Changeset 90371 in webkit

Timestamp:

Jul 4, 2011 12:26:05 PM (13 years ago)

Author:

barraclough@apple.com

Message:

​https://bugs.webkit.org/show_bug.cgi?id=63881
Need separate bytecodes for handling >, >= comparisons.

Reviewed by Oliver Hunt.

This clears the way to fix Bug#63880. We currently handle greater-than comparisons
as being using the corresponding op_less, etc opcodes. This is incorrect with
respect to evaluation ordering of the implicit conversions performed on operands -
we should be calling ToPrimitive on the LHS and RHS operands to the greater than,
but instead convert RHS then LHS.

This patch adds opcodes for greater-than comparisons mirroring existing ones used
for less-than.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dump):

• bytecode/Opcode.h:
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitJumpIfTrue):
(JSC::BytecodeGenerator::emitJumpIfFalse):

• bytecompiler/NodesCodegen.cpp:
• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGNode.h:
• dfg/DFGNonSpeculativeJIT.cpp:

(JSC::DFG::NonSpeculativeJIT::compare):
(JSC::DFG::NonSpeculativeJIT::compile):

• dfg/DFGNonSpeculativeJIT.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT.h:
• interpreter/Interpreter.cpp:

(JSC::Interpreter::privateExecute):

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:

(JSC::JIT::emit_op_loop_if_greater):
(JSC::JIT::emitSlow_op_loop_if_greater):
(JSC::JIT::emit_op_loop_if_greatereq):
(JSC::JIT::emitSlow_op_loop_if_greatereq):

• jit/JITArithmetic.cpp:

(JSC::JIT::emit_op_jgreater):
(JSC::JIT::emit_op_jgreatereq):
(JSC::JIT::emit_op_jngreater):
(JSC::JIT::emit_op_jngreatereq):
(JSC::JIT::emitSlow_op_jgreater):
(JSC::JIT::emitSlow_op_jgreatereq):
(JSC::JIT::emitSlow_op_jngreater):
(JSC::JIT::emitSlow_op_jngreatereq):
(JSC::JIT::emit_compareAndJumpSlow):

• jit/JITArithmetic32_64.cpp:

(JSC::JIT::emitBinaryDoubleOp):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• jit/JITStubs.h:
• parser/NodeConstructors.h:

(JSC::GreaterNode::GreaterNode):
(JSC::GreaterEqNode::GreaterEqNode):

• parser/Nodes.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (5 diffs)
• bytecode/Opcode.h (modified) (3 diffs)
• bytecompiler/BytecodeGenerator.cpp (modified) (2 diffs)
• bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (4 diffs)
• dfg/DFGNode.h (modified) (1 diff)
• dfg/DFGNonSpeculativeJIT.cpp (modified) (2 diffs)
• dfg/DFGNonSpeculativeJIT.h (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• interpreter/Interpreter.cpp (modified) (4 diffs)
• jit/JIT.cpp (modified) (4 diffs)
• jit/JIT.h (modified) (4 diffs)
• jit/JITArithmetic.cpp (modified) (9 diffs)
• jit/JITArithmetic32_64.cpp (modified) (2 diffs)
• jit/JITStubs.cpp (modified) (4 diffs)
• jit/JITStubs.h (modified) (2 diffs)
• parser/NodeConstructors.h (modified) (3 diffs)
• parser/Nodes.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-07-04  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=63881
+        Need separate bytecodes for handling >, >= comparisons.
+
+        Reviewed by Oliver Hunt.
+
+        This clears the way to fix Bug#63880. We currently handle greater-than comparisons
+        as being using the corresponding op_less, etc opcodes.  This is incorrect with
+        respect to evaluation ordering of the implicit conversions performed on operands -
+        we should be calling ToPrimitive on the LHS and RHS operands to the greater than,
+        but instead convert RHS then LHS.
+
+        This patch adds opcodes for greater-than comparisons mirroring existing ones used
+        for less-than.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dump):
+        * bytecode/Opcode.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitJumpIfTrue):
+        (JSC::BytecodeGenerator::emitJumpIfFalse):
+        * bytecompiler/NodesCodegen.cpp:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGNode.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compare):
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGNonSpeculativeJIT.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compare):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.h:
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JIT.h:
+        (JSC::JIT::emit_op_loop_if_greater):
+        (JSC::JIT::emitSlow_op_loop_if_greater):
+        (JSC::JIT::emit_op_loop_if_greatereq):
+        (JSC::JIT::emitSlow_op_loop_if_greatereq):
+        * jit/JITArithmetic.cpp:
+        (JSC::JIT::emit_op_jgreater):
+        (JSC::JIT::emit_op_jgreatereq):
+        (JSC::JIT::emit_op_jngreater):
+        (JSC::JIT::emit_op_jngreatereq):
+        (JSC::JIT::emitSlow_op_jgreater):
+        (JSC::JIT::emitSlow_op_jgreatereq):
+        (JSC::JIT::emitSlow_op_jngreater):
+        (JSC::JIT::emitSlow_op_jngreatereq):
+        (JSC::JIT::emit_compareAndJumpSlow):
+        * jit/JITArithmetic32_64.cpp:
+        (JSC::JIT::emitBinaryDoubleOp):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * jit/JITStubs.h:
+        * parser/NodeConstructors.h:
+        (JSC::GreaterNode::GreaterNode):
+        (JSC::GreaterEqNode::GreaterEqNode):
+        * parser/Nodes.h:
+
 2011-07-03  Gavin Barraclough  <barraclough@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -587 +587 @@
             break;
         }
+        case op_greater: {
+            printBinaryOp(exec, location, it, "greater");
+            break;
+        }
+        case op_greatereq: {
+            printBinaryOp(exec, location, it, "greatereq");
+            break;
+        }
         case op_pre_inc: {
             int r0 = (++it)->u.operand;
@@ -996 +1004 @@
             break;
         }
+        case op_jless: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int offset = (++it)->u.operand;
+            printf("[%4d] jless\t\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
+            break;
+        }
+        case op_jlesseq: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int offset = (++it)->u.operand;
+            printf("[%4d] jlesseq\t\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
+            break;
+        }
+        case op_jgreater: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int offset = (++it)->u.operand;
+            printf("[%4d] jgreater\t\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
+            break;
+        }
+        case op_jgreatereq: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int offset = (++it)->u.operand;
+            printf("[%4d] jgreatereq\t\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
+            break;
+        }
         case op_jnless: {
             int r0 = (++it)->u.operand;
@@ -1010 +1046 @@
             break;
         }
+        case op_jngreater: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int offset = (++it)->u.operand;
+            printf("[%4d] jngreater\t\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
+            break;
+        }
+        case op_jngreatereq: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int offset = (++it)->u.operand;
+            printf("[%4d] jngreatereq\t\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
+            break;
+        }
         case op_loop_if_less: {
             int r0 = (++it)->u.operand;
@@ -1017 +1067 @@
             break;
         }
-        case op_jless: {
-            int r0 = (++it)->u.operand;
-            int r1 = (++it)->u.operand;
-            int offset = (++it)->u.operand;
-            printf("[%4d] jless\t\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
-            break;
-        }
-        case op_jlesseq: {
-            int r0 = (++it)->u.operand;
-            int r1 = (++it)->u.operand;
-            int offset = (++it)->u.operand;
-            printf("[%4d] jlesseq\t\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
-            break;
-        }
         case op_loop_if_lesseq: {
             int r0 = (++it)->u.operand;
@@ -1036 +1072 @@
             int offset = (++it)->u.operand;
             printf("[%4d] loop_if_lesseq\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
+            break;
+        }
+        case op_loop_if_greater: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int offset = (++it)->u.operand;
+            printf("[%4d] loop_if_greater\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
+            break;
+        }
+        case op_loop_if_greatereq: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int offset = (++it)->u.operand;
+            printf("[%4d] loop_if_greatereq\t %s, %s, %d(->%d)\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), offset, location + offset);
             break;
         }

trunk/Source/JavaScriptCore/bytecode/Opcode.h

@@ -63 +63 @@
         macro(op_less, 4) \
         macro(op_lesseq, 4) \
+        macro(op_greater, 4) \
+        macro(op_greatereq, 4) \
         \
         macro(op_pre_inc, 2) \
@@ -146 +148 @@
         macro(op_jneq_null, 3) \
         macro(op_jneq_ptr, 4) \
+        macro(op_jless, 4) \
+        macro(op_jlesseq, 4) \
+        macro(op_jgreater, 4) \
+        macro(op_jgreatereq, 4) \
         macro(op_jnless, 4) \
         macro(op_jnlesseq, 4) \
-        macro(op_jless, 4) \
-        macro(op_jlesseq, 4) \
+        macro(op_jngreater, 4) \
+        macro(op_jngreatereq, 4) \
         macro(op_jmp_scopes, 3) \
         macro(op_loop, 2) \
@@ -156 +162 @@
         macro(op_loop_if_less, 4) \
         macro(op_loop_if_lesseq, 4) \
+        macro(op_loop_if_greater, 4) \
+        macro(op_loop_if_greatereq, 4) \
         macro(op_switch_imm, 4) \
         macro(op_switch_char, 4) \

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -734 +734 @@
             return target;
         }
+    } else if (m_lastOpcodeID == op_greater) {
+        int dstIndex;
+        int src1Index;
+        int src2Index;
+
+        retrieveLastBinaryOp(dstIndex, src1Index, src2Index);
+
+        if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
+            rewindBinaryOp();
+
+            size_t begin = instructions().size();
+            emitOpcode(target->isForward() ? op_jgreater : op_loop_if_greater);
+            instructions().append(src1Index);
+            instructions().append(src2Index);
+            instructions().append(target->bind(begin, instructions().size()));
+            return target;
+        }
+    } else if (m_lastOpcodeID == op_greatereq) {
+        int dstIndex;
+        int src1Index;
+        int src2Index;
+
+        retrieveLastBinaryOp(dstIndex, src1Index, src2Index);
+
+        if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
+            rewindBinaryOp();
+
+            size_t begin = instructions().size();
+            emitOpcode(target->isForward() ? op_jgreatereq : op_loop_if_greatereq);
+            instructions().append(src1Index);
+            instructions().append(src2Index);
+            instructions().append(target->bind(begin, instructions().size()));
+            return target;
+        }
     } else if (m_lastOpcodeID == op_eq_null && target->isForward()) {
         int dstIndex;
@@ -805 +839 @@
             size_t begin = instructions().size();
             emitOpcode(op_jnlesseq);
+            instructions().append(src1Index);
+            instructions().append(src2Index);
+            instructions().append(target->bind(begin, instructions().size()));
+            return target;
+        }
+    } else if (m_lastOpcodeID == op_greater && target->isForward()) {
+        int dstIndex;
+        int src1Index;
+        int src2Index;
+
+        retrieveLastBinaryOp(dstIndex, src1Index, src2Index);
+
+        if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
+            rewindBinaryOp();
+
+            size_t begin = instructions().size();
+            emitOpcode(op_jngreater);
+            instructions().append(src1Index);
+            instructions().append(src2Index);
+            instructions().append(target->bind(begin, instructions().size()));
+            return target;
+        }
+    } else if (m_lastOpcodeID == op_greatereq && target->isForward()) {
+        int dstIndex;
+        int src1Index;
+        int src2Index;
+
+        retrieveLastBinaryOp(dstIndex, src1Index, src2Index);
+
+        if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
+            rewindBinaryOp();
+
+            size_t begin = instructions().size();
+            emitOpcode(op_jngreatereq);
             instructions().append(src1Index);
             instructions().append(src2Index);

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -986 +986 @@
 }
 
-RegisterID* ReverseBinaryOpNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
-{
-    RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
-    RegisterID* src2 = generator.emitNode(m_expr2);
-    return generator.emitBinaryOp(opcodeID(), generator.finalDestination(dst, src1.get()), src2, src1.get(), OperandTypes(m_expr2->resultDescriptor(), m_expr1->resultDescriptor()));
-}
-
 RegisterID* ThrowableBinaryOpNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
 {

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -737 +737 @@
         }
 
+        case op_greater: {
+            ARITHMETIC_OP();
+            NodeIndex op1 = get(currentInstruction[2].u.operand);
+            NodeIndex op2 = get(currentInstruction[3].u.operand);
+            set(currentInstruction[1].u.operand, addToGraph(CompareGreater, op1, op2));
+            NEXT_OPCODE(op_greater);
+        }
+
+        case op_greatereq: {
+            ARITHMETIC_OP();
+            NodeIndex op1 = get(currentInstruction[2].u.operand);
+            NodeIndex op2 = get(currentInstruction[3].u.operand);
+            set(currentInstruction[1].u.operand, addToGraph(CompareGreaterEq, op1, op2));
+            NEXT_OPCODE(op_greatereq);
+        }
+
         case op_eq: {
             ARITHMETIC_OP();
@@ -912 +928 @@
         }
 
+        case op_jless: {
+            unsigned relativeOffset = currentInstruction[3].u.operand;
+            NodeIndex op1 = get(currentInstruction[1].u.operand);
+            NodeIndex op2 = get(currentInstruction[2].u.operand);
+            NodeIndex condition = addToGraph(CompareLess, op1, op2);
+            addToGraph(Branch, OpInfo(m_currentIndex + relativeOffset), OpInfo(m_currentIndex + OPCODE_LENGTH(op_jless)), condition);
+            LAST_OPCODE(op_jless);
+        }
+
+        case op_jlesseq: {
+            unsigned relativeOffset = currentInstruction[3].u.operand;
+            NodeIndex op1 = get(currentInstruction[1].u.operand);
+            NodeIndex op2 = get(currentInstruction[2].u.operand);
+            NodeIndex condition = addToGraph(CompareLessEq, op1, op2);
+            addToGraph(Branch, OpInfo(m_currentIndex + relativeOffset), OpInfo(m_currentIndex + OPCODE_LENGTH(op_jlesseq)), condition);
+            LAST_OPCODE(op_jlesseq);
+        }
+
+        case op_jgreater: {
+            unsigned relativeOffset = currentInstruction[3].u.operand;
+            NodeIndex op1 = get(currentInstruction[1].u.operand);
+            NodeIndex op2 = get(currentInstruction[2].u.operand);
+            NodeIndex condition = addToGraph(CompareGreater, op1, op2);
+            addToGraph(Branch, OpInfo(m_currentIndex + relativeOffset), OpInfo(m_currentIndex + OPCODE_LENGTH(op_jgreater)), condition);
+            LAST_OPCODE(op_jgreater);
+        }
+
+        case op_jgreatereq: {
+            unsigned relativeOffset = currentInstruction[3].u.operand;
+            NodeIndex op1 = get(currentInstruction[1].u.operand);
+            NodeIndex op2 = get(currentInstruction[2].u.operand);
+            NodeIndex condition = addToGraph(CompareGreaterEq, op1, op2);
+            addToGraph(Branch, OpInfo(m_currentIndex + relativeOffset), OpInfo(m_currentIndex + OPCODE_LENGTH(op_jgreatereq)), condition);
+            LAST_OPCODE(op_jgreatereq);
+        }
+
         case op_jnless: {
             unsigned relativeOffset = currentInstruction[3].u.operand;
@@ -930 +982 @@
         }
 
-        case op_jless: {
+        case op_jngreater: {
             unsigned relativeOffset = currentInstruction[3].u.operand;
             NodeIndex op1 = get(currentInstruction[1].u.operand);
             NodeIndex op2 = get(currentInstruction[2].u.operand);
-            NodeIndex condition = addToGraph(CompareLess, op1, op2);
-            addToGraph(Branch, OpInfo(m_currentIndex + relativeOffset), OpInfo(m_currentIndex + OPCODE_LENGTH(op_jless)), condition);
-            LAST_OPCODE(op_jless);
-        }
-
-        case op_jlesseq: {
+            NodeIndex condition = addToGraph(CompareGreater, op1, op2);
+            addToGraph(Branch, OpInfo(m_currentIndex + OPCODE_LENGTH(op_jngreater)), OpInfo(m_currentIndex + relativeOffset), condition);
+            LAST_OPCODE(op_jngreater);
+        }
+
+        case op_jngreatereq: {
             unsigned relativeOffset = currentInstruction[3].u.operand;
             NodeIndex op1 = get(currentInstruction[1].u.operand);
             NodeIndex op2 = get(currentInstruction[2].u.operand);
-            NodeIndex condition = addToGraph(CompareLessEq, op1, op2);
-            addToGraph(Branch, OpInfo(m_currentIndex + relativeOffset), OpInfo(m_currentIndex + OPCODE_LENGTH(op_jlesseq)), condition);
-            LAST_OPCODE(op_jlesseq);
+            NodeIndex condition = addToGraph(CompareGreaterEq, op1, op2);
+            addToGraph(Branch, OpInfo(m_currentIndex + OPCODE_LENGTH(op_jngreatereq)), OpInfo(m_currentIndex + relativeOffset), condition);
+            LAST_OPCODE(op_jngreatereq);
         }
 
@@ -964 +1016 @@
             addToGraph(Branch, OpInfo(m_currentIndex + relativeOffset), OpInfo(m_currentIndex + OPCODE_LENGTH(op_loop_if_lesseq)), condition);
             LAST_OPCODE(op_loop_if_lesseq);
+        }
+
+        case op_loop_if_greater: {
+            unsigned relativeOffset = currentInstruction[3].u.operand;
+            NodeIndex op1 = get(currentInstruction[1].u.operand);
+            NodeIndex op2 = get(currentInstruction[2].u.operand);
+            NodeIndex condition = addToGraph(CompareGreater, op1, op2);
+            addToGraph(Branch, OpInfo(m_currentIndex + relativeOffset), OpInfo(m_currentIndex + OPCODE_LENGTH(op_loop_if_greater)), condition);
+            LAST_OPCODE(op_loop_if_greater);
+        }
+
+        case op_loop_if_greatereq: {
+            unsigned relativeOffset = currentInstruction[3].u.operand;
+            NodeIndex op1 = get(currentInstruction[1].u.operand);
+            NodeIndex op2 = get(currentInstruction[2].u.operand);
+            NodeIndex condition = addToGraph(CompareGreaterEq, op1, op2);
+            addToGraph(Branch, OpInfo(m_currentIndex + relativeOffset), OpInfo(m_currentIndex + OPCODE_LENGTH(op_loop_if_greatereq)), condition);
+            LAST_OPCODE(op_loop_if_greatereq);
         }
 

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -134 +134 @@
     macro(CompareLess, NodeResultJS | NodeMustGenerate) \
     macro(CompareLessEq, NodeResultJS | NodeMustGenerate) \
+    macro(CompareGreater, NodeResultJS | NodeMustGenerate) \
+    macro(CompareGreaterEq, NodeResultJS | NodeMustGenerate) \
     macro(CompareEq, NodeResultJS | NodeMustGenerate) \
     macro(CompareStrictEq, NodeResultJS) \

trunk/Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp

@@ -343 +343 @@
 }
 
-void NonSpeculativeJIT::compare(Node& node, MacroAssembler::RelationalCondition cond, const Z_DFGOperation_EJJ& helperFunction)
+void NonSpeculativeJIT::compare(Node& node, MacroAssembler::RelationalCondition cond, Z_DFGOperation_EJJ helperFunction)
 {
     // FIXME: should do some peephole to fuse compare/branch
@@ -741 +741 @@
         break;
         
+    case CompareGreater:
+        compare(node, MacroAssembler::GreaterThan, operationCompareGreater);
+        break;
+        
+    case CompareGreaterEq:
+        compare(node, MacroAssembler::GreaterThanOrEqual, operationCompareGreaterEq);
+        break;
+        
     case CompareEq:
         compare(node, MacroAssembler::Equal, operationCompareEq);

trunk/Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.h

@@ -103 +103 @@
     void knownConstantArithOp(NodeType op, NodeIndex regChild, NodeIndex immChild, bool commute);
     void basicArithOp(NodeType op, Node&);
-    void compare(Node&, MacroAssembler::RelationalCondition, const Z_DFGOperation_EJJ&);
-    
+    void compare(Node&, MacroAssembler::RelationalCondition, Z_DFGOperation_EJJ);
+
     EntryLocationVector m_entryLocations;
 };

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -378 +378 @@
 }
 
+bool operationCompareGreater(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    return jsLess(exec, JSValue::decode(encodedOp2), JSValue::decode(encodedOp1)); // FIXME: Bug#63880
+}
+
+bool operationCompareGreaterEq(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    return jsLessEq(exec, JSValue::decode(encodedOp2), JSValue::decode(encodedOp1)); // FIXME: Bug#63880
+}
+
 bool operationCompareEq(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -77 +77 @@
 bool operationCompareLess(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);
 bool operationCompareLessEq(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);
+bool operationCompareGreater(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);
+bool operationCompareGreaterEq(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);
 bool operationCompareEq(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);
 bool operationCompareStrictEq(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -414 +414 @@
 }
 
+// Returns true if the compare is fused with a subsequent branch.
+bool SpeculativeJIT::compare(Node& node, MacroAssembler::RelationalCondition condition, Z_DFGOperation_EJJ operation)
+{
+    // Fused compare & branch.
+    NodeIndex branchNodeIndex = detectPeepHoleBranch();
+    if (branchNodeIndex != NoNode) {
+        // detectPeepHoleBranch currently only permits the branch to be the very next node,
+        // so can be no intervening nodes to also reference the compare. 
+        ASSERT(node.adjustedRefCount() == 1);
+
+        if (shouldSpeculateInteger(node.child1, node.child2))
+            compilePeepHoleIntegerBranch(node, branchNodeIndex, condition);
+        else
+            compilePeepHoleCall(node, branchNodeIndex, operation);
+
+        use(node.child1);
+        use(node.child2);
+        m_compileIndex = branchNodeIndex;
+        return true;
+    }
+
+    // Normal case, not fused to branch.
+    SpeculateIntegerOperand op1(this, node.child1);
+    SpeculateIntegerOperand op2(this, node.child2);
+    GPRTemporary result(this, op1, op2);
+
+    m_jit.compare32(condition, op1.gpr(), op2.gpr(), result.gpr());
+
+    // If we add a DataFormatBool, we should use it here.
+    m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
+    jsValueResult(result.gpr(), m_compileIndex);
+    return false;
+}
+
 void SpeculativeJIT::compile(Node& node)
 {
@@ -739 +773 @@
     }
 
