpeculateBoolean()) {
2030                 fixEdge<BooleanUse>(node->child1());
2031                 break;
2032             }
2033
2034             if (node->child1()->shouldSpeculateInt32()) {
2035                 fixEdge<Int32Use>(node->child1());
2036                 break;
2037             }
2038
2039             if (node->child1()->shouldSpeculateSymbol()) {
2040                 fixEdge<SymbolUse>(node->child1());
2041                 break;
2042             }
2043
2044             if (node->child1()->shouldSpeculateObject()) {
2045                 fixEdge<ObjectUse>(node->child1());
2046                 break;
2047             }
2048
2049             if (node->child1()->shouldSpeculateString()) {
2050                 fixEdge<StringUse>(node->child1());
2051                 break;
2052             }
2053
2054             if (node->child1()->shouldSpeculateCell()) {
2055                 fixEdge<CellUse>(node->child1());
2056                 break;
2057             }
2058
2059             fixEdge<UntypedUse>(node->child1());
2060 #else
2061             fixEdge<UntypedUse>(node->child1());
2062 #endif // USE(JSVALUE64)
2063             break;
2064         }
2065
2066         case NormalizeMapKey: {
2067             fixupNormalizeMapKey(node);
2068             break;
2069         }
2070
2071         case WeakMapGet: {
2072             if (node->child1().useKind() == WeakMapObjectUse)
2073                 fixEdge<WeakMapObjectUse>(node->child1());
2074             else if (node->child1().useKind() == WeakSetObjectUse)
2075                 fixEdge<WeakSetObjectUse>(node->child1());
2076             else
2077                 RELEASE_ASSERT_NOT_REACHED();
2078             fixEdge<ObjectUse>(node->child2());
2079             fixEdge<Int32Use>(node->child3());
2080             break;
2081         }
2082
2083         case SetAdd: {
2084             fixEdge<SetObjectUse>(node->child1());
2085             fixEdge<Int32Use>(node->child3());
2086             break;
2087         }
2088
2089         case MapSet: {
2090             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
2091             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2092             break;
2093         }
2094
2095         case WeakSetAdd: {
2096             fixEdge<WeakSetObjectUse>(node->child1());
2097             fixEdge<ObjectUse>(node->child2());
2098             fixEdge<Int32Use>(node->child3());
2099             break;
2100         }
2101
2102         case WeakMapSet: {
2103             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2104             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2105             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2106             break;
2107         }
2108
2109         case DefineDataProperty: {
2110             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2111             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2112             if (propertyEdge->shouldSpeculateSymbol())
2113                 fixEdge<SymbolUse>(propertyEdge);
2114             else if (propertyEdge->shouldSpeculateStringIdent())
2115                 fixEdge<StringIdentUse>(propertyEdge);
2116             else if (propertyEdge->shouldSpeculateString())
2117                 fixEdge<StringUse>(propertyEdge);
2118             else
2119                 fixEdge<UntypedUse>(propertyEdge);
2120             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2121             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2122             break;
2123         }
2124
2125         case StringValueOf: {
2126             fixupStringValueOf(node);
2127             break;
2128         }
2129
2130         case StringSlice: {
2131             fixEdge<StringUse>(node->child1());
2132             fixEdge<Int32Use>(node->child2());
2133             if (node->child3())
2134                 fixEdge<Int32Use>(node->child3());
2135             break;
2136         }
2137
2138         case ToLowerCase: {
2139             // We currently only support StringUse since that will ensure that
2140             // ToLowerCase is a pure operation. If we decide to update this with
2141             // more types in the future, we need to ensure that the clobberize rules
2142             // are correct.
2143             fixEdge<StringUse>(node->child1());
2144             break;
2145         }
2146
2147         case NumberToStringWithRadix: {
2148             if (node->child1()->shouldSpeculateInt32())
2149                 fixEdge<Int32Use>(node->child1());
2150             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2151                 fixEdge<Int52RepUse>(node->child1());
2152             else
2153                 fixEdge<DoubleRepUse>(node->child1());
2154             fixEdge<Int32Use>(node->child2());
2155             break;
2156         }
2157
2158         case DefineAccessorProperty: {
2159             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2160             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2161             if (propertyEdge->shouldSpeculateSymbol())
2162                 fixEdge<SymbolUse>(propertyEdge);
2163             else if (propertyEdge->shouldSpeculateStringIdent())
2164                 fixEdge<StringIdentUse>(propertyEdge);
2165             else if (propertyEdge->shouldSpeculateString())
2166                 fixEdge<StringUse>(propertyEdge);
2167             else
2168                 fixEdge<UntypedUse>(propertyEdge);
2169             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2170             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2171             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2172             break;
2173         }
2174
2175         case CheckSubClass: {
2176             fixupCheckSubClass(node);
2177             break;
2178         }
2179
2180         case CallDOMGetter: {
2181             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2182             fixEdge<CellUse>(node->child1()); // DOM.
