811566 - JM: Compile JSOP_INTRINSICNAME better

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Shu-yu Guo [:shu]]

Currently JaegerMonkey is eagerly caching all intrinsics at compile time. This has led to bugs with TI in IonMonkey (see bug 784291), though the particular bug in question doesn't arise in JM. I'm not sure why exactly, but probably because the way barriers are emitted and checked are different.

JM should also compile intrinsics by baking in the pointer only after JSOP_INTRINISCNAME has already been executed, i.e., its typeset is not empty.

Comment 2

[Shu-yu Guo [:shu]]

Norbert has confirmed that this bug *does* arise in JM in bug 816394.

Comment 3

[Till Schneidereit [:till]]

It seemed so simple in theory ...

Will look at what you've done for IM and see if I can implement it for JM.

Comment 4

[Shu-yu Guo [:shu]]

Attachment: fix

This patch mirrors the IM logic in JM: if we don't know the pushed type of the intrinsic, we call a stub which then bails, propagating the correct type.

If we really want to do better we can do some kind of IC, but I think the unknown pushed type case only really happens on eager compilation or on error paths, so a bail isn't so bad.

Comment 5

[Till Schneidereit [:till]]

Comment on attachment 686475 [details] [diff] [review]
fix

I have now tested this patch quite extensively and think there's not a single thing wrong with it.

r+ for a pretty straight-forward change from me, if that's sufficient.

Comment 6

[Shu-yu Guo [:shu]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/bbcc465e7d45

Comment 7

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/bbcc465e7d45