Opcodes of the Hermes virtual machine

With the opcode byte value indicated respective to each stable version of the React Native Hermes VM bytecode format, as
well as the auto-generated documentation from the "BytecodeList.def" file from the Hermes VM source tree.

This list of opcodes is used by the hermes-dec open-source reverse engineering project.

Instruction Bytecode version to opcode Documentation

51 58 59 60 62 71 74 76 83 84 89
Reg8, Reg8, Reg8 (total size 3)
Add 21 21 21 21 21 21 21 21 22 22 22
Arg1 = Arg2 + Arg3 (JS
addition/concatenation)
Reg8, Reg8, Reg8 (total size 3)
Add32 185 190
Arg1 = Arg2 + Arg3 (32-bit integer
addition)
Reg8, Reg8 (total size 2)

Convert a value to a string as if

evaluating the expression:
Arg1 = "" + Arg2
AddEmptyString 113 115 116 116 116 116 116 116 121 121 126
In practice this means
Arg1 = ToString(ToPrimitive(Arg2,
PreferredType::NONE))
with ToPrimitive (ES5.1 9.1) and
ToString (ES5.1 9.8).
Reg8, Reg8, Reg8 (total size 3)
AddN 22 22 22 22 22 22 22 22 23 23 23
Arg1 = Arg2 + Arg3 (Numeric
addition, skips number check)
(total size 0)
AsyncBreakCheck 91 91 91 91 94 94 96
Fast check for an async interrupt
request.
Reg8, Reg8, Reg8 (total size 3)
BitAnd 33 33 33 33 33 33 33 33 34 34 34
Arg1 = Arg2 & Arg3 (JS bitwise AND)
Reg8, Reg8 (total size 2)
BitNot 11 11 11 11 11 11 11 11 12 12 12
Arg1 = ~Arg2 (Bitwise not)
Reg8, Reg8, Reg8 (total size 3)
BitOr 35 35 35 35 35 35 35 35 36 36 36
Arg1 = Arg2 | Arg3 (JS bitwise OR)
Reg8, Reg8, Reg8 (total size 3)
BitXor 34 34 34 34 34 34 34 34 35 35 35
Arg1 = Arg2 ^ Arg3 (JS bitwise XOR)
Reg8, Reg8, UInt8 (total size 3)

Call a function.
Arg1 is the destination of the return
value.
Call 74 74 74 74 74 74 74 74 75 75 77
Arg2 is the closure to invoke.
Arg3 is the number of arguments,
assumed to be found in reverse
order
from the end of the current frame.
Call1 76 76 76 76 76 76 76 76 77 77 79 Reg8, Reg8, Reg8 (total size 3)

Call a function with one arg.

 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Arg1 is the destination of the return
value.
Arg2 is the closure to invoke.
Arg3 is the first argument.
Reg8, Reg8, Reg8, Reg8 (total size 4)

Call a function with two args.

Arg1 is the destination of the return
Call2 78 78 78 78 78 78 78 78 79 79 81
value.
Arg2 is the closure to invoke.
Arg3 is the first argument.
Arg4 is the second argument.
Reg8, Reg8, Reg8, Reg8, Reg8 (total
size 5)

Call a function with three args.

Arg1 is the destination of the return
Call3 79 79 79 79 79 79 79 79 80 80 82
value.
Arg2 is the closure to invoke.
Arg3 is the first argument.
Arg4 is the second argument.
Arg5 is the third argument.
Reg8, Reg8, Reg8, Reg8, Reg8, Reg8
(total size 6)

Call a function with four args.

Arg1 is the destination of the return
Call4 80 80 80 80 80 80 80 80 81 81 83 value.
Arg2 is the closure to invoke.
Arg3 is the first argument.
Arg4 is the second argument.
Arg5 is the third argument.
Arg6 is the fourth argument.
Reg8, UInt8, UInt8 (total size 3)

Call a builtin function.

Note this is NOT marked as a Ret
target, because the callee is native
and therefore never JS.
Arg1 is the destination of the return
CallBuiltin 84 84 84 84 84 84 84 84 85 85 87
value.
Arg2 is the builtin number.
Arg3 is the number of arguments,
assumed to be found in reverse
order
from the end of the current frame.
thisArg is set to "undefined".
Reg8, UInt8, UInt32 (total size 6)

Call a builtin function.

Note this is NOT marked as a Ret
target, because the callee is native
and therefore never JS.
Arg1 is the destination of the return
CallBuiltinLong 86 86 88
value.
Arg2 is the builtin number.
Arg3 is the number of arguments,
assumed to be found in reverse
order
from the end of the current frame.
thisArg is set to "undefined".
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Reg8, UInt8, UInt16 (function_id)
(total size 4)

Call a function directly without a

closure.
Arg1 is the destination of the return
value.
Arg2 is the number of arguments,
CallDirect 77 77 77 77 77 77 77 77 78 78 80 assumed to be found in reverse
order
from the end of the current frame.
The first argument 'this'
is assumed to be created with
CreateThis.
Arg3 is index in the function table.
Note that we expect the variable-
sized argument to be last.
Reg8, UInt8, UInt32 (total size 6)
CallDirectLongIndex 83 83 83 83 83 83 83 83 84 84 86
Identical to CallDirect, but the
function index is 32-bit.
Reg8, Reg8, UInt32 (total size 6)
CallLong 81 81 81 81 81 81 81 81 82 82 84
Identical to Call, but allowing more
arguments.
Reg8 (total size 1)

Catch 86 86 86 86 86 86 86 86 89 89 91 Catch an exception (the first

instruction in an exception handler).
} catch(Arg1) {
Reg8, Reg8 (total size 2)

Coerce a value assumed to contain

'this' to an object using non-strict
CoerceThisNS 109 111 112 112 112 112 112 112 117 117 121 mode rules. Primitives are boxed, \c
null or \c undefed produce the
global
object.
Arg1 = coerce_to_object(Arg2)
(total size 0)
CompleteGenerator 123 124 124 124 124 124 124 129 129 134
Set the generator status to complete,
but do not return.
Reg8, Reg8, UInt8 (total size 3)

Call a constructor, with semantics

identical to Call.
Arg1 is the destination of the return
value.
Arg2 is the closure to invoke.
Construct 75 75 75 75 75 75 75 75 76 76 78
Arg3 is the number of arguments,
assumed to be found in reverse
order
from the end of the current frame.
The first argument 'this'
is assumed to be created with
CreateThis.
Reg8, Reg8, UInt32 (total size 6)
ConstructLong 82 82 82 82 82 82 82 82 83 83 85
Identical to Construct, but allowing
more arguments.
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Reg8, Reg8, UInt16 (function_id)
(total size 4)

Create a closure for an

AsyncFunction.
CreateAsyncClosure 100 100 102
Arg1 is the register in which to store
the closure.
Arg2 is the current environment as
loaded by GetEnvironment 0.
Arg3 is index in the function table.
Reg8, Reg8, UInt32 (function_id)
(total size 6)

Create a closure for an

AsyncFunction.
CreateAsyncClosureLongIndex 101 101 103
Arg1 is the register in which to store
the closure.
Arg2 is the current environment as
loaded by GetEnvironment 0.
Arg3 is index in the function table.
Reg8, Reg8, UInt16 (function_id)
(total size 4)

Create a closure.
CreateClosure 93 93 94 94 94 94 94 94 96 96 98 Arg1 is the register in which to store
the closure.
Arg2 is the current environment as
loaded by GetEnvironment 0.
Arg3 is index in the function table.
Reg8, Reg8, UInt32 (function_id)
(total size 6)

Create a closure.
CreateClosureLongIndex 94 94 95 95 95 95 95 95 97 97 99 Arg1 is the register in which to store
the closure.
Arg2 is the current environment as
loaded by GetEnvironment 0.
Arg3 is index in the function table.
Reg8 (total size 1)
CreateEnvironment 47 47 47 47 47 47 47 47 48 48 50
Create a new environment, to store
values captured by closures.
Reg8, Reg8, UInt16 (function_id)
(total size 4)

Create a generator.
CreateGenerator 124 125 125 125 125 125 125 130 130 135 Arg1 is the register in which to store
the generator.
Arg2 is the current environment as
loaded by GetEnvironment 0.
Arg3 is index in the function table.
Reg8, Reg8, UInt16 (function_id)
(total size 4)

Create a closure for a

GeneratorFunction.
CreateGeneratorClosure 95 96 96 96 96 96 96 98 98 100
Arg1 is the register in which to store
the closure.
Arg2 is the current environment as
loaded by GetEnvironment 0.
Arg3 is index in the function table.
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Reg8, Reg8, UInt32 (function_id)
(total size 6)

Create a closure for a

GeneratorFunction.
CreateGeneratorClosureLongIndex 96 97 97 97 97 97 97 99 99 101
Arg1 is the register in which to store
the closure.
Arg2 is the current environment as
loaded by GetEnvironment 0.
Arg3 is index in the function table.
Reg8, Reg8, UInt32 (function_id)
(total size 6)

CreateGeneratorLongIndex
Create a generator.
125 126 126 126 126 126 126 131 131 136 Arg1 is the register in which to store
the generator.
Arg2 is the current environment as
loaded by GetEnvironment 0.
Arg3 is index in the function table.
Reg8, UInt32 (string_id), UInt32
(string_id), UInt32 (total size 13)

Create a regular expression.

Arg1 is the result.
CreateRegExp 117 119 120 120 120 120 120 120 125 125 130
Arg2 is the string index of the
pattern.
Arg3 is the string index of the flags.
Arg4 is the regexp bytecode index in
the regexp table.
Reg8, Reg8, Reg8 (total size 3)

Allocate an empty, uninitialized

object (immediately before a
constructor).
CreateThis 95 97 98 98 98 98 98 98 102 102 104 Arg1 is the destination register.
Arg2 is the prototype to assign it.
Arg3 is the constructor closure that
will be used*.
* To allow internal constructors to
have special objects allocated.
(total size 0)
Debugger 89 89 90 90 90 90 90 90 93 93 95
Implementation dependent
debugger action.
(total size 0)
DebuggerCheckBreak 90 90 91 91
Fast check for a debugger break
request.
Reg8, Reg8 (total size 2)
Dec 38
Arg1 = Arg2 - 1 (JS decrement, skips
number check)
UInt32 (string_id) (total size 4)

Declare a global variable by string

DeclareGlobalVar 48 48 48 48 48 48 48 48 49 49 51
table index.
The variable will be set to
undefined.
DelById 66 66 66 66 66 66 66 66 67 67 69 Reg8, Reg8, UInt16 (string_id) (total
size 4)
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Delete a property by string table
index.
Arg1 = delete
Arg2[stringtable[Arg3]]
Reg8, Reg8, UInt32 (string_id) (total
size 6)

DelByIdLong 67 67 67 67 67 67 67 67 68 68 70 Delete a property by string table

index.
Arg1 = delete
Arg2[stringtable[Arg3]]
Reg8, Reg8, Reg8 (total size 3)

Delete a property by value (when

DelByVal 70 70 70 70 70 70 70 70 71 71 73
the value is not known at compile
time).
Arg1 = delete Arg2[Arg3]
Reg8, Reg8 (total size 2)

ES6 18.2.1.1 PerformEval(Arg2,

evalRealm, strictCaller=true,
DirectEval 87 87 87 87 87 87 87 87 90 90 92
direct=true)
Arg1 is the destination of the return
value.
Arg2 is the value to eval.
Reg8, Reg8, Reg8 (total size 3)
Div 25 25 25 25 25 25 25 25 26 26 26
Arg1 = Arg2 / Arg3 (JS division)
Reg8, Reg8, Reg8 (total size 3)
DivN 26 26 26 26 26 26 26 26 27 27 27
Arg1 = Arg2 / Arg3 (Numeric
division, skips number check)
Reg8, Reg8, Reg8 (total size 3)
Divi32 188 193
Arg1 = Arg2 / Arg3 (32-bit signed
integer division)
Reg8, Reg8, Reg8 (total size 3)
Divu32 189 194
Arg1 = Arg2 / Arg3 (32-bit unsigned
integer division)
Reg8, Reg8, Reg8 (total size 3)
Eq 13 13 13 13 13 13 13 13 14 14 14
Arg1 = Arg2 == Arg3 (JS equality)
Reg8, Reg8 (total size 2)

Get the length of the 'arguments'

GetArgumentsLength 115 117 118 118 118 118 118 118 123 123 128 array.
Arg1 is the result.
Arg2 is the lazy loaded register.
Arg1 = arguments.length
Reg8, Reg8, Reg8 (total size 3)

Get a property of the 'arguments'

array by value.
GetArgumentsPropByVal 114 116 117 117 117 117 117 117 122 122 127
Arg1 is the result.
Arg2 is the index.
Arg3 is the lazy loaded register.
Arg1 = arguments[Arg2]
GetBuiltinClosure 87 87 89 Reg8, UInt8 (total size 2)
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Get a closure from a builtin function.
Arg1 is the destination of the return
value.
Arg2 is the builtin number.
Reg8, Reg8, UInt8, UInt16 (string_id)
(total size 5)

Get an object property by string

GetById 50 50 50 50 50 50 50 50 51 51 53
table index.
Arg1 = Arg2[stringtable[Arg4]]
Arg3 is a cache index used to speed
up the above operation.
Reg8, Reg8, UInt8, UInt32 (string_id)
(total size 7)

Get an object property by string

GetByIdLong 51 51 51 51 51 51 51 51 52 52 54
table index.
Arg1 = Arg2[stringtable[Arg4]]
Arg3 is a cache index used to speed
up the above operation.
Reg8, Reg8, UInt8, UInt8 (string_id)
(total size 4)

Get an object property by string

GetByIdShort 49 49 49 49 49 49 49 49 50 50 52
table index.
Arg1 = Arg2[stringtable[Arg4]]
Arg3 is a cache index used to speed
up the above operation.
Reg8, Reg8, Reg8 (total size 3)

Get a property by value. Constants

GetByVal 68 68 68 68 68 68 68 68 69 69 71
string values should instead use
GetById.
Arg1 = Arg2[Arg3]
Reg8, UInt8 (total size 2)

Get an environment (scope) from N

GetEnvironment 38 38 38 38 38 38 38 38 39 39 41
levels up the stack.
0 is the current environment, 1 is
the caller's environment, etc.
Reg8 (total size 1)
GetGlobalObject 45 45 45 45 45 45 45 45 46 46 48
Get the global object (the object in
which global variables are stored).
Reg8 (total size 1)

GetNewTarget 46 46 46 46 46 46 46 46 47 47 49 Obtain the value of NewTarget from

the frame.
Arg1 = NewTarget
GetNextPName 73 73 73 73 73 73 73 73 74 74 76 Reg8, Reg8, Reg8, Reg8, Reg8 (total
size 5)

Get the next property in the for..in

iterator.
Returns Arg1, which is the next
property. Undefined if unavailable.
Arg2 is the register that holds array
of properties.
Arg3 is the register that holds the
object.
Arg4 is the register that holds the
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
iterating index.
Arg5 is the register that holds the
size of the property list.
Reg8, Reg8, Reg8, Reg8 (total size 4)

Get the list of properties from an

object to implement for..in loop.
Returns Arg1, which is the register
that holds array of properties.
Returns Undefined if the object is
GetPNameList 72 72 72 72 72 72 72 72 73 73 75
null/undefined.
Arg2 is the register that holds the
object.
Arg3 is the register that holds the
iterating index.
Arg4 is the register that holds the
size of the property list.
Reg8, Reg8, Reg8 (total size 3)
Greater 19 19 19 19 19 19 19 19 20 20 20
Arg1 = Arg2 > Arg3 (JS greater-than)
Reg8, Reg8, Reg8 (total size 3)
GreaterEq 20 20 20 20 20 20 20 20 21 21 21
Arg1 = Arg2 >= Arg3 (JS greater-
than-or-equals)
Reg8, Reg8 (total size 2)
Inc 37
Arg1 = Arg2 + 1 (JS increment, skips
number check)
Reg8, Reg8, Reg8 (total size 3)

Check whether Arg2 contains Arg3

in its prototype chain.
InstanceOf 36 36 36 36 36 36 36 36 37 37 39
Note that this is not the same as JS
instanceof.
Pseudocode: Arg1 =
prototypechain(Arg2).contains(Arg3)
Reg8, Reg8, Reg8 (total size 3)
IsIn 37 37 37 37 37 37 37 37 38 38 40
Arg1 = Arg2 in Arg3 (JS relational
'in')
Reg8, Reg8 (total size 2)

Arg1 [out] is the result iterator or

index.
Arg2 [in/out] is the source. Output
for either the source or next
method.
IteratorBegin 127 127 132 132 137 If source is an array with an
unmodified [Symbol.iterator], the
result is
0. Else the result is
source[Symbol.iterator] and the
output is the .next()
method on the iterator.
See IR.md for IteratorBeginInst.
IteratorClose 129 129 134 134 139 Reg8, UInt8 (total size 2)

Arg1 [in] is the iterator or array

index.
Arg2 is a bool indicating whether to
ignore the inner exception.
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
If the iterator is an object, call
iterator.return().
If Arg2 is true, ignore exceptions
which are thrown by
iterator.return().
See IR.md for IteratorCloseInst.
Reg8, Reg8, Reg8 (total size 3)

Arg1 [out] is the result, or undefined

if done.
Arg2 [in/out] is the iterator or index.
Arg2 [in] is the source or the next
method.
If iterator is undefined, result =
undefined.
If iterator is a number:
IteratorNext 128 128 133 133 138
If iterator is less than source.length,
return source[iterator++]
Else iterator = undefined and result
= undefined
Else:
n = iterator.next()
If n.done, iterator = undefined and
result = undefined.
Else result = n.value
See IR.md for IteratorNextInst.
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JEqual 159 168 169 169 169 169 172 172 177 177 182 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JEqualLong 160 169 170 170 170 170 173 173 178 178 183 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
JGreater 143 152 153 153 153 153 156 156 161 161 166 Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JGreaterEqual 151 160 161 161 161 161 164 164 169 169 174 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JGreaterEqualLong 152 161 162 162 162 162 165 165 170 170 175 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JGreaterEqualN 155 164 165 165 165 165 168 168 173 173 178 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JGreaterEqualNLong 156 165 166 166 166 166 169 169 174 174 179 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
JGreaterLong 144 153 154 154 154 154 157 157 162 162 167 Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
we need to be able to say "jump
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JGreaterN 147 156 157 157 157 157 160 160 165 165 170 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JGreaterNLong 148 157 158 158 158 158 161 161 166 166 171 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JLess 127 136 137 137 137 137 140 140 145 145 150 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JLessEqual 135 144 145 145 145 145 148 148 153 153 158 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
JLessEqualLong 136 145 146 146 146 146 149 149 154 154 159 Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Since we want to be able to reorder
targets to allow for fall-throughs,
we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JLessEqualN 139 148 149 149 149 149 152 152 157 157 162 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JLessEqualNLong 140 149 150 150 150 150 153 153 158 158 163 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JLessLong 128 137 138 138 138 138 141 141 146 146 151 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JLessN 131 140 141 141 141 141 144 144 149 149 154 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JLessNLong 132 141 142 142 142 142 145 145 150 150 155 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotEqual 161 170 171 171 171 171 174 174 179 179 184 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotEqualLong 162 171 172 172 172 172 175 175 180 180 185 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotGreater 145 154 155 155 155 155 158 158 163 163 168 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
JNotGreaterEqual 153 162 163 163 163 163 166 166 171 171 176 Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotGreaterEqualLong 154 163 164 164 164 164 167 167 172 172 177 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotGreaterEqualN 157 166 167 167 167 167 170 170 175 175 180 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotGreaterEqualNLong 158 167 168 168 168 168 171 171 176 176 181 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotGreaterLong 146 155 156 156 156 156 159 159 164 164 169 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
JNotGreaterN 149 158 159 159 159 159 162 162 167 167 172 Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
we need to be able to say "jump
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotGreaterNLong 150 159 160 160 160 160 163 163 168 168 173 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotLess 129 138 139 139 139 139 142 142 147 147 152 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotLessEqual 137 146 147 147 147 147 150 150 155 155 160 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotLessEqualLong 138 147 148 148 148 148 151 151 156 156 161 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
JNotLessEqualN 141 150 151 151 151 151 154 154 159 159 164 Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Since we want to be able to reorder
targets to allow for fall-throughs,
we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotLessEqualNLong 142 151 152 152 152 152 155 155 160 160 165 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotLessLong 130 139 140 140 140 140 143 143 148 148 153 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotLessN 133 142 143 143 143 143 146 146 151 151 156 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JNotLessNLong 134 143 144 144 144 144 147 147 152 152 157 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JStrictEqual 163 172 173 173 173 173 176 176 181 181 186 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JStrictEqualLong 164 173 174 174 174 174 177 177 182 182 187 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8, Reg8, Reg8 (total size 3)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JStrictNotEqual 165 174 175 175 175 175 178 178 183 183 188 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr32, Reg8, Reg8 (total size 6)

Not conditionals are required for

NaN comparisons
Since we want to be able to reorder
targets to allow for fall-throughs,
JStrictNotEqualLong 166 175 176 176 176 176 179 179 184 184 189 we need to be able to say "jump
when not less than to BB2" instead
of
"jump when less than to BB1".
Since NaN comparisons always
return false, "not less" != "greater or
equal"
Addr8 (total size 1)
Jmp 119 126 127 127 127 127 130 130 135 135 140
Unconditional branch to Arg1.
Addr8, Reg8 (total size 2)
JmpFalse 123 130 131 131 131 131 134 134 139 139 144
Conditional branches to Arg1 based
on Arg2.
JmpFalseLong 124 131 132 132 132 132 135 135 140 140 145 Addr32, Reg8 (total size 5)
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Conditional branches to Arg1 based
on Arg2.
Addr32 (total size 4)
JmpLong 120 127 128 128 128 128 131 131 136 136 141
Unconditional branch to Arg1.
Addr8, Reg8 (total size 2)
JmpTrue 121 128 129 129 129 129 132 132 137 137 142
Conditional branches to Arg1 based
on Arg2.
Addr32, Reg8 (total size 5)
JmpTrueLong 122 129 130 130 130 130 133 133 138 138 143
Conditional branches to Arg1 based
on Arg2.
Addr8, Reg8 (total size 2)
JmpUndefined 125 132 133 133 133 133 136 136 141 141 146
Jump if the value is undefined.
Addr32, Reg8 (total size 5)
JmpUndefinedLong 126 133 134 134 134 134 137 137 142 142 147
Jump if the value is undefined.
Reg8, Reg8, Reg8 (total size 3)
LShift 30 30 30 30 30 30 30 30 31 31 31
Arg1 = Arg2 << Arg3 (JS bitshift left)
Reg8, Reg8, Reg8 (total size 3)
Less 17 17 17 17 17 17 17 17 18 18 18
Arg1 = Arg2 < Arg3 (JS less-than)
Reg8, Reg8, Reg8 (total size 3)
LessEq 18 18 18 18 18 18 18 18 19 19 19
Arg1 = Arg2 <= Arg3 (JS less-than-or-
equals)
Reg8, UInt16 (bigint_id) (total size 3)
LoadConstBigInt 111
Load a constant BigInt value by
bigint table index.
Reg8, UInt32 (bigint_id) (total size 5)
LoadConstBigIntLongIndex 112
Load a constant BigInt value by
bigint table index.
Reg8, Double (total size 9)
LoadConstDouble 101 103 104 104 104 104 104 104 108 108 110
Load a constant double value.
Reg8 (total size 1)
LoadConstEmpty 111 111 115
Load common constants.
Reg8 (total size 1)
LoadConstFalse 107 109 110 110 110 110 110 110 115 115 119
Load common constants.
Reg8, Imm32 (total size 5)
LoadConstInt 100 102 103 103 103 103 103 103 107 107 109
Load a constant integer value.
Reg8 (total size 1)
LoadConstNull 105 107 108 108 108 108 108 108 113 113 117
Load common constants.
Reg8, UInt16 (string_id) (total size 3)
LoadConstString 102 104 105 105 105 105 105 105 109 109 113
Load a constant string value by
string table index.
LoadConstStringLongIndex 103 105 106 106 106 106 106 106 110 110 114 Reg8, UInt32 (string_id) (total size 5)
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Load a constant string value by
string table index.
Reg8 (total size 1)
LoadConstTrue 106 108 109 109 109 109 109 109 114 114 118
Load common constants.
Reg8, UInt8 (total size 2)
LoadConstUInt8 99 101 102 102 102 102 102 102 106 106 108
Load a constant integer value.
Reg8 (total size 1)
LoadConstUndefined 104 106 107 107 107 107 107 107 112 112 116
Load common constants.
Reg8 (total size 1)
LoadConstZero 108 110 111 111 111 111 111 111 116 116 120
Load common constants.
Reg8, Reg8, UInt8 (total size 3)

Load a value from an environment.

Arg1 is the destination.
LoadFromEnvironment 43 43 43 43 43 43 43 43 44 44 46
Arg2 is the environment (as fetched
by GetEnvironment).
Arg3 is the environment index slot
number.
Reg8, Reg8, UInt16 (total size 4)

Load a value from an environment.

Arg1 is the destination.
LoadFromEnvironmentL 44 44 44 44 44 44 44 44 45 45 47
Arg2 is the environment (as fetched
by GetEnvironment).
Arg3 is the environment index slot
number.
Reg8, UInt8 (total size 2)

Load a function parameter by index.

LoadParam 97 99 100 100 100 100 100 100 104 104 106
Starts at 0 with 'this'.
Arg1 = Arg2 == 0 ? this :
arguments[Arg2 - 1];
Reg8, UInt32 (total size 5)
LoadParamLong 98 100 101 101 101 101 101 101 105 105 107
Like LoadParam, but allows
accessing arguments >= 255.
Reg8 (total size 1)

Obtain the raw \c this value and

coerce it to an object. Equivalent to:
LoadThisNS 110 112 113 113 113 113 113 113 118 118 122
\code
LoadParam Arg1, #0
CoerceThisNS Arg1, Arg1
\endcode
Reg8, Reg8, Reg8 (total size 3)
Loadi16 192 197
Arg1 = HEAP16[Arg3 >> 1] (load
signed 16-bit integer)
Reg8, Reg8, Reg8 (total size 3)
Loadi32 194 199
Arg1 = HEAP32[Arg3 >> 2] (load
signed 32-bit integer)
Loadi8 190 195 Reg8, Reg8, Reg8 (total size 3)
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Arg1 = HEAP8[Arg3] (load signed 8-
bit integer)
Reg8, Reg8, Reg8 (total size 3)
Loadu16 193 198
Arg1 = HEAPU16[Arg3 >> 1] (load
unsigned 16-bit integer)
Reg8, Reg8, Reg8 (total size 3)
Loadu32 195 200
Arg1 = HEAPU32[Arg3 >> 2] (load
unsigned 32-bit integer)
Reg8, Reg8, Reg8 (total size 3)
Loadu8 191 196
Arg1 = HEAPU8[Arg3] (load
unsigned 8-bit integer)
Reg8, Reg8, Reg8 (total size 3)
Mod 27 27 27 27 27 27 27 27 28 28 28
Arg1 = Arg2 % Arg3 (JS remainder)
Reg8, Reg8 (total size 2)
Mov 7 7 7 7 7 7 7 7 8 8 8
Arg1 = Arg2 (Register copy)
Reg32, Reg32 (total size 8)
MovLong 8 8 8 8 8 8 8 8 9 9 9
Arg1 = Arg2 (Register copy, long
index)
Reg8, Reg8, Reg8 (total size 3)
Mul 23 23 23 23 23 23 23 23 24 24 24
Arg1 = Arg2 * Arg3 (JS
multiplication)
Reg8, Reg8, Reg8 (total size 3)
Mul32 187 192
Arg1 = Arg2 * Arg3 (32-bit integer
multiplication)
Reg8, Reg8, Reg8 (total size 3)
MulN 24 24 24 24 24 24 24 24 25 25 25
Arg1 = Arg2 * Arg3 (Numeric
multiplication, skips number check)
Reg8, Reg8 (total size 2)
Negate 9 9 9 9 9 9 9 9 10 10 10
Arg1 = -Arg2 (Unary minus)
Reg8, Reg8, Reg8 (total size 3)
Neq 15 15 15 15 15 15 15 15 16 16 16
Arg1 = Arg2 != Arg3 (JS inequality)
Reg8, UInt16 (total size 3)
NewArray 6 6 6 6 6 6 6 6 7 7 7
Create a new array of a given size.
Arg1 = new Array(Arg2)
NewArrayWithBuffer 4 4 4 4 4 4 4 4 5 5 5 Reg8, UInt16, UInt16, UInt16 (total
size 7)

