Status: Assigned
Owner: [email protected]
Labels: Type-Bug Priority-Medium

New issue 3826 by [email protected]: Hydrogenized array growth stub poorly handles very large arrays
https://code.google.com/p/v8/issues/detail?id=3826

The Hydrogenized stub has the following check:

      Add<HBoundsCheck>(new_capacity,
                        Add<HConstant>((Page::kMaxRegularHeapObjectSize -
                                        FixedArray::kHeaderSize) >>
                                       ElementsKindToShiftSize(kind)));

This goes into stub failure and later tries to update the IC state; however, KeyedStoreIC::StoreElementStub doesn't grok that this failure is different from other failures and that the IC should be kept in the monomorphic growth mode. Instead it hits:

  if (!map_added) {
    // If the miss wasn't due to an unseen map, a polymorphic stub
    // won't help, use the generic stub.
    TRACE_GENERIC_IC(isolate(), "KeyedStoreIC", "same map added twice");
    return generic_stub();
  }

transitioning the IC to generic and regressing performance completely.

The very old stub (I am looking at 3.14) used to just delegate backing store growth to the runtime system:

    // Handle transition requiring the array to grow.
    __ bind(&grow);

    // yada-yada-yada check fast path --- skipped ----

    __ bind(&slow);
    Handle<Code> ic_slow = masm->isolate()->builtins()->KeyedStoreIC_Slow();
    __ jmp(ic_slow, RelocInfo::CODE_TARGET);

Note: KeyedStoreIC_Slow, unlike KeyedStoreIC_Miss, did not update the IC state.

Benchmark:

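    // Append maxNum + 1 elements one at a time, so every store that
    // runs past the current backing store takes the array growth path.
    function grow(maxNum) {
      var data = [];

      for (var i = 0; i <= maxNum; i++) {
        data[i] = 1;
      }

      return data;
    }

    // Run f(1e7) m times and return the elapsed wall-clock time in ms.
    function measure(f, m) {
      var start = Date.now();
      for (var j = 0; j < m; j++) {
        f(1e7);
      }
      var end = Date.now();
      return (end - start);
    }

    print(measure(grow, 2));

Comparing against very old V8 (3.14), it's around a 4x slowdown.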

$ d8 test.js
3987

$ node test.js  ;; this runs V8 3.14
1053

Comparing against a V8 in which I forcibly prohibited the IC from exiting monomorphic GROW mode on the miss, it's 10x:

$ d8 test.js
327

Tentatively assigning to Igor (as the author of ExtendStorageStub). Please triage to the correct owner.
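
A toy model of the state transition described in this report, as an added example (not V8 code and not from the reporter). The state names, `LIMIT`, the map name and the growth policy are hypothetical stand-ins; it compares a miss path that updates IC state on stub failure with one that only delegates the store to the runtime.

```javascript
// Toy model only: nothing here is V8's real data structure or constant.
const LIMIT = 1024; // constructed stand-in for the HBoundsCheck capacity constant

// Hypothetical growth policy: needed size plus half of it plus a fixed slack.
function nextCapacity(index) {
  const needed = index + 1;
  return needed + (needed >> 1) + 16;
}

// Runtime store: may grow the backing store without any capacity limit.
function runtimeStore(arr, index) {
  if (index >= arr.capacity) arr.capacity = nextCapacity(index);
  arr.length = index + 1;
}

// Miss handler shaped like the quoted `if (!map_added)` branch.
function onMiss(ic, map) {
  const mapAdded = !ic.seenMaps.has(map);
  ic.seenMaps.add(map);
  // Same map seen again: a polymorphic stub won't help, so go generic.
  ic.state = mapAdded ? 'POLYMORPHIC' : 'GENERIC';
}

// Appends maxNum + 1 elements and counts which path served each store.
function runGrowLoop(maxNum, missUpdatesIC) {
  const ic = { state: 'MONOMORPHIC_GROW', seenMaps: new Set(['FAST_SMI']) };
  const arr = { map: 'FAST_SMI', capacity: 0, length: 0 };
  const counts = { stub: 0, stubFailures: 0, generic: 0 };
  for (let i = 0; i <= maxNum; i++) {
    if (ic.state === 'GENERIC') {        // generic stub serves every store
      runtimeStore(arr, i);
      counts.generic++;
      continue;
    }
    const needsGrow = i >= arr.capacity;
    if (!needsGrow || nextCapacity(i) <= LIMIT) {
      if (needsGrow) arr.capacity = nextCapacity(i); // inline growth in the stub
      arr.length = i + 1;
      counts.stub++;
      continue;
    }
    counts.stubFailures++;               // bounds check on new capacity failed
    if (missUpdatesIC) onMiss(ic, arr.map); // miss path that updates IC state
    runtimeStore(arr, i);                // either way the runtime does the store
  }
  return { finalState: ic.state, ...counts };
}
```

With `missUpdatesIC` set, one stub failure moves every later store onto the generic path; without it, only the few stores that actually grow past `LIMIT` leave the stub.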
