The default bug view has changed. See this FAQ.

IonMonkey: Handle hoisted bounds check failures better

RESOLVED FIXED

Status

()

Core
JavaScript Engine
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: jandem, Assigned: jandem)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

5 years ago
See bug 722331 comment 3.

If we want to handle this like JM, we could add a new bailout kind and use it for hoisted bounds checks. When we bailout, we can set script->failedBoundsCheck to |true| and invalidate the caller. The next time the script is compiled, we can check this flag to prevent hoisting bounds checks.
(Assignee)

Comment 1

5 years ago
Created attachment 632331 [details] [diff] [review]
WIP

This fixes some benchmark problems. More complete patch tomorrow.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
(Assignee)

Updated

5 years ago
Blocks: 768572
(Assignee)

Updated

5 years ago
Depends on: 770623
(Assignee)

Comment 2

5 years ago
Created attachment 639296 [details] [diff] [review]
Patch

If a bounds check fails, recompile and don't optimize bounds checks in the future.

On v8-crypto, with --no-jm, this reduces the number of bailouts caused by bounds checks from > 1100 to 3. Without --no-jm, v8-crypto becomes slower unfortunately, because we use IonMonkey more, which isn't as heavily optimized for am3. The right way forward there is enabling/improving our range analysis so that we don't have to rely on using JM+TI instead of Ion though.
Attachment #632331 - Attachment is obsolete: true
Attachment #639296 - Flags: review?(dvander)
Attachment #639296 - Flags: review?(dvander) → review+
(Assignee)

Comment 3

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/df6295d780ed
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.