Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cf081af6f520988721d37786cf2b93fb7c719d1e
      
https://github.com/WebKit/WebKit/commit/cf081af6f520988721d37786cf2b93fb7c719d1e
  Author: Yusuke Suzuki <[email protected]>
  Date:   2026-01-26 (Mon, 26 Jan 2026)

  Changed paths:
    M Source/JavaScriptCore/b3/B3AbstractHeapRepository.h
    M Source/JavaScriptCore/b3/B3LowerMacros.cpp
    M Source/JavaScriptCore/b3/B3WasmRefTypeCheckValue.cpp
    M Source/JavaScriptCore/b3/B3WasmRefTypeCheckValue.h
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
    M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyArrayInlines.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.h

  Log Message:
  -----------
  [JSC] Embed RTT* into WasmGC object and use it instead of Structure
https://bugs.webkit.org/show_bug.cgi?id=306142
rdar://168781508

Reviewed by Dan Hecht.

Still, loading RTT from structure for type check is costly. But
structure is not sharable between multiple VMs, and structures can be
different for each JSWebAssemblyInstance with different realm for the
same RTT types. Thus, let's just add const RTT* field to Wasm GC object
field to make type check faster.

This patch improves several things.

1. We stop using TrailingArray for JSWebAssemblyStruct since it adds
   size, which is not used, but taking much space. This allows 8 byte
   space for us, which can be used for `const RTT*`.
2. Add `const RTT*` field to WebAssemblyGCObjectBase and use it for type
   checking. We no longer need to load structure for type checks.
3. We stop having inlined RTT display list in WebAssemblyGCStructure.
   And instead, having it in RTT. So we can continue using this
   optimization. Since it now becomes per-RTT, it is more memory efficient
   than the previous approach.

* Source/JavaScriptCore/b3/B3AbstractHeapRepository.h:
* Source/JavaScriptCore/b3/B3LowerMacros.cpp:
* Source/JavaScriptCore/b3/B3WasmRefTypeCheckValue.cpp:
(JSC::B3::WasmRefTypeCheckValue::dumpMeta const):
* Source/JavaScriptCore/b3/B3WasmRefTypeCheckValue.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::emitArrayGetPayload):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::emitAllocateGCArrayUninitialized):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitAllocateGCStructUninitialized):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitRefTestOrCast):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::emitGetArrayPayloadBase):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCObject):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCArrayUninitialized):
(JSC::Wasm::OMGIRGenerator::decodeNonNullStructure): Deleted.
(JSC::Wasm::OMGIRGenerator::emitLoadRTTFromObject): Deleted.
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::emitGetArrayPayloadBase):
(JSC::Wasm::OMGIRGenerator::emitRefTestOrCast):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCObject):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCArrayUninitialized):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCStructUninitialized):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::RTT::RTT):
(JSC::Wasm::RTT::tryCreate):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyArrayInlines.h:
(JSC::JSWebAssemblyArray::bytes):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.cpp:
(JSC::JSWebAssemblyStruct::JSWebAssemblyStruct):
(JSC::JSWebAssemblyStruct::tryCreate):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.cpp:
(JSC::WebAssemblyGCObjectBase::WebAssemblyGCObjectBase):
* Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.h:
(JSC::WebAssemblyGCObjectBase::rtt const):
(JSC::WebAssemblyGCObjectBase::offsetOfRTT):
* Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.cpp:
(JSC::WebAssemblyGCStructure::WebAssemblyGCStructure):
* Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.h:

Canonical link: https://commits.webkit.org/306226@main
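
The type check the log message describes, sketched as a simplified model. This is an added example, not WebKit code: `ModelRTT`, `ModelGCObject` and `refTest` are hypothetical names, and the depth-indexed display layout is an assumption. It shows the check reading the type identity straight from the object and why the display read needs a depth bound.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model for illustration; not JavaScriptCore code. All names are hypothetical.
struct ModelRTT {
    // Assumed layout: display[i] is the ancestor at depth i, display.back() is this type.
    std::vector<const ModelRTT*> display;

    explicit ModelRTT(const ModelRTT* parent = nullptr)
    {
        if (parent)
            display = parent->display;
        display.push_back(this);
    }
    ModelRTT(const ModelRTT&) = delete; // display holds `this`, so copies would be wrong
    size_t depth() const { return display.size() - 1; }
};

struct ModelGCObject {
    uint64_t header;     // stands in for the cell header that identifies the structure
    const ModelRTT* rtt; // per-object type identity, read directly by the check
};

// Subtype test: one load of object->rtt, then at most one bounds-checked display load.
bool refTest(const ModelGCObject* object, const ModelRTT* target)
{
    if (!object)
        return false; // this model treats the target as non-nullable
    const ModelRTT* actual = object->rtt;
    if (actual == target)
        return true;
    size_t d = target->depth();
    // The depth comparison keeps the display read in bounds when target is deeper.
    return d < actual->display.size() && actual->display[d] == target;
}

int main()
{
    ModelRTT base, derived(&base), leaf(&derived);
    ModelGCObject object { 0, &derived };
    return refTest(&object, &base) && !refTest(&object, &leaf) ? 0 : 1;
}
```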


