JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyB...
author tzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 17:42:41 +0000 (17:42 +0000)
committer tzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 17:42:41 +0000 (17:42 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196078
<rdar://problem/35925380>

Reviewed by Mark Lam.

JSTests:

Add a new benchmark that allocates several objects and invokes put_by_val_direct
with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".

* microbenchmarks/put-by-val-direct-large-index.js: Added.

Source/JavaScriptCore:

Unlike the other variations of putByIndex, it only checked if the index
was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
from JSON.

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243299 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/microbenchmarks/put-by-val-direct-large-index.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.cpp

index bc35305..af69f22 100644 (file)
@@ -1,3 +1,16 @@
+2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
+
+        JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
+        https://bugs.webkit.org/show_bug.cgi?id=196078
+        <rdar://problem/35925380>
+
+        Reviewed by Mark Lam.
+
+        Add a new benchmark that allocates several objects and invokes put_by_val_direct
+        with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
+
+        * microbenchmarks/put-by-val-direct-large-index.js: Added.
+
 2019-03-21  Mark Lam  <mark.lam@apple.com>
 
         Placate exception check validation in operationArrayIndexOfString().
diff --git a/JSTests/microbenchmarks/put-by-val-direct-large-index.js b/JSTests/microbenchmarks/put-by-val-direct-large-index.js
new file mode 100644 (file)
index 0000000..9cd2340
--- /dev/null
@@ -0,0 +1,4 @@
+var acc = [];
+for (var i = 0; i < 1e6; i++) {
+    acc.push({[5e4 + (i % 1e4)]: true});
+}
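Review bot: The benchmark's only store, `{[5e4 + (i % 1e4)]: true}`, exercises the object-literal path, but the commit message also names objects parsed from JSON as affected, and that path is not covered here. Consider a second loop that calls `JSON.parse` on a string whose key falls in the same 50000 to 59999 range. Nothing reads the property back either, so a companion test asserting the stored value would catch a correctness regression, which a timing-only file cannot.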
index ab8ddef..3861a43 100644 (file)
@@ -1,5 +1,22 @@
 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
 
+        JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
+        https://bugs.webkit.org/show_bug.cgi?id=196078
+        <rdar://problem/35925380>
+
+        Reviewed by Mark Lam.
+
+        Unlike the other variations of putByIndex, it only checked if the index
+        was larger than MIN_SPARSE_ARRAY_INDEX when the indexingType was
+        ALL_BLANK_INDEXING_TYPES. This resulted in a huge butterfly being
+        allocated for object literals (e.g. `{[9e4]: ...}`) and objects parsed
+        from JSON.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+
+2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
+
         CachedUnlinkedSourceCodeShape::m_provider should be a CachedRefPtr
         https://bugs.webkit.org/show_bug.cgi?id=196079
 
index 3e8f6e0..ecd7b84 100644 (file)
@@ -3055,7 +3055,7 @@ bool JSObject::putDirectIndexSlowOrBeyondVectorLength(ExecState* exec, unsigned
                 exec, i, value, attributes, mode,
                 ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
         }
-        if (i >= MIN_SPARSE_ARRAY_INDEX) {
+        if (indexIsSufficientlyBeyondLengthForSparseMap(i, 0) || i >= MIN_SPARSE_ARRAY_INDEX) {
             return putDirectIndexBeyondVectorLengthWithArrayStorage(
                 exec, i, value, attributes, mode, createArrayStorage(vm, 0, 0));
         }