DFG AI and clobberize should agree with each other
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149             
150         case ValueAdd: {
151             if (attemptToMakeIntegerAdd(node)) {
152                 node->setOp(ArithAdd);
153                 break;
154             }
155             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
156                 fixDoubleOrBooleanEdge(node->child1());
157                 fixDoubleOrBooleanEdge(node->child2());
158                 node->setOp(ArithAdd);
159                 node->setResult(NodeResultDouble);
160                 break;
161             }
162             
163             if (attemptToMakeFastStringAdd(node))
164                 break;
165
166             Edge& child1 = node->child1();
167             Edge& child2 = node->child2();
168             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
169                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
170                     auto convertString = [&](Node* node, Edge& edge) {
171                         if (edge->shouldSpeculateInt32())
172                             convertStringAddUse<Int32Use>(node, edge);
173                         else {
174                             ASSERT(edge->shouldSpeculateString());
175                             convertStringAddUse<StringUse>(node, edge);
176                         }
177                     };
178                     convertString(node, child1);
179                     convertString(node, child2);
180                     convertToMakeRope(node);
181                     break;
182                 }
183             }
184
185             fixEdge<UntypedUse>(child1);
186             fixEdge<UntypedUse>(child2);
187             node->setResult(NodeResultJS);
188             break;
189         }
190
191         case StrCat: {
192             if (attemptToMakeFastStringAdd(node))
193                 break;
194
195             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
196             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
197             // the implementation of StrCat doesn't dynamically optimize for empty strings.
198             // https://bugs.webkit.org/show_bug.cgi?id=148540
199             m_graph.doToChildren(
200                 node,
201                 [&] (Edge& edge) {
202                     fixEdge<KnownPrimitiveUse>(edge);
203                     // StrCat automatically coerces the values into strings before concatenating them.
204                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
205                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
206                     // our runtime functions for this slow path expect that they will never be passed
207                     // Symbols.
208                     m_insertionSet.insertNode(
209                         m_indexInBlock, SpecNone, Check, node->origin,
210                         Edge(edge.node(), NotSymbolUse));
211                 });
212             break;
213         }
214             
215         case MakeRope: {
216             fixupMakeRope(node);
217             break;
218         }
219             
220         case ArithAdd:
221         case ArithSub: {
222             if (op == ArithSub
223                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
224                 fixEdge<UntypedUse>(node->child1());
225                 fixEdge<UntypedUse>(node->child2());
226                 node->setResult(NodeResultJS);
227                 break;
228             }
229             if (attemptToMakeIntegerAdd(node))
230                 break;
231             fixDoubleOrBooleanEdge(node->child1());
232             fixDoubleOrBooleanEdge(node->child2());
233             node->setResult(NodeResultDouble);
234             break;
235         }
236             
237         case ArithNegate: {
238             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
239                 fixIntOrBooleanEdge(node->child1());
240                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
241                     node->setArithMode(Arith::Unchecked);
242                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
243                     node->setArithMode(Arith::CheckOverflow);
244                 else
245                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
246                 node->setResult(NodeResultInt32);
247                 node->clearFlags(NodeMustGenerate);
248                 break;
249             }
250             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
251                 fixEdge<Int52RepUse>(node->child1());
252                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
253                     node->setArithMode(Arith::CheckOverflow);
254                 else
255                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
256                 node->setResult(NodeResultInt52);
257                 node->clearFlags(NodeMustGenerate);
258                 break;
259             }
260             if (node->child1()->shouldSpeculateNotCell()) {
261                 fixDoubleOrBooleanEdge(node->child1());
262                 node->setResult(NodeResultDouble);
263                 node->clearFlags(NodeMustGenerate);
264             } else
265                 fixEdge<UntypedUse>(node->child1());
266             break;
267         }
268             
269         case ArithMul: {
270             Edge& leftChild = node->child1();
271             Edge& rightChild = node->child2();
272             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
273                 fixEdge<UntypedUse>(leftChild);
274                 fixEdge<UntypedUse>(rightChild);
275                 node->setResult(NodeResultJS);
276                 break;
277             }
278             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
279                 fixIntOrBooleanEdge(leftChild);
280                 fixIntOrBooleanEdge(rightChild);
281                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
282                     node->setArithMode(Arith::Unchecked);
283                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
284                     || leftChild.node() == rightChild.node())
285                     node->setArithMode(Arith::CheckOverflow);
286                 else
287                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
288                 break;
289             }
290             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
291                 fixEdge<Int52RepUse>(leftChild);
292                 fixEdge<Int52RepUse>(rightChild);
293                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
294                     || leftChild.node() == rightChild.node())
295                     node->setArithMode(Arith::CheckOverflow);
296                 else
297                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
298                 node->setResult(NodeResultInt52);
299                 break;
300             }
301             fixDoubleOrBooleanEdge(leftChild);
302             fixDoubleOrBooleanEdge(rightChild);
303             node->setResult(NodeResultDouble);
304             break;
305         }
306
307         case ArithDiv:
308         case ArithMod: {
309             Edge& leftChild = node->child1();
310             Edge& rightChild = node->child2();
311             if (op == ArithDiv
312                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
313                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
314                 fixEdge<UntypedUse>(leftChild);
315                 fixEdge<UntypedUse>(rightChild);
316                 node->setResult(NodeResultJS);
317                 break;
318             }
319             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
320                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
321                     fixIntOrBooleanEdge(leftChild);
322                     fixIntOrBooleanEdge(rightChild);
323                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
324                         node->setArithMode(Arith::Unchecked);
325                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
326                         node->setArithMode(Arith::CheckOverflow);
327                     else
328                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
329                     break;
330                 }
331                 
332                 // This will cause conversion nodes to be inserted later.
333                 fixDoubleOrBooleanEdge(leftChild);
334                 fixDoubleOrBooleanEdge(rightChild);
335                 
336                 // We don't need to do ref'ing on the children because we're stealing them from
337                 // the original division.
338                 Node* newDivision = m_insertionSet.insertNode(
339                     m_indexInBlock, SpecBytecodeDouble, *node);
340                 newDivision->setResult(NodeResultDouble);
341                 
342                 node->setOp(DoubleAsInt32);
343                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
344                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
345                     node->setArithMode(Arith::CheckOverflow);
346                 else
347                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
348                 break;
349             }
350             fixDoubleOrBooleanEdge(leftChild);
351             fixDoubleOrBooleanEdge(rightChild);
352             node->setResult(NodeResultDouble);
353             break;
354         }
355             
356         case ArithMin:
357         case ArithMax: {
358             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
359                 fixIntOrBooleanEdge(node->child1());
360                 fixIntOrBooleanEdge(node->child2());
361                 break;
362             }
363             fixDoubleOrBooleanEdge(node->child1());
364             fixDoubleOrBooleanEdge(node->child2());
365             node->setResult(NodeResultDouble);
366             break;
367         }
368             
369         case ArithAbs: {
370             if (node->child1()->shouldSpeculateInt32OrBoolean()
371                 && node->canSpeculateInt32(FixupPass)) {
372                 fixIntOrBooleanEdge(node->child1());
373                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
374                     node->setArithMode(Arith::Unchecked);
375                 else
376                     node->setArithMode(Arith::CheckOverflow);
377                 node->clearFlags(NodeMustGenerate);
378                 node->setResult(NodeResultInt32);
379                 break;
380             }
381
382             if (node->child1()->shouldSpeculateNotCell()) {
383                 fixDoubleOrBooleanEdge(node->child1());
384                 node->clearFlags(NodeMustGenerate);
385             } else
386                 fixEdge<UntypedUse>(node->child1());
387             node->setResult(NodeResultDouble);
388             break;
389         }
390
391         case ArithPow: {
392             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
393                 fixDoubleOrBooleanEdge(node->child1());
394                 fixIntOrBooleanEdge(node->child2());
395                 break;
396             }
397
398             fixDoubleOrBooleanEdge(node->child1());
399             fixDoubleOrBooleanEdge(node->child2());
400             break;
401         }
402
403         case ArithRandom: {
404             node->setResult(NodeResultDouble);
405             break;
406         }
407
408         case ArithRound:
409         case ArithFloor:
410         case ArithCeil:
411         case ArithTrunc: {
412             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
413                 fixIntOrBooleanEdge(node->child1());
414                 insertCheck<Int32Use>(node->child1().node());
415                 node->convertToIdentity();
416                 break;
417             }
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420
421                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
422                     node->setResult(NodeResultInt32);
423                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
424                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
425                     else
426                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
427                 } else {
428                     node->setResult(NodeResultDouble);
429                     node->setArithRoundingMode(Arith::RoundingMode::Double);
430                 }
431                 node->clearFlags(NodeMustGenerate);
432             } else
433                 fixEdge<UntypedUse>(node->child1());
434             break;
435         }
436
437         case ArithFRound:
438         case ArithSqrt:
439         case ArithUnary: {
440             Edge& child1 = node->child1();
441             if (child1->shouldSpeculateNotCell()) {
442                 fixDoubleOrBooleanEdge(child1);
443                 node->clearFlags(NodeMustGenerate);
444             } else
445                 fixEdge<UntypedUse>(child1);
446             break;
447         }
448             
449         case LogicalNot: {
450             if (node->child1()->shouldSpeculateBoolean()) {
451                 if (node->child1()->result() == NodeResultBoolean) {
452                     // This is necessary in case we have a bytecode instruction implemented by:
453                     //
454                     // a: CompareEq(...)
455                     // b: LogicalNot(@a)
456                     //
457                     // In that case, CompareEq might have a side-effect. Then, we need to make
458                     // sure that we know that Branch does not exit.
459                     fixEdge<KnownBooleanUse>(node->child1());
460                 } else
461                     fixEdge<BooleanUse>(node->child1());
462             } else if (node->child1()->shouldSpeculateObjectOrOther())
463                 fixEdge<ObjectOrOtherUse>(node->child1());
464             else if (node->child1()->shouldSpeculateInt32OrBoolean())
465                 fixIntOrBooleanEdge(node->child1());
466             else if (node->child1()->shouldSpeculateNumber())
467                 fixEdge<DoubleRepUse>(node->child1());
468             else if (node->child1()->shouldSpeculateString())
469                 fixEdge<StringUse>(node->child1());
470             else if (node->child1()->shouldSpeculateStringOrOther())
471                 fixEdge<StringOrOtherUse>(node->child1());
472             else {
473                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
474                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
475                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
476             }
477             break;
478         }
479
480         case CompareEq:
481         case CompareLess:
482         case CompareLessEq:
483         case CompareGreater:
484         case CompareGreaterEq: {
485             if (node->op() == CompareEq
486                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
487                 fixEdge<BooleanUse>(node->child1());
488                 fixEdge<BooleanUse>(node->child2());
489                 node->clearFlags(NodeMustGenerate);
490                 break;
491             }
492             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
493                 fixIntOrBooleanEdge(node->child1());
494                 fixIntOrBooleanEdge(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (enableInt52()
499                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
500                 fixEdge<Int52RepUse>(node->child1());
501                 fixEdge<Int52RepUse>(node->child2());
502                 node->clearFlags(NodeMustGenerate);
503                 break;
504             }
505             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
506                 fixDoubleOrBooleanEdge(node->child1());
507                 fixDoubleOrBooleanEdge(node->child2());
508             }
509             if (node->op() != CompareEq
510                 && node->child1()->shouldSpeculateNotCell()
511                 && node->child2()->shouldSpeculateNotCell()) {
512                 if (node->child1()->shouldSpeculateNumberOrBoolean())
513                     fixDoubleOrBooleanEdge(node->child1());
514                 else
515                     fixEdge<DoubleRepUse>(node->child1());
516                 if (node->child2()->shouldSpeculateNumberOrBoolean())
517                     fixDoubleOrBooleanEdge(node->child2());
518                 else
519                     fixEdge<DoubleRepUse>(node->child2());
520                 node->clearFlags(NodeMustGenerate);
521                 break;
522             }
523             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
524                 fixEdge<StringIdentUse>(node->child1());
525                 fixEdge<StringIdentUse>(node->child2());
526                 node->clearFlags(NodeMustGenerate);
527                 break;
528             }
529             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
530                 fixEdge<StringUse>(node->child1());
531                 fixEdge<StringUse>(node->child2());
532                 node->clearFlags(NodeMustGenerate);
533                 break;
534             }
535
536             if (node->op() != CompareEq)
537                 break;
538             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
539                 fixEdge<SymbolUse>(node->child1());
540                 fixEdge<SymbolUse>(node->child2());
541                 node->clearFlags(NodeMustGenerate);
542                 break;
543             }
544             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
545                 fixEdge<ObjectUse>(node->child1());
546                 fixEdge<ObjectUse>(node->child2());
547                 node->clearFlags(NodeMustGenerate);
548                 break;
549             }
550
551             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
552             bool oneArgumentIsUsedAsSpecOther = false;
553             if (node->child1()->isUndefinedOrNullConstant()) {
554                 fixEdge<OtherUse>(node->child1());
555                 oneArgumentIsUsedAsSpecOther = true;
556             } else if (node->child1()->shouldSpeculateOther()) {
557                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
558                     Edge(node->child1().node(), OtherUse));
559                 fixEdge<OtherUse>(node->child1());
560                 oneArgumentIsUsedAsSpecOther = true;
561             }
562             if (node->child2()->isUndefinedOrNullConstant()) {
563                 fixEdge<OtherUse>(node->child2());
564                 oneArgumentIsUsedAsSpecOther = true;
565             } else if (node->child2()->shouldSpeculateOther()) {
566                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
567                     Edge(node->child2().node(), OtherUse));
568                 fixEdge<OtherUse>(node->child2());
569                 oneArgumentIsUsedAsSpecOther = true;
570             }
571             if (oneArgumentIsUsedAsSpecOther) {
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575
576             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
577                 fixEdge<ObjectUse>(node->child1());
578                 fixEdge<ObjectOrOtherUse>(node->child2());
579                 node->clearFlags(NodeMustGenerate);
580                 break;
581             }
582             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
583                 fixEdge<ObjectOrOtherUse>(node->child1());
584                 fixEdge<ObjectUse>(node->child2());
585                 node->clearFlags(NodeMustGenerate);
586                 break;
587             }
588
589             break;
590         }
591             
592         case CompareStrictEq: {
593             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
594                 fixEdge<BooleanUse>(node->child1());
595                 fixEdge<BooleanUse>(node->child2());
596                 break;
597             }
598             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
599                 fixEdge<Int32Use>(node->child1());
600                 fixEdge<Int32Use>(node->child2());
601                 break;
602             }
603             if (enableInt52()
604                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
605                 fixEdge<Int52RepUse>(node->child1());
606                 fixEdge<Int52RepUse>(node->child2());
607                 break;
608             }
609             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
610                 fixEdge<DoubleRepUse>(node->child1());
611                 fixEdge<DoubleRepUse>(node->child2());
612                 break;
613             }
614             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
615                 fixEdge<SymbolUse>(node->child1());
616                 fixEdge<SymbolUse>(node->child2());
617                 break;
618             }
619             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
620                 fixEdge<StringIdentUse>(node->child1());
621                 fixEdge<StringIdentUse>(node->child2());
622                 break;
623             }
624             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
625                 fixEdge<StringUse>(node->child1());
626                 fixEdge<StringUse>(node->child2());
627                 break;
628             }
629             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
630             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
631                 
632                 if (node->child1()->shouldSpeculateObject()) {
633                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
634                     fixEdge<ObjectUse>(node->child1());
635                     break;
636                 }
637                 if (node->child2()->shouldSpeculateObject()) {
638                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
639                     fixEdge<ObjectUse>(node->child2());
640                     break;
641                 }
642                 
643             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
644                 fixEdge<ObjectUse>(node->child1());
645                 fixEdge<ObjectUse>(node->child2());
646                 break;
647             }
648             if (node->child1()->shouldSpeculateSymbol()) {
649                 fixEdge<SymbolUse>(node->child1());
650                 break;
651             }
652             if (node->child2()->shouldSpeculateSymbol()) {
653                 fixEdge<SymbolUse>(node->child2());
654                 break;
655             }
656             if (node->child1()->shouldSpeculateMisc()) {
657                 fixEdge<MiscUse>(node->child1());
658                 break;
659             }
660             if (node->child2()->shouldSpeculateMisc()) {
661                 fixEdge<MiscUse>(node->child2());
662                 break;
663             }
664             if (node->child1()->shouldSpeculateStringIdent()
665                 && node->child2()->shouldSpeculateNotStringVar()) {
666                 fixEdge<StringIdentUse>(node->child1());
667                 fixEdge<NotStringVarUse>(node->child2());
668                 break;
669             }
670             if (node->child2()->shouldSpeculateStringIdent()
671                 && node->child1()->shouldSpeculateNotStringVar()) {
672                 fixEdge<StringIdentUse>(node->child2());
673                 fixEdge<NotStringVarUse>(node->child1());
674                 break;
675             }
676             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
677                 fixEdge<StringUse>(node->child1());
678                 break;
679             }
680             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
681                 fixEdge<StringUse>(node->child2());
682                 break;
683             }
684             break;
685         }
686             
687         case StringFromCharCode:
688             if (node->child1()->shouldSpeculateInt32()) {
689                 fixEdge<Int32Use>(node->child1());
690                 node->clearFlags(NodeMustGenerate);
691             } else
692                 fixEdge<UntypedUse>(node->child1());
693             break;
694
695         case StringCharAt:
696         case StringCharCodeAt: {
697             // Currently we have no good way of refining these.
698             ASSERT(node->arrayMode() == ArrayMode(Array::String));
699             blessArrayOperation(node->child1(), node->child2(), node->child3());
700             fixEdge<KnownCellUse>(node->child1());
701             fixEdge<Int32Use>(node->child2());
702             break;
703         }
704
705         case GetByVal: {
706             if (!node->prediction()) {
707                 m_insertionSet.insertNode(
708                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
709             }
710             
711             node->setArrayMode(
712                 node->arrayMode().refine(
713                     m_graph, node,
714                     m_graph.varArgChild(node, 0)->prediction(),
715                     m_graph.varArgChild(node, 1)->prediction(),
716                     SpecNone));
717             
718             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
719             
720             ArrayMode arrayMode = node->arrayMode();
721             switch (arrayMode.type()) {
722             case Array::Contiguous:
723             case Array::Double:
724                 if (arrayMode.arrayClass() == Array::OriginalArray
725                     && arrayMode.speculation() == Array::InBounds) {
726                     // Check if SaneChain will work on a per-type basis. Note that:
727                     //
728                     // 1) We don't want double arrays to sometimes return undefined, since
729                     // that would require a change to the return type and it would pessimise
730                     // things a lot. So, we'd only want to do that if we actually had
731                     // evidence that we could read from a hole. That's pretty annoying.
732                     // Likely the best way to handle that case is with an equivalent of
733                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
734                     // NaN are indistinguishable according to backwards propagation, and just
735                     // use SaneChain in that case. This happens to catch a lot of cases.
736                     //
737                     // 2) We don't want int32 array loads to have to do a hole check just to
738                     // coerce to Undefined, since that would mean twice the checks.
739                     //
740                     // This has two implications. First, we have to do more checks than we'd
741                     // like. It's unfortunate that we have to do the hole check. Second,
742                     // some accesses that hit a hole will now need to take the full-blown
743                     // out-of-bounds slow path. We can fix that with:
744                     // https://bugs.webkit.org/show_bug.cgi?id=144668
745                     
746                     bool canDoSaneChain = false;
747                     switch (arrayMode.type()) {
748                     case Array::Contiguous:
749                         // This is happens to be entirely natural. We already would have
750                         // returned any JSValue, and now we'll return Undefined. We still do
751                         // the check but it doesn't require taking any kind of slow path.
752                         canDoSaneChain = true;
753                         break;
754                         
755                     case Array::Double:
756                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
757                             // Holes look like NaN already, so if the user doesn't care
758                             // about the difference between Undefined and NaN then we can
759                             // do this.
760                             canDoSaneChain = true;
761                         }
762                         break;
763                         
764                     default:
765                         break;
766                     }
767                     
768                     if (canDoSaneChain) {
769                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
770                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
771                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
772                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
773                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
774                             && globalObject->arrayPrototypeChainIsSane()) {
775                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
776                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
777                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
778                         }
779                     }
780                 }
781                 break;
782                 
783             case Array::String:
784                 if ((node->prediction() & ~SpecString)
785                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
786                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
787                 break;
788                 
789             default:
790                 break;
791             }
792             
793             arrayMode = node->arrayMode();
794             switch (arrayMode.type()) {
795             case Array::SelectUsingPredictions:
796             case Array::Unprofiled:
797                 RELEASE_ASSERT_NOT_REACHED();
798                 break;
799             case Array::Generic:
800                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
801                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
802                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
803                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
804                         break;
805                     }
806
807                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
808                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
809                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
810                         break;
811                     }
812                 }
813 #if USE(JSVALUE32_64)
814                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
815 #endif
816                 break;
817             case Array::ForceExit:
818                 break;
819             default:
820                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
821                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
822                 break;
823             }
824             
825             switch (arrayMode.type()) {
826             case Array::Double:
827                 if (!arrayMode.isOutOfBounds())
828                     node->setResult(NodeResultDouble);
829                 break;
830                 
831             case Array::Float32Array:
832             case Array::Float64Array:
833                 node->setResult(NodeResultDouble);
834                 break;
835                 
836             case Array::Uint32Array:
837                 if (node->shouldSpeculateInt32())
838                     break;
839                 if (node->shouldSpeculateAnyInt() && enableInt52())
840                     node->setResult(NodeResultInt52);
841                 else
842                     node->setResult(NodeResultDouble);
843                 break;
844                 
845             default:
846                 break;
847             }
848             
849             break;
850         }
851
852         case PutByValDirect:
853         case PutByVal:
854         case PutByValAlias: {
855             Edge& child1 = m_graph.varArgChild(node, 0);
856             Edge& child2 = m_graph.varArgChild(node, 1);
857             Edge& child3 = m_graph.varArgChild(node, 2);
858
859             node->setArrayMode(
860                 node->arrayMode().refine(
861                     m_graph, node,
862                     child1->prediction(),
863                     child2->prediction(),
864                     child3->prediction()));
865             
866             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
867             
868             switch (node->arrayMode().modeForPut().type()) {
869             case Array::SelectUsingPredictions:
870             case Array::SelectUsingArguments:
871             case Array::Unprofiled:
872             case Array::Undecided:
873                 RELEASE_ASSERT_NOT_REACHED();
874                 break;
875             case Array::ForceExit:
876             case Array::Generic:
877                 if (child1->shouldSpeculateCell()) {
878                     if (child2->shouldSpeculateString()) {
879                         fixEdge<CellUse>(child1);
880                         fixEdge<StringUse>(child2);
881                         break;
882                     }
883
884                     if (child2->shouldSpeculateSymbol()) {
885                         fixEdge<CellUse>(child1);
886                         fixEdge<SymbolUse>(child2);
887                         break;
888                     }
889                 }
890 #if USE(JSVALUE32_64)
891                 // Due to register pressure on 32-bit, we speculate cell and
892                 // ignore the base-is-not-cell case entirely by letting the
893                 // baseline JIT handle it.
894                 fixEdge<CellUse>(child1);
895 #endif
896                 break;
897             case Array::Int32:
898                 fixEdge<KnownCellUse>(child1);
899                 fixEdge<Int32Use>(child2);
900                 fixEdge<Int32Use>(child3);
901                 break;
902             case Array::Double:
903                 fixEdge<KnownCellUse>(child1);
904                 fixEdge<Int32Use>(child2);
905                 fixEdge<DoubleRepRealUse>(child3);
906                 break;
907             case Array::Int8Array:
908             case Array::Int16Array:
909             case Array::Int32Array:
910             case Array::Uint8Array:
911             case Array::Uint8ClampedArray:
912             case Array::Uint16Array:
913             case Array::Uint32Array:
914                 fixEdge<KnownCellUse>(child1);
915                 fixEdge<Int32Use>(child2);
916                 if (child3->shouldSpeculateInt32())
917                     fixIntOrBooleanEdge(child3);
918                 else if (child3->shouldSpeculateAnyInt())
919                     fixEdge<Int52RepUse>(child3);
920                 else
921                     fixDoubleOrBooleanEdge(child3);
922                 break;
923             case Array::Float32Array:
924             case Array::Float64Array:
925                 fixEdge<KnownCellUse>(child1);
926                 fixEdge<Int32Use>(child2);
927                 fixDoubleOrBooleanEdge(child3);
928                 break;
929             case Array::Contiguous:
930             case Array::ArrayStorage:
931             case Array::SlowPutArrayStorage:
932                 fixEdge<KnownCellUse>(child1);
933                 fixEdge<Int32Use>(child2);
934                 speculateForBarrier(child3);
935                 break;
936             default:
937                 fixEdge<KnownCellUse>(child1);
938                 fixEdge<Int32Use>(child2);
939                 break;
940             }
941             break;
942         }
943             
944         case AtomicsAdd:
945         case AtomicsAnd:
946         case AtomicsCompareExchange:
947         case AtomicsExchange:
948         case AtomicsLoad:
949         case AtomicsOr:
950         case AtomicsStore:
951         case AtomicsSub:
952         case AtomicsXor: {
953             Edge& base = m_graph.child(node, 0);
954             Edge& index = m_graph.child(node, 1);
955             
956             bool badNews = false;
957             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
958                 Edge& child = m_graph.child(node, 2 + i);
959                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
960                 // just call the function when that happens. But the FTL is totally cool with those
961                 // conversions.
962                 if (!child->shouldSpeculateInt32()
963                     && !child->shouldSpeculateAnyInt()
964                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
965                     badNews = true;
966             }
967             
968             if (badNews) {
969                 node->setArrayMode(ArrayMode(Array::Generic));
970                 break;
971             }
972             
973             node->setArrayMode(
974                 node->arrayMode().refine(
975                     m_graph, node, base->prediction(), index->prediction()));
976             
977             if (node->arrayMode().type() == Array::Generic)
978                 break;
979             
980             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
981                 Edge& child = m_graph.child(node, 2 + i);
982                 if (child->shouldSpeculateInt32())
983                     fixIntOrBooleanEdge(child);
984                 else if (child->shouldSpeculateAnyInt())
985                     fixEdge<Int52RepUse>(child);
986                 else {
987                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
988                     fixDoubleOrBooleanEdge(child);
989                 }
990             }
991             
992             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
993             fixEdge<CellUse>(base);
994             fixEdge<Int32Use>(index);
995             
996             if (node->arrayMode().type() == Array::Uint32Array) {
997                 // NOTE: This means basically always doing Int52.