Create an array from a static list of

values, as for var=[1,2,3].
Any non-constant elements can be
set afterwards with
PutOwnByIndex.
Arg1 is the destination.
Arg2 is a preallocation size hint.
Arg3 is the number of static
elements.
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Arg4 is the index in the array buffer
table.
Reg8, UInt16, UInt16, UInt32 (total
size 9)

Create an array from a static list of

values, as for var=[1,2,3].
Any non-constant elements can be
set afterwards with
NewArrayWithBufferLong 5 5 5 5 5 5 5 5 6 6 6
PutOwnByIndex.
Arg1 is the destination.
Arg2 is a preallocation size hint.
Arg3 is the number of static
elements.
Arg4 is the index in the array buffer
table.
Reg8 (total size 1)

Create a new, empty Object using

NewObject 2 2 2 2 2 2 2 2 3 3 3 the built-in constructor (regardless
of
whether it was overridden).
Arg1 = {}
Reg8, UInt16, UInt16, UInt16, UInt16
(total size 9)

Create an object from a static map of

values, as for var={'a': 3}.
Any non-constant elements can be
set afterwards with PutOwnByInd.
NewObjectWithBuffer 0 0 0 0 0 0 0 0 1 1 1 Arg1 is the destination.
Arg2 is a preallocation size hint.
Arg3 is the number of static
elements.
Arg4 is the index in the object key
buffer table.
Arg5 is the index in the object val
buffer table.
Reg8, UInt16, UInt16, UInt32, UInt32
(total size 13)

Create an object from a static map of

values, as for var={'a': 3}.
Any non-constant elements can be
set afterwards with PutOwnByInd.
NewObjectWithBufferLong 1 1 1 1 1 1 1 1 2 2 2 Arg1 is the destination.
Arg2 is a preallocation size hint.
Arg3 is the number of static
elements.
Arg4 is the index in the object key
buffer table.
Arg5 is the index in the object val
buffer table.
NewObjectWithParent 3 3 3 3 3 3 3 3 4 4 4 Reg8, Reg8 (total size 2)

Create a new empty Object with the

specified parent. If the parent is
null, no parent is used. If the parent
is not an object, the builtin
Object.prototype is used. Otherwise
the parent itself is used.
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
Arg1 = the created object
Arg2 = the parent.
Reg8, Reg8 (total size 2)
Not 10 10 10 10 10 10 10 10 11 11 11
Arg1 = !Arg2 (Boolean not)
UInt16 (total size 2)

Define a profile point.

Arg1 is the function local profile
point index. The first one will have
ProfilePoint 91 91 92 92 92 92 92 92 95 95 97
the
largest index. If there are more than
2^16 profile points in the function,
all the overflowed profile points
have index zero.
Reg8, Reg8, UInt8, UInt16 (string_id)
(total size 5)
PutById 54 54 54 54 54 54 54 54 55 55 57
Set an object property by string
index.
Arg1[stringtable[Arg4]] = Arg2.
Reg8, Reg8, UInt8, UInt32 (string_id)
(total size 7)
PutByIdLong 55 55 55 55 55 55 55 55 56 56 58
Set an object property by string
index.
Arg1[stringtable[Arg4]] = Arg2.
Reg8, Reg8, Reg8 (total size 3)

Set a property by value. Constant

string values should instead use
GetById
PutByVal 69 69 69 69 69 69 69 69 70 70 72
(unless they are array indices
according to ES5.1 section 15.4, in
which
case this is still the right opcode).
Arg1[Arg2] = Arg3
Reg8, Reg8, UInt16 (string_id) (total
size 4)

Create a new own property on an

object. This is similar to PutById, but
the destination must be an object, it
only deals with own properties,
ignoring the prototype chain, and
the property must not already be
PutNewOwnById 59 59 59 59 59 59 59 59 60 60 62
defined.
Similarly to PutById, the property
name cannot be a valid array index.
Arg1 is the destination object, which
is known to be an object.
Arg2 is the value to write.
Arg3 is the string table ID of the
property name.
Arg1[stringtable[Arg3]] = Arg2
PutNewOwnByIdLong 60 60 60 60 60 60 60 60 61 61 63 Reg8, Reg8, UInt32 (string_id) (total
size 6)

Create a new own property on an

object. This is similar to PutById, but
the destination must be an object, it
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
only deals with own properties,
ignoring the prototype chain, and
the property must not already be
defined.
Similarly to PutById, the property
name cannot be a valid array index.
Arg1 is the destination object, which
is known to be an object.
Arg2 is the value to write.
Arg3 is the string table ID of the
property name.
Arg1[stringtable[Arg3]] = Arg2
Reg8, Reg8, UInt8 (string_id) (total
size 3)

Create a new own property on an

object. This is similar to PutById, but
the destination must be an object, it
only deals with own properties,
ignoring the prototype chain, and
the property must not already be
PutNewOwnByIdShort 58 58 58 58 58 58 58 58 59 59 61
defined.
Similarly to PutById, the property
name cannot be a valid array index.
Arg1 is the destination object, which
is known to be an object.
Arg2 is the value to write.
Arg3 is the string table ID of the
property name.
Arg1[stringtable[Arg3]] = Arg2
Reg8, Reg8, UInt16 (string_id) (total
size 4)

Create a new non-enumerable own

property on an object. This is the
same as
PutNewOwnById, but creates the
PutNewOwnNEById 61 61 61 61 61 61 61 61 62 62 64
property with different
enumerability.
Arg1 is the destination object.
Arg2 is the value to write.
Arg3 is the string table ID of the
property name.
Arg1[stringtable[Arg3]] = Arg2
Reg8, Reg8, UInt32 (string_id) (total
size 6)

Create a new non-enumerable own

property on an object. This is the
same as
PutNewOwnById, but creates the
PutNewOwnNEByIdLong 62 62 62 62 62 62 62 62 63 63 65
property with different
enumerability.
Arg1 is the destination object.
Arg2 is the value to write.
Arg3 is the string table ID of the
property name.
Arg1[stringtable[Arg3]] = Arg2
PutOwnByIndex 63 63 63 63 63 63 63 63 64 64 66 Reg8, Reg8, UInt8 (total size 3)

Assign a value to a constant integer

own property which will be created
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
as
enumerable. This is used
(potentially in conjunction with
NewArrayWithBuffer) for arr=
[foo,bar] initializations.
Arg1[Arg3] = Arg2;
Reg8, Reg8, UInt32 (total size 6)

Assign a value to a constant integer

own property which will be created
as
PutOwnByIndexL 64 64 64 64 64 64 64 64 65 65 67
enumerable. This is used
(potentially in conjunction with
NewArrayWithBuffer) for arr=
[foo,bar] initializations.
Arg1[Arg3] = Arg2;
Reg8, Reg8, Reg8, UInt8 (total size 4)

Set an own property identified by

value.
Arg1 is the destination object.
Arg2 is the value to write.
PutOwnByVal 65 65 65 65 65 65 65 65 66 66 68
Arg3 is the property name.
Arg4 : bool -> enumerable. If true,
the property is created as
enumerable,
non-enumerable otherwise.
Arg1[Arg3] = Arg2;
Reg8, Reg8, Reg8, Reg8, UInt8 (total
size 5)

Add a getter and a setter for a

property by value.
Object.defineProperty(Arg1, Arg2, {
get: Arg3, set: Arg4 }).
Arg1 is the target object which will
PutOwnGetterSetterByVal 71 71 71 71 71 71 71 71 72 72 74
have a property defined.
Arg2 is the property name
Arg3 is the getter closure or
undefined
Arg4 is the setter closure or
undefined
Arg5 : boolean - if true, the property
will be enumerable.
Reg8, Reg8, Reg8 (total size 3)
RShift 31 31 31 31 31 31 31 31 32 32 32
Arg1 = Arg2 >> Arg3 (JS signed
bitshift right)
Reg8 (total size 1)

Create an actual 'arguments' array,

if get-by-index and length isn't
enough.
ReifyArguments 116 118 119 119 119 119 119 119 124 124 129
Arg1 is the lazy loaded register,
which afterwards will contain a
proper
object that can be used by non-
*Arguments* opcodes like Return.
ResumeGenerator 122 123 123 123 123 123 123 128 128 133 Reg8, Reg8 (total size 2)

Resume generator by performing

one of the following user-requested
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
actions:
- next(val): Set Arg1 to val, Arg2 to
false, run next instruction
- return(val): Set Arg1 to val, Arg2 to
true, run next instruction
- throw(val): Throw val as an error
Arg1 is the result provided by the
user.
Arg2 is a boolean which is true if the
user requested a return().
Reg8 (total size 1)

Ret 85 85 85 85 85 85 85 85 88 88 90 Return a value from the current

function.
return Arg1;
Addr8 (total size 1)

SaveGenerator 134 135 135 135 135 138 138 143 143 148 Save the provided value, yield, and
signal the VM to restart execution
at the provided target.
Addr32 (total size 4)

SaveGeneratorLong 135 136 136 136 136 139 139 144 144 149 Save the provided value, yield, and
signal the VM to restart execution
at the provided target.
Reg8, Reg8, Reg8 (total size 3)

Choose the result of a constructor:

'this' or a returned object.
Arg1 is the result.
SelectObject 96 98 99 99 99 99 99 99 103 103 105 Arg2 is the 'this' object used for the
constructor.
Arg3 is the constructor's return
value.
Arg1 = Arg3 instanceof Object ? Arg3
: Arg2
(total size 0)

Start the generator by jumping to

StartGenerator 121 122 122 122 122 122 122 127 127 132 the next instruction to begin.
Restore the stack frame if this
generator has previously been
suspended.
Reg8, Reg8, Reg8 (total size 3)
Store16 197 202
HEAP16[Arg2] = Arg3 (store signed
or unsigned 16-bit integer)
Reg8, Reg8, Reg8 (total size 3)
Store32 198 203
HEAP32[Arg2] = Arg3 (store signed
or unsigned 32-bit integer)
Reg8, Reg8, Reg8 (total size 3)
Store8 196 201
HEAP8[Arg2] = Arg3 (store signed or
unsigned 8-bit integer)
StoreNPToEnvironment 41 41 41 41 41 41 41 41 42 42 44 Reg8, UInt8, Reg8 (total size 3)

Store a value in an environment.

StoreNPToEnvironment[L] store a
non-pointer value in an
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89
environment
Arg1 is the environment (as fetched
by GetEnvironment).
Arg2 is the environment index slot
number.
Arg3 is the value.
Reg8, UInt16, Reg8 (total size 4)

Store a value in an environment.

StoreNPToEnvironment[L] store a
non-pointer value in an
StoreNPToEnvironmentL 42 42 42 42 42 42 42 42 43 43 45 environment
Arg1 is the environment (as fetched
by GetEnvironment).
Arg2 is the environment index slot
number.
Arg3 is the value.
Reg8, UInt8, Reg8 (total size 3)

Store a value in an environment.

StoreNPToEnvironment[L] store a
non-pointer value in an
StoreToEnvironment 39 39 39 39 39 39 39 39 40 40 42 environment
Arg1 is the environment (as fetched
by GetEnvironment).
Arg2 is the environment index slot
number.
Arg3 is the value.
Reg8, UInt16, Reg8 (total size 4)

Store a value in an environment.

StoreNPToEnvironment[L] store a
non-pointer value in an
StoreToEnvironmentL 40 40 40 40 40 40 40 40 41 41 43 environment
Arg1 is the environment (as fetched
by GetEnvironment).
Arg2 is the environment index slot
number.
Arg3 is the value.
Reg8, Reg8, Reg8 (total size 3)
StrictEq 14 14 14 14 14 14 14 14 15 15 15
Arg1 = Arg2 === Arg3 (JS strict
equality)
Reg8, Reg8, Reg8 (total size 3)
StrictNeq 16 16 16 16 16 16 16 16 17 17 17
Arg1 = Arg2 !== Arg3 (JS strict
inequality)
Reg8, Reg8, Reg8 (total size 3)
Sub 28 28 28 28 28 28 28 28 29 29 29
Arg1 = Arg2 - Arg3 (JS subtraction)
Reg8, Reg8, Reg8 (total size 3)
Sub32 186 191
Arg1 = Arg2 - Arg3 (32-bit integer
subtraction)
Reg8, Reg8, Reg8 (total size 3)
SubN 29 29 29 29 29 29 29 29 30 30 30
Arg1 = Arg2 - Arg3 (Numeric
subtraction, skips number check)
SwitchImm 118 120 121 121 121 121 121 121 126 126 131 Reg8, UInt32, Addr32, UInt32, UInt32
(total size 17)
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89

Jump table switch - using a table of

offset, jump to the offset of the given
input or to the default block if out of
range (or not right type)
Arg 1 is the value to be branched
upon
Arg 2 is the relative offset of the
jump table to be used by this
instruction. Jump tables are
appended to the bytecode. Arg 3 is
the relative
offset for the "default" jump. Arg 4 is
the unsigned min value, if arg 1 is
less than this value jmp to
default block
Arg 5 is the unsigned max value, if
arg 1 is greater than this value jmp
to
default block.
Given the above, the jump table
entry for a given value (that is in
range)
is located at offset ip + arg2 + arg1 -
arg4. We subtract arg4 to avoid
wasting space when compiling
denses switches that do not start at
zero. Note
that Arg2 is *unaligned* it is
dynamically aligned at runtime.
Reg8 (total size 1)
Throw 88 88 88 88 88 88 88 88 91 91 93
Throw an exception.
throw Arg1;
Reg8, Reg8 (total size 2)

If Arg2 is Empty, throw

ReferenceError, otherwise move it
ThrowIfEmpty 92 92 94
into Arg1.
Arg1 is the destination of the return
value
Arg2 is the value to check
Reg8 (total size 1)
ThrowIfUndefinedInst 89 89 89 89 89 89
Throw ReferenceError if the
operand is HermesValue::undefined
Reg8, Reg8 (total size 2)

ToInt32 112 114 115 115 115 115 115 115 120 120 125 Convert a value to a 32-bit signed
integer.
Arg1 = Arg2 | 0
Reg8, Reg8 (total size 2)
ToNumber 111 113 114 114 114 114 114 114 119 119 123
Convert a value to a number.
Arg1 = Arg2 - 0
Reg8, Reg8 (total size 2)
ToNumeric 124
Convert a value to a numberic.
Arg1 = ToNumeric(Arg2)
TryGetById 52 52 52 52 52 52 52 52 53 53 55 Reg8, Reg8, UInt8, UInt16 (string_id)
(total size 5)
 Instruction Bytecode version to opcode Documentation
51 58 59 60 62 71 74 76 83 84 89

Get an object property by string

table index, or throw if not found.
This is similar to GetById, but
intended for use with global
variables
where Arg2 = GetGlobalObject.
Reg8, Reg8, UInt8, UInt32 (string_id)
(total size 7)

Get an object property by string

TryGetByIdLong 53 53 53 53 53 53 53 53 54 54 56 table index, or throw if not found.
This is similar to GetById, but
intended for use with global
variables
where Arg2 = GetGlobalObject.
Reg8, Reg8, UInt8, UInt16 (string_id)
(total size 5)

Set an object property by string

TryPutById 56 56 56 56 56 56 56 56 57 57 59 index, or throw if undeclared.
This is similar to PutById, but
intended for use with global
variables
where Arg1 = GetGlobalObject.
Reg8, Reg8, UInt8, UInt32 (string_id)
(total size 7)

Set an object property by string

TryPutByIdLong 57 57 57 57 57 57 57 57 58 58 60 index, or throw if undeclared.
This is similar to PutById, but
intended for use with global
variables
where Arg1 = GetGlobalObject.
Reg8, Reg8 (total size 2)
TypeOf 12 12 12 12 12 12 12 12 13 13 13
Arg1 = typeof Arg2 (JS typeof)
Reg8, Reg8, Reg8 (total size 3)
URshift 32 32 32 32 32 32 32 32 33 33 33
Arg1 = Arg2 >>> Arg3 (JS unsigned
bitshift right)
(total size 0)

Unreachable 92 92 93 93 93 93 93 93 0 0 0 Unreachable opcode for stubs and

similar. This is first so that it has the
value zero.