[JSC] __proto__ getter should be fast
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149             
150         case ValueAdd: {
151             if (attemptToMakeIntegerAdd(node)) {
152                 node->setOp(ArithAdd);
153                 break;
154             }
155             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
156                 fixDoubleOrBooleanEdge(node->child1());
157                 fixDoubleOrBooleanEdge(node->child2());
158                 node->setOp(ArithAdd);
159                 node->setResult(NodeResultDouble);
160                 break;
161             }
162             
163             if (attemptToMakeFastStringAdd(node))
164                 break;
165
166             Edge& child1 = node->child1();
167             Edge& child2 = node->child2();
168             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
169                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
170                     auto convertString = [&](Node* node, Edge& edge) {
171                         if (edge->shouldSpeculateInt32())
172                             convertStringAddUse<Int32Use>(node, edge);
173                         else {
174                             ASSERT(edge->shouldSpeculateString());
175                             convertStringAddUse<StringUse>(node, edge);
176                         }
177                     };
178                     convertString(node, child1);
179                     convertString(node, child2);
180                     convertToMakeRope(node);
181                     break;
182                 }
183             }
184
185             fixEdge<UntypedUse>(child1);
186             fixEdge<UntypedUse>(child2);
187             node->setResult(NodeResultJS);
188             break;
189         }
190
191         case StrCat: {
192             if (attemptToMakeFastStringAdd(node))
193                 break;
194
195             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
196             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
197             // the implementation of StrCat doesn't dynamically optimize for empty strings.
198             // https://bugs.webkit.org/show_bug.cgi?id=148540
199             m_graph.doToChildren(
200                 node,
201                 [&] (Edge& edge) {
202                     fixEdge<KnownPrimitiveUse>(edge);
203                 });
204             break;
205         }
206             
207         case MakeRope: {
208             fixupMakeRope(node);
209             break;
210         }
211             
212         case ArithAdd:
213         case ArithSub: {
214             if (op == ArithSub
215                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
216                 fixEdge<UntypedUse>(node->child1());
217                 fixEdge<UntypedUse>(node->child2());
218                 node->setResult(NodeResultJS);
219                 break;
220             }
221             if (attemptToMakeIntegerAdd(node))
222                 break;
223             fixDoubleOrBooleanEdge(node->child1());
224             fixDoubleOrBooleanEdge(node->child2());
225             node->setResult(NodeResultDouble);
226             break;
227         }
228             
229         case ArithNegate: {
230             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
231                 fixIntOrBooleanEdge(node->child1());
232                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
233                     node->setArithMode(Arith::Unchecked);
234                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
235                     node->setArithMode(Arith::CheckOverflow);
236                 else
237                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
238                 node->setResult(NodeResultInt32);
239                 node->clearFlags(NodeMustGenerate);
240                 break;
241             }
242             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
243                 fixEdge<Int52RepUse>(node->child1());
244                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
245                     node->setArithMode(Arith::CheckOverflow);
246                 else
247                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
248                 node->setResult(NodeResultInt52);
249                 node->clearFlags(NodeMustGenerate);
250                 break;
251             }
252             if (node->child1()->shouldSpeculateNotCell()) {
253                 fixDoubleOrBooleanEdge(node->child1());
254                 node->setResult(NodeResultDouble);
255                 node->clearFlags(NodeMustGenerate);
256             } else
257                 fixEdge<UntypedUse>(node->child1());
258             break;
259         }
260             
261         case ArithMul: {
262             Edge& leftChild = node->child1();
263             Edge& rightChild = node->child2();
264             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
265                 fixEdge<UntypedUse>(leftChild);
266                 fixEdge<UntypedUse>(rightChild);
267                 node->setResult(NodeResultJS);
268                 break;
269             }
270             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
271                 fixIntOrBooleanEdge(leftChild);
272                 fixIntOrBooleanEdge(rightChild);
273                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
274                     node->setArithMode(Arith::Unchecked);
275                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
276                     || leftChild.node() == rightChild.node())
277                     node->setArithMode(Arith::CheckOverflow);
278                 else
279                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
280                 break;
281             }
282             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
283                 fixEdge<Int52RepUse>(leftChild);
284                 fixEdge<Int52RepUse>(rightChild);
285                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
286                     || leftChild.node() == rightChild.node())
287                     node->setArithMode(Arith::CheckOverflow);
288                 else
289                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
290                 node->setResult(NodeResultInt52);
291                 break;
292             }
293             fixDoubleOrBooleanEdge(leftChild);
294             fixDoubleOrBooleanEdge(rightChild);
295             node->setResult(NodeResultDouble);
296             break;
297         }
298
299         case ArithDiv:
300         case ArithMod: {
301             Edge& leftChild = node->child1();
302             Edge& rightChild = node->child2();
303             if (op == ArithDiv
304                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
305                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
306                 fixEdge<UntypedUse>(leftChild);
307                 fixEdge<UntypedUse>(rightChild);
308                 node->setResult(NodeResultJS);
309                 break;
310             }
311             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
312                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
313                     fixIntOrBooleanEdge(leftChild);
314                     fixIntOrBooleanEdge(rightChild);
315                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
316                         node->setArithMode(Arith::Unchecked);
317                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
318                         node->setArithMode(Arith::CheckOverflow);
319                     else
320                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
321                     break;
322                 }
323                 
324                 // This will cause conversion nodes to be inserted later.
325                 fixDoubleOrBooleanEdge(leftChild);
326                 fixDoubleOrBooleanEdge(rightChild);
327                 
328                 // We don't need to do ref'ing on the children because we're stealing them from
329                 // the original division.
330                 Node* newDivision = m_insertionSet.insertNode(
331                     m_indexInBlock, SpecBytecodeDouble, *node);
332                 newDivision->setResult(NodeResultDouble);
333                 
334                 node->setOp(DoubleAsInt32);
335                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
336                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
337                     node->setArithMode(Arith::CheckOverflow);
338                 else
339                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
340                 break;
341             }
342             fixDoubleOrBooleanEdge(leftChild);
343             fixDoubleOrBooleanEdge(rightChild);
344             node->setResult(NodeResultDouble);
345             break;
346         }
347             
348         case ArithMin:
349         case ArithMax: {
350             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
351                 fixIntOrBooleanEdge(node->child1());
352                 fixIntOrBooleanEdge(node->child2());
353                 break;
354             }
355             fixDoubleOrBooleanEdge(node->child1());
356             fixDoubleOrBooleanEdge(node->child2());
357             node->setResult(NodeResultDouble);
358             break;
359         }
360             
361         case ArithAbs: {
362             if (node->child1()->shouldSpeculateInt32OrBoolean()
363                 && node->canSpeculateInt32(FixupPass)) {
364                 fixIntOrBooleanEdge(node->child1());
365                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
366                     node->setArithMode(Arith::Unchecked);
367                 else
368                     node->setArithMode(Arith::CheckOverflow);
369                 node->clearFlags(NodeMustGenerate);
370                 node->setResult(NodeResultInt32);
371                 break;
372             }
373
374             if (node->child1()->shouldSpeculateNotCell()) {
375                 fixDoubleOrBooleanEdge(node->child1());
376                 node->clearFlags(NodeMustGenerate);
377             } else
378                 fixEdge<UntypedUse>(node->child1());
379             node->setResult(NodeResultDouble);
380             break;
381         }
382
383         case ArithPow: {
384             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
385                 fixDoubleOrBooleanEdge(node->child1());
386                 fixIntOrBooleanEdge(node->child2());
387                 break;
388             }
389
390             fixDoubleOrBooleanEdge(node->child1());
391             fixDoubleOrBooleanEdge(node->child2());
392             break;
393         }
394
395         case ArithRandom: {
396             node->setResult(NodeResultDouble);
397             break;
398         }
399
400         case ArithRound:
401         case ArithFloor:
402         case ArithCeil:
403         case ArithTrunc: {
404             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
405                 fixIntOrBooleanEdge(node->child1());
406                 insertCheck<Int32Use>(node->child1().node());
407                 node->convertToIdentity();
408                 break;
409             }
410             if (node->child1()->shouldSpeculateNotCell()) {
411                 fixDoubleOrBooleanEdge(node->child1());
412
413                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
414                     node->setResult(NodeResultInt32);
415                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
416                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
417                     else
418                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
419                 } else {
420                     node->setResult(NodeResultDouble);
421                     node->setArithRoundingMode(Arith::RoundingMode::Double);
422                 }
423                 node->clearFlags(NodeMustGenerate);
424             } else
425                 fixEdge<UntypedUse>(node->child1());
426             break;
427         }
428
429         case ArithFRound:
430         case ArithSqrt:
431         case ArithUnary: {
432             Edge& child1 = node->child1();
433             if (child1->shouldSpeculateNotCell()) {
434                 fixDoubleOrBooleanEdge(child1);
435                 node->clearFlags(NodeMustGenerate);
436             } else
437                 fixEdge<UntypedUse>(child1);
438             break;
439         }
440             
441         case LogicalNot: {
442             if (node->child1()->shouldSpeculateBoolean()) {
443                 if (node->child1()->result() == NodeResultBoolean) {
444                     // This is necessary in case we have a bytecode instruction implemented by:
445                     //
446                     // a: CompareEq(...)
447                     // b: LogicalNot(@a)
448                     //
449                     // In that case, CompareEq might have a side-effect. Then, we need to make
450                     // sure that we know that Branch does not exit.
451                     fixEdge<KnownBooleanUse>(node->child1());
452                 } else
453                     fixEdge<BooleanUse>(node->child1());
454             } else if (node->child1()->shouldSpeculateObjectOrOther())
455                 fixEdge<ObjectOrOtherUse>(node->child1());
456             else if (node->child1()->shouldSpeculateInt32OrBoolean())
457                 fixIntOrBooleanEdge(node->child1());
458             else if (node->child1()->shouldSpeculateNumber())
459                 fixEdge<DoubleRepUse>(node->child1());
460             else if (node->child1()->shouldSpeculateString())
461                 fixEdge<StringUse>(node->child1());
462             else if (node->child1()->shouldSpeculateStringOrOther())
463                 fixEdge<StringOrOtherUse>(node->child1());
464             else {
465                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
466                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
467                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
468             }
469             break;
470         }
471
472         case CompareEq:
473         case CompareLess:
474         case CompareLessEq:
475         case CompareGreater:
476         case CompareGreaterEq: {
477             if (node->op() == CompareEq
478                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
479                 fixEdge<BooleanUse>(node->child1());
480                 fixEdge<BooleanUse>(node->child2());
481                 node->clearFlags(NodeMustGenerate);
482                 break;
483             }
484             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
485                 fixIntOrBooleanEdge(node->child1());
486                 fixIntOrBooleanEdge(node->child2());
487                 node->clearFlags(NodeMustGenerate);
488                 break;
489             }
490             if (enableInt52()
491                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
492                 fixEdge<Int52RepUse>(node->child1());
493                 fixEdge<Int52RepUse>(node->child2());
494                 node->clearFlags(NodeMustGenerate);
495                 break;
496             }
497             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
498                 fixDoubleOrBooleanEdge(node->child1());
499                 fixDoubleOrBooleanEdge(node->child2());
500             }
501             if (node->op() != CompareEq
502                 && node->child1()->shouldSpeculateNotCell()
503                 && node->child2()->shouldSpeculateNotCell()) {
504                 if (node->child1()->shouldSpeculateNumberOrBoolean())
505                     fixDoubleOrBooleanEdge(node->child1());
506                 else
507                     fixEdge<DoubleRepUse>(node->child1());
508                 if (node->child2()->shouldSpeculateNumberOrBoolean())
509                     fixDoubleOrBooleanEdge(node->child2());
510                 else
511                     fixEdge<DoubleRepUse>(node->child2());
512                 node->clearFlags(NodeMustGenerate);
513                 break;
514             }
515             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
516                 fixEdge<StringIdentUse>(node->child1());
517                 fixEdge<StringIdentUse>(node->child2());
518                 node->clearFlags(NodeMustGenerate);
519                 break;
520             }
521             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
522                 fixEdge<StringUse>(node->child1());
523                 fixEdge<StringUse>(node->child2());
524                 node->clearFlags(NodeMustGenerate);
525                 break;
526             }
527
528             if (node->op() != CompareEq)
529                 break;
530             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
531                 fixEdge<SymbolUse>(node->child1());
532                 fixEdge<SymbolUse>(node->child2());
533                 node->clearFlags(NodeMustGenerate);
534                 break;
535             }
536             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
537                 fixEdge<ObjectUse>(node->child1());
538                 fixEdge<ObjectUse>(node->child2());
539                 node->clearFlags(NodeMustGenerate);
540                 break;
541             }
542
543             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
544             bool oneArgumentIsUsedAsSpecOther = false;
545             if (node->child1()->isUndefinedOrNullConstant()) {
546                 fixEdge<OtherUse>(node->child1());
547                 oneArgumentIsUsedAsSpecOther = true;
548             } else if (node->child1()->shouldSpeculateOther()) {
549                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
550                     Edge(node->child1().node(), OtherUse));
