| blob | f6c0e93ff074cee4b19de2b1538658f060e8b0c2 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
9 #include <algorithm>
25 // Stack used by FlagPhiInputsAsImplicitlyUsed. It stores the Phi instruction
26 // pointer and the MUseIterator which should be visited next.
30 // Look for Phi uses with a depth-first search. If any uses are found the stack
31 // of MPhi instructions is returned in the |worklist| argument.
34 // Push a Phi and the next use to iterate over in the worklist.
38 };
40 #ifdef DEBUG
41 // Used to assert that when we have no uses, we at least visited all the
42 // transitive uses.
45 #endif
49 }
52 // Resume iterating over the last phi-use pair added by the next loop.
59 // Keep going down the tree of uses, skipping (continue)
60 // non-observable/unused cases and Phi which are already listed in the
61 // worklist. Stop (return) as soon as one use is found.
65 use++;
66 #ifdef DEBUG
67 useCount++;
68 #endif
71 }
75 // Observable operands are similar to potential uses.
78 }
80 }
84 // The producer is explicitly used by a definition.
86 }
91 // The information got cached on the Phi the last time it
92 // got visited, or when flagging operands of implicitly used
93 // instructions.
95 }
98 // We are already iterating over the uses of this Phi instruction which
99 // are part of a loop, instead of trying to handle loops, conservatively
100 // mark them as used.
102 }
105 // The instruction already got visited and is known to have
106 // no uses. Skip it.
108 }
110 // We found another Phi instruction, move the use iterator to
111 // the next use push it to the worklist stack. Then, continue
112 // with a depth search.
115 }
119 #ifdef DEBUG
121 #endif
122 }
124 // When unused, we cannot bubble up this information without iterating
125 // over the rest of the previous Phi instruction consumers.
128 }
132 }
137 // When removing an edge between 2 blocks, we might remove the ability of
138 // later phases to figure out that the uses of a Phi should be considered as
139 // a use of all its inputs. Thus we need to mark the Phi inputs as being
140 // implicitly used iff the phi has any uses.
141 //
142 //
143 // +--------------------+ +---------------------+
144 // |12 MFoo 6 | |32 MBar 5 |
145 // | | | |
146 // | ... | | ... |
147 // | | | |
148 // |25 MGoto Block 4 | |43 MGoto Block 4 |
149 // +--------------------+ +---------------------+
150 // | |
151 // | | |
152 // | | |
153 // | +-----X------------------------+
154 // | Edge |
155 // | Removed |
156 // | |
157 // | +------------v-----------+
158 // | |50 MPhi 12 32 |
159 // | | |
160 // | | ... |
161 // | | |
162 // | |70 MReturn 50 |
163 // | +------------------------+
164 // |
165 // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
166 // |
167 // v
168 //
169 // ^ +--------------------+ +---------------------+
170 // /!\ |12 MConst opt-out | |32 MBar 5 |
171 // '---' | | | |
172 // | ... | | ... |
173 // |78 MBail | | |
174 // |80 MUnreachable | |43 MGoto Block 4 |
175 // +--------------------+ +---------------------+
176 // |
177 // |
178 // |
179 // +---------------+
180 // |
181 // |
182 // |
183 // +------------v-----------+
184 // |50 MPhi 32 |
185 // | |
186 // | ... |
187 // | |
188 // |70 MReturn 50 |
189 // +------------------------+
190 //
191 //
192 // If the inputs of the Phi are not flagged as implicitly used, then
193 // later compilation phase might optimize them out. The problem is that a
194 // bailout will use this value and give it back to baseline, which will then
195 // use the OptimizedOut magic value in a computation.
196 //
197 // Unfortunately, we cannot be too conservative about flagging Phi inputs as
198 // having implicit uses, as this would prevent many optimizations from being
199 // used. Thus, the following code is in charge of flagging Phi instructions
200 // as Unused or Used, and setting ImplicitlyUsed accordingly.
209 }
211 // We are looking to mark the Phi inputs which are used across the edge
212 // between the |block| and its successor |succ|.
216 }
218 // If the Phi is either Used or Unused, set the ImplicitlyUsed flag
219 // accordingly.
225 }
227 // We do not know if the Phi was Used or Unused, iterate over all uses
228 // with a depth-search of uses. Returns the matching stack in the
229 // worklist as soon as one use is found.
233 }
238 // One of the Phis is used, set Used flags on all the Phis which are
239 // in the use chain.
247 }
249 }
252 }
259 it++;
261 }
262 }
264 }
266 // Given an iterator pointing to the first removed instruction, mark
267 // the operands of each removed instruction as having implicit uses.
274 // Flag operands of removed instructions as having implicit uses.
279 }
284 }
286 // Flag observable resume point operands as having implicit uses.
288 // Note: no need to iterate over the caller's of the resume point as
289 // this is the same as the entry resume point.
294 }
295 }
296 }
297 }
299 // Flag Phi inputs of the successors as having implicit uses.
300 MPhiUseIteratorStack worklist;
304 }
307 worklist)) {
309 }
310 }
313 }
317 // Flag observable operands of the entry resume point as having implicit uses.
322 }
328 }
329 }
332 }
335 }
341 }
343 // WarpBuilder sets the alwaysBails flag on blocks that contain an
344 // unconditional bailout. We trim any instructions in those blocks
345 // after the first unconditional bailout, and remove any blocks that
346 // are only reachable through bailing blocks.
350 // Pruning is guided by unconditional bailouts. Wasm does not have bailouts.
359 numMarked++;
362 }
364 };
366 // The entry block is always reachable.
369 }
371 // The OSR entry block is always reachable if it exists.
374 }
376 // Iteratively mark all reachable blocks.
380 }
386 // If this block always bails, then it does not reach its successors.
389 }
395 }
399 }
400 }
401 }
404 // There is nothing to prune.
407 }
412 // The operands of removed instructions may be needed in baseline
413 // after bailing out.
417 }
421 // If we are removing the block entirely, mark the operands of every
422 // instruction as being implicitly used.
425 // If we are only trimming instructions after a bail, only mark operands
426 // of removed instructions.
429 }
430 }
432 // Remove the blocks in post-order such that consumers are visited before
433 // the predecessors, the only exception being the Phi nodes of loop headers.
437 }
440 }
445 }
447 // As we are going to replace/remove the last instruction, we first have
448 // to remove this block from the predecessor list of its successors.
454 }
456 // Our dominators code expects all loop headers to have two predecessors.
457 // If we are removing the normal entry to a loop, but can still reach
458 // the loop header via OSR, we create a fake unreachable predecessor.
463 }
468 }
469 // Mark the block to avoid removing it as unreachable.
475 }
480 }
483 // Remove unreachable blocks from the CFG.
487 // Remove unreachable instructions after unconditional bailouts.
490 // Discard all instructions after the first MBail.
496 }
499 }
500 }
504 }
509 }
514 }
516 // Create a simple new block which contains a goto and which split the
517 // edge between block and target.
521 }
522 }
524 }
526 // A critical edge is an edge which is neither its successor's only predecessor
527 // nor its predecessor's only successor. Critical edges must be split to
528 // prevent copy-insertion and code motion from affecting other edges.
534 }
535 }
537 }
542 }
546 }
551 }
553 // Determine whether phiBlock/testBlock simply compute a phi and perform a
554 // test on it.
565 }
566 }
571 }
574 // Unwrap boolean conversion performed through the '!!' idiom.
579 // The MNot must only be used by |testOrNot|.
583 }
586 }
591 // Fail if there are any other instructions than MNot.
593 }
594 }
596 // There's an odd number of MNot, so this can't be the '!!' idiom.
599 }
606 }
610 }
616 }
621 }
622 }
624 }
630 }
631 }
635 }
641 }
643 // Determine if value is directly or indirectly the test input.
648 // Only accept if there's an even number of MNot.
651 }
653 // Unwrap boolean conversion performed through the '!!' idiom.
658 }
661 }
662 }
664 // Change block so that it ends in a goto to the specific target block.
665 // existingPred is an existing predecessor of the block.
679 }
681 // Change block so that it ends in a test of the specified value, going to
682 // either ifTrue or ifFalse. existingPred is an existing predecessor of ifTrue
683 // or ifFalse with the same values incoming to ifTrue/ifFalse as block.
684 // existingPred is not required to be a predecessor of ifTrue/ifFalse if block
685 // already ends in a test going to that block on a true/false result.
698 }
701 }
707 }
710 }
713 }
724 }
727 }
729 }
731 /*
732 * Look for a diamond pattern:
733 *
734 * initialBlock
735 * / \
736 * trueBranch falseBranch
737 * \ /
738 * phiBlock
739 * |
740 * testBlock
741 */
746 }
752 }
758 }
763 }
766 }
768 }
774 // Optimize the MIR graph to improve the code generated for conditional
775 // operations. A test like 'if (a ? b : c)' normally requires four blocks,
776 // with a phi for the intermediate value. This can be improved to use three
777 // blocks with no phi value.
779 /*
780 * Look for a diamond pattern:
781 *
782 * initialBlock
783 * / \
784 * trueBranch falseBranch
785 * \ /
786 * phiBlock
787 * |
788 * testBlock
789 *
790 * Where phiBlock contains a single phi combining values pushed onto the
791 * stack by trueBranch and falseBranch, and testBlock contains a test on
792 * that phi. phiBlock and testBlock may be the same block; generated code
793 * will use different blocks if the (?:) op is in an inlined function.
794 */
803 }
810 }
814 }
815 }
821 }
825 // Make sure the test block does not have any outgoing loop backedges.
828 }
835 // OK, we found the desired pattern, now transform the graph.
837 // Remove the phi from phiBlock.
840 // Change the end of the block to a test that jumps directly to successors of
841 // testBlock, rather than to testBlock itself.
845 testBlock)) {
847 }
851 testBlock)) {
853 }
854 }
858 testBlock)) {
860 }
864 testBlock)) {
866 }
867 }
869 // Remove phiBlock, if different from testBlock.
873 }
875 // Remove testBlock itself.
881 }
883 /*
884 * Look for a triangle pattern:
885 *
886 * initialBlock
887 * / \
888 * trueBranch |
889 * \ /
890 * phiBlock+falseBranch
891 * |
892 * testBlock
893 *
894 * Or:
895 *
896 * initialBlock
897 * / \
898 * | falseBranch
899 * \ /
900 * phiBlock+trueBranch
901 * |
902 * testBlock
903 */
908 }
918 }
921 }
923 }
929 }
932 }
934 }
937 }
943 // Optimize the MIR graph to improve the code generated for boolean
944 // operations. A test like 'if (a && b)' normally requires three blocks, with
945 // a phi for the intermediate value. This can be improved to use no phi value.
947 /*
948 * Look for a triangle pattern:
949 *
950 * initialBlock
951 * / \
952 * trueBranch |
953 * \ /
954 * phiBlock+falseBranch
955 * |
956 * testBlock
957 *
958 * Or:
959 *
960 * initialBlock
961 * / \
962 * | falseBranch
963 * \ /
964 * phiBlock+trueBranch
965 * |
966 * testBlock
967 *
968 * Where phiBlock contains a single phi combining values pushed onto the stack
969 * by trueBranch and falseBranch, and testBlock contains a test on that phi.
970 * phiBlock and testBlock may be the same block; generated code will use
971 * different blocks if the (&&) op is in an inlined function.
972 */
981 }
990 }
999 }
1000 }
1006 }
1010 // If the phi-operand doesn't match the initial input, we can't fold the test.
1015 }
1017 // Make sure the test block does not have any outgoing loop backedges.
1020 }
1030 }
1032 // OK, we found the desired pattern, now transform the graph.
1034 // Remove the phi from phiBlock.
1037 // Change the end of the block to a test that jumps directly to successors of
1038 // testBlock, rather than to testBlock itself.
1043 testBlock)) {
1045 }
1048 testBlock)) {
1050 }
1054 testBlock)) {
1056 }
1057 }
1062 testBlock)) {
1064 }
1067 testBlock)) {
1069 }
1073 testBlock)) {
1075 }
1076 }
1078 // Remove phiBlock, if different from testBlock.
1082 }
1084 // Remove testBlock itself.
1090 }
1096 }
1099 }
1101 }
1104 // Handle test expressions on more than two inputs. For example
1105 // |if ((x > 10) && (y > 20) && (z > 30)) { ... }|, which results in the below
1106 // pattern.
1107 //
1108 // Look for the pattern:
1109 // ┌─────────────────┐
1110 // 1 │ 1 compare │
1111 // ┌─────┤ 2 test compare1 │
1112 // │ └──────┬──────────┘
1113 // │ │0
1114 // ┌───────▼─────────┐ │
1115 // │ 3 compare │ │
1116 // │ 4 test compare3 │ └──────────┐
1117 // └──┬──────────┬───┘ │
1118 // 1│ │0 │
1119 // ┌──────────▼──────┐ │ │
1120 // │ 5 compare │ └─────────┐ │
1121 // │ 6 goto │ │ │
1122 // └───────┬─────────┘ │ │
1123 // │ │ │
1124 // │ ┌──────────────────▼───────▼───────┐
1125 // └───►│ 9 phi compare1 compare3 compare5 │
1126 // │10 goto │
1127 // └────────────────┬─────────────────┘
1128 // │
1129 // ┌────────▼────────┐
1130 // │11 test phi9 │
1131 // └─────┬─────┬─────┘
1132 // 1│ │0
1133 // ┌────────────┐ │ │ ┌─────────────┐
1134 // │ TrueBranch │◄────┘ └─────►│ FalseBranch │
1135 // └────────────┘ └─────────────┘
1136 //
1137 // And transform it to:
1138 //
1139 // ┌─────────────────┐
1140 // 1 │ 1 compare │
1141 // ┌───┤ 2 test compare1 │
1142 // │ └──────────┬──────┘
1143 // │ │0
1144 // ┌───────▼─────────┐ │
1145 // │ 3 compare │ │
1146 // │ 4 test compare3 │ │
1147 // └──┬─────────┬────┘ │
1148 // 1│ │0 │
1149 // ┌──────────▼──────┐ │ │
1150 // │ 5 compare │ └──────┐ │
1151 // │ 6 test compare5 │ │ │
1152 // └────┬────────┬───┘ │ │
1153 // 1│ │0 │ │
1154 // ┌─────▼──────┐ │ ┌───▼──▼──────┐
1155 // │ TrueBranch │ └─────────► FalseBranch │
1156 // └────────────┘ └─────────────┘
1161 }
1167 // MaybeFoldConditionBlock handles the case for two operands.
1175 }
1181 }
1185 }
1186 }
1194 }
1198 // If the phi-operand doesn't match the initial input, we can't fold the test.
1203 }
1208 // The block of each phi operand must either end with a test instruction on
1209 // that phi operand or it's the sole block which ends with a goto instruction.
1214 // Each predecessor must end with either a test or goto instruction.
1222 }
1225 }
1228 }
1230 // Ensure we found the single goto block.
1233 }
1235 // Make sure the test block does not have any outgoing loop backedges.
1238 }
1240 // OK, we found the desired pattern, now transform the graph.
1242 // Remove the phi from phiBlock.
1245 // Create the new test instruction.
1248 testBlock)) {
1250 }
1252 // Update all test instructions to point to the final target.
1261 testBlock)) {
1263 }
1268 testBlock)) {
1270 }
1271 }
1273 // Ensure we've made progress.
1275 }
1277 // Remove phiBlock, if different from testBlock.
1281 }
1283 // Remove testBlock itself.
1289 }
1293 block++) {
1296 }
1299 }
1300 }
1302 }
1307 iter++;
1311 }
1315 }
1319 }
1323 }
1330 }
1339 }
1341 }
1343 }
1347 // If we will pop the top of the stack immediately after resuming,
1348 // then don't preserve the top value in the resume point.
1351 }
1356 }
1359 }
1367 }
1371 }
1373 // Operands to a resume point which are dead at the point of the resume can be
1374 // replaced with a magic value. This pass only replaces resume points which are
1375 // trivially dead.
1376 //
1377 // This is intended to ensure that extra resume points within a basic block
1378 // will not artificially extend the lifetimes of any SSA values. This could
1379 // otherwise occur if the new resume point captured a value which is created
1380 // between the old and new resume point and is dead at the new resume point.
1387 }
1389 }
1390 }
1392 }
1394 // Operands to a resume point which are dead at the point of the resume can be
1395 // replaced with a magic value. This analysis supports limited detection of
1396 // dead operands, pruning those which are defined in the resume point's basic
1397 // block and have no uses outside the block or at points later than the resume
1398 // point.
