Closed
Bug 766805
Opened 12 years ago
Closed 12 years ago
IonMonkey: Immediate invalidation in 3d-raytrace.js:189
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
DUPLICATE
of bug 772509
People
(Reporter: sstangl, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
4.62 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The function on line 189 of SS-1.0's 3d-raytrace.js is invalidated very soon after compilation -- it doesn't get through one iteration. This is worse than usual, because it also turns out that this function is extremely expensive to compile (2.8ms of 24ms).
The story is this:
- The function runs in JM for a while, gathering accurate type information.
- Eventually, it gets hot enough that we compile with Ion.
- Because we have good type information, the target of a JSOP_CALL is known, and we bake in the target.
- Baking in a target puts a freeze on the target JSFunction.
- Compilation finishes, and we go to run the code.
- The target JSFunction has no IonScript, so we go through js::InvokeFunction().
- js::Invoke() calls ensureOnTop().
- ensureOnTop() sets a special "uninlineable" flag on the JSFunction. This flag is for JM use only.
- Since a flag was changed, we broke a frozen constraint on the JSFunction, and we invalidate.
This is all very silly.
Backtrace:
> #0 js::types::TypeCompartment::addPendingRecompile (this=0x883d3cc, cx=0x883c9a8, info=...)
> at /home/sstangl/dev/ionmonkey/js/src/jsinfer.cpp:2192
> #1 0x081343e7 in TypeConstraintFreezeObjectFlags::newObjectState (this=0xf75e1178, cx=0x883c9a8,
> object=0xf76006a0, force=false) at /home/sstangl/dev/ionmonkey/js/src/jsinfer.cpp:1504
> #2 0x081348b2 in ObjectStateChange (cx=0x883c9a8, object=0xf76006a0, markingUnknown=false, force=false)
> at /home/sstangl/dev/ionmonkey/js/src/jsinfer.cpp:1626
> #3 0x08139231 in js::types::TypeObject::setFlags (this=0xf76006a0, cx=0x883c9a8, flags=524288)
> at /home/sstangl/dev/ionmonkey/js/src/jsinfer.cpp:2988
> #4 0x08071b1e in js::types::MarkTypeObjectFlags (cx=0x883c9a8, obj=0xf760bf60, flags=524288)
> at ../jsinferinlines.h:374
> #5 0x082d6836 in js::ContextStack::ensureOnTop (this=0x883c9e8, cx=0x883c9a8, report=js::REPORT_ERROR,
> nvars=6, extend=js::ContextStack::CAN_EXTEND, pushedSeg=0xffffc258, dest=0xc)
> at /home/sstangl/dev/ionmonkey/js/src/vm/Stack.cpp:841
> #6 0x082d6b00 in js::ContextStack::pushInvokeArgs (this=0x883c9e8, cx=0x883c9a8, argc=4,
> iag=0xffffc240, report=js::REPORT_ERROR) at /home/sstangl/dev/ionmonkey/js/src/vm/Stack.cpp:888
> #7 0x0815cb35 in js::Invoke (cx=0x883c9a8, thisv=..., fval=..., argc=4, argv=0xffffc314,
> rval=0xffffc2e8) at /home/sstangl/dev/ionmonkey/js/src/jsinterp.cpp:354
> #8 0x084db5c1 in js::ion::InvokeFunction (cx=0x883c9a8, fun=0xf760bf20, argc=4, argv=0xffffc30c,
> rval=0xffffc2e8) at /home/sstangl/dev/ionmonkey/js/src/ion/VMFunctions.cpp:65
> #9 0xf782c485 in ?? ()
Reporter | ||
Comment 1•12 years ago
|
||
Patch: Don't set uninlineable if function is called from Ion's InvokeFunction(). This successfully avoids the bailout, and 3d-raytrace now successfully runs without a single bail. Unfortunately, although this saves a ~2.8ms extraneous compilation, there appear to be performance issues with the generated Ion code that negate the savings, so 3d-raytrace only gets negligibly faster (~0.5ms).
Attachment #635496 -
Flags: review?(bhackett1024)
Updated•12 years ago
|
Attachment #635496 -
Flags: review?(bhackett1024) → review+
Reporter | ||
Comment 2•12 years ago
|
||
http://hg.mozilla.org/projects/ionmonkey/rev/9970cddd21fd
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 3•12 years ago
|
||
http://hg.mozilla.org/projects/ionmonkey/rev/d85ca085f35d Backed out due to unexpected orange. Transition from Ion -> JM is preventing JM from setting the uninlineable bit.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Reporter | ||
Comment 5•12 years ago
|
||
According to Nicolas in Bug 771583, this also affects v8-raytrace. Logic to fix the above bug needs to check whether the caller of Invoke() is not JM, and only mark uninlineable in that case.
Blocks: 768745
Comment 6•12 years ago
|
||
With Bug 772509 patches, I noticed that the invalidation cause in v8-raytrace was a freeze added while compiling with JM which caused the invalidation of Ion code. For JM chunks, the current behaviour is justified in ContextStack::ensureOnTop function body.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•