[JSC] Pass VM& parameter as much as possible
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149
150         case ValueNegate: {
151             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
152                 node->setOp(ArithNegate);
153                 fixIntOrBooleanEdge(node->child1());
154                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
155                     node->setArithMode(Arith::Unchecked);
156                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
157                     node->setArithMode(Arith::CheckOverflow);
158                 else
159                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
160                 node->setResult(NodeResultInt32);
161                 node->clearFlags(NodeMustGenerate);
162                 break;
163             }
164             
165             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
166                 node->setOp(ArithNegate);
167                 fixEdge<Int52RepUse>(node->child1());
168                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
169                     node->setArithMode(Arith::CheckOverflow);
170                 else
171                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
172                 node->setResult(NodeResultInt52);
173                 node->clearFlags(NodeMustGenerate);
174                 break;
175             }
176             if (node->child1()->shouldSpeculateNotCell()) {
177                 node->setOp(ArithNegate);
178                 fixDoubleOrBooleanEdge(node->child1());
179                 node->setResult(NodeResultDouble);
180                 node->clearFlags(NodeMustGenerate);
181             } else {
182                 fixEdge<UntypedUse>(node->child1());
183                 node->setResult(NodeResultJS);
184             }
185             break;
186         }
187
188         case ValueAdd: {
189             if (attemptToMakeIntegerAdd(node)) {
190                 node->setOp(ArithAdd);
191                 break;
192             }
193             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
194                 fixDoubleOrBooleanEdge(node->child1());
195                 fixDoubleOrBooleanEdge(node->child2());
196                 node->setOp(ArithAdd);
197                 node->setResult(NodeResultDouble);
198                 break;
199             }
200             
201             if (attemptToMakeFastStringAdd(node))
202                 break;
203
204             Edge& child1 = node->child1();
205             Edge& child2 = node->child2();
206             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
207                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
208                     auto convertString = [&](Node* node, Edge& edge) {
209                         if (edge->shouldSpeculateInt32())
210                             convertStringAddUse<Int32Use>(node, edge);
211                         else {
212                             ASSERT(edge->shouldSpeculateString());
213                             convertStringAddUse<StringUse>(node, edge);
214                         }
215                     };
216                     convertString(node, child1);
217                     convertString(node, child2);
218                     convertToMakeRope(node);
219                     break;
220                 }
221             }
222
223             fixEdge<UntypedUse>(child1);
224             fixEdge<UntypedUse>(child2);
225             node->setResult(NodeResultJS);
226             break;
227         }
228
229         case StrCat: {
230             if (attemptToMakeFastStringAdd(node))
231                 break;
232
233             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
234             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
235             // the implementation of StrCat doesn't dynamically optimize for empty strings.
236             // https://bugs.webkit.org/show_bug.cgi?id=148540
237             m_graph.doToChildren(
238                 node,
239                 [&] (Edge& edge) {
240                     fixEdge<KnownPrimitiveUse>(edge);
241                     // StrCat automatically coerces the values into strings before concatenating them.
242                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
243                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
244                     // our runtime functions for this slow path expect that they will never be passed
245                     // Symbols.
246                     m_insertionSet.insertNode(
247                         m_indexInBlock, SpecNone, Check, node->origin,
248                         Edge(edge.node(), NotSymbolUse));
249                 });
250             break;
251         }
252             
253         case MakeRope: {
254             fixupMakeRope(node);
255             break;
256         }
257             
258         case ArithAdd:
259         case ArithSub: {
260             if (op == ArithSub
261                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
262                 fixEdge<UntypedUse>(node->child1());
263                 fixEdge<UntypedUse>(node->child2());
264                 node->setResult(NodeResultJS);
265                 break;
266             }
267             if (attemptToMakeIntegerAdd(node))
268                 break;
269             fixDoubleOrBooleanEdge(node->child1());
270             fixDoubleOrBooleanEdge(node->child2());
271             node->setResult(NodeResultDouble);
272             break;
273         }
274             
275         case ArithNegate: {
276             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
277                 fixIntOrBooleanEdge(node->child1());
278                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
279                     node->setArithMode(Arith::Unchecked);
280                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
281                     node->setArithMode(Arith::CheckOverflow);
282                 else
283                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
284                 node->setResult(NodeResultInt32);
285                 node->clearFlags(NodeMustGenerate);
286                 break;
287             }
288             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
289                 fixEdge<Int52RepUse>(node->child1());
290                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
291                     node->setArithMode(Arith::CheckOverflow);
292                 else
293                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
294                 node->setResult(NodeResultInt52);
295                 node->clearFlags(NodeMustGenerate);
296                 break;
297             }
298
299             fixDoubleOrBooleanEdge(node->child1());
300             node->setResult(NodeResultDouble);
301             node->clearFlags(NodeMustGenerate);
302             break;
303         }
304             
305         case ArithMul: {
306             Edge& leftChild = node->child1();
307             Edge& rightChild = node->child2();
308             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
309                 fixEdge<UntypedUse>(leftChild);
310                 fixEdge<UntypedUse>(rightChild);
311                 node->setResult(NodeResultJS);
312                 break;
313             }
314             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
315                 fixIntOrBooleanEdge(leftChild);
316                 fixIntOrBooleanEdge(rightChild);
317                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
318                     node->setArithMode(Arith::Unchecked);
319                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
320                     || leftChild.node() == rightChild.node())
321                     node->setArithMode(Arith::CheckOverflow);
322                 else
323                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
324                 break;
325             }
326             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
327                 fixEdge<Int52RepUse>(leftChild);
328                 fixEdge<Int52RepUse>(rightChild);
329                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
330                     || leftChild.node() == rightChild.node())
331                     node->setArithMode(Arith::CheckOverflow);
332                 else
333                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
334                 node->setResult(NodeResultInt52);
335                 break;
336             }
337             fixDoubleOrBooleanEdge(leftChild);
338             fixDoubleOrBooleanEdge(rightChild);
339             node->setResult(NodeResultDouble);
340             break;
341         }
342
343         case ArithDiv:
344         case ArithMod: {
345             Edge& leftChild = node->child1();
346             Edge& rightChild = node->child2();
347             if (op == ArithDiv
348                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
349                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
350                 fixEdge<UntypedUse>(leftChild);
351                 fixEdge<UntypedUse>(rightChild);
352                 node->setResult(NodeResultJS);
353                 break;
354             }
355             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
356                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
357                     fixIntOrBooleanEdge(leftChild);
358                     fixIntOrBooleanEdge(rightChild);
359                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
360                         node->setArithMode(Arith::Unchecked);
361                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
362                         node->setArithMode(Arith::CheckOverflow);
363                     else
364                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
365                     break;
366                 }
367                 
368                 // This will cause conversion nodes to be inserted later.
369                 fixDoubleOrBooleanEdge(leftChild);
370                 fixDoubleOrBooleanEdge(rightChild);
371                 
372                 // We don't need to do ref'ing on the children because we're stealing them from
373                 // the original division.
374                 Node* newDivision = m_insertionSet.insertNode(
375                     m_indexInBlock, SpecBytecodeDouble, *node);
376                 newDivision->setResult(NodeResultDouble);
377                 
378                 node->setOp(DoubleAsInt32);
379                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
380                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
381                     node->setArithMode(Arith::CheckOverflow);
382                 else
383                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
384                 break;
385             }
386             fixDoubleOrBooleanEdge(leftChild);
387             fixDoubleOrBooleanEdge(rightChild);
388             node->setResult(NodeResultDouble);
389             break;
390         }
391             
392         case ArithMin:
393         case ArithMax: {
394             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
395                 fixIntOrBooleanEdge(node->child1());
396                 fixIntOrBooleanEdge(node->child2());
397                 break;
398             }
399             fixDoubleOrBooleanEdge(node->child1());
400             fixDoubleOrBooleanEdge(node->child2());
401             node->setResult(NodeResultDouble);
402             break;
403         }
404             
405         case ArithAbs: {
406             if (node->child1()->shouldSpeculateInt32OrBoolean()
407                 && node->canSpeculateInt32(FixupPass)) {
408                 fixIntOrBooleanEdge(node->child1());
409                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
410                     node->setArithMode(Arith::Unchecked);
411                 else
412                     node->setArithMode(Arith::CheckOverflow);
413                 node->clearFlags(NodeMustGenerate);
414                 node->setResult(NodeResultInt32);
415                 break;
416             }
417
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420                 node->clearFlags(NodeMustGenerate);
421             } else
422                 fixEdge<UntypedUse>(node->child1());
423             node->setResult(NodeResultDouble);
424             break;
425         }
426
427         case ArithPow: {
428             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
429                 fixDoubleOrBooleanEdge(node->child1());
430                 fixIntOrBooleanEdge(node->child2());
431                 break;
432             }
433
434             fixDoubleOrBooleanEdge(node->child1());
435             fixDoubleOrBooleanEdge(node->child2());
436             break;
437         }
438
439         case ArithRandom: {
440             node->setResult(NodeResultDouble);
441             break;
442         }
443
444         case ArithRound:
445         case ArithFloor:
446         case ArithCeil:
447         case ArithTrunc: {
448             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
449                 fixIntOrBooleanEdge(node->child1());
450                 insertCheck<Int32Use>(node->child1().node());
451                 node->convertToIdentity();
452                 break;
453             }
454             if (node->child1()->shouldSpeculateNotCell()) {
455                 fixDoubleOrBooleanEdge(node->child1());
456
457                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
458                     node->setResult(NodeResultInt32);
459                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
460                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
461                     else
462                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
463                 } else {
464                     node->setResult(NodeResultDouble);
465                     node->setArithRoundingMode(Arith::RoundingMode::Double);
466                 }
467                 node->clearFlags(NodeMustGenerate);
468             } else
469                 fixEdge<UntypedUse>(node->child1());
470             break;
471         }
472
473         case ArithFRound:
474         case ArithSqrt:
475         case ArithUnary: {
476             Edge& child1 = node->child1();
477             if (child1->shouldSpeculateNotCell()) {
478                 fixDoubleOrBooleanEdge(child1);
479                 node->clearFlags(NodeMustGenerate);
480             } else
481                 fixEdge<UntypedUse>(child1);
482             break;
483         }
484             
485         case LogicalNot: {
486             if (node->child1()->shouldSpeculateBoolean()) {
487                 if (node->child1()->result() == NodeResultBoolean) {
488                     // This is necessary in case we have a bytecode instruction implemented by:
489                     //
490                     // a: CompareEq(...)
491                     // b: LogicalNot(@a)
492                     //
493                     // In that case, CompareEq might have a side-effect. Then, we need to make
494                     // sure that we know that Branch does not exit.
495                     fixEdge<KnownBooleanUse>(node->child1());
496                 } else
497                     fixEdge<BooleanUse>(node->child1());
498             } else if (node->child1()->shouldSpeculateObjectOrOther())
499                 fixEdge<ObjectOrOtherUse>(node->child1());
500             else if (node->child1()->shouldSpeculateInt32OrBoolean())
501                 fixIntOrBooleanEdge(node->child1());
502             else if (node->child1()->shouldSpeculateNumber())
503                 fixEdge<DoubleRepUse>(node->child1());
504             else if (node->child1()->shouldSpeculateString())
505                 fixEdge<StringUse>(node->child1());
506             else if (node->child1()->shouldSpeculateStringOrOther())
507                 fixEdge<StringOrOtherUse>(node->child1());
508             else {
509                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
510                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
511                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
512             }
513             break;
514         }
515
516         case CompareEq:
517         case CompareLess:
518         case CompareLessEq:
519         case CompareGreater:
520         case CompareGreaterEq: {
521             if (node->op() == CompareEq
522                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
523                 fixEdge<BooleanUse>(node->child1());
524                 fixEdge<BooleanUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
529                 fixIntOrBooleanEdge(node->child1());
530                 fixIntOrBooleanEdge(node->child2());
531                 node->clearFlags(NodeMustGenerate);
532                 break;
533             }
534             if (enableInt52()
535                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
536                 fixEdge<Int52RepUse>(node->child1());
537                 fixEdge<Int52RepUse>(node->child2());
538                 node->clearFlags(NodeMustGenerate);
539                 break;
540             }
541             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
542                 fixDoubleOrBooleanEdge(node->child1());
543                 fixDoubleOrBooleanEdge(node->child2());
544             }
545             if (node->op() != CompareEq
546                 && node->child1()->shouldSpeculateNotCell()
547                 && node->child2()->shouldSpeculateNotCell()) {
548                 if (node->child1()->shouldSpeculateNumberOrBoolean())
549                     fixDoubleOrBooleanEdge(node->child1());
550                 else
551                     fixEdge<DoubleRepUse>(node->child1());
552                 if (node->child2()->shouldSpeculateNumberOrBoolean())
553                     fixDoubleOrBooleanEdge(node->child2());
554                 else
555                     fixEdge<DoubleRepUse>(node->child2());
556                 node->clearFlags(NodeMustGenerate);
557                 break;
558             }
559             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
560                 fixEdge<StringIdentUse>(node->child1());
561                 fixEdge<StringIdentUse>(node->child2());
562                 node->clearFlags(NodeMustGenerate);
563                 break;
564             }
565             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
566                 fixEdge<StringUse>(node->child1());
567                 fixEdge<StringUse>(node->child2());
568                 node->clearFlags(NodeMustGenerate);
569                 break;
570             }
571
572             if (node->op() != CompareEq)
573                 break;
574             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
575                 fixEdge<SymbolUse>(node->child1());
576                 fixEdge<SymbolUse>(node->child2());
577                 node->clearFlags(NodeMustGenerate);
578                 break;
579             }
580             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
581                 fixEdge<ObjectUse>(node->child1());
582                 fixEdge<ObjectUse>(node->child2());
583                 node->clearFlags(NodeMustGenerate);
584                 break;
585             }
586
587             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
588             bool oneArgumentIsUsedAsSpecOther = false;
589             if (node->child1()->isUndefinedOrNullConstant()) {
590                 fixEdge<OtherUse>(node->child1());
591                 oneArgumentIsUsedAsSpecOther = true;
592             } else if (node->child1()->shouldSpeculateOther()) {
593                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
594                     Edge(node->child1().node(), OtherUse));
595                 fixEdge<OtherUse>(node->child1());
596                 oneArgumentIsUsedAsSpecOther = true;
597             }
598             if (node->child2()->isUndefinedOrNullConstant()) {
599                 fixEdge<OtherUse>(node->child2());
600                 oneArgumentIsUsedAsSpecOther = true;
601             } else if (node->child2()->shouldSpeculateOther()) {
602                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
603                     Edge(node->child2().node(), OtherUse));
604                 fixEdge<OtherUse>(node->child2());
605                 oneArgumentIsUsedAsSpecOther = true;
606             }
607             if (oneArgumentIsUsedAsSpecOther) {
608                 node->clearFlags(NodeMustGenerate);
609                 break;
610             }
611
612             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
613                 fixEdge<ObjectUse>(node->child1());
614                 fixEdge<ObjectOrOtherUse>(node->child2());
615                 node->clearFlags(NodeMustGenerate);
616                 break;
617             }
618             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
619                 fixEdge<ObjectOrOtherUse>(node->child1());
620                 fixEdge<ObjectUse>(node->child2());
621                 node->clearFlags(NodeMustGenerate);
622                 break;
623             }
624
625             break;
626         }
627             
628         case CompareStrictEq:
629         case SameValue: {
630             fixupCompareStrictEqAndSameValue(node);
631             break;
632         }
633
634         case StringFromCharCode:
635             if (node->child1()->shouldSpeculateInt32()) {
636                 fixEdge<Int32Use>(node->child1());
637                 node->clearFlags(NodeMustGenerate);
638             } else
639                 fixEdge<UntypedUse>(node->child1());
640             break;
641
642         case StringCharAt:
643         case StringCharCodeAt: {
644             // Currently we have no good way of refining these.