998                 if (node->shouldSpeculateAnyInt() && enableInt52())
999                     node->setResult(NodeResultInt52);
1000                 else
1001                     node->setResult(NodeResultDouble);
1002             }
1003             break;
1004         }
1005             
1006         case AtomicsIsLockFree:
1007             if (node->child1()->shouldSpeculateInt32())
1008                 fixIntOrBooleanEdge(node->child1());
1009             break;
1010             
1011         case ArrayPush: {
1012             // May need to refine the array mode in case the value prediction contravenes
1013             // the array prediction. For example, we may have evidence showing that the
1014             // array is in Int32 mode, but the value we're storing is likely to be a double.
1015             // Then we should turn this into a conversion to Double array followed by the
1016             // push. On the other hand, we absolutely don't want to refine based on the
1017             // base prediction. If it has non-cell garbage in it, then we want that to be
1018             // ignored. That's because ArrayPush can't handle any array modes that aren't
1019             // array-related - so if refine() turned this into a "Generic" ArrayPush then
1020             // that would break things.
1021             Edge& storageEdge = m_graph.varArgChild(node, 0);
1022             Edge& arrayEdge = m_graph.varArgChild(node, 1);
1023             unsigned elementOffset = 2;
1024             unsigned elementCount = node->numChildren() - elementOffset;
1025             for (unsigned i = 0; i < elementCount; ++i) {
1026                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1027                 node->setArrayMode(
1028                     node->arrayMode().refine(
1029                         m_graph, node,
1030                         arrayEdge->prediction() & SpecCell,
1031                         SpecInt32Only,
1032                         element->prediction()));
1033             }
1034             blessArrayOperation(arrayEdge, Edge(), storageEdge);
1035             fixEdge<KnownCellUse>(arrayEdge);
1036
1037             // Convert `array.push()` to GetArrayLength.
1038             if (!elementCount && node->arrayMode().supportsSelfLength()) {
1039                 node->setOpAndDefaultFlags(GetArrayLength);
1040                 node->child1() = arrayEdge;
1041                 node->child2() = storageEdge;
1042                 fixEdge<KnownCellUse>(node->child1());
1043                 break;
1044             }
1045
1046             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
1047             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
1048             for (unsigned i = 0; i < elementCount; ++i) {
1049                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
1050                 switch (node->arrayMode().type()) {
1051                 case Array::Int32:
1052                     insertCheck<Int32Use>(element.node());
1053                     fixEdge<KnownInt32Use>(element);
1054                     break;
1055                 case Array::Double:
1056                     insertCheck<DoubleRepRealUse>(element.node());
1057                     fixEdge<DoubleRepUse>(element);
1058                     break;
1059                 case Array::Contiguous:
1060                 case Array::ArrayStorage:
1061                     speculateForBarrier(element);
1062                     break;
1063                 default:
1064                     break;
1065                 }
1066                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1067             }
1068             break;
1069         }
1070             
1071         case ArrayPop: {
1072             blessArrayOperation(node->child1(), Edge(), node->child2());
1073             fixEdge<KnownCellUse>(node->child1());
1074             break;
1075         }
1076
1077         case ArraySlice: {
1078             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1079             if (node->numChildren() >= 3) {
1080                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1081                 if (node->numChildren() == 4)
1082                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1083             }
1084             break;
1085         }
1086
1087         case ArrayIndexOf:
1088             fixupArrayIndexOf(node);
1089             break;
1090             
1091         case RegExpExec:
1092         case RegExpTest: {
1093             fixEdge<KnownCellUse>(node->child1());
1094             
1095             if (node->child2()->shouldSpeculateRegExpObject()) {
1096                 fixEdge<RegExpObjectUse>(node->child2());
1097
1098                 if (node->child3()->shouldSpeculateString())
1099                     fixEdge<StringUse>(node->child3());
1100             }
1101             break;
1102         }
1103
1104         case RegExpMatchFast: {
1105             fixEdge<KnownCellUse>(node->child1());
1106             fixEdge<RegExpObjectUse>(node->child2());
1107             fixEdge<StringUse>(node->child3());
1108             break;
1109         }
1110
1111         case StringReplace:
1112         case StringReplaceRegExp: {
1113             if (node->child2()->shouldSpeculateString()) {
1114                 m_insertionSet.insertNode(
1115                     m_indexInBlock, SpecNone, Check, node->origin,
1116                     Edge(node->child2().node(), StringUse));
1117                 fixEdge<StringUse>(node->child2());
1118             } else if (op == StringReplace) {
1119                 if (node->child2()->shouldSpeculateRegExpObject())
1120                     addStringReplacePrimordialChecks(node->child2().node());
1121                 else 
1122                     m_insertionSet.insertNode(
1123                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1124             }
1125
1126             if (node->child1()->shouldSpeculateString()
1127                 && node->child2()->shouldSpeculateRegExpObject()
1128                 && node->child3()->shouldSpeculateString()) {
1129
1130                 fixEdge<StringUse>(node->child1());
1131                 fixEdge<RegExpObjectUse>(node->child2());
1132                 fixEdge<StringUse>(node->child3());
1133                 break;
1134             }
1135             break;
1136         }
1137             
1138         case Branch: {
1139             if (node->child1()->shouldSpeculateBoolean()) {
1140                 if (node->child1()->result() == NodeResultBoolean) {
1141                     // This is necessary in case we have a bytecode instruction implemented by:
1142                     //
1143                     // a: CompareEq(...)
1144                     // b: Branch(@a)
1145                     //
1146                     // In that case, CompareEq might have a side-effect. Then, we need to make
1147                     // sure that we know that Branch does not exit.
1148                     fixEdge<KnownBooleanUse>(node->child1());
1149                 } else
1150                     fixEdge<BooleanUse>(node->child1());
1151             } else if (node->child1()->shouldSpeculateObjectOrOther())
1152                 fixEdge<ObjectOrOtherUse>(node->child1());
1153             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1154                 fixIntOrBooleanEdge(node->child1());
1155             else if (node->child1()->shouldSpeculateNumber())
1156                 fixEdge<DoubleRepUse>(node->child1());
1157             else if (node->child1()->shouldSpeculateString())
1158                 fixEdge<StringUse>(node->child1());
1159             else if (node->child1()->shouldSpeculateStringOrOther())
1160                 fixEdge<StringOrOtherUse>(node->child1());
1161             else {
1162                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1163                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1164                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1165             }
1166             break;
1167         }
1168             
1169         case Switch: {
1170             SwitchData* data = node->switchData();
1171             switch (data->kind) {
1172             case SwitchImm:
1173                 if (node->child1()->shouldSpeculateInt32())
1174                     fixEdge<Int32Use>(node->child1());
1175                 break;
1176             case SwitchChar:
1177                 if (node->child1()->shouldSpeculateString())
1178                     fixEdge<StringUse>(node->child1());
1179                 break;
1180             case SwitchString:
1181                 if (node->child1()->shouldSpeculateStringIdent())
1182                     fixEdge<StringIdentUse>(node->child1());
1183                 else if (node->child1()->shouldSpeculateString())
1184                     fixEdge<StringUse>(node->child1());
1185                 break;
1186             case SwitchCell:
1187                 if (node->child1()->shouldSpeculateCell())
1188                     fixEdge<CellUse>(node->child1());
1189                 // else it's fine for this to have UntypedUse; we will handle this by just making
1190                 // non-cells take the default case.
1191                 break;
1192             }
1193             break;
1194         }
1195             
1196         case ToPrimitive: {
1197             fixupToPrimitive(node);
1198             break;
1199         }
1200
1201         case ToNumber: {
1202             fixupToNumber(node);
1203             break;
1204         }
1205             
1206         case ToString:
1207         case CallStringConstructor: {
1208             fixupToStringOrCallStringConstructor(node);
1209             break;
1210         }
1211             
1212         case NewStringObject: {
1213             fixEdge<KnownStringUse>(node->child1());
1214             break;
1215         }
1216
1217         case NewArrayWithSpread: {
1218             watchHavingABadTime(node);
1219             
1220             BitVector* bitVector = node->bitVector();
1221             for (unsigned i = node->numChildren(); i--;) {
1222                 if (bitVector->get(i))
1223                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1224                 else
1225                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1226             }
1227
1228             break;
1229         }
1230
1231         case Spread: {
1232             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1233             
1234             watchHavingABadTime(node->child1().node());
1235
1236             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1237             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1238             // that it doesn't contain any indexed properties, and that any holes will result in
1239             // jsUndefined().
1240             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure();
1241             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure();
1242             if (node->child1()->shouldSpeculateArray()
1243                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1244                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1245                 && globalObject->arrayPrototypeChainIsSane()
1246                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1247                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1248                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1249                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1250                 fixEdge<ArrayUse>(node->child1());
1251             } else
1252                 fixEdge<CellUse>(node->child1());
1253             break;
1254         }
1255             
1256         case NewArray: {
1257             watchHavingABadTime(node);
1258             
1259             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1260                 node->setIndexingType(
1261                     leastUpperBoundOfIndexingTypeAndType(
1262                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1263             }
1264             switch (node->indexingType()) {
1265             case ALL_BLANK_INDEXING_TYPES:
1266                 CRASH();
1267                 break;
1268             case ALL_UNDECIDED_INDEXING_TYPES:
1269                 if (node->numChildren()) {
1270                     // This will only happen if the children have no type predictions. We
1271                     // would have already exited by now, but insert a forced exit just to
1272                     // be safe.
