[DFG] DFG should handle String#toString
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
146             }
147             break;
148         }
149
150         case ValueNegate: {
151             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
152                 node->setOp(ArithNegate);
153                 fixIntOrBooleanEdge(node->child1());
154                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
155                     node->setArithMode(Arith::Unchecked);
156                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
157                     node->setArithMode(Arith::CheckOverflow);
158                 else
159                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
160                 node->setResult(NodeResultInt32);
161                 node->clearFlags(NodeMustGenerate);
162                 break;
163             }
164             
165             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
166                 node->setOp(ArithNegate);
167                 fixEdge<Int52RepUse>(node->child1());
168                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
169                     node->setArithMode(Arith::CheckOverflow);
170                 else
171                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
172                 node->setResult(NodeResultInt52);
173                 node->clearFlags(NodeMustGenerate);
174                 break;
175             }
176             if (node->child1()->shouldSpeculateNotCell()) {
177                 node->setOp(ArithNegate);
178                 fixDoubleOrBooleanEdge(node->child1());
179                 node->setResult(NodeResultDouble);
180                 node->clearFlags(NodeMustGenerate);
181             } else {
182                 fixEdge<UntypedUse>(node->child1());
183                 node->setResult(NodeResultJS);
184             }
185             break;
186         }
187
188         case ValueAdd: {
189             if (attemptToMakeIntegerAdd(node)) {
190                 node->setOp(ArithAdd);
191                 break;
192             }
193             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
194                 fixDoubleOrBooleanEdge(node->child1());
195                 fixDoubleOrBooleanEdge(node->child2());
196                 node->setOp(ArithAdd);
197                 node->setResult(NodeResultDouble);
198                 break;
199             }
200             
201             if (attemptToMakeFastStringAdd(node))
202                 break;
203
204             Edge& child1 = node->child1();
205             Edge& child2 = node->child2();
206             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
207                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
208                     auto convertString = [&](Node* node, Edge& edge) {
209                         if (edge->shouldSpeculateInt32())
210                             convertStringAddUse<Int32Use>(node, edge);
211                         else {
212                             ASSERT(edge->shouldSpeculateString());
213                             convertStringAddUse<StringUse>(node, edge);
214                         }
215                     };
216                     convertString(node, child1);
217                     convertString(node, child2);
218                     convertToMakeRope(node);
219                     break;
220                 }
221             }
222
223             fixEdge<UntypedUse>(child1);
224             fixEdge<UntypedUse>(child2);
225             node->setResult(NodeResultJS);
226             break;
227         }
228
229         case StrCat: {
230             if (attemptToMakeFastStringAdd(node))
231                 break;
232
233             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
234             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
235             // the implementation of StrCat doesn't dynamically optimize for empty strings.
236             // https://bugs.webkit.org/show_bug.cgi?id=148540
237             m_graph.doToChildren(
238                 node,
239                 [&] (Edge& edge) {
240                     fixEdge<KnownPrimitiveUse>(edge);
241                     // StrCat automatically coerces the values into strings before concatenating them.
242                     // The ECMA spec says that we're not allowed to automatically coerce a Symbol into
243                     // a string. If a Symbol is encountered, a TypeError will be thrown. As a result,
244                     // our runtime functions for this slow path expect that they will never be passed
245                     // Symbols.
246                     m_insertionSet.insertNode(
247                         m_indexInBlock, SpecNone, Check, node->origin,
248                         Edge(edge.node(), NotSymbolUse));
249                 });
250             break;
251         }
252             
253         case MakeRope: {
254             fixupMakeRope(node);
255             break;
256         }
257             
258         case ArithAdd:
259         case ArithSub: {
260             if (op == ArithSub
261                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
262                 fixEdge<UntypedUse>(node->child1());
263                 fixEdge<UntypedUse>(node->child2());
264                 node->setResult(NodeResultJS);
265                 break;
266             }
267             if (attemptToMakeIntegerAdd(node))
268                 break;
269             fixDoubleOrBooleanEdge(node->child1());
270             fixDoubleOrBooleanEdge(node->child2());
271             node->setResult(NodeResultDouble);
272             break;
273         }
274             
275         case ArithNegate: {
276             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
277                 fixIntOrBooleanEdge(node->child1());
278                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
279                     node->setArithMode(Arith::Unchecked);
280                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
281                     node->setArithMode(Arith::CheckOverflow);
282                 else
283                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
284                 node->setResult(NodeResultInt32);
285                 node->clearFlags(NodeMustGenerate);
286                 break;
287             }
288             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
289                 fixEdge<Int52RepUse>(node->child1());
290                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
291                     node->setArithMode(Arith::CheckOverflow);
292                 else
293                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
294                 node->setResult(NodeResultInt52);
295                 node->clearFlags(NodeMustGenerate);
296                 break;
297             }
298
299             fixDoubleOrBooleanEdge(node->child1());
300             node->setResult(NodeResultDouble);
301             node->clearFlags(NodeMustGenerate);
302             break;
303         }
304             
305         case ArithMul: {
306             Edge& leftChild = node->child1();
307             Edge& rightChild = node->child2();
308             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
309                 fixEdge<UntypedUse>(leftChild);
310                 fixEdge<UntypedUse>(rightChild);
311                 node->setResult(NodeResultJS);
312                 break;
313             }
314             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
315                 fixIntOrBooleanEdge(leftChild);
316                 fixIntOrBooleanEdge(rightChild);
317                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
318                     node->setArithMode(Arith::Unchecked);
319                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
320                     || leftChild.node() == rightChild.node())
321                     node->setArithMode(Arith::CheckOverflow);
322                 else
323                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
324                 break;
325             }
326             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
327                 fixEdge<Int52RepUse>(leftChild);
328                 fixEdge<Int52RepUse>(rightChild);
329                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
330                     || leftChild.node() == rightChild.node())
331                     node->setArithMode(Arith::CheckOverflow);
332                 else
333                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
334                 node->setResult(NodeResultInt52);
335                 break;
336             }
337             fixDoubleOrBooleanEdge(leftChild);
338             fixDoubleOrBooleanEdge(rightChild);
339             node->setResult(NodeResultDouble);
340             break;
341         }
342
343         case ArithDiv:
344         case ArithMod: {
345             Edge& leftChild = node->child1();
346             Edge& rightChild = node->child2();
347             if (op == ArithDiv
348                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
349                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
350                 fixEdge<UntypedUse>(leftChild);
351                 fixEdge<UntypedUse>(rightChild);
352                 node->setResult(NodeResultJS);
353                 break;
354             }
355             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
356                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
357                     fixIntOrBooleanEdge(leftChild);
358                     fixIntOrBooleanEdge(rightChild);
359                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
360                         node->setArithMode(Arith::Unchecked);
361                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
362                         node->setArithMode(Arith::CheckOverflow);
363                     else
364                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
365                     break;
366                 }
367                 
368                 // This will cause conversion nodes to be inserted later.
369                 fixDoubleOrBooleanEdge(leftChild);
370                 fixDoubleOrBooleanEdge(rightChild);
371                 
372                 // We don't need to do ref'ing on the children because we're stealing them from
373                 // the original division.
374                 Node* newDivision = m_insertionSet.insertNode(
375                     m_indexInBlock, SpecBytecodeDouble, *node);
376                 newDivision->setResult(NodeResultDouble);
377                 
378                 node->setOp(DoubleAsInt32);
379                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
380                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
381                     node->setArithMode(Arith::CheckOverflow);
382                 else
383                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
384                 break;
385             }
386             fixDoubleOrBooleanEdge(leftChild);
387             fixDoubleOrBooleanEdge(rightChild);
388             node->setResult(NodeResultDouble);
389             break;
390         }
391             
392         case ArithMin:
393         case ArithMax: {
394             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
395                 fixIntOrBooleanEdge(node->child1());
396                 fixIntOrBooleanEdge(node->child2());
397                 break;
398             }
399             fixDoubleOrBooleanEdge(node->child1());
400             fixDoubleOrBooleanEdge(node->child2());
401             node->setResult(NodeResultDouble);
402             break;
403         }
404             
405         case ArithAbs: {
406             if (node->child1()->shouldSpeculateInt32OrBoolean()
407                 && node->canSpeculateInt32(FixupPass)) {
408                 fixIntOrBooleanEdge(node->child1());
409                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
410                     node->setArithMode(Arith::Unchecked);
411                 else
412                     node->setArithMode(Arith::CheckOverflow);
413                 node->clearFlags(NodeMustGenerate);
414                 node->setResult(NodeResultInt32);
415                 break;
416             }
417
418             if (node->child1()->shouldSpeculateNotCell()) {
419                 fixDoubleOrBooleanEdge(node->child1());
420                 node->clearFlags(NodeMustGenerate);
421             } else
422                 fixEdge<UntypedUse>(node->child1());
423             node->setResult(NodeResultDouble);
424             break;
425         }
426
427         case ArithPow: {
428             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
429                 fixDoubleOrBooleanEdge(node->child1());
430                 fixIntOrBooleanEdge(node->child2());
431                 break;
432             }
433
434             fixDoubleOrBooleanEdge(node->child1());
435             fixDoubleOrBooleanEdge(node->child2());
436             break;
437         }
438
439         case ArithRandom: {
440             node->setResult(NodeResultDouble);
441             break;
442         }
443
444         case ArithRound:
445         case ArithFloor:
446         case ArithCeil:
447         case ArithTrunc: {
448             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
449                 fixIntOrBooleanEdge(node->child1());
450                 insertCheck<Int32Use>(node->child1().node());
451                 node->convertToIdentity();
452                 break;
453             }
454             if (node->child1()->shouldSpeculateNotCell()) {
455                 fixDoubleOrBooleanEdge(node->child1());
456
457                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
458                     node->setResult(NodeResultInt32);
459                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
460                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
461                     else
462                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
463                 } else {
464                     node->setResult(NodeResultDouble);
465                     node->setArithRoundingMode(Arith::RoundingMode::Double);
466                 }
467                 node->clearFlags(NodeMustGenerate);
468             } else
469                 fixEdge<UntypedUse>(node->child1());
470             break;
471         }
472
473         case ArithFRound:
474         case ArithSqrt:
475         case ArithUnary: {
476             Edge& child1 = node->child1();
477             if (child1->shouldSpeculateNotCell()) {
478                 fixDoubleOrBooleanEdge(child1);
479                 node->clearFlags(NodeMustGenerate);
480             } else
481                 fixEdge<UntypedUse>(child1);
482             break;
483         }
484             
485         case LogicalNot: {
486             if (node->child1()->shouldSpeculateBoolean()) {
487                 if (node->child1()->result() == NodeResultBoolean) {
488                     // This is necessary in case we have a bytecode instruction implemented by:
489                     //
490                     // a: CompareEq(...)
491                     // b: LogicalNot(@a)
492                     //
493                     // In that case, CompareEq might have a side-effect. Then, we need to make
494                     // sure that we know that Branch does not exit.
495                     fixEdge<KnownBooleanUse>(node->child1());
496                 } else
497                     fixEdge<BooleanUse>(node->child1());
498             } else if (node->child1()->shouldSpeculateObjectOrOther())
499                 fixEdge<ObjectOrOtherUse>(node->child1());
500             else if (node->child1()->shouldSpeculateInt32OrBoolean())
501                 fixIntOrBooleanEdge(node->child1());
502             else if (node->child1()->shouldSpeculateNumber())
503                 fixEdge<DoubleRepUse>(node->child1());
504             else if (node->child1()->shouldSpeculateString())
505                 fixEdge<StringUse>(node->child1());
506             else if (node->child1()->shouldSpeculateStringOrOther())
507                 fixEdge<StringOrOtherUse>(node->child1());
508             else {
509                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
510                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
511                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
512             }
513             break;
514         }
515
516         case CompareEq:
517         case CompareLess:
518         case CompareLessEq:
519         case CompareGreater:
520         case CompareGreaterEq: {
521             if (node->op() == CompareEq
522                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
523                 fixEdge<BooleanUse>(node->child1());
524                 fixEdge<BooleanUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
529                 fixIntOrBooleanEdge(node->child1());
530                 fixIntOrBooleanEdge(node->child2());
531                 node->clearFlags(NodeMustGenerate);
532                 break;
533             }
534             if (enableInt52()
535                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
536                 fixEdge<Int52RepUse>(node->child1());
537                 fixEdge<Int52RepUse>(node->child2());
538                 node->clearFlags(NodeMustGenerate);
539                 break;
540             }
541             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
542                 fixDoubleOrBooleanEdge(node->child1());
543                 fixDoubleOrBooleanEdge(node->child2());
544             }
545             if (node->op() != CompareEq
546                 && node->child1()->shouldSpeculateNotCell()
547                 && node->child2()->shouldSpeculateNotCell()) {
548                 if (node->child1()->shouldSpeculateNumberOrBoolean())
549                     fixDoubleOrBooleanEdge(node->child1());
550                 else
551                     fixEdge<DoubleRepUse>(node->child1());
552                 if (node->child2()->shouldSpeculateNumberOrBoolean())
553                     fixDoubleOrBooleanEdge(node->child2());
554                 else
555                     fixEdge<DoubleRepUse>(node->child2());
556                 node->clearFlags(NodeMustGenerate);
557                 break;
558             }
559             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
560                 fixEdge<StringIdentUse>(node->child1());
561                 fixEdge<StringIdentUse>(node->child2());
562                 node->clearFlags(NodeMustGenerate);
563                 break;
564             }
565             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
566                 fixEdge<StringUse>(node->child1());
567                 fixEdge<StringUse>(node->child2());
568                 node->clearFlags(NodeMustGenerate);
569                 break;
570             }
571
572             if (node->op() != CompareEq)
573                 break;
574             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
575                 fixEdge<SymbolUse>(node->child1());
576                 fixEdge<SymbolUse>(node->child2());
577                 node->clearFlags(NodeMustGenerate);
578                 break;
579             }
580             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
581                 fixEdge<ObjectUse>(node->child1());
582                 fixEdge<ObjectUse>(node->child2());
583                 node->clearFlags(NodeMustGenerate);
584                 break;
585             }
586
587             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
588             bool oneArgumentIsUsedAsSpecOther = false;
589             if (node->child1()->isUndefinedOrNullConstant()) {
590                 fixEdge<KnownOtherUse>(node->child1());
591                 oneArgumentIsUsedAsSpecOther = true;
592             } else if (node->child1()->shouldSpeculateOther()) {
593                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
594                     Edge(node->child1().node(), OtherUse));
595                 fixEdge<KnownOtherUse>(node->child1());
596                 oneArgumentIsUsedAsSpecOther = true;
597             }
598             if (node->child2()->isUndefinedOrNullConstant()) {
599                 fixEdge<KnownOtherUse>(node->child2());
600                 oneArgumentIsUsedAsSpecOther = true;
601             } else if (node->child2()->shouldSpeculateOther()) {
602                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
603                     Edge(node->child2().node(), OtherUse));
604                 fixEdge<KnownOtherUse>(node->child2());
605                 oneArgumentIsUsedAsSpecOther = true;
606             }
607             if (oneArgumentIsUsedAsSpecOther) {
608                 node->clearFlags(NodeMustGenerate);
609                 break;
610             }
611
612             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
613                 fixEdge<ObjectUse>(node->child1());
614                 fixEdge<ObjectOrOtherUse>(node->child2());
615                 node->clearFlags(NodeMustGenerate);
616                 break;
617             }
618             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
619                 fixEdge<ObjectOrOtherUse>(node->child1());
620                 fixEdge<ObjectUse>(node->child2());
621                 node->clearFlags(NodeMustGenerate);
622                 break;
623             }
624
625             break;
626         }
627             
628         case CompareStrictEq:
629         case SameValue: {
630             fixupCompareStrictEqAndSameValue(node);
631             break;
632         }
633
634         case StringFromCharCode:
635             if (node->child1()->shouldSpeculateInt32()) {
636                 fixEdge<Int32Use>(node->child1());
637                 node->clearFlags(NodeMustGenerate);
638             } else
639                 fixEdge<UntypedUse>(node->child1());
640             break;
641
642         case StringCharAt:
643         case StringCharCodeAt: {
644             // Currently we have no good way of refining these.
645             ASSERT(node->arrayMode() == ArrayMode(Array::String, Array::Read));
646             blessArrayOperation(node->child1(), node->child2(), node->child3());
647             fixEdge<KnownCellUse>(node->child1());
648             fixEdge<Int32Use>(node->child2());
649             break;
650         }
651
652         case GetByVal: {
653             if (!node->prediction()) {
654                 m_insertionSet.insertNode(
655                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
656             }
657             
658             node->setArrayMode(
659                 node->arrayMode().refine(
660                     m_graph, node,
661                     m_graph.varArgChild(node, 0)->prediction(),
662                     m_graph.varArgChild(node, 1)->prediction(),
663                     SpecNone));
664             
665             blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
666             
667             ArrayMode arrayMode = node->arrayMode();
668             switch (arrayMode.type()) {
669             case Array::Contiguous:
670             case Array::Double:
671                 if (arrayMode.isJSArrayWithOriginalStructure() && arrayMode.speculation() == Array::InBounds) {
672                     // Check if SaneChain will work on a per-type basis. Note that:
673                     //
674                     // 1) We don't want double arrays to sometimes return undefined, since
675                     // that would require a change to the return type and it would pessimise
676                     // things a lot. So, we'd only want to do that if we actually had
677                     // evidence that we could read from a hole. That's pretty annoying.
678                     // Likely the best way to handle that case is with an equivalent of
679                     // SaneChain for OutOfBounds. For now we just detect when Undefined and
680                     // NaN are indistinguishable according to backwards propagation, and just
681                     // use SaneChain in that case. This happens to catch a lot of cases.
682                     //
683                     // 2) We don't want int32 array loads to have to do a hole check just to
684                     // coerce to Undefined, since that would mean twice the checks.
685                     //
686                     // This has two implications. First, we have to do more checks than we'd
687                     // like. It's unfortunate that we have to do the hole check. Second,
688                     // some accesses that hit a hole will now need to take the full-blown
689                     // out-of-bounds slow path. We can fix that with:
690                     // https://bugs.webkit.org/show_bug.cgi?id=144668
691                     
692                     bool canDoSaneChain = false;
693                     switch (arrayMode.type()) {
694                     case Array::Contiguous:
695                         // This is happens to be entirely natural. We already would have
696                         // returned any JSValue, and now we'll return Undefined. We still do
697                         // the check but it doesn't require taking any kind of slow path.
698                         canDoSaneChain = true;
699                         break;
700                         
701                     case Array::Double:
702                         if (!(node->flags() & NodeBytecodeUsesAsOther)) {
703                             // Holes look like NaN already, so if the user doesn't care
704                             // about the difference between Undefined and NaN then we can
705                             // do this.
706                             canDoSaneChain = true;
707                         }
708                         break;
709                         
710                     default:
711                         break;
712                     }
713                     
714                     if (canDoSaneChain) {
715                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
716                         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
717                         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
718                         if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
719                             && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
720                             && globalObject->arrayPrototypeChainIsSane()) {
721                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
722                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
723                             node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
724                         }
725                     }
726                 }
727                 break;
728                 
729             case Array::String:
730                 if ((node->prediction() & ~SpecString)
731                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
732                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
733                 break;
734                 
735             default:
736                 break;
737             }
738             
739             arrayMode = node->arrayMode();
740             switch (arrayMode.type()) {
741             case Array::SelectUsingPredictions:
742             case Array::Unprofiled:
743                 RELEASE_ASSERT_NOT_REACHED();
744                 break;
745             case Array::Generic:
746                 if (m_graph.varArgChild(node, 0)->shouldSpeculateObject()) {
747                     if (m_graph.varArgChild(node, 1)->shouldSpeculateString()) {
748                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
749                         fixEdge<StringUse>(m_graph.varArgChild(node, 1));
750                         break;
751                     }
752
753                     if (m_graph.varArgChild(node, 1)->shouldSpeculateSymbol()) {
754                         fixEdge<ObjectUse>(m_graph.varArgChild(node, 0));
755                         fixEdge<SymbolUse>(m_graph.varArgChild(node, 1));
756                         break;
757                     }
758                 }
759 #if USE(JSVALUE32_64)
760                 fixEdge<CellUse>(m_graph.varArgChild(node, 0)); // Speculating cell due to register pressure on 32-bit.
761 #endif
762                 break;
763             case Array::ForceExit:
764                 break;
765             default:
766                 fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
767                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
768                 break;
769             }
770             
771             switch (arrayMode.type()) {
772             case Array::Double:
773                 if (!arrayMode.isOutOfBounds())
774                     node->setResult(NodeResultDouble);
775                 break;
776                 
777             case Array::Float32Array:
778             case Array::Float64Array:
779                 node->setResult(NodeResultDouble);
780                 break;
781                 
782             case Array::Uint32Array:
783                 if (node->shouldSpeculateInt32())
784                     break;
785                 if (node->shouldSpeculateAnyInt() && enableInt52())
786                     node->setResult(NodeResultInt52);
787                 else
788                     node->setResult(NodeResultDouble);
789                 break;
790                 
791             default:
792                 break;
793             }
794             
795             break;
796         }
797
798         case PutByValDirect:
799         case PutByVal:
800         case PutByValAlias: {
801             Edge& child1 = m_graph.varArgChild(node, 0);
802             Edge& child2 = m_graph.varArgChild(node, 1);
803             Edge& child3 = m_graph.varArgChild(node, 2);
804
805             node->setArrayMode(
806                 node->arrayMode().refine(
807                     m_graph, node,
808                     child1->prediction(),
809                     child2->prediction(),
810                     child3->prediction()));
811             
812             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
813             
814             switch (node->arrayMode().modeForPut().type()) {
815             case Array::SelectUsingPredictions:
816             case Array::SelectUsingArguments:
817             case Array::Unprofiled:
818             case Array::Undecided:
819                 RELEASE_ASSERT_NOT_REACHED();
820                 break;
821             case Array::ForceExit:
822             case Array::Generic:
823                 if (child1->shouldSpeculateCell()) {
824                     if (child2->shouldSpeculateString()) {
825                         fixEdge<CellUse>(child1);
826                         fixEdge<StringUse>(child2);
827                         break;
828                     }
829
830                     if (child2->shouldSpeculateSymbol()) {
831                         fixEdge<CellUse>(child1);
832                         fixEdge<SymbolUse>(child2);
833                         break;
834                     }
835                 }
836 #if USE(JSVALUE32_64)
837                 // Due to register pressure on 32-bit, we speculate cell and
838                 // ignore the base-is-not-cell case entirely by letting the
839                 // baseline JIT handle it.
840                 fixEdge<CellUse>(child1);
841 #endif
842                 break;
843             case Array::Int32:
844                 fixEdge<KnownCellUse>(child1);
845                 fixEdge<Int32Use>(child2);
846                 fixEdge<Int32Use>(child3);
847                 break;
848             case Array::Double:
849                 fixEdge<KnownCellUse>(child1);
850                 fixEdge<Int32Use>(child2);
851                 fixEdge<DoubleRepRealUse>(child3);
852                 break;
853             case Array::Int8Array:
854             case Array::Int16Array:
855             case Array::Int32Array:
856             case Array::Uint8Array:
857             case Array::Uint8ClampedArray:
858             case Array::Uint16Array:
859             case Array::Uint32Array:
860                 fixEdge<KnownCellUse>(child1);
861                 fixEdge<Int32Use>(child2);
862                 if (child3->shouldSpeculateInt32())
863                     fixIntOrBooleanEdge(child3);
864                 else if (child3->shouldSpeculateAnyInt())
865                     fixEdge<Int52RepUse>(child3);
866                 else
867                     fixDoubleOrBooleanEdge(child3);
868                 break;
869             case Array::Float32Array:
870             case Array::Float64Array:
871                 fixEdge<KnownCellUse>(child1);
872                 fixEdge<Int32Use>(child2);
873                 fixDoubleOrBooleanEdge(child3);
874                 break;
875             case Array::Contiguous:
876             case Array::ArrayStorage:
877             case Array::SlowPutArrayStorage:
878                 fixEdge<KnownCellUse>(child1);
879                 fixEdge<Int32Use>(child2);
880                 speculateForBarrier(child3);
881                 break;
882             default:
883                 fixEdge<KnownCellUse>(child1);
884                 fixEdge<Int32Use>(child2);
885                 break;
886             }
887             break;
888         }
889             
890         case AtomicsAdd:
891         case AtomicsAnd:
892         case AtomicsCompareExchange:
893         case AtomicsExchange:
894         case AtomicsLoad:
895         case AtomicsOr:
896         case AtomicsStore:
897         case AtomicsSub:
898         case AtomicsXor: {
899             Edge& base = m_graph.child(node, 0);
900             Edge& index = m_graph.child(node, 1);
901             
902             bool badNews = false;
903             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
904                 Edge& child = m_graph.child(node, 2 + i);
905                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
906                 // just call the function when that happens. But the FTL is totally cool with those
907                 // conversions.
908                 if (!child->shouldSpeculateInt32()
909                     && !child->shouldSpeculateAnyInt()
910                     && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
911                     badNews = true;
912             }
913             
914             if (badNews) {
915                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
916                 break;
917             }
918             
919             node->setArrayMode(
920                 node->arrayMode().refine(
921                     m_graph, node, base->prediction(), index->prediction()));
922             
923             if (node->arrayMode().type() == Array::Generic)
924                 break;
925             
926             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
927                 Edge& child = m_graph.child(node, 2 + i);
928                 if (child->shouldSpeculateInt32())
929                     fixIntOrBooleanEdge(child);
930                 else if (child->shouldSpeculateAnyInt())
931                     fixEdge<Int52RepUse>(child);
932                 else {
933                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
934                     fixDoubleOrBooleanEdge(child);
935                 }
936             }
937             
938             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
939             fixEdge<CellUse>(base);
940             fixEdge<Int32Use>(index);
941             
942             if (node->arrayMode().type() == Array::Uint32Array) {
943                 // NOTE: This means basically always doing Int52.
944                 if (node->shouldSpeculateAnyInt() && enableInt52())
945                     node->setResult(NodeResultInt52);
946                 else
947                     node->setResult(NodeResultDouble);
948             }
949             break;
950         }
951             
952         case AtomicsIsLockFree:
953             if (node->child1()->shouldSpeculateInt32())
954                 fixIntOrBooleanEdge(node->child1());
955             break;
956             
957         case ArrayPush: {
958             // May need to refine the array mode in case the value prediction contravenes
959             // the array prediction. For example, we may have evidence showing that the
960             // array is in Int32 mode, but the value we're storing is likely to be a double.
961             // Then we should turn this into a conversion to Double array followed by the
962             // push. On the other hand, we absolutely don't want to refine based on the
963             // base prediction. If it has non-cell garbage in it, then we want that to be
964             // ignored. That's because ArrayPush can't handle any array modes that aren't
965             // array-related - so if refine() turned this into a "Generic" ArrayPush then
966             // that would break things.
967             Edge& storageEdge = m_graph.varArgChild(node, 0);
968             Edge& arrayEdge = m_graph.varArgChild(node, 1);
969             unsigned elementOffset = 2;
970             unsigned elementCount = node->numChildren() - elementOffset;
971             for (unsigned i = 0; i < elementCount; ++i) {
972                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
973                 node->setArrayMode(
974                     node->arrayMode().refine(
975                         m_graph, node,
976                         arrayEdge->prediction() & SpecCell,
977                         SpecInt32Only,
978                         element->prediction()));
979             }
980             blessArrayOperation(arrayEdge, Edge(), storageEdge);
981             fixEdge<KnownCellUse>(arrayEdge);
982
983             // Convert `array.push()` to GetArrayLength.
984             if (!elementCount && node->arrayMode().supportsSelfLength()) {
985                 node->setOpAndDefaultFlags(GetArrayLength);
986                 node->child1() = arrayEdge;
987                 node->child2() = storageEdge;
988                 fixEdge<KnownCellUse>(node->child1());
989                 break;
990             }
991
992             // We do not want to perform osr exit and retry for ArrayPush. We insert Check with appropriate type,
993             // and ArrayPush uses the edge as known typed edge. Therefore, ArrayPush do not need to perform type checks.
994             for (unsigned i = 0; i < elementCount; ++i) {
995                 Edge& element = m_graph.varArgChild(node, i + elementOffset);
996                 switch (node->arrayMode().type()) {
997                 case Array::Int32:
998                     insertCheck<Int32Use>(element.node());
999                     fixEdge<KnownInt32Use>(element);
1000                     break;
1001                 case Array::Double:
1002                     insertCheck<DoubleRepRealUse>(element.node());
1003                     fixEdge<DoubleRepUse>(element);
1004                     break;
1005                 case Array::Contiguous:
1006                 case Array::ArrayStorage:
1007                     speculateForBarrier(element);
1008                     break;
1009                 default:
1010                     break;
1011                 }
1012                 ASSERT(shouldNotHaveTypeCheck(element.useKind()));
1013             }
1014             break;
1015         }
1016             
1017         case ArrayPop: {
1018             blessArrayOperation(node->child1(), Edge(), node->child2());
1019             fixEdge<KnownCellUse>(node->child1());
1020             break;
1021         }
1022
1023         case ArraySlice: {
1024             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1025             if (node->numChildren() >= 3) {
1026                 fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1027                 if (node->numChildren() == 4)
1028                     fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1029             }
1030             break;
1031         }
1032
1033         case ArrayIndexOf:
1034             fixupArrayIndexOf(node);
1035             break;
1036             
1037         case RegExpExec:
1038         case RegExpTest: {
1039             fixEdge<KnownCellUse>(node->child1());
1040             
1041             if (node->child2()->shouldSpeculateRegExpObject()) {
1042                 fixEdge<RegExpObjectUse>(node->child2());
1043
1044                 if (node->child3()->shouldSpeculateString())
1045                     fixEdge<StringUse>(node->child3());
1046             }
1047             break;
1048         }
1049
1050         case RegExpMatchFast: {
1051             fixEdge<KnownCellUse>(node->child1());
1052             fixEdge<RegExpObjectUse>(node->child2());
1053             fixEdge<StringUse>(node->child3());
1054             break;
1055         }
1056
1057         case StringReplace:
1058         case StringReplaceRegExp: {
1059             if (node->child2()->shouldSpeculateString()) {
1060                 m_insertionSet.insertNode(
1061                     m_indexInBlock, SpecNone, Check, node->origin,
1062                     Edge(node->child2().node(), StringUse));
1063                 fixEdge<StringUse>(node->child2());
1064             } else if (op == StringReplace) {
1065                 if (node->child2()->shouldSpeculateRegExpObject())
1066                     addStringReplacePrimordialChecks(node->child2().node());
1067                 else 
1068                     m_insertionSet.insertNode(
1069                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1070             }
1071
1072             if (node->child1()->shouldSpeculateString()
1073                 && node->child2()->shouldSpeculateRegExpObject()
1074                 && node->child3()->shouldSpeculateString()) {
1075
1076                 fixEdge<StringUse>(node->child1());
1077                 fixEdge<RegExpObjectUse>(node->child2());
1078                 fixEdge<StringUse>(node->child3());
1079                 break;
1080             }
1081             break;
1082         }
1083             
1084         case Branch: {
1085             if (node->child1()->shouldSpeculateBoolean()) {
1086                 if (node->child1()->result() == NodeResultBoolean) {
1087                     // This is necessary in case we have a bytecode instruction implemented by:
1088                     //
1089                     // a: CompareEq(...)
1090                     // b: Branch(@a)
1091                     //
1092                     // In that case, CompareEq might have a side-effect. Then, we need to make
1093                     // sure that we know that Branch does not exit.
1094                     fixEdge<KnownBooleanUse>(node->child1());
1095                 } else
1096                     fixEdge<BooleanUse>(node->child1());
1097             } else if (node->child1()->shouldSpeculateObjectOrOther())
1098                 fixEdge<ObjectOrOtherUse>(node->child1());
1099             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1100                 fixIntOrBooleanEdge(node->child1());
1101             else if (node->child1()->shouldSpeculateNumber())
1102                 fixEdge<DoubleRepUse>(node->child1());
1103             else if (node->child1()->shouldSpeculateString())
1104                 fixEdge<StringUse>(node->child1());
1105             else if (node->child1()->shouldSpeculateStringOrOther())
1106                 fixEdge<StringOrOtherUse>(node->child1());
1107             else {
1108                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1109                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1110                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1111             }
1112             break;
1113         }
1114             
1115         case Switch: {
1116             SwitchData* data = node->switchData();
1117             switch (data->kind) {
1118             case SwitchImm:
1119                 if (node->child1()->shouldSpeculateInt32())
1120                     fixEdge<Int32Use>(node->child1());
1121                 break;
1122             case SwitchChar:
1123                 if (node->child1()->shouldSpeculateString())
1124                     fixEdge<StringUse>(node->child1());
1125                 break;
1126             case SwitchString:
1127                 if (node->child1()->shouldSpeculateStringIdent())
1128                     fixEdge<StringIdentUse>(node->child1());
1129                 else if (node->child1()->shouldSpeculateString())
1130                     fixEdge<StringUse>(node->child1());
1131                 break;
1132             case SwitchCell:
1133                 if (node->child1()->shouldSpeculateCell())
1134                     fixEdge<CellUse>(node->child1());
1135                 // else it's fine for this to have UntypedUse; we will handle this by just making
1136                 // non-cells take the default case.
1137                 break;
1138             }
1139             break;
1140         }
1141             
1142         case ToPrimitive: {
1143             fixupToPrimitive(node);
1144             break;
1145         }
1146
1147         case ToNumber: {
1148             fixupToNumber(node);
1149             break;
1150         }
1151             
1152         case ToString:
1153         case CallStringConstructor: {
1154             fixupToStringOrCallStringConstructor(node);
1155             break;
1156         }
1157             
1158         case NewStringObject: {
1159             fixEdge<KnownStringUse>(node->child1());
1160             break;
1161         }
1162
1163         case NewArrayWithSpread: {
1164             watchHavingABadTime(node);
1165             
1166             BitVector* bitVector = node->bitVector();
1167             for (unsigned i = node->numChildren(); i--;) {
1168                 if (bitVector->get(i))
1169                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1170                 else
1171                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1172             }
1173
1174             break;
1175         }
1176
1177         case Spread: {
1178             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1179             
1180             watchHavingABadTime(node->child1().node());
1181
1182             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1183             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1184             // that it doesn't contain any indexed properties, and that any holes will result in
1185             // jsUndefined().
