Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f977b7aa6f769b2fa944b306bdde40e365388e53
      
https://github.com/WebKit/WebKit/commit/f977b7aa6f769b2fa944b306bdde40e365388e53
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-04-08 (Wed, 08 Apr 2026)

  Changed paths:
    A JSTests/microbenchmarks/check-private-brand-polymorphic.js
    A JSTests/stress/check-private-brand-clobberize.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGHeapLocation.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] Refine clobberize rules for `CheckPrivateBrand` and `SetPrivateBrand`
https://bugs.webkit.org/show_bug.cgi?id=311058

Reviewed by Yusuke Suzuki.

CheckPrivateBrand and SetPrivateBrand were falling through to clobberWorld(),
preventing CSE and LICM. This patch gives them precise rules: CheckPrivateBrand
only reads JSCell_structureID (BrandedStructure::checkBrand traverses immutable
m_brand/m_parentBrand after reading the base's structure, same category as
CheckStructure), and SetPrivateBrand reads/writes it like PutStructure. A new
CheckPrivateBrandLoc heap location enables CSE of redundant brand checks on the
same base and symbol.

This patch also adds CellUse to CheckPrivateBrand's base operand in FixupPhase,
matching SetPrivateBrand's existing handling. On speculation failure, OSR exit
falls back to baseline where toObject throws, preserving semantics. This lets us
drop branchIfNotCell in the DFG fast path and use lowCell in FTL.

Polymorphic private method calls (>4 classes, where the raw CheckPrivateBrand
node survives instead of being lowered to CheckStructure) show ~1.5x 
improvement.
JetStream3 raytrace-private-class-fields is neutral as its monomorphic call
sites are already lowered.

                                         TipOfTree                  Patched

check-private-brand-polymorphic       54.1080+-3.8215     ^     36.2630+-3.5408 
       ^ definitely 1.4921x faster

Tests: JSTests/microbenchmarks/check-private-brand-polymorphic.js
       JSTests/stress/check-private-brand-clobberize.js

* JSTests/microbenchmarks/check-private-brand-polymorphic.js: Added.
* JSTests/stress/check-private-brand-clobberize.js: Added.
(assert):
(assertThrows):
(testPolymorphicCSE.factory.return.prototype.m):
(testPolymorphicCSE.factory.return.prototype.go):
(testPolymorphicCSE.run):
(testCellUseThrow.C.prototype.m):
(testCellUseThrow.C.call):
(testCellUseThrow.C):
(testNoStaleCSEAcrossTransition.factory.return.prototype.m):
(testNoStaleCSEAcrossTransition.factory.return.prototype.go):
(testNoStaleCSEAcrossTransition.run):
(testWrongBrandAfterCSE.factory.return.prototype.m):
(testWrongBrandAfterCSE.factory.return.prototype.go):
(testWrongBrandAfterCSE.run):
(testLICM.factory.return.prototype.m):
(testLICM.factory.return.prototype.sum):
(testLICM.run):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckPrivateBrand):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckPrivateBrand):

Canonical link: https://commits.webkit.org/310775@main
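The following JavaScript is an added illustration, not code from the WebKit commit or its tests: it exercises the observable semantics the commit message says must be preserved (a redundant `CheckPrivateBrand` on the same base and symbol, a brand check surviving a structure transition, and a `TypeError` for non-cell or unbranded receivers) at a call site that is polymorphic over more than four receiver shapes. The class layout and the `makeSubclasses`/`polymorphicSum` names are constructed for this example.

```javascript
'use strict';

// Base class with a private method; every `this.#m(...)` below compiles to a
// private brand check on the receiver before the call.
class Base {
  #m(x) { return x + 1; }
  go(x) {
    // Two brand checks on the same base and symbol inside one function.
    // The second one is redundant; an optimizing compiler may eliminate it,
    // but the result must be identical to evaluating both.
    return this.#m(x) + this.#m(x);
  }
}

// Constructed: six subclasses with distinct own-property layouts, so the
// receiver at `go`'s call site has more than four structures (polymorphic)
// while all of them carry Base's brand.
function makeSubclasses(count) {
  const subs = [];
  for (let i = 0; i < count; i++) {
    subs.push(class extends Base {
      constructor() { super(); this['f' + i] = i; }
    });
  }
  return subs;
}

// Drives the polymorphic call site; returns the accumulated result so the
// behaviour can be checked independently of any JIT tier.
function polymorphicSum(iterations, shapeCount = 6) {
  const insts = makeSubclasses(shapeCount).map(S => new S());
  let total = 0;
  for (let i = 0; i < iterations; i++) {
    total += insts[i % insts.length].go(i);   // each call returns 2 * (i + 1)
  }
  return total;
}

// A structure transition (adding a property) between two brand checks on the
// same base: the brand is not affected by the transition, so both checks pass.
class Transitioning {
  #m() { return 1; }
  go() {
    const first = this.#m();
    this.extra = true;               // structure changes here
    return first + this.#m();        // brand check must still succeed
  }
}

function throwsTypeError(fn) {
  try { fn(); } catch (e) { return e instanceof TypeError; }
  return false;
}

// Receivers that are not cells (primitives, null, undefined) or are objects
// without the brand must all raise TypeError, regardless of speculation.
function unbrandedReceiversThrow() {
  const go = Base.prototype.go;
  const receivers = [42, 'str', null, undefined, {}, Object.create(Base.prototype)];
  return receivers.every(r => throwsTypeError(() => go.call(r, 1)));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('polymorphicSum(12) =', polymorphicSum(12));
  console.log('transition result  =', new Transitioning().go());
  console.log('unbranded throw    =', unbrandedReceiversThrow());
}
```

Running it under a JavaScriptCore or V8 shell with a high iteration count is what lets the optimizing tiers see the polymorphic site; the assertions hold at any tier, which is the property a change to clobberize rules must not break.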
