Closed Bug 129496 Opened 23 years ago Closed 17 years ago

JS object initializer dynamic overhead (affects a DHTML test case)

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9beta4

People

(Reporter: markushuebner, Assigned: brendan)

References

(
URL
)

Details

(Keywords: js1.5, perf, testcase)

Attachments

(6 files, 5 obsolete files)

E-Mail conversation
5.13 KB, text/plain
Details
Updated testcase.
6.12 KB, text/html
Details
file:///d:/solarsystem3d.html
81.45 KB, text/html
Details
micro-benchmarks testing initialisers vs. constructors
1.12 KB, text/plain
Details
fix bug found with further firefox testing
33.76 KB, patch
shaver
: review+
Details | Diff | Splinter Review
sigh, interdiff sucks, falling back on plain old diff
6.06 KB, patch
Details | Diff | Splinter Review
See attached e-mail conversation ...
Attached file E-Mail conversation
Blocks: 21762
Keywords: mozilla1.0, perf
The URL is hanging the browser with 2002030603 or 2002030703 NT4.
It would help if we knew why this test URL allocates strings and objects like mad. I am pretty sure that even with generational GC, the testcase is going to pay a high (but smoothed-out into little disruptions to the schedule) overhead in GC. If we find that it is just doing crasy O(n^2) or worse explosive growth in JS object/string allocation, it should be fixed to do something smarter. If this has to do with DOM nodelists being document listeners, there's a bug on that already, I believe. Let's get to the bottom of this testcase, not just point fingers at the JS GC. /be
The base problem appears (at a glance) to be in this: coord = function (x,y) { if(!x) var x=0; if(!y) var y=0; return {x: x, y: y}; } function getBezier(percent,C1,C2,C3,C4) { var pos = new coord(); pos.x = ... pos.y = ... return pos; } Then lots of calls to getBezier().
OS: Windows 2000 → All
Hardware: PC → All
>coord = function (x,y) { if(!x) var x=0; if(!y) var y=0; return {x: x, y: y}; } > >function getBezier(percent,C1,C2,C3,C4) > { var pos = new coord(); > pos.x = ... > pos.y = ... > return pos; >} The new operator causes a new object to be made and passed as the this parameter to the constructor, but in the case of coord, that object is wasted, because coord returns an object created with an object initializer. The JS engine could do better here: - it migth be able to analyze the constructor (this one is easy, there are obvious hard cases) to see that it "overrides this" by returning a different object; - it certainly could literalize a prototype object corresponding to the object initializer (aka object literal) and avoid creating a new object with its own scope for each coord call -- instead, it would clone the prototype and set its slots. Can someone try eliminating the operator new usage and see how much that helps? Also, any commentary on how 0.9.9-candidates (anything since bug 62164's patch landed) does compared to 0.9.8? It should help, but maybe not enough to matter at the limit. /be
Tried the testcase with 0.9.8 and 0.9.9 and both have the same problems as already described.
Attached file Updated testcase.
I'm not sure if this is what Brendan asked for in comment #5. I elliminated the "new" operator in the getBezier function. I couldn't measure any performance improvements..
Keywords: testcase
Removing the new helps, but not enough -- there are simply too many new objects created by the {x: x, y: y} literal. I have a plan to fix that bloat issue in bug 123668. /be
Depends on: 123668
Keywords: mozilla1.0mozilla1.1
reassigning ...
Assignee: jst → brendan
I should put a work-in-progress patch in here, just for backup purposes. It won't help on footprint yet. /be
Status: NEW → ASSIGNED
Keywords: mozilla1.1mozilla1.2
Target Milestone: --- → mozilla1.2alpha
Summary: JS GC issue relating to DHTML → JS object initializer dynamic overhead (affects a DHTML test case)
Moving out, some of these may move to 1.3alpha shortly. /be
Target Milestone: mozilla1.2alpha → mozilla1.2beta
Keywords: mozilla1.2mozilla1.3
Bug 184352 seems to be affected by this too - dupe of this one?
bug 184352 is Mac-only, it can't have anything to do with this bug. /be
Fixing TM. /be
Target Milestone: mozilla1.2beta → mozilla1.3beta
Noting true dependency. /be
Depends on: 94693
No longer depends on: 123668
Keywords: mozilla1.3js1.5
Target Milestone: mozilla1.3beta → mozilla1.4alpha
Can we get this into 1.4beta ?
Target Milestone: mozilla1.4alpha → mozilla1.4beta
Target Milestone: mozilla1.4beta → mozilla1.5alpha
Target Milestone: mozilla1.5alpha → mozilla1.6alpha
Bump. /be
Target Milestone: mozilla1.6alpha → mozilla1.7alpha
Rather work on Narcissus. /be
Target Milestone: mozilla1.7alpha → Future
Testing the mentioned example at http://3dhtml.netzministerium.de/examples/beziercube3d.html as well as all other examples at http://3dhtml.netzministerium.de/ like http://3dhtml.netzministerium.de/examples/solarsystem3d.html with trunk build 2004112405 on winxp pro still is very choppy! Maybe a profile shows were we are currently lacking.
Blocks: 203448
URL: http://3dhtml.netzministerium.de/exam...http://3dhtml.netzministerium.de/exam...
This is low priority for a SpiderMonkey fix, but should be addressed in any new runtime designed for JS2. /be
Priority: -- → P5
Running with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050907 Firefox/1.6a1 this is as it was. Also CPU usage is 70-80%
I have around 15% CPU usage but the animation is choppy.
Assignee: brendan → general
Status: ASSIGNED → NEW
Component: DOM: Core → JavaScript Engine
Flags: wanted1.9+
Flags: blocking1.9?
Priority: P5 → P2
QA Contact: stummala → general
Target Milestone: Future → mozilla1.9beta4
Assignee: general → brendan
The URL loads but nothing works, tons of ns and ie not defined errors. Anyone have a diagnosis or (better) fixed test? /be
De-ns4-ified and all external files inlined version of SolarSystem3d.html.
Just wondering why the URL worked for crowder but not me -- anyone else have testimony? /be
Status: NEW → ASSIGNED
# baseline unpatched js shell: $ ../src.bench/Darwin_OPT.OBJ/js /tmp/initests.js 1e6 small object initialisers: 1341 before 33316864, after 16384, break 07c05000 1e6 larger-than-fslots initialiser: 2375 before 33316864, after 16384, break 07c05000 1e6 small object constructions: 835 before 33316864, after 16384, break 07c05000 1e6 larger-than-fslots constructions: 1586 # with forthcoming patch: $ ./Darwin_OPT.OBJ/js /tmp/initests.js 1e6 small object initialisers: 772 before 33316864, after 16384, break 07c05000 1e6 larger-than-fslots initialiser: 982 before 33316864, after 16384, break 07c05000 1e6 small object constructions: 882 before 33316864, after 16384, break 07c05000 1e6 larger-than-fslots constructions: 1307 Lopped 42% off the small fits-in-fslots case, 59% off the bigger case. Note also the last number improving due to fslots-exceeded hazard elimination under JSOP_SETNAME/JSOP_SETPROP. /be
Attached patch fix (obsolete) — Splinter Review
Would appreciate anyone with time and interest applying this patch and testing it, solarsystem3d.html and general dogfooding. I will do that tomorrow but not today, trying to get a hard patch finished. Thanks, /be
Attachment #304594 - Flags: review?(shaver)
Should the URL link to the attachment now? I defer to bugzilla protocol experts. /be
Flags: blocking1.9? → blocking1.9+
Flags: blocking1.9+ → blocking1.9?
Comment on attachment 304594 [details] [diff] [review] fix This crashed me. Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000 Crashed Thread: 0 Thread 0 Crashed: 0 libmozjs.dylib 0x0013b2f2 ChangeScope + 139 (jsscope.c:361) 1 libmozjs.dylib 0x0013c1b1 js_AddScopeProperty + 201 (jsscope.c:1024) 2 libmozjs.dylib 0x00114340 js_SetPropertyHelper + 1087 (jsobj.c:3858) 3 libmozjs.dylib 0x00101760 js_Interpret + 26860 (jsinterp.c:4374) 4 libmozjs.dylib 0x0010770d js_Invoke + 2150 (jsinterp.c:1432) 5 libmozjs.dylib 0x00107a8e js_InternalInvoke + 124 (jsinterp.c:1489) 6 libmozjs.dylib 0x00107bc6 js_InternalGetOrSet + 200 (jsinterp.c:1546) 7 libmozjs.dylib 0x0010ec29 js_NativeGet + 215 (jsobj.c:3523) 8 libmozjs.dylib 0x00113e0a js_GetPropertyHelper + 674 (jsobj.c:3672) 9 libmozjs.dylib 0x001008e0 js_Interpret + 23148 (jsinterp.c:4082) 10 libmozjs.dylib 0x0010770d js_Invoke + 2150 (jsinterp.c:1432) 11 XUL 0x01a4c176 nsXPCWrappedJSClass::CallMethod
Comment on attachment 304594 [details] [diff] [review] fix More a WIP, and backup. I'll debug. /be
Attachment #304594 - Flags: review?(shaver)
Attached patch fix, v2 (obsolete) — Splinter Review
This tests better, and I need to get it out of my tree and brain. Sayrer, can you give it a whirl? Thanks, /be
Attachment #304594 - Attachment is obsolete: true
Attachment #305044 - Flags: review?(shaver)
Attached patch fix, v3 (obsolete) — Splinter Review
Removed another hazard in the {add,set,ini}pchit case, fixed last version's bogus hit test condition. /be
Attachment #305044 - Attachment is obsolete: true
Attachment #305044 - Flags: review?(shaver)
This patch does not malfunction, but doesn't seem to help the tests in this bug.
Attached patch free slot on error (obsolete) — Splinter Review
Attachment #305055 - Attachment is obsolete: true
Attachment #305305 - Flags: review?(shaver)
Comment on attachment 305305 [details] [diff] [review] free slot on error r=shaver, thanks for the call to go through this.
Attachment #305305 - Flags: review?(shaver) → review+
The clasp->reserveSlots hazard that the JSOP_SETNAME/JSOP_SETPROP logic faces was not addressed by previous patches. This patch resolves it by detecting when the cached sprop's slot does not match the next one allocated for obj, in which case it updates the cache entry. Tests well (mochi and suite plus random dogfooding), soliciting re-review. /be
Attachment #305305 - Attachment is obsolete: true
Attachment #305879 - Flags: review?(shaver)
Attached patch interdiff of v3 vs. latest patch (obsolete) — Splinter Review
Comment on attachment 305879 [details] [diff] [review] fix bug found with further firefox testing Looks good, well-caught. r=shaver
Attachment #305879 - Flags: review?(shaver) → review+
Fixed on trunk: js/src/jsapi.c 3.424 js/src/jsgc.c 3.283 js/src/jsgc.h 3.107 js/src/jsinterp.c 3.444 js/src/jsinterp.h 3.77 js/src/jsobj.c 3.443 js/src/jsopcode.tbl 3.109 js/src/jsscope.c 3.85 js/src/jsscope.h 3.57 Anything else to report about object initialisers (more could be done, probably under bug 412868), file a new bug after looking for existing to avoid dup'ing. /be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Depends on: 419803
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: