[webkit-changes] [WebKit/WebKit] 7937fd: [JSC] Map / Set iterator next operation should not...

Tue, 16 Jun 2026 14:55:02 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7937fd75aea7b110e74d088f4fa99dbac5e2f72c
      
https://github.com/WebKit/WebKit/commit/7937fd75aea7b110e74d088f4fa99dbac5e2f72c
  Author: Yusuke Suzuki <[email protected]>
  Date:   2026-06-16 (Tue, 16 Jun 2026)

  Changed paths:
    A JSTests/stress/map-set-iterator-next-deferred-commit.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] Map / Set iterator next operation should not touch JSMapIterator / 
JSSetIterator directly
https://bugs.webkit.org/show_bug.cgi?id=315650
rdar://178034413

Reviewed by Yijia Huang.

This patch moves MapIteratorNext model from the model modifying
JSMapIterator itself to getting advanced storage and index: so this
makes the model more stateless instead of depending on the state of
JSMapIterator. This offers significant benefit.

1. Since iteration itself does not change iterator's field implicitly,
   DFG / FTL now can see full modification of iterator
   (PutInternalField), thus they can do ObjectAllocationSinking for
   for-of case for JSMapIterator / JSSetIterator.
2. DFG / FTL can control when publishing the side-effect of iteration
   (advancing the iterator) fully, which removes OSR exit related
   restrictions on for-of iteration code in DFG / FTL. They can now
   publish the irreversible change only after ensuring everything is done!

The new code leverages the newly introduced private tmp to carry the
obtained tuple entries. We do not do what JSStringIterator is doing here
since we cannot return prediction-typed result value when encountering the 
sentinel.
JSStringIterator can consistently produce String for value not to
pollute types and not to cause OSR exit. But in MapIterator /
SetIterator case, the expected value's speculation is coming from prediction
type, so sentinel handling is hard since we are not having arbitrary bottom 
value
for the prediction. It is much simpler for us to have done and load
blocks and generating the results in each block.

* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::handleIteratorNext):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::isTuple const):
(JSC::DFG::Node::tupleSize const):
(JSC::DFG::Node::hasBucketOwnerType):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::jsValueTupleResultWithoutUsingChildren):
(JSC::DFG::SpeculativeJIT::cellTupleResultWithoutUsingChildren):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileMapIteratorNext):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileMapIteratorNext):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMapIteratorNext):
(JSC::FTL::DFG::LowerDFGToB3::compileMapIteratorKey):
(JSC::FTL::DFG::LowerDFGToB3::compileMapIteratorValue):
* JSTests/stress/map-set-iterator-next-deferred-commit.js: Added.

Canonical link: https://commits.webkit.org/315330@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to