JSC Inline Cache for undefined/null/true/false Property Keys
Source/JavaScriptCore/bytecode/Repatch.cpp
Source/JavaScriptCore/bytecode/AccessCase.cpp
JSC's inline cache (IC) is the core mechanism for making property access fast under JIT compilation. When a GetByVal or PutByVal site executes repeatedly with the same key type and object structure, the IC generates a type-specialized machine-code stub that bypasses C++ dispatch on subsequent executions. The IC is organised around typed "access cases", each guarded by a structure check: Load (own-property hit), Miss (property absent, including along the prototype chain), Transition (new property added, changing the object's structure) and Replace (existing property overwritten). Previously, non-integer, non-string primitive keys such as undefined were coerced to the string "undefined" (the ToPropertyKey conversion the language requires) and were either handled by the string-keyed IC stubs or fell through to the generic slow path.
This commit introduces a parallel family of access case types (IndexedUndefinedKeyLoad, IndexedNullKeyMiss, IndexedTrueKeyTransition, etc.) that emit an identity check on the key register (isUndefined(), isNull(), etc.) instead of coercing to a string, then proceed with normal structure-based lookup of the property whose name that key would have coerced to ("undefined", "null", "true" or "false"). The identity check is sufficient because each of these four values coerces to exactly one fixed string, so the property name is a compile-time constant for the stub. The new stubs are implemented in both normal and handler (pre-compiled) forms, with repatch logic in nonStringPrimitiveKeyForSubscript() that detects these primitives and routes to convertToNonStringPrimitiveKeyAccessType().
GetByVal IC dispatch (after this patch):
key register
│
├─ isInt32? ──► [existing Int32 IC stubs]
│
├─ isUndefined? ──► IndexedUndefinedKeyLoad / Miss
├─ isNull? ──► IndexedNullKeyLoad / Miss
├─ isTrue? ──► IndexedTrueKeyLoad / Miss
├─ isFalse? ──► IndexedFalseKeyLoad / Miss
│
├─ isString/Symbol? ──► [existing string IC stubs]
│
└─ other ──► slow path (C++ call)
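The property the stubs must find is whatever the key coerces to, so the natural check on a change like this is a differential one: drive a single GetByVal site and a single PutByVal site through each of the four access kinds (Miss, Transition, Load, Replace) with each primitive key, and compare against the string-coerced name. The script below is an added example written for this note, not code from the JSC commit; getByVal(), putByVal(), exerciseKey() and runDifferential() are names chosen here. It adds 1.5 as a control key that still takes the slow path, so any divergence between the specialized stubs and the generic path shows up as a mismatch count. It also runs correctly under engines other than JSC, since it only asserts spec semantics.

```javascript
// Differential check of property access with non-string primitive keys.
// Added example, not part of the JSC commit. Each key goes through the four
// access kinds the IC specializes (Miss, Transition, Load, Replace) many times
// at the same two call sites, so a JIT engine warms and patches those sites.
// Every result is compared with the ToPropertyKey coercion (undefined ->
// "undefined", null -> "null", true -> "true", false -> "false").

// Keys the new stubs handle, plus 1.5 as a control that stays on the slow path.
const PROBE_KEYS = [undefined, null, true, false, 1.5];

// The string name the language requires the subscript to behave as.
function coerceKey(key) {
  return String(key);
}

// Single GetByVal site, reused in a loop so an IC can be installed for it.
function getByVal(obj, key) {
  return obj[key];
}

// Single PutByVal site, likewise reused.
function putByVal(obj, key, value) {
  obj[key] = value;
}

// Exercise one key `iterations` times and tally agreement per access kind.
function exerciseKey(key, iterations) {
  const name = coerceKey(key);
  const tally = { key: name, miss: 0, transition: 0, load: 0, replace: 0, mismatch: 0 };

  for (let i = 0; i < iterations; i++) {
    // Miss: fresh object with no own or inherited property under either name.
    const obj = {};
    if (getByVal(obj, key) !== undefined || getByVal(obj, key) !== obj[name]) tally.mismatch++;
    else tally.miss++;

    // Transition: adding via the primitive key must create the coerced name.
    putByVal(obj, key, i);
    if (obj[name] !== i || Object.keys(obj).length !== 1 || Object.keys(obj)[0] !== name) tally.mismatch++;
    else tally.transition++;

    // Load: the own property is now present and must be read back through the key.
    if (getByVal(obj, key) !== i || getByVal(obj, key) !== obj[name]) tally.mismatch++;
    else tally.load++;

    // Replace: overwriting must update in place, never add a second property.
    putByVal(obj, key, -i - 1);
    if (obj[name] !== -i - 1 || Object.keys(obj).length !== 1) tally.mismatch++;
    else tally.replace++;
  }
  return tally;
}

// Prototype-chain case: a property named "undefined" on the prototype must be
// visible through obj[undefined] (an inherited hit), and an own write must shadow it.
function exercisePrototype(key) {
  const name = coerceKey(key);
  const proto = {};
  proto[name] = "inherited";
  const obj = Object.create(proto);
  const inheritedOk = getByVal(obj, key) === "inherited" && !Object.prototype.hasOwnProperty.call(obj, name);
  putByVal(obj, key, "own");
  const shadowOk = getByVal(obj, key) === "own" && proto[name] === "inherited";
  return { key: name, inheritedOk, shadowOk };
}

function runDifferential(iterations = 1000) {
  return PROBE_KEYS.map((k) => exerciseKey(k, iterations));
}

// Running stand-alone prints one tally per key; mismatch should be 0 everywhere.
if (typeof require !== "undefined" && require.main === module) {
  console.log(runDifferential());
  console.log(PROBE_KEYS.map(exercisePrototype));
}
```

The iteration count matters: an IC only patches a site after it has executed, so a single pass would test the interpreter and never the stub. Keep the access sites to one function each, as above, rather than inlining `obj[key]` at every check, otherwise each check gets its own IC and the Load stub is never hit after a Transition at the same site.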
Significance
Common real-world patterns such as obj[undefined] or obj[null] (typically the result of a missing or uninitialized key variable) now get JIT-compiled fast paths instead of bailing to slow-path C++. The cost is a sizeable new block of JIT code generation and IC dispatch logic in one of JSC's most security-sensitive subsystems. The new stubs must reproduce the string-coerced path exactly: the same structure guards, the same Miss behaviour through the prototype chain, and the same Transition and Replace handling as a write to the literal property "undefined", "null", "true" or "false". Any divergence between the identity-checked stub and the generic path is the kind of inconsistency that has historically been the starting point for JIT bugs, so review and fuzzing should concentrate on those equivalences.