Seeing DFG dump, (unfortunately!) Array iteration methods (like forEach) performs Double Comparison on loop condition!
This is because,
1. Poor toInteger implementation
We should convert @Number(...) to NumberUse edge filtering. And implementing isFinite in JS is better (If value is speculated as Int32, we can purge many conditions!)
return value === Infinity || value === -Infinity;
var numberValue = @Number(value); // This should be converted to edge filtering.
return numberValue === Infinity || numberValue === -Infinity;
Handling NumberConstructor::info() in DFGByteCodeParser.cpp makes it easy I think. And to ensure more high performance implementation, introducing @toNumber bytecode intrinsic (that emits to_number bytecode) may also be good.
2. maxSafeInteger = 0x1FFFFFFFFFFFFF
Now, in toLength, we have a chance to return maxSafeInteger (This is represented as double). It is unfortunate, because it makes the result value double rep.
One plan is,
When comparing value < maxSafeInteger, and if we know value is Int32, value < maxSafeInteger becomes always true.
So we can purge this comparison and maxSafeInteger. It makes the result value Int32.
How about this?
Sounds good to me.