1399 //
1400 // This is intended to ensure that extra resume points within a basic block
1401 // will not artificially extend the lifetimes of any SSA values. This could
1402 // otherwise occur if the new resume point captured a value which is created
1403 // between the old and new resume point and is dead at the new resume point.
1405 // If we are compiling try blocks, locals and arguments may be observable
1406 // from catch or finally blocks (which Ion does not compile). For now just
1407 // disable the pass in this case.
1410 }
1413 block++) {
1416 }
1421 }
1423 }
1425 // The logic below can get confused on infinite loops.
1428 }
1431 ins++) {
1435 }
1437 }
1439 // No benefit to replacing constant operands with other constants.
1442 }
1444 // Scanning uses does not give us sufficient information to tell
1445 // where instructions that are involved in box/unbox operations or
1446 // parameter passing might be live. Rewriting uses of these terms
1447 // in resume points may affect the interpreter's behavior. Rather
1448 // than doing a more sophisticated analysis, just ignore these.
1452 }
1454 // Early intermediate values captured by resume points, such as
1455 // ArrayState and its allocation, may be legitimately dead in Ion code,
1456 // but are still needed if we bail out. They can recover on bailout.
1460 }
1462 // If an instruction can be recovered on bailout, but it has a resume
1463 // point, then do not attempt to remove its uses. The reason being that
1464 // this is likely to be an allocation which would be flagged as recovered
1465 // on bailout by the Sink phase, as long as it is captured by resume
1466 // points, but it would not be removed by DCE as it has a resume point.
1469 }
1471 // If the instruction's behavior has been constant folded into a
1472 // separate instruction, we can't determine precisely where the
1473 // instruction becomes dead and can't eliminate its uses.
1476 }
1478 // Check if this instruction's result is only used within the
1479 // current block, and keep track of its last use in a definition
1480 // (not resume point). This requires the instructions in the block
1481 // to be numbered, ensured by running this immediately after alias
1482 // analysis.
1483 //
1484 // The fact that the consumers are in the same block is a cheap way to
1485 // ensure that there is no need for block domination question, nor any Phi
1486 // at a loop edge.
1489 uses++) {
1492 // If the instruction's is captured by one of the resume point, then
1493 // it might be observed indirectly while the frame is live on the
1494 // stack, so it has to be computed.
1499 }
1501 }
1507 }
1509 }
1512 }
1514 // Walk the uses a second time, removing any in resume points after
1515 // the last use in a definition.
1516 //
1517 // Given that all consumers are in the same block as the definition, and
1518 // there is not observable operand, then we can replace this operand in
1519 // any resume point which is after the last consumer. This means, in a
1520 // different block or located after the last consumer.
1526 }
1530 // The transformation below would remove the instruction from the
1531 // operand of the resume point. This condition is used to preserve any
1532 // resume point which value might flow in one of the live consumers.
1536 }
1540 }
1542 // Store an optimized out magic value in place of all dead
1543 // resume point operands. Making any such substitution can in
1544 // general alter the interpreter's behavior, even though the
1545 // code is dead, as the interpreter will still execute opcodes
1546 // whose effects cannot be observed. If the magic value value
1547 // were to flow to, say, a dead property access the
1548 // interpreter could throw an exception; we avoid this problem
1549 // by removing dead operands before removing dead code.
1554 }
1555 }
1556 }
1559 }
1561 // Test whether |def| would be needed if it had no uses.
1563 // Effectful instructions of course cannot be removed.
1566 }
1568 // Never eliminate guard instructions.
1571 }
1573 // Required to be preserved, as the type guard related to this instruction
1574 // is part of the semantics of a transformation.
1577 }
1579 // Control instructions have no uses, but also shouldn't be optimized out
1582 }
1584 // Used when lowering to generate the corresponding snapshots and aggregate
1585 // the list of recover instructions to be repeated.
1588 }
1591 }
1593 // Similar to DeadIfUnused(), but additionally allows effectful instructions.
1595 // Never eliminate guard instructions.
1598 }
1600 // Required to be preserved, as the type guard related to this instruction
1601 // is part of the semantics of a transformation.
1604 }
1606 // Control instructions have no uses, but also shouldn't be optimized out
1609 }
1611 // Used when lowering to generate the corresponding snapshots and aggregate
1612 // the list of recover instructions to be repeated.
1614 // All effectful instructions must have a resume point attached. We're
1615 // allowing effectful instructions here, so we have to ignore any resume
1616 // points if we want to consider effectful instructions as dead.
1619 }
1620 }
1623 }
1625 // Test whether |def| may be safely discarded, due to being dead or due to being
1626 // located in a basic block which has itself been marked for discarding.
1629 }
1631 // Similar to IsDiscardable(), but additionally allows effectful instructions.
1635 }
1637 // Instructions are useless if they are unused and have no side effects.
1638 // This pass eliminates useless instructions.
1639 // The graph itself is unchanged.
1641 // Traverse in postorder so that we hit uses before definitions.
1642 // Traverse instruction list backwards for the same reason.
1644 block++) {
1647 }
1649 // Remove unused instructions.
1655 }
1656 }
1657 }
1660 }
1663 // If the phi has uses which are not reflected in SSA, then behavior in the
1664 // interpreter may be affected by removing the phi.
1667 }
1669 // Check for uses of this phi node outside of other phi nodes.
1670 // Note that, initially, we skip reading resume points, which we
1671 // don't count as actual uses. If the only uses are resume points,
1672 // then the SSA name is never consumed by the program. However,
1673 // after optimizations have been performed, it's possible that the
1674 // actual uses in the program have been (incorrectly) optimized
1675 // away, so we must be more conservative and consider resume
1676 // points as well.
1683 }
1686 }
1691 }
1692 }
1693 }
1696 }
1698 // Handles cases like:
1699 // x is phi(a, x) --> a
1700 // x is phi(a, a) --> a
1705 }
1707 // Propagate the ImplicitlyUsed flag if |phi| is replaced with another phi.
1710 }
1713 }
1716 Observability observe) {
1717 // Eliminates redundant or unobservable phis from the graph. A
1718 // redundant phi is something like b = phi(a, a) or b = phi(a, b),
1719 // both of which can be replaced with a. An unobservable phi is
1720 // one that whose value is never used in the program.
1721 //
1722 // Note that we must be careful not to eliminate phis representing
1723 // values that the interpreter will require later. When the graph
1724 // is first constructed, we can be more aggressive, because there
1725 // is a greater correspondence between the CFG and the bytecode.
1726 // After optimizations such as GVN have been performed, however,
1727 // the bytecode and CFG may not correspond as closely to one
1728 // another. In that case, we must be more conservative. The flag
1729 // |conservativeObservability| is used to indicate that eliminate
1730 // phis is being run after some optimizations have been performed,
1731 // and thus we should use more conservative rules about
1732 // observability. The particular danger is that we can optimize
1733 // away uses of a phi because we think they are not executable,
1734 // but the foundation for that assumption is false TI information
1735 // that will eventually be invalidated. Therefore, if
1736 // |conservativeObservability| is set, we will consider any use
1737 // from a resume point to be observable. Otherwise, we demand a
1738 // use from an actual instruction.
1742 // Add all observable phis to a worklist. We use the "in worklist" bit to
1743 // mean "this phi is live".
1745 block++) {
1752 }
1754 // Flag all as unused, only observable phis would be marked as used
1755 // when processed by the work list.
1758 // If the phi is redundant, remove it here.
1763 }
1765 // Enqueue observable Phis.
1770 }
1771 }
1772 }
1773 }
1775 // Iteratively mark all phis reachable from live phis.
1779 }
1785 // The removal of Phis can produce newly redundant phis.
1787 // Add to the worklist the used phis which are impacted.
1796 }
1797 }
1798 }
1799 }
1802 // Otherwise flag them as used.
1804 }
1806 // The current phi is/was used, so all its operands are used.
1811 }
1815 }
1816 }
1817 }
1819 // Sweep dead phis.
1821 block++) {
1828 }
1830 }
1831 }
1832 }
1835 }
1839 // The type analysis algorithm inserts conversions and box/unbox instructions
1840 // to make the IR graph well-typed for future passes.
1841 //
1842 // Phi adjustment: If a phi's inputs are all the same type, the phi is
1843 // specialized to return that type.
1844 //
1845 // Input adjustment: Each input is asked to apply conversion operations to its
1846 // inputs. This may include Box, Unbox, or other instruction-specific type
1847 // conversion operations.
1848 //
1859 }
1862 }
1865 }
1870 }
1898 };
1903 // [SMDOC] OSR Phi Type Specialization
1904 //
1905 // Without special handling for OSR phis, we end up with unspecialized phis
1906 // (MIRType::Value) in the loop (pre)header and other blocks, resulting in
1907 // unnecessary boxing and unboxing in the loop body.
1908 //
1909 // To fix this, phi type specialization needs special code to deal with the
1910 // OSR entry block. Recall that OSR results in the following basic block
1911 // structure:
1912 //
1913 // +------------------+ +-----------------+
1914 // | Code before loop | | OSR entry block |
1915 // +------------------+ +-----------------+
1916 // | |
1917 // | |
1918 // | +---------------+ |
1919 // +---------> | OSR preheader | <---------+
1920 // +---------------+
1921 // |
1922 // V
1923 // +---------------+
1924 // | Loop header |<-----+
1925 // +---------------+ |
1926 // | |
1927 // ... |
1928 // | |
1929 // +---------------+ |
1930 // | Loop backedge |------+
1931 // +---------------+
1932 //
1933 // OSR phi specialization happens in three steps:
1934 //
1935 // (1) Specialize phis but ignore MOsrValue phi inputs. In other words,
1936 // pretend the OSR entry block doesn't exist. See guessPhiType.
1937 //
1938 // (2) Once phi specialization is done, look at the types of loop header phis
1939 // and add these types to the corresponding preheader phis. This way, the
1940 // types of the preheader phis are based on the code before the loop and
1941 // the code in the loop body. These are exactly the types we expect for
1942 // the OSR Values. See the last part of TypeAnalyzer::specializePhis.
1943 //
1944 // (3) For type-specialized preheader phis, add guard/unbox instructions to
1945 // the OSR entry block to guard the incoming Value indeed has this type.
1946 // This happens in:
1947 //
1948 // * TypeAnalyzer::adjustPhiInputs: adds a fallible unbox for values that
1949 // can be unboxed.
1950 //
1951 // * TypeAnalyzer::replaceRedundantPhi: adds a type guard for values that
1952 // can't be unboxed (null/undefined/magic Values).
1955 }
1958 }
1960 // Try to specialize this phi based on its non-cyclic inputs.
1962 #ifdef DEBUG
1963 // Check that different magic constants aren't flowing together. Ignore
1964 // JS_OPTIMIZED_OUT, since an operand could be legitimately optimized
1965 // away.
1973 }
1975 }
1976 }
1977 #endif
1989 }
1991 // The operand is a phi we tried to specialize, but we were
1992 // unable to guess its type. propagateSpecialization will
1993 // propagate the type to this phi when it becomes known.
1995 }
1996 }
1998 // See shouldSpecializeOsrPhis comment. This is the first step mentioned
1999 // there.
2004 }
2011 }
2013 }
2019 // If we only saw definitions that can be converted into Float32 before
2020 // and encounter a Float32 value, promote previous values to Float32
2024 // Specialize phis with int32 and double operands as double.
2029 }
2030 }
2031 }
2034 // TODO(post-Warp): simplify float32 handling in this function or (better)
2035 // make the float32 analysis a stand-alone optimization pass instead of
2036 // complicating type analysis. See bug 1655773.
2038 }
2042 }
2047 }
2050 }
2055 // Verify that this specialization matches any phis depending on it.
2059 }
2063 }
2065 // We tried to specialize this phi, but were unable to guess its
2066 // type. Now that we know the type of one of its operands, we can
2067 // specialize it. If it can't be specialized as float32, specialize
2068 // as double.
2072 }
2075 }
2077 }
2079 // Specialize phis with int32 that can be converted to float and float
2080 // operands as floats.
2087 }
2089 }
2091 // Specialize phis with int32 and double operands as double.
2096 }
2098 }
2100 // This phi in our use chain can now no longer be specialized.
2103 }
2104 }
2105 }
2108 }
2114 }
2119 }
2120 }
2123 }
2125 // If branch pruning removes the path from the entry block to the OSR
2126 // preheader, we may have phis (or chains of phis) with no operands
2127 // other than OsrValues. These phis will still have MIRType::None.
2128 // Since we don't have any information about them, we specialize them
2129 // as MIRType::Value.
2135 block++) {
2138 }
2143 }
2147 }
2148 }
2149 }
2151 }
2155 block++) {
2158 }
2163 }
2168 // We tried to guess the type but failed because all operands are
2169 // phis we still have to visit. Set the triedToSpecialize flag but
2170 // don't propagate the type to other phis, propagateSpecialization
2171 // will do that once we know the type of one of the operands.
2173 }
2176 }
2177 }
2178 }
2182 }
2185 // See shouldSpecializeOsrPhis comment. This is the second step, propagating
2186 // loop header phi types to preheader phis.
2192 // Branch pruning has removed the path from the entry block
2193 // to the preheader. Specialize any phis with no non-osr inputs.
2196 }
2199 phi++) {
2204 // Already includes everything.
2206 }
2211 }
2212 }
2215 }
2217 // Edge case: there is no backedge in this loop. This can happen
2218 // if the header is a 'pending' loop header when control flow in
2219 // the loop body is terminated unconditionally, or if a block
2220 // that dominates the backedge unconditionally bails out. In
2221 // this case the header only has the preheader as predecessor
2222 // and we don't need to do anything.
2224 }
2225 }
2229 }
2235 // If we specialized a type that's not Value, there are 3 cases:
2236 // 1. Every input is of that type.
2237 // 2. Every observed input is of that type (i.e., some inputs haven't been
2238 // executed yet).
2239 // 3. Inputs were doubles and int32s, and was specialized to double.
2245 }
2249 }
2257 // Convert int32 operands to double.
2263 // See comment below
2268 }
2275 }
2277 // If we know this branch will fail to convert to phiType,
2278 // insert a box that'll immediately fail in the fallible unbox
2279 // below.
2284 }
2286 // Be optimistic and insert unboxes when the operand is a
2287 // value.
2289 }
2294 }
2295 }
2298 }
2300 // Box every typed input.
2305 }
2307 // The input is being explicitly unboxed, so sneak past and grab the
2308 // original box. Don't bother optimizing if magic values are involved.
2313 }
2314 }
2319 }
2323 }
2326 }
2329 }
2332 // Definitions such as MPhi have no type policy.
2335 }
2341 }
2343 }
2367 }
2369 // The instruction pass will insert the box
2374 // See shouldSpecializeOsrPhis comment. This is part of the third step,
2375 // guard the incoming MOsrValue is of this type.
2384 }
2385 }
2386 }
2387 }
2390 // Instructions are processed in reverse postorder: all uses are defs are
2391 // seen before uses. This ensures that output adjustment (which may rewrite
2392 // inputs of uses) does not conflict with input adjustment.
2397 }
2403 // We can replace this phi with a constant.
2406 }
2412 }
2413 }
2414 }
2416 // AdjustInputs can add/remove/mutate instructions before and after the
2417 // current instruction. Only increment the iterator after it is finished.
2419 iter++) {
2422 }
2426 }
2427 }
2428 }
2430 }
2432 /* clang-format off */
2433 //
2434 // This function tries to emit Float32 specialized operations whenever it's possible.
2435 // MIR nodes are flagged as:
2436 // - Producers, when they can create Float32 that might need to be coerced into a Double.
2437 // Loads in Float32 arrays and conversions to Float32 are producers.
2438 // - Consumers, when they can have Float32 as inputs and validate a legal use of a Float32.
2439 // Stores in Float32 arrays and conversions to Float32 are consumers.
2440 // - Float32 commutative, when using the Float32 instruction instead of the Double instruction
2441 // does not result in a compound loss of precision. This is the case for +, -, /, * with 2
2442 // operands, for instance. However, an addition with 3 operands is not commutative anymore,
2443 // so an intermediate coercion is needed.
2444 // Except for phis, all these flags are known after Ion building, so they cannot change during
2445 // the process.
2446 //
2447 // The idea behind the algorithm is easy: whenever we can prove that a commutative operation
2448 // has only producers as inputs and consumers as uses, we can specialize the operation as a
2449 // float32 operation. Otherwise, we have to convert all float32 inputs to doubles. Even
2450 // if a lot of conversions are produced, GVN will take care of eliminating the redundant ones.
2451 //
2452 // Phis have a special status. Phis need to be flagged as producers or consumers as they can
2453 // be inputs or outputs of commutative instructions. Fortunately, producers and consumers
2454 // properties are such that we can deduce the property using all non phis inputs first (which form
2455 // an initial phi graph) and then propagate all properties from one phi to another using a
2456 // fixed point algorithm. The algorithm is ensured to terminate as each iteration has less or as
2457 // many flagged phis as the previous iteration (so the worst steady state case is all phis being
2458 // flagged as false).
2459 //
2460 // In a nutshell, the algorithm applies three passes:
2461 // 1 - Determine which phis are consumers. Each phi gets an initial value by making a global AND on
2462 // all its non-phi inputs. Then each phi propagates its value to other phis. If after propagation,
2463 // the flag value changed, we have to reapply the algorithm on all phi operands, as a phi is a
2464 // consumer if all of its uses are consumers.
2465 // 2 - Determine which phis are producers. It's the same algorithm, except that we have to reapply
2466 // the algorithm on all phi uses, as a phi is a producer if all of its operands are producers.
2467 // 3 - Go through all commutative operations and ensure their inputs are all producers and their
2468 // uses are all consumers.
2469 //
2470 /* clang-format on */
2474 // Iterate in postorder so worklist is initialized to RPO.
2480 }
2487 canConsumeFloat32 &=
2489 }
2493 }
2494 }
2495 }
2501 }
2512 }
2513 }
2517 }
2519 // Propagate invalidated phis
2527 }
2528 }
2529 }
2530 }
2532 }
2537 // Iterate in reverse postorder so worklist is initialized to PO.
2543 }
2552 }
2556 }
2557 }
2558 }
2564 }
2575 }
2576 }
2580 }
2582 // Propagate invalidated phis
2589 }
2590 }
2591 }
2592 }
2594 }
2601 }
2606 }
2610 }
2614 }
2616 // This call will try to specialize the instruction iff all uses are
2617 // consumers and all inputs are producers.
2619 }
2620 }
2622 }
2631 }
2635 }
2636 }
2637 }
2639 }
2642 // Asm.js uses the ahead of time type checks to specialize operations, no need
2643 // to check them again at this point.
2646 }
2648 // Check ahead of time that there is at least one definition typed as Float32,
2649 // otherwise we don't need this pass.
2652 }
2654 // WarpBuilder skips over code that can't be reached except through
2655 // a catch block. Locals and arguments may be observable in such
2656 // code after bailing out, so we can't rely on seeing all uses.
2659 }
2663 }
2666 }
2669 }
2671 }
2674 #ifdef DEBUG
2675 // Asserts that all Float32 instructions are flowing into Float32 consumers or
2676 // specialized operations
2681 }
2686 }
2691 }
2692 }
2693 }
2694 #endif
2696 }
2705 }
2708 }
2709 }
2711 }
2713 // Propagate type information from dominating unbox instructions.
2714 //
2715 // This optimization applies for example for self-hosted String.prototype
2716 // functions.
2717 //
2718 // Example:
2719 // ```
2720 // String.prototype.id = function() {
2721 // // Strict mode to avoid ToObject on primitive this-values.
2722 // "use strict";
2723 //
2724 // // Template string to apply ToString on the this-value.
2725 // return `${this}`;
2726 // };
2727 //
2728 // function f(s) {
2729 // // Assume |s| is a string value.
2730 // return s.id();
2731 // }
2732 // ```
2733 //
2734 // Compiles into: (Graph after Scalar Replacement)
2735 //
2736 // ┌───────────────────────────────────────────────────────────────────────────┐
2737 // │ Block 0 │
2738 // │ resumepoint 1 0 2 2 │
2739 // │ 0 parameter THIS_SLOT Value │
2740 // │ 1 parameter 0 Value │
2741 // │ 2 constant undefined Undefined │
2742 // │ 3 start │
2743 // │ 4 checkoverrecursed │
2744 // │ 5 unbox parameter1 to String (fallible) String │
2745 // │ 6 constant object 1d908053e088 (String) Object │
2746 // │ 7 guardshape constant6:Object Object │
2747 // │ 8 slots guardshape7:Object Slots │
2748 // │ 9 loaddynamicslot slots8:Slots (slot 53) Value │
2749 // │ 10 constant 0x0 Int32 │
2750 // │ 11 unbox loaddynamicslot9 to Object (fallible) Object │
2751 // │ 12 nurseryobject Object │
2752 // │ 13 guardspecificfunction unbox11:Object nurseryobject12:Object Object │
2753 // │ 14 goto block1 │
2754 // └──────────────────────────────────┬────────────────────────────────────────┘
2755 // │
2756 // ┌──────────────────────────────────▼────────────────────────────────────────┐
2757 // │ Block 1 │
2758 // │ ((0)) resumepoint 15 1 15 15 | 1 13 1 0 2 2 │
2759 // │ 15 constant undefined Undefined │
2760 // │ 16 tostring parameter1:Value String │
2761 // │ 18 goto block2 │
2762 // └──────────────────────────────────┬────────────────────────────────────────┘
2763 // │
2764 // ┌──────────────▼──────────────┐
2765 // │ Block 2 │
2766 // │ resumepoint 16 1 0 2 2 │
2767 // │ 19 return tostring16:String │
2768 // └─────────────────────────────┘
2769 //
2770 // The Unbox instruction is used as a type guard. The ToString instruction
2771 // doesn't use the type information from the preceding Unbox instruction and
2772 // therefore has to assume its operand can be any value.
2773 //
2774 // When instead propagating the type information from the preceding Unbox
2775 // instruction, this graph is constructed after the "Apply types" phase:
2776 //
2777 // ┌───────────────────────────────────────────────────────────────────────────┐
2778 // │ Block 0 │
2779 // │ resumepoint 1 0 2 2 │
2780 // │ 0 parameter THIS_SLOT Value │
2781 // │ 1 parameter 0 Value │
2782 // │ 2 constant undefined Undefined │
2783 // │ 3 start │
2784 // │ 4 checkoverrecursed │
2785 // │ 5 unbox parameter1 to String (fallible) String │
2786 // │ 6 constant object 1d908053e088 (String) Object │
2787 // │ 7 guardshape constant6:Object Object │
2788 // │ 8 slots guardshape7:Object Slots │
2789 // │ 9 loaddynamicslot slots8:Slots (slot 53) Value │
2790 // │ 10 constant 0x0 Int32 │
2791 // │ 11 unbox loaddynamicslot9 to Object (fallible) Object │
2792 // │ 12 nurseryobject Object │
2793 // │ 13 guardspecificfunction unbox11:Object nurseryobject12:Object Object │
2794 // │ 14 goto block1 │
2795 // └──────────────────────────────────┬────────────────────────────────────────┘
2796 // │
2797 // ┌──────────────────────────────────▼────────────────────────────────────────┐
2798 // │ Block 1 │
2799 // │ ((0)) resumepoint 15 1 15 15 | 1 13 1 0 2 2 │
2800 // │ 15 constant undefined Undefined │
2801 // │ 20 unbox parameter1 to String (fallible) String │
2802 // │ 16 tostring parameter1:Value String │
2803 // │ 18 goto block2 │
2804 // └──────────────────────────────────┬────────────────────────────────────────┘
2805 // │
2806 // ┌──────────────▼─────────────────────┐
2807 // │ Block 2 │
2808 // │ resumepoint 16 1 0 2 2 │
2809 // │ 21 box tostring16:String Value │
2810 // │ 19 return box21:Value │
2811 // └────────────────────────────────────┘
2812 //
2813 // GVN will later merge both Unbox instructions and fold away the ToString
2814 // instruction, so we get this final graph:
2815 //
2816 // ┌───────────────────────────────────────────────────────────────────────────┐
2817 // │ Block 0 │
2818 // │ resumepoint 1 0 2 2 │
2819 // │ 0 parameter THIS_SLOT Value │
2820 // │ 1 parameter 0 Value │
2821 // │ 2 constant undefined Undefined │
2822 // │ 3 start │
2823 // │ 4 checkoverrecursed │
2824 // │ 5 unbox parameter1 to String (fallible) String │
2825 // │ 6 constant object 1d908053e088 (String) Object │
2826 // │ 7 guardshape constant6:Object Object │
2827 // │ 8 slots guardshape7:Object Slots │
2828 // │ 22 loaddynamicslotandunbox slots8:Slots (slot 53) Object │
2829 // │ 11 nurseryobject Object │
2830 // │ 12 guardspecificfunction load22:Object nurseryobject11:Object Object │
2831 // │ 13 goto block1 │
2832 // └──────────────────────────────────┬────────────────────────────────────────┘
2833 // │
2834 // ┌──────────────────────────────────▼────────────────────────────────────────┐
2835 // │ Block 1 │
2836 // │ ((0)) resumepoint 2 1 2 2 | 1 12 1 0 2 2 │
2837 // │ 14 goto block2 │
2838 // └──────────────────────────────────┬────────────────────────────────────────┘
2839 // │
2840 // ┌──────────────▼─────────────────────┐
2841 // │ Block 2 │
2842 // │ resumepoint 5 1 0 2 2 │
2843 // │ 15 return parameter1:Value │
2844 // └────────────────────────────────────┘
2845 //
2847 // Visit the blocks in post-order, so that the type information of the closest
2848 // unbox operation is used.
2850 block++) {
2853 }
2855 // Iterate over all instructions to look for unbox instructions.
2857 iter++) {
2860 }
2865 // Ignore unbox operations on typed values.
2868 }
2870 // Ignore unbox to floating point types, because propagating boxed Int32
2871 // values as Double can lead to repeated bailouts when later instructions
2872 // expect Int32 inputs.
2875 }
2877 // Inspect other uses of |input| to propagate the unboxed type information
2878 // from |unbox|.
2882 // Ignore resume points.
2885 }
2888 // Ignore any unbox operations, including the current |unbox|.
2891 }
2893 // Ignore phi nodes, because we don't yet support them.
2896 }
2898 // The unbox operation needs to happen before the other use, otherwise
2899 // we can't propagate the type information.
2903 }
2907 }
2908 }
2910 // Replace the use with |unbox|, so that GVN knows about the actual
2911 // value type and can more easily fold unnecessary operations. If the
2912 // instruction actually needs a boxed input, the BoxPolicy type policy
2913 // will simply unwrap the unbox instruction.
2916 // The uses in the MIR graph no longer reflect the uses in the bytecode,
2917 // so we have to mark |input| as implicitly used.
2919 }
2920 }
2921 }
2923 }
2928 }
2931 }
2934 }
2937 }
2940 }
2942 }
2949 }
2952 }
2959 }
2960 }
2962 // A utility for code which adds/deletes blocks. Renumber the remaining blocks,
2963 // recompute dominators, and optionally recompute AliasAnalysis dependencies.
2967 // Renumber the blocks and clear out the old dominator info.
2973 }
2975 // Recompute dominator info.
2978 }
2980 // If needed, update alias analysis dependencies.
2984 }
2985 }
2989 }
2991 // Remove all blocks not marked with isMarked(). Unmark all remaining blocks.
2992 // Alias analysis dependencies may be invalid after calling this function.
2996 // If all blocks are marked, no blocks need removal. Just clear the
2997 // marks. We'll still need to update the dominator tree below though,
2998 // since we may have removed edges even if we didn't remove any blocks.
3001 // As we are going to remove edges and basic blocks, we have to mark
3002 // instructions which would be needed by baseline if we were to
3003 // bailout.
3008 }
3011 }
3013 // Find unmarked blocks and remove them.
3021 }
3023 // The block is unreachable. Clear out the loop header flag, as
3024 // we're doing the sweep of a mark-and-sweep here, so we no longer
3025 // need to worry about whether an unmarked block is a loop or not.
3028 }
3032 }
3034 }
3035 }
3037 // Renumber the blocks and update the dominator tree.
3039 }
3041 // A Simple, Fast Dominance Algorithm by Cooper et al.
3042 // Modified to support empty intersections for OSR, and in RPO.
3051 // In the original paper, the block ID comparisons are on the postorder index.
3052 // This implementation iterates in RPO, so the comparisons are reversed.
3054 // For this function to be called, the block must have multiple predecessors.
3055 // If a finger is then found to be self-dominating, it must therefore be
3056 // reachable from multiple roots through non-intersecting control flow.
3057 // nullptr is returned in this case, to denote an empty intersection.
3064 }
3066 }
3072 }
3074 }
3075 }
3077 }
3082 }
3083 }
3086 // The default start block is a root and therefore only self-dominates.
3090 // Any OSR block is a root and therefore only self-dominates.
3094 }
3103 // For each block in RPO, intersect all dominators.
3105 // If a node has once been found to have no exclusive dominator,
3106 // it will never have an exclusive dominator, so it may be skipped.
3109 }
3111 // A block with no predecessors is not reachable from any entry, so
3112 // it self-dominates.
3116 }
3120 // Find the first common dominator.
3125 }
3129 // If there is no common dominator, the block self-dominates.
3134 }
3135 }
3140 }
3141 }
3142 }
3144 #ifdef DEBUG
3145 // Assert that all blocks have dominator information.
3147 block++) {
3149 }
3150 #endif
3151 }
3160 // Traversing through the graph in post-order means that every non-phi use
3161 // of a definition is visited before the def itself. Since a def
3162 // dominates its uses, by the time we reach a particular
3163 // block, we have processed all of its dominated children, so
3164 // block->numDominated() is accurate.
3169 // Dominance is defined such that blocks always dominate themselves.
3172 // If the block only self-dominates, it has no definite parent.
3173 // Add it to the worklist as a root for pre-order traversal.
3174 // This includes all roots. Order does not matter.
3178 }
3180 }
3184 }
3187 }
3189 #ifdef DEBUG
3190 // If compiling with OSR, many blocks will self-dominate.
3191 // Without OSR, there is only one root block which dominates all.
3194 }
3195 #endif
3196 // Now, iterate through the dominator tree in pre-order and annotate every
3197 // block with its index in the traversal.
3206 }
3207 index++;
3208 }
3211 }
3214 // Build a mapping such that given a basic block, whose successor has one or
3215 // more phis, we can find our specific input to that phi. To make this fast
3216 // mapping work we rely on a specific property of our structured control
3217 // flow graph: For a block with phis, its predecessors each have only one
3218 // successor with phis. Consider each case:
3219 // * Blocks with less than two predecessors cannot have phis.
3220 // * Breaks. A break always has exactly one successor, and the break
3221 // catch block has exactly one predecessor for each break, as
3222 // well as a final predecessor for the actual loop exit.
3223 // * Continues. A continue always has exactly one successor, and the
3224 // continue catch block has exactly one predecessor for each
3225 // continue, as well as a final predecessor for the actual
3226 // loop continuation. The continue itself has exactly one
3227 // successor.
3228 // * An if. Each branch as exactly one predecessor.
3229 // * A switch. Each branch has exactly one predecessor.
3230 // * Loop tail. A new block is always created for the exit, and if a
3231 // break statement is present, the exit block will forward
3232 // directly to the break block.
3234 block++) {
3237 }
3239 // Assert on the above.
3243 #ifdef DEBUG
3248 numSuccessorsWithPhis++;
3249 }
3250 }
3252 #endif
3255 }
3256 }
3259 }
3261 #ifdef DEBUG
3263 // Assuming B = succ(A), verify A = pred(B).
3267 }
3268 }
3270 }
3273 // Assuming B = pred(A), verify A = succ(B).
3277 }
3278 }
3280 }
3282 // If you have issues with the usesBalance assertions, then define the macro
3283 // _DEBUG_CHECK_OPERANDS_USES_BALANCE to spew information on the error output.
3284 // This output can then be processed with the following awk script to filter and
3285 // highlight which checks are missing or if there is an unexpected operand /
3286 // use.
