Created attachment 628575 [details]
At a glance the definite property analysis fails for |C|, but it's unclear why removing
this.cval = 0;
from the constructor speeds it up.
5 seems to be the magic number of properties that triggers this.
This test is just allocating objects in a loop so the main bottleneck is the giant number of page faults we will take. The objects have 4 properties without the .cval assign, and 5 with it. That bumps the objects into a higher size class and they will increase from 12 words (on 32 bit, 4 header + 8 fixed slots) to 20 words (4 header + 16 fixed slots) and we will take a lot more faults.
I get about the same times for C() and D(). What engine(s) and running modes are you looking at, and what are the times you get?
64bit debug build on Linux:
$ ./js -n -m objwtf.js
err, 64bit debug JM/TI on m-i tip.
Hmm, what do you get with an opt build? (debug builds can be pretty flaky for doing perf comparions.) And is this on the version of the test where C() and D() both define just four properties?
Sorry I'm being sloppy. I get similar slowdown in both opt and debug builds for the version with *5* properties on both C and D.
Created attachment 628625 [details] [diff] [review]
It is definitely caused in part by |AnalyzeNewScriptProperties| not understanding inline assignments like |this.x = this.y = 0|, as the 'this' values are pushed but not used immediately, which causes the function to bail out and mark nothing as definite.
Callgrind shows most of the time being spent in the SetProp IC stub due to properties not being marked definite for both the 5 and 4-properties versions. The reason for the 5-properties version being much slower than the 4-properties version even when the IC stub keeps getting hit must be the faults that bhackett mentioned.
This WIP patch tries to teach |AnalyzeNewScriptProperties| to understand multiple inline property assignments on 'this'.
Created attachment 628626 [details] [diff] [review]
Reorder functions to make patch smaller.
Created attachment 628921 [details] [diff] [review]
Why do non-SETPROP uses of 'this' bail out the entire |AnalyzeNewScriptProperties| function instead of be ignored? Why should something like:
this.x = 0;
this.y = this.x;
not mark this.y as a definite property? I feel like I'm missing some soundness issue.
Definite properties need to describe not just properties that an object will eventually have, but those it will have before anything actually tries to access the property. So AnalyzeNewScriptProperties bails out when it finds a use of 'this' which could escape and cause properties of the 'this' object to be accessed in unknown ways.
This shouldn't conflict with this patch, you just need to make sure that when the constructor accesses this.f that this.f is definitely a property of the object by that point.
Created attachment 629899 [details] [diff] [review]
This patch refactors |AnalyzeNewScriptProperties| to process popped 'this' values in FIFO (stack) order instead of linear PC order.
The main refactoring is that there is a "producer" loop in |AnalyzeNewScriptProperties| that pushes 'this' uses onto a stack and a "consumer" loop in |AnalyzePoppedThis| that processes them all in FIFO order, which results in appending SETPROPs to |initializerList| in PC order.
Re: complexity concerns, I don't think this adds any more complexity than the previous case, and processes the 'this' in the natural order that it's used in the bytecode anyways.
The ordering constraints that check for 'this' escaping via eval and the like are intact -- the notion of |lastThisPopped| now generalizes to the offset of the bottom of the 'this' stack everytime that stack is processed, which is (assuming non-crazy malformed bytecode) the largest 'this' pop offset that we've processed.
More could be done in general to analyze definite properties, of course, but this patch just fixes this single thing.
Comment on attachment 629899 [details] [diff] [review]
Review of attachment 629899 [details] [diff] [review]:
This should not be marked RESOLVED FIXED, as it has not been merged to M-C yet. Also, this patch significantly regressed 64-bit Kraken Gaussian Blur on AWFY.
Correction: The patch actually has been merged to M-C. It still regresses Kraken, though.
I can't reproduce the slowdown locally for 64-bit imaging-gaussian-blur. That benchmark doesn't even call the function that this patch changed.
I have no suggestions for you on this one, but the regression remains and is consistent on AWFY.
Several kraken tests and at least one SS test are very sensitive to cache behavior and can change in performance dramatically for no good reason. Since the shell is deterministic that change will persist across runs until some other random commit changes the behavior again. This stuff generally won't reproduce on other machines or in the browser.
Filed Bug 762022 and marked blocking this one.