[JSC] MapIterator / SetIterator should be handled in DFG

300fd8c

// Source/JavaScriptCore/builtins/MapIteratorPrototype.js: Removed.
// Source/JavaScriptCore/builtins/SetIteratorPrototype.js: Removed.
+ JSC::VM::fastMapKeysSentinel
+ JSC::VM::fastMapValuesSentinel
+ JSC::VM::fastSetEntriesSentinel
+ JSC::iteratorOpenTryFastImpl
+ JSC::iteratorNextTryFastImpl

JSC's DFG performs speculative optimizations based on observed types. 'Handling an iterator in DFG' means emitting IteratorOpen and IteratorNext IR nodes that lower directly to C++ fast-path calls instead of dispatching through JS function call machinery. The fast path is protected by watchpoints — weak references that fire and trigger OSR-exit when guarded objects (here, MapIteratorPrototype.next or Map.prototype[@@iterator]) are modified.

This commit moves MapIterator#next() and SetIterator#next() from builtin JavaScript to C++ and wires all six Map/Set iteration methods into DFG as first-class fast paths. The VM now carries three new sentinel values (fastMapKeysSentinel, fastMapValuesSentinel, fastSetEntriesSentinel) used to distinguish iteration modes. Previously next() ran through JS-level safety guarantees; moving to C++ with DFG integration eliminates that safety net — the C++ implementation must manually uphold every invariant the JS version got for free.

Significance

This is a large-surface JIT fast-path addition: new C++ iterator state machines, new DFG IR nodes, new watchpoint guards, and new cross-realm checks all land at once. Every layer is a potential source of type confusion, lifetime bugs, or guard-bypass.

Audit directions

a Aaaaaaaaaaaa Aaaaaaaaaaa Aaa Aaaaaa Aaaaa Aaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaaa Aaa Aaaaaaaa Aaaaaaaaa Aaaaaa Aaaaa Aaaaaaa Aaaaaaaaaa Aaaaaaaaa Aaaaa Aa Aaaaaaaaaaaaaaa Aaaaaaaaa Aaa Aa Aaaaaaaa Aaaaaaa Aaaaaaaaaa Aaaaaa Aaaaaaaaaa a Aaaaaaaaaaaa Aa Aaaaaaaaaaa Aaaaaaaaa Aaaaa Aaa Aaaaaaaaaa Aaaaaaaaa Aaaaa Aaa Aaaaaa Aaaa Aaa Aaaaaaa Aaaaaaaa
a Aaaaaaaaaaaaa Aaaa Aaaaaaa Aaa Aaaaaaaaaaaaaaaaaa Aaaaa Aaaaa Aaaaaaa Aaaaa Aaaaaaaa Aaaaaa Aaa Aaaaaaaaa Aaa Aaaa Aaaaaa Aaa Aaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaa Aa Aaaaaaaa Aaaaaa Aaa Aaaa Aaaa Aaaaaaaaa Aaaaa Aaaa Aaa Aaaaaaaaaa Aaaaaaaaa Aaaaaaa Aa a Aaaaaaaaa Aaaaaa Aaaaaaa
a Aaaaaaaaaaaaaaa Aaaaaaa Aaaaaaaaaaa Aaa Aaa Aaaa Aaaa Aaaaaaaa Aa Aaaaaaaa Aaaaa Aaaa Aaa Aaaaaaa Aaaaaaaa Aa Aaa Aaa Aa Aaaaaaaaaaaa Aaaaaaaa Aaaaaaaaaaaa Aaaaaaa Aaaaaaaaaaaaaa Aaaaa Aaaaa Aaa Aaa Aaaaaaaaaa Aa Aaa Aaaaaaaaaa Aaaaa Aaaaaaa Aaaaa Aaaaaaaaaaa Aaa Aa Aaa Aa Aaaaaa Aa Aaaaa a Aaaaaaa Aaaaaa
a Aaaa Aaaaaaaa Aaaaaaaaaaa Aaa Aaaaa Aaa Aaaaaaaaa Aaaaaaaaa Aaa Aaaa Aaaa Aaaa Aa Aaaaaaa Aaaaaaaaa Aa Aaa Aaaa Aaaa Aaaaaaaaaaaaa Aaaaa Aa Aaaaaaa Aaaaaaaaa Aaaaaaaaaaa Aaaaaaa Aaa Aaaa Aaa Aaaaaa Aa Aaaaaaaaaa Aaaaaa Aaaa Aaaaaaaa Aaa Aaaaaaaa Aaaaa Aaa Aaaaaaaa Aaaa Aaaaaaaaaa
a Aaaaaaaaaa Aaaaaaaaa Aaaa Aaa Aaaaaaaaaaa Aaaaaaaa Aaa Aa Aaaaaaaaaa Aaaaaaaaaaaaa Aaa Aaaaaaaaaaa Aaaa Aaaaaaaaaaa Aaaaaaaa Aaaaa Aaaa Aaa Aaa Aaaaaa Aaaaaa Aaa Aaaaaaaa Aaaaaaaa Aaaaaa Aaaaaaa Aaaa Aaaaa Aaaaaaa Aaaaaaa Aaaaaaaa Aaa Aaaaaaaaa Aaaaaaaaaaaa Aa Aaaaaaaaa Aaaaaaaaaa Aaaaaaa Aaaaaaaaaaaaaa Aaa Aaa Aaaaa Aaaaaaaaaaaaaaa

🔒

New JIT-generated code for security-critical iterator operations — several edge cases in the fast path and its guards are worth audit investigation.

Subscribe to read more