2183             if (snippet && snippet->requireGlobalObject)
2184                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2185             break;
2186         }
2187
2188         case CallDOM: {
2189             fixupCallDOM(node);
2190             break;
2191         }
2192
2193         case Call: {
2194             attemptToMakeCallDOM(node);
2195             break;
2196         }
2197
2198         case ParseInt: {
2199             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2200                 fixEdge<Int32Use>(node->child1());
2201                 node->convertToIdentity();
2202                 break;
2203             }
2204
2205             if (node->child1()->shouldSpeculateString()) {
2206                 fixEdge<StringUse>(node->child1());
2207                 node->clearFlags(NodeMustGenerate);
2208             }
2209
2210             if (node->child2())
2211                 fixEdge<Int32Use>(node->child2());
2212
2213             break;
2214         }
2215
2216         case IdentityWithProfile: {
2217             node->clearFlags(NodeMustGenerate);
2218             break;
2219         }
2220
2221         case ThrowStaticError:
2222             fixEdge<StringUse>(node->child1());
2223             break;
2224
2225         case NumberIsInteger:
2226             if (node->child1()->shouldSpeculateInt32()) {
2227                 m_insertionSet.insertNode(
2228                     m_indexInBlock, SpecNone, Check, node->origin,
2229                     Edge(node->child1().node(), Int32Use));
2230                 m_graph.convertToConstant(node, jsBoolean(true));
2231                 break;
2232             }
2233             break;
2234
2235         case SetCallee:
2236             fixEdge<CellUse>(node->child1());
2237             break;
2238
2239         case DataViewGetInt:
2240         case DataViewGetFloat: {
2241             fixEdge<DataViewObjectUse>(node->child1());
2242             fixEdge<Int32Use>(node->child2());
2243             if (node->child3())
2244                 fixEdge<BooleanUse>(node->child3());
2245
2246             if (node->op() == DataViewGetInt) {
2247                 DataViewData data = node->dataViewData();
2248                 switch (data.byteSize) {
2249                 case 1:
2250                 case 2:
2251                     node->setResult(NodeResultInt32);
2252                     break;
2253                 case 4:
2254                     if (data.isSigned)
2255                         node->setResult(NodeResultInt32);
2256                     else
2257                         node->setResult(NodeResultInt52);
2258                     break;
2259                 default:
2260                     RELEASE_ASSERT_NOT_REACHED();
2261                 }
2262             }
2263             break;
2264         }
2265
2266         case DataViewSet: {
2267             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2268             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2269             if (m_graph.varArgChild(node, 3))
2270                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2271             
2272             DataViewData data = node->dataViewData();
2273             Edge& valueToStore = m_graph.varArgChild(node, 2);
2274             if (data.isFloatingPoint)
2275                 fixEdge<DoubleRepUse>(valueToStore);
2276             else {
2277                 switch (data.byteSize) {
2278                 case 1:
2279                 case 2:
2280                     fixEdge<Int32Use>(valueToStore);
2281                     break;
2282                 case 4:
2283                     if (data.isSigned)
2284                         fixEdge<Int32Use>(valueToStore);
2285                     else
2286                         fixEdge<Int52RepUse>(valueToStore);
2287                     break;
2288                 }
2289             }
2290             break;
2291         }
2292
2293 #if !ASSERT_DISABLED
2294         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2295         case SetArgument:
2296         case JSConstant:
2297         case LazyJSConstant:
2298         case DoubleConstant:
2299         case GetLocal:
2300         case GetCallee:
2301         case GetArgumentCountIncludingThis:
2302         case SetArgumentCountIncludingThis:
2303         case GetRestLength:
2304         case GetArgument:
2305         case Flush:
2306         case PhantomLocal:
2307         case GetGlobalVar:
2308         case GetGlobalLexicalVariable:
2309         case NotifyWrite:
2310         case DirectCall:
2311         case CheckTypeInfoFlags:
2312         case TailCallInlinedCaller:
2313         case DirectTailCallInlinedCaller:
2314         case Construct:
2315         case DirectConstruct:
2316         case CallVarargs:
2317         case CallEval:
2318         case TailCallVarargsInlinedCaller:
2319         case ConstructVarargs:
2320         case CallForwardVarargs:
2321         case ConstructForwardVarargs:
2322         case TailCallForwardVarargs:
2323         case TailCallForwardVarargsInlinedCaller:
2324         case LoadVarargs:
2325         case ForwardVarargs:
2326         case ProfileControlFlow:
2327         case NewObject:
2328         case NewRegexp:
2329         case DeleteById:
2330         case DeleteByVal:
2331         case IsTypedArrayView:
2332         case IsEmpty:
2333         case IsUndefined:
2334         case IsBoolean:
2335         case IsNumber:
2336         case IsObjectOrNull:
2337         case IsFunction:
2338         case CreateDirectArguments:
2339         case Jump:
2340         case Return:
2341         case TailCall:
2342         case DirectTailCall:
2343         case TailCallVarargs:
2344         case Throw:
2345         case CountExecution:
2346         case SuperSamplerBegin:
2347         case SuperSamplerEnd:
2348         case ForceOSRExit:
2349         case CheckBadCell:
2350         case CheckNotEmpty:
2351         case AssertNotEmpty:
2352         case CheckTraps:
2353         case Unreachable:
2354         case ExtractOSREntryLocal:
2355         case ExtractCatchLocal:
2356         case ClearCatchLocals:
2357         case LoopHint:
2358         case MovHint:
2359         case InitializeEntrypointArguments:
2360         case ZombieHint:
2361         case ExitOK:
2362         case BottomValue:
2363         case TypeOf:
2364         case PutByIdWithThis:
2365         case PutByValWithThis:
2366         case GetByValWithThis:
2367         case CompareEqPtr:
2368         case NumberToStringWithValidRadixConstant:
2369         case GetGlobalThis:
2370         case ExtractValueFromWeakMapGet:
2371         case CPUIntrinsic:
2372         case FilterCallLinkStatus:
2373         case FilterGetByIdStatus:
2374         case FilterPutByIdStatus:
2375         case FilterInByIdStatus:
2376         case InvalidationPoint:
2377             break;
2378 #else
2379         default:
2380             break;
2381 #endif
2382         }
2383     }
2384
2385     void watchHavingABadTime(Node* node)
2386     {
2387         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2388
2389         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2390         // does an array allocation. The types of array allocations may change if we start to have a bad
2391         // time. It's easier to reason about this if we know that whenever the types change after we start
2392         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2393         // prior to this point nobody should have been doing optimizations based on the indexing type of
2394         // the allocation.
