Closed
Bug 786491
Opened 12 years ago
Closed 12 years ago
Fix v8-deltablue regression from bug 778724
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla18
People
(Reporter: bhackett1024, Unassigned)
References
Details
(Whiteboard: [js:p0])
Attachments
(1 file)
|
1.85 KB,
patch
|
luke
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
dmandelin saw this in the browser and I'm able to confirm it in the shell (not sure why it didn't show earlier). After bug 778724 v8-deltablue is no longer inlining calls to Array.push, which hurts it significantly. This is because of a change in bug 778724 which speculatively marks the result of calls whose return value is ignored as potentially undefined, which hurts type information and breaks the Array.push fast path (which wants to see a known int32 result for the call).
This may not be the only fallout from the change, too. If I just fix Array.push, score goes from 7200 to 9400, but if I remove the type despecialization entirely I get 9600. (I get 9500 before bug 778724; there seem to be significantly fewer compilations post-778724).
The point of the type despecialization is to avoid recompiling large swaths of a script when it calls a function that has never been called before, adding a void type to the call site which is promptly popped. There's a better mechanism for this now, though, used for avoiding recompilation after new overflows in (a + b) | 0 etc. operations. This fix reverts the type despecialization change, and switches to this other mechanism to avoid any new recompilation activity in large scripts.
Attachment #656246 -
Flags: review?(luke)
|
||
Updated•12 years ago
|
Attachment #656246 -
Flags: review?(luke) → review+
|
||
Updated•12 years ago
|
Whiteboard: [js:p0]
|
||
Updated•12 years ago
|
status-firefox17:
--- → affected
status-firefox18:
--- → affected
tracking-firefox17:
--- → ?
tracking-firefox18:
--- → ?
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
Reporter | |
Comment 2•12 years ago
|
||
Actually, I'm a moron, the mechanism for (a + b) | 0 won't apply to call results as they are JOF_TYPESET opcodes and use TypeMonitorResult rather than TypeDynamicResult. There isn't a simple fix to avoid the new recompilations, but I need to make another pass over this stuff for bug 785905 anyways and will clean things up there.
|
||
Comment 3•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
|
||
Updated•12 years ago
|
|
||
Updated•12 years ago
|
|
|
||
Comment 4•12 years ago
|
||
Luke, could you land this on the 17 branch?
|
|
||
Comment 5•12 years ago
|
||
Comment on attachment 656246 [details] [diff] [review]
patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 778724
User impact if declined: perf regression
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): low
Attachment #656246 -
Flags: approval-mozilla-aurora?
|
||
Updated•12 years ago
|
Attachment #656246 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 6•12 years ago
|
||
|
|
||
Comment 7•12 years ago
|
||
(In reply to Luke Wagner [:luke] from comment #6)
> https://hg.mozilla.org/releases/mozilla-aurora/rev/4840dbaa967b
Thanks again for picking up the Aurora landing.
You need to log in
before you can comment on or make changes to this bug.
Description
•