Closed Bug 983131 Opened 10 years ago Closed 3 years ago

Baldr: Add pre-heap buffer guard pages to avoid bounds checks for accesses that are known not to be negative by more than a small amount.

Categories

(Core :: JavaScript: WebAssembly, enhancement, P5)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
enhancement

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: dougc, Unassigned)

References

(Blocks 1 open bug)

Details

After bug 979480 it becomes possible to allocate guard pages before the heap buffer.  These could be protected so that a read or write causes a SIGSEGV and the signal handler could emulate an out of bounds access.  This would allow bounds checks to be avoided when the index can be proven to no be negative by more than a small amount.  For example, an access with a hoisted mask minus a small constant u8[i&m - c].

An alternative is to bias the heap base so that small negative offsets are not really out of bounds.  For example u8[i&m - c + bias] where the bias would be common to most heap accesses so could be a common heap base offset and thus would not need to be computed on each heap access.

The use of guard pages has the advantage of not requiring an extension to the asm.js common usage or syntax, and would give more compact asm.js code by avoiding the addition of the bias on each heap access.  Handling the out-of-bounds access would be much slower in the signal handler but code would not be expected to hit this anyway.
Sounds great!

To wit, this was a prerequisite for bug 865523 (except with a much larger pre-heap guard region).  I see I resolved it WONTFIX, but I'm not sure why; I've always wondered how the 2-instruction sequence would compare to the current 3-instruction sequence.
Blocks: wasm-perf
Priority: -- → P5
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE
Status: RESOLVED → REOPENED
Resolution: INACTIVE → ---
Component: JavaScript Engine: JIT → Javascript: WebAssembly

This seems applicable to 32-bit systems still, though for wasm, not asm.js.

Summary: Odinmonkey: add pre-heap buffer guard pages to avoid bounds checks for accesses that are known not to be negative by more than a small amount. → Baldr: Add pre-heap buffer guard pages to avoid bounds checks for accesses that are known not to be negative by more than a small amount.
Type: defect → enhancement

I think we've pretty much committed to not applying heroic effort to 32-bit performance.

Status: REOPENED → RESOLVED
Closed: 6 years ago3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.