Seeing DFG dump, (unfortunately!) Array iteration methods (like forEach) performs Double Comparison on loop condition! This is because, 1. Poor toInteger implementation We should convert @Number(...) to NumberUse edge filtering. And implementing isFinite in JS is better (If value is speculated as Int32, we can purge many conditions!) Like, (Number.isFinite) function isFinite(value) { return value === Infinity || value === -Infinity; } And, (global).isFinite function isFinite(value) { var numberValue = @Number(value); // This should be converted to edge filtering. return numberValue === Infinity || numberValue === -Infinity; } Handling NumberConstructor::info() in DFGByteCodeParser.cpp makes it easy I think. And to ensure more high performance implementation, introducing @toNumber bytecode intrinsic (that emits to_number bytecode) may also be good. 2. maxSafeInteger = 0x1FFFFFFFFFFFFF Now, in toLength, we have a chance to return maxSafeInteger (This is represented as double). It is unfortunate, because it makes the result value double rep. One plan is, When comparing value < maxSafeInteger, and if we know value is Int32, value < maxSafeInteger becomes always true. So we can purge this comparison and maxSafeInteger. It makes the result value Int32. How about this?
Sounds good to me.