DFG/FTL ArrayUnshift intrinsic
5965900
JSTests/stress/array-unshift-intrinsic-ftl.js
+(function () {
+ function unshiftDouble(a, v) { return a.unshift(v); }
+ noInline(unshiftDouble);
+ for (var i = 0; i < testLoopCount; ++i) {
+ var array = [1.5];
+ shouldBe(unshiftDouble(array, 2.5), 2);
+ }
+ var array = [1.5];
+ var r = unshiftDouble(array, NaN);
+ shouldBe(r, 2);
+ shouldBe(array.length, 2);
+ shouldBe(Number.isNaN(array[0]), true);
+ shouldBe(array[1], 1.5);
+})();
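Review bot: coverage gap: this test only exercises the one-argument Double-array path, while the change description lists inline fast paths for 0-element unshift and for Int32 and Contiguous storage as well, none of which are hit here. Suggest adding a zero-argument call (`a.unshift()`), an Int32 array, a Contiguous array holding object elements (so the write-barrier path is executed), an empty array, and a multi-argument call expected to reach the slow path, each checked for return value, `length` and element order after the `testLoopCount` warm-up has tiered the function up.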
JSC uses a tiered JIT (Baseline → DFG → FTL). For hot built-in functions, the DFG bytecode parser recognises an "intrinsic" and emits a specialised DFG node. Array.prototype.unshift is more complex than push: it must shift all existing elements one or more positions toward higher indices, involving a memmove of the butterfly storage. For Contiguous arrays (which hold GC-managed JSValues), every moved element also requires a write barrier.
This commit implements Array.prototype.unshift as a first-class DFG and FTL intrinsic. Int32, Double, and Contiguous array storage types are supported, with inline fast paths for 0- and 1-element unshift; ArrayStorage falls back to the slow path. The intrinsic is wired through the bytecode parser, fixup, clobberize, the abstract interpreter, the 64-bit speculative JIT, and FTL B3 lowering.
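A differential self-check for the behaviour described above, added here as an example and not part of the commit or the JSTests harness: it compares the builtin against a plain index-arithmetic reference for each storage kind the intrinsic special-cases (Int32, Double, Contiguous) and for 0-, 1- and multi-argument call sites, including the NaN case from the test. The iteration count and the fixed-arity caller functions are assumptions chosen so a tiered JIT has a stable call site to compile.

```javascript
// Reference unshift written as plain index arithmetic, used to check the
// builtin's return value, resulting length and element order.
function referenceUnshift(arr, args) {
  const out = new Array(args.length + arr.length);
  for (let i = 0; i < args.length; ++i) out[i] = args[i];
  for (let i = 0; i < arr.length; ++i) out[args.length + i] = arr[i];
  return out;
}

// Object.is keeps NaN equal to NaN (a hole would read as undefined) and
// tells -0 from +0, so a mis-purified double or a lost element shows up.
function sameElements(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; ++i) if (!Object.is(a[i], b[i])) return false;
  return true;
}

// Constructed inputs: one shape per storage kind, rebuilt for every run.
const makers = {
  int32: () => [1, 2, 3],
  double: () => [1.5, 2.5],
  contiguous: () => [{ k: 1 }, "s", null],
};
// 0-, 1- and 2-argument calls (the 2-argument case should take the slow path).
const argSets = [[], [7], [NaN], [-0], [1, 2]];
// Fixed-arity callers so each JIT-compiled call site sees one argument count.
const callers = {
  0: (a) => a.unshift(),
  1: (a, v) => a.unshift(v),
  2: (a, v, w) => a.unshift(v, w),
};

// Runs every (storage kind, argument list) pair `iterations` times and
// returns the mismatches found; an empty list means the builtin agreed
// with the reference throughout, including after tier-up.
function checkUnshift(iterations = 20000) {
  const failures = [];
  for (const [kind, make] of Object.entries(makers)) {
    for (const args of argSets) {
      const call = callers[args.length];
      for (let i = 0; i < iterations; ++i) {
        const a = make();
        const expected = referenceUnshift(a, args);
        const ret = call(a, ...args);
        if (ret !== expected.length || !sameElements(a, expected)) {
          failures.push({ kind, args, iteration: i, got: a.slice(), expected });
          break;
        }
      }
    }
  }
  return failures;
}
```

Under a jsc shell built from this commit, raise the iteration count until the callers reach the FTL tier; under node the same checks run against V8.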
Significance
Adds a new JIT-compiled code path for a mutation-heavy array operation that shifts all existing elements rightward in memory — a historically fertile area for type confusion and bounds errors in JIT compilers.
Audit directions
New JIT-compiled memory-mutation fast paths with inline butterfly writes and GC barriers — several edge cases are worth security investigation.