CSE DataViewGet* DFG nodes
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149
150         case ValueNegate: {
151             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
152                 node->setOp(ArithNegate);
153                 fixIntOrBooleanEdge(node->child1());
154                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
155                     node->setArithMode(Arith::Unchecked);
156                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
157                     node->setArithMode(Arith::CheckOverflow);
158                 else
159                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
160                 node->setResult(NodeResultInt32);
161                 node->clearFlags(NodeMustGenerate);
162                 break;
163             }
164             
165             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
166                 node->setOp(ArithNegate);
167                 fixEdge<Int52RepUse>(node->child1());
168                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
169                     node->setArithMode(Arith::CheckOverflow);
170                 else
171                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
172                 node->setResult(NodeResultInt52);
173                 node->clearFlags(NodeMustGenerate);
174                 break;
175             }
176             if (node->child1()->shouldSpeculateNotCell()) {
177                 node->setOp(ArithNegate);
178                 fixDoubleOrBooleanEdge(node->child1());
179                 node->setResult(NodeResultDouble);
180                 node->clearFlags(NodeMustGenerate);
181             } else {
182                 fixEdge<UntypedUse>(node->child1());
183                 node->setResult(NodeResultJS);
184             }
185             break;
186         }
187
188         case ValueAdd: {
189             if (attemptToMakeIntegerAdd(node)) {
190                 node->setOp(ArithAdd);
191                 break;
192             }
193             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
194                 fixDoubleOrBooleanEdge(node->child1());
195                 fixDoubleOrBooleanEdge(node->child2());
196                 node->setOp(ArithAdd);
197                 node->setResult(NodeResultDouble);
198                 break;
199             }
200             
201             if (attemptToMakeFastStringAdd(node))
202                 break;
203
204             Edge& child1 = node->child1();
205             Edge& child2 = node->child2();
206             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
207                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
208                     auto convertString = [&](Node* node, Edge& edge) {
209                         if (edge->shouldSpeculateInt32())
210                             convertStringAddUse<Int32Use>(node, edge);
211                         else {
212                             ASSERT(edge->shouldSpeculateString());
213                             convertStringAddUse<StringUse>(node, edge);
214                         }
215                     };
216                     convertString(node, child1);
217                     convertString(node, child2);
218                     convertToMakeRope(node);
219                     break;
220                 }
221             }
222
223             fixEdge<UntypedUse>(child1);
224             fixEdge<UntypedUse>(child2);
225             node->setResult(NodeResultJS);
226             break;
227         }
228
229         case StrCat: {
230             if (attemptToMakeFastStringAdd(node))
231                 break;
232
233             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
234             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
235             // the implementation of StrCat doesn't dynamically optimize for empty strings.
236             // https://bugs.webkit.org/show_bug.cgi?id=148540
237             m_graph.doToChildren(
238                 node,
239                 [&] (Edge& edge) {
240                     fixEdge<KnownPrimitiveUse>(edge);
241                     // StrCat automatically coerces the values into strings before concatenating them.
242                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
243                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
244                     // our runtime functions for this slow path expect that they will never be passed
245                     // Symbols.
246                     m_insertionSet.insertNode(
247                         m_indexInBlock, SpecNone, Check, node->origin,
248                         Edge(edge.node(), NotSymbolUse));
249                 });
250             break;
251         }
252             
253         case MakeRope: {
254             fixupMakeRope(node);
255             break;
256         }
257             
258         case ArithAdd:
259         case ArithSub: {
260             if (op == ArithSub
261                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
262                 fixEdge<UntypedUse>(node->child1());
263                 fixEdge<UntypedUse>(node->child2());
264                 node->setResult(NodeResultJS);
265                 break;
266             }
267             if (attemptToMakeIntegerAdd(node))
268                 break;
269             fixDoubleOrBooleanEdge(node->child1());
270             fixDoubleOrBooleanEdge(node->child2());
271             node->setResult(NodeResultDouble);
272             break;
273         }
274             
275         case ArithNegate: {
276             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
277                 fixIntOrBooleanEdge(node->child1());
278                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
279                     node->setArithMode(Arith::Unchecked);
280                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
281                     node->setArithMode(Arith::CheckOverflow);
282                 else
283                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
284                 node->setResult(NodeResultInt32);
285                 node->clearFlags(NodeMustGenerate);
286                 break;
287             }
288             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
289                 fixEdge<Int52RepUse>(node->child1());
290                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
291                     node->setArithMode(Arith::CheckOverflow);
292                 else
293                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
294                 node->setResult(NodeResultInt52);
295                 node->clearFlags(NodeMustGenerate);
296                 break;
297             }
298
299             fixDoubleOrBooleanEdge(node->child1());
300             node->setResult(NodeResultDouble);
301             node->clearFlags(NodeMustGenerate);
302             break;
303         }
304             
305         case ArithMul: {
306             Edge& leftChild = node->child1();
307             Edge& rightChild = node->child2();
308             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
309                 fixEdge<UntypedUse>(leftChild);
310                 fixEdge<UntypedUse>(rightChild);
311                 node->setResult(NodeResultJS);
312                 break;
313             }
314             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
315                 fixIntOrBooleanEdge(leftChild);
316                 fixIntOrBooleanEdge(rightChild);
317                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
318                     node->setArithMode(Arith::Unchecked);
319                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
320                     || leftChild.node() == rightChild.node())
321                     node->setArithMode(Arith::CheckOverflow);
322                 else
323                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
324                 break;
325             }
326             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
327                 fixEdge<Int52RepUse>(leftChild);
328                 fixEdge<Int52RepUse>(rightChild);
329                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
330                     || leftChild.node() == rightChild.node())
331                     node->setArithMode(Arith::CheckOverflow);
332                 else
333                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
334                 node->setResult(NodeResultInt52);
335                 break;
336             }
337             fixDoubleOrBooleanEdge(leftChild);
338             fixDoubleOrBooleanEdge(rightChild);
339             node->setResult(NodeResultDouble);
340             break;
341         }
342
343         case ArithDiv:
344         case ArithMod: {
345             Edge& leftChild = node->child1();
346             Edge& rightChild = node->child2();
347             if (op == ArithDiv
348                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
349                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
350                 fixEdge<UntypedUse>(leftChild);
351                 fixEdge<UntypedUse>(rightChild);
352                 node->setResult(NodeResultJS);
353                 break;
354             }
355             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
356                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
357                     fixIntOrBooleanEdge(leftChild);
358                     fixIntOrBooleanEdge(rightChild);
359                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
360                         node->setArithMode(Arith::Unchecked);
361                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
362                         node->setArithMode(Arith::CheckOverflow);
363                     else
364                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
365                     break;
366                 }
367                 
368                 // This will cause conversion nodes to be inserted later.
369                 fixDoubleOrBooleanEdge(leftChild);
370                 fixDoubleOrBooleanEdge(rightChild);
371                 
372                 // We don't need to do ref'ing on the children because we're stealing them from
373                 // the original division.
374                 Node* newDivision = m_insertionSet.insertNode(
375                     m_indexInBlock, SpecBytecodeDouble, *node);
376                 newDivision->setResult(NodeResultDouble);
377                 
378                 node->setOp(DoubleAsInt32);
379                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
380                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
381                     node->setArithMode(Arith::CheckOverflow);
382                 else
383                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
384                 break;
385             }
386             fixDoubleOrBooleanEdge(leftChild);
387             fixDoubleOrBooleanEdge(rightChild);
388             node->setResult(NodeResultDouble);
389             break;
390         }
391             
392         case ArithMin:
393         case ArithMax: {
394             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
395                 fixIntOrBooleanEdge(node->child1());
396                 fixIntOrBooleanEdge(node->child2());
397                 break;
398             }
399             fixDoubleOrBooleanEdge(node->child1());
400             fixDoubleOrBooleanEdge(node->child2());
401             node->setResult(NodeResultDouble);
402             break;
403         }
404             
405         case ArithAbs: {
406             if (node->child1()->shouldSpeculateInt32OrBoolean()
407                 && node->canSpeculateInt32(FixupPass)) {
408                 fixIntOrBooleanEdge(node->child1());
409                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
410                     node->setArithMode(Arith::Unchecked);
411                 else
412                     node->setArithMode(Arith::CheckOverflow);
413                 node->clearFlags(NodeMustGenerate);
414                 node->setResult(NodeResultInt32);
415                 break;
416             }
417
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420                 node->clearFlags(NodeMustGenerate);
421             } else
422                 fixEdge<UntypedUse>(node->child1());
423             node->setResult(NodeResultDouble);
424             break;
425         }
426
427         case ArithPow: {
428             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
429                 fixDoubleOrBooleanEdge(node->child1());
430                 fixIntOrBooleanEdge(node->child2());
431                 break;
432             }
433
434             fixDoubleOrBooleanEdge(node->child1());
435             fixDoubleOrBooleanEdge(node->child2());
436             break;
437         }
438
439         case ArithRandom: {
440             node->setResult(NodeResultDouble);
441             break;
442         }
443
444         case ArithRound:
445         case ArithFloor:
446         case ArithCeil:
447         case ArithTrunc: {
448             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
449                 fixIntOrBooleanEdge(node->child1());
450                 insertCheck<Int32Use>(node->child1().node());
451                 node->convertToIdentity();
452                 break;
453             }
454             if (node->child1()->shouldSpeculateNotCell()) {
455                 fixDoubleOrBooleanEdge(node->child1());
456
457                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
458                     node->setResult(NodeResultInt32);
459                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
460                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
461                     else
462                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
463                 } else {
464                     node->setResult(NodeResultDouble);
465                     node->setArithRoundingMode(Arith::RoundingMode::Double);
466                 }
467                 node->clearFlags(NodeMustGenerate);
468             } else
469                 fixEdge<UntypedUse>(node->child1());
470             break;
471         }
472
473         case ArithFRound:
474         case ArithSqrt:
475         case ArithUnary: {
476             Edge& child1 = node->child1();
477             if (child1->shouldSpeculateNotCell()) {
478                 fixDoubleOrBooleanEdge(child1);
479                 node->clearFlags(NodeMustGenerate);
480             } else
481                 fixEdge<UntypedUse>(child1);
482             break;
483         }
484             
485         case LogicalNot: {
486             if (node->child1()->shouldSpeculateBoolean()) {
487                 if (node->child1()->result() == NodeResultBoolean) {
488                     // This is necessary in case we have a bytecode instruction implemented by:
489                     //
490                     // a: CompareEq(...)
491                     // b: LogicalNot(@a)
492                     //
493                     // In that case, CompareEq might have a side-effect. Then, we need to make
494                     // sure that we know that Branch does not exit.
495                     fixEdge<KnownBooleanUse>(node->child1());
496                 } else
497                     fixEdge<BooleanUse>(node->child1());
498             } else if (node->child1()->shouldSpeculateObjectOrOther())
499                 fixEdge<ObjectOrOtherUse>(node->child1());
500             else if (node->child1()->shouldSpeculateInt32OrBoolean())
501                 fixIntOrBooleanEdge(node->child1());
502             else if (node->child1()->shouldSpeculateNumber())
503                 fixEdge<DoubleRepUse>(node->child1());
504             else if (node->child1()->shouldSpeculateString())
505                 fixEdge<StringUse>(node->child1());
506             else if (node->child1()->shouldSpeculateStringOrOther())
507                 fixEdge<StringOrOtherUse>(node->child1());
508             else {
509                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
510                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
511                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
512             }
513             break;
514         }
515
516         case CompareEq:
517         case CompareLess:
518         case CompareLessEq:
519         case CompareGreater:
520         case CompareGreaterEq: {
521             if (node->op() == CompareEq
522                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
523                 fixEdge<BooleanUse>(node->child1());
524                 fixEdge<BooleanUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
529                 fixIntOrBooleanEdge(node->child1());
530                 fixIntOrBooleanEdge(node->child2());
531                 node->clearFlags(NodeMustGenerate);
532                 break;
533             }
534             if (enableInt52()
535                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
536                 fixEdge<Int52RepUse>(node->child1());
537                 fixEdge<Int52RepUse>(node->child2());
538                 node->clearFlags(NodeMustGenerate);
539                 break;
540             }
541             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
542                 fixDoubleOrBooleanEdge(node->child1());
543                 fixDoubleOrBooleanEdge(node->child2());
544             }
545             if (node->op() != CompareEq
546                 && node->child1()->shouldSpeculateNotCell()
547                 && node->child2()->shouldSpeculateNotCell()) {
548                 if (node->child1()->shouldSpeculateNumberOrBoolean())
549                     fixDoubleOrBooleanEdge(node->child1());
550                 else
551                     fixEdge<DoubleRepUse>(node->child1());
552                 if (node->child2()->shouldSpeculateNumberOrBoolean())
553                     fixDoubleOrBooleanEdge(node->child2());
554                 else
555                     fixEdge<DoubleRepUse>(node->child2());
556                 node->clearFlags(NodeMustGenerate);
557                 break;
558             }
559             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
560                 fixEdge<StringIdentUse>(node->child1());
561                 fixEdge<StringIdentUse>(node->child2());
562                 node->clearFlags(NodeMustGenerate);
563                 break;
564             }
565             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
566                 fixEdge<StringUse>(node->child1());
567                 fixEdge<StringUse>(node->child2());
568                 node->clearFlags(NodeMustGenerate);
569                 break;
570             }
571
572             if (node->op() != CompareEq)
573                 break;
574             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
575                 fixEdge<SymbolUse>(node->child1());
576                 fixEdge<SymbolUse>(node->child2());
577                 node->clearFlags(NodeMustGenerate);
578                 break;
579             }
580             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
581                 fixEdge<ObjectUse>(node->child1());
582                 fixEdge<ObjectUse>(node->child2());
583                 node->clearFlags(NodeMustGenerate);
584                 break;
585             }
586
587             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
588             bool oneArgumentIsUsedAsSpecOther = false;
589             if (node->child1()->isUndefinedOrNullConstant()) {
590                 fixEdge<KnownOtherUse>(node->child1());
591                 oneArgumentIsUsedAsSpecOther = true;
592             } else if (node->child1()->shouldSpeculateOther()) {
593                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
594                     Edge(node->child1().node(), OtherUse));
595                 fixEdge<KnownOtherUse>(node->child1());
596                 oneArgumentIsUsedAsSpecOther = true;
597             }
598             if (node->child2()->isUndefinedOrNullConstant()) {
599                 fixEdge<KnownOtherUse>(node->child2());
600                 oneArgumentIsUsedAsSpecOther = true;
601             } else if (node->child2()->shouldSpeculateOther()) {
602                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
603                     Edge(node->child2().node(), OtherUse));
604                 fixEdge<KnownOtherUse>(node->child2());
605                 oneArgumentIsUsedAsSpecOther = true;
606             }
607             if (oneArgumentIsUsedAsSpecOther) {
608                 node->clearFlags(NodeMustGenerate);
609                 break;
610             }
611
612             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
613                 fixEdge<ObjectUse>(node->child1());
614                 fixEdge<ObjectOrOtherUse>(node->child2());
615                 node->clearFlags(NodeMustGenerate);
616                 break;
617             }
618             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
619                 fixEdge<ObjectOrOtherUse>(node->child1());
620                 fixEdge<ObjectUse>(node->child2());
621                 node->clearFlags(NodeMustGenerate);
622                 break;
623             }
624
625             break;
626         }
627             
628         case CompareStrictEq:
629         case SameValue: {
630             fixupCompareStrictEqAndSameValue(node);
631             break;
632         }
633
634         case StringFromCharCode:
635             if (node->child1()->shouldSpeculateInt32()) {
636                 fixEdge<Int32Use>(node->child1());
637                 node->clearFlags(NodeMustGenerate);
638             } else
639                 fixEdge<UntypedUse>(node->child1());
640             break;
641
642         case StringCharAt:
643         case StringCharCodeAt: {
644             // Currently we have no good way of refining these.
