DFG node for `String.fromCodePoint`
93a4fbe
Source/JavaScriptCore/dfg/DFGOperations.cpp
+JSC_DEFINE_JIT_OPERATION(operationStringFromCodePointUntyped, EncodedJSValue, (JSGlobalObject* globalObject, EncodedJSValue encodedValue))
+{
+ ...
+ double codePointAsDouble = value.toNumber(globalObject);
+ OPERATION_RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+ uint32_t codePoint = static_cast<uint32_t>(codePointAsDouble);
+ if (codePoint != codePointAsDouble || codePoint > UCHAR_MAX_VALUE) [[unlikely]] {
+ throwRangeError(globalObject, scope, "Arguments contain a value that is out of range of code points"_s);
+ OPERATION_RETURN(scope, encodedJSValue());
+ }
+
+ if (U_IS_BMP(codePoint))
+ OPERATION_RETURN(scope, JSValue::encode(jsSingleCharacterString(vm, static_cast<char16_t>(codePoint))));
+
+ char16_t buffer[2] = { U16_LEAD(codePoint), U16_TRAIL(codePoint) };
+ OPERATION_RETURN(scope, JSValue::encode(jsNontrivialString(vm, String({ buffer, 2 }))));
+}
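Review bot: the range check at `uint32_t codePoint = static_cast<uint32_t>(codePointAsDouble);` depends on the cast yielding some value that then fails the `codePoint != codePointAsDouble` comparison, but converting a double that is negative, NaN, infinite or larger than UINT32_MAX to uint32_t is undefined behaviour in C++, so the comparison is being asked to catch exactly the inputs the cast is not guaranteed to survive. Suggest validating the double before truncating, e.g. `if (!(codePointAsDouble >= 0 && codePointAsDouble <= UCHAR_MAX_VALUE) || codePointAsDouble != std::trunc(codePointAsDouble))` (the negated form also rejects NaN, since every comparison with NaN is false), and only then converting to uint32_t for the U_IS_BMP / U16_LEAD / U16_TRAIL calls. The placement of `OPERATION_RETURN_IF_EXCEPTION` directly after `value.toNumber(globalObject)` is correct and worth a comment, since `toNumber` can run user `valueOf`/`toString` code and must not be separated from its exception check.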
JSC's tiered JIT (Baseline → DFG → FTL) recognises certain built-in functions during bytecode parsing and emits a dedicated IR node for them. String.fromCodePoint is harder to implement than String.fromCharCode. First, where fromCharCode simply truncates each argument with ToUint16, fromCodePoint must throw a RangeError for non-integer, negative, or >0x10FFFF inputs, so even an argument already proven to be Int32 still needs a range check (negative values and values above 0x10FFFF). Second, a code point in a supplementary plane must be emitted as a surrogate pair, i.e. a high and a low UTF-16 surrogate unit.
This commit adds the StringFromCodePoint DFG node and FromCodePointIntrinsic. Int32 arguments in [0, 0xFF] share the StringFromCharCode fast path through compileStringFromCharCodeOrCodePoint. Larger code points, surrogate pairs, and the RangeError cases fall back to operationStringFromCodePoint (the Int32 slow path) or operationStringFromCodePointUntyped. The node keeps NodeMustGenerate and is modelled as write(SideState), so the optimizer cannot treat it as a side-effect-free operation that could be hoisted or eliminated: it can throw, and on the untyped path ToNumber can run user code.
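As an added example (not code from the WebKit commit or from this page), the following JavaScript gives a spec-faithful reference implementation of String.fromCodePoint and a differential harness that compares it with the engine's built-in across the input classes the commit separates: the Int32 [0, 0xFF] fast path, BMP code points above 0xFF, surrogate pairs, and each RangeError case. The names fromCodePointRef, outcome, CASES and differentialCheck and the input list are constructed for this example; the hot loop assumes it is run in a tiering engine (for instance the jsc shell) so that the call site reaches the DFG/FTL and the intrinsic path, rather than only the interpreter, is exercised.

```javascript
// Added example, not part of the WebKit commit: a reference String.fromCodePoint
// that follows ECMA-262 step by step, plus a differential check against the
// engine's own built-in. Mismatches would point at the JIT intrinsic path.

function fromCodePointRef(...codePoints) {
  let result = "";
  for (const next of codePoints) {
    const nextCP = Number(next);                 // ToNumber(next): may run valueOf/toString
    if (!Number.isInteger(nextCP)) {             // IsIntegralNumber false: NaN, ±Infinity, 1.5
      throw new RangeError(`Invalid code point ${String(next)}`);
    }
    if (nextCP < 0 || nextCP > 0x10ffff) {       // outside Unicode range
      throw new RangeError(`Invalid code point ${String(next)}`);
    }
    if (nextCP <= 0xffff) {                      // BMP: a single UTF-16 code unit
      result += String.fromCharCode(nextCP);
    } else {                                     // supplementary plane: surrogate pair
      const cp = nextCP - 0x10000;
      const lead = 0xd800 + (cp >> 10);          // high surrogate
      const trail = 0xdc00 + (cp & 0x3ff);       // low surrogate
      result += String.fromCharCode(lead, trail);
    }
  }
  return result;
}

// Run one implementation on one argument list and normalise the outcome so a
// thrown RangeError can be compared the same way as a returned string.
function outcome(impl, args) {
  try {
    return { value: impl(...args) };
  } catch (e) {
    return { error: e.constructor.name };
  }
}

// Constructed inputs covering the paths the DFG node distinguishes.
const CASES = [
  [0x41], [0x00], [0xff],                    // Int32 in [0, 0xFF]: shared fromCharCode fast path
  [0x100], [0xac00], [0xffff],               // BMP above 0xFF: Int32 slow path
  [0x10000], [0x1f600], [0x10ffff],          // supplementary plane: surrogate pair
  [0x41, 0x1f600, 0xff],                     // mixed argument list
  [-1], [0x110000], [2 ** 32 + 0x41],        // out of range; the last wraps to 0x41 if truncated to uint32
  [1.5], [NaN], [Infinity], [-Infinity],     // non-integral
  ["65"], ["0x41"], [true], [null], [[]],    // ToNumber coercion on the untyped path
  [undefined], ["abc"], [{}],                // coerce to NaN, so RangeError
  [-0],                                      // integral and not < 0, so "\0"
  [],                                        // no arguments: ""
];

// Compare the built-in with the reference, repeating enough times that a
// tiering JIT compiles the call site. Returns one record per mismatching case.
function differentialCheck(iterations = 20000) {
  const mismatches = new Map();
  for (let i = 0; i < iterations; i++) {
    CASES.forEach((args, index) => {
      const builtin = outcome(String.fromCodePoint, args);
      const reference = outcome(fromCodePointRef, args);
      if ((builtin.value !== reference.value || builtin.error !== reference.error) &&
          !mismatches.has(index)) {
        mismatches.set(index, { args, builtin, reference });
      }
    });
  }
  return [...mismatches.values()];
}
```

In an audit of the commit, the interesting result is not the reference itself but a non-empty list from differentialCheck once the loop has been running long enough to tier up; run it with a low and a high iteration count so interpreter and JIT behaviour can be told apart.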
Significance
The change yields roughly a 5.2x speedup on the measured Latin-1 code point benchmark and brings String.fromCodePoint into the JIT intrinsic tier. A new DFG intrinsic has to be wired through clobberize, doesGC, safeToExecute, prediction propagation, loop unrolling, and both the 32-bit and 64-bit speculative JIT backends. Every one of those phase interactions is a potential miscompilation point.
Audit directions
New JIT code paths for a spec function with error semantics — edge cases in the fast path and runtime helpers warrant security investigation.