-    case CompareLess: {
-        // Fused compare & branch.
-        NodeIndex branchNodeIndex = detectPeepHoleBranch();
-        if (branchNodeIndex != NoNode) {
-            // detectPeepHoleBranch currently only permits the branch to be the very next node,
-            // so can be no intervening nodes to also reference the compare. 
-            ASSERT(node.adjustedRefCount() == 1);
-
-            if (shouldSpeculateInteger(node.child1, node.child2))
-                compilePeepHoleIntegerBranch(node, branchNodeIndex, JITCompiler::LessThan);
-            else
-                compilePeepHoleCall(node, branchNodeIndex, operationCompareLess);
-
-            use(node.child1);
-            use(node.child2);
-            m_compileIndex = branchNodeIndex;
+    case CompareLess:
+        if (compare(node, JITCompiler::LessThan, operationCompareLess))
             return;
-        }
-
-        // Normal case, not fused to branch.
-        SpeculateIntegerOperand op1(this, node.child1);
-        SpeculateIntegerOperand op2(this, node.child2);
-        GPRTemporary result(this, op1, op2);
-
-        m_jit.compare32(JITCompiler::LessThan, op1.gpr(), op2.gpr(), result.gpr());
-
-        // If we add a DataFormatBool, we should use it here.
-        m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
-        jsValueResult(result.gpr(), m_compileIndex);
-        break;
-    }
-
-    case CompareLessEq: {
-        // Fused compare & branch.
-        NodeIndex branchNodeIndex = detectPeepHoleBranch();
-        if (branchNodeIndex != NoNode) {
-            // detectPeepHoleBranch currently only permits the branch to be the very next node,
-            // so can be no intervening nodes to also reference the compare. 
-            ASSERT(node.adjustedRefCount() == 1);
-
-            if (shouldSpeculateInteger(node.child1, node.child2))
-                compilePeepHoleIntegerBranch(node, branchNodeIndex, JITCompiler::LessThanOrEqual);
-            else
-                compilePeepHoleCall(node, branchNodeIndex, operationCompareLessEq);
-
-            use(node.child1);
-            use(node.child2);
-            m_compileIndex = branchNodeIndex;
+        break;
+
+    case CompareLessEq:
+        if (compare(node, JITCompiler::LessThanOrEqual, operationCompareLessEq))
             return;
-        }
-
-        // Normal case, not fused to branch.
-        SpeculateIntegerOperand op1(this, node.child1);
-        SpeculateIntegerOperand op2(this, node.child2);
-        GPRTemporary result(this, op1, op2);
-
-        m_jit.compare32(JITCompiler::LessThanOrEqual, op1.gpr(), op2.gpr(), result.gpr());
-
-        // If we add a DataFormatBool, we should use it here.
-        m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
-        jsValueResult(result.gpr(), m_compileIndex);
-        break;
-    }
-
-    case CompareEq: {
-        // Fused compare & branch.
-        NodeIndex branchNodeIndex = detectPeepHoleBranch();
-        if (branchNodeIndex != NoNode) {
-            // detectPeepHoleBranch currently only permits the branch to be the very next node,
-            // so can be no intervening nodes to also reference the compare. 
-            ASSERT(node.adjustedRefCount() == 1);
-
-            if (shouldSpeculateInteger(node.child1, node.child2))
-                compilePeepHoleIntegerBranch(node, branchNodeIndex, JITCompiler::Equal);
-            else
-                compilePeepHoleCall(node, branchNodeIndex, operationCompareEq);
-
-            use(node.child1);
-            use(node.child2);
-            m_compileIndex = branchNodeIndex;
+        break;
+
+    case CompareGreater:
+        if (compare(node, JITCompiler::GreaterThan, operationCompareGreater))
             return;
-        }
-
-        SpeculateIntegerOperand op1(this, node.child1);
-        SpeculateIntegerOperand op2(this, node.child2);
-        GPRTemporary result(this, op1, op2);
-
-        m_jit.compare32(JITCompiler::Equal, op1.gpr(), op2.gpr(), result.gpr());
-
-        // If we add a DataFormatBool, we should use it here.
-        m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
-        jsValueResult(result.gpr(), m_compileIndex);
-        break;
-    }
+        break;
+
+    case CompareGreaterEq:
+        if (compare(node, JITCompiler::GreaterThanOrEqual, operationCompareGreaterEq))
+            return;
+        break;
+
+    case CompareEq:
+        if (compare(node, JITCompiler::Equal, operationCompareEq))
+            return;
+        break;
 
     case CompareStrictEq: {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -185 +185 @@
     }
 
+    bool compare(Node&, MacroAssembler::RelationalCondition, Z_DFGOperation_EJJ);
     void compilePeepHoleIntegerBranch(Node&, NodeIndex branchNodeIndex, JITCompiler::RelationalCondition);
     void compilePeepHoleCall(Node&, NodeIndex branchNodeIndex, Z_DFGOperation_EJJ);

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -1797 +1797 @@
         NEXT_INSTRUCTION();
     }
+    DEFINE_OPCODE(op_greater) {
+        /* greater dst(r) src1(r) src2(r)
+
+           Checks whether register src1 is greater than register src2, as
+           with the ECMAScript '>' operator, and puts the result as
+           a boolean in register dst.
+        */
+        int dst = vPC[1].u.operand;
+        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
+        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
+        JSValue result = jsBoolean(jsLess(callFrame, src2, src1)); // FIXME: Bug#63880
+        CHECK_FOR_EXCEPTION();
+        callFrame->uncheckedR(dst) = result;
+
+        vPC += OPCODE_LENGTH(op_greater);
+        NEXT_INSTRUCTION();
+    }
+    DEFINE_OPCODE(op_greatereq) {
+        /* greatereq dst(r) src1(r) src2(r)
+
+           Checks whether register src1 is greater than or equal to
+           register src2, as with the ECMAScript '>=' operator, and
+           puts the result as a boolean in register dst.
+        */
+        int dst = vPC[1].u.operand;
+        JSValue src1 = callFrame->r(vPC[2].u.operand).jsValue();
+        JSValue src2 = callFrame->r(vPC[3].u.operand).jsValue();
+        JSValue result = jsBoolean(jsLessEq(callFrame, src2, src1)); // FIXME: Bug#63880
+        CHECK_FOR_EXCEPTION();
+        callFrame->uncheckedR(dst) = result;
+
+        vPC += OPCODE_LENGTH(op_greatereq);
+        NEXT_INSTRUCTION();
+    }
     DEFINE_OPCODE(op_pre_inc) {
         /* pre_inc srcDst(r)
@@ -3694 +3728 @@
         NEXT_INSTRUCTION();
     }
-    DEFINE_OPCODE(op_jnless) {
-        /* jnless src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is less than register src2, as
-           with the ECMAScript '<' operator, and then jumps to offset
+    DEFINE_OPCODE(op_loop_if_greater) {
+        /* loop_if_greater src1(r) src2(r) target(offset)
+
+           Checks whether register src1 is greater than register src2, as
+           with the ECMAScript '>' operator, and then jumps to offset
            target from the current instruction, if and only if the 
-           result of the comparison is false.
-        */
+           result of the comparison is true.
+
+           Additionally this loop instruction may terminate JS execution is
+           the JS timeout is reached.
+         */
         JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
         JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
         int target = vPC[3].u.operand;
-
-        bool result = jsLess(callFrame, src1, src2);
+        
+        bool result = jsLess(callFrame, src2, src1); // FIXME: Bug#63880
         CHECK_FOR_EXCEPTION();
         
