MegamorphicStoreSlot is both more conservative and less performant than MegamorphicSetElement, and importantly because of this more conservative nature, we often don't have any megamorphic strategy for certain types of code, and just go to a generic SetPropertyCache. We can rectify this by broadening MegamorphicStoreSlot and tying it into the MegamorphicSetPropCache to ensure that it is as performant as possible.

Depends on D175678

Depends on D175679

Depends on D175680

Depends on D175681

Depends on D175682

This is pretty hard to hit. I actually wasn't able to make a cleaner testcase
than the one I edited, which needs JS_GC_ZEAL=IncrementalMultipleSlices to
get hit. In any case, this is an existing correctness issue with megamorphic
SetElem in Ion, and becomes an issue with megamorphic SetProp with the patch
stack under this.

Depends on D176110

Depends on D176429

Depends on D176430

Backed out for causing wpt failures.

Backout link: https://hg.mozilla.org/integration/autoland/rev/943d77e340d2c6cfbd6cd8f8eb2edbebdd8d1ea9

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&searchStr=linux%2C18.04%2Cx64%2Cwebrender%2Cdebug%2Cweb%2Cplatform%2Ctests%2Ctest-linux1804-64-qr%2Fdebug-web-platform-tests%2Cwpt1&revision=c93794786b84571c9b5e855e539e9d1b0d0245a1

Failure log: https://treeherder.mozilla.org/logviewer?job_id=414007175&repo=autoland&lineNumber=8187

This bypasses a very confusing issue where someone, somewhere seems to be
assuming that sizeof(JSRuntime) fits in a uint16_t. Or something like that.
Just adding dead space to it to push it over that boundary causes a leak
in a test. In any case, this works us toward something we might want to do
anyway, which is to lazily instantiate the MegamorphicSetPropCache in order
to save memory when it's not used. I didn't do the same change for the
MegamorphicCache (the get-handling one), because it is accessed from C++
even in hot cache hit paths, where obviously we can't bake pointers to it
into the binary, so there's a slightly plausible case that the extra
pointer dereference could matter.

Depends on D176448

Backed out for causing crashes on MegamorphicSetPropCache

• backout: https://hg.mozilla.org/integration/autoland/rev/0eda5ee0d54c4a61913664826dae071e97059b9c
• push: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&revision=8700c08f79f5c14625a668366c121bbe7d2f1aca
• failure log: https://treeherder.mozilla.org/logviewer?job_id=414546118&repo=autoland&lineNumber=10457

[task 2023-05-03T21:31:55.360Z] TEST-PASS | testHelperThreadOOM | ok
[task 2023-05-03T21:31:55.360Z] testNewContextOOM
[task 2023-05-03T21:31:55.416Z] Assertion failure: get() (dereferencing a UniquePtr containing nullptr with ->), at /builds/worker/workspace/obj-spider/dist/include/mozilla/UniquePtr.h:280
[task 2023-05-03T21:31:55.416Z] #01: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0xc6431c]
[task 2023-05-03T21:31:55.416Z] #02: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0xc4d627]
[task 2023-05-03T21:31:55.416Z] #03: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0xc53505]
[task 2023-05-03T21:31:55.416Z] #04: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0xc59961]
[task 2023-05-03T21:31:55.416Z] #05: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0xc5cd18]
[task 2023-05-03T21:31:55.417Z] #06: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0xc5de84]
[task 2023-05-03T21:31:55.417Z] #07: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0xc49e3a]
[task 2023-05-03T21:31:55.417Z] #08: JSRuntime::destroyRuntime()[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0x8896c5]
[task 2023-05-03T21:31:55.417Z] #09: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0x7b5ccc]
[task 2023-05-03T21:31:55.417Z] #10: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0x4108ab]
[task 2023-05-03T21:31:55.417Z] #11: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0x49ce96]
[task 2023-05-03T21:31:55.417Z] #12: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x23d0a]
[task 2023-05-03T21:31:55.417Z] #13: ???[/builds/worker/workspace/obj-spider/dist/bin/jsapi-tests +0x235b4a]
[task 2023-05-03T21:31:55.417Z] #14: ??? (???:???)
[task 2023-05-03T21:31:55.417Z] ExceptionHandler::GenerateDump cloned child 15488
[task 2023-05-03T21:31:55.417Z] ExceptionHandler::SendContinueSignalToChild sent continue signal to child
[task 2023-05-03T21:31:55.417Z] ExceptionHandler::WaitForContinueSignal waiting for continue signal...
[task 2023-05-03T21:31:55.545Z] in directory /builds/worker/workspace/obj-spider, running ['/builds/worker/workspace/obj-spider/_virtualenvs/build/bin/python3', '/builds/worker/checkouts/gecko/testing/mozbase/mozcrash/mozcrash/mozcrash.py', '/tmp', '/builds/worker/workspace/obj-spider/dist/crashreporter-symbols']
[task 2023-05-03T21:31:55.649Z] mozcrash INFO | Copy/paste: /builds/worker/fetches/minidump-stackwalk/minidump-stackwalk --symbols-url=https://symbols.mozilla.org/ --cyborg=/tmp/tmprzbsw5bm/7a032cdb-c14d-7474-3ee6-45469c35f700.trace /tmp/7a032cdb-c14d-7474-3ee6-45469c35f700.dmp /builds/worker/workspace/obj-spider/dist/crashreporter-symbols
[task 2023-05-03T21:31:57.479Z] mozcrash INFO | Saved minidump as /builds/worker/artifacts/7a032cdb-c14d-7474-3ee6-45469c35f700.dmp
[task 2023-05-03T21:31:57.479Z] mozcrash checking /tmp for minidumps...
[task 2023-05-03T21:31:57.479Z] PROCESS-CRASH | mozcrash.py | application crashed [@ mozilla::UniquePtr<js::MegamorphicSetPropCache, JS::DeletePolicy<js::MegamorphicSetPropCache> >::operator->]

Backout merged to central: https://hg.mozilla.org/mozilla-central/rev/0eda5ee0d54c

All right. I think the patch is finally in the clear, but I'm going to wait until after code freeze to land this.

https://hg.mozilla.org/mozilla-central/rev/ffa4965c15bb
https://hg.mozilla.org/mozilla-central/rev/58b59cdfeba7
https://hg.mozilla.org/mozilla-central/rev/1d6294070abb
https://hg.mozilla.org/mozilla-central/rev/a3d1b7d5886e
https://hg.mozilla.org/mozilla-central/rev/522430c88cb1
https://hg.mozilla.org/mozilla-central/rev/dde994d92a84
https://hg.mozilla.org/mozilla-central/rev/cc99aea0fa4e
https://hg.mozilla.org/mozilla-central/rev/908f81fc3d15
https://hg.mozilla.org/mozilla-central/rev/87bdb14719ba
https://hg.mozilla.org/mozilla-central/rev/764a0722b38f

30% improvement on AWFY-Jetstream2-typescript* tests. Example : https://treeherder.mozilla.org/perfherder/graphs?highlightAlerts=1&highlightChangelogData=1&highlightCommonAlerts=0&selected=3911505,1692013209&series=mozilla-central,3738118,1,13&series=mozilla-central,3738118,1,13&series=autoland,3911505,1,13&timerange=5184000&zoom=1683562069835,1683592418717,7.373583357083318,14.511800514994963

129% improvement on AWFY-Jetstream2-FlightPlanner* subtests. Example: https://treeherder.mozilla.org/perfherder/graphs?highlightAlerts=1&highlightChangelogData=1&highlightCommonAlerts=0&selected=3911287,1692012932&series=mozilla-central,3737900,1,13&series=mozilla-central,3737900,1,13&series=autoland,3911287,1,13&timerange=5184000&zoom=1683572748395,1683588304522,175.41647298922416,827.5511923589148