Changeset 202413 in webkit

Timestamp:

Jun 23, 2016 8:41:52 PM (8 years ago)

Author:

Yusuke Suzuki

Message:

[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
​https://bugs.webkit.org/show_bug.cgi?id=154022

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

We aim at optimizing @toInteger operation.
While it still has an unoptimized part[1], this patch should be a first step.

We introduce the @toNumber builtin intrinsic operation.
This converts the given value to the JS number by emitting op_to_number bytecode.
Previously @toInteger called C++ @Number constructor for that purpose.

And in DFG, op_to_number is converted to DFG ToNumber node.
During DFG, we attempt to convert this to edge filtering and Identity, but if we fail,
we just fall back to calling the C++ function.

To utilize ToNumber in user-land side, we add a path attempting to convert Number constructor calls
to ToNumber DFG nodes. This conversion is useful because Number(value) is used to convert a value to a number in JS.

Before this patch, we emit simple edge filtering (NumberUse) instead of emitting DFG node like ToNumber for op_to_number.
But emitting ToNumber is useful, because in the case of Number(value), considering value may not be a number is reasonable.

By leveraging @toNumber operation, we rewrite Number.{isFinite, isNaN}, global.{isFinite, isNaN} and @toInteger.

ToNumber DFG node has a value profiling. This profiling is leveraged to determine the result number type of the ToNumber operation.
This value profiling is provided from either NumberConstructor's call operation or op_to_number.

The results (with the added performance tests) show that, while existing cases are performance neutral, the newly added cases gain the performance benefit.
And ASMBench/n-body.c also shows stable ~2% progression.

[1]: ​https://bugs.webkit.org/show_bug.cgi?id=153738

• CMakeLists.txt:
• DerivedSources.make:
• JavaScriptCore.xcodeproj/project.pbxproj:
• builtins/BuiltinNames.h:
• builtins/GlobalObject.js:

(globalPrivate.isFinite):
(globalPrivate.isNaN):
(globalPrivate.toInteger): Deleted.
(globalPrivate.toLength): Deleted.
(globalPrivate.isDictionary): Deleted.
(globalPrivate.speciesGetter): Deleted.
(globalPrivate.speciesConstructor): Deleted.

• builtins/GlobalOperations.js: Copied from Source/JavaScriptCore/builtins/GlobalObject.js.

(globalPrivate.toInteger):
(globalPrivate.toLength):
(globalPrivate.isDictionary):
(globalPrivate.speciesGetter):
(globalPrivate.speciesConstructor):

• builtins/NumberConstructor.js: Added.

(isFinite):
(isNaN):

• bytecode/BytecodeIntrinsicRegistry.cpp:

(JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):

• bytecode/BytecodeIntrinsicRegistry.h:
• bytecode/BytecodeList.json:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finishCreation):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitUnaryOp):
(JSC::BytecodeGenerator::emitUnaryOpProfiled):

• bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::emitToNumber):

• bytecompiler/NodesCodegen.cpp:

(JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
(JSC::UnaryPlusNode::emitBytecode):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::parseBlock):
We use getPrediction() to retrieve the heap prediction from the to_number bytecode.
According to the benchmark results, choosing getPredictionWithoutOSRExit() causes performance regression (1.5%) in kraken stanford-crypto-aes.

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToNumber):

• dfg/DFGNode.h:

(JSC::DFG::Node::hasHeapPrediction):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

Alway rely on the heap prediction.

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):
As of 64bit version, we carefully manage the register reuse. The largest difference between 32bit and 64bit is
branchIfNotNumber() requires the temporary register. We should not use the result registers for that since
it may be reuse the argument registers and it can break the argument registers before using them to call the operation.
Currently, we allocate the additional temporary register for that scratch register.

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):
Reuse the argument register for the result if possible. And manually decrement the use count in the middle of the node.
This is similar technique used in ToPrimitive. Typically, the child of ToNumber is only used by this ToNumber node since
we would like to perform the type conversion onto this child node here. So this careful register reuse effectively removes
the spills to call the operation. The example of the actually emitted code is the following.

76:<!2:loc11> ToNumber(Untyped:@68, JS|MustGen|UseAsOther, DoubleimpurenanTopEmpty, R:World, W:Heap, Exits, ClobbersExit, bc#48) predicting DoubleimpurenanTopEmpty

0x7f986d5fe693: test %rax, %r14
0x7f986d5fe696: jz 0x7f986d5fe6a1
0x7f986d5fe69c: jmp 0x7f986d5fe6d1
0x7f986d5fe6a1: mov %rax, %rsi
0x7f986d5fe6a4: mov %rbp, %rdi
0x7f986d5fe6a7: mov $0x2, 0x24(%rbp)
0x7f986d5fe6ae: mov $0x7f98711ea5f0, %r11
0x7f986d5fe6b8: call *%r11
0x7f986d5fe6bb: mov $0x7f982d3f72d0, %r11
0x7f986d5fe6c5: mov (%r11), %r11
0x7f986d5fe6c8: test %r11, %r11
0x7f986d5fe6cb: jnz 0x7f986d5fe88c

It effectively removes the unnecessary spill to call the operation!

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::branchIfNumber):
(JSC::AssemblyHelpers::branchIfNotNumber):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_to_number):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_to_number):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• parser/Nodes.h:

(JSC::UnaryOpNode::opcodeID):

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncIsNaN): Deleted.
(JSC::globalFuncIsFinite): Deleted.

• runtime/JSGlobalObjectFunctions.h:
• runtime/MathCommon.h:

(JSC::maxSafeInteger):
(JSC::minSafeInteger):

• runtime/NumberConstructor.cpp:

(JSC::NumberConstructor::finishCreation):
(JSC::numberConstructorFuncIsFinite): Deleted.
(JSC::numberConstructorFuncIsNaN): Deleted.

• runtime/NumberConstructor.h:
• tests/stress/Number-isNaN-basics.js: Added.

(numberIsNaNOnInteger):
(testNumberIsNaNOnIntegers):
(verifyNumberIsNaNOnIntegerWithOtherTypes):
(numberIsNaNOnDouble):
(testNumberIsNaNOnDoubles):
(verifyNumberIsNaNOnDoublesWithOtherTypes):
(numberIsNaNNoArguments):
(numberIsNaNTooManyArguments):
(testNumberIsNaNOnConstants):
(numberIsNaNStructTransition):
(Number.isNaN):

• tests/stress/global-is-finite.js: Added.

(shouldBe):

• tests/stress/global-is-nan.js: Added.

(shouldBe):

• tests/stress/global-isNaN-basics.js: Added.

(isNaNOnInteger):
(testIsNaNOnIntegers):
(verifyIsNaNOnIntegerWithOtherTypes):
(isNaNOnDouble):
(testIsNaNOnDoubles):
(verifyIsNaNOnDoublesWithOtherTypes):
(verifyIsNaNOnCoercedTypes):
(isNaNNoArguments):
(isNaNTooManyArguments):
(testIsNaNOnConstants):
(isNaNTypeCoercionSideEffects):
(i.value.isNaNTypeCoercionSideEffects.valueOf):
(isNaNStructTransition):
(isNaN):

• tests/stress/number-is-finite.js: Added.

(shouldBe):
(test2):
(test3):

• tests/stress/number-is-nan.js: Added.

(shouldBe):
(test2):
(test3):

• tests/stress/to-number-basics.js: Added.

(shouldBe):

• tests/stress/to-number-convert-identity-without-execution.js: Added.

(shouldBe):
(object.valueOf):
(valueOf):

• tests/stress/to-number-int52.js: Added.

(shouldBe):
(object.valueOf):

• tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js: Added.

(shouldBe):
(object.valueOf):
(valueOf):

• tests/stress/to-number-intrinsic-int52.js: Added.

(shouldBe):
(object.valueOf):

• tests/stress/to-number-intrinsic-object-without-execution.js: Added.

(shouldBe):
(object.valueOf):

• tests/stress/to-number-intrinsic-value-profiling.js: Added.

(shouldBe):
(object.valueOf):

• tests/stress/to-number-object-without-execution.js: Added.

(shouldBe):
(object.valueOf):

• tests/stress/to-number-object.js: Added.

(shouldBe):
(test12):
(object1.valueOf):
(test2):
(test22):
(object2.valueOf):
(test3):
(test32):
(object3.valueOf):

• tests/stress/to-number-value-profiling.js: Added.

(shouldBe):
(object.valueOf):

LayoutTests:

• js/regress/Number-isNaN-expected.txt: Added.
• js/regress/Number-isNaN.html: Added.
• js/regress/global-isNaN-expected.txt: Added.
• js/regress/global-isNaN.html: Added.
• js/regress/script-tests/Number-isNaN.js: Added.
• js/regress/script-tests/global-isNaN.js: Added.
• js/regress/script-tests/many-foreach-calls.js:

(i.4.forEach):
(i.array.forEach): Deleted.

• js/regress/script-tests/to-number-constructor-number-string-number-string.js: Added.

(test):

• js/regress/script-tests/to-number-constructor-only-number.js: Added.

(test):

• js/regress/script-tests/to-number-constructor-only-string.js: Added.

(test):

• js/regress/script-tests/to-number-constructor-string-number-string-number.js: Added.

(test):

• js/regress/script-tests/to-number-number-string-number-string.js: Added.

(test):

• js/regress/script-tests/to-number-only-number.js: Added.

(test):

• js/regress/script-tests/to-number-only-string.js: Added.

(test):

• js/regress/script-tests/to-number-string-number-string-number.js: Added.

(test):

• js/regress/to-number-constructor-number-string-number-string-expected.txt: Added.
• js/regress/to-number-constructor-number-string-number-string.html: Added.
• js/regress/to-number-constructor-only-number-expected.txt: Added.
• js/regress/to-number-constructor-only-number.html: Added.
• js/regress/to-number-constructor-only-string-expected.txt: Added.
• js/regress/to-number-constructor-only-string.html: Added.
• js/regress/to-number-constructor-string-number-string-number-expected.txt: Added.
• js/regress/to-number-constructor-string-number-string-number.html: Added.
• js/regress/to-number-number-string-number-string-expected.txt: Added.
• js/regress/to-number-number-string-number-string.html: Added.
• js/regress/to-number-only-number-expected.txt: Added.
• js/regress/to-number-only-number.html: Added.
• js/regress/to-number-only-string-expected.txt: Added.
• js/regress/to-number-only-string.html: Added.
• js/regress/to-number-string-number-string-number-expected.txt: Added.
• js/regress/to-number-string-number-string-number.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress/Number-isNaN-expected.txt (added)
• LayoutTests/js/regress/Number-isNaN.html (added)
• LayoutTests/js/regress/global-isNaN-expected.txt (added)
• LayoutTests/js/regress/global-isNaN.html (added)
• LayoutTests/js/regress/script-tests/Number-isNaN.js (added)
• LayoutTests/js/regress/script-tests/global-isNaN.js (added)
• LayoutTests/js/regress/script-tests/many-foreach-calls.js (modified) (1 diff)
• LayoutTests/js/regress/script-tests/to-number-constructor-number-string-number-string.js (added)
• LayoutTests/js/regress/script-tests/to-number-constructor-only-number.js (added)
• LayoutTests/js/regress/script-tests/to-number-constructor-only-string.js (added)
• LayoutTests/js/regress/script-tests/to-number-constructor-string-number-string-number.js (added)
• LayoutTests/js/regress/script-tests/to-number-number-string-number-string.js (added)
• LayoutTests/js/regress/script-tests/to-number-only-number.js (added)
• LayoutTests/js/regress/script-tests/to-number-only-string.js (added)
• LayoutTests/js/regress/script-tests/to-number-string-number-string-number.js (added)
• LayoutTests/js/regress/to-number-constructor-number-string-number-string-expected.txt (added)
• LayoutTests/js/regress/to-number-constructor-number-string-number-string.html (added)
• LayoutTests/js/regress/to-number-constructor-only-number-expected.txt (added)
• LayoutTests/js/regress/to-number-constructor-only-number.html (added)
• LayoutTests/js/regress/to-number-constructor-only-string-expected.txt (added)
• LayoutTests/js/regress/to-number-constructor-only-string.html (added)
• LayoutTests/js/regress/to-number-constructor-string-number-string-number-expected.txt (added)
• LayoutTests/js/regress/to-number-constructor-string-number-string-number.html (added)
• LayoutTests/js/regress/to-number-number-string-number-string-expected.txt (added)
• LayoutTests/js/regress/to-number-number-string-number-string.html (added)
• LayoutTests/js/regress/to-number-only-number-expected.txt (added)
• LayoutTests/js/regress/to-number-only-number.html (added)
• LayoutTests/js/regress/to-number-only-string-expected.txt (added)
• LayoutTests/js/regress/to-number-only-string.html (added)
• LayoutTests/js/regress/to-number-string-number-string-number-expected.txt (added)
• LayoutTests/js/regress/to-number-string-number-string-number.html (added)
• Source/JavaScriptCore/CMakeLists.txt (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/DerivedSources.make (modified) (2 diffs)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (3 diffs)
• Source/JavaScriptCore/builtins/BuiltinNames.h (modified) (1 diff)
• Source/JavaScriptCore/builtins/GlobalObject.js (modified) (2 diffs)
• Source/JavaScriptCore/builtins/GlobalOperations.js (copied) (copied from trunk/Source/JavaScriptCore/builtins/GlobalObject.js) (2 diffs)
• Source/JavaScriptCore/builtins/NumberConstructor.js (added)
• Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeList.json (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (2 diffs)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (6 diffs)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/AssemblyHelpers.h (modified) (4 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/parser/Nodes.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/MathCommon.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/NumberConstructor.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/NumberConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/tests/stress/Number-isNaN-basics.js (added)
• Source/JavaScriptCore/tests/stress/global-is-finite.js (added)
• Source/JavaScriptCore/tests/stress/global-is-nan.js (added)
• Source/JavaScriptCore/tests/stress/global-isNaN-basics.js (added)
• Source/JavaScriptCore/tests/stress/number-is-finite.js (added)
• Source/JavaScriptCore/tests/stress/number-is-nan.js (added)
• Source/JavaScriptCore/tests/stress/to-number-basics.js (added)
• Source/JavaScriptCore/tests/stress/to-number-convert-identity-without-execution.js (added)
• Source/JavaScriptCore/tests/stress/to-number-int52.js (added)
• Source/JavaScriptCore/tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js (added)
• Source/JavaScriptCore/tests/stress/to-number-intrinsic-int52.js (added)
• Source/JavaScriptCore/tests/stress/to-number-intrinsic-object-without-execution.js (added)
• Source/JavaScriptCore/tests/stress/to-number-intrinsic-value-profiling.js (added)
• Source/JavaScriptCore/tests/stress/to-number-object-without-execution.js (added)
• Source/JavaScriptCore/tests/stress/to-number-object.js (added)
• Source/JavaScriptCore/tests/stress/to-number-value-profiling.js (added)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-06-23  Joseph Pecoraro  <pecoraro@apple.com> and Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
+        https://bugs.webkit.org/show_bug.cgi?id=154022
+
+        Reviewed by Filip Pizlo.
+
+        * js/regress/Number-isNaN-expected.txt: Added.
+        * js/regress/Number-isNaN.html: Added.
+        * js/regress/global-isNaN-expected.txt: Added.
+        * js/regress/global-isNaN.html: Added.
+        * js/regress/script-tests/Number-isNaN.js: Added.
+        * js/regress/script-tests/global-isNaN.js: Added.
+        * js/regress/script-tests/many-foreach-calls.js:
+        (i.4.forEach):
+        (i.array.forEach): Deleted.
+        * js/regress/script-tests/to-number-constructor-number-string-number-string.js: Added.
+        (test):
+        * js/regress/script-tests/to-number-constructor-only-number.js: Added.
+        (test):
+        * js/regress/script-tests/to-number-constructor-only-string.js: Added.
+        (test):
+        * js/regress/script-tests/to-number-constructor-string-number-string-number.js: Added.
+        (test):
+        * js/regress/script-tests/to-number-number-string-number-string.js: Added.
+        (test):
+        * js/regress/script-tests/to-number-only-number.js: Added.
+        (test):
+        * js/regress/script-tests/to-number-only-string.js: Added.
+        (test):
+        * js/regress/script-tests/to-number-string-number-string-number.js: Added.
+        (test):
+        * js/regress/to-number-constructor-number-string-number-string-expected.txt: Added.
+        * js/regress/to-number-constructor-number-string-number-string.html: Added.
+        * js/regress/to-number-constructor-only-number-expected.txt: Added.
+        * js/regress/to-number-constructor-only-number.html: Added.
+        * js/regress/to-number-constructor-only-string-expected.txt: Added.
+        * js/regress/to-number-constructor-only-string.html: Added.
+        * js/regress/to-number-constructor-string-number-string-number-expected.txt: Added.
+        * js/regress/to-number-constructor-string-number-string-number.html: Added.
+        * js/regress/to-number-number-string-number-string-expected.txt: Added.
+        * js/regress/to-number-number-string-number-string.html: Added.
+        * js/regress/to-number-only-number-expected.txt: Added.
+        * js/regress/to-number-only-number.html: Added.
+        * js/regress/to-number-only-string-expected.txt: Added.
+        * js/regress/to-number-only-string.html: Added.
+        * js/regress/to-number-string-number-string-number-expected.txt: Added.
+        * js/regress/to-number-string-number-string-number.html: Added.
+
 2016-06-23  Simon Fraser  <simon.fraser@apple.com>
 

trunk/LayoutTests/js/regress/script-tests/many-foreach-calls.js

@@ -1 @@
-var sum = 0;
-var array = [1, 2, 3];
-for (var i = 0; i < 1e5; ++i) {
-    array.forEach(function (value) {
+for (var i = 0; i < 1e4; ++i) {
+    var sum = 0;
+    [1, 2, 3, 4].forEach(function (value) {
         sum += value;
     });

