On Wed, Sep 23, 2020 at 11:26 AM Guillaume Grossetie
<grosset...@gmail.com> wrote:
>
> Hello,
>
> I'm working on the Opal project and I've noticed that Array#splice is not 
> optimized anymore (i.e. 4-8 times slower) when using a recent version of v8.
>
> To reproduce this slowdown I'm using the following code:
>
> const arr = []
> for (let j = 0; j < 50000; j++) {
>   arr.push('index' + j)
> }
>
> Object.setPrototypeOf(Array.prototype, {})
>
> let r
> for (let i = 0; i < 1000; i++) {
>   r = arr.splice(0, 1)
> }
> console.log(r)
>
> You can run the above code against Node 10, which is using v8 version < 7, 
> and against Node 12, which is using v8 version > 7.8.
> Please note that removing "Object.setPrototypeOf(Array.prototype, {})" will 
> effectively enable the optimization.
>
> I think the reason is that Array#splice is now using a Torque implementation 
> where "fast" splice is only used when Array.prototype is pristine:
>
> https://github.com/v8/v8/blob/4b9b23521e6fd42373ebbcb20ebe03bf445494f9/src/builtins/array-splice.tq#L125
>
> I'm well aware that we should not mess with prototypes[2][3] but is there any 
> workaround to get an optimized version of splice even if prototype has been 
> altered?
> Or do you have any idea on how we could mitigate this issue?
>
>
> Thanks for your help,
> Guillaume
>
> [1] https://github.com/opal/opal
> [2] https://mathiasbynens.be/notes/prototypes
> [3] https://mathiasbynens.be/notes/shapes-ics

I don't think so.

Array.p.splice() returns a new array. array-splice.tq has a fast path
for that (ExtractFastJSArray, defined in
src/codegen/code-stub-assembler.cc) but that's only sound when
Array.prototype is unmodified, hence the
IsPrototypeInitialArrayPrototype() check.

Perhaps V8 could be made smart enough to distinguish between benign
and non-benign prototype tampering but the subset that can be proven
safe is probably so small that it's not worth the complexity and
overhead.
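
An added illustration of benign versus non-benign tampering (not code from this thread or from V8): the ECMAScript splice algorithm resolves holes through the prototype chain, so an indexed property placed behind Array.prototype changes what splice returns, while an empty object does not. The helper name `holeySplice` and the sample array are constructed for this example.

```javascript
// Runs splice on a holey array while Array.prototype's own prototype is
// temporarily replaced, then restores the original prototype.
// Pass undefined to leave Array.prototype pristine.
function holeySplice(protoOfArrayPrototype) {
  const original = Object.getPrototypeOf(Array.prototype); // normally Object.prototype
  if (protoOfArrayPrototype !== undefined) {
    Object.setPrototypeOf(Array.prototype, protoOfArrayPrototype);
  }
  try {
    const arr = ['a', , 'c'];            // constructed sample; index 1 is a hole
    const removed = arr.splice(0, 3);    // spec: HasProperty + Get for each index
    return {
      // Did splice materialize index 1 as an own property of the result?
      ownIndex1: Object.prototype.hasOwnProperty.call(removed, 1),
      value: removed[1],
      length: removed.length,
    };
  } finally {
    // Always undo the tampering so later code sees the initial prototype chain.
    Object.setPrototypeOf(Array.prototype, original);
  }
}

const cases = {
  pristine: undefined,                    // untouched prototype chain
  benign: {},                             // the tampering from the original report
  nonBenign: { 1: 'from-proto' },         // indexed property visible through the chain
};

for (const [label, proto] of Object.entries(cases)) {
  console.log(label, holeySplice(proto));
}
```

The `{}` case returns the same result as the pristine case, which is the kind of tampering an engine would have to prove harmless before taking a fast path that copies elements without consulting the prototype chain.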
