Changeset 156019 in webkit for trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

Timestamp:

Sep 17, 2013, 6:31:04 PM (12 years ago)

Author:

[email protected]

Message:

DFG should support Int52 for local variables
​https://bugs.webkit.org/show_bug.cgi?id=121064

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
programs that have local int32 overflows but where a larger int representation can
prevent us from having to convert all the way up to double.

It's a small speed-up for now. But we're just supporting Int52 for a handful of
operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
the groundwork for adding Int52 to JSValue, which will probably be a bigger
speed-up.

The basic approach is:

• We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop or HeapTop - i.e. it doesn't arise from JSValues.

• DFG treats Int52 as being part of its FullTop and will treat it as being a subtype of double unless instructed otherwise.

• Prediction propagator creates Int52s whenever we have a node going doubly but due to large values rather than fractional values, and that node is known to be able to produce Int52 natively in the DFG backend.

• Fixup phase converts edges to MachineIntUses in nodes that are known to be able to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted input.

• The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that are left-shifted by 16 (great for overflow checks) and ones that are sign-extended. Both backends know how to convert between Int52s and the other representations.

• assembler/MacroAssemblerX86_64.h:

(JSC::MacroAssemblerX86_64::rshift64):
(JSC::MacroAssemblerX86_64::mul64):
(JSC::MacroAssemblerX86_64::branchMul64):
(JSC::MacroAssemblerX86_64::branchNeg64):
(JSC::MacroAssemblerX86_64::convertInt64ToDouble):

• assembler/X86Assembler.h:

(JSC::X86Assembler::imulq_rr):
(JSC::X86Assembler::cvtsi2sdq_rr):

• bytecode/DataFormat.h:

(JSC::dataFormatToString):

• bytecode/OperandsInlines.h:

(JSC::::dumpInContext):

• bytecode/SpeculatedType.cpp:

(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):

• bytecode/SpeculatedType.h:

(JSC::isInt32SpeculationForArithmetic):
(JSC::isMachineIntSpeculationForArithmetic):
(JSC::isBytecodeRealNumberSpeculation):
(JSC::isFullRealNumberSpeculation):
(JSC::isBytecodeNumberSpeculation):
(JSC::isFullNumberSpeculation):
(JSC::isBytecodeNumberSpeculationExpectingDefined):
(JSC::isFullNumberSpeculationExpectingDefined):

• bytecode/ValueRecovery.h:

(JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
(JSC::ValueRecovery::inGPR):
(JSC::ValueRecovery::displacedInJSStack):
(JSC::ValueRecovery::isAlreadyInJSStack):
(JSC::ValueRecovery::gpr):
(JSC::ValueRecovery::virtualRegister):
(JSC::ValueRecovery::dumpInContext):

• dfg/DFGAbstractInterpreter.h:

(JSC::DFG::AbstractInterpreter::needsTypeCheck):
(JSC::DFG::AbstractInterpreter::filterByType):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

• dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::checkConsistency):

• dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::couldBeType):
(JSC::DFG::AbstractValue::isType):
(JSC::DFG::AbstractValue::checkConsistency):
(JSC::DFG::AbstractValue::validateType):

• dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::refine):

• dfg/DFGAssemblyHelpers.h:

(JSC::DFG::AssemblyHelpers::boxInt52):

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGCommon.h:

(JSC::DFG::enableInt52):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):

• dfg/DFGFlushFormat.cpp:

(WTF::printInternal):

• dfg/DFGFlushFormat.h:

(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):

• dfg/DFGGenerationInfo.h:

(JSC::DFG::GenerationInfo::initInt52):
(JSC::DFG::GenerationInfo::initStrictInt52):
(JSC::DFG::GenerationInfo::isFormat):
(JSC::DFG::GenerationInfo::isInt52):
(JSC::DFG::GenerationInfo::isStrictInt52):
(JSC::DFG::GenerationInfo::fillInt52):
(JSC::DFG::GenerationInfo::fillStrictInt52):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::addShouldSpeculateMachineInt):
(JSC::DFG::Graph::mulShouldSpeculateMachineInt):
(JSC::DFG::Graph::negateShouldSpeculateMachineInt):

• dfg/DFGInPlaceAbstractState.cpp:

(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):

• dfg/DFGJITCode.cpp:

(JSC::DFG::JITCode::reconstruct):

• dfg/DFGMinifiedNode.h:

(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasChild):

• dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):

• dfg/DFGNodeFlags.h:
• dfg/DFGNodeType.h:

(JSC::DFG::forwardRewiringSelectionScore):

• dfg/DFGOSRExitCompiler.cpp:
• dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):

• dfg/DFGSilentRegisterSavePlan.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateMachineInt):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateRealNumber):
(JSC::DFG::SpeculativeJIT::speculate):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::canReuse):
(JSC::DFG::SpeculativeJIT::isFilled):
(JSC::DFG::SpeculativeJIT::isFilledDouble):
(JSC::DFG::SpeculativeJIT::use):
(JSC::DFG::SpeculativeJIT::isKnownInteger):
(JSC::DFG::SpeculativeJIT::isKnownCell):
(JSC::DFG::SpeculativeJIT::isKnownNotNumber):
(JSC::DFG::SpeculativeJIT::int52Result):
(JSC::DFG::SpeculativeJIT::strictInt52Result):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::isInteger):
(JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
(JSC::DFG::SpeculativeJIT::generationInfo):
(JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
(JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
(JSC::DFG::SpeculateInt52Operand::edge):
(JSC::DFG::SpeculateInt52Operand::node):
(JSC::DFG::SpeculateInt52Operand::gpr):
(JSC::DFG::SpeculateInt52Operand::use):
(JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
(JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
(JSC::DFG::SpeculateStrictInt52Operand::edge):
(JSC::DFG::SpeculateStrictInt52Operand::node):
(JSC::DFG::SpeculateStrictInt52Operand::gpr):
(JSC::DFG::SpeculateStrictInt52Operand::use):
(JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
(JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
(JSC::DFG::SpeculateWhicheverInt52Operand::edge):
(JSC::DFG::SpeculateWhicheverInt52Operand::node):
(JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
(JSC::DFG::SpeculateWhicheverInt52Operand::use):
(JSC::DFG::SpeculateWhicheverInt52Operand::format):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::boxInt52):
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileInt52Compare):
(JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGUseKind.cpp:

(WTF::printInternal):

• dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):

• dfg/DFGValueSource.cpp:

(JSC::DFG::ValueSource::dump):

• dfg/DFGValueSource.h:

(JSC::DFG::dataFormatToValueSourceKind):
(JSC::DFG::valueSourceKindToDataFormat):
(JSC::DFG::ValueSource::forFlushFormat):
(JSC::DFG::ValueSource::valueRecovery):

• dfg/DFGVariableAccessData.h:

(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::flushFormat):

• ftl/FTLCArgumentGetter.cpp:

(JSC::FTL::CArgumentGetter::loadNextAndBox):

• ftl/FTLCArgumentGetter.h:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLExitValue.cpp:

(JSC::FTL::ExitValue::dumpInContext):

• ftl/FTLExitValue.h:

(JSC::FTL::ExitValue::inJSStackAsInt52):

• ftl/FTLIntrinsicRepository.h:
• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileAdd):
(JSC::FTL::LowerDFGToLLVM::compileArithSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareLess):
(JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowInt52):
(JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
(JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
(JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
(JSC::FTL::LowerDFGToLLVM::opposite):
(JSC::FTL::LowerDFGToLLVM::Int52s::operator[]):
(JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
(JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s):
(JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
(JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
(JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
(JSC::FTL::LowerDFGToLLVM::setInt52):
(JSC::FTL::LowerDFGToLLVM::setStrictInt52):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):

• ftl/FTLOutput.h:

(JSC::FTL::Output::addWithOverflow64):
(JSC::FTL::Output::subWithOverflow64):
(JSC::FTL::Output::mulWithOverflow64):

• ftl/FTLValueFormat.cpp:

(WTF::printInternal):

• ftl/FTLValueFormat.h:
• ftl/FTLValueSource.cpp:

(JSC::FTL::ValueSource::dump):

• ftl/FTLValueSource.h:
• interpreter/Register.h:

(JSC::Register::unboxedInt52):

• runtime/Arguments.cpp:

(JSC::Arguments::tearOffForInlineCallFrame):

• runtime/IndexingType.cpp:

(JSC::leastUpperBoundOfIndexingTypeAndType):

• runtime/JSCJSValue.h:
• runtime/JSCJSValueInlines.h:

(JSC::JSValue::isMachineInt):
(JSC::JSValue::asMachineInt):

Source/WTF:

Reviewed by Oliver Hunt.