645             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
646             blessArrayOperation(node->child1(), node->child2(), node->child3());
647             fixEdge<KnownCellUse>(node->child1());
648             fixEdge<Int32Use>(node->child2());
649             break;
650         }
651
652         case GetByVal: {
653             if (!node->prediction()) {
654                 m_insertionSet.insertNode(
655                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
656             }
657             
658             node->setArrayMode(
659                 node->arrayMode().refine(
660                     m_graph, node,
661                     m_graph.varArgChild(node, 0)->prediction(),
662                     m_graph.varArgChild(node, 1)->prediction(),
663                     SpecNone));
664             
665             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
666             
667             ArrayMode arrayMode = node->arrayMode();
668             switch (arrayMode.type()) {
669             case Array::Contiguous:
670             case Array::Double:
671                 if (arrayMode.arrayClass() == Array::OriginalArray
672                     && arrayMode.speculation() == Array::InBounds) {
673                     // Check if SaneChain will work on a per-type basis. Note that:
674                     //
675                     // 1) We don't want double arrays to sometimes return undefined, since
676                     // that would require a change to the return type and it would pessimise
677                     // things a lot. So, we'd only want to do that if we actually had
678                     // evidence that we could read from a hole. That's pretty annoying.
679                     // Likely the best way to handle that case is with an equivalent of
680                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
681                     // NaN are indistinguishable according to backwards propagation, and just
682                     // use SaneChain in that case. This happens to catch a lot of cases.
683                     //
684                     // 2) We don't want int32 array loads to have to do a hole check just to
685                     // coerce to Undefined, since that would mean twice the checks.
686                     //
687                     // This has two implications. First, we have to do more checks than we'd
688                     // like. It's unfortunate that we have to do the hole check. Second,
689                     // some accesses that hit a hole will now need to take the full-blown
690                     // out-of-bounds slow path. We can fix that with:
691                     // https://bugs.webkit.org/show_bug.cgi?id=144668
692                     
693                     bool canDoSaneChain = false;
694                     switch (arrayMode.type()) {
695                     case Array::Contiguous:
696                         // This is happens to be entirely natural. We already would have
697                         // returned any JSValue, and now we'll return Undefined. We still do
698                         // the check but it doesn't require taking any kind of slow path.
699                         canDoSaneChain = true;
700                         break;
701                         
702                     case Array::Double:
703                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
704                             // Holes look like NaN already, so if the user doesn't care
705                             // about the difference between Undefined and NaN then we can
706                             // do this.
707                             canDoSaneChain = true;
708                         }
709                         break;
710                         
711                     default:
712                         break;
713                     }
714                     
715                     if (canDoSaneChain) {
716                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
717                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
718                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
719                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
720                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
721                             && globalObject->arrayPrototypeChainIsSane()) {
722                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
723                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
724                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
725                         }
726                     }
727                 }
728                 break;
729                 
730             case Array::String:
731                 if ((node->prediction() & ~SpecString)
732                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
733                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
734                 break;
735                 
736             default:
737                 break;
738             }
739             
740             arrayMode = node->arrayMode();
741             switch (arrayMode.type()) {
742             case Array::SelectUsingPredictions:
743             case Array::Unprofiled:
744                 RELEASE_ASSERT_NOT_REACHED();
745                 break;
746             case Array::Generic:
747                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
748                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
749                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
750                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
751                         break;
752                     }
753
754                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
755                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
756                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
757                         break;
758                     }
759                 }
760 #if USE(JSVALUE32_64)
761                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
762 #endif
763                 break;
764             case Array::ForceExit:
765                 break;
766             default:
767                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
768                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
769                 break;
770             }
771             
772             switch (arrayMode.type()) {
773             case Array::Double:
774                 if (!arrayMode.isOutOfBounds())
775                     node->setResult(NodeResultDouble);
776                 break;
777                 
778             case Array::Float32Array:
779             case Array::Float64Array:
780                 node->setResult(NodeResultDouble);
781                 break;
782                 
783             case Array::Uint32Array:
784                 if (node->shouldSpeculateInt32())
785                     break;
786                 if (node->shouldSpeculateAnyInt() && enableInt52())
787                     node->setResult(NodeResultInt52);
788                 else
789                     node->setResult(NodeResultDouble);
790                 break;
791                 
792             default:
793                 break;
794             }
795             
796             break;
797         }
798
799         case PutByValDirect:
800         case PutByVal:
801         case PutByValAlias: {
802             Edge& child1 = m_graph.varArgChild(node, 0);
803             Edge& child2 = m_graph.varArgChild(node, 1);
804             Edge& child3 = m_graph.varArgChild(node, 2);
805
806             node->setArrayMode(
807                 node->arrayMode().refine(
808                     m_graph, node,
809                     child1->prediction(),
810                     child2->prediction(),
811                     child3->prediction()));
812             
813             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
814             
815             switch (node->arrayMode().modeForPut().type()) {
816             case Array::SelectUsingPredictions:
817             case Array::SelectUsingArguments:
818             case Array::Unprofiled:
819             case Array::Undecided:
820                 RELEASE_ASSERT_NOT_REACHED();
821                 break;
822             case Array::ForceExit:
823             case Array::Generic:
824                 if (child1->shouldSpeculateCell()) {
825                     if (child2->shouldSpeculateString()) {
826                         fixEdge<CellUse>(child1);
827                         fixEdge<StringUse>(child2);
828                         break;
829                     }
830
831                     if (child2->shouldSpeculateSymbol()) {
832                         fixEdge<CellUse>(child1);
833                         fixEdge<SymbolUse>(child2);
834                         break;
835                     }
836                 }
837 #if USE(JSVALUE32_64)
838                 // Due to register pressure on 32-bit, we speculate cell and
839                 // ignore the base-is-not-cell case entirely by letting the
840                 // baseline JIT handle it.
841                 fixEdge<CellUse>(child1);
842 #endif
843                 break;
844             case Array::Int32:
845                 fixEdge<KnownCellUse>(child1);
846                 fixEdge<Int32Use>(child2);
847                 fixEdge<Int32Use>(child3);
848                 break;
849             case Array::Double:
850                 fixEdge<KnownCellUse>(child1);
851                 fixEdge<Int32Use>(child2);
852                 fixEdge<DoubleRepRealUse>(child3);
853                 break;
854             case Array::Int8Array:
855             case Array::Int16Array:
856             case Array::Int32Array:
857             case Array::Uint8Array:
858             case Array::Uint8ClampedArray:
859             case Array::Uint16Array:
860             case Array::Uint32Array:
861                 fixEdge<KnownCellUse>(child1);
862                 fixEdge<Int32Use>(child2);
863                 if (child3->shouldSpeculateInt32())
864                     fixIntOrBooleanEdge(child3);
865                 else if (child3->shouldSpeculateAnyInt())
866                     fixEdge<Int52RepUse>(child3);
867                 else
868                     fixDoubleOrBooleanEdge(child3);
869                 break;
870             case Array::Float32Array:
871             case Array::Float64Array:
872                 fixEdge<KnownCellUse>(child1);
873                 fixEdge<Int32Use>(child2);
874                 fixDoubleOrBooleanEdge(child3);
875                 break;
876             case Array::Contiguous:
877             case Array::ArrayStorage:
878             case Array::SlowPutArrayStorage:
879                 fixEdge<KnownCellUse>(child1);
880                 fixEdge<Int32Use>(child2);
881                 speculateForBarrier(child3);
882                 break;
883             default:
884                 fixEdge<KnownCellUse>(child1);
885                 fixEdge<Int32Use>(child2);
886                 break;
887             }
888             break;
889         }
890             
891         case AtomicsAdd:
892         case AtomicsAnd:
893         case AtomicsCompareExchange:
894         case AtomicsExchange:
895         case AtomicsLoad:
896         case AtomicsOr:
897         case AtomicsStore:
898         case AtomicsSub:
899         case AtomicsXor: {
900             Edge& base = m_graph.child(node, 0);
901             Edge& index = m_graph.child(node, 1);
902             
903             bool badNews = false;
904             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
905                 Edge& child = m_graph.child(node, 2 + i);
906                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
907                 // just call the function when that happens. But the FTL is totally cool with those
908                 // conversions.
909                 if (!child->shouldSpeculateInt32()
910                     && !child->shouldSpeculateAnyInt()
911                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
912                     badNews = true;
913             }
914             
915             if (badNews) {
916                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
917                 break;
918             }
919             
920             node->setArrayMode(
921                 node->arrayMode().refine(
922                     m_graph, node, base->prediction(), index->prediction()));
923             
924             if (node->arrayMode().type() == Array::Generic)
925                 break;
926             
927             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
928                 Edge& child = m_graph.child(node, 2 + i);
929                 if (child->shouldSpeculateInt32())
930                     fixIntOrBooleanEdge(child);
931                 else if (child->shouldSpeculateAnyInt())
932                     fixEdge<Int52RepUse>(child);
933                 else {
934                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
935                     fixDoubleOrBooleanEdge(child);
936                 }
937             }
938             
939             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
940             fixEdge<CellUse>(base);
941             fixEdge<Int32Use>(index);
942             
943             if (node->arrayMode().type() == Array::Uint32Array) {
944                 // NOTE: This means basically always doing Int52.
945                 if (node->shouldSpeculateAnyInt() && enableInt52())
946                     node->setResult(NodeResultInt52);
947                 else
948                     node->setResult(NodeResultDouble);
949             }
950             break;
951         }
952             
953         case AtomicsIsLockFree:
954             if (node->child1()->shouldSpeculateInt32())
955                 fixIntOrBooleanEdge(node->child1());
956             break;
957             
958         case ArrayPush: {
959             // May need to refine the array mode in case the value prediction contravenes
960             // the array prediction. For example, we may have evidence showing that the
961             // array is in Int32 mode, but the value we're storing is likely to be a double.
962             // Then we should turn this into a conversion to Double array followed by the
963             // push. On the other hand, we absolutely don't want to refine based on the
964             // base prediction. If it has non-cell garbage in it, then we want that to be
965             // ignored. That's because ArrayPush can't handle any array modes that aren't
966             // array-related - so if refine() turned this into a "Generic" ArrayPush then
967             // that would break things.
968             Edge& storageEdge = m_graph.varArgChild(node, 0);
969             Edge& arrayEdge = m_graph.varArgChild(node, 1);
970             unsigned elementOffset = 2;
971             unsigned elementCount = node->numChildren() - elementOffset;
972             for (unsigned i = 0; i < elementCount; ++i) {
973                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
974                 node->setArrayMode(
975                     node->arrayMode().refine(
976                         m_graph, node,
977                         arrayEdge->prediction() & SpecCell,
978                         SpecInt32Only,
979                         element->prediction()));
980             }
981             blessArrayOperation(arrayEdge, Edge(), storageEdge);
982             fixEdge<KnownCellUse>(arrayEdge);
983
984             // Convert `array.push()` to GetArrayLength.
985             if (!elementCount && node->arrayMode().supportsSelfLength()) {
986                 node->setOpAndDefaultFlags(GetArrayLength);
987                 node->child1() = arrayEdge;
988                 node->child2() = storageEdge;
989                 fixEdge<KnownCellUse>(node->child1());
990                 break;
991             }
992
993             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
994             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
995             for (unsigned i = 0; i < elementCount; ++i) {
996                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
997                 switch (node->arrayMode().type()) {
998                 case Array::Int32:
999                     insertCheck<Int32Use>(element.node());
1000                     fixEdge<KnownInt32Use>(element);
1001                     break;
1002                 case Array::Double:
1003                     insertCheck<DoubleRepRealUse>(element.node());
1004                     fixEdge<DoubleRepUse>(element);
1005                     break;
1006                 case Array::Contiguous:
1007                 case Array::ArrayStorage:
1008                     speculateForBarrier(element);
1009                     break;
1010                 default:
1011                     break;
1012                 }
1013                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1014             }
1015             break;
1016         }
1017             
1018         case ArrayPop: {
1019             blessArrayOperation(node->child1(), Edge(), node->child2());
1020             fixEdge<KnownCellUse>(node->child1());
1021             break;
1022         }
1023
1024         case ArraySlice: {
1025             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1026             if (node->numChildren() >= 3) {
1027                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1028                 if (node->numChildren() == 4)
1029                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1030             }
1031             break;
1032         }
1033
1034         case ArrayIndexOf:
1035             fixupArrayIndexOf(node);
1036             break;
1037             
1038         case RegExpExec:
1039         case RegExpTest: {
1040             fixEdge<KnownCellUse>(node->child1());
1041             
1042             if (node->child2()->shouldSpeculateRegExpObject()) {
1043                 fixEdge<RegExpObjectUse>(node->child2());
1044
1045                 if (node->child3()->shouldSpeculateString())
1046                     fixEdge<StringUse>(node->child3());
1047             }
1048             break;
1049         }
1050
1051         case RegExpMatchFast: {
1052             fixEdge<KnownCellUse>(node->child1());
1053             fixEdge<RegExpObjectUse>(node->child2());
1054             fixEdge<StringUse>(node->child3());
1055             break;
1056         }
1057
1058         case StringReplace:
1059         case StringReplaceRegExp: {
1060             if (node->child2()->shouldSpeculateString()) {
1061                 m_insertionSet.insertNode(
1062                     m_indexInBlock, SpecNone, Check, node->origin,
1063                     Edge(node->child2().node(), StringUse));
1064                 fixEdge<StringUse>(node->child2());
1065             } else if (op == StringReplace) {
1066                 if (node->child2()->shouldSpeculateRegExpObject())
1067                     addStringReplacePrimordialChecks(node->child2().node());
1068                 else 
1069                     m_insertionSet.insertNode(
1070                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1071             }
1072
1073             if (node->child1()->shouldSpeculateString()
1074                 && node->child2()->shouldSpeculateRegExpObject()
1075                 && node->child3()->shouldSpeculateString()) {
1076
1077                 fixEdge<StringUse>(node->child1());
1078                 fixEdge<RegExpObjectUse>(node->child2());
1079                 fixEdge<StringUse>(node->child3());
1080                 break;
1081             }
1082             break;
1083         }
1084             
1085         case Branch: {
1086             if (node->child1()->shouldSpeculateBoolean()) {
1087                 if (node->child1()->result() == NodeResultBoolean) {
1088                     // This is necessary in case we have a bytecode instruction implemented by:
1089                     //
1090                     // a: CompareEq(...)
1091                     // b: Branch(@a)
1092                     //
1093                     // In that case, CompareEq might have a side-effect. Then, we need to make
1094                     // sure that we know that Branch does not exit.
1095                     fixEdge<KnownBooleanUse>(node->child1());
1096                 } else
1097                     fixEdge<BooleanUse>(node->child1());
1098             } else if (node->child1()->shouldSpeculateObjectOrOther())
1099                 fixEdge<ObjectOrOtherUse>(node->child1());
1100             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1101                 fixIntOrBooleanEdge(node->child1());
1102             else if (node->child1()->shouldSpeculateNumber())
1103                 fixEdge<DoubleRepUse>(node->child1());
1104             else if (node->child1()->shouldSpeculateString())
1105                 fixEdge<StringUse>(node->child1());
1106             else if (node->child1()->shouldSpeculateStringOrOther())
1107                 fixEdge<StringOrOtherUse>(node->child1());
1108             else {
1109                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1110                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1111                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1112             }
1113             break;
1114         }
1115             
1116         case Switch: {
1117             SwitchData* data = node->switchData();
1118             switch (data->kind) {
1119             case SwitchImm:
1120                 if (node->child1()->shouldSpeculateInt32())
1121                     fixEdge<Int32Use>(node->child1());
1122                 break;
1123             case SwitchChar:
1124                 if (node->child1()->shouldSpeculateString())
1125                     fixEdge<StringUse>(node->child1());
1126                 break;
1127             case SwitchString:
1128                 if (node->child1()->shouldSpeculateStringIdent())
1129                     fixEdge<StringIdentUse>(node->child1());
1130                 else if (node->child1()->shouldSpeculateString())
1131                     fixEdge<StringUse>(node->child1());
1132                 break;
1133             case SwitchCell:
1134                 if (node->child1()->shouldSpeculateCell())
1135                     fixEdge<CellUse>(node->child1());
1136                 // else it's fine for this to have UntypedUse; we will handle this by just making
1137                 // non-cells take the default case.
1138                 break;
1139             }
1140             break;
1141         }
1142             
1143         case ToPrimitive: {
1144             fixupToPrimitive(node);
1145             break;
1146         }
1147
1148         case ToNumber: {
1149             fixupToNumber(node);
1150             break;
1151         }
1152             
1153         case ToString:
1154         case CallStringConstructor: {
1155             fixupToStringOrCallStringConstructor(node);
1156             break;
1157         }
1158             
1159         case NewStringObject: {
1160             fixEdge<KnownStringUse>(node->child1());
1161             break;
1162         }
1163
1164         case NewArrayWithSpread: {
1165             watchHavingABadTime(node);
1166             
1167             BitVector* bitVector = node->bitVector();
1168             for (unsigned i = node->numChildren(); i--;) {
1169                 if (bitVector->get(i))
1170                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1171                 else
1172                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1173             }
1174
1175             break;
1176         }
1177
1178         case Spread: {
1179             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1180             
1181             watchHavingABadTime(node->child1().node());
1182
1183             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1184             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1185             // that it doesn't contain any indexed properties, and that any holes will result in
1186             // jsUndefined().
1187             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1188             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1189             if (node->child1()->shouldSpeculateArray()
1190                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1191                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1192                 && globalObject->arrayPrototypeChainIsSane()
1193                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1194                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1195                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1196                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1197                 fixEdge<ArrayUse>(node->child1());
1198             } else
1199                 fixEdge<CellUse>(node->child1());
1200             break;
1201         }
1202             
1203         case NewArray: {
1204             watchHavingABadTime(node);
1205             
1206             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1207                 node->setIndexingType(
1208                     leastUpperBoundOfIndexingTypeAndType(
1209                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1210             }
1211             switch (node->indexingType()) {
1212             case ALL_BLANK_INDEXING_TYPES:
1213                 CRASH();
1214                 break;
1215             case ALL_UNDECIDED_INDEXING_TYPES:
1216                 if (node->numChildren()) {
1217                     // This will only happen if the children have no type predictions. We
1218                     // would have already exited by now, but insert a forced exit just to
1219                     // be safe.
1220                     m_insertionSet.insertNode(
1221                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1222                 }
1223                 break;
1224             case ALL_INT32_INDEXING_TYPES:
1225                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1226                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1227                 break;
1228             case ALL_DOUBLE_INDEXING_TYPES:
1229                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1230                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1231                 break;
1232             case ALL_CONTIGUOUS_INDEXING_TYPES:
1233             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1234                 break;
1235             default:
1236                 CRASH();
1237                 break;
1238             }
1239             break;
1240         }
1241             
1242         case NewTypedArray: {
1243             watchHavingABadTime(node);
1244             
1245             if (node->child1()->shouldSpeculateInt32()) {
1246                 fixEdge<Int32Use>(node->child1());
1247                 node->clearFlags(NodeMustGenerate);
1248                 break;
1249             }
1250             break;
1251         }
1252             
1253         case NewArrayWithSize: {
1254             watchHavingABadTime(node);
1255             fixEdge<Int32Use>(node->child1());
1256             break;
1257         }
1258
1259         case NewArrayBuffer: {
1260             watchHavingABadTime(node);
1261             break;
1262         }
1263
1264         case ToObject: {
1265             fixupToObject(node);
1266             break;
1267         }
1268
1269         case CallObjectConstructor: {
1270             fixupCallObjectConstructor(node);
1271             break;
1272         }
1273
1274         case ToThis: {
1275             fixupToThis(node);
1276             break;
1277         }
1278             
1279         case PutStructure: {
1280             fixEdge<KnownCellUse>(node->child1());
1281             break;
1282         }
1283             
1284         case GetClosureVar:
1285         case GetFromArguments: {
1286             fixEdge<KnownCellUse>(node->child1());
1287             break;
1288         }
1289
1290         case PutClosureVar:
1291         case PutToArguments: {
1292             fixEdge<KnownCellUse>(node->child1());
1293             speculateForBarrier(node->child2());
1294             break;
1295         }
1296
1297         case SkipScope:
1298         case GetScope:
1299         case GetGetter:
1300         case GetSetter:
1301         case GetGlobalObject: {
1302             fixEdge<KnownCellUse>(node->child1());
1303             break;
1304         }
1305             
1306         case AllocatePropertyStorage:
1307         case ReallocatePropertyStorage: {
1308             fixEdge<KnownCellUse>(node->child1());
1309             break;
1310         }
1311             
1312         case NukeStructureAndSetButterfly: {
1313             fixEdge<KnownCellUse>(node->child1());
1314             break;
1315         }
1316
1317         case TryGetById: {
1318             if (node->child1()->shouldSpeculateCell())
1319                 fixEdge<CellUse>(node->child1());
1320             break;
1321         }
1322
1323         case GetByIdDirect:
1324         case GetByIdDirectFlush: {
1325             if (node->child1()->shouldSpeculateCell())
1326                 fixEdge<CellUse>(node->child1());
1327             break;
1328         }
1329
1330         case GetById:
1331         case GetByIdFlush: {
1332             // FIXME: This should be done in the ByteCodeParser based on reading the
1333             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1334             // https://bugs.webkit.org/show_bug.cgi?id=154990
1335             auto uid = m_graph.identifiers()[node->identifierNumber()];
1336             if (node->child1()->shouldSpeculateCellOrOther()
1337                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1338                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1339                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1340                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1341                 
1342                 if (uid == vm().propertyNames->length.impl()) {
1343                     attemptToMakeGetArrayLength(node);
1344                     break;
1345                 }
1346
1347                 if (uid == vm().propertyNames->lastIndex.impl()
1348                     && node->child1()->shouldSpeculateRegExpObject()) {
1349                     node->setOp(GetRegExpObjectLastIndex);
1350                     node->clearFlags(NodeMustGenerate);
1351                     fixEdge<RegExpObjectUse>(node->child1());
1352                     break;
1353                 }
1354             }
1355
1356             if (node->child1()->shouldSpeculateNumber()) {
1357                 if (uid == vm().propertyNames->toString.impl()) {
1358                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1359                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1360                         if (node->child1()->shouldSpeculateInt32()) {
1361                             insertCheck<Int32Use>(node->child1().node());
1362                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1363                             break;
1364                         }
1365
1366                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1367                             insertCheck<Int52RepUse>(node->child1().node());
1368                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1369                             break;
1370                         }
1371
1372                         ASSERT(node->child1()->shouldSpeculateNumber());
1373                         insertCheck<DoubleRepUse>(node->child1().node());
1374                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1375                         break;
1376                     }
1377                 }
1378             }
1379
1380             if (node->child1()->shouldSpeculateCell())
1381                 fixEdge<CellUse>(node->child1());
1382             break;
1383         }
1384         
1385         case GetByIdWithThis: {
1386             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1387                 fixEdge<CellUse>(node->child1());
1388                 fixEdge<CellUse>(node->child2());
1389             }
1390             break;
1391         }
1392
1393         case PutById:
1394         case PutByIdFlush:
1395         case PutByIdDirect: {
1396             if (node->child1()->shouldSpeculateCellOrOther()
1397                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1398                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1399                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1400                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1401                 
1402                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1403                 
1404                 if (uid == vm().propertyNames->lastIndex.impl()
1405                     && node->child1()->shouldSpeculateRegExpObject()) {
1406                     node->convertToSetRegExpObjectLastIndex();
1407                     fixEdge<RegExpObjectUse>(node->child1());
1408                     speculateForBarrier(node->child2());
1409                     break;
1410                 }
1411             }
1412             
1413             fixEdge<CellUse>(node->child1());
1414             break;
1415         }
1416
1417         case PutGetterById:
1418         case PutSetterById: {
1419             fixEdge<KnownCellUse>(node->child1());
1420             fixEdge<KnownCellUse>(node->child2());
1421             break;
1422         }
1423
1424         case PutGetterSetterById: {
1425             fixEdge<KnownCellUse>(node->child1());
1426             break;
1427         }
1428
1429         case PutGetterByVal:
1430         case PutSetterByVal: {
1431             fixEdge<KnownCellUse>(node->child1());
1432             fixEdge<KnownCellUse>(node->child3());
1433             break;
1434         }
1435
1436         case GetExecutable: {
1437             fixEdge<FunctionUse>(node->child1());
1438             break;
1439         }
1440
1441         case OverridesHasInstance:
1442         case CheckStructure:
1443         case CheckCell:
1444         case CreateThis:
1445         case GetButterfly: {
1446             fixEdge<CellUse>(node->child1());
1447             break;
1448         }
1449
1450         case CheckStringIdent: {
1451             fixEdge<StringIdentUse>(node->child1());
1452             break;
1453         }
1454             
1455         case Arrayify:
1456         case ArrayifyToStructure: {
1457             fixEdge<CellUse>(node->child1());
1458             if (node->child2())
1459                 fixEdge<Int32Use>(node->child2());
1460             break;
1461         }
1462             
1463         case GetByOffset:
1464         case GetGetterSetterByOffset: {
1465             if (!node->child1()->hasStorageResult())
1466                 fixEdge<KnownCellUse>(node->child1());
1467             fixEdge<KnownCellUse>(node->child2());
1468             break;
1469         }
1470             
1471         case MultiGetByOffset: {
1472             fixEdge<CellUse>(node->child1());
1473             break;
1474         }
1475             
1476         case PutByOffset: {
1477             if (!node->child1()->hasStorageResult())
1478                 fixEdge<KnownCellUse>(node->child1());
1479             fixEdge<KnownCellUse>(node->child2());
1480             unsigned index = indexForChecks();
1481             insertInferredTypeCheck(
1482                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1483                 node->storageAccessData().inferredType);
1484             speculateForBarrier(node->child3());
1485             break;
1486         }
1487             
1488         case MultiPutByOffset: {
1489             fixEdge<CellUse>(node->child1());
1490             break;
1491         }
1492             
1493         case MatchStructure: {
1494             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1495             // https://bugs.webkit.org/show_bug.cgi?id=185784
1496             fixEdge<CellUse>(node->child1());
1497             break;
1498         }
1499             
1500         case InstanceOf: {
1501             if (node->child1()->shouldSpeculateCell()
1502                 && node->child2()->shouldSpeculateCell()
1503                 && is64Bit()) {
1504                 fixEdge<CellUse>(node->child1());
1505                 fixEdge<CellUse>(node->child2());
1506                 break;
1507             }
1508             break;
1509         }
1510
1511         case InstanceOfCustom:
1512             fixEdge<CellUse>(node->child2());
1513             break;
1514
1515         case InById: {
1516             fixEdge<CellUse>(node->child1());
1517             break;
1518         }
1519
1520         case InByVal: {
1521             if (node->child2()->shouldSpeculateInt32()) {
1522                 convertToHasIndexedProperty(node);
1523                 break;
1524             }
1525
1526             fixEdge<CellUse>(node->child1());
1527             break;
1528         }
1529
1530         case HasOwnProperty: {
1531             fixEdge<ObjectUse>(node->child1());
1532 #if CPU(X86)
1533             // We don't have enough registers to do anything interesting on x86 and mips.
