Closed Bug 1765397 Opened 3 years ago Closed 3 years ago

Optimise Array.prototype.slice on arguments objects

Categories

(Core :: JavaScript Engine: JIT, enhancement)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
101 Branch
Tracking Flags:
Tracking Status
firefox101 --- fixed

People

(Reporter: anba, Assigned: anba)

References

Details

Attachments

(7 files)

Bug 1765397 - Part 1: Add CacheIR support for Array.prototype.slice on arguments objects. r=iain!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1765397 - Part 2: Transpile ArgumentsSliceResult for Warp. r=iain!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1765397 - Part 3: Scalar replace ArgumentsSlice on frame arguments. r=iain!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1765397 - Part 4: Scalar replace ArgumentsSlice on inline arguments. r=iain!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1765397 - Part 5: Teach MMinMax that ArgumentsLength is never negative. r=iain!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1765397 - Part 6: Inline CodeGenerator::emitRest(). r=iain!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1765397 - Part 7: Optimise slice when no end-index is present. r=iain!
48 bytes, text/x-phabricator-request
Details | Review

A while ago I was checking when we fail to scalar replace the arguments object. I found two common code patterns:

  • super(...arguments) (bug 1740737)
  • Array.prototype.slice.call(arguments)

Optimising Array.prototype.slice.call(arguments) was blocked on bug 1738413, so now we can finally tackle this issue.

The next patches will add Warp and scalar replacement support. The tests are based
on the existing arguments objects tests and cover the following cases:

  1. begin and end index are both missing,
  2. begin index is positive,
  3. begin index is negative,
  4. begin and end index are both present.

Transpile "ArgumentsSliceResult" similar to how "PackedArraySliceResult" is
optimised.

Depends on D144041

Adds support to scalar replace MArgumentsSlice for frame arguments. The next
patch will add support for inlined arguments.

Depends on D144042

This change ensures the MMinMax nodes added in part 3 can be folded away.

Depends on D144044

There used to be multiple callers to emitRest() (bug 867471), but now
there's only a single caller, so we can inline it again.

Depends on D144047

This is the case which actually happens in practice and we should aim to
provide support for.

Depends on D144048

Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/ba4b24512db8 Part 1: Add CacheIR support for Array.prototype.slice on arguments objects. r=iain https://hg.mozilla.org/integration/autoland/rev/aeb3d90e0434 Part 2: Transpile ArgumentsSliceResult for Warp. r=iain https://hg.mozilla.org/integration/autoland/rev/b037127d38f3 Part 3: Scalar replace ArgumentsSlice on frame arguments. r=iain https://hg.mozilla.org/integration/autoland/rev/4676e18c3cf0 Part 4: Scalar replace ArgumentsSlice on inline arguments. r=iain https://hg.mozilla.org/integration/autoland/rev/1e2bfa74a88e Part 5: Teach MMinMax that ArgumentsLength is never negative. r=iain https://hg.mozilla.org/integration/autoland/rev/257207e109b2 Part 6: Inline CodeGenerator::emitRest(). r=iain https://hg.mozilla.org/integration/autoland/rev/201252c849f4 Part 7: Optimise slice when no end-index is present. r=iain
Regressions: 1766225
Regressions: CVE-2022-38475
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: