Closed Bug 766805 Opened 12 years ago Closed 12 years ago

IonMonkey: Immediate invalidation in 3d-raytrace.js:189

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 772509

People

(Reporter: sstangl, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

The function on line 189 of SS-1.0's 3d-raytrace.js is invalidated very soon after compilation -- it doesn't get through one iteration. This is worse than usual, because it also turns out that this function is extremely expensive to compile (2.8ms of 24ms).

The story is this:

- The function runs in JM for a while, gathering accurate type information.
- Eventually, it gets hot enough that we compile with Ion.
- Because we have good type information, the target of a JSOP_CALL is known, and we bake in the target.
- Baking in a target puts a freeze on the target JSFunction.
- Compilation finishes, and we go to run the code.
- The target JSFunction has no IonScript, so we go through js::InvokeFunction().
- js::Invoke() calls ensureOnTop().
- ensureOnTop() sets a special "uninlineable" flag on the JSFunction. This flag is for JM use only.
- Since a flag was changed, we broke a frozen constraint on the JSFunction, and we invalidate.

This is all very silly.

Backtrace:

> #0  js::types::TypeCompartment::addPendingRecompile (this=0x883d3cc, cx=0x883c9a8, info=...)
>     at /home/sstangl/dev/ionmonkey/js/src/jsinfer.cpp:2192
> #1  0x081343e7 in TypeConstraintFreezeObjectFlags::newObjectState (this=0xf75e1178, cx=0x883c9a8, 
>     object=0xf76006a0, force=false) at /home/sstangl/dev/ionmonkey/js/src/jsinfer.cpp:1504
> #2  0x081348b2 in ObjectStateChange (cx=0x883c9a8, object=0xf76006a0, markingUnknown=false, force=false)
>     at /home/sstangl/dev/ionmonkey/js/src/jsinfer.cpp:1626
> #3  0x08139231 in js::types::TypeObject::setFlags (this=0xf76006a0, cx=0x883c9a8, flags=524288)
>     at /home/sstangl/dev/ionmonkey/js/src/jsinfer.cpp:2988
> #4  0x08071b1e in js::types::MarkTypeObjectFlags (cx=0x883c9a8, obj=0xf760bf60, flags=524288)
>     at ../jsinferinlines.h:374
> #5  0x082d6836 in js::ContextStack::ensureOnTop (this=0x883c9e8, cx=0x883c9a8, report=js::REPORT_ERROR, 
>     nvars=6, extend=js::ContextStack::CAN_EXTEND, pushedSeg=0xffffc258, dest=0xc)
>     at /home/sstangl/dev/ionmonkey/js/src/vm/Stack.cpp:841
> #6  0x082d6b00 in js::ContextStack::pushInvokeArgs (this=0x883c9e8, cx=0x883c9a8, argc=4, 
>     iag=0xffffc240, report=js::REPORT_ERROR) at /home/sstangl/dev/ionmonkey/js/src/vm/Stack.cpp:888
> #7  0x0815cb35 in js::Invoke (cx=0x883c9a8, thisv=..., fval=..., argc=4, argv=0xffffc314, 
>     rval=0xffffc2e8) at /home/sstangl/dev/ionmonkey/js/src/jsinterp.cpp:354
> #8  0x084db5c1 in js::ion::InvokeFunction (cx=0x883c9a8, fun=0xf760bf20, argc=4, argv=0xffffc30c, 
>     rval=0xffffc2e8) at /home/sstangl/dev/ionmonkey/js/src/ion/VMFunctions.cpp:65
> #9  0xf782c485 in ?? ()
Attached patch patchSplinter Review
Patch: Don't set uninlineable if function is called from Ion's InvokeFunction(). This successfully avoids the bailout, and 3d-raytrace now successfully runs without a single bail.

Unfortunately, although this saves a ~2.8ms extraneous compilation, there appear to be performance issues with the generated Ion code that negate the savings, so 3d-raytrace only gets negligibly faster (~0.5ms).
Attachment #635496 - Flags: review?(bhackett1024)
Attachment #635496 - Flags: review?(bhackett1024) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/9970cddd21fd
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
http://hg.mozilla.org/projects/ionmonkey/rev/d85ca085f35d

Backed out due to unexpected orange. Transition from Ion -> JM is preventing JM from setting the uninlineable bit.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Blocks: IonSpeed
According to Nicolas in Bug 771583, this also affects v8-raytrace. Logic to fix the above bug needs to check whether the caller of Invoke() is not JM, and only mark uninlineable in that case.
Blocks: 768745
With Bug 772509 patches, I noticed that the invalidation cause in v8-raytrace was a freeze added while compiling with JM which caused the invalidation of Ion code.

For JM chunks, the current behaviour is justified in ContextStack::ensureOnTop function body.
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.