Closed Bug 619271 Opened 9 years ago Closed 9 years ago

TypeInference: shape should determine type, type should determine prototype


(Core :: JavaScript Engine, defect)

Windows Vista
Not set





(Reporter: bhackett1024, Assigned: bhackett1024)


(Blocks 1 open bug)



(1 file, 2 obsolete files)

All objects with the same shape should have the same type object, which we can accomplish by moving emptyShapes from the prototype object to the type object of the instances (removing a word from JSObject).  This would require all objects with the same type object to have the same prototype object (this is mostly the case now), which would also allow removing the prototype word from JSObject.

This would allow SETPROP/etc. ICs to work on bytecodes monitored by the type inference.  These are sites where the assigned object could not be determined statically, and which currently are forced through a stub call every time.  Along with a similar situation for calls, this is the main source of slowdown inference can introduce vs. the plain method JIT.  We want a situation where no matter how bad the inference results are, the method JIT should only slow down marginally.
Attached patch WIP (obsolete) — Splinter Review
WIP, compiles without --enable-type-inference

This reshuffles JSObject to remove .prototype and .emptyShapes, and instead have .type and .newType (object size is the same with/without inference).

.type is the type of the object, and stores the prototype JSObject at .proto and empty shapes at .emptyShapes
.newType is the default type to use for objects with this as their prototype, where .newType->proto == this.


- Any two objects with the same shape have the same type (follows from placement of .emptyShapes).
- Any two objects with the same type have the same prototype (follows from placement of .proto).

An additional condition (which should hold, but is not strictly required to) is that for all objects except Array.prototype and Object.prototype, all instances use newType as their type.  This is really nice because the type of most objects can be determined from the prototype, and the original signatures can be restored for all the object creation methods in jsobjinlines.h and jsapi.h.  A good portion of this patch is undoing invasive changes previously required for type objects.

When an object is allocated which needs a type other than that newType (array/object initializers and Array/Object calls, for example), it is first created with the default type and then has that type changed to another with the same .proto.  Later arbitrary changes to type (as required by mutable __proto__) can happen, but properties in both the old and new types have to marked as unknown.
Assignee: general → bhackett1024
Attached patch WIP 2 (obsolete) — Splinter Review
Passes jit-tests with and without inference.
Attachment #498260 - Attachment is obsolete: true
Attached patch patchSplinter Review
Patch landed on JM.
Attachment #498457 - Attachment is obsolete: true
Closed: 9 years ago
Resolution: --- → FIXED
Duplicate of this bug: 621937
You need to log in before you can comment on or make changes to this bug.