Closed Bug 619433 Opened 10 years ago Closed 9 years ago

[meta] TypeInference browser integration


(Core :: JavaScript Engine, defect)

Not set





(Reporter: dvander, Unassigned)


(Blocks 1 open bug)


Tracking bug for making type inference work in the browser, which includes mochitest failures, possible problems involving the embedding or XPConnect, etc.
Fix a missed case when compiling JSOP_STRICTEQ (x === x on a known double) that showed up running jstestbrowser with TI on.
Make a new type object for each function that is associated with a script.
Remove a hack for telling apart fastcalls and native calls when recompiling.  This requires an additional write after each native call returns, which will be less of an issue as we move forwards with inlined/traceable natives.
Fix a couple cases where cx->compartment was used during GC (it is NULL during the final GC, and I think is wrong the rest of the time).
Fix a bug in JSOP_NEG which would force a frame entry to be double if the result was a double, breaking the invariant correlating the FrameState types with inference types (this invariant should be asserted somewhere, but isn't yet).  Also fix a couple memory leaks.
Fix cases where we could cx->malloc data during GC (when making condensed constraints and when reconstructing type sets with removed entries), triggering a reentrant GC.  This changes things to use js_malloc in these cases.
Depends on: 639967
Restore the cutoff from earlier versions of inference that mark type sets as unknown when adding objects which have been added to many other large type sets, to avoid the algorithm's worst-case cubic behavior.
Overhaul handling of scripted new in inference.  Previously, we tried to figure out what the 'this' type was at the callsite, and on dynamic calls would call getProperty to figure out the .prototype value to use (basically duplicate js_ComputeThis).  This is stupid because getProperty ends up getting called twice, and wrong because getProperty can be effectful if it has a scripted getter.

Now it is modeled on what ScriptPrologue does --- compute the possible objects which 'this' could be when analyzing the script, rather than when discovering a call to it.
Depends on: 650864
Depends on: 650912
Depends on: 651119
Depends on: 652646
Depends on: 653639
Depends on: 655708
Depends on: 655711
Several fixes to get jit-tests working under Windows.  A few warnings, a fix for where accessing an enum in a bitwise field gets sign-extended by cl, and interpoline fix where all the memory operations were being done backwards.
Don't analyze types in compileAndGo scripts whose associated global has had its standard classes cleared.  According to GlobalObject::clearScope such scripts will never run again, and trying to do reanalysis after e.g. a GC caused reentrance problems with standard class initialization.
Depends on: 658623
Fix some orange on tinderbox, recent regression where we recorded isOwnProperty constraints on the type set pushed by a GETGNAME/CALLGNAME, rather than on the global property itself (so we were not sensitive to that property getting deleted or reconfigured).
Depends on: 530641
Depends on: 662082
Can we close this now?
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.