Closed Bug 722708 Opened 12 years ago Closed 12 years ago

IonMonkey: Handle hoisted bounds check failures better

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: jandem, Assigned: jandem)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

See bug 722331 comment 3.

If we want to handle this like JM, we could add a new bailout kind and use it for hoisted bounds checks. When we bailout, we can set script->failedBoundsCheck to |true| and invalidate the caller. The next time the script is compiled, we can check this flag to prevent hoisting bounds checks.
Attached patch WIP (obsolete) — Splinter Review
This fixes some benchmark problems. More complete patch tomorrow.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Blocks: 768572
Depends on: 770623
Attached patch PatchSplinter Review
If a bounds check fails, recompile and don't optimize bounds checks in the future.

On v8-crypto, with --no-jm, this reduces the number of bailouts caused by bounds checks from > 1100 to 3. Without --no-jm, v8-crypto becomes slower unfortunately, because we use IonMonkey more, which isn't as heavily optimized for am3. The right way forward there is enabling/improving our range analysis so that we don't have to rely on using JM+TI instead of Ion though.
Attachment #632331 - Attachment is obsolete: true
Attachment #639296 - Flags: review?(dvander)
Attachment #639296 - Flags: review?(dvander) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/df6295d780ed
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.