Thanks for your answer Ben.

> Perhaps V8 could be made smart enough to distinguish between benign
> and non-benign prototype tampering but the subset that can be proven
> safe is probably so small that it's not worth the complexity and
> overhead.

Yes, I agree. Alternatively, could v8 use the pre 7.1 impl of Array#splice when the prototype has been modified? Obviously, this is easier said than done and I'm guessing that it might not be an easy task. But it's worth noting that the pre 7.1 impl performance (with and without prototype tampering) was similar. Not sure how it was all made possible... but it was great for us :)

Anyway thanks again for your input!
Have a nice day

On Thursday, September 24, 2020 at 10:43:44 UTC+2, Ben Noordhuis wrote:

> On Wed, Sep 23, 2020 at 11:26 AM Guillaume Grossetie
> <gross...@gmail.com> wrote:
> >
> > Hello,
> >
> > I'm working on the Opal project and I've noticed that Array#splice is not optimized anymore (i.e. 4-8 times slower) when using a recent version of v8.
> >
> > To reproduce this slowdown I'm using the following code:
> >
> > const arr = []
> > for (let j = 0; j < 50000; j++) {
> >   arr.push('index' + j)
> > }
> >
> > Object.setPrototypeOf(Array.prototype, {})
> >
> > let r
> > for (let i = 0; i < 1000; i++) {
> >   r = arr.splice(0, 1)
> > }
> > console.log(r)
> >
> > You can run the above code against Node 10, which is using v8 version < 7, and against Node 12, which is using v8 version > 7.8.
> > Please note that removing "Object.setPrototypeOf(Array.prototype, {})" will effectively enable the optimization.
> >
> > I think the reason is that Array#splice is now using a Torque implementation where "fast" splice is only used when Array.prototype is pristine:
> >
> > https://github.com/v8/v8/blob/4b9b23521e6fd42373ebbcb20ebe03bf445494f9/src/builtins/array-splice.tq#L125
> >
> > I'm well aware that we should not mess with prototypes[2][3] but is there any workaround to get an optimized version of splice even if prototype has been altered?
> > Or do you have any idea on how we could mitigate this issue?
> >
> > Thanks for your help,
> > Guillaume
> >
> > [1] https://github.com/opal/opal
> > [2] https://mathiasbynens.be/notes/prototypes
> > [3] https://mathiasbynens.be/notes/shapes-ics
>
> I don't think so.
>
> Array.p.splice() returns a new array. array-splice.tq has a fast path
> for that (ExtractFastJSArray, defined in
> src/codegen/code-stub-assembler.cc) but that's only sound when
> Array.prototype is unmodified, hence the
> IsPrototypeInitialArrayPrototype() check.
>
> Perhaps V8 could be made smart enough to distinguish between benign
> and non-benign prototype tampering but the subset that can be proven
> safe is probably so small that it's not worth the complexity and
> overhead.

--
v8-users mailing list
v8-users@googlegroups.com
http://groups.google.com/group/v8-users

To view this discussion on the web visit https://groups.google.com/d/msgid/v8-users/c72b3b33-b77b-4791-83a6-317a834aa3b8n%40googlegroups.com.