Changeset 242715 in webkit

Timestamp:

Mar 11, 2019 10:21:41 AM (5 years ago)

Author:

Caio Lima

Message:

[ESNext][BigInt] Implement "~" unary operation
​https://bugs.webkit.org/show_bug.cgi?id=182216

Reviewed by Keith Miller.

JSTests:

• stress/big-int-bit-not-general.js: Added.
• stress/big-int-bitwise-not-jit.js: Added.
• stress/big-int-bitwise-not-wrapped-value.js: Added.
• stress/bit-op-with-object-returning-int32.js:
• stress/bitwise-not-fixup-rules.js: Added.
• stress/value-bit-not-ai-rule.js: Added.

PerformanceTests:

• BigIntBench/big-int-simple-bit-not.js: Added.

Source/JavaScriptCore:

This patch is adding support of BigInt into op_bitnot operations. In
addition, we are changing ArithBitNot to handle only Number operands,
while introducing a new node named ValueBitNot to handle Untyped and
BigInt. This node follows the same approach we are doing into other
arithimetic operations into DFG.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

It is possible that fixup and prediction propagation don't convert a
ValueBitNot(ConstInt32) into ArithBitNot(ConstInt32) because these
analysis are conservative. In such case, we are adding constant
folding rules to ValueBitNot AI.

• dfg/DFGBackwardsPropagationPhase.cpp:

(JSC::DFG::BackwardsPropagationPhase::propagate):

ValueBitNot has same rules as ArithBitNot on backwards propagation.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

We can emit ArithBitNot if we know that operand of op_bitnot is a
Number or any int. Otherwise we fallback to ValueBitNot and rely on
fixup to convert the node to ArithBitNot when it is possible.
ValueBitNot uses heap prediction on prediction propagation and we
collect its type from op_bitnot's value profiler.

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

When we have the case with ValueBitNot(BigInt), we don't clobberize
world.

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

ValueBitNot can GC on BigIntUse because, right now, all bitNot
operation allocates temporary BigInts to perform calculations and it
can potentially trigger GC.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

ValueBitNot is responsible do handle BigIntUse and UntypedUse. To all
other uses, we fallback to ArithBitNot.

• dfg/DFGNode.h:

(JSC::DFG::Node::hasHeapPrediction):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:

(JSC::DFG::bitwiseBinaryOp):

This template function is abstracting the new semantics of numeric
values operations on bitwise operations. These operations usually
folow these steps:

1. rhsNumeric = GetInt32OrBigInt(rhs)
2. lhsNumeric = GetInt32OrBigInt(lhs)
3. trhow error if TypeOf(rhsNumeric) != TypeOf(lhsNumeric)
4. return BigInt::bitwiseOp(bitOp, rhs, lhs) if TypeOf(lhsNumeric) == BigInt
5. return rhs <int32BitOp> lhs

Since we have almost the same code for every bitwise op,
we use such template to avoid code duplication. The template receives
Int32 and BigInt operations as parameter. Error message is received as
const char* instead of String& to avoid String allocation even when
there is no error to throw.

• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileValueBitNot):

ValueBitNot generates speculative code for BigIntUse and this code is a
call to operationBitNotBigInt. This operation is faster than
operationValueBitNot because there is no need to check types of
operands and execute properly operation. We still need to check
exceptions after operationBitNotBigInt because it can throw OOM.

(JSC::DFG::SpeculativeJIT::compileBitwiseNot):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
(JSC::FTL::DFG::LowerDFGToB3::compileArithBitNot):

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/JSBigInt.cpp:

(JSC::JSBigInt::bitwiseNot):

