DFG ArrayShift intrinsic node
dfe5dc6
The DFG bytecode parser can replace a generic JS function call with a hand-crafted node that the backend lowers to tightly optimised machine code. Each new intrinsic must be integrated into every phase that touches nodes: type fixup, clobber analysis, abstract interpretation, GC-interaction tracking, and the per-backend code generators. Array.shift() is semantically more complex than Array.pop() because it removes from the front: for length > 1 a full element-shift is required.
This commit adds ArrayShift as a new DFG intrinsic node, wired through the full DFG/FTL pipeline (fixup, clobberize, abstract interpreter, B3 lowering). The inline fast path covers only arrays of length 0 or 1; arrays of length ≥ 2 fall through to operationArrayShift at runtime. The fast path reads storage[0], stores empty over it, and decrements publicLength, bypassing the prototype-chain machinery.
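One way to regression-test the semantics such a fast path has to preserve, as an added example (not code from the commit or from WebKit): it compares shift() at a hot call site with a spec-style reference over constructed arrays. It goes beyond the lengths the text names by adding holes, an inherited index 0 and a frozen array; referenceShift, CASES, observe and runShiftChecks are hypothetical names.

```javascript
// Added example, not WebKit code: differential check of Array.prototype.shift
// against a spec-style reference. All names here are hypothetical.

// Reference: ECMAScript Array.prototype.shift written with generic property
// operations, so holes and inherited indexed properties are honoured.
function referenceShift(a) {
  'use strict'; // failed writes/deletes throw, like Set(..., true) and DeletePropertyOrThrow
  const len = a.length;
  if (len === 0) { a.length = 0; return undefined; }
  const first = a[0];
  for (let k = 1; k < len; k++) {
    if (k in a) a[k - 1] = a[k];
    else delete a[k - 1];
  }
  delete a[len - 1];
  a.length = len - 1;
  return first;
}

// Constructed inputs. Factories, so every iteration mutates a fresh array.
const proto = Object.assign(Object.create(Array.prototype), { 0: 'inherited' });
const CASES = {
  empty: () => [],                                  // length 0
  oneInt: () => [7],                                // length 1
  oneDouble: () => [1.5],
  oneObject: () => [{ tag: 'x' }],
  oneHole: () => [,],                               // length 1, index 0 is a hole
  holeWithProto: () => Object.setPrototypeOf([,], proto), // index 0 must come from proto
  twoInts: () => [1, 2],                            // length >= 2: runtime call per the page
  holeThenValue: () => [, 2],
  frozenOne: () => Object.freeze([7]),              // must throw and leave the array intact
};

// Everything observable about one shift: exception, result, length, own elements, a[0].
function observe(shiftFn, make) {
  const a = make();
  let r, threw = null;
  try { r = shiftFn(a); } catch (e) { threw = e.constructor.name; }
  return JSON.stringify([threw, typeof r, r, a.length, Object.entries(a), a[0]]);
}

function runShiftChecks(iterations = 5000) {
  const builtin = (a) => a.shift(); // one call site, repeated until it is hot
  const failures = [];
  for (const [name, make] of Object.entries(CASES)) {
    for (let i = 0; i < iterations; i++) {
      const got = observe(builtin, make), want = observe(referenceShift, make);
      if (got !== want) { failures.push({ name, got, want }); break; }
    }
  }
  return failures;
}
```

runShiftChecks() returns an empty array when the engine under test agrees with the reference on every case; each entry otherwise names the case and both observations.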
Significance
This adds JIT-compiled machine code for a heavily-used array operation that mutates the front of the storage — a previously C++-only path now executing as speculative machine code with its own GC interaction and OSR-exit boundaries.
Audit directions
New JIT intrinsic with direct butterfly writes and a narrow fast path — several edge cases in the inline path are worth security investigation.