Closed Bug 1379626 Opened 7 years ago Closed 4 years ago

Naïve ToInteger implementation can lead to repeated bailouts in Math.ceil

Categories

(Core :: JavaScript Engine: JIT, enhancement, P3)

enhancement

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: anba, Unassigned)

Details

(Keywords: triage-deferred)

Test case: --- function Number_isInteger(number) { // Step 1. if (typeof number !== "number") return false; // Step 3. var integer = number >= 0 ? Math.floor(number) : Math.ceil(number); // Steps 2, 4. if (integer - number !== 0) return false; // Step 5. return true; } Number.isInteger = Number_isInteger; // Values are non-int32 and INT32_MIN. var values = [4.2, -(2**31)]; var t = Date.now(); for (var i = 0; i < 10000000; ++i) { Number.isInteger(values[i % values.length]); } print(Date.now() - t); --- The test case leads to repeated bailouts, IONFLAGS=bailouts shows "[IonBailouts] bailing from bytecode: call, MIR: ceil [14], LIR: ceil [13]".
Probably because of the bailoutCvttsd2si in CodeGeneratorX86Shared::visitCeil. We bail because we get INT32_MIN which happens to be the value the CPU throws at us for "not an integer valued double" :(
Keywords: triage-deferred
Priority: -- → P3

Warp prevents repeated bailouts from happening for this test case. The bailoutCvttsd2si issue noted in comment #1 is still present, e.g. when var values = [-4.2, -(2**31)]; is used, so both values are negative, Warp will stop inlining Math.ceil because the fallback stub was taken. If that issue ever becomes are problem in practice, we should track it under a different bug.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.