551                 fixEdge<OtherUse>(node->child1());
552                 oneArgumentIsUsedAsSpecOther = true;
553             }
554             if (node->child2()->isUndefinedOrNullConstant()) {
555                 fixEdge<OtherUse>(node->child2());
556                 oneArgumentIsUsedAsSpecOther = true;
557             } else if (node->child2()->shouldSpeculateOther()) {
558                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
559                     Edge(node->child2().node(), OtherUse));
560                 fixEdge<OtherUse>(node->child2());
561                 oneArgumentIsUsedAsSpecOther = true;
562             }
563             if (oneArgumentIsUsedAsSpecOther) {
564                 node->clearFlags(NodeMustGenerate);
565                 break;
566             }
567
568             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
569                 fixEdge<ObjectUse>(node->child1());
570                 fixEdge<ObjectOrOtherUse>(node->child2());
571                 node->clearFlags(NodeMustGenerate);
572                 break;
573             }
574             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
575                 fixEdge<ObjectOrOtherUse>(node->child1());
576                 fixEdge<ObjectUse>(node->child2());
577                 node->clearFlags(NodeMustGenerate);
578                 break;
579             }
580
581             break;
582         }
583             
584         case CompareStrictEq: {
585             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
586                 fixEdge<BooleanUse>(node->child1());
587                 fixEdge<BooleanUse>(node->child2());
588                 break;
589             }
590             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
591                 fixEdge<Int32Use>(node->child1());
592                 fixEdge<Int32Use>(node->child2());
593                 break;
594             }
595             if (enableInt52()
596                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
597                 fixEdge<Int52RepUse>(node->child1());
598                 fixEdge<Int52RepUse>(node->child2());
599                 break;
600             }
601             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
602                 fixEdge<DoubleRepUse>(node->child1());
603                 fixEdge<DoubleRepUse>(node->child2());
604                 break;
605             }
606             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
607                 fixEdge<SymbolUse>(node->child1());
608                 fixEdge<SymbolUse>(node->child2());
609                 break;
610             }
611             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
612                 fixEdge<StringIdentUse>(node->child1());
613                 fixEdge<StringIdentUse>(node->child2());
614                 break;
615             }
616             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
617                 fixEdge<StringUse>(node->child1());
618                 fixEdge<StringUse>(node->child2());
619                 break;
620             }
621             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
622             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
623                 
624                 if (node->child1()->shouldSpeculateObject()) {
625                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
626                     fixEdge<ObjectUse>(node->child1());
627                     break;
628                 }
629                 if (node->child2()->shouldSpeculateObject()) {
630                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
631                     fixEdge<ObjectUse>(node->child2());
632                     break;
633                 }
634                 
635             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
636                 fixEdge<ObjectUse>(node->child1());
637                 fixEdge<ObjectUse>(node->child2());
638                 break;
639             }
640             if (node->child1()->shouldSpeculateSymbol()) {
641                 fixEdge<SymbolUse>(node->child1());
642                 break;
643             }
644             if (node->child2()->shouldSpeculateSymbol()) {
645                 fixEdge<SymbolUse>(node->child2());
646                 break;
647             }
648             if (node->child1()->shouldSpeculateMisc()) {
649                 fixEdge<MiscUse>(node->child1());
650                 break;
651             }
652             if (node->child2()->shouldSpeculateMisc()) {
653                 fixEdge<MiscUse>(node->child2());
654                 break;
655             }
656             if (node->child1()->shouldSpeculateStringIdent()
657                 && node->child2()->shouldSpeculateNotStringVar()) {
658                 fixEdge<StringIdentUse>(node->child1());
659                 fixEdge<NotStringVarUse>(node->child2());
660                 break;
661             }
662             if (node->child2()->shouldSpeculateStringIdent()
663                 && node->child1()->shouldSpeculateNotStringVar()) {
664                 fixEdge<StringIdentUse>(node->child2());
665                 fixEdge<NotStringVarUse>(node->child1());
666                 break;
667             }
668             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
669                 fixEdge<StringUse>(node->child1());
670                 break;
671             }
672             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
673                 fixEdge<StringUse>(node->child2());
674                 break;
675             }
676             break;
677         }
678             
679         case StringFromCharCode:
680             if (node->child1()->shouldSpeculateInt32())
681                 fixEdge<Int32Use>(node->child1());
682             else
683                 fixEdge<UntypedUse>(node->child1());
684             break;
685
686         case StringCharAt:
687         case StringCharCodeAt: {
688             // Currently we have no good way of refining these.
689             ASSERT(node->arrayMode() == ArrayMode(Array::String));
690             blessArrayOperation(node->child1(), node->child2(), node->child3());
691             fixEdge<KnownCellUse>(node->child1());
692             fixEdge<Int32Use>(node->child2());
693             break;
694         }
695
696         case GetByVal: {
697             if (!node->prediction()) {
698                 m_insertionSet.insertNode(
699                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
700             }
701             
702             node->setArrayMode(
703                 node->arrayMode().refine(
704                     m_graph, node,
705                     node->child1()->prediction(),
706                     node->child2()->prediction(),
707                     SpecNone));
708             
709             blessArrayOperation(node->child1(), node->child2(), node->child3());
710             
711             ArrayMode arrayMode = node->arrayMode();
712             switch (arrayMode.type()) {
713             case Array::Contiguous:
714             case Array::Double:
715                 if (arrayMode.arrayClass() == Array::OriginalArray
716                     && arrayMode.speculation() == Array::InBounds) {
717                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
718                     if (globalObject->arrayPrototypeChainIsSane()) {
719                         // Check if SaneChain will work on a per-type basis. Note that:
720                         //
721                         // 1) We don't want double arrays to sometimes return undefined, since
722                         // that would require a change to the return type and it would pessimise
723                         // things a lot. So, we'd only want to do that if we actually had
724                         // evidence that we could read from a hole. That's pretty annoying.
725                         // Likely the best way to handle that case is with an equivalent of
726                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
727                         // NaN are indistinguishable according to backwards propagation, and just
728                         // use SaneChain in that case. This happens to catch a lot of cases.
729                         //
730                         // 2) We don't want int32 array loads to have to do a hole check just to
731                         // coerce to Undefined, since that would mean twice the checks.
732                         //
733                         // This has two implications. First, we have to do more checks than we'd
734                         // like. It's unfortunate that we have to do the hole check. Second,
735                         // some accesses that hit a hole will now need to take the full-blown
736                         // out-of-bounds slow path. We can fix that with:
737                         // https://bugs.webkit.org/show_bug.cgi?id=144668
738                         
739                         bool canDoSaneChain = false;
740                         switch (arrayMode.type()) {
741                         case Array::Contiguous:
742                             // This is happens to be entirely natural. We already would have
743                             // returned any JSValue, and now we'll return Undefined. We still do
744                             // the check but it doesn't require taking any kind of slow path.
745                             canDoSaneChain = true;
746                             break;
747                             
748                         case Array::Double:
749                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
750                                 // Holes look like NaN already, so if the user doesn't care
751                                 // about the difference between Undefined and NaN then we can
752                                 // do this.
753                                 canDoSaneChain = true;
754                             }
755                             break;
756                             
757                         default:
758                             break;
759                         }
760                         
761                         if (canDoSaneChain) {
762                             m_graph.watchpoints().addLazily(
763                                 globalObject->arrayPrototype()->structure()->transitionWatchpointSet());
764                             m_graph.watchpoints().addLazily(
765                                 globalObject->objectPrototype()->structure()->transitionWatchpointSet());
766                             if (globalObject->arrayPrototypeChainIsSane())
767                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
768                         }
769                     }
770                 }
771                 break;
772                 
773             case Array::String:
774                 if ((node->prediction() & ~SpecString)
775                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
776                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
777                 break;
778                 
779             default:
780                 break;
781             }
782             
783             arrayMode = node->arrayMode();
784             switch (arrayMode.type()) {
785             case Array::SelectUsingPredictions:
786             case Array::Unprofiled:
787                 RELEASE_ASSERT_NOT_REACHED();
788                 break;
789             case Array::Generic:
790                 if (node->child1()->shouldSpeculateObject()) {
791                     if (node->child2()->shouldSpeculateString()) {
792                         fixEdge<ObjectUse>(node->child1());
793                         fixEdge<StringUse>(node->child2());
794                         break;
795                     }
796
797                     if (node->child2()->shouldSpeculateSymbol()) {
798                         fixEdge<ObjectUse>(node->child1());
799                         fixEdge<SymbolUse>(node->child2());
800                         break;
801                     }
802                 }
803 #if USE(JSVALUE32_64)
804                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
805 #endif
806                 break;
807             case Array::ForceExit:
808                 break;
809             default:
810                 fixEdge<KnownCellUse>(node->child1());
811                 fixEdge<Int32Use>(node->child2());
812                 break;
813             }
814             
815             switch (arrayMode.type()) {
816             case Array::Double:
817                 if (!arrayMode.isOutOfBounds())
818                     node->setResult(NodeResultDouble);
819                 break;
820                 
821             case Array::Float32Array:
822             case Array::Float64Array:
823                 node->setResult(NodeResultDouble);
824                 break;
825                 
826             case Array::Uint32Array:
827                 if (node->shouldSpeculateInt32())
828                     break;
829                 if (node->shouldSpeculateAnyInt() && enableInt52())
830                     node->setResult(NodeResultInt52);
831                 else
832                     node->setResult(NodeResultDouble);
833                 break;
834                 
835             default:
836                 break;
837             }
838             
839             break;
840         }
841
842         case PutByValDirect:
843         case PutByVal:
844         case PutByValAlias: {
845             Edge& child1 = m_graph.varArgChild(node, 0);
846             Edge& child2 = m_graph.varArgChild(node, 1);
847             Edge& child3 = m_graph.varArgChild(node, 2);
848
849             node->setArrayMode(
850                 node->arrayMode().refine(
851                     m_graph, node,
852                     child1->prediction(),
853                     child2->prediction(),
854                     child3->prediction()));
855             
856             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
857             
858             switch (node->arrayMode().modeForPut().type()) {
859             case Array::SelectUsingPredictions:
860             case Array::SelectUsingArguments:
861             case Array::Unprofiled:
862             case Array::Undecided:
863                 RELEASE_ASSERT_NOT_REACHED();
864                 break;
865             case Array::ForceExit:
866             case Array::Generic:
867                 if (child1->shouldSpeculateCell()) {
868                     if (child2->shouldSpeculateString()) {
869                         fixEdge<CellUse>(child1);
870                         fixEdge<StringUse>(child2);
871                         break;
872                     }
873
874                     if (child2->shouldSpeculateSymbol()) {
875                         fixEdge<CellUse>(child1);
876                         fixEdge<SymbolUse>(child2);
877                         break;
878                     }
879                 }
880 #if USE(JSVALUE32_64)
881                 // Due to register pressure on 32-bit, we speculate cell and
882                 // ignore the base-is-not-cell case entirely by letting the
883                 // baseline JIT handle it.
884                 fixEdge<CellUse>(child1);
885 #endif
886                 break;
887             case Array::Int32:
888                 fixEdge<KnownCellUse>(child1);
889                 fixEdge<Int32Use>(child2);
890                 fixEdge<Int32Use>(child3);
891                 break;
892             case Array::Double:
893                 fixEdge<KnownCellUse>(child1);
894                 fixEdge<Int32Use>(child2);
895                 fixEdge<DoubleRepRealUse>(child3);
896                 break;
897             case Array::Int8Array:
898             case Array::Int16Array:
899             case Array::Int32Array:
900             case Array::Uint8Array:
901             case Array::Uint8ClampedArray:
902             case Array::Uint16Array:
903             case Array::Uint32Array:
904                 fixEdge<KnownCellUse>(child1);
905                 fixEdge<Int32Use>(child2);
906                 if (child3->shouldSpeculateInt32())
907                     fixIntOrBooleanEdge(child3);
908                 else if (child3->shouldSpeculateAnyInt())
909                     fixEdge<Int52RepUse>(child3);
910                 else
911                     fixDoubleOrBooleanEdge(child3);
912                 break;
913             case Array::Float32Array:
914             case Array::Float64Array:
915                 fixEdge<KnownCellUse>(child1);
916                 fixEdge<Int32Use>(child2);
917                 fixDoubleOrBooleanEdge(child3);
918                 break;
919             case Array::Contiguous:
920             case Array::ArrayStorage:
921             case Array::SlowPutArrayStorage:
922                 fixEdge<KnownCellUse>(child1);
923                 fixEdge<Int32Use>(child2);
924                 speculateForBarrier(child3);
925                 break;
926             default:
927                 fixEdge<KnownCellUse>(child1);
928                 fixEdge<Int32Use>(child2);
929                 break;
930             }
931             break;
932         }
933             
934         case AtomicsAdd:
935         case AtomicsAnd:
936         case AtomicsCompareExchange:
937         case AtomicsExchange:
938         case AtomicsLoad:
939         case AtomicsOr:
940         case AtomicsStore:
941         case AtomicsSub:
942         case AtomicsXor: {
943             Edge& base = m_graph.child(node, 0);
944             Edge& index = m_graph.child(node, 1);
945             
946             bool badNews = false;
947             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
948                 Edge& child = m_graph.child(node, 2 + i);
949                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
950                 // just call the function when that happens. But the FTL is totally cool with those
951                 // conversions.
952                 if (!child->shouldSpeculateInt32()
953                     && !child->shouldSpeculateAnyInt()
954                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
955                     badNews = true;
956             }
957             
958             if (badNews) {
959                 node->setArrayMode(ArrayMode(Array::Generic));
960                 break;
961             }
962             
963             node->setArrayMode(
964                 node->arrayMode().refine(
965                     m_graph, node, base->prediction(), index->prediction()));
966             
967             if (node->arrayMode().type() == Array::Generic)
968                 break;
969             
970             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
971                 Edge& child = m_graph.child(node, 2 + i);
972                 if (child->shouldSpeculateInt32())
973                     fixIntOrBooleanEdge(child);
974                 else if (child->shouldSpeculateAnyInt())
975                     fixEdge<Int52RepUse>(child);
976                 else {
977                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
978                     fixDoubleOrBooleanEdge(child);
979                 }
980             }
981             
982             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
983             fixEdge<CellUse>(base);
984             fixEdge<Int32Use>(index);
985             
986             if (node->arrayMode().type() == Array::Uint32Array) {
987                 // NOTE: This means basically always doing Int52.
988                 if (node->shouldSpeculateAnyInt() && enableInt52())
989                     node->setResult(NodeResultInt52);
990                 else
991                     node->setResult(NodeResultDouble);
992             }
993             break;
994         }
995             
996         case AtomicsIsLockFree:
997             if (node->child1()->shouldSpeculateInt32())
998                 fixIntOrBooleanEdge(node->child1());
999             break;
1000             
1001         case ArrayPush: {
1002             // May need to refine the array mode in case the value prediction contravenes
1003             // the array prediction. For example, we may have evidence showing that the
1004             // array is in Int32 mode, but the value we're storing is likely to be a double.
1005             // Then we should turn this into a conversion to Double array followed by the
1006             // push. On the other hand, we absolutely don't want to refine based on the
1007             // base prediction. If it has non-cell garbage in it, then we want that to be
1008             // ignored. That's because ArrayPush can't handle any array modes that aren't
1009             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1010             // that would break things.
1011             Edge& storageEdge = m_graph.varArgChild(node, 0);
1012             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1013             unsigned elementOffset = 2;
1014             unsigned elementCount = node->numChildren() - elementOffset;
1015             for (unsigned i = 0; i < elementCount; ++i) {
1016                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1017                 node->setArrayMode(
1018                     node->arrayMode().refine(
1019                         m_graph, node,
1020                         arrayEdge->prediction() & SpecCell,
1021                         SpecInt32Only,
1022                         element->prediction()));
1023             }
1024             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1025             fixEdge<KnownCellUse>(arrayEdge);
1026
1027             // Convert `array.push()` to GetArrayLength.
1028             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1029                 node->setOpAndDefaultFlags(GetArrayLength);
1030                 node->child1() = arrayEdge;
1031                 node->child2() = storageEdge;
1032                 fixEdge<KnownCellUse>(node->child1());
1033                 break;
1034             }
1035
1036             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1037             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1038             for (unsigned i = 0; i < elementCount; ++i) {
1039                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1040                 switch (node->arrayMode().type()) {
1041                 case Array::Int32:
1042                     insertCheck<Int32Use>(element.node());
1043                     fixEdge<KnownInt32Use>(element);
1044                     break;
1045                 case Array::Double:
1046                     insertCheck<DoubleRepRealUse>(element.node());
1047                     fixEdge<DoubleRepUse>(element);
1048                     break;
1049                 case Array::Contiguous:
1050                 case Array::ArrayStorage:
1051                     speculateForBarrier(element);
1052                     break;
1053                 default:
1054                     break;
1055                 }
1056                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1057             }
1058             break;
1059         }
1060             
1061         case ArrayPop: {
1062             blessArrayOperation(node->child1(), Edge(), node->child2());
1063             fixEdge<KnownCellUse>(node->child1());
1064             break;
1065         }
1066
1067         case ArraySlice: {
1068             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1069             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1070             if (node->numChildren() == 4)
1071                 fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1072             break;
1073         }
1074
1075         case ArrayIndexOf:
1076             fixupArrayIndexOf(node);
1077             break;
1078             
1079         case RegExpExec:
1080         case RegExpTest: {
1081             fixEdge<KnownCellUse>(node->child1());
1082             
1083             if (node->child2()->shouldSpeculateRegExpObject()) {
1084                 fixEdge<RegExpObjectUse>(node->child2());
1085
1086                 if (node->child3()->shouldSpeculateString())
1087                     fixEdge<StringUse>(node->child3());
1088             }
1089             break;
1090         }
1091
1092         case StringReplace:
1093         case StringReplaceRegExp: {
1094             if (node->child2()->shouldSpeculateString()) {
1095                 m_insertionSet.insertNode(
1096                     m_indexInBlock, SpecNone, Check, node->origin,
1097                     Edge(node->child2().node(), StringUse));
1098                 fixEdge<StringUse>(node->child2());
1099             } else if (op == StringReplace) {
1100                 if (node->child2()->shouldSpeculateRegExpObject())
1101                     addStringReplacePrimordialChecks(node->child2().node());
1102                 else 
1103                     m_insertionSet.insertNode(
1104                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1105             }
1106
1107             if (node->child1()->shouldSpeculateString()
1108                 && node->child2()->shouldSpeculateRegExpObject()
1109                 && node->child3()->shouldSpeculateString()) {
1110
1111                 fixEdge<StringUse>(node->child1());
1112                 fixEdge<RegExpObjectUse>(node->child2());
1113                 fixEdge<StringUse>(node->child3());
1114                 break;
1115             }
1116             break;
1117         }
1118             
1119         case Branch: {
1120             if (node->child1()->shouldSpeculateBoolean()) {
1121                 if (node->child1()->result() == NodeResultBoolean) {
1122                     // This is necessary in case we have a bytecode instruction implemented by:
1123                     //
1124                     // a: CompareEq(...)
1125                     // b: Branch(@a)
1126                     //
1127                     // In that case, CompareEq might have a side-effect. Then, we need to make
1128                     // sure that we know that Branch does not exit.
1129                     fixEdge<KnownBooleanUse>(node->child1());
1130                 } else
1131                     fixEdge<BooleanUse>(node->child1());
1132             } else if (node->child1()->shouldSpeculateObjectOrOther())
1133                 fixEdge<ObjectOrOtherUse>(node->child1());
1134             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1135                 fixIntOrBooleanEdge(node->child1());
1136             else if (node->child1()->shouldSpeculateNumber())
1137                 fixEdge<DoubleRepUse>(node->child1());
1138             else if (node->child1()->shouldSpeculateString())
1139                 fixEdge<StringUse>(node->child1());
1140             else if (node->child1()->shouldSpeculateStringOrOther())
1141                 fixEdge<StringOrOtherUse>(node->child1());
1142             else {
1143                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1144                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1145                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1146             }
1147             break;
1148         }
1149             
1150         case Switch: {
1151             SwitchData* data = node->switchData();
1152             switch (data->kind) {
1153             case SwitchImm:
1154                 if (node->child1()->shouldSpeculateInt32())
1155                     fixEdge<Int32Use>(node->child1());
1156                 break;
1157             case SwitchChar:
1158                 if (node->child1()->shouldSpeculateString())
1159                     fixEdge<StringUse>(node->child1());
1160                 break;
1161             case SwitchString:
1162                 if (node->child1()->shouldSpeculateStringIdent())
1163                     fixEdge<StringIdentUse>(node->child1());
1164                 else if (node->child1()->shouldSpeculateString())
1165                     fixEdge<StringUse>(node->child1());
1166                 break;
1167             case SwitchCell:
1168                 if (node->child1()->shouldSpeculateCell())
1169                     fixEdge<CellUse>(node->child1());
1170                 // else it's fine for this to have UntypedUse; we will handle this by just making
1171                 // non-cells take the default case.
1172                 break;
1173             }
1174             break;
1175         }
1176             
1177         case ToPrimitive: {
1178             fixupToPrimitive(node);
1179             break;
1180         }
1181
1182         case ToNumber: {
1183             fixupToNumber(node);
1184             break;
1185         }
1186             
1187         case ToString:
1188         case CallStringConstructor: {
1189             fixupToStringOrCallStringConstructor(node);
1190             break;
1191         }
1192             
1193         case NewStringObject: {
1194             fixEdge<KnownStringUse>(node->child1());
1195             break;
1196         }
1197
1198         case NewArrayWithSpread: {
1199             watchHavingABadTime(node);
1200             
1201             BitVector* bitVector = node->bitVector();
1202             for (unsigned i = node->numChildren(); i--;) {
1203                 if (bitVector->get(i))
1204                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1205                 else
1206                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1207             }
1208
1209             break;
1210         }
1211
1212         case Spread: {
1213             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1214             
1215             watchHavingABadTime(node->child1().node());
1216
1217             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1218             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1219             // that it doesn't contain any indexed properties, and that any holes will result in
1220             // jsUndefined().
1221             InlineWatchpointSet& objectPrototypeTransition = globalObject->objectPrototype()->structure()->transitionWatchpointSet();
1222             InlineWatchpointSet& arrayPrototypeTransition = globalObject->arrayPrototype()->structure()->transitionWatchpointSet();
1223             if (node->child1()->shouldSpeculateArray() 
1224                 && arrayPrototypeTransition.isStillValid() 
1225                 && objectPrototypeTransition.isStillValid() 
1226                 && globalObject->arrayPrototypeChainIsSane()
1227                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1228                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1229                 m_graph.watchpoints().addLazily(objectPrototypeTransition);
1230                 m_graph.watchpoints().addLazily(arrayPrototypeTransition);
1231                 fixEdge<ArrayUse>(node->child1());
1232             } else
1233                 fixEdge<CellUse>(node->child1());
1234             break;
1235         }
1236             
1237         case NewArray: {
1238             watchHavingABadTime(node);
1239             
1240             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1241                 node->setIndexingType(
1242                     leastUpperBoundOfIndexingTypeAndType(
1243                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1244             }
1245             switch (node->indexingType()) {
1246             case ALL_BLANK_INDEXING_TYPES:
1247                 CRASH();
1248                 break;
1249             case ALL_UNDECIDED_INDEXING_TYPES:
1250                 if (node->numChildren()) {
1251                     // This will only happen if the children have no type predictions. We
1252                     // would have already exited by now, but insert a forced exit just to
1253                     // be safe.
