Open Bug 1804104 Opened 2 years ago Updated 2 years ago

43% regression on AWFY-Sunspider-access-nsieve on 30-Nov

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox107 --- unaffected
firefox108 --- unaffected
firefox109 --- fix-optional
firefox110 --- fix-optional

People

(Reporter: mayankleoboy1, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression)

Keywords: regression

Iain, bug 1797486 is in the range in comment 0. Mind taking a quick look to see if this is reproducible and easily fixable?

Flags: needinfo?(iireland)

It's reproducible. Not immediately sure about easily fixable.

The relevant code looks something like this:

for (var i = 1; i <= 3; i++) {
  var m = (1 << i) * 10000;
  var flags = Array(m+1);
  for (var j = 2; j <= m; j++) {
    flags[j] = true;
  }
  // Do something with flags.
}

We allocate a large array, then we initialize all but the first two elements.

Before my patch, this code had bimodal behaviour:

  1. The first few iterations of the inner loop happen in the C++ interpreter. We don't attach any ICs.
  2. Eventually, we tier up to blinterp and attach a StoreDenseElementHole IC.
  3. We kick off an OSR compilation on a background thread.
    4A: In the fast case, we finish the compilation before the second iteration of the outer loop. Because the pre-patch code supported indices > initializedLength, we don't bail out when writing to flags[2]: the initialized length is 2, but the capacity is 2046. We continue running in Ion with StoreDenseElementHole.
    4B: In the slow case, we start the second iteration of the loop before tiering up to Ion. When we try writing to flags[2], the guard fails, and we instead attach (and eventually transpile) CallAddOrUpdateSparseElement.

After my patch, both baseline ICs and Ion only support writing one past the initialized length, even if we have the capacity.

One option for fixing this would be to add support (in both CacheIR and Ion) for the OOB case where we have the capacity. We'd have to add a loop to fill the gaps with the magic hole value.

Flags: needinfo?(iireland)

This bug has been marked as a regression. Setting status flag for Nightly to affected.

status-firefox109: --- → affected
status-firefox107: --- → unaffected
status-firefox108: --- → unaffected
status-firefox-esr102: --- → unaffected
Component: General → JavaScript: GC
Product: Firefox → Core
Regressed by: 1797486
Component: JavaScript: GC → JavaScript Engine: JIT

Set release status flags based on info from the regressing bug 1797486

status-firefox110: --- → affected
Severity: -- → S3
Priority: -- → P2
Whiteboard: [sp3]
You need to log in before you can comment on or make changes to this bug.