645             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
646             blessArrayOperation(node->child1(), node->child2(), node->child3());
647             fixEdge<KnownCellUse>(node->child1());
648             fixEdge<Int32Use>(node->child2());
649             break;
650         }
651
652         case GetByVal: {
653             if (!node->prediction()) {
654                 m_insertionSet.insertNode(
655                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
656             }
657             
658             node->setArrayMode(
659                 node->arrayMode().refine(
660                     m_graph, node,
661                     m_graph.varArgChild(node, 0)->prediction(),
662                     m_graph.varArgChild(node, 1)->prediction(),
663                     SpecNone));
664             
665             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
666             
667             ArrayMode arrayMode = node->arrayMode();
668             switch (arrayMode.type()) {
669             case Array::Contiguous:
670             case Array::Double:
671                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
672                     // Check if SaneChain will work on a per-type basis. Note that:
673                     //
674                     // 1) We don't want double arrays to sometimes return undefined, since
675                     // that would require a change to the return type and it would pessimise
676                     // things a lot. So, we'd only want to do that if we actually had
677                     // evidence that we could read from a hole. That's pretty annoying.
678                     // Likely the best way to handle that case is with an equivalent of
679                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
680                     // NaN are indistinguishable according to backwards propagation, and just
681                     // use SaneChain in that case. This happens to catch a lot of cases.
682                     //
683                     // 2) We don't want int32 array loads to have to do a hole check just to
684                     // coerce to Undefined, since that would mean twice the checks.
685                     //
686                     // This has two implications. First, we have to do more checks than we'd
687                     // like. It's unfortunate that we have to do the hole check. Second,
688                     // some accesses that hit a hole will now need to take the full-blown
689                     // out-of-bounds slow path. We can fix that with:
690                     // https://bugs.webkit.org/show_bug.cgi?id=144668
691                     
692                     bool canDoSaneChain = false;
693                     switch (arrayMode.type()) {
694                     case Array::Contiguous:
695                         // This is happens to be entirely natural. We already would have
696                         // returned any JSValue, and now we'll return Undefined. We still do
697                         // the check but it doesn't require taking any kind of slow path.
698                         canDoSaneChain = true;
699                         break;
700                         
701                     case Array::Double:
702                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
703                             // Holes look like NaN already, so if the user doesn't care
704                             // about the difference between Undefined and NaN then we can
705                             // do this.
706                             canDoSaneChain = true;
707                         }
708                         break;
709                         
710                     default:
711                         break;
712                     }
713                     
714                     if (canDoSaneChain) {
715                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
716                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
717                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
718                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
719                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
720                             && globalObject->arrayPrototypeChainIsSane()) {
721                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
722                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
723                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
724                         }
725                     }
726                 }
727                 break;
728                 
729             case Array::String:
730                 if ((node->prediction() & ~SpecString)
731                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
732                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
733                 break;
734                 
735             default:
736                 break;
737             }
738             
739             arrayMode = node->arrayMode();
740             switch (arrayMode.type()) {
741             case Array::SelectUsingPredictions:
742             case Array::Unprofiled:
743                 RELEASE_ASSERT_NOT_REACHED();
744                 break;
745             case Array::Generic:
746                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
747                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
748                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
749                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
750                         break;
751                     }
752
753                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
754                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
755                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
756                         break;
757                     }
758                 }
759 #if USE(JSVALUE32_64)
760                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
761 #endif
762                 break;
763             case Array::ForceExit:
764                 break;
765             default:
766                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
767                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
768                 break;
769             }
770             
771             switch (arrayMode.type()) {
772             case Array::Double:
773                 if (!arrayMode.isOutOfBounds())
774                     node->setResult(NodeResultDouble);
775                 break;
776                 
777             case Array::Float32Array:
778             case Array::Float64Array:
779                 node->setResult(NodeResultDouble);
780                 break;
781                 
782             case Array::Uint32Array:
783                 if (node->shouldSpeculateInt32())
784                     break;
785                 if (node->shouldSpeculateAnyInt() && enableInt52())
786                     node->setResult(NodeResultInt52);
787                 else
788                     node->setResult(NodeResultDouble);
789                 break;
790                 
791             default:
792                 break;
793             }
794             
795             break;
796         }
797
798         case PutByValDirect:
799         case PutByVal:
800         case PutByValAlias: {
801             Edge& child1 = m_graph.varArgChild(node, 0);
802             Edge& child2 = m_graph.varArgChild(node, 1);
803             Edge& child3 = m_graph.varArgChild(node, 2);
804
805             node->setArrayMode(
806                 node->arrayMode().refine(
807                     m_graph, node,
808                     child1->prediction(),
809                     child2->prediction(),
810                     child3->prediction()));
811             
812             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
813             
814             switch (node->arrayMode().modeForPut().type()) {
815             case Array::SelectUsingPredictions:
816             case Array::SelectUsingArguments:
817             case Array::Unprofiled:
818             case Array::Undecided:
819                 RELEASE_ASSERT_NOT_REACHED();
820                 break;
821             case Array::ForceExit:
822             case Array::Generic:
823                 if (child1->shouldSpeculateCell()) {
824                     if (child2->shouldSpeculateString()) {
825                         fixEdge<CellUse>(child1);
826                         fixEdge<StringUse>(child2);
827                         break;
828                     }
829
830                     if (child2->shouldSpeculateSymbol()) {
831                         fixEdge<CellUse>(child1);
832                         fixEdge<SymbolUse>(child2);
833                         break;
834                     }
835                 }
836 #if USE(JSVALUE32_64)
837                 // Due to register pressure on 32-bit, we speculate cell and
838                 // ignore the base-is-not-cell case entirely by letting the
839                 // baseline JIT handle it.
840                 fixEdge<CellUse>(child1);
841 #endif
842                 break;
843             case Array::Int32:
844                 fixEdge<KnownCellUse>(child1);
845                 fixEdge<Int32Use>(child2);
846                 fixEdge<Int32Use>(child3);
847                 break;
848             case Array::Double:
849                 fixEdge<KnownCellUse>(child1);
850                 fixEdge<Int32Use>(child2);
851                 fixEdge<DoubleRepRealUse>(child3);
852                 break;
853             case Array::Int8Array:
854             case Array::Int16Array:
855             case Array::Int32Array:
856             case Array::Uint8Array:
857             case Array::Uint8ClampedArray:
858             case Array::Uint16Array:
859             case Array::Uint32Array:
860                 fixEdge<KnownCellUse>(child1);
861                 fixEdge<Int32Use>(child2);
862                 if (child3->shouldSpeculateInt32())
863                     fixIntOrBooleanEdge(child3);
864                 else if (child3->shouldSpeculateAnyInt())
865                     fixEdge<Int52RepUse>(child3);
866                 else
867                     fixDoubleOrBooleanEdge(child3);
868                 break;
869             case Array::Float32Array:
870             case Array::Float64Array:
871                 fixEdge<KnownCellUse>(child1);
872                 fixEdge<Int32Use>(child2);
873                 fixDoubleOrBooleanEdge(child3);
874                 break;
875             case Array::Contiguous:
876             case Array::ArrayStorage:
877             case Array::SlowPutArrayStorage:
878                 fixEdge<KnownCellUse>(child1);
879                 fixEdge<Int32Use>(child2);
880                 speculateForBarrier(child3);
881                 break;
882             default:
883                 fixEdge<KnownCellUse>(child1);
884                 fixEdge<Int32Use>(child2);
885                 break;
886             }
887             break;
888         }
889             
890         case AtomicsAdd:
891         case AtomicsAnd:
892         case AtomicsCompareExchange:
893         case AtomicsExchange:
894         case AtomicsLoad:
895         case AtomicsOr:
896         case AtomicsStore:
897         case AtomicsSub:
898         case AtomicsXor: {
899             Edge& base = m_graph.child(node, 0);
900             Edge& index = m_graph.child(node, 1);
901             
902             bool badNews = false;
903             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
904                 Edge& child = m_graph.child(node, 2 + i);
905                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
906                 // just call the function when that happens. But the FTL is totally cool with those
907                 // conversions.
908                 if (!child->shouldSpeculateInt32()
909                     && !child->shouldSpeculateAnyInt()
910                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
911                     badNews = true;
912             }
913             
914             if (badNews) {
915                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
916                 break;
917             }
918             
919             node->setArrayMode(
920                 node->arrayMode().refine(
921                     m_graph, node, base->prediction(), index->prediction()));
922             
923             if (node->arrayMode().type() == Array::Generic)
924                 break;
925             
926             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
927                 Edge& child = m_graph.child(node, 2 + i);
928                 if (child->shouldSpeculateInt32())
929                     fixIntOrBooleanEdge(child);
930                 else if (child->shouldSpeculateAnyInt())
931                     fixEdge<Int52RepUse>(child);
932                 else {
933                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
934                     fixDoubleOrBooleanEdge(child);
935                 }
936             }
937             
938             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
939             fixEdge<CellUse>(base);
940             fixEdge<Int32Use>(index);
941             
942             if (node->arrayMode().type() == Array::Uint32Array) {
943                 // NOTE: This means basically always doing Int52.
944                 if (node->shouldSpeculateAnyInt() && enableInt52())
945                     node->setResult(NodeResultInt52);
946                 else
947                     node->setResult(NodeResultDouble);
948             }
949             break;
950         }
951             
952         case AtomicsIsLockFree:
953             if (node->child1()->shouldSpeculateInt32())
954                 fixIntOrBooleanEdge(node->child1());
955             break;
956             
957         case ArrayPush: {
958             // May need to refine the array mode in case the value prediction contravenes
959             // the array prediction. For example, we may have evidence showing that the
960             // array is in Int32 mode, but the value we're storing is likely to be a double.
961             // Then we should turn this into a conversion to Double array followed by the
962             // push. On the other hand, we absolutely don't want to refine based on the
963             // base prediction. If it has non-cell garbage in it, then we want that to be
964             // ignored. That's because ArrayPush can't handle any array modes that aren't
965             // array-related - so if refine() turned this into a "Generic" ArrayPush then
966             // that would break things.
967             Edge& storageEdge = m_graph.varArgChild(node, 0);
968             Edge& arrayEdge = m_graph.varArgChild(node, 1);
969             unsigned elementOffset = 2;
970             unsigned elementCount = node->numChildren() - elementOffset;
971             for (unsigned i = 0; i < elementCount; ++i) {
972                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
973                 node->setArrayMode(
974                     node->arrayMode().refine(
975                         m_graph, node,
976                         arrayEdge->prediction() & SpecCell,
977                         SpecInt32Only,
978                         element->prediction()));
979             }
980             blessArrayOperation(arrayEdge, Edge(), storageEdge);
981             fixEdge<KnownCellUse>(arrayEdge);
982
983             // Convert `array.push()` to GetArrayLength.
984             if (!elementCount && node->arrayMode().supportsSelfLength()) {
985                 node->setOpAndDefaultFlags(GetArrayLength);
986                 node->child1() = arrayEdge;
987                 node->child2() = storageEdge;
988                 fixEdge<KnownCellUse>(node->child1());
989                 break;
990             }
991
992             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
993             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
994             for (unsigned i = 0; i < elementCount; ++i) {
995                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
996                 switch (node->arrayMode().type()) {
997                 case Array::Int32:
998                     insertCheck<Int32Use>(element.node());
999                     fixEdge<KnownInt32Use>(element);
1000                     break;
1001                 case Array::Double:
1002                     insertCheck<DoubleRepRealUse>(element.node());
1003                     fixEdge<DoubleRepUse>(element);
1004                     break;
1005                 case Array::Contiguous:
1006                 case Array::ArrayStorage:
1007                     speculateForBarrier(element);
1008                     break;
1009                 default:
1010                     break;
1011                 }
1012                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1013             }
1014             break;
1015         }
1016             
1017         case ArrayPop: {
1018             blessArrayOperation(node->child1(), Edge(), node->child2());
1019             fixEdge<KnownCellUse>(node->child1());
1020             break;
1021         }
1022
1023         case ArraySlice: {
1024             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1025             if (node->numChildren() >= 3) {
1026                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1027                 if (node->numChildren() == 4)
1028                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1029             }
1030             break;
1031         }
1032
1033         case ArrayIndexOf:
1034             fixupArrayIndexOf(node);
1035             break;
1036             
1037         case RegExpExec:
1038         case RegExpTest: {
1039             fixEdge<KnownCellUse>(node->child1());
1040             
1041             if (node->child2()->shouldSpeculateRegExpObject()) {
1042                 fixEdge<RegExpObjectUse>(node->child2());
1043
1044                 if (node->child3()->shouldSpeculateString())
1045                     fixEdge<StringUse>(node->child3());
1046             }
1047             break;
1048         }
1049
1050         case RegExpMatchFast: {
1051             fixEdge<KnownCellUse>(node->child1());
1052             fixEdge<RegExpObjectUse>(node->child2());
1053             fixEdge<StringUse>(node->child3());
1054             break;
1055         }
1056
1057         case StringReplace:
1058         case StringReplaceRegExp: {
1059             if (node->child2()->shouldSpeculateString()) {
1060                 m_insertionSet.insertNode(
1061                     m_indexInBlock, SpecNone, Check, node->origin,
1062                     Edge(node->child2().node(), StringUse));
1063                 fixEdge<StringUse>(node->child2());
1064             } else if (op == StringReplace) {
1065                 if (node->child2()->shouldSpeculateRegExpObject())
1066                     addStringReplacePrimordialChecks(node->child2().node());
1067                 else 
1068                     m_insertionSet.insertNode(
1069                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1070             }
1071
1072             if (node->child1()->shouldSpeculateString()
1073                 && node->child2()->shouldSpeculateRegExpObject()
1074                 && node->child3()->shouldSpeculateString()) {
1075
1076                 fixEdge<StringUse>(node->child1());
1077                 fixEdge<RegExpObjectUse>(node->child2());
1078                 fixEdge<StringUse>(node->child3());
1079                 break;
1080             }
1081             break;
1082         }
1083             
1084         case Branch: {
1085             if (node->child1()->shouldSpeculateBoolean()) {
1086                 if (node->child1()->result() == NodeResultBoolean) {
1087                     // This is necessary in case we have a bytecode instruction implemented by:
1088                     //
1089                     // a: CompareEq(...)
1090                     // b: Branch(@a)
1091                     //
1092                     // In that case, CompareEq might have a side-effect. Then, we need to make
1093                     // sure that we know that Branch does not exit.
1094                     fixEdge<KnownBooleanUse>(node->child1());
1095                 } else
1096                     fixEdge<BooleanUse>(node->child1());
1097             } else if (node->child1()->shouldSpeculateObjectOrOther())
1098                 fixEdge<ObjectOrOtherUse>(node->child1());
1099             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1100                 fixIntOrBooleanEdge(node->child1());
1101             else if (node->child1()->shouldSpeculateNumber())
1102                 fixEdge<DoubleRepUse>(node->child1());
1103             else if (node->child1()->shouldSpeculateString())
1104                 fixEdge<StringUse>(node->child1());
1105             else if (node->child1()->shouldSpeculateStringOrOther())
1106                 fixEdge<StringOrOtherUse>(node->child1());
1107             else {
1108                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1109                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1110                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1111             }
1112             break;
1113         }
1114             
1115         case Switch: {
1116             SwitchData* data = node->switchData();
1117             switch (data->kind) {
1118             case SwitchImm:
1119                 if (node->child1()->shouldSpeculateInt32())
1120                     fixEdge<Int32Use>(node->child1());
1121                 break;
1122             case SwitchChar:
1123                 if (node->child1()->shouldSpeculateString())
1124                     fixEdge<StringUse>(node->child1());
1125                 break;
1126             case SwitchString:
1127                 if (node->child1()->shouldSpeculateStringIdent())
1128                     fixEdge<StringIdentUse>(node->child1());
1129                 else if (node->child1()->shouldSpeculateString())
1130                     fixEdge<StringUse>(node->child1());
1131                 break;
1132             case SwitchCell:
1133                 if (node->child1()->shouldSpeculateCell())
1134                     fixEdge<CellUse>(node->child1());
1135                 // else it's fine for this to have UntypedUse; we will handle this by just making
1136                 // non-cells take the default case.
1137                 break;
1138             }
1139             break;
1140         }
1141             
1142         case ToPrimitive: {
1143             fixupToPrimitive(node);
1144             break;
1145         }
1146
1147         case ToNumber: {
1148             fixupToNumber(node);
1149             break;
1150         }
1151             
1152         case ToString:
1153         case CallStringConstructor: {
1154             fixupToStringOrCallStringConstructor(node);
1155             break;
1156         }
1157             
1158         case NewStringObject: {
1159             fixEdge<KnownStringUse>(node->child1());
1160             break;
1161         }
1162
1163         case NewArrayWithSpread: {
1164             watchHavingABadTime(node);
1165             
1166             BitVector* bitVector = node->bitVector();
1167             for (unsigned i = node->numChildren(); i--;) {
1168                 if (bitVector->get(i))
1169                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1170                 else
1171                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1172             }
1173
1174             break;
1175         }
1176
1177         case Spread: {
1178             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1179             
1180             watchHavingABadTime(node->child1().node());
1181
1182             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1183             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1184             // that it doesn't contain any indexed properties, and that any holes will result in
1185             // jsUndefined().
1186             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1187             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1188             if (node->child1()->shouldSpeculateArray()
1189                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1190                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1191                 && globalObject->arrayPrototypeChainIsSane()
1192                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1193                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1194                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1195                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1196                 fixEdge<ArrayUse>(node->child1());
1197             } else
1198                 fixEdge<CellUse>(node->child1());
1199             break;
1200         }
1201             
1202         case NewArray: {
1203             watchHavingABadTime(node);
1204             
1205             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1206                 node->setIndexingType(
1207                     leastUpperBoundOfIndexingTypeAndType(
1208                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1209             }
1210             switch (node->indexingType()) {
1211             case ALL_BLANK_INDEXING_TYPES:
1212                 CRASH();
1213                 break;
1214             case ALL_UNDECIDED_INDEXING_TYPES:
1215                 if (node->numChildren()) {
1216                     // This will only happen if the children have no type predictions. We
1217                     // would have already exited by now, but insert a forced exit just to
1218                     // be safe.
1219                     m_insertionSet.insertNode(
1220                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1221                 }
1222                 break;
1223             case ALL_INT32_INDEXING_TYPES:
1224                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1225                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1226                 break;
1227             case ALL_DOUBLE_INDEXING_TYPES:
1228                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1229                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1230                 break;
1231             case ALL_CONTIGUOUS_INDEXING_TYPES:
1232             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1233                 break;
1234             default:
1235                 CRASH();
1236                 break;
1237             }
1238             break;
1239         }
1240             
1241         case NewTypedArray: {
1242             watchHavingABadTime(node);
1243             
1244             if (node->child1()->shouldSpeculateInt32()) {
1245                 fixEdge<Int32Use>(node->child1());
1246                 node->clearFlags(NodeMustGenerate);
1247                 break;
1248             }
1249             break;
1250         }
1251             
1252         case NewArrayWithSize: {
1253             watchHavingABadTime(node);
1254             fixEdge<Int32Use>(node->child1());
1255             break;
1256         }
1257
1258         case NewArrayBuffer: {
1259             watchHavingABadTime(node);
1260             break;
1261         }
1262
1263         case ToObject: {
1264             fixupToObject(node);
1265             break;
1266         }
1267
1268         case CallObjectConstructor: {
1269             fixupCallObjectConstructor(node);
1270             break;
1271         }
1272
1273         case ToThis: {
1274             fixupToThis(node);
1275             break;
1276         }
1277             
1278         case PutStructure: {
1279             fixEdge<KnownCellUse>(node->child1());
1280             break;
1281         }
1282             
1283         case GetClosureVar:
1284         case GetFromArguments: {
1285             fixEdge<KnownCellUse>(node->child1());
1286             break;
1287         }
1288
1289         case PutClosureVar:
1290         case PutToArguments: {
1291             fixEdge<KnownCellUse>(node->child1());
1292             speculateForBarrier(node->child2());
1293             break;
1294         }
1295
1296         case SkipScope:
1297         case GetScope:
1298         case GetGetter:
1299         case GetSetter:
1300         case GetGlobalObject: {
1301             fixEdge<KnownCellUse>(node->child1());
1302             break;
1303         }
1304             
1305         case AllocatePropertyStorage:
1306         case ReallocatePropertyStorage: {
1307             fixEdge<KnownCellUse>(node->child1());
1308             break;
1309         }
1310             
1311         case NukeStructureAndSetButterfly: {
1312             fixEdge<KnownCellUse>(node->child1());
1313             break;
1314         }
1315
1316         case TryGetById: {
1317             if (node->child1()->shouldSpeculateCell())
1318                 fixEdge<CellUse>(node->child1());
1319             break;
1320         }
1321
1322         case GetByIdDirect:
1323         case GetByIdDirectFlush: {
1324             if (node->child1()->shouldSpeculateCell())
1325                 fixEdge<CellUse>(node->child1());
1326             break;
1327         }
1328
1329         case GetById:
1330         case GetByIdFlush: {
1331             // FIXME: This should be done in the ByteCodeParser based on reading the
1332             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1333             // https://bugs.webkit.org/show_bug.cgi?id=154990
1334             auto uid = m_graph.identifiers()[node->identifierNumber()];
1335             if (node->child1()->shouldSpeculateCellOrOther()
1336                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1337                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1338                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1339                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1340                 
1341                 if (uid == vm().propertyNames->length.impl()) {
1342                     attemptToMakeGetArrayLength(node);
1343                     break;
1344                 }
1345
1346                 if (uid == vm().propertyNames->lastIndex.impl()
1347                     && node->child1()->shouldSpeculateRegExpObject()) {
1348                     node->setOp(GetRegExpObjectLastIndex);
1349                     node->clearFlags(NodeMustGenerate);
1350                     fixEdge<RegExpObjectUse>(node->child1());
1351                     break;
1352                 }
1353             }
1354
1355             if (node->child1()->shouldSpeculateNumber()) {
1356                 if (uid == vm().propertyNames->toString.impl()) {
1357                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1358                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1359                         if (node->child1()->shouldSpeculateInt32()) {
1360                             insertCheck<Int32Use>(node->child1().node());
1361                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1362                             break;
1363                         }
1364
1365                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1366                             insertCheck<Int52RepUse>(node->child1().node());
1367                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1368                             break;
1369                         }
1370
1371                         ASSERT(node->child1()->shouldSpeculateNumber());
1372                         insertCheck<DoubleRepUse>(node->child1().node());
1373                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1374                         break;
1375                     }
1376                 }
1377             }
1378
1379             if (node->child1()->shouldSpeculateCell())
1380                 fixEdge<CellUse>(node->child1());
1381             break;
1382         }
1383         
1384         case GetByIdWithThis: {
1385             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1386                 fixEdge<CellUse>(node->child1());
1387                 fixEdge<CellUse>(node->child2());
1388             }
1389             break;
1390         }
1391
1392         case PutById:
1393         case PutByIdFlush:
1394         case PutByIdDirect: {
1395             if (node->child1()->shouldSpeculateCellOrOther()
1396                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1397                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1398                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1399                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1400                 
1401                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1402                 
1403                 if (uid == vm().propertyNames->lastIndex.impl()
1404                     && node->child1()->shouldSpeculateRegExpObject()) {
1405                     node->convertToSetRegExpObjectLastIndex();
1406                     fixEdge<RegExpObjectUse>(node->child1());
1407                     speculateForBarrier(node->child2());
1408                     break;
1409                 }
1410             }
1411             
1412             fixEdge<CellUse>(node->child1());
1413             break;
1414         }
1415
1416         case PutGetterById:
1417         case PutSetterById: {
1418             fixEdge<KnownCellUse>(node->child1());
1419             fixEdge<KnownCellUse>(node->child2());
1420             break;
1421         }
1422
1423         case PutGetterSetterById: {
1424             fixEdge<KnownCellUse>(node->child1());
1425             break;
1426         }
1427
1428         case PutGetterByVal:
1429         case PutSetterByVal: {
1430             fixEdge<KnownCellUse>(node->child1());
1431             fixEdge<KnownCellUse>(node->child3());
1432             break;
1433         }
1434
1435         case GetExecutable: {
1436             fixEdge<FunctionUse>(node->child1());
1437             break;
1438         }
1439
1440         case OverridesHasInstance:
1441         case CheckStructure:
1442         case CheckCell:
1443         case CreateThis:
1444         case GetButterfly: {
1445             fixEdge<CellUse>(node->child1());
1446             break;
1447         }
1448
1449         case ObjectCreate: {
1450             if (node->child1()->shouldSpeculateObject()) {
1451                 fixEdge<ObjectUse>(node->child1());
1452                 node->clearFlags(NodeMustGenerate);
1453                 break;
1454             }
1455             break;
1456         }
1457
1458         case CheckStringIdent: {
1459             fixEdge<StringIdentUse>(node->child1());
1460             break;
1461         }
1462             
1463         case Arrayify:
1464         case ArrayifyToStructure: {
1465             fixEdge<CellUse>(node->child1());
1466             if (node->child2())
1467                 fixEdge<Int32Use>(node->child2());
1468             break;
1469         }
1470             
1471         case GetByOffset:
1472         case GetGetterSetterByOffset: {
1473             if (!node->child1()->hasStorageResult())
1474                 fixEdge<KnownCellUse>(node->child1());
1475             fixEdge<KnownCellUse>(node->child2());
1476             break;
1477         }
1478             
1479         case MultiGetByOffset: {
1480             fixEdge<CellUse>(node->child1());
1481             break;
1482         }
1483             
1484         case PutByOffset: {
1485             if (!node->child1()->hasStorageResult())
1486                 fixEdge<KnownCellUse>(node->child1());
1487             fixEdge<KnownCellUse>(node->child2());
1488             unsigned index = indexForChecks();
1489             insertInferredTypeCheck(
1490                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1491                 node->storageAccessData().inferredType);
1492             speculateForBarrier(node->child3());
1493             break;
1494         }
1495             
1496         case MultiPutByOffset: {
1497             fixEdge<CellUse>(node->child1());
1498             break;
1499         }
1500             
1501         case MatchStructure: {
1502             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1503             // https://bugs.webkit.org/show_bug.cgi?id=185784
1504             fixEdge<CellUse>(node->child1());
1505             break;
1506         }
1507             
1508         case InstanceOf: {
1509             if (node->child1()->shouldSpeculateCell()
1510                 && node->child2()->shouldSpeculateCell()
1511                 && is64Bit()) {
1512                 fixEdge<CellUse>(node->child1());
1513                 fixEdge<CellUse>(node->child2());
1514                 break;
1515             }
1516             break;
1517         }
1518
1519         case InstanceOfCustom:
1520             fixEdge<CellUse>(node->child2());
1521             break;
1522
1523         case InById: {
1524             fixEdge<CellUse>(node->child1());
1525             break;
1526         }
1527
1528         case InByVal: {
1529             if (node->child2()->shouldSpeculateInt32()) {
1530                 convertToHasIndexedProperty(node);
1531                 break;
1532             }
1533
1534             fixEdge<CellUse>(node->child1());
1535             break;
1536         }
1537
1538         case HasOwnProperty: {
1539             fixEdge<ObjectUse>(node->child1());
1540 #if CPU(X86)
1541             // We don't have enough registers to do anything interesting on x86 and mips.
1542             fixEdge<UntypedUse>(node->child2());
1543 #else
1544             if (node->child2()->shouldSpeculateString())
1545                 fixEdge<StringUse>(node->child2());
1546             else if (node->child2()->shouldSpeculateSymbol())
1547                 fixEdge<SymbolUse>(node->child2());
1548             else
1549                 fixEdge<UntypedUse>(node->child2());
1550 #endif
1551             break;
1552         }
1553
1554         case CheckVarargs:
1555         case Check: {
1556             m_graph.doToChildren(
1557                 node,
1558                 [&] (Edge& edge) {
1559                     switch (edge.useKind()) {
1560                     case NumberUse:
1561                         if (edge->shouldSpeculateInt32ForArithmetic())
1562                             edge.setUseKind(Int32Use);
1563                         break;
1564                     default:
1565                         break;
1566                     }
1567                     observeUseKindOnEdge(edge);
1568                 });
1569             break;
1570         }
1571
1572         case Phantom:
1573             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1574             node->remove(m_graph);
1575             break;
1576
1577         case FiatInt52: {
1578             RELEASE_ASSERT(enableInt52());
1579             node->convertToIdentity();
1580             fixEdge<Int52RepUse>(node->child1());
1581             node->setResult(NodeResultInt52);
1582             break;
1583         }
1584
1585         case GetArrayLength: {
1586             fixEdge<KnownCellUse>(node->child1());
1587             break;
1588         }
1589
1590         case GetTypedArrayByteOffset: {
1591             fixEdge<KnownCellUse>(node->child1());
1592             break;
1593         }
1594
1595         case CompareBelow:
1596         case CompareBelowEq: {
1597             fixEdge<Int32Use>(node->child1());
1598             fixEdge<Int32Use>(node->child2());
1599             break;
1600         }
1601
1602         case GetPrototypeOf: {
1603             fixupGetPrototypeOf(node);
1604             break;
1605         }
1606
1607         case Phi:
1608         case Upsilon:
1609         case EntrySwitch:
1610         case GetIndexedPropertyStorage:
1611         case LastNodeType:
1612         case CheckTierUpInLoop:
1613         case CheckTierUpAtReturn:
1614         case CheckTierUpAndOSREnter:
1615         case InvalidationPoint:
1616         case CheckArray:
1617         case CheckInBounds:
1618         case ConstantStoragePointer:
1619         case DoubleAsInt32:
1620         case ValueToInt32:
1621         case DoubleRep:
1622         case ValueRep:
1623         case Int52Rep:
1624         case Int52Constant:
1625         case Identity: // This should have been cleaned up.
1626         case BooleanToNumber:
1627         case PhantomNewObject:
1628         case PhantomNewFunction:
1629         case PhantomNewGeneratorFunction:
1630         case PhantomNewAsyncGeneratorFunction:
1631         case PhantomNewAsyncFunction:
1632         case PhantomCreateActivation:
1633         case PhantomDirectArguments:
1634         case PhantomCreateRest:
1635         case PhantomSpread:
1636         case PhantomNewArrayWithSpread:
1637         case PhantomNewArrayBuffer:
1638         case PhantomClonedArguments:
1639         case PhantomNewRegexp:
1640         case GetMyArgumentByVal:
1641         case GetMyArgumentByValOutOfBounds:
1642         case GetVectorLength:
1643         case PutHint:
1644         case CheckStructureImmediate:
1645         case CheckStructureOrEmpty:
1646         case MaterializeNewObject:
1647         case MaterializeCreateActivation:
1648         case PutStack:
1649         case KillStack:
1650         case GetStack:
1651         case StoreBarrier:
1652         case FencedStoreBarrier:
1653         case GetRegExpObjectLastIndex:
1654         case SetRegExpObjectLastIndex:
1655         case RecordRegExpCachedResult:
1656         case RegExpExecNonGlobalOrSticky:
1657         case RegExpMatchFastGlobal:
1658             // These are just nodes that we don't currently expect to see during fixup.
1659             // If we ever wanted to insert them prior to fixup, then we just have to create
1660             // fixup rules for them.
1661             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1662             break;
1663
1664         case PutGlobalVariable: {
1665             fixEdge<CellUse>(node->child1());
1666             speculateForBarrier(node->child2());
1667             break;
1668         }
1669
1670         case IsObject:
1671             if (node->child1()->shouldSpeculateObject()) {
1672                 m_insertionSet.insertNode(
1673                     m_indexInBlock, SpecNone, Check, node->origin,
1674                     Edge(node->child1().node(), ObjectUse));
1675                 m_graph.convertToConstant(node, jsBoolean(true));
1676                 observeUseKindOnNode<ObjectUse>(node);
1677             }
1678             break;
1679
1680         case IsCellWithType: {
1681             fixupIsCellWithType(node);
1682             break;
1683         }
1684
1685         case GetEnumerableLength: {
1686             fixEdge<CellUse>(node->child1());
1687             break;
1688         }
1689         case HasGenericProperty: {
1690             fixEdge<CellUse>(node->child2());
1691             break;
1692         }
1693         case HasStructureProperty: {
1694             fixEdge<StringUse>(node->child2());
1695             fixEdge<KnownCellUse>(node->child3());
1696             break;
1697         }
1698         case HasIndexedProperty: {
1699             node->setArrayMode(
1700                 node->arrayMode().refine(
1701                     m_graph, node,
1702                     node->child1()->prediction(),
1703                     node->child2()->prediction(),
1704                     SpecNone));
1705             
1706             blessArrayOperation(node->child1(), node->child2(), node->child3());
1707             fixEdge<CellUse>(node->child1());
1708             fixEdge<KnownInt32Use>(node->child2());
1709             break;
1710         }
1711         case GetDirectPname: {
1712             Edge& base = m_graph.varArgChild(node, 0);
1713             Edge& property = m_graph.varArgChild(node, 1);
1714             Edge& index = m_graph.varArgChild(node, 2);
1715             Edge& enumerator = m_graph.varArgChild(node, 3);
1716             fixEdge<CellUse>(base);
1717             fixEdge<KnownCellUse>(property);
1718             fixEdge<KnownInt32Use>(index);
1719             fixEdge<KnownCellUse>(enumerator);
1720             break;
1721         }
1722         case GetPropertyEnumerator: {
1723             if (node->child1()->shouldSpeculateCell())
1724                 fixEdge<CellUse>(node->child1());
1725             break;
1726         }
1727         case GetEnumeratorStructurePname: {
1728             fixEdge<KnownCellUse>(node->child1());
1729             fixEdge<KnownInt32Use>(node->child2());
1730             break;
1731         }
1732         case GetEnumeratorGenericPname: {
1733             fixEdge<KnownCellUse>(node->child1());
1734             fixEdge<KnownInt32Use>(node->child2());
1735             break;
1736         }
1737         case ToIndexString: {
1738             fixEdge<KnownInt32Use>(node->child1());
1739             break;
1740         }
1741         case ProfileType: {
1742             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1743             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1744             // type T for the instructionTypeSet, the global type set must also have information for type T.
1745             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1746             // in the globalTypeSet would've also succeeded.
1747             // (The other direction does not hold in general).
1748
1749             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1750             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1751             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1752                 if (node->child1()->shouldSpeculateInt32()) {
1753                     fixEdge<Int32Use>(node->child1());
1754                     node->remove(m_graph);
1755                     break;
1756                 }
1757
1758                 if (enableInt52()) {
1759                     fixEdge<AnyIntUse>(node->child1());
1760                     node->remove(m_graph);
1761                     break;
1762                 }
1763
1764                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1765             }
1766
1767             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1768                 fixEdge<NumberUse>(node->child1());
1769                 node->remove(m_graph);
1770             } else if (typeSet->doesTypeConformTo(TypeString)) {
1771                 fixEdge<StringUse>(node->child1());
1772                 node->remove(m_graph);
1773             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1774                 fixEdge<BooleanUse>(node->child1());
1775                 node->remove(m_graph);
1776             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1777                 fixEdge<OtherUse>(node->child1());
1778                 node->remove(m_graph);
1779             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1780                 StructureSet set;
1781                 {
1782                     ConcurrentJSLocker locker(typeSet->m_lock);
1783                     set = typeSet->structureSet(locker);
1784                 }
1785                 if (!set.isEmpty()) {
1786                     fixEdge<CellUse>(node->child1());
1787                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1788                 }
1789             }
1790
1791             break;
1792         }
1793
1794         case CreateClonedArguments: {
1795             watchHavingABadTime(node);
1796             break;
1797         }
1798
1799         case CreateScopedArguments:
1800         case CreateActivation:
1801         case NewFunction:
1802         case NewGeneratorFunction:
1803         case NewAsyncGeneratorFunction:
1804         case NewAsyncFunction: {
1805             // Child 1 is always the current scope, which is guaranteed to be an object
1806             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1807             fixEdge<KnownCellUse>(node->child1());
1808             break;
1809         }
1810
1811         case PushWithScope: {
1812             // Child 1 is always the current scope, which is guaranteed to be an object
1813             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1814             fixEdge<KnownCellUse>(node->child1());
1815             if (node->child2()->shouldSpeculateObject())
1816                 fixEdge<ObjectUse>(node->child2());
1817             break;
1818         }
1819
1820         case SetFunctionName: {
1821             // The first child is guaranteed to be a cell because op_set_function_name is only used
1822             // on a newly instantiated function object (the first child).
1823             fixEdge<KnownCellUse>(node->child1());
1824             fixEdge<UntypedUse>(node->child2());
1825             break;
1826         }
1827
1828         case CreateRest: {
1829             watchHavingABadTime(node);
1830             fixEdge<KnownInt32Use>(node->child1());
1831             break;
1832         }
1833
1834         case ResolveScopeForHoistingFuncDeclInEval: {
1835             fixEdge<KnownCellUse>(node->child1());
1836             break;
1837         }
1838         case ResolveScope:
1839         case GetDynamicVar:
1840         case PutDynamicVar: {
1841             fixEdge<KnownCellUse>(node->child1());
1842             break;
1843         }
1844
1845         case LogShadowChickenPrologue: {
1846             fixEdge<KnownCellUse>(node->child1());
1847             break;
1848         }
1849         case LogShadowChickenTail: {
1850             fixEdge<UntypedUse>(node->child1());
1851             fixEdge<KnownCellUse>(node->child2());
1852             break;
1853         }
1854
1855         case GetMapBucket:
1856             if (node->child1().useKind() == MapObjectUse)
1857                 fixEdge<MapObjectUse>(node->child1());
1858             else if (node->child1().useKind() == SetObjectUse)
1859                 fixEdge<SetObjectUse>(node->child1());
1860             else
1861                 RELEASE_ASSERT_NOT_REACHED();
1862
1863 #if USE(JSVALUE64)
1864             if (node->child2()->shouldSpeculateBoolean())
1865                 fixEdge<BooleanUse>(node->child2());
1866             else if (node->child2()->shouldSpeculateInt32())
1867                 fixEdge<Int32Use>(node->child2());
1868             else if (node->child2()->shouldSpeculateSymbol())
1869                 fixEdge<SymbolUse>(node->child2());
1870             else if (node->child2()->shouldSpeculateObject())
1871                 fixEdge<ObjectUse>(node->child2());
1872             else if (node->child2()->shouldSpeculateString())
1873                 fixEdge<StringUse>(node->child2());
1874             else if (node->child2()->shouldSpeculateCell())
1875                 fixEdge<CellUse>(node->child2());
1876             else
1877                 fixEdge<UntypedUse>(node->child2());
1878 #else
1879             fixEdge<UntypedUse>(node->child2());
1880 #endif // USE(JSVALUE64)
1881
1882             fixEdge<Int32Use>(node->child3());
1883             break;
1884
1885         case GetMapBucketHead:
1886             if (node->child1().useKind() == MapObjectUse)
1887                 fixEdge<MapObjectUse>(node->child1());
1888             else if (node->child1().useKind() == SetObjectUse)
1889                 fixEdge<SetObjectUse>(node->child1());
1890             else
1891                 RELEASE_ASSERT_NOT_REACHED();
1892             break;
1893
1894         case GetMapBucketNext:
1895         case LoadKeyFromMapBucket:
1896         case LoadValueFromMapBucket:
1897             fixEdge<CellUse>(node->child1());
1898             break;
1899
1900         case MapHash: {
1901 #if USE(JSVALUE64)
1902             if (node->child1()->shouldSpeculateBoolean()) {
1903                 fixEdge<BooleanUse>(node->child1());
1904                 break;
1905             }
1906
1907             if (node->child1()->shouldSpeculateInt32()) {
1908                 fixEdge<Int32Use>(node->child1());
1909                 break;
1910             }
1911
1912             if (node->child1()->shouldSpeculateSymbol()) {
1913                 fixEdge<SymbolUse>(node->child1());
1914                 break;
1915             }
1916
1917             if (node->child1()->shouldSpeculateObject()) {
1918                 fixEdge<ObjectUse>(node->child1());
1919                 break;
1920             }
1921
1922             if (node->child1()->shouldSpeculateString()) {
1923                 fixEdge<StringUse>(node->child1());
1924                 break;
1925             }
1926
1927             if (node->child1()->shouldSpeculateCell()) {
1928                 fixEdge<CellUse>(node->child1());
1929                 break;
1930             }
1931
1932             fixEdge<UntypedUse>(node->child1());
1933 #else
1934             fixEdge<UntypedUse>(node->child1());
1935 #endif // USE(JSVALUE64)
1936             break;
1937         }
1938
1939         case NormalizeMapKey: {
1940             fixupNormalizeMapKey(node);
1941             break;
1942         }
1943
1944         case WeakMapGet: {
1945             if (node->child1().useKind() == WeakMapObjectUse)
1946                 fixEdge<WeakMapObjectUse>(node->child1());
1947             else if (node->child1().useKind() == WeakSetObjectUse)
1948                 fixEdge<WeakSetObjectUse>(node->child1());
1949             else
1950                 RELEASE_ASSERT_NOT_REACHED();
1951             fixEdge<ObjectUse>(node->child2());
1952             fixEdge<Int32Use>(node->child3());
1953             break;
1954         }
1955
1956         case SetAdd: {
1957             fixEdge<SetObjectUse>(node->child1());
1958             fixEdge<Int32Use>(node->child3());
1959             break;
1960         }
1961
1962         case MapSet: {
1963             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1964             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1965             break;
1966         }
1967
1968         case WeakSetAdd: {
1969             fixEdge<WeakSetObjectUse>(node->child1());
1970             fixEdge<ObjectUse>(node->child2());
1971             fixEdge<Int32Use>(node->child3());
1972             break;
1973         }
1974
1975         case WeakMapSet: {
1976             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1977             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
1978             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1979             break;
1980         }
1981
1982         case DefineDataProperty: {
1983             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1984             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1985             if (propertyEdge->shouldSpeculateSymbol())
1986                 fixEdge<SymbolUse>(propertyEdge);
1987             else if (propertyEdge->shouldSpeculateStringIdent())
1988                 fixEdge<StringIdentUse>(propertyEdge);
1989             else if (propertyEdge->shouldSpeculateString())
1990                 fixEdge<StringUse>(propertyEdge);
1991             else
1992                 fixEdge<UntypedUse>(propertyEdge);
1993             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1994             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1995             break;
1996         }
1997
1998         case StringSlice: {
1999             fixEdge<StringUse>(node->child1());
2000             fixEdge<Int32Use>(node->child2());
2001             if (node->child3())
2002                 fixEdge<Int32Use>(node->child3());
2003             break;
2004         }
2005
2006         case ToLowerCase: {
2007             // We currently only support StringUse since that will ensure that
2008             // ToLowerCase is a pure operation. If we decide to update this with
2009             // more types in the future, we need to ensure that the clobberize rules
2010             // are correct.
2011             fixEdge<StringUse>(node->child1());
2012             break;
2013         }
2014
2015         case NumberToStringWithRadix: {
2016             if (node->child1()->shouldSpeculateInt32())
2017                 fixEdge<Int32Use>(node->child1());
2018             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2019                 fixEdge<Int52RepUse>(node->child1());
2020             else
2021                 fixEdge<DoubleRepUse>(node->child1());
2022             fixEdge<Int32Use>(node->child2());
2023             break;
2024         }
2025
2026         case DefineAccessorProperty: {
2027             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2028             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2029             if (propertyEdge->shouldSpeculateSymbol())
2030                 fixEdge<SymbolUse>(propertyEdge);
2031             else if (propertyEdge->shouldSpeculateStringIdent())
2032                 fixEdge<StringIdentUse>(propertyEdge);
2033             else if (propertyEdge->shouldSpeculateString())
2034                 fixEdge<StringUse>(propertyEdge);
2035             else
2036                 fixEdge<UntypedUse>(propertyEdge);
2037             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2038             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2039             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2040             break;
2041         }
2042
2043         case CheckSubClass: {
2044             fixupCheckSubClass(node);
2045             break;
2046         }
2047
2048         case CallDOMGetter: {
2049             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2050             fixEdge<CellUse>(node->child1()); // DOM.
2051             if (snippet && snippet->requireGlobalObject)
2052                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2053             break;
2054         }
2055
2056         case CallDOM: {
2057             fixupCallDOM(node);
2058             break;
2059         }
2060
2061         case Call: {
2062             attemptToMakeCallDOM(node);
2063             break;
2064         }
2065
2066         case ParseInt: {
2067             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2068                 fixEdge<Int32Use>(node->child1());
2069                 node->convertToIdentity();
2070                 break;
2071             }
2072
2073             if (node->child1()->shouldSpeculateString()) {
2074                 fixEdge<StringUse>(node->child1());
2075                 node->clearFlags(NodeMustGenerate);
2076             }
2077
2078             if (node->child2())
2079                 fixEdge<Int32Use>(node->child2());
2080
2081             break;
2082         }
2083
2084         case IdentityWithProfile: {
2085             node->clearFlags(NodeMustGenerate);
2086             break;
2087         }
2088
2089         case ThrowStaticError:
2090             fixEdge<StringUse>(node->child1());
2091             break;
2092
2093         case NumberIsInteger:
2094             if (node->child1()->shouldSpeculateInt32()) {
2095                 m_insertionSet.insertNode(
2096                     m_indexInBlock, SpecNone, Check, node->origin,
2097                     Edge(node->child1().node(), Int32Use));
2098                 m_graph.convertToConstant(node, jsBoolean(true));
2099                 break;
2100             }
2101             break;
2102
2103         case SetCallee:
2104             fixEdge<CellUse>(node->child1());
2105             break;
2106
2107         case DataViewGetInt:
2108         case DataViewGetFloat: {
2109             fixEdge<DataViewObjectUse>(node->child1());
2110             fixEdge<Int32Use>(node->child2());
2111             if (node->child3())
2112                 fixEdge<BooleanUse>(node->child3());
2113
2114             if (node->op() == DataViewGetInt) {
2115                 DataViewData data = node->dataViewData();
2116                 switch (data.byteSize) {
2117                 case 1:
2118                 case 2:
2119                     node->setResult(NodeResultInt32);
2120                     break;
2121                 case 4:
2122                     if (data.isSigned)
2123                         node->setResult(NodeResultInt32);
2124                     else
2125                         node->setResult(NodeResultInt52);
2126                     break;
2127                 default:
2128                     RELEASE_ASSERT_NOT_REACHED();
2129                 }
2130             }
2131             break;
2132         }
2133
2134         case DataViewSet: {
2135             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2136             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2137             if (m_graph.varArgChild(node, 3))
2138                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2139             
2140             DataViewData data = node->dataViewData();
2141             Edge& valueToStore = m_graph.varArgChild(node, 2);
2142             if (data.isFloatingPoint)
2143                 fixEdge<DoubleRepUse>(valueToStore);
2144             else {
2145                 switch (data.byteSize) {
2146                 case 1:
2147                 case 2:
2148                     fixEdge<Int32Use>(valueToStore);
2149                     break;
2150                 case 4:
2151                     if (data.isSigned)
2152                         fixEdge<Int32Use>(valueToStore);
2153                     else
2154                         fixEdge<Int52RepUse>(valueToStore);
2155                     break;
2156                 }
2157             }
2158             break;
2159         }
2160
2161 #if !ASSERT_DISABLED
2162         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2163         case SetArgument:
2164         case JSConstant:
2165         case LazyJSConstant:
2166         case DoubleConstant:
2167         case GetLocal:
2168         case GetCallee:
2169         case GetArgumentCountIncludingThis:
2170         case SetArgumentCountIncludingThis:
2171         case GetRestLength:
2172         case GetArgument:
2173         case Flush:
2174         case PhantomLocal:
2175         case GetGlobalVar:
2176         case GetGlobalLexicalVariable:
2177         case NotifyWrite:
2178         case DirectCall:
2179         case CheckTypeInfoFlags:
2180         case TailCallInlinedCaller:
2181         case DirectTailCallInlinedCaller:
2182         case Construct:
2183         case DirectConstruct:
2184         case CallVarargs:
2185         case CallEval:
2186         case TailCallVarargsInlinedCaller:
2187         case ConstructVarargs:
2188         case CallForwardVarargs:
2189         case ConstructForwardVarargs:
2190         case TailCallForwardVarargs:
2191         case TailCallForwardVarargsInlinedCaller:
2192         case LoadVarargs:
2193         case ForwardVarargs:
2194         case ProfileControlFlow:
2195         case NewObject:
2196         case NewRegexp:
2197         case DeleteById:
2198         case DeleteByVal:
2199         case IsTypedArrayView:
2200         case IsEmpty:
2201         case IsUndefined:
2202         case IsBoolean:
2203         case IsNumber:
2204         case IsObjectOrNull:
2205         case IsFunction:
2206         case CreateDirectArguments:
2207         case Jump:
2208         case Return:
2209         case TailCall:
2210         case DirectTailCall:
2211         case TailCallVarargs:
2212         case Throw:
2213         case CountExecution:
2214         case SuperSamplerBegin:
2215         case SuperSamplerEnd:
2216         case ForceOSRExit:
2217         case CheckBadCell:
2218         case CheckNotEmpty:
2219         case AssertNotEmpty:
2220         case CheckTraps:
2221         case Unreachable:
2222         case ExtractOSREntryLocal:
2223         case ExtractCatchLocal:
2224         case ClearCatchLocals:
2225         case LoopHint:
2226         case MovHint:
2227         case InitializeEntrypointArguments:
2228         case ZombieHint:
2229         case ExitOK:
2230         case BottomValue:
2231         case TypeOf:
2232         case PutByIdWithThis:
2233         case PutByValWithThis:
2234         case GetByValWithThis:
2235         case CompareEqPtr:
2236         case NumberToStringWithValidRadixConstant:
2237         case GetGlobalThis:
2238         case ExtractValueFromWeakMapGet:
2239         case CPUIntrinsic:
2240         case FilterCallLinkStatus:
2241         case FilterGetByIdStatus:
2242         case FilterPutByIdStatus:
2243         case FilterInByIdStatus:
2244             break;
2245 #else
2246         default:
2247             break;
2248 #endif
2249         }
2250     }
2251
2252     void watchHavingABadTime(Node* node)
2253     {
2254         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2255
2256         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2257         // does an array allocation. The types of array allocations may change if we start to have a bad
2258         // time. It's easier to reason about this if we know that whenever the types change after we start
2259         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2260         // prior to this point nobody should have been doing optimizations based on the indexing type of
2261         // the allocation.
2262         if (!globalObject->isHavingABadTime()) {
2263             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2264             m_graph.freeze(globalObject);
2265         }
2266     }
2267     
2268     template<UseKind useKind>
2269     void createToString(Node* node, Edge& edge)
2270     {
2271         Node* toString = m_insertionSet.insertNode(
2272             m_indexInBlock, SpecString, ToString, node->origin,
2273             Edge(edge.node(), useKind));
2274         switch (useKind) {
2275         case Int32Use:
2276         case Int52RepUse:
2277         case DoubleRepUse:
2278         case NotCellUse:
2279             toString->clearFlags(NodeMustGenerate);
2280             break;
2281         default:
2282             break;
2283         }
2284         edge.setNode(toString);
2285     }
2286     
2287     template<UseKind useKind>
2288     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2289     {
2290         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2291         
2292         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2293             return;
2294         
2295         createToString<useKind>(node, node->child1());
2296         arrayMode = ArrayMode(Array::String, Array::Read);
2297     }
2298     
2299     template<UseKind useKind>
2300     bool isStringObjectUse()
2301     {
2302         switch (useKind) {
2303         case StringObjectUse:
2304         case StringOrStringObjectUse:
2305             return true;
2306         default:
2307             return false;
2308         }
2309     }
2310     
2311     template<UseKind useKind>
2312     void convertStringAddUse(Node* node, Edge& edge)
2313     {
2314         if (useKind == StringUse) {
2315             observeUseKindOnNode<StringUse>(edge.node());
2316             m_insertionSet.insertNode(
2317                 m_indexInBlock, SpecNone, Check, node->origin,
2318                 Edge(edge.node(), StringUse));
2319             edge.setUseKind(KnownStringUse);
2320             return;
2321         }
2322         
2323         observeUseKindOnNode<useKind>(edge.node());
2324         createToString<useKind>(node, edge);
2325     }
2326     
2327     void convertToMakeRope(Node* node)
2328     {
2329         node->setOpAndDefaultFlags(MakeRope);
2330         fixupMakeRope(node);
2331     }
2332     
2333     void fixupMakeRope(Node* node)
2334     {
2335         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2336             Edge& edge = node->children.child(i);
2337             if (!edge)
2338                 break;
2339             edge.setUseKind(KnownStringUse);
2340             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2341             if (!string)
2342                 continue;
2343             if (string->length())
2344                 continue;
2345             
2346             // Don't allow the MakeRope to have zero children.
2347             if (!i && !node->child2())
2348                 break;
2349             
2350             node->children.removeEdge(i--);
2351         }
2352         
2353         if (!node->child2()) {
2354             ASSERT(!node->child3());
2355             node->convertToIdentity();
2356         }
2357     }
2358
2359     void fixupIsCellWithType(Node* node)
2360     {
2361         switch (node->speculatedTypeForQuery()) {
2362         case SpecString:
2363             if (node->child1()->shouldSpeculateString()) {
2364                 m_insertionSet.insertNode(
2365                     m_indexInBlock, SpecNone, Check, node->origin,
2366                     Edge(node->child1().node(), StringUse));
2367                 m_graph.convertToConstant(node, jsBoolean(true));
2368                 observeUseKindOnNode<StringUse>(node);
2369                 return;
2370             }
2371             break;
2372
2373         case SpecProxyObject:
2374             if (node->child1()->shouldSpeculateProxyObject()) {
2375                 m_insertionSet.insertNode(
2376                     m_indexInBlock, SpecNone, Check, node->origin,
2377                     Edge(node->child1().node(), ProxyObjectUse));
2378                 m_graph.convertToConstant(node, jsBoolean(true));
2379                 observeUseKindOnNode<ProxyObjectUse>(node);
2380                 return;
2381             }
2382             break;
2383
2384         case SpecRegExpObject:
2385             if (node->child1()->shouldSpeculateRegExpObject()) {
2386                 m_insertionSet.insertNode(
2387                     m_indexInBlock, SpecNone, Check, node->origin,
2388                     Edge(node->child1().node(), RegExpObjectUse));
2389                 m_graph.convertToConstant(node, jsBoolean(true));
2390                 observeUseKindOnNode<RegExpObjectUse>(node);
2391                 return;
2392             }
2393             break;
2394
2395         case SpecArray:
2396             if (node->child1()->shouldSpeculateArray()) {
2397                 m_insertionSet.insertNode(
2398                     m_indexInBlock, SpecNone, Check, node->origin,
2399                     Edge(node->child1().node(), ArrayUse));
2400                 m_graph.convertToConstant(node, jsBoolean(true));
2401                 observeUseKindOnNode<ArrayUse>(node);
2402                 return;
2403             }
2404             break;
2405
2406         case SpecDerivedArray:
2407             if (node->child1()->shouldSpeculateDerivedArray()) {
2408                 m_insertionSet.insertNode(
2409                     m_indexInBlock, SpecNone, Check, node->origin,
2410                     Edge(node->child1().node(), DerivedArrayUse));
2411                 m_graph.convertToConstant(node, jsBoolean(true));
2412                 observeUseKindOnNode<DerivedArrayUse>(node);
2413                 return;
2414             }
2415             break;
2416         }
2417
2418         if (node->child1()->shouldSpeculateCell()) {
2419             fixEdge<CellUse>(node->child1());
2420             return;
2421         }
2422
2423         if (node->child1()->shouldSpeculateNotCell()) {
2424             m_insertionSet.insertNode(
2425                 m_indexInBlock, SpecNone, Check, node->origin,
2426                 Edge(node->child1().node(), NotCellUse));
2427             m_graph.convertToConstant(node, jsBoolean(false));
2428             observeUseKindOnNode<NotCellUse>(node);
2429             return;
2430         }
2431     }
2432
2433     void fixupGetPrototypeOf(Node* node)
2434     {
2435         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2436         if (node->child1().useKind() != ObjectUse) {
2437             if (node->child1()->shouldSpeculateString()) {
2438                 insertCheck<StringUse>(node->child1().node());
2439                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2440                 return;
2441             }
2442             if (node->child1()->shouldSpeculateInt32()) {
2443                 insertCheck<Int32Use>(node->child1().node());
2444                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2445                 return;
2446             }
2447             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2448                 insertCheck<Int52RepUse>(node->child1().node());
2449                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2450                 return;
2451             }
2452             if (node->child1()->shouldSpeculateNumber()) {
2453                 insertCheck<NumberUse>(node->child1().node());
2454                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2455                 return;
2456             }
2457             if (node->child1()->shouldSpeculateSymbol()) {
2458                 insertCheck<SymbolUse>(node->child1().node());
2459                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2460                 return;
2461             }
2462             if (node->child1()->shouldSpeculateBoolean()) {
2463                 insertCheck<BooleanUse>(node->child1().node());
2464                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2465                 return;
2466             }
2467         }
2468
2469         if (node->child1()->shouldSpeculateFinalObject()) {
2470             fixEdge<FinalObjectUse>(node->child1());
2471             node->clearFlags(NodeMustGenerate);
2472             return;
2473         }
2474         if (node->child1()->shouldSpeculateArray()) {
2475             fixEdge<ArrayUse>(node->child1());
2476             node->clearFlags(NodeMustGenerate);
2477             return;
2478         }
2479         if (node->child1()->shouldSpeculateFunction()) {
2480             fixEdge<FunctionUse>(node->child1());
2481             node->clearFlags(NodeMustGenerate);
2482             return;
2483         }
2484     }
2485
2486     void fixupToThis(Node* node)
2487     {
2488         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2489
2490         if (ecmaMode == StrictMode) {
2491             if (node->child1()->shouldSpeculateBoolean()) {
2492                 fixEdge<BooleanUse>(node->child1());
2493                 node->convertToIdentity();
2494                 return;
2495             }
2496
2497             if (node->child1()->shouldSpeculateInt32()) {
2498                 fixEdge<Int32Use>(node->child1());
2499                 node->convertToIdentity();
2500                 return;
2501             }
2502
2503             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2504                 fixEdge<Int52RepUse>(node->child1());
2505                 node->convertToIdentity();
2506                 node->setResult(NodeResultInt52);
2507                 return;
2508             }
2509
2510             if (node->child1()->shouldSpeculateNumber()) {
2511                 fixEdge<DoubleRepUse>(node->child1());
2512                 node->convertToIdentity();
2513                 node->setResult(NodeResultDouble);
2514                 return;
2515             }
2516
2517             if (node->child1()->shouldSpeculateSymbol()) {
2518                 fixEdge<SymbolUse>(node->child1());
2519                 node->convertToIdentity();
2520                 return;
2521             }
2522
2523             if (node->child1()->shouldSpeculateStringIdent()) {
2524                 fixEdge<StringIdentUse>(node->child1());
2525                 node->convertToIdentity();
2526                 return;
2527             }
2528
2529             if (node->child1()->shouldSpeculateString()) {
2530                 fixEdge<StringUse>(node->child1());
2531                 node->convertToIdentity();
2532                 return;
2533             }
2534             
2535             if (node->child1()->shouldSpeculateBigInt()) {
2536                 fixEdge<BigIntUse>(node->child1());
2537                 node->convertToIdentity();
2538                 return;
2539             }
2540         }
2541
2542         if (node->child1()->shouldSpeculateOther()) {
2543             if (ecmaMode == StrictMode) {
2544                 fixEdge<OtherUse>(node->child1());
2545                 node->convertToIdentity();
2546                 return;
2547             }
2548
2549             m_insertionSet.insertNode(
2550                 m_indexInBlock, SpecNone, Check, node->origin,
2551                 Edge(node->child1().node(), OtherUse));
2552             observeUseKindOnNode<OtherUse>(node->child1().node());
2553             m_graph.convertToConstant(
2554                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2555             return;
2556         }
2557
2558         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2559         // however, since we cover all the missing cases in constant folding.
2560         // https://bugs.webkit.org/show_bug.cgi?id=157213
2561         if (node->child1()->shouldSpeculateStringObject()) {
2562             fixEdge<StringObjectUse>(node->child1());
2563             node->convertToIdentity();
2564             return;
2565         }
2566
2567         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2568             fixEdge<FinalObjectUse>(node->child1());
2569             node->convertToIdentity();
2570             return;
2571         }
2572     }
2573     
2574     void fixupToPrimitive(Node* node)
2575     {
2576         if (node->child1()->shouldSpeculateInt32()) {
2577             fixEdge<Int32Use>(node->child1());
2578             node->convertToIdentity();
2579             return;
2580         }
2581         
2582         if (node->child1()->shouldSpeculateString()) {
2583             fixEdge<StringUse>(node->child1());
2584             node->convertToIdentity();
2585             return;
2586         }
2587         
2588         if (node->child1()->shouldSpeculateStringObject()
2589             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2590             fixEdge<StringObjectUse>(node->child1());
2591             node->convertToToString();
2592             return;
2593         }
2594         
2595         if (node->child1()->shouldSpeculateStringOrStringObject()
2596             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2597             fixEdge<StringOrStringObjectUse>(node->child1());
2598             node->convertToToString();
2599             return;
2600         }
2601     }
2602
2603     void fixupToNumber(Node* node)
2604     {
2605         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2606         if (node->child1()->shouldSpeculateNumber()) {
2607             if (isInt32Speculation(node->getHeapPrediction())) {
2608                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2609                 if (node->child1()->shouldSpeculateInt32()) {
2610                     fixEdge<Int32Use>(node->child1());
2611                     node->convertToIdentity();
2612                     return;
2613                 }
2614
2615                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2616                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2617                 fixEdge<DoubleRepUse>(node->child1());
2618                 node->setOp(DoubleAsInt32);
2619                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2620                     node->setArithMode(Arith::CheckOverflow);
2621                 else
2622                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2623                 return;
2624             }
2625
2626             fixEdge<DoubleRepUse>(node->child1());
2627             node->convertToIdentity();
2628             node->setResult(NodeResultDouble);
2629             return;
2630         }
2631
2632         fixEdge<UntypedUse>(node->child1());
2633         node->setResult(NodeResultJS);
2634     }
2635
2636     void fixupToObject(Node* node)
2637     {
2638         if (node->child1()->shouldSpeculateObject()) {
2639             fixEdge<ObjectUse>(node->child1());
2640             node->convertToIdentity();
2641             return;
2642         }
2643
2644         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2645
2646         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2647
2648         if (node->child1()->shouldSpeculateString()) {
2649             insertCheck<StringUse>(node->child1().node());
2650             fixEdge<KnownStringUse>(node->child1());
2651             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2652             return;
2653         }
2654
2655         if (node->child1()->shouldSpeculateSymbol()) {
2656             insertCheck<SymbolUse>(node->child1().node());
2657             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2658             return;
2659         }
2660
2661         if (node->child1()->shouldSpeculateNumber()) {
2662             insertCheck<NumberUse>(node->child1().node());
2663             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2664             return;
2665         }
2666
2667         if (node->child1()->shouldSpeculateBoolean()) {
2668             insertCheck<BooleanUse>(node->child1().node());
2669             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2670             return;
2671         }
2672
2673         fixEdge<UntypedUse>(node->child1());
2674     }
2675
2676     void fixupCallObjectConstructor(Node* node)
2677     {
2678         if (node->child1()->shouldSpeculateObject()) {
2679             fixEdge<ObjectUse>(node->child1());
2680             node->convertToIdentity();
2681             return;
2682         }
2683
2684         if (node->child1()->shouldSpeculateString()) {
2685             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2686             insertCheck<StringUse>(node->child1().node());
2687             fixEdge<KnownStringUse>(node->child1());
2688             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2689             return;
2690         }
2691
2692         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2693         if (node->child1()->shouldSpeculateOther()) {
2694             insertCheck<OtherUse>(node->child1().node());
2695             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2696             return;
2697         }
2698
2699         fixEdge<UntypedUse>(node->child1());
2700     }
2701     
2702     void fixupToStringOrCallStringConstructor(Node* node)
2703     {
2704         if (node->child1()->shouldSpeculateString()) {
2705             fixEdge<StringUse>(node->child1());
2706             node->convertToIdentity();
2707             return;
2708         }
2709         
2710         if (node->child1()->shouldSpeculateStringObject()
2711             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2712             fixEdge<StringObjectUse>(node->child1());
2713             return;
2714         }
2715         
2716         if (node->child1()->shouldSpeculateStringOrStringObject()
2717             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2718             fixEdge<StringOrStringObjectUse>(node->child1());
2719             return;
2720         }
2721         
2722         if (node->child1()->shouldSpeculateCell()) {
2723             fixEdge<CellUse>(node->child1());
2724             return;
2725         }
2726
2727         if (node->child1()->shouldSpeculateInt32()) {
2728             fixEdge<Int32Use>(node->child1());
2729             node->clearFlags(NodeMustGenerate);
2730             return;
2731         }
2732
2733         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2734             fixEdge<Int52RepUse>(node->child1());
2735             node->clearFlags(NodeMustGenerate);
2736             return;
2737         }
2738
2739         if (node->child1()->shouldSpeculateNumber()) {
2740             fixEdge<DoubleRepUse>(node->child1());
2741             node->clearFlags(NodeMustGenerate);
2742             return;
2743         }
2744
2745         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2746         // we need to care about it in the clobberize. In the following case,
2747         // since NotCellUse edge filter is used and this edge filters Symbols,
2748         // we can say that ToString never throws an error!
2749         if (node->child1()->shouldSpeculateNotCell()) {
2750             fixEdge<NotCellUse>(node->child1());
2751             node->clearFlags(NodeMustGenerate);
2752             return;
2753         }
2754     }
2755
2756     bool attemptToMakeFastStringAdd(Node* node)
2757     {
2758         bool goodToGo = true;
2759         m_graph.doToChildren(
2760             node,
2761             [&] (Edge& edge) {
2762                 if (edge->shouldSpeculateString())
2763                     return;
2764                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2765                     if (edge->shouldSpeculateStringObject())
2766                         return;
2767                     if (edge->shouldSpeculateStringOrStringObject())
2768                         return;
2769                 }
2770                 goodToGo = false;
2771             });
2772         if (!goodToGo)
2773             return false;
2774
2775         m_graph.doToChildren(
2776             node,
2777             [&] (Edge& edge) {
2778                 if (edge->shouldSpeculateString()) {
2779                     convertStringAddUse<StringUse>(node, edge);
2780                     return;
2781                 }
2782                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2783                 if (edge->shouldSpeculateStringObject()) {
2784                     convertStringAddUse<StringObjectUse>(node, edge);
2785                     return;
2786                 }
2787                 if (edge->shouldSpeculateStringOrStringObject()) {
2788                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2789                     return;
2790                 }
2791                 RELEASE_ASSERT_NOT_REACHED();
2792             });
2793         
2794         convertToMakeRope(node);
2795         return true;
2796     }
2797
2798     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2799     {
2800         if (!block)
2801             return;
2802         ASSERT(block->isReachable);
2803         m_block = block;
2804         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2805             Node* node = m_currentNode = block->at(m_indexInBlock);
2806             if (node->op() != SetLocal && node->op() != GetLocal)
2807                 continue;
2808             
2809             VariableAccessData* variable = node->variableAccessData();
2810             switch (node->op()) {
2811             case GetLocal:
2812                 switch (variable->flushFormat()) {
2813                 case FlushedDouble:
2814                     node->setResult(NodeResultDouble);
2815                     break;
2816                 case FlushedInt52:
2817                     node->setResult(NodeResultInt52);
2818                     break;
2819                 default:
2820                     break;
2821                 }
2822                 break;
2823                 
2824             case SetLocal:
2825                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2826                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2827                 
2828                 switch (variable->flushFormat()) {
2829                 case FlushedJSValue:
2830                     break;
2831                 case FlushedDouble:
2832                     fixEdge<DoubleRepUse>(node->child1());
2833                     break;
2834                 case FlushedInt32:
2835                     fixEdge<Int32Use>(node->child1());
2836                     break;
2837                 case FlushedInt52:
2838                     fixEdge<Int52RepUse>(node->child1());
2839                     break;
2840                 case FlushedCell:
2841                     fixEdge<CellUse>(node->child1());
2842                     break;
2843                 case FlushedBoolean:
2844                     fixEdge<BooleanUse>(node->child1());
2845                     break;
2846                 default:
2847                     RELEASE_ASSERT_NOT_REACHED();
2848                     break;
2849                 }
2850                 break;
2851                 
2852             default:
2853                 RELEASE_ASSERT_NOT_REACHED();
2854                 break;
2855             }
2856         }
2857         m_insertionSet.execute(block);
2858     }
2859     
2860     void addStringReplacePrimordialChecks(Node* searchRegExp)
2861     {
2862         Node* node = m_currentNode;
2863
2864         // Check that structure of searchRegExp is RegExp object
2865         m_insertionSet.insertNode(
2866             m_indexInBlock, SpecNone, Check, node->origin,
2867             Edge(searchRegExp, RegExpObjectUse));
2868
2869         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2870             unsigned index = m_graph.identifiers().ensure(propertyUID);
2871
2872             Node* actualProperty = m_insertionSet.insertNode(
2873                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2874                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2875
2876             m_insertionSet.insertNode(
2877                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2878                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2879         };
2880
2881         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2882
2883         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2884         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2885         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2886         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2887         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2888         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2889         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2890         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2891     }
2892
2893     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2894     {
2895         ASSERT(arrayMode.isSpecific());
2896         
2897         if (arrayMode.type() == Array::String) {
2898             m_insertionSet.insertNode(
2899                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2900         } else {
2901             // Note that we only need to be using a structure check if we opt for SaneChain, since
2902             // that needs to protect against JSArray's __proto__ being changed.
2903             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2904         
2905             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2906             
2907             if (arrayMode.doesConversion()) {
2908                 if (structure) {
2909                     m_insertionSet.insertNode(
2910                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2911                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2912                 } else {
2913                     m_insertionSet.insertNode(
2914                         m_indexInBlock, SpecNone, Arrayify, origin,
2915                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2916                 }
2917             } else {
2918                 if (structure) {
2919                     m_insertionSet.insertNode(
2920                         m_indexInBlock, SpecNone, CheckStructure, origin,
2921                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2922                 } else {
2923                     m_insertionSet.insertNode(
2924                         m_indexInBlock, SpecNone, CheckArray, origin,
2925                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2926                 }
2927             }
2928         }
2929         
2930         if (!storageCheck(arrayMode))
2931             return nullptr;
2932         
2933         if (arrayMode.usesButterfly()) {
2934             return m_insertionSet.insertNode(
2935                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2936         }
2937         
2938         return m_insertionSet.insertNode(
2939             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2940             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2941     }
2942     
2943     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2944     {
2945         Node* node = m_currentNode;
2946         
2947         switch (node->arrayMode().type()) {
2948         case Array::ForceExit: {
2949             m_insertionSet.insertNode(
2950                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2951             return;
2952         }
2953             
2954         case Array::SelectUsingPredictions:
2955         case Array::Unprofiled:
2956             RELEASE_ASSERT_NOT_REACHED();
2957             return;
2958             
2959         case Array::Generic:
2960             return;
2961             
2962         default: {
2963             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2964             if (!storage)
2965                 return;
2966             
2967             storageChild = Edge(storage);
2968             return;
2969         } }
2970     }
2971     
2972     bool alwaysUnboxSimplePrimitives()
2973     {
2974 #if USE(JSVALUE64)
2975         return false;
2976 #else
2977         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2978         // reduces traffic.
2979         return true;
2980 #endif
2981     }
2982
2983     template<UseKind useKind>
2984     void observeUseKindOnNode(Node* node)
2985     {
2986         if (useKind == UntypedUse)
2987             return;
2988         observeUseKindOnNode(node, useKind);
2989     }
2990
2991     void observeUseKindOnEdge(Edge edge)
2992     {
2993         observeUseKindOnNode(edge.node(), edge.useKind());
2994     }
2995
2996     void observeUseKindOnNode(Node* node, UseKind useKind)
2997     {
2998         if (node->op() != GetLocal)
2999             return;
3000         
3001         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
3002         // https://bugs.webkit.org/show_bug.cgi?id=121518
3003         
3004         VariableAccessData* variable = node->variableAccessData();
3005         switch (useKind) {
3006         case Int32Use:
3007         case KnownInt32Use:
3008             if (alwaysUnboxSimplePrimitives()
3009                 || isInt32Speculation(variable->prediction()))
3010                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3011             break;
3012         case NumberUse:
3013         case RealNumberUse:
3014         case DoubleRepUse:
3015         case DoubleRepRealUse:
3016             if (variable->doubleFormatState() == UsingDoubleFormat)
3017                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3018             break;
3019         case BooleanUse:
3020         case KnownBooleanUse:
3021             if (alwaysUnboxSimplePrimitives()
3022                 || isBooleanSpeculation(variable->prediction()))
3023                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3024             break;
3025         case Int52RepUse:
3026             if (isAnyIntSpeculation(variable->prediction()))
3027                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3028             break;
3029         case CellUse:
3030         case KnownCellUse:
3031         case ObjectUse:
3032         case FunctionUse:
3033         case StringUse:
3034         case KnownStringUse:
3035         case SymbolUse:
3036         case BigIntUse:
3037         case StringObjectUse:
3038         case StringOrStringObjectUse:
3039             if (alwaysUnboxSimplePrimitives()
3040                 || isCellSpeculation(variable->prediction()))
3041                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3042             break;
3043         default:
3044             break;
3045         }
3046     }
3047     
3048     template<UseKind useKind>
3049     void fixEdge(Edge& edge)
3050     {
3051         observeUseKindOnNode<useKind>(edge.node());
3052         edge.setUseKind(useKind);
3053     }
3054     
3055     unsigned indexForChecks()
3056     {
3057         unsigned index = m_indexInBlock;
3058         while (!m_block->at(index)->origin.exitOK)
3059             index--;
3060         return index;
3061     }
3062     
3063     NodeOrigin originForCheck(unsigned index)
3064     {
3065         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
3066     }
3067     
3068     void speculateForBarrier(Edge value)
3069     {
3070         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
3071         // the DFG anyway because if such a speculation would be wrong, we want to know before
3072         // we do an expensive compile.