1254                     m_insertionSet.insertNode(
1255                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1256                 }
1257                 break;
1258             case ALL_INT32_INDEXING_TYPES:
1259                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1260                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1261                 break;
1262             case ALL_DOUBLE_INDEXING_TYPES:
1263                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1264                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1265                 break;
1266             case ALL_CONTIGUOUS_INDEXING_TYPES:
1267             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1268                 break;
1269             default:
1270                 CRASH();
1271                 break;
1272             }
1273             break;
1274         }
1275             
1276         case NewTypedArray: {
1277             watchHavingABadTime(node);
1278             
1279             if (node->child1()->shouldSpeculateInt32()) {
1280                 fixEdge<Int32Use>(node->child1());
1281                 node->clearFlags(NodeMustGenerate);
1282                 break;
1283             }
1284             break;
1285         }
1286             
1287         case NewArrayWithSize: {
1288             watchHavingABadTime(node);
1289             fixEdge<Int32Use>(node->child1());
1290             break;
1291         }
1292
1293         case NewArrayBuffer: {
1294             watchHavingABadTime(node);
1295             break;
1296         }
1297
1298         case CallObjectConstructor: {
1299             if (node->child1()->shouldSpeculateObject()) {
1300                 fixEdge<ObjectUse>(node->child1());
1301                 node->convertToIdentity();
1302                 break;
1303             }
1304
1305             fixEdge<UntypedUse>(node->child1());
1306             break;
1307         }
1308
1309         case ToThis: {
1310             fixupToThis(node);
1311             break;
1312         }
1313             
1314         case PutStructure: {
1315             fixEdge<KnownCellUse>(node->child1());
1316             break;
1317         }
1318             
1319         case GetClosureVar:
1320         case GetFromArguments: {
1321             fixEdge<KnownCellUse>(node->child1());
1322             break;
1323         }
1324
1325         case PutClosureVar:
1326         case PutToArguments: {
1327             fixEdge<KnownCellUse>(node->child1());
1328             speculateForBarrier(node->child2());
1329             break;
1330         }
1331
1332         case SkipScope:
1333         case GetScope:
1334         case GetGetter:
1335         case GetSetter:
1336         case GetGlobalObject: {
1337             fixEdge<KnownCellUse>(node->child1());
1338             break;
1339         }
1340             
1341         case AllocatePropertyStorage:
1342         case ReallocatePropertyStorage: {
1343             fixEdge<KnownCellUse>(node->child1());
1344             break;
1345         }
1346             
1347         case NukeStructureAndSetButterfly: {
1348             fixEdge<KnownCellUse>(node->child1());
1349             break;
1350         }
1351
1352         case TryGetById: {
1353             if (node->child1()->shouldSpeculateCell())
1354                 fixEdge<CellUse>(node->child1());
1355             break;
1356         }
1357
1358         case GetById:
1359         case GetByIdFlush: {
1360             // FIXME: This should be done in the ByteCodeParser based on reading the
1361             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1362             // https://bugs.webkit.org/show_bug.cgi?id=154990
1363             auto uid = m_graph.identifiers()[node->identifierNumber()];
1364             if (node->child1()->shouldSpeculateCellOrOther()
1365                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1366                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1367                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1368                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1369                 
1370                 if (uid == vm().propertyNames->length.impl()) {
1371                     attemptToMakeGetArrayLength(node);
1372                     break;
1373                 }
1374
1375                 if (uid == vm().propertyNames->lastIndex.impl()
1376                     && node->child1()->shouldSpeculateRegExpObject()) {
1377                     node->setOp(GetRegExpObjectLastIndex);
1378                     node->clearFlags(NodeMustGenerate);
1379                     fixEdge<RegExpObjectUse>(node->child1());
1380                     break;
1381                 }
1382             }
1383
1384             if (node->child1()->shouldSpeculateNumber()) {
1385                 if (uid == vm().propertyNames->toString.impl()) {
1386                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1387                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1388                         if (node->child1()->shouldSpeculateInt32()) {
1389                             insertCheck<Int32Use>(node->child1().node());
1390                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1391                             break;
1392                         }
1393
1394                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1395                             insertCheck<Int52RepUse>(node->child1().node());
1396                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1397                             break;
1398                         }
1399
1400                         ASSERT(node->child1()->shouldSpeculateNumber());
1401                         insertCheck<DoubleRepUse>(node->child1().node());
1402                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1403                         break;
1404                     }
1405                 }
1406             }
1407
1408             if (node->child1()->shouldSpeculateCell())
1409                 fixEdge<CellUse>(node->child1());
1410             break;
1411         }
1412         
1413         case GetByIdWithThis: {
1414             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1415                 fixEdge<CellUse>(node->child1());
1416                 fixEdge<CellUse>(node->child2());
1417             }
1418             break;
1419         }
1420
1421         case PutById:
1422         case PutByIdFlush:
1423         case PutByIdDirect: {
1424             if (node->child1()->shouldSpeculateCellOrOther()
1425                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1426                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1427                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1428                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1429                 
1430                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1431                 
1432                 if (uid == vm().propertyNames->lastIndex.impl()
1433                     && node->child1()->shouldSpeculateRegExpObject()) {
1434                     node->setOp(SetRegExpObjectLastIndex);
1435                     fixEdge<RegExpObjectUse>(node->child1());
1436                     speculateForBarrier(node->child2());
1437                     break;
1438                 }
1439             }
1440             
1441             fixEdge<CellUse>(node->child1());
1442             break;
1443         }
1444
1445         case PutGetterById:
1446         case PutSetterById: {
1447             fixEdge<KnownCellUse>(node->child1());
1448             fixEdge<KnownCellUse>(node->child2());
1449             break;
1450         }
1451
1452         case PutGetterSetterById: {
1453             fixEdge<KnownCellUse>(node->child1());
1454             break;
1455         }
1456
1457         case PutGetterByVal:
1458         case PutSetterByVal: {
1459             fixEdge<KnownCellUse>(node->child1());
1460             fixEdge<KnownCellUse>(node->child3());
1461             break;
1462         }
1463
1464         case GetExecutable: {
1465             fixEdge<FunctionUse>(node->child1());
1466             break;
1467         }
1468
1469         case OverridesHasInstance:
1470         case CheckStructure:
1471         case CheckCell:
1472         case CreateThis:
1473         case GetButterfly:
1474         case GetButterflyWithoutCaging: {
1475             fixEdge<CellUse>(node->child1());
1476             break;
1477         }
1478
1479         case CheckStringIdent: {
1480             fixEdge<StringIdentUse>(node->child1());
1481             break;
1482         }
1483             
1484         case Arrayify:
1485         case ArrayifyToStructure: {
1486             fixEdge<CellUse>(node->child1());
1487             if (node->child2())
1488                 fixEdge<Int32Use>(node->child2());
1489             break;
1490         }
1491             
1492         case GetByOffset:
1493         case GetGetterSetterByOffset: {
1494             if (!node->child1()->hasStorageResult())
1495                 fixEdge<KnownCellUse>(node->child1());
1496             fixEdge<KnownCellUse>(node->child2());
1497             break;
1498         }
1499             
1500         case MultiGetByOffset: {
1501             fixEdge<CellUse>(node->child1());
1502             break;
1503         }
1504             
1505         case PutByOffset: {
1506             if (!node->child1()->hasStorageResult())
1507                 fixEdge<KnownCellUse>(node->child1());
1508             fixEdge<KnownCellUse>(node->child2());
1509             unsigned index = indexForChecks();
1510             insertInferredTypeCheck(
1511                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1512                 node->storageAccessData().inferredType);
1513             speculateForBarrier(node->child3());
1514             break;
1515         }
1516             
1517         case MultiPutByOffset: {
1518             fixEdge<CellUse>(node->child1());
1519             break;
1520         }
1521             
1522         case InstanceOf: {
1523             if (!(node->child1()->prediction() & ~SpecCell))
1524                 fixEdge<CellUse>(node->child1());
1525             fixEdge<CellUse>(node->child2());
1526             break;
1527         }
1528
1529         case InstanceOfCustom:
1530             fixEdge<CellUse>(node->child2());
1531             break;
1532
1533         case In: {
1534             if (node->child2()->shouldSpeculateInt32()) {
1535                 convertToHasIndexedProperty(node);
1536                 break;
1537             }
1538
1539             fixEdge<CellUse>(node->child1());
1540             break;
1541         }
1542
1543         case HasOwnProperty: {
1544             fixEdge<ObjectUse>(node->child1());
1545 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1546             // We don't have enough registers to do anything interesting on x86 and mips.
1547             fixEdge<UntypedUse>(node->child2());
1548 #else
1549             if (node->child2()->shouldSpeculateString())
1550                 fixEdge<StringUse>(node->child2());
1551             else if (node->child2()->shouldSpeculateSymbol())
1552                 fixEdge<SymbolUse>(node->child2());
1553             else
1554                 fixEdge<UntypedUse>(node->child2());
1555 #endif
1556             break;
1557         }
1558
1559         case Check: {
1560             m_graph.doToChildren(
1561                 node,
1562                 [&] (Edge& edge) {
1563                     switch (edge.useKind()) {
1564                     case NumberUse:
1565                         if (edge->shouldSpeculateInt32ForArithmetic())
1566                             edge.setUseKind(Int32Use);
1567                         break;
1568                     default:
1569                         break;
1570                     }
1571                     observeUseKindOnEdge(edge);
1572                 });
1573             break;
1574         }
1575
1576         case Phantom:
1577             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1578             node->remove();
1579             break;
1580
1581         case FiatInt52: {
1582             RELEASE_ASSERT(enableInt52());
1583             node->convertToIdentity();
1584             fixEdge<Int52RepUse>(node->child1());
1585             node->setResult(NodeResultInt52);
1586             break;
1587         }
1588
1589         case GetArrayLength: {
1590             fixEdge<KnownCellUse>(node->child1());
1591             break;
1592         }
1593
1594         case GetTypedArrayByteOffset: {
1595             fixEdge<KnownCellUse>(node->child1());
1596             break;
1597         }
1598
1599         case CompareBelow:
1600         case CompareBelowEq: {
1601             fixEdge<Int32Use>(node->child1());
1602             fixEdge<Int32Use>(node->child2());
1603             break;
1604         }
1605
1606         case GetPrototypeOf: {
1607             fixupGetPrototypeOf(node);
1608             break;
1609         }
1610
1611         case Phi:
1612         case Upsilon:
1613         case EntrySwitch:
1614         case GetIndexedPropertyStorage:
1615         case LastNodeType:
1616         case CheckTierUpInLoop:
1617         case CheckTierUpAtReturn:
1618         case CheckTierUpAndOSREnter:
1619         case InvalidationPoint:
1620         case CheckArray:
1621         case CheckInBounds:
1622         case ConstantStoragePointer:
1623         case DoubleAsInt32:
1624         case ValueToInt32:
1625         case DoubleRep:
1626         case ValueRep:
1627         case Int52Rep:
1628         case Int52Constant:
1629         case Identity: // This should have been cleaned up.
1630         case BooleanToNumber:
1631         case PhantomNewObject:
1632         case PhantomNewFunction:
1633         case PhantomNewGeneratorFunction:
1634         case PhantomNewAsyncGeneratorFunction:
1635         case PhantomNewAsyncFunction:
1636         case PhantomCreateActivation:
1637         case PhantomDirectArguments:
1638         case PhantomCreateRest:
1639         case PhantomSpread:
1640         case PhantomNewArrayWithSpread:
1641         case PhantomClonedArguments:
1642         case GetMyArgumentByVal:
1643         case GetMyArgumentByValOutOfBounds:
1644         case GetVectorLength:
1645         case PutHint:
1646         case CheckStructureImmediate:
1647         case CheckStructureOrEmpty:
1648         case MaterializeNewObject:
1649         case MaterializeCreateActivation:
1650         case PutStack:
1651         case KillStack:
1652         case GetStack:
1653         case StoreBarrier:
1654         case FencedStoreBarrier:
1655         case GetRegExpObjectLastIndex:
1656         case SetRegExpObjectLastIndex:
1657         case RecordRegExpCachedResult:
1658             // These are just nodes that we don't currently expect to see during fixup.
1659             // If we ever wanted to insert them prior to fixup, then we just have to create
1660             // fixup rules for them.
1661             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1662             break;
1663
1664         case PutGlobalVariable: {
1665             fixEdge<CellUse>(node->child1());
1666             speculateForBarrier(node->child2());
1667             break;
1668         }
1669
1670         case IsObject:
1671             if (node->child1()->shouldSpeculateObject()) {
1672                 m_insertionSet.insertNode(
1673                     m_indexInBlock, SpecNone, Check, node->origin,
1674                     Edge(node->child1().node(), ObjectUse));
1675                 m_graph.convertToConstant(node, jsBoolean(true));
1676                 observeUseKindOnNode<ObjectUse>(node);
1677             }
1678             break;
1679
1680         case IsCellWithType: {
1681             fixupIsCellWithType(node);
1682             break;
1683         }
1684
1685         case GetEnumerableLength: {
1686             fixEdge<CellUse>(node->child1());
1687             break;
1688         }
1689         case HasGenericProperty: {
1690             fixEdge<CellUse>(node->child2());
1691             break;
1692         }
1693         case HasStructureProperty: {
1694             fixEdge<StringUse>(node->child2());
1695             fixEdge<KnownCellUse>(node->child3());
1696             break;
1697         }
1698         case HasIndexedProperty: {
1699             node->setArrayMode(
1700                 node->arrayMode().refine(
1701                     m_graph, node,
1702                     node->child1()->prediction(),
1703                     node->child2()->prediction(),
1704                     SpecNone));
1705             
1706             blessArrayOperation(node->child1(), node->child2(), node->child3());
1707             fixEdge<CellUse>(node->child1());
1708             fixEdge<KnownInt32Use>(node->child2());
1709             break;
1710         }
1711         case GetDirectPname: {
1712             Edge& base = m_graph.varArgChild(node, 0);
1713             Edge& property = m_graph.varArgChild(node, 1);
1714             Edge& index = m_graph.varArgChild(node, 2);
1715             Edge& enumerator = m_graph.varArgChild(node, 3);
1716             fixEdge<CellUse>(base);
1717             fixEdge<KnownCellUse>(property);
1718             fixEdge<KnownInt32Use>(index);
1719             fixEdge<KnownCellUse>(enumerator);
1720             break;
1721         }
1722         case GetPropertyEnumerator: {
1723             fixEdge<CellUse>(node->child1());
1724             break;
1725         }
1726         case GetEnumeratorStructurePname: {
1727             fixEdge<KnownCellUse>(node->child1());
1728             fixEdge<KnownInt32Use>(node->child2());
1729             break;
1730         }
1731         case GetEnumeratorGenericPname: {
1732             fixEdge<KnownCellUse>(node->child1());
1733             fixEdge<KnownInt32Use>(node->child2());
1734             break;
1735         }
1736         case ToIndexString: {
1737             fixEdge<KnownInt32Use>(node->child1());
1738             break;
1739         }
1740         case ProfileType: {
1741             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1742             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1743             // type T for the instructionTypeSet, the global type set must also have information for type T.
1744             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1745             // in the globalTypeSet would've also succeeded.
1746             // (The other direction does not hold in general).
1747
1748             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1749             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1750             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1751                 if (node->child1()->shouldSpeculateInt32()) {
1752                     fixEdge<Int32Use>(node->child1());
1753                     node->remove();
1754                     break;
1755                 }
1756
1757                 if (enableInt52()) {
1758                     fixEdge<AnyIntUse>(node->child1());
1759                     node->remove();
1760                     break;
1761                 }
1762
1763                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1764             }
1765
1766             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1767                 fixEdge<NumberUse>(node->child1());
1768                 node->remove();
1769             } else if (typeSet->doesTypeConformTo(TypeString)) {
1770                 fixEdge<StringUse>(node->child1());
1771                 node->remove();
1772             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1773                 fixEdge<BooleanUse>(node->child1());
1774                 node->remove();
1775             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1776                 fixEdge<OtherUse>(node->child1());
1777                 node->remove();
1778             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1779                 StructureSet set;
1780                 {
1781                     ConcurrentJSLocker locker(typeSet->m_lock);
1782                     set = typeSet->structureSet(locker);
1783                 }
1784                 if (!set.isEmpty()) {
1785                     fixEdge<CellUse>(node->child1());
1786                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1787                 }
1788             }
1789
1790             break;
1791         }
1792
1793         case CreateClonedArguments: {
1794             watchHavingABadTime(node);
1795             break;
1796         }
1797
1798         case CreateScopedArguments:
1799         case CreateActivation:
1800         case NewFunction:
1801         case NewGeneratorFunction:
1802         case NewAsyncGeneratorFunction:
1803         case NewAsyncFunction: {
1804             // Child 1 is always the current scope, which is guaranteed to be an object
1805             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1806             fixEdge<KnownCellUse>(node->child1());
1807             break;
1808         }
1809
1810         case PushWithScope: {
1811             // Child 1 is always the current scope, which is guaranteed to be an object
1812             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1813             fixEdge<KnownCellUse>(node->child1());
1814             if (node->child2()->shouldSpeculateObject())
1815                 fixEdge<ObjectUse>(node->child2());
1816             break;
1817         }
1818
1819         case SetFunctionName: {
1820             // The first child is guaranteed to be a cell because op_set_function_name is only used
1821             // on a newly instantiated function object (the first child).
1822             fixEdge<KnownCellUse>(node->child1());
1823             fixEdge<UntypedUse>(node->child2());
1824             break;
1825         }
1826
1827         case CreateRest: {
1828             watchHavingABadTime(node);
1829             fixEdge<KnownInt32Use>(node->child1());
1830             break;
1831         }
1832
1833         case ResolveScopeForHoistingFuncDeclInEval: {
1834             fixEdge<KnownCellUse>(node->child1());
1835             break;
1836         }
1837         case ResolveScope:
1838         case GetDynamicVar:
1839         case PutDynamicVar: {
1840             fixEdge<KnownCellUse>(node->child1());
1841             break;
1842         }
1843
1844         case LogShadowChickenPrologue: {
1845             fixEdge<KnownCellUse>(node->child1());
1846             break;
1847         }
1848         case LogShadowChickenTail: {
1849             fixEdge<UntypedUse>(node->child1());
1850             fixEdge<KnownCellUse>(node->child2());
1851             break;
1852         }
1853
1854         case GetMapBucket:
1855             if (node->child1().useKind() == MapObjectUse)
1856                 fixEdge<MapObjectUse>(node->child1());
1857             else if (node->child1().useKind() == SetObjectUse)
1858                 fixEdge<SetObjectUse>(node->child1());
1859             else
1860                 RELEASE_ASSERT_NOT_REACHED();
1861
1862 #if USE(JSVALUE64)
1863             if (node->child2()->shouldSpeculateBoolean())
1864                 fixEdge<BooleanUse>(node->child2());
1865             else if (node->child2()->shouldSpeculateInt32())
1866                 fixEdge<Int32Use>(node->child2());
1867             else if (node->child2()->shouldSpeculateSymbol())
1868                 fixEdge<SymbolUse>(node->child2());
1869             else if (node->child2()->shouldSpeculateObject())
1870                 fixEdge<ObjectUse>(node->child2());
1871             else if (node->child2()->shouldSpeculateString())
1872                 fixEdge<StringUse>(node->child2());
1873             else if (node->child2()->shouldSpeculateCell())
1874                 fixEdge<CellUse>(node->child2());
1875             else
1876                 fixEdge<UntypedUse>(node->child2());
1877 #else
1878             fixEdge<UntypedUse>(node->child2());
1879 #endif // USE(JSVALUE64)
1880
1881             fixEdge<Int32Use>(node->child3());
1882             break;
1883
1884         case GetMapBucketHead:
1885             if (node->child1().useKind() == MapObjectUse)
1886                 fixEdge<MapObjectUse>(node->child1());
1887             else if (node->child1().useKind() == SetObjectUse)
1888                 fixEdge<SetObjectUse>(node->child1());
1889             else
1890                 RELEASE_ASSERT_NOT_REACHED();
1891             break;
1892
1893         case GetMapBucketNext:
1894         case LoadKeyFromMapBucket:
1895         case LoadValueFromMapBucket:
1896             fixEdge<CellUse>(node->child1());
1897             break;
1898
1899         case MapHash: {
1900 #if USE(JSVALUE64)
1901             if (node->child1()->shouldSpeculateBoolean()) {
1902                 fixEdge<BooleanUse>(node->child1());
1903                 break;
1904             }
1905
1906             if (node->child1()->shouldSpeculateInt32()) {
1907                 fixEdge<Int32Use>(node->child1());
1908                 break;
1909             }
1910
1911             if (node->child1()->shouldSpeculateSymbol()) {
1912                 fixEdge<SymbolUse>(node->child1());
1913                 break;
1914             }
1915
1916             if (node->child1()->shouldSpeculateObject()) {
1917                 fixEdge<ObjectUse>(node->child1());
1918                 break;
1919             }
1920
1921             if (node->child1()->shouldSpeculateString()) {
1922                 fixEdge<StringUse>(node->child1());
1923                 break;
1924             }
1925
1926             if (node->child1()->shouldSpeculateCell()) {
1927                 fixEdge<CellUse>(node->child1());
1928                 break;
1929             }
1930
1931             fixEdge<UntypedUse>(node->child1());
1932 #else
1933             fixEdge<UntypedUse>(node->child1());
1934 #endif // USE(JSVALUE64)
1935             break;
1936         }
1937
1938         case WeakMapGet: {
1939             fixEdge<WeakMapObjectUse>(node->child1());
1940             fixEdge<ObjectUse>(node->child2());
1941             fixEdge<Int32Use>(node->child3());
1942             break;
1943         }
1944
1945         case DefineDataProperty: {
1946             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1947             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1948             if (propertyEdge->shouldSpeculateSymbol())
1949                 fixEdge<SymbolUse>(propertyEdge);
1950             else if (propertyEdge->shouldSpeculateStringIdent())
1951                 fixEdge<StringIdentUse>(propertyEdge);
1952             else if (propertyEdge->shouldSpeculateString())
1953                 fixEdge<StringUse>(propertyEdge);
1954             else
1955                 fixEdge<UntypedUse>(propertyEdge);
1956             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1957             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1958             break;
1959         }
1960
1961         case ToLowerCase: {
1962             // We currently only support StringUse since that will ensure that
1963             // ToLowerCase is a pure operation. If we decide to update this with
1964             // more types in the future, we need to ensure that the clobberize rules
1965             // are correct.
1966             fixEdge<StringUse>(node->child1());
1967             break;
1968         }
1969
1970         case NumberToStringWithRadix: {
1971             if (node->child1()->shouldSpeculateInt32())
1972                 fixEdge<Int32Use>(node->child1());
1973             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
1974                 fixEdge<Int52RepUse>(node->child1());
1975             else
1976                 fixEdge<DoubleRepUse>(node->child1());
1977             fixEdge<Int32Use>(node->child2());
1978             break;
1979         }
1980
1981         case DefineAccessorProperty: {
1982             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1983             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1984             if (propertyEdge->shouldSpeculateSymbol())
1985                 fixEdge<SymbolUse>(propertyEdge);
1986             else if (propertyEdge->shouldSpeculateStringIdent())
1987                 fixEdge<StringIdentUse>(propertyEdge);
1988             else if (propertyEdge->shouldSpeculateString())
1989                 fixEdge<StringUse>(propertyEdge);
1990             else
1991                 fixEdge<UntypedUse>(propertyEdge);
1992             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
1993             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
1994             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
1995             break;
1996         }
1997
1998         case CheckSubClass: {
1999             fixupCheckSubClass(node);
2000             break;
2001         }
2002
2003         case CallDOMGetter: {
2004             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2005             fixEdge<CellUse>(node->child1()); // DOM.
2006             if (snippet && snippet->requireGlobalObject)
2007                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2008             break;
2009         }
2010
2011         case CallDOM: {
2012             fixupCallDOM(node);
2013             break;
2014         }
2015
2016         case Call: {
2017             attemptToMakeCallDOM(node);
2018             break;
2019         }
2020
2021         case ParseInt: {
2022             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2023                 fixEdge<Int32Use>(node->child1());
2024                 node->convertToIdentity();
2025                 break;
2026             }
2027
2028             if (node->child1()->shouldSpeculateString()) {
2029                 fixEdge<StringUse>(node->child1());
2030                 node->clearFlags(NodeMustGenerate);
2031             }
2032
2033             if (node->child2())
2034                 fixEdge<Int32Use>(node->child2());
2035
2036             break;
2037         }
2038
2039         case IdentityWithProfile: {
2040             node->clearFlags(NodeMustGenerate);
2041             break;
2042         }
2043
2044         case ThrowStaticError:
2045             fixEdge<StringUse>(node->child1());
2046             break;
2047
2048 #if !ASSERT_DISABLED
2049         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2050         case SetArgument:
2051         case JSConstant:
2052         case LazyJSConstant:
2053         case DoubleConstant:
2054         case GetLocal:
2055         case GetCallee:
2056         case GetArgumentCountIncludingThis:
2057         case GetRestLength:
2058         case GetArgument:
2059         case Flush:
2060         case PhantomLocal:
2061         case GetLocalUnlinked:
2062         case GetGlobalVar:
2063         case GetGlobalLexicalVariable:
2064         case NotifyWrite:
2065         case DirectCall:
2066         case CheckTypeInfoFlags:
2067         case TailCallInlinedCaller:
2068         case DirectTailCallInlinedCaller:
2069         case Construct:
2070         case DirectConstruct:
2071         case CallVarargs:
2072         case CallEval:
2073         case TailCallVarargsInlinedCaller:
2074         case ConstructVarargs:
2075         case CallForwardVarargs:
2076         case ConstructForwardVarargs:
2077         case TailCallForwardVarargs:
2078         case TailCallForwardVarargsInlinedCaller:
2079         case LoadVarargs:
2080         case ForwardVarargs:
2081         case ProfileControlFlow:
2082         case NewObject:
2083         case NewRegexp:
2084         case DeleteById:
2085         case DeleteByVal:
2086         case IsTypedArrayView:
2087         case IsEmpty:
2088         case IsUndefined:
2089         case IsBoolean:
2090         case IsNumber:
2091         case IsObjectOrNull:
2092         case IsFunction:
2093         case CreateDirectArguments:
2094         case Jump:
2095         case Return:
2096         case TailCall:
2097         case DirectTailCall:
2098         case TailCallVarargs:
2099         case Throw:
2100         case CountExecution:
2101         case ForceOSRExit:
2102         case CheckBadCell:
2103         case CheckNotEmpty:
2104         case CheckTraps:
2105         case Unreachable:
2106         case ExtractOSREntryLocal:
2107         case ExtractCatchLocal:
2108         case LoopHint:
2109         case MovHint:
2110         case InitializeEntrypointArguments:
2111         case ZombieHint:
2112         case ExitOK:
2113         case BottomValue:
2114         case TypeOf:
2115         case PutByIdWithThis:
2116         case PutByValWithThis:
2117         case GetByValWithThis:
2118         case CompareEqPtr:
2119         case NumberToStringWithValidRadixConstant:
2120         case GetGlobalThis:
2121             break;
2122 #else
2123         default:
2124             break;
2125 #endif
2126         }
2127     }
2128
2129     void watchHavingABadTime(Node* node)
2130     {
2131         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2132
2133         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2134         // does an array allocation. The types of array allocations may change if we start to have a bad
2135         // time. It's easier to reason about this if we know that whenever the types change after we start
2136         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2137         // prior to this point nobody should have been doing optimizations based on the indexing type of
2138         // the allocation.
2139         if (!globalObject->isHavingABadTime()) {
2140             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2141             m_graph.freeze(globalObject);
2142         }
2143     }
2144     
2145     template<UseKind useKind>
2146     void createToString(Node* node, Edge& edge)
2147     {
2148         Node* toString = m_insertionSet.insertNode(
2149             m_indexInBlock, SpecString, ToString, node->origin,
2150             Edge(edge.node(), useKind));
2151         switch (useKind) {
2152         case Int32Use:
2153         case Int52RepUse:
2154         case DoubleRepUse:
2155         case NotCellUse:
2156             toString->clearFlags(NodeMustGenerate);
2157             break;
2158         default:
2159             break;
2160         }
2161         edge.setNode(toString);
2162     }
2163     
2164     template<UseKind useKind>
2165     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2166     {
2167         ASSERT(arrayMode == ArrayMode(Array::Generic));
2168         
2169         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2170             return;
2171         
2172         createToString<useKind>(node, node->child1());
2173         arrayMode = ArrayMode(Array::String);
2174     }
2175     
2176     template<UseKind useKind>
2177     bool isStringObjectUse()
2178     {
2179         switch (useKind) {
2180         case StringObjectUse:
2181         case StringOrStringObjectUse:
2182             return true;
2183         default:
2184             return false;
2185         }
2186     }
2187     
2188     template<UseKind useKind>
2189     void convertStringAddUse(Node* node, Edge& edge)
2190     {
2191         if (useKind == StringUse) {
2192             observeUseKindOnNode<StringUse>(edge.node());
2193             m_insertionSet.insertNode(
2194                 m_indexInBlock, SpecNone, Check, node->origin,
2195                 Edge(edge.node(), StringUse));
2196             edge.setUseKind(KnownStringUse);
2197             return;
2198         }
2199         
2200         observeUseKindOnNode<useKind>(edge.node());
2201         createToString<useKind>(node, edge);
2202     }
2203     
2204     void convertToMakeRope(Node* node)
2205     {
2206         node->setOpAndDefaultFlags(MakeRope);
2207         fixupMakeRope(node);
2208     }
2209     
2210     void fixupMakeRope(Node* node)
2211     {
2212         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2213             Edge& edge = node->children.child(i);
2214             if (!edge)
2215                 break;
2216             edge.setUseKind(KnownStringUse);
2217             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2218             if (!string)
2219                 continue;
2220             if (string->length())
2221                 continue;
2222             
2223             // Don't allow the MakeRope to have zero children.
