Bug 151467

Summary: implement op_get_rest_length so that we can allocate the rest array with the right size from the start
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, fpizlo, ggaren, gskachkov, keith_miller, mark.lam, msaboff, oliver, sukolsak, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 151701    
Bug Blocks: 151454    
Attachments:
Description Flags
patch ggaren: review+

Saam Barati
Reported 2015-11-19 15:56:08 PST
This will allow other optimizations.
Attachments
patch (33.96 KB, patch)
2015-11-20 01:13 PST, Saam Barati 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2015-11-20 01:13:19 PST
Created attachment 265945 [details] patch
Geoffrey Garen
Comment 2 2015-11-20 10:20:30 PST
Comment on attachment 265945 [details] patch r=me
Mark Lam
Comment 3 2015-11-20 10:27:45 PST
Comment on attachment 265945 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=265945&action=review > Source/JavaScriptCore/ChangeLog:10 > + it might be a constant value in the precense of inlining in the DFG. typo: precense ==> presence. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:5353 > SpeculateCellOperand array(this, node->child1()); > - GPRReg arrayGPR = array.gpr(); > - > - GPRTemporary argumentsLength(this); > - GPRReg argumentsLengthGPR = argumentsLength.gpr(); > - > GPRTemporary argumentsStart(this); > + SpeculateStrictInt32Operand arrayLength(this, node->child2()); Do we really need a speculation (i.e. runtime check) for the int32-ness of the array length? Since this value can only be populated with the result of op_get_rest_length, doesn't that already ensure that it is always an int32? Would a DFG compile time assertion suffice here instead? Hmmm, for that matter, can the array operand above be anything but a JSArray since the bytecode generator only passes an array as an operand to op_copy_rest. Will we ever have a chance to invoke op_copy_rest on variable input? If not, would a DFG compile time assertion suffice here as well? > Source/JavaScriptCore/jit/JITOpcodes.cpp:1415 > + unsigned numParamsToSkip = currentInstruction[2].u.unsignedValue; > + load32(payloadFor(JSStack::ArgumentCount), regT0); > + sub32(TrustedImm32(1), regT0); > + Jump zeroLength = branch32(LessThanOrEqual, regT0, TrustedImm32(numParamsToSkip)); > + sub32(TrustedImm32(numParamsToSkip), regT0); Technically, you should use Imm32(numParamsToSkip) here instead of TrustedImm32(...). That is because the numParamsToSkip is defined by the user and can be any value. Hence, we want to blind that constant if necessary. In practice for non-malicious code, numParamsToSkip will tend to be small and not need blinding. But if you use Imm32(), it will take care of figuring that out for you.
Saam Barati
Comment 4 2015-11-20 15:24:48 PST
Comment on attachment 265945 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=265945&action=review >> Source/JavaScriptCore/jit/JITOpcodes.cpp:1415 >> + sub32(TrustedImm32(numParamsToSkip), regT0); > > Technically, you should use Imm32(numParamsToSkip) here instead of TrustedImm32(...). That is because the numParamsToSkip is defined by the user and can be any value. Hence, we want to blind that constant if necessary. In practice for non-malicious code, numParamsToSkip will tend to be small and not need blinding. But if you use Imm32(), it will take care of figuring that out for you. Thanks for letting me know. I didn't know this. I'll make the change and also in the other places I do TrustedImm32 w.r.t rest parameters.
Saam Barati
Comment 5 2015-11-30 12:37:41 PST
landed in: http://trac.webkit.org/changeset/192814
Note You need to log in before you can comment on or make changes to this bug.