1534             fixEdge<UntypedUse>(node->child2());
1535 #else
1536             if (node->child2()->shouldSpeculateString())
1537                 fixEdge<StringUse>(node->child2());
1538             else if (node->child2()->shouldSpeculateSymbol())
1539                 fixEdge<SymbolUse>(node->child2());
1540             else
1541                 fixEdge<UntypedUse>(node->child2());
1542 #endif
1543             break;
1544         }
1545
1546         case CheckVarargs:
1547         case Check: {
1548             m_graph.doToChildren(
1549                 node,
1550                 [&] (Edge& edge) {
1551                     switch (edge.useKind()) {
1552                     case NumberUse:
1553                         if (edge->shouldSpeculateInt32ForArithmetic())
1554                             edge.setUseKind(Int32Use);
1555                         break;
1556                     default:
1557                         break;
1558                     }
1559                     observeUseKindOnEdge(edge);
1560                 });
1561             break;
1562         }
1563
1564         case Phantom:
1565             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1566             node->remove(m_graph);
1567             break;
1568
1569         case FiatInt52: {
1570             RELEASE_ASSERT(enableInt52());
1571             node->convertToIdentity();
1572             fixEdge<Int52RepUse>(node->child1());
1573             node->setResult(NodeResultInt52);
1574             break;
1575         }
1576
1577         case GetArrayLength: {
1578             fixEdge<KnownCellUse>(node->child1());
1579             break;
1580         }
1581
1582         case GetTypedArrayByteOffset: {
1583             fixEdge<KnownCellUse>(node->child1());
1584             break;
1585         }
1586
1587         case CompareBelow:
1588         case CompareBelowEq: {
1589             fixEdge<Int32Use>(node->child1());
1590             fixEdge<Int32Use>(node->child2());
1591             break;
1592         }
1593
1594         case GetPrototypeOf: {
1595             fixupGetPrototypeOf(node);
1596             break;
1597         }
1598
1599         case Phi:
1600         case Upsilon:
1601         case EntrySwitch:
1602         case GetIndexedPropertyStorage:
1603         case LastNodeType:
1604         case CheckTierUpInLoop:
1605         case CheckTierUpAtReturn:
1606         case CheckTierUpAndOSREnter:
1607         case InvalidationPoint:
1608         case CheckArray:
1609         case CheckInBounds:
1610         case ConstantStoragePointer:
1611         case DoubleAsInt32:
1612         case ValueToInt32:
1613         case DoubleRep:
1614         case ValueRep:
1615         case Int52Rep:
1616         case Int52Constant:
1617         case Identity: // This should have been cleaned up.
1618         case BooleanToNumber:
1619         case PhantomNewObject:
1620         case PhantomNewFunction:
1621         case PhantomNewGeneratorFunction:
1622         case PhantomNewAsyncGeneratorFunction:
1623         case PhantomNewAsyncFunction:
1624         case PhantomCreateActivation:
1625         case PhantomDirectArguments:
1626         case PhantomCreateRest:
1627         case PhantomSpread:
1628         case PhantomNewArrayWithSpread:
1629         case PhantomNewArrayBuffer:
1630         case PhantomClonedArguments:
1631         case PhantomNewRegexp:
1632         case GetMyArgumentByVal:
1633         case GetMyArgumentByValOutOfBounds:
1634         case GetVectorLength:
1635         case PutHint:
1636         case CheckStructureImmediate:
1637         case CheckStructureOrEmpty:
1638         case MaterializeNewObject:
1639         case MaterializeCreateActivation:
1640         case PutStack:
1641         case KillStack:
1642         case GetStack:
1643         case StoreBarrier:
1644         case FencedStoreBarrier:
1645         case GetRegExpObjectLastIndex:
1646         case SetRegExpObjectLastIndex:
1647         case RecordRegExpCachedResult:
1648         case RegExpExecNonGlobalOrSticky:
1649         case RegExpMatchFastGlobal:
1650             // These are just nodes that we don't currently expect to see during fixup.
1651             // If we ever wanted to insert them prior to fixup, then we just have to create
1652             // fixup rules for them.
1653             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1654             break;
1655
1656         case PutGlobalVariable: {
1657             fixEdge<CellUse>(node->child1());
1658             speculateForBarrier(node->child2());
1659             break;
1660         }
1661
1662         case IsObject:
1663             if (node->child1()->shouldSpeculateObject()) {
1664                 m_insertionSet.insertNode(
1665                     m_indexInBlock, SpecNone, Check, node->origin,
1666                     Edge(node->child1().node(), ObjectUse));
1667                 m_graph.convertToConstant(node, jsBoolean(true));
1668                 observeUseKindOnNode<ObjectUse>(node);
1669             }
1670             break;
1671
1672         case IsCellWithType: {
1673             fixupIsCellWithType(node);
1674             break;
1675         }
1676
1677         case GetEnumerableLength: {
1678             fixEdge<CellUse>(node->child1());
1679             break;
1680         }
1681         case HasGenericProperty: {
1682             fixEdge<CellUse>(node->child2());
1683             break;
1684         }
1685         case HasStructureProperty: {
1686             fixEdge<StringUse>(node->child2());
1687             fixEdge<KnownCellUse>(node->child3());
1688             break;
1689         }
1690         case HasIndexedProperty: {
1691             node->setArrayMode(
1692                 node->arrayMode().refine(
1693                     m_graph, node,
1694                     node->child1()->prediction(),
1695                     node->child2()->prediction(),
1696                     SpecNone));
1697             
1698             blessArrayOperation(node->child1(), node->child2(), node->child3());
1699             fixEdge<CellUse>(node->child1());
1700             fixEdge<KnownInt32Use>(node->child2());
1701             break;
1702         }
1703         case GetDirectPname: {
1704             Edge& base = m_graph.varArgChild(node, 0);
1705             Edge& property = m_graph.varArgChild(node, 1);
1706             Edge& index = m_graph.varArgChild(node, 2);
1707             Edge& enumerator = m_graph.varArgChild(node, 3);
1708             fixEdge<CellUse>(base);
1709             fixEdge<KnownCellUse>(property);
1710             fixEdge<KnownInt32Use>(index);
1711             fixEdge<KnownCellUse>(enumerator);
1712             break;
1713         }
1714         case GetPropertyEnumerator: {
1715             if (node->child1()->shouldSpeculateCell())
1716                 fixEdge<CellUse>(node->child1());
1717             break;
1718         }
1719         case GetEnumeratorStructurePname: {
1720             fixEdge<KnownCellUse>(node->child1());
1721             fixEdge<KnownInt32Use>(node->child2());
1722             break;
1723         }
1724         case GetEnumeratorGenericPname: {
1725             fixEdge<KnownCellUse>(node->child1());
1726             fixEdge<KnownInt32Use>(node->child2());
1727             break;
1728         }
1729         case ToIndexString: {
1730             fixEdge<KnownInt32Use>(node->child1());
1731             break;
1732         }
1733         case ProfileType: {
1734             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1735             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1736             // type T for the instructionTypeSet, the global type set must also have information for type T.
1737             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1738             // in the globalTypeSet would've also succeeded.
1739             // (The other direction does not hold in general).
1740
1741             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1742             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1743             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1744                 if (node->child1()->shouldSpeculateInt32()) {
1745                     fixEdge<Int32Use>(node->child1());
1746                     node->remove(m_graph);
1747                     break;
1748                 }
1749
1750                 if (enableInt52()) {
1751                     fixEdge<AnyIntUse>(node->child1());
1752                     node->remove(m_graph);
1753                     break;
1754                 }
1755
1756                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1757             }
1758
1759             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1760                 fixEdge<NumberUse>(node->child1());
1761                 node->remove(m_graph);
1762             } else if (typeSet->doesTypeConformTo(TypeString)) {
1763                 fixEdge<StringUse>(node->child1());
1764                 node->remove(m_graph);
1765             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1766                 fixEdge<BooleanUse>(node->child1());
1767                 node->remove(m_graph);
1768             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1769                 fixEdge<OtherUse>(node->child1());
1770                 node->remove(m_graph);
1771             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1772                 StructureSet set;
1773                 {
1774                     ConcurrentJSLocker locker(typeSet->m_lock);
1775                     set = typeSet->structureSet(locker);
1776                 }
1777                 if (!set.isEmpty()) {
1778                     fixEdge<CellUse>(node->child1());
1779                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1780                 }
1781             }
1782
1783             break;
1784         }
1785
1786         case CreateClonedArguments: {
1787             watchHavingABadTime(node);
1788             break;
1789         }
1790
1791         case CreateScopedArguments:
1792         case CreateActivation:
1793         case NewFunction:
1794         case NewGeneratorFunction:
1795         case NewAsyncGeneratorFunction:
1796         case NewAsyncFunction: {
1797             // Child 1 is always the current scope, which is guaranteed to be an object
1798             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1799             fixEdge<KnownCellUse>(node->child1());
1800             break;
1801         }
1802
1803         case PushWithScope: {
1804             // Child 1 is always the current scope, which is guaranteed to be an object
1805             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1806             fixEdge<KnownCellUse>(node->child1());
1807             if (node->child2()->shouldSpeculateObject())
1808                 fixEdge<ObjectUse>(node->child2());
1809             break;
1810         }
1811
1812         case SetFunctionName: {
1813             // The first child is guaranteed to be a cell because op_set_function_name is only used
1814             // on a newly instantiated function object (the first child).
