The default bug view has changed. See this FAQ.

Completely re-do jsarena.{cpp,h}

RESOLVED FIXED in mozilla9

Status

()

Core
JavaScript Engine
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: njn, Assigned: njn)

Tracking

unspecified
mozilla9
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

6 years ago
jsarena.{cpp,h} are *awful*.  Bad things I've discovered so far:

- Bug 675150.

- In multiple places we compare |nb| (the size of an allocation request) against |a->limit| (a pointer).  WTF?

- There's this optimization where larger-than-arena-size allocations get an extra pointer in their header so that if they are reallocated, we can avoid searching through the list of JSArenas.  But it's hardly ever hit (once in all of SunSpider, a few dozen times in the browser when starting up and loading Gmail).  But it complicates things massively.

Seriously, I just started out wanting to fix bug 675150, but I'm having trouble seeing how to do incremental fixes, the whole thing is so busted.

This code should be about half as long as it currently is.

Comment 1

6 years ago
Please do.  Chris had a patch from a year ago that redid things in a template-y manner.

Of historical interest, jsarena used to support inline function calls, invoke args, and a few other things before these were all redone.  That may explain some of the hackage.

Updated

6 years ago
OS: Linux → All
Hardware: x86_64 → All
(Assignee)

Comment 2

6 years ago
(In reply to comment #0)
> 
> - In multiple places we compare |nb| (the size of an allocation request)
> against |a->limit| (a pointer).  WTF?

Oh god, turns out this is necessary to avoid wrap-arounds in some cases.  There's no comment explaining it, of course :(
(Assignee)

Comment 3

6 years ago
(In reply to comment #1)
> Please do.  Chris had a patch from a year ago that redid things in a
> template-y manner.

Yeah, bug 559408.  It landed and bounced, but got marked RESOLVE FIXED nonetheless.
(Assignee)

Comment 4

6 years ago
Created attachment 549723 [details] [diff] [review]
patch

Changes in this patch:

- Each oversized block had an extra pointer in its header which allowed its
  arena to be found in O(1) time;  this was used if it was realloc'd.  This
  turned out to not help in practice, AFAICT, and was hugely complex, so I
  removed it.

- It restricts the requested alignments to 1, 2, 4 or 8.  This avoids a lot of
  mucking around with post-header alignment code, because the header is
  always 8-aligned.  (Multiple assertions guarantee this.)

- Adds some comments.

Passes jstests and jit-tests;  I'll do a full try server run before any landing.
Attachment #549723 - Flags: review?(brendan)
(Assignee)

Updated

6 years ago
Blocks: 675150
(Assignee)

Updated

6 years ago
Duplicate of this bug: 420476
(Assignee)

Updated

6 years ago
Attachment #549723 - Flags: review?(brendan) → review?(cdleary)
Attachment #549723 - Flags: review?(cdleary) → review+
(Assignee)

Comment 6

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/f9638b44893b
Whiteboard: [inbound]
http://hg.mozilla.org/mozilla-central/rev/f9638b44893b
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]
Target Milestone: --- → mozilla9
You need to log in before you can comment on or make changes to this bug.