2395         if (!globalObject->isHavingABadTime()) {
2396             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2397             m_graph.freeze(globalObject);
2398         }
2399     }
2400     
2401     template<UseKind useKind>
2402     void createToString(Node* node, Edge& edge)
2403     {
2404         Node* toString = m_insertionSet.insertNode(
2405             m_indexInBlock, SpecString, ToString, node->origin,
2406             Edge(edge.node(), useKind));
2407         switch (useKind) {
2408         case Int32Use:
2409         case Int52RepUse:
2410         case DoubleRepUse:
2411         case NotCellUse:
2412             toString->clearFlags(NodeMustGenerate);
2413             break;
2414         default:
2415             break;
2416         }
2417         edge.setNode(toString);
2418     }
2419     
2420     template<UseKind useKind>
2421     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2422     {
2423         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2424         
2425         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2426             return;
2427         
2428         createToString<useKind>(node, node->child1());
2429         arrayMode = ArrayMode(Array::String, Array::Read);
2430     }
2431     
2432     template<UseKind useKind>
2433     bool isStringObjectUse()
2434     {
2435         switch (useKind) {
2436         case StringObjectUse:
2437         case StringOrStringObjectUse:
2438             return true;
2439         default:
2440             return false;
2441         }
2442     }
2443     
2444     template<UseKind useKind>
2445     void convertStringAddUse(Node* node, Edge& edge)
2446     {
2447         if (useKind == StringUse) {
2448             observeUseKindOnNode<StringUse>(edge.node());
2449             m_insertionSet.insertNode(
2450                 m_indexInBlock, SpecNone, Check, node->origin,
2451                 Edge(edge.node(), StringUse));
2452             edge.setUseKind(KnownStringUse);
2453             return;
2454         }
2455         
2456         observeUseKindOnNode<useKind>(edge.node());
2457         createToString<useKind>(node, edge);
2458     }
2459     
2460     void convertToMakeRope(Node* node)
2461     {
2462         node->setOpAndDefaultFlags(MakeRope);
2463         fixupMakeRope(node);
2464     }
2465     
2466     void fixupMakeRope(Node* node)
2467     {
2468         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2469             Edge& edge = node->children.child(i);
2470             if (!edge)
2471                 break;
2472             edge.setUseKind(KnownStringUse);
2473             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2474             if (!string)
2475                 continue;
2476             if (string->length())
2477                 continue;
2478             
2479             // Don't allow the MakeRope to have zero children.
2480             if (!i && !node->child2())
2481                 break;
2482             
2483             node->children.removeEdge(i--);
2484         }
2485         
2486         if (!node->child2()) {
2487             ASSERT(!node->child3());
2488             node->convertToIdentity();
2489         }
2490     }
2491
2492     void fixupIsCellWithType(Node* node)
2493     {
2494         switch (node->speculatedTypeForQuery()) {
2495         case SpecString:
2496             if (node->child1()->shouldSpeculateString()) {
2497                 m_insertionSet.insertNode(
2498                     m_indexInBlock, SpecNone, Check, node->origin,
2499                     Edge(node->child1().node(), StringUse));
2500                 m_graph.convertToConstant(node, jsBoolean(true));
2501                 observeUseKindOnNode<StringUse>(node);
2502                 return;
2503             }
2504             break;
2505
2506         case SpecProxyObject:
2507             if (node->child1()->shouldSpeculateProxyObject()) {
2508                 m_insertionSet.insertNode(
2509                     m_indexInBlock, SpecNone, Check, node->origin,
2510                     Edge(node->child1().node(), ProxyObjectUse));
2511                 m_graph.convertToConstant(node, jsBoolean(true));
2512                 observeUseKindOnNode<ProxyObjectUse>(node);
2513                 return;
2514             }
2515             break;
2516
2517         case SpecRegExpObject:
2518             if (node->child1()->shouldSpeculateRegExpObject()) {
2519                 m_insertionSet.insertNode(
2520                     m_indexInBlock, SpecNone, Check, node->origin,
2521                     Edge(node->child1().node(), RegExpObjectUse));
2522                 m_graph.convertToConstant(node, jsBoolean(true));
2523                 observeUseKindOnNode<RegExpObjectUse>(node);
2524                 return;
2525             }
2526             break;
2527
2528         case SpecArray:
2529             if (node->child1()->shouldSpeculateArray()) {
2530                 m_insertionSet.insertNode(
2531                     m_indexInBlock, SpecNone, Check, node->origin,
2532                     Edge(node->child1().node(), ArrayUse));
2533                 m_graph.convertToConstant(node, jsBoolean(true));
2534                 observeUseKindOnNode<ArrayUse>(node);
2535                 return;
2536             }
2537             break;
2538
2539         case SpecDerivedArray:
2540             if (node->child1()->shouldSpeculateDerivedArray()) {
2541                 m_insertionSet.insertNode(
2542                     m_indexInBlock, SpecNone, Check, node->origin,
2543                     Edge(node->child1().node(), DerivedArrayUse));
2544                 m_graph.convertToConstant(node, jsBoolean(true));
2545                 observeUseKindOnNode<DerivedArrayUse>(node);
2546                 return;
2547             }
2548             break;
2549         }
2550
2551         if (node->child1()->shouldSpeculateCell()) {
2552             fixEdge<CellUse>(node->child1());
2553             return;
2554         }
2555
2556         if (node->child1()->shouldSpeculateNotCell()) {
2557             m_insertionSet.insertNode(
2558                 m_indexInBlock, SpecNone, Check, node->origin,
2559                 Edge(node->child1().node(), NotCellUse));
2560             m_graph.convertToConstant(node, jsBoolean(false));
2561             observeUseKindOnNode<NotCellUse>(node);
2562             return;
2563         }
2564     }
2565
2566     void fixupGetPrototypeOf(Node* node)
2567     {
2568         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2569         if (node->child1().useKind() != ObjectUse) {
2570             if (node->child1()->shouldSpeculateString()) {
2571                 insertCheck<StringUse>(node->child1().node());
2572                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2573                 return;
2574             }
2575             if (node->child1()->shouldSpeculateInt32()) {
2576                 insertCheck<Int32Use>(node->child1().node());
2577                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2578                 return;
2579             }
2580             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2581                 insertCheck<Int52RepUse>(node->child1().node());
2582                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2583                 return;
2584             }
2585             if (node->child1()->shouldSpeculateNumber()) {
2586                 insertCheck<NumberUse>(node->child1().node());
2587                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2588                 return;
2589             }
2590             if (node->child1()->shouldSpeculateSymbol()) {
2591                 insertCheck<SymbolUse>(node->child1().node());
2592                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2593                 return;
2594             }
2595             if (node->child1()->shouldSpeculateBoolean()) {
2596                 insertCheck<BooleanUse>(node->child1().node());
2597                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2598                 return;
2599             }
2600         }
2601
2602         if (node->child1()->shouldSpeculateFinalObject()) {
2603             fixEdge<FinalObjectUse>(node->child1());
2604             node->clearFlags(NodeMustGenerate);
2605             return;
2606         }
2607         if (node->child1()->shouldSpeculateArray()) {
2608             fixEdge<ArrayUse>(node->child1());
2609             node->clearFlags(NodeMustGenerate);
2610             return;
2611         }
2612         if (node->child1()->shouldSpeculateFunction()) {
2613             fixEdge<FunctionUse>(node->child1());
2614             node->clearFlags(NodeMustGenerate);
2615             return;
2616         }
2617     }
2618
2619     void fixupToThis(Node* node)
2620     {
2621         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2622
2623         if (ecmaMode == StrictMode) {
2624             if (node->child1()->shouldSpeculateBoolean()) {
2625                 fixEdge<BooleanUse>(node->child1());
2626                 node->convertToIdentity();
2627                 return;
2628             }
2629
2630             if (node->child1()->shouldSpeculateInt32()) {
2631                 fixEdge<Int32Use>(node->child1());
2632                 node->convertToIdentity();
2633                 return;
2634             }
2635
2636             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2637                 fixEdge<Int52RepUse>(node->child1());
2638                 node->convertToIdentity();
2639                 node->setResult(NodeResultInt52);
2640                 return;
2641             }
2642
2643             if (node->child1()->shouldSpeculateNumber()) {
2644                 fixEdge<DoubleRepUse>(node->child1());
2645                 node->convertToIdentity();
2646                 node->setResult(NodeResultDouble);
2647                 return;
2648             }
2649
2650             if (node->child1()->shouldSpeculateSymbol()) {
2651                 fixEdge<SymbolUse>(node->child1());
2652                 node->convertToIdentity();
2653                 return;
2654             }
2655
2656             if (node->child1()->shouldSpeculateStringIdent()) {
2657                 fixEdge<StringIdentUse>(node->child1());
2658                 node->convertToIdentity();
2659                 return;
2660             }
2661
2662             if (node->child1()->shouldSpeculateString()) {
2663                 fixEdge<StringUse>(node->child1());
2664                 node->convertToIdentity();
2665                 return;
2666             }
2667             
2668             if (node->child1()->shouldSpeculateBigInt()) {
2669                 fixEdge<BigIntUse>(node->child1());
2670                 node->convertToIdentity();
2671                 return;
2672             }
2673         }
2674
2675         if (node->child1()->shouldSpeculateOther()) {
2676             if (ecmaMode == StrictMode) {
2677                 fixEdge<OtherUse>(node->child1());
2678                 node->convertToIdentity();
2679                 return;
2680             }
2681
2682             m_insertionSet.insertNode(
2683                 m_indexInBlock, SpecNone, Check, node->origin,
2684                 Edge(node->child1().node(), OtherUse));
2685             observeUseKindOnNode<OtherUse>(node->child1().node());
2686             m_graph.convertToConstant(
2687                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2688             return;
2689         }
2690
2691         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2692         // however, since we cover all the missing cases in constant folding.
2693         // https://bugs.webkit.org/show_bug.cgi?id=157213
2694         if (node->child1()->shouldSpeculateStringObject()) {
2695             fixEdge<StringObjectUse>(node->child1());
2696             node->convertToIdentity();
2697             return;
2698         }
2699
2700         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2701             fixEdge<FinalObjectUse>(node->child1());
2702             node->convertToIdentity();
2703             return;
2704         }
2705     }
2706     
2707     void fixupToPrimitive(Node* node)
2708     {
2709         if (node->child1()->shouldSpeculateInt32()) {
2710             fixEdge<Int32Use>(node->child1());
2711             node->convertToIdentity();
2712             return;
2713         }
2714         
2715         if (node->child1()->shouldSpeculateString()) {
2716             fixEdge<StringUse>(node->child1());
2717             node->convertToIdentity();
2718             return;
2719         }
2720         
2721         if (node->child1()->shouldSpeculateStringObject()
2722             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2723             fixEdge<StringObjectUse>(node->child1());
2724             node->convertToToString();
2725             return;
2726         }
2727         
2728         if (node->child1()->shouldSpeculateStringOrStringObject()
2729             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2730             fixEdge<StringOrStringObjectUse>(node->child1());
2731             node->convertToToString();
2732             return;
2733         }
2734     }
2735
2736     void fixupToNumber(Node* node)
2737     {
2738         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2739         if (node->child1()->shouldSpeculateNumber()) {
2740             if (isInt32Speculation(node->getHeapPrediction())) {
2741                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2742                 if (node->child1()->shouldSpeculateInt32()) {
2743                     fixEdge<Int32Use>(node->child1());
2744                     node->convertToIdentity();
2745                     return;
2746                 }
2747
2748                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2749                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2750                 fixEdge<DoubleRepUse>(node->child1());
2751                 node->setOp(DoubleAsInt32);
2752                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2753                     node->setArithMode(Arith::CheckOverflow);
2754                 else
2755                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2756                 return;
2757             }
2758
2759             fixEdge<DoubleRepUse>(node->child1());
2760             node->convertToIdentity();
2761             node->setResult(NodeResultDouble);
2762             return;
2763         }
2764
2765         fixEdge<UntypedUse>(node->child1());
2766         node->setResult(NodeResultJS);
