On Mon, May 26, 2014 at 8:40 PM, Ilya Kantor <[email protected]> wrote:
> Hello,
>
> I'm exploring v8 disasm for this code:
> ```
> function walkLength(x) {
>   for(var i=0; i<arr.length; i++) arr[i]++;
> }
> ```
>
> That's what I analyze:
> out/ia32.release/d8 --print-opt-code --print_code_verbose --code-comments in.js > res
>
> In section B4 of walkLength I see:
>
> ```
> ;;; <@48,#40> bounds-check
> 0x2e34f629   105  3bd1           cmp edx,ecx                 ;; debug: position 271
> 0x2e34f62b   107  0f833e000000   jnc 175  (0x2e34f66f)
> ;;; <@50,#41> load-keyed
> 0x2e34f631   113  8b5c5007       mov ebx,[eax+edx*2+0x7]
> ;;; <@52,#43> add-i
> 0x2e34f635   117  83c302         add ebx,0x2
> 0x2e34f638   120  0f8036000000   jo 180  (0x2e34f674)
> ;;; <@54,#55> store-keyed
> 0x2e34f63e   126  895c5007       mov [eax+edx*2+0x7],ebx
> ;;; <@56,#58> add-i
> 0x2e34f642   130  83c202         add edx,0x2                 ;; debug: position 260
> ```
>
> The question is: why is it incremented as "add ebx, 0x2" on line 117, why not "add ebx, 0x1"?
V8 uses tagged pointers[1] internally. The least significant bit is used to discern between pointers and integers. Adding two to a tagged integer increments it by one while leaving the tag bit intact.

[1] http://en.wikipedia.org/wiki/Tagged_pointer
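A small C model of the tagging scheme behind the listing, added here as an illustration and not code from V8 or from either poster. It assumes V8's ia32 conventions as I read them from the disassembly: bit 0 is the tag (0 = small integer, 1 = heap pointer), a Smi is stored as `value << 1`, and the `+0x7` in `[eax+edx*2+0x7]` is the 8-byte FixedArray header minus the 1 from the pointer tag; the helper names are mine.

```c
#include <stdint.h>
#include <stdbool.h>

/* Model of V8 ia32 value tagging (illustration only, not V8 source).
 * Bit 0 of a 32-bit word is the tag: 0 = small integer (Smi), 1 = heap object.
 * A Smi keeps its value in the upper 31 bits, i.e. tagged word = value << 1. */
typedef uint32_t tagged_t;

#define TAG_MASK      1u
#define SMI_TAG       0u
#define HEAP_OBJ_TAG  1u

static bool is_smi(tagged_t v) { return (v & TAG_MASK) == SMI_TAG; }

static tagged_t smi_tag(int32_t value) { return (uint32_t)value << 1; }

/* Tagged Smis are always even, so signed division by 2 is exact and avoids
 * relying on arithmetic right shift of negative values. */
static int32_t smi_untag(tagged_t v) { return (int32_t)v / 2; }

/* The "add ebx,0x2 / jo" pair from the listing: adding 2 to the tagged word
 * adds 1 to the untagged value and leaves bit 0 untouched. A signed overflow of
 * the 32-bit word means the result left the 31-bit Smi range, which is exactly
 * what the jo (jump if overflow) check bails out on. Returns false on overflow. */
static bool smi_add_one(tagged_t in, tagged_t *out) {
    int32_t s = (int32_t)in;
    if (s > INT32_MAX - 2) return false;   /* s + 2 would set OF, as jo sees it */
    *out = (tagged_t)(s + 2);
    return true;
}

/* Wrappers that run the tagged increment on plain ints, for checking. */
static bool add_one_overflows(int32_t value) {
    tagged_t o;
    return !smi_add_one(smi_tag(value), &o);
}
static int32_t add_one_untagged(int32_t value) {
    tagged_t o = 0;
    smi_add_one(smi_tag(value), &o);
    return smi_untag(o);
}

/* Element address from "mov ebx,[eax+edx*2+0x7]": eax holds the tagged
 * FixedArray pointer (real address + HEAP_OBJ_TAG), edx the tagged index
 * (index * 2). Assumed ia32 layout: an 8-byte header (map + length) followed
 * by 4-byte slots, so element i is at base + 8 + 4*i = (base + 1) + 7 + (2*i)*2. */
#define FIXED_ARRAY_HEADER 8u

static uint32_t element_address(tagged_t array_ptr, tagged_t smi_index) {
    return array_ptr + smi_index * 2 + (FIXED_ARRAY_HEADER - HEAP_OBJ_TAG);
}
```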