2224             if (!i && !node->child2())
2225                 break;
2226             
2227             node->children.removeEdge(i--);
2228         }
2229         
2230         if (!node->child2()) {
2231             ASSERT(!node->child3());
2232             node->convertToIdentity();
2233         }
2234     }
2235
2236     void fixupIsCellWithType(Node* node)
2237     {
2238         switch (node->speculatedTypeForQuery()) {
2239         case SpecString:
2240             if (node->child1()->shouldSpeculateString()) {
2241                 m_insertionSet.insertNode(
2242                     m_indexInBlock, SpecNone, Check, node->origin,
2243                     Edge(node->child1().node(), StringUse));
2244                 m_graph.convertToConstant(node, jsBoolean(true));
2245                 observeUseKindOnNode<StringUse>(node);
2246                 return;
2247             }
2248             break;
2249
2250         case SpecProxyObject:
2251             if (node->child1()->shouldSpeculateProxyObject()) {
2252                 m_insertionSet.insertNode(
2253                     m_indexInBlock, SpecNone, Check, node->origin,
2254                     Edge(node->child1().node(), ProxyObjectUse));
2255                 m_graph.convertToConstant(node, jsBoolean(true));
2256                 observeUseKindOnNode<ProxyObjectUse>(node);
2257                 return;
2258             }
2259             break;
2260
2261         case SpecRegExpObject:
2262             if (node->child1()->shouldSpeculateRegExpObject()) {
2263                 m_insertionSet.insertNode(
2264                     m_indexInBlock, SpecNone, Check, node->origin,
2265                     Edge(node->child1().node(), RegExpObjectUse));
2266                 m_graph.convertToConstant(node, jsBoolean(true));
2267                 observeUseKindOnNode<RegExpObjectUse>(node);
2268                 return;
2269             }
2270             break;
2271
2272         case SpecArray:
2273             if (node->child1()->shouldSpeculateArray()) {
2274                 m_insertionSet.insertNode(
2275                     m_indexInBlock, SpecNone, Check, node->origin,
2276                     Edge(node->child1().node(), ArrayUse));
2277                 m_graph.convertToConstant(node, jsBoolean(true));
2278                 observeUseKindOnNode<ArrayUse>(node);
2279                 return;
2280             }
2281             break;
2282
2283         case SpecDerivedArray:
2284             if (node->child1()->shouldSpeculateDerivedArray()) {
2285                 m_insertionSet.insertNode(
2286                     m_indexInBlock, SpecNone, Check, node->origin,
2287                     Edge(node->child1().node(), DerivedArrayUse));
2288                 m_graph.convertToConstant(node, jsBoolean(true));
2289                 observeUseKindOnNode<DerivedArrayUse>(node);
2290                 return;
2291             }
2292             break;
2293         }
2294
2295         if (node->child1()->shouldSpeculateCell()) {
2296             fixEdge<CellUse>(node->child1());
2297             return;
2298         }
2299
2300         if (node->child1()->shouldSpeculateNotCell()) {
2301             m_insertionSet.insertNode(
2302                 m_indexInBlock, SpecNone, Check, node->origin,
2303                 Edge(node->child1().node(), NotCellUse));
2304             m_graph.convertToConstant(node, jsBoolean(false));
2305             observeUseKindOnNode<NotCellUse>(node);
2306             return;
2307         }
2308     }
2309
2310     void fixupGetPrototypeOf(Node* node)
2311     {
2312         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2313         if (node->child1().useKind() != ObjectUse) {
2314             if (node->child1()->shouldSpeculateString()) {
2315                 insertCheck<StringUse>(node->child1().node());
2316                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2317                 return;
2318             }
2319             if (node->child1()->shouldSpeculateInt32()) {
2320                 insertCheck<Int32Use>(node->child1().node());
2321                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2322                 return;
2323             }
2324             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2325                 insertCheck<Int52RepUse>(node->child1().node());
2326                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2327                 return;
2328             }
2329             if (node->child1()->shouldSpeculateNumber()) {
2330                 insertCheck<NumberUse>(node->child1().node());
2331                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2332                 return;
2333             }
2334             if (node->child1()->shouldSpeculateSymbol()) {
2335                 insertCheck<SymbolUse>(node->child1().node());
2336                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2337                 return;
2338             }
2339             if (node->child1()->shouldSpeculateBoolean()) {
2340                 insertCheck<BooleanUse>(node->child1().node());
2341                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2342                 return;
2343             }
2344         }
2345
2346         if (node->child1()->shouldSpeculateFinalObject()) {
2347             fixEdge<FinalObjectUse>(node->child1());
2348             node->clearFlags(NodeMustGenerate);
2349             return;
2350         }
2351         if (node->child1()->shouldSpeculateArray()) {
2352             fixEdge<ArrayUse>(node->child1());
2353             node->clearFlags(NodeMustGenerate);
2354             return;
2355         }
2356         if (node->child1()->shouldSpeculateFunction()) {
2357             fixEdge<FunctionUse>(node->child1());
2358             node->clearFlags(NodeMustGenerate);
2359             return;
2360         }
2361     }
2362
2363     void fixupToThis(Node* node)
2364     {
2365         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2366
2367         if (ecmaMode == StrictMode) {
2368             if (node->child1()->shouldSpeculateBoolean()) {
2369                 fixEdge<BooleanUse>(node->child1());
2370                 node->convertToIdentity();
2371                 return;
2372             }
2373
2374             if (node->child1()->shouldSpeculateInt32()) {
2375                 fixEdge<Int32Use>(node->child1());
2376                 node->convertToIdentity();
2377                 return;
2378             }
2379
2380             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2381                 fixEdge<Int52RepUse>(node->child1());
2382                 node->convertToIdentity();
2383                 node->setResult(NodeResultInt52);
2384                 return;
2385             }
2386
2387             if (node->child1()->shouldSpeculateNumber()) {
2388                 fixEdge<DoubleRepUse>(node->child1());
2389                 node->convertToIdentity();
2390                 node->setResult(NodeResultDouble);
2391                 return;
2392             }
2393
2394             if (node->child1()->shouldSpeculateSymbol()) {
2395                 fixEdge<SymbolUse>(node->child1());
2396                 node->convertToIdentity();
2397                 return;
2398             }
2399
2400             if (node->child1()->shouldSpeculateStringIdent()) {
2401                 fixEdge<StringIdentUse>(node->child1());
2402                 node->convertToIdentity();
2403                 return;
2404             }
2405
2406             if (node->child1()->shouldSpeculateString()) {
2407                 fixEdge<StringUse>(node->child1());
2408                 node->convertToIdentity();
2409                 return;
2410             }
2411         }
2412
2413         if (node->child1()->shouldSpeculateOther()) {
2414             if (ecmaMode == StrictMode) {
2415                 fixEdge<OtherUse>(node->child1());
2416                 node->convertToIdentity();
2417                 return;
2418             }
2419
2420             m_insertionSet.insertNode(
2421                 m_indexInBlock, SpecNone, Check, node->origin,
2422                 Edge(node->child1().node(), OtherUse));
2423             observeUseKindOnNode<OtherUse>(node->child1().node());
2424             m_graph.convertToConstant(
2425                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2426             return;
2427         }
2428
2429         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2430         // however, since we cover all the missing cases in constant folding.
2431         // https://bugs.webkit.org/show_bug.cgi?id=157213
2432         if (node->child1()->shouldSpeculateStringObject()) {
2433             fixEdge<StringObjectUse>(node->child1());
2434             node->convertToIdentity();
2435             return;
2436         }
2437
2438         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2439             fixEdge<FinalObjectUse>(node->child1());
2440             node->convertToIdentity();
2441             return;
2442         }
2443     }
2444     
2445     void fixupToPrimitive(Node* node)
2446     {
2447         if (node->child1()->shouldSpeculateInt32()) {
2448             fixEdge<Int32Use>(node->child1());
2449             node->convertToIdentity();
2450             return;
2451         }
2452         
2453         if (node->child1()->shouldSpeculateString()) {
2454             fixEdge<StringUse>(node->child1());
2455             node->convertToIdentity();
2456             return;
2457         }
2458         
2459         if (node->child1()->shouldSpeculateStringObject()
2460             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2461             fixEdge<StringObjectUse>(node->child1());
2462             node->convertToToString();
2463             return;
2464         }
2465         
2466         if (node->child1()->shouldSpeculateStringOrStringObject()
2467             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2468             fixEdge<StringOrStringObjectUse>(node->child1());
2469             node->convertToToString();
2470             return;
2471         }
2472     }
2473
2474     void fixupToNumber(Node* node)
2475     {
2476         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2477         if (node->child1()->shouldSpeculateNumber()) {
2478             if (isInt32Speculation(node->getHeapPrediction())) {
2479                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2480                 if (node->child1()->shouldSpeculateInt32()) {
2481                     fixEdge<Int32Use>(node->child1());
2482                     node->convertToIdentity();
2483                     return;
2484                 }
2485
2486                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2487                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2488                 fixEdge<DoubleRepUse>(node->child1());
2489                 node->setOp(DoubleAsInt32);
2490                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2491                     node->setArithMode(Arith::CheckOverflow);
2492                 else
2493                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2494                 return;
2495             }
2496
2497             fixEdge<DoubleRepUse>(node->child1());
2498             node->convertToIdentity();
2499             node->setResult(NodeResultDouble);
2500             return;
2501         }
2502
2503         fixEdge<UntypedUse>(node->child1());
2504         node->setResult(NodeResultJS);
2505     }
2506     
2507     void fixupToStringOrCallStringConstructor(Node* node)
2508     {
2509         if (node->child1()->shouldSpeculateString()) {
2510             fixEdge<StringUse>(node->child1());
2511             node->convertToIdentity();
2512             return;
2513         }
2514         
2515         if (node->child1()->shouldSpeculateStringObject()
2516             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2517             fixEdge<StringObjectUse>(node->child1());
2518             return;
2519         }
2520         
2521         if (node->child1()->shouldSpeculateStringOrStringObject()
2522             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2523             fixEdge<StringOrStringObjectUse>(node->child1());
2524             return;
2525         }
2526         
2527         if (node->child1()->shouldSpeculateCell()) {
2528             fixEdge<CellUse>(node->child1());
2529             return;
2530         }
2531
2532         if (node->child1()->shouldSpeculateInt32()) {
2533             fixEdge<Int32Use>(node->child1());
2534             node->clearFlags(NodeMustGenerate);
2535             return;
2536         }
2537
2538         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2539             fixEdge<Int52RepUse>(node->child1());
2540             node->clearFlags(NodeMustGenerate);
2541             return;
2542         }
2543
2544         if (node->child1()->shouldSpeculateNumber()) {
2545             fixEdge<DoubleRepUse>(node->child1());
2546             node->clearFlags(NodeMustGenerate);
2547             return;
2548         }
2549
2550         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2551         // we need to care about it in the clobberize. In the following case,
2552         // since NotCellUse edge filter is used and this edge filters Symbols,
2553         // we can say that ToString never throws an error!
