WebKit Weekly
Log in
← All issues
← 2026-W14 overview

JSC B3 Wasm GC array opcodes

fe410e6

Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp

+ B3::Value* WasmOMGIRGenerator::emitGetArraySizeWithNullCheck(...) {
+ // Emit explicit WasmArrayLength node — bounds checks are separate from
+ // WasmArrayGet/Set so range analysis can later eliminate them.
+ auto* len = m_currentBlock->appendNew<B3::WasmArrayLengthValue>(
+ m_proc, origin(), array);
+ ...
+ }
+
+ PartialResult WasmOMGIRGenerator::addArrayGet(...) {
+ // Bounds check via a separate WasmArrayLength node, not an operand to get.
+ auto* len = emitGetArraySizeWithNullCheck(...);
+ m_currentBlock->appendNew<B3::WasmArrayGetValue>(
+ m_proc, origin(), array, index, ...);
+ ...
+ }

WebKit's OMG (Optimizing Multi-tiered JIT) compiles hot WebAssembly functions using B3, a typed SSA intermediate representation. B3 runs CSE (common subexpression elimination), range analysis, and strength reduction passes before lowering to machine code. Before this commit, Wasm GC array operations — array.get, array.set, array.new, array.len — were immediately lowered to raw memory loads and stores during IR generation, destroying the semantic information that the optimizer could exploit.

This commit adds four new B3 opcodes — WasmArrayGet, WasmArraySet, WasmArrayNew, WasmArrayLength — that preserve array-level semantics through the optimization pipeline. Bounds checks are expressed as separate WasmArrayLength nodes rather than being folded into the access operations, so CSE can eliminate redundant length loads and future range analysis can prove bounds checks unnecessary. WasmArrayNew carries type information that lets B3 remove null-trap checks on WasmArrayLength when the array comes from an allocation (which cannot return null). AbstractHeapRepository was moved from a local construct into B3::Procedure so alias information remains consistent across all passes. Final lowering to concrete memory operations happens in B3LowerMacros.

Before (immediate lowering):
  OMGIRGenerator                B3 pipeline
    array.get ──► Load(base+off)   ──► CSE (sees raw Load, can't alias)
    array.len ──► Load(arr+lenOff) ──► (bounds check inlined, opaque)

After (high-level opcodes preserved):
  OMGIRGenerator                B3 pipeline
    array.get ──► WasmArrayGet    ──► CSE (understands array identity)
    array.len ──► WasmArrayLength ──► de-trap: if fed by WasmArrayNew, null check removed
                                  ──► future range analysis: eliminate redundant length checks
    array.new ──► WasmArrayNew    ──► proves result non-null; size foldable
                                  ──► B3LowerMacros (final lowering to Load/Store)
Significance

This enables the OMG tier to eliminate redundant array length loads across loops and prove bounds checks unnecessary when the array was just allocated — a significant optimization for Wasm GC workloads that manipulate arrays in tight loops. The approach mirrors how JSC's DFG/FTL tiers handle JavaScript array operations: keep high-level semantics alive through optimization, then lower late. The packed type support (i8/i16 via array.get_s/array.get_u) means sign extension correctness in the lowering path is load-bearing for type safety.

Audit directions
🔒

New JIT opcodes for GC array ops with separated bounds-check nodes — several correctness edges in the lowering and aliasing logic are worth auditing.

Subscribe to read more

← Back to 2026-W14 overview