3073         
3074         if (value->shouldSpeculateInt32()) {
3075             insertCheck<Int32Use>(value.node());
3076             return;
3077         }
3078             
3079         if (value->shouldSpeculateBoolean()) {
3080             insertCheck<BooleanUse>(value.node());
3081             return;
3082         }
3083             
3084         if (value->shouldSpeculateOther()) {
3085             insertCheck<OtherUse>(value.node());
3086             return;
3087         }
3088             
3089         if (value->shouldSpeculateNumber()) {
3090             insertCheck<NumberUse>(value.node());
3091             return;
3092         }
3093             
3094         if (value->shouldSpeculateNotCell()) {
3095             insertCheck<NotCellUse>(value.node());
3096             return;
3097         }
3098     }
3099     
3100     template<UseKind useKind>
3101     void insertCheck(Node* node)
3102     {
3103         observeUseKindOnNode<useKind>(node);
3104         unsigned index = indexForChecks();
3105         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
3106     }
3107
3108     void fixIntConvertingEdge(Edge& edge)
3109     {
3110         Node* node = edge.node();
3111         if (node->shouldSpeculateInt32OrBoolean()) {
3112             fixIntOrBooleanEdge(edge);
3113             return;
3114         }
3115         
3116         UseKind useKind;
3117         if (node->shouldSpeculateAnyInt())
3118             useKind = Int52RepUse;
3119         else if (node->shouldSpeculateNumber())
3120             useKind = DoubleRepUse;
3121         else
3122             useKind = NotCellUse;
3123         Node* newNode = m_insertionSet.insertNode(
3124             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
3125             Edge(node, useKind));
3126         observeUseKindOnNode(node, useKind);
3127         
3128         edge = Edge(newNode, KnownInt32Use);
3129     }
3130     
3131     void fixIntOrBooleanEdge(Edge& edge)
3132     {
3133         Node* node = edge.node();
3134         if (!node->sawBooleans()) {
3135             fixEdge<Int32Use>(edge);
3136             return;
3137         }
3138         
3139         UseKind useKind;
3140         if (node->shouldSpeculateBoolean())
3141             useKind = BooleanUse;
3142         else
3143             useKind = UntypedUse;
3144         Node* newNode = m_insertionSet.insertNode(
3145             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3146             Edge(node, useKind));
3147         observeUseKindOnNode(node, useKind);
3148         
3149         edge = Edge(newNode, Int32Use);
3150     }
3151     
3152     void fixDoubleOrBooleanEdge(Edge& edge)
3153     {
3154         Node* node = edge.node();
3155         if (!node->sawBooleans()) {
3156             fixEdge<DoubleRepUse>(edge);
3157             return;
3158         }
3159         
3160         UseKind useKind;
3161         if (node->shouldSpeculateBoolean())
3162             useKind = BooleanUse;
3163         else
3164             useKind = UntypedUse;
3165         Node* newNode = m_insertionSet.insertNode(
3166             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
3167             Edge(node, useKind));
3168         observeUseKindOnNode(node, useKind);
3169         
3170         edge = Edge(newNode, DoubleRepUse);
3171     }
3172     
3173     void truncateConstantToInt32(Edge& edge)
3174     {
3175         Node* oldNode = edge.node();
3176         
3177         JSValue value = oldNode->asJSValue();
3178         if (value.isInt32())
3179             return;
3180         
3181         value = jsNumber(JSC::toInt32(value.asNumber()));
3182         ASSERT(value.isInt32());
3183         edge.setNode(m_insertionSet.insertNode(
3184             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
3185             OpInfo(m_graph.freeze(value))));
3186     }
3187     
3188     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
3189     {
3190         if (mode != SpeculateInt32AndTruncateConstants)
3191             return;
3192         
3193         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
3194         if (node->child1()->hasConstant())
3195             truncateConstantToInt32(node->child1());
3196         else
3197             truncateConstantToInt32(node->child2());
3198     }
3199
3200     bool attemptToMakeIntegerAdd(Node* node)
3201     {
3202         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
3203         if (mode != DontSpeculateInt32) {
3204             truncateConstantsIfNecessary(node, mode);
3205             fixIntOrBooleanEdge(node->child1());
3206             fixIntOrBooleanEdge(node->child2());
3207             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
3208                 node->setArithMode(Arith::Unchecked);
3209             else
3210                 node->setArithMode(Arith::CheckOverflow);
3211             return true;
3212         }
3213         
3214         if (m_graph.addShouldSpeculateAnyInt(node)) {
3215             fixEdge<Int52RepUse>(node->child1());
3216             fixEdge<Int52RepUse>(node->child2());
3217             node->setArithMode(Arith::CheckOverflow);
3218             node->setResult(NodeResultInt52);
3219             return true;
3220         }
3221         
3222         return false;
3223     }
3224     
3225     bool attemptToMakeGetArrayLength(Node* node)
3226     {
3227         if (!isInt32Speculation(node->prediction()))
3228             return false;
3229         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
3230         ArrayProfile* arrayProfile = 
3231             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
3232         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3233         if (arrayProfile) {
3234             ConcurrentJSLocker locker(profiledBlock->m_lock);
3235             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
3236             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
3237             if (arrayMode.type() == Array::Unprofiled) {
3238                 // For normal array operations, it makes sense to treat Unprofiled
3239                 // accesses as ForceExit and get more data rather than using
3240                 // predictions and then possibly ending up with a Generic. But here,
3241                 // we treat anything that is Unprofiled as Generic and keep the
3242                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
3243                 // profit - from treating the Unprofiled case as
3244                 // SelectUsingPredictions.
3245                 arrayMode = ArrayMode(Array::SelectUsingPredictions, Array::Read);
3246             }
3247         }
3248             
3249         arrayMode = arrayMode.refine(
3250             m_graph, node, node->child1()->prediction(), node->prediction());
3251             
3252         if (arrayMode.type() == Array::Generic) {
3253             // Check if the input is something that we can't get array length for, but for which we
3254             // could insert some conversions in order to transform it into something that we can do it
3255             // for.
3256             if (node->child1()->shouldSpeculateStringObject())
3257                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
3258             else if (node->child1()->shouldSpeculateStringOrStringObject())
3259                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
3260         }
3261             
3262         if (!arrayMode.supportsSelfLength())
3263             return false;
3264         
3265         convertToGetArrayLength(node, arrayMode);
3266         return true;
3267     }
3268
3269     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
3270     {
3271         node->setOp(GetArrayLength);
3272         node->clearFlags(NodeMustGenerate);
3273         fixEdge<KnownCellUse>(node->child1());
3274         node->setArrayMode(arrayMode);
3275             
3276         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
3277         if (!storage)
3278             return;
3279             
3280         node->child2() = Edge(storage);
3281     }
3282     
3283     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
3284     {
3285         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
3286         return m_insertionSet.insertNode(
3287             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
3288             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
3289     }
3290
3291     void convertToHasIndexedProperty(Node* node)
3292     {
3293         node->setOp(HasIndexedProperty);
3294         node->clearFlags(NodeMustGenerate);
3295         node->setArrayMode(
3296             node->arrayMode().refine(
3297                 m_graph, node,
3298                 node->child1()->prediction(),
3299                 node->child2()->prediction(),
3300                 SpecNone));
3301         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
3302
3303         blessArrayOperation(node->child1(), node->child2(), node->child3());
3304
3305         fixEdge<CellUse>(node->child1());
3306         fixEdge<Int32Use>(node->child2());
3307     }
3308
3309     void fixupNormalizeMapKey(Node* node)
3310     {
3311         if (node->child1()->shouldSpeculateBoolean()) {
3312             fixEdge<BooleanUse>(node->child1());
3313             node->convertToIdentity();
3314             return;
3315         }
3316
3317         if (node->child1()->shouldSpeculateInt32()) {
3318             fixEdge<Int32Use>(node->child1());
3319             node->convertToIdentity();
3320             return;
3321         }
3322
3323         if (node->child1()->shouldSpeculateSymbol()) {
3324             fixEdge<SymbolUse>(node->child1());
3325             node->convertToIdentity();
3326             return;
3327         }
3328
3329         if (node->child1()->shouldSpeculateObject()) {
3330             fixEdge<ObjectUse>(node->child1());
3331             node->convertToIdentity();
3332             return;
3333         }
3334
3335         if (node->child1()->shouldSpeculateString()) {
3336             fixEdge<StringUse>(node->child1());
3337             node->convertToIdentity();
3338             return;
3339         }
3340
3341         if (node->child1()->shouldSpeculateCell()) {
3342             fixEdge<CellUse>(node->child1());
3343             node->convertToIdentity();
3344             return;
3345         }
3346
3347         fixEdge<UntypedUse>(node->child1());
3348     }
3349
3350     bool attemptToMakeCallDOM(Node* node)
3351     {
3352         if (m_graph.hasExitSite(node->origin.semantic, BadType))
3353             return false;
3354
3355         const DOMJIT::Signature* signature = node->signature();
3356         if (!signature)
3357             return false;
3358
3359         {
3360             unsigned index = 0;
3361             bool shouldConvertToCallDOM = true;
3362             m_graph.doToChildren(node, [&](Edge& edge) {
3363                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3364                 if (!index)
3365                     return;
3366
3367                 if (index == 1) {
3368                     // DOM node case.
3369                     if (edge->shouldSpeculateNotCell())
3370                         shouldConvertToCallDOM = false;
3371                 } else {
3372                     switch (signature->arguments[index - 2]) {
3373                     case SpecString:
3374                         if (edge->shouldSpeculateNotString())
3375                             shouldConvertToCallDOM = false;
3376                         break;
3377                     case SpecInt32Only:
3378                         if (edge->shouldSpeculateNotInt32())
3379                             shouldConvertToCallDOM = false;
3380                         break;
3381                     case SpecBoolean:
3382                         if (edge->shouldSpeculateNotBoolean())
3383                             shouldConvertToCallDOM = false;
3384                         break;
3385                     default:
3386                         RELEASE_ASSERT_NOT_REACHED();
3387                         break;
3388                     }
3389                 }
3390                 ++index;
3391             });
3392             if (!shouldConvertToCallDOM)
3393                 return false;
3394         }
3395
3396         Node* thisNode = m_graph.varArgChild(node, 1).node();
3397         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3398         node->convertToCallDOM(m_graph);
3399         fixupCheckSubClass(checkSubClass);
3400         fixupCallDOM(node);
3401         return true;
3402     }
3403
3404     void fixupCheckSubClass(Node* node)
3405     {
3406         fixEdge<CellUse>(node->child1());
3407     }
3408
3409     void fixupCallDOM(Node* node)
3410     {
3411         const DOMJIT::Signature* signature = node->signature();
3412         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3413             if (!edge)
3414                 return;
3415             switch (signature->arguments[argumentIndex]) {
3416             case SpecString:
3417                 fixEdge<StringUse>(edge);
3418                 break;
3419             case SpecInt32Only:
3420                 fixEdge<Int32Use>(edge);
3421                 break;
3422             case SpecBoolean:
3423                 fixEdge<BooleanUse>(edge);
3424                 break;
3425             default:
3426                 RELEASE_ASSERT_NOT_REACHED();
3427                 break;
3428             }
3429         };
3430         fixEdge<CellUse>(node->child1()); // DOM.
3431         fixup(node->child2(), 0);
3432         fixup(node->child3(), 1);
3433     }
3434
3435     void fixupArrayIndexOf(Node* node)
3436     {
3437         Edge& array = m_graph.varArgChild(node, 0);
3438         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3439         blessArrayOperation(array, Edge(), storage);
3440         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3441
3442         Edge& searchElement = m_graph.varArgChild(node, 1);
3443
3444         // Constant folding.
3445         switch (node->arrayMode().type()) {
3446         case Array::Double:
3447         case Array::Int32: {
3448             if (searchElement->shouldSpeculateCell()) {
3449                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3450                 m_graph.convertToConstant(node, jsNumber(-1));
3451                 observeUseKindOnNode<CellUse>(searchElement.node());
3452                 return;
3453             }
3454
3455             if (searchElement->shouldSpeculateOther()) {
3456                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3457                 m_graph.convertToConstant(node, jsNumber(-1));
3458                 observeUseKindOnNode<OtherUse>(searchElement.node());
3459                 return;
3460             }
3461
3462             if (searchElement->shouldSpeculateBoolean()) {
3463                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3464                 m_graph.convertToConstant(node, jsNumber(-1));
3465                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3466                 return;
3467             }
3468             break;
3469         }
3470         default:
3471             break;
3472         }
3473
3474         fixEdge<KnownCellUse>(array);
3475         if (node->numChildren() == 4)
3476             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3477
3478         switch (node->arrayMode().type()) {
3479         case Array::Double: {
3480             if (searchElement->shouldSpeculateNumber())
3481                 fixEdge<DoubleRepUse>(searchElement);
3482             return;
3483         }
3484         case Array::Int32: {
3485             if (searchElement->shouldSpeculateInt32())
3486                 fixEdge<Int32Use>(searchElement);
3487             return;
3488         }
3489         case Array::Contiguous: {
3490             if (searchElement->shouldSpeculateString())
3491                 fixEdge<StringUse>(searchElement);
3492             else if (searchElement->shouldSpeculateSymbol())
3493                 fixEdge<SymbolUse>(searchElement);
3494             else if (searchElement->shouldSpeculateOther())
3495                 fixEdge<OtherUse>(searchElement);
3496             else if (searchElement->shouldSpeculateObject())
3497                 fixEdge<ObjectUse>(searchElement);
3498             return;
3499         }
3500         default:
3501             RELEASE_ASSERT_NOT_REACHED();
3502             return;
3503         }
3504     }
3505
3506     void fixupCompareStrictEqAndSameValue(Node* node)
3507     {
3508         ASSERT(node->op() == SameValue || node->op() == CompareStrictEq);
3509
3510         if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
3511             fixEdge<BooleanUse>(node->child1());
3512             fixEdge<BooleanUse>(node->child2());
3513             node->setOpAndDefaultFlags(CompareStrictEq);
3514             return;
3515         }
3516         if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
3517             fixEdge<Int32Use>(node->child1());
3518             fixEdge<Int32Use>(node->child2());
3519             node->setOpAndDefaultFlags(CompareStrictEq);
3520             return;
3521         }
3522         if (enableInt52()
3523             && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
3524             fixEdge<Int52RepUse>(node->child1());
3525             fixEdge<Int52RepUse>(node->child2());
3526             node->setOpAndDefaultFlags(CompareStrictEq);
3527             return;
3528         }
3529         if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
3530             fixEdge<DoubleRepUse>(node->child1());
3531             fixEdge<DoubleRepUse>(node->child2());
3532             // Do not convert SameValue to CompareStrictEq in this case since SameValue(NaN, NaN) and SameValue(-0, +0)
3533             // are not the same to CompareStrictEq(NaN, NaN) and CompareStrictEq(-0, +0).
3534             return;
3535         }
3536         if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
3537             fixEdge<SymbolUse>(node->child1());