From bug 1255352 comment 0:
Our current IC design has a number of problems, most importantly:
* Baseline and Ion ICs don't share much code. The same or similar logic and code is duplicated (often slightly differently and more than once per JIT).
* Ion ICs can handle cases that Baseline doesn't support, and vice versa.
* Baseline ICs are sometimes not 'flexible' enough: an example of this is the does-not-exist stub: Baseline does not attach a stub if an object on the proto chain has obj->hasUncacheableProto(), because it's really hard to support this case with the current ICs.
* It's hard to do something like: unwrap a (Window)Proxy, CCW, etc. and then optimize as a normal getprop, without duplicating/complicating a lot of code.
* ICs and Baseline stub classes are boilerplate-heavy (there are > 7000 lines of code in BaselineIC.h and SharedIC.h).
* Register allocation in ICs, especially Ion ICs, can be hard to get right.
* Adding ICs is a lot of work. I want to add an Ion IC for JSOP_IN. We also need ICs for the new |super| property accesses for ES6 classes (these are like normal GetProp/SetProp, but have an additional receiver argument).
* For Ion there's no good mechanism to discard or update stubs that are no longer valid, so we sometimes attach similar stubs multiple times.
I've been working on a design that addresses all of those issues. The idea is that we emit a very simple, linear (there are guards but no loops or branches) CacheIR bytecode, and generate Baseline and Ion IC code from it. The IR for a simple read-slot getprop looks like this:
The generated CacheIR will be exactly the same for Baseline and Ion, but they will compile each op to different machine code and Ion can skip certain guards (if it knows they will never fail).
This ensures we optimize exactly the same cases in Baseline and Ion. We still need different CacheIR -> IC code generators, but at that point all the high-level decisions and VM bits are taken care of.
The actual shapes and slot offsets will be stored separately from the CacheIR. Ion can bake those directly into the JitCode, but (just like we do now) Baseline code will store them in the ICStub, allowing us to share IC stub code. Sharing Baseline stub code happens transparently with this design: stubs that have the same CacheIR can share JIT code.
We'll no longer need Baseline ICStub classes for each case, as the stubs are allocated dynamically. Stubs have a pointer to their (shared) CacheIR code, that allows Ion to optimize based on Baseline ICs. (Later on we could compile CacheIR we get from Baseline stubs to Ion MIR instructions, allowing us to inline and optimize more cases in IonBuilder without ICs).