Changeset 194113 in webkit

Timestamp:

Dec 15, 2015, 1:19:31 PM (9 years ago)

Author:

mark.lam@apple.com

Message:

Polymorphic operand types for DFG and FTL bit operators.
​https://bugs.webkit.org/show_bug.cgi?id=152191

Reviewed by Saam Barati.

Source/JavaScriptCore:

• bytecode/SpeculatedType.h:

(JSC::isUntypedSpeculationForBitOps):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateUntypedForBitOps):

• Added check for types not supported by ValueToInt32, and therefore should be treated as untyped for bitops.

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• Handled untyped operands.

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• Added DFG slow path functions for bitops.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
(JSC::DFG::SpeculativeJIT::compileBitwiseOp):
(JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
(JSC::DFG::SpeculativeJIT::compileShiftOp):

• dfg/DFGSpeculativeJIT.h:
• Added DFG backend support untyped operands for bitops.

• dfg/DFGStrengthReductionPhase.cpp:

(JSC::DFG::StrengthReductionPhase::handleNode):

• Limit bitops strength reduction only to when we don't have untyped operands. This is because values that are not int32s need to be converted to int32. Without untyped operands, the ValueToInt32 node takes care of this. With untyped operands, we cannot use ValueToInt32, and need to do the conversion in the code emitted for the bitop node itself. For example:

5.5 | 0; yields 5 because ValueToInt32 converts the 5.5 to a 5.
"abc" | 0; would yield "abc" instead of the expected 0 if we let

strength reduction do its thing.

• ftl/FTLCompileBinaryOp.cpp:

(JSC::FTL::generateBinaryBitOpFastPath):
(JSC::FTL::generateRightShiftFastPath):
(JSC::FTL::generateBinaryOpFastPath):

• ftl/FTLInlineCacheDescriptor.h:

(JSC::FTL::BitAndDescriptor::BitAndDescriptor):
(JSC::FTL::BitAndDescriptor::icSize):
(JSC::FTL::BitAndDescriptor::nodeType):
(JSC::FTL::BitAndDescriptor::opName):
(JSC::FTL::BitAndDescriptor::slowPathFunction):
(JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
(JSC::FTL::BitOrDescriptor::BitOrDescriptor):
(JSC::FTL::BitOrDescriptor::icSize):
(JSC::FTL::BitOrDescriptor::nodeType):
(JSC::FTL::BitOrDescriptor::opName):
(JSC::FTL::BitOrDescriptor::slowPathFunction):
(JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
(JSC::FTL::BitXorDescriptor::BitXorDescriptor):
(JSC::FTL::BitXorDescriptor::icSize):
(JSC::FTL::BitXorDescriptor::nodeType):
(JSC::FTL::BitXorDescriptor::opName):
(JSC::FTL::BitXorDescriptor::slowPathFunction):
(JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
(JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
(JSC::FTL::BitLShiftDescriptor::icSize):
(JSC::FTL::BitLShiftDescriptor::nodeType):
(JSC::FTL::BitLShiftDescriptor::opName):
(JSC::FTL::BitLShiftDescriptor::slowPathFunction):
(JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
(JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
(JSC::FTL::BitRShiftDescriptor::icSize):
(JSC::FTL::BitRShiftDescriptor::nodeType):
(JSC::FTL::BitRShiftDescriptor::opName):
(JSC::FTL::BitRShiftDescriptor::slowPathFunction):
(JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
(JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
(JSC::FTL::BitURShiftDescriptor::icSize):
(JSC::FTL::BitURShiftDescriptor::nodeType):
(JSC::FTL::BitURShiftDescriptor::opName):
(JSC::FTL::BitURShiftDescriptor::slowPathFunction):
(JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):

• Added support for bitop ICs.

• ftl/FTLInlineCacheSize.cpp:

(JSC::FTL::sizeOfBitAnd):
(JSC::FTL::sizeOfBitOr):
(JSC::FTL::sizeOfBitXor):
(JSC::FTL::sizeOfBitLShift):
(JSC::FTL::sizeOfBitRShift):
(JSC::FTL::sizeOfBitURShift):

• ftl/FTLInlineCacheSize.h:
• Added new bitop IC sizes. These are just estimates for now that work adequately, and are shown to not impact performance on benchmarks. We will re-tune these sizes values later in another patch once all snippet ICs have been added.

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):

• Added support for bitop ICs.

• jit/JITLeftShiftGenerator.cpp:

(JSC::JITLeftShiftGenerator::generateFastPath):

• jit/JITLeftShiftGenerator.h:

(JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):

• jit/JITRightShiftGenerator.cpp:

(JSC::JITRightShiftGenerator::generateFastPath):

• The shift MASM operatons need to ensure that the shiftAmount is not in the same register as the destination register. With the baselineJIT and DFG, this is ensured in how we allocate these registers, and hence, the bug does not manifest. With the FTL, these registers are not guaranteed to be unique. Hence, we need to fix the shift op snippet code to compensate for this.

LayoutTests:

• js/regress/ftl-polymorphic-bitand-expected.txt: Added.
• js/regress/ftl-polymorphic-bitand.html: Added.
• js/regress/ftl-polymorphic-bitor-expected.txt: Added.
• js/regress/ftl-polymorphic-bitor.html: Added.
• js/regress/ftl-polymorphic-bitxor-expected.txt: Added.
• js/regress/ftl-polymorphic-bitxor.html: Added.
• js/regress/ftl-polymorphic-lshift-expected.txt: Added.
• js/regress/ftl-polymorphic-lshift.html: Added.
• js/regress/ftl-polymorphic-rshift-expected.txt: Added.
• js/regress/ftl-polymorphic-rshift.html: Added.
• js/regress/ftl-polymorphic-urshift-expected.txt: Added.
• js/regress/ftl-polymorphic-urshift.html: Added.
• js/regress/script-tests/ftl-polymorphic-bitand.js: Added.

(o1.valueOf):
(foo):

• js/regress/script-tests/ftl-polymorphic-bitor.js: Added.

(o1.valueOf):
(foo):

• js/regress/script-tests/ftl-polymorphic-bitxor.js: Added.

(o1.valueOf):
(foo):

• js/regress/script-tests/ftl-polymorphic-lshift.js: Added.

(o1.valueOf):
(foo):

• js/regress/script-tests/ftl-polymorphic-rshift.js: Added.

(o1.valueOf):
(foo):

• js/regress/script-tests/ftl-polymorphic-urshift.js: Added.

(o1.valueOf):
(foo):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress/ftl-polymorphic-bitand-expected.txt (added)
• LayoutTests/js/regress/ftl-polymorphic-bitand.html (added)
• LayoutTests/js/regress/ftl-polymorphic-bitor-expected.txt (added)
• LayoutTests/js/regress/ftl-polymorphic-bitor.html (added)
• LayoutTests/js/regress/ftl-polymorphic-bitxor-expected.txt (added)
• LayoutTests/js/regress/ftl-polymorphic-bitxor.html (added)
• LayoutTests/js/regress/ftl-polymorphic-lshift-expected.txt (added)
• LayoutTests/js/regress/ftl-polymorphic-lshift.html (added)
• LayoutTests/js/regress/ftl-polymorphic-rshift-expected.txt (added)
• LayoutTests/js/regress/ftl-polymorphic-rshift.html (added)
• LayoutTests/js/regress/ftl-polymorphic-urshift-expected.txt (added)
• LayoutTests/js/regress/ftl-polymorphic-urshift.html (added)
• LayoutTests/js/regress/script-tests/ftl-polymorphic-bitand.js (added)
• LayoutTests/js/regress/script-tests/ftl-polymorphic-bitor.js (added)
• LayoutTests/js/regress/script-tests/ftl-polymorphic-bitxor.js (added)
• LayoutTests/js/regress/script-tests/ftl-polymorphic-lshift.js (added)
• LayoutTests/js/regress/script-tests/ftl-polymorphic-rshift.js (added)
• LayoutTests/js/regress/script-tests/ftl-polymorphic-urshift.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/SpeculatedType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLCompileBinaryOp.cpp (modified) (6 diffs)
• Source/JavaScriptCore/ftl/FTLInlineCacheDescriptor.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLInlineCacheSize.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLInlineCacheSize.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (modified) (6 diffs)
• Source/JavaScriptCore/jit/JITLeftShiftGenerator.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITLeftShiftGenerator.h (modified) (1 diff)
• Source/JavaScriptCore/jit/JITRightShiftGenerator.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-12-15  Mark Lam  <mark.lam@apple.com>
+
+        Polymorphic operand types for DFG and FTL bit operators.
+        https://bugs.webkit.org/show_bug.cgi?id=152191
+
+        Reviewed by Saam Barati.
+
+        * js/regress/ftl-polymorphic-bitand-expected.txt: Added.
+        * js/regress/ftl-polymorphic-bitand.html: Added.
+        * js/regress/ftl-polymorphic-bitor-expected.txt: Added.
+        * js/regress/ftl-polymorphic-bitor.html: Added.
+        * js/regress/ftl-polymorphic-bitxor-expected.txt: Added.
+        * js/regress/ftl-polymorphic-bitxor.html: Added.
+        * js/regress/ftl-polymorphic-lshift-expected.txt: Added.
+        * js/regress/ftl-polymorphic-lshift.html: Added.
+        * js/regress/ftl-polymorphic-rshift-expected.txt: Added.
+        * js/regress/ftl-polymorphic-rshift.html: Added.
+        * js/regress/ftl-polymorphic-urshift-expected.txt: Added.
+        * js/regress/ftl-polymorphic-urshift.html: Added.
+        * js/regress/script-tests/ftl-polymorphic-bitand.js: Added.
+        (o1.valueOf):
+        (foo):
+        * js/regress/script-tests/ftl-polymorphic-bitor.js: Added.
+        (o1.valueOf):
+        (foo):
+        * js/regress/script-tests/ftl-polymorphic-bitxor.js: Added.
+        (o1.valueOf):
+        (foo):
+        * js/regress/script-tests/ftl-polymorphic-lshift.js: Added.
+        (o1.valueOf):
+        (foo):
+        * js/regress/script-tests/ftl-polymorphic-rshift.js: Added.
+        (o1.valueOf):
+        (foo):
+        * js/regress/script-tests/ftl-polymorphic-urshift.js: Added.
+        (o1.valueOf):
+        (foo):
+
 2015-12-15  Adam Bergkvist  <adam.bergkvist@ericsson.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-12-15  Mark Lam  <mark.lam@apple.com>
+
+        Polymorphic operand types for DFG and FTL bit operators.
+        https://bugs.webkit.org/show_bug.cgi?id=152191
+
+        Reviewed by Saam Barati.
+
+        * bytecode/SpeculatedType.h:
+        (JSC::isUntypedSpeculationForBitOps):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::shouldSpeculateUntypedForBitOps):
+        - Added check for types not supported by ValueToInt32, and therefore should be
+          treated as untyped for bitops.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        - Handled untyped operands.
+
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        - Added DFG slow path functions for bitops.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
+        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
+        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
+        (JSC::DFG::SpeculativeJIT::compileShiftOp):
+        * dfg/DFGSpeculativeJIT.h:
+        - Added DFG backend support untyped operands for bitops.
+
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+        - Limit bitops strength reduction only to when we don't have untyped operands.
+          This is because values that are not int32s need to be converted to int32.
+          Without untyped operands, the ValueToInt32 node takes care of this.
+          With untyped operands, we cannot use ValueToInt32, and need to do the conversion
+          in the code emitted for the bitop node itself.  For example:
+
+              5.5 | 0; // yields 5 because ValueToInt32 converts the 5.5 to a 5.
+              "abc" | 0; // would yield "abc" instead of the expected 0 if we let
+                         // strength reduction do its thing.
+
+        * ftl/FTLCompileBinaryOp.cpp:
+        (JSC::FTL::generateBinaryBitOpFastPath):
+        (JSC::FTL::generateRightShiftFastPath):
+        (JSC::FTL::generateBinaryOpFastPath):
+
+        * ftl/FTLInlineCacheDescriptor.h:
+        (JSC::FTL::BitAndDescriptor::BitAndDescriptor):
+        (JSC::FTL::BitAndDescriptor::icSize):
+        (JSC::FTL::BitAndDescriptor::nodeType):
+        (JSC::FTL::BitAndDescriptor::opName):
+        (JSC::FTL::BitAndDescriptor::slowPathFunction):
+        (JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
+        (JSC::FTL::BitOrDescriptor::BitOrDescriptor):
+        (JSC::FTL::BitOrDescriptor::icSize):
+        (JSC::FTL::BitOrDescriptor::nodeType):
+        (JSC::FTL::BitOrDescriptor::opName):
+        (JSC::FTL::BitOrDescriptor::slowPathFunction):
+        (JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
+        (JSC::FTL::BitXorDescriptor::BitXorDescriptor):
+        (JSC::FTL::BitXorDescriptor::icSize):
+        (JSC::FTL::BitXorDescriptor::nodeType):
+        (JSC::FTL::BitXorDescriptor::opName):
+        (JSC::FTL::BitXorDescriptor::slowPathFunction):
+        (JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
+        (JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
+        (JSC::FTL::BitLShiftDescriptor::icSize):
+        (JSC::FTL::BitLShiftDescriptor::nodeType):
+        (JSC::FTL::BitLShiftDescriptor::opName):
+        (JSC::FTL::BitLShiftDescriptor::slowPathFunction):
+        (JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
+        (JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
+        (JSC::FTL::BitRShiftDescriptor::icSize):
+        (JSC::FTL::BitRShiftDescriptor::nodeType):
+        (JSC::FTL::BitRShiftDescriptor::opName):
+        (JSC::FTL::BitRShiftDescriptor::slowPathFunction):
+        (JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
+        (JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
+        (JSC::FTL::BitURShiftDescriptor::icSize):
+        (JSC::FTL::BitURShiftDescriptor::nodeType):
+        (JSC::FTL::BitURShiftDescriptor::opName):
+        (JSC::FTL::BitURShiftDescriptor::slowPathFunction):
+        (JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):
+        - Added support for bitop ICs.
+
+        * ftl/FTLInlineCacheSize.cpp:
+        (JSC::FTL::sizeOfBitAnd):
+        (JSC::FTL::sizeOfBitOr):
+        (JSC::FTL::sizeOfBitXor):
+        (JSC::FTL::sizeOfBitLShift):
+        (JSC::FTL::sizeOfBitRShift):
+        (JSC::FTL::sizeOfBitURShift):
+        * ftl/FTLInlineCacheSize.h:
+        - Added new bitop IC sizes.  These are just estimates for now that work adequately,
+          and are shown to not impact performance on benchmarks.  We will re-tune these
+          sizes values later in another patch once all snippet ICs have been added.
+
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
+        - Added support for bitop ICs.
+
+        * jit/JITLeftShiftGenerator.cpp:
+        (JSC::JITLeftShiftGenerator::generateFastPath):
+        * jit/JITLeftShiftGenerator.h:
+        (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
+        * jit/JITRightShiftGenerator.cpp:
+        (JSC::JITRightShiftGenerator::generateFastPath):
+        - The shift MASM operatons need to ensure that the shiftAmount is not in the same
+          register as the destination register.  With the baselineJIT and DFG, this is
+          ensured in how we allocate these registers, and hence, the bug does not manifest.
+          With the FTL, these registers are not guaranteed to be unique.  Hence, we need
+          to fix the shift op snippet code to compensate for this. 
+
 2015-12-15  Caitlin Potter  <caitp@igalia.com>
 
