Closed Bug 1415119 Opened 2 years ago Closed 2 years ago

PostWriteElementBarrier should handle out-of-bounds indexes better

Categories

(Core :: JavaScript Engine: JIT, enhancement)

enhancement
Not set

Tracking

()

RESOLVED FIXED
mozilla58
Tracking Status
firefox58 --- fixed

People

(Reporter: jandem, Assigned: jandem)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Attached patch PatchSplinter Review
In PostWriteElementBarrier, if index >= initializedLength, we put the object in the WholeCell StoreBuffer instead of using the per-element buffer. This case can show up in Ion because we add MPostWriteElementBarrier before we do the actual store.

This is hurting us on the Log Analyzer in bug 1391710. There's an array with > 700,000 elements and right now we trace all of them on each minor GC.

We can just put the element index in the store buffer when index >= 0. I also fixed ArrayPush to use the element barrier. This improves the micro-benchmark below from 180 ms to 5 ms. I see a similar improvement when I use arr.push({}) in the second loop.

function f() {
    var arr = [];
    for (var i = 0; i < 10000000; i++) {
        arr.push({});
    }
    var t = new Date;
    for (var j = 0; j < 100000; j++) {
        arr[arr.length] = {};
        arr.length--;
    }
    print(new Date - t);
}
f();
Attachment #8925871 - Flags: review?(jcoppeard)
Comment on attachment 8925871 [details] [diff] [review]
Patch

Review of attachment 8925871 [details] [diff] [review]:
-----------------------------------------------------------------

Nice.  We check the intialised length in SlotsEdge::trace so this check is not needed.
Attachment #8925871 - Flags: review?(jcoppeard) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8b64b1c8347b
Support out-of-bounds indexes in PostWriteElementBarrier. r=jonco
https://hg.mozilla.org/mozilla-central/rev/8b64b1c8347b
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in before you can comment on or make changes to this bug.