Bug 131609

Summary: Array.prototype.concat should allocate output storage only once.
Product: WebKit Reporter: Andreas Kling <kling>
Component: JavaScriptCoreAssignee: Andreas Kling <kling>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, kling, oliver
Priority: P2 Keywords: Performance
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 131621    
Bug Blocks:    
Attachments:
Description Flags
Patch
oliver: review-
Patch oliver: review+

Description Andreas Kling 2014-04-14 01:30:29 PDT 
Array.prototype.concat should allocate output storage only once.
Comment 1 Andreas Kling 2014-04-14 01:32:40 PDT 
Created attachment 229273 [details]
Patch
Comment 2 Darin Adler 2014-04-14 01:36:20 PDT 
Comment on attachment 229273 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:421
> +    unsigned finalArraySize = 0;

This is unsigned.

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423
> +    for (size_t i = 0; i <= argCount; ++i) {

Yet this is size_t. What guarantees we don’t overflow the unsigned?

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:428
> +        curArg = exec->uncheckedArgument(i);

A little lame to do this one extra time at the end of the loop but then discard the result.

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:431
> +    JSArray* arr = constructEmptyArray(exec, nullptr, finalArraySize);

Go nuts and call this array instead of arr?
Comment 3 Andreas Kling 2014-04-14 09:20:28 PDT 
(In reply to comment #2)
> (From update of attachment 229273 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review
> 
> > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:421
> > +    unsigned finalArraySize = 0;
> 
> This is unsigned.
> 
> > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423
> > +    for (size_t i = 0; i <= argCount; ++i) {
> 
> Yet this is size_t. What guarantees we don’t overflow the unsigned?

Let's Checked<> it.
Comment 4 Andreas Kling 2014-04-14 09:20:37 PDT 
Committed r167249: <http://trac.webkit.org/changeset/167249>
Comment 5 Oliver Hunt 2014-04-14 09:40:28 PDT 
Comment on attachment 229273 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review

>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423
>> +    for (size_t i = 0; i <= argCount; ++i) {
> 
> Yet this is size_t. What guarantees we don’t overflow the unsigned?

Why <= argCount? That means we always walk off the end of the argument list.  What am i missing?

>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:428
>> +        curArg = exec->uncheckedArgument(i);
> 
> A little lame to do this one extra time at the end of the loop but then discard the result.

ah i see. do {} while loop instead maybe?

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:442
>              for (unsigned k = 0; k < length; ++k) {
> -                JSValue v = getProperty(exec, curObject, k);
> +                JSValue v = getProperty(exec, currentArray, k);

currentArray is an object, i would do a canGetFastIndex, and fastGet -- so two loops but the get should be much faster.
Comment 6 WebKit Commit Bot 2014-04-14 10:23:58 PDT 
Re-opened since this is blocked by bug 131621
Comment 7 Andreas Kling 2014-04-14 10:50:20 PDT 
Created attachment 229291 [details]
Patch

Derp, let's not read past the last argument, shall we. Wish we had a debug-ews to tell me I'm doing dumb stuff sometimes.
Comment 8 Oliver Hunt 2014-04-14 10:51:51 PDT 
Comment on attachment 229291 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=229291&action=review

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:444
> -                JSValue v = getProperty(exec, curObject, k);
> +                JSValue v = getProperty(exec, currentArray, k);

Follow on patch to optimise this get
Comment 9 Andreas Kling 2014-04-14 11:04:55 PDT 
Committed r167255: <http://trac.webkit.org/changeset/167255>