2767     }
2768
2769     void fixupToObject(Node* node)
2770     {
2771         if (node->child1()->shouldSpeculateObject()) {
2772             fixEdge<ObjectUse>(node->child1());
2773             node->convertToIdentity();
2774             return;
2775         }
2776
2777         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2778
2779         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2780
2781         if (node->child1()->shouldSpeculateString()) {
2782             insertCheck<StringUse>(node->child1().node());
2783             fixEdge<KnownStringUse>(node->child1());
2784             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2785             return;
2786         }
2787
2788         if (node->child1()->shouldSpeculateSymbol()) {
2789             insertCheck<SymbolUse>(node->child1().node());
2790             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2791             return;
2792         }
2793
2794         if (node->child1()->shouldSpeculateNumber()) {
2795             insertCheck<NumberUse>(node->child1().node());
2796             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2797             return;
2798         }
2799
2800         if (node->child1()->shouldSpeculateBoolean()) {
2801             insertCheck<BooleanUse>(node->child1().node());
2802             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2803             return;
2804         }
2805
2806         fixEdge<UntypedUse>(node->child1());
2807     }
2808
2809     void fixupCallObjectConstructor(Node* node)
2810     {
2811         if (node->child1()->shouldSpeculateObject()) {
2812             fixEdge<ObjectUse>(node->child1());
2813             node->convertToIdentity();
2814             return;
2815         }
2816
2817         if (node->child1()->shouldSpeculateString()) {
2818             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2819             insertCheck<StringUse>(node->child1().node());
2820             fixEdge<KnownStringUse>(node->child1());
2821             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2822             return;
2823         }
2824
2825         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2826         if (node->child1()->shouldSpeculateOther()) {
2827             insertCheck<OtherUse>(node->child1().node());
2828             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2829             return;
2830         }
2831
2832         fixEdge<UntypedUse>(node->child1());
2833     }
2834     
2835     void fixupToStringOrCallStringConstructor(Node* node)
2836     {
2837         if (node->child1()->shouldSpeculateString()) {
2838             fixEdge<StringUse>(node->child1());
2839             node->convertToIdentity();
2840             return;
2841         }
2842         
2843         if (node->child1()->shouldSpeculateStringObject()
2844             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2845             fixEdge<StringObjectUse>(node->child1());
2846             return;
2847         }
2848         
2849         if (node->child1()->shouldSpeculateStringOrStringObject()
2850             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2851             fixEdge<StringOrStringObjectUse>(node->child1());
2852             return;
2853         }
2854         
2855         if (node->child1()->shouldSpeculateCell()) {
2856             fixEdge<CellUse>(node->child1());
2857             return;
2858         }
2859
2860         if (node->child1()->shouldSpeculateInt32()) {
2861             fixEdge<Int32Use>(node->child1());
2862             node->clearFlags(NodeMustGenerate);
2863             return;
2864         }
2865
2866         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2867             fixEdge<Int52RepUse>(node->child1());
2868             node->clearFlags(NodeMustGenerate);
2869             return;
2870         }
2871
2872         if (node->child1()->shouldSpeculateNumber()) {
2873             fixEdge<DoubleRepUse>(node->child1());
2874             node->clearFlags(NodeMustGenerate);
2875             return;
2876         }
2877
2878         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2879         // we need to care about it in the clobberize. In the following case,
2880         // since NotCellUse edge filter is used and this edge filters Symbols,
2881         // we can say that ToString never throws an error!
2882         if (node->child1()->shouldSpeculateNotCell()) {
2883             fixEdge<NotCellUse>(node->child1());
2884             node->clearFlags(NodeMustGenerate);
2885             return;
2886         }
2887     }
2888
2889     void fixupStringValueOf(Node* node)
2890     {
2891         if (node->child1()->shouldSpeculateString()) {
2892             fixEdge<StringUse>(node->child1());
2893             node->convertToIdentity();
2894             return;
2895         }
2896
2897         if (node->child1()->shouldSpeculateStringObject()) {
2898             fixEdge<StringObjectUse>(node->child1());
2899             node->convertToToString();
2900             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2901             node->clearFlags(NodeMustGenerate);
2902             return;
2903         }
2904
2905         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2906             fixEdge<StringOrStringObjectUse>(node->child1());
2907             node->convertToToString();
2908             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2909             node->clearFlags(NodeMustGenerate);
2910             return;
2911         }
2912     }
2913
2914     bool attemptToMakeFastStringAdd(Node* node)
2915     {
2916         bool goodToGo = true;
2917         m_graph.doToChildren(
2918             node,
2919             [&] (Edge& edge) {
2920                 if (edge->shouldSpeculateString())
2921                     return;
2922                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2923                     if (edge->shouldSpeculateStringObject())
2924                         return;
2925                     if (edge->shouldSpeculateStringOrStringObject())
2926                         return;
2927                 }
2928                 goodToGo = false;
2929             });
2930         if (!goodToGo)
2931             return false;
2932
2933         m_graph.doToChildren(
2934             node,
2935             [&] (Edge& edge) {
2936                 if (edge->shouldSpeculateString()) {
2937                     convertStringAddUse<StringUse>(node, edge);
2938                     return;
2939                 }
2940                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2941                 if (edge->shouldSpeculateStringObject()) {
2942                     convertStringAddUse<StringObjectUse>(node, edge);
2943                     return;
2944                 }
2945                 if (edge->shouldSpeculateStringOrStringObject()) {
2946                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2947                     return;
2948                 }
2949                 RELEASE_ASSERT_NOT_REACHED();
2950             });
2951         
2952         convertToMakeRope(node);
2953         return true;
2954     }
2955
2956     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2957     {
2958         if (!block)
2959             return;
