Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 10c13e90401d5a664b4db19dcd6eb773617f15fb
      
https://github.com/WebKit/WebKit/commit/10c13e90401d5a664b4db19dcd6eb773617f15fb
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-04-24 (Fri, 24 Apr 2026)

  Changed paths:
    A JSTests/microbenchmarks/object-create-null-cse.js
    A JSTests/stress/object-create-untyped-clobberize.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGClobberize.h

  Log Message:
  -----------
  [JSC] Refine clobberize rule for ObjectCreate
https://bugs.webkit.org/show_bug.cgi?id=312731

Reviewed by Yusuke Suzuki.

ObjectCreate(UntypedUse) was calling clobberTop().

operationObjectCreate never runs user JS: for non-object/non-null it
throws TypeError, for null it allocates with nullPrototypeObjectStructure(),
and for an object it calls constructEmptyObject. The only mutation of
pre-existing heap state is StructureCache::createEmptyStructure ->
JSObject::didBecomePrototype on the prototype, which performs
becomePrototypeTransition. That transition rewrites only the prototype's
structureID (indexingType and typeInfo are carried over verbatim), touches
no butterfly, does not trigger haveABadTime, and fires the prototype's
transition watchpoint set via DeferredStructureTransitionWatchpointFire.

Unify both useKinds under read/write(HeapObjectCount) +
write(JSCell_structureID, Watchpoint_fire), plus write(SideState) for
UntypedUse to model the conditional throw. Watchpoint_fire was also
missing from the existing ObjectUse rule, so InvalidationPoints were
never inserted after ObjectCreate.

                            TipOfTree                  Patched

object-create-null-cse   21.1291+-0.1360     ^     19.6590+-0.1359        ^ definitely 1.0748x faster

Tests: JSTests/microbenchmarks/object-create-null-cse.js
       JSTests/stress/object-create-untyped-clobberize.js

* JSTests/microbenchmarks/object-create-null-cse.js: Added.
(test):
* JSTests/stress/object-create-untyped-clobberize.js: Added.
(shouldBe):
(shouldThrow):
(testCSEAcrossUntypedCreate.go):
(testCSEAcrossUntypedCreate):
(testThrowOnBadPrototype.go):
(testNoHoistPastGuard.go):
(testResultPrototype.go):
(testResultPrototype):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

Canonical link: https://commits.webkit.org/312000@main
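As an added illustration (not the commit's own test files), the observable Object.create behaviour that the refined clobberize rule relies on, in plain JavaScript: a non-object, non-null prototype throws a TypeError, the result's prototype is exactly the argument, and the call runs no user code, so a value loaded before it is unchanged after it. The helper names are hypothetical.

```javascript
// Added example, not code from the WebKit commit: the observable
// Object.create semantics that the refined clobberize rule relies on.
// Helper names (createOrThrow, trapCountingProto, loadAcrossCreate) are
// hypothetical.

// Object.create(p): p must be null or an object. The result is a fresh
// object with no own properties whose [[Prototype]] is exactly p; any
// other p throws a TypeError before anything is allocated.
function createOrThrow(proto) {
  try {
    const o = Object.create(proto);
    return { ok: true, proto: Object.getPrototypeOf(o), ownKeys: Object.keys(o).length };
  } catch (e) {
    return { ok: false, error: e instanceof TypeError ? "TypeError" : String(e) };
  }
}

// A prototype whose every proxy trap lookup is counted. The handler is
// itself a Proxy, so any trap lookup (get, has, getPrototypeOf, ...)
// bumps `count` before falling back to the matching Reflect operation.
function trapCountingProto() {
  let count = 0;
  const handler = new Proxy({}, {
    get(_, trapName) { count += 1; return Reflect[trapName]; },
  });
  return { proto: new Proxy({}, handler), traps: () => count };
}

// Object.create runs no user JavaScript: creating from a proxy prototype
// fires zero traps, and a value loaded before the call is unchanged after
// it. Only a later property access on the new object consults the proxy.
function loadAcrossCreate() {
  const { proto, traps } = trapCountingProto();
  const holder = { x: 42 };            // constructed sample object
  const before = holder.x;
  const created = Object.create(proto);
  const trapsDuringCreate = traps();
  const after = holder.x;
  void created.missing;                // walks the prototype chain into the proxy
  return { sameValue: before === after, trapsDuringCreate, trapsAfterLoad: traps() };
}
```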
