Closed Bug 759978 Opened 11 years ago Closed 11 years ago

Inline property assignment after normal property assignment in constructor (much) slower on TI/JM


(Core :: JavaScript Engine, defect)

Not set





(Reporter: shu, Assigned: shu)




(2 files, 3 obsolete files)

Attached file test case
At a glance the definite property analysis fails for |C|, but it's unclear why removing

  this.cval = 0;

from the constructor speeds it up.
5 seems to be the magic number of properties that triggers this.
This test is just allocating objects in a loop so the main bottleneck is the giant number of page faults we will take.  The objects have 4 properties without the .cval assign, and 5 with it.  That bumps the objects into a higher size class and they will increase from 12 words (on 32 bit, 4 header + 8 fixed slots) to 20 words (4 header + 16 fixed slots) and we will take a lot more faults.

I get about the same times for C() and D().  What engine(s) and running modes are you looking at, and what are the times you get?
64bit debug build on Linux:

$ ./js -n -m objwtf.js 
err, 64bit debug JM/TI on m-i tip.
Hmm, what do you get with an opt build?  (debug builds can be pretty flaky for doing perf comparions.)  And is this on the version of the test where C() and D() both define just four properties?
Sorry I'm being sloppy. I get similar slowdown in both opt and debug builds for the version with *5* properties on both C and D.
Attached patch WIP (obsolete) — Splinter Review
It is definitely caused in part by |AnalyzeNewScriptProperties| not understanding inline assignments like |this.x = this.y = 0|, as the 'this' values are pushed but not used immediately, which causes the function to bail out and mark nothing as definite.

Callgrind shows most of the time being spent in the SetProp IC stub due to properties not being marked definite for both the 5 and 4-properties versions. The reason for the 5-properties version being much slower than the 4-properties version even when the IC stub keeps getting hit must be the faults that bhackett mentioned.

This WIP patch tries to teach |AnalyzeNewScriptProperties| to understand multiple inline property assignments on 'this'.
Attached patch WIP (obsolete) — Splinter Review
Reorder functions to make patch smaller.
Attachment #628625 - Attachment is obsolete: true
Attached patch patch (obsolete) — Splinter Review
new version
Attachment #628626 - Attachment is obsolete: true

Why do non-SETPROP uses of 'this' bail out the entire |AnalyzeNewScriptProperties| function instead of be ignored? Why should something like:

  this.x = 0;
  this.y = this.x;

not mark this.y as a definite property? I feel like I'm missing some soundness issue.
Definite properties need to describe not just properties that an object will eventually have, but those it will have before anything actually tries to access the property.  So AnalyzeNewScriptProperties bails out when it finds a use of 'this' which could escape and cause properties of the 'this' object to be accessed in unknown ways.

This shouldn't conflict with this patch, you just need to make sure that when the constructor accesses this.f that this.f is definitely a property of the object by that point.
Attachment #628921 - Flags: review?(bhackett1024)
Attached patch patchSplinter Review
Final-ish version.

This patch refactors |AnalyzeNewScriptProperties| to process popped 'this' values in FIFO (stack) order instead of linear PC order.

The main refactoring is that there is a "producer" loop in |AnalyzeNewScriptProperties| that pushes 'this' uses onto a stack and a "consumer" loop in |AnalyzePoppedThis| that processes them all in FIFO order, which results in appending SETPROPs to |initializerList| in PC order.

Re: complexity concerns, I don't think this adds any more complexity than the previous case, and processes the 'this' in the natural order that it's used in the bytecode anyways.

The ordering constraints that check for 'this' escaping via eval and the like are intact -- the notion of |lastThisPopped| now generalizes to the offset of the bottom of the 'this' stack everytime that stack is processed, which is (assuming non-crazy malformed bytecode) the largest 'this' pop offset that we've processed.

More could be done in general to analyze definite properties, of course, but this patch just fixes this single thing.
Attachment #628921 - Attachment is obsolete: true
Attachment #628921 - Flags: review?(bhackett1024)
Comment on attachment 629899 [details] [diff] [review]

Review of attachment 629899 [details] [diff] [review]:

Looks great!
Attachment #629899 - Flags: review+
Closed: 11 years ago
Resolution: --- → FIXED
This should not be marked RESOLVED FIXED, as it has not been merged to M-C yet.  Also, this patch significantly regressed 64-bit Kraken Gaussian Blur on AWFY.
Correction:  The patch actually has been merged to M-C.  It still regresses Kraken, though.
Assignee: general → shu
Target Milestone: --- → mozilla16
I can't reproduce the slowdown locally for 64-bit imaging-gaussian-blur. That benchmark doesn't even call the function that this patch changed.

Any suggestions?
I have no suggestions for you on this one, but the regression remains and is consistent on AWFY.
Several kraken tests and at least one SS test are very sensitive to cache behavior and can change in performance dramatically for no good reason.  Since the shell is deterministic that change will persist across runs until some other random commit changes the behavior again.  This stuff generally won't reproduce on other machines or in the browser.
Depends on: 762022
Filed Bug 762022 and marked blocking this one.
Depends on: 783396
You need to log in before you can comment on or make changes to this bug.