Changeset 36976 in webkit for trunk/JavaScriptCore/VM/CTI.cpp

Timestamp:

Sep 26, 2008, 6:44:15 PM (17 years ago)

Author:

[email protected]

Message:

2008-09-26 Gavin Barraclough <​[email protected]>

Reviewed by Maciej Stachowiak & Oliver Hunt.

Add support for reusing temporary JSNumberCells. This change is based on the observation
that if the result of certain operations is a JSNumberCell and is consumed by a subsequent
operation that would produce a JSNumberCell, we can reuse the object rather than allocating
a fresh one. E.g. given the expression ((a * b) * c), we can statically determine that
(a * b) will have a numeric result (or else it will have thrown an exception), so the result
will either be a JSNumberCell or a JSImmediate.

This patch changes three areas of JSC:

• The AST now tracks type information about the result of each node.
• This information is consumed in bytecode compilation, and certain bytecode operations now carry the statically determined type information about their operands.
• CTI uses the information in a number of fashions:
  • Where an operand to certain arithmetic operations is reusable, it will plant code to try to perform the operation in JIT code & reuse the cell, where appropriate.
  • Where it can be statically determined that an operand can only be numeric (typically the result of another arithmetic operation) the code will not redundantly check that the JSCell is a JSNumberCell.
  • Where either of the operands to an add are non-numeric do not plant an optimized arithmetic code path, just call straight out to the C function.

+6% Sunspider (10% progression on 3D, 16% progression on math, 60% progression on access-nbody),
+1% v8-tests (improvements in raytrace & crypto)

• VM/CTI.cpp: Add optimized code generation with reuse of temporary JSNumberCells.
• VM/CTI.h:
• kjs/JSNumberCell.h:
• masm/X86Assembler.h:

• VM/CodeBlock.cpp: Add type information to specific bytecodes.
• VM/CodeGenerator.cpp:
• VM/CodeGenerator.h:
• VM/Machine.cpp:

• kjs/nodes.cpp: Track static type information for nodes.
• kjs/nodes.h:
• kjs/ResultDescriptor.h: (Added)
• JavaScriptCore.xcodeproj/project.pbxproj:

File:

• trunk/JavaScriptCore/VM/CTI.cpp (modified) (15 diffs)

trunk/JavaScriptCore/VM/CTI.cpp

@@ -33 +33 @@
 #include "Machine.h"
 #include "wrec/WREC.h"
+#include "ResultType.h"
+#if PLATFORM(MAC)
+#include <sys/sysctl.h>
+#endif
 
 using namespace std;
 
 namespace JSC {
+
+#if PLATFORM(MAC)
+bool isSSE3Present()
+{
+    struct SSE3Check {
+        SSE3Check()
+        {
+            int hasSSE3 = 0;
+            size_t length = sizeof(hasSSE3);
+            int error = sysctlbyname("hw.optional.sse3", &hasSSE3, &length, NULL, 0);
+            present = hasSSE3 && !error;
+        }
+        bool present;
+    };
+    static SSE3Check check;
+    return check.present;
+}
+#else
+bool isSSE3Present()
+{
+    return false;
+}
+#endif
 
 #if COMPILER(GCC) && PLATFORM(X86)
@@ -602 +629 @@
 }
 
+/*
+  This is required since number representation is canonical - values representable as a JSImmediate should not be stored in a JSNumberCell.
+  
+  In the common case, the double value from 'xmmSource' is written to the reusable JSNumberCell pointed to by 'jsNumberCell', then 'jsNumberCell'
+  is written to the output SF Register 'dst', and then a jump is planted (stored into *wroteJSNumberCell).
+  
+  However if the value from xmmSource is representable as a JSImmediate, then the JSImmediate value will be written to the output, and flow
+  control will fall through from the code planted.
+*/
+void CTI::putDoubleResultToJSNumberCellOrJSImmediate(X86::XMMRegisterID xmmSource, X86::RegisterID jsNumberCell, unsigned dst, X86Assembler::JmpSrc* wroteJSNumberCell,  X86::XMMRegisterID tempXmm, X86::RegisterID tempReg1, X86::RegisterID tempReg2)
+{
+    // convert (double -> JSImmediate -> double), and check if the value is unchanged - in which case the value is representable as a JSImmediate.
+    m_jit.cvttsd2si_rr(xmmSource, tempReg1);
+    m_jit.addl_rr(tempReg1, tempReg1);
+    m_jit.sarl_i8r(1, tempReg1);
+    m_jit.cvtsi2sd_rr(tempReg1, tempXmm);
+    // Compare & branch if immediate. 
+    m_jit.ucomis_rr(tempXmm, xmmSource);
+    X86Assembler::JmpSrc resultIsImm = m_jit.emitUnlinkedJe();
+    X86Assembler::JmpDst resultLookedLikeImmButActuallyIsnt = m_jit.label();
+    
+    // Store the result to the JSNumberCell and jump.
+    m_jit.movsd_rm(xmmSource, OBJECT_OFFSET(JSNumberCell, m_value), jsNumberCell);
+    emitPutResult(dst, jsNumberCell);
+    *wroteJSNumberCell = m_jit.emitUnlinkedJmp();
+
+    m_jit.link(resultIsImm, m_jit.label());
+    // value == (double)(JSImmediate)value... or at least, it looks that way...
+    // ucomi will report that (0 == -0), and will report true if either input in NaN (result is unordered).
+    m_jit.link(m_jit.emitUnlinkedJp(), resultLookedLikeImmButActuallyIsnt); // Actually was a NaN
+    m_jit.pextrw_irr(3, xmmSource, tempReg2);
+    m_jit.cmpl_i32r(0x8000, tempReg2);
+    m_jit.link(m_jit.emitUnlinkedJe(), resultLookedLikeImmButActuallyIsnt); // Actually was -0
+    // Yes it really really really is representable as a JSImmediate.
+    emitFastArithIntToImmNoCheck(tempReg1);
+    emitPutResult(dst, X86::ecx);
+}
+
+void CTI::compileBinaryArithOp(OpcodeID opcodeID, unsigned dst, unsigned src1, unsigned src2, OperandTypes types, unsigned i)
+{
+    StructureID* numberStructureID = m_exec->globalData().numberStructureID.get();
+    X86Assembler::JmpSrc wasJSNumberCell1, wasJSNumberCell1b, wasJSNumberCell2, wasJSNumberCell2b;
+
+    emitGetArg(src1, X86::eax);
+    emitGetArg(src2, X86::edx);
+
+    if (types.second().isReusable() && isSSE3Present()) {
+        ASSERT(types.second().mightBeNumber());
+
+        // Check op2 is a number
+        m_jit.testl_i32r(JSImmediate::TagBitTypeInteger, X86::edx);
+        X86Assembler::JmpSrc op2imm = m_jit.emitUnlinkedJne();
+        if (!types.second().definitelyIsNumber()) {
+            emitJumpSlowCaseIfNotJSCell(X86::edx, i);
+            m_jit.cmpl_i32m(reinterpret_cast<unsigned>(numberStructureID), OBJECT_OFFSET(JSCell, m_structureID), X86::edx);
+            m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJne(), i));
+        }
+
+        // (1) In this case src2 is a reusable number cell.
+        //     Slow case if src1 is not a number type.
+        m_jit.testl_i32r(JSImmediate::TagBitTypeInteger, X86::eax);
+        X86Assembler::JmpSrc op1imm = m_jit.emitUnlinkedJne();
+        if (!types.first().definitelyIsNumber()) {
+            emitJumpSlowCaseIfNotJSCell(X86::eax, i);
+            m_jit.cmpl_i32m(reinterpret_cast<unsigned>(numberStructureID), OBJECT_OFFSET(JSCell, m_structureID), X86::eax);
+            m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJne(), i));
+        }
+
+        // (1a) if we get here, src1 is also a number cell
+        m_jit.movsd_mr(OBJECT_OFFSET(JSNumberCell, m_value), X86::eax, X86::xmm0);
+        X86Assembler::JmpSrc loadedDouble = m_jit.emitUnlinkedJmp();
+        // (1b) if we get here, src1 is an immediate
+        m_jit.link(op1imm, m_jit.label());
+        emitFastArithImmToInt(X86::eax);
+        m_jit.cvtsi2sd_rr(X86::eax, X86::xmm0);
+        // (1c) 
+        m_jit.link(loadedDouble, m_jit.label());
+        if (opcodeID == op_add)
+            m_jit.addsd_mr(OBJECT_OFFSET(JSNumberCell, m_value), X86::edx, X86::xmm0);
+        else if (opcodeID == op_sub)
+            m_jit.subsd_mr(OBJECT_OFFSET(JSNumberCell, m_value), X86::edx, X86::xmm0);
+        else {
+            ASSERT(opcodeID == op_mul);
+            m_jit.mulsd_mr(OBJECT_OFFSET(JSNumberCell, m_value), X86::edx, X86::xmm0);
+        }
+
+        putDoubleResultToJSNumberCellOrJSImmediate(X86::xmm0, X86::edx, dst, &wasJSNumberCell2, X86::xmm1, X86::ecx, X86::eax);
+        wasJSNumberCell2b = m_jit.emitUnlinkedJmp();
+
+        // (2) This handles cases where src2 is an immediate number.
+        //     Two slow cases - either src1 isn't an immediate, or the subtract overflows.
+        m_jit.link(op2imm, m_jit.label());
+        emitJumpSlowCaseIfNotImmNum(X86::eax, i);
+    } else if (types.first().isReusable() && isSSE3Present()) {
+        ASSERT(types.first().mightBeNumber());
+
+        // Check op1 is a number
+        m_jit.testl_i32r(JSImmediate::TagBitTypeInteger, X86::eax);
+        X86Assembler::JmpSrc op1imm = m_jit.emitUnlinkedJne();
+        if (!types.first().definitelyIsNumber()) {
+            emitJumpSlowCaseIfNotJSCell(X86::eax, i);
+            m_jit.cmpl_i32m(reinterpret_cast<unsigned>(numberStructureID), OBJECT_OFFSET(JSCell, m_structureID), X86::eax);
+            m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJne(), i));
+        }
+
+        // (1) In this case src1 is a reusable number cell.
+        //     Slow case if src2 is not a number type.
+        m_jit.testl_i32r(JSImmediate::TagBitTypeInteger, X86::edx);
+        X86Assembler::JmpSrc op2imm = m_jit.emitUnlinkedJne();
+        if (!types.second().definitelyIsNumber()) {
+            emitJumpSlowCaseIfNotJSCell(X86::edx, i);
+            m_jit.cmpl_i32m(reinterpret_cast<unsigned>(numberStructureID), OBJECT_OFFSET(JSCell, m_structureID), X86::edx);
+            m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJne(), i));
+        }
+
+        // (1a) if we get here, src2 is also a number cell
+        m_jit.movsd_mr(OBJECT_OFFSET(JSNumberCell, m_value), X86::edx, X86::xmm1);
+        X86Assembler::JmpSrc loadedDouble = m_jit.emitUnlinkedJmp();
+        // (1b) if we get here, src2 is an immediate
+        m_jit.link(op2imm, m_jit.label());
+        emitFastArithImmToInt(X86::edx);
+        m_jit.cvtsi2sd_rr(X86::edx, X86::xmm1);
+        // (1c) 
+        m_jit.link(loadedDouble, m_jit.label());
+        m_jit.movsd_mr(OBJECT_OFFSET(JSNumberCell, m_value), X86::eax, X86::xmm0);
+        if (opcodeID == op_add)
+            m_jit.addsd_rr(X86::xmm1, X86::xmm0);
+        else if (opcodeID == op_sub)
+            m_jit.subsd_rr(X86::xmm1, X86::xmm0);
+        else {
+            ASSERT(opcodeID == op_mul);
+            m_jit.mulsd_rr(X86::xmm1, X86::xmm0);
+        }
+        m_jit.movsd_rm(X86::xmm0, OBJECT_OFFSET(JSNumberCell, m_value), X86::eax);
+        emitPutResult(dst);
+
+        putDoubleResultToJSNumberCellOrJSImmediate(X86::xmm0, X86::eax, dst, &wasJSNumberCell1, X86::xmm1, X86::ecx, X86::edx);
+        wasJSNumberCell1b = m_jit.emitUnlinkedJmp();
+
+        // (2) This handles cases where src1 is an immediate number.
+        //     Two slow cases - either src2 isn't an immediate, or the subtract overflows.
+        m_jit.link(op1imm, m_jit.label());
+        emitJumpSlowCaseIfNotImmNum(X86::edx, i);
+    } else
+        emitJumpSlowCaseIfNotImmNums(X86::eax, X86::edx, i);
+
+    if (opcodeID == op_add) {
+        emitFastArithDeTagImmediate(X86::eax);
+        m_jit.addl_rr(X86::edx, X86::eax);
+        m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
+    } else  if (opcodeID == op_sub) {
+        m_jit.subl_rr(X86::edx, X86::eax);
+        m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
+        emitFastArithReTagImmediate(X86::eax);
+    } else {
+        ASSERT(opcodeID == op_mul);
+        emitFastArithDeTagImmediate(X86::eax);
+        emitFastArithImmToInt(X86::edx);
+        m_jit.imull_rr(X86::edx, X86::eax);
+        m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
+        emitFastArithReTagImmediate(X86::eax);
+    }
+    emitPutResult(dst);
+
+    if (types.second().isReusable() && isSSE3Present()) {
+        m_jit.link(wasJSNumberCell2, m_jit.label());
+        m_jit.link(wasJSNumberCell2b, m_jit.label());
+    }
+    else if (types.first().isReusable() && isSSE3Present()) {
+        m_jit.link(wasJSNumberCell1, m_jit.label());
+        m_jit.link(wasJSNumberCell1b, m_jit.label());
+    }
+}
+
+void CTI::compileBinaryArithOpSlowCase(OpcodeID opcodeID, Vector<SlowCaseEntry>::iterator& iter, unsigned dst, unsigned src1, unsigned src2, OperandTypes types, unsigned i)
+{
+    X86Assembler::JmpDst here = m_jit.label();
+    m_jit.link(iter->from, here);
+    if (types.second().isReusable() && isSSE3Present()) {
+        if (!types.first().definitelyIsNumber()) {
+            m_jit.link((++iter)->from, here);
+            m_jit.link((++iter)->from, here);
+        }
+        if (!types.second().definitelyIsNumber()) {
+            m_jit.link((++iter)->from, here);
+            m_jit.link((++iter)->from, here);
+        }
+        m_jit.link((++iter)->from, here);
+    } else if (types.first().isReusable() && isSSE3Present()) {
+        if (!types.first().definitelyIsNumber()) {
+            m_jit.link((++iter)->from, here);
+            m_jit.link((++iter)->from, here);
+        }
+        if (!types.second().definitelyIsNumber()) {
+            m_jit.link((++iter)->from, here);
+            m_jit.link((++iter)->from, here);
+        }
+        m_jit.link((++iter)->from, here);
+    } else
+        m_jit.link((++iter)->from, here);
+
+    emitGetPutArg(src1, 0, X86::ecx);
+    emitGetPutArg(src2, 4, X86::ecx);
+    if (opcodeID == op_add)
+        emitCall(i, Machine::cti_op_add);
+    else if (opcodeID == op_sub)
+        emitCall(i, Machine::cti_op_sub);
+    else {
+        ASSERT(opcodeID == op_mul);
+        emitCall(i, Machine::cti_op_mul);
+    }
+    emitPutResult(dst);
+}
+
 void CTI::privateCompileMainPass()
 {
@@ -633 +874 @@
             unsigned src1 = instruction[i + 2].u.operand;
             unsigned src2 = instruction[i + 3].u.operand;
-            if (isConstant(src2)) {
-                JSValue* value = getConstant(m_exec, src2);
-                if (JSImmediate::isNumber(value)) {
-                    emitGetArg(src1, X86::eax);
-                    emitJumpSlowCaseIfNotImmNum(X86::eax, i);
-                    m_jit.addl_i32r(getDeTaggedConstantImmediate(value), X86::eax);
-                    m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
-                    emitPutResult(dst);
-                    i += 4;
-                    break;
-                }
-            } else if (!isConstant(src1)) {
+
+            if (JSValue* value = getConstantImmediateNumericArg(src1)) {
+                emitGetArg(src2, X86::edx);
+                emitJumpSlowCaseIfNotImmNum(X86::edx, i);
+                m_jit.addl_i32r(getDeTaggedConstantImmediate(value), X86::edx);
+                m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
+                emitPutResult(dst, X86::edx);
+            } else if (JSValue* value = getConstantImmediateNumericArg(src2)) {
                 emitGetArg(src1, X86::eax);
-                emitGetArg(src2, X86::edx);
-                emitJumpSlowCaseIfNotImmNums(X86::eax, X86::edx, i);
-                emitFastArithDeTagImmediate(X86::eax);
-                m_jit.addl_rr(X86::edx, X86::eax);
+                emitJumpSlowCaseIfNotImmNum(X86::eax, i);
+                m_jit.addl_i32r(getDeTaggedConstantImmediate(value), X86::eax);
                 m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
                 emitPutResult(dst);
-                i += 4;
-                break;
+            } else {
+                OperandTypes types = OperandTypes::fromInt(instruction[i + 4].u.operand);
+                if (types.first().mightBeNumber() && types.second().mightBeNumber())
+                    compileBinaryArithOp(op_add, instruction[i + 1].u.operand, instruction[i + 2].u.operand, instruction[i + 3].u.operand, OperandTypes::fromInt(instruction[i + 4].u.operand), i);
+                else {
+                    emitGetPutArg(instruction[i + 2].u.operand, 0, X86::ecx);
+                    emitGetPutArg(instruction[i + 3].u.operand, 4, X86::ecx);
+                    emitCall(i, Machine::cti_op_add);
+                    emitPutResult(instruction[i + 1].u.operand);
+                }
             }
-            emitGetPutArg(instruction[i + 2].u.operand, 0, X86::ecx);
-            emitGetPutArg(instruction[i + 3].u.operand, 4, X86::ecx);
-            emitCall(i, Machine::cti_op_add);
-            emitPutResult(instruction[i + 1].u.operand);
-            i += 4;
+
+            i += 5;
             break;
         }
@@ -876 +1116 @@
             unsigned src1 = instruction[i + 2].u.operand;
             unsigned src2 = instruction[i + 3].u.operand;
-            if (isConstant(src1) || isConstant(src2)) {
-                unsigned constant = src1;
-                unsigned nonconstant = src2;
-                if (!isConstant(src1)) {
-                    constant = src2;
-                    nonconstant = src1;
-                }
-                JSValue* value = getConstant(m_exec, constant);
-                if (JSImmediate::isNumber(value)) {
-                    emitGetArg(nonconstant, X86::eax);
-                    emitJumpSlowCaseIfNotImmNum(X86::eax, i);
-                    emitFastArithImmToInt(X86::eax);
-                    m_jit.imull_i32r( X86::eax, getDeTaggedConstantImmediate(value), X86::eax);
-                    m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
-                    emitFastArithPotentiallyReTagImmediate(X86::eax);
-                    emitPutResult(dst);
-                    i += 4;
-                    break;
-                }
-            }
-
-            emitGetArg(src1, X86::eax);
-            emitGetArg(src2, X86::edx);
-            emitJumpSlowCaseIfNotImmNums(X86::eax, X86::edx, i);
-            emitFastArithDeTagImmediate(X86::eax);
-            emitFastArithImmToInt(X86::edx);
-            m_jit.imull_rr(X86::edx, X86::eax);
-            m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
-            emitFastArithPotentiallyReTagImmediate(X86::eax);
-            emitPutResult(dst);
-            i += 4;
+
+            if (JSValue* src1Value = getConstantImmediateNumericArg(src1)) {
+                emitGetArg(src2, X86::eax);
+                emitJumpSlowCaseIfNotImmNum(X86::eax, i);
+                emitFastArithImmToInt(X86::eax);
+                m_jit.imull_i32r(X86::eax, getDeTaggedConstantImmediate(src1Value), X86::eax);
+                m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
+                emitFastArithReTagImmediate(X86::eax);
+                emitPutResult(dst);
+            } else if (JSValue* src2Value = getConstantImmediateNumericArg(src2)) {
+                emitGetArg(src1, X86::eax);
+                emitJumpSlowCaseIfNotImmNum(X86::eax, i);
+                emitFastArithImmToInt(X86::eax);
+                m_jit.imull_i32r(X86::eax, getDeTaggedConstantImmediate(src2Value), X86::eax);
+                m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
+                emitFastArithReTagImmediate(X86::eax);
+                emitPutResult(dst);
+            } else
+                compileBinaryArithOp(op_mul, instruction[i + 1].u.operand, instruction[i + 2].u.operand, instruction[i + 3].u.operand, OperandTypes::fromInt(instruction[i + 4].u.operand), i);
+
+            i += 5;
             break;
         }
@@ -1087 +1317 @@
         }
         case op_sub: {
-            emitGetArg(instruction[i + 2].u.operand, X86::eax);
-            emitGetArg(instruction[i + 3].u.operand, X86::edx);
-            emitJumpSlowCaseIfNotImmNums(X86::eax, X86::edx, i);
-            m_jit.subl_rr(X86::edx, X86::eax);
-            m_slowCases.append(SlowCaseEntry(m_jit.emitUnlinkedJo(), i));
-            emitFastArithReTagImmediate(X86::eax);
-            emitPutResult(instruction[i + 1].u.operand);
-            i += 4;
+            compileBinaryArithOp(op_sub, instruction[i + 1].u.operand, instruction[i + 2].u.operand, instruction[i + 3].u.operand, OperandTypes::fromInt(instruction[i + 4].u.operand), i);
+            i += 5;
             break;
         }
@@ -1344 +1568 @@
                 emitPutResult(dst);
             }
-            i += 4;
+            i += 5;
             break;
         }
@@ -1455 +1679 @@
             emitFastArithReTagImmediate(X86::eax);
             emitPutResult(instruction[i + 1].u.operand);
-            i += 4;
+            i += 5;
             break;
         }
@@ -1472 +1696 @@
             m_jit.orl_rr(X86::edx, X86::eax);
             emitPutResult(instruction[i + 1].u.operand);
-            i += 4;
+            i += 5;
             break;
         }
@@ -1812 +2036 @@
         case op_add: {
             unsigned dst = instruction[i + 1].u.operand;
+            unsigned src1 = instruction[i + 2].u.operand;
             unsigned src2 = instruction[i + 3].u.operand;
-            if (isConstant(src2)) {
-                JSValue* value = getConstant(m_exec, src2);
-                if (JSImmediate::isNumber(value)) {
-                    X86Assembler::JmpSrc notImm = iter->from;
-                    m_jit.link((++iter)->from, m_jit.label());
-                    m_jit.subl_i32r(getDeTaggedConstantImmediate(value), X86::eax);
-                    m_jit.link(notImm, m_jit.label());
-                    emitPutArg(X86::eax, 0);
-                    emitGetPutArg(src2, 4, X86::ecx);
-                    emitCall(i, Machine::cti_op_add);
-                    emitPutResult(dst);
-                    i += 4;
-                    break;
-                }
+            if (JSValue* value = getConstantImmediateNumericArg(src1)) {
+                X86Assembler::JmpSrc notImm = iter->from;
+                m_jit.link((++iter)->from, m_jit.label());
+                m_jit.subl_i32r(getDeTaggedConstantImmediate(value), X86::edx);
+                m_jit.link(notImm, m_jit.label());
+                emitGetPutArg(src1, 0, X86::ecx);
+                emitPutArg(X86::edx, 4);
+                emitCall(i, Machine::cti_op_add);
+                emitPutResult(dst);
+            } else if (JSValue* value = getConstantImmediateNumericArg(src2)) {
+                X86Assembler::JmpSrc notImm = iter->from;
+                m_jit.link((++iter)->from, m_jit.label());
+                m_jit.subl_i32r(getDeTaggedConstantImmediate(value), X86::eax);
+                m_jit.link(notImm, m_jit.label());
+                emitPutArg(X86::eax, 0);
+                emitGetPutArg(src2, 4, X86::ecx);
+                emitCall(i, Machine::cti_op_add);
+                emitPutResult(dst);
+            } else {
+                OperandTypes types = OperandTypes::fromInt(instruction[i + 4].u.operand);
+                if (types.first().mightBeNumber() && types.second().mightBeNumber())
+                    compileBinaryArithOpSlowCase(op_add, iter, dst, src1, src2, types, i);
+                else
+                    ASSERT_NOT_REACHED();
             }
 
-            ASSERT(!isConstant(instruction[i + 2].u.operand));
-
-            X86Assembler::JmpSrc notImm = iter->from;
-            m_jit.link((++iter)->from, m_jit.label());
-            m_jit.subl_rr(X86::edx, X86::eax);
-            emitFastArithReTagImmediate(X86::eax);
-            m_jit.link(notImm, m_jit.label());
-            emitPutArg(X86::eax, 0);
-            emitPutArg(X86::edx, 4);
-            emitCall(i, Machine::cti_op_add);
-            emitPutResult(dst);
-            i += 4;
+            i += 5;
             break;
         }
@@ -1875 +2099 @@
         }
         case op_sub: {
-            X86Assembler::JmpSrc notImm = iter->from;
-            m_jit.link((++iter)->from, m_jit.label());
-            m_jit.addl_rr(X86::edx, X86::eax);
-            m_jit.link(notImm, m_jit.label());
-            emitPutArg(X86::eax, 0);
-            emitPutArg(X86::edx, 4);
-            emitCall(i, Machine::cti_op_sub);
-            emitPutResult(instruction[i + 1].u.operand);
-            i += 4;
+            compileBinaryArithOpSlowCase(op_sub, iter, instruction[i + 1].u.operand, instruction[i + 2].u.operand, instruction[i + 3].u.operand, OperandTypes::fromInt(instruction[i + 4].u.operand), i);
+            i += 5;
             break;
         }
@@ -1957 +2174 @@
             // so that we only need track one pointer into the slow case code - we track a pointer to the location
             // of the call (which we can use to look up the repatch information), but should a array-length or
-            // prototype access tramopile fail we want to bail out back to here.  To do so we can subtract back
+            // prototype access trampoline fail we want to bail out back to here.  To do so we can subtract back
             // the distance from the call to the head of the slow case.
 
@@ -2156 +2373 @@
                 emitPutResult(dst);
             }
-            i += 4;
+            i += 5;
             break;
         }
@@ -2187 +2404 @@
             emitCall(i, Machine::cti_op_bitxor);
             emitPutResult(instruction[i + 1].u.operand);
-            i += 4;
+            i += 5;
             break;
         }
@@ -2196 +2413 @@
             emitCall(i, Machine::cti_op_bitor);
             emitPutResult(instruction[i + 1].u.operand);
-            i += 4;
+            i += 5;
             break;
         }
@@ -2244 +2461 @@
             break;
         }
-        CTI_COMPILE_BINARY_OP_SLOW_CASE(op_mul);
+        case op_mul: {
+            int dst = instruction[i + 1].u.operand;
+            int src1 = instruction[i + 2].u.operand;
+            int src2 = instruction[i + 3].u.operand;
+            if (getConstantImmediateNumericArg(src1) || getConstantImmediateNumericArg(src2)) {
+                m_jit.link(iter->from, m_jit.label());
+                emitGetPutArg(src1, 0, X86::ecx);
+                emitGetPutArg(src2, 4, X86::ecx);
+                emitCall(i, Machine::cti_op_mul);
+                emitPutResult(dst);
+            } else
+                compileBinaryArithOpSlowCase(op_mul, iter, dst, src1, src2, OperandTypes::fromInt(instruction[i + 4].u.operand), i);
+            i += 5;
+            break;
+        }
+
         case op_call:
         case op_call_eval: