typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to...
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->clearFlags(NodeMustGenerate);
146                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
147             }
148             break;
149         }
150             
151         case ValueAdd: {
152             if (attemptToMakeIntegerAdd(node)) {
153                 node->setOp(ArithAdd);
154                 break;
155             }
156             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
157                 fixDoubleOrBooleanEdge(node->child1());
158                 fixDoubleOrBooleanEdge(node->child2());
159                 node->setOp(ArithAdd);
160                 node->setResult(NodeResultDouble);
161                 break;
162             }
163             
164             if (attemptToMakeFastStringAdd(node))
165                 break;
166
167             Edge& child1 = node->child1();
168             Edge& child2 = node->child2();
169             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
170                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
171                     auto convertString = [&](Node* node, Edge& edge) {
172                         if (edge->shouldSpeculateInt32())
173                             convertStringAddUse<Int32Use>(node, edge);
174                         else {
175                             ASSERT(edge->shouldSpeculateString());
176                             convertStringAddUse<StringUse>(node, edge);
177                         }
178                     };
179                     convertString(node, child1);
180                     convertString(node, child2);
181                     convertToMakeRope(node);
182                     break;
183                 }
184             }
185
186             fixEdge<UntypedUse>(child1);
187             fixEdge<UntypedUse>(child2);
188             node->setResult(NodeResultJS);
189             break;
190         }
191
192         case StrCat: {
193             if (attemptToMakeFastStringAdd(node))
194                 break;
195
196             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
197             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
198             // the implementation of StrCat doesn't dynamically optimize for empty strings.
199             // https://bugs.webkit.org/show_bug.cgi?id=148540
200             m_graph.doToChildren(
201                 node,
202                 [&] (Edge& edge) {
203                     fixEdge<KnownPrimitiveUse>(edge);
204                 });
205             break;
206         }
207             
208         case MakeRope: {
209             fixupMakeRope(node);
210             break;
211         }
212             
213         case ArithAdd:
214         case ArithSub: {
215             if (op == ArithSub
216                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
217                 fixEdge<UntypedUse>(node->child1());
218                 fixEdge<UntypedUse>(node->child2());
219                 node->setResult(NodeResultJS);
220                 break;
221             }
222             if (attemptToMakeIntegerAdd(node))
223                 break;
224             fixDoubleOrBooleanEdge(node->child1());
225             fixDoubleOrBooleanEdge(node->child2());
226             node->setResult(NodeResultDouble);
227             break;
228         }
229             
230         case ArithNegate: {
231             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
232                 fixIntOrBooleanEdge(node->child1());
233                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
234                     node->setArithMode(Arith::Unchecked);
235                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
236                     node->setArithMode(Arith::CheckOverflow);
237                 else
238                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
239                 node->setResult(NodeResultInt32);
240                 node->clearFlags(NodeMustGenerate);
241                 break;
242             }
243             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
244                 fixEdge<Int52RepUse>(node->child1());
245                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
246                     node->setArithMode(Arith::CheckOverflow);
247                 else
248                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
249                 node->setResult(NodeResultInt52);
250                 node->clearFlags(NodeMustGenerate);
251                 break;
252             }
253             if (node->child1()->shouldSpeculateNotCell()) {
254                 fixDoubleOrBooleanEdge(node->child1());
255                 node->setResult(NodeResultDouble);
256                 node->clearFlags(NodeMustGenerate);
257             } else
258                 fixEdge<UntypedUse>(node->child1());
259             break;
260         }
261             
262         case ArithMul: {
263             Edge& leftChild = node->child1();
264             Edge& rightChild = node->child2();
265             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
266                 fixEdge<UntypedUse>(leftChild);
267                 fixEdge<UntypedUse>(rightChild);
268                 node->setResult(NodeResultJS);
269                 break;
270             }
271             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
272                 fixIntOrBooleanEdge(leftChild);
273                 fixIntOrBooleanEdge(rightChild);
274                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
275                     node->setArithMode(Arith::Unchecked);
276                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
277                     || leftChild.node() == rightChild.node())
278                     node->setArithMode(Arith::CheckOverflow);
279                 else
280                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
281                 break;
282             }
283             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
284                 fixEdge<Int52RepUse>(leftChild);
285                 fixEdge<Int52RepUse>(rightChild);
286                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
287                     || leftChild.node() == rightChild.node())
288                     node->setArithMode(Arith::CheckOverflow);
289                 else
290                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
291                 node->setResult(NodeResultInt52);
292                 break;
293             }
294             fixDoubleOrBooleanEdge(leftChild);
295             fixDoubleOrBooleanEdge(rightChild);
296             node->setResult(NodeResultDouble);
297             break;
298         }
299
300         case ArithDiv:
301         case ArithMod: {
302             Edge& leftChild = node->child1();
303             Edge& rightChild = node->child2();
304             if (op == ArithDiv
305                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
306                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
307                 fixEdge<UntypedUse>(leftChild);
308                 fixEdge<UntypedUse>(rightChild);
309                 node->setResult(NodeResultJS);
310                 break;
311             }
312             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
313                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
314                     fixIntOrBooleanEdge(leftChild);
315                     fixIntOrBooleanEdge(rightChild);
316                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
317                         node->setArithMode(Arith::Unchecked);
318                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
319                         node->setArithMode(Arith::CheckOverflow);
320                     else
321                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
322                     break;
323                 }
324                 
325                 // This will cause conversion nodes to be inserted later.
326                 fixDoubleOrBooleanEdge(leftChild);
327                 fixDoubleOrBooleanEdge(rightChild);
328                 
329                 // We don't need to do ref'ing on the children because we're stealing them from
330                 // the original division.
331                 Node* newDivision = m_insertionSet.insertNode(
332                     m_indexInBlock, SpecBytecodeDouble, *node);
333                 newDivision->setResult(NodeResultDouble);
334                 
335                 node->setOp(DoubleAsInt32);
336                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
337                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
338                     node->setArithMode(Arith::CheckOverflow);
339                 else
340                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
341                 break;
342             }
343             fixDoubleOrBooleanEdge(leftChild);
344             fixDoubleOrBooleanEdge(rightChild);
345             node->setResult(NodeResultDouble);
346             break;
347         }
348             
349         case ArithMin:
350         case ArithMax: {
351             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
352                 fixIntOrBooleanEdge(node->child1());
353                 fixIntOrBooleanEdge(node->child2());
354                 break;
355             }
356             fixDoubleOrBooleanEdge(node->child1());
357             fixDoubleOrBooleanEdge(node->child2());
358             node->setResult(NodeResultDouble);
359             break;
360         }
361             
362         case ArithAbs: {
363             if (node->child1()->shouldSpeculateInt32OrBoolean()
364                 && node->canSpeculateInt32(FixupPass)) {
365                 fixIntOrBooleanEdge(node->child1());
366                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
367                     node->setArithMode(Arith::Unchecked);
368                 else
369                     node->setArithMode(Arith::CheckOverflow);
370                 node->clearFlags(NodeMustGenerate);
371                 node->setResult(NodeResultInt32);
372                 break;
373             }
374
375             if (node->child1()->shouldSpeculateNotCell()) {
376                 fixDoubleOrBooleanEdge(node->child1());
377                 node->clearFlags(NodeMustGenerate);
378             } else
379                 fixEdge<UntypedUse>(node->child1());
380             node->setResult(NodeResultDouble);
381             break;
382         }
383
384         case ArithPow: {
385             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
386                 fixDoubleOrBooleanEdge(node->child1());
387                 fixIntOrBooleanEdge(node->child2());
388                 break;
389             }
390
391             fixDoubleOrBooleanEdge(node->child1());
392             fixDoubleOrBooleanEdge(node->child2());
393             break;
394         }
395
396         case ArithRandom: {
397             node->setResult(NodeResultDouble);
398             break;
399         }
400
401         case ArithRound:
402         case ArithFloor:
403         case ArithCeil:
404         case ArithTrunc: {
405             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
406                 fixIntOrBooleanEdge(node->child1());
407                 insertCheck<Int32Use>(node->child1().node());
408                 node->convertToIdentity();
409                 break;
410             }
411             if (node->child1()->shouldSpeculateNotCell()) {
412                 fixDoubleOrBooleanEdge(node->child1());
413
414                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
415                     node->setResult(NodeResultInt32);
416                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
417                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
418                     else
419                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
420                 } else {
421                     node->setResult(NodeResultDouble);
422                     node->setArithRoundingMode(Arith::RoundingMode::Double);
423                 }
424                 node->clearFlags(NodeMustGenerate);
425             } else
426                 fixEdge<UntypedUse>(node->child1());
427             break;
428         }
429
430         case ArithFRound:
431         case ArithSqrt:
432         case ArithUnary: {
433             Edge& child1 = node->child1();
434             if (child1->shouldSpeculateNotCell()) {
435                 fixDoubleOrBooleanEdge(child1);
436                 node->clearFlags(NodeMustGenerate);
437             } else
438                 fixEdge<UntypedUse>(child1);
439             break;
440         }
441             
442         case LogicalNot: {
443             if (node->child1()->shouldSpeculateBoolean()) {
444                 if (node->child1()->result() == NodeResultBoolean) {
445                     // This is necessary in case we have a bytecode instruction implemented by:
446                     //
447                     // a: CompareEq(...)
448                     // b: LogicalNot(@a)
449                     //
450                     // In that case, CompareEq might have a side-effect. Then, we need to make
451                     // sure that we know that Branch does not exit.
452                     fixEdge<KnownBooleanUse>(node->child1());
453                 } else
454                     fixEdge<BooleanUse>(node->child1());
455             } else if (node->child1()->shouldSpeculateObjectOrOther())
456                 fixEdge<ObjectOrOtherUse>(node->child1());
457             else if (node->child1()->shouldSpeculateInt32OrBoolean())
458                 fixIntOrBooleanEdge(node->child1());
459             else if (node->child1()->shouldSpeculateNumber())
460                 fixEdge<DoubleRepUse>(node->child1());
461             else if (node->child1()->shouldSpeculateString())
462                 fixEdge<StringUse>(node->child1());
463             else if (node->child1()->shouldSpeculateStringOrOther())
464                 fixEdge<StringOrOtherUse>(node->child1());
465             else {
466                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
467                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
468                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
469             }
470             break;
471         }
472
473         case CompareEq:
474         case CompareLess:
475         case CompareLessEq:
476         case CompareGreater:
477         case CompareGreaterEq: {
478             if (node->op() == CompareEq
479                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
480                 fixEdge<BooleanUse>(node->child1());
481                 fixEdge<BooleanUse>(node->child2());
482                 node->clearFlags(NodeMustGenerate);
483                 break;
484             }
485             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
486                 fixIntOrBooleanEdge(node->child1());
487                 fixIntOrBooleanEdge(node->child2());
488                 node->clearFlags(NodeMustGenerate);
489                 break;
490             }
491             if (enableInt52()
492                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
493                 fixEdge<Int52RepUse>(node->child1());
494                 fixEdge<Int52RepUse>(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
499                 fixDoubleOrBooleanEdge(node->child1());
500                 fixDoubleOrBooleanEdge(node->child2());
501             }
502             if (node->op() != CompareEq
503                 && node->child1()->shouldSpeculateNotCell()
504                 && node->child2()->shouldSpeculateNotCell()) {
505                 if (node->child1()->shouldSpeculateNumberOrBoolean())
506                     fixDoubleOrBooleanEdge(node->child1());
507                 else
508                     fixEdge<DoubleRepUse>(node->child1());
509                 if (node->child2()->shouldSpeculateNumberOrBoolean())
510                     fixDoubleOrBooleanEdge(node->child2());
511                 else
512                     fixEdge<DoubleRepUse>(node->child2());
513                 node->clearFlags(NodeMustGenerate);
514                 break;
515             }
516             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
517                 fixEdge<StringIdentUse>(node->child1());
518                 fixEdge<StringIdentUse>(node->child2());
519                 node->clearFlags(NodeMustGenerate);
520                 break;
521             }
522             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
523                 fixEdge<StringUse>(node->child1());
524                 fixEdge<StringUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528
529             if (node->op() != CompareEq)
530                 break;
531             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
532                 fixEdge<SymbolUse>(node->child1());
533                 fixEdge<SymbolUse>(node->child2());
534                 node->clearFlags(NodeMustGenerate);
535                 break;
536             }
537             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
538                 fixEdge<ObjectUse>(node->child1());
539                 fixEdge<ObjectUse>(node->child2());
540                 node->clearFlags(NodeMustGenerate);
541                 break;
542             }
543
544             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
545             bool oneArgumentIsUsedAsSpecOther = false;
546             if (node->child1()->isUndefinedOrNullConstant()) {
547                 fixEdge<OtherUse>(node->child1());
548                 oneArgumentIsUsedAsSpecOther = true;
549             } else if (node->child1()->shouldSpeculateOther()) {
550                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
551                     Edge(node->child1().node(), OtherUse));
552                 fixEdge<OtherUse>(node->child1());
553                 oneArgumentIsUsedAsSpecOther = true;
554             }
555             if (node->child2()->isUndefinedOrNullConstant()) {
556                 fixEdge<OtherUse>(node->child2());
557                 oneArgumentIsUsedAsSpecOther = true;
558             } else if (node->child2()->shouldSpeculateOther()) {
559                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
560                     Edge(node->child2().node(), OtherUse));
561                 fixEdge<OtherUse>(node->child2());
562                 oneArgumentIsUsedAsSpecOther = true;
563             }
564             if (oneArgumentIsUsedAsSpecOther) {
565                 node->clearFlags(NodeMustGenerate);
566                 break;
567             }
568
569             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
570                 fixEdge<ObjectUse>(node->child1());
571                 fixEdge<ObjectOrOtherUse>(node->child2());
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
576                 fixEdge<ObjectOrOtherUse>(node->child1());
577                 fixEdge<ObjectUse>(node->child2());
578                 node->clearFlags(NodeMustGenerate);
579                 break;
580             }
581
582             break;
583         }
584             
585         case CompareStrictEq: {
586             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
587                 fixEdge<BooleanUse>(node->child1());
588                 fixEdge<BooleanUse>(node->child2());
589                 break;
590             }
591             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
592                 fixEdge<Int32Use>(node->child1());
593                 fixEdge<Int32Use>(node->child2());
594                 break;
595             }
596             if (enableInt52()
597                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
598                 fixEdge<Int52RepUse>(node->child1());
599                 fixEdge<Int52RepUse>(node->child2());
600                 break;
601             }
602             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
603                 fixEdge<DoubleRepUse>(node->child1());
604                 fixEdge<DoubleRepUse>(node->child2());
605                 break;
606             }
607             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
608                 fixEdge<SymbolUse>(node->child1());
609                 fixEdge<SymbolUse>(node->child2());
610                 break;
611             }
612             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
613                 fixEdge<StringIdentUse>(node->child1());
614                 fixEdge<StringIdentUse>(node->child2());
615                 break;
616             }
617             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
618                 fixEdge<StringUse>(node->child1());
619                 fixEdge<StringUse>(node->child2());
620                 break;
621             }
622             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
623             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
624                 
625                 if (node->child1()->shouldSpeculateObject()) {
626                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
627                     fixEdge<ObjectUse>(node->child1());
628                     break;
629                 }
630                 if (node->child2()->shouldSpeculateObject()) {
631                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
632                     fixEdge<ObjectUse>(node->child2());
633                     break;
634                 }
635                 
636             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
637                 fixEdge<ObjectUse>(node->child1());
638                 fixEdge<ObjectUse>(node->child2());
639                 break;
640             }
641             if (node->child1()->shouldSpeculateSymbol()) {
642                 fixEdge<SymbolUse>(node->child1());
643                 break;
644             }
645             if (node->child2()->shouldSpeculateSymbol()) {
646                 fixEdge<SymbolUse>(node->child2());
647                 break;
648             }
649             if (node->child1()->shouldSpeculateMisc()) {
650                 fixEdge<MiscUse>(node->child1());
651                 break;
652             }
653             if (node->child2()->shouldSpeculateMisc()) {
654                 fixEdge<MiscUse>(node->child2());
655                 break;
656             }
657             if (node->child1()->shouldSpeculateStringIdent()
658                 && node->child2()->shouldSpeculateNotStringVar()) {
659                 fixEdge<StringIdentUse>(node->child1());
660                 fixEdge<NotStringVarUse>(node->child2());
661                 break;
662             }
663             if (node->child2()->shouldSpeculateStringIdent()
664                 && node->child1()->shouldSpeculateNotStringVar()) {
665                 fixEdge<StringIdentUse>(node->child2());
666                 fixEdge<NotStringVarUse>(node->child1());
667                 break;
668             }
669             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
670                 fixEdge<StringUse>(node->child1());
671                 break;
672             }
673             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
674                 fixEdge<StringUse>(node->child2());
675                 break;
676             }
677             break;
678         }
679             
680         case StringFromCharCode:
681             if (node->child1()->shouldSpeculateInt32())
682                 fixEdge<Int32Use>(node->child1());
683             else
684                 fixEdge<UntypedUse>(node->child1());
685             break;
686
687         case StringCharAt:
688         case StringCharCodeAt: {
689             // Currently we have no good way of refining these.
690             ASSERT(node->arrayMode() == ArrayMode(Array::String));
691             blessArrayOperation(node->child1(), node->child2(), node->child3());
692             fixEdge<KnownCellUse>(node->child1());
693             fixEdge<Int32Use>(node->child2());
694             break;
695         }
696
697         case GetByVal: {
698             if (!node->prediction()) {
699                 m_insertionSet.insertNode(
700                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
701             }
702             
703             node->setArrayMode(
704                 node->arrayMode().refine(
705                     m_graph, node,
706                     node->child1()->prediction(),
707                     node->child2()->prediction(),
708                     SpecNone));
709             
710             blessArrayOperation(node->child1(), node->child2(), node->child3());
711             
712             ArrayMode arrayMode = node->arrayMode();
713             switch (arrayMode.type()) {
714             case Array::Contiguous:
715             case Array::Double:
716                 if (arrayMode.arrayClass() == Array::OriginalArray
717                     && arrayMode.speculation() == Array::InBounds) {
718                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
719                     if (globalObject->arrayPrototypeChainIsSane()) {
720                         // Check if SaneChain will work on a per-type basis. Note that:
721                         //
722                         // 1) We don't want double arrays to sometimes return undefined, since
723                         // that would require a change to the return type and it would pessimise
724                         // things a lot. So, we'd only want to do that if we actually had
725                         // evidence that we could read from a hole. That's pretty annoying.
726                         // Likely the best way to handle that case is with an equivalent of
727                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
728                         // NaN are indistinguishable according to backwards propagation, and just
729                         // use SaneChain in that case. This happens to catch a lot of cases.
730                         //
731                         // 2) We don't want int32 array loads to have to do a hole check just to
732                         // coerce to Undefined, since that would mean twice the checks.
733                         //
734                         // This has two implications. First, we have to do more checks than we'd
735                         // like. It's unfortunate that we have to do the hole check. Second,
736                         // some accesses that hit a hole will now need to take the full-blown
737                         // out-of-bounds slow path. We can fix that with:
738                         // https://bugs.webkit.org/show_bug.cgi?id=144668
739                         
740                         bool canDoSaneChain = false;
741                         switch (arrayMode.type()) {
742                         case Array::Contiguous:
743                             // This is happens to be entirely natural. We already would have
744                             // returned any JSValue, and now we'll return Undefined. We still do
745                             // the check but it doesn't require taking any kind of slow path.
746                             canDoSaneChain = true;
747                             break;
748                             
749                         case Array::Double:
750                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
751                                 // Holes look like NaN already, so if the user doesn't care
752                                 // about the difference between Undefined and NaN then we can
753                                 // do this.
754                                 canDoSaneChain = true;
755                             }
756                             break;
757                             
758                         default:
759                             break;
760                         }
761                         
762                         if (canDoSaneChain) {
763                             m_graph.watchpoints().addLazily(
764                                 globalObject->arrayPrototype()->structure()->transitionWatchpointSet());
765                             m_graph.watchpoints().addLazily(
766                                 globalObject->objectPrototype()->structure()->transitionWatchpointSet());
767                             if (globalObject->arrayPrototypeChainIsSane())
768                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
769                         }
770                     }
771                 }
772                 break;
773                 
774             case Array::String:
775                 if ((node->prediction() & ~SpecString)
776                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
777                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
778                 break;
779                 
780             default:
781                 break;
782             }
783             
784             arrayMode = node->arrayMode();
785             switch (arrayMode.type()) {
786             case Array::SelectUsingPredictions:
787             case Array::Unprofiled:
788                 RELEASE_ASSERT_NOT_REACHED();
789                 break;
790             case Array::Generic:
791 #if USE(JSVALUE32_64)
792                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
793 #endif
794                 break;
795             case Array::ForceExit:
796                 break;
797             default:
798                 fixEdge<KnownCellUse>(node->child1());
799                 fixEdge<Int32Use>(node->child2());
800                 break;
801             }
802             
803             switch (arrayMode.type()) {
804             case Array::Double:
805                 if (!arrayMode.isOutOfBounds())
806                     node->setResult(NodeResultDouble);
807                 break;
808                 
809             case Array::Float32Array:
810             case Array::Float64Array:
811                 node->setResult(NodeResultDouble);
812                 break;
813                 
814             case Array::Uint32Array:
815                 if (node->shouldSpeculateInt32())
816                     break;
817                 if (node->shouldSpeculateAnyInt() && enableInt52())
818                     node->setResult(NodeResultInt52);
819                 else
820                     node->setResult(NodeResultDouble);
821                 break;
822                 
823             default:
824                 break;
825             }
826             
827             break;
828         }
829
830         case PutByValDirect:
831         case PutByVal:
832         case PutByValAlias: {
833             Edge& child1 = m_graph.varArgChild(node, 0);
834             Edge& child2 = m_graph.varArgChild(node, 1);
835             Edge& child3 = m_graph.varArgChild(node, 2);
836
837             node->setArrayMode(
838                 node->arrayMode().refine(
839                     m_graph, node,
840                     child1->prediction(),
841                     child2->prediction(),
842                     child3->prediction()));
843             
844             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
845             
846             switch (node->arrayMode().modeForPut().type()) {
847             case Array::SelectUsingPredictions:
848             case Array::SelectUsingArguments:
849             case Array::Unprofiled:
850             case Array::Undecided:
851                 RELEASE_ASSERT_NOT_REACHED();
852                 break;
853             case Array::ForceExit:
854             case Array::Generic:
855 #if USE(JSVALUE32_64)
856                 // Due to register pressure on 32-bit, we speculate cell and
857                 // ignore the base-is-not-cell case entirely by letting the
858                 // baseline JIT handle it.
859                 fixEdge<CellUse>(child1);
860 #endif
861                 break;
862             case Array::Int32:
863                 fixEdge<KnownCellUse>(child1);
864                 fixEdge<Int32Use>(child2);
865                 fixEdge<Int32Use>(child3);
866                 break;
867             case Array::Double:
868                 fixEdge<KnownCellUse>(child1);
869                 fixEdge<Int32Use>(child2);
870                 fixEdge<DoubleRepRealUse>(child3);
871                 break;
872             case Array::Int8Array:
873             case Array::Int16Array:
874             case Array::Int32Array:
875             case Array::Uint8Array:
876             case Array::Uint8ClampedArray:
877             case Array::Uint16Array:
878             case Array::Uint32Array:
879                 fixEdge<KnownCellUse>(child1);
880                 fixEdge<Int32Use>(child2);
881                 if (child3->shouldSpeculateInt32())
882                     fixIntOrBooleanEdge(child3);
883                 else if (child3->shouldSpeculateAnyInt())
884                     fixEdge<Int52RepUse>(child3);
885                 else
886                     fixDoubleOrBooleanEdge(child3);
887                 break;
888             case Array::Float32Array:
889             case Array::Float64Array:
890                 fixEdge<KnownCellUse>(child1);
891                 fixEdge<Int32Use>(child2);
892                 fixDoubleOrBooleanEdge(child3);
893                 break;
894             case Array::Contiguous:
895             case Array::ArrayStorage:
896             case Array::SlowPutArrayStorage:
897                 fixEdge<KnownCellUse>(child1);
898                 fixEdge<Int32Use>(child2);
899                 speculateForBarrier(child3);
900                 break;
901             default:
902                 fixEdge<KnownCellUse>(child1);
903                 fixEdge<Int32Use>(child2);
904                 break;
905             }
906             break;
907         }
908             
909         case AtomicsAdd:
910         case AtomicsAnd:
911         case AtomicsCompareExchange:
912         case AtomicsExchange:
913         case AtomicsLoad:
914         case AtomicsOr:
915         case AtomicsStore:
916         case AtomicsSub:
917         case AtomicsXor: {
918             Edge& base = m_graph.child(node, 0);
919             Edge& index = m_graph.child(node, 1);
920             
921             bool badNews = false;
922             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
923                 Edge& child = m_graph.child(node, 2 + i);
924                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
925                 // just call the function when that happens. But the FTL is totally cool with those
926                 // conversions.
