Last Comment Bug 619433 - [meta] TypeInference browser integration
: [meta] TypeInference browser integration
Status: RESOLVED FIXED
:
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: unspecified
: x86_64 Linux
: -- normal with 6 votes (vote)
: ---
Assigned To: general
:
Mentors:
Depends on: 530641 639967 650864 650912 651119 652646 653639 655708 655711 658623 662082
Blocks: TypeInference
  Show dependency treegraph
 
Reported: 2010-12-15 12:15 PST by David Anderson [:dvander]
Modified: 2012-01-19 07:26 PST (History)
15 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description David Anderson [:dvander] 2010-12-15 12:15:07 PST
Tracking bug for making type inference work in the browser, which includes mochitest failures, possible problems involving the embedding or XPConnect, etc.
Comment 1 Brian Hackett (:bhackett) 2011-03-06 20:13:12 PST
Fix a missed case when compiling JSOP_STRICTEQ (x === x on a known double) that showed up running jstestbrowser with TI on.

http://hg.mozilla.org/projects/jaegermonkey/rev/c9a806301518
Comment 2 Brian Hackett (:bhackett) 2011-03-07 08:27:11 PST
Make a new type object for each function that is associated with a script.

http://hg.mozilla.org/projects/jaegermonkey/rev/1dab51bde3f1
Comment 3 Brian Hackett (:bhackett) 2011-03-07 16:29:16 PST
Remove a hack for telling apart fastcalls and native calls when recompiling.  This requires an additional write after each native call returns, which will be less of an issue as we move forwards with inlined/traceable natives.

http://hg.mozilla.org/projects/jaegermonkey/rev/9b576fe9baed
Comment 4 Brian Hackett (:bhackett) 2011-03-07 20:13:43 PST
Fix a couple cases where cx->compartment was used during GC (it is NULL during the final GC, and I think is wrong the rest of the time).

http://hg.mozilla.org/projects/jaegermonkey/rev/559b9da69fcb
Comment 5 Brian Hackett (:bhackett) 2011-03-07 23:48:26 PST
Fix a bug in JSOP_NEG which would force a frame entry to be double if the result was a double, breaking the invariant correlating the FrameState types with inference types (this invariant should be asserted somewhere, but isn't yet).  Also fix a couple memory leaks.

http://hg.mozilla.org/projects/jaegermonkey/rev/511f51584aad
Comment 6 Brian Hackett (:bhackett) 2011-03-08 10:23:28 PST
Fix cases where we could cx->malloc data during GC (when making condensed constraints and when reconstructing type sets with removed entries), triggering a reentrant GC.  This changes things to use js_malloc in these cases.

http://hg.mozilla.org/projects/jaegermonkey/rev/6328ceab78de
Comment 7 Brian Hackett (:bhackett) 2011-03-09 11:12:24 PST
Restore the cutoff from earlier versions of inference that mark type sets as unknown when adding objects which have been added to many other large type sets, to avoid the algorithm's worst-case cubic behavior.

http://hg.mozilla.org/projects/jaegermonkey/rev/c288ca4152d1
Comment 8 Brian Hackett (:bhackett) 2011-03-10 12:30:29 PST
Overhaul handling of scripted new in inference.  Previously, we tried to figure out what the 'this' type was at the callsite, and on dynamic calls would call getProperty to figure out the .prototype value to use (basically duplicate js_ComputeThis).  This is stupid because getProperty ends up getting called twice, and wrong because getProperty can be effectful if it has a scripted getter.

Now it is modeled on what ScriptPrologue does --- compute the possible objects which 'this' could be when analyzing the script, rather than when discovering a call to it.

http://hg.mozilla.org/projects/jaegermonkey/rev/af764018d6f7
Comment 9 Brian Hackett (:bhackett) 2011-05-12 09:55:13 PDT
Several fixes to get jit-tests working under Windows.  A few warnings, a fix for where accessing an enum in a bitwise field gets sign-extended by cl, and interpoline fix where all the memory operations were being done backwards.

http://hg.mozilla.org/projects/jaegermonkey/rev/09461ee64436
Comment 10 Brian Hackett (:bhackett) 2011-05-12 18:03:34 PDT
Don't analyze types in compileAndGo scripts whose associated global has had its standard classes cleared.  According to GlobalObject::clearScope such scripts will never run again, and trying to do reanalysis after e.g. a GC caused reentrance problems with standard class initialization.

http://hg.mozilla.org/projects/jaegermonkey/rev/a9744127fee4
Comment 11 Brian Hackett (:bhackett) 2011-05-22 08:56:57 PDT
Fix some orange on tinderbox, recent regression where we recorded isOwnProperty constraints on the type set pushed by a GETGNAME/CALLGNAME, rather than on the global property itself (so we were not sensitive to that property getting deleted or reconfigured).

http://hg.mozilla.org/projects/jaegermonkey/rev/7c4d5e4cd9cf
Comment 12 Marco Castelluccio [:marco] 2012-01-19 06:31:40 PST
Can we close this now?
Comment 13 Brian Hackett (:bhackett) 2012-01-19 06:33:26 PST
Sure.

Note You need to log in before you can comment on or make changes to this bug.