[JSC] Implement `%RegExpStringIteratorPrototype%.next` in C++
1452a43
JSC's DFG and FTL tiers inline frequently called builtins as first-class IR nodes, letting the compiler reason about types and elide JS call overhead. The "primordial exec" guard is a watchpoint: when RegExp.prototype.exec is still the original native implementation, the fast path calls execInline directly, bypassing the observable JS exec call. If exec is ever replaced — even mid-iteration after the call site has tiered up — the watchpoint fires and JSC must OSR-exit to the slow path.
JSTests/stress/regexp-string-iterator-next-adversarial.js
+ class Species extends RegExp {
+ static get [Symbol.species]() {
+ return function (p, f) {
+ matcher = new RegExp(p, f);
+ if (configure)
+ configure(matcher);
+ return matcher;
+ };
+ }
+ }
This commit migrates %RegExpStringIteratorPrototype%.next from a JavaScript builtin (now deleted) to a native C++ implementation, adding a new RegExpStringIteratorNext DFG node compiled inline in both DFG and FTL tiers, with a fast path that calls RegExpObject::execInline directly when the iterated RegExp still holds the primordial exec.
Significance
Every String.prototype.matchAll loop now routes through a new JIT-inlined C++ hot path with watchpoint-gated fast/slow branching, yielding up to ~19% throughput improvement on matchAll benchmarks.
Audit directions
Aaa Aaa Aaaa Aaaaaaa Aaaaa Aaaaaaaa Aaaaaaaaaaa Aaaaaaaa Aaaaaaaaaaaa Aaaa a Aaaa Aaaaaaaaaaaaaaaaa Aaa Aaaa Aaaa Aaaaaa Aaaaaaaaaaaaaaa Aaaaaa Aaaaaa Aaaaaaaaaaa Aa Aaaaaaaaaaaaa Aa Aa Aaaa Aaaaaaaaaaa Aa Aa Aaaaa Aaaaaaaaaaa Aaa Aaaaaaaaaa Aaaaaaa Aaa Aaaaa Aaa Aaa Aaa Aa Aaa Aaaaaaa Aaa Aaaaaaaa Aaaaa Aaaaa Aaaaaaa Aaaa Aaa Aaaaa Aaaa Aaaaaaaaaaaaaaa Aaa Aaaaaaaaaaa Aaaa Aaaaaaaaa Aaaaaaaaaaaaa Aaaa Aaaaaa Aaa Aaaa Aaaaaaaa Aaaaaa Aa Aaa Aaaaaaa Aaaaaaaa Aa Aaaaaa Aa Aaaaaaaa Aaaaaaaa Aaaaaaaaaaaaa Aaaaaaaa Aaa Aaaa Aaaa Aaaaaaaaaaaaaaaa Aaaaaaaa Aaaaaa Aaaaaaa Aaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aa Aaa Aaaaaa Aaa Aaaaaaa Aa Aaaaaa Aaa Aaaaaaaaaa Aaa Aaaaaaaaaa Aaa Aaa Aaaa a Aaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaa Aaaaaaaa Aaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaa Aaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaa Aa Aaaaaaaaaaaaaaaaaaaaaaa Aaa Aa Aaa Aaaaaa Aaaaaaaa Aaaa Aaaaaaaaaaaaa Aaaaaaaaaaaaaa Aaaaaaaa Aaaa Aa Aaaa Aaa Aaaa Aaaa Aaaaa Aaaaa Aaaaaaaaaa Aaaaaaaaa Aaaaaaa Aa Aaaaaaaa Aaaaa Aa Aaaaaa Aaaaaaa Aaaa Aaaaaaaaaaaaa Aaaaaaa Aaaaaaaa
🔒New DFG/FTL inline node with watchpoint-gated fast path and inlined object allocation — several edge cases in the fast/slow path transitions are worth investigation.
Subscribe to read more