Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 93e29091710ce0fa437e19fa63f345d5d706fa74
https://github.com/WebKit/WebKit/commit/93e29091710ce0fa437e19fa63f345d5d706fa74
Author: Yusuke Suzuki <[email protected]>
Date: 2026-05-12 (Tue, 12 May 2026)
Changed paths:
A JSTests/microbenchmarks/define-property-accessor.js
A JSTests/microbenchmarks/define-property-data.js
A JSTests/microbenchmarks/define-property-getter-only.js
A JSTests/microbenchmarks/define-property-setter-only.js
A JSTests/microbenchmarks/object-define-property-put-by-id-direct.js
A JSTests/stress/object-define-property-fields-refinement.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGNode.cpp
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGNodeType.h
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/dfg/DFGOperations.h
M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
[JSC] Extract fields of descriptor in Object.defineProperty in DFG / FTL
https://bugs.webkit.org/show_bug.cgi?id=313636
rdar://175837797
Reviewed by Yijia Huang.
Given that we have

1. sane chain watchpoint
2. descriptor field watchpoint on Object.prototype
3. typically object literal / constant descriptor is used

AbstractInterpreter / ConstantFolding can detect finite structure. And we can
extract fields via GetByOffset insertion. This means that we can convert

    ObjectDefineProperty(Object, Key, Descriptor)

to

    enumerable = GetByOffset(Descriptor, enumerable-offset) OR empty
    configurable = GetByOffset(Descriptor, configurable-offset) OR empty
    value = GetByOffset(Descriptor, value-offset) OR empty
    writable = GetByOffset(Descriptor, writable-offset) OR empty
    get = GetByOffset(Descriptor, get-offset) OR empty
    set = GetByOffset(Descriptor, set-offset) OR empty
    ObjectDefinePropertyFromFields(Object, Key, enumerable, configurable,
                                   value, writable, get, set)

This is good since,

1. We can remove object property access in C++
2. We can teach DFG / FTL about descriptor access. FTL can potentially
   do object-allocation-sinking and remove object literal for this
   descriptor completely!

Also, we convert DefineDataProperty to PutByIdDirect when its attributes
are enumerable: true / configurable: true, writable: true, and base
object does not have a property for this id.

                                           ToT                  Patched

object-define-property-value-only          23.8154+-0.3948  ^   17.6551+-0.6358  ^ definitely 1.3489x faster
define-property-accessor                    0.6917+-0.1979       0.5889+-0.1481    might be 1.1746x faster
redefine-property-accessor-dictionary       2.6613+-0.0682       2.4801+-0.1592    might be 1.0731x faster
redefine-property-previous-attributes      23.5308+-0.2114  ^   18.6530+-0.1750  ^ definitely 1.2615x faster
redefine-property-data-dictionary           2.1729+-0.0655  ^    1.9438+-0.0311  ^ definitely 1.1178x faster
define-property-simple                      0.9628+-0.0761       0.8713+-0.0361    might be 1.1050x faster
object-define-property-put-by-id-direct    30.7412+-0.4415  ^    2.5854+-0.3793  ^ definitely 11.8905x faster
redefine-property-data                      1.9969+-0.1488  ^    1.6229+-0.0350  ^ definitely 1.2305x faster
redefine-property-accessor                  2.2817+-0.1191  ^    1.9361+-0.0258  ^ definitely 1.1785x faster
define-property-data                        0.4759+-0.0098  ?    0.5339+-0.1655  ? might be 1.1219x slower

* JSTests/microbenchmarks/define-property-accessor.js: Added.
(set get Object):
(test):
(set get noInline):
* JSTests/microbenchmarks/define-property-data.js: Added.
(test):
* JSTests/microbenchmarks/define-property-getter-only.js: Added.
(get Object):
(test):
(get noInline):
* JSTests/microbenchmarks/define-property-setter-only.js: Added.
(set Object):
(test):
(set noInline):
* JSTests/microbenchmarks/object-define-property-put-by-id-direct.js: Added.
(bench):
* JSTests/stress/object-define-property-fields-refinement.js: Added.
(shouldBe):
(shouldThrow):
(readDesc):
(testAllTrueData):
(testValueOnly):
(testWritableFalse):
(testGeneric):
(testOpaqueConfigurable):
(testOpaqueEnumerable):
(i.const.e):
(testOpaqueWritable):
(testAccessorLiterals.):
(testAccessorArgs):
(set get noInline):
(testGetOnly):
(get noInline):
(testGetOnlyStrictWrite):
(testAccessorLiterals.set get o):
(testAccessorLiterals):
(set noInline):
(testBadGetOnly):
(testBadSetOnly):
(testBadGetter):
(testMixed.):
(testMixed):
(testNullProtoData):
(get for):
(testDefineAllTruePutsDirect):
(testBareValueDoesNotLower):
(set for):
(testExistingPropertyDoesNotLower):
(testDynamicPropertyDoesNotLower):
(testIndexedPropertyDoesNotLower):
(testAccessorOnValue.):
(testAccessorOnValue.get d):
(testAccessorOnValue):
(testAccessorOnWritable.):
(testAccessorOnWritable.get const):
(testAccessorOnWritable):
(testAccessorOnGet.const.fn):
(testAccessorOnGet.):
(testAccessorOnGet.get const):
(testAccessorOnGet):
(testDictionaryMutation):
(noInline):
(testSymbolKey):
(typeof.createGlobalObject.string_appeared_here.testCrossRealm):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::tryFoldDefineDataPropertyToPutByIdDirect):
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToDefineDataProperty):
(JSC::DFG::Node::convertToDefineAccessorProperty):
(JSC::DFG::Node::convertToObjectDefinePropertyFromFields):
(JSC::DFG::Node::convertToPutByIdDirect):
* Source/JavaScriptCore/dfg/DFGNode.h:
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
(JSC::FTL::DFG::LowerDFGToB3::compileObjectDefinePropertyFromFields):
(JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
Canonical link: https://commits.webkit.org/313124@main