621942 - JM: TypeInference: re-enable call ICs on monitored calls

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Brian Hackett [Laid off!]]

Type inference currently disables ICs for calls where the callee could not be determined.  This issue is analogous to bug 621937; inference needs to overapproximate the possible argument types of every script.  The simple thing to do here is just mark all argument types as unknown when generating an IC for a monitored call.  Since ICs can be generated that don't specialize on the callee, a bit may need to be added to JSScript or TypeScript indicating whether all arguments have been marked as unknown, and checked by the IC stub (this only needs to be done when inference marks a call site as needing monitoring).

Comment 1

[Brian Hackett [Laid off!]]

This keeps track of passed types at monitored call sites and pushes them to the callee when generating a MIC.  The Function.prototype.{apply,call} optimizations are also fixed.  For IC'ed monitored calls and speculated Function.prototype.call where argc == nargs, the callee is updated with the call site types, similar to how monitored SETNAME/SETPROP are handled.  For sites calling apply and sites where argc != nargs, 'this' and all args are marked as unknown.  The latter could be improved with JIT code to type check the arguments, but doing that right would I think require a new IC (this will I think be wanted eventually, but there's other things to do first).

http://hg.mozilla.org/projects/jaegermonkey/rev/ce1accd11d7a
http://hg.mozilla.org/projects/jaegermonkey/rev/dd21e37cff01

JM+TI performance improves from 1.8x slower to about 2-3% slower than stock JM on the V8 benchmarks.