Closed Bug 1974493 Opened 2 months ago Closed 4 hours ago

1.2% regression on Ares6-ML_steadyState on 24June2025

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
144 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox-esr140 --- unaffected
firefox140 --- unaffected
firefox141 --- unaffected
firefox142 --- fix-optional
firefox143 --- affected
firefox144 --- fixed

People

(Reporter: mayankleoboy1, Assigned: iain, NeedInfo)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1974493: Remove GuardElementsArePacked when consumers are folded away r=jandem
48 bytes, text/x-phabricator-request
Details | Review

:nika, since you are the author of the regressor, bug 1953595, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(nika)

Set release status flags based on info from the regressing bug 1953595

status-firefox140: --- → unaffected
status-firefox141: --- → unaffected
status-firefox142: --- → affected
status-firefox-esr128: --- → unaffected
status-firefox-esr140: --- → unaffected

This seems very unlikely to be the regressor, as the regression is on Windows, and the code changed in bug 1953595 is Android-only.

Flags: needinfo?(nika) → needinfo?(mayankleoboy1)

After some retriggers, looks like the regressing changeset is https://hg-edge.mozilla.org/integration/autoland/pushloghtml?fromchange=d84b6c0995f02602907ec03ee051571ffb5ebf2c&tochange=29f18fab3ab5974f6426019d37a127816056c4e1
which points to bug 1973117

Flags: needinfo?(mayankleoboy1)
Regressed by: 1973117
No longer regressed by: 1953595

:sdetar since iain is on pto, could you set a prioirty/severity for this?

Flags: needinfo?(sdetar)
Flags: needinfo?(iireland)
Blocks: sm-jits
Severity: -- → S3
Flags: needinfo?(sdetar)
Priority: -- → P2

I don't have access to a Windows machine, but I spent some time investigating this on my Linux laptop. I used rr to identify each function that transpiled a StoreDenseElement with the flag set (there were 8). Then I compared the generated LIR for each of those functions using samply profiles. In all but one case, the LIR operations were the same: we generated a GuardElementsArePacked MIR node, but optimized it away because it was redundant with an earlier guard. (This happens whenever we have, for example, arr[idx] += ...: we can combine the GuardElementsArePacked from the pre-addition read with the post-addition store.) The only exception was maxRowIndex, which accounts for ~0.01% of the total samples.

Conversely, looking at the assembly, I saw several cases where the new version of StoreDenseElement generated better code: if we don't generate the GuardElementsArePacked node, we instead have to generate a magic value guard as part of the StoreElementT.

I tried generating a comparison report, but it reported that the biggest difference was in mmul, which is entirely unaffected by the change in bug 1973117.

The only changes I can actually see in this benchmark from this change look like they should be strict improvements (eg we generate strictly less code). If there's any real effect here, it's some sort of weird counterintuitive hardware nonsense (eg "generating more code happens to make the loop alignment better" or whatever).

I don't think digging into this any further is a good use of time.

Status: NEW → RESOLVED
Closed: 20 days ago
Flags: needinfo?(iireland)
Resolution: --- → WONTFIX

Oh, wait, I hadn't realized that the regression window also included bug 1971446. I was only investigating changes caused by the changes in bug 1973117. I'll take a look at the other changes tomorrow.

Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

If we create a GuardElementsArePacked to ensure that MLoadElement doesn't have to check for magic values, but then fold an unbox into the MLoadElement, then the unbox implicitly handles the magic check, and the guard is superfluous. This patch checks to make sure that all the consumers of the MElements are on an allow-list of ops that can handle non-packed arrays.

In testing on try, this does seem to very slightly improve the specific subtests (ares6-ML on Windows, Perf-Dashboard/SelectingPoints on OSX) that were regressed in bug 1974493 and bug 1975491. I don't completely trust platform-specific regressions, but if we can fix them I suppose we might as well.

Assignee: nobody → iireland
Duplicate of this bug: 1975491

https://hg.mozilla.org/mozilla-central/rev/3d6ae7e05567

Status: REOPENED → RESOLVED
Closed: 20 days ago4 hours ago
status-firefox144: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 144 Branch

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.

status-firefox143: --- → affected

The patch landed in nightly and beta is affected.
:iain, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(iireland)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: