[DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be...
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->clearFlags(NodeMustGenerate);
146                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
147             }
148             break;
149         }
150             
151         case ValueAdd: {
152             if (attemptToMakeIntegerAdd(node)) {
153                 node->setOp(ArithAdd);
154                 break;
155             }
156             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
157                 fixDoubleOrBooleanEdge(node->child1());
158                 fixDoubleOrBooleanEdge(node->child2());
159                 node->setOp(ArithAdd);
160                 node->setResult(NodeResultDouble);
161                 break;
162             }
163             
164             if (attemptToMakeFastStringAdd(node))
165                 break;
166
167             Edge& child1 = node->child1();
168             Edge& child2 = node->child2();
169             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
170                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
171                     auto convertString = [&](Node* node, Edge& edge) {
172                         if (edge->shouldSpeculateInt32())
173                             convertStringAddUse<Int32Use>(node, edge);
174                         else {
175                             ASSERT(edge->shouldSpeculateString());
176                             convertStringAddUse<StringUse>(node, edge);
177                         }
178                     };
179                     convertString(node, child1);
180                     convertString(node, child2);
181                     convertToMakeRope(node);
182                     break;
183                 }
184             }
185
186             fixEdge<UntypedUse>(child1);
187             fixEdge<UntypedUse>(child2);
188             node->setResult(NodeResultJS);
189             break;
190         }
191
192         case StrCat: {
193             if (attemptToMakeFastStringAdd(node))
194                 break;
195
196             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
197             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
198             // the implementation of StrCat doesn't dynamically optimize for empty strings.
199             // https://bugs.webkit.org/show_bug.cgi?id=148540
200             m_graph.doToChildren(
201                 node,
202                 [&] (Edge& edge) {
203                     fixEdge<KnownPrimitiveUse>(edge);
204                 });
205             break;
206         }
207             
208         case MakeRope: {
209             fixupMakeRope(node);
210             break;
211         }
212             
213         case ArithAdd:
214         case ArithSub: {
215             if (op == ArithSub
216                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
217                 fixEdge<UntypedUse>(node->child1());
218                 fixEdge<UntypedUse>(node->child2());
219                 node->setResult(NodeResultJS);
220                 break;
221             }
222             if (attemptToMakeIntegerAdd(node))
223                 break;
224             fixDoubleOrBooleanEdge(node->child1());
225             fixDoubleOrBooleanEdge(node->child2());
226             node->setResult(NodeResultDouble);
227             break;
228         }
229             
230         case ArithNegate: {
231             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
232                 fixIntOrBooleanEdge(node->child1());
233                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
234                     node->setArithMode(Arith::Unchecked);
235                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
236                     node->setArithMode(Arith::CheckOverflow);
237                 else
238                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
239                 node->setResult(NodeResultInt32);
240                 node->clearFlags(NodeMustGenerate);
241                 break;
242             }
243             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
244                 fixEdge<Int52RepUse>(node->child1());
245                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
246                     node->setArithMode(Arith::CheckOverflow);
247                 else
248                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
249                 node->setResult(NodeResultInt52);
250                 node->clearFlags(NodeMustGenerate);
251                 break;
252             }
253             if (node->child1()->shouldSpeculateNotCell()) {
254                 fixDoubleOrBooleanEdge(node->child1());
255                 node->setResult(NodeResultDouble);
256                 node->clearFlags(NodeMustGenerate);
257             } else
258                 fixEdge<UntypedUse>(node->child1());
259             break;
260         }
261             
262         case ArithMul: {
263             Edge& leftChild = node->child1();
264             Edge& rightChild = node->child2();
265             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
266                 fixEdge<UntypedUse>(leftChild);
267                 fixEdge<UntypedUse>(rightChild);
268                 node->setResult(NodeResultJS);
269                 break;
270             }
271             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
272                 fixIntOrBooleanEdge(leftChild);
273                 fixIntOrBooleanEdge(rightChild);
274                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
275                     node->setArithMode(Arith::Unchecked);
276                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
277                     || leftChild.node() == rightChild.node())
278                     node->setArithMode(Arith::CheckOverflow);
279                 else
280                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
281                 break;
282             }
283             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
284                 fixEdge<Int52RepUse>(leftChild);
285                 fixEdge<Int52RepUse>(rightChild);
286                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
287                     || leftChild.node() == rightChild.node())
288                     node->setArithMode(Arith::CheckOverflow);
289                 else
290                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
291                 node->setResult(NodeResultInt52);
292                 break;
293             }
294             fixDoubleOrBooleanEdge(leftChild);
295             fixDoubleOrBooleanEdge(rightChild);
296             node->setResult(NodeResultDouble);
297             break;
298         }
299
300         case ArithDiv:
301         case ArithMod: {
302             Edge& leftChild = node->child1();
303             Edge& rightChild = node->child2();
304             if (op == ArithDiv
305                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
306                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
307                 fixEdge<UntypedUse>(leftChild);
308                 fixEdge<UntypedUse>(rightChild);
309                 node->setResult(NodeResultJS);
310                 break;
311             }
312             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
313                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
314                     fixIntOrBooleanEdge(leftChild);
315                     fixIntOrBooleanEdge(rightChild);
316                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
317                         node->setArithMode(Arith::Unchecked);
318                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
319                         node->setArithMode(Arith::CheckOverflow);
320                     else
321                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
322                     break;
323                 }
324                 
325                 // This will cause conversion nodes to be inserted later.
326                 fixDoubleOrBooleanEdge(leftChild);
327                 fixDoubleOrBooleanEdge(rightChild);
328                 
329                 // We don't need to do ref'ing on the children because we're stealing them from
330                 // the original division.
331                 Node* newDivision = m_insertionSet.insertNode(
332                     m_indexInBlock, SpecBytecodeDouble, *node);
333                 newDivision->setResult(NodeResultDouble);
334                 
335                 node->setOp(DoubleAsInt32);
336                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
337                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
338                     node->setArithMode(Arith::CheckOverflow);
339                 else
340                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
341                 break;
342             }
343             fixDoubleOrBooleanEdge(leftChild);
344             fixDoubleOrBooleanEdge(rightChild);
345             node->setResult(NodeResultDouble);
346             break;
347         }
348             
349         case ArithMin:
350         case ArithMax: {
351             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
352                 fixIntOrBooleanEdge(node->child1());
353                 fixIntOrBooleanEdge(node->child2());
354                 break;
355             }
356             fixDoubleOrBooleanEdge(node->child1());
357             fixDoubleOrBooleanEdge(node->child2());
358             node->setResult(NodeResultDouble);
359             break;
360         }
361             
362         case ArithAbs: {
363             if (node->child1()->shouldSpeculateInt32OrBoolean()
364                 && node->canSpeculateInt32(FixupPass)) {
365                 fixIntOrBooleanEdge(node->child1());
366                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
367                     node->setArithMode(Arith::Unchecked);
368                 else
369                     node->setArithMode(Arith::CheckOverflow);
370                 node->clearFlags(NodeMustGenerate);
371                 node->setResult(NodeResultInt32);
372                 break;
373             }
374
375             if (node->child1()->shouldSpeculateNotCell()) {
376                 fixDoubleOrBooleanEdge(node->child1());
377                 node->clearFlags(NodeMustGenerate);
378             } else
379                 fixEdge<UntypedUse>(node->child1());
380             node->setResult(NodeResultDouble);
381             break;
382         }
383
384         case ArithPow: {
385             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
386                 fixDoubleOrBooleanEdge(node->child1());
387                 fixIntOrBooleanEdge(node->child2());
388                 break;
389             }
390
391             fixDoubleOrBooleanEdge(node->child1());
392             fixDoubleOrBooleanEdge(node->child2());
393             break;
394         }
395
396         case ArithRandom: {
397             node->setResult(NodeResultDouble);
398             break;
399         }
400
401         case ArithRound:
402         case ArithFloor:
403         case ArithCeil:
404         case ArithTrunc: {
405             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
406                 fixIntOrBooleanEdge(node->child1());
407                 insertCheck<Int32Use>(node->child1().node());
408                 node->convertToIdentity();
409                 break;
410             }
411             if (node->child1()->shouldSpeculateNotCell()) {
412                 fixDoubleOrBooleanEdge(node->child1());
413
414                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
415                     node->setResult(NodeResultInt32);
416                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
417                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
418                     else
419                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
420                 } else {
421                     node->setResult(NodeResultDouble);
422                     node->setArithRoundingMode(Arith::RoundingMode::Double);
423                 }
424                 node->clearFlags(NodeMustGenerate);
425             } else
426                 fixEdge<UntypedUse>(node->child1());
427             break;
428         }
429
430         case ArithFRound:
431         case ArithSqrt:
432         case ArithUnary: {
433             Edge& child1 = node->child1();
434             if (child1->shouldSpeculateNotCell()) {
435                 fixDoubleOrBooleanEdge(child1);
436                 node->clearFlags(NodeMustGenerate);
437             } else
438                 fixEdge<UntypedUse>(child1);
439             break;
440         }
441             
442         case LogicalNot: {
443             if (node->child1()->shouldSpeculateBoolean()) {
444                 if (node->child1()->result() == NodeResultBoolean) {
445                     // This is necessary in case we have a bytecode instruction implemented by:
446                     //
447                     // a: CompareEq(...)
448                     // b: LogicalNot(@a)
449                     //
450                     // In that case, CompareEq might have a side-effect. Then, we need to make
451                     // sure that we know that Branch does not exit.
452                     fixEdge<KnownBooleanUse>(node->child1());
453                 } else
454                     fixEdge<BooleanUse>(node->child1());
455             } else if (node->child1()->shouldSpeculateObjectOrOther())
456                 fixEdge<ObjectOrOtherUse>(node->child1());
457             else if (node->child1()->shouldSpeculateInt32OrBoolean())
458                 fixIntOrBooleanEdge(node->child1());
459             else if (node->child1()->shouldSpeculateNumber())
460                 fixEdge<DoubleRepUse>(node->child1());
461             else if (node->child1()->shouldSpeculateString())
462                 fixEdge<StringUse>(node->child1());
463             else if (node->child1()->shouldSpeculateStringOrOther())
464                 fixEdge<StringOrOtherUse>(node->child1());
465             else {
466                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
467                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
468                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
469             }
470             break;
471         }
472
473         case CompareEq:
474         case CompareLess:
475         case CompareLessEq:
476         case CompareGreater:
477         case CompareGreaterEq: {
478             if (node->op() == CompareEq
479                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
480                 fixEdge<BooleanUse>(node->child1());
481                 fixEdge<BooleanUse>(node->child2());
482                 node->clearFlags(NodeMustGenerate);
483                 break;
484             }
485             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
486                 fixIntOrBooleanEdge(node->child1());
487                 fixIntOrBooleanEdge(node->child2());
488                 node->clearFlags(NodeMustGenerate);
489                 break;
490             }
491             if (enableInt52()
492                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
493                 fixEdge<Int52RepUse>(node->child1());
494                 fixEdge<Int52RepUse>(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
499                 fixDoubleOrBooleanEdge(node->child1());
500                 fixDoubleOrBooleanEdge(node->child2());
501             }
502             if (node->op() != CompareEq
503                 && node->child1()->shouldSpeculateNotCell()
504                 && node->child2()->shouldSpeculateNotCell()) {
505                 if (node->child1()->shouldSpeculateNumberOrBoolean())
506                     fixDoubleOrBooleanEdge(node->child1());
507                 else
508                     fixEdge<DoubleRepUse>(node->child1());
509                 if (node->child2()->shouldSpeculateNumberOrBoolean())
510                     fixDoubleOrBooleanEdge(node->child2());
511                 else
512                     fixEdge<DoubleRepUse>(node->child2());
513                 node->clearFlags(NodeMustGenerate);
514                 break;
515             }
516             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
517                 fixEdge<StringIdentUse>(node->child1());
518                 fixEdge<StringIdentUse>(node->child2());
519                 node->clearFlags(NodeMustGenerate);
520                 break;
521             }
522             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
523                 fixEdge<StringUse>(node->child1());
524                 fixEdge<StringUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528
529             if (node->op() != CompareEq)
530                 break;
531             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
532                 fixEdge<SymbolUse>(node->child1());
533                 fixEdge<SymbolUse>(node->child2());
534                 node->clearFlags(NodeMustGenerate);
535                 break;
536             }
537             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
538                 fixEdge<ObjectUse>(node->child1());
539                 fixEdge<ObjectUse>(node->child2());
540                 node->clearFlags(NodeMustGenerate);
541                 break;
542             }
543
544             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
545             bool oneArgumentIsUsedAsSpecOther = false;
546             if (node->child1()->isUndefinedOrNullConstant()) {
547                 fixEdge<OtherUse>(node->child1());
548                 oneArgumentIsUsedAsSpecOther = true;
549             } else if (node->child1()->shouldSpeculateOther()) {
550                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
551                     Edge(node->child1().node(), OtherUse));
552                 fixEdge<OtherUse>(node->child1());
553                 oneArgumentIsUsedAsSpecOther = true;
554             }
555             if (node->child2()->isUndefinedOrNullConstant()) {
556                 fixEdge<OtherUse>(node->child2());
557                 oneArgumentIsUsedAsSpecOther = true;
558             } else if (node->child2()->shouldSpeculateOther()) {
559                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
560                     Edge(node->child2().node(), OtherUse));
561                 fixEdge<OtherUse>(node->child2());
562                 oneArgumentIsUsedAsSpecOther = true;
563             }
564             if (oneArgumentIsUsedAsSpecOther) {
565                 node->clearFlags(NodeMustGenerate);
566                 break;
567             }
568
569             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
570                 fixEdge<ObjectUse>(node->child1());
571                 fixEdge<ObjectOrOtherUse>(node->child2());
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
576                 fixEdge<ObjectOrOtherUse>(node->child1());
577                 fixEdge<ObjectUse>(node->child2());
578                 node->clearFlags(NodeMustGenerate);
579                 break;
580             }
581
582             break;
583         }
584             
585         case CompareStrictEq: {
586             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
587                 fixEdge<BooleanUse>(node->child1());
588                 fixEdge<BooleanUse>(node->child2());
589                 break;
590             }
591             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
592                 fixEdge<Int32Use>(node->child1());
593                 fixEdge<Int32Use>(node->child2());
594                 break;
595             }
596             if (enableInt52()
597                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
598                 fixEdge<Int52RepUse>(node->child1());
599                 fixEdge<Int52RepUse>(node->child2());
600                 break;
601             }
602             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
603                 fixEdge<DoubleRepUse>(node->child1());
604                 fixEdge<DoubleRepUse>(node->child2());
605                 break;
606             }
607             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
608                 fixEdge<SymbolUse>(node->child1());
609                 fixEdge<SymbolUse>(node->child2());
610                 break;
611             }
612             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
613                 fixEdge<StringIdentUse>(node->child1());
614                 fixEdge<StringIdentUse>(node->child2());
615                 break;
616             }
617             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
618                 fixEdge<StringUse>(node->child1());
619                 fixEdge<StringUse>(node->child2());
620                 break;
621             }
622             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
623             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
624                 
625                 if (node->child1()->shouldSpeculateObject()) {
626                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
627                     fixEdge<ObjectUse>(node->child1());
628                     break;
629                 }
630                 if (node->child2()->shouldSpeculateObject()) {
631                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
632                     fixEdge<ObjectUse>(node->child2());
633                     break;
634                 }
635                 
636             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
637                 fixEdge<ObjectUse>(node->child1());
638                 fixEdge<ObjectUse>(node->child2());
639                 break;
640             }
641             if (node->child1()->shouldSpeculateSymbol()) {
642                 fixEdge<SymbolUse>(node->child1());
643                 break;
644             }
645             if (node->child2()->shouldSpeculateSymbol()) {
646                 fixEdge<SymbolUse>(node->child2());
647                 break;
648             }
649             if (node->child1()->shouldSpeculateMisc()) {
650                 fixEdge<MiscUse>(node->child1());
651                 break;
652             }
653             if (node->child2()->shouldSpeculateMisc()) {
654                 fixEdge<MiscUse>(node->child2());
655                 break;
656             }
657             if (node->child1()->shouldSpeculateStringIdent()
658                 && node->child2()->shouldSpeculateNotStringVar()) {
659                 fixEdge<StringIdentUse>(node->child1());
660                 fixEdge<NotStringVarUse>(node->child2());
661                 break;
662             }
663             if (node->child2()->shouldSpeculateStringIdent()
664                 && node->child1()->shouldSpeculateNotStringVar()) {
665                 fixEdge<StringIdentUse>(node->child2());
666                 fixEdge<NotStringVarUse>(node->child1());
667                 break;
668             }
669             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
670                 fixEdge<StringUse>(node->child1());
671                 break;
672             }
673             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
674                 fixEdge<StringUse>(node->child2());
675                 break;
676             }
677             break;
678         }
679             
680         case StringFromCharCode:
681             if (node->child1()->shouldSpeculateInt32())
682                 fixEdge<Int32Use>(node->child1());
683             else
684                 fixEdge<UntypedUse>(node->child1());
685             break;
686
687         case StringCharAt:
688         case StringCharCodeAt: {
689             // Currently we have no good way of refining these.
690             ASSERT(node->arrayMode() == ArrayMode(Array::String));
691             blessArrayOperation(node->child1(), node->child2(), node->child3());
692             fixEdge<KnownCellUse>(node->child1());
693             fixEdge<Int32Use>(node->child2());
694             break;
695         }
696
697         case GetByVal: {
698             if (!node->prediction()) {
699                 m_insertionSet.insertNode(
700                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
701             }
702             
703             node->setArrayMode(
704                 node->arrayMode().refine(
705                     m_graph, node,
706                     node->child1()->prediction(),
707                     node->child2()->prediction(),
708                     SpecNone));
709             
710             blessArrayOperation(node->child1(), node->child2(), node->child3());
711             
712             ArrayMode arrayMode = node->arrayMode();
713             switch (arrayMode.type()) {
714             case Array::Contiguous:
715             case Array::Double:
716                 if (arrayMode.arrayClass() == Array::OriginalArray
717                     && arrayMode.speculation() == Array::InBounds) {
718                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
719                     if (globalObject->arrayPrototypeChainIsSane()) {
720                         // Check if SaneChain will work on a per-type basis. Note that:
721                         //
722                         // 1) We don't want double arrays to sometimes return undefined, since
723                         // that would require a change to the return type and it would pessimise
724                         // things a lot. So, we'd only want to do that if we actually had
725                         // evidence that we could read from a hole. That's pretty annoying.
726                         // Likely the best way to handle that case is with an equivalent of
727                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
728                         // NaN are indistinguishable according to backwards propagation, and just
729                         // use SaneChain in that case. This happens to catch a lot of cases.
730                         //
731                         // 2) We don't want int32 array loads to have to do a hole check just to
732                         // coerce to Undefined, since that would mean twice the checks.
733                         //
734                         // This has two implications. First, we have to do more checks than we'd
735                         // like. It's unfortunate that we have to do the hole check. Second,
736                         // some accesses that hit a hole will now need to take the full-blown
737                         // out-of-bounds slow path. We can fix that with:
738                         // https://bugs.webkit.org/show_bug.cgi?id=144668
739                         
740                         bool canDoSaneChain = false;
741                         switch (arrayMode.type()) {
742                         case Array::Contiguous:
743                             // This is happens to be entirely natural. We already would have
744                             // returned any JSValue, and now we'll return Undefined. We still do
745                             // the check but it doesn't require taking any kind of slow path.
746                             canDoSaneChain = true;
747                             break;
748                             
749                         case Array::Double:
750                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
751                                 // Holes look like NaN already, so if the user doesn't care
752                                 // about the difference between Undefined and NaN then we can
753                                 // do this.
754                                 canDoSaneChain = true;
755                             }
756                             break;
757                             
758                         default:
759                             break;
760                         }
761                         
762                         if (canDoSaneChain) {
763                             m_graph.watchpoints().addLazily(
764                                 globalObject->arrayPrototype()->structure()->transitionWatchpointSet());
765                             m_graph.watchpoints().addLazily(
766                                 globalObject->objectPrototype()->structure()->transitionWatchpointSet());
767                             if (globalObject->arrayPrototypeChainIsSane())
768                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
769                         }
770                     }
771                 }
772                 break;
773                 
774             case Array::String:
775                 if ((node->prediction() & ~SpecString)
776                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
777                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
778                 break;
779                 
780             default:
781                 break;
782             }
783             
784             arrayMode = node->arrayMode();
785             switch (arrayMode.type()) {
786             case Array::SelectUsingPredictions:
787             case Array::Unprofiled:
788                 RELEASE_ASSERT_NOT_REACHED();
789                 break;
790             case Array::Generic:
791                 if (node->child1()->shouldSpeculateObject()) {
792                     if (node->child2()->shouldSpeculateString()) {
793                         fixEdge<ObjectUse>(node->child1());
794                         fixEdge<StringUse>(node->child2());
795                         break;
796                     }
797
798                     if (node->child2()->shouldSpeculateSymbol()) {
799                         fixEdge<ObjectUse>(node->child1());
800                         fixEdge<SymbolUse>(node->child2());
801                         break;
802                     }
803                 }
804 #if USE(JSVALUE32_64)
805                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
806 #endif
807                 break;
808             case Array::ForceExit:
809                 break;
810             default:
811                 fixEdge<KnownCellUse>(node->child1());
812                 fixEdge<Int32Use>(node->child2());
813                 break;
814             }
815             
816             switch (arrayMode.type()) {
817             case Array::Double:
818                 if (!arrayMode.isOutOfBounds())
819                     node->setResult(NodeResultDouble);
820                 break;
821                 
822             case Array::Float32Array:
823             case Array::Float64Array:
824                 node->setResult(NodeResultDouble);
825                 break;
826                 
827             case Array::Uint32Array:
828                 if (node->shouldSpeculateInt32())
829                     break;
830                 if (node->shouldSpeculateAnyInt() && enableInt52())
831                     node->setResult(NodeResultInt52);
832                 else
833                     node->setResult(NodeResultDouble);
834                 break;
835                 
836             default:
837                 break;
838             }
839             
840             break;
841         }
842
843         case PutByValDirect:
844         case PutByVal:
845         case PutByValAlias: {
846             Edge& child1 = m_graph.varArgChild(node, 0);
847             Edge& child2 = m_graph.varArgChild(node, 1);
848             Edge& child3 = m_graph.varArgChild(node, 2);
849
850             node->setArrayMode(
851                 node->arrayMode().refine(
852                     m_graph, node,
853                     child1->prediction(),
854                     child2->prediction(),
855                     child3->prediction()));
856             
857             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
858             
859             switch (node->arrayMode().modeForPut().type()) {
860             case Array::SelectUsingPredictions:
861             case Array::SelectUsingArguments:
862             case Array::Unprofiled:
863             case Array::Undecided:
864                 RELEASE_ASSERT_NOT_REACHED();
865                 break;
866             case Array::ForceExit:
867             case Array::Generic:
868 #if USE(JSVALUE32_64)
869                 // Due to register pressure on 32-bit, we speculate cell and
870                 // ignore the base-is-not-cell case entirely by letting the
871                 // baseline JIT handle it.
872                 fixEdge<CellUse>(child1);
873 #endif
874                 break;
875             case Array::Int32:
876                 fixEdge<KnownCellUse>(child1);
877                 fixEdge<Int32Use>(child2);
878                 fixEdge<Int32Use>(child3);
879                 break;
880             case Array::Double:
881                 fixEdge<KnownCellUse>(child1);
882                 fixEdge<Int32Use>(child2);
883                 fixEdge<DoubleRepRealUse>(child3);
884                 break;
885             case Array::Int8Array:
886             case Array::Int16Array:
887             case Array::Int32Array:
888             case Array::Uint8Array:
889             case Array::Uint8ClampedArray:
890             case Array::Uint16Array:
891             case Array::Uint32Array:
892                 fixEdge<KnownCellUse>(child1);
893                 fixEdge<Int32Use>(child2);
894                 if (child3->shouldSpeculateInt32())
895                     fixIntOrBooleanEdge(child3);
896                 else if (child3->shouldSpeculateAnyInt())
897                     fixEdge<Int52RepUse>(child3);
898                 else
899                     fixDoubleOrBooleanEdge(child3);
900                 break;
901             case Array::Float32Array:
902             case Array::Float64Array:
903                 fixEdge<KnownCellUse>(child1);
904                 fixEdge<Int32Use>(child2);
905                 fixDoubleOrBooleanEdge(child3);
906                 break;
907             case Array::Contiguous:
908             case Array::ArrayStorage:
909             case Array::SlowPutArrayStorage:
910                 fixEdge<KnownCellUse>(child1);
911                 fixEdge<Int32Use>(child2);
912                 speculateForBarrier(child3);
913                 break;
914             default:
915                 fixEdge<KnownCellUse>(child1);
916                 fixEdge<Int32Use>(child2);
917                 break;
918             }
919             break;
920         }
921             
922         case AtomicsAdd:
923         case AtomicsAnd:
924         case AtomicsCompareExchange:
925         case AtomicsExchange:
926         case AtomicsLoad:
927         case AtomicsOr:
928         case AtomicsStore:
929         case AtomicsSub:
930         case AtomicsXor: {
931             Edge& base = m_graph.child(node, 0);
932             Edge& index = m_graph.child(node, 1);
933             
934             bool badNews = false;
935             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
936                 Edge& child = m_graph.child(node, 2 + i);
937                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
938                 // just call the function when that happens. But the FTL is totally cool with those
939                 // conversions.
940                 if (!child->shouldSpeculateInt32()
941                     && !child->shouldSpeculateAnyInt()
942                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
943                     badNews = true;
944             }
945             
946             if (badNews) {
947                 node->setArrayMode(ArrayMode(Array::Generic));
948                 break;
949             }
950             
951             node->setArrayMode(
952                 node->arrayMode().refine(
953                     m_graph, node, base->prediction(), index->prediction()));
954             
955             if (node->arrayMode().type() == Array::Generic)
956                 break;
957             
958             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
959                 Edge& child = m_graph.child(node, 2 + i);
960                 if (child->shouldSpeculateInt32())
961                     fixIntOrBooleanEdge(child);
962                 else if (child->shouldSpeculateAnyInt())
963                     fixEdge<Int52RepUse>(child);
964                 else {
965                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
966                     fixDoubleOrBooleanEdge(child);
967                 }
968             }
969             
970             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
971             fixEdge<CellUse>(base);
972             fixEdge<Int32Use>(index);
973             
974             if (node->arrayMode().type() == Array::Uint32Array) {
975                 // NOTE: This means basically always doing Int52.
976                 if (node->shouldSpeculateAnyInt() && enableInt52())
977                     node->setResult(NodeResultInt52);
978                 else
979                     node->setResult(NodeResultDouble);
980             }
981             break;
982         }
983             
984         case AtomicsIsLockFree:
985             if (node->child1()->shouldSpeculateInt32())
986                 fixIntOrBooleanEdge(node->child1());
987             break;
988             
989         case ArrayPush: {
990             // May need to refine the array mode in case the value prediction contravenes
991             // the array prediction. For example, we may have evidence showing that the
992             // array is in Int32 mode, but the value we're storing is likely to be a double.
993             // Then we should turn this into a conversion to Double array followed by the
994             // push. On the other hand, we absolutely don't want to refine based on the
995             // base prediction. If it has non-cell garbage in it, then we want that to be
996             // ignored. That's because ArrayPush can't handle any array modes that aren't
997             // array-related - so if refine() turned this into a "Generic" ArrayPush then
998             // that would break things.
999             node->setArrayMode(
1000                 node->arrayMode().refine(
1001                     m_graph, node,
1002                     node->child1()->prediction() & SpecCell,
1003                     SpecInt32Only,
1004                     node->child2()->prediction()));
1005             blessArrayOperation(node->child1(), Edge(), node->child3());
1006             fixEdge<KnownCellUse>(node->child1());
1007             
1008             switch (node->arrayMode().type()) {
1009             case Array::Int32:
1010                 fixEdge<Int32Use>(node->child2());
1011                 break;
1012             case Array::Double:
1013                 fixEdge<DoubleRepRealUse>(node->child2());
1014                 break;
1015             case Array::Contiguous:
1016             case Array::ArrayStorage:
1017                 speculateForBarrier(node->child2());
1018                 break;
1019             default:
1020                 break;
1021             }
1022             break;
1023         }
1024             
1025         case ArrayPop: {
1026             blessArrayOperation(node->child1(), Edge(), node->child2());
1027             fixEdge<KnownCellUse>(node->child1());
1028             break;
1029         }
1030
1031         case ArraySlice: {
1032             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1033             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1034             if (node->numChildren() == 4)
1035                 fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1036             break;
1037         }
1038
1039         case ArrayIndexOf:
1040             fixupArrayIndexOf(node);
1041             break;
1042             
1043         case RegExpExec:
1044         case RegExpTest: {
1045             fixEdge<KnownCellUse>(node->child1());
1046             
1047             if (node->child2()->shouldSpeculateRegExpObject()) {
1048                 fixEdge<RegExpObjectUse>(node->child2());
1049
1050                 if (node->child3()->shouldSpeculateString())
1051                     fixEdge<StringUse>(node->child3());
1052             }
1053             break;
1054         }
1055
1056         case StringReplace:
1057         case StringReplaceRegExp: {
1058             if (node->child2()->shouldSpeculateString()) {
1059                 m_insertionSet.insertNode(
1060                     m_indexInBlock, SpecNone, Check, node->origin,
1061                     Edge(node->child2().node(), StringUse));
1062                 fixEdge<StringUse>(node->child2());
1063             } else if (op == StringReplace) {
1064                 if (node->child2()->shouldSpeculateRegExpObject())
1065                     addStringReplacePrimordialChecks(node->child2().node());
1066                 else 
1067                     m_insertionSet.insertNode(
1068                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1069             }
1070
1071             if (node->child1()->shouldSpeculateString()
1072                 && node->child2()->shouldSpeculateRegExpObject()
1073                 && node->child3()->shouldSpeculateString()) {
1074
1075                 fixEdge<StringUse>(node->child1());
1076                 fixEdge<RegExpObjectUse>(node->child2());
1077                 fixEdge<StringUse>(node->child3());
1078                 break;
1079             }
1080             break;
1081         }
1082             
1083         case Branch: {
1084             if (node->child1()->shouldSpeculateBoolean()) {
1085                 if (node->child1()->result() == NodeResultBoolean) {
1086                     // This is necessary in case we have a bytecode instruction implemented by:
1087                     //
1088                     // a: CompareEq(...)
1089                     // b: Branch(@a)
1090                     //
1091                     // In that case, CompareEq might have a side-effect. Then, we need to make
1092                     // sure that we know that Branch does not exit.
1093                     fixEdge<KnownBooleanUse>(node->child1());
1094                 } else
1095                     fixEdge<BooleanUse>(node->child1());
1096             } else if (node->child1()->shouldSpeculateObjectOrOther())
1097                 fixEdge<ObjectOrOtherUse>(node->child1());
1098             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1099                 fixIntOrBooleanEdge(node->child1());
1100             else if (node->child1()->shouldSpeculateNumber())
1101                 fixEdge<DoubleRepUse>(node->child1());
1102             else if (node->child1()->shouldSpeculateString())
1103                 fixEdge<StringUse>(node->child1());
1104             else if (node->child1()->shouldSpeculateStringOrOther())
1105                 fixEdge<StringOrOtherUse>(node->child1());
1106             else {
1107                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1108                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1109                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1110             }
1111             break;
1112         }
1113             
1114         case Switch: {
1115             SwitchData* data = node->switchData();
1116             switch (data->kind) {
1117             case SwitchImm:
1118                 if (node->child1()->shouldSpeculateInt32())
1119                     fixEdge<Int32Use>(node->child1());
1120                 break;
1121             case SwitchChar:
1122                 if (node->child1()->shouldSpeculateString())
1123                     fixEdge<StringUse>(node->child1());
1124                 break;
1125             case SwitchString:
1126                 if (node->child1()->shouldSpeculateStringIdent())
1127                     fixEdge<StringIdentUse>(node->child1());
1128                 else if (node->child1()->shouldSpeculateString())
1129                     fixEdge<StringUse>(node->child1());
1130                 break;
1131             case SwitchCell:
1132                 if (node->child1()->shouldSpeculateCell())
1133                     fixEdge<CellUse>(node->child1());
1134                 // else it's fine for this to have UntypedUse; we will handle this by just making
1135                 // non-cells take the default case.
1136                 break;
1137             }
1138             break;
1139         }
1140             
1141         case ToPrimitive: {
1142             fixupToPrimitive(node);
1143             break;
1144         }
1145
1146         case ToNumber: {
1147             fixupToNumber(node);
1148             break;
1149         }
1150             
1151         case ToString:
1152         case CallStringConstructor: {
1153             fixupToStringOrCallStringConstructor(node);
1154             break;
1155         }
1156             
1157         case NewStringObject: {
1158             fixEdge<KnownStringUse>(node->child1());
1159             break;
1160         }
1161
1162         case NewArrayWithSpread: {
1163             watchHavingABadTime(node);
1164             
1165             BitVector* bitVector = node->bitVector();
1166             for (unsigned i = node->numChildren(); i--;) {
1167                 if (bitVector->get(i))
1168                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1169                 else
1170                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1171             }
1172
1173             break;
1174         }
1175
1176         case Spread: {
1177             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1178             
1179             watchHavingABadTime(node->child1().node());
1180
1181             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1182             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1183             // that it doesn't contain any indexed properties, and that any holes will result in
1184             // jsUndefined().
1185             InlineWatchpointSet& objectPrototypeTransition = globalObject->objectPrototype()->structure()->transitionWatchpointSet();
1186             InlineWatchpointSet& arrayPrototypeTransition = globalObject->arrayPrototype()->structure()->transitionWatchpointSet();
1187             if (node->child1()->shouldSpeculateArray() 
1188                 && arrayPrototypeTransition.isStillValid() 
1189                 && objectPrototypeTransition.isStillValid() 
1190                 && globalObject->arrayPrototypeChainIsSane()
1191                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1192                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1193                 m_graph.watchpoints().addLazily(objectPrototypeTransition);
1194                 m_graph.watchpoints().addLazily(arrayPrototypeTransition);
1195                 fixEdge<ArrayUse>(node->child1());
1196             } else
1197                 fixEdge<CellUse>(node->child1());
1198             break;
1199         }
1200             
1201         case NewArray: {
1202             watchHavingABadTime(node);
1203             
1204             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1205                 node->setIndexingType(
1206                     leastUpperBoundOfIndexingTypeAndType(
1207                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1208             }
1209             switch (node->indexingType()) {
1210             case ALL_BLANK_INDEXING_TYPES:
1211                 CRASH();
1212                 break;
1213             case ALL_UNDECIDED_INDEXING_TYPES:
1214                 if (node->numChildren()) {
1215                     // This will only happen if the children have no type predictions. We
1216                     // would have already exited by now, but insert a forced exit just to
1217                     // be safe.
1218                     m_insertionSet.insertNode(
1219                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1220                 }
1221                 break;
1222             case ALL_INT32_INDEXING_TYPES:
1223                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1224                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1225                 break;
1226             case ALL_DOUBLE_INDEXING_TYPES:
1227                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1228                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1229                 break;
1230             case ALL_CONTIGUOUS_INDEXING_TYPES:
1231             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1232                 break;
1233             default:
1234                 CRASH();
1235                 break;
1236             }
1237             break;
1238         }
1239             
1240         case NewTypedArray: {
1241             watchHavingABadTime(node);
1242             
1243             if (node->child1()->shouldSpeculateInt32()) {
1244                 fixEdge<Int32Use>(node->child1());
1245                 node->clearFlags(NodeMustGenerate);
1246                 break;
1247             }
1248             break;
1249         }
1250             
1251         case NewArrayWithSize: {
1252             watchHavingABadTime(node);
1253             fixEdge<Int32Use>(node->child1());
1254             break;
1255         }
1256
1257         case NewArrayBuffer: {
1258             watchHavingABadTime(node);
1259             break;
1260         }
1261
1262         case CallObjectConstructor: {
1263             if (node->child1()->shouldSpeculateObject()) {
1264                 fixEdge<ObjectUse>(node->child1());
1265                 node->convertToIdentity();
1266                 break;
1267             }
1268
1269             fixEdge<UntypedUse>(node->child1());
1270             break;
1271         }
1272
1273         case ToThis: {
1274             fixupToThis(node);
1275             break;
1276         }
1277             
1278         case PutStructure: {
1279             fixEdge<KnownCellUse>(node->child1());
1280             break;
1281         }
1282             
1283         case GetClosureVar:
1284         case GetFromArguments: {
1285             fixEdge<KnownCellUse>(node->child1());
1286             break;
1287         }
1288
1289         case PutClosureVar:
1290         case PutToArguments: {
1291             fixEdge<KnownCellUse>(node->child1());
1292             speculateForBarrier(node->child2());
1293             break;
1294         }
1295
1296         case SkipScope:
1297         case GetScope:
1298         case GetGetter:
1299         case GetSetter:
1300         case GetGlobalObject: {
1301             fixEdge<KnownCellUse>(node->child1());
1302             break;
1303         }
1304             
1305         case AllocatePropertyStorage:
1306         case ReallocatePropertyStorage: {
1307             fixEdge<KnownCellUse>(node->child1());
1308             break;
1309         }
1310             
1311         case NukeStructureAndSetButterfly: {
1312             fixEdge<KnownCellUse>(node->child1());
1313             break;
1314         }
1315
1316         case TryGetById: {
1317             if (node->child1()->shouldSpeculateCell())
1318                 fixEdge<CellUse>(node->child1());
1319             break;
1320         }
1321
1322         case GetById:
1323         case GetByIdFlush: {
1324             // FIXME: This should be done in the ByteCodeParser based on reading the
1325             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1326             // https://bugs.webkit.org/show_bug.cgi?id=154990
1327             auto uid = m_graph.identifiers()[node->identifierNumber()];
1328             if (node->child1()->shouldSpeculateCellOrOther()
1329                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1330                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1331                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1332                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1333                 
1334                 if (uid == vm().propertyNames->length.impl()) {
1335                     attemptToMakeGetArrayLength(node);
1336                     break;
1337                 }
1338
1339                 if (uid == vm().propertyNames->lastIndex.impl()
1340                     && node->child1()->shouldSpeculateRegExpObject()) {
1341                     node->setOp(GetRegExpObjectLastIndex);
1342                     node->clearFlags(NodeMustGenerate);
1343                     fixEdge<RegExpObjectUse>(node->child1());
1344                     break;
1345                 }
1346             }
1347
1348             if (node->child1()->shouldSpeculateNumber()) {
1349                 if (uid == vm().propertyNames->toString.impl()) {
1350                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1351                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1352                         if (node->child1()->shouldSpeculateInt32()) {
1353                             insertCheck<Int32Use>(node->child1().node());
1354                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1355                             break;
1356                         }
1357
1358                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1359                             insertCheck<Int52RepUse>(node->child1().node());
1360                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1361                             break;
1362                         }
1363
1364                         ASSERT(node->child1()->shouldSpeculateNumber());
1365                         insertCheck<DoubleRepUse>(node->child1().node());
1366                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1367                         break;
1368                     }
1369                 }
1370             }
1371
1372             if (node->child1()->shouldSpeculateCell())
1373                 fixEdge<CellUse>(node->child1());
1374             break;
1375         }
1376         
1377         case GetByIdWithThis: {
1378             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1379                 fixEdge<CellUse>(node->child1());
1380                 fixEdge<CellUse>(node->child2());
1381             }
1382             break;
1383         }
1384
1385         case PutById:
1386         case PutByIdFlush:
1387         case PutByIdDirect: {
1388             if (node->child1()->shouldSpeculateCellOrOther()
1389                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1390                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1391                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1392                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1393                 
1394                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1395                 
1396                 if (uid == vm().propertyNames->lastIndex.impl()
1397                     && node->child1()->shouldSpeculateRegExpObject()) {
1398                     node->setOp(SetRegExpObjectLastIndex);
1399                     fixEdge<RegExpObjectUse>(node->child1());
1400                     speculateForBarrier(node->child2());
1401                     break;
1402                 }
1403             }
1404             
1405             fixEdge<CellUse>(node->child1());
1406             break;
1407         }
1408
1409         case PutGetterById:
1410         case PutSetterById: {
1411             fixEdge<KnownCellUse>(node->child1());
1412             fixEdge<KnownCellUse>(node->child2());
1413             break;
1414         }
1415
1416         case PutGetterSetterById: {
1417             fixEdge<KnownCellUse>(node->child1());
1418             break;
1419         }
1420
1421         case PutGetterByVal:
1422         case PutSetterByVal: {
1423             fixEdge<KnownCellUse>(node->child1());
1424             fixEdge<KnownCellUse>(node->child3());
1425             break;
1426         }
1427
1428         case GetExecutable: {
1429             fixEdge<FunctionUse>(node->child1());
1430             break;
1431         }
1432
1433         case OverridesHasInstance:
1434         case CheckStructure:
1435         case CheckCell:
1436         case CreateThis:
1437         case GetButterfly:
1438         case GetButterflyWithoutCaging: {
1439             fixEdge<CellUse>(node->child1());
1440             break;
1441         }
1442
1443         case CheckStringIdent: {
1444             fixEdge<StringIdentUse>(node->child1());
1445             break;
1446         }
1447             
1448         case Arrayify:
1449         case ArrayifyToStructure: {
1450             fixEdge<CellUse>(node->child1());
1451             if (node->child2())
1452                 fixEdge<Int32Use>(node->child2());
1453             break;
1454         }
1455             
1456         case GetByOffset:
1457         case GetGetterSetterByOffset: {
1458             if (!node->child1()->hasStorageResult())
1459                 fixEdge<KnownCellUse>(node->child1());
1460             fixEdge<KnownCellUse>(node->child2());
1461             break;
1462         }
1463             
1464         case MultiGetByOffset: {
1465             fixEdge<CellUse>(node->child1());
1466             break;
1467         }
1468             
1469         case PutByOffset: {
1470             if (!node->child1()->hasStorageResult())
1471                 fixEdge<KnownCellUse>(node->child1());
1472             fixEdge<KnownCellUse>(node->child2());
1473             unsigned index = indexForChecks();
1474             insertInferredTypeCheck(
1475                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1476                 node->storageAccessData().inferredType);
1477             speculateForBarrier(node->child3());
1478             break;
1479         }
1480             
1481         case MultiPutByOffset: {
1482             fixEdge<CellUse>(node->child1());
1483             break;
1484         }
1485             
1486         case InstanceOf: {
1487             if (!(node->child1()->prediction() & ~SpecCell))
1488                 fixEdge<CellUse>(node->child1());
1489             fixEdge<CellUse>(node->child2());
1490             break;
1491         }
1492
1493         case InstanceOfCustom:
1494             fixEdge<CellUse>(node->child2());
1495             break;
1496
1497         case In: {
1498             if (node->child2()->shouldSpeculateInt32()) {
1499                 convertToHasIndexedProperty(node);
1500                 break;
1501             }
1502
1503             fixEdge<CellUse>(node->child1());
1504             break;
1505         }
1506
1507         case HasOwnProperty: {
1508             fixEdge<ObjectUse>(node->child1());
1509 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1510             // We don't have enough registers to do anything interesting on x86 and mips.
1511             fixEdge<UntypedUse>(node->child2());
1512 #else
1513             if (node->child2()->shouldSpeculateString())
1514                 fixEdge<StringUse>(node->child2());
1515             else if (node->child2()->shouldSpeculateSymbol())
1516                 fixEdge<SymbolUse>(node->child2());
1517             else
1518                 fixEdge<UntypedUse>(node->child2());
1519 #endif
1520             break;
1521         }
1522
1523         case Check: {
1524             m_graph.doToChildren(
1525                 node,
1526                 [&] (Edge& edge) {
1527                     switch (edge.useKind()) {
1528                     case NumberUse:
1529                         if (edge->shouldSpeculateInt32ForArithmetic())
1530                             edge.setUseKind(Int32Use);
1531                         break;
1532                     default:
1533                         break;
1534                     }
1535                     observeUseKindOnEdge(edge);
1536                 });
1537             break;
1538         }
1539
1540         case Phantom:
1541             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1542             node->remove();
1543             break;
1544
1545         case FiatInt52: {
1546             RELEASE_ASSERT(enableInt52());
1547             node->convertToIdentity();
1548             fixEdge<Int52RepUse>(node->child1());
1549             node->setResult(NodeResultInt52);
1550             break;
1551         }
1552
1553         case GetArrayLength: {
1554             fixEdge<KnownCellUse>(node->child1());
1555             break;
1556         }
1557
1558         case GetTypedArrayByteOffset: {
1559             fixEdge<KnownCellUse>(node->child1());
1560             break;
1561         }
1562
1563         case Phi:
1564         case Upsilon:
1565         case EntrySwitch:
1566         case GetIndexedPropertyStorage:
1567         case LastNodeType:
1568         case CheckTierUpInLoop:
1569         case CheckTierUpAtReturn:
1570         case CheckTierUpAndOSREnter:
1571         case InvalidationPoint:
1572         case CheckArray:
1573         case CheckInBounds:
1574         case ConstantStoragePointer:
1575         case DoubleAsInt32:
1576         case ValueToInt32:
1577         case DoubleRep:
1578         case ValueRep:
1579         case Int52Rep:
1580         case Int52Constant:
1581         case Identity: // This should have been cleaned up.
1582         case BooleanToNumber:
1583         case PhantomNewObject:
1584         case PhantomNewFunction:
1585         case PhantomNewGeneratorFunction:
1586         case PhantomNewAsyncGeneratorFunction:
1587         case PhantomNewAsyncFunction:
1588         case PhantomCreateActivation:
1589         case PhantomDirectArguments:
1590         case PhantomCreateRest:
1591         case PhantomSpread:
1592         case PhantomNewArrayWithSpread:
1593         case PhantomClonedArguments:
1594         case GetMyArgumentByVal:
1595         case GetMyArgumentByValOutOfBounds:
1596         case GetVectorLength:
1597         case PutHint:
1598         case CheckStructureImmediate:
1599         case CheckStructureOrEmpty:
1600         case MaterializeNewObject:
1601         case MaterializeCreateActivation:
1602         case PutStack:
1603         case KillStack:
1604         case GetStack:
1605         case StoreBarrier:
1606         case FencedStoreBarrier:
1607         case GetRegExpObjectLastIndex:
1608         case SetRegExpObjectLastIndex:
1609         case RecordRegExpCachedResult:
1610             // These are just nodes that we don't currently expect to see during fixup.
1611             // If we ever wanted to insert them prior to fixup, then we just have to create
1612             // fixup rules for them.
1613             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1614             break;
1615
1616         case PutGlobalVariable: {
1617             fixEdge<CellUse>(node->child1());
1618             speculateForBarrier(node->child2());
1619             break;
1620         }
1621
1622         case IsObject:
1623             if (node->child1()->shouldSpeculateObject()) {
1624                 m_insertionSet.insertNode(
1625                     m_indexInBlock, SpecNone, Check, node->origin,
1626                     Edge(node->child1().node(), ObjectUse));
1627                 m_graph.convertToConstant(node, jsBoolean(true));
1628                 observeUseKindOnNode<ObjectUse>(node);
1629             }
1630             break;
1631
1632         case IsCellWithType: {
1633             fixupIsCellWithType(node);
1634             break;
1635         }
1636
1637         case GetEnumerableLength: {
1638             fixEdge<CellUse>(node->child1());
1639             break;
1640         }
1641         case HasGenericProperty: {
1642             fixEdge<CellUse>(node->child2());
1643             break;
1644         }
1645         case HasStructureProperty: {
1646             fixEdge<StringUse>(node->child2());
1647             fixEdge<KnownCellUse>(node->child3());
1648             break;
1649         }
1650         case HasIndexedProperty: {
1651             node->setArrayMode(
1652                 node->arrayMode().refine(
1653                     m_graph, node,
1654                     node->child1()->prediction(),
1655                     node->child2()->prediction(),
1656                     SpecNone));
1657             
1658             blessArrayOperation(node->child1(), node->child2(), node->child3());
1659             fixEdge<CellUse>(node->child1());
1660             fixEdge<KnownInt32Use>(node->child2());
1661             break;
1662         }
1663         case GetDirectPname: {
1664             Edge& base = m_graph.varArgChild(node, 0);
1665             Edge& property = m_graph.varArgChild(node, 1);
1666             Edge& index = m_graph.varArgChild(node, 2);
1667             Edge& enumerator = m_graph.varArgChild(node, 3);
1668             fixEdge<CellUse>(base);
1669             fixEdge<KnownCellUse>(property);
1670             fixEdge<KnownInt32Use>(index);
1671             fixEdge<KnownCellUse>(enumerator);
1672             break;
1673         }
1674         case GetPropertyEnumerator: {
1675             fixEdge<CellUse>(node->child1());
1676             break;
1677         }
1678         case GetEnumeratorStructurePname: {
1679             fixEdge<KnownCellUse>(node->child1());
1680             fixEdge<KnownInt32Use>(node->child2());
1681             break;
1682         }
1683         case GetEnumeratorGenericPname: {
1684             fixEdge<KnownCellUse>(node->child1());
1685             fixEdge<KnownInt32Use>(node->child2());
1686             break;
1687         }
1688         case ToIndexString: {
1689             fixEdge<KnownInt32Use>(node->child1());
1690             break;
1691         }
1692         case ProfileType: {
1693             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1694             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1695             // type T for the instructionTypeSet, the global type set must also have information for type T.
1696             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1697             // in the globalTypeSet would've also succeeded.
1698             // (The other direction does not hold in general).
1699
1700             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1701             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1702             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1703                 if (node->child1()->shouldSpeculateInt32()) {
1704                     fixEdge<Int32Use>(node->child1());
1705                     node->remove();
1706                     break;
1707                 }
1708
1709                 if (enableInt52()) {
1710                     fixEdge<AnyIntUse>(node->child1());
1711                     node->remove();
1712                     break;
1713                 }
1714
1715                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1716             }
1717
1718             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1719                 fixEdge<NumberUse>(node->child1());
1720                 node->remove();
1721             } else if (typeSet->doesTypeConformTo(TypeString)) {
1722                 fixEdge<StringUse>(node->child1());
1723                 node->remove();
1724             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1725                 fixEdge<BooleanUse>(node->child1());
1726                 node->remove();
1727             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1728                 fixEdge<OtherUse>(node->child1());
1729                 node->remove();
1730             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1731                 StructureSet set;
1732                 {
1733                     ConcurrentJSLocker locker(typeSet->m_lock);
1734                     set = typeSet->structureSet(locker);
1735                 }
1736                 if (!set.isEmpty()) {
1737                     fixEdge<CellUse>(node->child1());
1738                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1739                 }
1740             }
1741
1742             break;
1743         }
1744
1745         case CreateClonedArguments: {
1746             watchHavingABadTime(node);
1747             break;
1748         }
1749
1750         case CreateScopedArguments:
1751         case CreateActivation:
1752         case NewFunction:
1753         case NewGeneratorFunction:
1754         case NewAsyncGeneratorFunction:
1755         case NewAsyncFunction: {
1756             // Child 1 is always the current scope, which is guaranteed to be an object
1757             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1758             fixEdge<KnownCellUse>(node->child1());
1759             break;
1760         }
1761
1762         case PushWithScope: {
1763             // Child 1 is always the current scope, which is guaranteed to be an object
1764             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1765             fixEdge<KnownCellUse>(node->child1());
1766             if (node->child2()->shouldSpeculateObject())
1767                 fixEdge<ObjectUse>(node->child2());
1768             break;
1769         }
1770
1771         case SetFunctionName: {
1772             // The first child is guaranteed to be a cell because op_set_function_name is only used
1773             // on a newly instantiated function object (the first child).
1774             fixEdge<KnownCellUse>(node->child1());
1775             fixEdge<UntypedUse>(node->child2());
1776             break;
1777         }
1778
1779         case CreateRest: {
1780             watchHavingABadTime(node);
1781             fixEdge<KnownInt32Use>(node->child1());
1782             break;
1783         }
1784
1785         case ResolveScopeForHoistingFuncDeclInEval: {
1786             fixEdge<KnownCellUse>(node->child1());
1787             break;
1788         }
1789         case ResolveScope:
1790         case GetDynamicVar:
1791         case PutDynamicVar: {
1792             fixEdge<KnownCellUse>(node->child1());
1793             break;
1794         }
1795
1796         case LogShadowChickenPrologue: {
1797             fixEdge<KnownCellUse>(node->child1());
1798             break;
1799         }
1800         case LogShadowChickenTail: {
1801             fixEdge<UntypedUse>(node->child1());
1802             fixEdge<KnownCellUse>(node->child2());
1803             break;
1804         }
1805
1806         case GetMapBucket:
1807             if (node->child1().useKind() == MapObjectUse)
1808                 fixEdge<MapObjectUse>(node->child1());
1809             else if (node->child1().useKind() == SetObjectUse)
1810                 fixEdge<SetObjectUse>(node->child1());
1811             else
1812                 RELEASE_ASSERT_NOT_REACHED();
1813
1814 #if USE(JSVALUE64)
1815             if (node->child2()->shouldSpeculateBoolean())
1816                 fixEdge<BooleanUse>(node->child2());
1817             else if (node->child2()->shouldSpeculateInt32())
1818                 fixEdge<Int32Use>(node->child2());
1819             else if (node->child2()->shouldSpeculateSymbol())
1820                 fixEdge<SymbolUse>(node->child2());
1821             else if (node->child2()->shouldSpeculateObject())
1822                 fixEdge<ObjectUse>(node->child2());
1823             else if (node->child2()->shouldSpeculateString())
1824                 fixEdge<StringUse>(node->child2());
1825             else if (node->child2()->shouldSpeculateCell())
1826                 fixEdge<CellUse>(node->child2());
1827             else
1828                 fixEdge<UntypedUse>(node->child2());
1829 #else
1830             fixEdge<UntypedUse>(node->child2());
1831 #endif // USE(JSVALUE64)
1832
1833             fixEdge<Int32Use>(node->child3());
1834             break;
1835
1836         case GetMapBucketHead:
1837             if (node->child1().useKind() == MapObjectUse)
1838                 fixEdge<MapObjectUse>(node->child1());
1839             else if (node->child1().useKind() == SetObjectUse)
1840                 fixEdge<SetObjectUse>(node->child1());
1841             else
1842                 RELEASE_ASSERT_NOT_REACHED();
1843             break;
1844
1845         case GetMapBucketNext:
1846         case LoadKeyFromMapBucket:
1847         case LoadValueFromMapBucket:
1848             fixEdge<CellUse>(node->child1());
1849             break;
1850
1851         case MapHash: {
1852 #if USE(JSVALUE64)
1853             if (node->child1()->shouldSpeculateBoolean()) {
1854                 fixEdge<BooleanUse>(node->child1());
1855                 break;
1856             }
1857
1858             if (node->child1()->shouldSpeculateInt32()) {
1859                 fixEdge<Int32Use>(node->child1());
1860                 break;
1861             }
1862
1863             if (node->child1()->shouldSpeculateSymbol()) {
1864                 fixEdge<SymbolUse>(node->child1());
1865                 break;
1866             }
1867
1868             if (node->child1()->shouldSpeculateObject()) {
1869                 fixEdge<ObjectUse>(node->child1());
1870                 break;
1871             }
1872
1873             if (node->child1()->shouldSpeculateString()) {
1874                 fixEdge<StringUse>(node->child1());
1875                 break;
1876             }
1877
1878             if (node->child1()->shouldSpeculateCell()) {
1879                 fixEdge<CellUse>(node->child1());
1880                 break;
1881             }
1882
1883             fixEdge<UntypedUse>(node->child1());
1884 #else
1885             fixEdge<UntypedUse>(node->child1());
1886 #endif // USE(JSVALUE64)
1887             break;
1888         }
1889
1890         case DefineDataProperty: {
1891             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1892             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1893             if (propertyEdge->shouldSpeculateSymbol())
1894                 fixEdge<SymbolUse>(propertyEdge);
1895             else if (propertyEdge->shouldSpeculateStringIdent())
1896                 fixEdge<StringIdentUse>(propertyEdge);
1897             else if (propertyEdge->shouldSpeculateString())
1898                 fixEdge<StringUse>(propertyEdge);
1899             else
1900                 fixEdge<UntypedUse>(propertyEdge);
1901             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1902             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1903             break;
1904         }
1905
1906         case ToLowerCase: {
1907             // We currently only support StringUse since that will ensure that
1908             // ToLowerCase is a pure operation. If we decide to update this with
1909             // more types in the future, we need to ensure that the clobberize rules
1910             // are correct.
1911             fixEdge<StringUse>(node->child1());
1912             break;
1913         }
1914
1915         case NumberToStringWithRadix: {
1916             if (node->child1()->shouldSpeculateInt32())
1917                 fixEdge<Int32Use>(node->child1());
1918             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
1919                 fixEdge<Int52RepUse>(node->child1());
1920             else
1921                 fixEdge<DoubleRepUse>(node->child1());
1922             fixEdge<Int32Use>(node->child2());
1923             break;
1924         }
1925
1926         case DefineAccessorProperty: {
1927             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1928             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1929             if (propertyEdge->shouldSpeculateSymbol())
1930                 fixEdge<SymbolUse>(propertyEdge);
1931             else if (propertyEdge->shouldSpeculateStringIdent())
1932                 fixEdge<StringIdentUse>(propertyEdge);
1933             else if (propertyEdge->shouldSpeculateString())
1934                 fixEdge<StringUse>(propertyEdge);
1935             else
1936                 fixEdge<UntypedUse>(propertyEdge);
1937             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
1938             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
1939             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
1940             break;
1941         }
1942
1943         case CheckSubClass: {
1944             fixupCheckSubClass(node);
1945             break;
1946         }
1947
1948         case CallDOMGetter: {
1949             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
1950             fixEdge<CellUse>(node->child1()); // DOM.
1951             if (snippet && snippet->requireGlobalObject)
1952                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
1953             break;
1954         }
1955
1956         case CallDOM: {
1957             fixupCallDOM(node);
1958             break;
1959         }
1960
1961         case Call: {
1962             attemptToMakeCallDOM(node);
1963             break;
1964         }
1965
1966         case ParseInt: {
1967             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
1968                 fixEdge<Int32Use>(node->child1());
1969                 node->convertToIdentity();
1970                 break;
1971             }
1972
1973             if (node->child1()->shouldSpeculateString()) {
1974                 fixEdge<StringUse>(node->child1());
1975                 node->clearFlags(NodeMustGenerate);
1976             }
1977
1978             if (node->child2())
1979                 fixEdge<Int32Use>(node->child2());
1980
1981             break;
1982         }
1983
1984         case IdentityWithProfile: {
1985             node->clearFlags(NodeMustGenerate);
1986             break;
1987         }
1988
1989         case ThrowStaticError:
1990             fixEdge<StringUse>(node->child1());
1991             break;
1992
1993 #if !ASSERT_DISABLED
1994         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
1995         case SetArgument:
1996         case JSConstant:
1997         case LazyJSConstant:
1998         case DoubleConstant:
1999         case GetLocal:
2000         case GetCallee:
2001         case GetArgumentCountIncludingThis:
2002         case GetRestLength:
2003         case GetArgument:
2004         case Flush:
2005         case PhantomLocal:
2006         case GetLocalUnlinked:
2007         case GetGlobalVar:
2008         case GetGlobalLexicalVariable:
2009         case NotifyWrite:
2010         case DirectCall:
2011         case CheckTypeInfoFlags:
2012         case TailCallInlinedCaller:
2013         case DirectTailCallInlinedCaller:
2014         case Construct:
2015         case DirectConstruct:
2016         case CallVarargs:
2017         case CallEval:
2018         case TailCallVarargsInlinedCaller:
2019         case ConstructVarargs:
2020         case CallForwardVarargs:
2021         case ConstructForwardVarargs:
2022         case TailCallForwardVarargs:
2023         case TailCallForwardVarargsInlinedCaller:
2024         case LoadVarargs:
2025         case ForwardVarargs:
2026         case ProfileControlFlow:
2027         case NewObject:
2028         case NewRegexp:
2029         case DeleteById:
2030         case DeleteByVal:
2031         case IsTypedArrayView:
2032         case IsEmpty:
2033         case IsUndefined:
2034         case IsBoolean:
2035         case IsNumber:
2036         case IsObjectOrNull:
2037         case IsFunction:
2038         case CreateDirectArguments:
2039         case Jump:
2040         case Return:
2041         case TailCall:
2042         case DirectTailCall:
2043         case TailCallVarargs:
2044         case Throw:
2045         case CountExecution:
2046         case ForceOSRExit:
2047         case CheckBadCell:
2048         case CheckNotEmpty:
2049         case CheckTraps:
2050         case Unreachable:
2051         case ExtractOSREntryLocal:
2052         case ExtractCatchLocal:
2053         case LoopHint:
2054         case MovHint:
2055         case InitializeEntrypointArguments:
2056         case ZombieHint:
2057         case ExitOK:
2058         case BottomValue:
2059         case TypeOf:
2060         case PutByIdWithThis:
2061         case PutByValWithThis:
2062         case GetByValWithThis:
2063         case CompareEqPtr:
2064         case NumberToStringWithValidRadixConstant:
2065             break;
2066 #else
2067         default:
2068             break;
2069 #endif
2070         }
2071     }
2072
2073     void watchHavingABadTime(Node* node)
2074     {
2075         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2076
2077         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2078         // does an array allocation. The types of array allocations may change if we start to have a bad
2079         // time. It's easier to reason about this if we know that whenever the types change after we start
2080         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2081         // prior to this point nobody should have been doing optimizations based on the indexing type of
2082         // the allocation.
2083         if (!globalObject->isHavingABadTime()) {
2084             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2085             m_graph.freeze(globalObject);
2086         }
2087     }
2088     
2089     template<UseKind useKind>
2090     void createToString(Node* node, Edge& edge)
2091     {
2092         Node* toString = m_insertionSet.insertNode(
2093             m_indexInBlock, SpecString, ToString, node->origin,
2094             Edge(edge.node(), useKind));
2095         switch (useKind) {
2096         case Int32Use:
2097         case Int52RepUse:
2098         case DoubleRepUse:
2099         case NotCellUse:
2100             toString->clearFlags(NodeMustGenerate);
2101             break;
2102         default:
2103             break;
2104         }
2105         edge.setNode(toString);
2106     }
2107     
2108     template<UseKind useKind>
2109     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2110     {
2111         ASSERT(arrayMode == ArrayMode(Array::Generic));
2112         
2113         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2114             return;
2115         
2116         createToString<useKind>(node, node->child1());
2117         arrayMode = ArrayMode(Array::String);
2118     }
2119     
2120     template<UseKind useKind>
2121     bool isStringObjectUse()
2122     {
2123         switch (useKind) {
2124         case StringObjectUse:
2125         case StringOrStringObjectUse:
2126             return true;
2127         default:
2128             return false;
2129         }
2130     }
2131     
2132     template<UseKind useKind>
2133     void convertStringAddUse(Node* node, Edge& edge)
2134     {
2135         if (useKind == StringUse) {
2136             observeUseKindOnNode<StringUse>(edge.node());
2137             m_insertionSet.insertNode(
2138                 m_indexInBlock, SpecNone, Check, node->origin,
2139                 Edge(edge.node(), StringUse));
2140             edge.setUseKind(KnownStringUse);
2141             return;
2142         }
2143         
2144         observeUseKindOnNode<useKind>(edge.node());
2145         createToString<useKind>(node, edge);
2146     }
2147     
2148     void convertToMakeRope(Node* node)
2149     {
2150         node->setOpAndDefaultFlags(MakeRope);
2151         fixupMakeRope(node);
2152     }
2153     
2154     void fixupMakeRope(Node* node)
2155     {
2156         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2157             Edge& edge = node->children.child(i);
2158             if (!edge)
2159                 break;
2160             edge.setUseKind(KnownStringUse);
2161             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2162             if (!string)
2163                 continue;
2164             if (string->length())
2165                 continue;
2166             
2167             // Don't allow the MakeRope to have zero children.
2168             if (!i && !node->child2())
2169                 break;
2170             
2171             node->children.removeEdge(i--);
2172         }
2173         
2174         if (!node->child2()) {
2175             ASSERT(!node->child3());
2176             node->convertToIdentity();
2177         }
2178     }
2179
2180     void fixupIsCellWithType(Node* node)
2181     {
2182         switch (node->speculatedTypeForQuery()) {
2183         case SpecString:
2184             if (node->child1()->shouldSpeculateString()) {
2185                 m_insertionSet.insertNode(
2186                     m_indexInBlock, SpecNone, Check, node->origin,
2187                     Edge(node->child1().node(), StringUse));
2188                 m_graph.convertToConstant(node, jsBoolean(true));
2189                 observeUseKindOnNode<StringUse>(node);
2190                 return;
2191             }
2192             break;
2193
2194         case SpecProxyObject:
2195             if (node->child1()->shouldSpeculateProxyObject()) {
2196                 m_insertionSet.insertNode(
2197                     m_indexInBlock, SpecNone, Check, node->origin,
2198                     Edge(node->child1().node(), ProxyObjectUse));
2199                 m_graph.convertToConstant(node, jsBoolean(true));
2200                 observeUseKindOnNode<ProxyObjectUse>(node);
2201                 return;
2202             }
2203             break;
2204
2205         case SpecRegExpObject:
2206             if (node->child1()->shouldSpeculateRegExpObject()) {
2207                 m_insertionSet.insertNode(
2208                     m_indexInBlock, SpecNone, Check, node->origin,
2209                     Edge(node->child1().node(), RegExpObjectUse));
2210                 m_graph.convertToConstant(node, jsBoolean(true));
2211                 observeUseKindOnNode<RegExpObjectUse>(node);
2212                 return;
2213             }
2214             break;
2215
2216         case SpecArray:
2217             if (node->child1()->shouldSpeculateArray()) {
2218                 m_insertionSet.insertNode(
2219                     m_indexInBlock, SpecNone, Check, node->origin,
2220                     Edge(node->child1().node(), ArrayUse));
2221                 m_graph.convertToConstant(node, jsBoolean(true));
2222                 observeUseKindOnNode<ArrayUse>(node);
2223                 return;
2224             }
2225             break;
2226
2227         case SpecDerivedArray:
2228             if (node->child1()->shouldSpeculateDerivedArray()) {
2229                 m_insertionSet.insertNode(
2230                     m_indexInBlock, SpecNone, Check, node->origin,
2231                     Edge(node->child1().node(), DerivedArrayUse));
2232                 m_graph.convertToConstant(node, jsBoolean(true));
2233                 observeUseKindOnNode<DerivedArrayUse>(node);
2234                 return;
2235             }
2236             break;
2237         }
2238
2239         if (node->child1()->shouldSpeculateCell()) {
2240             fixEdge<CellUse>(node->child1());
2241             return;
2242         }
2243
2244         if (node->child1()->shouldSpeculateNotCell()) {
2245             m_insertionSet.insertNode(
2246                 m_indexInBlock, SpecNone, Check, node->origin,
2247                 Edge(node->child1().node(), NotCellUse));
2248             m_graph.convertToConstant(node, jsBoolean(false));
2249             observeUseKindOnNode<NotCellUse>(node);
2250             return;
2251         }
2252     }
2253
2254     void fixupToThis(Node* node)
2255     {
2256         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2257
2258         if (ecmaMode == StrictMode) {
2259             if (node->child1()->shouldSpeculateBoolean()) {
2260                 fixEdge<BooleanUse>(node->child1());
2261                 node->convertToIdentity();
2262                 return;
2263             }
2264
2265             if (node->child1()->shouldSpeculateInt32()) {
2266                 fixEdge<Int32Use>(node->child1());
2267                 node->convertToIdentity();
2268                 return;
2269             }
2270
2271             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2272                 fixEdge<Int52RepUse>(node->child1());
2273                 node->convertToIdentity();
2274                 node->setResult(NodeResultInt52);
2275                 return;
2276             }
2277
2278             if (node->child1()->shouldSpeculateNumber()) {
2279                 fixEdge<DoubleRepUse>(node->child1());
2280                 node->convertToIdentity();
2281                 node->setResult(NodeResultDouble);
2282                 return;
2283             }
2284
2285             if (node->child1()->shouldSpeculateSymbol()) {
2286                 fixEdge<SymbolUse>(node->child1());
2287                 node->convertToIdentity();
2288                 return;
2289             }
2290
2291             if (node->child1()->shouldSpeculateStringIdent()) {
2292                 fixEdge<StringIdentUse>(node->child1());
2293                 node->convertToIdentity();
2294                 return;
2295             }
2296
2297             if (node->child1()->shouldSpeculateString()) {
2298                 fixEdge<StringUse>(node->child1());
2299                 node->convertToIdentity();
2300                 return;
2301             }
2302         }
2303
2304         if (node->child1()->shouldSpeculateOther()) {
2305             if (ecmaMode == StrictMode) {
2306                 fixEdge<OtherUse>(node->child1());
2307                 node->convertToIdentity();
2308                 return;
2309             }
2310
2311             m_insertionSet.insertNode(
2312                 m_indexInBlock, SpecNone, Check, node->origin,
2313                 Edge(node->child1().node(), OtherUse));
2314             observeUseKindOnNode<OtherUse>(node->child1().node());
2315             m_graph.convertToConstant(
2316                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2317             return;
2318         }
2319
2320         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2321         // however, since we cover all the missing cases in constant folding.
2322         // https://bugs.webkit.org/show_bug.cgi?id=157213
2323         if (node->child1()->shouldSpeculateStringObject()) {
2324             fixEdge<StringObjectUse>(node->child1());
2325             node->convertToIdentity();
2326             return;
2327         }
2328
2329         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2330             fixEdge<FinalObjectUse>(node->child1());
2331             node->convertToIdentity();
2332             return;
2333         }
2334     }
2335     
2336     void fixupToPrimitive(Node* node)
2337     {
2338         if (node->child1()->shouldSpeculateInt32()) {
2339             fixEdge<Int32Use>(node->child1());
2340             node->convertToIdentity();
2341             return;
2342         }
2343         
2344         if (node->child1()->shouldSpeculateString()) {
2345             fixEdge<StringUse>(node->child1());
2346             node->convertToIdentity();
2347             return;
2348         }
2349         
2350         if (node->child1()->shouldSpeculateStringObject()
2351             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2352             fixEdge<StringObjectUse>(node->child1());
2353             node->convertToToString();
2354             return;
2355         }
2356         
2357         if (node->child1()->shouldSpeculateStringOrStringObject()
2358             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2359             fixEdge<StringOrStringObjectUse>(node->child1());
2360             node->convertToToString();
2361             return;
2362         }
2363     }
2364
2365     void fixupToNumber(Node* node)
2366     {
2367         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2368         if (node->child1()->shouldSpeculateNumber()) {
2369             if (isInt32Speculation(node->getHeapPrediction())) {
2370                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2371                 if (node->child1()->shouldSpeculateInt32()) {
2372                     fixEdge<Int32Use>(node->child1());
2373                     node->convertToIdentity();
2374                     return;
2375                 }
2376
2377                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2378                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2379                 fixEdge<DoubleRepUse>(node->child1());
2380                 node->setOp(DoubleAsInt32);
2381                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2382                     node->setArithMode(Arith::CheckOverflow);
2383                 else
2384                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2385                 return;
2386             }
2387
2388             fixEdge<DoubleRepUse>(node->child1());
2389             node->convertToIdentity();
2390             node->setResult(NodeResultDouble);
2391             return;
2392         }
2393
2394         fixEdge<UntypedUse>(node->child1());
2395         node->setResult(NodeResultJS);
2396     }
2397     
2398     void fixupToStringOrCallStringConstructor(Node* node)
2399     {
2400         if (node->child1()->shouldSpeculateString()) {
2401             fixEdge<StringUse>(node->child1());
2402             node->convertToIdentity();
2403             return;
2404         }
2405         
2406         if (node->child1()->shouldSpeculateStringObject()
2407             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2408             fixEdge<StringObjectUse>(node->child1());
2409             return;
2410         }
2411         
2412         if (node->child1()->shouldSpeculateStringOrStringObject()
2413             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2414             fixEdge<StringOrStringObjectUse>(node->child1());
2415             return;
2416         }
2417         
2418         if (node->child1()->shouldSpeculateCell()) {
2419             fixEdge<CellUse>(node->child1());
2420             return;
2421         }
2422
2423         if (node->child1()->shouldSpeculateInt32()) {
2424             fixEdge<Int32Use>(node->child1());
2425             node->clearFlags(NodeMustGenerate);
2426             return;
2427         }
2428
2429         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2430             fixEdge<Int52RepUse>(node->child1());
2431             node->clearFlags(NodeMustGenerate);
2432             return;
2433         }
2434
2435         if (node->child1()->shouldSpeculateNumber()) {
2436             fixEdge<DoubleRepUse>(node->child1());
2437             node->clearFlags(NodeMustGenerate);
2438             return;
2439         }
2440
2441         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2442         // we need to care about it in the clobberize. In the following case,
2443         // since NotCellUse edge filter is used and this edge filters Symbols,
2444         // we can say that ToString never throws an error!
2445         if (node->child1()->shouldSpeculateNotCell()) {
2446             fixEdge<NotCellUse>(node->child1());
2447             node->clearFlags(NodeMustGenerate);
2448             return;
2449         }
2450     }
2451
2452     bool attemptToMakeFastStringAdd(Node* node)
2453     {
2454         bool goodToGo = true;
2455         m_graph.doToChildren(
2456             node,
2457             [&] (Edge& edge) {
2458                 if (edge->shouldSpeculateString())
2459                     return;
2460                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2461                     if (edge->shouldSpeculateStringObject())
2462                         return;
2463                     if (edge->shouldSpeculateStringOrStringObject())
2464                         return;
2465                 }
2466                 goodToGo = false;
2467             });
2468         if (!goodToGo)
2469             return false;
2470
2471         m_graph.doToChildren(
2472             node,
2473             [&] (Edge& edge) {
2474                 if (edge->shouldSpeculateString()) {
2475                     convertStringAddUse<StringUse>(node, edge);
2476                     return;
2477                 }
2478                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2479                 if (edge->shouldSpeculateStringObject()) {
2480                     convertStringAddUse<StringObjectUse>(node, edge);
2481                     return;
2482                 }
2483                 if (edge->shouldSpeculateStringOrStringObject()) {
2484                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2485                     return;
2486                 }
2487                 RELEASE_ASSERT_NOT_REACHED();
2488             });
2489         
2490         convertToMakeRope(node);
2491         return true;
2492     }
2493
2494     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2495     {
2496         if (!block)
2497             return;
2498         ASSERT(block->isReachable);
2499         m_block = block;
2500         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2501             Node* node = m_currentNode = block->at(m_indexInBlock);
2502             if (node->op() != SetLocal && node->op() != GetLocal)
2503                 continue;
2504             
2505             VariableAccessData* variable = node->variableAccessData();
2506             switch (node->op()) {
2507             case GetLocal:
2508                 switch (variable->flushFormat()) {
2509                 case FlushedDouble:
2510                     node->setResult(NodeResultDouble);
2511                     break;
2512                 case FlushedInt52:
2513                     node->setResult(NodeResultInt52);
2514                     break;
2515                 default:
2516                     break;
2517                 }
2518                 break;
2519                 
2520             case SetLocal:
2521                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2522                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2523                 
2524                 switch (variable->flushFormat()) {
2525                 case FlushedJSValue:
2526                     break;
2527                 case FlushedDouble:
2528                     fixEdge<DoubleRepUse>(node->child1());
2529                     break;
2530                 case FlushedInt32:
2531                     fixEdge<Int32Use>(node->child1());
2532                     break;
2533                 case FlushedInt52:
2534                     fixEdge<Int52RepUse>(node->child1());
2535                     break;
2536                 case FlushedCell:
2537                     fixEdge<CellUse>(node->child1());
2538                     break;
2539                 case FlushedBoolean:
2540                     fixEdge<BooleanUse>(node->child1());
2541                     break;
2542                 default:
2543                     RELEASE_ASSERT_NOT_REACHED();
2544                     break;
2545                 }
2546                 break;
2547                 
2548             default:
2549                 RELEASE_ASSERT_NOT_REACHED();
2550                 break;
2551             }
2552         }
2553         m_insertionSet.execute(block);
2554     }
2555     
2556     void addStringReplacePrimordialChecks(Node* searchRegExp)
2557     {
2558         Node* node = m_currentNode;
2559
2560         // Check that structure of searchRegExp is RegExp object
2561         m_insertionSet.insertNode(
2562             m_indexInBlock, SpecNone, Check, node->origin,
2563             Edge(searchRegExp, RegExpObjectUse));
2564
2565         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2566             unsigned index = m_graph.identifiers().ensure(propertyUID);
2567
2568             Node* actualProperty = m_insertionSet.insertNode(
2569                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2570                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2571
2572             m_insertionSet.insertNode(
2573                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2574                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2575         };
2576
2577         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2578
2579         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2580         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2581         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2582         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2583         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2584         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2585         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2586         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2587     }
2588
2589     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2590     {
2591         ASSERT(arrayMode.isSpecific());
2592         
2593         if (arrayMode.type() == Array::String) {
2594             m_insertionSet.insertNode(
2595                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2596         } else {
2597             // Note that we only need to be using a structure check if we opt for SaneChain, since
2598             // that needs to protect against JSArray's __proto__ being changed.
2599             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2600         
2601             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2602             
2603             if (arrayMode.doesConversion()) {
2604                 if (structure) {
2605                     m_insertionSet.insertNode(
2606                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2607                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2608                 } else {
2609                     m_insertionSet.insertNode(
2610                         m_indexInBlock, SpecNone, Arrayify, origin,
2611                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2612                 }
2613             } else {
2614                 if (structure) {
2615                     m_insertionSet.insertNode(
2616                         m_indexInBlock, SpecNone, CheckStructure, origin,
2617                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2618                 } else {
2619                     m_insertionSet.insertNode(
2620                         m_indexInBlock, SpecNone, CheckArray, origin,
2621                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2622                 }
2623             }
2624         }
2625         
2626         if (!storageCheck(arrayMode))
2627             return nullptr;
2628         
2629         if (arrayMode.usesButterfly()) {
2630             return m_insertionSet.insertNode(
2631                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2632         }
2633         
2634         return m_insertionSet.insertNode(
2635             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2636             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2637     }
2638     
2639     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2640     {
2641         Node* node = m_currentNode;
2642         
2643         switch (node->arrayMode().type()) {
2644         case Array::ForceExit: {
2645             m_insertionSet.insertNode(
2646                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2647             return;
2648         }
2649             
2650         case Array::SelectUsingPredictions:
2651         case Array::Unprofiled:
2652             RELEASE_ASSERT_NOT_REACHED();
2653             return;
2654             
2655         case Array::Generic:
2656             return;
2657             
2658         default: {
2659             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2660             if (!storage)
2661                 return;
2662             
2663             storageChild = Edge(storage);
2664             return;
2665         } }
2666     }
2667     
2668     bool alwaysUnboxSimplePrimitives()
2669     {
2670 #if USE(JSVALUE64)
2671         return false;
2672 #else
2673         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2674         // reduces traffic.
2675         return true;
2676 #endif
2677     }
2678
2679     template<UseKind useKind>
2680     void observeUseKindOnNode(Node* node)
2681     {
2682         if (useKind == UntypedUse)
2683             return;
2684         observeUseKindOnNode(node, useKind);
2685     }
2686
2687     void observeUseKindOnEdge(Edge edge)
2688     {
2689         observeUseKindOnNode(edge.node(), edge.useKind());
2690     }
2691
2692     void observeUseKindOnNode(Node* node, UseKind useKind)
2693     {
2694         if (node->op() != GetLocal)
2695             return;
2696         
2697         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2698         // https://bugs.webkit.org/show_bug.cgi?id=121518
2699         
2700         VariableAccessData* variable = node->variableAccessData();
2701         switch (useKind) {
2702         case Int32Use:
2703         case KnownInt32Use:
2704             if (alwaysUnboxSimplePrimitives()
2705                 || isInt32Speculation(variable->prediction()))
2706                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2707             break;
2708         case NumberUse:
2709         case RealNumberUse:
2710         case DoubleRepUse:
2711         case DoubleRepRealUse:
2712             if (variable->doubleFormatState() == UsingDoubleFormat)
2713                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2714             break;
2715         case BooleanUse:
2716         case KnownBooleanUse:
2717             if (alwaysUnboxSimplePrimitives()
2718                 || isBooleanSpeculation(variable->prediction()))
2719                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2720             break;
2721         case Int52RepUse:
2722             if (isAnyIntSpeculation(variable->prediction()))
2723                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2724             break;
2725         case CellUse:
2726         case KnownCellUse:
2727         case ObjectUse:
2728         case FunctionUse:
2729         case StringUse:
2730         case KnownStringUse:
2731         case SymbolUse:
2732         case StringObjectUse:
2733         case StringOrStringObjectUse:
2734             if (alwaysUnboxSimplePrimitives()
2735                 || isCellSpeculation(variable->prediction()))
2736                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2737             break;
2738         default:
2739             break;
2740         }
2741     }
2742     
2743     template<UseKind useKind>
2744     void fixEdge(Edge& edge)
2745     {
2746         observeUseKindOnNode<useKind>(edge.node());
2747         edge.setUseKind(useKind);
2748     }
2749     
2750     unsigned indexForChecks()
2751     {
2752         unsigned index = m_indexInBlock;
2753         while (!m_block->at(index)->origin.exitOK)
2754             index--;
2755         return index;
2756     }
2757     
2758     NodeOrigin originForCheck(unsigned index)
2759     {
2760         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2761     }
2762     
2763     void speculateForBarrier(Edge value)
2764     {
2765         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2766         // the DFG anyway because if such a speculation would be wrong, we want to know before
2767         // we do an expensive compile.
2768         
2769         if (value->shouldSpeculateInt32()) {
2770             insertCheck<Int32Use>(value.node());
2771             return;
2772         }
2773             
2774         if (value->shouldSpeculateBoolean()) {
2775             insertCheck<BooleanUse>(value.node());
2776             return;
2777         }
2778             
2779         if (value->shouldSpeculateOther()) {
2780             insertCheck<OtherUse>(value.node());
2781             return;
2782         }
2783             
2784         if (value->shouldSpeculateNumber()) {
2785             insertCheck<NumberUse>(value.node());
2786             return;
2787         }
2788             
2789         if (value->shouldSpeculateNotCell()) {
2790             insertCheck<NotCellUse>(value.node());
2791             return;
2792         }
2793     }
2794     
2795     template<UseKind useKind>
2796     void insertCheck(Node* node)
2797     {
2798         observeUseKindOnNode<useKind>(node);
2799         unsigned index = indexForChecks();
2800         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
2801     }
2802
2803     void fixIntConvertingEdge(Edge& edge)
2804     {
2805         Node* node = edge.node();
2806         if (node->shouldSpeculateInt32OrBoolean()) {
2807             fixIntOrBooleanEdge(edge);
2808             return;
2809         }
2810         
2811         UseKind useKind;
2812         if (node->shouldSpeculateAnyInt())
2813             useKind = Int52RepUse;
2814         else if (node->shouldSpeculateNumber())
2815             useKind = DoubleRepUse;
2816         else
2817             useKind = NotCellUse;
2818         Node* newNode = m_insertionSet.insertNode(
2819             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
2820             Edge(node, useKind));
2821         observeUseKindOnNode(node, useKind);
2822         
2823         edge = Edge(newNode, KnownInt32Use);
2824     }
2825     
2826     void fixIntOrBooleanEdge(Edge& edge)
2827     {
2828         Node* node = edge.node();
2829         if (!node->sawBooleans()) {
2830             fixEdge<Int32Use>(edge);
2831             return;
2832         }
2833         
2834         UseKind useKind;
2835         if (node->shouldSpeculateBoolean())
2836             useKind = BooleanUse;
2837         else
2838             useKind = UntypedUse;
2839         Node* newNode = m_insertionSet.insertNode(
2840             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2841             Edge(node, useKind));
2842         observeUseKindOnNode(node, useKind);
2843         
2844         edge = Edge(newNode, Int32Use);
2845     }
2846     
2847     void fixDoubleOrBooleanEdge(Edge& edge)
2848     {
2849         Node* node = edge.node();
2850         if (!node->sawBooleans()) {
2851             fixEdge<DoubleRepUse>(edge);
2852             return;
2853         }
2854         
2855         UseKind useKind;
2856         if (node->shouldSpeculateBoolean())
2857             useKind = BooleanUse;
2858         else
2859             useKind = UntypedUse;
2860         Node* newNode = m_insertionSet.insertNode(
2861             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2862             Edge(node, useKind));
2863         observeUseKindOnNode(node, useKind);
2864         
2865         edge = Edge(newNode, DoubleRepUse);
2866     }
2867     
2868     void truncateConstantToInt32(Edge& edge)
2869     {
2870         Node* oldNode = edge.node();
2871         
2872         JSValue value = oldNode->asJSValue();
2873         if (value.isInt32())
2874             return;
2875         
2876         value = jsNumber(JSC::toInt32(value.asNumber()));
2877         ASSERT(value.isInt32());
2878         edge.setNode(m_insertionSet.insertNode(
2879             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
2880             OpInfo(m_graph.freeze(value))));
2881     }
2882     
2883     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
2884     {
2885         if (mode != SpeculateInt32AndTruncateConstants)
2886             return;
2887         
2888         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
2889         if (node->child1()->hasConstant())
2890             truncateConstantToInt32(node->child1());
2891         else
2892             truncateConstantToInt32(node->child2());
2893     }
2894
2895     bool attemptToMakeIntegerAdd(Node* node)
2896     {
2897         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
2898         if (mode != DontSpeculateInt32) {
2899             truncateConstantsIfNecessary(node, mode);
2900             fixIntOrBooleanEdge(node->child1());
2901             fixIntOrBooleanEdge(node->child2());
2902             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
2903                 node->setArithMode(Arith::Unchecked);
2904             else
2905                 node->setArithMode(Arith::CheckOverflow);
2906             return true;
2907         }
2908         
2909         if (m_graph.addShouldSpeculateAnyInt(node)) {
2910             fixEdge<Int52RepUse>(node->child1());
2911             fixEdge<Int52RepUse>(node->child2());
2912             node->setArithMode(Arith::CheckOverflow);
2913             node->setResult(NodeResultInt52);
2914             return true;
2915         }
2916         
2917         return false;
2918     }
2919     
2920     bool attemptToMakeGetArrayLength(Node* node)
2921     {
2922         if (!isInt32Speculation(node->prediction()))
2923             return false;
2924         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
2925         ArrayProfile* arrayProfile = 
2926             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
2927         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
2928         if (arrayProfile) {
2929             ConcurrentJSLocker locker(profiledBlock->m_lock);
2930             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
2931             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
2932             if (arrayMode.type() == Array::Unprofiled) {
2933                 // For normal array operations, it makes sense to treat Unprofiled
2934                 // accesses as ForceExit and get more data rather than using
2935                 // predictions and then possibly ending up with a Generic. But here,
2936                 // we treat anything that is Unprofiled as Generic and keep the
2937                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
2938                 // profit - from treating the Unprofiled case as
2939                 // SelectUsingPredictions.
2940                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
2941             }
2942         }
2943             
2944         arrayMode = arrayMode.refine(
2945             m_graph, node, node->child1()->prediction(), node->prediction());
2946             
2947         if (arrayMode.type() == Array::Generic) {
2948             // Check if the input is something that we can't get array length for, but for which we
2949             // could insert some conversions in order to transform it into something that we can do it
2950             // for.
2951             if (node->child1()->shouldSpeculateStringObject())
2952                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
2953             else if (node->child1()->shouldSpeculateStringOrStringObject())
2954                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
2955         }
2956             
2957         if (!arrayMode.supportsSelfLength())
2958             return false;
2959         
2960         convertToGetArrayLength(node, arrayMode);
2961         return true;
2962     }
2963
2964     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
2965     {
2966         node->setOp(GetArrayLength);
2967         node->clearFlags(NodeMustGenerate);
2968         fixEdge<KnownCellUse>(node->child1());
2969         node->setArrayMode(arrayMode);
2970             
2971         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
2972         if (!storage)
2973             return;
2974             
2975         node->child2() = Edge(storage);
2976     }
2977     
2978     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
2979     {
2980         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
2981         return m_insertionSet.insertNode(
2982             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
2983             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
2984     }
2985
2986     void convertToHasIndexedProperty(Node* node)
2987     {
2988         node->setOp(HasIndexedProperty);
2989         node->clearFlags(NodeMustGenerate);
2990         node->setArrayMode(
2991             node->arrayMode().refine(
2992                 m_graph, node,
2993                 node->child1()->prediction(),
2994                 node->child2()->prediction(),
2995                 SpecNone));
2996         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
2997
2998         blessArrayOperation(node->child1(), node->child2(), node->child3());
2999
3000         fixEdge<CellUse>(node->child1());
3001         fixEdge<Int32Use>(node->child2());
3002     }
3003
3004     bool attemptToMakeCallDOM(Node* node)
3005     {
3006         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3007             return false;
3008
3009         const DOMJIT::Signature* signature = node->signature();
3010         if (!signature)
3011             return false;
3012
3013         {
3014             unsigned index = 0;
3015             bool shouldConvertToCallDOM = true;
3016             m_graph.doToChildren(node, [&](Edge& edge) {
3017                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3018                 if (!index)
3019                     return;
3020
3021                 if (index == 1) {
3022                     // DOM node case.