927                 if (!child->shouldSpeculateInt32()
928                     && !child->shouldSpeculateAnyInt()
929                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
930                     badNews = true;
931             }
932             
933             if (badNews) {
934                 node->setArrayMode(ArrayMode(Array::Generic));
935                 break;
936             }
937             
938             node->setArrayMode(
939                 node->arrayMode().refine(
940                     m_graph, node, base->prediction(), index->prediction()));
941             
942             if (node->arrayMode().type() == Array::Generic)
943                 break;
944             
945             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
946                 Edge& child = m_graph.child(node, 2 + i);
947                 if (child->shouldSpeculateInt32())
948                     fixIntOrBooleanEdge(child);
949                 else if (child->shouldSpeculateAnyInt())
950                     fixEdge<Int52RepUse>(child);
951                 else {
952                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
953                     fixDoubleOrBooleanEdge(child);
954                 }
955             }
956             
957             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
958             fixEdge<CellUse>(base);
959             fixEdge<Int32Use>(index);
960             
961             if (node->arrayMode().type() == Array::Uint32Array) {
962                 // NOTE: This means basically always doing Int52.
963                 if (node->shouldSpeculateAnyInt() && enableInt52())
964                     node->setResult(NodeResultInt52);
965                 else
966                     node->setResult(NodeResultDouble);
967             }
968             break;
969         }
970             
971         case AtomicsIsLockFree:
972             if (node->child1()->shouldSpeculateInt32())
973                 fixIntOrBooleanEdge(node->child1());
974             break;
975             
976         case ArrayPush: {
977             // May need to refine the array mode in case the value prediction contravenes
978             // the array prediction. For example, we may have evidence showing that the
979             // array is in Int32 mode, but the value we're storing is likely to be a double.
980             // Then we should turn this into a conversion to Double array followed by the
981             // push. On the other hand, we absolutely don't want to refine based on the
982             // base prediction. If it has non-cell garbage in it, then we want that to be
983             // ignored. That's because ArrayPush can't handle any array modes that aren't
984             // array-related - so if refine() turned this into a "Generic" ArrayPush then
985             // that would break things.
986             node->setArrayMode(
987                 node->arrayMode().refine(
988                     m_graph, node,
989                     node->child1()->prediction() & SpecCell,
990                     SpecInt32Only,
991                     node->child2()->prediction()));
992             blessArrayOperation(node->child1(), Edge(), node->child3());
993             fixEdge<KnownCellUse>(node->child1());
994             
995             switch (node->arrayMode().type()) {
996             case Array::Int32:
997                 fixEdge<Int32Use>(node->child2());
998                 break;
999             case Array::Double:
1000                 fixEdge<DoubleRepRealUse>(node->child2());
1001                 break;
1002             case Array::Contiguous:
1003             case Array::ArrayStorage:
1004                 speculateForBarrier(node->child2());
1005                 break;
1006             default:
1007                 break;
1008             }
1009             break;
1010         }
1011             
1012         case ArrayPop: {
1013             blessArrayOperation(node->child1(), Edge(), node->child2());
1014             fixEdge<KnownCellUse>(node->child1());
1015             break;
1016         }
1017
1018         case ArraySlice: {
1019             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1020             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1021             if (node->numChildren() == 4)
1022                 fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1023             break;
1024         }
1025
1026         case ArrayIndexOf:
1027             fixupArrayIndexOf(node);
1028             break;
1029             
1030         case RegExpExec:
1031         case RegExpTest: {
1032             fixEdge<KnownCellUse>(node->child1());
1033             
1034             if (node->child2()->shouldSpeculateRegExpObject()) {
1035                 fixEdge<RegExpObjectUse>(node->child2());
1036
1037                 if (node->child3()->shouldSpeculateString())
1038                     fixEdge<StringUse>(node->child3());
1039             }
1040             break;
1041         }
1042
1043         case StringReplace:
1044         case StringReplaceRegExp: {
1045             if (node->child2()->shouldSpeculateString()) {
1046                 m_insertionSet.insertNode(
1047                     m_indexInBlock, SpecNone, Check, node->origin,
1048                     Edge(node->child2().node(), StringUse));
1049                 fixEdge<StringUse>(node->child2());
1050             } else if (op == StringReplace) {
1051                 if (node->child2()->shouldSpeculateRegExpObject())
1052                     addStringReplacePrimordialChecks(node->child2().node());
1053                 else 
1054                     m_insertionSet.insertNode(
1055                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1056             }
1057
1058             if (node->child1()->shouldSpeculateString()
1059                 && node->child2()->shouldSpeculateRegExpObject()
1060                 && node->child3()->shouldSpeculateString()) {
1061
1062                 fixEdge<StringUse>(node->child1());
1063                 fixEdge<RegExpObjectUse>(node->child2());
1064                 fixEdge<StringUse>(node->child3());
1065                 break;
1066             }
1067             break;
1068         }
1069             
1070         case Branch: {
1071             if (node->child1()->shouldSpeculateBoolean()) {
1072                 if (node->child1()->result() == NodeResultBoolean) {
1073                     // This is necessary in case we have a bytecode instruction implemented by:
1074                     //
1075                     // a: CompareEq(...)
1076                     // b: Branch(@a)
1077                     //
1078                     // In that case, CompareEq might have a side-effect. Then, we need to make
1079                     // sure that we know that Branch does not exit.
1080                     fixEdge<KnownBooleanUse>(node->child1());
1081                 } else
1082                     fixEdge<BooleanUse>(node->child1());
1083             } else if (node->child1()->shouldSpeculateObjectOrOther())
1084                 fixEdge<ObjectOrOtherUse>(node->child1());
1085             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1086                 fixIntOrBooleanEdge(node->child1());
1087             else if (node->child1()->shouldSpeculateNumber())
1088                 fixEdge<DoubleRepUse>(node->child1());
1089             else if (node->child1()->shouldSpeculateString())
1090                 fixEdge<StringUse>(node->child1());
1091             else if (node->child1()->shouldSpeculateStringOrOther())
1092                 fixEdge<StringOrOtherUse>(node->child1());
1093             else {
1094                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1095                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1096                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1097             }
1098             break;
1099         }
1100             
1101         case Switch: {
1102             SwitchData* data = node->switchData();
1103             switch (data->kind) {
1104             case SwitchImm:
1105                 if (node->child1()->shouldSpeculateInt32())
1106                     fixEdge<Int32Use>(node->child1());
1107                 break;
1108             case SwitchChar:
1109                 if (node->child1()->shouldSpeculateString())
1110                     fixEdge<StringUse>(node->child1());
1111                 break;
1112             case SwitchString:
1113                 if (node->child1()->shouldSpeculateStringIdent())
1114                     fixEdge<StringIdentUse>(node->child1());
1115                 else if (node->child1()->shouldSpeculateString())
1116                     fixEdge<StringUse>(node->child1());
1117                 break;
1118             case SwitchCell:
1119                 if (node->child1()->shouldSpeculateCell())
1120                     fixEdge<CellUse>(node->child1());
1121                 // else it's fine for this to have UntypedUse; we will handle this by just making
1122                 // non-cells take the default case.
1123                 break;
1124             }
1125             break;
1126         }
1127             
1128         case ToPrimitive: {
1129             fixupToPrimitive(node);
1130             break;
1131         }
1132
1133         case ToNumber: {
1134             fixupToNumber(node);
1135             break;
1136         }
1137             
1138         case ToString:
1139         case CallStringConstructor: {
1140             fixupToStringOrCallStringConstructor(node);
1141             break;
1142         }
1143             
1144         case NewStringObject: {
1145             fixEdge<KnownStringUse>(node->child1());
1146             break;
1147         }
1148
1149         case NewArrayWithSpread: {
1150             watchHavingABadTime(node);
1151             
1152             BitVector* bitVector = node->bitVector();
1153             for (unsigned i = node->numChildren(); i--;) {
1154                 if (bitVector->get(i))
1155                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1156                 else
1157                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1158             }
1159
1160             break;
1161         }
1162
1163         case Spread: {
1164             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1165             
1166             watchHavingABadTime(node->child1().node());
1167
1168             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1169             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1170             // that it doesn't contain any indexed properties, and that any holes will result in
1171             // jsUndefined().
1172             InlineWatchpointSet& objectPrototypeTransition = globalObject->objectPrototype()->structure()->transitionWatchpointSet();
1173             InlineWatchpointSet& arrayPrototypeTransition = globalObject->arrayPrototype()->structure()->transitionWatchpointSet();
1174             if (node->child1()->shouldSpeculateArray() 
1175                 && arrayPrototypeTransition.isStillValid() 
1176                 && objectPrototypeTransition.isStillValid() 
1177                 && globalObject->arrayPrototypeChainIsSane()
1178                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1179                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1180                 m_graph.watchpoints().addLazily(objectPrototypeTransition);
1181                 m_graph.watchpoints().addLazily(arrayPrototypeTransition);
1182                 fixEdge<ArrayUse>(node->child1());
1183             } else
1184                 fixEdge<CellUse>(node->child1());
1185             break;
1186         }
1187             
1188         case NewArray: {
1189             watchHavingABadTime(node);
1190             
1191             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1192                 node->setIndexingType(
1193                     leastUpperBoundOfIndexingTypeAndType(
1194                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1195             }
1196             switch (node->indexingType()) {
1197             case ALL_BLANK_INDEXING_TYPES:
1198                 CRASH();
1199                 break;
1200             case ALL_UNDECIDED_INDEXING_TYPES:
1201                 if (node->numChildren()) {
1202                     // This will only happen if the children have no type predictions. We
1203                     // would have already exited by now, but insert a forced exit just to
1204                     // be safe.
1205                     m_insertionSet.insertNode(
1206                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1207                 }
1208                 break;
1209             case ALL_INT32_INDEXING_TYPES:
1210                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1211                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1212                 break;
1213             case ALL_DOUBLE_INDEXING_TYPES:
1214                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1215                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1216                 break;
1217             case ALL_CONTIGUOUS_INDEXING_TYPES:
1218             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1219                 break;
1220             default:
1221                 CRASH();
1222                 break;
1223             }
1224             break;
1225         }
1226             
1227         case NewTypedArray: {
1228             watchHavingABadTime(node);
1229             
1230             if (node->child1()->shouldSpeculateInt32()) {
1231                 fixEdge<Int32Use>(node->child1());
1232                 node->clearFlags(NodeMustGenerate);
1233                 break;
1234             }
1235             break;
1236         }
1237             
1238         case NewArrayWithSize: {
1239             watchHavingABadTime(node);
1240             fixEdge<Int32Use>(node->child1());
1241             break;
1242         }
1243
1244         case NewArrayBuffer: {
1245             watchHavingABadTime(node);
1246             break;
1247         }
1248
1249         case CallObjectConstructor: {
1250             if (node->child1()->shouldSpeculateObject()) {
1251                 fixEdge<ObjectUse>(node->child1());
1252                 node->convertToIdentity();
1253                 break;
1254             }
1255
1256             fixEdge<UntypedUse>(node->child1());
1257             break;
1258         }
1259
1260         case ToThis: {
1261             fixupToThis(node);
1262             break;
1263         }
1264             
1265         case PutStructure: {
1266             fixEdge<KnownCellUse>(node->child1());
1267             break;
1268         }
1269             
1270         case GetClosureVar:
1271         case GetFromArguments: {
1272             fixEdge<KnownCellUse>(node->child1());
1273             break;
1274         }
1275
1276         case PutClosureVar:
1277         case PutToArguments: {
1278             fixEdge<KnownCellUse>(node->child1());
1279             speculateForBarrier(node->child2());
1280             break;
1281         }
1282
1283         case SkipScope:
1284         case GetScope:
1285         case GetGetter:
1286         case GetSetter:
1287         case GetGlobalObject: {
1288             fixEdge<KnownCellUse>(node->child1());
1289             break;
1290         }
1291             
1292         case AllocatePropertyStorage:
1293         case ReallocatePropertyStorage: {
1294             fixEdge<KnownCellUse>(node->child1());
1295             break;
1296         }
1297             
1298         case NukeStructureAndSetButterfly: {
1299             fixEdge<KnownCellUse>(node->child1());
1300             break;
1301         }
1302
1303         case TryGetById: {
1304             if (node->child1()->shouldSpeculateCell())
1305                 fixEdge<CellUse>(node->child1());
1306             break;
1307         }
1308
1309         case GetById:
1310         case GetByIdFlush: {
1311             // FIXME: This should be done in the ByteCodeParser based on reading the
1312             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1313             // https://bugs.webkit.org/show_bug.cgi?id=154990
1314             auto uid = m_graph.identifiers()[node->identifierNumber()];
1315             if (node->child1()->shouldSpeculateCellOrOther()
1316                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1317                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1318                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1319                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1320                 
1321                 if (uid == vm().propertyNames->length.impl()) {
1322                     attemptToMakeGetArrayLength(node);
1323                     break;
1324                 }
1325
1326                 if (uid == vm().propertyNames->lastIndex.impl()
1327                     && node->child1()->shouldSpeculateRegExpObject()) {
1328                     node->setOp(GetRegExpObjectLastIndex);
1329                     node->clearFlags(NodeMustGenerate);
1330                     fixEdge<RegExpObjectUse>(node->child1());
1331                     break;
1332                 }
1333             }
1334
1335             if (node->child1()->shouldSpeculateNumber()) {
1336                 if (uid == vm().propertyNames->toString.impl()) {
1337                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1338                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1339                         if (node->child1()->shouldSpeculateInt32()) {
1340                             insertCheck<Int32Use>(node->child1().node());
1341                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1342                             break;
1343                         }
1344
1345                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1346                             insertCheck<Int52RepUse>(node->child1().node());
1347                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1348                             break;
1349                         }
1350
1351                         ASSERT(node->child1()->shouldSpeculateNumber());
1352                         insertCheck<DoubleRepUse>(node->child1().node());
1353                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1354                         break;
1355                     }
1356                 }
1357             }
1358
1359             if (node->child1()->shouldSpeculateCell())
1360                 fixEdge<CellUse>(node->child1());
1361             break;
1362         }
1363         
1364         case GetByIdWithThis: {
1365             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1366                 fixEdge<CellUse>(node->child1());
1367                 fixEdge<CellUse>(node->child2());
1368             }
1369             break;
1370         }
1371
1372         case PutById:
1373         case PutByIdFlush:
1374         case PutByIdDirect: {
1375             if (node->child1()->shouldSpeculateCellOrOther()
1376                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1377                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1378                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1379                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1380                 
1381                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1382                 
1383                 if (uid == vm().propertyNames->lastIndex.impl()
1384                     && node->child1()->shouldSpeculateRegExpObject()) {
1385                     node->setOp(SetRegExpObjectLastIndex);
1386                     fixEdge<RegExpObjectUse>(node->child1());
1387                     speculateForBarrier(node->child2());
1388                     break;
1389                 }
1390             }
1391             
1392             fixEdge<CellUse>(node->child1());
1393             break;
1394         }
1395
1396         case PutGetterById:
1397         case PutSetterById: {
1398             fixEdge<KnownCellUse>(node->child1());
1399             fixEdge<KnownCellUse>(node->child2());
1400             break;
1401         }
1402
1403         case PutGetterSetterById: {
1404             fixEdge<KnownCellUse>(node->child1());
1405             break;
1406         }
1407
1408         case PutGetterByVal:
1409         case PutSetterByVal: {
1410             fixEdge<KnownCellUse>(node->child1());
1411             fixEdge<KnownCellUse>(node->child3());
1412             break;
1413         }
1414
1415         case GetExecutable: {
1416             fixEdge<FunctionUse>(node->child1());
1417             break;
1418         }
1419
1420         case OverridesHasInstance:
1421         case CheckStructure:
1422         case CheckCell:
1423         case CreateThis:
1424         case GetButterfly:
1425         case GetButterflyWithoutCaging: {
1426             fixEdge<CellUse>(node->child1());
1427             break;
1428         }
1429
1430         case CheckStringIdent: {
1431             fixEdge<StringIdentUse>(node->child1());
1432             break;
1433         }
1434             
1435         case Arrayify:
1436         case ArrayifyToStructure: {
1437             fixEdge<CellUse>(node->child1());
1438             if (node->child2())
1439                 fixEdge<Int32Use>(node->child2());
1440             break;
1441         }
1442             
1443         case GetByOffset:
1444         case GetGetterSetterByOffset: {
1445             if (!node->child1()->hasStorageResult())
1446                 fixEdge<KnownCellUse>(node->child1());
1447             fixEdge<KnownCellUse>(node->child2());
1448             break;
1449         }
1450             
1451         case MultiGetByOffset: {
1452             fixEdge<CellUse>(node->child1());
1453             break;
1454         }
1455             
1456         case PutByOffset: {
1457             if (!node->child1()->hasStorageResult())
1458                 fixEdge<KnownCellUse>(node->child1());
1459             fixEdge<KnownCellUse>(node->child2());
1460             unsigned index = indexForChecks();
1461             insertInferredTypeCheck(
1462                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1463                 node->storageAccessData().inferredType);
1464             speculateForBarrier(node->child3());
1465             break;
1466         }
1467             
1468         case MultiPutByOffset: {
1469             fixEdge<CellUse>(node->child1());
1470             break;
1471         }
1472             
1473         case InstanceOf: {
1474             if (!(node->child1()->prediction() & ~SpecCell))
1475                 fixEdge<CellUse>(node->child1());
1476             fixEdge<CellUse>(node->child2());
1477             break;
1478         }
1479
1480         case InstanceOfCustom:
1481             fixEdge<CellUse>(node->child2());
1482             break;
1483
1484         case In: {
1485             if (node->child2()->shouldSpeculateInt32()) {
1486                 convertToHasIndexedProperty(node);
1487                 break;
1488             }
1489
1490             fixEdge<CellUse>(node->child1());
1491             break;
1492         }
1493
1494         case HasOwnProperty: {
1495             fixEdge<ObjectUse>(node->child1());
1496 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1497             // We don't have enough registers to do anything interesting on x86 and mips.
1498             fixEdge<UntypedUse>(node->child2());
1499 #else
1500             if (node->child2()->shouldSpeculateString())
1501                 fixEdge<StringUse>(node->child2());
1502             else if (node->child2()->shouldSpeculateSymbol())
1503                 fixEdge<SymbolUse>(node->child2());
1504             else
1505                 fixEdge<UntypedUse>(node->child2());
1506 #endif
1507             break;
1508         }
1509
1510         case Check: {
1511             m_graph.doToChildren(
1512                 node,
1513                 [&] (Edge& edge) {
1514                     switch (edge.useKind()) {
1515                     case NumberUse:
1516                         if (edge->shouldSpeculateInt32ForArithmetic())
1517                             edge.setUseKind(Int32Use);
1518                         break;
1519                     default:
1520                         break;
1521                     }
1522                     observeUseKindOnEdge(edge);
1523                 });
1524             break;
1525         }
1526
1527         case Phantom:
1528             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1529             node->remove();
1530             break;
1531
1532         case FiatInt52: {
1533             RELEASE_ASSERT(enableInt52());
1534             node->convertToIdentity();
1535             fixEdge<Int52RepUse>(node->child1());
1536             node->setResult(NodeResultInt52);
1537             break;
1538         }
1539
1540         case GetArrayLength: {
1541             fixEdge<KnownCellUse>(node->child1());
1542             break;
1543         }
1544
1545         case GetTypedArrayByteOffset: {
1546             fixEdge<KnownCellUse>(node->child1());
1547             break;
1548         }
1549
1550         case Phi:
1551         case Upsilon:
1552         case EntrySwitch:
1553         case GetIndexedPropertyStorage:
1554         case LastNodeType:
1555         case CheckTierUpInLoop:
1556         case CheckTierUpAtReturn:
1557         case CheckTierUpAndOSREnter:
1558         case InvalidationPoint:
1559         case CheckArray:
1560         case CheckInBounds:
1561         case ConstantStoragePointer:
1562         case DoubleAsInt32:
1563         case ValueToInt32:
1564         case DoubleRep:
1565         case ValueRep:
1566         case Int52Rep:
1567         case Int52Constant:
1568         case Identity: // This should have been cleaned up.
1569         case BooleanToNumber:
1570         case PhantomNewObject:
1571         case PhantomNewFunction:
1572         case PhantomNewGeneratorFunction:
1573         case PhantomNewAsyncGeneratorFunction:
1574         case PhantomNewAsyncFunction:
1575         case PhantomCreateActivation:
1576         case PhantomDirectArguments:
1577         case PhantomCreateRest:
1578         case PhantomSpread:
1579         case PhantomNewArrayWithSpread:
1580         case PhantomClonedArguments:
1581         case GetMyArgumentByVal:
1582         case GetMyArgumentByValOutOfBounds:
1583         case GetVectorLength:
1584         case PutHint:
1585         case CheckStructureImmediate:
1586         case CheckStructureOrEmpty:
1587         case MaterializeNewObject:
1588         case MaterializeCreateActivation:
1589         case PutStack:
1590         case KillStack:
1591         case GetStack:
1592         case StoreBarrier:
1593         case FencedStoreBarrier:
1594         case GetRegExpObjectLastIndex:
1595         case SetRegExpObjectLastIndex:
1596         case RecordRegExpCachedResult:
1597             // These are just nodes that we don't currently expect to see during fixup.
1598             // If we ever wanted to insert them prior to fixup, then we just have to create
1599             // fixup rules for them.
1600             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1601             break;
1602
1603         case PutGlobalVariable: {
1604             fixEdge<CellUse>(node->child1());
1605             speculateForBarrier(node->child2());
1606             break;
1607         }
1608
1609         case IsObject:
1610             if (node->child1()->shouldSpeculateObject()) {
1611                 m_insertionSet.insertNode(
1612                     m_indexInBlock, SpecNone, Check, node->origin,
1613                     Edge(node->child1().node(), ObjectUse));
1614                 m_graph.convertToConstant(node, jsBoolean(true));
1615                 observeUseKindOnNode<ObjectUse>(node);
1616             }
1617             break;
1618
1619         case IsCellWithType: {
1620             fixupIsCellWithType(node);
1621             break;
1622         }
1623
1624         case GetEnumerableLength: {
1625             fixEdge<CellUse>(node->child1());
1626             break;
1627         }
1628         case HasGenericProperty: {
1629             fixEdge<CellUse>(node->child2());
1630             break;
1631         }
1632         case HasStructureProperty: {
1633             fixEdge<StringUse>(node->child2());
1634             fixEdge<KnownCellUse>(node->child3());
1635             break;
1636         }
1637         case HasIndexedProperty: {
1638             node->setArrayMode(
1639                 node->arrayMode().refine(
1640                     m_graph, node,
1641                     node->child1()->prediction(),
1642                     node->child2()->prediction(),
1643                     SpecNone));
1644             
1645             blessArrayOperation(node->child1(), node->child2(), node->child3());
1646             fixEdge<CellUse>(node->child1());
1647             fixEdge<KnownInt32Use>(node->child2());
1648             break;
1649         }
1650         case GetDirectPname: {
1651             Edge& base = m_graph.varArgChild(node, 0);
1652             Edge& property = m_graph.varArgChild(node, 1);
1653             Edge& index = m_graph.varArgChild(node, 2);
1654             Edge& enumerator = m_graph.varArgChild(node, 3);
1655             fixEdge<CellUse>(base);
1656             fixEdge<KnownCellUse>(property);
1657             fixEdge<KnownInt32Use>(index);
1658             fixEdge<KnownCellUse>(enumerator);
1659             break;
1660         }
1661         case GetPropertyEnumerator: {
1662             fixEdge<CellUse>(node->child1());
1663             break;
1664         }
1665         case GetEnumeratorStructurePname: {
1666             fixEdge<KnownCellUse>(node->child1());
1667             fixEdge<KnownInt32Use>(node->child2());
1668             break;
1669         }
1670         case GetEnumeratorGenericPname: {
1671             fixEdge<KnownCellUse>(node->child1());
1672             fixEdge<KnownInt32Use>(node->child2());
1673             break;
1674         }
1675         case ToIndexString: {
1676             fixEdge<KnownInt32Use>(node->child1());
1677             break;
1678         }
1679         case ProfileType: {
1680             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1681             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1682             // type T for the instructionTypeSet, the global type set must also have information for type T.
1683             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1684             // in the globalTypeSet would've also succeeded.
1685             // (The other direction does not hold in general).
1686
1687             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1688             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1689             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1690                 if (node->child1()->shouldSpeculateInt32()) {
1691                     fixEdge<Int32Use>(node->child1());
1692                     node->remove();
1693                     break;
1694                 }
1695
1696                 if (enableInt52()) {
1697                     fixEdge<AnyIntUse>(node->child1());
1698                     node->remove();
1699                     break;
1700                 }
1701
1702                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1703             }
1704
1705             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1706                 fixEdge<NumberUse>(node->child1());
1707                 node->remove();
1708             } else if (typeSet->doesTypeConformTo(TypeString)) {
1709                 fixEdge<StringUse>(node->child1());
1710                 node->remove();
1711             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1712                 fixEdge<BooleanUse>(node->child1());
1713                 node->remove();
1714             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1715                 fixEdge<OtherUse>(node->child1());
1716                 node->remove();
1717             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1718                 StructureSet set;
1719                 {
1720                     ConcurrentJSLocker locker(typeSet->m_lock);
1721                     set = typeSet->structureSet(locker);
1722                 }
1723                 if (!set.isEmpty()) {
1724                     fixEdge<CellUse>(node->child1());
1725                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1726                 }
1727             }
1728
1729             break;
1730         }
1731
1732         case CreateClonedArguments: {
1733             watchHavingABadTime(node);
1734             break;
1735         }
1736
1737         case CreateScopedArguments:
1738         case CreateActivation:
1739         case NewFunction:
1740         case NewGeneratorFunction:
1741         case NewAsyncGeneratorFunction:
1742         case NewAsyncFunction: {
1743             // Child 1 is always the current scope, which is guaranteed to be an object
1744             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1745             fixEdge<KnownCellUse>(node->child1());
1746             break;
1747         }
1748
1749         case PushWithScope: {
1750             // Child 1 is always the current scope, which is guaranteed to be an object
1751             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1752             fixEdge<KnownCellUse>(node->child1());
1753             if (node->child2()->shouldSpeculateObject())
1754                 fixEdge<ObjectUse>(node->child2());
1755             break;
1756         }
1757
1758         case SetFunctionName: {
1759             // The first child is guaranteed to be a cell because op_set_function_name is only used
1760             // on a newly instantiated function object (the first child).
1761             fixEdge<KnownCellUse>(node->child1());
1762             fixEdge<UntypedUse>(node->child2());
1763             break;
1764         }
1765
1766         case CreateRest: {
1767             watchHavingABadTime(node);
1768             fixEdge<KnownInt32Use>(node->child1());
1769             break;
1770         }
1771
1772         case ResolveScopeForHoistingFuncDeclInEval: {
1773             fixEdge<KnownCellUse>(node->child1());
1774             break;
1775         }
1776         case ResolveScope:
1777         case GetDynamicVar:
1778         case PutDynamicVar: {
1779             fixEdge<KnownCellUse>(node->child1());
1780             break;
1781         }
1782
1783         case LogShadowChickenPrologue: {
1784             fixEdge<KnownCellUse>(node->child1());
1785             break;
1786         }
1787         case LogShadowChickenTail: {
1788             fixEdge<UntypedUse>(node->child1());
1789             fixEdge<KnownCellUse>(node->child2());
1790             break;
1791         }
1792
1793         case GetMapBucket:
1794             if (node->child1().useKind() == MapObjectUse)
1795                 fixEdge<MapObjectUse>(node->child1());
1796             else if (node->child1().useKind() == SetObjectUse)
1797                 fixEdge<SetObjectUse>(node->child1());
1798             else
1799                 RELEASE_ASSERT_NOT_REACHED();
1800
1801 #if USE(JSVALUE64)
1802             if (node->child2()->shouldSpeculateBoolean())
1803                 fixEdge<BooleanUse>(node->child2());
1804             else if (node->child2()->shouldSpeculateInt32())
1805                 fixEdge<Int32Use>(node->child2());
1806             else if (node->child2()->shouldSpeculateSymbol())
1807                 fixEdge<SymbolUse>(node->child2());
1808             else if (node->child2()->shouldSpeculateObject())
1809                 fixEdge<ObjectUse>(node->child2());
1810             else if (node->child2()->shouldSpeculateString())
1811                 fixEdge<StringUse>(node->child2());
1812             else if (node->child2()->shouldSpeculateCell())
1813                 fixEdge<CellUse>(node->child2());
1814             else
1815                 fixEdge<UntypedUse>(node->child2());
1816 #else
1817             fixEdge<UntypedUse>(node->child2());
1818 #endif // USE(JSVALUE64)
1819
1820             fixEdge<Int32Use>(node->child3());
1821             break;
1822
1823         case GetMapBucketHead:
1824             if (node->child1().useKind() == MapObjectUse)
1825                 fixEdge<MapObjectUse>(node->child1());
1826             else if (node->child1().useKind() == SetObjectUse)
1827                 fixEdge<SetObjectUse>(node->child1());
1828             else
1829                 RELEASE_ASSERT_NOT_REACHED();
1830             break;
1831
1832         case GetMapBucketNext:
1833         case LoadKeyFromMapBucket:
1834         case LoadValueFromMapBucket:
1835             fixEdge<CellUse>(node->child1());
1836             break;
1837
1838         case MapHash: {
1839 #if USE(JSVALUE64)
1840             if (node->child1()->shouldSpeculateBoolean()) {
1841                 fixEdge<BooleanUse>(node->child1());
1842                 break;
1843             }
1844
1845             if (node->child1()->shouldSpeculateInt32()) {
1846                 fixEdge<Int32Use>(node->child1());
1847                 break;
1848             }
1849
1850             if (node->child1()->shouldSpeculateSymbol()) {
1851                 fixEdge<SymbolUse>(node->child1());
1852                 break;
1853             }
1854
1855             if (node->child1()->shouldSpeculateObject()) {
1856                 fixEdge<ObjectUse>(node->child1());
1857                 break;
1858             }
1859
1860             if (node->child1()->shouldSpeculateString()) {
1861                 fixEdge<StringUse>(node->child1());
1862                 break;
1863             }
1864
1865             if (node->child1()->shouldSpeculateCell()) {
1866                 fixEdge<CellUse>(node->child1());
1867                 break;
1868             }
1869
1870             fixEdge<UntypedUse>(node->child1());
1871 #else
1872             fixEdge<UntypedUse>(node->child1());
1873 #endif // USE(JSVALUE64)
1874             break;
1875         }
1876
1877         case DefineDataProperty: {
1878             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1879             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1880             if (propertyEdge->shouldSpeculateSymbol())
1881                 fixEdge<SymbolUse>(propertyEdge);
1882             else if (propertyEdge->shouldSpeculateStringIdent())
1883                 fixEdge<StringIdentUse>(propertyEdge);
1884             else if (propertyEdge->shouldSpeculateString())
1885                 fixEdge<StringUse>(propertyEdge);
1886             else
1887                 fixEdge<UntypedUse>(propertyEdge);
1888             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1889             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1890             break;
1891         }
1892
1893         case ToLowerCase: {
1894             // We currently only support StringUse since that will ensure that
1895             // ToLowerCase is a pure operation. If we decide to update this with
1896             // more types in the future, we need to ensure that the clobberize rules
1897             // are correct.
1898             fixEdge<StringUse>(node->child1());
1899             break;
1900         }
1901
1902         case NumberToStringWithRadix: {
1903             if (node->child1()->shouldSpeculateInt32())
1904                 fixEdge<Int32Use>(node->child1());
1905             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
1906                 fixEdge<Int52RepUse>(node->child1());
1907             else
1908                 fixEdge<DoubleRepUse>(node->child1());
1909             fixEdge<Int32Use>(node->child2());
1910             break;
1911         }
1912
1913         case DefineAccessorProperty: {
1914             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1915             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1916             if (propertyEdge->shouldSpeculateSymbol())
1917                 fixEdge<SymbolUse>(propertyEdge);
1918             else if (propertyEdge->shouldSpeculateStringIdent())
1919                 fixEdge<StringIdentUse>(propertyEdge);
1920             else if (propertyEdge->shouldSpeculateString())
1921                 fixEdge<StringUse>(propertyEdge);
1922             else
1923                 fixEdge<UntypedUse>(propertyEdge);
1924             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
1925             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
1926             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
1927             break;
1928         }
1929
1930         case CheckSubClass: {
1931             fixupCheckSubClass(node);
1932             break;
1933         }
1934
1935         case CallDOMGetter: {
1936             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
1937             fixEdge<CellUse>(node->child1()); // DOM.
1938             if (snippet && snippet->requireGlobalObject)
1939                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
1940             break;
1941         }
1942
1943         case CallDOM: {
1944             fixupCallDOM(node);
1945             break;
1946         }
1947
1948         case Call: {
1949             attemptToMakeCallDOM(node);
1950             break;
1951         }
1952
1953         case ParseInt: {
1954             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
1955                 fixEdge<Int32Use>(node->child1());
1956                 node->convertToIdentity();
1957                 break;
1958             }
1959
1960             if (node->child1()->shouldSpeculateString()) {
1961                 fixEdge<StringUse>(node->child1());
1962                 node->clearFlags(NodeMustGenerate);
1963             }
1964
1965             if (node->child2())
1966                 fixEdge<Int32Use>(node->child2());
1967
1968             break;
1969         }
1970
1971         case IdentityWithProfile: {
1972             node->clearFlags(NodeMustGenerate);
1973             break;
1974         }
1975
1976         case ThrowStaticError:
1977             fixEdge<StringUse>(node->child1());
1978             break;
1979
1980 #if !ASSERT_DISABLED
1981         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
1982         case SetArgument:
1983         case JSConstant:
1984         case LazyJSConstant:
1985         case DoubleConstant:
1986         case GetLocal:
1987         case GetCallee:
1988         case GetArgumentCountIncludingThis:
1989         case GetRestLength:
1990         case GetArgument:
1991         case Flush:
1992         case PhantomLocal:
1993         case GetLocalUnlinked:
1994         case GetGlobalVar:
1995         case GetGlobalLexicalVariable:
1996         case NotifyWrite:
1997         case DirectCall:
1998         case CheckTypeInfoFlags:
1999         case TailCallInlinedCaller:
2000         case DirectTailCallInlinedCaller:
2001         case Construct:
2002         case DirectConstruct:
2003         case CallVarargs:
2004         case CallEval:
2005         case TailCallVarargsInlinedCaller:
2006         case ConstructVarargs:
2007         case CallForwardVarargs:
2008         case ConstructForwardVarargs:
2009         case TailCallForwardVarargs:
2010         case TailCallForwardVarargsInlinedCaller:
2011         case LoadVarargs:
2012         case ForwardVarargs:
2013         case ProfileControlFlow:
2014         case NewObject:
2015         case NewRegexp:
2016         case DeleteById:
2017         case DeleteByVal:
2018         case IsTypedArrayView:
2019         case IsEmpty:
2020         case IsUndefined:
2021         case IsBoolean:
2022         case IsNumber:
2023         case IsObjectOrNull:
2024         case IsFunction:
2025         case CreateDirectArguments:
2026         case Jump:
2027         case Return:
2028         case TailCall:
2029         case DirectTailCall:
2030         case TailCallVarargs:
2031         case Throw:
2032         case CountExecution:
2033         case ForceOSRExit:
2034         case CheckBadCell:
2035         case CheckNotEmpty:
2036         case CheckTraps:
2037         case Unreachable:
2038         case ExtractOSREntryLocal:
2039         case ExtractCatchLocal:
2040         case LoopHint:
2041         case MovHint:
2042         case InitializeEntrypointArguments:
2043         case ZombieHint:
2044         case ExitOK:
2045         case BottomValue:
2046         case TypeOf:
2047         case PutByIdWithThis:
2048         case PutByValWithThis:
2049         case GetByValWithThis:
2050         case CompareEqPtr:
2051         case NumberToStringWithValidRadixConstant:
2052             break;
2053 #else
2054         default:
2055             break;
2056 #endif
2057         }
2058     }
2059
2060     void watchHavingABadTime(Node* node)
2061     {
2062         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2063
2064         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2065         // does an array allocation. The types of array allocations may change if we start to have a bad
2066         // time. It's easier to reason about this if we know that whenever the types change after we start
2067         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2068         // prior to this point nobody should have been doing optimizations based on the indexing type of
2069         // the allocation.
2070         if (!globalObject->isHavingABadTime()) {
2071             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2072             m_graph.freeze(globalObject);
2073         }
2074     }
2075     
2076     template<UseKind useKind>
2077     void createToString(Node* node, Edge& edge)
2078     {
2079         Node* toString = m_insertionSet.insertNode(
2080             m_indexInBlock, SpecString, ToString, node->origin,
2081             Edge(edge.node(), useKind));
2082         switch (useKind) {
2083         case Int32Use:
2084         case Int52RepUse:
2085         case DoubleRepUse:
2086         case NotCellUse:
2087             toString->clearFlags(NodeMustGenerate);
2088             break;
2089         default:
2090             break;
2091         }
2092         edge.setNode(toString);
2093     }
2094     
2095     template<UseKind useKind>
2096     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2097     {
2098         ASSERT(arrayMode == ArrayMode(Array::Generic));
2099         
2100         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2101             return;
2102         
2103         createToString<useKind>(node, node->child1());
2104         arrayMode = ArrayMode(Array::String);
2105     }
2106     
2107     template<UseKind useKind>
2108     bool isStringObjectUse()
2109     {
2110         switch (useKind) {
2111         case StringObjectUse:
2112         case StringOrStringObjectUse:
2113             return true;
2114         default:
2115             return false;
2116         }
2117     }
2118     
2119     template<UseKind useKind>
2120     void convertStringAddUse(Node* node, Edge& edge)
2121     {
2122         if (useKind == StringUse) {
2123             observeUseKindOnNode<StringUse>(edge.node());
2124             m_insertionSet.insertNode(
2125                 m_indexInBlock, SpecNone, Check, node->origin,
2126                 Edge(edge.node(), StringUse));
2127             edge.setUseKind(KnownStringUse);
2128             return;
2129         }
2130         
2131         observeUseKindOnNode<useKind>(edge.node());
2132         createToString<useKind>(node, edge);
2133     }
2134     
2135     void convertToMakeRope(Node* node)
2136     {
2137         node->setOpAndDefaultFlags(MakeRope);
2138         fixupMakeRope(node);
2139     }
2140     
2141     void fixupMakeRope(Node* node)
2142     {
2143         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2144             Edge& edge = node->children.child(i);
2145             if (!edge)
2146                 break;
2147             edge.setUseKind(KnownStringUse);
2148             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2149             if (!string)
2150                 continue;
2151             if (string->length())
2152                 continue;
2153             
2154             // Don't allow the MakeRope to have zero children.
2155             if (!i && !node->child2())
2156                 break;
2157             
2158             node->children.removeEdge(i--);
2159         }
2160         
2161         if (!node->child2()) {
2162             ASSERT(!node->child3());
2163             node->convertToIdentity();
2164         }
2165     }
2166
2167     void fixupIsCellWithType(Node* node)
2168     {
2169         switch (node->speculatedTypeForQuery()) {
2170         case SpecString:
2171             if (node->child1()->shouldSpeculateString()) {
2172                 m_insertionSet.insertNode(
2173                     m_indexInBlock, SpecNone, Check, node->origin,
2174                     Edge(node->child1().node(), StringUse));
2175                 m_graph.convertToConstant(node, jsBoolean(true));
2176                 observeUseKindOnNode<StringUse>(node);
2177                 return;
2178             }
2179             break;
2180
2181         case SpecProxyObject:
2182             if (node->child1()->shouldSpeculateProxyObject()) {
2183                 m_insertionSet.insertNode(
2184                     m_indexInBlock, SpecNone, Check, node->origin,
2185                     Edge(node->child1().node(), ProxyObjectUse));
2186                 m_graph.convertToConstant(node, jsBoolean(true));
2187                 observeUseKindOnNode<ProxyObjectUse>(node);
2188                 return;
2189             }
2190             break;
2191
2192         case SpecRegExpObject:
2193             if (node->child1()->shouldSpeculateRegExpObject()) {
2194                 m_insertionSet.insertNode(
2195                     m_indexInBlock, SpecNone, Check, node->origin,
2196                     Edge(node->child1().node(), RegExpObjectUse));
2197                 m_graph.convertToConstant(node, jsBoolean(true));
2198                 observeUseKindOnNode<RegExpObjectUse>(node);
2199                 return;
2200             }
2201             break;
2202
2203         case SpecArray:
2204             if (node->child1()->shouldSpeculateArray()) {
2205                 m_insertionSet.insertNode(
2206                     m_indexInBlock, SpecNone, Check, node->origin,
2207                     Edge(node->child1().node(), ArrayUse));
2208                 m_graph.convertToConstant(node, jsBoolean(true));
2209                 observeUseKindOnNode<ArrayUse>(node);
2210                 return;
2211             }
2212             break;
2213
2214         case SpecDerivedArray:
2215             if (node->child1()->shouldSpeculateDerivedArray()) {
2216                 m_insertionSet.insertNode(
2217                     m_indexInBlock, SpecNone, Check, node->origin,
2218                     Edge(node->child1().node(), DerivedArrayUse));
2219                 m_graph.convertToConstant(node, jsBoolean(true));
2220                 observeUseKindOnNode<DerivedArrayUse>(node);
2221                 return;
2222             }
2223             break;
2224         }
2225
2226         if (node->child1()->shouldSpeculateCell()) {
2227             fixEdge<CellUse>(node->child1());
2228             return;
2229         }
2230
2231         if (node->child1()->shouldSpeculateNotCell()) {
2232             m_insertionSet.insertNode(
2233                 m_indexInBlock, SpecNone, Check, node->origin,
2234                 Edge(node->child1().node(), NotCellUse));
2235             m_graph.convertToConstant(node, jsBoolean(false));
2236             observeUseKindOnNode<NotCellUse>(node);
2237             return;
2238         }
2239     }
2240
2241     void fixupToThis(Node* node)
2242     {
2243         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2244
2245         if (ecmaMode == StrictMode) {
2246             if (node->child1()->shouldSpeculateBoolean()) {
2247                 fixEdge<BooleanUse>(node->child1());
2248                 node->convertToIdentity();
2249                 return;
2250             }
2251
2252             if (node->child1()->shouldSpeculateInt32()) {
2253                 fixEdge<Int32Use>(node->child1());
2254                 node->convertToIdentity();
2255                 return;
2256             }
2257
2258             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2259                 fixEdge<Int52RepUse>(node->child1());
2260                 node->convertToIdentity();
2261                 node->setResult(NodeResultInt52);
2262                 return;
2263             }
2264
2265             if (node->child1()->shouldSpeculateNumber()) {
2266                 fixEdge<DoubleRepUse>(node->child1());
2267                 node->convertToIdentity();
2268                 node->setResult(NodeResultDouble);
2269                 return;
2270             }
2271
2272             if (node->child1()->shouldSpeculateSymbol()) {
2273                 fixEdge<SymbolUse>(node->child1());
2274                 node->convertToIdentity();
2275                 return;
2276             }
2277
2278             if (node->child1()->shouldSpeculateStringIdent()) {
2279                 fixEdge<StringIdentUse>(node->child1());
2280                 node->convertToIdentity();
2281                 return;
2282             }
2283
2284             if (node->child1()->shouldSpeculateString()) {
2285                 fixEdge<StringUse>(node->child1());
2286                 node->convertToIdentity();
2287                 return;
2288             }
2289         }
2290
2291         if (node->child1()->shouldSpeculateOther()) {
2292             if (ecmaMode == StrictMode) {
2293                 fixEdge<OtherUse>(node->child1());
2294                 node->convertToIdentity();
2295                 return;
2296             }
2297
2298             m_insertionSet.insertNode(
2299                 m_indexInBlock, SpecNone, Check, node->origin,
2300                 Edge(node->child1().node(), OtherUse));
2301             observeUseKindOnNode<OtherUse>(node->child1().node());
2302             m_graph.convertToConstant(
2303                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2304             return;
2305         }
2306
2307         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2308         // however, since we cover all the missing cases in constant folding.
2309         // https://bugs.webkit.org/show_bug.cgi?id=157213
2310         if (node->child1()->shouldSpeculateStringObject()) {
2311             fixEdge<StringObjectUse>(node->child1());
2312             node->convertToIdentity();
2313             return;
2314         }
2315
2316         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2317             fixEdge<FinalObjectUse>(node->child1());
2318             node->convertToIdentity();
2319             return;
2320         }
2321     }
2322     
2323     void fixupToPrimitive(Node* node)
2324     {
2325         if (node->child1()->shouldSpeculateInt32()) {
2326             fixEdge<Int32Use>(node->child1());
2327             node->convertToIdentity();
2328             return;
2329         }
2330         
2331         if (node->child1()->shouldSpeculateString()) {
2332             fixEdge<StringUse>(node->child1());
2333             node->convertToIdentity();
2334             return;
2335         }
2336         
2337         if (node->child1()->shouldSpeculateStringObject()
2338             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2339             fixEdge<StringObjectUse>(node->child1());
2340             node->convertToToString();
2341             return;
2342         }
2343         
2344         if (node->child1()->shouldSpeculateStringOrStringObject()
2345             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2346             fixEdge<StringOrStringObjectUse>(node->child1());
2347             node->convertToToString();
2348             return;
2349         }
2350     }
2351
2352     void fixupToNumber(Node* node)
2353     {
2354         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2355         if (node->child1()->shouldSpeculateNumber()) {
2356             if (isInt32Speculation(node->getHeapPrediction())) {
2357                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2358                 if (node->child1()->shouldSpeculateInt32()) {
2359                     fixEdge<Int32Use>(node->child1());
2360                     node->convertToIdentity();
2361                     return;
2362                 }
2363
2364                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2365                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2366                 fixEdge<DoubleRepUse>(node->child1());
2367                 node->setOp(DoubleAsInt32);
2368                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2369                     node->setArithMode(Arith::CheckOverflow);
2370                 else
2371                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2372                 return;
2373             }
2374
2375             fixEdge<DoubleRepUse>(node->child1());
2376             node->convertToIdentity();
2377             node->setResult(NodeResultDouble);
2378             return;
2379         }
2380
2381         fixEdge<UntypedUse>(node->child1());
2382         node->setResult(NodeResultJS);
2383     }
2384     
2385     void fixupToStringOrCallStringConstructor(Node* node)
2386     {
2387         if (node->child1()->shouldSpeculateString()) {
2388             fixEdge<StringUse>(node->child1());
2389             node->convertToIdentity();
2390             return;
2391         }
2392         
2393         if (node->child1()->shouldSpeculateStringObject()
2394             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2395             fixEdge<StringObjectUse>(node->child1());
2396             return;
2397         }
2398         
2399         if (node->child1()->shouldSpeculateStringOrStringObject()
2400             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2401             fixEdge<StringOrStringObjectUse>(node->child1());
2402             return;
2403         }
2404         
2405         if (node->child1()->shouldSpeculateCell()) {
2406             fixEdge<CellUse>(node->child1());
2407             return;
2408         }
2409
2410         if (node->child1()->shouldSpeculateInt32()) {
2411             fixEdge<Int32Use>(node->child1());
2412             node->clearFlags(NodeMustGenerate);
2413             return;
2414         }
2415
2416         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2417             fixEdge<Int52RepUse>(node->child1());
2418             node->clearFlags(NodeMustGenerate);
2419             return;
2420         }
2421
2422         if (node->child1()->shouldSpeculateNumber()) {
2423             fixEdge<DoubleRepUse>(node->child1());
2424             node->clearFlags(NodeMustGenerate);
2425             return;
2426         }
2427
2428         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2429         // we need to care about it in the clobberize. In the following case,
2430         // since NotCellUse edge filter is used and this edge filters Symbols,
2431         // we can say that ToString never throws an error!
2432         if (node->child1()->shouldSpeculateNotCell()) {
2433             fixEdge<NotCellUse>(node->child1());
2434             node->clearFlags(NodeMustGenerate);
2435             return;
2436         }
2437     }
2438
2439     bool attemptToMakeFastStringAdd(Node* node)
2440     {
2441         bool goodToGo = true;
2442         m_graph.doToChildren(
2443             node,
2444             [&] (Edge& edge) {
2445                 if (edge->shouldSpeculateString())
2446                     return;
2447                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2448                     if (edge->shouldSpeculateStringObject())
2449                         return;
2450                     if (edge->shouldSpeculateStringOrStringObject())
2451                         return;
2452                 }
2453                 goodToGo = false;
2454             });
2455         if (!goodToGo)
2456             return false;
2457
2458         m_graph.doToChildren(
2459             node,
2460             [&] (Edge& edge) {
2461                 if (edge->shouldSpeculateString()) {
2462                     convertStringAddUse<StringUse>(node, edge);
2463                     return;
2464                 }
2465                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2466                 if (edge->shouldSpeculateStringObject()) {
2467                     convertStringAddUse<StringObjectUse>(node, edge);
2468                     return;
2469                 }
2470                 if (edge->shouldSpeculateStringOrStringObject()) {
2471                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2472                     return;
2473                 }
2474                 RELEASE_ASSERT_NOT_REACHED();
2475             });
2476         
2477         convertToMakeRope(node);
2478         return true;
2479     }
2480
2481     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2482     {
2483         if (!block)
2484             return;
2485         ASSERT(block->isReachable);
2486         m_block = block;
2487         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2488             Node* node = m_currentNode = block->at(m_indexInBlock);
2489             if (node->op() != SetLocal && node->op() != GetLocal)
2490                 continue;
2491             
2492             VariableAccessData* variable = node->variableAccessData();
2493             switch (node->op()) {
2494             case GetLocal:
2495                 switch (variable->flushFormat()) {
2496                 case FlushedDouble:
2497                     node->setResult(NodeResultDouble);
2498                     break;
2499                 case FlushedInt52:
2500                     node->setResult(NodeResultInt52);
2501                     break;
2502                 default:
2503                     break;
2504                 }
2505                 break;
2506                 
2507             case SetLocal:
2508                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2509                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2510                 
2511                 switch (variable->flushFormat()) {
2512                 case FlushedJSValue:
2513                     break;
2514                 case FlushedDouble:
2515                     fixEdge<DoubleRepUse>(node->child1());
2516                     break;
2517                 case FlushedInt32:
2518                     fixEdge<Int32Use>(node->child1());
2519                     break;
2520                 case FlushedInt52:
2521                     fixEdge<Int52RepUse>(node->child1());
2522                     break;
2523                 case FlushedCell:
2524                     fixEdge<CellUse>(node->child1());
2525                     break;
2526                 case FlushedBoolean:
2527                     fixEdge<BooleanUse>(node->child1());
2528                     break;
2529                 default:
2530                     RELEASE_ASSERT_NOT_REACHED();
2531                     break;
2532                 }
2533                 break;
2534                 
2535             default:
2536                 RELEASE_ASSERT_NOT_REACHED();
2537                 break;
2538             }
2539         }
2540         m_insertionSet.execute(block);
2541     }
2542     
2543     void addStringReplacePrimordialChecks(Node* searchRegExp)
2544     {
2545         Node* node = m_currentNode;
2546
2547         // Check that structure of searchRegExp is RegExp object
2548         m_insertionSet.insertNode(
2549             m_indexInBlock, SpecNone, Check, node->origin,
2550             Edge(searchRegExp, RegExpObjectUse));
2551
2552         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2553             unsigned index = m_graph.identifiers().ensure(propertyUID);
2554
2555             Node* actualProperty = m_insertionSet.insertNode(
2556                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2557                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2558
2559             m_insertionSet.insertNode(
2560                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2561                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2562         };
2563
2564         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2565
2566         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2567         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2568         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2569         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2570         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2571         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2572         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2573         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2574     }
2575
2576     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2577     {
2578         ASSERT(arrayMode.isSpecific());
2579         
2580         if (arrayMode.type() == Array::String) {
2581             m_insertionSet.insertNode(
2582                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2583         } else {
2584             // Note that we only need to be using a structure check if we opt for SaneChain, since
2585             // that needs to protect against JSArray's __proto__ being changed.
2586             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2587         
2588             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2589             
2590             if (arrayMode.doesConversion()) {
2591                 if (structure) {
2592                     m_insertionSet.insertNode(
2593                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2594                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2595                 } else {
2596                     m_insertionSet.insertNode(
2597                         m_indexInBlock, SpecNone, Arrayify, origin,
2598                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2599                 }
2600             } else {
2601                 if (structure) {
2602                     m_insertionSet.insertNode(
2603                         m_indexInBlock, SpecNone, CheckStructure, origin,
2604                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2605                 } else {
2606                     m_insertionSet.insertNode(
2607                         m_indexInBlock, SpecNone, CheckArray, origin,
2608                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2609                 }
2610             }
2611         }
2612         
2613         if (!storageCheck(arrayMode))
2614             return nullptr;
2615         
2616         if (arrayMode.usesButterfly()) {
2617             return m_insertionSet.insertNode(
2618                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2619         }
2620         
2621         return m_insertionSet.insertNode(
2622             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2623             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2624     }
2625     
2626     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2627     {
2628         Node* node = m_currentNode;
2629         
2630         switch (node->arrayMode().type()) {
2631         case Array::ForceExit: {
2632             m_insertionSet.insertNode(
2633                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2634             return;
2635         }
2636             
2637         case Array::SelectUsingPredictions:
2638         case Array::Unprofiled:
2639             RELEASE_ASSERT_NOT_REACHED();
2640             return;
2641             
2642         case Array::Generic:
2643             return;
2644             
2645         default: {
2646             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2647             if (!storage)
2648                 return;
2649             
2650             storageChild = Edge(storage);
2651             return;
2652         } }
2653     }
2654     
2655     bool alwaysUnboxSimplePrimitives()
2656     {
2657 #if USE(JSVALUE64)
2658         return false;
2659 #else
2660         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2661         // reduces traffic.
2662         return true;
2663 #endif
2664     }
2665
2666     template<UseKind useKind>
2667     void observeUseKindOnNode(Node* node)
2668     {
2669         if (useKind == UntypedUse)
2670             return;
2671         observeUseKindOnNode(node, useKind);
2672     }
2673
2674     void observeUseKindOnEdge(Edge edge)
2675     {
2676         observeUseKindOnNode(edge.node(), edge.useKind());
2677     }
2678
2679     void observeUseKindOnNode(Node* node, UseKind useKind)
2680     {
2681         if (node->op() != GetLocal)
2682             return;
2683         
2684         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2685         // https://bugs.webkit.org/show_bug.cgi?id=121518
2686         
2687         VariableAccessData* variable = node->variableAccessData();
2688         switch (useKind) {
2689         case Int32Use:
2690         case KnownInt32Use:
2691             if (alwaysUnboxSimplePrimitives()
2692                 || isInt32Speculation(variable->prediction()))
2693                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2694             break;
2695         case NumberUse:
2696         case RealNumberUse:
2697         case DoubleRepUse:
2698         case DoubleRepRealUse:
2699             if (variable->doubleFormatState() == UsingDoubleFormat)
2700                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2701             break;
2702         case BooleanUse:
2703         case KnownBooleanUse:
2704             if (alwaysUnboxSimplePrimitives()
2705                 || isBooleanSpeculation(variable->prediction()))
2706                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2707             break;
2708         case Int52RepUse:
2709             if (isAnyIntSpeculation(variable->prediction()))
2710                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2711             break;
2712         case CellUse:
2713         case KnownCellUse:
2714         case ObjectUse:
2715         case FunctionUse:
2716         case StringUse:
2717         case KnownStringUse:
2718         case SymbolUse:
2719         case StringObjectUse:
2720         case StringOrStringObjectUse:
2721             if (alwaysUnboxSimplePrimitives()
2722                 || isCellSpeculation(variable->prediction()))
2723                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2724             break;
2725         default:
2726             break;
2727         }
2728     }
2729     
2730     template<UseKind useKind>
2731     void fixEdge(Edge& edge)
2732     {
2733         observeUseKindOnNode<useKind>(edge.node());
2734         edge.setUseKind(useKind);
2735     }
2736     
2737     unsigned indexForChecks()
2738     {
2739         unsigned index = m_indexInBlock;
2740         while (!m_block->at(index)->origin.exitOK)
2741             index--;
2742         return index;
2743     }
2744     
2745     NodeOrigin originForCheck(unsigned index)
2746     {
2747         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2748     }
2749     
2750     void speculateForBarrier(Edge value)
2751     {
2752         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2753         // the DFG anyway because if such a speculation would be wrong, we want to know before
2754         // we do an expensive compile.
2755         
2756         if (value->shouldSpeculateInt32()) {
2757             insertCheck<Int32Use>(value.node());
2758             return;
2759         }
2760             
2761         if (value->shouldSpeculateBoolean()) {
2762             insertCheck<BooleanUse>(value.node());
2763             return;
2764         }
2765             
2766         if (value->shouldSpeculateOther()) {
2767             insertCheck<OtherUse>(value.node());
2768             return;
2769         }
2770             
2771         if (value->shouldSpeculateNumber()) {
2772             insertCheck<NumberUse>(value.node());
2773             return;
2774         }
2775             
2776         if (value->shouldSpeculateNotCell()) {
2777             insertCheck<NotCellUse>(value.node());
2778             return;
2779         }
2780     }
2781     
2782     template<UseKind useKind>
2783     void insertCheck(Node* node)
2784     {
2785         observeUseKindOnNode<useKind>(node);
2786         unsigned index = indexForChecks();
2787         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
2788     }
2789
2790     void fixIntConvertingEdge(Edge& edge)
2791     {
2792         Node* node = edge.node();
2793         if (node->shouldSpeculateInt32OrBoolean()) {
2794             fixIntOrBooleanEdge(edge);
2795             return;
2796         }
2797         
2798         UseKind useKind;
2799         if (node->shouldSpeculateAnyInt())
2800             useKind = Int52RepUse;
2801         else if (node->shouldSpeculateNumber())
2802             useKind = DoubleRepUse;
2803         else
2804             useKind = NotCellUse;
2805         Node* newNode = m_insertionSet.insertNode(
2806             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
2807             Edge(node, useKind));
2808         observeUseKindOnNode(node, useKind);
2809         
2810         edge = Edge(newNode, KnownInt32Use);
2811     }
2812     
2813     void fixIntOrBooleanEdge(Edge& edge)
2814     {
2815         Node* node = edge.node();
2816         if (!node->sawBooleans()) {
2817             fixEdge<Int32Use>(edge);
2818             return;
2819         }
2820         
2821         UseKind useKind;
2822         if (node->shouldSpeculateBoolean())
2823             useKind = BooleanUse;
2824         else
2825             useKind = UntypedUse;
2826         Node* newNode = m_insertionSet.insertNode(
2827             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2828             Edge(node, useKind));
2829         observeUseKindOnNode(node, useKind);
2830         
2831         edge = Edge(newNode, Int32Use);
2832     }
2833     
2834     void fixDoubleOrBooleanEdge(Edge& edge)
2835     {
2836         Node* node = edge.node();
2837         if (!node->sawBooleans()) {
2838             fixEdge<DoubleRepUse>(edge);
2839             return;
2840         }
2841         
2842         UseKind useKind;
2843         if (node->shouldSpeculateBoolean())
2844             useKind = BooleanUse;
2845         else
2846             useKind = UntypedUse;
2847         Node* newNode = m_insertionSet.insertNode(
2848             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2849             Edge(node, useKind));
2850         observeUseKindOnNode(node, useKind);
2851         
2852         edge = Edge(newNode, DoubleRepUse);
2853     }
2854     
2855     void truncateConstantToInt32(Edge& edge)
2856     {
2857         Node* oldNode = edge.node();
2858         
2859         JSValue value = oldNode->asJSValue();
2860         if (value.isInt32())
2861             return;
2862         
2863         value = jsNumber(JSC::toInt32(value.asNumber()));
2864         ASSERT(value.isInt32());
2865         edge.setNode(m_insertionSet.insertNode(
2866             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
2867             OpInfo(m_graph.freeze(value))));
2868     }
2869     
2870     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
2871     {
2872         if (mode != SpeculateInt32AndTruncateConstants)
2873             return;
2874         
2875         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
2876         if (node->child1()->hasConstant())
2877             truncateConstantToInt32(node->child1());
2878         else
2879             truncateConstantToInt32(node->child2());
2880     }
2881
2882     bool attemptToMakeIntegerAdd(Node* node)
2883     {
2884         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
2885         if (mode != DontSpeculateInt32) {
2886             truncateConstantsIfNecessary(node, mode);
2887             fixIntOrBooleanEdge(node->child1());
2888             fixIntOrBooleanEdge(node->child2());
2889             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
2890                 node->setArithMode(Arith::Unchecked);
2891             else
2892                 node->setArithMode(Arith::CheckOverflow);
2893             return true;
2894         }
2895         
2896         if (m_graph.addShouldSpeculateAnyInt(node)) {
2897             fixEdge<Int52RepUse>(node->child1());
2898             fixEdge<Int52RepUse>(node->child2());
2899             node->setArithMode(Arith::CheckOverflow);
2900             node->setResult(NodeResultInt52);
2901             return true;
2902         }
2903         
2904         return false;
2905     }
2906     
2907     bool attemptToMakeGetArrayLength(Node* node)
2908     {
2909         if (!isInt32Speculation(node->prediction()))
2910             return false;
2911         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
2912         ArrayProfile* arrayProfile = 
2913             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
2914         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
2915         if (arrayProfile) {
2916             ConcurrentJSLocker locker(profiledBlock->m_lock);
2917             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
2918             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
2919             if (arrayMode.type() == Array::Unprofiled) {
2920                 // For normal array operations, it makes sense to treat Unprofiled
2921                 // accesses as ForceExit and get more data rather than using
2922                 // predictions and then possibly ending up with a Generic. But here,
2923                 // we treat anything that is Unprofiled as Generic and keep the
2924                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
2925                 // profit - from treating the Unprofiled case as
2926                 // SelectUsingPredictions.
2927                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
2928             }
2929         }
2930             
2931         arrayMode = arrayMode.refine(
2932             m_graph, node, node->child1()->prediction(), node->prediction());
2933             
2934         if (arrayMode.type() == Array::Generic) {
2935             // Check if the input is something that we can't get array length for, but for which we
2936             // could insert some conversions in order to transform it into something that we can do it
2937             // for.
2938             if (node->child1()->shouldSpeculateStringObject())
2939                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
2940             else if (node->child1()->shouldSpeculateStringOrStringObject())
2941                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
2942         }
2943             
2944         if (!arrayMode.supportsSelfLength())
2945             return false;
2946         
2947         convertToGetArrayLength(node, arrayMode);
2948         return true;
2949     }
2950
2951     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
2952     {
2953         node->setOp(GetArrayLength);
2954         node->clearFlags(NodeMustGenerate);
2955         fixEdge<KnownCellUse>(node->child1());
2956         node->setArrayMode(arrayMode);
2957             
2958         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
2959         if (!storage)
2960             return;
2961             
2962         node->child2() = Edge(storage);
2963     }
2964     
2965     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
2966     {
2967         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
2968         return m_insertionSet.insertNode(
2969             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
2970             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
2971     }
2972
2973     void convertToHasIndexedProperty(Node* node)
2974     {
2975         node->setOp(HasIndexedProperty);
2976         node->clearFlags(NodeMustGenerate);
2977         node->setArrayMode(
2978             node->arrayMode().refine(
2979                 m_graph, node,
2980                 node->child1()->prediction(),
2981                 node->child2()->prediction(),
2982                 SpecNone));
2983         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
2984
2985         blessArrayOperation(node->child1(), node->child2(), node->child3());
2986
2987         fixEdge<CellUse>(node->child1());
2988         fixEdge<Int32Use>(node->child2());
2989     }
2990
2991     bool attemptToMakeCallDOM(Node* node)
2992     {
2993         if (m_graph.hasExitSite(node->origin.semantic, BadType))
2994             return false;
2995
2996         const DOMJIT::Signature* signature = node->signature();
2997         if (!signature)
2998             return false;
2999
3000         {
3001             unsigned index = 0;
3002             bool shouldConvertToCallDOM = true;
3003             m_graph.doToChildren(node, [&](Edge& edge) {
3004                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
3005                 if (!index)
3006                     return;
3007
3008                 if (index == 1) {
3009                     // DOM node case.
3010                     if (edge->shouldSpeculateNotCell())
3011                         shouldConvertToCallDOM = false;
3012                 } else {
3013                     switch (signature->arguments[index - 2]) {
3014                     case SpecString:
3015                         if (edge->shouldSpeculateNotString())
3016                             shouldConvertToCallDOM = false;
3017                         break;
3018                     case SpecInt32Only:
3019                         if (edge->shouldSpeculateNotInt32())
3020                             shouldConvertToCallDOM = false;
3021                         break;
3022                     case SpecBoolean:
3023                         if (edge->shouldSpeculateNotBoolean())
3024                             shouldConvertToCallDOM = false;
3025                         break;
3026                     default:
3027                         RELEASE_ASSERT_NOT_REACHED();
3028                         break;
3029                     }
3030                 }
3031                 ++index;
3032             });
3033             if (!shouldConvertToCallDOM)
3034                 return false;
3035         }
3036
3037         Node* thisNode = m_graph.varArgChild(node, 1).node();
3038         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
3039         node->convertToCallDOM(m_graph);
3040         fixupCheckSubClass(checkSubClass);
3041         fixupCallDOM(node);
3042         return true;
3043     }
3044
3045     void fixupCheckSubClass(Node* node)
3046     {
3047         fixEdge<CellUse>(node->child1());
3048     }
3049
3050     void fixupCallDOM(Node* node)
3051     {
3052         const DOMJIT::Signature* signature = node->signature();
3053         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
3054             if (!edge)
3055                 return;
3056             switch (signature->arguments[argumentIndex]) {
3057             case SpecString:
3058                 fixEdge<StringUse>(edge);
3059                 break;
3060             case SpecInt32Only:
3061                 fixEdge<Int32Use>(edge);
3062                 break;
3063             case SpecBoolean:
3064                 fixEdge<BooleanUse>(edge);
3065                 break;
3066             default:
3067                 RELEASE_ASSERT_NOT_REACHED();
3068                 break;
3069             }
3070         };
3071         fixEdge<CellUse>(node->child1()); // DOM.
3072         fixup(node->child2(), 0);
3073         fixup(node->child3(), 1);
3074     }
3075
3076     void fixupArrayIndexOf(Node* node)
3077     {
3078         Edge& array = m_graph.varArgChild(node, 0);
3079         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3080         blessArrayOperation(array, Edge(), storage);
3081         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3082
3083         Edge& searchElement = m_graph.varArgChild(node, 1);
3084
3085         // Constant folding.
3086         switch (node->arrayMode().type()) {
3087         case Array::Double:
3088         case Array::Int32: {
3089             if (searchElement->shouldSpeculateCell()) {
3090                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3091                 m_graph.convertToConstant(node, jsNumber(-1));
3092                 observeUseKindOnNode<CellUse>(searchElement.node());
3093                 return;
3094             }
3095
3096             if (searchElement->shouldSpeculateOther()) {
3097                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3098                 m_graph.convertToConstant(node, jsNumber(-1));
3099                 observeUseKindOnNode<OtherUse>(searchElement.node());
3100                 return;
3101             }
3102
3103             if (searchElement->shouldSpeculateBoolean()) {
3104                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3105                 m_graph.convertToConstant(node, jsNumber(-1));
3106                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3107                 return;
3108             }
3109             break;
3110         }
3111         default:
3112             break;
3113         }
3114
3115         fixEdge<KnownCellUse>(array);
3116         if (node->numChildren() == 4)
3117             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3118
3119         switch (node->arrayMode().type()) {
3120         case Array::Double: {
3121             if (searchElement->shouldSpeculateNumber())
3122                 fixEdge<DoubleRepUse>(searchElement);
3123             return;
3124         }
3125         case Array::Int32: {
3126             if (searchElement->shouldSpeculateInt32())
3127                 fixEdge<Int32Use>(searchElement);
3128             return;
3129         }
3130         case Array::Contiguous: {
3131             if (searchElement->shouldSpeculateString())
3132                 fixEdge<StringUse>(searchElement);
3133             else if (searchElement->shouldSpeculateSymbol())
3134                 fixEdge<SymbolUse>(searchElement);
3135             else if (searchElement->shouldSpeculateOther())
3136                 fixEdge<OtherUse>(searchElement);
3137             else if (searchElement->shouldSpeculateObject())
3138                 fixEdge<ObjectUse>(searchElement);
3139             return;
3140         }
3141         default:
3142             RELEASE_ASSERT_NOT_REACHED();
3143             return;
3144         }
3145     }
3146
3147     void fixupChecksInBlock(BasicBlock* block)
3148     {
3149         if (!block)
3150             return;
3151         ASSERT(block->isReachable);
3152         m_block = block;
3153         unsigned indexForChecks = UINT_MAX;
3154         NodeOrigin originForChecks;
3155         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3156             Node* node = block->at(indexInBlock);
3157
3158             // If this is a node at which we could exit, then save its index. If nodes after this one
3159             // cannot exit, then we will hoist checks to here.
3160             if (node->origin.exitOK) {
3161                 indexForChecks = indexInBlock;
3162                 originForChecks = node->origin;
3163             }
3164
3165             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3166             
3167             // First, try to relax the representational demands of each node, in order to have
3168             // fewer conversions.
3169             switch (node->op()) {
3170             case MovHint:
3171             case Check:
3172                 m_graph.doToChildren(
3173                     node,
3174                     [&] (Edge& edge) {
3175                         switch (edge.useKind()) {
3176                         case DoubleRepUse:
3177                         case DoubleRepRealUse:
3178                             if (edge->hasDoubleResult())
3179                                 break;
3180             
3181                             if (edge->hasInt52Result())
3182                                 edge.setUseKind(Int52RepUse);
3183                             else if (edge.useKind() == DoubleRepUse)
3184                                 edge.setUseKind(NumberUse);
3185                             break;
3186             
3187                         case Int52RepUse:
3188                             // Nothing we can really do.
3189                             break;
3190             
3191                         case UntypedUse:
3192                         case NumberUse:
3193                             if (edge->hasDoubleResult())
3194                                 edge.setUseKind(DoubleRepUse);
3195                             else if (edge->hasInt52Result())
3196                                 edge.setUseKind(Int52RepUse);
3197                             break;
3198             
3199                         case RealNumberUse:
3200                             if (edge->hasDoubleResult())
3201                                 edge.setUseKind(DoubleRepRealUse);
3202                             else if (edge->hasInt52Result())
3203                                 edge.setUseKind(Int52RepUse);
3204                             break;
3205             
3206                         default:
3207                             break;
3208                         }
3209                     });
3210                 break;
3211                 
3212             case ValueToInt32:
3213                 if (node->child1().useKind() == DoubleRepUse
3214                     && !node->child1()->hasDoubleResult()) {
3215                     node->child1().setUseKind(NumberUse);
3216                     break;
3217                 }
3218                 break;
3219                 
3220             default:
3221                 break;
3222             }
3223
3224             // Now, insert type conversions if necessary.
3225             m_graph.doToChildren(
3226                 node,
3227                 [&] (Edge& edge) {
3228                     Node* result = nullptr;
3229
3230                     switch (edge.useKind()) {
3231                     case DoubleRepUse:
3232                     case DoubleRepRealUse:
3233                     case DoubleRepAnyIntUse: {
3234                         if (edge->hasDoubleResult())
3235                             break;
3236             
3237                         ASSERT(indexForChecks != UINT_MAX);
3238                         if (edge->isNumberConstant()) {
3239                             result = m_insertionSet.insertNode(
3240                                 indexForChecks, SpecBytecodeDouble, DoubleConstant, originForChecks,
3241                                 OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber()))));
3242                         } else if (edge->hasInt52Result()) {
3243                             result = m_insertionSet.insertNode(
3244                                 indexForChecks, SpecAnyIntAsDouble, DoubleRep, originForChecks,
3245                                 Edge(edge.node(), Int52RepUse));
3246                         } else {
3247                             UseKind useKind;
3248                             if (edge->shouldSpeculateDoubleReal())
3249                                 useKind = RealNumberUse;
3250                             else if (edge->shouldSpeculateNumber())
3251                                 useKind = NumberUse;
3252                             else
3253                                 useKind = NotCellUse;
3254
3255                             result = m_insertionSet.insertNode(
3256                                 indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks,
3257                                 Edge(edge.node(), useKind));
3258                         }
3259
3260                         edge.setNode(result);
3261                         break;
3262                     }
3263             
3264                     case Int52RepUse: {
3265                         if (edge->hasInt52Result())
3266                             break;
3267             
3268                         ASSERT(indexForChecks != UINT_MAX);
3269                         if (edge->isAnyIntConstant()) {
3270                             result = m_insertionSet.insertNode(
3271                                 indexForChecks, SpecAnyInt, Int52Constant, originForChecks,
3272                                 OpInfo(edge->constant()));
3273                         } else if (edge->hasDoubleResult()) {
3274                             result = m_insertionSet.insertNode(
3275                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3276                                 Edge(edge.node(), DoubleRepAnyIntUse));
3277                         } else if (edge->shouldSpeculateInt32ForArithmetic()) {
3278                             result = m_insertionSet.insertNode(
3279                                 indexForChecks, SpecInt32Only, Int52Rep, originForChecks,
3280                                 Edge(edge.node(), Int32Use));
3281                         } else {
3282                             result = m_insertionSet.insertNode(
3283                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3284                                 Edge(edge.node(), AnyIntUse));
3285                         }
3286
3287                         edge.setNode(result);
3288                         break;
3289                     }
3290
3291                     default: {
3292                         if (!edge->hasDoubleResult() && !edge->hasInt52Result())
3293                             break;
3294             
3295                         ASSERT(indexForChecks != UINT_MAX);
3296                         if (edge->hasDoubleResult()) {
3297                             result = m_insertionSet.insertNode(
3298                                 indexForChecks, SpecBytecodeDouble, ValueRep, originForChecks,
3299                                 Edge(edge.node(), DoubleRepUse));
3300                         } else {
3301                             result = m_insertionSet.insertNode(
3302                                 indexForChecks, SpecInt32Only | SpecAnyIntAsDouble, ValueRep,
3303                                 originForChecks, Edge(edge.node(), Int52RepUse));
3304                         }
3305
3306                         edge.setNode(result);
3307                         break;
3308                     } }
3309
3310                     // It's remotely possible that this node cannot do type checks, but we now have a
3311                     // type check on this node. We don't have to handle the general form of this
3312                     // problem. It only arises when ByteCodeParser emits an immediate SetLocal, rather
3313                     // than a delayed one. So, we only worry about those checks that we may have put on
3314                     // a SetLocal. Note that "indexForChecks != indexInBlock" is just another way of
3315                     // saying "!node->origin.exitOK".
3316                     if (indexForChecks != indexInBlock && mayHaveTypeCheck(edge.useKind())) {
3317                         UseKind knownUseKind;
3318                         
3319                         switch (edge.useKind()) {
3320                         case Int32Use:
3321                             knownUseKind = KnownInt32Use;
3322                             break;
3323                         case CellUse:
3324                             knownUseKind = KnownCellUse;
3325                             break;
3326                         case BooleanUse:
3327                             knownUseKind = KnownBooleanUse;
3328                             break;
3329                         default:
3330                             // This can only arise if we have a Check node, and in that case, we can
3331                             // just remove the original check.
3332                             DFG_ASSERT(m_graph, node, node->op() == Check);
3333                             knownUseKind = UntypedUse;
3334                             break;
3335                         }
3336
3337                         ASSERT(indexForChecks != UINT_MAX);
3338                         m_insertionSet.insertNode(
3339                             indexForChecks, SpecNone, Check, originForChecks, edge);
3340
3341                         edge.setUseKind(knownUseKind);
3342                     }
3343                 });
3344         }
3345         
3346         m_insertionSet.execute(block);
3347     }
3348     
3349     BasicBlock* m_block;
3350     unsigned m_indexInBlock;
3351     Node* m_currentNode;
3352     InsertionSet m_insertionSet;
3353     bool m_profitabilityChanged;
3354 };
3355     
3356 bool performFixup(Graph& graph)
3357 {
3358     return runPhase<FixupPhase>(graph);
3359 }
3360
3361 } } // namespace JSC::DFG
3362
3363 #endif // ENABLE(DFG_JIT)
3364