v8/test/mjsunit/harmony/array-species-proto.js

29 lines
954 B
JavaScript
Raw Normal View History

Optimize @@species based on a global 'protector' cell This patch makes ArraySpeciesCreate fast in V8 by avoiding two property reads when the following conditions are met: - No Array instance has had its __proto__ reset - No Array instance has had a constructor property defined - Array.prototype has not had its constructor changed - Array[Symbol.species] has not been reset For subclasses of Array, or for conditions where one of these assumptions is violated, the full lookup of species is done according to the ArraySpeciesCreate algorithm. Although this is a "performance cliff", it does not come up in the expected typical use case of @@species (Array subclassing), so it is hoped that this can form a good start. Array subclasses will incur the slowness of looking up @@species, but their use won't slow down invocations of, for example, Array.prototype.slice on Array base class instances. Possible future optimizations: - For the fallback case where the assumptions don't hold, optimize the two property lookups. - For Array.prototype.slice and Array.prototype.splice, even if the full lookup of @@species needs to take place, we still could take the rest of the C++ fastpath. However, to do this correctly requires changing the calling convention from C++ to JS to pass the @@species out, so it is not attempted in this patch. With this patch, microbenchmarks of Array.prototype.slice do not suffer a noticeable performance regression, unlike their previous 2.5x penalty. TBR=hpayer@chromium.org Review URL: https://codereview.chromium.org/1689733002 Cr-Commit-Position: refs/heads/master@{#34199}
2016-02-22 21:01:29 +00:00
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Make array __proto__ manipulations not disturb the species protector Previously, the species protector was invalidated whenever the __proto__ of an Array instance was manipulated. Then, if the map's new_target_is_base field remained set, it was correct to conclude that GetPrototypeOf(array) was %ArrayPrototype%. However, this choice caused the popular D3 framework to invalidate the species protector, causing many functions to become slower. This patch eliminates that aspect of the species protector. Instead, the check is to look at the instance->map()->prototype(). It is valid to look directly at the map's prototype slot, ignoring hidden prototypes and proxies, because - This is only called on Array instances, so the receiver cannot be a Proxy. - For hidden prototypes, any inaccuracy would only result in conservatively taking the slow path. Theoretically, this patch could make methods applied to arrays from other contexts slower. However, the slowdown would only affect a particular array instance and not have a global spill-over effect. Further, the slowdown could be addressed by tracking, either in the instance's map or in the actual prototype object, whether it is a %ArrayPrototype% from any context, in a way which is cheap to query, and use that rather than comparing to the currently executing native context. In interactive testing, this patch led the OnShape CAD system to experience faster load times (110+s -> 40s). BUG=chromium:606207 LOG=Y Review-Url: https://codereview.chromium.org/1936393002 Cr-Commit-Position: refs/heads/master@{#36033}
2016-05-04 16:47:34 +00:00
// Flags: --harmony-species --allow-natives-syntax
Optimize @@species based on a global 'protector' cell This patch makes ArraySpeciesCreate fast in V8 by avoiding two property reads when the following conditions are met: - No Array instance has had its __proto__ reset - No Array instance has had a constructor property defined - Array.prototype has not had its constructor changed - Array[Symbol.species] has not been reset For subclasses of Array, or for conditions where one of these assumptions is violated, the full lookup of species is done according to the ArraySpeciesCreate algorithm. Although this is a "performance cliff", it does not come up in the expected typical use case of @@species (Array subclassing), so it is hoped that this can form a good start. Array subclasses will incur the slowness of looking up @@species, but their use won't slow down invocations of, for example, Array.prototype.slice on Array base class instances. Possible future optimizations: - For the fallback case where the assumptions don't hold, optimize the two property lookups. - For Array.prototype.slice and Array.prototype.splice, even if the full lookup of @@species needs to take place, we still could take the rest of the C++ fastpath. However, to do this correctly requires changing the calling convention from C++ to JS to pass the @@species out, so it is not attempted in this patch. With this patch, microbenchmarks of Array.prototype.slice do not suffer a noticeable performance regression, unlike their previous 2.5x penalty. TBR=hpayer@chromium.org Review URL: https://codereview.chromium.org/1689733002 Cr-Commit-Position: refs/heads/master@{#34199}
2016-02-22 21:01:29 +00:00
// Overwriting an array instance's __proto__ updates the protector
let x = [];
assertEquals(Array, x.map(()=>{}).constructor);
assertEquals(Array, x.filter(()=>{}).constructor);
assertEquals(Array, x.slice().constructor);
assertEquals(Array, x.splice().constructor);
assertEquals(Array, x.concat([1]).constructor);
assertEquals(1, x.concat([1])[0]);
class MyArray extends Array { }
x.__proto__ = MyArray.prototype;
Make array __proto__ manipulations not disturb the species protector Previously, the species protector was invalidated whenever the __proto__ of an Array instance was manipulated. Then, if the map's new_target_is_base field remained set, it was correct to conclude that GetPrototypeOf(array) was %ArrayPrototype%. However, this choice caused the popular D3 framework to invalidate the species protector, causing many functions to become slower. This patch eliminates that aspect of the species protector. Instead, the check is to look at the instance->map()->prototype(). It is valid to look directly at the map's prototype slot, ignoring hidden prototypes and proxies, because - This is only called on Array instances, so the receiver cannot be a Proxy. - For hidden prototypes, any inaccuracy would only result in conservatively taking the slow path. Theoretically, this patch could make methods applied to arrays from other contexts slower. However, the slowdown would only affect a particular array instance and not have a global spill-over effect. Further, the slowdown could be addressed by tracking, either in the instance's map or in the actual prototype object, whether it is a %ArrayPrototype% from any context, in a way which is cheap to query, and use that rather than comparing to the currently executing native context. In interactive testing, this patch led the OnShape CAD system to experience faster load times (110+s -> 40s). BUG=chromium:606207 LOG=Y Review-Url: https://codereview.chromium.org/1936393002 Cr-Commit-Position: refs/heads/master@{#36033}
2016-05-04 16:47:34 +00:00
assertTrue(%SpeciesProtector());
Optimize @@species based on a global 'protector' cell This patch makes ArraySpeciesCreate fast in V8 by avoiding two property reads when the following conditions are met: - No Array instance has had its __proto__ reset - No Array instance has had a constructor property defined - Array.prototype has not had its constructor changed - Array[Symbol.species] has not been reset For subclasses of Array, or for conditions where one of these assumptions is violated, the full lookup of species is done according to the ArraySpeciesCreate algorithm. Although this is a "performance cliff", it does not come up in the expected typical use case of @@species (Array subclassing), so it is hoped that this can form a good start. Array subclasses will incur the slowness of looking up @@species, but their use won't slow down invocations of, for example, Array.prototype.slice on Array base class instances. Possible future optimizations: - For the fallback case where the assumptions don't hold, optimize the two property lookups. - For Array.prototype.slice and Array.prototype.splice, even if the full lookup of @@species needs to take place, we still could take the rest of the C++ fastpath. However, to do this correctly requires changing the calling convention from C++ to JS to pass the @@species out, so it is not attempted in this patch. With this patch, microbenchmarks of Array.prototype.slice do not suffer a noticeable performance regression, unlike their previous 2.5x penalty. TBR=hpayer@chromium.org Review URL: https://codereview.chromium.org/1689733002 Cr-Commit-Position: refs/heads/master@{#34199}
2016-02-22 21:01:29 +00:00
assertEquals(MyArray, x.map(()=>{}).constructor);
assertEquals(MyArray, x.filter(()=>{}).constructor);
assertEquals(MyArray, x.slice().constructor);
assertEquals(MyArray, x.splice().constructor);
assertEquals(MyArray, x.concat([1]).constructor);
assertEquals(1, x.concat([1])[0]);