JSC: cache Symbol.prototype.toString result
5e57a58
+function test(sym) { return sym.toString(); }
+noInline(test);
+const sym = Symbol("cocoa");
+for (let i = 0; i < testLoopCount; ++i)
+ shouldBe(test(sym), "Symbol(cocoa)");
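Review bot: the test only ever passes one Symbol with a non-empty description through `test`, so `shouldBe(test(sym), "Symbol(cocoa)")` cannot tell a per-Symbol cache from a per-call-site one and never reaches the cases where the cached string must be `"Symbol()"` (a Symbol with no description or an empty one). Suggest alternating two distinct symbols at the same call site inside the `testLoopCount` loop, adding `shouldBe(test(Symbol()), "Symbol()")`, and adding a `Symbol.prototype.toString.call(Object(sym))` check, since a Symbol wrapper object is a legal receiver that will not satisfy the SymbolUse speculation and must still produce the right string on the slow path.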
Three parts of JSC matter here: the DFG tier (typed IR with speculation), the FTL tier (B3 backend), and the GC, which must trace every live heap pointer. An intrinsic is a built-in function the JIT recognizes by identity and replaces with a hand-coded IR node. This commit adds a per-Symbol cached JSString field and a SymbolToString DFG/FTL intrinsic node. DFGByteCodeParser emits the specialized node, DFGFixupPhase constrains its input to SymbolUse, and SpeculativeJIT/FTL lower it to a raw memory load of the new cached-string field.
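The following is an added conformance check written for this review; it is not part of the commit or of WebKit. It runs the receiver and description cases that a per-Symbol toString cache has to preserve: distinct symbols through one warmed-up call site, symbols allocated after warm-up, undefined and empty descriptions, well-known and registry symbols, a Symbol wrapper object as receiver (legal per spec, but not a SymbolUse cell, so it must take the slow path), and non-symbol receivers, which must throw TypeError rather than read a cached field. `noInline` and `testLoopCount` are assumed to be the jsc shell harness names used by the commit's own test; the script falls back to no-ops when they are absent so it also runs under node.

```javascript
// Added example, not part of the commit under review: a portable conformance
// check for the cases a per-Symbol toString cache must still get right.
// Runs under node or the jsc shell. `noInline` and `testLoopCount` are assumed
// jsc harness names (taken from the commit's test); fall back when absent.
const loopCount = typeof testLoopCount === "number" ? testLoopCount : 10000;
const noInlineFn = typeof noInline === "function" ? noInline : () => {};

// One shared call site so the JIT first sees a symbol-only value profile.
function callToString(v) { return v.toString(); }
noInlineFn(callToString);

function throwsTypeError(fn) {
  try { fn(); } catch (e) { return e instanceof TypeError; }
  return false;
}

function runChecks() {
  const a = Symbol("cocoa");
  const b = Symbol("tea");

  // Warm-up: alternate two symbols through the same call site. A cache keyed
  // per call site instead of per Symbol would hand back the wrong string.
  for (let i = 0; i < loopCount; ++i) {
    const s = (i & 1) ? a : b;
    const expected = (s === a) ? "Symbol(cocoa)" : "Symbol(tea)";
    if (callToString(s) !== expected) return { distinct: false };
  }

  return {
    distinct: true,
    // A Symbol allocated after warm-up starts with an empty cache field.
    late: callToString(Symbol("late")),
    // An undefined description and an empty one both print as "Symbol()".
    noDescription: callToString(Symbol()),
    emptyDescription: callToString(Symbol("")),
    wellKnown: callToString(Symbol.iterator),
    registered: callToString(Symbol.for("reg")),
    // A Symbol wrapper object is a legal receiver (thisSymbolValue unwraps it)
    // but is not a Symbol cell, so the speculated fast path cannot serve it.
    wrapper: Symbol.prototype.toString.call(Object(a)),
    // Non-symbol receivers must throw TypeError, never read a cached field.
    rejected: ["x", 1, true, {}, [], null, undefined]
      .every(v => throwsTypeError(() => Symbol.prototype.toString.call(v))),
    // Explicit String() is allowed; implicit ToString is still a TypeError.
    explicit: String(a),
    implicitThrows: throwsTypeError(() => "" + a),
    // The description getter must stay consistent with the cached string.
    description: a.description,
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Run it once in the jsc shell with the JIT enabled and once with `--useJIT=false`; any field that differs between the two runs is a cache or speculation bug, not a spec question.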
Significance
A new JIT intrinsic touching a GC-traced field creates a multi-layered attack surface: type speculation, GC liveness, and the slow-path write-back all have to be correct simultaneously.
New JIT intrinsic with GC-traced cache field: type speculation edges and the slow-path write-back boundary carry audit-worthy risk.