2960         ASSERT(block->isReachable);
2961         m_block = block;
2962         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2963             Node* node = m_currentNode = block->at(m_indexInBlock);
2964             if (node->op() != SetLocal && node->op() != GetLocal)
2965                 continue;
2966             
2967             VariableAccessData* variable = node->variableAccessData();
2968             switch (node->op()) {
2969             case GetLocal:
2970                 switch (variable->flushFormat()) {
2971                 case FlushedDouble:
2972                     node->setResult(NodeResultDouble);
2973                     break;
2974                 case FlushedInt52:
2975                     node->setResult(NodeResultInt52);
2976                     break;
2977                 default:
2978                     break;
2979                 }
2980                 break;
2981                 
2982             case SetLocal:
2983                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2984                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2985                 
2986                 switch (variable->flushFormat()) {
2987                 case FlushedJSValue:
2988                     break;
2989                 case FlushedDouble:
2990                     fixEdge<DoubleRepUse>(node->child1());
2991                     break;
2992                 case FlushedInt32:
2993                     fixEdge<Int32Use>(node->child1());
2994                     break;
2995                 case FlushedInt52:
2996                     fixEdge<Int52RepUse>(node->child1());
2997                     break;
2998                 case FlushedCell:
2999                     fixEdge<CellUse>(node->child1());
3000                     break;
3001                 case FlushedBoolean:
3002                     fixEdge<BooleanUse>(node->child1());
3003                     break;
3004                 default:
3005                     RELEASE_ASSERT_NOT_REACHED();
3006                     break;
3007                 }
3008                 break;
3009                 
3010             default:
3011                 RELEASE_ASSERT_NOT_REACHED();
3012                 break;
3013             }
3014         }
3015         m_insertionSet.execute(block);
3016     }
3017     
3018     void addStringReplacePrimordialChecks(Node* searchRegExp)
3019     {
3020         Node* node = m_currentNode;
3021
3022         // Check that structure of searchRegExp is RegExp object
3023         m_insertionSet.insertNode(
3024             m_indexInBlock, SpecNone, Check, node->origin,
3025             Edge(searchRegExp, RegExpObjectUse));
3026
3027         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
3028             unsigned index = m_graph.identifiers().ensure(propertyUID);
3029
3030             Node* actualProperty = m_insertionSet.insertNode(
3031                 m_indexInBlock, SpecNone, TryGetById, node->origin,
3032                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
3033
3034             m_insertionSet.insertNode(
3035                 m_indexInBlock, SpecNone, CheckCell, node->origin,
3036                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
3037         };
3038
3039         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
3040
3041         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
3042         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
3043         // Check that searchRegExp.global is the primordial RegExp.prototype.global
3044         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
3045         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
3046         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
3047         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
3048         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
3049     }
3050
3051     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
3052     {
3053         ASSERT(arrayMode.isSpecific());
3054         
3055         if (arrayMode.type() == Array::String) {
3056             m_insertionSet.insertNode(
3057                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
3058         } else {
3059             // Note that we only need to be using a structure check if we opt for SaneChain, since
3060             // that needs to protect against JSArray's __proto__ being changed.
3061             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
3062         
3063             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
3064             
3065             if (arrayMode.doesConversion()) {
3066                 if (structure) {
3067                     m_insertionSet.insertNode(
3068                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
3069                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3070                 } else {
3071                     m_insertionSet.insertNode(
3072                         m_indexInBlock, SpecNone, Arrayify, origin,
3073                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
3074                 }
3075             } else {
3076                 if (structure) {
3077                     m_insertionSet.insertNode(
3078                         m_indexInBlock, SpecNone, CheckStructure, origin,
3079                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
3080                 } else {
3081                     m_insertionSet.insertNode(
3082                         m_indexInBlock, SpecNone, CheckArray, origin,
3083                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
3084                 }
3085             }
3086         }
3087         
3088         if (!storageCheck(arrayMode))
3089             return nullptr;
3090         
3091         if (arrayMode.usesButterfly()) {
3092             return m_insertionSet.insertNode(
3093                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
3094         }
3095         
3096         return m_insertionSet.insertNode(
3097             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
3098             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
3099     }
3100     
3101     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
3102     {
3103         Node* node = m_currentNode;
3104         
3105         switch (node->arrayMode().type()) {
3106         case Array::ForceExit: {
3107             m_insertionSet.insertNode(
3108                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
3109             return;
3110         }
3111             
3112         case Array::SelectUsingPredictions:
3113         case Array::Unprofiled:
3114             RELEASE_ASSERT_NOT_REACHED();
3115             return;
3116             
3117         case Array::Generic:
3118             return;
3119             
3120         default: {
3121             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
3122             if (!storage)
3123                 return;
3124             
3125             storageChild = Edge(storage);
3126             return;
3127         } }
3128     }
3129     
3130     bool alwaysUnboxSimplePrimitives()
3131     {
3132 #if USE(JSVALUE64)
3133         return false;
3134 #else
3135         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
3136         // reduces traffic.
3137         return true;
3138 #endif
3139     }
3140
3141     template<UseKind useKind>
3142     void observeUseKindOnNode(Node* node)
3143     {
3144         if (useKind == UntypedUse)
3145             return;
3146         observeUseKindOnNode(node, useKind);
3147     }
3148
3149     void observeUseKindOnEdge(Edge edge)
3150     {
3151         observeUseKindOnNode(edge.node(), edge.useKind());
3152     }
3153
3154     void observeUseKindOnNode(Node* node, UseKind useKind)
3155     {
3156         if (node->op() != GetLocal)
3157             return;
3158         
3159         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
3160         // https://bugs.webkit.org/show_bug.cgi?id=121518
3161         
3162         VariableAccessData* variable = node->variableAccessData();
3163         switch (useKind) {
3164         case Int32Use:
3165         case KnownInt32Use:
3166             if (alwaysUnboxSimplePrimitives()
3167                 || isInt32Speculation(variable->prediction()))
3168                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3169             break;
3170         case NumberUse:
3171         case RealNumberUse:
3172         case DoubleRepUse:
3173         case DoubleRepRealUse:
3174             if (variable->doubleFormatState() == UsingDoubleFormat)
3175                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3176             break;
3177         case BooleanUse:
3178         case KnownBooleanUse:
3179             if (alwaysUnboxSimplePrimitives()
3180                 || isBooleanSpeculation(variable->prediction()))
3181                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3182             break;
3183         case Int52RepUse:
3184             if (isAnyIntSpeculation(variable->prediction()))
3185                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3186             break;
3187         case CellUse:
3188         case KnownCellUse:
3189         case ObjectUse:
3190         case FunctionUse:
3191         case StringUse:
3192         case KnownStringUse:
3193         case SymbolUse:
3194         case BigIntUse:
3195         case StringObjectUse:
3196         case StringOrStringObjectUse:
3197             if (alwaysUnboxSimplePrimitives()
3198                 || isCellSpeculation(variable->prediction()))
3199                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3200             break;
3201         default:
3202             break;
3203         }
3204     }
3205     
3206     template<UseKind useKind>
3207     void fixEdge(Edge& edge)
3208     {
3209         observeUseKindOnNode<useKind>(edge.node());
3210         edge.setUseKind(useKind);
3211     }
3212     
3213     unsigned indexForChecks()
3214     {
3215         unsigned index = m_indexInBlock;
3216         while (!m_block->at(index)->origin.exitOK)
3217             index--;
3218         return index;
3219     }
3220     
3221     NodeOrigin originForCheck(unsigned index)
3222     {
3223         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3224     }
3225     
3226     void speculateForBarrier(Edge value)
3227     {
3228         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3229         // the DFG anyway because if such a speculation would be wrong, we want to know before
3230         // we do an expensive compile.
3231         
3232         if (value->shouldSpeculateInt32()) {
3233             insertCheck<Int32Use>(value.node());
3234             return;
3235         }
3236             
3237         if (value->shouldSpeculateBoolean()) {
3238             insertCheck<BooleanUse>(value.node());
3239             return;
3240         }
3241             
3242         if (value->shouldSpeculateOther()) {
3243             insertCheck<OtherUse>(value.node());
3244             return;
3245         }
3246             
3247         if (value->shouldSpeculateNumber()) {
3248             insertCheck<NumberUse>(value.node());
3249             return;
3250         }
3251             
3252         if (value->shouldSpeculateNotCell()) {
3253             insertCheck<NotCellUse>(value.node());
3254             return;
3255         }
3256     }
3257     
3258     template<UseKind useKind>
3259     void insertCheck(Node* node)
3260     {
3261         observeUseKindOnNode<useKind>(node);
3262         unsigned index = indexForChecks();
3263         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3264     }
3265
3266     void fixIntConvertingEdge(Edge& edge)
3267     {
3268         Node* node = edge.node();
3269         if (node->shouldSpeculateInt32OrBoolean()) {
3270             fixIntOrBooleanEdge(edge);
3271             return;
3272         }
3273         
3274         UseKind useKind;
3275         if (node->shouldSpeculateAnyInt())
3276             useKind = Int52RepUse;
3277         else if (node->shouldSpeculateNumber())
3278             useKind = DoubleRepUse;
3279         else
3280             useKind = NotCellUse;
3281         Node* newNode = m_insertionSet.insertNode(
3282             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3283             Edge(node, useKind));
3284         observeUseKindOnNode(node, useKind);
3285         
3286         edge = Edge(newNode, KnownInt32Use);
3287     }
3288     
3289     void fixIntOrBooleanEdge(Edge& edge)
3290     {
3291         Node* node = edge.node();
3292         if (!node->sawBooleans()) {
3293             fixEdge<Int32Use>(edge);
3294             return;
3295         }
3296         
3297         UseKind useKind;
3298         if (node->shouldSpeculateBoolean())
3299             useKind = BooleanUse;
3300         else
3301             useKind = UntypedUse;
3302         Node* newNode = m_insertionSet.insertNode(
3303             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3304             Edge(node, useKind));
3305         observeUseKindOnNode(node, useKind);
3306         
3307         edge = Edge(newNode, Int32Use);
3308     }
3309     
3310     void fixDoubleOrBooleanEdge(Edge& edge)
3311     {
3312         Node* node = edge.node();
3313         if (!node->sawBooleans()) {
3314             fixEdge<DoubleRepUse>(edge);
3315             return;
3316         }
3317         
3318         UseKind useKind;
3319         if (node->shouldSpeculateBoolean())
3320             useKind = BooleanUse;
3321         else
3322             useKind = UntypedUse;
3323         Node* newNode = m_insertionSet.insertNode(
3324             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3325             Edge(node, useKind));
3326         observeUseKindOnNode(node, useKind);
3327         
3328         edge = Edge(newNode, DoubleRepUse);
3329     }
3330     
3331     void truncateConstantToInt32(Edge& edge)
3332     {
3333         Node* oldNode = edge.node();
3334         
3335         JSValue value = oldNode->asJSValue();
3336         if (value.isInt32())
3337             return;
3338         
3339         value = jsNumber(JSC::toInt32(value.asNumber()));
3340         ASSERT(value.isInt32());
3341         edge.setNode(m_insertionSet.insertNode(
3342             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3343             OpInfo(m_graph.freeze(value))));
3344     }
3345     
3346     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3347     {
3348         if (mode != SpeculateInt32AndTruncateConstants)
3349             return;
3350         
3351         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3352         if (node->child1()->hasConstant())
3353             truncateConstantToInt32(node->child1());
3354         else
3355             truncateConstantToInt32(node->child2());
3356     }
3357
3358     bool attemptToMakeIntegerAdd(Node* node)
3359     {
3360         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3361         if (mode != DontSpeculateInt32) {
3362             truncateConstantsIfNecessary(node, mode);
3363             fixIntOrBooleanEdge(node->child1());
3364             fixIntOrBooleanEdge(node->child2());
3365             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3366                 node->setArithMode(Arith::Unchecked);
3367             else
3368                 node->setArithMode(Arith::CheckOverflow);
3369             return true;
3370         }
3371         
3372         if (m_graph.addShouldSpeculateAnyInt(node)) {
3373             fixEdge<Int52RepUse>(node->child1());
3374             fixEdge<Int52RepUse>(node->child2());
3375             node->setArithMode(Arith::CheckOverflow);
3376             node->setResult(NodeResultInt52);
3377             return true;
3378         }
3379         
3380         return false;
3381     }
3382     
3383     bool attemptToMakeGetArrayLength(Node* node)
3384     {
3385         if (!isInt32Speculation(node->prediction()))
3386             return false;
3387         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3388         ArrayProfile* arrayProfile = 
3389             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3390         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3391         if (arrayProfile) {
3392             ConcurrentJSLocker locker(profiledBlock->m_lock);
3393             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3394             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3395             if (arrayMode.type() == Array::Unprofiled) {
3396                 // For normal array operations, it makes sense to treat Unprofiled
3397                 // accesses as ForceExit and get more data rather than using
3398                 // predictions and then possibly ending up with a Generic. But here,
3399                 // we treat anything that is Unprofiled as Generic and keep the
3400                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3401                 // profit - from treating the Unprofiled case as
3402                 // SelectUsingPredictions.
3403                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3404             }
3405         }
3406             
3407         arrayMode = arrayMode.refine(
3408             m_graph, node, node->child1()->prediction(), node->prediction());
3409             
3410         if (arrayMode.type() == Array::Generic) {
3411             // Check if the input is something that we can't get array length for, but for which we
3412             // could insert some conversions in order to transform it into something that we can do it
3413             // for.
3414             if (node->child1()->shouldSpeculateStringObject())
3415                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3416             else if (node->child1()->shouldSpeculateStringOrStringObject())
3417                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3418         }
3419             
3420         if (!arrayMode.supportsSelfLength())
3421             return false;
3422         
3423         convertToGetArrayLength(node, arrayMode);
3424         return true;
3425     }
3426
3427     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3428     {
3429         node->setOp(GetArrayLength);
3430         node->clearFlags(NodeMustGenerate);
3431         fixEdge<KnownCellUse>(node->child1());
3432         node->setArrayMode(arrayMode);
3433             
3434         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3435         if (!storage)
3436             return;
3437             
3438         node->child2() = Edge(storage);
3439     }
3440     
3441     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3442     {
3443         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3444         return m_insertionSet.insertNode(
3445             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3446             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3447     }
3448
3449     void convertToHasIndexedProperty(Node* node)
3450     {
3451         node->setOp(HasIndexedProperty);
3452         node->clearFlags(NodeMustGenerate);
3453         node->setArrayMode(
3454             node->arrayMode().refine(
3455                 m_graph, node,
3456                 node->child1()->prediction(),
3457                 node->child2()->prediction(),
3458                 SpecNone));
3459         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3460
3461         blessArrayOperation(node->child1(), node->child2(), node->child3());
3462
3463         fixEdge<CellUse>(node->child1());
3464         fixEdge<Int32Use>(node->child2());
3465     }
3466
3467     void fixupNormalizeMapKey(Node* node)
3468     {
3469         if (node->child1()->shouldSpeculateBoolean()) {
3470             fixEdge<BooleanUse>(node->child1());
3471             node->convertToIdentity();
3472             return;
3473         }
3474
3475         if (node->child1()->shouldSpeculateInt32()) {
3476             fixEdge<Int32Use>(node->child1());
3477             node->convertToIdentity();
3478             return;
3479         }
3480
3481         if (node->child1()->shouldSpeculateSymbol()) {
3482             fixEdge<SymbolUse>(node->child1());
3483             node->convertToIdentity();
3484             return;
3485         }
3486
3487         if (node->child1()->shouldSpeculateObject()) {
3488             fixEdge<ObjectUse>(node->child1());
3489             node->convertToIdentity();
3490             return;
3491         }
3492
3493         if (node->child1()->shouldSpeculateString()) {
3494             fixEdge<StringUse>(node->child1());
3495             node->convertToIdentity();
3496             return;
3497         }
3498
3499         if (node->child1()->shouldSpeculateCell()) {
3500             fixEdge<CellUse>(node->child1());
3501             node->convertToIdentity();
3502             return;
3503         }
3504
3505         fixEdge<UntypedUse>(node->child1());
3506     }
3507
3508     bool attemptToMakeCallDOM(Node* node)
3509     {
3510         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3511             return false;
3512
3513         const DOMJIT::Signature* signature = node->signature();
3514         if (!signature)
3515             return false;
3516
3517         {
3518             unsigned index = 0;
3519             bool shouldConvertToCallDOM = true;
3520             m_graph.doToChildren(node, [&](Edge& edge) {
3521                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3522                 if (!index)
3523                     return;
3524
3525                 if (index == 1) {
3526                     // DOM node case.
3527                     if (edge->shouldSpeculateNotCell())
3528                         shouldConvertToCallDOM = false;
3529                 } else {
3530                     switch (signature->arguments[index - 2]) {
3531                     case SpecString:
3532                         if (edge->shouldSpeculateNotString())
3533                             shouldConvertToCallDOM = false;
3534                         break;
3535                     case SpecInt32Only:
3536                         if (edge->shouldSpeculateNotInt32())
3537                             shouldConvertToCallDOM = false;
3538                         break;
3539                     case SpecBoolean:
3540                         if (edge->shouldSpeculateNotBoolean())
3541                           &n