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -1218 +1218 @@
     ${JAVASCRIPTCORE_DIR}/builtins/GeneratorPrototype.js
     ${JAVASCRIPTCORE_DIR}/builtins/GlobalObject.js
+    ${JAVASCRIPTCORE_DIR}/builtins/GlobalOperations.js
     ${JAVASCRIPTCORE_DIR}/builtins/InspectorInstrumentationObject.js
     ${JAVASCRIPTCORE_DIR}/builtins/InternalPromiseConstructor.js
@@ -1223 +1224 @@
     ${JAVASCRIPTCORE_DIR}/builtins/MapPrototype.js
     ${JAVASCRIPTCORE_DIR}/builtins/ModuleLoaderObject.js
+    ${JAVASCRIPTCORE_DIR}/builtins/NumberConstructor.js
     ${JAVASCRIPTCORE_DIR}/builtins/NumberPrototype.js
     ${JAVASCRIPTCORE_DIR}/builtins/ObjectConstructor.js

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-06-23  Joseph Pecoraro  <pecoraro@apple.com> and Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
+        https://bugs.webkit.org/show_bug.cgi?id=154022
+
+        Reviewed by Filip Pizlo.
+
+        We aim at optimizing @toInteger operation.
+        While it still has an unoptimized part[1], this patch should be a first step.
+
+        We introduce the @toNumber builtin intrinsic operation.
+        This converts the given value to the JS number by emitting op_to_number bytecode.
+        Previously @toInteger called C++ @Number constructor for that purpose.
+
+        And in DFG, op_to_number is converted to DFG ToNumber node.
+        During DFG, we attempt to convert this to edge filtering and Identity, but if we fail,
+        we just fall back to calling the C++ function.
+
+        To utilize ToNumber in user-land side, we add a path attempting to convert Number constructor calls
+        to ToNumber DFG nodes. This conversion is useful because `Number(value)` is used to convert a value to a number in JS.
+
+        Before this patch, we emit simple edge filtering (NumberUse) instead of emitting DFG node like ToNumber for op_to_number.
+        But emitting ToNumber is useful, because in the case of `Number(value)`, considering `value` may not be a number is reasonable.
+
+        By leveraging @toNumber operation, we rewrite Number.{isFinite, isNaN}, global.{isFinite, isNaN} and @toInteger.
+
+        ToNumber DFG node has a value profiling. This profiling is leveraged to determine the result number type of the ToNumber operation.
+        This value profiling is provided from either NumberConstructor's call operation or op_to_number.
+
+        The results (with the added performance tests) show that, while existing cases are performance neutral, the newly added cases gain the performance benefit.
+        And ASMBench/n-body.c also shows stable ~2% progression.
+
+        [1]: https://bugs.webkit.org/show_bug.cgi?id=153738
+
+        * CMakeLists.txt:
+        * DerivedSources.make:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * builtins/BuiltinNames.h:
+        * builtins/GlobalObject.js:
+        (globalPrivate.isFinite):
+        (globalPrivate.isNaN):
+        (globalPrivate.toInteger): Deleted.
+        (globalPrivate.toLength): Deleted.
+        (globalPrivate.isDictionary): Deleted.
+        (globalPrivate.speciesGetter): Deleted.
+        (globalPrivate.speciesConstructor): Deleted.
+        * builtins/GlobalOperations.js: Copied from Source/JavaScriptCore/builtins/GlobalObject.js.
+        (globalPrivate.toInteger):
+        (globalPrivate.toLength):
+        (globalPrivate.isDictionary):
+        (globalPrivate.speciesGetter):
+        (globalPrivate.speciesConstructor):
+        * builtins/NumberConstructor.js: Added.
+        (isFinite):
+        (isNaN):
+        * bytecode/BytecodeIntrinsicRegistry.cpp:
+        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
+        * bytecode/BytecodeIntrinsicRegistry.h:
+        * bytecode/BytecodeList.json:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpBytecode):
+        (JSC::CodeBlock::finishCreation):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitUnaryOp):
+        (JSC::BytecodeGenerator::emitUnaryOpProfiled):
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::BytecodeGenerator::emitToNumber):
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
+        (JSC::UnaryPlusNode::emitBytecode):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        We use `getPrediction()` to retrieve the heap prediction from the to_number bytecode.
+        According to the benchmark results, choosing `getPredictionWithoutOSRExit()` causes performance regression (1.5%) in kraken stanford-crypto-aes.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::fixupToNumber):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasHeapPrediction):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        Alway rely on the heap prediction.
+
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        As of 64bit version, we carefully manage the register reuse. The largest difference between 32bit and 64bit is
+        `branchIfNotNumber()` requires the temporary register. We should not use the result registers for that since
+        it may be reuse the argument registers and it can break the argument registers before using them to call the operation.
+        Currently, we allocate the additional temporary register for that scratch register.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        Reuse the argument register for the result if possible. And manually decrement the use count in the middle of the node.
+        This is similar technique used in ToPrimitive. Typically, the child of ToNumber is only used by this ToNumber node since
+        we would like to perform the type conversion onto this child node here. So this careful register reuse effectively removes
+        the spills to call the operation. The example of the actually emitted code is the following.
+
+        76:<!2:loc11>     ToNumber(Untyped:@68, JS|MustGen|UseAsOther, DoubleimpurenanTopEmpty, R:World, W:Heap, Exits, ClobbersExit, bc#48)  predicting DoubleimpurenanTopEmpty
+            0x7f986d5fe693: test %rax, %r14
+            0x7f986d5fe696: jz 0x7f986d5fe6a1
+            0x7f986d5fe69c: jmp 0x7f986d5fe6d1
+            0x7f986d5fe6a1: mov %rax, %rsi
+            0x7f986d5fe6a4: mov %rbp, %rdi
+            0x7f986d5fe6a7: mov $0x2, 0x24(%rbp)
+            0x7f986d5fe6ae: mov $0x7f98711ea5f0, %r11
+            0x7f986d5fe6b8: call *%r11
+            0x7f986d5fe6bb: mov $0x7f982d3f72d0, %r11
+            0x7f986d5fe6c5: mov (%r11), %r11
+            0x7f986d5fe6c8: test %r11, %r11
+            0x7f986d5fe6cb: jnz 0x7f986d5fe88c
+
+        It effectively removes the unnecessary spill to call the operation!
+
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::branchIfNumber):
+        (JSC::AssemblyHelpers::branchIfNotNumber):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_to_number):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_to_number):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * parser/Nodes.h:
+        (JSC::UnaryOpNode::opcodeID):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncIsNaN): Deleted.
+        (JSC::globalFuncIsFinite): Deleted.
+        * runtime/JSGlobalObjectFunctions.h:
+        * runtime/MathCommon.h:
+        (JSC::maxSafeInteger):
+        (JSC::minSafeInteger):
+        * runtime/NumberConstructor.cpp:
+        (JSC::NumberConstructor::finishCreation):
+        (JSC::numberConstructorFuncIsFinite): Deleted.
+        (JSC::numberConstructorFuncIsNaN): Deleted.
+        * runtime/NumberConstructor.h:
+        * tests/stress/Number-isNaN-basics.js: Added.
+        (numberIsNaNOnInteger):
+        (testNumberIsNaNOnIntegers):
+        (verifyNumberIsNaNOnIntegerWithOtherTypes):
+        (numberIsNaNOnDouble):
+        (testNumberIsNaNOnDoubles):
+        (verifyNumberIsNaNOnDoublesWithOtherTypes):
+        (numberIsNaNNoArguments):
+        (numberIsNaNTooManyArguments):
+        (testNumberIsNaNOnConstants):
+        (numberIsNaNStructTransition):
+        (Number.isNaN):
+        * tests/stress/global-is-finite.js: Added.
+        (shouldBe):
+        * tests/stress/global-is-nan.js: Added.
+        (shouldBe):
+        * tests/stress/global-isNaN-basics.js: Added.
+        (isNaNOnInteger):
+        (testIsNaNOnIntegers):
+        (verifyIsNaNOnIntegerWithOtherTypes):
+        (isNaNOnDouble):
+        (testIsNaNOnDoubles):
+        (verifyIsNaNOnDoublesWithOtherTypes):
+        (verifyIsNaNOnCoercedTypes):
+        (isNaNNoArguments):
+        (isNaNTooManyArguments):
+        (testIsNaNOnConstants):
+        (isNaNTypeCoercionSideEffects):
+        (i.value.isNaNTypeCoercionSideEffects.valueOf):
+        (isNaNStructTransition):
+        (isNaN):
+        * tests/stress/number-is-finite.js: Added.
+        (shouldBe):
+        (test2):
+        (test3):
+        * tests/stress/number-is-nan.js: Added.
+        (shouldBe):
+        (test2):
+        (test3):
+        * tests/stress/to-number-basics.js: Added.
+        (shouldBe):
+        * tests/stress/to-number-convert-identity-without-execution.js: Added.
+        (shouldBe):
+        (object.valueOf):
+        (valueOf):
+        * tests/stress/to-number-int52.js: Added.
+        (shouldBe):
+        (object.valueOf):
+        * tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js: Added.
+        (shouldBe):
+        (object.valueOf):
+        (valueOf):
+        * tests/stress/to-number-intrinsic-int52.js: Added.
+        (shouldBe):
+        (object.valueOf):
+        * tests/stress/to-number-intrinsic-object-without-execution.js: Added.
+        (shouldBe):
+        (object.valueOf):
+        * tests/stress/to-number-intrinsic-value-profiling.js: Added.
+        (shouldBe):
+        (object.valueOf):
+        * tests/stress/to-number-object-without-execution.js: Added.
+        (shouldBe):
+        (object.valueOf):
+        * tests/stress/to-number-object.js: Added.
+        (shouldBe):
+        (test12):
+        (object1.valueOf):
+        (test2):
+        (test22):
+        (object2.valueOf):
+        (test3):
+        (test32):
+        (object3.valueOf):
+        * tests/stress/to-number-value-profiling.js: Added.
+        (shouldBe):
+        (object.valueOf):
+
 2016-06-23  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/DerivedSources.make

@@ -89 +89 @@
     $(JavaScriptCore)/builtins/GeneratorPrototype.js \
     $(JavaScriptCore)/builtins/GlobalObject.js \
+    $(JavaScriptCore)/builtins/GlobalOperations.js \
     $(JavaScriptCore)/builtins/InspectorInstrumentationObject.js \
     $(JavaScriptCore)/builtins/InternalPromiseConstructor.js \
@@ -94 +95 @@
     $(JavaScriptCore)/builtins/MapPrototype.js \
     $(JavaScriptCore)/builtins/ModuleLoaderObject.js \
+    $(JavaScriptCore)/builtins/NumberConstructor.js \
     $(JavaScriptCore)/builtins/NumberPrototype.js \
     $(JavaScriptCore)/builtins/ObjectConstructor.js \

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -3773 +3773 @@
                 A514B2C0185A684400F3C7CB /* InjectedScriptBase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InjectedScriptBase.cpp; sourceTree = "<group>"; };
                 A514B2C1185A684400F3C7CB /* InjectedScriptBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InjectedScriptBase.h; sourceTree = "<group>"; };
+                A52704851D027C8800354C37 /* GlobalOperations.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; path = GlobalOperations.js; sourceTree = "<group>"; };
+                A52704861D027C8800354C37 /* NumberConstructor.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; path = NumberConstructor.js; sourceTree = "<group>"; };
                 A5311C341C77CEAC00E6B1B6 /* HeapSnapshotBuilder.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HeapSnapshotBuilder.cpp; sourceTree = "<group>"; };
                 A5311C351C77CEAC00E6B1B6 /* HeapSnapshotBuilder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapSnapshotBuilder.h; sourceTree = "<group>"; };
@@ -6884 +6886 @@
                                 70B7918F1C0244EC002481E2 /* GeneratorPrototype.js */,
                                 7CF9BC5A1B65D9A3009DB1EF /* GlobalObject.js */,
+                                A52704851D027C8800354C37 /* GlobalOperations.js */,
                                 E35E03611B7AB4850073AD2A /* InspectorInstrumentationObject.js */,
                                 E33F50881B844A1A00413856 /* InternalPromiseConstructor.js */,
@@ -6889 +6892 @@
                                 7035587C1C418419004BD7BF /* MapPrototype.js */,
                                 E30677971B8BC6F5003F87F0 /* ModuleLoaderObject.js */,
+                                A52704861D027C8800354C37 /* NumberConstructor.js */,
                                 A15DE5C51C0FBF8D0089133D /* NumberPrototype.js */,
                                 7CF9BC5C1B65D9B1009DB1EF /* ObjectConstructor.js */,

trunk/Source/JavaScriptCore/builtins/BuiltinNames.h

@@ -65 +65 @@
     macro(floor) \
     macro(trunc) \
-    macro(isFinite) \
-    macro(isNaN) \
     macro(create) \
     macro(defineProperty) \

trunk/Source/JavaScriptCore/builtins/GlobalObject.js

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Yusuke Suzuki <utatane.tea@gmail.com>.
+ * Copyright (C) 2015-2016 Yusuke Suzuki <utatane.tea@gmail.com>.
  * Copyright (C) 2016 Apple Inc. All rights reserved.
  *
@@ -25 +25 @@
  */
 
-// @internal
-
 @globalPrivate
-function toInteger(target)
+function isFinite(value)
 {
     "use strict";
 
-    var numberValue = @Number(target);
-
-    // isNaN(numberValue)
+    var numberValue = @toNumber(value);
+    // Return false if numberValue is |NaN|.
     if (numberValue !== numberValue)
-        return 0;
-    return @trunc(numberValue);
+        return false;
+    return numberValue !== @Infinity && numberValue !== -@Infinity;
 }
 
 @globalPrivate
-function toLength(target)
+function isNaN(value)
 {
     "use strict";
 
-    var maxSafeInteger = 0x1FFFFFFFFFFFFF;
-    var length = @toInteger(target);
-    // originally Math.min(Math.max(length, 0), maxSafeInteger));
-    return length > 0 ? (length < maxSafeInteger ? length : maxSafeInteger) : 0;
+    var numberValue = @toNumber(value);
+    return numberValue !== numberValue;
 }
-
-@globalPrivate
-function isDictionary(object)
-{
-    "use strict";
-
-    return object === @undefined || object == null || typeof object === "object";
-}
-
-// FIXME: this needs to have it's name changed to "get [Symbol.species]".
-// see: https://bugs.webkit.org/show_bug.cgi?id=151363
-@globalPrivate
-function speciesGetter()
-{
-    return this;
-}
-
-@globalPrivate
-function speciesConstructor(obj, defaultConstructor)
-{
-    var constructor = obj.constructor;
-    if (constructor === @undefined)
-        return defaultConstructor;
-    if (!@isObject(constructor))
-        throw new @TypeError("|this|.constructor is not an Object or undefined");
-    constructor = constructor.@speciesSymbol;
-    if (constructor == null)
-        return defaultConstructor;
-    if (@isConstructor(constructor))
-        return constructor;
-    throw new @TypeError("|this|.constructor[Symbol.species] is not a constructor");
-}

trunk/Source/JavaScriptCore/builtins/GlobalOperations.js

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Yusuke Suzuki <utatane.tea@gmail.com>.
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016 Yusuke Suzuki <utatane.tea@gmail.com>.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -45 +44 @@
     "use strict";
 
-    var maxSafeInteger = 0x1FFFFFFFFFFFFF;
     var length = @toInteger(target);
     // originally Math.min(Math.max(length, 0), maxSafeInteger));
-    return length > 0 ? (length < maxSafeInteger ? length : maxSafeInteger) : 0;
+    return length > 0 ? (length < @MAX_SAFE_INTEGER? length : @MAX_SAFE_INTEGER) : 0;
+
 }
 

trunk/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.cpp

@@ -55 +55 @@
     m_arrayIterationKindKeyValue.set(m_vm, jsNumber(ArrayIterateKeyValue));
     m_MAX_STRING_LENGTH.set(m_vm, jsNumber(JSString::MaxLength));
-    m_MAX_SAFE_INTEGER.set(m_vm, jsDoubleNumber(9007199254740991.0)); // 2 ^ 53 - 1
+    m_MAX_SAFE_INTEGER.set(m_vm, jsDoubleNumber(maxSafeInteger()));
     m_ModuleFetch.set(m_vm, jsNumber(static_cast<unsigned>(ModuleLoaderObject::Status::Fetch)));
     m_ModuleTranslate.set(m_vm, jsNumber(static_cast<unsigned>(ModuleLoaderObject::Status::Translate)));

trunk/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h

@@ -48 +48 @@
     macro(tryGetById) \
     macro(putByValDirect) \
+    macro(toNumber) \
     macro(toString)
 

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

@@ -32 +32 @@
             { "name" : "op_inc", "length" : 2 },
             { "name" : "op_dec", "length" : 2 },
-            { "name" : "op_to_number", "length" : 3 },
+            { "name" : "op_to_number", "length" : 4 },
             { "name" : "op_to_string", "length" : 3 },
             { "name" : "op_negate", "length" : 3 },

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -993 +993 @@
         case op_to_number: {
             printUnaryOp(out, exec, location, it, "to_number");
+            dumpValueProfiling(out, it, hasPrintedProfiling);
             break;
         }
@@ -2094 +2095 @@
         case op_get_direct_pname:
         case op_get_by_id:
-        case op_get_from_arguments: {
+        case op_get_from_arguments:
+        case op_to_number: {
             ValueProfile* profile = &m_valueProfiles[pc[opLength - 1].u.operand];
             ASSERT(profile->m_bytecodeOffset == -1);

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1526 +1526 @@
 RegisterID* BytecodeGenerator::emitUnaryOp(OpcodeID opcodeID, RegisterID* dst, RegisterID* src)
 {
+    ASSERT_WITH_MESSAGE(op_to_number != opcodeID, "op_to_number is profiled.");
     emitOpcode(opcodeID);
     instructions().append(dst->index());
     instructions().append(src->index());
+    return dst;
+}
+
+RegisterID* BytecodeGenerator::emitUnaryOpProfiled(OpcodeID opcodeID, RegisterID* dst, RegisterID* src)
+{
+    UnlinkedValueProfile profile = emitProfiledOpcode(opcodeID);
+    instructions().append(dst->index());
+    instructions().append(src->index());
+    instructions().append(profile);
     return dst;
 }

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -511 +511 @@
 
         RegisterID* emitUnaryOp(OpcodeID, RegisterID* dst, RegisterID* src);
+        RegisterID* emitUnaryOpProfiled(OpcodeID, RegisterID* dst, RegisterID* src);
         RegisterID* emitBinaryOp(OpcodeID, RegisterID* dst, RegisterID* src1, RegisterID* src2, OperandTypes);
         RegisterID* emitEqualityOp(OpcodeID, RegisterID* dst, RegisterID* src1, RegisterID* src2);
@@ -537 +538 @@
         RegisterID* emitMove(RegisterID* dst, RegisterID* src);
 
-        RegisterID* emitToNumber(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_to_number, dst, src); }
+        RegisterID* emitToNumber(RegisterID* dst, RegisterID* src) { return emitUnaryOpProfiled(op_to_number, dst, src); }
         RegisterID* emitToString(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_to_string, dst, src); }
         RegisterID* emitInc(RegisterID* srcDst);

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -917 +917 @@
     RefPtr<RegisterID> finalDest = generator.finalDestination(dst);
     return generator.emitTryGetById(finalDest.get(), base.get(), ident);
+}
+
+RegisterID* BytecodeIntrinsicNode::emit_intrinsic_toNumber(BytecodeGenerator& generator, RegisterID* dst)
+{
+    ArgumentListNode* node = m_args->m_listNode;
+    RefPtr<RegisterID> src = generator.emitNode(node);
+    ASSERT(!node->m_next);
+
+    return generator.moveToDestinationIfNeeded(dst, generator.emitToNumber(generator.tempDestination(dst), src.get()));
 }
 
@@ -1550 +1559 @@
 }
 
+// ------------------------------ UnaryPlusNode -----------------------------------
+
+RegisterID* UnaryPlusNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
+{
+    ASSERT(opcodeID() == op_to_number);
+    RefPtr<RegisterID> src = generator.emitNode(expr());
+    generator.emitExpressionInfo(position(), position(), position());
+    return generator.emitToNumber(generator.finalDestination(dst), src.get());
+}
+
 // ------------------------------ BitwiseNotNode -----------------------------------
  

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1828 +1828 @@
         ASSERT(node->child1().useKind() == UntypedUse);
         
-        if (!forNode(node->child1()).m_type) {
-            m_state.setIsValid(false);
-            break;
-        }
-        
         if (!(forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol))) {
             m_state.setFoundConstants(true);
@@ -1842 +1837 @@
         
         forNode(node).setType(m_graph, SpecHeapTop & ~SpecObject);
+        break;
+    }
+
+    case ToNumber: {
+        JSValue childConst = forNode(node->child1()).value();
+        if (childConst && childConst.isNumber()) {
+            setConstant(node, childConst);
+            break;
+        }
+
+        ASSERT(node->child1().useKind() == UntypedUse);
+
+        if (!(forNode(node->child1()).m_type & ~SpecBytecodeNumber)) {
+            m_state.setFoundConstants(true);
+            forNode(node) = forNode(node->child1());
+            break;
+        }
+
+        clobberWorld(node->origin.semantic, clobberLimit);
+        forNode(node).setType(m_graph, SpecBytecodeNumber);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -43 +43 @@
 #include "GetByIdStatus.h"
 #include "Heap.h"
+#include "JSCInlines.h"
 #include "JSLexicalEnvironment.h"
-#include "JSCInlines.h"
 #include "JSModuleEnvironment.h"
+#include "NumberConstructor.h"
 #include "ObjectConstructor.h"
 #include "PreciseJumpTargets.h"
@@ -216 +217 @@
     bool handleTypedArrayConstructor(int resultOperand, InternalFunction*, int registerOffset, int argumentCountIncludingThis, TypedArrayType, const ChecksFunctor& insertChecks);
     template<typename ChecksFunctor>
-    bool handleConstantInternalFunction(Node* callTargetNode, int resultOperand, InternalFunction*, int registerOffset, int argumentCountIncludingThis, CodeSpecializationKind, const ChecksFunctor& insertChecks);
+    bool handleConstantInternalFunction(Node* callTargetNode, int resultOperand, InternalFunction*, int registerOffset, int argumentCountIncludingThis, CodeSpecializationKind, SpeculatedType, const ChecksFunctor& insertChecks);
     Node* handlePutByOffset(Node* base, unsigned identifier, PropertyOffset, const InferredType::Descriptor&, Node* value);
     Node* handleGetByOffset(SpeculatedType, Node* base, unsigned identifierNumber, PropertyOffset, const InferredType::Descriptor&, NodeType = GetByOffset);
@@ -1652 +1653 @@
     
         if (InternalFunction* function = callee.internalFunction()) {
-            if (handleConstantInternalFunction(callTargetNode, resultOperand, function, registerOffset, argumentCountIncludingThis, specializationKind, insertChecksWithAccounting)) {
+            if (handleConstantInternalFunction(callTargetNode, resultOperand, function, registerOffset, argumentCountIncludingThis, specializationKind, prediction, insertChecksWithAccounting)) {
                 RELEASE_ASSERT(didInsertChecks);
                 addToGraph(Phantom, callTargetNode);
@@ -2638 +2639 @@
 bool ByteCodeParser::handleConstantInternalFunction(
     Node* callTargetNode, int resultOperand, InternalFunction* function, int registerOffset,
-    int argumentCountIncludingThis, CodeSpecializationKind kind, const ChecksFunctor& insertChecks)
+    int argumentCountIncludingThis, CodeSpecializationKind kind, SpeculatedType prediction, const ChecksFunctor& insertChecks)
 {
     if (verbose)
@@ -2667 +2668 @@
         set(VirtualRegister(resultOperand),
             addToGraph(Node::VarArg, NewArray, OpInfo(ArrayWithUndecided), OpInfo(0)));
+        return true;
+    }
+
+    if (function->classInfo() == NumberConstructor::info()) {
+        if (kind == CodeForConstruct)
+            return false;
+
+        insertChecks();
+        if (argumentCountIncludingThis <= 1)
+            set(VirtualRegister(resultOperand), jsConstant(jsNumber(0)));
+        else
+            set(VirtualRegister(resultOperand), addToGraph(ToNumber, OpInfo(0), OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset))));
+
         return true;
     }
@@ -5047 +5061 @@
 
         case op_to_number: {
-            Node* node = get(VirtualRegister(currentInstruction[2].u.operand));
-            addToGraph(Phantom, Edge(node, NumberUse));
-            set(VirtualRegister(currentInstruction[1].u.operand), node);
+            SpeculatedType prediction = getPrediction();
+            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(ToNumber, OpInfo(0), OpInfo(prediction), value));
             NEXT_OPCODE(op_to_number);
         }

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -1174 +1174 @@
         write(Heap);
         return;
+
+    case ToNumber: {
+        read(World);
+        write(Heap);
+        return;
+    }
         
     case ToString:

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -567 +567 @@
             }
 
+            case ToNumber: {
+                if (m_state.forNode(node->child1()).m_type & ~SpecBytecodeNumber)
+                    break;
+
+                node->convertToIdentity();
+                changed = true;
+                break;
+            }
+
             case Check: {
                 alreadyHandled = true;

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -170 +170 @@
     case LogicalNot:
     case ToPrimitive:
+    case ToNumber:
     case ToString:
     case CallStringConstructor:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -988 +988 @@
         case ToPrimitive: {
             fixupToPrimitive(node);
+            break;
+        }
+
+        case ToNumber: {
+            fixupToNumber(node);
             break;
         }
@@ -1799 +1804 @@
         }
     }
+
+    void fixupToNumber(Node* node)
+    {
+        if (node->child1()->shouldSpeculateInt32()) {
+            fixEdge<Int32Use>(node->child1());
+            node->convertToIdentity();
+            return;
+        }
+
+        if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
+            fixEdge<Int52RepUse>(node->child1());
+            node->convertToIdentity();
+            node->setResult(NodeResultInt52);
+            return;
+        }
+
+        if (node->child1()->shouldSpeculateNumber()) {
+            fixEdge<DoubleRepUse>(node->child1());
+            node->convertToIdentity();
+            node->setResult(NodeResultDouble);
+            return;
+        }
+
+        fixEdge<UntypedUse>(node->child1());
+        node->setResult(NodeResultJS);
+    }
     
     void fixupToStringOrCallStringConstructor(Node* node)