1815             fixEdge<KnownCellUse>(node->child1());
1816             fixEdge<UntypedUse>(node->child2());
1817             break;
1818         }
1819
1820         case CreateRest: {
1821             watchHavingABadTime(node);
1822             fixEdge<KnownInt32Use>(node->child1());
1823             break;
1824         }
1825
1826         case ResolveScopeForHoistingFuncDeclInEval: {
1827             fixEdge<KnownCellUse>(node->child1());
1828             break;
1829         }
1830         case ResolveScope:
1831         case GetDynamicVar:
1832         case PutDynamicVar: {
1833             fixEdge<KnownCellUse>(node->child1());
1834             break;
1835         }
1836
1837         case LogShadowChickenPrologue: {
1838             fixEdge<KnownCellUse>(node->child1());
1839             break;
1840         }
1841         case LogShadowChickenTail: {
1842             fixEdge<UntypedUse>(node->child1());
1843             fixEdge<KnownCellUse>(node->child2());
1844             break;
1845         }
1846
1847         case GetMapBucket:
1848             if (node->child1().useKind() == MapObjectUse)
1849                 fixEdge<MapObjectUse>(node->child1());
1850             else if (node->child1().useKind() == SetObjectUse)
1851                 fixEdge<SetObjectUse>(node->child1());
1852             else
1853                 RELEASE_ASSERT_NOT_REACHED();
1854
1855 #if USE(JSVALUE64)
1856             if (node->child2()->shouldSpeculateBoolean())
1857                 fixEdge<BooleanUse>(node->child2());
1858             else if (node->child2()->shouldSpeculateInt32())
1859                 fixEdge<Int32Use>(node->child2());
1860             else if (node->child2()->shouldSpeculateSymbol())
1861                 fixEdge<SymbolUse>(node->child2());
1862             else if (node->child2()->shouldSpeculateObject())
1863                 fixEdge<ObjectUse>(node->child2());
1864             else if (node->child2()->shouldSpeculateString())
1865                 fixEdge<StringUse>(node->child2());
1866             else if (node->child2()->shouldSpeculateCell())
1867                 fixEdge<CellUse>(node->child2());
1868             else
1869                 fixEdge<UntypedUse>(node->child2());
1870 #else
1871             fixEdge<UntypedUse>(node->child2());
1872 #endif // USE(JSVALUE64)
1873
1874             fixEdge<Int32Use>(node->child3());
1875             break;
1876
1877         case GetMapBucketHead:
1878             if (node->child1().useKind() == MapObjectUse)
1879                 fixEdge<MapObjectUse>(node->child1());
1880             else if (node->child1().useKind() == SetObjectUse)
1881                 fixEdge<SetObjectUse>(node->child1());
1882             else
1883                 RELEASE_ASSERT_NOT_REACHED();
1884             break;
1885
1886         case GetMapBucketNext:
1887         case LoadKeyFromMapBucket:
1888         case LoadValueFromMapBucket:
1889             fixEdge<CellUse>(node->child1());
1890             break;
1891
1892         case MapHash: {
1893 #if USE(JSVALUE64)
1894             if (node->child1()->shouldSpeculateBoolean()) {
1895                 fixEdge<BooleanUse>(node->child1());
1896                 break;
1897             }
1898
1899             if (node->child1()->shouldSpeculateInt32()) {
1900                 fixEdge<Int32Use>(node->child1());
1901                 break;
1902             }
1903
1904             if (node->child1()->shouldSpeculateSymbol()) {
1905                 fixEdge<SymbolUse>(node->child1());
1906                 break;
1907             }
1908
1909             if (node->child1()->shouldSpeculateObject()) {
1910                 fixEdge<ObjectUse>(node->child1());
1911                 break;
1912             }
1913
1914             if (node->child1()->shouldSpeculateString()) {
1915                 fixEdge<StringUse>(node->child1());
1916                 break;
1917             }
1918
1919             if (node->child1()->shouldSpeculateCell()) {
1920                 fixEdge<CellUse>(node->child1());
1921                 break;
1922             }
1923
1924             fixEdge<UntypedUse>(node->child1());
1925 #else
1926             fixEdge<UntypedUse>(node->child1());
1927 #endif // USE(JSVALUE64)
1928             break;
1929         }
1930
1931         case NormalizeMapKey: {
1932             fixupNormalizeMapKey(node);
1933             break;
1934         }
1935
1936         case WeakMapGet: {
1937             if (node->child1().useKind() == WeakMapObjectUse)
1938                 fixEdge<WeakMapObjectUse>(node->child1());
1939             else if (node->child1().useKind() == WeakSetObjectUse)
1940                 fixEdge<WeakSetObjectUse>(node->child1());
1941             else
1942                 RELEASE_ASSERT_NOT_REACHED();
1943             fixEdge<ObjectUse>(node->child2());
1944             fixEdge<Int32Use>(node->child3());
1945             break;
1946         }
1947
1948         case SetAdd: {
1949             fixEdge<SetObjectUse>(node->child1());
1950             fixEdge<Int32Use>(node->child3());
1951             break;
1952         }
1953
1954         case MapSet: {
1955             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1956             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1957             break;
1958         }
1959
1960         case WeakSetAdd: {
1961             fixEdge<WeakSetObjectUse>(node->child1());
1962             fixEdge<ObjectUse>(node->child2());
1963             fixEdge<Int32Use>(node->child3());
1964             break;
1965         }
1966
1967         case WeakMapSet: {
1968             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1969             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
1970             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1971             break;
1972         }
1973
1974         case DefineDataProperty: {
1975             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1976             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1977             if (propertyEdge->shouldSpeculateSymbol())
1978                 fixEdge<SymbolUse>(propertyEdge);
1979             else if (propertyEdge->shouldSpeculateStringIdent())
1980                 fixEdge<StringIdentUse>(propertyEdge);
1981             else if (propertyEdge->shouldSpeculateString())
1982                 fixEdge<StringUse>(propertyEdge);
1983             else
1984                 fixEdge<UntypedUse>(propertyEdge);
1985             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1986             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1987             break;
1988         }
1989
1990         case StringSlice: {
1991             fixEdge<StringUse>(node->child1());
1992             fixEdge<Int32Use>(node->child2());
1993             if (node->child3())
1994                 fixEdge<Int32Use>(node->child3());
1995             break;
1996         }
1997
1998         case ToLowerCase: {
1999             // We currently only support StringUse since that will ensure that
2000             // ToLowerCase is a pure operation. If we decide to update this with
2001             // more types in the future, we need to ensure that the clobberize rules
2002             // are correct.
2003             fixEdge<StringUse>(node->child1());
2004             break;
2005         }
2006
2007         case NumberToStringWithRadix: {
2008             if (node->child1()->shouldSpeculateInt32())
2009                 fixEdge<Int32Use>(node->child1());
2010             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2011                 fixEdge<Int52RepUse>(node->child1());
2012             else
2013                 fixEdge<DoubleRepUse>(node->child1());
2014             fixEdge<Int32Use>(node->child2());
2015             break;
2016         }
2017
2018         case DefineAccessorProperty: {
2019             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2020             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2021             if (propertyEdge->shouldSpeculateSymbol())
2022                 fixEdge<SymbolUse>(propertyEdge);
2023             else if (propertyEdge->shouldSpeculateStringIdent())
2024                 fixEdge<StringIdentUse>(propertyEdge);
2025             else if (propertyEdge->shouldSpeculateString())
2026                 fixEdge<StringUse>(propertyEdge);
2027             else
2028                 fixEdge<UntypedUse>(propertyEdge);
2029             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2030             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2031             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2032             break;
2033         }
2034
2035         case CheckSubClass: {
2036             fixupCheckSubClass(node);
2037             break;
2038         }
2039
2040         case CallDOMGetter: {
2041             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2042             fixEdge<CellUse>(node->child1()); // DOM.
2043             if (snippet && snippet->requireGlobalObject)
2044                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2045             break;
2046         }
2047
2048         case CallDOM: {
2049             fixupCallDOM(node);
2050             break;
2051         }
2052
2053         case Call: {
2054             attemptToMakeCallDOM(node);
2055             break;
2056         }
2057
2058         case ParseInt: {
2059             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2060                 fixEdge<Int32Use>(node->child1());
2061                 node->convertToIdentity();
2062                 break;
2063             }
2064
2065             if (node->child1()->shouldSpeculateString()) {
2066                 fixEdge<StringUse>(node->child1());
2067                 node->clearFlags(NodeMustGenerate);
2068             }
2069
2070             if (node->child2())
2071                 fixEdge<Int32Use>(node->child2());
2072
2073             break;
2074         }
2075
2076         case IdentityWithProfile: {
2077             node->clearFlags(NodeMustGenerate);
2078             break;
2079         }
2080
2081         case ThrowStaticError:
2082             fixEdge<StringUse>(node->child1());
2083             break;
2084
2085         case NumberIsInteger:
2086             if (node->child1()->shouldSpeculateInt32()) {
2087                 m_insertionSet.insertNode(
2088                     m_indexInBlock, SpecNone, Check, node->origin,
2089                     Edge(node->child1().node(), Int32Use));
2090                 m_graph.convertToConstant(node, jsBoolean(true));
2091                 break;
2092             }
2093             break;
2094
2095         case SetCallee:
2096             fixEdge<CellUse>(node->child1());
2097             break;
2098
2099 #if !ASSERT_DISABLED
2100         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2101         case SetArgument:
2102         case JSConstant:
2103         case LazyJSConstant:
2104         case DoubleConstant:
2105         case GetLocal:
2106         case GetCallee:
2107         case GetArgumentCountIncludingThis:
2108         case SetArgumentCountIncludingThis:
2109         case GetRestLength:
2110         case GetArgument:
2111         case Flush:
2112         case PhantomLocal:
2113         case GetGlobalVar:
2114         case GetGlobalLexicalVariable:
2115         case NotifyWrite:
2116         case DirectCall:
2117         case CheckTypeInfoFlags:
2118         case TailCallInlinedCaller:
2119         case DirectTailCallInlinedCaller:
2120         case Construct:
2121         case DirectConstruct:
2122         case CallVarargs:
2123         case CallEval:
2124         case TailCallVarargsInlinedCaller:
2125         case ConstructVarargs:
2126         case CallForwardVarargs:
2127         case ConstructForwardVarargs:
2128         case TailCallForwardVarargs:
2129         case TailCallForwardVarargsInlinedCaller:
2130         case LoadVarargs:
2131         case ForwardVarargs:
2132         case ProfileControlFlow:
2133         case NewObject:
2134         case NewRegexp:
2135         case DeleteById:
2136         case DeleteByVal:
2137         case IsTypedArrayView:
2138         case IsEmpty:
2139         case IsUndefined:
2140         case IsBoolean:
2141         case IsNumber:
2142         case IsObjectOrNull:
2143         case IsFunction:
2144         case CreateDirectArguments:
2145         case Jump:
2146         case Return:
2147         case TailCall:
2148         case DirectTailCall:
2149         case TailCallVarargs:
2150         case Throw:
2151         case CountExecution:
2152         case SuperSamplerBegin:
2153         case SuperSamplerEnd:
2154         case ForceOSRExit:
2155         case CheckBadCell:
2156         case CheckNotEmpty:
2157         case AssertNotEmpty:
2158         case CheckTraps:
2159         case Unreachable:
2160         case ExtractOSREntryLocal:
2161         case ExtractCatchLocal:
2162         case LoopHint:
2163         case MovHint:
2164         case InitializeEntrypointArguments:
2165         case ZombieHint:
2166         case ExitOK:
2167         case BottomValue:
2168         case TypeOf:
2169         case PutByIdWithThis:
2170         case PutByValWithThis:
2171         case GetByValWithThis:
2172         case CompareEqPtr:
2173         case NumberToStringWithValidRadixConstant:
2174         case GetGlobalThis:
2175         case ExtractValueFromWeakMapGet:
2176         case CPUIntrinsic:
2177             break;
2178 #else
2179         default:
2180             break;
2181 #endif
2182         }
2183     }
2184
2185     void watchHavingABadTime(Node* node)
2186     {
2187         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2188
2189         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2190         // does an array allocation. The types of array allocations may change if we start to have a bad
2191         // time. It's easier to reason about this if we know that whenever the types change after we start
2192         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2193         // prior to this point nobody should have been doing optimizations based on the indexing type of
2194         // the allocation.
2195         if (!globalObject->isHavingABadTime()) {
2196             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2197             m_graph.freeze(globalObject);
2198         }
2199     }
2200     
2201     template<UseKind useKind>
2202     void createToString(Node* node, Edge& edge)
2203     {
2204         Node* toString = m_insertionSet.insertNode(
2205             m_indexInBlock, SpecString, ToString, node->origin,
2206             Edge(edge.node(), useKind));
2207         switch (useKind) {
2208         case Int32Use:
2209         case Int52RepUse:
2210         case DoubleRepUse:
2211         case NotCellUse:
2212             toString->clearFlags(NodeMustGenerate);
2213             break;
2214         default:
2215             break;
2216         }
2217         edge.setNode(toString);
2218     }
2219     
2220     template<UseKind useKind>
2221     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2222     {
2223         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2224         
2225         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2226             return;
2227         
2228         createToString<useKind>(node, node->child1());
2229         arrayMode = ArrayMode(Array::String, Array::Read);
2230     }
2231     
2232     template<UseKind useKind>
2233     bool isStringObjectUse()
2234     {
2235         switch (useKind) {
2236         case StringObjectUse:
2237         case StringOrStringObjectUse:
2238             return true;
2239         default:
2240             return false;
2241         }
2242     }
2243     
2244     template<UseKind useKind>
2245     void convertStringAddUse(Node* node, Edge& edge)
2246     {
2247         if (useKind == StringUse) {
2248             observeUseKindOnNode<StringUse>(edge.node());
2249             m_insertionSet.insertNode(
2250                 m_indexInBlock, SpecNone, Check, node->origin,
2251                 Edge(edge.node(), StringUse));
2252             edge.setUseKind(KnownStringUse);
2253             return;
2254         }
2255         
2256         observeUseKindOnNode<useKind>(edge.node());
2257         createToString<useKind>(node, edge);
2258     }
2259     
2260     void convertToMakeRope(Node* node)
2261     {
2262         node->setOpAndDefaultFlags(MakeRope);
2263         fixupMakeRope(node);
2264     }
2265     
2266     void fixupMakeRope(Node* node)
2267     {
2268         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2269             Edge& edge = node->children.child(i);
2270             if (!edge)
2271                 break;
2272             edge.setUseKind(KnownStringUse);
2273             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2274             if (!string)
2275                 continue;
2276             if (string->length())
2277                 continue;
2278             
2279             // Don't allow the MakeRope to have zero children.