1186             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(vm());
1187             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(vm());
1188             if (node->child1()->shouldSpeculateArray()
1189                 && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
1190                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
1191                 && globalObject->arrayPrototypeChainIsSane()
1192                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1193                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1194                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
1195                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
1196                 fixEdge<ArrayUse>(node->child1());
1197             } else
1198                 fixEdge<CellUse>(node->child1());
1199             break;
1200         }
1201             
1202         case NewArray: {
1203             watchHavingABadTime(node);
1204             
1205             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1206                 node->setIndexingType(
1207                     leastUpperBoundOfIndexingTypeAndType(
1208                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1209             }
1210             switch (node->indexingType()) {
1211             case ALL_BLANK_INDEXING_TYPES:
1212                 CRASH();
1213                 break;
1214             case ALL_UNDECIDED_INDEXING_TYPES:
1215                 if (node->numChildren()) {
1216                     // This will only happen if the children have no type predictions. We
1217                     // would have already exited by now, but insert a forced exit just to
1218                     // be safe.
1219                     m_insertionSet.insertNode(
1220                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1221                 }
1222                 break;
1223             case ALL_INT32_INDEXING_TYPES:
1224                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1225                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1226                 break;
1227             case ALL_DOUBLE_INDEXING_TYPES:
1228                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1229                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1230                 break;
1231             case ALL_CONTIGUOUS_INDEXING_TYPES:
1232             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1233                 break;
1234             default:
1235                 CRASH();
1236                 break;
1237             }
1238             break;
1239         }
1240             
1241         case NewTypedArray: {
1242             watchHavingABadTime(node);
1243             
1244             if (node->child1()->shouldSpeculateInt32()) {
1245                 fixEdge<Int32Use>(node->child1());
1246                 node->clearFlags(NodeMustGenerate);
1247                 break;
1248             }
1249             break;
1250         }
1251             
1252         case NewArrayWithSize: {
1253             watchHavingABadTime(node);
1254             fixEdge<Int32Use>(node->child1());
1255             break;
1256         }
1257
1258         case NewArrayBuffer: {
1259             watchHavingABadTime(node);
1260             break;
1261         }
1262
1263         case ToObject: {
1264             fixupToObject(node);
1265             break;
1266         }
1267
1268         case CallObjectConstructor: {
1269             fixupCallObjectConstructor(node);
1270             break;
1271         }
1272
1273         case ToThis: {
1274             fixupToThis(node);
1275             break;
1276         }
1277             
1278         case PutStructure: {
1279             fixEdge<KnownCellUse>(node->child1());
1280             break;
1281         }
1282             
1283         case GetClosureVar:
1284         case GetFromArguments: {
1285             fixEdge<KnownCellUse>(node->child1());
1286             break;
1287         }
1288
1289         case PutClosureVar:
1290         case PutToArguments: {
1291             fixEdge<KnownCellUse>(node->child1());
1292             speculateForBarrier(node->child2());
1293             break;
1294         }
1295
1296         case SkipScope:
1297         case GetScope:
1298         case GetGetter:
1299         case GetSetter:
1300         case GetGlobalObject: {
1301             fixEdge<KnownCellUse>(node->child1());
1302             break;
1303         }
1304             
1305         case AllocatePropertyStorage:
1306         case ReallocatePropertyStorage: {
1307             fixEdge<KnownCellUse>(node->child1());
1308             break;
1309         }
1310             
1311         case NukeStructureAndSetButterfly: {
1312             fixEdge<KnownCellUse>(node->child1());
1313             break;
1314         }
1315
1316         case TryGetById: {
1317             if (node->child1()->shouldSpeculateCell())
1318                 fixEdge<CellUse>(node->child1());
1319             break;
1320         }
1321
1322         case GetByIdDirect:
1323         case GetByIdDirectFlush: {
1324             if (node->child1()->shouldSpeculateCell())
1325                 fixEdge<CellUse>(node->child1());
1326             break;
1327         }
1328
1329         case GetById:
1330         case GetByIdFlush: {
1331             // FIXME: This should be done in the ByteCodeParser based on reading the
1332             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1333             // https://bugs.webkit.org/show_bug.cgi?id=154990
1334             auto uid = m_graph.identifiers()[node->identifierNumber()];
1335             if (node->child1()->shouldSpeculateCellOrOther()
1336                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1337                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1338                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1339                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1340                 
1341                 if (uid == vm().propertyNames->length.impl()) {
1342                     attemptToMakeGetArrayLength(node);
1343                     break;
1344                 }
1345
1346                 if (uid == vm().propertyNames->lastIndex.impl()
1347                     && node->child1()->shouldSpeculateRegExpObject()) {
1348                     node->setOp(GetRegExpObjectLastIndex);
1349                     node->clearFlags(NodeMustGenerate);
1350                     fixEdge<RegExpObjectUse>(node->child1());
1351                     break;
1352                 }
1353             }
1354
1355             if (node->child1()->shouldSpeculateNumber()) {
1356                 if (uid == vm().propertyNames->toString.impl()) {
1357                     if (m_graph.isWatchingNumberToStringWatchpoint(node)) {
1358                         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
1359                         if (node->child1()->shouldSpeculateInt32()) {
1360                             insertCheck<Int32Use>(node->child1().node());
1361                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1362                             break;
1363                         }
1364
1365                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
1366                             insertCheck<Int52RepUse>(node->child1().node());
1367                             m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1368                             break;
1369                         }
1370
1371                         ASSERT(node->child1()->shouldSpeculateNumber());
1372                         insertCheck<DoubleRepUse>(node->child1().node());
1373                         m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
1374                         break;
1375                     }
1376                 }
1377             }
1378
1379             if (node->child1()->shouldSpeculateCell())
1380                 fixEdge<CellUse>(node->child1());
1381             break;
1382         }
1383         
1384         case GetByIdWithThis: {
1385             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1386                 fixEdge<CellUse>(node->child1());
1387                 fixEdge<CellUse>(node->child2());
1388             }
1389             break;
1390         }
1391
1392         case PutById:
1393         case PutByIdFlush:
1394         case PutByIdDirect: {
1395             if (node->child1()->shouldSpeculateCellOrOther()
1396                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1397                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1398                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1399                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1400                 
1401                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1402                 
1403                 if (uid == vm().propertyNames->lastIndex.impl()
1404                     && node->child1()->shouldSpeculateRegExpObject()) {
1405                     node->convertToSetRegExpObjectLastIndex();
1406                     fixEdge<RegExpObjectUse>(node->child1());
1407                     speculateForBarrier(node->child2());
1408                     break;
1409                 }
1410             }
1411             
1412             fixEdge<CellUse>(node->child1());
1413             break;
1414         }
1415
1416         case PutGetterById:
1417         case PutSetterById: {
1418             fixEdge<KnownCellUse>(node->child1());
1419             fixEdge<KnownCellUse>(node->child2());
1420             break;
1421         }
1422
1423         case PutGetterSetterById: {
1424             fixEdge<KnownCellUse>(node->child1());
1425             break;
1426         }
1427
1428         case PutGetterByVal:
1429         case PutSetterByVal: {
1430             fixEdge<KnownCellUse>(node->child1());
1431             fixEdge<KnownCellUse>(node->child3());
1432             break;
1433         }
1434
1435         case GetExecutable: {
1436             fixEdge<FunctionUse>(node->child1());
1437             break;
1438         }
1439
1440         case OverridesHasInstance:
1441         case CheckStructure:
1442         case CheckCell:
1443         case CreateThis:
1444         case GetButterfly: {
1445             fixEdge<CellUse>(node->child1());
1446             break;
1447         }
1448
1449         case ObjectCreate: {
1450             if (node->child1()->shouldSpeculateObject()) {
1451                 fixEdge<ObjectUse>(node->child1());
1452                 node->clearFlags(NodeMustGenerate);
1453                 break;
1454             }
1455             break;
1456         }
1457
1458         case CheckStringIdent: {
1459             fixEdge<StringIdentUse>(node->child1());
1460             break;
1461         }
1462             
1463         case Arrayify:
1464         case ArrayifyToStructure: {
1465             fixEdge<CellUse>(node->child1());
1466             if (node->child2())
1467                 fixEdge<Int32Use>(node->child2());
1468             break;
1469         }
1470             
1471         case GetByOffset:
1472         case GetGetterSetterByOffset: {
1473             if (!node->child1()->hasStorageResult())
1474                 fixEdge<KnownCellUse>(node->child1());
1475             fixEdge<KnownCellUse>(node->child2());
1476             break;
1477         }
1478             
1479         case MultiGetByOffset: {
1480             fixEdge<CellUse>(node->child1());
1481             break;
1482         }
1483             
1484         case PutByOffset: {
1485             if (!node->child1()->hasStorageResult())
1486                 fixEdge<KnownCellUse>(node->child1());
1487             fixEdge<KnownCellUse>(node->child2());
1488             unsigned index = indexForChecks();
1489             insertInferredTypeCheck(
1490                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1491                 node->storageAccessData().inferredType);
1492             speculateForBarrier(node->child3());
1493             break;
1494         }
1495             
1496         case MultiPutByOffset: {
1497             fixEdge<CellUse>(node->child1());
1498             break;
1499         }
1500             
1501         case MatchStructure: {
1502             // FIXME: Introduce a variant of MatchStructure that doesn't do a cell check.
1503             // https://bugs.webkit.org/show_bug.cgi?id=185784
1504             fixEdge<CellUse>(node->child1());
1505             break;
1506         }
1507             
1508         case InstanceOf: {
1509             if (node->child1()->shouldSpeculateCell()
1510                 && node->child2()->shouldSpeculateCell()
1511                 && is64Bit()) {
1512                 fixEdge<CellUse>(node->child1());
1513                 fixEdge<CellUse>(node->child2());
1514                 break;
1515             }
1516             break;
1517         }
1518
1519         case InstanceOfCustom:
1520             fixEdge<CellUse>(node->child2());
1521             break;
1522
1523         case InById: {
1524             fixEdge<CellUse>(node->child1());
1525             break;
1526         }
1527
1528         case InByVal: {
1529             if (node->child2()->shouldSpeculateInt32()) {
1530                 convertToHasIndexedProperty(node);
1531                 break;
1532             }
1533
1534             fixEdge<CellUse>(node->child1());
1535             break;
1536         }
1537
1538         case HasOwnProperty: {
1539             fixEdge<ObjectUse>(node->child1());
1540 #if CPU(X86)
1541             // We don't have enough registers to do anything interesting on x86 and mips.
1542             fixEdge<UntypedUse>(node->child2());
1543 #else
1544             if (node->child2()->shouldSpeculateString())
1545                 fixEdge<StringUse>(node->child2());
1546             else if (node->child2()->shouldSpeculateSymbol())
1547                 fixEdge<SymbolUse>(node->child2());
1548             else
1549                 fixEdge<UntypedUse>(node->child2());
1550 #endif
1551             break;
1552         }
1553
1554         case CheckVarargs:
1555         case Check: {
1556             m_graph.doToChildren(
1557                 node,
1558                 [&] (Edge& edge) {
1559                     switch (edge.useKind()) {
1560                     case NumberUse:
1561                         if (edge->shouldSpeculateInt32ForArithmetic())
1562                             edge.setUseKind(Int32Use);
1563                         break;
1564                     default:
1565                         break;
1566                     }
1567                     observeUseKindOnEdge(edge);
1568                 });
1569             break;
1570         }
1571
1572         case Phantom:
1573             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1574             node->remove(m_graph);
1575             break;
1576
1577         case FiatInt52: {
1578             RELEASE_ASSERT(enableInt52());
1579             node->convertToIdentity();
1580             fixEdge<Int52RepUse>(node->child1());
1581             node->setResult(NodeResultInt52);
1582             break;
1583         }
1584
1585         case GetArrayLength: {
1586             fixEdge<KnownCellUse>(node->child1());
1587             break;
1588         }
1589
1590         case GetTypedArrayByteOffset: {
1591             fixEdge<KnownCellUse>(node->child1());
1592             break;
1593         }
1594
1595         case CompareBelow:
1596         case CompareBelowEq: {
1597             fixEdge<Int32Use>(node->child1());
1598             fixEdge<Int32Use>(node->child2());
1599             break;
1600         }
1601
1602         case GetPrototypeOf: {
1603             fixupGetPrototypeOf(node);
1604             break;
1605         }
1606
1607         case Phi:
1608         case Upsilon:
1609         case EntrySwitch:
1610         case GetIndexedPropertyStorage:
1611         case LastNodeType:
1612         case CheckTierUpInLoop:
1613         case CheckTierUpAtReturn:
1614         case CheckTierUpAndOSREnter:
1615         case CheckArray:
1616         case CheckInBounds:
1617         case ConstantStoragePointer:
1618         case DoubleAsInt32:
1619         case ValueToInt32:
1620         case DoubleRep:
1621         case ValueRep:
1622         case Int52Rep:
1623         case Int52Constant:
1624         case Identity: // This should have been cleaned up.
1625         case BooleanToNumber:
1626         case PhantomNewObject:
1627         case PhantomNewFunction:
1628         case PhantomNewGeneratorFunction:
1629         case PhantomNewAsyncGeneratorFunction:
1630         case PhantomNewAsyncFunction:
1631         case PhantomCreateActivation:
1632         case PhantomDirectArguments:
1633         case PhantomCreateRest:
1634         case PhantomSpread:
1635         case PhantomNewArrayWithSpread:
1636         case PhantomNewArrayBuffer:
1637         case PhantomClonedArguments:
1638         case PhantomNewRegexp:
1639         case GetMyArgumentByVal:
1640         case GetMyArgumentByValOutOfBounds:
1641         case GetVectorLength:
1642         case PutHint:
1643         case CheckStructureImmediate:
1644         case CheckStructureOrEmpty:
1645         case MaterializeNewObject:
1646         case MaterializeCreateActivation:
1647         case PutStack:
1648         case KillStack:
1649         case GetStack:
1650         case StoreBarrier:
1651         case FencedStoreBarrier:
1652         case GetRegExpObjectLastIndex:
1653         case SetRegExpObjectLastIndex:
1654         case RecordRegExpCachedResult:
1655         case RegExpExecNonGlobalOrSticky:
1656         case RegExpMatchFastGlobal:
1657             // These are just nodes that we don't currently expect to see during fixup.
1658             // If we ever wanted to insert them prior to fixup, then we just have to create
1659             // fixup rules for them.
1660             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1661             break;
1662
1663         case PutGlobalVariable: {
1664             fixEdge<CellUse>(node->child1());
1665             speculateForBarrier(node->child2());
1666             break;
1667         }
1668
1669         case IsObject:
1670             if (node->child1()->shouldSpeculateObject()) {
1671                 m_insertionSet.insertNode(
1672                     m_indexInBlock, SpecNone, Check, node->origin,
1673                     Edge(node->child1().node(), ObjectUse));
1674                 m_graph.convertToConstant(node, jsBoolean(true));
1675                 observeUseKindOnNode<ObjectUse>(node);
1676             }
1677             break;
1678
1679         case IsCellWithType: {
1680             fixupIsCellWithType(node);
1681             break;
1682         }
1683
1684         case GetEnumerableLength: {
1685             fixEdge<CellUse>(node->child1());
1686             break;
1687         }
1688         case HasGenericProperty: {
1689             fixEdge<CellUse>(node->child2());
1690             break;
1691         }
1692         case HasStructureProperty: {
1693             fixEdge<StringUse>(node->child2());
1694             fixEdge<KnownCellUse>(node->child3());
1695             break;
1696         }
1697         case HasIndexedProperty: {
1698             node->setArrayMode(
1699                 node->arrayMode().refine(
1700                     m_graph, node,
1701                     node->child1()->prediction(),
1702                     node->child2()->prediction(),
1703                     SpecNone));
1704             
1705             blessArrayOperation(node->child1(), node->child2(), node->child3());
1706             fixEdge<CellUse>(node->child1());
1707             fixEdge<KnownInt32Use>(node->child2());
1708             break;
1709         }
1710         case GetDirectPname: {
1711             Edge& base = m_graph.varArgChild(node, 0);
1712             Edge& property = m_graph.varArgChild(node, 1);
1713             Edge& index = m_graph.varArgChild(node, 2);
1714             Edge& enumerator = m_graph.varArgChild(node, 3);
1715             fixEdge<CellUse>(base);
1716             fixEdge<KnownCellUse>(property);
1717             fixEdge<KnownInt32Use>(index);
1718             fixEdge<KnownCellUse>(enumerator);
1719             break;
1720         }
1721         case GetPropertyEnumerator: {
1722             if (node->child1()->shouldSpeculateCell())
1723                 fixEdge<CellUse>(node->child1());
1724             break;
1725         }
1726         case GetEnumeratorStructurePname: {
1727             fixEdge<KnownCellUse>(node->child1());
1728             fixEdge<KnownInt32Use>(node->child2());
1729             break;
1730         }
1731         case GetEnumeratorGenericPname: {
1732             fixEdge<KnownCellUse>(node->child1());
1733             fixEdge<KnownInt32Use>(node->child2());
1734             break;
1735         }
1736         case ToIndexString: {
1737             fixEdge<KnownInt32Use>(node->child1());
1738             break;
1739         }
1740         case ProfileType: {
1741             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1742             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1743             // type T for the instructionTypeSet, the global type set must also have information for type T.
1744             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1745             // in the globalTypeSet would've also succeeded.
1746             // (The other direction does not hold in general).
1747
1748             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1749             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1750             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1751                 if (node->child1()->shouldSpeculateInt32()) {
1752                     fixEdge<Int32Use>(node->child1());
1753                     node->remove(m_graph);
1754                     break;
1755                 }
1756
1757                 if (enableInt52()) {
1758                     fixEdge<AnyIntUse>(node->child1());
1759                     node->remove(m_graph);
1760                     break;
1761                 }
1762
1763                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1764             }
1765
1766             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1767                 fixEdge<NumberUse>(node->child1());
1768                 node->remove(m_graph);
1769             } else if (typeSet->doesTypeConformTo(TypeString)) {
1770                 fixEdge<StringUse>(node->child1());
1771                 node->remove(m_graph);
1772             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1773                 fixEdge<BooleanUse>(node->child1());
1774                 node->remove(m_graph);
1775             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1776                 fixEdge<OtherUse>(node->child1());
1777                 node->remove(m_graph);
1778             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1779                 StructureSet set;
1780                 {
1781                     ConcurrentJSLocker locker(typeSet->m_lock);
1782                     set = typeSet->structureSet(locker);
1783                 }
1784                 if (!set.isEmpty()) {
1785                     fixEdge<CellUse>(node->child1());
1786                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1787                 }
1788             }
1789
1790             break;
1791         }
1792
1793         case CreateClonedArguments: {
1794             watchHavingABadTime(node);
1795             break;
1796         }
1797
1798         case CreateScopedArguments:
1799         case CreateActivation:
1800         case NewFunction:
1801         case NewGeneratorFunction:
1802         case NewAsyncGeneratorFunction:
1803         case NewAsyncFunction: {
1804             // Child 1 is always the current scope, which is guaranteed to be an object
1805             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1806             fixEdge<KnownCellUse>(node->child1());
1807             break;
1808         }
1809
1810         case PushWithScope: {
1811             // Child 1 is always the current scope, which is guaranteed to be an object
1812             // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
1813             fixEdge<KnownCellUse>(node->child1());
1814             if (node->child2()->shouldSpeculateObject())
1815                 fixEdge<ObjectUse>(node->child2());
1816             break;
1817         }
1818
1819         case SetFunctionName: {
1820             // The first child is guaranteed to be a cell because op_set_function_name is only used
1821             // on a newly instantiated function object (the first child).
1822             fixEdge<KnownCellUse>(node->child1());
1823             fixEdge<UntypedUse>(node->child2());
1824             break;
1825         }
1826
1827         case CreateRest: {
1828             watchHavingABadTime(node);
1829             fixEdge<KnownInt32Use>(node->child1());
1830             break;
1831         }
1832
1833         case ResolveScopeForHoistingFuncDeclInEval: {
1834             fixEdge<KnownCellUse>(node->child1());
1835             break;
1836         }
1837         case ResolveScope:
1838         case GetDynamicVar:
1839         case PutDynamicVar: {
1840             fixEdge<KnownCellUse>(node->child1());
1841             break;
1842         }
1843
1844         case LogShadowChickenPrologue: {
1845             fixEdge<KnownCellUse>(node->child1());
1846             break;
1847         }
1848         case LogShadowChickenTail: {
1849             fixEdge<UntypedUse>(node->child1());
1850             fixEdge<KnownCellUse>(node->child2());
1851             break;
1852         }
1853
1854         case GetMapBucket:
1855             if (node->child1().useKind() == MapObjectUse)
1856                 fixEdge<MapObjectUse>(node->child1());
1857             else if (node->child1().useKind() == SetObjectUse)
1858                 fixEdge<SetObjectUse>(node->child1());
1859             else
1860                 RELEASE_ASSERT_NOT_REACHED();
1861
1862 #if USE(JSVALUE64)
1863             if (node->child2()->shouldSpeculateBoolean())
1864                 fixEdge<BooleanUse>(node->child2());
1865             else if (node->child2()->shouldSpeculateInt32())
1866                 fixEdge<Int32Use>(node->child2());
1867             else if (node->child2()->shouldSpeculateSymbol())
1868                 fixEdge<SymbolUse>(node->child2());
1869             else if (node->child2()->shouldSpeculateObject())
1870                 fixEdge<ObjectUse>(node->child2());
1871             else if (node->child2()->shouldSpeculateString())
1872                 fixEdge<StringUse>(node->child2());
1873             else if (node->child2()->shouldSpeculateCell())
1874                 fixEdge<CellUse>(node->child2());
1875             else
1876                 fixEdge<UntypedUse>(node->child2());
1877 #else
1878             fixEdge<UntypedUse>(node->child2());
1879 #endif // USE(JSVALUE64)
1880
1881             fixEdge<Int32Use>(node->child3());
1882             break;
1883
1884         case GetMapBucketHead:
1885             if (node->child1().useKind() == MapObjectUse)
1886                 fixEdge<MapObjectUse>(node->child1());
1887             else if (node->child1().useKind() == SetObjectUse)
1888                 fixEdge<SetObjectUse>(node->child1());
1889             else
1890                 RELEASE_ASSERT_NOT_REACHED();
1891             break;
1892
1893         case GetMapBucketNext:
1894         case LoadKeyFromMapBucket:
1895         case LoadValueFromMapBucket:
1896             fixEdge<CellUse>(node->child1());
1897             break;
1898
1899         case MapHash: {
1900 #if USE(JSVALUE64)
1901             if (node->child1()->shouldSpeculateBoolean()) {
1902                 fixEdge<BooleanUse>(node->child1());
1903                 break;
1904             }
1905
1906             if (node->child1()->shouldSpeculateInt32()) {
1907                 fixEdge<Int32Use>(node->child1());
1908                 break;
1909             }
1910
1911             if (node->child1()->shouldSpeculateSymbol()) {
1912                 fixEdge<SymbolUse>(node->child1());
1913                 break;
1914             }
1915
1916             if (node->child1()->shouldSpeculateObject()) {
1917                 fixEdge<ObjectUse>(node->child1());
1918                 break;
1919             }
1920
1921             if (node->child1()->shouldSpeculateString()) {
1922                 fixEdge<StringUse>(node->child1());
1923                 break;
1924             }
1925
1926             if (node->child1()->shouldSpeculateCell()) {
1927                 fixEdge<CellUse>(node->child1());
1928                 break;
1929             }
1930
1931             fixEdge<UntypedUse>(node->child1());
1932 #else
1933             fixEdge<UntypedUse>(node->child1());
1934 #endif // USE(JSVALUE64)
1935             break;
1936         }
1937
1938         case NormalizeMapKey: {
1939             fixupNormalizeMapKey(node);
1940             break;
1941         }
1942
1943         case WeakMapGet: {
1944             if (node->child1().useKind() == WeakMapObjectUse)
1945                 fixEdge<WeakMapObjectUse>(node->child1());
1946             else if (node->child1().useKind() == WeakSetObjectUse)
1947                 fixEdge<WeakSetObjectUse>(node->child1());
1948             else
1949                 RELEASE_ASSERT_NOT_REACHED();
1950             fixEdge<ObjectUse>(node->child2());
1951             fixEdge<Int32Use>(node->child3());
1952             break;
1953         }
1954
1955         case SetAdd: {
1956             fixEdge<SetObjectUse>(node->child1());
1957             fixEdge<Int32Use>(node->child3());
1958             break;
1959         }
1960
1961         case MapSet: {
1962             fixEdge<MapObjectUse>(m_graph.varArgChild(node, 0));
1963             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1964             break;
1965         }
1966
1967         case WeakSetAdd: {
1968             fixEdge<WeakSetObjectUse>(node->child1());
1969             fixEdge<ObjectUse>(node->child2());
1970             fixEdge<Int32Use>(node->child3());
1971             break;
1972         }
1973
1974         case WeakMapSet: {
1975             fixEdge<WeakMapObjectUse>(m_graph.varArgChild(node, 0));
1976             fixEdge<ObjectUse>(m_graph.varArgChild(node, 1));
1977             fixEdge<Int32Use>(m_graph.varArgChild(node, 3));
1978             break;
1979         }
1980
1981         case DefineDataProperty: {
1982             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1983             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1984             if (propertyEdge->shouldSpeculateSymbol())
1985                 fixEdge<SymbolUse>(propertyEdge);
1986             else if (propertyEdge->shouldSpeculateStringIdent())
1987                 fixEdge<StringIdentUse>(propertyEdge);
1988             else if (propertyEdge->shouldSpeculateString())
1989                 fixEdge<StringUse>(propertyEdge);
1990             else
1991                 fixEdge<UntypedUse>(propertyEdge);
1992             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1993             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1994             break;
1995         }
1996
1997         case StringValueOf: {
1998             fixupStringValueOf(node);
1999             break;
2000         }
2001
2002         case StringSlice: {
2003             fixEdge<StringUse>(node->child1());
2004             fixEdge<Int32Use>(node->child2());
2005             if (node->child3())
2006                 fixEdge<Int32Use>(node->child3());
2007             break;
2008         }
2009
2010         case ToLowerCase: {
2011             // We currently only support StringUse since that will ensure that
2012             // ToLowerCase is a pure operation. If we decide to update this with
2013             // more types in the future, we need to ensure that the clobberize rules
2014             // are correct.
2015             fixEdge<StringUse>(node->child1());
2016             break;
2017         }
2018
2019         case NumberToStringWithRadix: {
2020             if (node->child1()->shouldSpeculateInt32())
2021                 fixEdge<Int32Use>(node->child1());
2022             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
2023                 fixEdge<Int52RepUse>(node->child1());
2024             else
2025                 fixEdge<DoubleRepUse>(node->child1());
2026             fixEdge<Int32Use>(node->child2());
2027             break;
2028         }
2029
2030         case DefineAccessorProperty: {
2031             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
2032             Edge& propertyEdge = m_graph.varArgChild(node, 1);
2033             if (propertyEdge->shouldSpeculateSymbol())
2034                 fixEdge<SymbolUse>(propertyEdge);
2035             else if (propertyEdge->shouldSpeculateStringIdent())
2036                 fixEdge<StringIdentUse>(propertyEdge);
2037             else if (propertyEdge->shouldSpeculateString())
2038                 fixEdge<StringUse>(propertyEdge);
2039             else
2040                 fixEdge<UntypedUse>(propertyEdge);
2041             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
2042             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
2043             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
2044             break;
2045         }
2046
2047         case CheckSubClass: {
2048             fixupCheckSubClass(node);
2049             break;
2050         }
2051
2052         case CallDOMGetter: {
2053             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
2054             fixEdge<CellUse>(node->child1()); // DOM.
2055             if (snippet && snippet->requireGlobalObject)
2056                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
2057             break;
2058         }
2059
2060         case CallDOM: {
2061             fixupCallDOM(node);
2062             break;
2063         }
2064
2065         case Call: {
2066             attemptToMakeCallDOM(node);
2067             break;
2068         }
2069
2070         case ParseInt: {
2071             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
2072                 fixEdge<Int32Use>(node->child1());
2073                 node->convertToIdentity();
2074                 break;
2075             }
2076
2077             if (node->child1()->shouldSpeculateString()) {
2078                 fixEdge<StringUse>(node->child1());
2079                 node->clearFlags(NodeMustGenerate);
2080             }
2081
2082             if (node->child2())
2083                 fixEdge<Int32Use>(node->child2());
2084
2085             break;
2086         }
2087
2088         case IdentityWithProfile: {
2089             node->clearFlags(NodeMustGenerate);
2090             break;
2091         }
2092
2093         case ThrowStaticError:
2094             fixEdge<StringUse>(node->child1());
2095             break;
2096
2097         case NumberIsInteger:
2098             if (node->child1()->shouldSpeculateInt32()) {
2099                 m_insertionSet.insertNode(
2100                     m_indexInBlock, SpecNone, Check, node->origin,
2101                     Edge(node->child1().node(), Int32Use));
2102                 m_graph.convertToConstant(node, jsBoolean(true));
2103                 break;
2104             }
2105             break;
2106
2107         case SetCallee:
2108             fixEdge<CellUse>(node->child1());
2109             break;
2110
2111         case DataViewGetInt:
2112         case DataViewGetFloat: {
2113             fixEdge<DataViewObjectUse>(node->child1());
2114             fixEdge<Int32Use>(node->child2());
2115             if (node->child3())
2116                 fixEdge<BooleanUse>(node->child3());
2117
2118             if (node->op() == DataViewGetInt) {
2119                 DataViewData data = node->dataViewData();
2120                 switch (data.byteSize) {
2121                 case 1:
2122                 case 2:
2123                     node->setResult(NodeResultInt32);
2124                     break;
2125                 case 4:
2126                     if (data.isSigned)
2127                         node->setResult(NodeResultInt32);
2128                     else
2129                         node->setResult(NodeResultInt52);
2130                     break;
2131                 default:
2132                     RELEASE_ASSERT_NOT_REACHED();
2133                 }
2134             }
2135             break;
2136         }
2137
2138         case DataViewSet: {
2139             fixEdge<DataViewObjectUse>(m_graph.varArgChild(node, 0));
2140             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
2141             if (m_graph.varArgChild(node, 3))
2142                 fixEdge<BooleanUse>(m_graph.varArgChild(node, 3));
2143             
2144             DataViewData data = node->dataViewData();
2145             Edge& valueToStore = m_graph.varArgChild(node, 2);
2146             if (data.isFloatingPoint)
2147                 fixEdge<DoubleRepUse>(valueToStore);
2148             else {
2149                 switch (data.byteSize) {
2150                 case 1:
2151                 case 2:
2152                     fixEdge<Int32Use>(valueToStore);
2153                     break;
2154                 case 4:
2155                     if (data.isSigned)
2156                         fixEdge<Int32Use>(valueToStore);
2157                     else
2158                         fixEdge<Int52RepUse>(valueToStore);
2159                     break;
2160                 }
2161             }
2162             break;
2163         }
2164
2165 #if !ASSERT_DISABLED
2166         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
2167         case SetArgument:
2168         case JSConstant:
2169         case LazyJSConstant:
2170         case DoubleConstant:
2171         case GetLocal:
2172         case GetCallee:
2173         case GetArgumentCountIncludingThis:
2174         case SetArgumentCountIncludingThis:
2175         case GetRestLength:
2176         case GetArgument:
2177         case Flush:
2178         case PhantomLocal:
2179         case GetGlobalVar:
2180         case GetGlobalLexicalVariable:
2181         case NotifyWrite:
2182         case DirectCall:
2183         case CheckTypeInfoFlags:
2184         case TailCallInlinedCaller:
2185         case DirectTailCallInlinedCaller:
2186         case Construct:
2187         case DirectConstruct:
2188         case CallVarargs:
2189         case CallEval:
2190         case TailCallVarargsInlinedCaller:
2191         case ConstructVarargs:
2192         case CallForwardVarargs:
2193         case ConstructForwardVarargs:
2194         case TailCallForwardVarargs:
2195         case TailCallForwardVarargsInlinedCaller:
2196         case LoadVarargs:
2197         case ForwardVarargs:
2198         case ProfileControlFlow:
2199         case NewObject:
2200         case NewRegexp:
2201         case DeleteById:
2202         case DeleteByVal:
2203         case IsTypedArrayView:
2204         case IsEmpty:
2205         case IsUndefined:
2206         case IsBoolean:
2207         case IsNumber:
2208         case IsObjectOrNull:
2209         case IsFunction:
2210         case CreateDirectArguments:
2211         case Jump:
2212         case Return:
2213         case TailCall:
2214         case DirectTailCall:
2215         case TailCallVarargs:
2216         case Throw:
2217         case CountExecution:
2218         case SuperSamplerBegin:
2219         case SuperSamplerEnd:
2220         case ForceOSRExit:
2221         case CheckBadCell:
2222         case CheckNotEmpty:
2223         case AssertNotEmpty:
2224         case CheckTraps:
2225         case Unreachable:
2226         case ExtractOSREntryLocal:
2227         case ExtractCatchLocal:
2228         case ClearCatchLocals:
2229         case LoopHint:
2230         case MovHint:
2231         case InitializeEntrypointArguments:
2232         case ZombieHint:
2233         case ExitOK:
2234         case BottomValue:
2235         case TypeOf:
2236         case PutByIdWithThis:
2237         case PutByValWithThis:
2238         case GetByValWithThis:
2239         case CompareEqPtr:
2240         case NumberToStringWithValidRadixConstant:
2241         case GetGlobalThis:
2242         case ExtractValueFromWeakMapGet:
2243         case CPUIntrinsic:
2244         case FilterCallLinkStatus:
2245         case FilterGetByIdStatus:
2246         case FilterPutByIdStatus:
2247         case FilterInByIdStatus:
2248         case InvalidationPoint:
2249             break;
2250 #else
2251         default:
2252             break;
2253 #endif
2254         }
2255     }
2256
2257     void watchHavingABadTime(Node* node)
2258     {
2259         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2260
2261         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2262         // does an array allocation. The types of array allocations may change if we start to have a bad
2263         // time. It's easier to reason about this if we know that whenever the types change after we start
2264         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2265         // prior to this point nobody should have been doing optimizations based on the indexing type of
2266         // the allocation.
2267         if (!globalObject->isHavingABadTime()) {
2268             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2269             m_graph.freeze(globalObject);
2270         }
2271     }
2272     
2273     template<UseKind useKind>
2274     void createToString(Node* node, Edge& edge)
2275     {
2276         Node* toString = m_insertionSet.insertNode(
2277             m_indexInBlock, SpecString, ToString, node->origin,
2278             Edge(edge.node(), useKind));
2279         switch (useKind) {
2280         case Int32Use:
2281         case Int52RepUse:
2282         case DoubleRepUse:
2283         case NotCellUse:
2284             toString->clearFlags(NodeMustGenerate);
2285             break;
2286         default:
2287             break;
2288         }
2289         edge.setNode(toString);
2290     }
2291     
2292     template<UseKind useKind>
2293     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2294     {
2295         ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
2296         
2297         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2298             return;
2299         
2300         createToString<useKind>(node, node->child1());
2301         arrayMode = ArrayMode(Array::String, Array::Read);
2302     }
2303     
2304     template<UseKind useKind>
2305     bool isStringObjectUse()
2306     {
2307         switch (useKind) {
2308         case StringObjectUse:
2309         case StringOrStringObjectUse:
2310             return true;
2311         default:
2312             return false;
2313         }
2314     }
2315     
2316     template<UseKind useKind>
2317     void convertStringAddUse(Node* node, Edge& edge)
2318     {
2319         if (useKind == StringUse) {
2320             observeUseKindOnNode<StringUse>(edge.node());
2321             m_insertionSet.insertNode(
2322                 m_indexInBlock, SpecNone, Check, node->origin,
2323                 Edge(edge.node(), StringUse));
2324             edge.setUseKind(KnownStringUse);
2325             return;
2326         }
2327         
2328         observeUseKindOnNode<useKind>(edge.node());
2329         createToString<useKind>(node, edge);
2330     }
2331     
2332     void convertToMakeRope(Node* node)
2333     {
2334         node->setOpAndDefaultFlags(MakeRope);
2335         fixupMakeRope(node);
2336     }
2337     
2338     void fixupMakeRope(Node* node)
2339     {
2340         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2341             Edge& edge = node->children.child(i);
2342             if (!edge)
2343                 break;
2344             edge.setUseKind(KnownStringUse);
2345             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2346             if (!string)
2347                 continue;
2348             if (string->length())
2349                 continue;
2350             
2351             // Don't allow the MakeRope to have zero children.
2352             if (!i && !node->child2())
2353                 break;
2354             
2355             node->children.removeEdge(i--);
2356         }
2357         
2358         if (!node->child2()) {
2359             ASSERT(!node->child3());
2360             node->convertToIdentity();
2361         }
2362     }
2363
2364     void fixupIsCellWithType(Node* node)
2365     {
2366         switch (node->speculatedTypeForQuery()) {
2367         case SpecString:
2368             if (node->child1()->shouldSpeculateString()) {
2369                 m_insertionSet.insertNode(
2370                     m_indexInBlock, SpecNone, Check, node->origin,
2371                     Edge(node->child1().node(), StringUse));
2372                 m_graph.convertToConstant(node, jsBoolean(true));
2373                 observeUseKindOnNode<StringUse>(node);
2374                 return;
2375             }
2376             break;
2377
2378         case SpecProxyObject:
2379             if (node->child1()->shouldSpeculateProxyObject()) {
2380                 m_insertionSet.insertNode(
2381                     m_indexInBlock, SpecNone, Check, node->origin,
2382                     Edge(node->child1().node(), ProxyObjectUse));
2383                 m_graph.convertToConstant(node, jsBoolean(true));
2384                 observeUseKindOnNode<ProxyObjectUse>(node);
2385                 return;
2386             }
2387             break;
2388
2389         case SpecRegExpObject:
2390             if (node->child1()->shouldSpeculateRegExpObject()) {
2391                 m_insertionSet.insertNode(
2392                     m_indexInBlock, SpecNone, Check, node->origin,
2393                     Edge(node->child1().node(), RegExpObjectUse));
2394                 m_graph.convertToConstant(node, jsBoolean(true));
2395                 observeUseKindOnNode<RegExpObjectUse>(node);
2396                 return;
2397             }
2398             break;
2399
2400         case SpecArray:
2401             if (node->child1()->shouldSpeculateArray()) {
2402                 m_insertionSet.insertNode(
2403                     m_indexInBlock, SpecNone, Check, node->origin,
2404                     Edge(node->child1().node(), ArrayUse));
2405                 m_graph.convertToConstant(node, jsBoolean(true));
2406                 observeUseKindOnNode<ArrayUse>(node);
2407                 return;
2408             }
2409             break;
2410
2411         case SpecDerivedArray:
2412             if (node->child1()->shouldSpeculateDerivedArray()) {
2413                 m_insertionSet.insertNode(
2414                     m_indexInBlock, SpecNone, Check, node->origin,
2415                     Edge(node->child1().node(), DerivedArrayUse));
2416                 m_graph.convertToConstant(node, jsBoolean(true));
2417                 observeUseKindOnNode<DerivedArrayUse>(node);
2418                 return;
2419             }
2420             break;
2421         }
2422
2423         if (node->child1()->shouldSpeculateCell()) {
2424             fixEdge<CellUse>(node->child1());
2425             return;
2426         }
2427
2428         if (node->child1()->shouldSpeculateNotCell()) {
2429             m_insertionSet.insertNode(
2430                 m_indexInBlock, SpecNone, Check, node->origin,
2431                 Edge(node->child1().node(), NotCellUse));
2432             m_graph.convertToConstant(node, jsBoolean(false));
2433             observeUseKindOnNode<NotCellUse>(node);
2434             return;
2435         }
2436     }
2437
2438     void fixupGetPrototypeOf(Node* node)
2439     {
2440         // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.
2441         if (node->child1().useKind() != ObjectUse) {
2442             if (node->child1()->shouldSpeculateString()) {
2443                 insertCheck<StringUse>(node->child1().node());
2444                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));
2445                 return;
2446             }
2447             if (node->child1()->shouldSpeculateInt32()) {
2448                 insertCheck<Int32Use>(node->child1().node());
2449                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2450                 return;
2451             }
2452             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2453                 insertCheck<Int52RepUse>(node->child1().node());
2454                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2455                 return;
2456             }
2457             if (node->child1()->shouldSpeculateNumber()) {
2458                 insertCheck<NumberUse>(node->child1().node());
2459                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
2460                 return;
2461             }
2462             if (node->child1()->shouldSpeculateSymbol()) {
2463                 insertCheck<SymbolUse>(node->child1().node());
2464                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));
2465                 return;
2466             }
2467             if (node->child1()->shouldSpeculateBoolean()) {
2468                 insertCheck<BooleanUse>(node->child1().node());
2469                 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));
2470                 return;
2471             }
2472         }
2473
2474         if (node->child1()->shouldSpeculateFinalObject()) {
2475             fixEdge<FinalObjectUse>(node->child1());
2476             node->clearFlags(NodeMustGenerate);
2477             return;
2478         }
2479         if (node->child1()->shouldSpeculateArray()) {
2480             fixEdge<ArrayUse>(node->child1());
2481             node->clearFlags(NodeMustGenerate);
2482             return;
2483         }
2484         if (node->child1()->shouldSpeculateFunction()) {
2485             fixEdge<FunctionUse>(node->child1());
2486             node->clearFlags(NodeMustGenerate);
2487             return;
2488         }
2489     }
2490
2491     void fixupToThis(Node* node)
2492     {
2493         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2494
2495         if (ecmaMode == StrictMode) {
2496             if (node->child1()->shouldSpeculateBoolean()) {
2497                 fixEdge<BooleanUse>(node->child1());
2498                 node->convertToIdentity();
2499                 return;
2500             }
2501
2502             if (node->child1()->shouldSpeculateInt32()) {
2503                 fixEdge<Int32Use>(node->child1());
2504                 node->convertToIdentity();
2505                 return;
2506             }
2507
2508             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2509                 fixEdge<Int52RepUse>(node->child1());
2510                 node->convertToIdentity();
2511                 node->setResult(NodeResultInt52);
2512                 return;
2513             }
2514
2515             if (node->child1()->shouldSpeculateNumber()) {
2516                 fixEdge<DoubleRepUse>(node->child1());
2517                 node->convertToIdentity();
2518                 node->setResult(NodeResultDouble);
2519                 return;
2520             }
2521
2522             if (node->child1()->shouldSpeculateSymbol()) {
2523                 fixEdge<SymbolUse>(node->child1());
2524                 node->convertToIdentity();
2525                 return;
2526             }
2527
2528             if (node->child1()->shouldSpeculateStringIdent()) {
2529                 fixEdge<StringIdentUse>(node->child1());
2530                 node->convertToIdentity();
2531                 return;
2532             }
2533
2534             if (node->child1()->shouldSpeculateString()) {
2535                 fixEdge<StringUse>(node->child1());
2536                 node->convertToIdentity();
2537                 return;
2538             }
2539             
2540             if (node->child1()->shouldSpeculateBigInt()) {
2541                 fixEdge<BigIntUse>(node->child1());
2542                 node->convertToIdentity();
2543                 return;
2544             }
2545         }
2546
2547         if (node->child1()->shouldSpeculateOther()) {
2548             if (ecmaMode == StrictMode) {
2549                 fixEdge<OtherUse>(node->child1());
2550                 node->convertToIdentity();
2551                 return;
2552             }
2553
2554             m_insertionSet.insertNode(
2555                 m_indexInBlock, SpecNone, Check, node->origin,
2556                 Edge(node->child1().node(), OtherUse));
2557             observeUseKindOnNode<OtherUse>(node->child1().node());
2558             m_graph.convertToConstant(
2559                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2560             return;
2561         }
2562
2563         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2564         // however, since we cover all the missing cases in constant folding.
2565         // https://bugs.webkit.org/show_bug.cgi?id=157213
2566         if (node->child1()->shouldSpeculateStringObject()) {
2567             fixEdge<StringObjectUse>(node->child1());
2568             node->convertToIdentity();
2569             return;
2570         }
2571
2572         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2573             fixEdge<FinalObjectUse>(node->child1());
2574             node->convertToIdentity();
2575             return;
2576         }
2577     }
2578     
2579     void fixupToPrimitive(Node* node)
2580     {
2581         if (node->child1()->shouldSpeculateInt32()) {
2582             fixEdge<Int32Use>(node->child1());
2583             node->convertToIdentity();
2584             return;
2585         }
2586         
2587         if (node->child1()->shouldSpeculateString()) {
2588             fixEdge<StringUse>(node->child1());
2589             node->convertToIdentity();
2590             return;
2591         }
2592         
2593         if (node->child1()->shouldSpeculateStringObject()
2594             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2595             fixEdge<StringObjectUse>(node->child1());
2596             node->convertToToString();
2597             return;
2598         }
2599         
2600         if (node->child1()->shouldSpeculateStringOrStringObject()
2601             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2602             fixEdge<StringOrStringObjectUse>(node->child1());
2603             node->convertToToString();
2604             return;
2605         }
2606     }
2607
2608     void fixupToNumber(Node* node)
2609     {
2610         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2611         if (node->child1()->shouldSpeculateNumber()) {
2612             if (isInt32Speculation(node->getHeapPrediction())) {
2613                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2614                 if (node->child1()->shouldSpeculateInt32()) {
2615                     fixEdge<Int32Use>(node->child1());
2616                     node->convertToIdentity();
2617                     return;
2618                 }
2619
2620                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2621                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2622                 fixEdge<DoubleRepUse>(node->child1());
2623                 node->setOp(DoubleAsInt32);
2624                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2625                     node->setArithMode(Arith::CheckOverflow);
2626                 else
2627                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2628                 return;
2629             }
2630
2631             fixEdge<DoubleRepUse>(node->child1());
2632             node->convertToIdentity();
2633             node->setResult(NodeResultDouble);
2634             return;
2635         }
2636
2637         fixEdge<UntypedUse>(node->child1());
2638         node->setResult(NodeResultJS);
2639     }
2640
2641     void fixupToObject(Node* node)
2642     {
2643         if (node->child1()->shouldSpeculateObject()) {
2644             fixEdge<ObjectUse>(node->child1());
2645             node->convertToIdentity();
2646             return;
2647         }
2648
2649         // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
2650
2651         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2652
2653         if (node->child1()->shouldSpeculateString()) {
2654             insertCheck<StringUse>(node->child1().node());
2655             fixEdge<KnownStringUse>(node->child1());
2656             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2657             return;
2658         }
2659
2660         if (node->child1()->shouldSpeculateSymbol()) {
2661             insertCheck<SymbolUse>(node->child1().node());
2662             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2663             return;
2664         }
2665
2666         if (node->child1()->shouldSpeculateNumber()) {
2667             insertCheck<NumberUse>(node->child1().node());
2668             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2669             return;
2670         }
2671
2672         if (node->child1()->shouldSpeculateBoolean()) {
2673             insertCheck<BooleanUse>(node->child1().node());
2674             node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
2675             return;
2676         }
2677
2678         fixEdge<UntypedUse>(node->child1());
2679     }
2680
2681     void fixupCallObjectConstructor(Node* node)
2682     {
2683         if (node->child1()->shouldSpeculateObject()) {
2684             fixEdge<ObjectUse>(node->child1());
2685             node->convertToIdentity();
2686             return;
2687         }
2688
2689         if (node->child1()->shouldSpeculateString()) {
2690             auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
2691             insertCheck<StringUse>(node->child1().node());
2692             fixEdge<KnownStringUse>(node->child1());
2693             node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
2694             return;
2695         }
2696
2697         // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
2698         if (node->child1()->shouldSpeculateOther()) {
2699             insertCheck<OtherUse>(node->child1().node());
2700             node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
2701             return;
2702         }
2703
2704         fixEdge<UntypedUse>(node->child1());
2705     }
2706     
2707     void fixupToStringOrCallStringConstructor(Node* node)
2708     {
2709         if (node->child1()->shouldSpeculateString()) {
2710             fixEdge<StringUse>(node->child1());
2711             node->convertToIdentity();
2712             return;
2713         }
2714         
2715         if (node->child1()->shouldSpeculateStringObject()
2716             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2717             fixEdge<StringObjectUse>(node->child1());
2718             return;
2719         }
2720         
2721         if (node->child1()->shouldSpeculateStringOrStringObject()
2722             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2723             fixEdge<StringOrStringObjectUse>(node->child1());
2724             return;
2725         }
2726         
2727         if (node->child1()->shouldSpeculateCell()) {
2728             fixEdge<CellUse>(node->child1());
2729             return;
2730         }
2731
2732         if (node->child1()->shouldSpeculateInt32()) {
2733             fixEdge<Int32Use>(node->child1());
2734             node->clearFlags(NodeMustGenerate);
2735             return;
2736         }
2737
2738         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2739             fixEdge<Int52RepUse>(node->child1());
2740             node->clearFlags(NodeMustGenerate);
2741             return;
2742         }
2743
2744         if (node->child1()->shouldSpeculateNumber()) {
2745             fixEdge<DoubleRepUse>(node->child1());
2746             node->clearFlags(NodeMustGenerate);
2747             return;
2748         }
2749
2750         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2751         // we need to care about it in the clobberize. In the following case,
2752         // since NotCellUse edge filter is used and this edge filters Symbols,
2753         // we can say that ToString never throws an error!
2754         if (node->child1()->shouldSpeculateNotCell()) {
2755             fixEdge<NotCellUse>(node->child1());
2756             node->clearFlags(NodeMustGenerate);
2757             return;
2758         }
2759     }
2760
2761     void fixupStringValueOf(Node* node)
2762     {
2763         if (node->child1()->shouldSpeculateString()) {
2764             fixEdge<StringUse>(node->child1());
2765             node->convertToIdentity();
2766             return;
2767         }
2768
2769         if (node->child1()->shouldSpeculateStringObject()) {
2770             fixEdge<StringObjectUse>(node->child1());
2771             node->convertToToString();
2772             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2773             node->clearFlags(NodeMustGenerate);
2774             return;
2775         }
2776
2777         if (node->child1()->shouldSpeculateStringOrStringObject()) {
2778             fixEdge<StringOrStringObjectUse>(node->child1());
2779             node->convertToToString();
2780             // It does not need to look up a toString property for the StringObject case. So we can clear NodeMustGenerate.
2781             node->clearFlags(NodeMustGenerate);
2782             return;
2783         }
2784     }
2785
2786     bool attemptToMakeFastStringAdd(Node* node)
2787     {
2788         bool goodToGo = true;
2789         m_graph.doToChildren(
2790             node,
2791             [&] (Edge& edge) {
2792                 if (edge->shouldSpeculateString())
2793                     return;
2794                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2795                     if (edge->shouldSpeculateStringObject())
2796                         return;
2797                     if (edge->shouldSpeculateStringOrStringObject())
2798                         return;
2799                 }
2800                 goodToGo = false;
2801             });
2802         if (!goodToGo)
2803             return false;
2804
2805         m_graph.doToChildren(
2806             node,
2807             [&] (Edge& edge) {
2808                 if (edge->shouldSpeculateString()) {
2809                     convertStringAddUse<StringUse>(node, edge);
2810                     return;
2811                 }
2812                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2813                 if (edge->shouldSpeculateStringObject()) {
2814                     convertStringAddUse<StringObjectUse>(node, edge);
2815                     return;
2816                 }
2817                 if (edge->shouldSpeculateStringOrStringObject()) {
2818                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2819                     return;
2820                 }
2821                 RELEASE_ASSERT_NOT_REACHED();
2822             });
2823         
2824         convertToMakeRope(node);
2825         return true;
2826     }
2827
2828     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2829     {
2830         if (!block)
2831             return;
2832         ASSERT(block->isReachable);
2833         m_block = block;
2834         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2835             Node* node = m_currentNode = block->at(m_indexInBlock);
2836             if (node->op() != SetLocal && node->op() != GetLocal)
2837                 continue;
2838             
2839             VariableAccessData* variable = node->variableAccessData();
2840             switch (node->op()) {
2841             case GetLocal:
2842                 switch (variable->flushFormat()) {
2843                 case FlushedDouble:
2844                     node->setResult(NodeResultDouble);
2845                     break;
2846                 case FlushedInt52:
2847                     node->setResult(NodeResultInt52);
2848                     break;
2849                 default:
2850                     break;
2851                 }
2852                 break;
2853                 
2854             case SetLocal:
2855                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2856                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2857                 
2858                 switch (variable->flushFormat()) {
2859                 case FlushedJSValue:
2860                     break;
2861                 case FlushedDouble:
2862                     fixEdge<DoubleRepUse>(node->child1());
2863                     break;
2864                 case FlushedInt32:
2865                     fixEdge<Int32Use>(node->child1());
2866                     break;
2867                 case FlushedInt52:
2868                     fixEdge<Int52RepUse>(node->child1());
2869                     break;
2870                 case FlushedCell:
2871                     fixEdge<CellUse>(node->child1());
2872                     break;
2873                 case FlushedBoolean:
2874                     fixEdge<BooleanUse>(node->child1());
2875                     break;
2876                 default:
2877                     RELEASE_ASSERT_NOT_REACHED();
2878                     break;
2879                 }
2880                 break;
2881                 
2882             default:
2883                 RELEASE_ASSERT_NOT_REACHED();
2884                 break;
2885             }
2886         }
2887         m_insertionSet.execute(block);
2888     }
2889     
2890     void addStringReplacePrimordialChecks(Node* searchRegExp)
2891     {
2892         Node* node = m_currentNode;
2893
2894         // Check that structure of searchRegExp is RegExp object
2895         m_insertionSet.insertNode(
2896             m_indexInBlock, SpecNone, Check, node->origin,
2897             Edge(searchRegExp, RegExpObjectUse));
2898
2899         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2900             unsigned index = m_graph.identifiers().ensure(propertyUID);
2901
2902             Node* actualProperty = m_insertionSet.insertNode(
2903                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2904                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2905
2906             m_insertionSet.insertNode(
2907                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2908                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2909         };
2910
2911         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2912
2913         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2914         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2915         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2916         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2917         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2918         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2919         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2920         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2921     }
2922
2923     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2924     {
2925         ASSERT(arrayMode.isSpecific());
2926         
2927         if (arrayMode.type() == Array::String) {
2928             m_insertionSet.insertNode(
2929                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2930         } else {
2931             // Note that we only need to be using a structure check if we opt for SaneChain, since
2932             // that needs to protect against JSArray's __proto__ being changed.
2933             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2934         
2935             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2936             
2937             if (arrayMode.doesConversion()) {
2938                 if (structure) {
2939                     m_insertionSet.insertNode(
2940                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2941                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2942                 } else {
2943                     m_insertionSet.insertNode(
2944                         m_indexInBlock, SpecNone, Arrayify, origin,
2945                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2946                 }
2947             } else {
2948                 if (structure) {
2949                     m_insertionSet.insertNode(
2950                         m_indexInBlock, SpecNone, CheckStructure, origin,
2951                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2952                 } else {
2953                     m_insertionSet.insertNode(
2954                         m_indexInBlock, SpecNone, CheckArray, origin,
2955                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2956                 }
2957             }
2958         }
2959         
2960         if (!storageCheck(arrayMode))
2961             return nullptr;
2962         
2963         if (arrayMode.usesButterfly()) {
2964             return m_insertionSet.insertNode(
2965                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2966         }
2967         
2968         return m_insertionSet.insertNode(
2969             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2970             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2971     }
2972     
2973     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2974     {
2975         Node* node = m_currentNode;
2976         
2977         switch (node->arrayMode().type()) {
2978         case Array::ForceExit: {
2979             m_insertionSet.insertNode(
2980                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2981             return;
2982         }
2983             
2984         case Array::SelectUsingPredictions:
2985         case Array::Unprofiled:
2986             RELEASE_ASSERT_NOT_REACHED();
2987             return;
2988             
2989         case Array::Generic:
2990             return;
2991             
2992         default: {
2993             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2994             if (!storage)
2995                 return;
2996             
2997             storageChild = Edge(storage);
2998             return;
2999         } }
3000     }
3001     
3002     bool alwaysUnboxSimplePrimitives()
3003     {
3004 #if USE(JSVALUE64)
3005         return false;
3006 #else
3007         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
3008         // reduces traffic.
3009         return true;
3010 #endif
3011     }
3012
3013     template<UseKind useKind>
3014     void observeUseKindOnNode(Node* node)
3015     {
3016         if (useKind == UntypedUse)
3017             return;
3018         observeUseKindOnNode(node, useKind);
3019     }
3020
3021     void observeUseKindOnEdge(Edge edge)
3022     {
3023         observeUseKindOnNode(edge.node(), edge.useKind());
3024     }
3025
3026     void observeUseKindOnNode(Node* node, UseKind useKind)
3027     {
3028         if (node->op() != GetLocal)
3029             return;
3030         
3031         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
3032         // https://bugs.webkit.org/show_bug.cgi?id=121518
3033         
3034         VariableAccessData* variable = node->variableAccessData();
3035         switch (useKind) {
3036         case Int32Use:
3037         case KnownInt32Use:
3038             if (alwaysUnboxSimplePrimitives()
3039                 || isInt32Speculation(variable->prediction()))
3040                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3041             break;
3042         case NumberUse:
3043         case RealNumberUse:
3044         case DoubleRepUse:
3045         case DoubleRepRealUse:
3046             if (variable->doubleFormatState() == UsingDoubleFormat)
3047                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3048             break;
3049         case BooleanUse:
3050         case KnownBooleanUse:
3051             if (alwaysUnboxSimplePrimitives()
3052                 || isBooleanSpeculation(variable->prediction()))
3053                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3054             break;
3055         case Int52RepUse:
3056             if (isAnyIntSpeculation(variable->prediction()))
3057                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
3058             break;
3059         case CellUse:
3060         case KnownCellUse:
3061         case ObjectUse:
3062         case FunctionUse:
3063         case StringUse:
3064         case KnownStringUse:
3065         case SymbolUse:
3066         case BigIntUse:
3067         case StringObjectUse:
3068         case StringOrStringObjectUse:
3069             if (alwaysUnboxSimplePrimitives()
3070                 || isCellSpeculation(variable->prediction()))
3071                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);