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -1440 +1440 @@
         case StringReplace:
         case StringReplaceRegExp:
+        case ToNumber:
             return true;
         default:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -323 +323 @@
     macro(ToPrimitive, NodeResultJS | NodeMustGenerate) \
     macro(ToString, NodeResultJS | NodeMustGenerate) \
+    macro(ToNumber, NodeResultJS | NodeMustGenerate) \
     macro(CallObjectConstructor, NodeResultJS) \
     macro(CallStringConstructor, NodeResultJS | NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -732 +732 @@
 }
 
+EncodedJSValue JIT_OPERATION operationToNumber(ExecState* exec, EncodedJSValue value)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    return JSValue::encode(jsNumber(JSValue::decode(value).toNumber(exec)));
+}
+
 EncodedJSValue JIT_OPERATION operationGetByIdWithThis(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedThis, UniquedStringImpl* impl)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -59 +59 @@
 EncodedJSValue JIT_OPERATION operationGetByValStringInt(ExecState*, JSString*, int32_t) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationToPrimitive(ExecState*, EncodedJSValue) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationToNumber(ExecState*, EncodedJSValue) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationGetByIdWithThis(ExecState*, EncodedJSValue, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationGetByValWithThis(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -713 +713 @@
         case GetGlobalLexicalVariable:
         case GetClosureVar:
-        case GetFromArguments: {
+        case GetFromArguments:
+        case ToNumber: {
             setPrediction(m_currentNode->getHeapPrediction());
             break;

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -273 +273 @@
     case ToPrimitive:
     case ToString:
+    case ToNumber:
     case SetFunctionName:
     case StrCat:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3568 +3568 @@
     case ToPrimitive: {
         RELEASE_ASSERT(node->child1().useKind() == UntypedUse);
-        JSValueOperand op1(this, node->child1());
-        GPRTemporary resultTag(this, Reuse, op1, TagWord);
-        GPRTemporary resultPayload(this, Reuse, op1, PayloadWord);
-        
-        GPRReg op1TagGPR = op1.tagGPR();
-        GPRReg op1PayloadGPR = op1.payloadGPR();
+        JSValueOperand argument(this, node->child1());
+        GPRTemporary resultTag(this, Reuse, argument, TagWord);
+        GPRTemporary resultPayload(this, Reuse, argument, PayloadWord);
+        
+        GPRReg argumentTagGPR = argument.tagGPR();
+        GPRReg argumentPayloadGPR = argument.payloadGPR();
         GPRReg resultTagGPR = resultTag.gpr();
         GPRReg resultPayloadGPR = resultPayload.gpr();
         
-        op1.use();
-        
-        MacroAssembler::Jump alreadyPrimitive = m_jit.branchIfNotCell(op1.jsValueRegs());
-        MacroAssembler::Jump notPrimitive = m_jit.branchIfObject(op1PayloadGPR);
+        argument.use();
+        
+        MacroAssembler::Jump alreadyPrimitive = m_jit.branchIfNotCell(argument.jsValueRegs());
+        MacroAssembler::Jump notPrimitive = m_jit.branchIfObject(argumentPayloadGPR);
         
         alreadyPrimitive.link(&m_jit);
-        m_jit.move(op1TagGPR, resultTagGPR);
-        m_jit.move(op1PayloadGPR, resultPayloadGPR);
+        m_jit.move(argumentTagGPR, resultTagGPR);
+        m_jit.move(argumentPayloadGPR, resultPayloadGPR);
         
         addSlowPathGenerator(
             slowPathCall(
                 notPrimitive, this, operationToPrimitive,
-                JSValueRegs(resultTagGPR, resultPayloadGPR), op1TagGPR, op1PayloadGPR));
+                JSValueRegs(resultTagGPR, resultPayloadGPR), argumentTagGPR, argumentPayloadGPR));
         
         jsValueResult(resultTagGPR, resultPayloadGPR, node, UseChildrenCalledExplicitly);
+        break;
+    }
+
+    case ToNumber: {
+        JSValueOperand argument(this, node->child1());
+        GPRTemporary resultTag(this, Reuse, argument, TagWord);
+        GPRTemporary resultPayload(this, Reuse, argument, PayloadWord);
+
+        GPRReg argumentPayloadGPR = argument.payloadGPR();
+        GPRReg argumentTagGPR = argument.tagGPR();
+        JSValueRegs resultRegs(resultTag.gpr(), resultPayload.gpr());
+
+        argument.use();
+
+        // We have several attempts to remove ToNumber. But ToNumber still exists.
+        // It means that converting non-numbers to numbers by this ToNumber is not rare.
+        // Instead of the slow path generator, we emit callOperation here.
+        if (!(m_state.forNode(node->child1()).m_type & SpecBytecodeNumber)) {
+            flushRegisters();
+            callOperation(operationToNumber, resultRegs, argumentTagGPR, argumentPayloadGPR);
+            m_jit.exceptionCheck();
+        } else {
+            MacroAssembler::Jump notNumber;
+            {
+                GPRTemporary scratch(this);
+                notNumber = m_jit.branchIfNotNumber(argument.jsValueRegs(), scratch.gpr());
+            }
+            m_jit.move(argumentTagGPR, resultRegs.tagGPR());
+            m_jit.move(argumentPayloadGPR, resultRegs.payloadGPR());
+            MacroAssembler::Jump done = m_jit.jump();
+
+            notNumber.link(&m_jit);
+            silentSpillAllRegisters(resultRegs);
+            callOperation(operationToNumber, resultRegs, argumentTagGPR, argumentPayloadGPR);
+            silentFillAllRegisters(resultRegs);
+            m_jit.exceptionCheck();
+
+            done.link(&m_jit);
+        }
+
+        jsValueResult(resultRegs.tagGPR(), resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3521 +3521 @@
     case ToPrimitive: {
         DFG_ASSERT(m_jit.graph(), node, node->child1().useKind() == UntypedUse);
-        JSValueOperand op1(this, node->child1());
-        GPRTemporary result(this, Reuse, op1);
-        
-        GPRReg op1GPR = op1.gpr();
+        JSValueOperand argument(this, node->child1());
+        GPRTemporary result(this, Reuse, argument);
+        
+        GPRReg argumentGPR = argument.gpr();
         GPRReg resultGPR = result.gpr();
         
-        op1.use();
-        
-        MacroAssembler::Jump alreadyPrimitive = m_jit.branchIfNotCell(JSValueRegs(op1GPR));
-        MacroAssembler::Jump notPrimitive = m_jit.branchIfObject(op1GPR);
+        argument.use();
+        
+        MacroAssembler::Jump alreadyPrimitive = m_jit.branchIfNotCell(JSValueRegs(argumentGPR));
+        MacroAssembler::Jump notPrimitive = m_jit.branchIfObject(argumentGPR);
         
         alreadyPrimitive.link(&m_jit);
-        m_jit.move(op1GPR, resultGPR);
+        m_jit.move(argumentGPR, resultGPR);
         
         addSlowPathGenerator(
-            slowPathCall(notPrimitive, this, operationToPrimitive, resultGPR, op1GPR));
-        
+            slowPathCall(notPrimitive, this, operationToPrimitive, resultGPR, argumentGPR));
+        
+        jsValueResult(resultGPR, node, UseChildrenCalledExplicitly);
+        break;
+    }
+
+    case ToNumber: {
+        JSValueOperand argument(this, node->child1());
+        GPRTemporary result(this, Reuse, argument);
+
+        GPRReg argumentGPR = argument.gpr();
+        GPRReg resultGPR = result.gpr();
+
+        argument.use();
+
+        // We have several attempts to remove ToNumber. But ToNumber still exists.
+        // It means that converting non-numbers to numbers by this ToNumber is not rare.
+        // Instead of the slow path generator, we emit callOperation here.
+        if (!(m_state.forNode(node->child1()).m_type & SpecBytecodeNumber)) {
+            flushRegisters();
+            callOperation(operationToNumber, resultGPR, argumentGPR);
+            m_jit.exceptionCheck();
+        } else {
+            MacroAssembler::Jump notNumber = m_jit.branchIfNotNumber(argumentGPR);
+            m_jit.move(argumentGPR, resultGPR);
+            MacroAssembler::Jump done = m_jit.jump();
+
+            notNumber.link(&m_jit);
+            silentSpillAllRegisters(resultGPR);
+            callOperation(operationToNumber, resultGPR, argumentGPR);
+            silentFillAllRegisters(resultGPR);
+            m_jit.exceptionCheck();
+
+            done.link(&m_jit);
+        }
+
         jsValueResult(resultGPR, node, UseChildrenCalledExplicitly);
         break;

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -162 +162 @@
     case GetCallee:
     case GetArgumentCountIncludingThis:
+    case ToNumber:
+    case ToString:
     case CallObjectConstructor:
-    case ToString:
     case CallStringConstructor:
     case MakeRope:
@@ -404 +405 @@
             break;
         if (node->isBinaryUseKind(BooleanUse))
+            break;
+        if (node->isBinaryUseKind(UntypedUse))
             break;
         if (node->isBinaryUseKind(SymbolUse))

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -728 +728 @@
         case ReallocatePropertyStorage:
             compileReallocatePropertyStorage();
+            break;
+        case ToNumber:
+            compileToNumber();
             break;
         case ToString:
@@ -4100 +4103 @@
                 object, oldStorage, transition->previous, transition->next));
     }
+
+    void compileToNumber()
+    {
+        LValue value = lowJSValue(m_node->child1());
+
+        if (!(abstractValue(m_node->child1()).m_type & SpecBytecodeNumber))
+            setJSValue(vmCall(m_out.int64, m_out.operation(operationToNumber), m_callFrame, value));
+        else {
+            LBasicBlock notNumber = m_out.newBlock();
+            LBasicBlock continuation = m_out.newBlock();
+
+            ValueFromBlock fastResult = m_out.anchor(value);
+            m_out.branch(isNumber(value, provenType(m_node->child1())), unsure(continuation), unsure(notNumber));
+
+            // notNumber case.
+            LBasicBlock lastNext = m_out.appendTo(notNumber, continuation);
+            // We have several attempts to remove ToNumber. But ToNumber still exists.
+            // It means that converting non-numbers to numbers by this ToNumber is not rare.
+            // Instead of the lazy slow path generator, we call the operation here.
+            ValueFromBlock slowResult = m_out.anchor(vmCall(m_out.int64, m_out.operation(operationToNumber), m_callFrame, value));
+            m_out.jump(continuation);
+
+            // continuation case.
+            m_out.appendTo(continuation, lastNext);
+            setJSValue(m_out.phi(m_out.int64, fastResult, slowResult));
+        }
+    }
     
     void compileToStringOrCallStringConstructor()
@@ -4887 +4917 @@
             setBoolean(
                 m_out.equal(lowBoolean(m_node->child1()), lowBoolean(m_node->child2())));
+            return;
+        }
+
+        if (m_node->isBinaryUseKind(UntypedUse)) {
+            nonSpeculativeCompare(
+                [&] (LValue left, LValue right) {
+                    return m_out.equal(left, right);
+                },
+                operationCompareStrictEq);
             return;
         }

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -756 +756 @@
 #if USE(JSVALUE64)
         UNUSED_PARAM(tempGPR);
-        if (mode == HaveTagRegisters)
-            return branchTest64(NonZero, regs.gpr(), GPRInfo::tagTypeNumberRegister);
-        return branchTest64(NonZero, regs.gpr(), TrustedImm64(TagTypeNumber));
+        return branchIfNumber(regs.gpr(), mode);
 #else
         UNUSED_PARAM(mode);
@@ -765 +763 @@
 #endif
     }
+
+#if USE(JSVALUE64)
+    Jump branchIfNumber(GPRReg reg, TagRegistersMode mode = HaveTagRegisters)
+    {
+        if (mode == HaveTagRegisters)
+            return branchTest64(NonZero, reg, GPRInfo::tagTypeNumberRegister);
+        return branchTest64(NonZero, reg, TrustedImm64(TagTypeNumber));
+    }
+#endif
     
     // Note that the tempGPR is not used in 64-bit mode.
@@ -771 +778 @@
 #if USE(JSVALUE64)
         UNUSED_PARAM(tempGPR);
-        if (mode == HaveTagRegisters)
-            return branchTest64(Zero, regs.gpr(), GPRInfo::tagTypeNumberRegister);
-        return branchTest64(Zero, regs.gpr(), TrustedImm64(TagTypeNumber));
+        return branchIfNotNumber(regs.gpr(), mode);
 #else
         UNUSED_PARAM(mode);
@@ -780 +785 @@
 #endif
     }
+
+#if USE(JSVALUE64)
+    Jump branchIfNotNumber(GPRReg reg, TagRegistersMode mode = HaveTagRegisters)
+    {
+        if (mode == HaveTagRegisters)
+            return branchTest64(Zero, reg, GPRInfo::tagTypeNumberRegister);
+        return branchTest64(Zero, reg, TrustedImm64(TagTypeNumber));
+    }
+#endif
 
     Jump branchIfNotDoubleKnownNotInt32(JSValueRegs regs, TagRegistersMode mode = HaveTagRegisters)

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -517 +517 @@
 void JIT::emit_op_to_number(Instruction* currentInstruction)
 {
+    int dstVReg = currentInstruction[1].u.operand;
     int srcVReg = currentInstruction[2].u.operand;
     emitGetVirtualRegister(srcVReg, regT0);
@@ -522 +523 @@
     addSlowCase(emitJumpIfNotNumber(regT0));
 
-    emitPutVirtualRegister(currentInstruction[1].u.operand);
+    emitValueProfilingSite();
+    if (srcVReg != dstVReg)
+        emitPutVirtualRegister(dstVReg);
 }
 

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -829 +829 @@
     isInt32.link(this);
 
+    emitValueProfilingSite();
     if (src != dst)
         emitStore(dst, regT1, regT0);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -956 +956 @@
     storei t2, TagOffset[cfr, t1, 8]
     storei t3, PayloadOffset[cfr, t1, 8]
-    dispatch(3)
+    valueProfile(t2, t3, 12, t1)
+    dispatch(4)
 
 .opToNumberSlow:

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -835 +835 @@
 .opToNumberIsImmediate:
     storeq t2, [cfr, t1, 8]
-    dispatch(3)
+    valueProfile(t2, 3, t0)
+    dispatch(4)
 
 .opToNumberSlow:
     callOpcodeSlowPath(_slow_path_to_number)
-    dispatch(3)
+    dispatch(4)
 
 

trunk/Source/JavaScriptCore/parser/Nodes.h

@@ -968 +968 @@
         ExpressionNode* expr() { return m_expr; }
         const ExpressionNode* expr() const { return m_expr; }
-
-    private:
-        RegisterID* emitBytecode(BytecodeGenerator&, RegisterID* = 0) override;
-
         OpcodeID opcodeID() const { return m_opcodeID; }
+
+    private:
+        RegisterID* emitBytecode(BytecodeGenerator&, RegisterID* = 0) override;
 
         ExpressionNode* m_expr;
@@ -983 +982 @@
 
     private:
+        RegisterID* emitBytecode(BytecodeGenerator&, RegisterID* = 0) override;
+
         ExpressionNode* stripUnaryPlus() override { return expr(); }
     };

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -347 +347 @@
 }
 
-SLOW_PATH_DECL(slow_path_to_number)
-{
-    BEGIN();
-    RETURN(jsNumber(OP_C(2).jsValue().toNumber(exec)));
-}
-
 SLOW_PATH_DECL(slow_path_to_string)
 {
@@ -398 +392 @@
 static void updateResultProfileForBinaryArithOp(ExecState*, Instruction*, JSValue, JSValue, JSValue) { }
 #endif
+
+SLOW_PATH_DECL(slow_path_to_number)
+{
+    BEGIN();
+    JSValue argument = OP_C(2).jsValue();
+    JSValue result = jsNumber(argument.toNumber(exec));
+    RETURN_PROFILED(op_to_number, result);
+}
 
 SLOW_PATH_DECL(slow_path_add)

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -212 +212 @@
 @begin globalObjectTable
   parseFloat            globalFuncParseFloat                         DontEnum|Function 1
-  isNaN                 globalFuncIsNaN                              DontEnum|Function 1
-  isFinite              globalFuncIsFinite                           DontEnum|Function 1
+  isNaN                 JSBuiltin                                    DontEnum|Function 1
+  isFinite              JSBuiltin                                    DontEnum|Function 1
   escape                globalFuncEscape                             DontEnum|Function 1
   unescape              globalFuncUnescape                           DontEnum|Function 1
@@ -403 +403 @@
 
     m_speciesGetterSetter.set(vm, this, GetterSetter::create(vm, this));
-    m_speciesGetterSetter->setGetter(vm, this, JSFunction::createBuiltinFunction(vm, globalObjectSpeciesGetterCodeGenerator(vm), this, "get [Symbol.species]"));
+    m_speciesGetterSetter->setGetter(vm, this, JSFunction::createBuiltinFunction(vm, globalOperationsSpeciesGetterCodeGenerator(vm), this, "get [Symbol.species]"));
 
     m_typedArrayProto.initLater(
@@ -648 +648 @@
     JSFunction* privateFuncAbs = JSFunction::create(vm, this, 0, String(), mathProtoFuncAbs, AbsIntrinsic);
     JSFunction* privateFuncFloor = JSFunction::create(vm, this, 0, String(), mathProtoFuncFloor, FloorIntrinsic);
-    JSFunction* privateFuncIsFinite = JSFunction::create(vm, this, 0, String(), globalFuncIsFinite);
-    JSFunction* privateFuncIsNaN = JSFunction::create(vm, this, 0, String(), globalFuncIsNaN);
     JSFunction* privateFuncTrunc = JSFunction::create(vm, this, 0, String(), mathProtoFuncTrunc, TruncIntrinsic);
 
@@ -716 +714 @@
         GlobalPropertyInfo(vm.propertyNames->builtinNames().floorPrivateName(), privateFuncFloor, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().truncPrivateName(), privateFuncTrunc, DontEnum | DontDelete | ReadOnly),
-        GlobalPropertyInfo(vm.propertyNames->builtinNames().isFinitePrivateName(), privateFuncIsFinite, DontEnum | DontDelete | ReadOnly),
-        GlobalPropertyInfo(vm.propertyNames->builtinNames().isNaNPrivateName(), privateFuncIsNaN, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().PromisePrivateName(), promiseConstructor, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().ReflectPrivateName(), reflectObject, DontEnum | DontDelete | ReadOnly),

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -707 +707 @@
 }
 
-EncodedJSValue JSC_HOST_CALL globalFuncIsNaN(ExecState* exec)
-{
-    return JSValue::encode(jsBoolean(std::isnan(exec->argument(0).toNumber(exec))));
-}
-
-EncodedJSValue JSC_HOST_CALL globalFuncIsFinite(ExecState* exec)
-{
-    double n = exec->argument(0).toNumber(exec);
-    return JSValue::encode(jsBoolean(std::isfinite(n)));
-}
-
 EncodedJSValue JSC_HOST_CALL globalFuncDecodeURI(ExecState* exec)
 {

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h

@@ -41 +41 @@
 EncodedJSValue JSC_HOST_CALL globalFuncParseInt(ExecState*);
 EncodedJSValue JSC_HOST_CALL globalFuncParseFloat(ExecState*);
-EncodedJSValue JSC_HOST_CALL globalFuncIsNaN(ExecState*);
-EncodedJSValue JSC_HOST_CALL globalFuncIsFinite(ExecState*);
 EncodedJSValue JSC_HOST_CALL globalFuncDecodeURI(ExecState*);
 EncodedJSValue JSC_HOST_CALL globalFuncDecodeURIComponent(ExecState*);

trunk/Source/JavaScriptCore/runtime/MathCommon.h

@@ -35 +35 @@
 double JIT_OPERATION operationMathPow(double x, double y) WTF_INTERNAL;
 int32_t JIT_OPERATION operationToInt32(double) WTF_INTERNAL;
+
+inline constexpr double maxSafeInteger()
+{
+    // 2 ^ 53 - 1
+    return 9007199254740991.0;
+}
+
+inline constexpr double minSafeInteger()
+{
+    // -(2 ^ 53 - 1)
+    return -9007199254740991.0;
+}
 
 inline int clz32(uint32_t number)

trunk/Source/JavaScriptCore/runtime/NumberConstructor.cpp

@@ -32 +32 @@
 namespace JSC {
 
-static EncodedJSValue JSC_HOST_CALL numberConstructorFuncIsFinite(ExecState*);
 static EncodedJSValue JSC_HOST_CALL numberConstructorFuncIsInteger(ExecState*);
-static EncodedJSValue JSC_HOST_CALL numberConstructorFuncIsNaN(ExecState*);
 static EncodedJSValue JSC_HOST_CALL numberConstructorFuncIsSafeInteger(ExecState*);
 
 } // namespace JSC
+
+#include "NumberConstructor.lut.h"
 
 namespace JSC {
@@ -43 +43 @@
 STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(NumberConstructor);
 
-const ClassInfo NumberConstructor::s_info = { "Function", &InternalFunction::s_info, 0, CREATE_METHOD_TABLE(NumberConstructor) };
+const ClassInfo NumberConstructor::s_info = { "Function", &InternalFunction::s_info, &numberConstructorTable, CREATE_METHOD_TABLE(NumberConstructor) };
+
+/* Source for NumberConstructor.lut.h
+@begin numberConstructorTable
+  isFinite       JSBuiltin                           DontEnum|Function 1
+  isInteger      numberConstructorFuncIsInteger      DontEnum|Function 1
+  isNaN          JSBuiltin                           DontEnum|Function 1
+  isSafeInteger  numberConstructorFuncIsSafeInteger  DontEnum|Function 1
+  parseFloat     globalFuncParseFloat                DontEnum|Function 1
+@end
+*/
 
 NumberConstructor::NumberConstructor(VM& vm, Structure* structure)
@@ -64 +74 @@
     putDirectWithoutTransition(vm, Identifier::fromString(&vm, "MAX_VALUE"), jsDoubleNumber(1.7976931348623157E+308), DontDelete | DontEnum | ReadOnly);
     putDirectWithoutTransition(vm, Identifier::fromString(&vm, "MIN_VALUE"), jsDoubleNumber(5E-324), DontDelete | DontEnum | ReadOnly);
-    putDirectWithoutTransition(vm, Identifier::fromString(&vm, "MAX_SAFE_INTEGER"), jsDoubleNumber(9007199254740991.0), DontDelete | DontEnum | ReadOnly);
-    putDirectWithoutTransition(vm, Identifier::fromString(&vm, "MIN_SAFE_INTEGER"), jsDoubleNumber(-9007199254740991.0), DontDelete | DontEnum | ReadOnly);
+    putDirectWithoutTransition(vm, Identifier::fromString(&vm, "MAX_SAFE_INTEGER"), jsDoubleNumber(maxSafeInteger()), DontDelete | DontEnum | ReadOnly);
+    putDirectWithoutTransition(vm, Identifier::fromString(&vm, "MIN_SAFE_INTEGER"), jsDoubleNumber(minSafeInteger()), DontDelete | DontEnum | ReadOnly);
     putDirectWithoutTransition(vm, Identifier::fromString(&vm, "NEGATIVE_INFINITY"), jsDoubleNumber(-std::numeric_limits<double>::infinity()), DontDelete | DontEnum | ReadOnly);
     putDirectWithoutTransition(vm, Identifier::fromString(&vm, "POSITIVE_INFINITY"), jsDoubleNumber(std::numeric_limits<double>::infinity()), DontDelete | DontEnum | ReadOnly);
     putDirectWithoutTransition(vm, Identifier::fromString(&vm, "NaN"), jsNaN(), DontDelete | DontEnum | ReadOnly);
 
-    putDirectNativeFunctionWithoutTransition(vm, numberPrototype->globalObject(), Identifier::fromString(&vm, "isFinite"), 1, numberConstructorFuncIsFinite, NoIntrinsic, DontEnum);
-    putDirectNativeFunctionWithoutTransition(vm, numberPrototype->globalObject(), Identifier::fromString(&vm, "isInteger"), 1, numberConstructorFuncIsInteger, NoIntrinsic, DontEnum);
-    putDirectNativeFunctionWithoutTransition(vm, numberPrototype->globalObject(), Identifier::fromString(&vm, "isNaN"), 1, numberConstructorFuncIsNaN, NoIntrinsic, DontEnum);
-    putDirectNativeFunctionWithoutTransition(vm, numberPrototype->globalObject(), Identifier::fromString(&vm, "isSafeInteger"), 1, numberConstructorFuncIsSafeInteger, NoIntrinsic, DontEnum);
-    putDirectNativeFunctionWithoutTransition(vm, numberPrototype->globalObject(), Identifier::fromString(&vm, "parseFloat"), 1, globalFuncParseFloat, NoIntrinsic, DontEnum);
     putDirectWithoutTransition(vm, Identifier::fromString(&vm, "parseInt"), numberPrototype->globalObject()->parseIntFunction(), DontEnum);
 }
@@ -109 +114 @@
 }
 
-// ECMA-262 20.1.2.2
-static EncodedJSValue JSC_HOST_CALL numberConstructorFuncIsFinite(ExecState* exec)
-{
-    JSValue argument = exec->argument(0);
-    return JSValue::encode(jsBoolean(argument.isNumber() && (argument.isInt32() || std::isfinite(argument.asDouble()))));
-}
-
 // ECMA-262 20.1.2.3
 static EncodedJSValue JSC_HOST_CALL numberConstructorFuncIsInteger(ExecState* exec)
@@ -130 +128 @@
     }
     return JSValue::encode(jsBoolean(isInteger));
-}
-
-// ECMA-262 20.1.2.4
-static EncodedJSValue JSC_HOST_CALL numberConstructorFuncIsNaN(ExecState* exec)
-{
-    JSValue argument = exec->argument(0);
-    return JSValue::encode(jsBoolean(argument.isDouble() && std::isnan(argument.asDouble())));
 }
 

trunk/Source/JavaScriptCore/runtime/NumberConstructor.h

@@ -32 +32 @@
 public:
     typedef InternalFunction Base;
-    static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | ImplementsHasInstance | ImplementsDefaultHasInstance;
+    static const unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance | HasStaticPropertyTable;
 
     static NumberConstructor* create(VM& vm, Structure* structure, NumberPrototype* numberPrototype, GetterSetter*)