Closed Bug 600424 Opened 14 years ago Closed 14 years ago

JM: PICs must obey method read barriers

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dvander, Assigned: dvander)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files)

test case
224 bytes, text/plain
Details
fix
5.00 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
PICs call hasGetterOrIsMethod() to check for getters, but this elides a check for method-valued shapes. We must handle this case correctly. Test-case forthcoming.
OS: Linux → All
Hardware: x86_64 → All
Attached file test case 
Assignee: general → dvander
Status: NEW → ASSIGNED

        Attachment #479260 -
        Attachment is patch: false

    
    

    
  
I'd be willing to do a followup to make a guard type for that check, iff'n we are so inclined to think that's a good idea.

    
    

    
  
We know this case hits in v8-raytrace. I'll see how much we lose by just disabling the PIC. If it's too much...

AFAIK (Brendan, please check me on this), we *must* call the read barrier, which does three things:
 1) Clones the function object.
 2) Deletes the method-valued property, and adds the function object as a normal property. This calls into SetPropertyHelper which does a full property lookup. That calls into js_NativeGet -> methodWriteBarrier -> putProperty, which searches the shape ancestry.
 3) Generates a new unique shape for the object, meaning some code may become (more) poly/megamorphic.

By inlining a call to the read barrier, we can avoid at least the initial property lookup that would occur in stubs::GetProp. Past that, maybe there is more we could do, but it sounds tricky. The tracer doesn't bother (though it calls the read barrier).

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  
This patch just disables the PIC. It's about a 5ms loss on v8-raytrace, unfortunately. I dampened this in the overall suite by avoiding the slot load on method-valued shapes. Now it's about a 15ms net win (noise on SunSpider).

Branding, and potentially calling the read barrier, can be follow-up bugs.

        Attachment #479452 -
        Flags: review?(dmandelin)

        Attachment #479452 -
        Flags: review?(dmandelin) → review+

    
    

    
  
Yes, the read barrier is mandatory if you defer cloning (which the interpreter and tracer do, and cloning eagerly is strictly more expensive than setting a bit).

We talked about this the other week, not sure why we thought JM could go its own way on the method barrier.

Branding on method call to make receiver (this) shape depend on identity of the method is a different case, where JM is (still) going its own way, although both is-branded and has-method-barrier tests govern the method write barrier tripping. Maybe the two flags (BRANDED, METHOD_BARRIER) were muddled together too much when we last spoke.

We need to win back what was lost here. Please cc: me on followups.

/be

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/93e14d3a1eff
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: