9661b8bee5188681f5382901447a8d130061be54
[WebKit.git] / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
1 /*
2  * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGFixupPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "ArrayPrototype.h"
32 #include "DFGGraph.h"
33 #include "DFGInferredTypeCheck.h"
34 #include "DFGInsertionSet.h"
35 #include "DFGPhase.h"
36 #include "DFGPredictionPropagationPhase.h"
37 #include "DFGVariableAccessDataDump.h"
38 #include "JSCInlines.h"
39 #include "TypeLocation.h"
40
41 namespace JSC { namespace DFG {
42
43 class FixupPhase : public Phase {
44 public:
45     FixupPhase(Graph& graph)
46         : Phase(graph, "fixup")
47         , m_insertionSet(graph)
48     {
49     }
50     
51     bool run()
52     {
53         ASSERT(m_graph.m_fixpointState == BeforeFixpoint);
54         ASSERT(m_graph.m_form == ThreadedCPS);
55         
56         m_profitabilityChanged = false;
57         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
58             fixupBlock(m_graph.block(blockIndex));
59         
60         while (m_profitabilityChanged) {
61             m_profitabilityChanged = false;
62             
63             for (unsigned i = m_graph.m_argumentPositions.size(); i--;)
64                 m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness();
65             
66             for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
67                 fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex));
68         }
69         
70         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
71             fixupChecksInBlock(m_graph.block(blockIndex));
72
73         m_graph.m_planStage = PlanStage::AfterFixup;
74
75         return true;
76     }
77
78 private:
79     void fixupBlock(BasicBlock* block)
80     {
81         if (!block)
82             return;
83         ASSERT(block->isReachable);
84         m_block = block;
85         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
86             m_currentNode = block->at(m_indexInBlock);
87             fixupNode(m_currentNode);
88         }
89         m_insertionSet.execute(block);
90     }
91     
92     void fixupNode(Node* node)
93     {
94         NodeType op = node->op();
95
96         switch (op) {
97         case SetLocal: {
98             // This gets handled by fixupGetAndSetLocalsInBlock().
99             return;
100         }
101             
102         case BitAnd:
103         case BitOr:
104         case BitXor:
105         case BitRShift:
106         case BitLShift:
107         case BitURShift: {
108             if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) {
109                 fixEdge<UntypedUse>(node->child1());
110                 fixEdge<UntypedUse>(node->child2());
111                 break;
112             }
113             fixIntConvertingEdge(node->child1());
114             fixIntConvertingEdge(node->child2());
115             break;
116         }
117
118         case ArithIMul: {
119             fixIntConvertingEdge(node->child1());
120             fixIntConvertingEdge(node->child2());
121             node->setOp(ArithMul);
122             node->setArithMode(Arith::Unchecked);
123             node->child1().setUseKind(Int32Use);
124             node->child2().setUseKind(Int32Use);
125             break;
126         }
127
128         case ArithClz32: {
129             if (node->child1()->shouldSpeculateNotCell()) {
130                 fixIntConvertingEdge(node->child1());
131                 node->clearFlags(NodeMustGenerate);
132             } else
133                 fixEdge<UntypedUse>(node->child1());
134             break;
135         }
136             
137         case UInt32ToNumber: {
138             fixIntConvertingEdge(node->child1());
139             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
140                 node->convertToIdentity();
141             else if (node->canSpeculateInt32(FixupPass))
142                 node->setArithMode(Arith::CheckOverflow);
143             else {
144                 node->setArithMode(Arith::DoOverflow);
145                 node->clearFlags(NodeMustGenerate);
146                 node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble);
147             }
148             break;
149         }
150             
151         case ValueAdd: {
152             if (attemptToMakeIntegerAdd(node)) {
153                 node->setOp(ArithAdd);
154                 break;
155             }
156             if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) {
157                 fixDoubleOrBooleanEdge(node->child1());
158                 fixDoubleOrBooleanEdge(node->child2());
159                 node->setOp(ArithAdd);
160                 node->setResult(NodeResultDouble);
161                 break;
162             }
163             
164             if (attemptToMakeFastStringAdd(node))
165                 break;
166
167             Edge& child1 = node->child1();
168             Edge& child2 = node->child2();
169             if (child1->shouldSpeculateString() || child2->shouldSpeculateString()) {
170                 if (child1->shouldSpeculateInt32() || child2->shouldSpeculateInt32()) {
171                     auto convertString = [&](Node* node, Edge& edge) {
172                         if (edge->shouldSpeculateInt32())
173                             convertStringAddUse<Int32Use>(node, edge);
174                         else {
175                             ASSERT(edge->shouldSpeculateString());
176                             convertStringAddUse<StringUse>(node, edge);
177                         }
178                     };
179                     convertString(node, child1);
180                     convertString(node, child2);
181                     convertToMakeRope(node);
182                     break;
183                 }
184             }
185
186             fixEdge<UntypedUse>(child1);
187             fixEdge<UntypedUse>(child2);
188             node->setResult(NodeResultJS);
189             break;
190         }
191
192         case StrCat: {
193             if (attemptToMakeFastStringAdd(node))
194                 break;
195
196             // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That
197             // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because
198             // the implementation of StrCat doesn't dynamically optimize for empty strings.
199             // https://bugs.webkit.org/show_bug.cgi?id=148540
200             m_graph.doToChildren(
201                 node,
202                 [&] (Edge& edge) {
203                     fixEdge<KnownPrimitiveUse>(edge);
204                 });
205             break;
206         }
207             
208         case MakeRope: {
209             fixupMakeRope(node);
210             break;
211         }
212             
213         case ArithAdd:
214         case ArithSub: {
215             if (op == ArithSub
216                 && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
217                 fixEdge<UntypedUse>(node->child1());
218                 fixEdge<UntypedUse>(node->child2());
219                 node->setResult(NodeResultJS);
220                 break;
221             }
222             if (attemptToMakeIntegerAdd(node))
223                 break;
224             fixDoubleOrBooleanEdge(node->child1());
225             fixDoubleOrBooleanEdge(node->child2());
226             node->setResult(NodeResultDouble);
227             break;
228         }
229             
230         case ArithNegate: {
231             if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) {
232                 fixIntOrBooleanEdge(node->child1());
233                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
234                     node->setArithMode(Arith::Unchecked);
235                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
236                     node->setArithMode(Arith::CheckOverflow);
237                 else
238                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
239                 node->setResult(NodeResultInt32);
240                 node->clearFlags(NodeMustGenerate);
241                 break;
242             }
243             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
244                 fixEdge<Int52RepUse>(node->child1());
245                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
246                     node->setArithMode(Arith::CheckOverflow);
247                 else
248                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
249                 node->setResult(NodeResultInt52);
250                 node->clearFlags(NodeMustGenerate);
251                 break;
252             }
253             if (node->child1()->shouldSpeculateNotCell()) {
254                 fixDoubleOrBooleanEdge(node->child1());
255                 node->setResult(NodeResultDouble);
256                 node->clearFlags(NodeMustGenerate);
257             } else
258                 fixEdge<UntypedUse>(node->child1());
259             break;
260         }
261             
262         case ArithMul: {
263             Edge& leftChild = node->child1();
264             Edge& rightChild = node->child2();
265             if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) {
266                 fixEdge<UntypedUse>(leftChild);
267                 fixEdge<UntypedUse>(rightChild);
268                 node->setResult(NodeResultJS);
269                 break;
270             }
271             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
272                 fixIntOrBooleanEdge(leftChild);
273                 fixIntOrBooleanEdge(rightChild);
274                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
275                     node->setArithMode(Arith::Unchecked);
276                 else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
277                     || leftChild.node() == rightChild.node())
278                     node->setArithMode(Arith::CheckOverflow);
279                 else
280                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
281                 break;
282             }
283             if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
284                 fixEdge<Int52RepUse>(leftChild);
285                 fixEdge<Int52RepUse>(rightChild);
286                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
287                     || leftChild.node() == rightChild.node())
288                     node->setArithMode(Arith::CheckOverflow);
289                 else
290                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
291                 node->setResult(NodeResultInt52);
292                 break;
293             }
294             fixDoubleOrBooleanEdge(leftChild);
295             fixDoubleOrBooleanEdge(rightChild);
296             node->setResult(NodeResultDouble);
297             break;
298         }
299
300         case ArithDiv:
301         case ArithMod: {
302             Edge& leftChild = node->child1();
303             Edge& rightChild = node->child2();
304             if (op == ArithDiv
305                 && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())
306                 && m_graph.hasExitSite(node->origin.semantic, BadType)) {
307                 fixEdge<UntypedUse>(leftChild);
308                 fixEdge<UntypedUse>(rightChild);
309                 node->setResult(NodeResultJS);
310                 break;
311             }
312             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
313                 if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) {
314                     fixIntOrBooleanEdge(leftChild);
315                     fixIntOrBooleanEdge(rightChild);
316                     if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
317                         node->setArithMode(Arith::Unchecked);
318                     else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
319                         node->setArithMode(Arith::CheckOverflow);
320                     else
321                         node->setArithMode(Arith::CheckOverflowAndNegativeZero);
322                     break;
323                 }
324                 
325                 // This will cause conversion nodes to be inserted later.
326                 fixDoubleOrBooleanEdge(leftChild);
327                 fixDoubleOrBooleanEdge(rightChild);
328                 
329                 // We don't need to do ref'ing on the children because we're stealing them from
330                 // the original division.
331                 Node* newDivision = m_insertionSet.insertNode(
332                     m_indexInBlock, SpecBytecodeDouble, *node);
333                 newDivision->setResult(NodeResultDouble);
334                 
335                 node->setOp(DoubleAsInt32);
336                 node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge());
337                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
338                     node->setArithMode(Arith::CheckOverflow);
339                 else
340                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
341                 break;
342             }
343             fixDoubleOrBooleanEdge(leftChild);
344             fixDoubleOrBooleanEdge(rightChild);
345             node->setResult(NodeResultDouble);
346             break;
347         }
348             
349         case ArithMin:
350         case ArithMax: {
351             if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) {
352                 fixIntOrBooleanEdge(node->child1());
353                 fixIntOrBooleanEdge(node->child2());
354                 break;
355             }
356             fixDoubleOrBooleanEdge(node->child1());
357             fixDoubleOrBooleanEdge(node->child2());
358             node->setResult(NodeResultDouble);
359             break;
360         }
361             
362         case ArithAbs: {
363             if (node->child1()->shouldSpeculateInt32OrBoolean()
364                 && node->canSpeculateInt32(FixupPass)) {
365                 fixIntOrBooleanEdge(node->child1());
366                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
367                     node->setArithMode(Arith::Unchecked);
368                 else
369                     node->setArithMode(Arith::CheckOverflow);
370                 node->clearFlags(NodeMustGenerate);
371                 node->setResult(NodeResultInt32);
372                 break;
373             }
374
375             if (node->child1()->shouldSpeculateNotCell()) {
376                 fixDoubleOrBooleanEdge(node->child1());
377                 node->clearFlags(NodeMustGenerate);
378             } else
379                 fixEdge<UntypedUse>(node->child1());
380             node->setResult(NodeResultDouble);
381             break;
382         }
383
384         case ArithPow: {
385             if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
386                 fixDoubleOrBooleanEdge(node->child1());
387                 fixIntOrBooleanEdge(node->child2());
388                 break;
389             }
390
391             fixDoubleOrBooleanEdge(node->child1());
392             fixDoubleOrBooleanEdge(node->child2());
393             break;
394         }
395
396         case ArithRandom: {
397             node->setResult(NodeResultDouble);
398             break;
399         }
400
401         case ArithRound:
402         case ArithFloor:
403         case ArithCeil:
404         case ArithTrunc: {
405             if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
406                 fixIntOrBooleanEdge(node->child1());
407                 insertCheck<Int32Use>(node->child1().node());
408                 node->convertToIdentity();
409                 break;
410             }
411             if (node->child1()->shouldSpeculateNotCell()) {
412                 fixDoubleOrBooleanEdge(node->child1());
413
414                 if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
415                     node->setResult(NodeResultInt32);
416                     if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
417                         node->setArithRoundingMode(Arith::RoundingMode::Int32);
418                     else
419                         node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck);
420                 } else {
421                     node->setResult(NodeResultDouble);
422                     node->setArithRoundingMode(Arith::RoundingMode::Double);
423                 }
424                 node->clearFlags(NodeMustGenerate);
425             } else
426                 fixEdge<UntypedUse>(node->child1());
427             break;
428         }
429
430         case ArithFRound:
431         case ArithSqrt:
432         case ArithUnary: {
433             Edge& child1 = node->child1();
434             if (child1->shouldSpeculateNotCell()) {
435                 fixDoubleOrBooleanEdge(child1);
436                 node->clearFlags(NodeMustGenerate);
437             } else
438                 fixEdge<UntypedUse>(child1);
439             break;
440         }
441             
442         case LogicalNot: {
443             if (node->child1()->shouldSpeculateBoolean()) {
444                 if (node->child1()->result() == NodeResultBoolean) {
445                     // This is necessary in case we have a bytecode instruction implemented by:
446                     //
447                     // a: CompareEq(...)
448                     // b: LogicalNot(@a)
449                     //
450                     // In that case, CompareEq might have a side-effect. Then, we need to make
451                     // sure that we know that Branch does not exit.
452                     fixEdge<KnownBooleanUse>(node->child1());
453                 } else
454                     fixEdge<BooleanUse>(node->child1());
455             } else if (node->child1()->shouldSpeculateObjectOrOther())
456                 fixEdge<ObjectOrOtherUse>(node->child1());
457             else if (node->child1()->shouldSpeculateInt32OrBoolean())
458                 fixIntOrBooleanEdge(node->child1());
459             else if (node->child1()->shouldSpeculateNumber())
460                 fixEdge<DoubleRepUse>(node->child1());
461             else if (node->child1()->shouldSpeculateString())
462                 fixEdge<StringUse>(node->child1());
463             else if (node->child1()->shouldSpeculateStringOrOther())
464                 fixEdge<StringOrOtherUse>(node->child1());
465             else {
466                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
467                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
468                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
469             }
470             break;
471         }
472
473         case CompareEq:
474         case CompareLess:
475         case CompareLessEq:
476         case CompareGreater:
477         case CompareGreaterEq: {
478             if (node->op() == CompareEq
479                 && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
480                 fixEdge<BooleanUse>(node->child1());
481                 fixEdge<BooleanUse>(node->child2());
482                 node->clearFlags(NodeMustGenerate);
483                 break;
484             }
485             if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) {
486                 fixIntOrBooleanEdge(node->child1());
487                 fixIntOrBooleanEdge(node->child2());
488                 node->clearFlags(NodeMustGenerate);
489                 break;
490             }
491             if (enableInt52()
492                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
493                 fixEdge<Int52RepUse>(node->child1());
494                 fixEdge<Int52RepUse>(node->child2());
495                 node->clearFlags(NodeMustGenerate);
496                 break;
497             }
498             if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) {
499                 fixDoubleOrBooleanEdge(node->child1());
500                 fixDoubleOrBooleanEdge(node->child2());
501             }
502             if (node->op() != CompareEq
503                 && node->child1()->shouldSpeculateNotCell()
504                 && node->child2()->shouldSpeculateNotCell()) {
505                 if (node->child1()->shouldSpeculateNumberOrBoolean())
506                     fixDoubleOrBooleanEdge(node->child1());
507                 else
508                     fixEdge<DoubleRepUse>(node->child1());
509                 if (node->child2()->shouldSpeculateNumberOrBoolean())
510                     fixDoubleOrBooleanEdge(node->child2());
511                 else
512                     fixEdge<DoubleRepUse>(node->child2());
513                 node->clearFlags(NodeMustGenerate);
514                 break;
515             }
516             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
517                 fixEdge<StringIdentUse>(node->child1());
518                 fixEdge<StringIdentUse>(node->child2());
519                 node->clearFlags(NodeMustGenerate);
520                 break;
521             }
522             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) {
523                 fixEdge<StringUse>(node->child1());
524                 fixEdge<StringUse>(node->child2());
525                 node->clearFlags(NodeMustGenerate);
526                 break;
527             }
528
529             if (node->op() != CompareEq)
530                 break;
531             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
532                 fixEdge<SymbolUse>(node->child1());
533                 fixEdge<SymbolUse>(node->child2());
534                 node->clearFlags(NodeMustGenerate);
535                 break;
536             }
537             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
538                 fixEdge<ObjectUse>(node->child1());
539                 fixEdge<ObjectUse>(node->child2());
540                 node->clearFlags(NodeMustGenerate);
541                 break;
542             }
543
544             // If either child can be proved to be Null or Undefined, comparing them is greatly simplified.
545             bool oneArgumentIsUsedAsSpecOther = false;
546             if (node->child1()->isUndefinedOrNullConstant()) {
547                 fixEdge<OtherUse>(node->child1());
548                 oneArgumentIsUsedAsSpecOther = true;
549             } else if (node->child1()->shouldSpeculateOther()) {
550                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
551                     Edge(node->child1().node(), OtherUse));
552                 fixEdge<OtherUse>(node->child1());
553                 oneArgumentIsUsedAsSpecOther = true;
554             }
555             if (node->child2()->isUndefinedOrNullConstant()) {
556                 fixEdge<OtherUse>(node->child2());
557                 oneArgumentIsUsedAsSpecOther = true;
558             } else if (node->child2()->shouldSpeculateOther()) {
559                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin,
560                     Edge(node->child2().node(), OtherUse));
561                 fixEdge<OtherUse>(node->child2());
562                 oneArgumentIsUsedAsSpecOther = true;
563             }
564             if (oneArgumentIsUsedAsSpecOther) {
565                 node->clearFlags(NodeMustGenerate);
566                 break;
567             }
568
569             if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) {
570                 fixEdge<ObjectUse>(node->child1());
571                 fixEdge<ObjectOrOtherUse>(node->child2());
572                 node->clearFlags(NodeMustGenerate);
573                 break;
574             }
575             if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) {
576                 fixEdge<ObjectOrOtherUse>(node->child1());
577                 fixEdge<ObjectUse>(node->child2());
578                 node->clearFlags(NodeMustGenerate);
579                 break;
580             }
581
582             break;
583         }
584             
585         case CompareStrictEq: {
586             if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
587                 fixEdge<BooleanUse>(node->child1());
588                 fixEdge<BooleanUse>(node->child2());
589                 break;
590             }
591             if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) {
592                 fixEdge<Int32Use>(node->child1());
593                 fixEdge<Int32Use>(node->child2());
594                 break;
595             }
596             if (enableInt52()
597                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
598                 fixEdge<Int52RepUse>(node->child1());
599                 fixEdge<Int52RepUse>(node->child2());
600                 break;
601             }
602             if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) {
603                 fixEdge<DoubleRepUse>(node->child1());
604                 fixEdge<DoubleRepUse>(node->child2());
605                 break;
606             }
607             if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) {
608                 fixEdge<SymbolUse>(node->child1());
609                 fixEdge<SymbolUse>(node->child2());
610                 break;
611             }
612             if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) {
613                 fixEdge<StringIdentUse>(node->child1());
614                 fixEdge<StringIdentUse>(node->child2());
615                 break;
616             }
617             if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) {
618                 fixEdge<StringUse>(node->child1());
619                 fixEdge<StringUse>(node->child2());
620                 break;
621             }
622             WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
623             if (masqueradesAsUndefinedWatchpoint->isStillValid()) {
624                 
625                 if (node->child1()->shouldSpeculateObject()) {
626                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
627                     fixEdge<ObjectUse>(node->child1());
628                     break;
629                 }
630                 if (node->child2()->shouldSpeculateObject()) {
631                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
632                     fixEdge<ObjectUse>(node->child2());
633                     break;
634                 }
635                 
636             } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) {
637                 fixEdge<ObjectUse>(node->child1());
638                 fixEdge<ObjectUse>(node->child2());
639                 break;
640             }
641             if (node->child1()->shouldSpeculateSymbol()) {
642                 fixEdge<SymbolUse>(node->child1());
643                 break;
644             }
645             if (node->child2()->shouldSpeculateSymbol()) {
646                 fixEdge<SymbolUse>(node->child2());
647                 break;
648             }
649             if (node->child1()->shouldSpeculateMisc()) {
650                 fixEdge<MiscUse>(node->child1());
651                 break;
652             }
653             if (node->child2()->shouldSpeculateMisc()) {
654                 fixEdge<MiscUse>(node->child2());
655                 break;
656             }
657             if (node->child1()->shouldSpeculateStringIdent()
658                 && node->child2()->shouldSpeculateNotStringVar()) {
659                 fixEdge<StringIdentUse>(node->child1());
660                 fixEdge<NotStringVarUse>(node->child2());
661                 break;
662             }
663             if (node->child2()->shouldSpeculateStringIdent()
664                 && node->child1()->shouldSpeculateNotStringVar()) {
665                 fixEdge<StringIdentUse>(node->child2());
666                 fixEdge<NotStringVarUse>(node->child1());
667                 break;
668             }
669             if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
670                 fixEdge<StringUse>(node->child1());
671                 break;
672             }
673             if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) {
674                 fixEdge<StringUse>(node->child2());
675                 break;
676             }
677             break;
678         }
679             
680         case StringFromCharCode:
681             if (node->child1()->shouldSpeculateInt32())
682                 fixEdge<Int32Use>(node->child1());
683             else
684                 fixEdge<UntypedUse>(node->child1());
685             break;
686
687         case StringCharAt:
688         case StringCharCodeAt: {
689             // Currently we have no good way of refining these.
690             ASSERT(node->arrayMode() == ArrayMode(Array::String));
691             blessArrayOperation(node->child1(), node->child2(), node->child3());
692             fixEdge<KnownCellUse>(node->child1());
693             fixEdge<Int32Use>(node->child2());
694             break;
695         }
696
697         case GetByVal: {
698             if (!node->prediction()) {
699                 m_insertionSet.insertNode(
700                     m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
701             }
702             
703             node->setArrayMode(
704                 node->arrayMode().refine(
705                     m_graph, node,
706                     node->child1()->prediction(),
707                     node->child2()->prediction(),
708                     SpecNone));
709             
710             blessArrayOperation(node->child1(), node->child2(), node->child3());
711             
712             ArrayMode arrayMode = node->arrayMode();
713             switch (arrayMode.type()) {
714             case Array::Contiguous:
715             case Array::Double:
716                 if (arrayMode.arrayClass() == Array::OriginalArray
717                     && arrayMode.speculation() == Array::InBounds) {
718                     JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
719                     if (globalObject->arrayPrototypeChainIsSane()) {
720                         // Check if SaneChain will work on a per-type basis. Note that:
721                         //
722                         // 1) We don't want double arrays to sometimes return undefined, since
723                         // that would require a change to the return type and it would pessimise
724                         // things a lot. So, we'd only want to do that if we actually had
725                         // evidence that we could read from a hole. That's pretty annoying.
726                         // Likely the best way to handle that case is with an equivalent of
727                         // SaneChain for OutOfBounds. For now we just detect when Undefined and
728                         // NaN are indistinguishable according to backwards propagation, and just
729                         // use SaneChain in that case. This happens to catch a lot of cases.
730                         //
731                         // 2) We don't want int32 array loads to have to do a hole check just to
732                         // coerce to Undefined, since that would mean twice the checks.
733                         //
734                         // This has two implications. First, we have to do more checks than we'd
735                         // like. It's unfortunate that we have to do the hole check. Second,
736                         // some accesses that hit a hole will now need to take the full-blown
737                         // out-of-bounds slow path. We can fix that with:
738                         // https://bugs.webkit.org/show_bug.cgi?id=144668
739                         
740                         bool canDoSaneChain = false;
741                         switch (arrayMode.type()) {
742                         case Array::Contiguous:
743                             // This is happens to be entirely natural. We already would have
744                             // returned any JSValue, and now we'll return Undefined. We still do
745                             // the check but it doesn't require taking any kind of slow path.
746                             canDoSaneChain = true;
747                             break;
748                             
749                         case Array::Double:
750                             if (!(node->flags() & NodeBytecodeUsesAsOther)) {
751                                 // Holes look like NaN already, so if the user doesn't care
752                                 // about the difference between Undefined and NaN then we can
753                                 // do this.
754                                 canDoSaneChain = true;
755                             }
756                             break;
757                             
758                         default:
759                             break;
760                         }
761                         
762                         if (canDoSaneChain) {
763                             m_graph.watchpoints().addLazily(
764                                 globalObject->arrayPrototype()->structure()->transitionWatchpointSet());
765                             m_graph.watchpoints().addLazily(
766                                 globalObject->objectPrototype()->structure()->transitionWatchpointSet());
767                             if (globalObject->arrayPrototypeChainIsSane())
768                                 node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
769                         }
770                     }
771                 }
772                 break;
773                 
774             case Array::String:
775                 if ((node->prediction() & ~SpecString)
776                     || m_graph.hasExitSite(node->origin.semantic, OutOfBounds))
777                     node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds));
778                 break;
779                 
780             default:
781                 break;
782             }
783             
784             arrayMode = node->arrayMode();
785             switch (arrayMode.type()) {
786             case Array::SelectUsingPredictions:
787             case Array::Unprofiled:
788                 RELEASE_ASSERT_NOT_REACHED();
789                 break;
790             case Array::Generic:
791 #if USE(JSVALUE32_64)
792                 fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit.
793 #endif
794                 break;
795             case Array::ForceExit:
796                 break;
797             default:
798                 fixEdge<KnownCellUse>(node->child1());
799                 fixEdge<Int32Use>(node->child2());
800                 break;
801             }
802             
803             switch (arrayMode.type()) {
804             case Array::Double:
805                 if (!arrayMode.isOutOfBounds())
806                     node->setResult(NodeResultDouble);
807                 break;
808                 
809             case Array::Float32Array:
810             case Array::Float64Array:
811                 node->setResult(NodeResultDouble);
812                 break;
813                 
814             case Array::Uint32Array:
815                 if (node->shouldSpeculateInt32())
816                     break;
817                 if (node->shouldSpeculateAnyInt() && enableInt52())
818                     node->setResult(NodeResultInt52);
819                 else
820                     node->setResult(NodeResultDouble);
821                 break;
822                 
823             default:
824                 break;
825             }
826             
827             break;
828         }
829
830         case PutByValDirect:
831         case PutByVal:
832         case PutByValAlias: {
833             Edge& child1 = m_graph.varArgChild(node, 0);
834             Edge& child2 = m_graph.varArgChild(node, 1);
835             Edge& child3 = m_graph.varArgChild(node, 2);
836
837             node->setArrayMode(
838                 node->arrayMode().refine(
839                     m_graph, node,
840                     child1->prediction(),
841                     child2->prediction(),
842                     child3->prediction()));
843             
844             blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3));
845             
846             switch (node->arrayMode().modeForPut().type()) {
847             case Array::SelectUsingPredictions:
848             case Array::SelectUsingArguments:
849             case Array::Unprofiled:
850             case Array::Undecided:
851                 RELEASE_ASSERT_NOT_REACHED();
852                 break;
853             case Array::ForceExit:
854             case Array::Generic:
855 #if USE(JSVALUE32_64)
856                 // Due to register pressure on 32-bit, we speculate cell and
857                 // ignore the base-is-not-cell case entirely by letting the
858                 // baseline JIT handle it.
859                 fixEdge<CellUse>(child1);
860 #endif
861                 break;
862             case Array::Int32:
863                 fixEdge<KnownCellUse>(child1);
864                 fixEdge<Int32Use>(child2);
865                 fixEdge<Int32Use>(child3);
866                 break;
867             case Array::Double:
868                 fixEdge<KnownCellUse>(child1);
869                 fixEdge<Int32Use>(child2);
870                 fixEdge<DoubleRepRealUse>(child3);
871                 break;
872             case Array::Int8Array:
873             case Array::Int16Array:
874             case Array::Int32Array:
875             case Array::Uint8Array:
876             case Array::Uint8ClampedArray:
877             case Array::Uint16Array:
878             case Array::Uint32Array:
879                 fixEdge<KnownCellUse>(child1);
880                 fixEdge<Int32Use>(child2);
881                 if (child3->shouldSpeculateInt32())
882                     fixIntOrBooleanEdge(child3);
883                 else if (child3->shouldSpeculateAnyInt())
884                     fixEdge<Int52RepUse>(child3);
885                 else
886                     fixDoubleOrBooleanEdge(child3);
887                 break;
888             case Array::Float32Array:
889             case Array::Float64Array:
890                 fixEdge<KnownCellUse>(child1);
891                 fixEdge<Int32Use>(child2);
892                 fixDoubleOrBooleanEdge(child3);
893                 break;
894             case Array::Contiguous:
895             case Array::ArrayStorage:
896             case Array::SlowPutArrayStorage:
897                 fixEdge<KnownCellUse>(child1);
898                 fixEdge<Int32Use>(child2);
899                 speculateForBarrier(child3);
900                 break;
901             default:
902                 fixEdge<KnownCellUse>(child1);
903                 fixEdge<Int32Use>(child2);
904                 break;
905             }
906             break;
907         }
908             
909         case AtomicsAdd:
910         case AtomicsAnd:
911         case AtomicsCompareExchange:
912         case AtomicsExchange:
913         case AtomicsLoad:
914         case AtomicsOr:
915         case AtomicsStore:
916         case AtomicsSub:
917         case AtomicsXor: {
918             Edge& base = m_graph.child(node, 0);
919             Edge& index = m_graph.child(node, 1);
920             
921             bool badNews = false;
922             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
923                 Edge& child = m_graph.child(node, 2 + i);
924                 // NOTE: DFG is not smart enough to handle double->int conversions in atomics. So, we
925                 // just call the function when that happens. But the FTL is totally cool with those
926                 // conversions.
927                 if (!child->shouldSpeculateInt32()
928                     && !child->shouldSpeculateAnyInt()
929                     && !(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode)))
930                     badNews = true;
931             }
932             
933             if (badNews) {
934                 node->setArrayMode(ArrayMode(Array::Generic));
935                 break;
936             }
937             
938             node->setArrayMode(
939                 node->arrayMode().refine(
940                     m_graph, node, base->prediction(), index->prediction()));
941             
942             if (node->arrayMode().type() == Array::Generic)
943                 break;
944             
945             for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
946                 Edge& child = m_graph.child(node, 2 + i);
947                 if (child->shouldSpeculateInt32())
948                     fixIntOrBooleanEdge(child);
949                 else if (child->shouldSpeculateAnyInt())
950                     fixEdge<Int52RepUse>(child);
951                 else {
952                     RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && isFTL(m_graph.m_plan.mode));
953                     fixDoubleOrBooleanEdge(child);
954                 }
955             }
956             
957             blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
958             fixEdge<CellUse>(base);
959             fixEdge<Int32Use>(index);
960             
961             if (node->arrayMode().type() == Array::Uint32Array) {
962                 // NOTE: This means basically always doing Int52.
963                 if (node->shouldSpeculateAnyInt() && enableInt52())
964                     node->setResult(NodeResultInt52);
965                 else
966                     node->setResult(NodeResultDouble);
967             }
968             break;
969         }
970             
971         case AtomicsIsLockFree:
972             if (node->child1()->shouldSpeculateInt32())
973                 fixIntOrBooleanEdge(node->child1());
974             break;
975             
976         case ArrayPush: {
977             // May need to refine the array mode in case the value prediction contravenes
978             // the array prediction. For example, we may have evidence showing that the
979             // array is in Int32 mode, but the value we're storing is likely to be a double.
980             // Then we should turn this into a conversion to Double array followed by the
981             // push. On the other hand, we absolutely don't want to refine based on the
982             // base prediction. If it has non-cell garbage in it, then we want that to be
983             // ignored. That's because ArrayPush can't handle any array modes that aren't
984             // array-related - so if refine() turned this into a "Generic" ArrayPush then
985             // that would break things.
986             node->setArrayMode(
987                 node->arrayMode().refine(
988                     m_graph, node,
989                     node->child1()->prediction() & SpecCell,
990                     SpecInt32Only,
991                     node->child2()->prediction()));
992             blessArrayOperation(node->child1(), Edge(), node->child3());
993             fixEdge<KnownCellUse>(node->child1());
994             
995             switch (node->arrayMode().type()) {
996             case Array::Int32:
997                 fixEdge<Int32Use>(node->child2());
998                 break;
999             case Array::Double:
1000                 fixEdge<DoubleRepRealUse>(node->child2());
1001                 break;
1002             case Array::Contiguous:
1003             case Array::ArrayStorage:
1004                 speculateForBarrier(node->child2());
1005                 break;
1006             default:
1007                 break;
1008             }
1009             break;
1010         }
1011             
1012         case ArrayPop: {
1013             blessArrayOperation(node->child1(), Edge(), node->child2());
1014             fixEdge<KnownCellUse>(node->child1());
1015             break;
1016         }
1017
1018         case ArraySlice: {
1019             fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0));
1020             fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
1021             if (node->numChildren() == 4)
1022                 fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
1023             break;
1024         }
1025
1026         case ArrayIndexOf:
1027             fixupArrayIndexOf(node);
1028             break;
1029             
1030         case RegExpExec:
1031         case RegExpTest: {
1032             fixEdge<KnownCellUse>(node->child1());
1033             
1034             if (node->child2()->shouldSpeculateRegExpObject()) {
1035                 fixEdge<RegExpObjectUse>(node->child2());
1036
1037                 if (node->child3()->shouldSpeculateString())
1038                     fixEdge<StringUse>(node->child3());
1039             }
1040             break;
1041         }
1042
1043         case StringReplace:
1044         case StringReplaceRegExp: {
1045             if (node->child2()->shouldSpeculateString()) {
1046                 m_insertionSet.insertNode(
1047                     m_indexInBlock, SpecNone, Check, node->origin,
1048                     Edge(node->child2().node(), StringUse));
1049                 fixEdge<StringUse>(node->child2());
1050             } else if (op == StringReplace) {
1051                 if (node->child2()->shouldSpeculateRegExpObject())
1052                     addStringReplacePrimordialChecks(node->child2().node());
1053                 else 
1054                     m_insertionSet.insertNode(
1055                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1056             }
1057
1058             if (node->child1()->shouldSpeculateString()
1059                 && node->child2()->shouldSpeculateRegExpObject()
1060                 && node->child3()->shouldSpeculateString()) {
1061
1062                 fixEdge<StringUse>(node->child1());
1063                 fixEdge<RegExpObjectUse>(node->child2());
1064                 fixEdge<StringUse>(node->child3());
1065                 break;
1066             }
1067             break;
1068         }
1069             
1070         case Branch: {
1071             if (node->child1()->shouldSpeculateBoolean()) {
1072                 if (node->child1()->result() == NodeResultBoolean) {
1073                     // This is necessary in case we have a bytecode instruction implemented by:
1074                     //
1075                     // a: CompareEq(...)
1076                     // b: Branch(@a)
1077                     //
1078                     // In that case, CompareEq might have a side-effect. Then, we need to make
1079                     // sure that we know that Branch does not exit.
1080                     fixEdge<KnownBooleanUse>(node->child1());
1081                 } else
1082                     fixEdge<BooleanUse>(node->child1());
1083             } else if (node->child1()->shouldSpeculateObjectOrOther())
1084                 fixEdge<ObjectOrOtherUse>(node->child1());
1085             else if (node->child1()->shouldSpeculateInt32OrBoolean())
1086                 fixIntOrBooleanEdge(node->child1());
1087             else if (node->child1()->shouldSpeculateNumber())
1088                 fixEdge<DoubleRepUse>(node->child1());
1089             else if (node->child1()->shouldSpeculateString())
1090                 fixEdge<StringUse>(node->child1());
1091             else if (node->child1()->shouldSpeculateStringOrOther())
1092                 fixEdge<StringOrOtherUse>(node->child1());
1093             else {
1094                 WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint();
1095                 if (masqueradesAsUndefinedWatchpoint->isStillValid())
1096                     m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint);
1097             }
1098             break;
1099         }
1100             
1101         case Switch: {
1102             SwitchData* data = node->switchData();
1103             switch (data->kind) {
1104             case SwitchImm:
1105                 if (node->child1()->shouldSpeculateInt32())
1106                     fixEdge<Int32Use>(node->child1());
1107                 break;
1108             case SwitchChar:
1109                 if (node->child1()->shouldSpeculateString())
1110                     fixEdge<StringUse>(node->child1());
1111                 break;
1112             case SwitchString:
1113                 if (node->child1()->shouldSpeculateStringIdent())
1114                     fixEdge<StringIdentUse>(node->child1());
1115                 else if (node->child1()->shouldSpeculateString())
1116                     fixEdge<StringUse>(node->child1());
1117                 break;
1118             case SwitchCell:
1119                 if (node->child1()->shouldSpeculateCell())
1120                     fixEdge<CellUse>(node->child1());
1121                 // else it's fine for this to have UntypedUse; we will handle this by just making
1122                 // non-cells take the default case.
1123                 break;
1124             }
1125             break;
1126         }
1127             
1128         case ToPrimitive: {
1129             fixupToPrimitive(node);
1130             break;
1131         }
1132
1133         case ToNumber: {
1134             fixupToNumber(node);
1135             break;
1136         }
1137             
1138         case ToString:
1139         case CallStringConstructor: {
1140             fixupToStringOrCallStringConstructor(node);
1141             break;
1142         }
1143             
1144         case NewStringObject: {
1145             fixEdge<KnownStringUse>(node->child1());
1146             break;
1147         }
1148
1149         case NewArrayWithSpread: {
1150             watchHavingABadTime(node);
1151             
1152             BitVector* bitVector = node->bitVector();
1153             for (unsigned i = node->numChildren(); i--;) {
1154                 if (bitVector->get(i))
1155                     fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1156                 else
1157                     fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]);
1158             }
1159
1160             break;
1161         }
1162
1163         case Spread: {
1164             // Note: We care about performing the protocol on our child's global object, not necessarily ours.
1165             
1166             watchHavingABadTime(node->child1().node());
1167
1168             JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic);
1169             // When we go down the fast path, we don't consult the prototype chain, so we must prove
1170             // that it doesn't contain any indexed properties, and that any holes will result in
1171             // jsUndefined().
1172             InlineWatchpointSet& objectPrototypeTransition = globalObject->objectPrototype()->structure()->transitionWatchpointSet();
1173             InlineWatchpointSet& arrayPrototypeTransition = globalObject->arrayPrototype()->structure()->transitionWatchpointSet();
1174             if (node->child1()->shouldSpeculateArray() 
1175                 && arrayPrototypeTransition.isStillValid() 
1176                 && objectPrototypeTransition.isStillValid() 
1177                 && globalObject->arrayPrototypeChainIsSane()
1178                 && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node())
1179                 && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) {
1180                 m_graph.watchpoints().addLazily(objectPrototypeTransition);
1181                 m_graph.watchpoints().addLazily(arrayPrototypeTransition);
1182                 fixEdge<ArrayUse>(node->child1());
1183             } else
1184                 fixEdge<CellUse>(node->child1());
1185             break;
1186         }
1187             
1188         case NewArray: {
1189             watchHavingABadTime(node);
1190             
1191             for (unsigned i = m_graph.varArgNumChildren(node); i--;) {
1192                 node->setIndexingType(
1193                     leastUpperBoundOfIndexingTypeAndType(
1194                         node->indexingType(), m_graph.varArgChild(node, i)->prediction()));
1195             }
1196             switch (node->indexingType()) {
1197             case ALL_BLANK_INDEXING_TYPES:
1198                 CRASH();
1199                 break;
1200             case ALL_UNDECIDED_INDEXING_TYPES:
1201                 if (node->numChildren()) {
1202                     // This will only happen if the children have no type predictions. We
1203                     // would have already exited by now, but insert a forced exit just to
1204                     // be safe.
1205                     m_insertionSet.insertNode(
1206                         m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
1207                 }
1208                 break;
1209             case ALL_INT32_INDEXING_TYPES:
1210                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1211                     fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1212                 break;
1213             case ALL_DOUBLE_INDEXING_TYPES:
1214                 for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex)
1215                     fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]);
1216                 break;
1217             case ALL_CONTIGUOUS_INDEXING_TYPES:
1218             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
1219                 break;
1220             default:
1221                 CRASH();
1222                 break;
1223             }
1224             break;
1225         }
1226             
1227         case NewTypedArray: {
1228             watchHavingABadTime(node);
1229             
1230             if (node->child1()->shouldSpeculateInt32()) {
1231                 fixEdge<Int32Use>(node->child1());
1232                 node->clearFlags(NodeMustGenerate);
1233                 break;
1234             }
1235             break;
1236         }
1237             
1238         case NewArrayWithSize: {
1239             watchHavingABadTime(node);
1240             fixEdge<Int32Use>(node->child1());
1241             break;
1242         }
1243
1244         case NewArrayBuffer: {
1245             watchHavingABadTime(node);
1246             break;
1247         }
1248
1249         case CallObjectConstructor: {
1250             if (node->child1()->shouldSpeculateObject()) {
1251                 fixEdge<ObjectUse>(node->child1());
1252                 node->convertToIdentity();
1253                 break;
1254             }
1255
1256             fixEdge<UntypedUse>(node->child1());
1257             break;
1258         }
1259
1260         case ToThis: {
1261             fixupToThis(node);
1262             break;
1263         }
1264             
1265         case PutStructure: {
1266             fixEdge<KnownCellUse>(node->child1());
1267             break;
1268         }
1269             
1270         case GetClosureVar:
1271         case GetFromArguments: {
1272             fixEdge<KnownCellUse>(node->child1());
1273             break;
1274         }
1275
1276         case PutClosureVar:
1277         case PutToArguments: {
1278             fixEdge<KnownCellUse>(node->child1());
1279             speculateForBarrier(node->child2());
1280             break;
1281         }
1282
1283         case SkipScope:
1284         case GetScope:
1285         case GetGetter:
1286         case GetSetter:
1287         case GetGlobalObject: {
1288             fixEdge<KnownCellUse>(node->child1());
1289             break;
1290         }
1291             
1292         case AllocatePropertyStorage:
1293         case ReallocatePropertyStorage: {
1294             fixEdge<KnownCellUse>(node->child1());
1295             break;
1296         }
1297             
1298         case NukeStructureAndSetButterfly: {
1299             fixEdge<KnownCellUse>(node->child1());
1300             break;
1301         }
1302
1303         case TryGetById: {
1304             if (node->child1()->shouldSpeculateCell())
1305                 fixEdge<CellUse>(node->child1());
1306             break;
1307         }
1308
1309         case GetById:
1310         case GetByIdFlush: {
1311             // FIXME: This should be done in the ByteCodeParser based on reading the
1312             // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength.
1313             // https://bugs.webkit.org/show_bug.cgi?id=154990
1314             if (node->child1()->shouldSpeculateCellOrOther()
1315                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1316                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1317                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1318                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1319                 
1320                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1321                 
1322                 if (uid == vm().propertyNames->length.impl()) {
1323                     attemptToMakeGetArrayLength(node);
1324                     break;
1325                 }
1326
1327                 if (uid == vm().propertyNames->lastIndex.impl()
1328                     && node->child1()->shouldSpeculateRegExpObject()) {
1329                     node->setOp(GetRegExpObjectLastIndex);
1330                     node->clearFlags(NodeMustGenerate);
1331                     fixEdge<RegExpObjectUse>(node->child1());
1332                     break;
1333                 }
1334             }
1335
1336             if (node->child1()->shouldSpeculateCell())
1337                 fixEdge<CellUse>(node->child1());
1338             break;
1339         }
1340         
1341         case GetByIdWithThis: {
1342             if (node->child1()->shouldSpeculateCell() && node->child2()->shouldSpeculateCell()) {
1343                 fixEdge<CellUse>(node->child1());
1344                 fixEdge<CellUse>(node->child2());
1345             }
1346             break;
1347         }
1348
1349         case PutById:
1350         case PutByIdFlush:
1351         case PutByIdDirect: {
1352             if (node->child1()->shouldSpeculateCellOrOther()
1353                 && !m_graph.hasExitSite(node->origin.semantic, BadType)
1354                 && !m_graph.hasExitSite(node->origin.semantic, BadCache)
1355                 && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType)
1356                 && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) {
1357                 
1358                 auto uid = m_graph.identifiers()[node->identifierNumber()];
1359                 
1360                 if (uid == vm().propertyNames->lastIndex.impl()
1361                     && node->child1()->shouldSpeculateRegExpObject()) {
1362                     node->setOp(SetRegExpObjectLastIndex);
1363                     fixEdge<RegExpObjectUse>(node->child1());
1364                     speculateForBarrier(node->child2());
1365                     break;
1366                 }
1367             }
1368             
1369             fixEdge<CellUse>(node->child1());
1370             break;
1371         }
1372
1373         case PutGetterById:
1374         case PutSetterById: {
1375             fixEdge<KnownCellUse>(node->child1());
1376             fixEdge<KnownCellUse>(node->child2());
1377             break;
1378         }
1379
1380         case PutGetterSetterById: {
1381             fixEdge<KnownCellUse>(node->child1());
1382             break;
1383         }
1384
1385         case PutGetterByVal:
1386         case PutSetterByVal: {
1387             fixEdge<KnownCellUse>(node->child1());
1388             fixEdge<KnownCellUse>(node->child3());
1389             break;
1390         }
1391
1392         case GetExecutable: {
1393             fixEdge<FunctionUse>(node->child1());
1394             break;
1395         }
1396
1397         case OverridesHasInstance:
1398         case CheckStructure:
1399         case CheckCell:
1400         case CreateThis:
1401         case GetButterfly: {
1402             fixEdge<CellUse>(node->child1());
1403             break;
1404         }
1405
1406         case CheckStringIdent: {
1407             fixEdge<StringIdentUse>(node->child1());
1408             break;
1409         }
1410             
1411         case Arrayify:
1412         case ArrayifyToStructure: {
1413             fixEdge<CellUse>(node->child1());
1414             if (node->child2())
1415                 fixEdge<Int32Use>(node->child2());
1416             break;
1417         }
1418             
1419         case GetByOffset:
1420         case GetGetterSetterByOffset: {
1421             if (!node->child1()->hasStorageResult())
1422                 fixEdge<KnownCellUse>(node->child1());
1423             fixEdge<KnownCellUse>(node->child2());
1424             break;
1425         }
1426             
1427         case MultiGetByOffset: {
1428             fixEdge<CellUse>(node->child1());
1429             break;
1430         }
1431             
1432         case PutByOffset: {
1433             if (!node->child1()->hasStorageResult())
1434                 fixEdge<KnownCellUse>(node->child1());
1435             fixEdge<KnownCellUse>(node->child2());
1436             unsigned index = indexForChecks();
1437             insertInferredTypeCheck(
1438                 m_insertionSet, index, originForCheck(index), node->child3().node(),
1439                 node->storageAccessData().inferredType);
1440             speculateForBarrier(node->child3());
1441             break;
1442         }
1443             
1444         case MultiPutByOffset: {
1445             fixEdge<CellUse>(node->child1());
1446             break;
1447         }
1448             
1449         case InstanceOf: {
1450             if (!(node->child1()->prediction() & ~SpecCell))
1451                 fixEdge<CellUse>(node->child1());
1452             fixEdge<CellUse>(node->child2());
1453             break;
1454         }
1455
1456         case InstanceOfCustom:
1457             fixEdge<CellUse>(node->child2());
1458             break;
1459
1460         case In: {
1461             if (node->child2()->shouldSpeculateInt32()) {
1462                 convertToHasIndexedProperty(node);
1463                 break;
1464             }
1465
1466             fixEdge<CellUse>(node->child1());
1467             break;
1468         }
1469
1470         case HasOwnProperty: {
1471             fixEdge<ObjectUse>(node->child1());
1472 #if (CPU(X86) || CPU(MIPS)) && USE(JSVALUE32_64)
1473             // We don't have enough registers to do anything interesting on x86 and mips.
1474             fixEdge<UntypedUse>(node->child2());
1475 #else
1476             if (node->child2()->shouldSpeculateString())
1477                 fixEdge<StringUse>(node->child2());
1478             else if (node->child2()->shouldSpeculateSymbol())
1479                 fixEdge<SymbolUse>(node->child2());
1480             else
1481                 fixEdge<UntypedUse>(node->child2());
1482 #endif
1483             break;
1484         }
1485
1486         case Check: {
1487             m_graph.doToChildren(
1488                 node,
1489                 [&] (Edge& edge) {
1490                     switch (edge.useKind()) {
1491                     case NumberUse:
1492                         if (edge->shouldSpeculateInt32ForArithmetic())
1493                             edge.setUseKind(Int32Use);
1494                         break;
1495                     default:
1496                         break;
1497                     }
1498                     observeUseKindOnEdge(edge);
1499                 });
1500             break;
1501         }
1502
1503         case Phantom:
1504             // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend.
1505             node->remove();
1506             break;
1507
1508         case FiatInt52: {
1509             RELEASE_ASSERT(enableInt52());
1510             node->convertToIdentity();
1511             fixEdge<Int52RepUse>(node->child1());
1512             node->setResult(NodeResultInt52);
1513             break;
1514         }
1515
1516         case GetArrayLength: {
1517             fixEdge<KnownCellUse>(node->child1());
1518             break;
1519         }
1520
1521         case GetTypedArrayByteOffset: {
1522             fixEdge<KnownCellUse>(node->child1());
1523             break;
1524         }
1525
1526         case Phi:
1527         case Upsilon:
1528         case GetIndexedPropertyStorage:
1529         case LastNodeType:
1530         case CheckTierUpInLoop:
1531         case CheckTierUpAtReturn:
1532         case CheckTierUpAndOSREnter:
1533         case InvalidationPoint:
1534         case CheckArray:
1535         case CheckInBounds:
1536         case ConstantStoragePointer:
1537         case DoubleAsInt32:
1538         case ValueToInt32:
1539         case DoubleRep:
1540         case ValueRep:
1541         case Int52Rep:
1542         case Int52Constant:
1543         case Identity: // This should have been cleaned up.
1544         case BooleanToNumber:
1545         case PhantomNewObject:
1546         case PhantomNewFunction:
1547         case PhantomNewGeneratorFunction:
1548         case PhantomNewAsyncFunction:
1549         case PhantomCreateActivation:
1550         case PhantomDirectArguments:
1551         case PhantomCreateRest:
1552         case PhantomSpread:
1553         case PhantomNewArrayWithSpread:
1554         case PhantomClonedArguments:
1555         case GetMyArgumentByVal:
1556         case GetMyArgumentByValOutOfBounds:
1557         case GetVectorLength:
1558         case PutHint:
1559         case CheckStructureImmediate:
1560         case MaterializeNewObject:
1561         case MaterializeCreateActivation:
1562         case PutStack:
1563         case KillStack:
1564         case GetStack:
1565         case StoreBarrier:
1566         case FencedStoreBarrier:
1567         case GetRegExpObjectLastIndex:
1568         case SetRegExpObjectLastIndex:
1569         case RecordRegExpCachedResult:
1570             // These are just nodes that we don't currently expect to see during fixup.
1571             // If we ever wanted to insert them prior to fixup, then we just have to create
1572             // fixup rules for them.
1573             DFG_CRASH(m_graph, node, "Unexpected node during fixup");
1574             break;
1575         
1576         case PutGlobalVariable: {
1577             fixEdge<CellUse>(node->child1());
1578             speculateForBarrier(node->child2());
1579             break;
1580         }
1581
1582         case IsObject:
1583             if (node->child1()->shouldSpeculateObject()) {
1584                 m_insertionSet.insertNode(
1585                     m_indexInBlock, SpecNone, Check, node->origin,
1586                     Edge(node->child1().node(), ObjectUse));
1587                 m_graph.convertToConstant(node, jsBoolean(true));
1588                 observeUseKindOnNode<ObjectUse>(node);
1589             }
1590             break;
1591
1592         case IsCellWithType: {
1593             fixupIsCellWithType(node);
1594             break;
1595         }
1596
1597         case GetEnumerableLength: {
1598             fixEdge<CellUse>(node->child1());
1599             break;
1600         }
1601         case HasGenericProperty: {
1602             fixEdge<CellUse>(node->child2());
1603             break;
1604         }
1605         case HasStructureProperty: {
1606             fixEdge<StringUse>(node->child2());
1607             fixEdge<KnownCellUse>(node->child3());
1608             break;
1609         }
1610         case HasIndexedProperty: {
1611             node->setArrayMode(
1612                 node->arrayMode().refine(
1613                     m_graph, node,
1614                     node->child1()->prediction(),
1615                     node->child2()->prediction(),
1616                     SpecNone));
1617             
1618             blessArrayOperation(node->child1(), node->child2(), node->child3());
1619             fixEdge<CellUse>(node->child1());
1620             fixEdge<KnownInt32Use>(node->child2());
1621             break;
1622         }
1623         case GetDirectPname: {
1624             Edge& base = m_graph.varArgChild(node, 0);
1625             Edge& property = m_graph.varArgChild(node, 1);
1626             Edge& index = m_graph.varArgChild(node, 2);
1627             Edge& enumerator = m_graph.varArgChild(node, 3);
1628             fixEdge<CellUse>(base);
1629             fixEdge<KnownCellUse>(property);
1630             fixEdge<KnownInt32Use>(index);
1631             fixEdge<KnownCellUse>(enumerator);
1632             break;
1633         }
1634         case GetPropertyEnumerator: {
1635             fixEdge<CellUse>(node->child1());
1636             break;
1637         }
1638         case GetEnumeratorStructurePname: {
1639             fixEdge<KnownCellUse>(node->child1());
1640             fixEdge<KnownInt32Use>(node->child2());
1641             break;
1642         }
1643         case GetEnumeratorGenericPname: {
1644             fixEdge<KnownCellUse>(node->child1());
1645             fixEdge<KnownInt32Use>(node->child2());
1646             break;
1647         }
1648         case ToIndexString: {
1649             fixEdge<KnownInt32Use>(node->child1());
1650             break;
1651         }
1652         case ProfileType: {
1653             // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet.
1654             // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for
1655             // type T for the instructionTypeSet, the global type set must also have information for type T.
1656             // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T 
1657             // in the globalTypeSet would've also succeeded.
1658             // (The other direction does not hold in general).
1659
1660             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
1661             RuntimeTypeMask seenTypes = typeSet->seenTypes();
1662             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
1663                 if (node->child1()->shouldSpeculateInt32()) {
1664                     fixEdge<Int32Use>(node->child1());
1665                     node->remove();
1666                     break;
1667                 }
1668
1669                 if (enableInt52()) {
1670                     fixEdge<AnyIntUse>(node->child1());
1671                     node->remove();
1672                     break;
1673                 }
1674
1675                 // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
1676             }
1677
1678             if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
1679                 fixEdge<NumberUse>(node->child1());
1680                 node->remove();
1681             } else if (typeSet->doesTypeConformTo(TypeString)) {
1682                 fixEdge<StringUse>(node->child1());
1683                 node->remove();
1684             } else if (typeSet->doesTypeConformTo(TypeBoolean)) {
1685                 fixEdge<BooleanUse>(node->child1());
1686                 node->remove();
1687             } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) {
1688                 fixEdge<OtherUse>(node->child1());
1689                 node->remove();
1690             } else if (typeSet->doesTypeConformTo(TypeObject)) {
1691                 StructureSet set;
1692                 {
1693                     ConcurrentJSLocker locker(typeSet->m_lock);
1694                     set = typeSet->structureSet(locker);
1695                 }
1696                 if (!set.isEmpty()) {
1697                     fixEdge<CellUse>(node->child1());
1698                     node->convertToCheckStructure(m_graph.addStructureSet(set));
1699                 }
1700             }
1701
1702             break;
1703         }
1704
1705         case CreateClonedArguments: {
1706             watchHavingABadTime(node);
1707             break;
1708         }
1709
1710         case CreateScopedArguments:
1711         case CreateActivation:
1712         case NewFunction:
1713         case NewGeneratorFunction:
1714         case NewAsyncFunction: {
1715             fixEdge<CellUse>(node->child1());
1716             break;
1717         }
1718
1719         case SetFunctionName: {
1720             // The first child is guaranteed to be a cell because op_set_function_name is only used
1721             // on a newly instantiated function object (the first child).
1722             fixEdge<KnownCellUse>(node->child1());
1723             fixEdge<UntypedUse>(node->child2());
1724             break;
1725         }
1726
1727         case CreateRest: {
1728             watchHavingABadTime(node);
1729             fixEdge<KnownInt32Use>(node->child1());
1730             break;
1731         }
1732
1733         case ResolveScopeForHoistingFuncDeclInEval: {
1734             fixEdge<KnownCellUse>(node->child1());
1735             break;
1736         }
1737         case ResolveScope:
1738         case GetDynamicVar:
1739         case PutDynamicVar: {
1740             fixEdge<KnownCellUse>(node->child1());
1741             break;
1742         }
1743
1744         case LogShadowChickenPrologue: {
1745             fixEdge<KnownCellUse>(node->child1());
1746             break;
1747         }
1748         case LogShadowChickenTail: {
1749             fixEdge<UntypedUse>(node->child1());
1750             fixEdge<KnownCellUse>(node->child2());
1751             break;
1752         }
1753
1754         case GetMapBucket:
1755             if (node->child1().useKind() == MapObjectUse)
1756                 fixEdge<MapObjectUse>(node->child1());
1757             else if (node->child1().useKind() == SetObjectUse)
1758                 fixEdge<SetObjectUse>(node->child1());
1759             else
1760                 RELEASE_ASSERT_NOT_REACHED();
1761
1762 #if USE(JSVALUE64)
1763             if (node->child2()->shouldSpeculateBoolean())
1764                 fixEdge<BooleanUse>(node->child2());
1765             else if (node->child2()->shouldSpeculateInt32())
1766                 fixEdge<Int32Use>(node->child2());
1767             else if (node->child2()->shouldSpeculateSymbol())
1768                 fixEdge<SymbolUse>(node->child2());
1769             else if (node->child2()->shouldSpeculateObject())
1770                 fixEdge<ObjectUse>(node->child2());
1771             else if (node->child2()->shouldSpeculateString())
1772                 fixEdge<StringUse>(node->child2());
1773             else if (node->child2()->shouldSpeculateCell())
1774                 fixEdge<CellUse>(node->child2());
1775             else
1776                 fixEdge<UntypedUse>(node->child2());
1777 #else
1778             fixEdge<UntypedUse>(node->child2());
1779 #endif // USE(JSVALUE64)
1780
1781             fixEdge<Int32Use>(node->child3());
1782             break;
1783
1784         case LoadFromJSMapBucket:
1785             fixEdge<KnownCellUse>(node->child1());
1786             break;
1787
1788         case IsNonEmptyMapBucket:
1789             fixEdge<KnownCellUse>(node->child1());
1790             break;
1791
1792         case MapHash: {
1793 #if USE(JSVALUE64)
1794             if (node->child1()->shouldSpeculateBoolean()) {
1795                 fixEdge<BooleanUse>(node->child1());
1796                 break;
1797             }
1798
1799             if (node->child1()->shouldSpeculateInt32()) {
1800                 fixEdge<Int32Use>(node->child1());
1801                 break;
1802             }
1803
1804             if (node->child1()->shouldSpeculateSymbol()) {
1805                 fixEdge<SymbolUse>(node->child1());
1806                 break;
1807             }
1808
1809             if (node->child1()->shouldSpeculateObject()) {
1810                 fixEdge<ObjectUse>(node->child1());
1811                 break;
1812             }
1813
1814             if (node->child1()->shouldSpeculateString()) {
1815                 fixEdge<StringUse>(node->child1());
1816                 break;
1817             }
1818
1819             if (node->child1()->shouldSpeculateCell()) {
1820                 fixEdge<CellUse>(node->child1());
1821                 break;
1822             }
1823
1824             fixEdge<UntypedUse>(node->child1());
1825 #else
1826             fixEdge<UntypedUse>(node->child1());
1827 #endif // USE(JSVALUE64)
1828             break;
1829         }
1830
1831         case DefineDataProperty: {
1832             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1833             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1834             if (propertyEdge->shouldSpeculateSymbol())
1835                 fixEdge<SymbolUse>(propertyEdge);
1836             else if (propertyEdge->shouldSpeculateStringIdent())
1837                 fixEdge<StringIdentUse>(propertyEdge);
1838             else if (propertyEdge->shouldSpeculateString())
1839                 fixEdge<StringUse>(propertyEdge);
1840             else
1841                 fixEdge<UntypedUse>(propertyEdge);
1842             fixEdge<UntypedUse>(m_graph.varArgChild(node, 2));
1843             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3));
1844             break;
1845         }
1846
1847         case ToLowerCase: {
1848             // We currently only support StringUse since that will ensure that
1849             // ToLowerCase is a pure operation. If we decide to update this with
1850             // more types in the future, we need to ensure that the clobberize rules
1851             // are correct.
1852             fixEdge<StringUse>(node->child1());
1853             break;
1854         }
1855
1856         case NumberToStringWithRadix: {
1857             if (node->child1()->shouldSpeculateInt32())
1858                 fixEdge<Int32Use>(node->child1());
1859             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
1860                 fixEdge<Int52RepUse>(node->child1());
1861             else
1862                 fixEdge<DoubleRepUse>(node->child1());
1863             fixEdge<Int32Use>(node->child2());
1864             break;
1865         }
1866
1867         case DefineAccessorProperty: {
1868             fixEdge<CellUse>(m_graph.varArgChild(node, 0));
1869             Edge& propertyEdge = m_graph.varArgChild(node, 1);
1870             if (propertyEdge->shouldSpeculateSymbol())
1871                 fixEdge<SymbolUse>(propertyEdge);
1872             else if (propertyEdge->shouldSpeculateStringIdent())
1873                 fixEdge<StringIdentUse>(propertyEdge);
1874             else if (propertyEdge->shouldSpeculateString())
1875                 fixEdge<StringUse>(propertyEdge);
1876             else
1877                 fixEdge<UntypedUse>(propertyEdge);
1878             fixEdge<CellUse>(m_graph.varArgChild(node, 2));
1879             fixEdge<CellUse>(m_graph.varArgChild(node, 3));
1880             fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4));
1881             break;
1882         }
1883
1884         case CheckSubClass: {
1885             fixupCheckSubClass(node);
1886             break;
1887         }
1888
1889         case CallDOMGetter: {
1890             DOMJIT::CallDOMGetterSnippet* snippet = node->callDOMGetterData()->snippet;
1891             fixEdge<CellUse>(node->child1()); // DOM.
1892             if (snippet && snippet->requireGlobalObject)
1893                 fixEdge<KnownCellUse>(node->child2()); // GlobalObject.
1894             break;
1895         }
1896
1897         case CallDOM: {
1898             fixupCallDOM(node);
1899             break;
1900         }
1901
1902         case Call: {
1903             attemptToMakeCallDOM(node);
1904             break;
1905         }
1906
1907         case ParseInt: {
1908             if (node->child1()->shouldSpeculateInt32() && !node->child2()) {
1909                 fixEdge<Int32Use>(node->child1());
1910                 node->convertToIdentity();
1911                 break;
1912             }
1913
1914             if (node->child1()->shouldSpeculateString()) {
1915                 fixEdge<StringUse>(node->child1());
1916                 node->clearFlags(NodeMustGenerate);
1917             }
1918
1919             if (node->child2())
1920                 fixEdge<Int32Use>(node->child2());
1921
1922             break;
1923         }
1924
1925 #if !ASSERT_DISABLED
1926         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
1927         case SetArgument:
1928         case JSConstant:
1929         case LazyJSConstant:
1930         case DoubleConstant:
1931         case GetLocal:
1932         case GetCallee:
1933         case GetArgumentCountIncludingThis:
1934         case GetRestLength:
1935         case GetArgument:
1936         case Flush:
1937         case PhantomLocal:
1938         case GetLocalUnlinked:
1939         case GetGlobalVar:
1940         case GetGlobalLexicalVariable:
1941         case NotifyWrite:
1942         case DirectCall:
1943         case CheckTypeInfoFlags:
1944         case TailCallInlinedCaller:
1945         case DirectTailCallInlinedCaller:
1946         case Construct:
1947         case DirectConstruct:
1948         case CallVarargs:
1949         case CallEval:
1950         case TailCallVarargsInlinedCaller:
1951         case ConstructVarargs:
1952         case CallForwardVarargs:
1953         case ConstructForwardVarargs:
1954         case TailCallForwardVarargs:
1955         case TailCallForwardVarargsInlinedCaller:
1956         case LoadVarargs:
1957         case ForwardVarargs:
1958         case ProfileControlFlow:
1959         case NewObject:
1960         case NewRegexp:
1961         case DeleteById:
1962         case DeleteByVal:
1963         case IsTypedArrayView:
1964         case IsEmpty:
1965         case IsUndefined:
1966         case IsBoolean:
1967         case IsNumber:
1968         case IsObjectOrNull:
1969         case IsFunction:
1970         case CreateDirectArguments:
1971         case Jump:
1972         case Return:
1973         case TailCall:
1974         case DirectTailCall:
1975         case TailCallVarargs:
1976         case Throw:
1977         case ThrowStaticError:
1978         case CountExecution:
1979         case ForceOSRExit:
1980         case CheckBadCell:
1981         case CheckNotEmpty:
1982         case CheckTraps:
1983         case Unreachable:
1984         case ExtractOSREntryLocal:
1985         case LoopHint:
1986         case MovHint:
1987         case ZombieHint:
1988         case ExitOK:
1989         case BottomValue:
1990         case TypeOf:
1991         case PutByIdWithThis:
1992         case PutByValWithThis:
1993         case GetByValWithThis:
1994         case CompareEqPtr:
1995             break;
1996 #else
1997         default:
1998             break;
1999 #endif
2000         }
2001     }
2002
2003     void watchHavingABadTime(Node* node)
2004     {
2005         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2006
2007         // If this global object is not having a bad time, watch it. We go down this path anytime the code
2008         // does an array allocation. The types of array allocations may change if we start to have a bad
2009         // time. It's easier to reason about this if we know that whenever the types change after we start
2010         // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since
2011         // prior to this point nobody should have been doing optimizations based on the indexing type of
2012         // the allocation.
2013         if (!globalObject->isHavingABadTime()) {
2014             m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
2015             m_graph.freeze(globalObject);
2016         }
2017     }
2018     
2019     template<UseKind useKind>
2020     void createToString(Node* node, Edge& edge)
2021     {
2022         Node* toString = m_insertionSet.insertNode(
2023             m_indexInBlock, SpecString, ToString, node->origin,
2024             Edge(edge.node(), useKind));
2025         switch (useKind) {
2026         case Int32Use:
2027         case Int52RepUse:
2028         case DoubleRepUse:
2029         case NotCellUse:
2030             toString->clearFlags(NodeMustGenerate);
2031             break;
2032         default:
2033             break;
2034         }
2035         edge.setNode(toString);
2036     }
2037     
2038     template<UseKind useKind>
2039     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
2040     {
2041         ASSERT(arrayMode == ArrayMode(Array::Generic));
2042         
2043         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
2044             return;
2045         
2046         createToString<useKind>(node, node->child1());
2047         arrayMode = ArrayMode(Array::String);
2048     }
2049     
2050     template<UseKind useKind>
2051     bool isStringObjectUse()
2052     {
2053         switch (useKind) {
2054         case StringObjectUse:
2055         case StringOrStringObjectUse:
2056             return true;
2057         default:
2058             return false;
2059         }
2060     }
2061     
2062     template<UseKind useKind>
2063     void convertStringAddUse(Node* node, Edge& edge)
2064     {
2065         if (useKind == StringUse) {
2066             observeUseKindOnNode<StringUse>(edge.node());
2067             m_insertionSet.insertNode(
2068                 m_indexInBlock, SpecNone, Check, node->origin,
2069                 Edge(edge.node(), StringUse));
2070             edge.setUseKind(KnownStringUse);
2071             return;
2072         }
2073         
2074         observeUseKindOnNode<useKind>(edge.node());
2075         createToString<useKind>(node, edge);
2076     }
2077     
2078     void convertToMakeRope(Node* node)
2079     {
2080         node->setOpAndDefaultFlags(MakeRope);
2081         fixupMakeRope(node);
2082     }
2083     
2084     void fixupMakeRope(Node* node)
2085     {
2086         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
2087             Edge& edge = node->children.child(i);
2088             if (!edge)
2089                 break;
2090             edge.setUseKind(KnownStringUse);
2091             JSString* string = edge->dynamicCastConstant<JSString*>(vm());
2092             if (!string)
2093                 continue;
2094             if (string->length())
2095                 continue;
2096             
2097             // Don't allow the MakeRope to have zero children.
2098             if (!i && !node->child2())
2099                 break;
2100             
2101             node->children.removeEdge(i--);
2102         }
2103         
2104         if (!node->child2()) {
2105             ASSERT(!node->child3());
2106             node->convertToIdentity();
2107         }
2108     }
2109
2110     void fixupIsCellWithType(Node* node)
2111     {
2112         switch (node->speculatedTypeForQuery()) {
2113         case SpecString:
2114             if (node->child1()->shouldSpeculateString()) {
2115                 m_insertionSet.insertNode(
2116                     m_indexInBlock, SpecNone, Check, node->origin,
2117                     Edge(node->child1().node(), StringUse));
2118                 m_graph.convertToConstant(node, jsBoolean(true));
2119                 observeUseKindOnNode<StringUse>(node);
2120                 return;
2121             }
2122             break;
2123
2124         case SpecProxyObject:
2125             if (node->child1()->shouldSpeculateProxyObject()) {
2126                 m_insertionSet.insertNode(
2127                     m_indexInBlock, SpecNone, Check, node->origin,
2128                     Edge(node->child1().node(), ProxyObjectUse));
2129                 m_graph.convertToConstant(node, jsBoolean(true));
2130                 observeUseKindOnNode<ProxyObjectUse>(node);
2131                 return;
2132             }
2133             break;
2134
2135         case SpecRegExpObject:
2136             if (node->child1()->shouldSpeculateRegExpObject()) {
2137                 m_insertionSet.insertNode(
2138                     m_indexInBlock, SpecNone, Check, node->origin,
2139                     Edge(node->child1().node(), RegExpObjectUse));
2140                 m_graph.convertToConstant(node, jsBoolean(true));
2141                 observeUseKindOnNode<RegExpObjectUse>(node);
2142                 return;
2143             }
2144             break;
2145
2146         case SpecArray:
2147             if (node->child1()->shouldSpeculateArray()) {
2148                 m_insertionSet.insertNode(
2149                     m_indexInBlock, SpecNone, Check, node->origin,
2150                     Edge(node->child1().node(), ArrayUse));
2151                 m_graph.convertToConstant(node, jsBoolean(true));
2152                 observeUseKindOnNode<ArrayUse>(node);
2153                 return;
2154             }
2155             break;
2156
2157         case SpecDerivedArray:
2158             if (node->child1()->shouldSpeculateDerivedArray()) {
2159                 m_insertionSet.insertNode(
2160                     m_indexInBlock, SpecNone, Check, node->origin,
2161                     Edge(node->child1().node(), DerivedArrayUse));
2162                 m_graph.convertToConstant(node, jsBoolean(true));
2163                 observeUseKindOnNode<DerivedArrayUse>(node);
2164                 return;
2165             }
2166             break;
2167         }
2168
2169         if (node->child1()->shouldSpeculateCell()) {
2170             fixEdge<CellUse>(node->child1());
2171             return;
2172         }
2173
2174         if (node->child1()->shouldSpeculateNotCell()) {
2175             m_insertionSet.insertNode(
2176                 m_indexInBlock, SpecNone, Check, node->origin,
2177                 Edge(node->child1().node(), NotCellUse));
2178             m_graph.convertToConstant(node, jsBoolean(false));
2179             observeUseKindOnNode<NotCellUse>(node);
2180             return;
2181         }
2182     }
2183
2184     void fixupToThis(Node* node)
2185     {
2186         ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
2187
2188         if (ecmaMode == StrictMode) {
2189             if (node->child1()->shouldSpeculateBoolean()) {
2190                 fixEdge<BooleanUse>(node->child1());
2191                 node->convertToIdentity();
2192                 return;
2193             }
2194
2195             if (node->child1()->shouldSpeculateInt32()) {
2196                 fixEdge<Int32Use>(node->child1());
2197                 node->convertToIdentity();
2198                 return;
2199             }
2200
2201             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2202                 fixEdge<Int52RepUse>(node->child1());
2203                 node->convertToIdentity();
2204                 node->setResult(NodeResultInt52);
2205                 return;
2206             }
2207
2208             if (node->child1()->shouldSpeculateNumber()) {
2209                 fixEdge<DoubleRepUse>(node->child1());
2210                 node->convertToIdentity();
2211                 node->setResult(NodeResultDouble);
2212                 return;
2213             }
2214
2215             if (node->child1()->shouldSpeculateSymbol()) {
2216                 fixEdge<SymbolUse>(node->child1());
2217                 node->convertToIdentity();
2218                 return;
2219             }
2220
2221             if (node->child1()->shouldSpeculateStringIdent()) {
2222                 fixEdge<StringIdentUse>(node->child1());
2223                 node->convertToIdentity();
2224                 return;
2225             }
2226
2227             if (node->child1()->shouldSpeculateString()) {
2228                 fixEdge<StringUse>(node->child1());
2229                 node->convertToIdentity();
2230                 return;
2231             }
2232         }
2233
2234         if (node->child1()->shouldSpeculateOther()) {
2235             if (ecmaMode == StrictMode) {
2236                 fixEdge<OtherUse>(node->child1());
2237                 node->convertToIdentity();
2238                 return;
2239             }
2240
2241             m_insertionSet.insertNode(
2242                 m_indexInBlock, SpecNone, Check, node->origin,
2243                 Edge(node->child1().node(), OtherUse));
2244             observeUseKindOnNode<OtherUse>(node->child1().node());
2245             m_graph.convertToConstant(
2246                 node, m_graph.globalThisObjectFor(node->origin.semantic));
2247             return;
2248         }
2249
2250         // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
2251         // however, since we cover all the missing cases in constant folding.
2252         // https://bugs.webkit.org/show_bug.cgi?id=157213
2253         if (node->child1()->shouldSpeculateStringObject()) {
2254             fixEdge<StringObjectUse>(node->child1());
2255             node->convertToIdentity();
2256             return;
2257         }
2258
2259         if (isFinalObjectSpeculation(node->child1()->prediction())) {
2260             fixEdge<FinalObjectUse>(node->child1());
2261             node->convertToIdentity();
2262             return;
2263         }
2264     }
2265     
2266     void fixupToPrimitive(Node* node)
2267     {
2268         if (node->child1()->shouldSpeculateInt32()) {
2269             fixEdge<Int32Use>(node->child1());
2270             node->convertToIdentity();
2271             return;
2272         }
2273         
2274         if (node->child1()->shouldSpeculateString()) {
2275             fixEdge<StringUse>(node->child1());
2276             node->convertToIdentity();
2277             return;
2278         }
2279         
2280         if (node->child1()->shouldSpeculateStringObject()
2281             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2282             fixEdge<StringObjectUse>(node->child1());
2283             node->convertToToString();
2284             return;
2285         }
2286         
2287         if (node->child1()->shouldSpeculateStringOrStringObject()
2288             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2289             fixEdge<StringOrStringObjectUse>(node->child1());
2290             node->convertToToString();
2291             return;
2292         }
2293     }
2294
2295     void fixupToNumber(Node* node)
2296     {
2297         // If the prediction of the child is Number, we attempt to convert ToNumber to Identity.
2298         if (node->child1()->shouldSpeculateNumber()) {
2299             if (isInt32Speculation(node->getHeapPrediction())) {
2300                 // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple.
2301                 if (node->child1()->shouldSpeculateInt32()) {
2302                     fixEdge<Int32Use>(node->child1());
2303                     node->convertToIdentity();
2304                     return;
2305                 }
2306
2307                 // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values.
2308                 // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000.
2309                 fixEdge<DoubleRepUse>(node->child1());
2310                 node->setOp(DoubleAsInt32);
2311                 if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
2312                     node->setArithMode(Arith::CheckOverflow);
2313                 else
2314                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
2315                 return;
2316             }
2317
2318             fixEdge<DoubleRepUse>(node->child1());
2319             node->convertToIdentity();
2320             node->setResult(NodeResultDouble);
2321             return;
2322         }
2323
2324         fixEdge<UntypedUse>(node->child1());
2325         node->setResult(NodeResultJS);
2326     }
2327     
2328     void fixupToStringOrCallStringConstructor(Node* node)
2329     {
2330         if (node->child1()->shouldSpeculateString()) {
2331             fixEdge<StringUse>(node->child1());
2332             node->convertToIdentity();
2333             return;
2334         }
2335         
2336         if (node->child1()->shouldSpeculateStringObject()
2337             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2338             fixEdge<StringObjectUse>(node->child1());
2339             return;
2340         }
2341         
2342         if (node->child1()->shouldSpeculateStringOrStringObject()
2343             && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2344             fixEdge<StringOrStringObjectUse>(node->child1());
2345             return;
2346         }
2347         
2348         if (node->child1()->shouldSpeculateCell()) {
2349             fixEdge<CellUse>(node->child1());
2350             return;
2351         }
2352
2353         if (node->child1()->shouldSpeculateInt32()) {
2354             fixEdge<Int32Use>(node->child1());
2355             node->clearFlags(NodeMustGenerate);
2356             return;
2357         }
2358
2359         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
2360             fixEdge<Int52RepUse>(node->child1());
2361             node->clearFlags(NodeMustGenerate);
2362             return;
2363         }
2364
2365         if (node->child1()->shouldSpeculateNumber()) {
2366             fixEdge<DoubleRepUse>(node->child1());
2367             node->clearFlags(NodeMustGenerate);
2368             return;
2369         }
2370
2371         // ToString(Symbol) throws an error. So if the child1 can include Symbols,
2372         // we need to care about it in the clobberize. In the following case,
2373         // since NotCellUse edge filter is used and this edge filters Symbols,
2374         // we can say that ToString never throws an error!
2375         if (node->child1()->shouldSpeculateNotCell()) {
2376             fixEdge<NotCellUse>(node->child1());
2377             node->clearFlags(NodeMustGenerate);
2378             return;
2379         }
2380     }
2381
2382     bool attemptToMakeFastStringAdd(Node* node)
2383     {
2384         bool goodToGo = true;
2385         m_graph.doToChildren(
2386             node,
2387             [&] (Edge& edge) {
2388                 if (edge->shouldSpeculateString())
2389                     return;
2390                 if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) {
2391                     if (edge->shouldSpeculateStringObject())
2392                         return;
2393                     if (edge->shouldSpeculateStringOrStringObject())
2394                         return;
2395                 }
2396                 goodToGo = false;
2397             });
2398         if (!goodToGo)
2399             return false;
2400
2401         m_graph.doToChildren(
2402             node,
2403             [&] (Edge& edge) {
2404                 if (edge->shouldSpeculateString()) {
2405                     convertStringAddUse<StringUse>(node, edge);
2406                     return;
2407                 }
2408                 ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic));
2409                 if (edge->shouldSpeculateStringObject()) {
2410                     convertStringAddUse<StringObjectUse>(node, edge);
2411                     return;
2412                 }
2413                 if (edge->shouldSpeculateStringOrStringObject()) {
2414                     convertStringAddUse<StringOrStringObjectUse>(node, edge);
2415                     return;
2416                 }
2417                 RELEASE_ASSERT_NOT_REACHED();
2418             });
2419         
2420         convertToMakeRope(node);
2421         return true;
2422     }
2423
2424     void fixupGetAndSetLocalsInBlock(BasicBlock* block)
2425     {
2426         if (!block)
2427             return;
2428         ASSERT(block->isReachable);
2429         m_block = block;
2430         for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) {
2431             Node* node = m_currentNode = block->at(m_indexInBlock);
2432             if (node->op() != SetLocal && node->op() != GetLocal)
2433                 continue;
2434             
2435             VariableAccessData* variable = node->variableAccessData();
2436             switch (node->op()) {
2437             case GetLocal:
2438                 switch (variable->flushFormat()) {
2439                 case FlushedDouble:
2440                     node->setResult(NodeResultDouble);
2441                     break;
2442                 case FlushedInt52:
2443                     node->setResult(NodeResultInt52);
2444                     break;
2445                 default:
2446                     break;
2447                 }
2448                 break;
2449                 
2450             case SetLocal:
2451                 // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we
2452                 // add new type checking use kind for SetLocals, we need to modify that code as well.
2453                 
2454                 switch (variable->flushFormat()) {
2455                 case FlushedJSValue:
2456                     break;
2457                 case FlushedDouble:
2458                     fixEdge<DoubleRepUse>(node->child1());
2459                     break;
2460                 case FlushedInt32:
2461                     fixEdge<Int32Use>(node->child1());
2462                     break;
2463                 case FlushedInt52:
2464                     fixEdge<Int52RepUse>(node->child1());
2465                     break;
2466                 case FlushedCell:
2467                     fixEdge<CellUse>(node->child1());
2468                     break;
2469                 case FlushedBoolean:
2470                     fixEdge<BooleanUse>(node->child1());
2471                     break;
2472                 default:
2473                     RELEASE_ASSERT_NOT_REACHED();
2474                     break;
2475                 }
2476                 break;
2477                 
2478             default:
2479                 RELEASE_ASSERT_NOT_REACHED();
2480                 break;
2481             }
2482         }
2483         m_insertionSet.execute(block);
2484     }
2485     
2486     void addStringReplacePrimordialChecks(Node* searchRegExp)
2487     {
2488         Node* node = m_currentNode;
2489
2490         // Check that structure of searchRegExp is RegExp object
2491         m_insertionSet.insertNode(
2492             m_indexInBlock, SpecNone, Check, node->origin,
2493             Edge(searchRegExp, RegExpObjectUse));
2494
2495         auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) {
2496             unsigned index = m_graph.identifiers().ensure(propertyUID);
2497
2498             Node* actualProperty = m_insertionSet.insertNode(
2499                 m_indexInBlock, SpecNone, TryGetById, node->origin,
2500                 OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse));
2501
2502             m_insertionSet.insertNode(
2503                 m_indexInBlock, SpecNone, CheckCell, node->origin,
2504                 OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse));
2505         };
2506
2507         JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
2508
2509         // Check that searchRegExp.exec is the primordial RegExp.prototype.exec
2510         emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl());
2511         // Check that searchRegExp.global is the primordial RegExp.prototype.global
2512         emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl());
2513         // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode
2514         emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl());
2515         // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace]
2516         emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl());
2517     }
2518
2519     Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage)
2520     {
2521         ASSERT(arrayMode.isSpecific());
2522         
2523         if (arrayMode.type() == Array::String) {
2524             m_insertionSet.insertNode(
2525                 m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse));
2526         } else {
2527             // Note that we only need to be using a structure check if we opt for SaneChain, since
2528             // that needs to protect against JSArray's __proto__ being changed.
2529             Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic);
2530         
2531             Edge indexEdge = index ? Edge(index, Int32Use) : Edge();
2532             
2533             if (arrayMode.doesConversion()) {
2534                 if (structure) {
2535                     m_insertionSet.insertNode(
2536                         m_indexInBlock, SpecNone, ArrayifyToStructure, origin,
2537                         OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2538                 } else {
2539                     m_insertionSet.insertNode(
2540                         m_indexInBlock, SpecNone, Arrayify, origin,
2541                         OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge);
2542                 }
2543             } else {
2544                 if (structure) {
2545                     m_insertionSet.insertNode(
2546                         m_indexInBlock, SpecNone, CheckStructure, origin,
2547                         OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse));
2548                 } else {
2549                     m_insertionSet.insertNode(
2550                         m_indexInBlock, SpecNone, CheckArray, origin,
2551                         OpInfo(arrayMode.asWord()), Edge(array, CellUse));
2552                 }
2553             }
2554         }
2555         
2556         if (!storageCheck(arrayMode))
2557             return nullptr;
2558         
2559         if (arrayMode.usesButterfly()) {
2560             return m_insertionSet.insertNode(
2561                 m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
2562         }
2563         
2564         return m_insertionSet.insertNode(
2565             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
2566             OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
2567     }
2568     
2569     void blessArrayOperation(Edge base, Edge index, Edge& storageChild)
2570     {
2571         Node* node = m_currentNode;
2572         
2573         switch (node->arrayMode().type()) {
2574         case Array::ForceExit: {
2575             m_insertionSet.insertNode(
2576                 m_indexInBlock, SpecNone, ForceOSRExit, node->origin);
2577             return;
2578         }
2579             
2580         case Array::SelectUsingPredictions:
2581         case Array::Unprofiled:
2582             RELEASE_ASSERT_NOT_REACHED();
2583             return;
2584             
2585         case Array::Generic:
2586             return;
2587             
2588         default: {
2589             Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node());
2590             if (!storage)
2591                 return;
2592             
2593             storageChild = Edge(storage);
2594             return;
2595         } }
2596     }
2597     
2598     bool alwaysUnboxSimplePrimitives()
2599     {
2600 #if USE(JSVALUE64)
2601         return false;
2602 #else
2603         // Any boolean, int, or cell value is profitable to unbox on 32-bit because it
2604         // reduces traffic.
2605         return true;
2606 #endif
2607     }
2608
2609     template<UseKind useKind>
2610     void observeUseKindOnNode(Node* node)
2611     {
2612         if (useKind == UntypedUse)
2613             return;
2614         observeUseKindOnNode(node, useKind);
2615     }
2616
2617     void observeUseKindOnEdge(Edge edge)
2618     {
2619         observeUseKindOnNode(edge.node(), edge.useKind());
2620     }
2621
2622     void observeUseKindOnNode(Node* node, UseKind useKind)
2623     {
2624         if (node->op() != GetLocal)
2625             return;
2626         
2627         // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious.
2628         // https://bugs.webkit.org/show_bug.cgi?id=121518
2629         
2630         VariableAccessData* variable = node->variableAccessData();
2631         switch (useKind) {
2632         case Int32Use:
2633         case KnownInt32Use:
2634             if (alwaysUnboxSimplePrimitives()
2635                 || isInt32Speculation(variable->prediction()))
2636                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2637             break;
2638         case NumberUse:
2639         case RealNumberUse:
2640         case DoubleRepUse:
2641         case DoubleRepRealUse:
2642             if (variable->doubleFormatState() == UsingDoubleFormat)
2643                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2644             break;
2645         case BooleanUse:
2646         case KnownBooleanUse:
2647             if (alwaysUnboxSimplePrimitives()
2648                 || isBooleanSpeculation(variable->prediction()))
2649                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2650             break;
2651         case Int52RepUse:
2652             if (isAnyIntSpeculation(variable->prediction()))
2653                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2654             break;
2655         case CellUse:
2656         case KnownCellUse:
2657         case ObjectUse:
2658         case FunctionUse:
2659         case StringUse:
2660         case KnownStringUse:
2661         case SymbolUse:
2662         case StringObjectUse:
2663         case StringOrStringObjectUse:
2664             if (alwaysUnboxSimplePrimitives()
2665                 || isCellSpeculation(variable->prediction()))
2666                 m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
2667             break;
2668         default:
2669             break;
2670         }
2671     }
2672     
2673     template<UseKind useKind>
2674     void fixEdge(Edge& edge)
2675     {
2676         observeUseKindOnNode<useKind>(edge.node());
2677         edge.setUseKind(useKind);
2678     }
2679     
2680     unsigned indexForChecks()
2681     {
2682         unsigned index = m_indexInBlock;
2683         while (!m_block->at(index)->origin.exitOK)
2684             index--;
2685         return index;
2686     }
2687     
2688     NodeOrigin originForCheck(unsigned index)
2689     {
2690         return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic);
2691     }
2692     
2693     void speculateForBarrier(Edge value)
2694     {
2695         // Currently, the DFG won't take advantage of this speculation. But, we want to do it in
2696         // the DFG anyway because if such a speculation would be wrong, we want to know before
2697         // we do an expensive compile.
2698         
2699         if (value->shouldSpeculateInt32()) {
2700             insertCheck<Int32Use>(value.node());
2701             return;
2702         }
2703             
2704         if (value->shouldSpeculateBoolean()) {
2705             insertCheck<BooleanUse>(value.node());
2706             return;
2707         }
2708             
2709         if (value->shouldSpeculateOther()) {
2710             insertCheck<OtherUse>(value.node());
2711             return;
2712         }
2713             
2714         if (value->shouldSpeculateNumber()) {
2715             insertCheck<NumberUse>(value.node());
2716             return;
2717         }
2718             
2719         if (value->shouldSpeculateNotCell()) {
2720             insertCheck<NotCellUse>(value.node());
2721             return;
2722         }
2723     }
2724     
2725     template<UseKind useKind>
2726     void insertCheck(Node* node)
2727     {
2728         observeUseKindOnNode<useKind>(node);
2729         unsigned index = indexForChecks();
2730         m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind));
2731     }
2732
2733     void fixIntConvertingEdge(Edge& edge)
2734     {
2735         Node* node = edge.node();
2736         if (node->shouldSpeculateInt32OrBoolean()) {
2737             fixIntOrBooleanEdge(edge);
2738             return;
2739         }
2740         
2741         UseKind useKind;
2742         if (node->shouldSpeculateAnyInt())
2743             useKind = Int52RepUse;
2744         else if (node->shouldSpeculateNumber())
2745             useKind = DoubleRepUse;
2746         else
2747             useKind = NotCellUse;
2748         Node* newNode = m_insertionSet.insertNode(
2749             m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
2750             Edge(node, useKind));
2751         observeUseKindOnNode(node, useKind);
2752         
2753         edge = Edge(newNode, KnownInt32Use);
2754     }
2755     
2756     void fixIntOrBooleanEdge(Edge& edge)
2757     {
2758         Node* node = edge.node();
2759         if (!node->sawBooleans()) {
2760             fixEdge<Int32Use>(edge);
2761             return;
2762         }
2763         
2764         UseKind useKind;
2765         if (node->shouldSpeculateBoolean())
2766             useKind = BooleanUse;
2767         else
2768             useKind = UntypedUse;
2769         Node* newNode = m_insertionSet.insertNode(
2770             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2771             Edge(node, useKind));
2772         observeUseKindOnNode(node, useKind);
2773         
2774         edge = Edge(newNode, Int32Use);
2775     }
2776     
2777     void fixDoubleOrBooleanEdge(Edge& edge)
2778     {
2779         Node* node = edge.node();
2780         if (!node->sawBooleans()) {
2781             fixEdge<DoubleRepUse>(edge);
2782             return;
2783         }
2784         
2785         UseKind useKind;
2786         if (node->shouldSpeculateBoolean())
2787             useKind = BooleanUse;
2788         else
2789             useKind = UntypedUse;
2790         Node* newNode = m_insertionSet.insertNode(
2791             m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin,
2792             Edge(node, useKind));
2793         observeUseKindOnNode(node, useKind);
2794         
2795         edge = Edge(newNode, DoubleRepUse);
2796     }
2797     
2798     void truncateConstantToInt32(Edge& edge)
2799     {
2800         Node* oldNode = edge.node();
2801         
2802         JSValue value = oldNode->asJSValue();
2803         if (value.isInt32())
2804             return;
2805         
2806         value = jsNumber(JSC::toInt32(value.asNumber()));
2807         ASSERT(value.isInt32());
2808         edge.setNode(m_insertionSet.insertNode(
2809             m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin,
2810             OpInfo(m_graph.freeze(value))));
2811     }
2812     
2813     void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode)
2814     {
2815         if (mode != SpeculateInt32AndTruncateConstants)
2816             return;
2817         
2818         ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant());
2819         if (node->child1()->hasConstant())
2820             truncateConstantToInt32(node->child1());
2821         else
2822             truncateConstantToInt32(node->child2());
2823     }
2824
2825     bool attemptToMakeIntegerAdd(Node* node)
2826     {
2827         AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
2828         if (mode != DontSpeculateInt32) {
2829             truncateConstantsIfNecessary(node, mode);
2830             fixIntOrBooleanEdge(node->child1());
2831             fixIntOrBooleanEdge(node->child2());
2832             if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
2833                 node->setArithMode(Arith::Unchecked);
2834             else
2835                 node->setArithMode(Arith::CheckOverflow);
2836             return true;
2837         }
2838         
2839         if (m_graph.addShouldSpeculateAnyInt(node)) {
2840             fixEdge<Int52RepUse>(node->child1());
2841             fixEdge<Int52RepUse>(node->child2());
2842             node->setArithMode(Arith::CheckOverflow);
2843             node->setResult(NodeResultInt52);
2844             return true;
2845         }
2846         
2847         return false;
2848     }
2849     
2850     bool attemptToMakeGetArrayLength(Node* node)
2851     {
2852         if (!isInt32Speculation(node->prediction()))
2853             return false;
2854         CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic);
2855         ArrayProfile* arrayProfile = 
2856             profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex);
2857         ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions);
2858         if (arrayProfile) {
2859             ConcurrentJSLocker locker(profiledBlock->m_lock);
2860             arrayProfile->computeUpdatedPrediction(locker, profiledBlock);
2861             arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false);
2862             if (arrayMode.type() == Array::Unprofiled) {
2863                 // For normal array operations, it makes sense to treat Unprofiled
2864                 // accesses as ForceExit and get more data rather than using
2865                 // predictions and then possibly ending up with a Generic. But here,
2866                 // we treat anything that is Unprofiled as Generic and keep the
2867                 // GetById. I.e. ForceExit = Generic. So, there is no harm - and only
2868                 // profit - from treating the Unprofiled case as
2869                 // SelectUsingPredictions.
2870                 arrayMode = ArrayMode(Array::SelectUsingPredictions);
2871             }
2872         }
2873             
2874         arrayMode = arrayMode.refine(
2875             m_graph, node, node->child1()->prediction(), node->prediction());
2876             
2877         if (arrayMode.type() == Array::Generic) {
2878             // Check if the input is something that we can't get array length for, but for which we
2879             // could insert some conversions in order to transform it into something that we can do it
2880             // for.
2881             if (node->child1()->shouldSpeculateStringObject())
2882                 attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node);
2883             else if (node->child1()->shouldSpeculateStringOrStringObject())
2884                 attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node);
2885         }
2886             
2887         if (!arrayMode.supportsSelfLength())
2888             return false;
2889         
2890         convertToGetArrayLength(node, arrayMode);
2891         return true;
2892     }
2893
2894     void convertToGetArrayLength(Node* node, ArrayMode arrayMode)
2895     {
2896         node->setOp(GetArrayLength);
2897         node->clearFlags(NodeMustGenerate);
2898         fixEdge<KnownCellUse>(node->child1());
2899         node->setArrayMode(arrayMode);
2900             
2901         Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage);
2902         if (!storage)
2903             return;
2904             
2905         node->child2() = Edge(storage);
2906     }
2907     
2908     Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode)
2909     {
2910         Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage);
2911         return m_insertionSet.insertNode(
2912             m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
2913             OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
2914     }
2915
2916     void convertToHasIndexedProperty(Node* node)
2917     {
2918         node->setOp(HasIndexedProperty);
2919         node->clearFlags(NodeMustGenerate);
2920         node->setArrayMode(
2921             node->arrayMode().refine(
2922                 m_graph, node,
2923                 node->child1()->prediction(),
2924                 node->child2()->prediction(),
2925                 SpecNone));
2926         node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
2927
2928         blessArrayOperation(node->child1(), node->child2(), node->child3());
2929
2930         fixEdge<CellUse>(node->child1());
2931         fixEdge<Int32Use>(node->child2());
2932     }
2933
2934     bool attemptToMakeCallDOM(Node* node)
2935     {
2936         if (m_graph.hasExitSite(node->origin.semantic, BadType))
2937             return false;
2938
2939         const DOMJIT::Signature* signature = node->signature();
2940         if (!signature)
2941             return false;
2942
2943         {
2944             unsigned index = 0;
2945             bool shouldConvertToCallDOM = true;
2946             m_graph.doToChildren(node, [&](Edge& edge) {
2947                 // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks.
2948                 if (!index)
2949                     return;
2950
2951                 if (index == 1) {
2952                     // DOM node case.
2953                     if (edge->shouldSpeculateNotCell())
2954                         shouldConvertToCallDOM = false;
2955                 } else {
2956                     switch (signature->arguments[index - 2]) {
2957                     case SpecString:
2958                         if (edge->shouldSpeculateNotString())
2959                             shouldConvertToCallDOM = false;
2960                         break;
2961                     case SpecInt32Only:
2962                         if (edge->shouldSpeculateNotInt32())
2963                             shouldConvertToCallDOM = false;
2964                         break;
2965                     case SpecBoolean:
2966                         if (edge->shouldSpeculateNotBoolean())
2967                             shouldConvertToCallDOM = false;
2968                         break;
2969                     default:
2970                         RELEASE_ASSERT_NOT_REACHED();
2971                         break;
2972                     }
2973                 }
2974                 ++index;
2975             });
2976             if (!shouldConvertToCallDOM)
2977                 return false;
2978         }
2979
2980         Node* thisNode = m_graph.varArgChild(node, 1).node();
2981         Node* checkSubClass = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckSubClass, node->origin, OpInfo(signature->classInfo), Edge(thisNode));
2982         node->convertToCallDOM(m_graph);
2983         fixupCheckSubClass(checkSubClass);
2984         fixupCallDOM(node);
2985         return true;
2986     }
2987
2988     void fixupCheckSubClass(Node* node)
2989     {
2990         fixEdge<CellUse>(node->child1());
2991     }
2992
2993     void fixupCallDOM(Node* node)
2994     {
2995         const DOMJIT::Signature* signature = node->signature();
2996         auto fixup = [&](Edge& edge, unsigned argumentIndex) {
2997             if (!edge)
2998                 return;
2999             switch (signature->arguments[argumentIndex]) {
3000             case SpecString:
3001                 fixEdge<StringUse>(edge);
3002                 break;
3003             case SpecInt32Only:
3004                 fixEdge<Int32Use>(edge);
3005                 break;
3006             case SpecBoolean:
3007                 fixEdge<BooleanUse>(edge);
3008                 break;
3009             default:
3010                 RELEASE_ASSERT_NOT_REACHED();
3011                 break;
3012             }
3013         };
3014         fixEdge<CellUse>(node->child1()); // DOM.
3015         fixup(node->child2(), 0);
3016         fixup(node->child3(), 1);
3017     }
3018
3019     void fixupArrayIndexOf(Node* node)
3020     {
3021         Edge& array = m_graph.varArgChild(node, 0);
3022         Edge& storage = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3);
3023         blessArrayOperation(array, Edge(), storage);
3024         ASSERT_WITH_MESSAGE(storage.node(), "blessArrayOperation for ArrayIndexOf must set Butterfly for storage edge.");
3025
3026         Edge& searchElement = m_graph.varArgChild(node, 1);
3027
3028         // Constant folding.
3029         switch (node->arrayMode().type()) {
3030         case Array::Double:
3031         case Array::Int32: {
3032             if (searchElement->shouldSpeculateCell()) {
3033                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
3034                 m_graph.convertToConstant(node, jsNumber(-1));
3035                 observeUseKindOnNode<CellUse>(searchElement.node());
3036                 return;
3037             }
3038
3039             if (searchElement->shouldSpeculateOther()) {
3040                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
3041                 m_graph.convertToConstant(node, jsNumber(-1));
3042                 observeUseKindOnNode<OtherUse>(searchElement.node());
3043                 return;
3044             }
3045
3046             if (searchElement->shouldSpeculateBoolean()) {
3047                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
3048                 m_graph.convertToConstant(node, jsNumber(-1));
3049                 observeUseKindOnNode<BooleanUse>(searchElement.node());
3050                 return;
3051             }
3052             break;
3053         }
3054         default:
3055             break;
3056         }
3057
3058         fixEdge<KnownCellUse>(array);
3059         if (node->numChildren() == 4)
3060             fixEdge<Int32Use>(m_graph.varArgChild(node, 2));
3061
3062         switch (node->arrayMode().type()) {
3063         case Array::Double: {
3064             if (searchElement->shouldSpeculateNumber())
3065                 fixEdge<DoubleRepUse>(searchElement);
3066             return;
3067         }
3068         case Array::Int32: {
3069             if (searchElement->shouldSpeculateInt32())
3070                 fixEdge<Int32Use>(searchElement);
3071             return;
3072         }
3073         case Array::Contiguous: {
3074             if (searchElement->shouldSpeculateString())
3075                 fixEdge<StringUse>(searchElement);
3076             else if (searchElement->shouldSpeculateSymbol())
3077                 fixEdge<SymbolUse>(searchElement);
3078             else if (searchElement->shouldSpeculateOther())
3079                 fixEdge<OtherUse>(searchElement);
3080             else if (searchElement->shouldSpeculateObject())
3081                 fixEdge<ObjectUse>(searchElement);
3082             return;
3083         }
3084         default:
3085             RELEASE_ASSERT_NOT_REACHED();
3086             return;
3087         }
3088     }
3089
3090     void fixupChecksInBlock(BasicBlock* block)
3091     {
3092         if (!block)
3093             return;
3094         ASSERT(block->isReachable);
3095         m_block = block;
3096         unsigned indexForChecks = UINT_MAX;
3097         NodeOrigin originForChecks;
3098         for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
3099             Node* node = block->at(indexInBlock);
3100
3101             // If this is a node at which we could exit, then save its index. If nodes after this one
3102             // cannot exit, then we will hoist checks to here.
3103             if (node->origin.exitOK) {
3104                 indexForChecks = indexInBlock;
3105                 originForChecks = node->origin;
3106             }
3107
3108             originForChecks = originForChecks.withSemantic(node->origin.semantic);
3109             
3110             // First, try to relax the representational demands of each node, in order to have
3111             // fewer conversions.
3112             switch (node->op()) {
3113             case MovHint:
3114             case Check:
3115                 m_graph.doToChildren(
3116                     node,
3117                     [&] (Edge& edge) {
3118                         switch (edge.useKind()) {
3119                         case DoubleRepUse:
3120                         case DoubleRepRealUse:
3121                             if (edge->hasDoubleResult())
3122                                 break;
3123             
3124                             if (edge->hasInt52Result())
3125                                 edge.setUseKind(Int52RepUse);
3126                             else if (edge.useKind() == DoubleRepUse)
3127                                 edge.setUseKind(NumberUse);
3128                             break;
3129             
3130                         case Int52RepUse:
3131                             // Nothing we can really do.
3132                             break;
3133             
3134                         case UntypedUse:
3135                         case NumberUse:
3136                             if (edge->hasDoubleResult())
3137                                 edge.setUseKind(DoubleRepUse);
3138                             else if (edge->hasInt52Result())
3139                                 edge.setUseKind(Int52RepUse);
3140                             break;
3141             
3142                         case RealNumberUse:
3143                             if (edge->hasDoubleResult())
3144                                 edge.setUseKind(DoubleRepRealUse);
3145                             else if (edge->hasInt52Result())
3146                                 edge.setUseKind(Int52RepUse);
3147                             break;
3148             
3149                         default:
3150                             break;
3151                         }
3152                     });
3153                 break;
3154                 
3155             case ValueToInt32:
3156                 if (node->child1().useKind() == DoubleRepUse
3157                     && !node->child1()->hasDoubleResult()) {
3158                     node->child1().setUseKind(NumberUse);
3159                     break;
3160                 }
3161                 break;
3162                 
3163             default:
3164                 break;
3165             }
3166
3167             // Now, insert type conversions if necessary.
3168             m_graph.doToChildren(
3169                 node,
3170                 [&] (Edge& edge) {
3171                     Node* result = nullptr;
3172
3173                     switch (edge.useKind()) {
3174                     case DoubleRepUse:
3175                     case DoubleRepRealUse:
3176                     case DoubleRepAnyIntUse: {
3177                         if (edge->hasDoubleResult())
3178                             break;
3179             
3180                         if (edge->isNumberConstant()) {
3181                             result = m_insertionSet.insertNode(
3182                                 indexForChecks, SpecBytecodeDouble, DoubleConstant, originForChecks,
3183                                 OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber()))));
3184                         } else if (edge->hasInt52Result()) {
3185                             result = m_insertionSet.insertNode(
3186                                 indexForChecks, SpecAnyIntAsDouble, DoubleRep, originForChecks,
3187                                 Edge(edge.node(), Int52RepUse));
3188                         } else {
3189                             UseKind useKind;
3190                             if (edge->shouldSpeculateDoubleReal())
3191                                 useKind = RealNumberUse;
3192                             else if (edge->shouldSpeculateNumber())
3193                                 useKind = NumberUse;
3194                             else
3195                                 useKind = NotCellUse;
3196
3197                             result = m_insertionSet.insertNode(
3198                                 indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks,
3199                                 Edge(edge.node(), useKind));
3200                         }
3201
3202                         edge.setNode(result);
3203                         break;
3204                     }
3205             
3206                     case Int52RepUse: {
3207                         if (edge->hasInt52Result())
3208                             break;
3209             
3210                         if (edge->isAnyIntConstant()) {
3211                             result = m_insertionSet.insertNode(
3212                                 indexForChecks, SpecAnyInt, Int52Constant, originForChecks,
3213                                 OpInfo(edge->constant()));
3214                         } else if (edge->hasDoubleResult()) {
3215                             result = m_insertionSet.insertNode(
3216                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3217                                 Edge(edge.node(), DoubleRepAnyIntUse));
3218                         } else if (edge->shouldSpeculateInt32ForArithmetic()) {
3219                             result = m_insertionSet.insertNode(
3220                                 indexForChecks, SpecInt32Only, Int52Rep, originForChecks,
3221                                 Edge(edge.node(), Int32Use));
3222                         } else {
3223                             result = m_insertionSet.insertNode(
3224                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
3225                                 Edge(edge.node(), AnyIntUse));
3226                         }
3227
3228                         edge.setNode(result);
3229                         break;
3230                     }
3231
3232                     default: {
3233                         if (!edge->hasDoubleResult() && !edge->hasInt52Result())
3234                             break;
3235             
3236                         if (edge->hasDoubleResult()) {
3237                             result = m_insertionSet.insertNode(
3238                                 indexForChecks, SpecBytecodeDouble, ValueRep, originForChecks,
3239                                 Edge(edge.node(), DoubleRepUse));
3240                         } else {
3241                             result = m_insertionSet.insertNode(
3242                                 indexForChecks, SpecInt32Only | SpecAnyIntAsDouble, ValueRep,
3243                                 originForChecks, Edge(edge.node(), Int52RepUse));
3244                         }
3245
3246                         edge.setNode(result);
3247                         break;
3248                     } }
3249
3250                     // It's remotely possible that this node cannot do type checks, but we now have a
3251                     // type check on this node. We don't have to handle the general form of this
3252                     // problem. It only arises when ByteCodeParser emits an immediate SetLocal, rather
3253                     // than a delayed one. So, we only worry about those checks that we may have put on
3254                     // a SetLocal. Note that "indexForChecks != indexInBlock" is just another way of
3255                     // saying "!node->origin.exitOK".
3256                     if (indexForChecks != indexInBlock && mayHaveTypeCheck(edge.useKind())) {
3257                         UseKind knownUseKind;
3258                         
3259                         switch (edge.useKind()) {
3260                         case Int32Use:
3261                             knownUseKind = KnownInt32Use;
3262                             break;
3263                         case CellUse:
3264                             knownUseKind = KnownCellUse;
3265                             break;
3266                         case BooleanUse:
3267                             knownUseKind = KnownBooleanUse;
3268                             break;
3269                         default:
3270                             // This can only arise if we have a Check node, and in that case, we can
3271                             // just remove the original check.
3272                             DFG_ASSERT(m_graph, node, node->op() == Check);
3273                             knownUseKind = UntypedUse;
3274                             break;
3275                         }
3276
3277                         m_insertionSet.insertNode(
3278                             indexForChecks, SpecNone, Check, originForChecks, edge);
3279
3280                         edge.setUseKind(knownUseKind);
3281                     }
3282                 });
3283         }
3284         
3285         m_insertionSet.execute(block);
3286     }
3287     
3288     BasicBlock* m_block;
3289     unsigned m_indexInBlock;
3290     Node* m_currentNode;
3291     InsertionSet m_insertionSet;
3292     bool m_profitabilityChanged;
3293 };
3294     
3295 bool performFixup(Graph& graph)
3296 {
3297     return runPhase<FixupPhase>(graph);
3298 }
3299
3300 } } // namespace JSC::DFG
3301
3302 #endif // ENABLE(DFG_JIT)
3303