ChakraCore icon indicating copy to clipboard operation
ChakraCore copied to clipboard
verified publisher icon chakra-core

Fix wrong optimisation of arguments[-1]

Open rhuanjl opened this issue 3 years ago • 1 comments

Background The use of the full arguments object per spec in Javascript has various performance penalties. For this reason the CC Jit contains two different optimisations for it which seek to optimise away the use of this object when it is being used for simple purposes that can be redirected (e.g. accessing params that exist)

One of these optimisations is specific to inlined functions and the other is slightly more general, the inline specific optimisation was added in the master branch since the last release and introduced a bug.

Specific Bug arguments[-1] in function inlined by the Jit was loading the this object - when it should return undefined (and would return undefined when not inlined).

This is because Chakracore internally stores arguments to JS functions in a row with the this object as item 0 and a check was not being done to avoid hitting it.

Ride-along improvement The optimisation of arguments in a non-inlined function was triggering a rejit if it encountered a constant negative index - but such should just result in returning undefined - added a path for doing that, see comments below.

EDIT: converted to draft whilst I look at the issue @pleath has raised below.

FIx #6783

rhuanjl avatar Jan 31 '22 21:01 rhuanjl

@ppenzin I've added tests for the points discussed with pleath above.

Upon looking at the logic further I'm happy that my actual code was fine though.

There are two different optimisations here - for loads of arguments[x] one for a normal jitted function and the other for an inlined function. In both cases the optimisation is disabled earlier in the Jit process if the arguments object is edited in any way - hence why it is safe to supply undefined for any out of bounds load.

EDIT: test fail needs investigating - may be a legitimate issue I've somehow introduced or may need a new baseline;

rhuanjl avatar Sep 10 '22 16:09 rhuanjl

I've updated a few comments for clarity and I believe I've solved the test issues.

Test 1: "funcexpr_2" My ride along improvement had got rid of a rejit in this testcase which in turn meant the baseline was wrong. The case is meant to test a facility used in that rejit so I edited the case so the rejit still occurs.

Test 2: "StackArgWIthFormals" My ride along improvement had got rid of a bailout in this testcase which meant the baseline was wrong. As other cases in this testfile hit similar bailouts I've updated the baseline.

rhuanjl avatar Sep 27 '22 21:09 rhuanjl