• runtime/JSBigInt.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/big-int-bit-not-general.js (added)
• JSTests/stress/big-int-bitwise-not-jit.js (added)
• JSTests/stress/big-int-bitwise-not-wrapped-value.js (added)
• JSTests/stress/bit-op-with-object-returning-int32.js (modified) (1 diff)
• JSTests/stress/bitwise-not-fixup-rules.js (added)
• JSTests/stress/value-bit-not-ai-rule.js (added)
• PerformanceTests/BigIntBench/big-int-simple-bit-not.js (added)
• PerformanceTests/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSBigInt.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSBigInt.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-03-11  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][BigInt] Implement "~" unary operation
+        https://bugs.webkit.org/show_bug.cgi?id=182216
+
+        Reviewed by Keith Miller.
+
+        * stress/big-int-bit-not-general.js: Added.
+        * stress/big-int-bitwise-not-jit.js: Added.
+        * stress/big-int-bitwise-not-wrapped-value.js: Added.
+        * stress/bit-op-with-object-returning-int32.js:
+        * stress/bitwise-not-fixup-rules.js: Added.
+        * stress/value-bit-not-ai-rule.js: Added.
+
 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/JSTests/stress/bit-op-with-object-returning-int32.js

@@ -37 +37 @@
 assert(numberOfDFGCompiles(bitXor) <= 1, true);
 
+function bitNot(a) {
+    return ~a;
+}
+noInline(bitNot);
+
+for (var i = 0; i < 10000; i++)
+    assert(bitNot(o), -14);
+
+assert(numberOfDFGCompiles(bitNot) <= 1, true);
+

trunk/PerformanceTests/ChangeLog

@@ +1 @@
+2019-03-11  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][BigInt] Implement "~" unary operation
+        https://bugs.webkit.org/show_bug.cgi?id=182216
+
+        Reviewed by Keith Miller.
+
+        * BigIntBench/big-int-simple-bit-not.js: Added.
+
 2019-03-04  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-03-11  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][BigInt] Implement "~" unary operation
+        https://bugs.webkit.org/show_bug.cgi?id=182216
+
+        Reviewed by Keith Miller.
+
+        This patch is adding support of BigInt into op_bitnot operations. In
+        addition, we are changing ArithBitNot to handle only Number operands,
+        while introducing a new node named ValueBitNot to handle Untyped and
+        BigInt. This node follows the same approach we are doing into other
+        arithimetic operations into DFG.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
+        It is possible that fixup and prediction propagation don't convert a
+        ValueBitNot(ConstInt32) into ArithBitNot(ConstInt32) because these
+        analysis are conservative. In such case, we are adding constant
+        folding rules to ValueBitNot AI.
+
+        * dfg/DFGBackwardsPropagationPhase.cpp:
+        (JSC::DFG::BackwardsPropagationPhase::propagate):
+
+        ValueBitNot has same rules as ArithBitNot on backwards propagation.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+
+        We can emit ArithBitNot if we know that operand of op_bitnot is a
+        Number or any int. Otherwise we fallback to ValueBitNot and rely on
+        fixup to convert the node to ArithBitNot when it is possible.
+        ValueBitNot uses heap prediction on prediction propagation and we
+        collect its type from op_bitnot's value profiler.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
+        When we have the case with ValueBitNot(BigInt), we don't clobberize
+        world.
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+
+        ValueBitNot can GC on BigIntUse because, right now, all bitNot
+        operation allocates temporary BigInts to perform calculations and it
+        can potentially trigger GC.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
+        ValueBitNot is responsible do handle BigIntUse and UntypedUse. To all
+        other uses, we fallback to ArithBitNot.
+
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasHeapPrediction):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::bitwiseBinaryOp):
+
+        This template function is abstracting the new semantics of numeric
+        values operations on bitwise operations. These operations usually
+        folow these steps:
+
+            1. rhsNumeric = GetInt32OrBigInt(rhs)
+            2. lhsNumeric = GetInt32OrBigInt(lhs)
+            3. trhow error if TypeOf(rhsNumeric) != TypeOf(lhsNumeric)
+            4. return BigInt::bitwiseOp(bitOp, rhs, lhs) if TypeOf(lhsNumeric) == BigInt
+            5. return rhs <int32BitOp> lhs
+
+        Since we have almost the same code for every bitwise op,
+        we use such template to avoid code duplication. The template receives
+        Int32 and BigInt operations as parameter. Error message is received as
+        `const char*` instead of `String&` to avoid String allocation even when
+        there is no error to throw.
+
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileValueBitNot):
+
+        ValueBitNot generates speculative code for BigIntUse and this code is a
+        call to `operationBitNotBigInt`. This operation is faster than
+        `operationValueBitNot` because there is no need to check types of
+        operands and execute properly operation. We still need to check
+        exceptions after `operationBitNotBigInt` because it can throw OOM.
+
+        (JSC::DFG::SpeculativeJIT::compileBitwiseNot):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
+        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitNot):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/JSBigInt.cpp:
+        (JSC::JSBigInt::bitwiseNot):
+        * runtime/JSBigInt.h:
+
 2019-03-11  Darin Adler  <darin@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -377 +377 @@
     }
 
+    case ValueBitNot: {
+        JSValue operand = forNode(node->child1()).value();
+        if (operand && operand.isInt32()) {
+            didFoldClobberWorld();
+            int32_t a = operand.asInt32();
+            setConstant(node, JSValue(~a));
+            break;
+        }
+
+        if (node->child1().useKind() == BigIntUse)
+            setTypeForNode(node, SpecBigInt);
+        else {
+            clobberWorld();
+            setTypeForNode(node, SpecBoolInt32 | SpecBigInt);
+        }
+
+        break;
+    }
+
     case ArithBitNot: {
-        if (node->child1().useKind() == UntypedUse) {
-            clobberWorld();
-            setNonCellTypeForNode(node, SpecInt32Only);
-            break;
-        }
-
         JSValue operand = forNode(node->child1()).value();
         if (operand && operand.isInt32()) {

trunk/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp

@@ -211 +211 @@
             break;
             
+        case ValueBitNot:
         case ArithBitNot: {
             flags |= NodeBytecodeUsesAsInt;

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -4919 +4919 @@
         case op_bitnot: {
             auto bytecode = currentInstruction->as<OpBitnot>();
+            SpeculatedType prediction = getPrediction();
             Node* op1 = get(bytecode.m_operand);
-            set(bytecode.m_dst, addToGraph(ArithBitNot, op1));
+            if (op1->hasNumberOrAnyIntResult())
+                set(bytecode.m_dst, addToGraph(ArithBitNot, op1));
+            else
+                set(bytecode.m_dst, addToGraph(ValueBitNot, OpInfo(), OpInfo(prediction), op1));
             NEXT_OPCODE(op_bitnot);
         }

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -260 +260 @@
         return;
 
+    case ValueBitNot:
+        if (node->child1().useKind() == BigIntUse) {
+            def(PureValue(node));
+            return;
+        }
+        read(World);
+        write(Heap);
+        return;
+
     case ArithBitNot:
         if (node->child1().useKind() == UntypedUse) {

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -379 +379 @@
     case ValueMul:
     case ValueDiv:
+    case ValueBitNot:
     case ValueNegate:
 #else

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -235 +235 @@
         }
 
+        case ValueBitNot: {
+            Edge& operandEdge = node->child1();
+
+            if (operandEdge.node()->shouldSpeculateBigInt()) {
+                node->clearFlags(NodeMustGenerate);
+                fixEdge<BigIntUse>(operandEdge);
+            } else if (operandEdge.node()->shouldSpeculateUntypedForBitOps())
+                fixEdge<UntypedUse>(operandEdge);
+            else {
+                node->setOp(ArithBitNot);
+                node->setResult(NodeResultInt32);
+                node->clearFlags(NodeMustGenerate);
+                fixIntConvertingEdge(operandEdge);
+            }
+            break;
+        }
+
         case ArithBitNot: {
-            if (node->child1().node()->shouldSpeculateUntypedForBitOps()) {
-                fixEdge<UntypedUse>(node->child1());
-                break;
-            }
-
-            fixIntConvertingEdge(node->child1());
-            node->clearFlags(NodeMustGenerate);
+            Edge& operandEdge = node->child1();
+
+            fixIntConvertingEdge(operandEdge);
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -1694 +1694 @@
         case ValueBitOr:
         case ValueBitXor:
+        case ValueBitNot:
         case CallObjectConstructor:
         case LoadKeyFromMapBucket:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -112 +112 @@
     \
     /* Nodes for bitwise operations. */\
-    macro(ArithBitNot, NodeResultInt32 | NodeMustGenerate) \
+    macro(ValueBitNot, NodeResultJS | NodeMustGenerate) \
+    macro(ArithBitNot, NodeResultInt32) \
     macro(ValueBitAnd, NodeResultJS | NodeMustGenerate) \
     macro(ArithBitAnd, NodeResultInt32) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -214 +214 @@
 }
 
+template<typename BigIntOperation, typename Int32Operation>
+static ALWAYS_INLINE EncodedJSValue bitwiseBinaryOp(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2, BigIntOperation&& bigIntOp, Int32Operation&& int32Op, const char* errorMessage)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    auto scope = DECLARE_THROW_SCOPE(*vm);
+
+    JSValue op1 = JSValue::decode(encodedOp1);
+    JSValue op2 = JSValue::decode(encodedOp2);
+
+    auto leftNumeric = op1.toBigIntOrInt32(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    auto rightNumeric = op2.toBigIntOrInt32(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
+        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric))
+            RELEASE_AND_RETURN(scope, JSValue::encode(bigIntOp(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric))));
+
+        return throwVMTypeError(exec, scope, errorMessage);
+    }
+
+    scope.release();
+
+    return JSValue::encode(jsNumber(int32Op(WTF::get<int32_t>(leftNumeric), WTF::get<int32_t>(rightNumeric))));
+}
+
 static ALWAYS_INLINE EncodedJSValue parseIntResult(double input)
 {
@@ -362 +389 @@
     JSValue op1 = JSValue::decode(encodedOp1);
 
-    int32_t operandValue = op1.toInt32(exec);
+    auto operandNumeric = op1.toBigIntOrInt32(exec);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
-    return JSValue::encode(jsNumber(~operandValue));
+    if (WTF::holds_alternative<JSBigInt*>(operandNumeric))
+        RELEASE_AND_RETURN(scope, JSValue::encode(JSBigInt::bitwiseNot(exec, WTF::get<JSBigInt*>(operandNumeric))));
+
+    return JSValue::encode(jsNumber(~WTF::get<int32_t>(operandNumeric)));
 }
 
 EncodedJSValue JIT_OPERATION operationValueBitAnd(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(*vm);
-
-    JSValue op1 = JSValue::decode(encodedOp1);
-    JSValue op2 = JSValue::decode(encodedOp2);
-
-    auto leftNumeric = op1.toBigIntOrInt32(exec);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    auto rightNumeric = op2.toBigIntOrInt32(exec);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
-
-    if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-            JSBigInt* result = JSBigInt::bitwiseAnd(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
-            RETURN_IF_EXCEPTION(scope, encodedJSValue());
-            return JSValue::encode(result);
-        }
-
-        return throwVMTypeError(exec, scope, "Invalid mix of BigInt and other type in bitwise 'and' operation.");
-    }
-
-    return JSValue::encode(jsNumber(WTF::get<int32_t>(leftNumeric) & WTF::get<int32_t>(rightNumeric)));
+    auto bigIntOp = [] (ExecState* exec, JSBigInt* left, JSBigInt* right) -> JSBigInt* {
+        return JSBigInt::bitwiseAnd(exec, left, right);
+    };
+
+    auto int32Op = [] (int32_t left, int32_t right) -> int32_t {
+        return left & right;
+    };
+
+    return bitwiseBinaryOp(exec, encodedOp1, encodedOp2, bigIntOp, int32Op, "Invalid mix of BigInt and other type in bitwise 'and' operation."_s);
 }
 
 EncodedJSValue JIT_OPERATION operationValueBitOr(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(*vm);
-
-    JSValue op1 = JSValue::decode(encodedOp1);
-    JSValue op2 = JSValue::decode(encodedOp2);
-
-    auto leftNumeric = op1.toBigIntOrInt32(exec);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    auto rightNumeric = op2.toBigIntOrInt32(exec);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
-
-    if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-            JSBigInt* result = JSBigInt::bitwiseOr(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
-            RETURN_IF_EXCEPTION(scope, encodedJSValue());
-            return JSValue::encode(result);
-        }
-
-        return throwVMTypeError(exec, scope, "Invalid mix of BigInt and other type in bitwise 'or' operation.");
-    }
-
-    return JSValue::encode(jsNumber(WTF::get<int32_t>(leftNumeric) | WTF::get<int32_t>(rightNumeric)));
+    auto bigIntOp = [] (ExecState* exec, JSBigInt* left, JSBigInt* right) -> JSBigInt* {
+        return JSBigInt::bitwiseOr(exec, left, right);
+    };
+
+    auto int32Op = [] (int32_t left, int32_t right) -> int32_t {
+        return left | right;
+    };
+
+    return bitwiseBinaryOp(exec, encodedOp1, encodedOp2, bigIntOp, int32Op, "Invalid mix of BigInt and other type in bitwise 'or' operation."_s);
 }
 
 EncodedJSValue JIT_OPERATION operationValueBitXor(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(*vm);
-
-    JSValue op1 = JSValue::decode(encodedOp1);
-    JSValue op2 = JSValue::decode(encodedOp2);
-
-    auto leftNumeric = op1.toBigIntOrInt32(exec);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    auto rightNumeric = op2.toBigIntOrInt32(exec);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
-
-    if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-            JSBigInt* result = JSBigInt::bitwiseXor(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
-            RETURN_IF_EXCEPTION(scope, encodedJSValue());
-            return JSValue::encode(result);
-        }
-
-        return throwVMTypeError(exec, scope, "Invalid mix of BigInt and other type in bitwise 'xor' operation.");
-    }
-
-    return JSValue::encode(jsNumber(WTF::get<int32_t>(leftNumeric) ^ WTF::get<int32_t>(rightNumeric)));
+    auto bigIntOp = [] (ExecState* exec, JSBigInt* left, JSBigInt* right) -> JSBigInt* {
+        return JSBigInt::bitwiseXor(exec, left, right);
+    };
+
+    auto int32Op = [] (int32_t left, int32_t right) -> int32_t {
+        return left ^ right;
+    };
+
+    return bitwiseBinaryOp(exec, encodedOp1, encodedOp2, bigIntOp, int32Op, "Invalid mix of BigInt and other type in bitwise 'xor' operation."_s);
 }
 
@@ -1337 +1325 @@
     
     return JSBigInt::sub(exec, leftOperand, rightOperand);
+}
+
+JSCell* JIT_OPERATION operationBitNotBigInt(ExecState* exec, JSCell* op1)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSBigInt* operand = jsCast<JSBigInt*>(op1);
+
+    return JSBigInt::bitwiseNot(exec, operand);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -171 +171 @@
 JSCell* JIT_OPERATION operationDivBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationBitAndBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
+JSCell* JIT_OPERATION operationBitNotBigInt(ExecState*, JSCell* op1) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationBitOrBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationAddBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -803 +803 @@
         case ValueBitXor:
         case ValueBitOr:
+        case ValueBitNot:
         case CallObjectConstructor:
         case GetArgument:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -232 +232 @@
     case ValueBitXor:
     case ValueBitOr:
+    case ValueBitNot:
     case ValueNegate:
     case ValueAdd:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -3523 +3523 @@
 }
 
+void SpeculativeJIT::compileValueBitNot(Node* node)
+{
+    Edge& child1 = node->child1();
+
+    if (child1.useKind() == BigIntUse) {
+        SpeculateCellOperand operand(this, child1);
+        GPRReg operandGPR = operand.gpr();
+
+        speculateBigInt(child1, operandGPR);
+
+        flushRegisters();
+        GPRFlushedCallResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        callOperation(operationBitNotBigInt, resultGPR, operandGPR);
+        m_jit.exceptionCheck();
+        cellResult(resultGPR, node);
+
+        return;
+    }
+
+    JSValueOperand operand(this, child1);
+    JSValueRegs operandRegs = operand.jsValueRegs();
+
+    flushRegisters();
+    JSValueRegsFlushedCallResult result(this);
+    JSValueRegs resultRegs = result.regs();
+    callOperation(operationValueBitNot, resultRegs, operandRegs);
+    m_jit.exceptionCheck();
+
+    jsValueResult(resultRegs, node);
+}
+
 void SpeculativeJIT::compileBitwiseNot(Node* node)
 {
     Edge& child1 = node->child1();
-
-    if (child1.useKind() == UntypedUse) {
-        JSValueOperand operand(this, child1);
-        JSValueRegs operandRegs = operand.jsValueRegs();
-
-        flushRegisters();
-        JSValueRegsFlushedCallResult result(this);
-        JSValueRegs resultRegs = result.regs();
-        callOperation(operationValueBitNot, resultRegs, operandRegs);
-        m_jit.exceptionCheck();
-
-        jsValueResult(resultRegs, node);
-        return;
-    }
 
     SpeculateInt32Operand operand(this, child1);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1326 +1326 @@
     void compileDoubleAsInt32(Node*);
 
+    void compileValueBitNot(Node*);
     void compileBitwiseNot(Node*);
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -1990 +1990 @@
     case ArithBitXor:
         compileBitwiseOp(node);
+        break;
+
+    case ValueBitNot:
+        compileValueBitNot(node);
         break;
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2079 +2079 @@
         // the argument is not used.
         recordSetLocal(dataFormatFor(node->variableAccessData()->flushFormat()));
+        break;
+
+    case ValueBitNot:
+        compileValueBitNot(node);
         break;
 

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -92 +92 @@
     case ValueBitXor:
     case ValueBitOr:
+    case ValueBitNot:
     case ValueNegate:
     case ValueAdd:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -666 +666 @@
             compileArithUnary();
             break;
+        case ValueBitNot:
+            compileValueBitNot();
+            break;
         case ArithBitNot:
             compileArithBitNot();
@@ -2891 +2894 @@
     }
     
+    void compileValueBitNot()
+    {
+        if (m_node->child1().useKind() == BigIntUse) {
+            LValue operand = lowBigInt(m_node->child1());
+            LValue result = vmCall(pointerType(), m_out.operation(operationBitNotBigInt), m_callFrame, operand);
+            setJSValue(result);
+            return;
+        }
+
+        LValue operand = lowJSValue(m_node->child1());
+        LValue result = vmCall(Int64, m_out.operation(operationValueBitNot), m_callFrame, operand);
+        setJSValue(result);
+    }
+
     void compileArithBitNot()
     {
-        if (m_node->child1().useKind() == UntypedUse) {
-            LValue operand = lowJSValue(m_node->child1());
-            LValue result = vmCall(Int64, m_out.operation(operationValueBitNot), m_callFrame, operand);
-            setJSValue(result);
-            return;
-        }
-
         setInt32(m_out.bitNot(lowInt32(m_node->child1())));
     }

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -716 +716 @@
     BEGIN();
     auto bytecode = pc->as<OpBitnot>();
-    int32_t operand = GET_C(bytecode.m_operand).jsValue().toInt32(exec);
-    CHECK_EXCEPTION();
-    RETURN_PROFILED(jsNumber(~operand));
+    auto operandNumeric = GET_C(bytecode.m_operand).jsValue().toBigIntOrInt32(exec);
+    CHECK_EXCEPTION();
+
+    if (WTF::holds_alternative<JSBigInt*>(operandNumeric)) {
+        JSBigInt* result = JSBigInt::bitwiseNot(exec, WTF::get<JSBigInt*>(operandNumeric));
+        CHECK_EXCEPTION();
+        RETURN_PROFILED(result);
+    }
+
+    RETURN_PROFILED(jsNumber(~WTF::get<int32_t>(operandNumeric)));
 }
 

trunk/Source/JavaScriptCore/runtime/JSBigInt.cpp

@@ -526 +526 @@
 }
 
+JSBigInt* JSBigInt::bitwiseNot(ExecState* exec, JSBigInt* x)
+{
+    if (x->sign()) {
+        // ~(-x) == ~(~(x-1)) == x-1
+        return absoluteSubOne(exec, x, x->length());
+    } 
+    // ~x == -x-1 == -(x+1)
+    return absoluteAddOne(exec, x, SignOption::Signed);
+}
+
 #if USE(JSVALUE32_64)
 #define HAVE_TWO_DIGIT 1

trunk/Source/JavaScriptCore/runtime/JSBigInt.h

@@ -125 +125 @@
     static JSBigInt* bitwiseOr(ExecState*, JSBigInt* x, JSBigInt* y);
     static JSBigInt* bitwiseXor(ExecState*, JSBigInt* x, JSBigInt* y);
+    static JSBigInt* bitwiseNot(ExecState*, JSBigInt* x);
 
     static JSBigInt* leftShift(ExecState*, JSBigInt* x, JSBigInt* y);