2280             if (!i && !node->child2())
2281                 break;
2282             
2283             node->children.removeEdge(i--);
2284         }
2285         
2286         if (!node->child2()) {
2287             ASSERT(!node->child3());
2288             node->convertToIdentity();
2289         }
2290     }
2291
2292     void fixupIsCellWithType(Node* node)
2293     {
2294         switch (node->speculatedTypeForQuery()) {
2295         case SpecString:
2296             if (node->child1()->shouldSpeculateString()) {
2297                 m_insertionSet.insertNode(
2298                     m_indexInBlock, SpecNone, Check, node->origin,
2299                     Edge(node->child1().node(), StringUse));
2300                 m_graph.convertToConstant(node, jsBoolean(true));
2301                 observeUseKindOnNode<StringUse>(node);
2302                 return;
2303             }
2304             break;
2305
2306         case SpecProxyObject:
2307             if (node->child1()->shouldSpeculateProxyObject()) {
2308                 m_insertionSet.insertNode(
2309                     m_indexInBlock, SpecNone, Check, node->origin,
2310                     Edge(node->child1().node(), ProxyObjectUse));
2311                 m_graph.convertToConstant(node, jsBoolean(true));
2312                 observeUseKindOnNode<ProxyObjectUse>(node);
2313                 return;
2314             }
2315             break;
2316
2317         case SpecRegExpObject:
2318             if (node->child1()->shouldSpeculateRegExpObject()) {
2319                 m_insertionSet.insertNode(
2320                     m_indexInBlock, SpecNone, Check, node->origin,
2321                     Edge(node->child1().node(), RegExpObjectUse));
2322                 m_graph.convertToConstant(node, jsBoolean(true));
2323                 observeUseKindOnNode<RegExpObjectUse>(node);
2324                 return;
2325             }
2326             break;
2327
2328         case SpecArray:
2329             if (node->child1()->shouldSpeculateArray()) {
2330                 m_insertionSet.insertNode(
2331                     m_indexInBlock, SpecNone, Check, node->origin,
2332                     Edge(node->child1().node(), ArrayUse));
2333                 m_graph.convertToConstant(node, jsBoolean(true));
2334                 observeUseKindOnNode<ArrayUse>(node);
2335                 return;
2336             }
2337             break;
2338
2339         case SpecDerivedArray:
2340             if (node->child1()->shouldSpeculateDerivedArray()) {
2341                 m_insertionSet.insertNode(
2342                     m_indexInBlock, SpecNone, Check, node->origin,
2343                     Edge(node->child1().node(), DerivedArrayUse));
2344                 m_graph.convertToConstant(node, jsBoolean(true));
2345                 observeUseKindOnNode<DerivedArrayUse>(node);
2346                 return;
2347             }
2348             break;
2349         }
2350
2351         if (node->child1()->shouldSpeculateCell()) {
2352             fixEdge<CellUse>(node->child1());
2353             return;
2354         }
2355
2356         if (node->child1()->shouldSpeculateNotCell()) {
2357             m_insertionSet.insertNode(
2358                 m_indexInBlock, SpecNone, Check, node->origin,
2359                 Edge(node->child1().node(), NotCellUse));
2360             m_graph.convertToConstant(node, jsBoolean(false));
2361             observeUseKindOnNode<NotCellUse>(node);
2362             return;
2363         }
2364     }
2365
2366     void fixupGetPrototypeOf(Node* node)
2367     {
2368         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2369         if (node->child1().useKind() != ObjectUse) {
2370             if (node->child1()->shouldSpeculateString()) {
2371                 insertCheck<StringUse>(node->child1().node());
2372                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2373                 return;
2374             }
2375             if (node->child1()->shouldSpeculateInt32()) {
2376                 insertCheck<Int32Use>(node->child1().node());
2377                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2378                 return;
2379             }
2380             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2381                 insertCheck<Int52RepUse>(node->child1().node());
2382                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2383                 return;
2384             }
2385             if (node->child1()->shouldSpeculateNumber()) {
2386                 insertCheck<NumberUse>(node->child1().node());
2387                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2388                 return;
2389             }
2390             if (node->child1()->shouldSpeculateSymbol()) {
2391                 insertCheck<SymbolUse>(node->child1().node());
2392                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2393                 return;
2394             }
2395             if (node->child1()->shouldSpeculateBoolean()) {
2396                 insertCheck<BooleanUse>(node->child1().node());
2397                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2398                 return;
2399             }
2400         }
2401
2402         if (node->child1()->shouldSpeculateFinalObject()) {
2403             fixEdge<FinalObjectUse>(node->child1());
2404             node->clearFlags(NodeMustGenerate);
2405             return;
2406         }
2407         if (node->child1()->shouldSpeculateArray()) {
2408             fixEdge<ArrayUse>(node->child1());
2409             node->clearFlags(NodeMustGenerate);
2410             return;
2411         }
2412         if (node->child1()->shouldSpeculateFunction()) {
2413             fixEdge<FunctionUse>(node->child1());
2414             node->clearFlags(NodeMustGenerate);
2415             return;
2416         }
2417     }
2418
2419     void fixupToThis(Node* node)
2420     {
2421         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2422
2423         if (ecmaMode == StrictMode) {
2424             if (node->child1()->shouldSpeculateBoolean()) {
2425                 fixEdge<BooleanUse>(node->child1());
2426                 node->convertToIdentity();
2427                 return;
2428             }
2429
2430             if (node->child1()->shouldSpeculateInt32()) {
2431                 fixEdge<Int32Use>(node->child1());
2432                 node->convertToIdentity();
2433                 return;
2434             }
2435
2436             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2437                 fixEdge<Int52RepUse>(node->child1());
2438                 node->convertToIdentity();
2439                 node->setResult(NodeResultInt52);
2440                 return;
2441             }
2442
2443             if (node->child1()->shouldSpeculateNumber()) {
2444                 fixEdge<DoubleRepUse>(node->child1());
2445                 node->convertToIdentity();
2446                 node->setResult(NodeResultDouble);
2447                 return;
2448             }
2449
2450             if (node->child1()->shouldSpeculateSymbol()) {
2451                 fixEdge<SymbolUse>(node->child1());
2452                 node->convertToIdentity();
2453                 return;
2454             }
2455
2456             if (node->child1()->shouldSpeculateStringIdent()) {
2457                 fixEdge<StringIdentUse>(node->child1());
2458                 node->convertToIdentity();
2459                 return;
2460             }
2461
2462             if (node->child1()->shouldSpeculateString()) {
2463                 fixEdge<StringUse>(node->child1());
2464                 node->convertToIdentity();
2465                 return;
2466             }
2467             
2468             if (node->child1()->shouldSpeculateBigInt()) {
2469                 fixEdge<BigIntUse>(node->child1());
2470                 node->convertToIdentity();
2471                 return;
2472             }
2473         }
2474
2475         if (node->child1()->shouldSpeculateOther()) {
2476             if (ecmaMode == StrictMode) {
2477                 fixEdge<OtherUse>(node->child1());
2478                 node->convertToIdentity();
2479                 return;
2480             }
2481
2482             m_insertionSet.insertNode(
2483                 m_indexInBlock, SpecNone, Check, node->origin,
2484                 Edge(node->child1().node(), OtherUse));
2485             observeUseKindOnNode<OtherUse>(node->child1().node());
2486             m_graph.convertToConstant(
2487                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2488             return;
2489         }
2490
2491         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2492         // however, since we cover all the missing cases in constant folding.
2493         // https://bugs.webkit.org/show_bug.cgi?id=157213
2494         if (node->child1()->shouldSpeculateStringObject()) {
2495             fixEdge<StringObjectUse>(node->child1());
2496             node->convertToIdentity();
2497             return;
2498         }
2499
2500         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2501             fixEdge<FinalObjectUse>(node->child1());
2502             node->convertToIdentity();
2503             return;
2504         }
2505     }
2506     
2507     void fixupToPrimitive(Node* node)
2508     {
2509         if (node->child1()->shouldSpeculateInt32()) {
2510             fixEdge<Int32Use>(node->child1());
2511             node->convertToIdentity();
2512             return;
2513         }
2514         
2515         if (node->child1()->shouldSpeculateString()) {
2516             fixEdge<StringUse>(node->child1());
2517             node->convertToIdentity();
2518             return;
2519         }
2520         
2521         if (node->child1()->shouldSpeculateStringObject()
2522             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2523             fixEdge<StringObjectUse>(node->child1());
2524             node->convertToToString();
2525             return;
2526         }
2527         
2528         if (node->child1()->shouldSpeculateStringOrStringObject()
2529             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2530             fixEdge<StringOrStringObjectUse>(node->child1());
2531             node->convertToToString();
2532             return;
2533         }
2534     }
2535
2536     void fixupToNumber(Node* node)
2537     {
2538         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2539         if (node->child1()->shouldSpeculateNumber()) {
2540             if (isInt32Speculation(node->getHeapPrediction())) {
2541                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2542                 if (node->child1()->shouldSpeculateInt32()) {
2543                     fixEdge<Int32Use>(node->child1());
2544                     node->convertToIdentity();
2545                     return;
2546                 }
2547
2548                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2549                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2550                 fixEdge<DoubleRepUse>(node->child1());
2551                 node->setOp(DoubleAsInt32);
2552                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2553                     node->setArithMode(Arith::CheckOverflow);
2554                 else
2555                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2556                 return;
2557             }
2558
2559             fixEdge<DoubleRepUse>(node->child1());
2560             node->convertToIdentity();
2561             node->setResult(NodeResultDouble);
2562             return;
2563         }
2564
2565         fixEdge<UntypedUse>(node->child1());
2566         node->setResult(NodeResultJS);
2567     }
2568
2569     void fixupToObject(Node* node)
2570     {
2571         if (node->child1()->shouldSpeculateObject()) {
2572             fixEdge<ObjectUse>(node->child1());
2573             node->convertToIdentity();
2574             return;
2575         }
2576
2577         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2578
2579         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2580
2581         if (node->child1()->shouldSpeculateString()) {
2582             insertCheck<StringUse>(node->child1().node());
2583             fixEdge<KnownStringUse>(node->child1());
2584             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2585             return;
2586         }
2587
2588         if (node->child1()->shouldSpeculateSymbol()) {
2589             insertCheck<SymbolUse>(node->child1().node());
2590             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2591             return;
2592         }
2593
2594         if (node->child1()->shouldSpeculateNumber()) {
2595             insertCheck<NumberUse>(node->child1().node());
2596             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2597             return;
2598         }
2599
2600         if (node->child1()->shouldSpeculateBoolean()) {
2601             insertCheck<BooleanUse>(node->child1().node());
2602             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2603             return;
2604         }
2605
2606         fixEdge<UntypedUse>(node->child1());
2607     }
2608
2609     void fixupCallObjectConstructor(Node* node)
2610     {
2611         if (node->child1()->shouldSpeculateObject()) {
2612             fixEdge<ObjectUse>(node->child1());
2613             node->convertToIdentity();
2614             return;
2615         }
2616
2617         if (node->child1()->shouldSpeculateString()) {
2618             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2619             insertCheck<StringUse>(node->child1().node());
2620             fixEdge<KnownStringUse>(node->child1());
2621             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2622             return;
2623         }
2624
2625         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2626         if (node->child1()->shouldSpeculateOther()) {
2627             insertCheck<OtherUse>(node->child1().node());
2628             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2629             return;
2630         }
2631
2632         fixEdge<UntypedUse>(node->child1());
2633     }
2634     
2635     void fixupToStringOrCallStringConstructor(Node* node)
2636     {
2637         if (node->child1()->shouldSpeculateString()) {
2638             fixEdge<StringUse>(node->child1());
2639             node->convertToIdentity();
2640             return;
2641         }
2642         
2643         if (node->child1()->shouldSpeculateStringObject()
2644             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2645             fixEdge<StringObjectUse>(node->child1());
2646             return;
2647         }
2648         
2649         if (node->child1()->shouldSpeculateStringOrStringObject()
2650             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2651             fixEdge<StringOrStringObjectUse>(node->child1());
2652             return;
2653         }
2654         
2655         if (node->child1()->shouldSpeculateCell()) {
2656             fixEdge<CellUse>(node->child1());
2657             return;
2658         }
2659
2660         if (node->child1()->shouldSpeculateInt32()) {
2661             fixEdge<Int32Use>(node->child1());
2662             node->clearFlags(NodeMustGenerate);
2663             return;
2664         }
2665
2666         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2667             fixEdge<Int52RepUse>(node->child1());
2668             node->clearFlags(NodeMustGenerate);
2669             return;
2670         }
2671
2672         if (node->child1()->shouldSpeculateNumber()) {
2673             fixEdge<DoubleRepUse>(node->child1());
2674             node->clearFlags(NodeMustGenerate);
2675             return;
2676         }
2677
2678         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2679         // we need to care about it in the clobberize. In the following case,
2680         // since NotCellUse edge filter is used and this edge filters Symbols,
2681         // we can say that ToString never throws an error!
