Closed
Bug 919544
Opened 12 years ago
Closed 11 years ago
GenerationalGC: NewObjectCache::newObjectFromHit allocates in the tenured heap when the nursery is full
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: jandem, Assigned: terrence)
References
(Blocks 1 open bug)
Details
Attachments
(2 files, 1 obsolete file)
|
3.83 KB,
application/x-javascript
|
Details | |
|
17.89 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
NewObjectCache::newObjectFromHit does:
JSObject *obj = js_NewGCObject<NoGC>(cx, entry->kind, heap);
The NoGC is bad: when the nursery is full, we don't trigger minor GCs and happily allocate in the tenured heap.
I'm attaching a testcase (based on bug 918746) that runs almost twice as fast if I disable the NewObjectCache lookup in NewArray. We really want to nursery-allocate these arrays to avoid slow malloc/realloc for the elements.
|
Reporter | |
Comment 1•12 years ago
|
||
Terrence, this also affects the micro-benchmark in bug 874580 comment 8. A GGC build is at least 2x slower but after disabling the NewObjectCache lookup in NewObjectWithClassProtoCommon we're suddenly 3x faster.
Requesting needinfo: I keep running into this and it probably affects non-micro-benchmarks as well.
Flags: needinfo?(terrence)
|
Assignee | |
Comment 2•12 years ago
|
||
Good catch, that is indeed quite bad! I did not notice that newObjectFromHit used NoGC.
I think this is only used in spots that allocate, so switching that to MayGC should not be that hard. The static rooting analysis (working on try now) would probably help make sure we don't make any mistakes.
Flags: needinfo?(terrence)
|
|
Assignee | |
Comment 3•12 years ago
|
||
This turned out to be fairly annoying to implement cleanly: we want to GC, but still return null, which is at total cross purposes to our current allocators. I ended up implementing a new allocator function specially for the new case; an extra template arg would have worked with less code, but would have made both paths totally incomprehensible.
The attached patch takes my local times on the testcast in this bug from 620ms -> 185ms. Octane does not appear to be affected, but we should keep an eye on *Latency when this lands just in case.
|
|
Assignee | |
Comment 4•12 years ago
|
||
|
|
Reporter | |
Comment 5•12 years ago
|
||
Comment on attachment 8368899 [details] [diff] [review]
fix_newobjectfromhit_allocation-v0.diff
Review of attachment 8368899 [details] [diff] [review]:
-----------------------------------------------------------------
Nice, thanks!
::: js/src/jsgcinlines.h
@@ +529,5 @@
> +#ifdef JSGC_GENERATIONAL
> + if (ShouldNurseryAllocate(cx->nursery(), kind, heap)) {
> + size_t thingSize = Arena::thingSize(kind);
> +
> + JS_ASSERT(thingSize == Arena::thingSize(kind));
Nit: can remove the assert in this case.
Attachment #8368899 -
Flags: review?(jdemooij) → review+
|
|
Reporter | |
Comment 6•12 years ago
|
||
(In case you missed it, the static analysis found some new hazards with this patch.)
|
|
Assignee | |
Comment 7•12 years ago
|
||
The one case I looked at rooted everything up front, but I still should have realized the templateObject pointer would be a "hazard" even though it doesn't even point into the heap.
This patch uses AllowGC to delay rooting in all cases until after a cache hit fails, which hopefully will shave a few more nanoseconds off the common case.
Attachment #8368899 -
Attachment is obsolete: true
Attachment #8369585 -
Flags: review+
|
|
Assignee | |
Comment 8•12 years ago
|
||
|
|
Assignee | |
Comment 9•11 years ago
|
||
|
||
Comment 10•11 years ago
|
||
I see 13% improvement on ss-aes. Bringing ggc on par with non-ggc on this benchmark
|
||
Comment 11•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in
before you can comment on or make changes to this bug.
Description
•