Bug 158769

Created attachment 281315 [details]
Patch

Created attachment 281318 [details]
JS-benchmarks

Created attachment 281319 [details]
JS-Bench benchmark

Comment on attachment 281315 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=281315&action=review

> Source/JavaScriptCore/ChangeLog:9
> +        do so it was necessary to move the Array.prototype.concat function

Please add a comma after "so".

> Source/JavaScriptCore/ChangeLog:39
> +        Two new debugging tools are also added to the jsc cli. One is a

Should "cli" be "CLI"?

> Source/JavaScriptCore/ChangeLog:42
> +        version of the print function with a private name so it can be
> +        used for debugging builtins. The other is dumpDataLog, which takes
> +        a JSValue and runs our dataLog function on it.

You can already do this by using JSC_useDollarVM=1, and in builtin code do:
     @$vm.print("The value of this var is ", $vm.value(myVar), "\n");

Do we really need to add another version of it (especially since this is not code that is supposed to be left in the builtin)?  Using $vm also has the advantage that it will be disabled by default, and if you forget to take the debugging code out, the tests will barf with an undefined $vm error.

NOTE: JSC_useDollarVM is a "Restricted" option.  That means, if you want to use it on release builds, you will need to modify allowRestrictedOptions() in Options.cpp to return true.  It is built in by default on debug builds.

Comment on attachment 281315 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=281315&action=review

>> Source/JavaScriptCore/ChangeLog:42
>> +        a JSValue and runs our dataLog function on it.
> 
> You can already do this by using JSC_useDollarVM=1, and in builtin code do:
>      @$vm.print("The value of this var is ", $vm.value(myVar), "\n");
> 
> Do we really need to add another version of it (especially since this is not code that is supposed to be left in the builtin)?  Using $vm also has the advantage that it will be disabled by default, and if you forget to take the debugging code out, the tests will barf with an undefined $vm error.
> 
> NOTE: JSC_useDollarVM is a "Restricted" option.  That means, if you want to use it on release builds, you will need to modify allowRestrictedOptions() in Options.cpp to return true.  It is built in by default on debug builds.

Correction: the $vm example should be:
    @$vm.print("The value of this var is ", @$vm.value(myVar), "\n");

I was missing the @ before $vm in the @$vm.value() case.

> Source/JavaScriptCore/builtins/ArrayPrototype.js:712
> +        if (@isArrayConstructor(constructor) && @Array !== constructor)
> +            constructor = @Array;

Perf-wise (for the LLINT and baseline JIT), is it better to do the "@Array !== constructor" check, or to just skip it and just do the assignment?  I suspect its better to skip the second condition.

> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:-4135
> -

Please revert.

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1017
> +                return false;

Please fix indentation.

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1050
> +            ASSERT(vm.exception());

Is this assertion correct?  moveElement() can do a getProperty() on the source, and getProperty() can invoke getters.  Hence, an exception can be thrown, no?

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1060
> +        RELEASE_ASSERT(result->appendMemcpy(exec, vm, 0, first));

Putting this statement in a RELEASE_ASSERT suggests that it is optional when that is not the case.  Can you express this as "bool appendMemcpySucceeded = ..." and "RELEASE_ASSERT(appendMemcpySucceeded);" instead?

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1076
> +    // This code assumes that the neither array has set Symbol.isConcatSpreadable. If the first array

Remove "the" before "neither".

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1126
> +    } else if (type != ArrayWithUndecided) {
> +        WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();
> +        memcpy(buffer, firstButterfly->contiguous().data(), sizeof(JSValue) * firstArraySize);
> +        memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);
> +    }

I presume (type == ArrayWithUndecided) means that the length of both are 0.  Can you make that explicit here with an else case that asserts the following?

       ASSERT(!firstArraySize && !secondArraySize);

> Source/JavaScriptCore/runtime/JSArray.cpp:411
> +            ASSERT(copyType == ArrayWithUndecided);
> +            return true;

Please add an assertion here that makes it clear that ArrayWithUndecided means 0 length:
    ASSERT(!otherArray->length());

> Source/JavaScriptCore/runtime/JSArray.cpp:427
> +    if (length() < newLength) {
> +        throwOutOfMemoryError(exec);
> +        return false;
> +    }

Shouldn't ensureLength() already guarantee that (length() >= newLength)?  You should move this throwOutOfMemoryError() into the fail case for ensureLength() above.

> Source/JavaScriptCore/runtime/JSArrayInlines.h:29
> +IndexingType JSArray::memCopyWithIndexingType(IndexingType other)

This name "memCopyWithIndexingType" is a bit misleading because it implies that it will do a memcpy.  How about naming it something like "resultIndexingTypeForMemCopy" or "computeResultIndexingTypeForMemCopy"instead?

Created attachment 281404 [details]
Patch

Created attachment 281407 [details]
Patch

Attachment 281407 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1064:  Code inside a namespace should not be indented.  [whitespace/indent] [4]
Total errors found: 1 in 60 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 281410 [details]
Patch

Comment on attachment 281410 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=281410&action=review

r=me with one fix (assuming EWS bots will be happy).

> Source/JavaScriptCore/builtins/ArrayPrototype.js:713
> +        if (@isObject(constructor)) {

I think you should make this an "else if" since @isObject() should always fail for @undefined.

Created attachment 281415 [details]
Patch for landing

Comment on attachment 281415 [details]
Patch for landing

Attachment 281415 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/1509985

New failing tests:
js/array-species-different-globalobjects.html

Created attachment 281419 [details]
Archive of layout-test-results from ews101 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-yosemite  Platform: Mac OS X 10.10.5

Comment on attachment 281415 [details]
Patch for landing

Attachment 281415 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/1509969

New failing tests:
js/array-species-different-globalobjects.html

Created attachment 281420 [details]
Archive of layout-test-results from ews125 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.4

Comment on attachment 281415 [details]
Patch for landing

Attachment 281415 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/1509990

New failing tests:
js/array-species-different-globalobjects.html

Created attachment 281421 [details]
Archive of layout-test-results from ews105 for mac-yosemite-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-yosemite-wk2  Platform: Mac OS X 10.10.5

Comment on attachment 281415 [details]
Patch for landing

Attachment 281415 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/1509987

New failing tests:
js/array-species-different-globalobjects.html
js/kde/Array.html

Created attachment 281422 [details]
Archive of layout-test-results from ews113 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews113  Port: mac-yosemite  Platform: Mac OS X 10.10.5

Created attachment 281426 [details]
Patch for landing

> I presume (type == ArrayWithUndecided) means that the length of both are 0. 
> Can you make that explicit here with an else case that asserts the following?
> 
>        ASSERT(!firstArraySize && !secondArraySize);
> 
> > Source/JavaScriptCore/runtime/JSArray.cpp:411
> > +            ASSERT(copyType == ArrayWithUndecided);
> > +            return true;
> 
> Please add an assertion here that makes it clear that ArrayWithUndecided
> means 0 length:
>     ASSERT(!otherArray->length());
> 

These assertions are not right. We use ArrayWithUndecided for arrays with non-zero length but no elements in them. For instance, Array(5).

(In reply to comment #21)
> > Please add an assertion here that makes it clear that ArrayWithUndecided
> > means 0 length:
> >     ASSERT(!otherArray->length());
> > 
> 
> These assertions are not right. We use ArrayWithUndecided for arrays with
> non-zero length but no elements in them. For instance, Array(5).

You're right.  Sorry for my mistake.  Please remove those asserts.

Comment on attachment 281426 [details]
Patch for landing

Clearing flags on attachment: 281426

Committed r202125: <http://trac.webkit.org/changeset/202125>

All reviewed patches have been landed.  Closing bug.

I am working on confirming but this looks like a 1% PLT regression on iOS :(

This also appears to be 1% JSBench regression on iPhone 6 Plus.

(In reply to comment #25)
> I am working on confirming but this looks like a 1% PLT regression on iOS :(

Confirmed slight regression on iOS.