Changeset 156029 in webkit for trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

Timestamp:

Sep 18, 2013, 12:25:52 AM (12 years ago)

Author:

[email protected]

Message:

Unreviewed, rolling out r156019 and r156020.
​http://trac.webkit.org/changeset/156019
​http://trac.webkit.org/changeset/156020
​https://bugs.webkit.org/show_bug.cgi?id=121540

Broke tests (Requested by ap on #webkit).

Source/JavaScriptCore:

• assembler/MacroAssemblerX86_64.h:
• assembler/X86Assembler.h:
• bytecode/DataFormat.h:

(JSC::dataFormatToString):

• bytecode/ExitKind.cpp:

(JSC::exitKindToString):

• bytecode/ExitKind.h:
• bytecode/OperandsInlines.h:

(JSC::::dumpInContext):

• bytecode/SpeculatedType.cpp:

(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):

• bytecode/SpeculatedType.h:

(JSC::isInt32SpeculationForArithmetic):
(JSC::isInt48Speculation):
(JSC::isMachineIntSpeculationForArithmetic):
(JSC::isInt48AsDoubleSpeculation):
(JSC::isRealNumberSpeculation):
(JSC::isNumberSpeculation):
(JSC::isNumberSpeculationExpectingDefined):

• bytecode/ValueRecovery.h:

(JSC::ValueRecovery::inGPR):
(JSC::ValueRecovery::displacedInJSStack):
(JSC::ValueRecovery::isAlreadyInJSStack):
(JSC::ValueRecovery::gpr):
(JSC::ValueRecovery::virtualRegister):
(JSC::ValueRecovery::dumpInContext):

• dfg/DFGAbstractInterpreter.h:

(JSC::DFG::AbstractInterpreter::needsTypeCheck):
(JSC::DFG::AbstractInterpreter::filterByType):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

• dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::checkConsistency):

• dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::validateType):

• dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::refine):

• dfg/DFGAssemblyHelpers.h:

(JSC::DFG::AssemblyHelpers::unboxDouble):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::makeSafe):

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::canonicalize):
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGCommon.h:
• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):

• dfg/DFGFlushFormat.cpp:

(WTF::printInternal):

• dfg/DFGFlushFormat.h:

(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):

• dfg/DFGGenerationInfo.h:

(JSC::DFG::GenerationInfo::initInt32):
(JSC::DFG::GenerationInfo::fillInt32):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::addShouldSpeculateMachineInt):
(JSC::DFG::Graph::mulShouldSpeculateMachineInt):
(JSC::DFG::Graph::negateShouldSpeculateMachineInt):

• dfg/DFGInPlaceAbstractState.cpp:

(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):

• dfg/DFGJITCode.cpp:

(JSC::DFG::JITCode::reconstruct):

• dfg/DFGMinifiedNode.h:

(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasChild):

• dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
(JSC::DFG::Node::canSpeculateInt48):

• dfg/DFGNodeFlags.h:

(JSC::DFG::nodeCanSpeculateInt48):

• dfg/DFGNodeType.h:

(JSC::DFG::forwardRewiringSelectionScore):

• dfg/DFGOSRExitCompiler.cpp:

(JSC::DFG::shortOperandsDump):

• dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):

• dfg/DFGSilentRegisterSavePlan.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compileInlineStart):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateRealNumber):
(JSC::DFG::SpeculativeJIT::speculate):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::canReuse):
(JSC::DFG::SpeculativeJIT::isFilled):
(JSC::DFG::SpeculativeJIT::isFilledDouble):
(JSC::DFG::SpeculativeJIT::use):
(JSC::DFG::SpeculativeJIT::boxDouble):
(JSC::DFG::SpeculativeJIT::isKnownInteger):
(JSC::DFG::SpeculativeJIT::isKnownCell):
(JSC::DFG::SpeculativeJIT::isKnownNotNumber):
(JSC::DFG::SpeculativeJIT::int32Result):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::isInteger):
(JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGUseKind.cpp:

(WTF::printInternal):

• dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):

• dfg/DFGValueSource.cpp:

(JSC::DFG::ValueSource::dump):

• dfg/DFGValueSource.h:

(JSC::DFG::dataFormatToValueSourceKind):
(JSC::DFG::valueSourceKindToDataFormat):
(JSC::DFG::ValueSource::forFlushFormat):
(JSC::DFG::ValueSource::valueRecovery):

• dfg/DFGVariableAccessData.h:

(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::flushFormat):

• ftl/FTLCArgumentGetter.cpp:

(JSC::FTL::CArgumentGetter::loadNextAndBox):

• ftl/FTLCArgumentGetter.h:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLExitValue.cpp:

(JSC::FTL::ExitValue::dumpInContext):

• ftl/FTLExitValue.h:
• ftl/FTLIntrinsicRepository.h:
• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileAdd):
(JSC::FTL::LowerDFGToLLVM::compileArithSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareLess):
(JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
(JSC::FTL::LowerDFGToLLVM::setInt32):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):

• ftl/FTLOutput.h:

(JSC::FTL::Output::mulWithOverflow32):

• ftl/FTLValueFormat.cpp:

(WTF::printInternal):

• ftl/FTLValueFormat.h:
• ftl/FTLValueSource.cpp:

(JSC::FTL::ValueSource::dump):

• ftl/FTLValueSource.h:
• interpreter/Register.h:
• runtime/Arguments.cpp:

(JSC::Arguments::tearOffForInlineCallFrame):

• runtime/IndexingType.cpp:

(JSC::leastUpperBoundOfIndexingTypeAndType):

• runtime/JSCJSValue.h:
• runtime/JSCJSValueInlines.h:

Source/WTF:

• wtf/PrintStream.h:

Tools:

• Scripts/run-jsc-stress-tests:

LayoutTests:

• js/regress/large-int-captured-expected.txt: Removed.
• js/regress/large-int-captured.html: Removed.
• js/regress/large-int-expected.txt: Removed.
• js/regress/large-int-neg-expected.txt: Removed.
• js/regress/large-int-neg.html: Removed.
• js/regress/large-int.html: Removed.
• js/regress/marsaglia-larger-ints-expected.txt: Removed.
• js/regress/marsaglia-larger-ints.html: Removed.
• js/regress/script-tests/large-int-captured.js: Removed.
• js/regress/script-tests/large-int-neg.js: Removed.
• js/regress/script-tests/large-int.js: Removed.
• js/regress/script-tests/marsaglia-larger-ints.js: Removed.

File:

• trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (29 diffs)

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -336 +336 @@
         else if (registerFormat == DataFormatCell || registerFormat == DataFormatStorage)
             spillAction = StorePtr;
-        else if (registerFormat == DataFormatInt52 || registerFormat == DataFormatStrictInt52)
-            spillAction = Store64;
         else {
             ASSERT(registerFormat & DataFormatJS);
@@ -389 +387 @@
         ASSERT(info.gpr() == source);
         fillAction = LoadPtr;
-    } else if (registerFormat == DataFormatInt52) {
-        if (node->hasConstant())
-            fillAction = SetInt52Constant;
-        else if (isJSInt32(info.spillFormat()) || info.spillFormat() == DataFormatJS)
-            fillAction = Load32PayloadConvertToInt52;
-        else if (info.spillFormat() == DataFormatInt52)
-            fillAction = Load64;
-        else if (info.spillFormat() == DataFormatStrictInt52)
-            fillAction = Load64ShiftInt52Left;
-        else if (info.spillFormat() == DataFormatNone)
-            fillAction = Load64;
-        else {
-            // Should never happen. Anything that qualifies as an int32 will never
-            // be turned into a cell (immediate spec fail) or a double (to-double
-            // conversions involve a separate node).
-            RELEASE_ASSERT_NOT_REACHED();
-            fillAction = Load64; // Make GCC happy.
-        }
-    } else if (registerFormat == DataFormatStrictInt52) {
-        if (node->hasConstant())
-            fillAction = SetStrictInt52Constant;
-        else if (isJSInt32(info.spillFormat()) || info.spillFormat() == DataFormatJS)
-            fillAction = Load32PayloadSignExtend;
-        else if (info.spillFormat() == DataFormatInt52)
-            fillAction = Load64ShiftInt52Right;
-        else if (info.spillFormat() == DataFormatStrictInt52)
-            fillAction = Load64;
-        else if (info.spillFormat() == DataFormatNone)
-            fillAction = Load64;
-        else {
-            // Should never happen. Anything that qualifies as an int32 will never
-            // be turned into a cell (immediate spec fail) or a double (to-double
-            // conversions involve a separate node).
-            RELEASE_ASSERT_NOT_REACHED();
-            fillAction = Load64; // Make GCC happy.
-        }
     } else {
         ASSERT(registerFormat & DataFormatJS);
@@ -432 +394 @@
             if (valueOfJSConstant(node).isCell())
                 fillAction = SetTrustedJSConstant;
+            else
                 fillAction = SetJSConstant;
         } else if (info.spillFormat() == DataFormatInt32) {
@@ -550 +513 @@
         m_jit.move(Imm32(valueOfInt32Constant(plan.node())), plan.gpr());
         break;
-#if USE(JSVALUE64)
-    case SetInt52Constant:
-        m_jit.move(Imm64(valueOfJSConstant(plan.node()).asMachineInt() << JSValue::int52ShiftAmount), plan.gpr());
-        break;
-    case SetStrictInt52Constant:
-        m_jit.move(Imm64(valueOfJSConstant(plan.node()).asMachineInt()), plan.gpr());
-        break;
-#endif // USE(JSVALUE64)
     case SetBooleanConstant:
         m_jit.move(TrustedImm32(valueOfBooleanConstant(plan.node())), plan.gpr());
@@ -579 +534 @@
         m_jit.or64(GPRInfo::tagTypeNumberRegister, plan.gpr());
         break;
-    case Load32PayloadConvertToInt52:
-        m_jit.load32(JITCompiler::payloadFor(plan.node()->virtualRegister()), plan.gpr());
-        m_jit.signExtend32ToPtr(plan.gpr(), plan.gpr());
-        m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), plan.gpr());
-        break;
-    case Load32PayloadSignExtend:
-        m_jit.load32(JITCompiler::payloadFor(plan.node()->virtualRegister()), plan.gpr());
-        m_jit.signExtend32ToPtr(plan.gpr(), plan.gpr());
-        break;
     case LoadDoubleBoxDouble:
         m_jit.load64(JITCompiler::addressFor(plan.node()->virtualRegister()), plan.gpr());
@@ -628 +574 @@
     case Load64:
         m_jit.load64(JITCompiler::addressFor(plan.node()->virtualRegister()), plan.gpr());
-        break;
-    case Load64ShiftInt52Right:
-        m_jit.load64(JITCompiler::addressFor(plan.node()->virtualRegister()), plan.gpr());
-        m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), plan.gpr());
-        break;
-    case Load64ShiftInt52Left:
-        m_jit.load64(JITCompiler::addressFor(plan.node()->virtualRegister()), plan.gpr());
-        m_jit.lshift64(TrustedImm32(JSValue::int52ShiftAmount), plan.gpr());
         break;
 #endif
@@ -1479 +1417 @@
         if (node->isBinaryUseKind(Int32Use))
             compilePeepHoleInt32Branch(node, branchNode, condition);
-#if USE(JSVALUE64)
-        else if (node->isBinaryUseKind(MachineIntUse))
-            compilePeepHoleInt52Branch(node, branchNode, condition);
-#endif // USE(JSVALUE64)
         else if (node->isBinaryUseKind(NumberUse))
             compilePeepHoleDoubleBranch(node, branchNode, doubleCondition);
@@ -1573 +1507 @@
             case FlushedInt32:
                 valueSource = ValueSource(Int32InJSStack);
-                break;
-            case FlushedInt52:
-                valueSource = ValueSource(Int52InJSStack);
                 break;
             case FlushedCell:
@@ -1943 +1874 @@
     
     DFG_TYPE_CHECK(
-        JSValueRegs(), child3, SpecFullRealNumber,
+        JSValueRegs(), child3, SpecRealNumber,
         m_jit.branchDouble(
             MacroAssembler::DoubleNotEqualOrUnordered, valueReg, valueReg));
@@ -2219 +2150 @@
         return;
     }
-        
-#if USE(JSVALUE64)
-    case MachineIntUse: {
-        SpeculateStrictInt52Operand op1(this, node->child1());
-        GPRTemporary result(this, Reuse, op1);
-        GPRReg op1GPR = op1.gpr();
-        GPRReg resultGPR = result.gpr();
-        m_jit.zeroExtend32ToPtr(op1GPR, resultGPR);
-        int32Result(resultGPR, node, DataFormatInt32);
-        return;
-    }
-#endif // USE(JSVALUE64)
     
     case NumberUse:
@@ -2269 +2188 @@
             if (node->child1().useKind() == NumberUse) {
                 DFG_TYPE_CHECK(
-                    JSValueRegs(gpr), node->child1(), SpecFullNumber,
+                    JSValueRegs(gpr), node->child1(), SpecNumber,
                     m_jit.branchTest64(
                         MacroAssembler::Zero, gpr, GPRInfo::tagTypeNumberRegister));
@@ -2325 +2244 @@
                 if (node->child1().useKind() == NumberUse) {
                     DFG_TYPE_CHECK(
-                        JSValueRegs(tagGPR, payloadGPR), node->child1(), SpecFullNumber,
+                        JSValueRegs(tagGPR, payloadGPR), node->child1(), SpecNumber,
                         m_jit.branch32(
                             MacroAssembler::AboveOrEqual, tagGPR,
@@ -2471 +2390 @@
         MacroAssembler::AboveOrEqual, op1GPR, GPRInfo::tagTypeNumberRegister);
     
-    if (needsTypeCheck(node->child1(), SpecFullNumber)) {
+    if (needsTypeCheck(node->child1(), SpecNumber)) {
         if (node->flags() & NodeExitsForward) {
             forwardTypeCheck(
-                JSValueRegs(op1GPR), node->child1(), SpecFullNumber,
+                JSValueRegs(op1GPR), node->child1(), SpecNumber,
                 m_jit.branchTest64(MacroAssembler::Zero, op1GPR, GPRInfo::tagTypeNumberRegister),
                 ValueRecovery::inGPR(op1GPR, DataFormatJS));
         } else {
             backwardTypeCheck(
-                JSValueRegs(op1GPR), node->child1(), SpecFullNumber,
+                JSValueRegs(op1GPR), node->child1(), SpecNumber,
                 m_jit.branchTest64(MacroAssembler::Zero, op1GPR, GPRInfo::tagTypeNumberRegister));
         }
@@ -2502 +2421 @@
         MacroAssembler::Equal, op1TagGPR, TrustedImm32(JSValue::Int32Tag));
     
-    if (needsTypeCheck(node->child1(), SpecFullNumber)) {
+    if (needsTypeCheck(node->child1(), SpecNumber)) {
         if (node->flags() & NodeExitsForward) {
             forwardTypeCheck(
-                JSValueRegs(op1TagGPR, op1PayloadGPR), node->child1(), SpecFullNumber,
+                JSValueRegs(op1TagGPR, op1PayloadGPR), node->child1(), SpecNumber,
                 m_jit.branch32(MacroAssembler::AboveOrEqual, op1TagGPR, TrustedImm32(JSValue::LowestTag)),
                 ValueRecovery::inPair(op1TagGPR, op1PayloadGPR));
         } else {
             backwardTypeCheck(
-                JSValueRegs(op1TagGPR, op1PayloadGPR), node->child1(), SpecFullNumber,
+                JSValueRegs(op1TagGPR, op1PayloadGPR), node->child1(), SpecNumber,
                 m_jit.branch32(MacroAssembler::AboveOrEqual, op1TagGPR, TrustedImm32(JSValue::LowestTag)));
         }
@@ -2630 +2549 @@
         return;
     }
-    
-#if USE(JSVALUE64)
-    if (node->shouldSpeculateMachineInt()) {
-        m_jit.zeroExtend32ToPtr(resultReg, resultReg);
-        strictInt52Result(resultReg, node);
-        return;
-    }
-#endif
     
     FPRTemporary fresult(this);
@@ -2691 +2602 @@
             break;
         }
-            
-#if USE(JSVALUE64)
-        case MachineIntUse: {
-            SpeculateStrictInt52Operand valueOp(this, valueUse);
-            GPRTemporary scratch(this);
-            GPRReg scratchReg = scratch.gpr();
-            m_jit.move(valueOp.gpr(), scratchReg);
-            if (isClamped(type)) {
-                ASSERT(elementSize(type) == 1);
-                MacroAssembler::Jump inBounds = m_jit.branch64(
-                    MacroAssembler::BelowOrEqual, scratchReg, JITCompiler::TrustedImm64(0xff));
-                MacroAssembler::Jump tooBig = m_jit.branch64(
-                    MacroAssembler::GreaterThan, scratchReg, JITCompiler::TrustedImm64(0xff));
-                m_jit.move(TrustedImm32(0), scratchReg);
-                MacroAssembler::Jump clamped = m_jit.jump();
-                tooBig.link(&m_jit);
-                m_jit.move(JITCompiler::TrustedImm32(255), scratchReg);
-                clamped.link(&m_jit);
-                inBounds.link(&m_jit);
-            }
-            value.adopt(scratch);
-            valueGPR = scratchReg;
-            break;
-        }
-#endif // USE(JSVALUE64)
             
         case NumberUse: {
@@ -2985 +2871 @@
             return;
         }
-        
+                
         if (isNumberConstant(node->child2().node())) {
             SpeculateInt32Operand op1(this, node->child1());
@@ -3030 +2916 @@
         return;
     }
-        
-#if USE(JSVALUE64)
-    case MachineIntUse: {
-        // Will we need an overflow check? If we can prove that neither input can be
-        // Int52 then the overflow check will not be necessary.
-        if (!m_state.forNode(node->child1()).couldBeType(SpecInt52)
-            && !m_state.forNode(node->child2()).couldBeType(SpecInt52)) {
-            SpeculateWhicheverInt52Operand op1(this, node->child1());
-            SpeculateWhicheverInt52Operand op2(this, node->child2(), op1);
-            GPRTemporary result(this, Reuse, op1);
-            m_jit.move(op1.gpr(), result.gpr());
-            m_jit.add64(op2.gpr(), result.gpr());
-            int52Result(result.gpr(), node, op1.format());
-            return;
-        }
-        
-        SpeculateInt52Operand op1(this, node->child1());
-        SpeculateInt52Operand op2(this, node->child2());
-        GPRTemporary result(this, Reuse, op1, op2);
-        m_jit.move(op1.gpr(), result.gpr());
-        speculationCheck(
-            Int52Overflow, JSValueRegs(), 0,
-            m_jit.branchAdd64(MacroAssembler::Overflow, op2.gpr(), result.gpr()));
-        int52Result(result.gpr(), node);
-        return;
-    }
-#endif // USE(JSVALUE64)
     
