Closed Bug 1405457 Opened 7 years ago Closed 7 years ago

Unused NewCallObject is not removed

Categories

(Core :: JavaScript Engine: JIT, enhancement)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla58
Tracking Flags:
Tracking Status
firefox58 --- fixed

People

(Reporter: evilpie, Assigned: evilpie)

References

Details

Attachments

(2 files, 1 obsolete file)

testcase
234 bytes, text/plain
Details
Scalar replacement for call objects
7.08 KB, patch
nbp
: review+
Details | Diff | Splinter Review 
On arrow-declare.es6 we remove the lambda with the help of scalar replacement, but somehow an unused NewCallObject is kept alive.

Per nbp: MNewCallObject is not recovered on bailout.
Attached file testcase 

    
    

    
  
For posterity:

My concern is to double check this doesn't screw up bailout handling of prologues such as https://searchfox.org/mozilla-central/source/js/src/jit/BaselineBailouts.cpp#731-742

:nbp reassures me that the recovery should recreate this before InitFromBailouts runs and so this isn't a problem.

    
    

    
  


  
Assignee: nobody → evilpies

    
    

    
  
This passes tests locally \o/. I am not sure if we can CallObject::create instead of NewCallObject, we are not really running in ion while recovering, so the barriers don't matter?

Pushed to try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=d4f323517d053e38952a5340f98a93a69b5e0351

From my past experience testing recover instructions is always a bit annoying. I did verify that at least some tests end up in RNewCallObject::recover.

    
    

    
  


  
I just added a functional test based on six-speed benchmark. Continue using NewCallObject based on Jon's comments on IRC.

        Attachment #8914917 -
        Attachment is obsolete: true

        Attachment #8915119 -
        Flags: review?(nicolas.b.pierron)

    
    

    
  
Comment on attachment 8915119 [details] [diff] [review]
Scalar replacement for call objects

Review of attachment 8915119 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/MIR.h
@@ +13149,5 @@
>  
> +class MNewCallObjectBase : public MUnaryInstruction
> +                         , public SingleObjectPolicy::Data
> +{
> +  CompilerGCPointer<CallObject*> templateObj_;

nit: indent by 4.

Note: This is not be necessary as the MConstant would already do this, and you can always reach out to the templateObject pointer as done in MNewObject:

http://searchfox.org/mozilla-central/rev/a4702203522745baff21e519035b6c946b7d710d/js/src/jit/MIR.h#3582-3584

@@ +13204,5 @@
>        : MNewCallObjectBase(classOpcode, templateObj)
>      {}
>  
>      static MNewSingletonCallObject*
> +    New(TempAllocator& alloc, MConstant* templateObj)

nit: Use TRIVIAL_NEW_WRAPPERS macro. (do the same for MNewCallObject)

        Attachment #8915119 -
        Flags: review?(nicolas.b.pierron) → review+

    
    

    
  
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/53006df129c8
Scalar replacement for call objects. r=nbp

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/53006df129c8
Status: NEW → RESOLVED
Closed: 7 years ago

          status-firefox58:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: