Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b7c903516b25148b30e3ed279df67988a38ae8a9
https://github.com/WebKit/WebKit/commit/b7c903516b25148b30e3ed279df67988a38ae8a9
Author: Yijia Huang <[email protected]>
Date: 2026-03-13 (Fri, 13 Mar 2026)
Changed paths:
A JSTests/stress/array-is-array-intrinsic.js
M Source/JavaScriptCore/builtins/ArrayConstructor.js
M Source/JavaScriptCore/builtins/BuiltinNames.h
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGNodeType.h
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/dfg/DFGOperations.h
M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/runtime/ArrayConstructor.cpp
M Source/JavaScriptCore/runtime/ArrayConstructor.h
M Source/JavaScriptCore/runtime/Intrinsic.h
M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Log Message:
-----------
[JSC] Add ArrayIsArray intrinsic for Array.isArray

rdar://172330191
https://bugs.webkit.org/show_bug.cgi?id=309738

Reviewed by Yusuke Suzuki.

Array.isArray was a JS builtin using IsCellWithType(CellUse), which caused
TypeCheckHoistingPhase to hoist a cell check to function entry. Non-cell
inputs (undefined, null, booleans) triggered BadType OSR exits and DFG
jettisons.

Replace the builtin with a C++ host function + ArrayIsArray DFG/FTL node
using UntypedUse, bypassing type-check hoisting. The node handles all ES
spec cases inline: non-cell -> false, ArrayType/DerivedArrayType -> true,
ProxyObjectType -> isArraySlow slow path, other cells -> false. The abstract
interpreter constant-folds the node when the input type is known.

Test: JSTests/stress/array-is-array-intrinsic.js

Canonical link: https://commits.webkit.org/309209@main
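
The input classes named in the log message (non-cell values, arrays, derived arrays, proxies, other objects), driven through a single call site, as an added example; it is not the commit's JSTests/stress/array-is-array-intrinsic.js and is not WebKit project code. All inputs are constructed, and the expected values follow the ECMAScript IsArray operation, including the TypeError for a revoked proxy, which the message does not mention.

```javascript
// Added example: not the commit's own stress test. All inputs are constructed.
class DerivedArray extends Array {}

function makeRevokedProxy() {
    const { proxy, revoke } = Proxy.revocable([], {});
    revoke();
    return proxy;
}

// [label, value, expected]; expected is true, false, or "TypeError".
const cases = [
    ["undefined", undefined, false],
    ["null", null, false],
    ["boolean", true, false],
    ["number", 42, false],
    ["string", "abc", false],
    ["array-like object", { length: 2, 0: "a", 1: "b" }, false],
    ["typed array", new Uint8Array(4), false],
    ["array", [1, 2], true],
    ["derived array", new DerivedArray(3), true],
    ["proxy of array", new Proxy([], {}), true],
    ["proxy of proxy of array", new Proxy(new Proxy([], {}), {}), true],
    ["proxy of plain object", new Proxy({}, {}), false],
    ["revoked proxy", makeRevokedProxy(), "TypeError"],
];

// Returns the boolean result, or the string "TypeError" if the call threw one.
function observe(value) {
    try {
        return Array.isArray(value);
    } catch (e) {
        if (e instanceof TypeError) return "TypeError";
        throw e;
    }
}

// Feed one call site a rotating mix of input kinds for many iterations, so an
// optimizing tier compiles it with polymorphic inputs, and report mismatches.
function runMixed(iterations) {
    const mismatches = new Set();
    for (let i = 0; i < iterations; i++) {
        const [label, value, expected] = cases[i % cases.length];
        const got = observe(value);
        if (got !== expected) mismatches.add(`${label}: got ${String(got)}`);
    }
    return [...mismatches];
}

console.log(runMixed(100000)); // an empty array means every case matched
```
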