Closed
Bug 1415119
Opened 7 years ago
Closed 7 years ago
PostWriteElementBarrier should handle out-of-bounds indexes better
Categories
(Core :: JavaScript Engine: JIT, enhancement)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla58
Tracking | Status | |
---|---|---|
firefox58 | --- | fixed |
People
(Reporter: jandem, Assigned: jandem)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
2.14 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
In PostWriteElementBarrier, if index >= initializedLength, we put the object in the WholeCell StoreBuffer instead of using the per-element buffer. This case can show up in Ion because we add MPostWriteElementBarrier before we do the actual store. This is hurting us on the Log Analyzer in bug 1391710. There's an array with > 700,000 elements and right now we trace all of them on each minor GC. We can just put the element index in the store buffer when index >= 0. I also fixed ArrayPush to use the element barrier. This improves the micro-benchmark below from 180 ms to 5 ms. I see a similar improvement when I use arr.push({}) in the second loop. function f() { var arr = []; for (var i = 0; i < 10000000; i++) { arr.push({}); } var t = new Date; for (var j = 0; j < 100000; j++) { arr[arr.length] = {}; arr.length--; } print(new Date - t); } f();
Attachment #8925871 -
Flags: review?(jcoppeard)
Comment 1•7 years ago
|
||
Comment on attachment 8925871 [details] [diff] [review] Patch Review of attachment 8925871 [details] [diff] [review]: ----------------------------------------------------------------- Nice. We check the intialised length in SlotsEdge::trace so this check is not needed.
Attachment #8925871 -
Flags: review?(jcoppeard) → review+
Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8b64b1c8347b Support out-of-bounds indexes in PostWriteElementBarrier. r=jonco
Comment 3•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/8b64b1c8347b
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox58:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in
before you can comment on or make changes to this bug.
Description
•