Closed Bug 894447 Opened 11 years ago Closed 11 years ago

Regression on ss-tagcloud from not immediately deoptimizing typesets on string SETELEM (lots more Ion bailouts)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla25

People

(Reporter: bzbarsky, Assigned: jandem)

References

Details

Attachments

(1 file)

Patch
2.09 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
Bug 893897 caused a regression on ss-tagcloud.  bhackett thinks the issue is the parseJSON bit that does v[i] = n.

Profiling this is a PITA but at first glance it looks like we end up with Ion bailouts now when we didn't use to before.  A simple test confirms it.  Without the patch for bug 893897:

  env IONFLAGS=bailouts ../obj-firefox/dist/bin/js /tmp/test.js |& wc -l
       1

with the patch:

  env IONFLAGS=bailouts ../obj-firefox/dist/bin/js /tmp/test.js |& wc -l
    2252
Blocks: 893897
The bailouts are happening for "function walk".  

The typical bailout looks like this:

[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=149,line=193,uses=424,stubs=0): SetElem(setelem)
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=75,line=190,uses=425,stubs=0): NewArray
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=88,line=190,uses=425,stubs=0): Call(funapply)
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=149,line=193,uses=425,stubs=0): SetElem(setelem)
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=75,line=190,uses=426,stubs=0): NewArray
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=88,line=190,uses=426,stubs=0): Call(funapply)
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=159,line=193,uses=427,stubs=0): IteratorClose
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=149,line=193,uses=427,stubs=0): SetElem(setelem)
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=75,line=190,uses=428,stubs=0): NewArray
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=88,line=190,uses=428,stubs=0): Call(funapply)
[BaselineICFallback] Fallback hit for (/tmp/test.js:185) (pc=117,line=191,uses=428,stubs=2): GetElem(getelem)
[Bailouts] Took bailout! Snapshot offset: 461

over and over and over again.
Oh, I got that by just putting http://mxr.mozilla.org/mozilla-central/source/js/src/devtools/jint/sunspider/string-tagcloud.js?force=1 in /tmp/test.js and then running shell on it...

We need to figure out what's causing all the bailouts.
We also have a regression on the dromaeo test that tests assigning expandos to DOM objects; somewhere on the order of a 20% hit on that subtest, translating to a 2-5% hit on dromaeo-dom in general.  

I'm not sure why that's happening, but seems pretty related to this bug...
The bailouts on tagcloud are from a MMonitorTypes instruction we add for |n| here, to check it's included in the LHS property TypeSet:

v[i] = n;

Two problems I noticed at a first glance:

(1) We shouldn't add a MonitorTypes followed by a CallSetElement -- the VM call will handle the monitoring etc.

(2) We add a freeze constraint for the property type but somehow this doesn't trigger recompilation.

Looking into (2) now.
Ah, so the problem is that IonBuilder::jsop_setelem calls PropertyWriteNeedsTypeBarrier with PropertyName == NULL (treated as JSID_VOID). However, v[i] = n does not access an indexed property but a named one (i is a string) and we will always bailout...
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attached patch PatchSplinter Review 
Fixes both problems in comment 5 by calling ElementAccessIsDenseNative before PropertyWriteNeedsTypeBarrier.

The extra object->resultTypeSet() NULL check is necessary because MGuardObjectType does not have a result TypeSet.

Should I also revert/backout bug 894463?
Attachment #776729 - Flags: review?(bhackett1024)
Comment on attachment 776729 [details] [diff] [review]
Patch

Review of attachment 776729 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, if this fixes the ss regression then the workaround in bug 894463 should be backed out.
Attachment #776729 - Flags: review?(bhackett1024) → review+
So for what it's worth, the workaround in bug 894463 fixed the dromaeo-css regression but not the dromaeo-dom, as expected.  Going to test this patch on dromaeo-dom.
Seems to help, yes.
Actually, no.  Seems to have no effect on dromaeo-dom (in particular, on dom-attr, which is what I've been testing)
(In reply to Boris Zbarsky (:bz) from comment #11)
> Actually, no.  Seems to have no effect on dromaeo-dom (in particular, on
> dom-attr, which is what I've been testing)

It's possible there's a similar problem somewhere else. Do you have a small shell testcase?
> Do you have a small shell testcase?

It's hard to create a small shell testcase for DOM nodes.  ;)

The dromaeo test in question ends up looking more or less like this, in browser:

  var a = document.getElementsByTagName("a")[0];
  var num = 10240;
  var f = function()  {
    for ( var i = 0; i < num; i++ )
    a["test" + num] = function(){};
  }
  var start = new Date;
  var count = 0;
  while (new Date - start < 1000) {
    ++count;
    f();
  }
  alert(count/(new Date - start) * 1000);

More or less...  The f in question is actually a closure, not just a global function.

If I do a shell testcase like this, though (using an object literal for "a"), I can't even reproduce a slowdown from bug 893897.  :(
Should I just file a separate bug on the dromaeo-dom thing?
(In reply to Boris Zbarsky (:bz) from comment #15)
> Should I just file a separate bug on the dromaeo-dom thing?

Yeah that would be good.
OK, filed bug 894921.
https://hg.mozilla.org/mozilla-central/rev/4aed60373019
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: