Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5659b3ed4152aa7821288fdea285e3adfd1e0ae2
https://github.com/WebKit/WebKit/commit/5659b3ed4152aa7821288fdea285e3adfd1e0ae2
Author: Yusuke Suzuki <[email protected]>
Date: 2025-11-20 (Thu, 20 Nov 2025)
Changed paths:
A JSTests/stress/bound-check-removal-typed-array-byte-length.js
M Source/JavaScriptCore/dfg/DFGMayExit.cpp
M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
Log Message:
-----------
[JSC] Fold `new Uint8Array(new ArrayBuffer(length)).length` to `length`
https://bugs.webkit.org/show_bug.cgi?id=302832
rdar://165095809
Reviewed by Justin Michaud.
We found that this is particularly common since Uint8Array is byte view
to the underlying ArrayBuffer. This patch introduces the above folding
so that we can make GetUndetachedTypeArrayLength non-opaque to the loop
when it is using `length` directly for the loop condition instead of
`view.length`. We also make it more precise about MayExit for PutByVal
with TypedArray in FTL. Since bound-check is already separate, if it is
typed array, then it does not exit within the node.
* JSTests/stress/bound-check-removal-typed-array-byte-length.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/dfg/DFGMayExit.cpp:
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
Canonical link: https://commits.webkit.org/303351@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