-        if (!result) {
+        if (result) {
             vPC += target;
+            CHECK_FOR_TIMEOUT();
             NEXT_INSTRUCTION();
         }
-
-        vPC += OPCODE_LENGTH(op_jnless);
+        
+        vPC += OPCODE_LENGTH(op_loop_if_greater);
+        NEXT_INSTRUCTION();
+    }
+    DEFINE_OPCODE(op_loop_if_greatereq) {
+        /* loop_if_greatereq src1(r) src2(r) target(offset)
+
+           Checks whether register src1 is greater than or equal to register
+           src2, as with the ECMAScript '>=' operator, and then jumps to
+           offset target from the current instruction, if and only if the 
+           result of the comparison is true.
+
+           Additionally this loop instruction may terminate JS execution is
+           the JS timeout is reached.
+        */
+        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
+        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
+        int target = vPC[3].u.operand;
+        
+        bool result = jsLessEq(callFrame, src2, src1); // FIXME: Bug#63880
+        CHECK_FOR_EXCEPTION();
+        
+        if (result) {
+            vPC += target;
+            CHECK_FOR_TIMEOUT();
+            NEXT_INSTRUCTION();
+        }
+        
+        vPC += OPCODE_LENGTH(op_loop_if_greatereq);
         NEXT_INSTRUCTION();
     }
@@ -3738 +3803 @@
 
         vPC += OPCODE_LENGTH(op_jless);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_jnlesseq) {
-        /* jnlesseq src1(r) src2(r) target(offset)
-
-           Checks whether register src1 is less than or equal to
-           register src2, as with the ECMAScript '<=' operator,
-           and then jumps to offset target from the current instruction,
-           if and only if theresult of the comparison is false.
-        */
-        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
-        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
-        int target = vPC[3].u.operand;
-
-        bool result = jsLessEq(callFrame, src1, src2);
-        CHECK_FOR_EXCEPTION();
-        
-        if (!result) {
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-
-        vPC += OPCODE_LENGTH(op_jnlesseq);
         NEXT_INSTRUCTION();
     }
@@ -3784 +3826 @@
         
         vPC += OPCODE_LENGTH(op_jlesseq);
+        NEXT_INSTRUCTION();
+    }
+    DEFINE_OPCODE(op_jgreater) {
+        /* jgreater src1(r) src2(r) target(offset)
+
+           Checks whether register src1 is greater than register src2, as
+           with the ECMAScript '>' operator, and then jumps to offset
+           target from the current instruction, if and only if the 
+           result of the comparison is true.
+        */
+        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
+        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
+        int target = vPC[3].u.operand;
+
+        bool result = jsLess(callFrame, src2, src1); // FIXME: Bug#63880
+        CHECK_FOR_EXCEPTION();
+        
+        if (result) {
+            vPC += target;
+            NEXT_INSTRUCTION();
+        }
+
+        vPC += OPCODE_LENGTH(op_jgreater);
+        NEXT_INSTRUCTION();
+    }
+    DEFINE_OPCODE(op_jgreatereq) {
+        /* jgreatereq src1(r) src2(r) target(offset)
+         
+         Checks whether register src1 is greater than or equal to
+         register src2, as with the ECMAScript '>=' operator,
+         and then jumps to offset target from the current instruction,
+         if and only if the result of the comparison is true.
+         */
+        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
+        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
+        int target = vPC[3].u.operand;
+        
+        bool result = jsLessEq(callFrame, src2, src1); // FIXME: Bug#63880
+        CHECK_FOR_EXCEPTION();
+        
+        if (result) {
+            vPC += target;
+            NEXT_INSTRUCTION();
+        }
+        
+        vPC += OPCODE_LENGTH(op_jgreatereq);
+        NEXT_INSTRUCTION();
+    }
+    DEFINE_OPCODE(op_jnless) {
+        /* jnless src1(r) src2(r) target(offset)
+
+           Checks whether register src1 is less than register src2, as
+           with the ECMAScript '<' operator, and then jumps to offset
+           target from the current instruction, if and only if the 
+           result of the comparison is false.
+        */
+        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
+        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
+        int target = vPC[3].u.operand;
+
+        bool result = jsLess(callFrame, src1, src2);
+        CHECK_FOR_EXCEPTION();
+        
+        if (!result) {
+            vPC += target;
+            NEXT_INSTRUCTION();
+        }
+
+        vPC += OPCODE_LENGTH(op_jnless);
+        NEXT_INSTRUCTION();
+    }
+    DEFINE_OPCODE(op_jnlesseq) {
+        /* jnlesseq src1(r) src2(r) target(offset)
+
+           Checks whether register src1 is less than or equal to
+           register src2, as with the ECMAScript '<=' operator,
+           and then jumps to offset target from the current instruction,
+           if and only if theresult of the comparison is false.
+        */
+        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
+        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
+        int target = vPC[3].u.operand;
+
+        bool result = jsLessEq(callFrame, src1, src2);
+        CHECK_FOR_EXCEPTION();
+        
+        if (!result) {
+            vPC += target;
+            NEXT_INSTRUCTION();
+        }
+
+        vPC += OPCODE_LENGTH(op_jnlesseq);
+        NEXT_INSTRUCTION();
+    }
+    DEFINE_OPCODE(op_jngreater) {
+        /* jngreater src1(r) src2(r) target(offset)
+
+           Checks whether register src1 is greater than register src2, as
+           with the ECMAScript '>' operator, and then jumps to offset
+           target from the current instruction, if and only if the 
+           result of the comparison is false.
+        */
+        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
+        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
+        int target = vPC[3].u.operand;
+
+        bool result = jsLess(callFrame, src2, src1); // FIXME: Bug#63880
+        CHECK_FOR_EXCEPTION();
+        
+        if (!result) {
+            vPC += target;
+            NEXT_INSTRUCTION();
+        }
+
+        vPC += OPCODE_LENGTH(op_jngreater);
+        NEXT_INSTRUCTION();
+    }
+    DEFINE_OPCODE(op_jngreatereq) {
+        /* jngreatereq src1(r) src2(r) target(offset)
+
+           Checks whether register src1 is greater than or equal to
+           register src2, as with the ECMAScript '>=' operator,
+           and then jumps to offset target from the current instruction,
+           if and only if theresult of the comparison is false.
+        */
+        JSValue src1 = callFrame->r(vPC[1].u.operand).jsValue();
+        JSValue src2 = callFrame->r(vPC[2].u.operand).jsValue();
+        int target = vPC[3].u.operand;
+
+        bool result = jsLessEq(callFrame, src2, src1); // FIXME: Bug#63880
+        CHECK_FOR_EXCEPTION();
+        
+        if (!result) {
+            vPC += target;
+            NEXT_INSTRUCTION();
+        }
+
+        vPC += OPCODE_LENGTH(op_jngreatereq);
         NEXT_INSTRUCTION();
     }

