[builtins] Improve performance of array.prototype.filter and map

src/builtins/builtins-array-gen.cc

 // Copyright 2017 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/builtins/builtins-utils-gen.h"
 #include "src/builtins/builtins.h"
 #include "src/code-stub-assembler.h"
 
 namespace v8 {
 namespace internal {
@@ skipping 119 matching lines @@
 
   Node* FilterProcessor(Node* k_value, Node* k) {
     // ii. Let selected be ToBoolean(? Call(callbackfn, T, kValue, k, O)).
     Node* selected = CallJS(CodeFactory::Call(isolate()), context(),
                             callbackfn(), this_arg(), k_value, k, o());
     Label true_continue(this, &to_), false_continue(this);
     BranchIfToBooleanIsTrue(selected, &true_continue, &false_continue);
     BIND(&true_continue);
     // iii. If selected is true, then...
     {
-      // 1. Perform ? CreateDataPropertyOrThrow(A, ToString(to), kValue).
-      CallRuntime(Runtime::kCreateDataProperty, context(), a(), to_.value(),
-                  k_value);
+      Label after_work(this, &to_);
+      Node* kind = nullptr;
 
-      // 2. Increase to by 1.
-      to_.Bind(NumberInc(to_.value()));
-      Goto(&false_continue);
+      // If a() is a JSArray, we can have a fast path.
+      Label fast(this);
+      Label runtime(this);
+      Label object_push_pre(this), object_push(this), double_push(this);
+      BranchIfFastJSArray(a(), context(), FastJSArrayAccessMode::ANY_ACCESS,
+                          &fast, &runtime);
+
+      BIND(&fast);
+      {
+        kind = EnsureArrayPushable(a(), &runtime);
+        GotoIf(IsElementsKindGreaterThan(kind, FAST_HOLEY_SMI_ELEMENTS),
+               &object_push_pre);
+
+        BuildAppendJSArray(FAST_SMI_ELEMENTS, a(), k_value, &runtime);
+        Goto(&after_work);
+      }
+
+      BIND(&object_push_pre);
+      {
+        Branch(IsElementsKindGreaterThan(kind, FAST_HOLEY_ELEMENTS),
+               &double_push, &object_push);
+      }
+
+      BIND(&object_push);
+      {
+        BuildAppendJSArray(FAST_ELEMENTS, a(), k_value, &runtime);
+        Goto(&after_work);
+      }
+
+      BIND(&double_push);
+      {
+        BuildAppendJSArray(FAST_DOUBLE_ELEMENTS, a(), k_value, &runtime);
+        Goto(&after_work);
+      }
+
+      BIND(&runtime);
+      {
+        // 1. Perform ? CreateDataPropertyOrThrow(A, ToString(to), kValue).
+        CallRuntime(Runtime::kCreateDataProperty, context(), a(), to_.value(),
+                    k_value);
+        Goto(&after_work);
+      }
+
+      BIND(&after_work);
+      {
+        // 2. Increase to by 1.
+        to_.Bind(NumberInc(to_.value()));
+        Goto(&false_continue);
+      }
     }
     BIND(&false_continue);
     return a();
   }
 
   Node* MapResultGenerator() {
     // 5. Let A be ? ArraySpeciesCreate(O, len).
     return ArraySpeciesCreate(context(), o(), len_);
   }
 
   Node* MapProcessor(Node* k_value, Node* k) {
     //  i. Let kValue be ? Get(O, Pk). Performed by the caller of MapProcessor.
     // ii. Let mappedValue be ? Call(callbackfn, T, kValue, k, O).
     Node* mappedValue = CallJS(CodeFactory::Call(isolate()), context(),
                                callbackfn(), this_arg(), k_value, k, o());
 
-    // iii. Perform ? CreateDataPropertyOrThrow(A, Pk, mappedValue).
-    CallRuntime(Runtime::kCreateDataProperty, context(), a(), k, mappedValue);
+    Label finished(this);
+    Node* kind = nullptr;
+    Node* elements = nullptr;
+
+    // If a() is a JSArray, we can have a fast path.
+    // mode is SMI_PARAMETERS because k has tagged representation.
+    ParameterMode mode = SMI_PARAMETERS;
+    Label fast(this);
+    Label runtime(this);
+    Label object_push_pre(this), object_push(this), double_push(this);
+    BranchIfFastJSArray(a(), context(), FastJSArrayAccessMode::ANY_ACCESS,
+                        &fast, &runtime);
+
+    BIND(&fast);
+    {
+      kind = EnsureArrayPushable(a(), &runtime);
+      elements = LoadElements(a());
+      GotoIf(IsElementsKindGreaterThan(kind, FAST_HOLEY_SMI_ELEMENTS),
+             &object_push_pre);
+      TryStoreArrayElement(FAST_SMI_ELEMENTS, mode, &runtime, elements, k,
+                           mappedValue);
+      Goto(&finished);
+    }
+
+    BIND(&object_push_pre);
+    {
+      Branch(IsElementsKindGreaterThan(kind, FAST_HOLEY_ELEMENTS), &double_push,
+             &object_push);
+    }
+
+    BIND(&object_push);
+    {
+      TryStoreArrayElement(FAST_ELEMENTS, mode, &runtime, elements, k,
+                           mappedValue);
+      Goto(&finished);
+    }
+
+    BIND(&double_push);
+    {
+      TryStoreArrayElement(FAST_DOUBLE_ELEMENTS, mode, &runtime, elements, k,
+                           mappedValue);
+      Goto(&finished);
+    }
+
+    BIND(&runtime);
+    {
+      // iii. Perform ? CreateDataPropertyOrThrow(A, Pk, mappedValue).
+      CallRuntime(Runtime::kCreateDataProperty, context(), a(), k, mappedValue);
+      Goto(&finished);
+    }
+
+    BIND(&finished);
     return a();
   }
 
   void NullPostLoopAction() {}
 
  protected:
   Node* context() { return context_; }
   Node* receiver() { return receiver_; }
   Node* new_target() { return new_target_; }
   Node* o() { return o_; }
@@ skipping 393 matching lines @@
 
     BranchIfFastJSArray(o(), context(),
                         CodeStubAssembler::FastJSArrayAccessMode::INBOUNDS_READ,
                         &switch_on_elements_kind, slow);
 
     BIND(&switch_on_elements_kind);
     // Select by ElementsKind
     Node* o_map = LoadMap(o());
     Node* bit_field2 = LoadMapBitField2(o_map);
     Node* kind = DecodeWord32<Map::ElementsKindBits>(bit_field2);
-    Branch(Int32GreaterThan(kind, Int32Constant(FAST_HOLEY_ELEMENTS)),
+    Branch(IsElementsKindGreaterThan(kind, FAST_HOLEY_ELEMENTS),
            &maybe_double_elements, &fast_elements);
 
     ParameterMode mode = OptimalParameterMode();
     BIND(&fast_elements);
     {
       VisitAllFastElementsOneKind(FAST_ELEMENTS, processor, slow, mode,
                                   direction);
 
       action(this);
 
       // No exception, return success
       Return(a_.value());
     }
 
     BIND(&maybe_double_elements);
-    Branch(Int32GreaterThan(kind, Int32Constant(FAST_HOLEY_DOUBLE_ELEMENTS)),
-           slow, &fast_double_elements);
+    Branch(IsElementsKindGreaterThan(kind, FAST_HOLEY_DOUBLE_ELEMENTS), slow,
+           &fast_double_elements);
 
     BIND(&fast_double_elements);
     {
       VisitAllFastElementsOneKind(FAST_DOUBLE_ELEMENTS, processor, slow, mode,
                                   direction);
 
       action(this);
 
       // No exception, return success
       Return(a_.value());
@@ skipping 31 matching lines @@
   CodeStubArguments args(this, ChangeInt32ToIntPtr(argc));
   Node* receiver = args.GetReceiver();
   Node* kind = nullptr;
 
   Label fast(this);
   BranchIfFastJSArray(receiver, context, FastJSArrayAccessMode::ANY_ACCESS,
                       &fast, &runtime);
 
   BIND(&fast);
   {
-    // Disallow pushing onto prototypes. It might be the JSArray prototype.
-    // Disallow pushing onto non-extensible objects.
-    Comment("Disallow pushing onto prototypes");
-    Node* map = LoadMap(receiver);
-    Node* bit_field2 = LoadMapBitField2(map);
-    int mask = static_cast<int>(Map::IsPrototypeMapBits::kMask) |
-               (1 << Map::kIsExtensible);
-    Node* test = Word32And(bit_field2, Int32Constant(mask));
-    GotoIf(Word32NotEqual(test, Int32Constant(1 << Map::kIsExtensible)),
-           &runtime);
-
-    // Disallow pushing onto arrays in dictionary named property mode. We need
-    // to figure out whether the length property is still writable.
-    Comment("Disallow pushing onto arrays in dictionary named property mode");
-    GotoIf(IsDictionaryMap(map), &runtime);
-
-    // Check whether the length property is writable. The length property is the
-    // only default named property on arrays. It's nonconfigurable, hence is
-    // guaranteed to stay the first property.
-    Node* descriptors = LoadMapDescriptors(map);
-    Node* details =
-        LoadFixedArrayElement(descriptors, DescriptorArray::ToDetailsIndex(0));
-    GotoIf(IsSetSmi(details, PropertyDetails::kAttributesReadOnlyMask),
-           &runtime);
-
     arg_index.Bind(IntPtrConstant(0));
-    kind = DecodeWord32<Map::ElementsKindBits>(bit_field2);
-
-    GotoIf(Int32GreaterThan(kind, Int32Constant(FAST_HOLEY_SMI_ELEMENTS)),
+    kind = EnsureArrayPushable(receiver, &runtime);
+    GotoIf(IsElementsKindGreaterThan(kind, FAST_HOLEY_SMI_ELEMENTS),
            &object_push_pre);
 
-    Node* new_length = BuildAppendJSArray(FAST_SMI_ELEMENTS, context, receiver,
-                                          args, arg_index, &smi_transition);
+    Node* new_length = BuildAppendJSArray(FAST_SMI_ELEMENTS, receiver, args,
+                                          arg_index, &smi_transition);
     args.PopAndReturn(new_length);
   }
 
   // If the argument is not a smi, then use a heavyweight SetProperty to
   // transition the array for only the single next element. If the argument is
   // a smi, the failure is due to some other reason and we should fall back on
   // the most generic implementation for the rest of the array.
   BIND(&smi_transition);
   {
     Node* arg = args.AtIndex(arg_index.value());
@@ skipping 11 matching lines @@
     Node* kind = DecodeWord32<Map::ElementsKindBits>(bit_field2);
     GotoIf(Word32Equal(kind, Int32Constant(DICTIONARY_ELEMENTS)),
            &default_label);
 
     GotoIfNotNumber(arg, &object_push);
     Goto(&double_push);
   }
 
   BIND(&object_push_pre);
   {
-    Branch(Int32GreaterThan(kind, Int32Constant(FAST_HOLEY_ELEMENTS)),
-           &double_push, &object_push);
+    Branch(IsElementsKindGreaterThan(kind, FAST_HOLEY_ELEMENTS), &double_push,
+           &object_push);
   }
 
   BIND(&object_push);
   {
-    Node* new_length = BuildAppendJSArray(FAST_ELEMENTS, context, receiver,
-                                          args, arg_index, &default_label);
+    Node* new_length = BuildAppendJSArray(FAST_ELEMENTS, receiver, args,
+                                          arg_index, &default_label);
     args.PopAndReturn(new_length);
   }
 
   BIND(&double_push);
   {
-    Node* new_length =
-        BuildAppendJSArray(FAST_DOUBLE_ELEMENTS, context, receiver, args,
-                           arg_index, &double_transition);
+    Node* new_length = BuildAppendJSArray(FAST_DOUBLE_ELEMENTS, receiver, args,
+                                          arg_index, &double_transition);
     args.PopAndReturn(new_length);
   }
 
   // If the argument is not a double, then use a heavyweight SetProperty to
   // transition the array for only the single next element. If the argument is
   // a double, the failure is due to some other reason and we should fall back
   // on the most generic implementation for the rest of the array.
   BIND(&double_transition);
   {
     Node* arg = args.AtIndex(arg_index.value());
@@ skipping 1427 matching lines @@
   {
     Node* message = SmiConstant(MessageTemplate::kDetachedOperation);
     CallRuntime(Runtime::kThrowTypeError, context, message,
                 HeapConstant(operation));
     Unreachable();
   }
 }
 
 }  // namespace internal
 }  // namespace v8