Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6da8ead481eb7cbd2203ea767098c3d5f69e8656
https://github.com/WebKit/WebKit/commit/6da8ead481eb7cbd2203ea767098c3d5f69e8656
Author: Yusuke Suzuki <[email protected]>
Date: 2026-06-07 (Sun, 07 Jun 2026)
Changed paths:
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
M Source/JavaScriptCore/runtime/ModuleProgramExecutable.cpp
M Source/JavaScriptCore/runtime/SymbolTable.cpp
M Source/JavaScriptCore/runtime/SymbolTable.h
Log Message:
-----------
[JSC] Propagate "singleton" invalidation to originating SymbolTable
rdar://178874394
https://bugs.webkit.org/show_bug.cgi?id=316472
Reviewed by Mark Lam.
SymbolTable is maintaining InferredValue "singleton". This is a
watchpoint to maintain whether this SymbolTable is singleton (it is
never used for the different lexical environment again). If we figure
out that this is singleton, then we can fold an environment into a
constant in DFG, leveraging constant folding and which leads further
more optimizations.
But if we failed to speculate, then it gets fired, and it invalidates
CodeBlock. If we can get better information about "this is not a singleton"
before subscribing a watchpoint, we can improve DFG~'s quality due to
precise information.
This patch adds PropagateCloneInvalidationToOriginal flag to SymbolTable.
When it is true, then when cloning,
1. If original SymbolTable's singleton is already invalidated, then we
just makes the SymbolTable singleton invalidated from the beginning.
2. If not, we record this flag.
3. When SymbolTable's singleton gets invalidated, we propagate this
invalidation to the originating SymbolTable's singleton.
Since the original SymbolTable is stored in UnlinkedCodeBlock, we can
share this information across multiple realms for the same code.
We do not directly share the same watchpoint between them because it is
natural to have multiple SymbolTable when you have two realms (navigation)
and the previous SymbolTable is still alive because of GC timing etc.
We would like to invalidate singleton only when one realm creates lexical
environment with the same SymbolTable multiple times.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::pushLexicalScopeInternal):
* Source/JavaScriptCore/runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::getUnlinkedCodeBlock):
* Source/JavaScriptCore/runtime/SymbolTable.cpp:
(JSC::SymbolTable::cloneScopePart):
* Source/JavaScriptCore/runtime/SymbolTable.h:
Canonical link: https://commits.webkit.org/314723@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
