[webkit-changes] [WebKit/WebKit] a3e443: [JSC] Support `DoubleShape` in `ArrayLengthStore` IC

Tue, 14 Apr 2026 01:49:43 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a3e4439fb95cefbdcebb8d1fd4739a1db1d6d267
      
https://github.com/WebKit/WebKit/commit/a3e4439fb95cefbdcebb8d1fd4739a1db1d6d267
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-04-14 (Tue, 14 Apr 2026)

  Changed paths:
    A JSTests/microbenchmarks/array-length-reset-double.js
    A JSTests/stress/array-length-store-ic-double-noncow.js
    A JSTests/stress/array-length-store-ic-double-then-int32.js
    M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp

  Log Message:
  -----------
  [JSC] Support `DoubleShape` in `ArrayLengthStore` IC
https://bugs.webkit.org/show_bug.cgi?id=312050

Reviewed by Yusuke Suzuki.

311326@main added an ArrayLengthStore inline cache that handles
ArrayWithInt32 and ArrayWithContiguous. This patch extends it to
ArrayWithDouble by selecting the hole pattern (encoded empty JSValue
vs PNaN) at the shape guard, the same way FTL initializeArrayElements
does, and using a single store64 clear loop. The Int32/Contiguous
fast path gains only a single `movz #0`.

FTL:
                                   TipOfTree                  Patched

array-length-reset-double       63.4825+-4.1166     ^     13.0505+-0.4404       
 ^ definitely 4.8644x faster

DFG:
                                   TipOfTree                  Patched

array-length-reset-double       61.7985+-0.9654     ^     15.8700+-0.5495       
 ^ definitely 3.8940x faster

Baseline:
                                   TipOfTree                  Patched

array-length-reset-double      121.8742+-2.5465     ^     75.3147+-0.3700       
 ^ definitely 1.6182x faster

Tests: JSTests/microbenchmarks/array-length-reset-double.js
       JSTests/stress/array-length-store-ic-double-noncow.js
       JSTests/stress/array-length-store-ic-double-then-int32.js

* JSTests/microbenchmarks/array-length-reset-double.js: Added.
(test):
* JSTests/stress/array-length-store-ic-double-noncow.js: Added.
(shouldBe):
(f):
* JSTests/stress/array-length-store-ic-double-then-int32.js: Added.
(shouldBe):
(f):
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheCompiler::generateWithGuard):

Canonical link: https://commits.webkit.org/311181@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to