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -199 +199 @@
         DEFINE_BINARY_OP(op_less)
         DEFINE_BINARY_OP(op_lesseq)
+        DEFINE_BINARY_OP(op_greater)
+        DEFINE_BINARY_OP(op_greatereq)
         DEFINE_UNARY_OP(op_is_boolean)
         DEFINE_UNARY_OP(op_is_function)
@@ -250 +252 @@
         DEFINE_OP(op_jneq_null)
         DEFINE_OP(op_jneq_ptr)
-        DEFINE_OP(op_jnless)
         DEFINE_OP(op_jless)
         DEFINE_OP(op_jlesseq)
+        DEFINE_OP(op_jgreater)
+        DEFINE_OP(op_jgreatereq)
+        DEFINE_OP(op_jnless)
         DEFINE_OP(op_jnlesseq)
+        DEFINE_OP(op_jngreater)
+        DEFINE_OP(op_jngreatereq)
         DEFINE_OP(op_jsr)
         DEFINE_OP(op_jtrue)
@@ -260 +266 @@
         DEFINE_OP(op_loop_if_less)
         DEFINE_OP(op_loop_if_lesseq)
+        DEFINE_OP(op_loop_if_greater)
+        DEFINE_OP(op_loop_if_greatereq)
         DEFINE_OP(op_loop_if_true)
         DEFINE_OP(op_loop_if_false)
@@ -406 +414 @@
         DEFINE_SLOWCASE_OP(op_instanceof)
         DEFINE_SLOWCASE_OP(op_jfalse)
-        DEFINE_SLOWCASE_OP(op_jnless)
         DEFINE_SLOWCASE_OP(op_jless)
         DEFINE_SLOWCASE_OP(op_jlesseq)
+        DEFINE_SLOWCASE_OP(op_jgreater)
+        DEFINE_SLOWCASE_OP(op_jgreatereq)
+        DEFINE_SLOWCASE_OP(op_jnless)
         DEFINE_SLOWCASE_OP(op_jnlesseq)
+        DEFINE_SLOWCASE_OP(op_jngreater)
+        DEFINE_SLOWCASE_OP(op_jngreatereq)
         DEFINE_SLOWCASE_OP(op_jtrue)
         DEFINE_SLOWCASE_OP(op_load_varargs)
         DEFINE_SLOWCASE_OP(op_loop_if_less)
         DEFINE_SLOWCASE_OP(op_loop_if_lesseq)
+        DEFINE_SLOWCASE_OP(op_loop_if_greater)
+        DEFINE_SLOWCASE_OP(op_loop_if_greatereq)
         DEFINE_SLOWCASE_OP(op_loop_if_true)
         DEFINE_SLOWCASE_OP(op_loop_if_false)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -764 +764 @@
         void emit_op_jneq_null(Instruction*);
         void emit_op_jneq_ptr(Instruction*);
-        void emit_op_jnless(Instruction*);
         void emit_op_jless(Instruction*);
         void emit_op_jlesseq(Instruction*);
+        void emit_op_jgreater(Instruction*);
+        void emit_op_jgreatereq(Instruction*);
+        void emit_op_jnless(Instruction*);
         void emit_op_jnlesseq(Instruction*);
+        void emit_op_jngreater(Instruction*);
+        void emit_op_jngreatereq(Instruction*);
         void emit_op_jsr(Instruction*);
         void emit_op_jtrue(Instruction*);
@@ -774 +778 @@
         void emit_op_loop_if_less(Instruction*);
         void emit_op_loop_if_lesseq(Instruction*);
+        void emit_op_loop_if_greater(Instruction*);
+        void emit_op_loop_if_greatereq(Instruction*);
         void emit_op_loop_if_true(Instruction*);
         void emit_op_loop_if_false(Instruction*);
@@ -860 +866 @@
         void emitSlow_op_instanceof(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_jfalse(Instruction*, Vector<SlowCaseEntry>::iterator&);
-        void emitSlow_op_jnless(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_jless(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_jlesseq(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_jgreater(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_jgreatereq(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_jnless(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_jnlesseq(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_jngreater(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_jngreatereq(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_jtrue(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_load_varargs(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_loop_if_less(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_loop_if_lesseq(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_loop_if_greater(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_loop_if_greatereq(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_loop_if_true(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_loop_if_false(Instruction*, Vector<SlowCaseEntry>::iterator&);
@@ -1055 +1067 @@
     }
 
+    inline void JIT::emit_op_loop_if_greater(Instruction* currentInstruction)
+    {
+        emitTimeoutCheck();
+        emit_op_jgreater(currentInstruction);
+    }
+
+    inline void JIT::emitSlow_op_loop_if_greater(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+    {
+        emitSlow_op_jgreater(currentInstruction, iter);
+    }
+
+    inline void JIT::emit_op_loop_if_greatereq(Instruction* currentInstruction)
+    {
+        emitTimeoutCheck();
+        emit_op_jgreatereq(currentInstruction);
+    }
+
+    inline void JIT::emitSlow_op_loop_if_greatereq(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+    {
+        emitSlow_op_jgreatereq(currentInstruction, iter);
+    }
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/JITArithmetic.cpp

@@ -65 +65 @@
 }
 
+void JIT::emit_op_jgreater(Instruction* currentInstruction)
+{
+    unsigned op1 = currentInstruction[1].u.operand;
+    unsigned op2 = currentInstruction[2].u.operand;
+    unsigned target = currentInstruction[3].u.operand;
+
+    emit_compareAndJump(op_jgreater, op1, op2, target, GreaterThan);
+}
+
+void JIT::emit_op_jgreatereq(Instruction* currentInstruction)
+{
+    unsigned op1 = currentInstruction[1].u.operand;
+    unsigned op2 = currentInstruction[2].u.operand;
+    unsigned target = currentInstruction[3].u.operand;
+
+    emit_compareAndJump(op_jgreatereq, op1, op2, target, GreaterThanOrEqual);
+}
+
 void JIT::emit_op_jnless(Instruction* currentInstruction)
 {
@@ -83 +101 @@
 }
 
+void JIT::emit_op_jngreater(Instruction* currentInstruction)
+{
+    unsigned op1 = currentInstruction[1].u.operand;
+    unsigned op2 = currentInstruction[2].u.operand;
+    unsigned target = currentInstruction[3].u.operand;
+
+    emit_compareAndJump(op_jngreater, op1, op2, target, LessThanOrEqual);
+}
+
+void JIT::emit_op_jngreatereq(Instruction* currentInstruction)
+{
+    unsigned op1 = currentInstruction[1].u.operand;
+    unsigned op2 = currentInstruction[2].u.operand;
+    unsigned target = currentInstruction[3].u.operand;
+
+    emit_compareAndJump(op_jngreatereq, op1, op2, target, LessThan);
+}
+
 void JIT::emitSlow_op_jless(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
@@ -101 +137 @@
 }
 
+void JIT::emitSlow_op_jgreater(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    unsigned op1 = currentInstruction[1].u.operand;
+    unsigned op2 = currentInstruction[2].u.operand;
+    unsigned target = currentInstruction[3].u.operand;
+
+    emit_compareAndJumpSlow(op1, op2, target, DoubleGreaterThan, cti_op_jgreater, false, iter);
+}
+
+void JIT::emitSlow_op_jgreatereq(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    unsigned op1 = currentInstruction[1].u.operand;
+    unsigned op2 = currentInstruction[2].u.operand;
+    unsigned target = currentInstruction[3].u.operand;
+
+    emit_compareAndJumpSlow(op1, op2, target, DoubleGreaterThanOrEqual, cti_op_jgreatereq, false, iter);
+}
+
 void JIT::emitSlow_op_jnless(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
@@ -117 +171 @@
 
     emit_compareAndJumpSlow(op1, op2, target, DoubleGreaterThanOrUnordered, cti_op_jlesseq, true, iter);
+}
+
+void JIT::emitSlow_op_jngreater(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    unsigned op1 = currentInstruction[1].u.operand;
+    unsigned op2 = currentInstruction[2].u.operand;
+    unsigned target = currentInstruction[3].u.operand;
+
+    emit_compareAndJumpSlow(op1, op2, target, DoubleLessThanOrEqualOrUnordered, cti_op_jgreater, true, iter);
+}
+
+void JIT::emitSlow_op_jngreatereq(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    unsigned op1 = currentInstruction[1].u.operand;
+    unsigned op2 = currentInstruction[2].u.operand;
+    unsigned target = currentInstruction[3].u.operand;
+
+    emit_compareAndJumpSlow(op1, op2, target, DoubleLessThanOrUnordered, cti_op_jgreatereq, true, iter);
 }
 
