1415119 - PostWriteElementBarrier should handle out-of-bounds indexes better

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, enhancement)

Description

[Jan de Mooij [:jandem]]

Attachment: Patch

In PostWriteElementBarrier, if index >= initializedLength, we put the object in the WholeCell StoreBuffer instead of using the per-element buffer. This case can show up in Ion because we add MPostWriteElementBarrier before we do the actual store.

This is hurting us on the Log Analyzer in bug 1391710. There's an array with > 700,000 elements and right now we trace all of them on each minor GC.

We can just put the element index in the store buffer when index >= 0. I also fixed ArrayPush to use the element barrier. This improves the micro-benchmark below from 180 ms to 5 ms. I see a similar improvement when I use arr.push({}) in the second loop.

function f() {
    var arr = [];
    for (var i = 0; i < 10000000; i++) {
        arr.push({});
    }
    var t = new Date;
    for (var j = 0; j < 100000; j++) {
        arr[arr.length] = {};
        arr.length--;
    }
    print(new Date - t);
}
f();

Comment 1

[Jon Coppeard (:jonco)]

Comment on attachment 8925871 [details] [diff] [review]
Patch

Review of attachment 8925871 [details] [diff] [review]:
-----------------------------------------------------------------

Nice.  We check the intialised length in SlotsEdge::trace so this check is not needed.

Comment 2

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8b64b1c8347b
Support out-of-bounds indexes in PostWriteElementBarrier. r=jonco

Comment 3

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/8b64b1c8347b