Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 93518ed198a17261a6d6b1b1527c529a00f26efb
https://github.com/WebKit/WebKit/commit/93518ed198a17261a6d6b1b1527c529a00f26efb
Author: Sosuke Suzuki <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
A JSTests/microbenchmarks/string-iterator-manual-next.js
A JSTests/stress/string-iterator-next-intrinsic.js
M Source/JavaScriptCore/CMakeLists.txt
M Source/JavaScriptCore/DerivedSources-input.xcfilelist
M Source/JavaScriptCore/DerivedSources.make
M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
R Source/JavaScriptCore/builtins/StringIteratorPrototype.js
M Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.cpp
M Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGCloneHelper.h
M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGNodeType.h
M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/runtime/Intrinsic.h
M Source/JavaScriptCore/runtime/IteratorOperations.cpp
M Source/JavaScriptCore/runtime/IteratorOperations.h
M Source/JavaScriptCore/runtime/JSGlobalObject.h
M Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp
Log Message:
-----------
[JSC] Add new DFG node for `StringIteratorPrototype.next`
https://bugs.webkit.org/show_bug.cgi?id=316267
Reviewed by Yusuke Suzuki.
314417@main restored the JS builtin for StringIteratorPrototype.next because
babel-wtb calls next() directly and inlining it at the call site is critical.
This patch implements the suggested better shape: next() becomes a C++ host
function with JSStringIteratorNextIntrinsic, and DFG / FTL expand the call
into straight-line code: CheckStructure + GetInternalField x2 +
StringIteratorNextWithUndefined + NewObject / PutByOffset for the iterator
result object + PutInternalField. The Index field is advanced after all
nodes that can OSR exit so an exit cannot re-run next() with the advanced
position, and both the iterator and the result object stay eligible for
ObjectAllocationSinking. The JS builtin and its bytecode intrinsics are
removed again.
StringIteratorNextWithUndefined is a sibling of the for-of StringIteratorNext
node sharing the same codegen. The only difference is that it produces
undefined instead of the empty string placeholder when the iteration is done,
as required for the result object's value. Keeping the nodes separate leaves
the for-of value SpecString-typed. Since this is the first tuple node with a
boxed JSValue element, this adds jsValueTupleResultWithoutUsingChildren().
The intrinsic is 64-bit only; 32-bit keeps calling the C++ function.
ToT Patched
string-iterator-for-of-ascii 26.7609+-0.1097 26.7133+-0.4403
string-iterator-for-of-surrogate-pairs 372.5698+-3.5469 370.5920+-3.6605
string-iterator-spread-surrogate-pairs 274.8831+-7.5499 270.4274+-9.2849
string-iterator-manual-next 105.5357+-1.0142 ^ 61.4561+-0.6055 ^
definitely 1.7173x faster
Tests: JSTests/microbenchmarks/string-iterator-manual-next.js
JSTests/stress/string-iterator-next-intrinsic.js
* JSTests/microbenchmarks/string-iterator-manual-next.js: Added.
(sumCodePoints):
* JSTests/stress/string-iterator-next-intrinsic.js: Added.
(shouldBe):
(shouldThrow):
(stepShapes):
(collect):
(makeRope):
(callNextWithBadThis):
(mixed):
* Source/JavaScriptCore/CMakeLists.txt:
* Source/JavaScriptCore/DerivedSources-input.xcfilelist:
* Source/JavaScriptCore/DerivedSources.make:
* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/builtins/StringIteratorPrototype.js: Removed.
* Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.cpp:
(JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
* Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitIsShadowRealm):
(JSC::BytecodeGenerator::emitIsStringIterator): Deleted.
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::stringIteratorInternalFieldIndex): Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_getStringIteratorInternalField):
Deleted.
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putStringIteratorInternalField):
Deleted.
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGCloneHelper.h:
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::isTuple const):
(JSC::DFG::Node::tupleSize const):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::jsValueTupleResultWithoutUsingChildren):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/runtime/Intrinsic.h:
* Source/JavaScriptCore/runtime/IteratorOperations.cpp:
(JSC::createIteratorResultObjectStructure):
(JSC::createIteratorResultObject):
* Source/JavaScriptCore/runtime/IteratorOperations.h:
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::iteratorResultObjectStructureConcurrently const):
* Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp:
(JSC::StringIteratorPrototype::finishCreation):
(JSC::JSC_DEFINE_HOST_FUNCTION):
Canonical link: https://commits.webkit.org/315180@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
