Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 94e35cf4d86c0d426751c9e46ce9a8f853dfea64
https://github.com/WebKit/WebKit/commit/94e35cf4d86c0d426751c9e46ce9a8f853dfea64
Author: Yusuke Suzuki <[email protected]>
Date: 2026-05-04 (Mon, 04 May 2026)
Changed paths:
A JSTests/stress/array-concat-intrinsic-cow-result.js
A JSTests/stress/array-concat-intrinsic-non-array-object.js
A JSTests/stress/array-concat-intrinsic-sparse-threshold.js
A JSTests/stress/array-concat-intrinsic-spreadable-watchpoint.js
A JSTests/stress/array-concat-intrinsic.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGCloneHelper.h
M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGNodeType.h
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/dfg/DFGOperations.h
M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
M Source/JavaScriptCore/runtime/ArrayPrototype.h
M Source/JavaScriptCore/runtime/Intrinsic.h
Log Message:
-----------
[JSC] Add Array#concat DFG nodes
https://bugs.webkit.org/show_bug.cgi?id=313926
rdar://176122830
Reviewed by Yijia Huang.
This patch adds Array#concat handling in DFG / FTL.
1. Initially we emit ArrayConcatAppendOne DFG node. This is because we
have no idea whether second input is Array or not at this point yet.
2. In fixup phase, we check prediction, and we may convert
ArrayConcatAppendOne to ArrayConcatArray, which is more optimized for
`array.concat(array)` case.
3. Add DFG operation, which can return nullptr when it has complicated
side-effects, like @@isConcatSpreadable for the second argument. When
we found these cases, we just return nullptr. And then DFG / FTL will
do OSR exit via ExoticObjectMode.
4. We set necessary watchpoints in DFG so that operation code skips many
checks.
Tests: JSTests/stress/array-concat-intrinsic-cow-result.js
JSTests/stress/array-concat-intrinsic-non-array-object.js
JSTests/stress/array-concat-intrinsic-sparse-threshold.js
JSTests/stress/array-concat-intrinsic-spreadable-watchpoint.js
JSTests/stress/array-concat-intrinsic.js
* JSTests/stress/array-concat-intrinsic-cow-result.js: Added.
(assert):
(shallowEq):
(firstEmpty):
(secondEmpty):
(firstEmptyDouble):
(secondEmptyDouble):
(firstEmptyContiguous):
(secondEmptyContiguous):
(sumAfterConcat):
* JSTests/stress/array-concat-intrinsic-non-array-object.js: Added.
(assert):
(objConcat):
(runAll):
* JSTests/stress/array-concat-intrinsic-sparse-threshold.js: Added.
(assert):
(makeInt32):
(doConcat):
* JSTests/stress/array-concat-intrinsic-spreadable-watchpoint.js: Added.
(assert):
(shallowEq):
(concatArr):
(concatOne):
* JSTests/stress/array-concat-intrinsic.js: Added.
(assert):
(shallowEq):
(runConcat):
(testBasic):
(testSpeciesInvalidation.MyArray.get Symbol):
(testSpeciesInvalidation.MyArray):
(testSpeciesInvalidation):
(testIsConcatSpreadable):
(testCOW.makeCOW):
(testCOW):
(testLarge):
(appendInt):
(appendDouble):
(appendString):
(appendBool):
(appendNull):
(appendUndef):
(polyConcat):
(objConcat):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGCloneHelper.h:
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileArrayConcatArray):
(JSC::FTL::DFG::LowerDFGToB3::compileArrayConcatAppendOne):
* Source/JavaScriptCore/runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
(JSC::tryConcatAppendOneNonArray):
(JSC::tryConcatAppendArrayFastWithWatchpoints):
(JSC::tryConcatOneArgFast):
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::concatAppendOne): Deleted.
(JSC::concatAppendArray): Deleted.
* Source/JavaScriptCore/runtime/ArrayPrototype.h:
* Source/JavaScriptCore/runtime/Intrinsic.h:
Canonical link: https://commits.webkit.org/312543@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
