Summary: | Array.prototype.concat should allocate output storage only once. | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Andreas Kling <kling> | ||||||
Component: | JavaScriptCore | Assignee: | Andreas Kling <kling> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Normal | CC: | commit-queue, kling, oliver | ||||||
Priority: | P2 | Keywords: | Performance | ||||||
Version: | 528+ (Nightly build) | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Bug Depends on: | 131621 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Description
Andreas Kling
2014-04-14 01:30:29 PDT
Created attachment 229273 [details]
Patch
Comment on attachment 229273 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:421 > + unsigned finalArraySize = 0; This is unsigned. > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423 > + for (size_t i = 0; i <= argCount; ++i) { Yet this is size_t. What guarantees we don’t overflow the unsigned? > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:428 > + curArg = exec->uncheckedArgument(i); A little lame to do this one extra time at the end of the loop but then discard the result. > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:431 > + JSArray* arr = constructEmptyArray(exec, nullptr, finalArraySize); Go nuts and call this array instead of arr? (In reply to comment #2) > (From update of attachment 229273 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review > > > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:421 > > + unsigned finalArraySize = 0; > > This is unsigned. > > > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423 > > + for (size_t i = 0; i <= argCount; ++i) { > > Yet this is size_t. What guarantees we don’t overflow the unsigned? Let's Checked<> it. Committed r167249: <http://trac.webkit.org/changeset/167249> Comment on attachment 229273 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review >> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423 >> + for (size_t i = 0; i <= argCount; ++i) { > > Yet this is size_t. What guarantees we don’t overflow the unsigned? Why <= argCount? That means we always walk off the end of the argument list. What am i missing? >> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:428 >> + curArg = exec->uncheckedArgument(i); > > A little lame to do this one extra time at the end of the loop but then discard the result. ah i see. do {} while loop instead maybe? > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:442 > for (unsigned k = 0; k < length; ++k) { > - JSValue v = getProperty(exec, curObject, k); > + JSValue v = getProperty(exec, currentArray, k); currentArray is an object, i would do a canGetFastIndex, and fastGet -- so two loops but the get should be much faster. Re-opened since this is blocked by bug 131621 Created attachment 229291 [details]
Patch
Derp, let's not read past the last argument, shall we. Wish we had a debug-ews to tell me I'm doing dumb stuff sometimes.
Comment on attachment 229291 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=229291&action=review > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:444 > - JSValue v = getProperty(exec, curObject, k); > + JSValue v = getProperty(exec, currentArray, k); Follow on patch to optimise this get Committed r167255: <http://trac.webkit.org/changeset/167255> |