3287 //
3288 // define _DEBUG_CHECK_OPERANDS_USES_BALANCE 1
3289 /*
3291 $ ./js 2>stderr.log
3292 $ gawk '
3293 /^==Check/ { context = ""; state = $2; }
3294 /^[a-z]/ { context = context "\n\t" $0; }
3295 /^==End/ {
3296 if (state == "Operand") {
3297 list[context] = list[context] - 1;
3298 } else if (state == "Use") {
3299 list[context] = list[context] + 1;
3300 }
3301 }
3302 END {
3303 for (ctx in list) {
3304 if (list[ctx] > 0) {
3305 print "Missing operand check", ctx, "\n"
3306 }
3307 if (list[ctx] < 0) {
3308 print "Missing use check", ctx, "\n"
3309 }
3310 };
3311 }' < stderr.log
3313 */
3322 # ifdef _DEBUG_CHECK_OPERANDS_USES_BALANCE
3329 # endif
3331 }
3340 # ifdef _DEBUG_CHECK_OPERANDS_USES_BALANCE
3347 # endif
3349 }
3351 // To properly encode entry resume points, we have to ensure that all the
3352 // operands of the entry resume point are located before the safeInsertTop
3353 // location.
3358 }
3364 }
3367 }
3372 }
3376 }
3377 }
3378 }
3382 #ifdef DEBUG
3385 }
3396 }
3400 }
3402 // Assert successor and predecessor list coherency.
3406 block++) {
3407 count++;
3417 }
3422 }
3428 }
3432 }
3435 // We cannot yet assert that is there is no instruction then this is
3436 // the entry resume point because we are still storing resume points
3437 // in the InlinePropertyTable.
3442 }
3443 }
3449 }
3461 // Assert that use chains are valid for this instruction.
3464 }
3467 }
3474 }
3475 }
3479 }
3480 }
3482 // The control instruction is not visited by the MDefinitionIterator.
3492 }
3495 }
3496 }
3498 // In case issues, see the _DEBUG_CHECK_OPERANDS_USES_BALANCE macro above.
3502 #endif
3503 }
3505 #ifdef DEBUG
3507 // Check that every block is visited after all its predecessors (except
3508 // backedges).
3519 }
3520 }
3523 }
3526 }
3527 #endif
3529 #ifdef DEBUG
3531 // Check dominators.
3538 }
3543 block++) {
3558 }
3559 }
3561 }
3571 }
3575 i--;
3576 }
3579 }
3580 #endif
3583 #ifdef DEBUG
3586 }
3589 }
3592 #endif
3593 }
3595 #ifdef DEBUG
3597 // see CodeGeneratorShared::encodeAllocation
3627 }
3629 }
3636 }
3639 }
3640 }
3645 }
3647 }
3654 }
3655 }
3660 // Checks the basic GraphCoherency but also other conditions that
3661 // do not hold immediately (such as the fact that critical edges
3662 // are split)
3664 #ifdef DEBUG
3667 }
3670 }
3678 block++) {
3682 // No critical edges:
3686 }
3687 }
3691 // Fixup block.
3697 }
3702 }
3709 }
3710 }
3715 successorWithPhis++;
3716 }
3717 }
3723 // Verify that phi operands dominate the corresponding CFG predecessor
3724 // edges.
3732 }
3733 }
3735 // Verify that instructions are dominated by their operands.
3745 // If the operand is an instruction in the same block, check
3746 // that it comes first.
3754 }
3755 }
3760 }
3761 }
3763 // Verify that the block resume points are dominated by their operands.
3767 }
3771 }
3772 }
3773 #endif
3774 }
3779 };
3782 JitAllocPolicy>
3783 BoundsCheckMap;
3785 // Compute a hash for bounds checks which ignores constant offsets in the index.
3791 }
3796 // Since we are traversing the dominator tree in pre-order, when we
3797 // are looking at the |index|-th block, the next numDominated() blocks
3798 // we traverse are precisely the set of blocks that are dominated.
3799 //
3800 // So, this value is visible in all blocks if:
3801 // index <= index + ins->block->numDominated()
3802 // and becomes invalid after that.
3806 // We didn't find a dominating bounds check.
3807 BoundsCheckInfo info;
3814 }
3817 }
3826 }
3830 // TruncateAfterBailouts is considered as infinite space because the
3831 // LinearSum will effectively remove the bailout check.
3836 }
3838 }
3842 }
3846 }
3848 // Extract a linear sum from ins, if possible (otherwise giving the
3849 // sum 'ins + 0').
3855 }
3857 // Unwrap Int32ToIntPtr. This instruction only changes the representation
3858 // (int32_t to intptr_t) without affecting the value.
3861 }
3865 }
3871 }
3875 }
3879 }
3881 // Only allow math which are in the same space.
3887 }
3894 }
3896 // Extract linear sums of each operand.
3900 // LinearSum only considers a single term operand, if both sides have
3901 // terms, then ignore extracted linear sums.
3904 }
3906 // Check if this is of the form <SUM> + n or n + <SUM>.
3914 }
3916 }
3919 // Check if this is of the form <SUM> - n.
3927 }
3929 }
3931 // Ignore any of the form n - <SUM>.
3933 }
3935 // Extract a linear inequality holding when a boolean test goes in the
3936 // specified direction, of the form 'lhs + lhsN <= rhs' (or >=).
3942 }
3949 // TODO: optimize Compare_UInt32
3952 }
3960 }
3967 }
3969 // Normalize operations to use <= or >=.
3975 /* x < y ==> x + 1 <= y */
3978 }
3985 /* x > y ==> x - 1 >= y */
3988 }
3993 }
3999 }
4005 // Replace all uses of the bounds check with the actual index.
4006 // This is (a) necessary, because we can coalesce two different
4007 // bounds checks and would otherwise use the wrong index and
4008 // (b) helps register allocation. Note that this is safe since
4009 // no other pass after bounds check elimination moves instructions.
4014 }
4018 }
4024 }
4027 // We didn't find a dominating bounds check.
4029 }
4031 // We found two bounds checks with the same hash number, but we still have
4032 // to make sure the lengths and index terms are equal.
4035 }
4040 // Both terms should be nullptr or the same definition.
4043 }
4045 // This bounds check is redundant.
4048 // Normalize the ranges according to the constant offsets in the two indexes.
4055 }
4057 // Update the dominating check to cover both ranges, denormalizing the
4058 // result per the constant offset in the index.
4063 }
4070 }
4072 // Eliminate checks which are redundant given each other or other instructions.
4073 //
4074 // A bounds check is considered redundant if it's dominated by another bounds
4075 // check with the same length and the indexes differ by only a constant amount.
4076 // In this case we eliminate the redundant bounds check and update the other one
4077 // to cover the ranges of both checks.
4078 //
4079 // Bounds checks are added to a hash map and since the hash function ignores
4080 // differences in constant offset, this offers a fast way to find redundant
4081 // checks.
4085 // Stack for pre-order CFG traversal.
4088 // The index of the current block in the CFG traversal.
4091 // Add all self-dominating blocks to the worklist.
4092 // This includes all roots. Order does not matter.
4098 }
4099 }
4100 }
4102 // Starting from each self-dominating block, traverse the CFG in pre-order.
4106 // Add all immediate dominators to the front of the worklist.
4110 }
4117 }
4123 }
4127 }
4128 }
4129 index++;
4130 }
4135 }
4145 }
4151 }
4154 }
4156 // Eliminate shape guards which are redundant given other instructions.
4157 //
4158 // A shape guard is redundant if we can prove that the object being
4159 // guarded already has the correct shape. The conditions for doing so
4160 // are as follows:
4161 //
4162 // 1. We can see the most recent change to the shape of this object.
4163 // (This can be an AddAndStoreSlot, an AllocateAndStoreSlot, or the
4164 // creation of the object itself.
4165 // 2. That mutation dominates the shape guard.
4166 // 3. The shape that was assigned at that point matches the shape
4167 // we expect.
4168 //
4169 // If all of these conditions hold, then we can remove the shape guard.
4170 // In debug, we replace it with an AssertShape to help verify correctness.
4179 insIter++;
4181 // Skip instructions that aren't shape guards.
4184 }
4198 }
4205 }
4211 }
4213 // The guard doesn't depend on any other instruction that is modifying
4214 // the object operand, so we check the object operand directly.
4223 }
4231 }
4235 }
4240 }
4242 #ifdef DEBUG
4245 }
4249 #endif
4255 }
4256 }
4259 }
4271 // Skip `allocation`.
4273 insIter++;
4275 // Try to optimize the other instructions in the block.
4278 insIter++;
4284 // These instructions can't trigger GC or affect this analysis in other
4285 // ways.
4293 }
4297 }
4304 }
4305 #ifdef DEBUG
4308 }
4313 }
4317 #endif
4321 }
4326 }
4327 }
4330 }
4333 // Peephole optimization for the following pattern:
4334 //
4335 // 0: MNewCallObject
4336 // 1: MStoreFixedSlot(0, ...)
4337 // 2: MStoreFixedSlot(0, ...)
4338 // 3: MPostWriteBarrier(0, ...)
4339 //
4340 // If the instructions immediately following the allocation instruction can't
4341 // trigger GC and we are storing to the new object's slots, we can elide the
4342 // pre-barrier.
4343 //
4344 // We also eliminate the post barrier and (in debug builds) replace it with an
4345 // assertion.
4346 //
4347 // See also the similar optimizations in WarpBuilder::buildCallObject.
4356 insIter++;
4361 }
4362 }
4363 }
4364 }
4367 }
4370 // When a string is used as a property key, or as the key for a Map or Set, we
4371 // require it to be atomized. To avoid repeatedly atomizing the same string,
4372 // this analysis looks for cases where we are loading a value from the slot of
4373 // an object (which includes access to global variables and global lexicals)
4374 // and using it as a property key, and marks those loads. During codegen,
4375 // marked loads will check whether the value loaded is a non-atomized string.
4376 // If it is, we will atomize the string and update the stored value, ensuring
4377 // that future loads from the same slot will not have to atomize again.
4385 insIter++;
4424 }
4429 // Skip intermediate nodes.
4437 }
4444 }
4459 }
4460 }
4461 }
4464 }
4472 }
4474 // Allocating a BigInt can GC, so we have to keep the object alive.
4477 }
4487 }
4511 iter++;
4515 }
4516 }
4519 }
4526 insIter++) {
4530 }
4544 }
4549 // Constants are kept alive by other pointers, for instance
4550 // ImmGCPtr in JIT code.
4552 }
4558 // StoreElementHole has an explicit object operand. If GVN
4559 // is disabled, we can get different unbox instructions with
4560 // the same object as input, so we check for that case.
4565 }
4568 #ifdef DEBUG
4569 // These two instructions don't start a GC unsafe region, because they
4570 // overwrite their elements register at the very start. This ensures
4571 // there's no invalidated elements value kept on the stack.
4574 }
4578 }
4580 // Enter a GC unsafe region while the elements/slots are on the stack.
4584 // Leave the region after the use.
4587 #endif
4589 }
4593 }
4597 }
4598 }
4599 }
4602 }
4608 }
4609 }
4611 }
4619 }
4620 }
4623 }
4627 }
4631 }
4638 }
4641 }
4642 }
4646 }
4648 }
4653 }
4658 }
4661 }
4668 }
4674 }
4676 }
4682 }
4686 }
4688 }
4689 }
4691 AutoEnterOOMUnsafeRegion oomUnsafe;
4694 }
4697 }
4701 }
4711 }
4716 }
4721 }
4722 }
4727 }
4728 }
4734 }
4738 BailoutKind bailoutKind) {
4752 }
4758 }
4778 }
4779 }
4780 }
4786 }
4789 }
4791 // Mark all the blocks that are in the loop with the given header.
4792 // Returns the number of blocks marked. Set *canOsr to true if the loop is
4793 // reachable from both the normal entry and the OSR entry.
4795 #ifdef DEBUG
4799 }
4800 #endif
4805 // The blocks are in RPO; start at the loop backedge, which marks the bottom
4806 // of the loop, and walk up until we get to the header. Loops may be
4807 // discontiguous, so we trace predecessors to determine which blocks are
4808 // actually part of the loop. The backedge is always part of the loop, and
4809 // so are its predecessors, transitively, up to the loop header or an OSR
4810 // entry.
4819 // If we've reached the loop header, we're done.
4822 }
4823 // A block not marked by the time we reach it is not in the loop.
4826 }
4828 // This block is in the loop; trace to its predecessors.
4833 }
4835 // Blocks dominated by the OSR entry are not part of the loop
4836 // (unless they aren't reachable from the normal entry).
4841 }
4849 // A nested loop may not exit back to the enclosing loop at its
4850 // bottom. If we just marked its header, then the whole nested loop
4851 // is part of the enclosing loop.
4855 // Mark its backedge so that we add all of its blocks to the
4856 // outer loop as we walk upwards.
4860 // If the nested loop is not contiguous, we may have already
4861 // passed its backedge. If this happens, back up.
4865 }
4866 }
4867 }
4868 }
4869 }
4871 // If there's no path connecting the header to the backedge, then this isn't
4872 // actually a loop. This can happen when the code starts with a loop but GVN
4873 // folds some branches away.
4877 }
4880 }
4882 // Unmark all the blocks that are in the loop with the given header.
4893 }
4894 }
4895 }
4897 #ifdef DEBUG
4901 }
4902 #endif
4903 }
4906 // This pass folds MLoadFixedSlot, MLoadDynamicSlot, MLoadElement instructions
4907 // followed by MUnbox into a single instruction. For LoadElement this allows
4908 // us to fuse the hole check with the type check for the unbox.
4911 block++) {
4914 }
4919 insIter++;
4921 // We're only interested in loads producing a Value.
4925 }
4928 }
4932 // Ensure there's a single def-use (ignoring resume points) and it's an
4933 // unbox. Unwrap MLexicalCheck because it's redundant if we have a
4934 // fallible unbox (checked below).
4938 }
4945 }
4946 }
4949 }
4951 // For now require the load and unbox to be in the same block. This isn't
4952 // strictly necessary but it's the common case and could prevent bailouts
4953 // when moving the unbox before a loop.
4957 }
4962 // If this is a LoadElement or if we have a lexical check between the load
4963 // and unbox, we only support folding the load with a fallible unbox so
4964 // that we can eliminate the MagicValue check.
4967 }
4969 // Combine the load and unbox into a single MIR instruction.
4972 }
4985 }
4992 }
4999 }
5002 }
5009 }
5013 insIter++;
5014 }
5016 insIter++;
5017 }
5021 }
5023 }
5024 }
5027 }
5029 // Reorder the blocks in the loop starting at the given header to be contiguous.
5037 // If there are any blocks between the loop header and the loop backedge
5038 // that are not part of the loop, prepare to move them to the end. We keep
5039 // them in order, which preserves RPO.
5041 insertIter++;
5044 // Visit all the blocks from the loop header to the loop backedge.
5055 // This block is in the loop.
5058 // If we've reached the loop backedge, we're done!
5061 }
5063 // This block is not in the loop. Move it to the end.
5066 }
5067 }
5074 }
5076 // Reorder the blocks in the graph so that loops are contiguous.
5078 // Visit all loop headers (in any order).
5083 }
5085 // Mark all blocks that are actually part of the loop.
5089 // If the loop isn't a loop, don't try to optimize it.
5092 }
5094 // If there's an OSR block entering the loop in the middle, it's tricky,
5095 // so don't try to handle it, for now.
5099 }
5101 // Move all blocks between header and backedge that aren't marked to
5102 // the end of the loop, making the loop itself contiguous.
5104 }
5107 }
5112 }
5114 }
5125 insIter++;
5128 }
5154 }
5158 }
5160 // Given the following structure (that occurs inside for-in loops):
5161 // obj: some object
5162 // iter: ObjectToIterator <obj>
5163 // iterNext: IteratorMore <iter>
5164 // access: HasProp/GetElem <obj> <iterNext>
5165 // If the iterator object has an indices array, we can speed up the
5166 // property access:
5167 // 1. If the property access is a HasProp looking for own properties,
5168 // then the result will always be true if the iterator has indices,
5169 // because we only populate the indices array for objects with no
5170 // enumerable properties on the prototype.
5171 // 2. If the property access is a GetProp, then we can use the contents
5172 // of the indices array to find the correct property faster than
5173 // the megamorphic cache.
5176 }
5181 }
5186 }
5197 replacement =
5204 }
5208 }
5213 // Advance to join block.
5216 }
5217 }
5221 }
5224 }
5227 #ifdef JS_JITSPEW
5233 }
5235 // Get any extra bits of text that the MIR node wants to show us. Both the
5236 // vector and the strings added to it belong to this function, so both will
5237 // be automatically freed at exit.
5238 ExtrasCollector extras;
5242 }
5246 }
5247 #endif
5248 }
5252 #ifdef JS_JITSPEW
5255 }
5267 }
5273 }
5274 }
5280 }
5281 #endif
5282 }