2554         if (node->child1()->shouldSpeculateNotCell()) {
2555             fixEdge<NotCellUse>(node->child1());
2556             node->clearFlags(NodeMustGenerate);
2557             return;
2558         }
2559     }
2560
2561     bool attemptToMakeFastStringAdd(Node* node)
2562     {
2563         bool goodToGo = true;
2564         m_graph.doToChildren(
2565             node,
2566             [&] (Edge& edge) {
2567                 if (edge->shouldSpeculateString())
2568                     return;
2569                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2570                     if (edge->shouldSpeculateStringObject())
2571                         return;
2572                     if (edge->shouldSpeculateStringOrStringObject())
2573                         return;
2574                 }
2575                 goodToGo = false;
2576             });
2577         if (!goodToGo)
2578             return false;
2579
2580         m_graph.doToChildren(
2581             node,
2582             [&] (Edge& edge) {
2583                 if (edge->shouldSpeculateString()) {
2584                     convertStringAddUse<StringUse>(node, edge);
2585                     return;
2586                 }
2587                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2588                 if (edge->shouldSpeculateStringObject()) {
2589                     convertStringAddUse<StringObjectUse>(node, edge);
2590                     return;
2591                 }
2592                 if (edge->shouldSpeculateStringOrStringObject()) {
2593                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2594                     return;
2595                 }
2596                 RELEASE_ASSERT_NOT_REACHED();
2597             });
2598         
2599         convertToMakeRope(node);
2600         return true;
2601     }
2602
2603     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2604     {
2605         if (!block)
2606             return;
2607         ASSERT(block->isReachable);
2608         m_block = block;
2609         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2610             Node* node = m_currentNode = block->at(m_indexInBlock);
2611             if (node->op() != SetLocal && node->op() != GetLocal)
2612                 continue;
2613             
2614             VariableAccessData* variable = node->variableAccessData();
2615             switch (node->op()) {
2616             case GetLocal:
2617                 switch (variable->flushFormat()) {
2618                 case FlushedDouble:
2619                     node->setResult(NodeResultDouble);
2620                     break;
2621                 case FlushedInt52:
2622                     node->setResult(NodeResultInt52);
2623                     break;
2624                 default:
2625                     break;
2626                 }
2627                 break;
2628                 
2629             case SetLocal:
2630                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2631                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2632                 
2633                 switch (variable->flushFormat()) {
2634                 case FlushedJSValue:
2635                     break;
2636                 case FlushedDouble:
2637                     fixEdge<DoubleRepUse>(node->child1());
2638                     break;
2639                 case FlushedInt32:
2640                     fixEdge<Int32Use>(node->child1());
2641                     break;
2642                 case FlushedInt52:
2643                     fixEdge<Int52RepUse>(node->child1());
2644                     break;
2645                 case FlushedCell:
2646                     fixEdge<CellUse>(node->child1());
2647                     break;
2648                 case FlushedBoolean:
2649                     fixEdge<BooleanUse>(node->child1());
2650                     break;
2651                 default:
2652                     RELEASE_ASSERT_NOT_REACHED();
2653                     break;
2654                 }
2655                 break;
2656                 
2657             default:
2658                 RELEASE_ASSERT_NOT_REACHED();
2659                 break;
2660             }
2661         }
2662         m_insertionSet.execute(block);
2663     }
2664     
2665     void addStringReplacePrimordialChecks(Node* searchRegExp)
2666     {
2667         Node* node = m_currentNode;
2668
2669         // Check that structure of searchRegExp is RegExp object
2670         m_insertionSet.insertNode(
2671             m_indexInBlock, SpecNone, Check, node->origin,
2672             Edge(searchRegExp, RegExpObjectUse));
2673
2674         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2675             unsigned index = m_graph.identifiers().ensure(propertyUID);
2676
2677             Node* actualProperty = m_insertionSet.insertNode(
2678                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2679                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2680
2681             m_insertionSet.insertNode(
2682                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2683                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2684         };
2685
2686         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2687
2688         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2689         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2690         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2691         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2692         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2693         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2694         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2695         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2696     }
2697
2698     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2699     {
2700         ASSERT(arrayMode.isSpecific());
2701         
2702         if (arrayMode.type() == Array::String) {
2703             m_insertionSet.insertNode(
2704                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2705         } else {
2706             // Note that we only need to be using a structure check if we opt for SaneChain, since
2707             // that needs to protect against JSArray's __proto__ being changed.
2708             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2709         
2710             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2711             
2712             if (arrayMode.doesConversion()) {
2713                 if (structure) {
2714                     m_insertionSet.insertNode(
2715                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2716                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2717                 } else {
2718                     m_insertionSet.insertNode(
2719                         m_indexInBlock, SpecNone, Arrayify, origin,
2720                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2721                 }
2722             } else {
2723                 if (structure) {
2724                     m_insertionSet.insertNode(
2725                         m_indexInBlock, SpecNone, CheckStructure, origin,
2726                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2727                 } else {
2728                     m_insertionSet.insertNode(
2729                         m_indexInBlock, SpecNone, CheckArray, origin,
2730                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2731                 }
2732             }
2733         }
2734         
2735         if (!storageCheck(arrayMode))
2736             return nullptr;
2737         
2738         if (arrayMode.usesButterfly()) {
2739             return m_insertionSet.insertNode(
2740                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2741         }
2742         
2743         return m_insertionSet.insertNode(
2744             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2745             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2746     }
2747     
2748     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2749     {
2750         Node* node = m_currentNode;
2751         
2752         switch (node->arrayMode().type()) {
2753         case Array::ForceExit: {
2754             m_insertionSet.insertNode(
2755                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2756             return;
2757         }
2758             
2759         case Array::SelectUsingPredictions:
2760         case Array::Unprofiled:
2761             RELEASE_ASSERT_NOT_REACHED();
2762             return;
2763             
2764         case Array::Generic:
2765             return;
2766             
2767         default: {
2768             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2769             if (!storage)
2770                 return;
2771             
2772             storageChild = Edge(storage);
2773             return;
2774         } }
2775     }
2776     
2777     bool alwaysUnboxSimplePrimitives()
2778     {
2779 #if USE(JSVALUE64)
2780         return false;
2781 #else
2782         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2783         // reduces traffic.
2784         return true;
2785 #endif
2786     }
2787
2788     template<UseKind useKind>
2789     void observeUseKindOnNode(Node* node)
2790     {
2791         if (useKind == UntypedUse)
2792             return;
2793         observeUseKindOnNode(node, useKind);
2794     }
2795
2796     void observeUseKindOnEdge(Edge edge)
2797     {
2798         observeUseKindOnNode(edge.node(), edge.useKind());
2799     }
2800
2801     void observeUseKindOnNode(Node* node, UseKind useKind)
2802     {
2803         if (node->op() != GetLocal)
2804             return;
2805         
2806         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2807         // https://bugs.webkit.org/show_bug.cgi?id=121518
2808         
2809         VariableAccessData* variable = node->variableAccessData();
2810         switch (useKind) {
2811         case Int32Use:
2812         case KnownInt32Use:
2813             if (alwaysUnboxSimplePrimitives()
2814                 || isInt32Speculation(variable->prediction()))
2815                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2816             break;
2817         case NumberUse:
2818         case RealNumberUse:
2819         case DoubleRepUse:
2820         case DoubleRepRealUse:
2821             if (variable->doubleFormatState() == UsingDoubleFormat)
2822                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2823             break;
2824         case BooleanUse:
2825         case KnownBooleanUse:
2826             if (alwaysUnboxSimplePrimitives()
2827                 || isBooleanSpeculation(variable->prediction()))
2828                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2829             break;
2830         case Int52RepUse:
2831             if (isAnyIntSpeculation(variable->prediction()))
2832                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2833             break;
2834         case CellUse:
2835         case KnownCellUse:
2836         case ObjectUse:
2837         case FunctionUse:
2838         case StringUse:
2839         case KnownStringUse:
2840         case SymbolUse:
2841         case StringObjectUse:
2842         case StringOrStringObjectUse:
2843             if (alwaysUnboxSimplePrimitives()
2844                 || isCellSpeculation(variable->prediction()))
2845                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2846             break;
2847         default:
2848             break;
2849         }
2850     }
2851     
2852     template<UseKind useKind>
2853     void fixEdge(Edge& edge)
2854     {
2855         observeUseKindOnNode<useKind>(edge.node());
2856         edge.setUseKind(useKind);
2857     }
2858     
2859     unsigned indexForChecks()
2860     {
2861         unsigned index = m_indexInBlock;
2862         while (!m_block->at(index)->origin.exitOK)
2863             index--;
2864         return index;
2865     }
2866     
2867     NodeOrigin originForCheck(unsigned index)
2868     {
2869         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2870     }
2871     
2872     void speculateForBarrier(Edge value)
2873     {
2874         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2875         // the DFG anyway because if such a speculation would be wrong, we want to know before
2876         // we do an expensive compile.
2877         
2878         if (value->shouldSpeculateInt32()) {
2879             insertCheck<Int32Use>(value.node());
2880             return;
2881         }
2882             
2883         if (value->shouldSpeculateBoolean()) {
2884             insertCheck<BooleanUse>(value.node());
2885             return;
2886         }
2887             
2888         if (value->shouldSpeculateOther()) {
2889             insertCheck<OtherUse>(value.node());
2890             return;
2891         }
2892             
2893         if (value->shouldSpeculateNumber()) {
2894             insertCheck<NumberUse>(value.node());
2895             return;
2896         }
2897             
2898         if (value->shouldSpeculateNotCell()) {
2899             insertCheck<NotCellUse>(value.node());
2900             return;
2901         }
2902     }
2903     
2904     template<UseKind useKind>
2905     void insertCheck(Node* node)
2906     {
2907         observeUseKindOnNode<useKind>(node);
2908         unsigned index = indexForChecks();
2909         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
2910     }
2911
2912     void fixIntConvertingEdge(Edge& edge)
2913     {
2914         Node* node = edge.node();
2915         if (node->shouldSpeculateInt32OrBoolean()) {
2916             fixIntOrBooleanEdge(edge);
2917             return;
2918         }
2919         
2920         UseKind useKind;
2921         if (node->shouldSpeculateAnyInt())
2922             useKind = Int52RepUse;
2923         else if (node->shouldSpeculateNumber())
2924             useKind = DoubleRepUse;
2925         else
2926             useKind = NotCellUse;
2927         Node* newNode = m_insertionSet.insertNode(
2928             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
2929             Edge(node, useKind));
2930         observeUseKindOnNode(node, useKind);
2931         
2932         edge = Edge(newNode, KnownInt32Use);
2933     }
2934     
2935     void fixIntOrBooleanEdge(Edge& edge)
2936     {
2937         Node* node = edge.node();
2938         if (!node->sawBooleans()) {
2939             fixEdge<Int32Use>(edge);
2940             return;
2941         }
2942         
2943         UseKind useKind;
2944         if (node->shouldSpeculateBoolean())
2945             useKind = BooleanUse;
2946         else
2947             useKind = UntypedUse;
2948         Node* newNode = m_insertionSet.insertNode(
2949             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2950             Edge(node, useKind));
2951         observeUseKindOnNode(node, useKind);
2952         
2953         edge = Edge(newNode, Int32Use);
2954     }
2955     
2956     void fixDoubleOrBooleanEdge(Edge& edge)
2957     {
2958         Node* node = edge.node();
2959         if (!node->sawBooleans()) {
2960             fixEdge<DoubleRepUse>(edge);
2961             return;
2962         }
2963         
2964         UseKind useKind;
2965         if (node->shouldSpeculateBoolean())
2966             useKind = BooleanUse;
2967         else
2968             useKind = UntypedUse;
2969         Node* newNode = m_insertionSet.insertNode(
2970             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2971             Edge(node, useKind));
2972         observeUseKindOnNode(node, useKind);
2973         
2974         edge = Edge(newNode, DoubleRepUse);
2975     }
2976     
2977     void truncateConstantToInt32(Edge& edge)
2978     {
2979         Node* oldNode = edge.node();
2980         
2981         JSValue value = oldNode->asJSValue();
2982         if (value.isInt32())
2983             return;
2984         
2985         value = jsNumber(JSC::toInt32(value.asNumber()));
2986         ASSERT(value.isInt32());
2987         edge.setNode(m_insertionSet.insertNode(
2988             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
2989             OpInfo(m_graph.freeze(value))));
2990     }
2991     
2992     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
2993     {
2994         if (mode != SpeculateInt32AndTruncateConstants)
2995             return;
2996         
2997         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
2998         if (node->child1()->hasConstant())
2999             truncateConstantToInt32(node->child1());
3000         else
3001             truncateConstantToInt32(node->child2());
3002     }
3003
3004     bool attemptToMakeIntegerAdd(Node* node)
3005     {
3006         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3007         if (mode != DontSpeculateInt32) {
3008             truncateConstantsIfNecessary(node, mode);
3009             fixIntOrBooleanEdge(node->child1());
3010             fixIntOrBooleanEdge(node->child2());
3011             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3012                 node->setArithMode(Arith::Unchecked);
3013             else
3014                 node->setArithMode(Arith::CheckOverflow);
3015             return true;
3016         }
3017         
3018         if (m_graph.addShouldSpeculateAnyInt(node)) {
3019             fixEdge<Int52RepUse>(node->child1());
3020             fixEdge<Int52RepUse>(node->child2());
3021             node->setArithMode(Arith::CheckOverflow);
3022             node->setResult(NodeResultInt52);
3023             return true;
3024         }
3025         
3026         return false;
3027     }
3028     
3029     bool attemptToMakeGetArrayLength(Node* node)
3030     {
3031         if (!isInt32Speculation(node->prediction()))
3032             return false;
3033         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3034         ArrayProfile* arrayProfile = 
3035             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3036         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
3037         if (arrayProfile) {
3038             ConcurrentJSLocker locker(profiledBlock->m_lock);
3039             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3040             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3041             if (arrayMode.type() == Array::Unprofiled) {
3042                 // For normal array operations, it makes sense to treat Unprofiled
3043                 // accesses as ForceExit and get more data rather than using
3044                 // predictions and then possibly ending up with a Generic. But here,
3045                 // we treat anything that is Unprofiled as Generic and keep the
3046                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3047                 // profit - from treating the Unprofiled case as
3048                 // SelectUsingPredictions.
3049                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
3050             }
3051         }
3052             
3053         arrayMode = arrayMode.refine(
3054             m_graph, node, node->child1()->prediction(), node->prediction());
3055             
3056         if (arrayMode.type() == Array::Generic) {
3057             // Check if the input is something that we can't get array length for, but for which we
3058             // could insert some conversions in order to transform it into something that we can do it
3059             // for.