• wtf/PrintStream.h:

(WTF::ValueIgnoringContext::ValueIgnoringContext):
(WTF::ValueIgnoringContext::dump):
(WTF::ignoringContext):

Tools:

Reviewed by Oliver Hunt.

• Scripts/run-jsc-stress-tests:

LayoutTests:

Reviewed by Oliver Hunt.

• js/regress/large-int-captured-expected.txt: Added.
• js/regress/large-int-captured.html: Added.
• js/regress/large-int-expected.txt: Added.
• js/regress/large-int-neg-expected.txt: Added.
• js/regress/large-int-neg.html: Added.
• js/regress/large-int.html: Added.
• js/regress/marsaglia-larger-ints-expected.txt: Added.
• js/regress/marsaglia-larger-ints.html: Added.
• js/regress/script-tests/large-int-captured.js: Added.

(.bar):
(foo):

• js/regress/script-tests/large-int-neg.js: Added.

(foo):

• js/regress/script-tests/large-int.js: Added.

(foo):

• js/regress/script-tests/marsaglia-larger-ints.js: Added.

(uint):
(marsaglia):

File:

• trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (23 diffs)

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -41 +41 @@
 #if USE(JSVALUE64)
 
+void SpeculativeJIT::boxInt52(GPRReg sourceGPR, GPRReg targetGPR, DataFormat format)
+{
+    GPRReg tempGPR;
+    if (sourceGPR == targetGPR)
+        tempGPR = allocate();
+    else
+        tempGPR = targetGPR;
+    
+    FPRReg fpr = fprAllocate();
+
+    if (format == DataFormatInt52)
+        m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), sourceGPR);
+    else
+        ASSERT(format == DataFormatStrictInt52);
+    
+    m_jit.boxInt52(sourceGPR, targetGPR, tempGPR, fpr);
+    
+    if (tempGPR != targetGPR)
+        unlock(tempGPR);
+    
+    unlock(fpr);
+}
+
 GPRReg SpeculativeJIT::fillJSValue(Edge edge)
 {
@@ -70 +93 @@
             DataFormat spillFormat = info.spillFormat();
             m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
-            if (spillFormat == DataFormatInt32) {
+            switch (spillFormat) {
+            case DataFormatInt32: {
                 m_jit.load32(JITCompiler::addressFor(virtualRegister), gpr);
                 m_jit.or64(GPRInfo::tagTypeNumberRegister, gpr);
                 spillFormat = DataFormatJSInt32;
-            } else {
+                break;
+            }
+                
+            case DataFormatInt52:
+            case DataFormatStrictInt52: {
+                m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
+                boxInt52(gpr, gpr, spillFormat);
+                return gpr;
+            }
+                
+            default:
                 m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
                 if (spillFormat == DataFormatDouble) {
@@ -82 +116 @@
                 } else
                     RELEASE_ASSERT(spillFormat & DataFormatJS);
+                break;
             }
             info.fillJSValue(*m_stream, gpr, spillFormat);
@@ -113 +148 @@
 
         return gpr;
+    }
+        
+    case DataFormatInt52:
+    case DataFormatStrictInt52: {
+        GPRReg gpr = info.gpr();
+        lock(gpr);
+        GPRReg resultGPR = allocate();
+        boxInt52(gpr, resultGPR, info.registerFormat());
+        unlock(gpr);
+        return resultGPR;
     }
 
@@ -769 +814 @@
         DataFormat spillFormat = info.spillFormat();
         
-        RELEASE_ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInt32);
+        RELEASE_ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInt32 || spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
         
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
@@ -790 +835 @@
             return gpr;
         }
+        if (spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52) {
+            // Generally, this can only happen if we've already proved that the
+            // value is an int32. That's because if a value originated as a JSValue
+            // then we would speculate that it's an int32 before representing it as
+            // an int52. Otherwise, if we knowingly produced an int52, then we would
+            // be boxing it into a value using Int52ToValue. This assertion is valid
+            // only because Int52 is something that we introduce at prediction time.
+            // However: we may have an int32-producing node replaced by an
+            // int52-producing node due to CSE. So we must do a check.
+            RELEASE_ASSERT(!(type & ~SpecMachineInt));
+            if (type & SpecInt52) {
+                GPRReg temp = allocate();
+                m_jit.signExtend32ToPtr(gpr, temp);
+                // Currently, we can't supply value profiling information here. :-/
+                speculationCheck(
+                    BadType, JSValueRegs(), 0,
+                    m_jit.branch64(MacroAssembler::NotEqual, gpr, temp));
+                unlock(temp);
+            }
+            if (spillFormat == DataFormatStrictInt52)
+                m_jit.load32(JITCompiler::addressFor(virtualRegister), gpr);
+            else {
+                m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
+                m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
+                m_jit.zeroExtend32ToPtr(gpr, gpr);
+            }
+            info.fillInt32(*m_stream, gpr);
+            returnFormat = DataFormatInt32;
+            return gpr;
+        }
         m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
 
@@ -798 +873 @@
 
     case DataFormatJS: {
+        RELEASE_ASSERT(!(type & SpecInt52));
         // Check the value is an integer.
         GPRReg gpr = info.gpr();
@@ -844 +920 @@
         return gpr;
     }
+        
+    case DataFormatStrictInt52:
+    case DataFormatInt52: {
+        GPRReg gpr = info.gpr();
+        GPRReg result;
+        if (m_gprs.isLocked(gpr)) {
+            result = allocate();
+            m_jit.move(gpr, result);
+        } else {
+            lock(gpr);
+            info.fillInt32(*m_stream, gpr);
+            result = gpr;
+        }
+        RELEASE_ASSERT(!(type & ~SpecMachineInt));
+        if (info.registerFormat() == DataFormatInt52)
+            m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), result);
+        if (type & SpecInt52) {
+            GPRReg temp = allocate();
+            m_jit.signExtend32ToPtr(result, temp);
+            // Currently, we can't supply value profiling information here. :-/
+            speculationCheck(
+                BadType, JSValueRegs(), 0,
+                m_jit.branch64(MacroAssembler::NotEqual, result, temp));
+            unlock(temp);
+        }
+        m_jit.zeroExtend32ToPtr(result, result);
+        returnFormat = DataFormatInt32;
+        return gpr;
+    }
 
     case DataFormatDouble:
@@ -886 +991 @@
 }
 
+GPRReg SpeculativeJIT::fillSpeculateInt52(Edge edge, DataFormat desiredFormat)
+{
+    ASSERT(desiredFormat == DataFormatInt52 || desiredFormat == DataFormatStrictInt52);
+    AbstractValue& value = m_state.forNode(edge);
+    SpeculatedType type = value.m_type;
+    m_interpreter.filter(value, SpecMachineInt);
+    VirtualRegister virtualRegister = edge->virtualRegister();
+    GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
+
+    switch (info.registerFormat()) {
+    case DataFormatNone: {
+        if ((edge->hasConstant() && !valueOfJSConstant(edge.node()).isMachineInt()) || info.spillFormat() == DataFormatDouble) {
+            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+            return allocate();
+        }
+        
+        GPRReg gpr = allocate();
+
+        if (edge->hasConstant()) {
+            JSValue jsValue = valueOfJSConstant(edge.node());
+            ASSERT(jsValue.isMachineInt());
+            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+            int64_t value = jsValue.asMachineInt();
+            if (desiredFormat == DataFormatInt52)
+                value = value << JSValue::int52ShiftAmount;
+            m_jit.move(MacroAssembler::Imm64(value), gpr);
+            info.fillGPR(*m_stream, gpr, desiredFormat);
+            return gpr;
+        }
+        
+        DataFormat spillFormat = info.spillFormat();
+        
+        RELEASE_ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInt32 || spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
+        
+        m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
+        
+        if (spillFormat == DataFormatJSInt32 || spillFormat == DataFormatInt32) {
+            // If we know this was spilled as an integer we can fill without checking.
+            m_jit.load32(JITCompiler::addressFor(virtualRegister), gpr);
+            m_jit.signExtend32ToPtr(gpr, gpr);
+            if (desiredFormat == DataFormatStrictInt52) {
+                info.fillStrictInt52(*m_stream, gpr);
+                return gpr;
+            }
+            m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
+            info.fillInt52(*m_stream, gpr);
+            return gpr;
+        }
+        if (spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52) {
+            m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
+            if (desiredFormat == DataFormatStrictInt52) {
+                if (spillFormat == DataFormatInt52)
+                    m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
+                info.fillStrictInt52(*m_stream, gpr);
+                return gpr;
+            }
+            if (spillFormat == DataFormatStrictInt52)
+                m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
+            info.fillInt52(*m_stream, gpr);
+            return gpr;
+        }
+        m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
+
+        // Fill as JSValue, and fall through.
+        info.fillJSValue(*m_stream, gpr, DataFormatJSInt32);
+        m_gprs.unlock(gpr);
+    }
+
+    case DataFormatJS: {
+        // Check the value is an integer. Note that we would *like* to unbox an Int52
+        // at this point but this is too costly. We only *prove* that this is an Int52
+        // even though we check if it's an int32.
+        GPRReg gpr = info.gpr();
+        GPRReg result;
+        if (m_gprs.isLocked(gpr)) {
+            result = allocate();
+            m_jit.move(gpr, result);
+        } else {
+            m_gprs.lock(gpr);
+            result = gpr;
+        }
+        if (type & ~SpecInt32)
+            speculationCheck(BadType, JSValueRegs(result), edge, m_jit.branch64(MacroAssembler::Below, result, GPRInfo::tagTypeNumberRegister));
+        if (result == gpr) // The not-already-locked, so fill in-place, case.
+            info.fillInt52(*m_stream, gpr, desiredFormat);
+        m_jit.signExtend32ToPtr(result, result);
+        if (desiredFormat == DataFormatInt52)
+            m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), result);
+        return result;
+    }
+
+    case DataFormatInt32:
+    case DataFormatJSInt32: {
+        GPRReg gpr = info.gpr();
+        GPRReg result;
+        if (m_gprs.isLocked(gpr)) {
+            result = allocate();
+            m_jit.move(gpr, result);
+        } else {
+            m_gprs.lock(gpr);
+            info.fillInt52(*m_stream, gpr, desiredFormat);
+            result = gpr;
+        }
+        m_jit.signExtend32ToPtr(result, result);
+        if (desiredFormat == DataFormatInt52)
+            m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), result);
+        return result;
+    }
+
+    case DataFormatStrictInt52: {
+        GPRReg gpr = info.gpr();
+        bool wasLocked = m_gprs.isLocked(gpr);
+        lock(gpr);
+        if (desiredFormat == DataFormatStrictInt52)
+            return gpr;
+        if (wasLocked) {
+            GPRReg result = allocate();
+            m_jit.move(gpr, result);
+            unlock(gpr);
+            gpr = result;
+        } else
+            info.fillStrictInt52(*m_stream, gpr);
+        m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
+        return gpr;
+    }
+        
+    case DataFormatInt52: {
+        GPRReg gpr = info.gpr();
+        bool wasLocked = m_gprs.isLocked(gpr);
+        lock(gpr);
+        if (desiredFormat == DataFormatInt52)
+            return gpr;
+        if (wasLocked) {
+            GPRReg result = allocate();
+            m_jit.move(gpr, result);
+            unlock(gpr);
+            gpr = result;
+        } else
+            info.fillInt52(*m_stream, gpr);
+        m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), gpr);
+        return gpr;
+    }
+
+    case DataFormatDouble:
+    case DataFormatJSDouble:
+        if (edge->hasConstant()) {
+            JSValue jsValue = valueOfJSConstant(edge.node());
+            if (jsValue.isMachineInt()) {
+                int64_t value = jsValue.asMachineInt();
+                if (desiredFormat == DataFormatInt52)
+                    value = value << JSValue::int52ShiftAmount;
+                GPRReg gpr = allocate();
+                m_jit.move(MacroAssembler::Imm64(value), gpr);
+                return gpr;
+            }
+        }
+        
+    case DataFormatCell:
+    case DataFormatBoolean:
+    case DataFormatJSCell:
+    case DataFormatJSBoolean: {
+        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+        return allocate();
+    }
+
+    case DataFormatStorage:
+        RELEASE_ASSERT_NOT_REACHED();
+        
+    default:
+        RELEASE_ASSERT_NOT_REACHED();
+        return InvalidGPRReg;
+    }
+}
+
 FPRReg SpeculativeJIT::fillSpeculateDouble(Edge edge)
 {
@@ -893 +1172 @@
     AbstractValue& value = m_state.forNode(edge);
     SpeculatedType type = value.m_type;
-    ASSERT(edge.useKind() != KnownNumberUse || !(value.m_type & ~SpecNumber));
-    m_interpreter.filter(value, SpecNumber);
+    ASSERT(edge.useKind() != KnownNumberUse || !(value.m_type & ~SpecFullNumber));
+    m_interpreter.filter(value, SpecFullNumber);
     VirtualRegister virtualRegister = edge->virtualRegister();
     GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
@@ -946 +1225 @@
             break;
         }
+            
+        case DataFormatInt52: {
+            GPRReg gpr = allocate();
+            m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
+            m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
+            info.fillInt52(*m_stream, gpr);
+            unlock(gpr);
+            break;
+        }
+            
+        case DataFormatStrictInt52: {
+            GPRReg gpr = allocate();
+            m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
+            m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
+            info.fillStrictInt52(*m_stream, gpr);
+            unlock(gpr);
+            break;
+        }
 
         default:
@@ -979 +1276 @@
         JITCompiler::Jump isInteger = m_jit.branch64(MacroAssembler::AboveOrEqual, jsValueGpr, GPRInfo::tagTypeNumberRegister);
 
-        if (type & ~SpecNumber)
+        if (type & ~SpecFullNumber)
             speculationCheck(BadType, JSValueRegs(jsValueGpr), edge, m_jit.branchTest64(MacroAssembler::Zero, jsValueGpr, GPRInfo::tagTypeNumberRegister));
 
@@ -1007 +1304 @@
         m_gprs.lock(gpr);
         m_jit.convertInt32ToDouble(gpr, fpr);
+        m_gprs.unlock(gpr);
+        return fpr;
+    }
+        
+    case DataFormatInt52: {
+        FPRReg fpr = fprAllocate();
+        GPRReg gpr = info.gpr();
+        m_gprs.lock(gpr);
+        GPRReg temp = allocate();
+        m_jit.move(gpr, temp);
+        m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), temp);
+        m_jit.convertInt64ToDouble(temp, fpr);
+        unlock(temp);
+        m_gprs.unlock(gpr);
+        return fpr;
+    }
+        
+    case DataFormatStrictInt52: {
+        FPRReg fpr = fprAllocate();
+        GPRReg gpr = info.gpr();
+        m_gprs.lock(gpr);
+        m_jit.convertInt64ToDouble(gpr, fpr);
         m_gprs.unlock(gpr);
         return fpr;
@@ -1112 +1431 @@
     case DataFormatDouble:
     case DataFormatJSBoolean:
-    case DataFormatBoolean: {
+    case DataFormatBoolean:
+    case DataFormatInt52:
+    case DataFormatStrictInt52: {
         terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
         return allocate();
@@ -1195 +1516 @@
     case DataFormatDouble:
     case DataFormatJSCell:
-    case DataFormatCell: {
+    case DataFormatCell:
+    case DataFormatInt52:
+    case DataFormatStrictInt52: {
         terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
         return allocate();
@@ -1502 +1825 @@
     m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
     jsValueResult(result.gpr(), m_currentNode, DataFormatJSBoolean);
+}
+
+void SpeculativeJIT::compileInt52Compare(Node* node, MacroAssembler::RelationalCondition condition)
+{
+    SpeculateWhicheverInt52Operand op1(this, node->child1());
+    SpeculateWhicheverInt52Operand op2(this, node->child2(), op1);
+    GPRTemporary result(this, Reuse, op1, op2);
+    
+    m_jit.compare64(condition, op1.gpr(), op2.gpr(), result.gpr());
+    
+    // If we add a DataFormatBool, we should use it here.
+    m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
+    jsValueResult(result.gpr(), m_currentNode, DataFormatJSBoolean);
+}
+
+void SpeculativeJIT::compilePeepHoleInt52Branch(Node* node, Node* branchNode, JITCompiler::RelationalCondition condition)
+{
+    BasicBlock* taken = branchNode->takenBlock();
+    BasicBlock* notTaken = branchNode->notTakenBlock();
+
+    // The branch instruction will branch to the taken block.
+    // If taken is next, switch taken with notTaken & invert the branch condition so we can fall through.
+    if (taken == nextBlock()) {
+        condition = JITCompiler::invert(condition);
+        BasicBlock* tmp = taken;
+        taken = notTaken;
+        notTaken = tmp;
+    }
+    
+    SpeculateWhicheverInt52Operand op1(this, node->child1());
+    SpeculateWhicheverInt52Operand op2(this, node->child2(), op1);
+    
+    branch64(condition, op1.gpr(), op2.gpr(), taken);
+    jump(notTaken);
 }
 
@@ -1907 +2264 @@
         }
             
+        case FlushedInt52: {
+            GPRTemporary result(this);
+            m_jit.load64(JITCompiler::addressFor(node->local()), result.gpr());
+            
+            VirtualRegister virtualRegister = node->virtualRegister();
+            m_gprs.retain(result.gpr(), virtualRegister, SpillOrderJS);
+            generationInfoFromVirtualRegister(virtualRegister).initInt52(node, node->refCount(), result.gpr());
+            break;
+        }
+            
         default:
             GPRTemporary result(this);
@@ -1982 +2349 @@
         }
             
+        case FlushedInt52: {
+            SpeculateInt52Operand value(this, node->child1());
+            m_jit.store64(value.gpr(), JITCompiler::addressFor(node->local()));
+            noResult(node);
+            recordSetLocal(node->local(), ValueSource(Int52InJSStack));
+            break;
+        }
+            
         case FlushedCell: {
             SpeculateCellOperand cell(this, node->child1());
@@ -2102 +2477 @@
     case Int32ToDouble: {
         compileInt32ToDouble(node);
+        break;
+    }
+        
+    case Int52ToValue: {
+        JSValueOperand operand(this, node->child1());
+        GPRTemporary result(this, Reuse, operand);
+        m_jit.move(operand.gpr(), result.gpr());
+        jsValueResult(result.gpr(), node);
+        break;
+    }
+        
+    case Int52ToDouble: {
+        SpeculateDoubleOperand operand(this, node->child1());
+        FPRTemporary result(this, operand);
+        m_jit.moveDouble(operand.fpr(), result.fpr());
+        doubleResult(result.fpr(), node);
         break;
     }
@@ -2890 +3281 @@
 
             DFG_TYPE_CHECK(
-                JSValueRegs(), node->child2(), SpecRealNumber,
+                JSValueRegs(), node->child2(), SpecFullRealNumber,
                 m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, valueFPR, valueFPR));
             
@@ -3106 +3497 @@
         op1.use();
         
-        if (!(m_state.forNode(node->child1()).m_type & ~(SpecNumber | SpecBoolean)))
+        if (!(m_state.forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean)))
             m_jit.move(op1GPR, resultGPR);
         else {
@@ -3203 +3594 @@
                     FPRReg opFPR = operand.fpr();
                     DFG_TYPE_CHECK(
-                        JSValueRegs(), use, SpecRealNumber,
+                        JSValueRegs(), use, SpecFullRealNumber,
                         m_jit.branchDouble(
                             MacroAssembler::DoubleNotEqualOrUnordered, opFPR, opFPR));
@@ -3268 +3659 @@
                 GPRReg scratchGPR = scratch.gpr();
                 DFG_TYPE_CHECK(
-                    JSValueRegs(), use, SpecRealNumber,
+                    JSValueRegs(), use, SpecFullRealNumber,
                     m_jit.branchDouble(
                         MacroAssembler::DoubleNotEqualOrUnordered, opFPR, opFPR));