IonMonkey: Handle big overflow of arguments.




7 years ago
5 years ago


(Reporter: nbp, Unassigned)


(Blocks: 1 bug)

Other Branch
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [ion:t])



7 years ago
Bug 735406 is planning to implement JSOP_ARGUMENTS and have a slow implementation of arguments.length. The goal of this bug is to provide an alternative implementation for arguments.length which can be way more faster and might be critical for small overflow of arguments such as:

function f() {
  var x = [];
  for (var i = 0; i < arguments.length; i++)
    x[i] = arguments[i];
  return x;

for (var j = 0; j < 10000; j++)

One Possible implementations is to pack the number of arguments in the frame descriptor:


To avoid slowdown of frame iterations (for GC), we need to keep the frame size "s" and the frame type "t" easily reachable, such as a logical shift and a mask.

The number of arguments "a" can be packed in the middle with an extra flag "o" used to report overflow when the number of argument cannot be stored in the descriptor.  In such cases, we may want to allocate some extra space out of the stack to store the full set of arguments and only use the stack to store the formal arguments for the next JS frame.

Another option would be to limit the number of overflow arguments and avoid compiling functions with large immediate overflow of arguments because these are costly in terms of snapshots and in terms of register allocation.

Still, we want to keep such flag for when entering a function with a huge overflow of arguments and for the fun.apply where the number of arguments can easily overflow and take too much space on the stack.


7 years ago
Depends on: 759442
Whiteboard: [ion:t]

Comment 1

7 years ago
The current implementation of the argument length consist of pushing the number of actual arguments on the stack, before the calleeToken.  The current implementation does not support big overflow of arguments, and to avoid overflowing the stack with series of call having thousands of arguments we limit the number before entering Ion code.

This feature is important for passing arguments from one function to another and for the inlining of

    fun.apply(self, object)

where object can be a big array, which lead us to handle big argument vectors.
Summary: IonMonkey: Optimize arguments.length. → IonMonkey: Handle big overflow of arguments.
Whiteboard: [ion:t]
Assignee: general → nobody
You need to log in before you can comment on or make changes to this bug.