Currently, the Null or Undefined value test in the 32_64 DFG checks the Null and Undefined tags separately, which introduces one more branch. It can be improved the way the baseline JIT does it, by relying on the fact that "UndefinedTag + 1 == NullTag and NullTag & 1".
Created attachment 110315
the patch
Comment on attachment 110315
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=110315&action=review

> Source/JavaScriptCore/dfg/DFGJITCodeGenerator32_64.cpp:1178
> + ASSERT((JSValue::UndefinedTag + 1 == JSValue::NullTag) && (JSValue::NullTag & 0x1));

This assertion is written in an oblique way and could instead be written to directly mirror what the code relies on:

COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag);

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:460
> + ASSERT((JSValue::UndefinedTag + 1 == JSValue::NullTag) && (JSValue::NullTag & 0x1));

Ditto.

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:560
> + ASSERT((JSValue::UndefinedTag + 1 == JSValue::NullTag) && (JSValue::NullTag & 0x1));

Ditto.
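Review bot: the condition in the ASSERT added at DFGJITCodeGenerator32_64.cpp:1178 and at DFGSpeculativeJIT32_64.cpp:460 and :560 is built only from the constants JSValue::UndefinedTag and JSValue::NullTag, so it does not depend on run-time state and the same check is repeated three times. Checking it once at compile time would catch a renumbering of the tags in every build configuration, not only in builds where ASSERT is enabled. When switching to the form (JSValue::UndefinedTag | 1) == JSValue::NullTag, note that it is slightly weaker than the original condition: it also holds if the two tags were equal and odd, so it relies on the tags being distinct.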
Comment on attachment 110315
the patch

Agree with Darin's comments, r=me otherwise. I'll be happy to cq+ if you can just fix that assertion.
Created attachment 110319
patch addressing Darin's comments
Comment on attachment 110319
patch addressing Darin's comments

Clearing flags on attachment: 110319

Committed r97039: <http://trac.webkit.org/changeset/97039>
All reviewed patches have been landed. Closing bug.
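The tag trick from the bug description, with a compile-time guard in the form suggested in review, as an added C example that is not WebKit code. The tag values and function names are constructed for illustration; only the relationship between the two tags comes from the thread. It also counts what the single-compare test gets wrong when a layout breaks that relationship.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed tag values (assumption): only their relationship matters. */
#define UNDEFINED_TAG 0xfffffffau /* even */
#define NULL_TAG      0xfffffffbu /* UNDEFINED_TAG + 1, odd */

/* Compile-time guard in the form the review suggests. */
_Static_assert((UNDEFINED_TAG | 1u) == NULL_TAG,
               "masked null/undefined test needs (UndefinedTag | 1) == NullTag");

/* Two compares, two branches: the test the bug describes as current. */
static int two_branch(uint32_t tag, uint32_t undef, uint32_t null_tag)
{
    if (tag == undef)
        return 1;
    return tag == null_tag;
}

/* One compare: OR-ing in bit 0 folds the Undefined tag onto the Null tag. */
static int masked(uint32_t tag, uint32_t null_tag)
{
    return (tag | 1u) == null_tag;
}

/* Number of tags in [lo, hi] on which the two tests disagree for a layout. */
unsigned long count_mismatches(uint32_t undef, uint32_t null_tag,
                               uint32_t lo, uint32_t hi)
{
    unsigned long bad = 0;
    for (uint64_t t = lo; t <= hi; ++t)
        bad += two_branch((uint32_t)t, undef, null_tag) != masked((uint32_t)t, null_tag);
    return bad;
}

int main(void)
{
    /* Layout that satisfies the invariant: the tests agree on every tag checked. */
    printf("valid layout:  %lu mismatches\n",
           count_mismatches(UNDEFINED_TAG, NULL_TAG, 0xffff0000u, 0xffffffffu));
    /* Constructed broken layout (odd Undefined, Null two above it): the masked
     * test misses Undefined and accepts the unrelated tag in between. */
    printf("broken layout: %lu mismatches\n",
           count_mismatches(0xfffffffbu, 0xfffffffdu, 0xffff0000u, 0xffffffffu));
    return 0;
}
```

In generated code a mismatch of this kind means a value is classified under the wrong tag, which is why the layout assumption is worth enforcing at build time.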