Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 85309cfe91e8b4b000e2fb44c13e71ce2558674d
https://github.com/WebKit/WebKit/commit/85309cfe91e8b4b000e2fb44c13e71ce2558674d
Author: Sosuke Suzuki <[email protected]>
Date: 2026-06-16 (Tue, 16 Jun 2026)
Changed paths:
A JSTests/stress/for-of-const-closure-captured-tier-up.js
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Log Message:
-----------
[JSC] for-of with closure-captured const binding never reaches DFG/FTL
https://bugs.webkit.org/show_bug.cgi?id=317169
Reviewed by Yusuke Suzuki.
`for (const x of arr)` whose body captures `x` in a closure emits a
per-iteration copy: it reads `x` from the previous iteration's scope and
writes it into a freshly created lexical environment. On the first iteration
of every call, the value being copied is the TDZ empty sentinel, but the value
profile for the source GetClosureVar is dominated by the steady-state Int32
samples and never reflects SpecEmpty. DFGFixupPhase::speculateForBarrier
therefore inserts an Int32Use hint Check at the PutClosureVar. That check
BadType-exits once per call on the empty sentinel, the DFG code is jettisoned,
and on recompile the same hint is inserted again because speculateForBarrier
never consults the exit profile. The function loops between Baseline and DFG
and never reaches FTL (the repro case is recompiled 7 times under
--useConcurrentJIT=0).

speculateForBarrier is purely advisory ("we want to know before we do an
expensive compile"), so this patch makes it back off when a BadType exit has
already been recorded at the current site, mirroring the existing check in
attemptToMakeDoubleRepForPut. With this change the second DFG compile drops
the hint, the function tiers up to FTL, and the included microbenchmark is
~2.5x faster.

    function hot(arr) {
        let sum = 0;
        for (const x of arr)
            (() => sum += x)();
        return sum;
    }

Test: JSTests/stress/for-of-const-closure-captured-tier-up.js
* JSTests/stress/for-of-const-closure-captured-tier-up.js: Added.
(shouldBe):
(hot):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::speculateForBarrier):
Canonical link: https://commits.webkit.org/315274@main
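
The feedback loop described in the log message, as a toy model added here; it is not JavaScriptCore code and not part of the commit. `simulateTiering`, `EMPTY`, the FTL threshold and the simplified copy stream are assumptions, and the counts it returns are the model's, not JSC's.

```javascript
// Toy model of the Baseline <-> DFG loop from the log message above.
// Not JavaScriptCore code: every name and threshold here is an assumption.
const EMPTY = Symbol("empty");          // stands in for the TDZ empty sentinel
const FTL_AFTER_CLEAN_DFG_CALLS = 3;    // assumed tier-up threshold

function simulateTiering(calls, arr, consultExitProfile) {
  const site = { int32Samples: 0, emptySamples: 0, badTypeExits: 0 };
  let tier = "Baseline", hint = false, cleanDfgCalls = 0, dfgCompiles = 0;

  for (let call = 0; call < calls && tier !== "FTL"; call++) {
    // Simplified per-iteration copy stream: one empty value on the first
    // iteration of the call, then the steady-state Int32 values.
    const copied = [EMPTY, ...arr];

    if (tier === "Baseline") {
      // Profiling run: Int32 samples dominate the profile for this site.
      for (const v of copied) {
        if (v === EMPTY) site.emptySamples++;
        else site.int32Samples++;
      }
      // DFG compile: the speculation hint follows the value profile. With the
      // change modelled, it is dropped once a BadType exit is on record here.
      const predictsInt32 = site.int32Samples > site.emptySamples;
      const backOff = consultExitProfile && site.badTypeExits > 0;
      hint = predictsInt32 && !backOff;
      tier = "DFG";
      dfgCompiles++;
      cleanDfgCalls = 0;
      continue;
    }

    // DFG run: an Int32 check on the empty value is a BadType exit, and the
    // optimized code is thrown away (jettisoned).
    if (hint && copied.includes(EMPTY)) {
      site.badTypeExits++;
      tier = "Baseline";
      continue;
    }
    if (++cleanDfgCalls >= FTL_AFTER_CLEAN_DFG_CALLS) tier = "FTL";
  }
  return { tier, dfgCompiles, badTypeExits: site.badTypeExits };
}

// Without the exit-profile check the model recompiles on every other call.
console.log(simulateTiering(20, [1, 2, 3, 4], false));
// With it, the second compile drops the hint and the function reaches FTL.
console.log(simulateTiering(20, [1, 2, 3, 4], true));
```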