Closed
Bug 1379626
Opened 7 years ago
Closed 4 years ago
Naïve ToInteger implementation can lead to repeated bailouts in Math.ceil
Categories
(Core :: JavaScript Engine: JIT, enhancement, P3)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: anba, Unassigned)
Details
(Keywords: triage-deferred)
Test case:
---
function Number_isInteger(number) {
// Step 1.
if (typeof number !== "number")
return false;
// Step 3.
var integer = number >= 0 ? Math.floor(number) : Math.ceil(number);
// Steps 2, 4.
if (integer - number !== 0)
return false;
// Step 5.
return true;
}
Number.isInteger = Number_isInteger;
// Values are non-int32 and INT32_MIN.
var values = [4.2, -(2**31)];
var t = Date.now();
for (var i = 0; i < 10000000; ++i) {
Number.isInteger(values[i % values.length]);
}
print(Date.now() - t);
---
The test case leads to repeated bailouts, IONFLAGS=bailouts shows "[IonBailouts] bailing from bytecode: call, MIR: ceil [14], LIR: ceil [13]".
Comment 1•7 years ago
|
||
Probably because of the bailoutCvttsd2si in CodeGeneratorX86Shared::visitCeil. We bail because we get INT32_MIN which happens to be the value the CPU throws at us for "not an integer valued double" :(
Updated•7 years ago
|
Keywords: triage-deferred
Priority: -- → P3
Reporter | ||
Comment 2•4 years ago
|
||
Warp prevents repeated bailouts from happening for this test case. The bailoutCvttsd2si
issue noted in comment #1 is still present, e.g. when var values = [-4.2, -(2**31)];
is used, so both values are negative, Warp will stop inlining Math.ceil
because the fallback stub was taken. If that issue ever becomes are problem in practice, we should track it under a different bug.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•