3023                     if (edge->shouldSpeculateNotCell())
3024                         shouldConvertToCallDOM = false;
3025                 } else {
3026                     switch (signature->arguments[index - 2]) {
3027                     case SpecString:
3028                         if (edge->shouldSpeculateNotString())
3029                             shouldConvertToCallDOM = false;
3030                         break;
3031                     case SpecInt32Only:
3032                         if (edge->shouldSpeculateNotInt32())
3033                             shouldConvertToCallDOM = false;
3034                         break;
3035                     case SpecBoolean:
3036                         if (edge->shouldSpeculateNotBoolean())
3037                             shouldConvertToCallDOM = false;
3038                         break;
3039                     default:
3040                         RELEASE_ASSERT_NOT_REACHED();
3041                         break;
3042                     }
3043                 }
3044                 ++index;
3045             });
3046             if (!shouldConvertToCallDOM)
3047                 return false;
3048         }
3049
3050         Node* thisNode = m_graph.varArgChild(node, 1).node();
3051         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3052         node->convertToCallDOM(m_graph);
3053         fixupCheckSubClass(checkSubClass);
3054         fixupCallDOM(node);
3055         return true;
3056     }
3057
3058     void fixupCheckSubClass(Node* node)
3059     {
3060         fixEdge<CellUse>(node->child1());
3061     }
3062
3063     void fixupCallDOM(Node* node)
3064     {
3065         const DOMJIT::Signature* signature = node->signature();
3066         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3067             if (!edge)
3068                 return;
3069             switch (signature->arguments[argumentIndex]) {
3070             case SpecString:
3071                 fixEdge<StringUse>(edge);
3072                 break;
3073             case SpecInt32Only:
3074                 fixEdge<Int32Use>(edge);
3075                 break;
3076             case SpecBoolean:
3077                 fixEdge<BooleanUse>(edge);
3078                 break;
3079             default:
3080                 RELEASE_ASSERT_NOT_REACHED();
3081                 break;
3082             }
3083         };
3084         fixEdge<CellUse>(node->child1()); // DOM.
3085         fixup(node->child2(), 0);
3086         fixup(node->child3(), 1);
3087     }
3088
3089     void fixupArrayIndexOf(Node* node)
3090     {
3091         Edge& array = m_graph.varArgChild(node, 0);
3092         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3093         blessArrayOperation(array, Edge(), storage);
3094         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3095
3096         Edge& searchElement = m_graph.varArgChild(node, 1);
3097
3098         // Constant folding.
3099         switch (node->arrayMode().type()) {
3100         case Array::Double:
3101         case Array::Int32: {
3102             if (searchElement->shouldSpeculateCell()) {
3103                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3104                 m_graph.convertToConstant(node, jsNumber(-1));
3105                 observeUseKindOnNode<CellUse>(searchElement.node());
3106                 return;
3107             }
3108
3109             if (searchElement->shouldSpeculateOther()) {
3110                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3111                 m_graph.convertToConstant(node, jsNumber(-1));
3112                 observeUseKindOnNode<OtherUse>(searchElement.node());
3113                 return;
3114             }
3115
3116             if (searchElement->shouldSpeculateBoolean()) {
3117                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3118                 m_graph.convertToConstant(node, jsNumber(-1));
3119                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3120                 return;
3121             }
3122             break;
3123         }
3124         default:
3125             break;
3126         }
3127
3128         fixEdge<KnownCellUse>(array);
3129         if (node->numChildren() == 4)
3130             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3131
3132         switch (node->arrayMode().type()) {
3133         case Array::Double: {
3134             if (searchElement->shouldSpeculateNumber())
3135                 fixEdge<DoubleRepUse>(searchElement);
3136             return;
3137         }
3138         case Array::Int32: {
3139             if (searchElement->shouldSpeculateInt32())
3140                 fixEdge<Int32Use>(searchElement);
3141             return;
3142         }
3143         case Array::Contiguous: {
3144             if (searchElement->shouldSpeculateString())
3145                 fixEdge<StringUse>(searchElement);
3146             else if (searchElement->shouldSpeculateSymbol())
3147                 fixEdge<SymbolUse>(searchElement);
3148             else if (searchElement->shouldSpeculateOther())
3149                 fixEdge<OtherUse>(searchElement);
3150             else if (searchElement->shouldSpeculateObject())
3151                 fixEdge<ObjectUse>(searchElement);
3152             return;
3153         }
3154         default:
3155             RELEASE_ASSERT_NOT_REACHED();
3156             return;
3157         }
3158     }
3159
3160     void fixupChecksInBlock(BasicBlock* block)
3161     {
3162         if (!block)
3163             return;
3164         ASSERT(block->isReachable);
3165         m_block = block;
3166         unsigned indexForChecks = UINT_MAX;
3167         NodeOrigin originForChecks;
3168         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3169             Node* node = block->at(indexInBlock);
3170
3171             // If this is a node at which we could exit, then save its index. If nodes after this one
3172             // cannot exit, then we will hoist checks to here.
3173             if (node->origin.exitOK) {
3174                 indexForChecks = indexInBlock;
3175                 originForChecks = node->origin;
3176             }
3177
3178             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3179             
3180             // First, try to relax the representational demands of each node, in order to have
3181             // fewer conversions.
3182             switch (node->op()) {
3183             case MovHint:
3184             case Check:
3185                 m_graph.doToChildren(
3186                     node,
3187                     [&] (Edge& edge) {
3188                         switch (edge.useKind()) {
3189                         case DoubleRepUse:
3190                         case DoubleRepRealUse:
3191                             if (edge->hasDoubleResult())
3192                                 break;
3193             
3194                             if (edge->hasInt52Result())
3195                                 edge.setUseKind(Int52RepUse);
3196                             else if (edge.useKind() == DoubleRepUse)
3197                                 edge.setUseKind(NumberUse);
3198                             break;
3199             
3200                         case Int52RepUse:
3201                             // Nothing we can really do.
3202                             break;
3203             
3204                         case UntypedUse:
3205                         case NumberUse:
3206                             if (edge->hasDoubleResult())
3207                                 edge.setUseKind(DoubleRepUse);
3208                             else if (edge->hasInt52Result())
3209                                 edge.setUseKind(Int52RepUse);
3210                             break;
3211             
3212                         case RealNumberUse:
3213                             if (edge->hasDoubleResult())
3214                                 edge.setUseKind(DoubleRepRealUse);
3215                             else if (edge->hasInt52Result())
3216                                 edge.setUseKind(Int52RepUse);
3217                             break;
3218             
3219                         default:
3220                             break;
3221                         }
3222                     });
3223                 break;
3224                 
3225             case ValueToInt32:
3226                 if (node->child1().useKind() == DoubleRepUse
3227                     && !node->child1()->hasDoubleResult()) {
3228                     node->child1().setUseKind(NumberUse);
3229                     break;
3230                 }
3231                 break;
3232                 
3233             default:
3234                 break;
3235             }
3236
3237             // Now, insert type conversions if necessary.
3238             m_graph.doToChildren(
3239                 node,
3240                 [&] (Edge& edge) {
3241                     Node* result = nullptr;
3242
3243                     switch (edge.useKind()) {
3244                     case DoubleRepUse:
3245                     case DoubleRepRealUse:
3246                     case DoubleRepAnyIntUse: {
3247                         if (edge->hasDoubleResult())
3248                             break;
3249             
3250                         ASSERT(indexForChecks != UINT_MAX);
3251                         if (edge->isNumberConstant()) {
3252                             result = m_insertionSet.insertNode(
3253                                 indexForChecks, SpecBytecodeDouble, DoubleConstant, originForChecks,
3254                                 OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber()))));
3255                         } else if (edge->hasInt52Result()) {
3256                             result = m_insertionSet.insertNode(
3257                                 indexForChecks, SpecAnyIntAsDouble, DoubleRep, originForChecks,
3258                                 Edge(edge.node(), Int52RepUse));
3259                         } else {
3260                             UseKind useKind;
3261                             if (edge->shouldSpeculateDoubleReal())
3262                                 useKind = RealNumberUse;
3263                             else if (edge->shouldSpeculateNumber())
3264                                 useKind = NumberUse;
3265                             else
3266                                 useKind = NotCellUse;
3267
3268                             result = m_insertionSet.insertNode(
3269                                 indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks,
3270                                 Edge(edge.node(), useKind));
3271                         }
3272
3273                         edge.setNode(result);
3274                         break;
3275                     }
3276             
3277                     case Int52RepUse: {
3278                         if (edge->hasInt52Result())
3279                             break;
3280             
3281                         ASSERT(indexForChecks != UINT_MAX);
3282                         if (edge->isAnyIntConstant()) {
3283                             result = m_insertionSet.insertNode(
3284                                 indexForChecks, SpecAnyInt, Int52Constant, originForChecks,
3285                                 OpInfo(edge->constant()));
3286                         } else if (edge->hasDoubleResult()) {
3287                             result = m_insertionSet.insertNode(
3288                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3289                                 Edge(edge.node(), DoubleRepAnyIntUse));
3290                         } else if (edge->shouldSpeculateInt32ForArithmetic()) {
3291                             result = m_insertionSet.insertNode(
3292                                 indexForChecks, SpecInt32Only, Int52Rep, originForChecks,
3293                                 Edge(edge.node(), Int32Use));
3294                         } else {
3295                             result = m_insertionSet.insertNode(
3296                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3297                                 Edge(edge.node(), AnyIntUse));
3298                         }
3299
3300                         edge.setNode(result);
3301                         break;
3302                     }
3303
3304                     default: {
3305                         if (!edge->hasDoubleResult() && !edge->hasInt52Result())
3306                             break;
3307             
3308                         ASSERT(indexForChecks != UINT_MAX);
3309                         if (edge->hasDoubleResult()) {
3310                             result = m_insertionSet.insertNode(
3311                                 indexForChecks, SpecBytecodeDouble, ValueRep, originForChecks,
3312                                 Edge(edge.node(), DoubleRepUse));
3313                         } else {
3314                             result = m_insertionSet.insertNode(
3315                                 indexForChecks, SpecInt32Only | SpecAnyIntAsDouble, ValueRep,
3316                                 originForChecks, Edge(edge.node(), Int52RepUse));
3317                         }
3318
3319                         edge.setNode(result);
3320                         break;
3321                     } }
3322
3323                     // It's remotely possible that this node cannot do type checks, but we now have a
3324                     // type check on this node. We don't have to handle the general form of this
3325                     // problem. It only arises when ByteCodeParser emits an immediate SetLocal, rather
3326                     // than a delayed one. So, we only worry about those checks that we may have put on
3327                     // a SetLocal. Note that "indexForChecks != indexInBlock" is just another way of
3328                     // saying "!node->origin.exitOK".
3329                     if (indexForChecks != indexInBlock && mayHaveTypeCheck(edge.useKind())) {
3330                         UseKind knownUseKind;
3331                         
3332                         switch (edge.useKind()) {
3333                         case Int32Use:
3334                             knownUseKind = KnownInt32Use;
3335                             break;
3336                         case CellUse:
3337                             knownUseKind = KnownCellUse;
3338                             break;
3339                         case BooleanUse:
3340                             knownUseKind = KnownBooleanUse;
3341                             break;
3342                         default:
3343                             // This can only arise if we have a Check node, and in that case, we can
3344                             // just remove the original check.
3345                             DFG_ASSERT(m_graph, node, node->op() == Check);
3346                             knownUseKind = UntypedUse;
3347                             break;
3348                         }
3349
3350                         ASSERT(indexForChecks != UINT_MAX);
3351                         m_insertionSet.insertNode(
3352                             indexForChecks, SpecNone, Check, originForChecks, edge);
3353
3354                         edge.setUseKind(knownUseKind);
3355                     }
3356                 });
3357         }
3358         
3359         m_insertionSet.execute(block);
3360     }
3361     
3362     BasicBlock* m_block;
3363     unsigned m_indexInBlock;
3364     Node* m_currentNode;
3365     InsertionSet m_insertionSet;
3366     bool m_profitabilityChanged;
3367 };
3368     
3369 bool performFixup(Graph& graph)
3370 {
3371     return runPhase<FixupPhase>(graph);
3372 }
3373
3374 } } // namespace JSC::DFG
3375
3376 #endif // ENABLE(DFG_JIT)
3377