2682         if (node->child1()->shouldSpeculateNotCell()) {
2683             fixEdge<NotCellUse>(node->child1());
2684             node->clearFlags(NodeMustGenerate);
2685             return;
2686         }
2687     }
2688
2689     bool attemptToMakeFastStringAdd(Node* node)
2690     {
2691         bool goodToGo = true;
2692         m_graph.doToChildren(
2693             node,
2694             [&] (Edge& edge) {
2695                 if (edge->shouldSpeculateString())
2696                     return;
2697                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2698                     if (edge->shouldSpeculateStringObject())
2699                         return;
2700                     if (edge->shouldSpeculateStringOrStringObject())
2701                         return;
2702                 }
2703                 goodToGo = false;
2704             });
2705         if (!goodToGo)
2706             return false;
2707
2708         m_graph.doToChildren(
2709             node,
2710             [&] (Edge& edge) {
2711                 if (edge->shouldSpeculateString()) {
2712                     convertStringAddUse<StringUse>(node, edge);
2713                     return;
2714                 }
2715                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2716                 if (edge->shouldSpeculateStringObject()) {
2717                     convertStringAddUse<StringObjectUse>(node, edge);
2718                     return;
2719                 }
2720                 if (edge->shouldSpeculateStringOrStringObject()) {
2721                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2722                     return;
2723                 }
2724                 RELEASE_ASSERT_NOT_REACHED();
2725             });
2726         
2727         convertToMakeRope(node);
2728         return true;
2729     }
2730
2731     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2732     {
2733         if (!block)
2734             return;
2735         ASSERT(block->isReachable);
2736         m_block = block;
2737         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2738             Node* node = m_currentNode = block->at(m_indexInBlock);
2739             if (node->op() != SetLocal && node->op() != GetLocal)
2740                 continue;
2741             
2742             VariableAccessData* variable = node->variableAccessData();
2743             switch (node->op()) {
2744             case GetLocal:
2745                 switch (variable->flushFormat()) {
2746                 case FlushedDouble:
2747                     node->setResult(NodeResultDouble);
2748                     break;
2749                 case FlushedInt52:
2750                     node->setResult(NodeResultInt52);
2751                     break;
2752                 default:
2753                     break;
2754                 }
2755                 break;
2756                 
2757             case SetLocal:
2758                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2759                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2760                 
2761                 switch (variable->flushFormat()) {
2762                 case FlushedJSValue:
2763                     break;
2764                 case FlushedDouble:
2765                     fixEdge<DoubleRepUse>(node->child1());
2766                     break;
2767                 case FlushedInt32:
2768                     fixEdge<Int32Use>(node->child1());
2769                     break;
2770                 case FlushedInt52:
2771                     fixEdge<Int52RepUse>(node->child1());
2772                     break;
2773                 case FlushedCell:
2774                     fixEdge<CellUse>(node->child1());
2775                     break;
2776                 case FlushedBoolean:
2777                     fixEdge<BooleanUse>(node->child1());
2778                     break;
2779                 default:
2780                     RELEASE_ASSERT_NOT_REACHED();
2781                     break;
2782                 }
2783                 break;
2784                 
2785             default:
2786                 RELEASE_ASSERT_NOT_REACHED();
2787                 break;
2788             }
2789         }
2790         m_insertionSet.execute(block);
2791     }
2792     
2793     void addStringReplacePrimordialChecks(Node* searchRegExp)
2794     {
2795         Node* node = m_currentNode;
2796
2797         // Check that structure of searchRegExp is RegExp object
2798         m_insertionSet.insertNode(
2799             m_indexInBlock, SpecNone, Check, node->origin,
2800             Edge(searchRegExp, RegExpObjectUse));
2801
2802         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2803             unsigned index = m_graph.identifiers().ensure(propertyUID);
2804
2805             Node* actualProperty = m_insertionSet.insertNode(
2806                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2807                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2808
2809             m_insertionSet.insertNode(
2810                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2811                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2812         };
2813
2814         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2815
2816         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2817         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2818         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2819         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2820         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2821         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2822         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2823         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2824     }
2825
2826     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2827     {
2828         ASSERT(arrayMode.isSpecific());
2829         
2830         if (arrayMode.type() == Array::String) {
2831             m_insertionSet.insertNode(
2832                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2833         } else {
2834             // Note that we only need to be using a structure check if we opt for SaneChain, since
2835             // that needs to protect against JSArray's __proto__ being changed.
2836             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2837         
2838             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2839             
2840             if (arrayMode.doesConversion()) {
2841                 if (structure) {
2842                     m_insertionSet.insertNode(
2843                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2844                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2845                 } else {
2846                     m_insertionSet.insertNode(
2847                         m_indexInBlock, SpecNone, Arrayify, origin,
2848                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2849                 }
2850             } else {
2851                 if (structure) {
2852                     m_insertionSet.insertNode(
2853                         m_indexInBlock, SpecNone, CheckStructure, origin,
2854                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2855                 } else {
2856                     m_insertionSet.insertNode(
2857                         m_indexInBlock, SpecNone, CheckArray, origin,
2858                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2859                 }
2860             }
2861         }
2862         
2863         if (!storageCheck(arrayMode))
2864             return nullptr;
2865         
2866         if (arrayMode.usesButterfly()) {
2867             return m_insertionSet.insertNode(
2868                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2869         }
2870         
2871         return m_insertionSet.insertNode(
2872             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2873             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2874     }
2875     
2876     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2877     {
2878         Node* node = m_currentNode;
2879         
2880         switch (node->arrayMode().type()) {
2881         case Array::ForceExit: {
2882             m_insertionSet.insertNode(
2883                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2884             return;
2885         }
2886             
2887         case Array::SelectUsingPredictions:
2888         case Array::Unprofiled:
2889             RELEASE_ASSERT_NOT_REACHED();
2890             return;
2891             
2892         case Array::Generic:
2893             return;
2894             
2895         default: {
2896             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2897             if (!storage)
2898                 return;
2899             
2900             storageChild = Edge(storage);
2901             return;
2902         } }
2903     }
2904     
2905     bool alwaysUnboxSimplePrimitives()
2906     {
2907 #if USE(JSVALUE64)
2908         return false;
2909 #else
2910         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2911         // reduces traffic.
2912         return true;
2913 #endif
2914     }
2915
2916     template<UseKind useKind>
2917     void observeUseKindOnNode(Node* node)
2918     {
2919         if (useKind == UntypedUse)
2920             return;
2921         observeUseKindOnNode(node, useKind);
2922     }
2923
2924     void observeUseKindOnEdge(Edge edge)
2925     {
2926         observeUseKindOnNode(edge.node(), edge.useKind());
2927     }
2928
2929     void observeUseKindOnNode(Node* node, UseKind useKind)
2930     {
2931         if (node->op() != GetLocal)
2932             return;
2933         
2934         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2935         // https://bugs.webkit.org/show_bug.cgi?id=121518
2936         
2937         VariableAccessData* variable = node->variableAccessData();
2938         switch (useKind) {
2939         case Int32Use:
2940         case KnownInt32Use:
2941             if (alwaysUnboxSimplePrimitives()
2942                 || isInt32Speculation(variable->prediction()))
2943                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2944             break;
2945         case NumberUse:
2946         case RealNumberUse:
2947         case DoubleRepUse:
2948         case DoubleRepRealUse:
2949             if (variable->doubleFormatState() == UsingDoubleFormat)
2950                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2951             break;
2952         case BooleanUse:
2953         case KnownBooleanUse:
2954             if (alwaysUnboxSimplePrimitives()
2955                 || isBooleanSpeculation(variable->prediction()))
2956                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2957             break;
2958         case Int52RepUse:
2959             if (isAnyIntSpeculation(variable->prediction()))
2960                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2961             break;
2962         case CellUse:
2963         case KnownCellUse:
2964         case ObjectUse:
2965         case FunctionUse:
2966         case StringUse:
2967         case KnownStringUse:
2968         case SymbolUse:
2969         case BigIntUse:
2970         case StringObjectUse:
2971         case StringOrStringObjectUse:
2972             if (alwaysUnboxSimplePrimitives()
2973                 || isCellSpeculation(variable->prediction()))
2974                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2975             break;
2976         default:
2977             break;
2978         }
2979     }
2980     
2981     template<UseKind useKind>
2982     void fixEdge(Edge& edge)
2983     {
2984         observeUseKindOnNode<useKind>(edge.node());
2985         edge.setUseKind(useKind);
2986     }
2987     
2988     unsigned indexForChecks()
2989     {
2990         unsigned index = m_indexInBlock;
2991         while (!m_block->at(index)->origin.exitOK)
2992             index--;
2993         return index;
2994     }
2995     
2996     NodeOrigin originForCheck(unsigned index)
2997     {
2998         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2999     }
3000     
3001     void speculateForBarrier(Edge value)
3002     {
3003         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3004         // the DFG anyway because if such a speculation would be wrong, we want to know before
3005         // we do an expensive compile.
3006         
3007         if (value->shouldSpeculateInt32()) {
3008             insertCheck<Int32Use>(value.node());
3009             return;
3010         }
3011             
3012         if (value->shouldSpeculateBoolean()) {
3013             insertCheck<BooleanUse>(value.node());
3014             return;
3015         }
3016             
3017         if (value->shouldSpeculateOther()) {
3018             insertCheck<OtherUse>(value.node());
3019             return;
3020         }
3021             
3022         if (value->shouldSpeculateNumber()) {
3023             insertCheck<NumberUse>(value.node());
3024             return;
3025         }
3026             
3027         if (value->shouldSpeculateNotCell()) {
3028             insertCheck<NotCellUse>(value.node());
3029             return;
3030         }
3031     }
3032     
3033     template<UseKind useKind>
3034     void insertCheck(Node* node)
3035     {
3036         observeUseKindOnNode<useKind>(node);
3037         unsigned index = indexForChecks();
3038         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3039     }
3040
3041     void fixIntConvertingEdge(Edge& edge)
3042     {
3043         Node* node = edge.node();
3044         if (node->shouldSpeculateInt32OrBoolean()) {
3045             fixIntOrBooleanEdge(edge);
3046             return;
3047         }
3048         
3049         UseKind useKind;
3050         if (node->shouldSpeculateAnyInt())
3051             useKind = Int52RepUse;
3052         else if (node->shouldSpeculateNumber())
3053             useKind = DoubleRepUse;
3054         else
3055             useKind = NotCellUse;
3056         Node* newNode = m_insertionSet.insertNode(
3057             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3058             Edge(node, useKind));
3059         observeUseKindOnNode(node, useKind);
3060         
3061         edge = Edge(newNode, KnownInt32Use);
3062     }
3063     
3064     void fixIntOrBooleanEdge(Edge& edge)
3065     {
3066         Node* node = edge.node();
3067         if (!node->sawBooleans()) {
3068             fixEdge<Int32Use>(edge);
3069             return;
3070         }
3071         
3072         UseKind useKind;
3073         if (node->shouldSpeculateBoolean())
3074             useKind = BooleanUse;
3075         else
3076             useKind = UntypedUse;
3077         Node* newNode = m_insertionSet.insertNode(
3078             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3079             Edge(node, useKind));
3080         observeUseKindOnNode(node, useKind);
3081         
3082         edge = Edge(newNode, Int32Use);
3083     }
3084     
3085     void fixDoubleOrBooleanEdge(Edge& edge)
3086     {
3087         Node* node = edge.node();
3088         if (!node->sawBooleans()) {
3089             fixEdge<DoubleRepUse>(edge);
3090             return;
3091         }
3092         
3093         UseKind useKind;
3094         if (node->shouldSpeculateBoolean())
3095             useKind = BooleanUse;
3096         else
3097             useKind = UntypedUse;
3098         Node* newNode = m_insertionSet.insertNode(
3099             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3100             Edge(node, useKind));
3101         observeUseKindOnNode(node, useKind);
3102         
3103         edge = Edge(newNode, DoubleRepUse);
3104     }
3105     
3106     void truncateConstantToInt32(Edge& edge)
3107     {
3108         Node* oldNode = edge.node();
3109         
3110         JSValue value = oldNode->asJSValue();
3111         if (value.isInt32())
3112             return;
3113         
3114         value = jsNumber(JSC::toInt32(value.asNumber()));
3115         ASSERT(value.isInt32());
3116         edge.setNode(m_insertionSet.insertNode(
3117             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3118             OpInfo(m_graph.freeze(value))));
3119     }
3120     
3121     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3122     {
3123         if (mode != SpeculateInt32AndTruncateConstants)
3124             return;
3125         
3126         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3127         if (node->child1()->hasConstant())
3128             truncateConstantToInt32(node->child1());
3129         else
3130             truncateConstantToInt32(node->child2());
3131     }
3132
3133     bool attemptToMakeIntegerAdd(Node* node)
3134     {
3135         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3136         if (mode != DontSpeculateInt32) {
3137             truncateConstantsIfNecessary(node, mode);
3138             fixIntOrBooleanEdge(node->child1());
3139             fixIntOrBooleanEdge(node->child2());
3140             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3141                 node->setArithMode(Arith::Unchecked);
3142             else
3143                 node->setArithMode(Arith::CheckOverflow);
3144             return true;
3145         }
3146         
3147         if (m_graph.addShouldSpeculateAnyInt(node)) {
3148             fixEdge<Int52RepUse>(node->child1());
3149             fixEdge<Int52RepUse>(node->child2());
3150             node->setArithMode(Arith::CheckOverflow);
3151             node->setResult(NodeResultInt52);
3152             return true;
3153         }
3154         
3155         return false;
3156     }
3157     
3158     bool attemptToMakeGetArrayLength(Node* node)
3159     {
3160         if (!isInt32Speculation(node->prediction()))
3161             return false;
3162         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3163         ArrayProfile* arrayProfile = 
3164             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3165         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3166         if (arrayProfile) {
3167             ConcurrentJSLocker locker(profiledBlock->m_lock);
3168             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3169             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3170             if (arrayMode.type() == Array::Unprofiled) {
3171                 // For normal array operations, it makes sense to treat Unprofiled
3172                 // accesses as ForceExit and get more data rather than using
3173                 // predictions and then possibly ending up with a Generic. But here,
3174                 // we treat anything that is Unprofiled as Generic and keep the
3175                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3176                 // profit - from treating the Unprofiled case as
3177                 // SelectUsingPredictions.
3178                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3179             }
3180         }
3181             
3182         arrayMode = arrayMode.refine(
3183             m_graph, node, node->child1()->prediction(), node->prediction());
3184             
3185         if (arrayMode.type() == Array::Generic) {
3186             // Check if the input is something that we can't get array length for, but for which we
3187             // could insert some conversions in order to transform it into something that we can do it
3188             // for.
3189             if (node->child1()->shouldSpeculateStringObject())
3190                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3191             else if (node->child1()->shouldSpeculateStringOrStringObject())
3192                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3193         }
3194             
3195         if (!arrayMode.supportsSelfLength())
3196             return false;
3197         
3198         convertToGetArrayLength(node, arrayMode);
3199         return true;
3200     }
3201
3202     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3203     {
3204         node->setOp(GetArrayLength);
3205         node->clearFlags(NodeMustGenerate);
3206         fixEdge<KnownCellUse>(node->child1());
3207         node->setArrayMode(arrayMode);
3208             
3209         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3210         if (!storage)
3211             return;
3212             
3213         node->child2() = Edge(storage);
3214     }
3215     
3216     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3217     {
3218         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3219         return m_insertionSet.insertNode(
3220             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3221             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3222     }
3223
3224     void convertToHasIndexedProperty(Node* node)
3225     {
3226         node->setOp(HasIndexedProperty);
3227         node->clearFlags(NodeMustGenerate);
3228         node->setArrayMode(
3229             node->arrayMode().refine(
3230                 m_graph, node,
3231                 node->child1()->prediction(),
3232                 node->child2()->prediction(),
3233                 SpecNone));
3234         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3235
3236         blessArrayOperation(node->child1(), node->child2(), node->child3());
3237
3238         fixEdge<CellUse>(node->child1());
3239         fixEdge<Int32Use>(node->child2());
3240     }
3241
3242     void fixupNormalizeMapKey(Node* node)
3243     {
3244         if (node->child1()->shouldSpeculateBoolean()) {
3245             fixEdge<BooleanUse>(node->child1());
3246             node->convertToIdentity();
3247             return;
3248         }
3249
3250         if (node->child1()->shouldSpeculateInt32()) {
3251             fixEdge<Int32Use>(node->child1());
3252             node->convertToIdentity();
3253             return;
3254         }
3255
3256         if (node->child1()->shouldSpeculateSymbol()) {
3257             fixEdge<SymbolUse>(node->child1());
3258             node->convertToIdentity();
3259             return;
3260         }
3261
3262         if (node->child1()->shouldSpeculateObject()) {
3263             fixEdge<ObjectUse>(node->child1());
3264             node->convertToIdentity();
3265             return;
3266         }
3267
3268         if (node->child1()->shouldSpeculateString()) {
3269             fixEdge<StringUse>(node->child1());
3270             node->convertToIdentity();
3271             return;
3272         }
3273
3274         if (node->child1()->shouldSpeculateCell()) {
3275             fixEdge<CellUse>(node->child1());
3276             node->convertToIdentity();
3277             return;
3278         }
3279
3280         fixEdge<UntypedUse>(node->child1());
3281     }
3282
3283     bool attemptToMakeCallDOM(Node* node)
3284     {
3285         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3286             return false;
3287
3288         const DOMJIT::Signature* signature = node->signature();
3289         if (!signature)
3290             return false;
3291
3292         {
3293             unsigned index = 0;
3294             bool shouldConvertToCallDOM = true;
3295             m_graph.doToChildren(node, [&](Edge& edge) {
3296                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3297                 if (!index)
3298                     return;
3299
3300                 if (index == 1) {
3301                     // DOM node case.
3302                     if (edge->shouldSpeculateNotCell())
3303                         shouldConvertToCallDOM = false;
3304                 } else {
3305                     switch (signature->arguments[index - 2]) {
3306                     case SpecString:
3307                         if (edge->shouldSpeculateNotString())
3308                             shouldConvertToCallDOM = false;
3309                         break;
3310                     case SpecInt32Only:
3311                         if (edge->shouldSpeculateNotInt32())
3312                             shouldConvertToCallDOM = false;
3313                         break;
3314                     case SpecBoolean:
3315                         if (edge->shouldSpeculateNotBoolean())
3316                             shouldConvertToCallDOM = false;
3317                         break;
3318                     default:
3319                         RELEASE_ASSERT_NOT_REACHED();
3320                         break;
3321                     }
3322                 }
3323                 ++index;
3324             });
3325             if (!shouldConvertToCallDOM)
3326                 return false;
3327         }
3328
3329         Node* thisNode = m_graph.varArgChild(node, 1).node();
3330         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3331         node->convertToCallDOM(m_graph);
3332         fixupCheckSubClass(checkSubClass);
3333         fixupCallDOM(node);
3334         return true;
3335     }
3336
3337     void fixupCheckSubClass(Node* node)
3338     {
3339         fixEdge<CellUse>(node->child1());
3340     }
3341
3342     void fixupCallDOM(Node* node)
3343     {
3344         const DOMJIT::Signature* signature = node->signature();
3345         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3346             if (!edge)
3347                 return;
3348             switch (signature->arguments[argumentIndex]) {
3349             case SpecString:
3350                 fixEdge<StringUse>(edge);
3351                 break;
3352             case SpecInt32Only:
3353                 fixEdge<Int32Use>(edge);
3354                 break;
3355             case SpecBoolean:
3356                 fixEdge<BooleanUse>(edge);
3357                 break;
3358             default:
3359                 RELEASE_ASSERT_NOT_REACHED();
3360                 break;
3361             }
3362         };
3363         fixEdge<CellUse>(node->child1()); // DOM.
3364         fixup(node->child2(), 0);
3365         fixup(node->child3(), 1);
3366     }
3367
3368     void fixupArrayIndexOf(Node* node)
3369     {
3370         Edge& array = m_graph.varArgChild(node, 0);
3371         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3372         blessArrayOperation(array, Edge(), storage);
3373         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3374
3375         Edge& searchElement = m_graph.varArgChild(node, 1);
3376
3377         // Constant folding.
3378         switch (node->arrayMode().type()) {
3379         case Array::Double:
3380         case Array::Int32: {
3381             if (searchElement->shouldSpeculateCell()) {
3382                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3383                 m_graph.convertToConstant(node, jsNumber(-1));
3384                 observeUseKindOnNode<CellUse>(searchElement.node());
3385                 return;
3386             }
3387
3388             if (searchElement->shouldSpeculateOther()) {
3389                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3390                 m_graph.convertToConstant(node, jsNumber(-1));
3391                 observeUseKindOnNode<OtherUse>(searchElement.node());
3392                 return;
3393             }
3394
3395             if (searchElement->shouldSpeculateBoolean()) {
3396                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3397                 m_graph.convertToConstant(node, jsNumber(-1));
3398                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3399                 return;
3400             }
3401             break;
3402         }
3403         default:
3404             break;
3405         }
3406
3407         fixEdge<KnownCellUse>(array);
3408         if (node->numChildren() == 4)
3409             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3410
3411         switch (node->arrayMode().type()) {
3412         case Array::Double: {
3413             if (searchElement->shouldSpeculateNumber())
3414                 fixEdge<DoubleRepUse>(searchElement);
3415             return;
3416         }
3417         case Array::Int32: {
3418             if (searchElement->shouldSpeculateInt32())
3419                 fixEdge<Int32Use>(searchElement);
3420             return;
3421         }
3422         case Array::Contiguous: {
3423             if (searchElement->shouldSpeculateString())
3424                 fixEdge<StringUse>(searchElement);
3425             else if (searchElement->shouldSpeculateSymbol())
3426                 fixEdge<SymbolUse>(searchElement);
3427             else if (searchElement->shouldSpeculateOther())
3428                 fixEdge<OtherUse>(searchElement);
3429             else if (searchElement->shouldSpeculateObject())
3430                 fixEdge<ObjectUse>(searchElement);
3431             return;
3432         }
3433         default:
3434             RELEASE_ASSERT_NOT_REACHED();
3435             return;
3436         }
3437     }
3438
3439     void fixupCompareStrictEqAndSameValue(Node* node)
3440     {
3441         ASSERT(node->op() == SameValue || node->op() == CompareStrictEq);
3442
3443         if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
3444             fixEdge<BooleanUse>(node->child1());
3445             fixEdge<BooleanUse>(node->child2());
3446             node->setOpAndDefaultFlags(CompareStrictEq);
3447             return;
3448         }
3449         if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
3450             fixEdge<Int32Use>(node->child1());
3451             fixEdge<Int32Use>(node->child2());
3452             node->setOpAndDefaultFlags(CompareStrictEq);
3453             return;
3454         }
3455         if (enableInt52()
3456             && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
3457             fixEdge<Int52RepUse>(node->child1());
3458             fixEdge<Int52RepUse>(node->child2());
3459             node->setOpAndDefaultFlags(CompareStrictEq);
3460             return;
3461         }
3462         if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
3463             fixEdge<DoubleRepUse>(node->child1());
3464             fixEdge<DoubleRepUse>(node->child2());
3465             // Do not convert SameValue to CompareStrictEq in this case since SameValue(NaN, NaN) and SameValue(-0, +0)
3466             // are not the same to CompareStrictEq(NaN, NaN) and CompareStrictEq(-0, +0).
3467             return;
3468         }
3469         if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
3470             fixEdge<SymbolUse>(node->child1());
3471             fixEdge<SymbolUse>(node->child2());
3472             node->setOpAndDefaultFlags(CompareStrictEq);
3473             return;
3474         }
3475         if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
3476             fixEdge<BigIntUse>(node->child1());
3477             fixEdge<BigIntUse>(node->child2());
3478             node->setOpAndDefaultFlags(CompareStrictEq);
3479             return;
3480         }
3481         if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
3482             fixEdge<StringIdentUse>(node->child1());
3483             fixEdge<StringIdentUse>(node->child2());
3484             node->setOpAndDefaultFlags(CompareStrictEq);
3485             return;
3486         }
3487         if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
3488             fixEdge<StringUse>(node->child1());
3489             fixEdge<StringUse>(node->child2());
3490             node->setOpAndDefaultFlags(CompareStrictEq);
3491             return;
3492         }
3493
3494         if (node->op() == SameValue) {
3495             if (node->child1()->shouldSpeculateObject()) {
3496                 fixEdge<ObjectUse>(node->child1());
3497                 node->setOpAndDefaultFlags(CompareStrictEq);
3498                 return;
3499             }
3500             if (node->child2()->shouldSpeculateObject()) {
3501                 fixEdge<ObjectUse>(node->child2());
3502                 node->setOpAndDefaultFlags(CompareStrictEq);
3503                 return;
3504             }
3505         } else {
3506             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
3507             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
3508                 if (node->child1()->shouldSpeculateObject()) {
3509                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
3510                     fixEdge<ObjectUse>(node->child1());
3511                     return;
3512                 }
3513                 if (node->child2()->shouldSpeculateObject()) {
3514                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
3515                     fixEdge<ObjectUse>(node->child2());
3516                     return;
3517                 }
3518             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
3519                 fixEdge<ObjectUse>(node->child1());
3520                 fixEdge<ObjectUse>(node->child2());
3521                 return;
3522             }
3523         }
3524
3525         if (node->child1()->shouldSpeculateSymbol()) {
3526             fixEdge<SymbolUse>(node->child1());
3527             node->setOpAndDefaultFlags(CompareStrictEq);
3528             return;
3529         }
3530         if (node->child2()->shouldSpeculateSymbol()) {
3531             fixEdge<SymbolUse>(node->child2());
3532             node->setOpAndDefaultFlags(CompareStrictEq);
3533             return;
3534         }
3535         if (node->child1()->shouldSpeculateMisc()) {