Open Bug 932767 Opened 12 years ago Updated 2 months ago

Flag code paths tainted by unexpected NaNs to help eliminate canonicalizing floats loaded from typed arrays.

Tracking

()

Status:

ASSIGNED

People

(Reporter: dougc, Assigned: anba)

References

(Blocks 1 open bug)

Details

Attachments

(16 files)

Bug 932767 - Part 1: Add tainted floating point types. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 2: Add separate instruction to canonicalize NaN. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 3: Update MIRType checks to use new helpers. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 4: Update switch-statements over MIRType to handle tainted types. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 5: Handle tainted types when passed to MDefinition::definitelyType. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 6: Add type checks for JS::Value compatible types. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 7: Allow to pass tainted types to MToFPInstruction subclasses. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 8: Update TypePolicy to handle tainted types. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 9: Update MacroAssembler to handle tainted types. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 10: Update GVN for tainted types. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 11: Update phi specialization for tainted types. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 12: Add pass to propagate tainted floating point values. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 13: Add JITOption to allow loading non-canonicalized doubles. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 14: Add tests. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 15: Use MCanonicalizeNaN for differential testing. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 932767 - Part 16: Rename storeUncanonicalized to just store. r=jandem! 6 months ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review

Douglas Crosher [:dougc]

Reporter

Description

•

12 years ago

Floating point values read from typed arrays currently need to be canonicalized to limit the range of NaNs. See bug 584158 and also bug 584168. Unfortunately this can have a significant performance impact to some numerical code, and in particular asm.js style code that makes heavy use of typed arrays. The Odin compiler avoids this canonicalization, and the Chrome JIT also appears to not needed this. The Ion JIT compiler might flag the data flows of floating point values read from typed arrays and eliminate the canonicalization if the values are written back to typed arrays. It might also be possible to move canonicalization out of a loop. For example, if a loop is reducing a collection of floating point values stored in a typed array then it would likely improve performance to canonicalize the reduced value at the end of the loop rather than canonicalizing each value read from the typed array.

Luke Wagner [:luke]

Comment 1

•

12 years ago

This sounds good. Note: it's very important that on all bail paths, any speculatively-not-canonicalized doubles get canonicalized. To wit, V8 avoids the canonicalization by not using NaN-boxing to represent their values: their values are represented as pointers to doubles, which are GC-allocated. In the JIT, of course, they avoid the heap allocation and just pass around unboxed doubles by value.

Benjamin Bouvier [:bbouvier] (inactive)

Comment 2

•

12 years ago

That would definitely help some real world JS frameworks, for instance gl-matrix, which perform a lot of loads by function calls. For a specific benchmark I am looking at, there is up to 50% speedup if I just comment the canonicalizeFloat / canonicalizeDouble call in IonMacroAssembler::loadFromTypedArray.

Jan de Mooij [:jandem]

Comment 3

•

12 years ago

(In reply to Benjamin Bouvier [:bbouvier] from comment #2) > For a specific benchmark I am looking at, there is up to 50% speedup if I > just comment the canonicalizeFloat / canonicalizeDouble call in > IonMacroAssembler::loadFromTypedArray. sunfish, can you think of a more efficient implementation of canonicalizeDouble on x86/x64 maybe?

Flags: needinfo?(sunfish)

Dan Gohman [:sunfish]

Comment 4

•

12 years ago

You could try moving the NaN constant load out of line (such as with the OutOfLineCodeBase mechanism), so that you can make the non-NaN case a fallthrough. That probably won't completely fix it, but it might help.

Flags: needinfo?(sunfish)

Nicolas B. Pierron [:nbp]

Updated

•

9 years ago

Priority: -- → P5

BMO Automation

Updated

•

3 years ago

Severity: normal → S3