1273                     m_insertionSet.insertNode(
1274                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1275                 }
1276                 break;
1277             case ALL_INT32_INDEXING_TYPES:
1278                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1279                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1280                 break;
1281             case ALL_DOUBLE_INDEXING_TYPES:
1282                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1283                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1284                 break;
1285             case ALL_CONTIGUOUS_INDEXING_TYPES:
1286             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1287                 break;
1288             default:
1289                 CRASH();
1290                 break;
1291             }
1292             break;
1293         }
1294             
1295         case NewTypedArray: {
1296             watchHavingABadTime(node);
1297             
1298             if (node->child1()->shouldSpeculateInt32()) {
1299                 fixEdge<Int32Use>(node->child1());
1300                 node->clearFlags(NodeMustGenerate);
1301                 break;
1302             }
1303             break;
1304         }
1305             
1306         case NewArrayWithSize: {
1307             watchHavingABadTime(node);
1308             fixEdge<Int32Use>(node->child1());
1309             break;
1310         }
1311
1312         case NewArrayBuffer: {
1313             watchHavingABadTime(node);
1314             break;
1315         }
1316
1317         case ToObject: {
1318             fixupToObject(node);
1319             break;
1320         }
1321
1322         case CallObjectConstructor: {
1323             fixupCallObjectConstructor(node);
1324             break;
1325         }
1326
1327         case ToThis: {
1328             fixupToThis(node);
1329             break;
1330         }
1331             
1332         case PutStructure: {
1333             fixEdge<KnownCellUse>(node->child1());
1334             break;
1335         }
1336             
1337         case GetClosureVar:
1338         case GetFromArguments: {
1339             fixEdge<KnownCellUse>(node->child1());
1340             break;
1341         }
1342
1343         case PutClosureVar:
1344         case PutToArguments: {
1345             fixEdge<KnownCellUse>(node->child1());
1346             speculateForBarrier(node->child2());
1347             break;
1348         }
1349
1350         case SkipScope:
1351         case GetScope:
1352         case GetGetter:
1353         case GetSetter:
1354         case GetGlobalObject: {
1355             fixEdge<KnownCellUse>(node->child1());
1356             break;
1357         }
1358             
1359         case AllocatePropertyStorage:
1360         case ReallocatePropertyStorage: {
1361             fixEdge<KnownCellUse>(node->child1());
1362             break;
1363         }
1364             
1365         case NukeStructureAndSetButterfly: {
1366             fixEdge<KnownCellUse>(node->child1());
1367             break;
1368         }
1369
1370         case TryGetById: {
1371             if (node->child1()->shouldSpeculateCell())
1372                 fixEdge<CellUse>(node->child1());
1373             break;
1374         }
1375
1376         case GetByIdDirect:
1377         case GetByIdDirectFlush: {
1378             if (node->child1()->shouldSpeculateCell())
1379                 fixEdge<CellUse>(node->child1());
1380             break;
1381         }
1382
1383         case GetById:
1384         case GetByIdFlush: {
1385             // FIXME: This should be done in the ByteCodeParser based on reading the
1386             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1387             // https://bugs.webkit.org/show_bug.cgi?id=154990
1388             auto uid = m_graph.identifiers()[node->identifierNumber()];
1389             if (node->child1()->shouldSpeculateCellOrOther()
1390                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1391                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1392                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1393                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1394                 
1395                 if (uid == vm().propertyNames->length.impl()) {
1396                     attemptToMakeGetArrayLength(node);
1397                     break;
1398                 }
1399
1400                 if (uid == vm().propertyNames->lastIndex.impl()
1401                     && node->child1()->shouldSpeculateRegExpObject()) {
1402                     node->setOp(GetRegExpObjectLastIndex);
1403                     node->clearFlags(NodeMustGenerate);
1404                     fixEdge<RegExpObjectUse>(node->child1());
1405                     break;
1406                 }
1407             }
1408
1409             if (node->child1()->shouldSpeculateNumber()) {
1410                 if (uid == vm().propertyNames->toString.impl()) {
1411                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1412                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1413                         if (node->child1()->shouldSpeculateInt32()) {
1414                             insertCheck<Int32Use>(node->child1().node());
1415                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1416                             break;
1417                         }
1418
1419                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1420                             insertCheck<Int52RepUse>(node->child1().node());
1421                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1422                             break;
1423                         }
1424
1425                         ASSERT(node->child1()->shouldSpeculateNumber());
1426                         insertCheck<DoubleRepUse>(node->child1().node());
1427                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1428                         break;
1429                     }
1430                 }
1431             }
1432
1433             if (node->child1()->shouldSpeculateCell())
1434                 fixEdge<CellUse>(node->child1());
1435             break;
1436         }
1437         
1438         case GetByIdWithThis: {
1439             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1440                 fixEdge<CellUse>(node->child1());
1441                 fixEdge<CellUse>(node->child2());
1442             }
1443             break;
1444         }
1445
1446         case PutById:
1447         case PutByIdFlush:
1448         case PutByIdDirect: {
1449             if (node->child1()->shouldSpeculateCellOrOther()
1450                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1451                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1452                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1453                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1454                 
1455                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1456                 
1457                 if (uid == vm().propertyNames->lastIndex.impl()
1458                     && node->child1()->shouldSpeculateRegExpObject()) {
1459                     node->convertToSetRegExpObjectLastIndex();
1460                     fixEdge<RegExpObjectUse>(node->child1());
1461                     speculateForBarrier(node->child2());
1462                     break;
1463                 }
1464             }
1465             
1466             fixEdge<CellUse>(node->child1());
1467             break;
1468         }
1469
1470         case PutGetterById:
1471         case PutSetterById: {
1472             fixEdge<KnownCellUse>(node->child1());
1473             fixEdge<KnownCellUse>(node->child2());
1474             break;
1475         }
1476
1477         case PutGetterSetterById: {
1478             fixEdge<KnownCellUse>(node->child1());
1479             break;
1480         }
1481
1482         case PutGetterByVal:
1483         case PutSetterByVal: {
1484             fixEdge<KnownCellUse>(node->child1());
1485             fixEdge<KnownCellUse>(node->child3());
1486             break;
1487         }
1488
1489         case GetExecutable: {
1490             fixEdge<FunctionUse>(node->child1());
1491             break;
1492         }
1493
1494         case OverridesHasInstance:
1495         case CheckStructure:
1496         case CheckCell:
1497         case CreateThis:
1498         case GetButterfly: {
1499             fixEdge<CellUse>(node->child1());
1500             break;
1501         }
1502
1503         case CheckStringIdent: {
1504             fixEdge<StringIdentUse>(node->child1());
1505             break;
1506         }
1507             
1508         case Arrayify:
1509         case ArrayifyToStructure: {
1510             fixEdge<CellUse>(node->child1());
1511             if (node->child2())
1512                 fixEdge<Int32Use>(node->child2());
1513             break;
1514         }
1515             
1516         case GetByOffset:
1517         case GetGetterSetterByOffset: {
1518             if (!node->child1()->hasStorageResult())
1519                 fixEdge<KnownCellUse>(node->child1());
1520             fixEdge<KnownCellUse>(node->child2());
1521             break;
1522         }
1523             
1524         case MultiGetByOffset: {
1525             fixEdge<CellUse>(node->child1());
1526             break;
1527         }
1528             
1529         case PutByOffset: {
1530             if (!node->child1()->hasStorageResult())
1531                 fixEdge<KnownCellUse>(node->child1());
1532             fixEdge<KnownCellUse>(node->child2());
1533             unsigned index = indexForChecks();
1534             insertInferredTypeCheck(
1535                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1536                 node->storageAccessData().inferredType);
1537             speculateForBarrier(node->child3());
1538             break;
1539         }
1540             
1541         case MultiPutByOffset: {
1542             fixEdge<CellUse>(node->child1());
1543             break;
1544         }
1545             
1546         case InstanceOf: {
1547             if (!(node->child1()->prediction() & ~SpecCell))
1548                 fixEdge<CellUse>(node->child1());
1549             fixEdge<CellUse>(node->child2());
1550             break;
1551         }
1552
1553         case InstanceOfCustom:
1554             fixEdge<CellUse>(node->child2());
1555             break;
1556
1557         case In: {
1558             if (node->child2()->shouldSpeculateInt32()) {
1559                 convertToHasIndexedProperty(node);
1560                 break;
1561             }
1562
1563             fixEdge<CellUse>(node->child1());
1564             break;
1565         }
1566
1567         case HasOwnProperty: {
1568             fixEdge<ObjectUse>(node->child1());
1569 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1570             // We don't have enough registers to do anything interesting on x86 and mips.
1571             fixEdge<UntypedUse>(node->child2());
1572 #else
1573             if (node->child2()->shouldSpeculateString())
1574                 fixEdge<StringUse>(node->child2());
1575             else if (node->child2()->shouldSpeculateSymbol())
1576                 fixEdge<SymbolUse>(node->child2());
1577             else
1578                 fixEdge<UntypedUse>(node->child2());
1579 #endif
1580             break;
1581         }
1582
1583         case CheckVarargs:
1584         case Check: {
1585             m_graph.doToChildren(
1586                 node,
1587                 [&] (Edge& edge) {
1588                     switch (edge.useKind()) {
1589                     case NumberUse:
1590                         if (edge->shouldSpeculateInt32ForArithmetic())
1591                             edge.setUseKind(Int32Use);
1592                         break;
1593                     default:
1594                         break;
1595                     }
1596                     observeUseKindOnEdge(edge);
1597                 });
1598             break;
1599         }
1600
1601         case Phantom:
1602             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1603             node->remove(m_graph);
1604             break;
1605
1606         case FiatInt52: {
1607             RELEASE_ASSERT(enableInt52());
1608             node->convertToIdentity();
1609             fixEdge<Int52RepUse>(node->child1());
1610             node->setResult(NodeResultInt52);
1611             break;
1612         }
1613
1614         case GetArrayLength: {
1615             fixEdge<KnownCellUse>(node->child1());
1616             break;
1617         }
1618
1619         case GetTypedArrayByteOffset: {
1620             fixEdge<KnownCellUse>(node->child1());
1621             break;
1622         }
1623
1624         case CompareBelow:
1625         case CompareBelowEq: {
1626             fixEdge<Int32Use>(node->child1());
1627             fixEdge<Int32Use>(node->child2());
1628             break;
1629         }
1630
1631         case GetPrototypeOf: {
1632             fixupGetPrototypeOf(node);
1633             break;
1634         }
1635
1636         case Phi:
1637         case Upsilon:
1638         case EntrySwitch:
1639         case GetIndexedPropertyStorage:
1640         case LastNodeType:
1641         case CheckTierUpInLoop:
1642         case CheckTierUpAtReturn:
1643         case CheckTierUpAndOSREnter:
1644         case InvalidationPoint:
1645         case CheckArray:
1646         case CheckInBounds:
1647         case ConstantStoragePointer:
1648         case DoubleAsInt32:
1649         case ValueToInt32:
1650         case DoubleRep:
1651         case ValueRep:
1652         case Int52Rep:
1653         case Int52Constant:
1654         case Identity: // This should have been cleaned up.
1655         case BooleanToNumber:
1656         case PhantomNewObject:
1657         case PhantomNewFunction:
1658         case PhantomNewGeneratorFunction:
1659         case PhantomNewAsyncGeneratorFunction:
1660         case PhantomNewAsyncFunction:
1661         case PhantomCreateActivation:
1662         case PhantomDirectArguments:
1663         case PhantomCreateRest:
1664         case PhantomSpread:
1665         case PhantomNewArrayWithSpread:
1666         case PhantomNewArrayBuffer:
1667         case PhantomClonedArguments:
1668         case PhantomNewRegexp:
1669         case GetMyArgumentByVal:
1670         case GetMyArgumentByValOutOfBounds:
1671         case GetVectorLength:
1672         case PutHint:
1673         case CheckStructureImmediate:
1674         case CheckStructureOrEmpty:
1675         case MaterializeNewObject:
1676         case MaterializeCreateActivation:
1677         case PutStack:
1678         case KillStack:
1679         case GetStack:
1680         case StoreBarrier:
1681         case FencedStoreBarrier:
1682         case GetRegExpObjectLastIndex:
1683         case SetRegExpObjectLastIndex:
1684         case RecordRegExpCachedResult:
1685         case RegExpExecNonGlobalOrSticky:
1686         case RegExpMatchFastGlobal:
1687             // These are just nodes that we don't currently expect to see during fixup.
1688             // If we ever wanted to insert them prior to fixup, then we just have to create
1689             // fixup rules for them.
1690             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1691             break;
1692
1693         case PutGlobalVariable: {
1694             fixEdge<CellUse>(node->child1());
1695             speculateForBarrier(node->child2());
1696             break;
1697         }
1698
1699         case IsObject:
1700             if (node->child1()->shouldSpeculateObject()) {
1701                 m_insertionSet.insertNode(
1702                     m_indexInBlock, SpecNone, Check, node->origin,
1703                     Edge(node->child1().node(), ObjectUse));
1704                 m_graph.convertToConstant(node, jsBoolean(true));
1705                 observeUseKindOnNode<ObjectUse>(node);
1706             }
1707             break;
1708
1709         case IsCellWithType: {
1710             fixupIsCellWithType(node);
1711             break;
1712         }
1713
1714         case GetEnumerableLength: {
1715             fixEdge<CellUse>(node->child1());
1716             break;
1717         }
1718         case HasGenericProperty: {
1719             fixEdge<CellUse>(node->child2());
1720             break;
1721         }
1722         case HasStructureProperty: {
1723             fixEdge<StringUse>(node->child2());
1724             fixEdge<KnownCellUse>(node->child3());
1725             break;
1726         }
1727         case HasIndexedProperty: {
1728             node->setArrayMode(
1729                 node->arrayMode().refine(
1730                     m_graph, node,
1731                     node->child1()->prediction(),
1732                     node->child2()->prediction(),
1733                     SpecNone));
1734             
1735             blessArrayOperation(node->child1(), node->child2(), node->child3());
1736             fixEdge<CellUse>(node->child1());
1737             fixEdge<KnownInt32Use>(node->child2());
1738             break;
1739         }
1740         case GetDirectPname: {
1741             Edge& base = m_graph.varArgChild(node, 0);
1742             Edge& property = m_graph.varArgChild(node, 1);
1743             Edge& index = m_graph.varArgChild(node, 2);
1744             Edge& enumerator = m_graph.varArgChild(node, 3);
1745             fixEdge<CellUse>(base);
1746             fixEdge<KnownCellUse>(property);
1747             fixEdge<KnownInt32Use>(index);
1748             fixEdge<KnownCellUse>(enumerator);
1749             break;
1750         }
1751         case GetPropertyEnumerator: {
1752             if (node->child1()->shouldSpeculateCell())
1753                 fixEdge<CellUse>(node->child1());
1754             break;
1755         }
1756         case GetEnumeratorStructurePname: {
1757             fixEdge<KnownCellUse>(node->child1());
1758             fixEdge<KnownInt32Use>(node->child2());
1759             break;
1760         }
1761         case GetEnumeratorGenericPname: {
1762             fixEdge<KnownCellUse>(node->child1());
1763             fixEdge<KnownInt32Use>(node->child2());
1764             break;
1765         }
1766         case ToIndexString: {
1767             fixEdge<KnownInt32Use>(node->child1());
1768             break;
1769         }
1770         case ProfileType: {
1771             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1772             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1773             // type T for the instructionTypeSet, the global type set must also have information for type T.
1774             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1775             // in the globalTypeSet would've also succeeded.
1776             // (The other direction does not hold in general).
1777
1778             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1779             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1780             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1781                 if (node->child1()->shouldSpeculateInt32()) {
1782                     fixEdge<Int32Use>(node->child1());
1783                     node->remove(m_graph);
1784                     break;
1785                 }
1786
1787                 if (enableInt52()) {
1788                     fixEdge<AnyIntUse>(node->child1());
1789                     node->remove(m_graph);
1790                     break;
1791                 }
1792
1793                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1794             }
1795
1796             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1797                 fixEdge<NumberUse>(node->child1());
1798                 node->remove(m_graph);
1799             } else if (typeSet->doesTypeConformTo(TypeString)) {
1800                 fixEdge<StringUse>(node->child1());
1801                 node->remove(m_graph);
1802             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1803                 fixEdge<BooleanUse>(node->child1());
1804                 node->remove(m_graph);
1805             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1806                 fixEdge<OtherUse>(node->child1());
1807                 node->remove(m_graph);
1808             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1809                 StructureSet set;
1810                 {
1811                     ConcurrentJSLocker locker(typeSet->m_lock);
1812                     set = typeSet->structureSet(locker);
1813                 }
1814                 if (!set.isEmpty()) {
1815                     fixEdge<CellUse>(node->child1());
1816                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1817                 }
1818             }
1819
1820             break;
1821         }
1822
1823         case CreateClonedArguments: {
1824             watchHavingABadTime(node);
1825             break;
1826         }
1827
1828         case CreateScopedArguments:
1829         case CreateActivation:
1830         case NewFunction:
1831         case NewGeneratorFunction:
1832         case NewAsyncGeneratorFunction:
1833         case NewAsyncFunction: {
1834             // Child 1 is always the current scope, which is guaranteed to be an object
1835             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1836             fixEdge<KnownCellUse>(node->child1());
1837             break;
1838         }
1839
1840         case PushWithScope: {
1841             // Child 1 is always the current scope, which is guaranteed to be an object
1842             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1843             fixEdge<KnownCellUse>(node->child1());
1844             if (node->child2()->shouldSpeculateObject())
1845                 fixEdge<ObjectUse>(node->child2());
1846             break;
1847         }
1848
1849         case SetFunctionName: {
1850             // The first child is guaranteed to be a cell because op_set_function_name is only used
1851             // on a newly instantiated function object (the first child).
1852             fixEdge<KnownCellUse>(node->child1());
1853             fixEdge<UntypedUse>(node->child2());
1854             break;
1855         }
1856
1857         case CreateRest: {
1858             watchHavingABadTime(node);
1859             fixEdge<KnownInt32Use>(node->child1());
1860             break;
1861         }
1862
1863         case ResolveScopeForHoistingFuncDeclInEval: {
1864             fixEdge<KnownCellUse>(node->child1());
1865             break;
1866         }
1867         case ResolveScope:
1868         case GetDynamicVar:
1869         case PutDynamicVar: {
1870             fixEdge<KnownCellUse>(node->child1());
1871             break;
1872         }
1873
1874         case LogShadowChickenPrologue: {
1875             fixEdge<KnownCellUse>(node->child1());
1876             break;
1877         }
1878         case LogShadowChickenTail: {
1879             fixEdge<UntypedUse>(node->child1());
1880             fixEdge<KnownCellUse>(node->child2());
1881             break;
1882         }
1883
1884         case GetMapBucket:
1885             if (node->child1().useKind() == MapObjectUse)
1886                 fixEdge<MapObjectUse>(node->child1());
1887             else if (node->child1().useKind() == SetObjectUse)
1888                 fixEdge<SetObjectUse>(node->child1());
1889             else
1890                 RELEASE_ASSERT_NOT_REACHED();
1891
1892 #if USE(JSVALUE64)
1893             if (node->child2()->shouldSpeculateBoolean())
1894                 fixEdge<BooleanUse>(node->child2());
1895             else if (node->child2()->shouldSpeculateInt32())
1896                 fixEdge<Int32Use>(node->child2());
1897             else if (node->child2()->shouldSpeculateSymbol())
1898                 fixEdge<SymbolUse>(node->child2());
1899             else if (node->child2()->shouldSpeculateObject())
1900                 fixEdge<ObjectUse>(node->child2());
1901             else if (node->child2()->shouldSpeculateString())
1902                 fixEdge<StringUse>(node->child2());
1903             else if (node->child2()->shouldSpeculateCell())
1904                 fixEdge<CellUse>(node->child2());
1905             else
1906                 fixEdge<UntypedUse>(node->child2());
1907 #else
1908             fixEdge<UntypedUse>(node->child2());
1909 #endif // USE(JSVALUE64)
1910
1911             fixEdge<Int32Use>(node->child3());
1912             break;
1913
1914         case GetMapBucketHead:
1915             if (node->child1().useKind() == MapObjectUse)
1916                 fixEdge<MapObjectUse>(node->child1());
1917             else if (node->child1().useKind() == SetObjectUse)
1918                 fixEdge<SetObjectUse>(node->child1());
1919             else
1920                 RELEASE_ASSERT_NOT_REACHED();
1921             break;
1922
1923         case GetMapBucketNext:
1924         case LoadKeyFromMapBucket:
1925         case LoadValueFromMapBucket:
1926             fixEdge<CellUse>(node->child1());
1927             break;
1928
1929         case MapHash: {
1930 #if USE(JSVALUE64)
1931             if (node->child1()->shouldSpeculateBoolean()) {
1932                 fixEdge<BooleanUse>(node->child1());
1933                 break;
1934             }
1935
1936             if (node->child1()->shouldSpeculateInt32()) {
1937                 fixEdge<Int32Use>(node->child1());
1938                 break;
1939             }
1940
1941             if (node->child1()->shouldSpeculateSymbol()) {
1942                 fixEdge<SymbolUse>(node->child1());
1943                 break;
1944             }
1945
1946             if (node->child1()->shouldSpeculateObject()) {
1947                 fixEdge<ObjectUse>(node->child1());
1948                 break;
1949             }
1950
1951             if (node->child1()->shouldSpeculateString()) {
1952                 fixEdge<StringUse>(node->child1());
1953                 break;
1954             }
1955
1956             if (node->child1()->shouldSpeculateCell()) {
1957                 fixEdge<CellUse>(node->child1());
1958                 break;
1959             }
1960
1961             fixEdge<UntypedUse>(node->child1());
1962 #else
1963             fixEdge<UntypedUse>(node->child1());
1964 #endif // USE(JSVALUE64)
1965             break;
1966         }
1967
1968         case NormalizeMapKey: {
1969             fixupNormalizeMapKey(node);
1970             break;
1971         }
1972
1973         case WeakMapGet: {
1974             if (node->child1().useKind() == WeakMapObjectUse)
1975                 fixEdge<WeakMapObjectUse>(node->child1());
1976             else if (node->child1().useKind() == WeakSetObjectUse)
1977                 fixEdge<WeakSetObjectUse>(node->child1());
1978             else
1979                 RELEASE_ASSERT_NOT_REACHED();
1980             fixEdge<ObjectUse>(node->child2());
1981             fixEdge<Int32Use>(node->child3());
1982             break;
1983         }
1984
1985         case SetAdd: {
1986             fixEdge<SetObjectUse>(node->child1());
1987             fixEdge<Int32Use>(node->child3());
1988             break;
1989         }
1990
1991         case MapSet: {
1992             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1993             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1994             break;
1995         }
1996
1997         case WeakSetAdd: {
1998             fixEdge<WeakSetObjectUse>(node->child1());
1999             fixEdge<ObjectUse>(node->child2());
2000             fixEdge<Int32Use>(node->child3());
2001             break;
2002         }
2003
2004         case WeakMapSet: {
2005             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
2006             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
2007             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
2008             break;
2009         }
2010
2011         case DefineDataProperty: {
2012             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2013             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2014             if (propertyEdge->shouldSpeculateSymbol())
2015                 fixEdge<SymbolUse>(propertyEdge);
2016             else if (propertyEdge->shouldSpeculateStringIdent())
2017                 fixEdge<StringIdentUse>(propertyEdge);
2018             else if (propertyEdge->shouldSpeculateString())
2019                 fixEdge<StringUse>(propertyEdge);
2020             else
2021                 fixEdge<UntypedUse>(propertyEdge);
2022             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
2023             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
2024             break;
2025         }
2026
2027         case StringSlice: {
2028             fixEdge<StringUse>(node->child1());
2029             fixEdge<Int32Use>(node->child2());
2030             if (node->child3())
2031                 fixEdge<Int32Use>(node->child3());
2032             break;
2033         }
2034
2035         case ToLowerCase: {
2036             // We currently only support StringUse since that will ensure that
2037             // ToLowerCase is a pure operation. If we decide to update this with
2038             // more types in the future, we need to ensure that the clobberize rules
2039             // are correct.
2040             fixEdge<StringUse>(node->child1());
2041             break;
2042         }
2043
2044         case NumberToStringWithRadix: {
2045             if (node->child1()->shouldSpeculateInt32())
2046                 fixEdge<Int32Use>(node->child1());
2047             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2048                 fixEdge<Int52RepUse>(node->child1());
2049             else
2050                 fixEdge<DoubleRepUse>(node->child1());
2051             fixEdge<Int32Use>(node->child2());
2052             break;
2053         }
2054
2055         case DefineAccessorProperty: {
2056             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2057             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2058             if (propertyEdge->shouldSpeculateSymbol())
2059                 fixEdge<SymbolUse>(propertyEdge);
2060             else if (propertyEdge->shouldSpeculateStringIdent())
2061                 fixEdge<StringIdentUse>(propertyEdge);
2062             else if (propertyEdge->shouldSpeculateString())
2063                 fixEdge<StringUse>(propertyEdge);
2064             else
2065                 fixEdge<UntypedUse>(propertyEdge);
2066             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2067             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2068             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2069             break;
2070         }
2071
2072         case CheckSubClass: {
2073             fixupCheckSubClass(node);
2074             break;
2075         }
2076
2077         case CallDOMGetter: {
2078             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2079             fixEdge<CellUse>(node->child1()); // DOM.
2080             if (snippet && snippet->requireGlobalObject)
2081                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2082             break;
2083         }
2084
2085         case CallDOM: {
2086             fixupCallDOM(node);
2087             break;
2088         }
2089
2090         case Call: {
2091             attemptToMakeCallDOM(node);
2092             break;
2093         }
2094
2095         case ParseInt: {
2096             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2097                 fixEdge<Int32Use>(node->child1());
2098                 node->convertToIdentity();
2099                 break;
2100             }
2101
2102             if (node->child1()->shouldSpeculateString()) {
2103                 fixEdge<StringUse>(node->child1());
2104                 node->clearFlags(NodeMustGenerate);
2105             }
2106
2107             if (node->child2())
2108                 fixEdge<Int32Use>(node->child2());
2109
2110             break;
2111         }
2112
2113         case IdentityWithProfile: {
2114             node->clearFlags(NodeMustGenerate);
2115             break;
2116         }
2117
2118         case ThrowStaticError:
2119             fixEdge<StringUse>(node->child1());
2120             break;
2121
2122         case NumberIsInteger:
2123             if (node->child1()->shouldSpeculateInt32()) {
2124                 m_insertionSet.insertNode(
2125                     m_indexInBlock, SpecNone, Check, node->origin,
2126                     Edge(node->child1().node(), Int32Use));
2127                 m_graph.convertToConstant(node, jsBoolean(true));
2128                 break;
2129             }
2130             break;
2131
2132 #if !ASSERT_DISABLED
2133         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2134         case SetArgument:
2135         case JSConstant:
2136         case LazyJSConstant:
2137         case DoubleConstant:
2138         case GetLocal:
2139         case GetCallee:
2140         case GetArgumentCountIncludingThis:
2141         case SetArgumentCountIncludingThis:
2142         case GetRestLength:
2143         case GetArgument:
2144         case Flush:
2145         case PhantomLocal:
2146         case GetGlobalVar:
2147         case GetGlobalLexicalVariable:
2148         case NotifyWrite:
2149         case DirectCall:
2150         case CheckTypeInfoFlags:
2151         case TailCallInlinedCaller:
2152         case DirectTailCallInlinedCaller:
2153         case Construct:
2154         case DirectConstruct:
2155         case CallVarargs:
2156         case CallEval:
2157         case TailCallVarargsInlinedCaller:
2158         case ConstructVarargs:
2159         case CallForwardVarargs:
2160         case ConstructForwardVarargs:
2161         case TailCallForwardVarargs:
2162         case TailCallForwardVarargsInlinedCaller:
2163         case LoadVarargs:
2164         case ForwardVarargs:
2165         case ProfileControlFlow:
2166         case NewObject:
2167         case NewRegexp:
2168         case DeleteById:
2169         case DeleteByVal:
2170         case IsTypedArrayView:
2171         case IsEmpty:
2172         case IsUndefined:
2173         case IsBoolean:
2174         case IsNumber:
2175         case IsObjectOrNull:
2176         case IsFunction:
2177         case CreateDirectArguments:
2178         case Jump:
2179         case Return:
2180         case TailCall:
2181         case DirectTailCall:
2182         case TailCallVarargs:
2183         case Throw:
2184         case CountExecution:
2185         case SuperSamplerBegin:
2186         case SuperSamplerEnd:
2187         case ForceOSRExit:
2188         case CheckBadCell:
2189         case CheckNotEmpty:
2190         case AssertNotEmpty:
2191         case CheckTraps:
2192         case Unreachable:
2193         case ExtractOSREntryLocal:
2194         case ExtractCatchLocal:
2195         case LoopHint:
2196         case MovHint:
2197         case InitializeEntrypointArguments:
2198         case ZombieHint:
2199         case ExitOK:
2200         case BottomValue:
2201         case TypeOf:
2202         case PutByIdWithThis:
2203         case PutByValWithThis:
2204         case GetByValWithThis:
2205         case CompareEqPtr:
2206         case NumberToStringWithValidRadixConstant:
2207         case GetGlobalThis:
2208         case ExtractValueFromWeakMapGet:
2209         case CPUIntrinsic:
2210             break;
2211 #else
2212         default:
2213             break;
2214 #endif
2215         }
2216     }
2217
2218     void watchHavingABadTime(Node* node)
2219     {
2220         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2221
2222         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2223         // does an array allocation. The types of array allocations may change if we start to have a bad
2224         // time. It's easier to reason about this if we know that whenever the types change after we start
2225         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2226         // prior to this point nobody should have been doing optimizations based on the indexing type of
2227         // the allocation.
2228         if (!globalObject->isHavingABadTime()) {
2229             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2230             m_graph.freeze(globalObject);
2231         }
2232     }
2233     
2234     template<UseKind useKind>
2235     void createToString(Node* node, Edge& edge)
2236     {
2237         Node* toString = m_insertionSet.insertNode(
2238             m_indexInBlock, SpecString, ToString, node->origin,
2239             Edge(edge.node(), useKind));
2240         switch (useKind) {
2241         case Int32Use:
2242         case Int52RepUse:
2243         case DoubleRepUse:
2244         case NotCellUse:
2245             toString->clearFlags(NodeMustGenerate);
2246             break;
2247         default:
2248             break;
2249         }
2250         edge.setNode(toString);
2251     }
2252     
2253     template<UseKind useKind>
2254     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2255     {
2256         ASSERT(arrayMode == ArrayMode(Array::Generic));
2257         
2258         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2259             return;
2260         
2261         createToString<useKind>(node, node->child1());
2262         arrayMode = ArrayMode(Array::String);
2263     }
2264     
2265     template<UseKind useKind>
2266     bool isStringObjectUse()
2267     {
2268         switch (useKind) {
2269         case StringObjectUse:
2270         case StringOrStringObjectUse:
2271             return true;
2272         default:
2273             return false;
2274         }
2275     }
2276     
2277     template<UseKind useKind>
2278     void convertStringAddUse(Node* node, Edge& edge)
2279     {
2280         if (useKind == StringUse) {
2281             observeUseKindOnNode<StringUse>(edge.node());
2282             m_insertionSet.insertNode(
2283                 m_indexInBlock, SpecNone, Check, node->origin,
2284                 Edge(edge.node(), StringUse));
2285             edge.setUseKind(KnownStringUse);
2286             return;
2287         }
2288         
2289         observeUseKindOnNode<useKind>(edge.node());
2290         createToString<useKind>(node, edge);
2291     }
2292     
2293     void convertToMakeRope(Node* node)
2294     {
2295         node->setOpAndDefaultFlags(MakeRope);
2296         fixupMakeRope(node);
2297     }
2298     
2299     void fixupMakeRope(Node* node)
2300     {
2301         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2302             Edge& edge = node->children.child(i);
2303             if (!edge)
2304                 break;
2305             edge.setUseKind(KnownStringUse);
2306             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2307             if (!string)
2308                 continue;
2309             if (string->length())
2310                 continue;
2311             
2312             // Don't allow the MakeRope to have zero children.
2313             if (!i && !node->child2())
2314                 break;
2315             
2316             node->children.removeEdge(i--);
2317         }
2318         
2319         if (!node->child2()) {
2320             ASSERT(!node->child3());
2321             node->convertToIdentity();
2322         }
2323     }
2324
2325     void fixupIsCellWithType(Node* node)
2326     {
2327         switch (node->speculatedTypeForQuery()) {
2328         case SpecString:
2329             if (node->child1()->shouldSpeculateString()) {
2330                 m_insertionSet.insertNode(
2331                     m_indexInBlock, SpecNone, Check, node->origin,
2332                     Edge(node->child1().node(), StringUse));
2333                 m_graph.convertToConstant(node, jsBoolean(true));
2334                 observeUseKindOnNode<StringUse>(node);
2335                 return;
2336             }
2337             break;
2338
2339         case SpecProxyObject:
2340             if (node->child1()->shouldSpeculateProxyObject()) {
2341                 m_insertionSet.insertNode(
2342                     m_indexInBlock, SpecNone, Check, node->origin,
2343                     Edge(node->child1().node(), ProxyObjectUse));
2344                 m_graph.convertToConstant(node, jsBoolean(true));
2345                 observeUseKindOnNode<ProxyObjectUse>(node);
2346                 return;
2347             }
2348             break;
2349
2350         case SpecRegExpObject:
2351             if (node->child1()->shouldSpeculateRegExpObject()) {
2352                 m_insertionSet.insertNode(
2353                     m_indexInBlock, SpecNone, Check, node->origin,
2354                     Edge(node->child1().node(), RegExpObjectUse));
2355                 m_graph.convertToConstant(node, jsBoolean(true));
2356                 observeUseKindOnNode<RegExpObjectUse>(node);
2357                 return;
2358             }
2359             break;
2360
2361         case SpecArray:
2362             if (node->child1()->shouldSpeculateArray()) {
2363                 m_insertionSet.insertNode(
2364                     m_indexInBlock, SpecNone, Check, node->origin,
2365                     Edge(node->child1().node(), ArrayUse));
2366                 m_graph.convertToConstant(node, jsBoolean(true));
2367                 observeUseKindOnNode<ArrayUse>(node);
2368                 return;
2369             }
2370             break;
2371
2372         case SpecDerivedArray:
2373             if (node->child1()->shouldSpeculateDerivedArray()) {
2374                 m_insertionSet.insertNode(
2375                     m_indexInBlock, SpecNone, Check, node->origin,
2376                     Edge(node->child1().node(), DerivedArrayUse));
2377                 m_graph.convertToConstant(node, jsBoolean(true));
2378                 observeUseKindOnNode<DerivedArrayUse>(node);
2379                 return;
2380             }
2381             break;
2382         }
2383
2384         if (node->child1()->shouldSpeculateCell()) {
2385             fixEdge<CellUse>(node->child1());
2386             return;
2387         }
2388
2389         if (node->child1()->shouldSpeculateNotCell()) {
2390             m_insertionSet.insertNode(
2391                 m_indexInBlock, SpecNone, Check, node->origin,
2392                 Edge(node->child1().node(), NotCellUse));
2393             m_graph.convertToConstant(node, jsBoolean(false));
2394             observeUseKindOnNode<NotCellUse>(node);
2395             return;
2396         }
2397     }
2398
2399     void fixupGetPrototypeOf(Node* node)
2400     {
2401         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2402         if (node->child1().useKind() != ObjectUse) {
2403             if (node->child1()->shouldSpeculateString()) {
2404                 insertCheck<StringUse>(node->child1().node());
2405                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2406                 return;
2407             }
2408             if (node->child1()->shouldSpeculateInt32()) {
2409                 insertCheck<Int32Use>(node->child1().node());
2410                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2411                 return;
2412             }
2413             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2414                 insertCheck<Int52RepUse>(node->child1().node());
2415                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2416                 return;
2417             }
2418             if (node->child1()->shouldSpeculateNumber()) {
2419                 insertCheck<NumberUse>(node->child1().node());
2420                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2421                 return;
2422             }
2423             if (node->child1()->shouldSpeculateSymbol()) {
2424                 insertCheck<SymbolUse>(node->child1().node());
2425                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2426                 return;
2427             }
2428             if (node->child1()->shouldSpeculateBoolean()) {
2429                 insertCheck<BooleanUse>(node->child1().node());
2430                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2431                 return;
2432             }
2433         }
2434
2435         if (node->child1()->shouldSpeculateFinalObject()) {
2436             fixEdge<FinalObjectUse>(node->child1());
2437             node->clearFlags(NodeMustGenerate);
2438             return;
2439         }
2440         if (node->child1()->shouldSpeculateArray()) {
2441             fixEdge<ArrayUse>(node->child1());
2442             node->clearFlags(NodeMustGenerate);
2443             return;
2444         }
2445         if (node->child1()->shouldSpeculateFunction()) {
2446             fixEdge<FunctionUse>(node->child1());
2447             node->clearFlags(NodeMustGenerate);
2448             return;
2449         }
2450     }
2451
2452     void fixupToThis(Node* node)
2453     {
2454         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2455
2456         if (ecmaMode == StrictMode) {
2457             if (node->child1()->shouldSpeculateBoolean()) {
2458                 fixEdge<BooleanUse>(node->child1());
2459                 node->convertToIdentity();
2460                 return;
2461             }
2462
2463             if (node->child1()->shouldSpeculateInt32()) {
2464                 fixEdge<Int32Use>(node->child1());
2465                 node->convertToIdentity();
2466                 return;
2467             }
2468
2469             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2470                 fixEdge<Int52RepUse>(node->child1());
2471                 node->convertToIdentity();
2472                 node->setResult(NodeResultInt52);
2473                 return;
2474             }
2475
2476             if (node->child1()->shouldSpeculateNumber()) {
2477                 fixEdge<DoubleRepUse>(node->child1());
2478                 node->convertToIdentity();
2479                 node->setResult(NodeResultDouble);
2480                 return;
2481             }
2482
2483             if (node->child1()->shouldSpeculateSymbol()) {
2484                 fixEdge<SymbolUse>(node->child1());
2485                 node->convertToIdentity();
2486                 return;
2487             }
2488
2489             if (node->child1()->shouldSpeculateStringIdent()) {
2490                 fixEdge<StringIdentUse>(node->child1());
2491                 node->convertToIdentity();
2492                 return;
2493             }
2494
2495             if (node->child1()->shouldSpeculateString()) {
2496                 fixEdge<StringUse>(node->child1());
2497                 node->convertToIdentity();
2498                 return;
2499             }
2500         }
2501
2502         if (node->child1()->shouldSpeculateOther()) {
2503             if (ecmaMode == StrictMode) {
2504                 fixEdge<OtherUse>(node->child1());
2505                 node->convertToIdentity();
2506                 return;
2507             }
2508
2509             m_insertionSet.insertNode(
2510                 m_indexInBlock, SpecNone, Check, node->origin,
2511                 Edge(node->child1().node(), OtherUse));
2512             observeUseKindOnNode<OtherUse>(node->child1().node());
2513             m_graph.convertToConstant(
2514                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2515             return;
2516         }
2517
2518         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2519         // however, since we cover all the missing cases in constant folding.
2520         // https://bugs.webkit.org/show_bug.cgi?id=157213
2521         if (node->child1()->shouldSpeculateStringObject()) {
2522             fixEdge<StringObjectUse>(node->child1());
2523             node->convertToIdentity();
2524             return;
2525         }
2526
2527         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2528             fixEdge<FinalObjectUse>(node->child1());
2529             node->convertToIdentity();
2530             return;
2531         }
2532     }
2533     
2534     void fixupToPrimitive(Node* node)
2535     {
2536         if (node->child1()->shouldSpeculateInt32()) {
2537             fixEdge<Int32Use>(node->child1());
2538             node->convertToIdentity();
2539             return;
2540         }
2541         
2542         if (node->child1()->shouldSpeculateString()) {
2543             fixEdge<StringUse>(node->child1());
2544             node->convertToIdentity();
2545             return;
2546         }
2547         
2548         if (node->child1()->shouldSpeculateStringObject()
2549             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2550             fixEdge<StringObjectUse>(node->child1());
2551             node->convertToToString();
2552             return;
2553         }
2554         
2555         if (node->child1()->shouldSpeculateStringOrStringObject()
2556             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2557             fixEdge<StringOrStringObjectUse>(node->child1());
2558             node->convertToToString();
2559             return;
2560         }
2561     }
2562
2563     void fixupToNumber(Node* node)
2564     {
2565         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2566         if (node->child1()->shouldSpeculateNumber()) {
2567             if (isInt32Speculation(node->getHeapPrediction())) {
2568                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2569                 if (node->child1()->shouldSpeculateInt32()) {
2570                     fixEdge<Int32Use>(node->child1());
2571                     node->convertToIdentity();
2572                     return;
2573                 }
2574
2575                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2576                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2577                 fixEdge<DoubleRepUse>(node->child1());
2578                 node->setOp(DoubleAsInt32);
2579                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2580                     node->setArithMode(Arith::CheckOverflow);
2581                 else
2582                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2583                 return;
2584             }
2585
2586             fixEdge<DoubleRepUse>(node->child1());
2587             node->convertToIdentity();
2588             node->setResult(NodeResultDouble);
2589             return;
2590         }
2591
2592         fixEdge<UntypedUse>(node->child1());
2593         node->setResult(NodeResultJS);
2594     }
2595
2596     void fixupToObject(Node* node)
2597     {
2598         if (node->child1()->shouldSpeculateObject()) {
2599             fixEdge<ObjectUse>(node->child1());
2600             node->convertToIdentity();
2601             return;
2602         }
2603
2604         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2605
2606         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2607
2608         if (node->child1()->shouldSpeculateString()) {
2609             insertCheck<StringUse>(node->child1().node());
2610             fixEdge<KnownStringUse>(node->child1());
2611             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2612             return;
2613         }
2614
2615         if (node->child1()->shouldSpeculateSymbol()) {
2616             insertCheck<SymbolUse>(node->child1().node());
2617             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2618             return;
2619         }
2620
2621         if (node->child1()->shouldSpeculateNumber()) {
2622             insertCheck<NumberUse>(node->child1().node());
2623             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2624             return;
2625         }
2626
2627         if (node->child1()->shouldSpeculateBoolean()) {
2628             insertCheck<BooleanUse>(node->child1().node());
2629             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2630             return;
2631         }
2632
2633         fixEdge<UntypedUse>(node->child1());
2634     }
2635
2636     void fixupCallObjectConstructor(Node* node)
2637     {
2638         if (node->child1()->shouldSpeculateObject()) {
2639             fixEdge<ObjectUse>(node->child1());
2640             node->convertToIdentity();
2641             return;
2642         }
2643
2644         if (node->child1()->shouldSpeculateString()) {
2645             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2646             insertCheck<StringUse>(node->child1().node());
2647             fixEdge<KnownStringUse>(node->child1());
2648             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2649             return;
2650         }
2651
2652         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2653         if (node->child1()->shouldSpeculateOther()) {
2654             insertCheck<OtherUse>(node->child1().node());
2655             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2656             return;
2657         }
2658
2659         fixEdge<UntypedUse>(node->child1());
2660     }
2661     
2662     void fixupToStringOrCallStringConstructor(Node* node)
2663     {
2664         if (node->child1()->shouldSpeculateString()) {
2665             fixEdge<StringUse>(node->child1());
2666             node->convertToIdentity();
2667             return;
2668         }
2669         
2670         if (node->child1()->shouldSpeculateStringObject()
2671             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2672             fixEdge<StringObjectUse>(node->child1());
2673             return;
2674         }
2675         
2676         if (node->child1()->shouldSpeculateStringOrStringObject()
2677             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2678             fixEdge<StringOrStringObjectUse>(node->child1());
2679             return;
2680         }
2681         
2682         if (node->child1()->shouldSpeculateCell()) {
2683             fixEdge<CellUse>(node->child1());
2684             return;
2685         }
2686
2687         if (node->child1()->shouldSpeculateInt32()) {
2688             fixEdge<Int32Use>(node->child1());
2689             node->clearFlags(NodeMustGenerate);
2690             return;
2691         }
2692
2693         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2694             fixEdge<Int52RepUse>(node->child1());
2695             node->clearFlags(NodeMustGenerate);
2696             return;
2697         }
2698
2699         if (node->child1()->shouldSpeculateNumber()) {
2700             fixEdge<DoubleRepUse>(node->child1());
2701             node->clearFlags(NodeMustGenerate);
2702             return;
2703         }
2704
2705         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2706         // we need to care about it in the clobberize. In the following case,
2707         // since NotCellUse edge filter is used and this edge filters Symbols,
2708         // we can say that ToString never throws an error!
2709         if (node->child1()->shouldSpeculateNotCell()) {
2710             fixEdge<NotCellUse>(node->child1());
2711             node->clearFlags(NodeMustGenerate);
2712             return;
2713         }
2714     }
2715
2716     bool attemptToMakeFastStringAdd(Node* node)
2717     {
2718         bool goodToGo = true;
2719         m_graph.doToChildren(
2720             node,
2721             [&] (Edge& edge) {
2722                 if (edge->shouldSpeculateString())
2723                     return;
2724                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2725                     if (edge->shouldSpeculateStringObject())
2726                         return;
2727                     if (edge->shouldSpeculateStringOrStringObject())
2728                         return;
2729                 }
2730                 goodToGo = false;
2731             });
2732         if (!goodToGo)
2733             return false;
2734
2735         m_graph.doToChildren(
2736             node,
2737             [&] (Edge& edge) {
2738                 if (edge->shouldSpeculateString()) {
2739                     convertStringAddUse<StringUse>(node, edge);
2740                     return;
2741                 }
2742                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2743                 if (edge->shouldSpeculateStringObject()) {
2744                     convertStringAddUse<StringObjectUse>(node, edge);
2745                     return;
2746                 }
2747                 if (edge->shouldSpeculateStringOrStringObject()) {
2748                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2749                     return;
2750                 }
2751                 RELEASE_ASSERT_NOT_REACHED();
2752             });
2753         
2754         convertToMakeRope(node);
2755         return true;
2756     }
2757
2758     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2759     {
2760         if (!block)
2761             return;
2762         ASSERT(block->isReachable);
2763         m_block = block;
2764         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2765             Node* node = m_currentNode = block->at(m_indexInBlock);
2766             if (node->op() != SetLocal && node->op() != GetLocal)
2767                 continue;
2768             
2769             VariableAccessData* variable = node->variableAccessData();
2770             switch (node->op()) {
2771             case GetLocal:
2772                 switch (variable->flushFormat()) {
2773                 case FlushedDouble:
2774                     node->setResult(NodeResultDouble);
2775                     break;
2776                 case FlushedInt52:
2777                     node->setResult(NodeResultInt52);
2778                     break;
2779                 default:
2780                     break;
2781                 }
2782                 break;
2783                 
2784             case SetLocal:
2785                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2786                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2787                 
2788                 switch (variable->flushFormat()) {
2789                 case FlushedJSValue:
2790                     break;
2791                 case FlushedDouble:
2792                     fixEdge<DoubleRepUse>(node->child1());
2793                     break;
2794                 case FlushedInt32:
2795                     fixEdge<Int32Use>(node->child1());
2796                     break;
2797                 case FlushedInt52:
2798                     fixEdge<Int52RepUse>(node->child1());
2799                     break;
2800                 case FlushedCell:
2801                     fixEdge<CellUse>(node->child1());
2802                     break;
2803                 case FlushedBoolean:
2804                     fixEdge<BooleanUse>(node->child1());
2805                     break;
2806                 default:
2807                     RELEASE_ASSERT_NOT_REACHED();
2808                     break;
2809                 }
2810                 break;
2811                 
2812             default:
2813                 RELEASE_ASSERT_NOT_REACHED();
2814                 break;
2815             }
2816         }
2817         m_insertionSet.execute(block);
2818     }
2819     
2820     void addStringReplacePrimordialChecks(Node* searchRegExp)
2821     {
2822         Node* node = m_currentNode;
2823
2824         // Check that structure of searchRegExp is RegExp object
2825         m_insertionSet.insertNode(
2826             m_indexInBlock, SpecNone, Check, node->origin,
2827             Edge(searchRegExp, RegExpObjectUse));
2828
2829         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2830             unsigned index = m_graph.identifiers().ensure(propertyUID);
2831
2832             Node* actualProperty = m_insertionSet.insertNode(
2833                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2834                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2835
2836             m_insertionSet.insertNode(
2837                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2838                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2839         };
2840
2841         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2842
2843         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2844         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2845         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2846         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2847         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2848         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2849         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2850         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2851     }
2852
2853     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2854     {
2855         ASSERT(arrayMode.isSpecific());
2856         
2857         if (arrayMode.type() == Array::String) {
2858             m_insertionSet.insertNode(
2859                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2860         } else {
2861             // Note that we only need to be using a structure check if we opt for SaneChain, since
2862             // that needs to protect against JSArray's __proto__ being changed.
2863             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2864         
2865             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2866             
2867             if (arrayMode.doesConversion()) {
2868                 if (structure) {
2869                     m_insertionSet.insertNode(
2870                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2871                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2872                 } else {
2873                     m_insertionSet.insertNode(
2874                         m_indexInBlock, SpecNone, Arrayify, origin,
2875                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2876                 }
2877             } else {
2878                 if (structure) {
2879                     m_insertionSet.insertNode(
2880                         m_indexInBlock, SpecNone, CheckStructure, origin,
2881                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2882                 } else {
2883                     m_insertionSet.insertNode(
2884                         m_indexInBlock, SpecNone, CheckArray, origin,
2885                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2886                 }
2887             }
2888         }
2889         
2890         if (!storageCheck(arrayMode))
2891             return nullptr;
2892         
2893         if (arrayMode.usesButterfly()) {
2894             return m_insertionSet.insertNode(
2895                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2896         }
2897         
2898         return m_insertionSet.insertNode(
2899             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2900             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2901     }
2902     
2903     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2904     {
2905         Node* node = m_currentNode;
2906         
2907         switch (node->arrayMode().type()) {
2908         case Array::ForceExit: {
2909             m_insertionSet.insertNode(
2910                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2911             return;
2912         }
2913             
2914         case Array::SelectUsingPredictions:
2915         case Array::Unprofiled:
2916             RELEASE_ASSERT_NOT_REACHED();
2917             return;
2918             
2919         case Array::Generic:
2920             return;
2921             
2922         default: {
2923             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2924             if (!storage)
2925                 return;
2926             
2927             storageChild = Edge(storage);
2928             return;
2929         } }
2930     }
2931     
2932     bool alwaysUnboxSimplePrimitives()
2933     {
2934 #if USE(JSVALUE64)
2935         return false;
2936 #else
2937         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2938         // reduces traffic.
2939         return true;
2940 #endif
2941     }
2942
2943     template<UseKind useKind>
2944     void observeUseKindOnNode(Node* node)
2945     {
2946         if (useKind == UntypedUse)
2947             return;
2948         observeUseKindOnNode(node, useKind);
2949     }
2950
2951     void observeUseKindOnEdge(Edge edge)
2952     {
2953         observeUseKindOnNode(edge.node(), edge.useKind());
2954     }
2955
2956     void observeUseKindOnNode(Node* node, UseKind useKind)
2957     {
2958         if (node->op() != GetLocal)
2959             return;
2960         
2961         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2962         // https://bugs.webkit.org/show_bug.cgi?id=121518
2963         
2964         VariableAccessData* variable = node->variableAccessData();
2965         switch (useKind) {
2966         case Int32Use:
2967         case KnownInt32Use:
2968             if (alwaysUnboxSimplePrimitives()
2969                 || isInt32Speculation(variable->prediction()))
2970                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2971             break;
2972         case NumberUse:
2973         case RealNumberUse:
2974         case DoubleRepUse:
2975         case DoubleRepRealUse:
2976             if (variable->doubleFormatState() == UsingDoubleFormat)
2977                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2978             break;
2979         case BooleanUse:
2980         case KnownBooleanUse:
2981             if (alwaysUnboxSimplePrimitives()
2982                 || isBooleanSpeculation(variable->prediction()))
2983                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2984             break;
2985         case Int52RepUse:
2986             if (isAnyIntSpeculation(variable->prediction()))
2987                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2988             break;
2989         case CellUse:
2990         case KnownCellUse:
2991         case ObjectUse:
2992         case FunctionUse:
2993         case StringUse:
2994         case KnownStringUse:
2995         case SymbolUse:
2996         case StringObjectUse:
2997         case StringOrStringObjectUse:
2998             if (alwaysUnboxSimplePrimitives()
2999                 || isCellSpeculation(variable->prediction()))
3000                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3001             break;
3002         default:
3003             break;
3004         }
3005     }
3006     
3007     template<UseKind useKind>
3008     void fixEdge(Edge& edge)
3009     {
3010         observeUseKindOnNode<useKind>(edge.node());
3011         edge.setUseKind(useKind);
3012     }
3013     
3014     unsigned indexForChecks()
3015     {
3016         unsigned index = m_indexInBlock;
3017         while (!m_block->at(index)->origin.exitOK)
3018             index--;
3019         return index;
3020     }
3021     
3022     NodeOrigin originForCheck(unsigned index)
3023     {
3024         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3025     }
3026     
3027     void speculateForBarrier(Edge value)
3028     {
3029         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3030         // the DFG anyway because if such a speculation would be wrong, we want to know before
3031         // we do an expensive compile.
3032         
3033         if (value->shouldSpeculateInt32()) {
3034             insertCheck<Int32Use>(value.node());
3035             return;
3036         }
3037             
3038         if (value->shouldSpeculateBoolean()) {
3039             insertCheck<BooleanUse>(value.node());
3040             return;
3041         }
3042             
3043         if (value->shouldSpeculateOther()) {
3044             insertCheck<OtherUse>(value.node());
3045             return;
3046         }
3047             
3048         if (value->shouldSpeculateNumber()) {
3049             insertCheck<NumberUse>(value.node());
3050             return;
3051         }
3052             
3053         if (value->shouldSpeculateNotCell()) {
3054             insertCheck<NotCellUse>(value.node());
3055             return;
3056         }
3057     }
3058     
3059     template<UseKind useKind>
3060     void insertCheck(Node* node)
3061     {
3062         observeUseKindOnNode<useKind>(node);
3063         unsigned index = indexForChecks();
3064         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3065     }
3066
3067     void fixIntConvertingEdge(Edge& edge)
3068     {
3069         Node* node = edge.node();
3070         if (node->shouldSpeculateInt32OrBoolean()) {
3071             fixIntOrBooleanEdge(edge);
3072             return;
3073         }
3074         
3075         UseKind useKind;
3076         if (node->shouldSpeculateAnyInt())
3077             useKind = Int52RepUse;
3078         else if (node->shouldSpeculateNumber())
3079             useKind = DoubleRepUse;
3080         else
3081             useKind = NotCellUse;
3082         Node* newNode = m_insertionSet.insertNode(
3083             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3084             Edge(node, useKind));
3085         observeUseKindOnNode(node, useKind);
3086         
3087         edge = Edge(newNode, KnownInt32Use);
3088     }
3089     
3090     void fixIntOrBooleanEdge(Edge& edge)
3091     {
3092         Node* node = edge.node();
3093         if (!node->sawBooleans()) {
3094             fixEdge<Int32Use>(edge);
3095             return;
3096         }
3097         
3098         UseKind useKind;
3099         if (node->shouldSpeculateBoolean())
3100             useKind = BooleanUse;
3101         else
3102             useKind = UntypedUse;
3103         Node* newNode = m_insertionSet.insertNode(
3104             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3105             Edge(node, useKind));
3106         observeUseKindOnNode(node, useKind);
3107         
3108         edge = Edge(newNode, Int32Use);
3109     }
3110     
3111     void fixDoubleOrBooleanEdge(Edge& edge)
3112     {
3113         Node* node = edge.node();
3114         if (!node->sawBooleans()) {
3115             fixEdge<DoubleRepUse>(edge);
3116             return;
3117         }
3118         
3119         UseKind useKind;
3120         if (node->shouldSpeculateBoolean())
3121             useKind = BooleanUse;
3122         else
3123             useKind = UntypedUse;
3124         Node* newNode = m_insertionSet.insertNode(
3125             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3126             Edge(node, useKind));
3127         observeUseKindOnNode(node, useKind);
3128         
3129         edge = Edge(newNode, DoubleRepUse);
3130     }
3131     
3132     void truncateConstantToInt32(Edge& edge)
3133     {
3134         Node* oldNode = edge.node();
3135         
3136         JSValue value = oldNode->asJSValue();
3137         if (value.isInt32())
3138             return;
3139         
3140         value = jsNumber(JSC::toInt32(value.asNumber()));
3141         ASSERT(value.isInt32());
3142         edge.setNode(m_insertionSet.insertNode(
3143             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3144             OpInfo(m_graph.freeze(value))));
3145     }
3146     
3147     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3148     {
3149         if (mode != SpeculateInt32AndTruncateConstants)
3150             return;
3151         
3152         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3153         if (node->child1()->hasConstant())
3154             truncateConstantToInt32(node->child1());
3155         else
3156             truncateConstantToInt32(node->child2());
3157     }
3158
3159     bool attemptToMakeIntegerAdd(Node* node)
3160     {
3161         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3162         if (mode != DontSpeculateInt32) {
3163             truncateConstantsIfNecessary(node, mode);
3164             fixIntOrBooleanEdge(node->child1());
3165             fixIntOrBooleanEdge(node->child2());
3166             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3167                 node->setArithMode(Arith::Unchecked);
3168             else
3169                 node->setArithMode(Arith::CheckOverflow);
3170             return true;
3171         }
3172         
3173         if (m_graph.addShouldSpeculateAnyInt(node)) {
3174             fixEdge<Int52RepUse>(node->child1());
3175             fixEdge<Int52RepUse>(node->child2());
3176             node->setArithMode(Arith::CheckOverflow);
3177             node->setResult(NodeResultInt52);
3178             return true;
3179         }
3180         
3181         return false;
3182     }
3183     
3184     bool attemptToMakeGetArrayLength(Node* node)
3185     {
3186         if (!isInt32Speculation(node->prediction()))
3187             return false;
3188         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3189         ArrayProfile* arrayProfile = 
3190             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3191         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
3192         if (arrayProfile) {
3193             ConcurrentJSLocker locker(profiledBlock->m_lock);
3194             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3195             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3196             if (arrayMode.type() == Array::Unprofiled) {
3197                 // For normal array operations, it makes sense to treat Unprofiled
3198                 // accesses as ForceExit and get more data rather than using
3199                 // predictions and then possibly ending up with a Generic. But here,
3200                 // we treat anything that is Unprofiled as Generic and keep the
3201                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3202                 // profit - from treating the Unprofiled case as
3203                 // SelectUsingPredictions.
3204                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
3205             }
3206         }
3207             
3208         arrayMode = arrayMode.refine(
3209             m_graph, node, node->child1()->prediction(), node->prediction());
3210             
3211         if (arrayMode.type() == Array::Generic) {
3212             // Check if the input is something that we can't get array length for, but for which we
3213             // could insert some conversions in order to transform it into something that we can do it
3214             // for.
3215             if (node->child1()->shouldSpeculateStringObject())
3216                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3217             else if (node->child1()->shouldSpeculateStringOrStringObject())
3218                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3219         }
3220             
3221         if (!arrayMode.supportsSelfLength())
3222             return false;
3223         
3224         convertToGetArrayLength(node, arrayMode);
3225         return true;
3226     }
3227
3228     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3229     {
3230         node->setOp(GetArrayLength);
3231         node->clearFlags(NodeMustGenerate);
3232         fixEdge<KnownCellUse>(node->child1());
3233         node->setArrayMode(arrayMode);
3234             
3235         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3236         if (!storage)
3237             return;
3238             
3239         node->child2() = Edge(storage);
3240     }
3241     
3242     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3243     {
3244         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3245         return m_insertionSet.insertNode(
3246             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3247             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3248     }
3249
3250     void convertToHasIndexedProperty(Node* node)
3251     {
3252         node->setOp(HasIndexedProperty);
3253         node->clearFlags(NodeMustGenerate);
3254         node->setArrayMode(
3255             node->arrayMode().refine(
3256                 m_graph, node,
3257                 node->child1()->prediction(),
3258                 node->child2()->prediction(),
3259                 SpecNone));
3260         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3261
3262         blessArrayOperation(node->child1(), node->child2(), node->child3());
3263
3264         fixEdge<CellUse>(node->child1());
3265         fixEdge<Int32Use>(node->child2());
3266     }
3267
3268     void fixupNormalizeMapKey(Node* node)
3269     {
3270         if (node->child1()->shouldSpeculateBoolean()) {
3271             fixEdge<BooleanUse>(node->child1());
3272             node->convertToIdentity();
3273             return;
3274         }
3275
3276         if (node->child1()->shouldSpeculateInt32()) {
3277             fixEdge<Int32Use>(node->child1());
3278             node->convertToIdentity();
3279             return;
3280         }
3281
3282         if (node->child1()->shouldSpeculateSymbol()) {
3283             fixEdge<SymbolUse>(node->child1());
3284             node->convertToIdentity();
3285             return;
3286         }
3287
3288         if (node->child1()->shouldSpeculateObject()) {
3289             fixEdge<ObjectUse>(node->child1());
3290             node->convertToIdentity();
3291             return;
3292         }
3293
3294         if (node->child1()->shouldSpeculateString()) {
3295             fixEdge<StringUse>(node->child1());
3296             node->convertToIdentity();
3297             return;
3298         }
3299
3300         if (node->child1()->shouldSpeculateCell()) {
3301             fixEdge<CellUse>(node->child1());
3302             node->convertToIdentity();
3303             return;
3304         }
3305
3306         fixEdge<UntypedUse>(node->child1());
3307     }
3308
3309     bool attemptToMakeCallDOM(Node* node)
3310     {
3311         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3312             return false;
3313
3314         const DOMJIT::Signature* signature = node->signature();
3315         if (!signature)
3316             return false;
3317
3318         {
3319             unsigned index = 0;
3320             bool shouldConvertToCallDOM = true;
3321             m_graph.doToChildren(node, [&](Edge& edge) {
3322                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3323                 if (!index)
3324                     return;
3325
3326                 if (index == 1) {
3327                     // DOM node case.
3328                     if (edge->shouldSpeculateNotCell())
3329                         shouldConvertToCallDOM = false;
3330                 } else {
3331                     switch (signature->arguments[index - 2]) {
3332                     case SpecString:
3333                         if (edge->shouldSpeculateNotString())
3334                             shouldConvertToCallDOM = false;
3335                         break;
3336                     case SpecInt32Only:
3337                         if (edge->shouldSpeculateNotInt32())
3338                             shouldConvertToCallDOM = false;
3339                         break;
3340                     case SpecBoolean:
3341                         if (edge->shouldSpeculateNotBoolean())
3342                             shouldConvertToCallDOM = false;
3343                         break;
3344                     default:
3345                         RELEASE_ASSERT_NOT_REACHED();
3346                         break;
3347                     }
3348                 }
3349                 ++index;
3350             });
3351             if (!shouldConvertToCallDOM)
3352                 return false;
3353         }
3354
3355         Node* thisNode = m_graph.varArgChild(node, 1).node();
3356         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3357         node->convertToCallDOM(m_graph);
3358         fixupCheckSubClass(checkSubClass);
3359         fixupCallDOM(node);
3360         return true;
3361     }
3362
3363     void fixupCheckSubClass(Node* node)
3364     {
3365         fixEdge<CellUse>(node->child1());
3366     }
3367
3368     void fixupCallDOM(Node* node)
3369     {
3370         const DOMJIT::Signature* signature = node->signature();
3371         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3372             if (!edge)
3373                 return;
3374             switch (signature->arguments[argumentIndex]) {
3375             case SpecString:
3376                 fixEdge<StringUse>(edge);
3377                 break;
3378             case SpecInt32Only:
3379                 fixEdge<Int32Use>(edge);
3380                 break;
3381             case SpecBoolean:
3382                 fixEdge<BooleanUse>(edge);
3383                 break;
3384             default:
3385                 RELEASE_ASSERT_NOT_REACHED();
3386                 break;
3387             }
3388         };
3389         fixEdge<CellUse>(node->child1()); // DOM.
3390         fixup(node->child2(), 0);
3391         fixup(node->child3(), 1);
3392     }
3393
3394     void fixupArrayIndexOf(Node* node)
3395     {
3396         Edge& array = m_graph.varArgChild(node, 0);
3397         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3398         blessArrayOperation(array, Edge(), storage);
3399         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3400
3401         Edge& searchElement = m_graph.varArgChild(node, 1);
3402
3403         // Constant folding.
3404         switch (node->arrayMode().type()) {
3405         case Array::Double:
3406         case Array::Int32: {
3407             if (searchElement->shouldSpeculateCell()) {
3408                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3409                 m_graph.convertToConstant(node, jsNumber(-1));
3410                 observeUseKindOnNode<CellUse>(searchElement.node());
3411                 return;
3412             }
3413
3414             if (searchElement->shouldSpeculateOther()) {
3415                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3416                 m_graph.convertToConstant(node, jsNumber(-1));
3417                 observeUseKindOnNode<OtherUse>(searchElement.node());
3418                 return;
3419             }
3420
3421             if (searchElement->shouldSpeculateBoolean()) {
3422                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3423                 m_graph.convertToConstant(node, jsNumber(-1));
3424                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3425                 return;
3426             }
3427             break;
3428         }
3429         default:
3430             break;
3431         }
3432
3433         fixEdge<KnownCellUse>(array);
3434         if (node->numChildren() == 4)
3435             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3436
3437         switch (node->arrayMode().type()) {
3438         case Array::Double: {
3439             if (searchElement->shouldSpeculateNumber())
3440                 fixEdge<DoubleRepUse>(searchElement);
3441             return;
3442         }
3443         case Array::Int32: {
3444             if (searchElement->shouldSpeculateInt32())
3445                 fixEdge<Int32Use>(searchElement);
3446             return;
3447         }
3448         case Array::Contiguous: {
3449             if (searchElement->shouldSpeculateString())
3450                 fixEdge<StringUse>(searchElement);
3451             else if (searchElement->shouldSpeculateSymbol())
3452                 fixEdge<SymbolUse>(searchElement);
3453             else if (searchElement->shouldSpeculateOther())
3454                 fixEdge<OtherUse>(searchElement);
3455             else if (searchElement->shouldSpeculateObject())
3456                 fixEdge<ObjectUse>(searchElement);
3457             return;
3458         }
3459         default:
3460             RELEASE_ASSERT_NOT_REACHED();
3461             return;
3462         }
3463     }
3464
3465     void fixupChecksInBlock(BasicBlock* block)
3466     {
3467         if (!block)
3468             return;
3469         ASSERT(block->isReachable);
3470         m_block = block;
3471         unsigned indexForChecks = UINT_MAX;
3472         NodeOrigin originForChecks;
3473         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3474             Node* node = block->at(indexInBlock);
3475
3476             // If this is a node at which we could exit, then save its index. If nodes after this one
3477             // cannot exit, then we will hoist checks to here.
3478             if (node->origin.exitOK) {
3479                 indexForChecks = indexInBlock;
3480                 originForChecks = node->origin;
3481             }
3482
3483             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3484             
3485             // First, try to relax the representational demands of each node, in order to have
3486             // fewer conversions.
3487             switch (node->op()) {
3488             case MovHint:
3489             case Check:
3490             case CheckVarargs:
3491                 m_graph.doToChildren(
3492                     node,
3493                     [&] (Edge& edge) {
3494                         switch (edge.useKind()) {
3495                         case DoubleRepUse:
3496                         case DoubleRepRealUse:
3497                             if (edge->hasDoubleResult())
3498                                 break;
3499             
3500                             if (edge->hasInt52Result())
3501                                 edge.setUseKind(Int52RepUse);
3502                             else if (edge.useKind() == DoubleRepUse)
3503                                 edge.setUseKind(NumberUse);
3504                             break;
3505             
3506                         case Int52RepUse:
3507                             // Nothing we can really do.
3508                             break;
3509             
3510                         case UntypedUse:
3511                         case NumberUse:
3512                             if (edge->hasDoubleResult())
3513                                 edge.setUseKind(DoubleRepUse);
3514                             else if (edge->hasInt52Result())
3515                                 edge.setUseKind(Int52RepUse);
3516                             break;
3517             
3518                         case RealNumberUse:
3519                             if (edge->hasDoubleResult())
3520                                 edge.setUseKind(DoubleRepRealUse);
3521                             else if (edge->hasInt52Result())
3522                                 edge.setUseKind(Int52RepUse);