[webkit-changes] [WebKit/WebKit] 9f356a: [JSC] Introduce BadStringType exit kind

Yusuke Suzuki noreply at github.com
Mon Sep 23 20:02:41 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9f356ab748c54c07f772ad2e72140ea78fbd62c2
      https://github.com/WebKit/WebKit/commit/9f356ab748c54c07f772ad2e72140ea78fbd62c2
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2024-09-23 (Mon, 23 Sep 2024)

  Changed paths:
    M Source/JavaScriptCore/bytecode/ExitKind.h
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] Introduce BadStringType exit kind
https://bugs.webkit.org/show_bug.cgi?id=280240
<rdar://problem/136542341>

Reviewed by Mark Lam.

We should not handle StringIdentUse's failure as BadType. Let's say we
encounter a non-StringIdent value in StringIdentUse. But it is possible
that this string will be converted into StringIdent at any point. As a
result, ValueProfile may just point at this already converted string and
we cannot get updated type feedback in that case since it will just
offer SpecStringIdent. Instead, we record a new BadStringType exit kind
here so that we can offer solid feedback to the DFG fixup phase in the
reoptimization case.

* Source/JavaScriptCore/bytecode/ExitKind.h:
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToThis):
(JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Canonical link: https://commits.webkit.org/284133@main


