Open Bug 1477210 Opened 7 years ago Updated 1 year ago

Support more than 375 arguments for funapply without a bailout on every compilation

Categories

(Core :: JavaScript Engine: JIT, enhancement, P5)

Tracking

Tracking Status
firefox63 --- affected

People

(Reporter: anba, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: perf)

CodeGenerator::visitApplyArgsGeneric and CodeGenerator::visitApplyArrayGeneric currently perform a bailout if the arguments/array is longer than 375 elements [1]. The bailout occurs after every recompilation, because when compiling neither the arguments/array length nor previous bailouts are taken into account.

The following test case (adapted from [2], spread operator was replaced with apply b/c of bug 1382370), takes 110ms for me with the default CHUNK_SIZE of 10000, but only 60ms with a CHUNK_SIZE of 375.

[1] https://searchfox.org/mozilla-central/rev/8384a6519437f5eefbe522196f9ddf5c8b1d3fb4/js/src/jit/CodeGenerator.cpp#5072,5089
[2] https://github.com/tc39/test262/blob/master/harness/regExpUtils.js

---
function buildString({ loneCodePoints, ranges }) {
  const CHUNK_SIZE = 10000;
  // const CHUNK_SIZE = 375;
  let result = String.fromCodePoint.apply(null, loneCodePoints);
  for (const [start, end] of ranges) {
    const codePoints = [];
    for (let length = 0, codePoint = start; codePoint <= end; codePoint++) {
      codePoints[length++] = codePoint;
      if (length === CHUNK_SIZE) {
        result += String.fromCodePoint.apply(null, codePoints);
        codePoints.length = length = 0;
      }
    }
    result += String.fromCodePoint.apply(null, codePoints);
  }
  return result;
}

var t = dateNow();
var str = buildString({ranges: [[0, 0x10ffff]], loneCodePoints: []})
print("time:", dateNow() - t)
---

The reason for this limitation is that arguments are living on the C stack, which is a spare resource when we are in JIT code. Increasing this limit can have security implications, which can lead to privilege escalation. The preferred way of doing it would be to add JIT support for a heap allocated list of arguments, and add an extra bit in the descriptor for managing it.
Keywords: perf
Priority: -- → P3
Severity: normal → S3
Blocks: sm-jits
Severity: S3 → N/A
Priority: P3 → P5