Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4758c065a2c90027f5e7d243d73f2dceb9be5da5
https://github.com/WebKit/WebKit/commit/4758c065a2c90027f5e7d243d73f2dceb9be5da5
Author: Yusuke Suzuki <[email protected]>
Date: 2026-01-16 (Fri, 16 Jan 2026)
Changed paths:
M Source/JavaScriptCore/b3/B3AbstractHeap.h
M Source/JavaScriptCore/b3/B3AbstractHeapRepository.h
M Source/JavaScriptCore/wasm/WasmBBQJIT.h
M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
M Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
M Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
Log Message:
-----------
[JSC] More precise TBAA for WasmGC Struct
https://bugs.webkit.org/show_bug.cgi?id=305623
rdar://168279327
Reviewed by Justin Michaud.
Previously WasmGC struct Type-based Alias Analysis (TBAA) was using
the offset of the field + type. But this is not precise since a completely
unrelated WasmGC struct type may have the same key.
We can do more precise TBAA by using StructType information which
directly owns this field. Like,
    struct A {
        int a;
        int b;
    };
    struct B : A {
        int c;
        int d;
    };
    struct C : A {
        int e;
        int f;
    };
When C.a, B.a, A.a are accessed, since they can be aliased, we
should have a key `(A, a)`. By using the owner Struct Type and field
index, we can have a unique identifier for each field.
We use RTT* and fieldIndex to generate this key. And use it in B3 CSE.
* Source/JavaScriptCore/b3/B3AbstractHeap.h:
(JSC::B3::NumberedAbstractHeap::at):
(JSC::B3::NumberedAbstractHeap::operator[]):
* Source/JavaScriptCore/b3/B3AbstractHeapRepository.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructSet):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructSet):
* Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp:
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp:
(JSC::Wasm::IPIntGenerator::addStructGet):
(JSC::Wasm::IPIntGenerator::addStructSet):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::structFieldHeap):
(JSC::Wasm::OMGIRGenerator::emitStructSet):
(JSC::Wasm::OMGIRGenerator::addStructNew):
(JSC::Wasm::OMGIRGenerator::addStructNewDefault):
(JSC::Wasm::OMGIRGenerator::addStructGet):
(JSC::Wasm::OMGIRGenerator::addStructSet):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::structFieldHeap):
(JSC::Wasm::OMGIRGenerator::emitStructSet):
(JSC::Wasm::OMGIRGenerator::addStructNew):
(JSC::Wasm::OMGIRGenerator::addStructNewDefault):
(JSC::Wasm::OMGIRGenerator::addStructGet):
(JSC::Wasm::OMGIRGenerator::addStructSet):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::RTT::RTT):
(JSC::Wasm::RTT::tryCreate):
(JSC::Wasm::TypeInformation::createCanonicalRTTForType):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
Canonical link: https://commits.webkit.org/305726@main
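The keying scheme described in the log message, as an added example that is not code from this commit or from WebKit. StructType, offsetKey, ownerKey and the sample type D are hypothetical names; the model assumes single inheritance, 4-byte i32 fields, and that the owner is found by walking the supertype chain.

```cpp
#include <cstdio>
#include <utility>

// Hypothetical model of a WasmGC struct type (not JSC's RTT): single
// inheritance, a subtype's own fields follow the inherited ones.
struct StructType {
    const char* name;
    const StructType* super;   // nullptr for a root type
    unsigned ownFields;        // fields declared by this type itself
    unsigned fieldCount() const { return (super ? super->fieldCount() : 0) + ownFields; }
};

constexpr unsigned kFieldSize = 4; // assumption: every field is a 4-byte i32
enum class ValueType { I32 };

// Old scheme from the log message: field offset + field type.
using OffsetKey = std::pair<unsigned, ValueType>;
OffsetKey offsetKey(const StructType&, unsigned fieldIndex) {
    return { fieldIndex * kFieldSize, ValueType::I32 };
}

// New scheme: (struct type that owns the field, field index). The owner is
// the topmost ancestor whose layout already contains this index.
using OwnerKey = std::pair<const StructType*, unsigned>;
OwnerKey ownerKey(const StructType& accessed, unsigned fieldIndex) {
    const StructType* owner = &accessed;
    while (owner->super && fieldIndex < owner->super->fieldCount())
        owner = owner->super;
    return { owner, fieldIndex };
}

// Constructed sample types: A, B : A, C : A from the log message, plus an
// unrelated root type D.
const StructType typeA { "A", nullptr, 2 };
const StructType typeB { "B", &typeA, 2 };
const StructType typeC { "C", &typeA, 2 };
const StructType typeD { "D", nullptr, 3 };

int main() {
    std::printf("B.a owner: %s\n", ownerKey(typeB, 0).first->name);
    std::printf("B.c owner: %s\n", ownerKey(typeB, 2).first->name);
    std::printf("A.a vs D field 0: same offset key %d, same owner key %d\n",
        offsetKey(typeA, 0) == offsetKey(typeD, 0), ownerKey(typeA, 0) == ownerKey(typeD, 0));
    return 0;
}
```

The property a reviewer checks in such a scheme is one-directional: two accesses that can touch the same memory must always map to the same key, because an optimizer that treats distinct keys as non-aliasing would otherwise reuse a stale load across a store.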