3060             if (node->child1()->shouldSpeculateStringObject())
3061                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3062             else if (node->child1()->shouldSpeculateStringOrStringObject())
3063                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3064         }
3065             
3066         if (!arrayMode.supportsSelfLength())
3067             return false;
3068         
3069         convertToGetArrayLength(node, arrayMode);
3070         return true;
3071     }
3072
3073     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3074     {
3075         node->setOp(GetArrayLength);
3076         node->clearFlags(NodeMustGenerate);
3077         fixEdge<KnownCellUse>(node->child1());
3078         node->setArrayMode(arrayMode);
3079             
3080         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3081         if (!storage)
3082             return;
3083             
3084         node->child2() = Edge(storage);
3085     }
3086     
3087     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3088     {
3089         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3090         return m_insertionSet.insertNode(
3091             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3092             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3093     }
3094
3095     void convertToHasIndexedProperty(Node* node)
3096     {
3097         node->setOp(HasIndexedProperty);
3098         node->clearFlags(NodeMustGenerate);
3099         node->setArrayMode(
3100             node->arrayMode().refine(
3101                 m_graph, node,
3102                 node->child1()->prediction(),
3103                 node->child2()->prediction(),
3104                 SpecNone));
3105         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3106
3107         blessArrayOperation(node->child1(), node->child2(), node->child3());
3108
3109         fixEdge<CellUse>(node->child1());
3110         fixEdge<Int32Use>(node->child2());
3111     }
3112
3113     bool attemptToMakeCallDOM(Node* node)
3114     {
3115         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3116             return false;
3117
3118         const DOMJIT::Signature* signature = node->signature();
3119         if (!signature)
3120             return false;
3121
3122         {
3123             unsigned index = 0;
3124             bool shouldConvertToCallDOM = true;
3125             m_graph.doToChildren(node, [&](Edge& edge) {
3126                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3127                 if (!index)
3128                     return;
3129
3130                 if (index == 1) {
3131                     // DOM node case.
3132                     if (edge->shouldSpeculateNotCell())
3133                         shouldConvertToCallDOM = false;
3134                 } else {
3135                     switch (signature->arguments[index - 2]) {
3136                     case SpecString:
3137                         if (edge->shouldSpeculateNotString())
3138                             shouldConvertToCallDOM = false;
3139                         break;
3140                     case SpecInt32Only:
3141                         if (edge->shouldSpeculateNotInt32())
3142                             shouldConvertToCallDOM = false;
3143                         break;
3144                     case SpecBoolean:
3145                         if (edge->shouldSpeculateNotBoolean())
3146                             shouldConvertToCallDOM = false;
3147                         break;
3148                     default:
3149                         RELEASE_ASSERT_NOT_REACHED();
3150                         break;
3151                     }
3152                 }
3153                 ++index;
3154             });
3155             if (!shouldConvertToCallDOM)
3156                 return false;
3157         }
3158
3159         Node* thisNode = m_graph.varArgChild(node, 1).node();
3160         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3161         node->convertToCallDOM(m_graph);
3162         fixupCheckSubClass(checkSubClass);
3163         fixupCallDOM(node);
3164         return true;
3165     }
3166
3167     void fixupCheckSubClass(Node* node)
3168     {
3169         fixEdge<CellUse>(node->child1());
3170     }
3171
3172     void fixupCallDOM(Node* node)
3173     {
3174         const DOMJIT::Signature* signature = node->signature();
3175         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3176             if (!edge)
3177                 return;
3178             switch (signature->arguments[argumentIndex]) {
3179             case SpecString:
3180                 fixEdge<StringUse>(edge);
3181                 break;
3182             case SpecInt32Only:
3183                 fixEdge<Int32Use>(edge);
3184                 break;
3185             case SpecBoolean:
3186                 fixEdge<BooleanUse>(edge);
3187                 break;
3188             default:
3189                 RELEASE_ASSERT_NOT_REACHED();
3190                 break;
3191             }
3192         };
3193         fixEdge<CellUse>(node->child1()); // DOM.
3194         fixup(node->child2(), 0);
3195         fixup(node->child3(), 1);
3196     }
3197
3198     void fixupArrayIndexOf(Node* node)
3199     {
3200         Edge& array = m_graph.varArgChild(node, 0);
3201         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3202         blessArrayOperation(array, Edge(), storage);
3203         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3204
3205         Edge& searchElement = m_graph.varArgChild(node, 1);
3206
3207         // Constant folding.
3208         switch (node->arrayMode().type()) {
3209         case Array::Double:
3210         case Array::Int32: {
3211             if (searchElement->shouldSpeculateCell()) {
3212                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3213                 m_graph.convertToConstant(node, jsNumber(-1));
3214                 observeUseKindOnNode<CellUse>(searchElement.node());
3215                 return;
3216             }
3217
3218             if (searchElement->shouldSpeculateOther()) {
3219                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3220                 m_graph.convertToConstant(node, jsNumber(-1));
3221                 observeUseKindOnNode<OtherUse>(searchElement.node());
3222                 return;
3223             }
3224
3225             if (searchElement->shouldSpeculateBoolean()) {
3226                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3227                 m_graph.convertToConstant(node, jsNumber(-1));
3228                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3229                 return;
3230             }
3231             break;
3232         }
3233         default:
3234             break;
3235         }
3236
3237         fixEdge<KnownCellUse>(array);
3238         if (node->numChildren() == 4)
3239             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3240
3241         switch (node->arrayMode().type()) {
3242         case Array::Double: {
3243             if (searchElement->shouldSpeculateNumber())
3244                 fixEdge<DoubleRepUse>(searchElement);
3245             return;
3246         }
3247         case Array::Int32: {
3248             if (searchElement->shouldSpeculateInt32())
3249                 fixEdge<Int32Use>(searchElement);
3250             return;
3251         }
3252         case Array::Contiguous: {
3253             if (searchElement->shouldSpeculateString())
3254                 fixEdge<StringUse>(searchElement);
3255             else if (searchElement->shouldSpeculateSymbol())
3256                 fixEdge<SymbolUse>(searchElement);
3257             else if (searchElement->shouldSpeculateOther())
3258                 fixEdge<OtherUse>(searchElement);
3259             else if (searchElement->shouldSpeculateObject())
3260                 fixEdge<ObjectUse>(searchElement);
3261             return;
3262         }
3263         default:
3264             RELEASE_ASSERT_NOT_REACHED();
3265             return;
3266         }
3267     }
3268
3269     void fixupChecksInBlock(BasicBlock* block)
3270     {
3271         if (!block)
3272             return;
3273         ASSERT(block->isReachable);
3274         m_block = block;
3275         unsigned indexForChecks = UINT_MAX;
3276         NodeOrigin originForChecks;
3277         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3278             Node* node = block->at(indexInBlock);
3279
3280             // If this is a node at which we could exit, then save its index. If nodes after this one
3281             // cannot exit, then we will hoist checks to here.
3282             if (node->origin.exitOK) {
3283                 indexForChecks = indexInBlock;
3284                 originForChecks = node->origin;
3285             }
3286
3287             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3288             
3289             // First, try to relax the representational demands of each node, in order to have
3290             // fewer conversions.
3291             switch (node->op()) {
3292             case MovHint:
3293             case Check:
3294                 m_graph.doToChildren(
3295                     node,
3296                     [&] (Edge& edge) {
3297                         switch (edge.useKind()) {
3298                         case DoubleRepUse:
3299                         case DoubleRepRealUse:
3300                             if (edge->hasDoubleResult())
3301                                 break;
3302             
3303                             if (edge->hasInt52Result())
3304                                 edge.setUseKind(Int52RepUse);
3305                             else if (edge.useKind() == DoubleRepUse)
3306                                 edge.setUseKind(NumberUse);
3307                             break;
3308             
3309                         case Int52RepUse:
3310                             // Nothing we can really do.
3311                             break;
3312             
3313                         case UntypedUse:
3314                         case NumberUse:
3315                             if (edge->hasDoubleResult())
3316                                 edge.setUseKind(DoubleRepUse);
3317                             else if (edge->hasInt52Result())
3318                                 edge.setUseKind(Int52RepUse);
3319                             break;
3320             
3321                         case RealNumberUse:
3322                             if (edge->hasDoubleResult())
3323                                 edge.setUseKind(DoubleRepRealUse);
3324                             else if (edge->hasInt52Result())
3325                                 edge.setUseKind(Int52RepUse);
3326                             break;
3327             
3328                         default:
3329                             break;
3330                         }
3331                     });
3332                 break;
3333                 
3334             case ValueToInt32:
3335                 if (node->child1().useKind() == DoubleRepUse
3336                     && !node->child1()->hasDoubleResult()) {
3337                     node->child1().setUseKind(NumberUse);
3338                     break;
3339                 }
3340                 break;
3341                 
3342             default:
3343                 break;
3344             }
3345
3346             // Now, insert type conversions if necessary.
3347             m_graph.doToChildren(
3348                 node,
3349                 [&] (Edge& edge) {
3350                     Node* result = nullptr;
3351
3352                     switch (edge.useKind()) {
3353                     case DoubleRepUse:
3354                     case DoubleRepRealUse:
3355                     case DoubleRepAnyIntUse: {
3356                         if (edge->hasDoubleResult())
3357                             break;
3358             
3359                         ASSERT(indexForChecks != UINT_MAX);
3360                         if (edge->isNumberConstant()) {
3361                             result = m_insertionSet.insertNode(
3362                                 indexForChecks, SpecBytecodeDouble, DoubleConstant, originForChecks,
3363                                 OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber()))));
3364                         } else if (edge->hasInt52Result()) {
3365                             result = m_insertionSet.insertNode(
3366                                 indexForChecks, SpecAnyIntAsDouble, DoubleRep, originForChecks,
3367                                 Edge(edge.node(), Int52RepUse));
3368                         } else {
3369                             UseKind useKind;
3370                             if (edge->shouldSpeculateDoubleReal())
3371                                 useKind = RealNumberUse;
3372                             else if (edge->shouldSpeculateNumber())
3373                                 useKind = NumberUse;
3374                             else
3375                                 useKind = NotCellUse;
3376
3377                             result = m_insertionSet.insertNode(
3378                                 indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks,
3379                                 Edge(edge.node(), useKind));
3380                         }
3381
3382                         edge.setNode(result);
3383                         break;
3384                     }
3385             
3386                     case Int52RepUse: {
3387                         if (edge->hasInt52Result())
3388                             break;
3389             
3390                         ASSERT(indexForChecks != UINT_MAX);
3391                         if (edge->isAnyIntConstant()) {
3392                             result = m_insertionSet.insertNode(
3393                                 indexForChecks, SpecAnyInt, Int52Constant, originForChecks,
3394                                 OpInfo(edge->constant()));
3395                         } else if (edge->hasDoubleResult()) {
3396                             result = m_insertionSet.insertNode(
3397                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3398                                 Edge(edge.node(), DoubleRepAnyIntUse));
3399                         } else if (edge->shouldSpeculateInt32ForArithmetic()) {
3400                             result = m_insertionSet.insertNode(
3401                                 indexForChecks, SpecInt32Only, Int52Rep, originForChecks,
3402                                 Edge(edge.node(), Int32Use));
3403                         } else {
3404                             result = m_insertionSet.insertNode(
3405                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3406                                 Edge(edge.node(), AnyIntUse));
3407                         }
3408
3409                         edge.setNode(result);
3410                         break;
3411                     }
3412
3413                     default: {
3414                         if (!edge->hasDoubleResult() && !edge->hasInt52Result())
3415                             break;
3416             
3417                         ASSERT(indexForChecks != UINT_MAX);
3418                         if (edge->hasDoubleResult()) {
3419                             result = m_insertionSet.insertNode(
3420                                 indexForChecks, SpecBytecodeDouble, ValueRep, originForChecks,
3421                                 Edge(edge.node(), DoubleRepUse));
3422                         } else {
3423                             result = m_insertionSet.insertNode(
3424                                 indexForChecks, SpecInt32Only | SpecAnyIntAsDouble, ValueRep,
3425                                 originForChecks, Edge(edge.node(), Int52RepUse));
3426                         }
3427
3428                         edge.setNode(result);
3429                         break;
3430                     } }
3431
3432                     // It's remotely possible that this node cannot do type checks, but we now have a
3433                     // type check on this node. We don't have to handle the general form of this
3434                     // problem. It only arises when ByteCodeParser emits an immediate SetLocal, rather
3435                     // than a delayed one. So, we only worry about those checks that we may have put on
3436                     // a SetLocal. Note that "indexForChecks != indexInBlock" is just another way of
3437                     // saying "!node->origin.exitOK".
3438                     if (indexForChecks != indexInBlock && mayHaveTypeCheck(edge.useKind())) {
3439                         UseKind knownUseKind;
3440                         
3441                         switch (edge.useKind()) {
3442                         case Int32Use:
3443                             knownUseKind = KnownInt32Use;
3444                             break;
3445                         case CellUse:
3446                             knownUseKind = KnownCellUse;
3447                             break;
3448                         case BooleanUse:
3449                             knownUseKind = KnownBooleanUse;
3450                             break;
3451                         default:
3452                             // This can only arise if we have a Check node, and in that case, we can
3453                             // just remove the original check.
3454                             DFG_ASSERT(m_graph, node, node->op() == Check);
3455                             knownUseKind = UntypedUse;
3456                             break;
3457                         }
3458
3459                         ASSERT(indexForChecks != UINT_MAX);
3460                         m_insertionSet.insertNode(
3461                             indexForChecks, SpecNone, Check, originForChecks, edge);
3462
3463                         edge.setUseKind(knownUseKind);
3464                     }
3465                 });
3466         }
3467         
3468         m_insertionSet.execute(block);
3469     }
3470     
3471     BasicBlock* m_block;
3472     unsigned m_indexInBlock;
3473     Node* m_currentNode;
3474     InsertionSet m_insertionSet;
3475     bool m_profitabilityChanged;
3476 };
3477     
3478 bool performFixup(Graph& graph)
3479 {
3480     return runPhase<FixupPhase>(graph);
3481 }
3482
3483 } } // namespace JSC::DFG
3484