DFG/FTL: Object.defineProperty descriptor field extraction

93e2909

JSTests/microbenchmarks/object-define-property-put-by-id-direct.js

+function bench() {
+    var sum = 0;
+    for (var i = 0; i < 1000000; i++) {
+        var obj = {};
+        Object.defineProperty(obj, "prop",
+            { value: i, writable: true, enumerable: true, configurable: true });
+        sum += obj.prop;
+    }
+    return sum;
+}

JSC's optimizing JIT has two upper tiers: DFG (mid-tier, dataflow graph) and FTL (top-tier, B3 backend). Object.defineProperty was historically opaque to the JIT because the descriptor is a general object. This commit exploits two watchpoints — the sane-chain watchpoint on Object.prototype and a descriptor-field watchpoint — to prove the descriptor has a known structure at compile time. DFG then inserts GetByOffset nodes that read each descriptor field directly into a new ObjectDefinePropertyFromFields IR node. When all attributes are default and the base object has no existing property for the key, the call collapses further to PutByIdDirect, hitting the inline-cache fast path.

ObjectDefineProperty(obj, key, desc)
        |
        v
ObjectDefinePropertyFromFields(obj, key, e, c, v, w, get, set)
        |
        +--[e=true,c=true,w=true; no existing prop; non-indexed key]
        |       +--> PutByIdDirect(obj, key, value)   ~12x faster
        |
        +--[data desc, any attr differs] --> DefineDataProperty
        |
        +--[accessor desc]                 --> DefineAccessorProperty

Significance

Hot Object.defineProperty with a default data descriptor now compiles to a single PutByIdDirect, yielding up to 11.9x speedup on the microbenchmark. The optimization touches watchpoint logic, structure assumptions, property storage semantics, and FTL allocation sinking — every layer where prior DFG bugs have produced exploitable JIT primitives.

Audit directions

a Aaaaaaaaaaaa Aaaaaaaaaaaa Aaaaaaa Aaa Aaaaaaaaaaaa Aaaaaaaa Aaaaa Aaaaaaaaaa Aaa Aaaaaaaaaaaaaaaa Aaaaaaaaaaa Aa Aaaaaaaaaaaaaaaaaaa Aaaaaa Aaaaaaaaa Aaaaaaaaa Aaaaaaaaaaaaaaa Aaaaaaaaa Aaaaaa Aaaaaaaaa Aaaaa Aaaaaaaaaaaaaa Aaaa Aaaa Aa Aaaa Aaa Aaaaaaaaaa Aaaaa Aaaaa Aaa Aaa Aaaaaaa Aaaa Aaaaa Aaaaaaaaa Aaaaaaa Aaa Aaaaaaaaaaaaa Aa Aaa Aaaaaaaaaaa Aaaaaaaaaaa Aaaaaaaaaaa Aaa Aa Aaaaaaaa Aaaa Aaaa Aa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaa Aaa Aaaaaaaaaa Aaaaa Aaaaaa Aaaaa

a Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaa Aaaaaaaaaaaaaaa Aaaaaaaa Aa Aaaaaaaaaaaaaaa Aaaaaaaa Aa Aaaaaaaa Aaaaaaaaa Aaaaaaaaaaa Aaaa Aaa Aaa Aaaaaaaaaa Aaaaa Aaaaa Aaa Aaaaaaa Aaaaaaaaaaaa Aa Aaaaaaa Aaaa Aaa Aaaaaaaaaaaaaaaaa Aaaaaaa Aaaaaaa Aaaaa a Aaaaaaaaaaaaa Aaaaaaaa Aaaaaaa Aaaa Aaaaaaa Aaaaaaa Aaaaaa Aaaa Aaaa Aaaa Aaa Aaaaaaaaaaa Aaaaaa Aaaaaaaaa Aaaaa Aaaaaaa a Aaaaaa Aaaaaaa Aaaaa Aaaaaaaaaa Aaaaa Aaa Aa Aaaa Aa Aaaaaaaaaa

a Aaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaaaaaaaaaa Aaaa Aaaaaaaaaa Aaaaa Aa Aaaaaaaaaaaaaaaaaa Aaaaaaa Aa Aaaaaaa Aa Aaaaaaaaa Aaaaaaaa Aaaaaaaaaaa Aaaaaaaaa a Aaaaa Aa Aaaaaa Aaaa Aa Aa Aaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaa Aaaaaaaa Aaaaa Aaaaaaaaa Aaaa a Aaaaaaaaaaa Aaaaaaaa a Aaaaaaaaaaaa Aa Aaaaaaaaaaaaaaaa Aaaaaaaa Aaaa Aaa Aaaaaa Aaaaaaaa Aaaaaaaaaa Aaa Aaaaaaaaaaaaa Aaaaa Aaaaaaa Aaaaaaaa Aaa Aaaaaaaaaaaaaa Aaaaaaaa Aa a Aaaaaaaa Aaaa Aa Aaaaaaa

a Aaaaa Aaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaa Aa Aaa Aaaa Aaaaaaaaaa Aaaaaaaaaa Aaaaaaa Aaaaaaa Aa Aaaaaaaaa Aaaa a Aaaaaaaaa Aaaaaa Aaaaaaaaaaaaaaaaa Aaa Aaaaa Aaaaaaa Aaaa Aaaaaaaaaaaa Aaa Aaaaaa a Aaa Aaaaaaaaaaaaaaa Aaaaaaa Aaa Aaaaaaa Aaa Aa Aaaaaaaaaaa Aaaaaaaaaaaaaaaa Aaaaa Aaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aa Aaaaaaaaa Aaaaaa Aa Aa Aaaaaa Aaaaa Aa Aaaaaaaaa Aaaaaaaaaaaa

🔒

Layered watchpoint guards and multi-stage IR lowering create several audit-worthy edge cases in this new optimization path.

Subscribe to read more