Tracking bug for making type inference work in the browser, which includes mochitest failures, possible problems involving the embedding or XPConnect, etc.
Fix a missed case when compiling JSOP_STRICTEQ (x === x on a known double) that showed up running jstestbrowser with TI on.
Make a new type object for each function that is associated with a script.
Remove a hack for telling apart fastcalls and native calls when recompiling. This requires an additional write after each native call returns, which will be less of an issue as we move forwards with inlined/traceable natives.
Fix a couple cases where cx->compartment was used during GC (it is NULL during the final GC, and I think is wrong the rest of the time).
Fix a bug in JSOP_NEG which would force a frame entry to be double if the result was a double, breaking the invariant correlating the FrameState types with inference types (this invariant should be asserted somewhere, but isn't yet). Also fix a couple memory leaks.
Fix cases where we could cx->malloc data during GC (when making condensed constraints and when reconstructing type sets with removed entries), triggering a reentrant GC. This changes things to use js_malloc in these cases.
Restore the cutoff from earlier versions of inference that mark type sets as unknown when adding objects which have been added to many other large type sets, to avoid the algorithm's worst-case cubic behavior.
Overhaul handling of scripted new in inference. Previously, we tried to figure out what the 'this' type was at the callsite, and on dynamic calls would call getProperty to figure out the .prototype value to use (basically duplicate js_ComputeThis). This is stupid because getProperty ends up getting called twice, and wrong because getProperty can be effectful if it has a scripted getter.
Now it is modeled on what ScriptPrologue does --- compute the possible objects which 'this' could be when analyzing the script, rather than when discovering a call to it.
Several fixes to get jit-tests working under Windows. A few warnings, a fix for where accessing an enum in a bitwise field gets sign-extended by cl, and interpoline fix where all the memory operations were being done backwards.
Don't analyze types in compileAndGo scripts whose associated global has had its standard classes cleared. According to GlobalObject::clearScope such scripts will never run again, and trying to do reanalysis after e.g. a GC caused reentrance problems with standard class initialization.
Fix some orange on tinderbox, recent regression where we recorded isOwnProperty constraints on the type set pushed by a GETGNAME/CALLGNAME, rather than on the global property itself (so we were not sensitive to that property getting deleted or reconfigured).
Can we close this now?