     case NumberUse: {
@@ -3202 +3061 @@
     }
         
-#if USE(JSVALUE64)
-    case MachineIntUse: {
-        // Will we need an overflow check? If we can prove that neither input can be
-        // Int52 then the overflow check will not be necessary.
-        if (!m_state.forNode(node->child1()).couldBeType(SpecInt52)
-            && !m_state.forNode(node->child2()).couldBeType(SpecInt52)) {
-            SpeculateWhicheverInt52Operand op1(this, node->child1());
-            SpeculateWhicheverInt52Operand op2(this, node->child2(), op1);
-            GPRTemporary result(this, Reuse, op1);
-            m_jit.move(op1.gpr(), result.gpr());
-            m_jit.sub64(op2.gpr(), result.gpr());
-            int52Result(result.gpr(), node, op1.format());
-            return;
-        }
-        
-        SpeculateInt52Operand op1(this, node->child1());
-        SpeculateInt52Operand op2(this, node->child2());
-        GPRTemporary result(this, Reuse, op1, op2);
-        m_jit.move(op1.gpr(), result.gpr());
-        speculationCheck(
-            Int52Overflow, JSValueRegs(), 0,
-            m_jit.branchSub64(MacroAssembler::Overflow, op2.gpr(), result.gpr()));
-        int52Result(result.gpr(), node);
-        return;
-    }
-#endif // USE(JSVALUE64)
-
     case NumberUse: {
         SpeculateDoubleOperand op1(this, node->child1());
@@ -3257 +3089 @@
         m_jit.move(op1.gpr(), result.gpr());
 
-        // Note: there is no notion of being not used as a number, but someone
-        // caring about negative zero.
-        
         if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
             m_jit.neg32(result.gpr());
@@ -3272 +3101 @@
         return;
     }
-
-#if USE(JSVALUE64)
-    case MachineIntUse: {
-        if (!m_state.forNode(node->child1()).couldBeType(SpecInt52)) {
-            SpeculateWhicheverInt52Operand op1(this, node->child1());
-            GPRTemporary result(this);
-            GPRReg op1GPR = op1.gpr();
-            GPRReg resultGPR = result.gpr();
-            m_jit.move(op1GPR, resultGPR);
-            m_jit.neg64(resultGPR);
-            if (!bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) {
-                speculationCheck(
-                    NegativeZero, JSValueRegs(), 0,
-                    m_jit.branchTest64(MacroAssembler::Zero, resultGPR));
-            }
-            int52Result(resultGPR, node, op1.format());
-            return;
-        }
-        
-        SpeculateInt52Operand op1(this, node->child1());
-        GPRTemporary result(this);
-        GPRReg op1GPR = op1.gpr();
-        GPRReg resultGPR = result.gpr();
-        m_jit.move(op1GPR, resultGPR);
-        speculationCheck(
-            Int52Overflow, JSValueRegs(), 0,
-            m_jit.branchNeg64(MacroAssembler::Overflow, resultGPR));
-        if (!bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) {
-            speculationCheck(
-                NegativeZero, JSValueRegs(), 0,
-                m_jit.branchTest64(MacroAssembler::Zero, resultGPR));
-        }
-        int52Result(resultGPR, node);
-        return;
-    }
-#endif // USE(JSVALUE64)
         
     case NumberUse: {
@@ -3373 +3166 @@
         return;
     }
-    
-#if USE(JSVALUE64)   
-    case MachineIntUse: {
-        // This is super clever. We want to do an int52 multiplication and check the
-        // int52 overflow bit. There is no direct hardware support for this, but we do
-        // have the ability to do an int64 multiplication and check the int64 overflow
-        // bit. We leverage that. Consider that a, b are int52 numbers inside int64
-        // registers, with the high 12 bits being sign-extended. We can do:
-        //
-        //     (a * (b << 12))
-        //
-        // This will give us a left-shifted int52 (value is in high 52 bits, low 16
-        // bits are zero) plus the int52 overflow bit. I.e. whether this 64-bit
-        // multiplication overflows is identical to whether the 'a * b' 52-bit
-        // multiplication overflows.
-        //
-        // In our nomenclature, this is:
-        //
-        //     strictInt52(a) * int52(b) => int52
-        //
-        // That is "strictInt52" means unshifted and "int52" means left-shifted by 16
-        // bits.
-        //
-        // We don't care which of op1 or op2 serves as the left-shifted operand, so
-        // we just do whatever is more convenient for op1 and have op2 do the
-        // opposite. This ensures that we do at most one shift.
-
-        SpeculateWhicheverInt52Operand op1(this, node->child1());
-        SpeculateWhicheverInt52Operand op2(this, node->child2(), OppositeShift, op1);
-        GPRTemporary result(this);
-        
-        GPRReg op1GPR = op1.gpr();
-        GPRReg op2GPR = op2.gpr();
-        GPRReg resultGPR = result.gpr();
-        
-        m_jit.move(op1GPR, resultGPR);
-        speculationCheck(
-            Int52Overflow, JSValueRegs(), 0,
-            m_jit.branchMul64(MacroAssembler::Overflow, op2GPR, resultGPR));
-        
-        if (!bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) {
-            MacroAssembler::Jump resultNonZero = m_jit.branchTest64(
-                MacroAssembler::NonZero, resultGPR);
-            speculationCheck(
-                NegativeZero, JSValueRegs(), 0,
-                m_jit.branch64(MacroAssembler::LessThan, op1GPR, TrustedImm64(0)));
-            speculationCheck(
-                NegativeZero, JSValueRegs(), 0,
-                m_jit.branch64(MacroAssembler::LessThan, op2GPR, TrustedImm64(0)));
-            resultNonZero.link(&m_jit);
-        }
-        
-        int52Result(resultGPR, node);
-        return;
-    }
-#endif // USE(JSVALUE64)
         
     case NumberUse: {
@@ -3852 +3589 @@
         return false;
     }
-    
-#if USE(JSVALUE64)
-    if (node->isBinaryUseKind(MachineIntUse)) {
-        compileInt52Compare(node, condition);
-        return false;
-    }
-#endif // USE(JSVALUE64)
-    
+
     if (node->isBinaryUseKind(NumberUse)) {
         compileDoubleCompare(node, doubleCondition);
@@ -4009 +3739 @@
         return false;
     }
-    
-#if USE(JSVALUE64)   
-    case MachineIntUse: {
-        unsigned branchIndexInBlock = detectPeepHoleBranch();
-        if (branchIndexInBlock != UINT_MAX) {
-            Node* branchNode = m_block->at(branchIndexInBlock);
-            compilePeepHoleInt52Branch(node, branchNode, MacroAssembler::Equal);
-            use(node->child1());
-            use(node->child2());
-            m_indexInBlock = branchIndexInBlock;
-            m_currentNode = branchNode;
-            return true;
-        }
-        compileInt52Compare(node, MacroAssembler::Equal);
-        return false;
-    }
-#endif // USE(JSVALUE64)
         
     case NumberUse: {
@@ -4781 +4494 @@
 }
 
-void SpeculativeJIT::speculateMachineInt(Edge edge)
-{
-#if USE(JSVALUE64)
-    if (!needsTypeCheck(edge, SpecMachineInt))
-        return;
-    
-    (SpeculateWhicheverInt52Operand(this, edge)).gpr();
-#else // USE(JSVALUE64)
-    UNUSED_PARAM(edge);
-    UNREACHABLE_FOR_PLATFORM();
-#endif // USE(JSVALUE64)
-}
-
 void SpeculativeJIT::speculateNumber(Edge edge)
 {
-    if (!needsTypeCheck(edge, SpecFullNumber))
+    if (!needsTypeCheck(edge, SpecNumber))
         return;
     
@@ -4804 +4504 @@
 void SpeculativeJIT::speculateRealNumber(Edge edge)
 {
-    if (!needsTypeCheck(edge, SpecFullRealNumber))
+    if (!needsTypeCheck(edge, SpecRealNumber))
         return;
     
@@ -4810 +4510 @@
     FPRReg fpr = operand.fpr();
     DFG_TYPE_CHECK(
-        JSValueRegs(), edge, SpecFullRealNumber,
+        JSValueRegs(), edge, SpecRealNumber,
         m_jit.branchDouble(
             MacroAssembler::DoubleNotEqualOrUnordered, fpr, fpr));
@@ -5072 +4772 @@
         break;
     case KnownNumberUse:
-        ASSERT(!needsTypeCheck(edge, SpecFullNumber));
+        ASSERT(!needsTypeCheck(edge, SpecNumber));
         break;
     case KnownCellUse:
@@ -5082 +4782 @@
     case Int32Use:
         speculateInt32(edge);
-        break;
-    case MachineIntUse:
-        speculateMachineInt(edge);
         break;
     case RealNumberUse: