Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fe410e6e7bcf963cc8cc7d30e978f447f01ec68d
https://github.com/WebKit/WebKit/commit/fe410e6e7bcf963cc8cc7d30e978f447f01ec68d
Author: Yusuke Suzuki <[email protected]>
Date: 2026-04-08 (Wed, 08 Apr 2026)
Changed paths:
A JSTests/wasm/stress/wasm-array-omg-array-length-cse.js
A JSTests/wasm/stress/wasm-array-omg-array-new.js
A JSTests/wasm/stress/wasm-array-omg-cse.js
A JSTests/wasm/stress/wasm-array-omg-element-types.js
A JSTests/wasm/stress/wasm-array-omg-packed-types.js
M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
M Source/JavaScriptCore/Sources.txt
M Source/JavaScriptCore/b3/B3AbstractHeapRepository.cpp
M Source/JavaScriptCore/b3/B3AbstractHeapRepository.h
M Source/JavaScriptCore/b3/B3EliminateCommonSubexpressions.cpp
M Source/JavaScriptCore/b3/B3Generate.cpp
M Source/JavaScriptCore/b3/B3Kind.h
M Source/JavaScriptCore/b3/B3LowerMacros.cpp
M Source/JavaScriptCore/b3/B3Opcode.h
M Source/JavaScriptCore/b3/B3Procedure.cpp
M Source/JavaScriptCore/b3/B3Procedure.h
M Source/JavaScriptCore/b3/B3ReduceStrength.cpp
M Source/JavaScriptCore/b3/B3Validate.cpp
M Source/JavaScriptCore/b3/B3Value.cpp
M Source/JavaScriptCore/b3/B3Value.h
M Source/JavaScriptCore/b3/B3ValueInlines.h
M Source/JavaScriptCore/b3/B3ValueKey.cpp
A Source/JavaScriptCore/b3/B3WasmArrayElementValue.cpp
A Source/JavaScriptCore/b3/B3WasmArrayElementValue.h
A Source/JavaScriptCore/b3/B3WasmArrayGetValue.cpp
A Source/JavaScriptCore/b3/B3WasmArrayGetValue.h
A Source/JavaScriptCore/b3/B3WasmArrayLengthValue.cpp
A Source/JavaScriptCore/b3/B3WasmArrayLengthValue.h
A Source/JavaScriptCore/b3/B3WasmArrayNewValue.cpp
A Source/JavaScriptCore/b3/B3WasmArrayNewValue.h
A Source/JavaScriptCore/b3/B3WasmArraySetValue.cpp
A Source/JavaScriptCore/b3/B3WasmArraySetValue.h
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/runtime/PutPropertySlot.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
Log Message:
-----------
[JSC] Add WasmArrayGet / WasmArraySet / WasmArrayNew / WasmArrayLength
https://bugs.webkit.org/show_bug.cgi?id=310424
rdar://173048844
Reviewed by Yijia Huang.
This patch implements WasmArrayGet / WasmArraySet / WasmArrayNew /
WasmArrayLength to offer higher semantics to B3.
1. WasmArrayGet / WasmArraySet are separate from WasmArrayLength, and
bound checks are done explicitly with WasmArrayLength, making them
easier to detect and remove via future range analysis.
2. WasmArrayNew offers better type information so we can easily remove
traps in WasmArrayLength. We can even fold it, since the size is
passed to WasmArrayNew.
3. To make WasmArrayLength ValueKey handling easy, we moved B3
AbstractHeapRepository to B3::Procedure's field so the heap is always
accessible throughout the B3 pipeline.
Tests: JSTests/wasm/stress/wasm-array-omg-cse.js
JSTests/wasm/stress/wasm-array-omg-element-types.js
JSTests/wasm/stress/wasm-array-omg-packed-types.js
* JSTests/wasm/stress/wasm-array-omg-array-length-cse.js: Added.
(makeInstance):
(set makeInstance):
(throw.new.Error):
(throw.new.Error.set const):
* JSTests/wasm/stress/wasm-array-omg-array-new.js: Added.
(makeInstance):
(unsignedLEB128):
(signedLEB128):
(encodeString):
(makeSection):
(buildI32Module):
(buildI64Module):
(buildF32Module):
(buildF64Module):
(r.0.throw.new.Error.i32.defGet):
(throw.new.Error):
* JSTests/wasm/stress/wasm-array-omg-cse.js: Added.
(makeInstance):
(r.v.throw.new.Error.storeLoadFwd):
(throw.new.Error):
* JSTests/wasm/stress/wasm-array-omg-element-types.js: Added.
(makeInstance):
(9.42.throw.new.Error):
* JSTests/wasm/stress/wasm-array-omg-packed-types.js: Added.
(makeInstance):
(s.expectS.throw.new.Error.i8.getS):
(throw.new.Error.get if):
(throw.new.Error):
* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/b3/B3AbstractHeapRepository.cpp:
(JSC::B3::AbstractHeapRepository::decorateWasmArrayGet):
(JSC::B3::AbstractHeapRepository::decorateWasmArraySet):
(JSC::B3::AbstractHeapRepository::decorateWasmArrayLength):
(JSC::B3::AbstractHeapRepository::computeRangesAndDecorateInstructions):
* Source/JavaScriptCore/b3/B3AbstractHeapRepository.h:
* Source/JavaScriptCore/b3/B3EliminateCommonSubexpressions.cpp:
* Source/JavaScriptCore/b3/B3Generate.cpp:
(JSC::B3::prepareForGeneration):
* Source/JavaScriptCore/b3/B3Kind.h:
(JSC::B3::Kind::hasTraps const):
* Source/JavaScriptCore/b3/B3LowerMacros.cpp:
* Source/JavaScriptCore/b3/B3Opcode.h:
* Source/JavaScriptCore/b3/B3Procedure.cpp:
(JSC::B3::Procedure::Procedure):
* Source/JavaScriptCore/b3/B3Procedure.h:
(JSC::B3::Procedure::heaps):
(JSC::B3::Procedure::heaps const):
* Source/JavaScriptCore/b3/B3ReduceStrength.cpp:
* Source/JavaScriptCore/b3/B3Validate.cpp:
* Source/JavaScriptCore/b3/B3Value.cpp:
(JSC::B3::Value::effects const):
(JSC::B3::Value::key const):
* Source/JavaScriptCore/b3/B3Value.h:
* Source/JavaScriptCore/b3/B3ValueInlines.h:
* Source/JavaScriptCore/b3/B3ValueKey.cpp:
(JSC::B3::ValueKey::materialize const):
* Source/JavaScriptCore/b3/B3WasmArrayElementValue.cpp: Added.
* Source/JavaScriptCore/b3/B3WasmArrayElementValue.h: Added.
(JSC::B3::WasmArrayElementValue::accepts):
(JSC::B3::WasmArrayElementValue::rtt const):
(JSC::B3::WasmArrayElementValue::arrayType const):
(JSC::B3::WasmArrayElementValue::range const):
(JSC::B3::WasmArrayElementValue::setRange):
(JSC::B3::WasmArrayElementValue::mutability const):
(JSC::B3::WasmArrayElementValue::WasmArrayElementValue):
* Source/JavaScriptCore/b3/B3WasmArrayGetValue.cpp: Added.
(JSC::B3::WasmArrayGetValue::WasmArrayGetValue):
(JSC::B3::WasmArrayGetValue::dumpMeta const):
* Source/JavaScriptCore/b3/B3WasmArrayGetValue.h: Added.
* Source/JavaScriptCore/b3/B3WasmArrayLengthValue.cpp: Added.
* Source/JavaScriptCore/b3/B3WasmArrayLengthValue.h: Added.
* Source/JavaScriptCore/b3/B3WasmArrayNewValue.cpp: Added.
(JSC::B3::WasmArrayNewValue::dumpMeta const):
* Source/JavaScriptCore/b3/B3WasmArrayNewValue.h: Added.
* Source/JavaScriptCore/b3/B3WasmArraySetValue.cpp: Added.
(JSC::B3::WasmArraySetValue::WasmArraySetValue):
(JSC::B3::WasmArraySetValue::dumpMeta const):
* Source/JavaScriptCore/b3/B3WasmArraySetValue.h: Added.
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/runtime/PutPropertySlot.h:
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::loadGCObjectStructureID):
(JSC::Wasm::OMGIRGenerator::arrayElementHeap):
(JSC::Wasm::OMGIRGenerator::addArrayNew):
(JSC::Wasm::OMGIRGenerator::addArrayNewDefault):
(JSC::Wasm::OMGIRGenerator::addArrayNewFixed):
(JSC::Wasm::OMGIRGenerator::emitGetArraySizeWithNullCheck):
(JSC::Wasm::OMGIRGenerator::addArrayGet):
(JSC::Wasm::OMGIRGenerator::emitArraySetUncheckedWithoutWriteBarrier):
(JSC::Wasm::OMGIRGenerator::addStructNew):
(JSC::Wasm::OMGIRGenerator::addStructNewDefault):
(JSC::Wasm::OMGIRGenerator::emitRefTestOrCast):
(JSC::Wasm::parseAndCompileOMG):
(JSC::Wasm::OMGIRGenerator::allocateWasmGCArray): Deleted.
(JSC::Wasm::OMGIRGenerator::emitGetArrayPayloadBase): Deleted.
(JSC::Wasm::OMGIRGenerator::encodeStructureID): Deleted.
(JSC::Wasm::OMGIRGenerator::allocatorForWasmGCHeapCellSize): Deleted.
(JSC::Wasm::OMGIRGenerator::allocateWasmGCHeapCell): Deleted.
(JSC::Wasm::OMGIRGenerator::allocateWasmGCObject): Deleted.
(JSC::Wasm::OMGIRGenerator::allocateWasmGCArrayUninitialized):
Canonical link: https://commits.webkit.org/310817@main