@@ -1606 +1729 @@
         * runtime/CommonIdentifiers.h:
 
->>>>>>> .r193940
 2015-12-08  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h

@@ -391 +391 @@
 }
 
+inline bool isUntypedSpeculationForBitOps(SpeculatedType value)
+{
+    return !(value & (SpecFullNumber | SpecBoolean | SpecOther));
+}
+
 void dumpSpeculation(PrintStream&, SpeculatedType);
 void dumpSpeculationAbbreviated(PrintStream&, SpeculatedType);

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -234 +234 @@
     case BitLShift:
     case BitURShift: {
+        if (node->child1().useKind() == UntypedUse || node->child2().useKind() == UntypedUse) {
+            clobberWorld(node->origin.semantic, clobberLimit);
+            forNode(node).setType(m_graph, SpecInt32);
+            break;
+        }
+
         JSValue left = forNode(node->child1()).value();
         JSValue right = forNode(node->child2()).value();

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -122 +122 @@
         return;
         
-    case BitAnd:
-    case BitOr:
-    case BitXor:
-    case BitLShift:
-    case BitRShift:
-    case BitURShift:
     case ArithIMul:
     case ArithAbs:
@@ -165 +159 @@
         return;
 
+    case BitAnd:
+    case BitOr:
+    case BitXor:
+    case BitLShift:
+    case BitRShift:
+    case BitURShift:
+        if (node->child1().useKind() == UntypedUse || node->child2().useKind() == UntypedUse) {
+            read(World);
+            write(Heap);
+            return;
+        }
+        def(PureValue(node));
+        return;
+
     case ArithRandom:
         read(MathDotRandomState);

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -106 +106 @@
         case BitLShift:
         case BitURShift: {
+            if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())
+                && m_graph.hasExitSite(node->origin.semantic, BadType)) {
+                fixEdge<UntypedUse>(node->child1());
+                fixEdge<UntypedUse>(node->child2());
+                break;
+            }
             fixIntConvertingEdge(node->child1());
             fixIntConvertingEdge(node->child2());

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -2034 +2034 @@
     }
     
+    bool shouldSpeculateUntypedForBitOps()
+    {
+        return isUntypedSpeculationForBitOps(prediction());
+    }
+    
+    static bool shouldSpeculateUntypedForBitOps(Node* op1, Node* op2)
+    {
+        return op1->shouldSpeculateUntypedForBitOps() || op2->shouldSpeculateUntypedForBitOps();
+    }
+    
     static bool shouldSpeculateBoolean(Node* op1, Node* op2)
     {

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -174 +174 @@
 }
 
+EncodedJSValue JIT_OPERATION operationValueBitAnd(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    int32_t a = op1.toInt32(exec);
+    int32_t b = op2.toInt32(exec);
+    return JSValue::encode(jsNumber(a & b));
+}
+
+EncodedJSValue JIT_OPERATION operationValueBitOr(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    int32_t a = op1.toInt32(exec);
+    int32_t b = op2.toInt32(exec);
+    return JSValue::encode(jsNumber(a | b));
+}
+
+EncodedJSValue JIT_OPERATION operationValueBitXor(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    int32_t a = op1.toInt32(exec);
+    int32_t b = op2.toInt32(exec);
+    return JSValue::encode(jsNumber(a ^ b));
+}
+
+EncodedJSValue JIT_OPERATION operationValueBitLShift(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    int32_t a = op1.toInt32(exec);
+    uint32_t b = op2.toUInt32(exec);
+    return JSValue::encode(jsNumber(a << (b & 0x1f)));
+}
+
+EncodedJSValue JIT_OPERATION operationValueBitRShift(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    int32_t a = op1.toInt32(exec);
+    uint32_t b = op2.toUInt32(exec);
+    return JSValue::encode(jsNumber(a >> (b & 0x1f)));
+}
+
+EncodedJSValue JIT_OPERATION operationValueBitURShift(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    uint32_t a = op1.toUInt32(exec);
+    uint32_t b = op2.toUInt32(exec);
+    return JSValue::encode(jsNumber(static_cast<int32_t>(a >> (b & 0x1f))));
+}
+
 EncodedJSValue JIT_OPERATION operationValueAdd(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -44 +44 @@
 EncodedJSValue JIT_OPERATION operationToThis(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationToThisStrict(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueBitAnd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueBitOr(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueBitXor(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueBitLShift(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueBitRShift(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValueBitURShift(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueAddNotNumber(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -40 +40 @@
 #include "DirectArguments.h"
 #include "JITAddGenerator.h"
+#include "JITBitAndGenerator.h"
+#include "JITBitOrGenerator.h"
+#include "JITBitXorGenerator.h"
 #include "JITDivGenerator.h"
+#include "JITLeftShiftGenerator.h"
 #include "JITMulGenerator.h"
+#include "JITRightShiftGenerator.h"
 #include "JITSubGenerator.h"
 #include "JSArrowFunction.h"
@@ -2787 +2792 @@
 }
 
+template<typename SnippetGenerator, J_JITOperation_EJJ snippetSlowPathFunction>
+void SpeculativeJIT::emitUntypedBitOp(Node* node)
+{
+    Edge& leftChild = node->child1();
+    Edge& rightChild = node->child2();
+
+    if (isKnownNotNumber(leftChild.node()) || isKnownNotNumber(rightChild.node())) {
+        JSValueOperand left(this, leftChild);
+        JSValueOperand right(this, rightChild);
+        JSValueRegs leftRegs = left.jsValueRegs();
+        JSValueRegs rightRegs = right.jsValueRegs();
+#if USE(JSVALUE64)
+        GPRTemporary result(this);
+        JSValueRegs resultRegs = JSValueRegs(result.gpr());
+#else
+        GPRTemporary resultTag(this);
+        GPRTemporary resultPayload(this);
+        JSValueRegs resultRegs = JSValueRegs(resultPayload.gpr(), resultTag.gpr());
+#endif
+        flushRegisters();
+        callOperation(snippetSlowPathFunction, resultRegs, leftRegs, rightRegs);
+        m_jit.exceptionCheck();
+
+        jsValueResult(resultRegs, node);
+        return;
+    }
+
+    Optional<JSValueOperand> left;
+    Optional<JSValueOperand> right;
+
+    JSValueRegs leftRegs;
+    JSValueRegs rightRegs;
+
+#if USE(JSVALUE64)
+    GPRTemporary result(this);
+    JSValueRegs resultRegs = JSValueRegs(result.gpr());
+    GPRTemporary scratch(this);
+    GPRReg scratchGPR = scratch.gpr();
+#else
+    GPRTemporary resultTag(this);
+    GPRTemporary resultPayload(this);
+    JSValueRegs resultRegs = JSValueRegs(resultPayload.gpr(), resultTag.gpr());
+    GPRReg scratchGPR = resultTag.gpr();
+#endif
+
+    SnippetOperand leftOperand;
+    SnippetOperand rightOperand;
+
+    // The snippet generator does not support both operands being constant. If the left
+    // operand is already const, we'll ignore the right operand's constness.
+    if (leftChild->isInt32Constant())
+        leftOperand.setConstInt32(leftChild->asInt32());
+    else if (rightChild->isInt32Constant())
+        rightOperand.setConstInt32(rightChild->asInt32());
+
+    RELEASE_ASSERT(!leftOperand.isConst() || !rightOperand.isConst());
+
+    if (!leftOperand.isConst()) {
+        left = JSValueOperand(this, leftChild);
+        leftRegs = left->jsValueRegs();
+    }
+    if (!rightOperand.isConst()) {
+        right = JSValueOperand(this, rightChild);
+        rightRegs = right->jsValueRegs();
+    }
+
+    SnippetGenerator gen(leftOperand, rightOperand, resultRegs, leftRegs, rightRegs, scratchGPR);
+    gen.generateFastPath(m_jit);
+
+    ASSERT(gen.didEmitFastPath());
+    gen.endJumpList().append(m_jit.jump());
+
+    gen.slowPathJumpList().link(&m_jit);
+    silentSpillAllRegisters(resultRegs);
+
+    if (leftOperand.isConst()) {
+        leftRegs = resultRegs;
+        m_jit.moveValue(leftChild->asJSValue(), leftRegs);
+    } else if (rightOperand.isConst()) {
+        rightRegs = resultRegs;
+        m_jit.moveValue(rightChild->asJSValue(), rightRegs);
+    }
+
+    callOperation(snippetSlowPathFunction, resultRegs, leftRegs, rightRegs);
+
+    silentFillAllRegisters(resultRegs);
+    m_jit.exceptionCheck();
+
+    gen.endJumpList().link(&m_jit);
+    jsValueResult(resultRegs, node);
+}
+
 void SpeculativeJIT::compileBitwiseOp(Node* node)
 {
@@ -2792 +2889 @@
     Edge& leftChild = node->child1();
     Edge& rightChild = node->child2();
+
+    if (leftChild.useKind() == UntypedUse || rightChild.useKind() == UntypedUse) {
+        switch (op) {
+        case BitAnd:
+            emitUntypedBitOp<JITBitAndGenerator, operationValueBitAnd>(node);
+            return;
+        case BitOr:
+            emitUntypedBitOp<JITBitOrGenerator, operationValueBitOr>(node);
+            return;
+        case BitXor:
+            emitUntypedBitOp<JITBitXorGenerator, operationValueBitXor>(node);
+            return;
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+        }
+    }
 
     if (leftChild->isInt32Constant()) {
@@ -2822 +2935 @@
 }
 
+void SpeculativeJIT::emitUntypedRightShiftBitOp(Node* node)
+{
+    J_JITOperation_EJJ snippetSlowPathFunction = node->op() == BitRShift
+        ? operationValueBitRShift : operationValueBitURShift;
+    JITRightShiftGenerator::ShiftType shiftType = node->op() == BitRShift
+        ? JITRightShiftGenerator::SignedShift : JITRightShiftGenerator::UnsignedShift;
+
+    Edge& leftChild = node->child1();
+    Edge& rightChild = node->child2();
+
+    if (isKnownNotNumber(leftChild.node()) || isKnownNotNumber(rightChild.node())) {
+        JSValueOperand left(this, leftChild);
+        JSValueOperand right(this, rightChild);
+        JSValueRegs leftRegs = left.jsValueRegs();
+        JSValueRegs rightRegs = right.jsValueRegs();
+#if USE(JSVALUE64)
+        GPRTemporary result(this);
+        JSValueRegs resultRegs = JSValueRegs(result.gpr());
+#else
+        GPRTemporary resultTag(this);
+        GPRTemporary resultPayload(this);
+        JSValueRegs resultRegs = JSValueRegs(resultPayload.gpr(), resultTag.gpr());
+#endif
+        flushRegisters();
+        callOperation(snippetSlowPathFunction, resultRegs, leftRegs, rightRegs);
+        m_jit.exceptionCheck();
+
+        jsValueResult(resultRegs, node);
+        return;
+    }
+
+    Optional<JSValueOperand> left;
+    Optional<JSValueOperand> right;
+
+    JSValueRegs leftRegs;
+    JSValueRegs rightRegs;
+
+    FPRTemporary leftNumber(this);
+    FPRReg leftFPR = leftNumber.fpr();
+
+#if USE(JSVALUE64)
+    GPRTemporary result(this);
+    JSValueRegs resultRegs = JSValueRegs(result.gpr());
+    GPRTemporary scratch(this);
+    GPRReg scratchGPR = scratch.gpr();
+    FPRReg scratchFPR = InvalidFPRReg;
+#else
+    GPRTemporary resultTag(this);
+    GPRTemporary resultPayload(this);
+    JSValueRegs resultRegs = JSValueRegs(resultPayload.gpr(), resultTag.gpr());
+    GPRReg scratchGPR = resultTag.gpr();
+    FPRTemporary fprScratch(this);
+    FPRReg scratchFPR = fprScratch.fpr();
+#endif
+
+    SnippetOperand leftOperand;
+    SnippetOperand rightOperand;
+
+    // The snippet generator does not support both operands being constant. If the left
+    // operand is already const, we'll ignore the right operand's constness.
+    if (leftChild->isInt32Constant())
+        leftOperand.setConstInt32(leftChild->asInt32());
+    else if (rightChild->isInt32Constant())
+        rightOperand.setConstInt32(rightChild->asInt32());
+
+    RELEASE_ASSERT(!leftOperand.isConst() || !rightOperand.isConst());
+
+    if (!leftOperand.isConst()) {
+        left = JSValueOperand(this, leftChild);
+        leftRegs = left->jsValueRegs();
+    }
+    if (!rightOperand.isConst()) {
+        right = JSValueOperand(this, rightChild);
+        rightRegs = right->jsValueRegs();
+    }
+
+    JITRightShiftGenerator gen(leftOperand, rightOperand, resultRegs, leftRegs, rightRegs,
+        leftFPR, scratchGPR, scratchFPR, shiftType);
+    gen.generateFastPath(m_jit);
+
+    ASSERT(gen.didEmitFastPath());
+    gen.endJumpList().append(m_jit.jump());
+
+    gen.slowPathJumpList().link(&m_jit);
+    silentSpillAllRegisters(resultRegs);
+
+    if (leftOperand.isConst()) {
+        leftRegs = resultRegs;
+        m_jit.moveValue(leftChild->asJSValue(), leftRegs);
+    } else if (rightOperand.isConst()) {
+        rightRegs = resultRegs;
+        m_jit.moveValue(rightChild->asJSValue(), rightRegs);
+    }
+
+    callOperation(snippetSlowPathFunction, resultRegs, leftRegs, rightRegs);
+
+    silentFillAllRegisters(resultRegs);
+    m_jit.exceptionCheck();
+
+    gen.endJumpList().link(&m_jit);
+    jsValueResult(resultRegs, node);
+    return;
+}
+
 void SpeculativeJIT::compileShiftOp(Node* node)
 {
@@ -2827 +3044 @@
     Edge& leftChild = node->child1();
     Edge& rightChild = node->child2();
+
+    if (leftChild.useKind() == UntypedUse || rightChild.useKind() == UntypedUse) {
+        switch (op) {
+        case BitLShift:
+            emitUntypedBitOp<JITLeftShiftGenerator, operationValueBitLShift>(node);
+            return;
+        case BitRShift:
+        case BitURShift:
+            emitUntypedRightShiftBitOp(node);
+            return;
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+        }
+    }
 
     if (rightChild->isInt32Constant()) {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -2218 +2218 @@
     void compileUInt32ToNumber(Node*);
     void compileDoubleAsInt32(Node*);
+
+    template<typename SnippetGenerator, J_JITOperation_EJJ slowPathFunction>
+    void emitUntypedBitOp(Node*);
     void compileBitwiseOp(Node*);
+
+    void emitUntypedRightShiftBitOp(Node*);
     void compileShiftOp(Node*);
+
     void compileValueAdd(Node*);
     void compileArithAdd(Node*);

trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp

@@ -75 +75 @@
             handleCommutativity();
 
-            if (m_node->child2()->isInt32Constant() && !m_node->child2()->asInt32()) {
+            if (m_node->child1().useKind() != UntypedUse && m_node->child2()->isInt32Constant() && !m_node->child2()->asInt32()) {
                 convertToIdentityOverChild1();
                 break;
@@ -89 +89 @@
         case BitRShift:
         case BitURShift:
-            if (m_node->child2()->isInt32Constant() && !(m_node->child2()->asInt32() & 0x1f)) {
+            if (m_node->child1().useKind() != UntypedUse && m_node->child2()->isInt32Constant() && !(m_node->child2()->asInt32() & 0x1f)) {
                 convertToIdentityOverChild1();
                 break;

trunk/Source/JavaScriptCore/ftl/FTLCompileBinaryOp.cpp

@@ -33 +33 @@
 #include "GPRInfo.h"
 #include "JITAddGenerator.h"
+#include "JITBitAndGenerator.h"
+#include "JITBitOrGenerator.h"
+#include "JITBitXorGenerator.h"
 #include "JITDivGenerator.h"
+#include "JITLeftShiftGenerator.h"
 #include "JITMulGenerator.h"
+#include "JITRightShiftGenerator.h"
 #include "JITSubGenerator.h"
 #include "ScratchRegisterAllocator.h"
@@ -160 +165 @@
 };
 
+template<typename SnippetGenerator>
+void generateBinaryBitOpFastPath(BinaryOpDescriptor& ic, CCallHelpers& jit,
+    GPRReg result, GPRReg left, GPRReg right, RegisterSet usedRegisters,
+    CCallHelpers::Jump& done, CCallHelpers::Jump& slowPathStart)
+{
+    ScratchRegisterAllocator allocator(usedRegisters);
+
+    BinarySnippetRegisterContext context(allocator, result, left, right);
+
+    GPRReg scratchGPR = allocator.allocateScratchGPR();
+
+    SnippetGenerator gen(ic.leftOperand(), ic.rightOperand(), JSValueRegs(result),
+        JSValueRegs(left), JSValueRegs(right), scratchGPR);
+
+    unsigned numberOfBytesUsedToPreserveReusedRegisters =
+        allocator.preserveReusedRegistersByPushing(jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
+
+    context.initializeRegisters(jit);
+    gen.generateFastPath(jit);
+
+    ASSERT(gen.didEmitFastPath());
+    gen.endJumpList().link(&jit);
+
+    context.restoreRegisters(jit);
+    allocator.restoreReusedRegistersByPopping(jit, numberOfBytesUsedToPreserveReusedRegisters,
+        ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
+    done = jit.jump();
+
+    gen.slowPathJumpList().link(&jit);
+    context.restoreRegisters(jit);
+    allocator.restoreReusedRegistersByPopping(jit, numberOfBytesUsedToPreserveReusedRegisters,
+        ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
+    slowPathStart = jit.jump();
+}
+
+static void generateRightShiftFastPath(BinaryOpDescriptor& ic, CCallHelpers& jit,
+    GPRReg result, GPRReg left, GPRReg right, RegisterSet usedRegisters,
+    CCallHelpers::Jump& done, CCallHelpers::Jump& slowPathStart,
+    JITRightShiftGenerator::ShiftType shiftType)
+{
+    ScratchRegisterAllocator allocator(usedRegisters);
+
+    BinarySnippetRegisterContext context(allocator, result, left, right);
+
+    FPRReg leftFPR = allocator.allocateScratchFPR();
+    GPRReg scratchGPR = allocator.allocateScratchGPR();
+
+    JITRightShiftGenerator gen(ic.leftOperand(), ic.rightOperand(), JSValueRegs(result),
+        JSValueRegs(left), JSValueRegs(right), leftFPR, scratchGPR, InvalidFPRReg, shiftType);
+
+    unsigned numberOfBytesUsedToPreserveReusedRegisters =
+        allocator.preserveReusedRegistersByPushing(jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
+
+    context.initializeRegisters(jit);
+    gen.generateFastPath(jit);
+
+    ASSERT(gen.didEmitFastPath());
+    gen.endJumpList().link(&jit);
+    context.restoreRegisters(jit);
+    allocator.restoreReusedRegistersByPopping(jit, numberOfBytesUsedToPreserveReusedRegisters,
+        ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
+    done = jit.jump();
+
+    gen.slowPathJumpList().link(&jit);
+    context.restoreRegisters(jit);
+    allocator.restoreReusedRegistersByPopping(jit, numberOfBytesUsedToPreserveReusedRegisters,
+        ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
+    slowPathStart = jit.jump();
+}
+
 template<typename BinaryArithOpGenerator, ScratchFPRUsage scratchFPRUsage = DontNeedScratchFPR>
 void generateBinaryArithOpFastPath(BinaryOpDescriptor& ic, CCallHelpers& jit,
@@ -179 +254 @@
         JSValueRegs(left), JSValueRegs(right), leftFPR, rightFPR, scratchGPR, scratchFPR);
 
-    auto numberOfBytesUsedToPreserveReusedRegisters =
+    unsigned numberOfBytesUsedToPreserveReusedRegisters =
         allocator.preserveReusedRegistersByPushing(jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
 
@@ -189 +264 @@
     context.restoreRegisters(jit);
     allocator.restoreReusedRegistersByPopping(jit, numberOfBytesUsedToPreserveReusedRegisters,
-        ScratchRegisterAllocator::ExtraStackSpace::SpaceForCCall);
+        ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
     done = jit.jump();
 
@@ -195 +270 @@
     context.restoreRegisters(jit);
     allocator.restoreReusedRegistersByPopping(jit, numberOfBytesUsedToPreserveReusedRegisters,
-        ScratchRegisterAllocator::ExtraStackSpace::SpaceForCCall);
+        ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
     slowPathStart = jit.jump();
 }
@@ -204 +279 @@
 {
     switch (ic.nodeType()) {
+    case BitAnd:
+        generateBinaryBitOpFastPath<JITBitAndGenerator>(ic, jit, result, left, right, usedRegisters, done, slowPathStart);
+        break;
+    case BitOr:
+        generateBinaryBitOpFastPath<JITBitOrGenerator>(ic, jit, result, left, right, usedRegisters, done, slowPathStart);
+        break;
+    case BitXor:
+        generateBinaryBitOpFastPath<JITBitXorGenerator>(ic, jit, result, left, right, usedRegisters, done, slowPathStart);
+        break;
+    case BitLShift:
+        generateBinaryBitOpFastPath<JITLeftShiftGenerator>(ic, jit, result, left, right, usedRegisters, done, slowPathStart);
+        break;
+    case BitRShift:
+        generateRightShiftFastPath(ic, jit, result, left, right, usedRegisters, done, slowPathStart, JITRightShiftGenerator::SignedShift);
+        break;
+    case BitURShift:
+        generateRightShiftFastPath(ic, jit, result, left, right, usedRegisters, done, slowPathStart, JITRightShiftGenerator::UnsignedShift);
+        break;
     case ArithDiv:
         generateBinaryArithOpFastPath<JITDivGenerator, NeedScratchFPR>(ic, jit, result, left, right, usedRegisters, done, slowPathStart);

trunk/Source/JavaScriptCore/ftl/FTLInlineCacheDescriptor.h

@@ -165 +165 @@
 };
 
+class BitAndDescriptor : public BinaryOpDescriptor {
+public:
+    BitAndDescriptor(unsigned stackmapID, CodeOrigin codeOrigin, const SnippetOperand& leftOperand, const SnippetOperand& rightOperand)
+        : BinaryOpDescriptor(nodeType(), stackmapID, codeOrigin, icSize(), opName(), slowPathFunction(), leftOperand, rightOperand)
+    { }
+
+    static size_t icSize() { return sizeOfBitAnd(); }
+    static unsigned nodeType() { return DFG::BitAnd; }
+    static const char* opName() { return "BitAnd"; }
+    static J_JITOperation_EJJ slowPathFunction() { return DFG::operationValueBitAnd; }
+    static J_JITOperation_EJJ nonNumberSlowPathFunction() { return slowPathFunction(); }
+};
+
+class BitOrDescriptor : public BinaryOpDescriptor {
+public:
+    BitOrDescriptor(unsigned stackmapID, CodeOrigin codeOrigin, const SnippetOperand& leftOperand, const SnippetOperand& rightOperand)
+        : BinaryOpDescriptor(nodeType(), stackmapID, codeOrigin, icSize(), opName(), slowPathFunction(), leftOperand, rightOperand)
+    { }
+
+    static size_t icSize() { return sizeOfBitOr(); }
+    static unsigned nodeType() { return DFG::BitOr; }
+    static const char* opName() { return "BitOr"; }
+    static J_JITOperation_EJJ slowPathFunction() { return DFG::operationValueBitOr; }
+    static J_JITOperation_EJJ nonNumberSlowPathFunction() { return slowPathFunction(); }
+};
+
+class BitXorDescriptor : public BinaryOpDescriptor {
+public:
+    BitXorDescriptor(unsigned stackmapID, CodeOrigin codeOrigin, const SnippetOperand& leftOperand, const SnippetOperand& rightOperand)
+        : BinaryOpDescriptor(nodeType(), stackmapID, codeOrigin, icSize(), opName(), slowPathFunction(), leftOperand, rightOperand)
+    { }
+
+    static size_t icSize() { return sizeOfBitXor(); }
+    static unsigned nodeType() { return DFG::BitXor; }
+    static const char* opName() { return "BitXor"; }
+    static J_JITOperation_EJJ slowPathFunction() { return DFG::operationValueBitXor; }
+    static J_JITOperation_EJJ nonNumberSlowPathFunction() { return slowPathFunction(); }
+};
+
+class BitLShiftDescriptor : public BinaryOpDescriptor {
+public:
+    BitLShiftDescriptor(unsigned stackmapID, CodeOrigin codeOrigin, const SnippetOperand& leftOperand, const SnippetOperand& rightOperand)
+        : BinaryOpDescriptor(nodeType(), stackmapID, codeOrigin, icSize(), opName(), slowPathFunction(), leftOperand, rightOperand)
+    { }
+
+    static size_t icSize() { return sizeOfBitLShift(); }
+    static unsigned nodeType() { return DFG::BitLShift; }
+    static const char* opName() { return "BitLShift"; }
+    static J_JITOperation_EJJ slowPathFunction() { return DFG::operationValueBitLShift; }
+    static J_JITOperation_EJJ nonNumberSlowPathFunction() { return slowPathFunction(); }
+};
+
+class BitRShiftDescriptor : public BinaryOpDescriptor {
+public:
+    BitRShiftDescriptor(unsigned stackmapID, CodeOrigin codeOrigin, const SnippetOperand& leftOperand, const SnippetOperand& rightOperand)
+        : BinaryOpDescriptor(nodeType(), stackmapID, codeOrigin, icSize(), opName(), slowPathFunction(), leftOperand, rightOperand)
+    { }
+
+    static size_t icSize() { return sizeOfBitRShift(); }
+    static unsigned nodeType() { return DFG::BitRShift; }
+    static const char* opName() { return "BitRShift"; }
+    static J_JITOperation_EJJ slowPathFunction() { return DFG::operationValueBitRShift; }
+    static J_JITOperation_EJJ nonNumberSlowPathFunction() { return slowPathFunction(); }
+};
+
+class BitURShiftDescriptor : public BinaryOpDescriptor {
+public:
+    BitURShiftDescriptor(unsigned stackmapID, CodeOrigin codeOrigin, const SnippetOperand& leftOperand, const SnippetOperand& rightOperand)
+        : BinaryOpDescriptor(nodeType(), stackmapID, codeOrigin, icSize(), opName(), slowPathFunction(), leftOperand, rightOperand)
+    { }
+
+    static size_t icSize() { return sizeOfBitURShift(); }
+    static unsigned nodeType() { return DFG::BitURShift; }
+    static const char* opName() { return "BitURShift"; }
+    static J_JITOperation_EJJ slowPathFunction() { return DFG::operationValueBitURShift; }
+    static J_JITOperation_EJJ nonNumberSlowPathFunction() { return slowPathFunction(); }
+};
+
 class ArithDivDescriptor : public BinaryOpDescriptor {
 public:

trunk/Source/JavaScriptCore/ftl/FTLInlineCacheSize.cpp

@@ -126 +126 @@
 #else
     return 5; 
+#endif
+}
+
+size_t sizeOfBitAnd()
+{
+#if CPU(ARM64)
+#ifdef NDEBUG
+return 180; // ARM64 release.
+#else
+return 276; // ARM64 debug.
+#endif
+#else // CPU(X86_64)
+#ifdef NDEBUG
+return 199; // X86_64 release.
+#else
+return 286; // X86_64 debug.
+#endif
+#endif
+}
+
+size_t sizeOfBitOr()
+{
+#if CPU(ARM64)
+#ifdef NDEBUG
+    return 180; // ARM64 release.
+#else
+    return 276; // ARM64 debug.
+#endif
+#else // CPU(X86_64)
+#ifdef NDEBUG
+    return 199; // X86_64 release.
+#else
+    return 286; // X86_64 debug.
+#endif
+#endif
+}
+
+size_t sizeOfBitXor()
+{
+#if CPU(ARM64)
+#ifdef NDEBUG
+    return 180; // ARM64 release.
+#else
+    return 276; // ARM64 debug.
+#endif
+#else // CPU(X86_64)
+#ifdef NDEBUG
+    return 199; // X86_64 release.
+#else
+    return 286; // X86_64 debug.
+#endif
+#endif
+}
+
+size_t sizeOfBitLShift()
+{
+#if CPU(ARM64)
+#ifdef NDEBUG
+    return 180; // ARM64 release.
+#else
+    return 276; // ARM64 debug.
+#endif
+#else // CPU(X86_64)
+#ifdef NDEBUG
+    return 199; // X86_64 release.
+#else
+    return 286; // X86_64 debug.
+#endif
+#endif
+}
+
+size_t sizeOfBitRShift()
+{
+#if CPU(ARM64)
+#ifdef NDEBUG
+    return 180; // ARM64 release.
+#else
+    return 276; // ARM64 debug.
+#endif
+#else // CPU(X86_64)
+#ifdef NDEBUG
+    return 199; // X86_64 release.
+#else
+    return 286; // X86_64 debug.
+#endif
+#endif
+}
+
+size_t sizeOfBitURShift()
+{
+#if CPU(ARM64)
+#ifdef NDEBUG
+    return 180; // ARM64 release.
+#else
+    return 276; // ARM64 debug.
+#endif
+#else // CPU(X86_64)
+#ifdef NDEBUG
+    return 199; // X86_64 release.
+#else
+    return 286; // X86_64 debug.
+#endif
 #endif
 }

trunk/Source/JavaScriptCore/ftl/FTLInlineCacheSize.h

@@ -47 +47 @@
 size_t sizeOfConstructForwardVarargs();
 size_t sizeOfIn();
+size_t sizeOfBitAnd();
+size_t sizeOfBitOr();
+size_t sizeOfBitXor();
+size_t sizeOfBitLShift();
+size_t sizeOfBitRShift();
+size_t sizeOfBitURShift();
 size_t sizeOfArithDiv();
 size_t sizeOfArithMul();

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -2264 +2264 @@
     void compileBitAnd()
     {
+        if (m_node->child1().useKind() == UntypedUse || m_node->child2().useKind() == UntypedUse) {
+            compileUntypedBinaryOp<BitAndDescriptor>();
+            return;
+        }
         setInt32(m_out.bitAnd(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
     }
@@ -2269 +2273 @@
     void compileBitOr()
     {
+        if (m_node->child1().useKind() == UntypedUse || m_node->child2().useKind() == UntypedUse) {
+            compileUntypedBinaryOp<BitOrDescriptor>();
+            return;
+        }
         setInt32(m_out.bitOr(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
     }
@@ -2274 +2282 @@
     void compileBitXor()
     {
+        if (m_node->child1().useKind() == UntypedUse || m_node->child2().useKind() == UntypedUse) {
+            compileUntypedBinaryOp<BitXorDescriptor>();
+            return;
+        }
         setInt32(m_out.bitXor(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
     }
@@ -2279 +2291 @@
     void compileBitRShift()
     {
+        if (m_node->child1().useKind() == UntypedUse || m_node->child2().useKind() == UntypedUse) {
+            compileUntypedBinaryOp<BitRShiftDescriptor>();
+            return;
+        }
         setInt32(m_out.aShr(
             lowInt32(m_node->child1()),
@@ -2286 +2302 @@
     void compileBitLShift()
     {
+        if (m_node->child1().useKind() == UntypedUse || m_node->child2().useKind() == UntypedUse) {
+            compileUntypedBinaryOp<BitLShiftDescriptor>();
+            return;
+        }
         setInt32(m_out.shl(
             lowInt32(m_node->child1()),
@@ -2293 +2313 @@
     void compileBitURShift()
     {
+        if (m_node->child1().useKind() == UntypedUse || m_node->child2().useKind() == UntypedUse) {
+            compileUntypedBinaryOp<BitURShiftDescriptor>();
+            return;
+        }
         setInt32(m_out.lShr(
             lowInt32(m_node->child1()),

trunk/Source/JavaScriptCore/jit/JITLeftShiftGenerator.cpp

@@ -33 +33 @@
 void JITLeftShiftGenerator::generateFastPath(CCallHelpers& jit)
 {
+    ASSERT(m_scratchGPR != InvalidGPRReg);
+    ASSERT(m_scratchGPR != m_left.payloadGPR());
+    ASSERT(m_scratchGPR != m_right.payloadGPR());
+#if USE(JSVALUE32_64)
+    ASSERT(m_scratchGPR != m_left.tagGPR());
+    ASSERT(m_scratchGPR != m_right.tagGPR());
+#endif
+
     ASSERT(!m_leftOperand.isConstInt32() || !m_rightOperand.isConstInt32());
 
@@ -48 +56 @@
         m_slowPathJumpList.append(jit.branchIfNotInt32(m_right));
 
+        GPRReg rightOperandGPR = m_right.payloadGPR();
+        if (rightOperandGPR == m_result.payloadGPR()) {
+            jit.move(rightOperandGPR, m_scratchGPR);
+            rightOperandGPR = m_scratchGPR;
+        }
+
         if (m_leftOperand.isConstInt32()) {
 #if USE(JSVALUE32_64)
@@ -58 +72 @@
         }
 
-        jit.lshift32(m_right.payloadGPR(), m_result.payloadGPR());
+        jit.lshift32(rightOperandGPR, m_result.payloadGPR());
     }
 

trunk/Source/JavaScriptCore/jit/JITLeftShiftGenerator.h

@@ -36 +36 @@
 public:
     JITLeftShiftGenerator(const SnippetOperand& leftOperand, const SnippetOperand& rightOperand,
-        JSValueRegs result, JSValueRegs left, JSValueRegs right, GPRReg unused = InvalidGPRReg)
-        : JITBitBinaryOpGenerator(leftOperand, rightOperand, result, left, right, unused)
+        JSValueRegs result, JSValueRegs left, JSValueRegs right, GPRReg scratchGPR)
+        : JITBitBinaryOpGenerator(leftOperand, rightOperand, result, left, right, scratchGPR)
     { }
 

trunk/Source/JavaScriptCore/jit/JITRightShiftGenerator.cpp

@@ -88 +88 @@
         m_slowPathJumpList.append(jit.branchIfNotInt32(m_right));
 
+        GPRReg rightOperandGPR = m_right.payloadGPR();
+        if (rightOperandGPR == m_result.payloadGPR())
+            rightOperandGPR = m_scratchGPR;
+
         CCallHelpers::Jump leftNotInt;
         if (m_leftOperand.isConstInt32()) {
+            jit.move(m_right.payloadGPR(), rightOperandGPR);
 #if USE(JSVALUE32_64)
             jit.move(m_right.tagGPR(), m_result.tagGPR());
@@ -96 +101 @@
         } else {
             leftNotInt = jit.branchIfNotInt32(m_left);
+            jit.move(m_right.payloadGPR(), rightOperandGPR);
             jit.moveValueRegs(m_left, m_result);
         }
 
         if (m_shiftType == SignedShift)
-            jit.rshift32(m_right.payloadGPR(), m_result.payloadGPR());
+            jit.rshift32(rightOperandGPR, m_result.payloadGPR());
         else
-            jit.urshift32(m_right.payloadGPR(), m_result.payloadGPR());
+            jit.urshift32(rightOperandGPR, m_result.payloadGPR());
 #if USE(JSVALUE64)
         jit.or64(GPRInfo::tagTypeNumberRegister, m_result.payloadGPR());