Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d90bb919af460a6d1e21164d745363b32e5e5d1e
https://github.com/WebKit/WebKit/commit/d90bb919af460a6d1e21164d745363b32e5e5d1e
Author: Yusuke Suzuki <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A JSTests/stress/dfg-licm-hoist-tuple-node.js
M Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp
M Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h
M Source/JavaScriptCore/dfg/DFGLICMPhase.cpp
Log Message:
-----------
[JSC] LICM should skip tuple consumers
https://bugs.webkit.org/show_bug.cgi?id=318513
rdar://181175678
Reviewed by Sosuke Suzuki.

DFG LICM is running AbstractInterpreter and safeToExecute with
DFGAtTailAbstractState, but

1. DFG LICM's safeToExecute is not correctly handling tuple children,
   while the current code is harmless, ASSERT hits.
2. DFG LICM's AbstractInterpreter run hits ASSERT because of clearForNode
   for Tuple returning DFG node, but this clearing is necessary and legit
   as it is introduced in 264281@main.

So,

1. DFGAtTailAbstractState should allow tuple returning node with clearForNode,
   as the other AbstractStates allow.
2. Let's disable LICM for ExtractFromTuple. Realistically, it has zero
   value as tuple extraction is almost no-op hint operation.

Test: JSTests/stress/dfg-licm-hoist-tuple-node.js
* JSTests/stress/dfg-licm-hoist-tuple-node.js: Added.
(f):
(g):
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp:
(JSC::DFG::AtTailAbstractState::forNodeImpl):
(JSC::DFG::AtTailAbstractState::forNode): Deleted.
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h:
(JSC::DFG::AtTailAbstractState::forNode):
(JSC::DFG::AtTailAbstractState::clearForNode):
* Source/JavaScriptCore/dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
Canonical link: https://commits.webkit.org/316463@main