Closed Bug 619433 Opened 9 years ago Closed 8 years ago
Inference browser integration
Tracking bug for making type inference work in the browser, which includes mochitest failures, possible problems involving the embedding or XPConnect, etc.
Fix a missed case when compiling JSOP_STRICTEQ (x === x on a known double) that showed up running jstestbrowser with TI on. http://hg.mozilla.org/projects/jaegermonkey/rev/c9a806301518
Make a new type object for each function that is associated with a script. http://hg.mozilla.org/projects/jaegermonkey/rev/1dab51bde3f1
Remove a hack for telling apart fastcalls and native calls when recompiling. This requires an additional write after each native call returns, which will be less of an issue as we move forwards with inlined/traceable natives. http://hg.mozilla.org/projects/jaegermonkey/rev/9b576fe9baed
Fix a couple cases where cx->compartment was used during GC (it is NULL during the final GC, and I think is wrong the rest of the time). http://hg.mozilla.org/projects/jaegermonkey/rev/559b9da69fcb
Fix a bug in JSOP_NEG which would force a frame entry to be double if the result was a double, breaking the invariant correlating the FrameState types with inference types (this invariant should be asserted somewhere, but isn't yet). Also fix a couple memory leaks. http://hg.mozilla.org/projects/jaegermonkey/rev/511f51584aad
Fix cases where we could cx->malloc data during GC (when making condensed constraints and when reconstructing type sets with removed entries), triggering a reentrant GC. This changes things to use js_malloc in these cases. http://hg.mozilla.org/projects/jaegermonkey/rev/6328ceab78de
Restore the cutoff from earlier versions of inference that mark type sets as unknown when adding objects which have been added to many other large type sets, to avoid the algorithm's worst-case cubic behavior. http://hg.mozilla.org/projects/jaegermonkey/rev/c288ca4152d1
Overhaul handling of scripted new in inference. Previously, we tried to figure out what the 'this' type was at the callsite, and on dynamic calls would call getProperty to figure out the .prototype value to use (basically duplicate js_ComputeThis). This is stupid because getProperty ends up getting called twice, and wrong because getProperty can be effectful if it has a scripted getter. Now it is modeled on what ScriptPrologue does --- compute the possible objects which 'this' could be when analyzing the script, rather than when discovering a call to it. http://hg.mozilla.org/projects/jaegermonkey/rev/af764018d6f7
Several fixes to get jit-tests working under Windows. A few warnings, a fix for where accessing an enum in a bitwise field gets sign-extended by cl, and interpoline fix where all the memory operations were being done backwards. http://hg.mozilla.org/projects/jaegermonkey/rev/09461ee64436
Don't analyze types in compileAndGo scripts whose associated global has had its standard classes cleared. According to GlobalObject::clearScope such scripts will never run again, and trying to do reanalysis after e.g. a GC caused reentrance problems with standard class initialization. http://hg.mozilla.org/projects/jaegermonkey/rev/a9744127fee4
Fix some orange on tinderbox, recent regression where we recorded isOwnProperty constraints on the type set pushed by a GETGNAME/CALLGNAME, rather than on the global property itself (so we were not sensitive to that property getting deleted or reconfigured). http://hg.mozilla.org/projects/jaegermonkey/rev/7c4d5e4cd9cf
Can we close this now?
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.