Add MIRType::Iterator
Categories
(Core :: JavaScript Engine: JIT, task, P3)
Tracking
()
People
(Reporter: iain, Assigned: iain)
References
(Blocks 1 open bug)
Details
(Whiteboard: [sp3])
Attachments
(7 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
In bug 1799025, we improved our optimization of for-in iterators in Ion. Iterators in Ion are represented as a PropertyIteratorObject wrapping a NativeIterator, which means that we have to load the NativeIterator out of the wrapper every time we touch it. As a follow up, we could consider adding MIRType::Iterator and using an unwrapped NativeIterator instead.
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 1•2 years ago
|
||
|
|
Assignee | |
Comment 2•2 years ago
|
||
I initially intended to change ValueToIterator and ObjectToIterator to return MIRType::NativeIterator, but that change has to be plumbed through code to rewrap the native iterator when reading the snapshot. After writing most of that patch, I realized that it was much simpler to only change the consumers, let the TypePolicy insert the necessary conversions, and keep the snapshot unchanged. In practice, we end up with a single UnwrapIterator hoisted up just below the ValueToIterator/ObjectToIterator.
Depends on D165478
|
|
Assignee | |
Comment 3•2 years ago
|
||
Depends on D165479
|
|
Assignee | |
Comment 4•2 years ago
|
||
Depends on D165480
|
|
Assignee | |
Comment 5•2 years ago
|
||
This simplifies the next two patches.
Depends on D165481
|
|
Assignee | |
Comment 6•2 years ago
|
||
Depends on D165482
|
|
Assignee | |
Comment 7•2 years ago
|
||
This has the side-effect of letting us simplify the register allocation for the baseline implementation.
Depends on D165483
|
|
Assignee | |
Comment 8•2 years ago
|
||
I implemented this, but I didn't see any measurable performance improvements. Not sure if it's worth landing the patches, but I put them up as a WIP.
|
||
Comment 9•2 years ago
|
||
We have to be a bit careful with GC: if an iterator can outlive its owning JS object, we'd have a UAF. For object Slots/Elements we have this insert-keepalive-instructions pass.
|
|
Assignee | |
Comment 10•2 years ago
|
||
My reasoning for not including keepalive instructions in these patches was that the owning JS object is always being kept alive in the snapshot because it's used on bailout. In the slots/elements case, you can write code where the object whose slots/elements are being accessed is a temporary value that is unreachable at the point of the snapshot. In the iterator case, the iterator object is on the operand stack for the duration of the loop, so (I think/hope) it should always be included in the snapshot.
But it's possible that I'm missing something.
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
Description
•