RESOLVED FIXED 155391
We should be able to eliminate cloned arguments objects that use the length property 
https://bugs.webkit.org/show_bug.cgi?id=155391
Summary We should be able to eliminate cloned arguments objects that use the length p...
Keith Miller
Reported 2016-03-12 08:13:08 PST
We should be able to eliminate cloned arguments objects that use the length property
Attachments
Patch (37.92 KB, patch)
2016-03-14 10:41 PDT, Keith Miller 		no flags
DetailsFormatted DiffDiff
Benchmark results (65.92 KB, text/plain)
2016-03-14 10:47 PDT, Keith Miller 		no flags
Details
Patch for landing (39.10 KB, patch)
2016-03-14 12:54 PDT, Keith Miller 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Keith Miller
Comment 1 2016-03-14 10:41:31 PDT
Created attachment 273989 [details] Patch
WebKit Commit Bot
Comment 2 2016-03-14 10:44:04 PDT
Attachment 273989 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:122: Place brace on its own line for function definitions. [whitespace/braces] [4] ERROR: Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:129: Place brace on its own line for function definitions. [whitespace/braces] [4] Total errors found: 2 in 26 files If any of these errors are false positives, please file a bug against check-webkit-style.
Keith Miller
Comment 3 2016-03-14 10:47:21 PDT
Created attachment 273991 [details] Benchmark results !s appear to be noise on reruns.
Geoffrey Garen
Comment 4 2016-03-14 11:19:00 PDT
Comment on attachment 273989 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=273989&action=review You should add a performance regression test, and also some adversarial tests that modify the structure of the arguments object in interesting ways and verify that doing so still gets the right behavior. > Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:434 > + // Meh, this is kind of hackish - we use an Identity so that we can reuse the > + // getArrayLength() helper. I don't think you need this comment. Converting to identity is a pretty common idiom. > Source/JavaScriptCore/runtime/ClonedArguments.cpp:44 > ClonedArguments* ClonedArguments::createEmpty( All of the create functions in this file should end by ASSERTing that their structure is equal to globalObject->clonedArgumentsStructure(). > Source/JavaScriptCore/runtime/ClonedArguments.cpp:140 > + // FIXME: we should do a better job at choosing the indexing type for cloned arguments. We always choose contiguous > + // since it enables arguments elimination with the length property. https://bugs.webkit.org/show_bug.cgi?id=155396 This comment would be better if it just explained the rationale for the current way of doing things, rather than half-explaining and half-criticizing: // We use contiguous storage because optimizations in the FTL assume that cloned arguments creation always produces the same initial structure. It's not necessarily obvious whether this should change or not. We should reserve FIXME for cases when we know that something should change.
Saam Barati
Comment 5 2016-03-14 11:37:13 PDT
Comment on attachment 273989 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=273989&action=review > Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:126 > + if (m_candidates.remove(edge.node()) && verbose) > + dataLog("eliminating candidate: ", edge.node(), " because it escapes from: ", source, "\n"); Style: I'm not a big fan of having a logging branch and a necessary operation in the same "if" statement. I think it'd be better to assign the result to a local and branch on that and "verbose"
Keith Miller
Comment 6 2016-03-14 12:52:03 PDT
Comment on attachment 273989 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=273989&action=review >> Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:126 >> + dataLog("eliminating candidate: ", edge.node(), " because it escapes from: ", source, "\n"); > > Style: I'm not a big fan of having a logging branch and a necessary operation in the same "if" statement. > I think it'd be better to assign the result to a local and branch on that and "verbose" Fair enough, fixed. >> Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:434 >> + // getArrayLength() helper. > > I don't think you need this comment. Converting to identity is a pretty common idiom. Removed. >> Source/JavaScriptCore/runtime/ClonedArguments.cpp:44 >> ClonedArguments* ClonedArguments::createEmpty( > > All of the create functions in this file should end by ASSERTing that their structure is equal to globalObject->clonedArgumentsStructure(). Added. >> Source/JavaScriptCore/runtime/ClonedArguments.cpp:140 >> + // since it enables arguments elimination with the length property. https://bugs.webkit.org/show_bug.cgi?id=155396 > > This comment would be better if it just explained the rationale for the current way of doing things, rather than half-explaining and half-criticizing: > > // We use contiguous storage because optimizations in the FTL assume that cloned arguments creation always produces the same initial structure. > > It's not necessarily obvious whether this should change or not. We should reserve FIXME for cases when we know that something should change. Ok, I changed it to your comment.
Keith Miller
Comment 7 2016-03-14 12:54:57 PDT
Created attachment 274004 [details] Patch for landing
WebKit Commit Bot
Comment 8 2016-03-14 13:55:02 PDT
Comment on attachment 274004 [details] Patch for landing Clearing flags on attachment: 274004 Committed r198154: <http://trac.webkit.org/changeset/198154>
WebKit Commit Bot
Comment 9 2016-03-14 13:55:05 PDT
All reviewed patches have been landed. Closing bug.
Ryosuke Niwa
Comment 10 2016-03-14 22:55:46 PDT
Looks like this was 2-5% improvement on Speedometer!
Note You need to log in before you can comment on or make changes to this bug.