@@ -362 +434 @@
 void JIT::emit_compareAndJumpSlow(unsigned op1, unsigned op2, unsigned target, DoubleCondition condition, int (JIT_STUB *stub)(STUB_ARGS_DECLARATION), bool invert, Vector<SlowCaseEntry>::iterator& iter)
 {
+    COMPILE_ASSERT(OPCODE_LENGTH(op_jless) == OPCODE_LENGTH(op_jlesseq), OPCODE_LENGTH_op_jlesseq_equals_op_jless);
+    COMPILE_ASSERT(OPCODE_LENGTH(op_jless) == OPCODE_LENGTH(op_jnless), OPCODE_LENGTH_op_jnless_equals_op_jless);
+    COMPILE_ASSERT(OPCODE_LENGTH(op_jless) == OPCODE_LENGTH(op_jnlesseq), OPCODE_LENGTH_op_jnlesseq_equals_op_jless);
+    COMPILE_ASSERT(OPCODE_LENGTH(op_jless) == OPCODE_LENGTH(op_jgreater), OPCODE_LENGTH_op_jgreater_equals_op_jless);
+    COMPILE_ASSERT(OPCODE_LENGTH(op_jless) == OPCODE_LENGTH(op_jgreatereq), OPCODE_LENGTH_op_jgreatereq_equals_op_jless);
+    COMPILE_ASSERT(OPCODE_LENGTH(op_jless) == OPCODE_LENGTH(op_jngreater), OPCODE_LENGTH_op_jngreater_equals_op_jless);
+    COMPILE_ASSERT(OPCODE_LENGTH(op_jless) == OPCODE_LENGTH(op_jngreatereq), OPCODE_LENGTH_op_jngreatereq_equals_op_jless);
+    
     // We generate inline code for the following cases in the slow path:
     // - floating-point number to constant int immediate
@@ -394 +474 @@
             emitJumpSlowToHot(branchDouble(condition, fpRegT0, fpRegT1), target);
 
-            emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_jnless));
+            emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_jless));
 
             fail1.link(this);
@@ -420 +500 @@
             emitJumpSlowToHot(branchDouble(condition, fpRegT0, fpRegT1), target);
 
-            emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_jnless));
+            emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_jless));
 
             fail1.link(this);
@@ -430 +510 @@
         stubCall.call();
         emitJumpSlowToHot(branchTest32(invert ? Zero : NonZero, regT0), target);
-
     } else {
         linkSlowCase(iter);
@@ -445 +524 @@
             emitJumpSlowToHot(branchDouble(condition, fpRegT0, fpRegT1), target);
 
-            emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_jnless));
+            emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_jless));
 
             fail1.link(this);

trunk/Source/JavaScriptCore/jit/JITArithmetic32_64.cpp

@@ -865 +865 @@
                 emitStoreDouble(dst, fpRegT1);
                 break;
+            case op_jless:
+                emitLoadDouble(op1, fpRegT2);
+                addJump(branchDouble(DoubleLessThan, fpRegT2, fpRegT0), dst);
+                break;
+            case op_jlesseq:
+                emitLoadDouble(op1, fpRegT2);
+                addJump(branchDouble(DoubleLessThanOrEqual, fpRegT2, fpRegT0), dst);
+                break;
+            case op_jgreater:
+                emitLoadDouble(op1, fpRegT2);
+                addJump(branchDouble(DoubleGreaterThan, fpRegT2, fpRegT0), dst);
+                break;
+            case op_jgreatereq:
+                emitLoadDouble(op1, fpRegT2);
+                addJump(branchDouble(DoubleGreaterThanOrEqual, fpRegT2, fpRegT0), dst);
+                break;
             case op_jnless:
                 emitLoadDouble(op1, fpRegT2);
                 addJump(branchDouble(DoubleLessThanOrEqualOrUnordered, fpRegT0, fpRegT2), dst);
                 break;
-            case op_jless:
-                emitLoadDouble(op1, fpRegT2);
-                addJump(branchDouble(DoubleLessThan, fpRegT2, fpRegT0), dst);
-                break;
-            case op_jlesseq:
-                emitLoadDouble(op1, fpRegT2);
-                addJump(branchDouble(DoubleLessThanOrEqual, fpRegT2, fpRegT0), dst);
-                break;
             case op_jnlesseq:
                 emitLoadDouble(op1, fpRegT2);
                 addJump(branchDouble(DoubleLessThanOrUnordered, fpRegT0, fpRegT2), dst);
+                break;
+            case op_jngreater:
+                emitLoadDouble(op1, fpRegT2);
+                addJump(branchDouble(DoubleGreaterThanOrEqualOrUnordered, fpRegT0, fpRegT2), dst);
+                break;
+            case op_jngreatereq:
+                emitLoadDouble(op1, fpRegT2);
+                addJump(branchDouble(DoubleGreaterThanOrUnordered, fpRegT0, fpRegT2), dst);
                 break;
             default:
@@ -926 +942 @@
                 emitStoreDouble(dst, fpRegT0);
                 break;
+            case op_jless:
+                emitLoadDouble(op2, fpRegT1);
+                addJump(branchDouble(DoubleLessThan, fpRegT0, fpRegT1), dst);
+                break;
+            case op_jlesseq:
+                emitLoadDouble(op2, fpRegT1);
+                addJump(branchDouble(DoubleLessThanOrEqual, fpRegT0, fpRegT1), dst);
+                break;
+            case op_jgreater:
+                emitLoadDouble(op2, fpRegT1);
+                addJump(branchDouble(DoubleGreaterThan, fpRegT0, fpRegT1), dst);
+                break;
+            case op_jgreatereq:
+                emitLoadDouble(op2, fpRegT1);
+                addJump(branchDouble(DoubleGreaterThanOrEqual, fpRegT0, fpRegT1), dst);
+                break;
             case op_jnless:
                 emitLoadDouble(op2, fpRegT1);
                 addJump(branchDouble(DoubleLessThanOrEqualOrUnordered, fpRegT1, fpRegT0), dst);
                 break;
-            case op_jless:
-                emitLoadDouble(op2, fpRegT1);
-                addJump(branchDouble(DoubleLessThan, fpRegT0, fpRegT1), dst);
-                break;
             case op_jnlesseq:
                 emitLoadDouble(op2, fpRegT1);
                 addJump(branchDouble(DoubleLessThanOrUnordered, fpRegT1, fpRegT0), dst);
                 break;
-            case op_jlesseq:
+            case op_jngreater:
                 emitLoadDouble(op2, fpRegT1);
-                addJump(branchDouble(DoubleLessThanOrEqual, fpRegT0, fpRegT1), dst);
+                addJump(branchDouble(DoubleGreaterThanOrEqualOrUnordered, fpRegT1, fpRegT0), dst);
+                break;
+            case op_jngreatereq:
+                emitLoadDouble(op2, fpRegT1);
+                addJump(branchDouble(DoubleGreaterThanOrUnordered, fpRegT1, fpRegT0), dst);
                 break;
             default:

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -2537 +2537 @@
 }
 
+DEFINE_STUB_FUNCTION(EncodedJSValue, op_less)
+{
+    STUB_INIT_STACK_FRAME(stackFrame);
+
+    CallFrame* callFrame = stackFrame.callFrame;
+    JSValue result = jsBoolean(jsLess(callFrame, stackFrame.args[0].jsValue(), stackFrame.args[1].jsValue()));
+    CHECK_FOR_EXCEPTION_AT_END();
+    return JSValue::encode(result);
+}
+
 DEFINE_STUB_FUNCTION(EncodedJSValue, op_lesseq)
 {
@@ -2543 +2553 @@
     CallFrame* callFrame = stackFrame.callFrame;
     JSValue result = jsBoolean(jsLessEq(callFrame, stackFrame.args[0].jsValue(), stackFrame.args[1].jsValue()));
+    CHECK_FOR_EXCEPTION_AT_END();
+    return JSValue::encode(result);
+}
+
+DEFINE_STUB_FUNCTION(EncodedJSValue, op_greater)
+{
+    STUB_INIT_STACK_FRAME(stackFrame);
+
+    CallFrame* callFrame = stackFrame.callFrame;
+    JSValue result = jsBoolean(jsLess(callFrame, stackFrame.args[1].jsValue(), stackFrame.args[0].jsValue())); // FIXME: Bug#63880
+    CHECK_FOR_EXCEPTION_AT_END();
+    return JSValue::encode(result);
+}
+
+DEFINE_STUB_FUNCTION(EncodedJSValue, op_greatereq)
+{
+    STUB_INIT_STACK_FRAME(stackFrame);
+
+    CallFrame* callFrame = stackFrame.callFrame;
+    JSValue result = jsBoolean(jsLessEq(callFrame, stackFrame.args[1].jsValue(), stackFrame.args[0].jsValue())); // FIXME: Bug#63880
     CHECK_FOR_EXCEPTION_AT_END();
     return JSValue::encode(result);
@@ -2808 +2838 @@
 }
 
+DEFINE_STUB_FUNCTION(int, op_jgreater)
+{
+    STUB_INIT_STACK_FRAME(stackFrame);
+
+    JSValue src1 = stackFrame.args[0].jsValue();
+    JSValue src2 = stackFrame.args[1].jsValue();
+    CallFrame* callFrame = stackFrame.callFrame;
+
+    bool result = jsLess(callFrame, src2, src1); // FIXME: Bug#63880
+    CHECK_FOR_EXCEPTION_AT_END();
+    return result;
+}
+
+DEFINE_STUB_FUNCTION(int, op_jgreatereq)
+{
+    STUB_INIT_STACK_FRAME(stackFrame);
+
+    JSValue src1 = stackFrame.args[0].jsValue();
+    JSValue src2 = stackFrame.args[1].jsValue();
+    CallFrame* callFrame = stackFrame.callFrame;
+
+    bool result = jsLessEq(callFrame, src2, src1); // FIXME: Bug#63880
+    CHECK_FOR_EXCEPTION_AT_END();
+    return result;
+}
+
 DEFINE_STUB_FUNCTION(EncodedJSValue, op_not)
 {
@@ -3091 +3147 @@
 }
 
-DEFINE_STUB_FUNCTION(EncodedJSValue, op_less)
-{
-    STUB_INIT_STACK_FRAME(stackFrame);
-
-    CallFrame* callFrame = stackFrame.callFrame;
-    JSValue result = jsBoolean(jsLess(callFrame, stackFrame.args[0].jsValue(), stackFrame.args[1].jsValue()));
-    CHECK_FOR_EXCEPTION_AT_END();
-    return JSValue::encode(result);
-}
-
 DEFINE_STUB_FUNCTION(EncodedJSValue, op_post_dec)
 {

trunk/Source/JavaScriptCore/jit/JITStubs.h

@@ -353 +353 @@
     EncodedJSValue JIT_STUB cti_op_less(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_lesseq(STUB_ARGS_DECLARATION);
+    EncodedJSValue JIT_STUB cti_op_greater(STUB_ARGS_DECLARATION);
+    EncodedJSValue JIT_STUB cti_op_greatereq(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_lshift(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_mod(STUB_ARGS_DECLARATION);
@@ -395 +397 @@
     int JIT_STUB cti_op_jless(STUB_ARGS_DECLARATION);
     int JIT_STUB cti_op_jlesseq(STUB_ARGS_DECLARATION);
+    int JIT_STUB cti_op_jgreater(STUB_ARGS_DECLARATION);
+    int JIT_STUB cti_op_jgreatereq(STUB_ARGS_DECLARATION);
     int JIT_STUB cti_op_jtrue(STUB_ARGS_DECLARATION);
     int JIT_STUB cti_op_load_varargs(STUB_ARGS_DECLARATION);

trunk/Source/JavaScriptCore/parser/NodeConstructors.h

@@ -450 +450 @@
     }
 
-    inline ReverseBinaryOpNode::ReverseBinaryOpNode(JSGlobalData* globalData, ExpressionNode* expr1, ExpressionNode* expr2, OpcodeID opcodeID, bool rightHasAssignments)
-        : BinaryOpNode(globalData, expr1, expr2, opcodeID, rightHasAssignments)
-    {
-    }
-
-    inline ReverseBinaryOpNode::ReverseBinaryOpNode(JSGlobalData* globalData, ResultType type, ExpressionNode* expr1, ExpressionNode* expr2, OpcodeID opcodeID, bool rightHasAssignments)
-        : BinaryOpNode(globalData, type, expr1, expr2, opcodeID, rightHasAssignments)
-    {
-    }
-
     inline MultNode::MultNode(JSGlobalData* globalData, ExpressionNode* expr1, ExpressionNode* expr2, bool rightHasAssignments)
         : BinaryOpNode(globalData, ResultType::numberTypeCanReuse(), expr1, expr2, op_mul, rightHasAssignments)
@@ -507 +497 @@
 
     inline GreaterNode::GreaterNode(JSGlobalData* globalData, ExpressionNode* expr1, ExpressionNode* expr2, bool rightHasAssignments)
-        : ReverseBinaryOpNode(globalData, ResultType::booleanType(), expr1, expr2, op_less, rightHasAssignments)
+        : BinaryOpNode(globalData, ResultType::booleanType(), expr1, expr2, op_greater, rightHasAssignments)
     {
     }
@@ -517 +507 @@
 
     inline GreaterEqNode::GreaterEqNode(JSGlobalData* globalData, ExpressionNode* expr1, ExpressionNode* expr2, bool rightHasAssignments)
-        : ReverseBinaryOpNode(globalData, ResultType::booleanType(), expr1, expr2, op_lesseq, rightHasAssignments)
+        : BinaryOpNode(globalData, ResultType::booleanType(), expr1, expr2, op_greatereq, rightHasAssignments)
     {
     }

trunk/Source/JavaScriptCore/parser/Nodes.h

@@ -830 +830 @@
     };
 
-    class ReverseBinaryOpNode : public BinaryOpNode {
-    public:
-        ReverseBinaryOpNode(JSGlobalData*, ExpressionNode* expr1, ExpressionNode* expr2, OpcodeID, bool rightHasAssignments);
-        ReverseBinaryOpNode(JSGlobalData*, ResultType, ExpressionNode* expr1, ExpressionNode* expr2, OpcodeID, bool rightHasAssignments);
-
-        virtual RegisterID* emitBytecode(BytecodeGenerator&, RegisterID* = 0);
-    };
-
     class MultNode : public BinaryOpNode {
     public:
@@ -887 +879 @@
     };
 
-    class GreaterNode : public ReverseBinaryOpNode {
+    class GreaterNode : public BinaryOpNode {
     public:
         GreaterNode(JSGlobalData*, ExpressionNode* expr1, ExpressionNode* expr2, bool rightHasAssignments);
@@ -897 +889 @@
     };
 
-    class GreaterEqNode : public ReverseBinaryOpNode {
+    class GreaterEqNode : public BinaryOpNode {
     public:
         GreaterEqNode(JSGlobalData*, ExpressionNode* expr1, ExpressionNode* expr2, bool rightHasAssignments);