Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: bc02c09f91bbf76ce60c324268bce9be26dbb583
https://github.com/WebKit/WebKit/commit/bc02c09f91bbf76ce60c324268bce9be26dbb583
Author: Sosuke Suzuki <[email protected]>
Date: 2026-04-19 (Sun, 19 Apr 2026)
Changed paths:
A JSTests/microbenchmarks/array-is-array-cse.js
A JSTests/stress/array-is-array-clobberize.js
A JSTests/stress/array-is-array-proxy-effects.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGHeapLocation.h
Log Message:
-----------
[JSC] Refine clobberize rule for `ArrayIsArray`
https://bugs.webkit.org/show_bug.cgi?id=312700
Reviewed by Yusuke Suzuki.
ArrayIsArray was falling through to clobberTop(), preventing CSE and
invalidating all structure information around every Array.isArray() call.
Per spec, IsArray never invokes user JS[1]: it reads the immutable JSCell type,
and for ProxyObject walks the immutable [[ProxyTarget]] chain checking only
whether [[ProxyHandler]] is null. No proxy trap is defined for IsArray. The
only side effect is a TypeError when a revoked proxy is encountered.
This patch gives ArrayIsArray a precise rule:
- read(MiscFields): the proxy handler slot is mutated only by
ProxyObject::revoke(), whose sole caller is the performProxyRevoke host
function. As a Call node it clobbers Heap (which includes MiscFields),
so a revoke between two ArrayIsArray nodes correctly kills the def.
- write(SideState): models the conditional throw so LICM won't hoist the
node past a guarding branch and throw on an otherwise-unreached path.
- def(ArrayIsArrayLoc): enables CSE of redundant checks on the same value,
matching the IsCallable / IsConstructor pattern.
The abstract interpreter no longer calls clobberWorld() since the node
writes neither Heap nor JSCell_structureID.
                              TipOfTree                  Patched

array-is-array-cse        5.7308+-0.1379     ^      3.2529+-0.2866         ^ definitely 1.7617x faster
[1]: https://tc39.es/ecma262/#sec-isarray
Tests: JSTests/microbenchmarks/array-is-array-cse.js
       JSTests/stress/array-is-array-clobberize.js
       JSTests/stress/array-is-array-proxy-effects.js

* JSTests/microbenchmarks/array-is-array-cse.js: Added.
(test):
* JSTests/stress/array-is-array-clobberize.js: Added.
(shouldBe):
(shouldThrow):
(testCSE.go):
(testCSE):
(testNoClobber.go):
(testNoClobber):
(testRevokedProxy.go):
(testRevokedProxy):
(testNoCSEAcrossRevoke.go):
(testDerivedArray.Derived):
(testDerivedArray.go):
(testDerivedArray):
* JSTests/stress/array-is-array-proxy-effects.js: Added.
(shouldBe):
(shouldThrow):
(testNoTrapInvocation.go):
(testNestedProxy.go):
(testNestedProxy):
(testNoHoistPastGuard.go):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
Canonical link: https://commits.webkit.org/311553@main
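The commit message above relies on four observable properties of Array.isArray: it reads no handler trap, it walks the [[ProxyTarget]] chain, it throws TypeError only when a revoked proxy is on that chain, and a revoke between two calls on the same value changes the second result. The script below is an added example written for this page, not code from WebKit or from the JSTests listed in the commit; every function name in it is ours. It runs in any ES2015+ engine (node or jsc), and the loops are the shape of code that JSC would DFG-compile after warm-up, which is where CSE of ArrayIsArray and the write(SideState) guard matter.

```javascript
// Added example for this commit page; not code from WebKit or its JSTests.
// Exercises the observable Array.isArray semantics that the ArrayIsArray
// clobberize rule depends on. Function names are our own.

// 1. IsArray defines no proxy trap, so no handler property is ever read.
//    The handler is itself a Proxy whose `get` trap counts every trap lookup.
function trapLookupsDuringIsArray(target) {
  let lookups = 0;
  const spyHandler = new Proxy({}, {
    get(_handler, _trapName) { lookups++; return undefined; },
  });
  const p = new Proxy(target, spyHandler);
  const isArray = Array.isArray(p);
  return { isArray, lookups };
}

// 2. The [[ProxyTarget]] chain is walked down to the underlying object's
//    type, however deep the nesting.
function nestedProxyIsArray(target, depth) {
  let p = target;
  for (let i = 0; i < depth; i++) p = new Proxy(p, {});
  return Array.isArray(p);
}

// 3. A null [[ProxyHandler]] anywhere on the chain throws TypeError; that
//    throw is the node's only side effect (hence write(SideState)).
function isArrayThrowsTypeError(value) {
  try {
    Array.isArray(value);
    return false;
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    return true;
  }
}

// 4. Revoking between two Array.isArray calls on the same value must change
//    the second result: the revoke is a call that clobbers Heap (and so
//    MiscFields), which kills the ArrayIsArrayLoc def, so CSE must not reuse
//    `before` for `after`.
function isArrayPairAroundRevoke(p, revoke) {
  const before = Array.isArray(p);
  revoke();                            // flips [[ProxyHandler]] to null
  let after;
  try {
    after = Array.isArray(p);
  } catch (e) {
    after = e instanceof TypeError ? "TypeError" : "other";
  }
  return [before, after];
}

// 5. The check must stay under its guard: with `guard` false a revoked proxy
//    is never examined and the loop must not throw. Hoisting Array.isArray(p)
//    out of the loop would break exactly this.
function guardedIsArrayCount(p, guard, iterations) {
  let count = 0;
  for (let i = 0; i < iterations; i++) {
    if (guard && Array.isArray(p)) count++;
  }
  return count;
}

function runAll() {
  // Constructed inputs: a revoked proxy of an array, an inner proxy revoked
  // after an outer proxy has wrapped it, and a live proxy revoked mid-test.
  const revocable = Proxy.revocable([], {});
  revocable.revoke();
  const inner = Proxy.revocable([], {});
  const outer = new Proxy(inner.proxy, {});
  inner.revoke();
  const live = Proxy.revocable([], {});

  return {
    noTraps: trapLookupsDuringIsArray([]),
    nested: [nestedProxyIsArray([], 3), nestedProxyIsArray({}, 3)],
    revokedThrows: isArrayThrowsTypeError(revocable.proxy),
    revokedInChainThrows: isArrayThrowsTypeError(outer),
    pair: isArrayPairAroundRevoke(live.proxy, live.revoke),
    guarded: guardedIsArrayCount(revocable.proxy, false, 100000),
  };
}
```

The handler-as-Proxy trick in trapLookupsDuringIsArray is the standard way to prove that a built-in performs no trap lookup at all, which is stronger than installing every named trap and checking none fired. Case 4 is the same shape as the commit's testNoCSEAcrossRevoke: if an engine reused the first result across the revoke, `after` would be `true` instead of a TypeError.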