Inline property assignment after normal property assignment in constructor (much) slower on TI/JM

RESOLVED FIXED in mozilla16



7 years ago
6 years ago


(Reporter: shu, Assigned: shu)


Dependency tree / graph

Firefox Tracking Flags

(Not tracked)



(2 attachments, 3 obsolete attachments)



7 years ago
Created attachment 628575 [details]
test case

At a glance the definite property analysis fails for |C|, but it's unclear why removing

  this.cval = 0;

from the constructor speeds it up.

Comment 1

7 years ago
5 seems to be the magic number of properties that triggers this.
This test is just allocating objects in a loop so the main bottleneck is the giant number of page faults we will take.  The objects have 4 properties without the .cval assign, and 5 with it.  That bumps the objects into a higher size class and they will increase from 12 words (on 32 bit, 4 header + 8 fixed slots) to 20 words (4 header + 16 fixed slots) and we will take a lot more faults.

I get about the same times for C() and D().  What engine(s) and running modes are you looking at, and what are the times you get?

Comment 3

7 years ago
64bit debug build on Linux:

$ ./js -n -m objwtf.js 

Comment 4

7 years ago
err, 64bit debug JM/TI on m-i tip.
Hmm, what do you get with an opt build?  (debug builds can be pretty flaky for doing perf comparions.)  And is this on the version of the test where C() and D() both define just four properties?

Comment 6

7 years ago
Sorry I'm being sloppy. I get similar slowdown in both opt and debug builds for the version with *5* properties on both C and D.

Comment 7

7 years ago
Created attachment 628625 [details] [diff] [review]

It is definitely caused in part by |AnalyzeNewScriptProperties| not understanding inline assignments like |this.x = this.y = 0|, as the 'this' values are pushed but not used immediately, which causes the function to bail out and mark nothing as definite.

Callgrind shows most of the time being spent in the SetProp IC stub due to properties not being marked definite for both the 5 and 4-properties versions. The reason for the 5-properties version being much slower than the 4-properties version even when the IC stub keeps getting hit must be the faults that bhackett mentioned.

This WIP patch tries to teach |AnalyzeNewScriptProperties| to understand multiple inline property assignments on 'this'.

Comment 8

7 years ago
Created attachment 628626 [details] [diff] [review]

Reorder functions to make patch smaller.
Attachment #628625 - Attachment is obsolete: true

Comment 9

7 years ago
Created attachment 628921 [details] [diff] [review]

new version
Attachment #628626 - Attachment is obsolete: true

Comment 10

7 years ago

Why do non-SETPROP uses of 'this' bail out the entire |AnalyzeNewScriptProperties| function instead of be ignored? Why should something like:

  this.x = 0;
  this.y = this.x;

not mark this.y as a definite property? I feel like I'm missing some soundness issue.
Definite properties need to describe not just properties that an object will eventually have, but those it will have before anything actually tries to access the property.  So AnalyzeNewScriptProperties bails out when it finds a use of 'this' which could escape and cause properties of the 'this' object to be accessed in unknown ways.

This shouldn't conflict with this patch, you just need to make sure that when the constructor accesses this.f that this.f is definitely a property of the object by that point.


7 years ago
Attachment #628921 - Flags: review?(bhackett1024)

Comment 12

7 years ago
Created attachment 629899 [details] [diff] [review]

Final-ish version.

This patch refactors |AnalyzeNewScriptProperties| to process popped 'this' values in FIFO (stack) order instead of linear PC order.

The main refactoring is that there is a "producer" loop in |AnalyzeNewScriptProperties| that pushes 'this' uses onto a stack and a "consumer" loop in |AnalyzePoppedThis| that processes them all in FIFO order, which results in appending SETPROPs to |initializerList| in PC order.

Re: complexity concerns, I don't think this adds any more complexity than the previous case, and processes the 'this' in the natural order that it's used in the bytecode anyways.

The ordering constraints that check for 'this' escaping via eval and the like are intact -- the notion of |lastThisPopped| now generalizes to the offset of the bottom of the 'this' stack everytime that stack is processed, which is (assuming non-crazy malformed bytecode) the largest 'this' pop offset that we've processed.

More could be done in general to analyze definite properties, of course, but this patch just fixes this single thing.
Attachment #628921 - Attachment is obsolete: true
Attachment #628921 - Flags: review?(bhackett1024)
Comment on attachment 629899 [details] [diff] [review]

Review of attachment 629899 [details] [diff] [review]:

Looks great!
Attachment #629899 - Flags: review+

Comment 14

7 years ago
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 15

7 years ago
This should not be marked RESOLVED FIXED, as it has not been merged to M-C yet.  Also, this patch significantly regressed 64-bit Kraken Gaussian Blur on AWFY.

Comment 16

7 years ago
Correction:  The patch actually has been merged to M-C.  It still regresses Kraken, though.
Assignee: general → shu
Target Milestone: --- → mozilla16

Comment 18

7 years ago
I can't reproduce the slowdown locally for 64-bit imaging-gaussian-blur. That benchmark doesn't even call the function that this patch changed.

Any suggestions?

Comment 19

7 years ago
I have no suggestions for you on this one, but the regression remains and is consistent on AWFY.
Several kraken tests and at least one SS test are very sensitive to cache behavior and can change in performance dramatically for no good reason.  Since the shell is deterministic that change will persist across runs until some other random commit changes the behavior again.  This stuff generally won't reproduce on other machines or in the browser.


7 years ago
Depends on: 762022

Comment 21

7 years ago
Filed Bug 762022 and marked blocking this one.
You need to log in before you can comment on or make changes to this bug.