| blob | 543ed0eb837282267f74535b271f3ed82623dfbb |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
9 #include <algorithm>
25 // Stack used by FlagPhiInputsAsImplicitlyUsed. It stores the Phi instruction
26 // pointer and the MUseIterator which should be visited next.
30 // Look for Phi uses with a depth-first search. If any uses are found the stack
31 // of MPhi instructions is returned in the |worklist| argument.
34 // Push a Phi and the next use to iterate over in the worklist.
38 };
40 #ifdef DEBUG
41 // Used to assert that when we have no uses, we at least visited all the
42 // transitive uses.
45 #endif
49 }
52 // Resume iterating over the last phi-use pair added by the next loop.
59 // Keep going down the tree of uses, skipping (continue)
60 // non-observable/unused cases and Phi which are already listed in the
61 // worklist. Stop (return) as soon as one use is found.
65 use++;
66 #ifdef DEBUG
67 useCount++;
68 #endif
71 }
75 // Observable operands are similar to potential uses.
78 }
80 }
84 // The producer is explicitly used by a definition.
86 }
91 // The information got cached on the Phi the last time it
92 // got visited, or when flagging operands of implicitly used
93 // instructions.
95 }
98 // We are already iterating over the uses of this Phi instruction which
99 // are part of a loop, instead of trying to handle loops, conservatively
100 // mark them as used.
102 }
105 // The instruction already got visited and is known to have
106 // no uses. Skip it.
108 }
110 // We found another Phi instruction, move the use iterator to
111 // the next use push it to the worklist stack. Then, continue
112 // with a depth search.
115 }
119 #ifdef DEBUG
121 #endif
122 }
124 // When unused, we cannot bubble up this information without iterating
125 // over the rest of the previous Phi instruction consumers.
128 }
132 }
137 // When removing an edge between 2 blocks, we might remove the ability of
138 // later phases to figure out that the uses of a Phi should be considered as
139 // a use of all its inputs. Thus we need to mark the Phi inputs as being
140 // implicitly used iff the phi has any uses.
141 //
142 //
143 // +--------------------+ +---------------------+
144 // |12 MFoo 6 | |32 MBar 5 |
145 // | | | |
146 // | ... | | ... |
147 // | | | |
148 // |25 MGoto Block 4 | |43 MGoto Block 4 |
149 // +--------------------+ +---------------------+
150 // | |
151 // | | |
152 // | | |
153 // | +-----X------------------------+
154 // | Edge |
155 // | Removed |
156 // | |
157 // | +------------v-----------+
158 // | |50 MPhi 12 32 |
159 // | | |
160 // | | ... |
161 // | | |
162 // | |70 MReturn 50 |
163 // | +------------------------+
164 // |
165 // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
166 // |
167 // v
168 //
169 // ^ +--------------------+ +---------------------+
170 // /!\ |12 MConst opt-out | |32 MBar 5 |
171 // '---' | | | |
172 // | ... | | ... |
173 // |78 MBail | | |
174 // |80 MUnreachable | |43 MGoto Block 4 |
175 // +--------------------+ +---------------------+
176 // |
177 // |
178 // |
179 // +---------------+
180 // |
181 // |
182 // |
183 // +------------v-----------+
184 // |50 MPhi 32 |
185 // | |
186 // | ... |
187 // | |
188 // |70 MReturn 50 |
189 // +------------------------+
190 //
191 //
192 // If the inputs of the Phi are not flagged as implicitly used, then
193 // later compilation phase might optimize them out. The problem is that a
194 // bailout will use this value and give it back to baseline, which will then
195 // use the OptimizedOut magic value in a computation.
196 //
197 // Unfortunately, we cannot be too conservative about flagging Phi inputs as
198 // having implicit uses, as this would prevent many optimizations from being
199 // used. Thus, the following code is in charge of flagging Phi instructions
200 // as Unused or Used, and setting ImplicitlyUsed accordingly.
209 }
211 // We are looking to mark the Phi inputs which are used across the edge
212 // between the |block| and its successor |succ|.
216 }
218 // If the Phi is either Used or Unused, set the ImplicitlyUsed flag
219 // accordingly.
225 }
227 // We do not know if the Phi was Used or Unused, iterate over all uses
228 // with a depth-search of uses. Returns the matching stack in the
229 // worklist as soon as one use is found.
233 }
238 // One of the Phis is used, set Used flags on all the Phis which are
239 // in the use chain.
247 }
249 }
252 }
259 it++;
261 }
262 }
264 }
266 // Given an iterator pointing to the first removed instruction, mark
267 // the operands of each removed instruction as having implicit uses.
274 // Flag operands of removed instructions as having implicit uses.
279 }
284 }
286 // Flag observable resume point operands as having implicit uses.
288 // Note: no need to iterate over the caller's of the resume point as
289 // this is the same as the entry resume point.
294 }
295 }
296 }
297 }
299 // Flag Phi inputs of the successors as having implicit uses.
300 MPhiUseIteratorStack worklist;
304 }
307 worklist)) {
309 }
310 }
313 }
317 // Flag observable operands of the entry resume point as having implicit uses.
322 }
328 }
329 }
332 }
335 }
341 }
343 // WarpBuilder sets the alwaysBails flag on blocks that contain an
344 // unconditional bailout. We trim any instructions in those blocks
345 // after the first unconditional bailout, and remove any blocks that
346 // are only reachable through bailing blocks.
350 // Pruning is guided by unconditional bailouts. Wasm does not have bailouts.
359 numMarked++;
362 }
364 };
366 // The entry block is always reachable.
369 }
371 // The OSR entry block is always reachable if it exists.
374 }
376 // Iteratively mark all reachable blocks.
380 }
386 // If this block always bails, then it does not reach its successors.
389 }
395 }
399 }
400 }
401 }
404 // There is nothing to prune.
407 }
412 // The operands of removed instructions may be needed in baseline
413 // after bailing out.
417 }
421 // If we are removing the block entirely, mark the operands of every
422 // instruction as being implicitly used.
425 // If we are only trimming instructions after a bail, only mark operands
426 // of removed instructions.
429 }
430 }
432 // Remove the blocks in post-order such that consumers are visited before
433 // the predecessors, the only exception being the Phi nodes of loop headers.
437 }
440 }
445 }
447 // As we are going to replace/remove the last instruction, we first have
448 // to remove this block from the predecessor list of its successors.
454 }
456 // Our dominators code expects all loop headers to have two predecessors.
457 // If we are removing the normal entry to a loop, but can still reach
458 // the loop header via OSR, we create a fake unreachable predecessor.
463 }
468 }
469 // Mark the block to avoid removing it as unreachable.
475 }
480 }
483 // Remove unreachable blocks from the CFG.
487 // Remove unreachable instructions after unconditional bailouts.
490 // Discard all instructions after the first MBail.
496 }
499 }
500 }
504 }
509 }
514 }
516 // Create a simple new block which contains a goto and which split the
517 // edge between block and target.
521 }
522 }
524 }
526 // A critical edge is an edge which is neither its successor's only predecessor
527 // nor its predecessor's only successor. Critical edges must be split to
528 // prevent copy-insertion and code motion from affecting other edges.
534 }
535 }
537 }
542 }
546 }
551 }
553 // Determine whether phiBlock/testBlock simply compute a phi and perform a
554 // test on it.
565 }
566 }
571 }
574 // Unwrap boolean conversion performed through the '!!' idiom.
579 // The MNot must only be used by |testOrNot|.
583 }
586 }
591 // Fail if there are any other instructions than MNot.
593 }
594 }
596 // There's an odd number of MNot, so this can't be the '!!' idiom.
599 }
606 }
610 }
616 }
621 }
622 }
624 }
630 }
631 }
635 }
641 }
643 // Determine if value is directly or indirectly the test input.
648 // Only accept if there's an even number of MNot.
651 }
653 // Unwrap boolean conversion performed through the '!!' idiom.
658 }
661 }
662 }
664 // Change block so that it ends in a goto to the specific target block.
665 // existingPred is an existing predecessor of the block.
679 }
681 // Change block so that it ends in a test of the specified value, going to
682 // either ifTrue or ifFalse. existingPred is an existing predecessor of ifTrue
683 // or ifFalse with the same values incoming to ifTrue/ifFalse as block.
684 // existingPred is not required to be a predecessor of ifTrue/ifFalse if block
685 // already ends in a test going to that block on a true/false result.
698 }
701 }
707 }
710 }
713 }
724 }
727 }
729 }
731 /*
732 * Look for a diamond pattern:
733 *
734 * initialBlock
735 * / \
736 * trueBranch falseBranch
737 * \ /
738 * phiBlock
739 * |
740 * testBlock
741 */
746 }
752 }
758 }
763 }
766 }
768 }
774 // Optimize the MIR graph to improve the code generated for conditional
775 // operations. A test like 'if (a ? b : c)' normally requires four blocks,
776 // with a phi for the intermediate value. This can be improved to use three
777 // blocks with no phi value.
779 /*
780 * Look for a diamond pattern:
781 *
782 * initialBlock
783 * / \
784 * trueBranch falseBranch
785 * \ /
786 * phiBlock
787 * |
788 * testBlock
789 *
790 * Where phiBlock contains a single phi combining values pushed onto the
791 * stack by trueBranch and falseBranch, and testBlock contains a test on
792 * that phi. phiBlock and testBlock may be the same block; generated code
793 * will use different blocks if the (?:) op is in an inlined function.
794 */
803 }
810 }
814 }
815 }
821 }
825 // Make sure the test block does not have any outgoing loop backedges.
828 }
835 // OK, we found the desired pattern, now transform the graph.
837 // Remove the phi from phiBlock.
840 // Change the end of the block to a test that jumps directly to successors of
841 // testBlock, rather than to testBlock itself.
845 testBlock)) {
847 }
851 testBlock)) {
853 }
854 }
858 testBlock)) {
860 }
864 testBlock)) {
866 }
867 }
869 // Remove phiBlock, if different from testBlock.
873 }
875 // Remove testBlock itself.
881 }
883 /*
884 * Look for a triangle pattern:
885 *
886 * initialBlock
887 * / \
888 * trueBranch |
889 * \ /
890 * phiBlock+falseBranch
891 * |
892 * testBlock
893 *
894 * Or:
895 *
896 * initialBlock
897 * / \
898 * | falseBranch
899 * \ /
900 * phiBlock+trueBranch
901 * |
902 * testBlock
903 */
908 }
918 }
921 }
923 }
929 }
932 }
934 }
937 }
943 // Optimize the MIR graph to improve the code generated for boolean
944 // operations. A test like 'if (a && b)' normally requires three blocks, with
945 // a phi for the intermediate value. This can be improved to use no phi value.
947 /*
948 * Look for a triangle pattern:
949 *
950 * initialBlock
951 * / \
952 * trueBranch |
953 * \ /
954 * phiBlock+falseBranch
955 * |
956 * testBlock
957 *
958 * Or:
959 *
960 * initialBlock
961 * / \
962 * | falseBranch
963 * \ /
964 * phiBlock+trueBranch
965 * |
966 * testBlock
967 *
968 * Where phiBlock contains a single phi combining values pushed onto the stack
969 * by trueBranch and falseBranch, and testBlock contains a test on that phi.
970 * phiBlock and testBlock may be the same block; generated code will use
971 * different blocks if the (&&) op is in an inlined function.
972 */
981 }
990 }
999 }
1000 }
1006 }
1010 // If the phi-operand doesn't match the initial input, we can't fold the test.
1015 }
1017 // Make sure the test block does not have any outgoing loop backedges.
1020 }
1030 }
1032 // OK, we found the desired pattern, now transform the graph.
1034 // Remove the phi from phiBlock.
1037 // Change the end of the block to a test that jumps directly to successors of
1038 // testBlock, rather than to testBlock itself.
1043 testBlock)) {
1045 }
1048 testBlock)) {
1050 }
1054 testBlock)) {
1056 }
1057 }
1062 testBlock)) {
1064 }
1067 testBlock)) {
1069 }
1073 testBlock)) {
1075 }
1076 }
1078 // Remove phiBlock, if different from testBlock.
1082 }
1084 // Remove testBlock itself.
1090 }
1096 }
1099 }
1101 }
1104 // Handle test expressions on more than two inputs. For example
1105 // |if ((x > 10) && (y > 20) && (z > 30)) { ... }|, which results in the below
1106 // pattern.
1107 //
1108 // Look for the pattern:
1109 // ┌─────────────────┐
1110 // 1 │ 1 compare │
1111 // ┌─────┤ 2 test compare1 │
1112 // │ └──────┬──────────┘
1113 // │ │0
1114 // ┌───────▼─────────┐ │
1115 // │ 3 compare │ │
1116 // │ 4 test compare3 │ └──────────┐
1117 // └──┬──────────┬───┘ │
1118 // 1│ │0 │
1119 // ┌──────────▼──────┐ │ │
1120 // │ 5 compare │ └─────────┐ │
1121 // │ 6 goto │ │ │
1122 // └───────┬─────────┘ │ │
1123 // │ │ │
1124 // │ ┌──────────────────▼───────▼───────┐
1125 // └───►│ 9 phi compare1 compare3 compare5 │
1126 // │10 goto │
1127 // └────────────────┬─────────────────┘
1128 // │
1129 // ┌────────▼────────┐
1130 // │11 test phi9 │
1131 // └─────┬─────┬─────┘
1132 // 1│ │0
1133 // ┌────────────┐ │ │ ┌─────────────┐
1134 // │ TrueBranch │◄────┘ └─────►│ FalseBranch │
1135 // └────────────┘ └─────────────┘
1136 //
1137 // And transform it to:
1138 //
1139 // ┌─────────────────┐
1140 // 1 │ 1 compare │
1141 // ┌───┤ 2 test compare1 │
1142 // │ └──────────┬──────┘
1143 // │ │0
1144 // ┌───────▼─────────┐ │
1145 // │ 3 compare │ │
1146 // │ 4 test compare3 │ │
1147 // └──┬─────────┬────┘ │
1148 // 1│ │0 │
1149 // ┌──────────▼──────┐ │ │
1150 // │ 5 compare │ └──────┐ │
1151 // │ 6 test compare5 │ │ │
1152 // └────┬────────┬───┘ │ │
1153 // 1│ │0 │ │
1154 // ┌─────▼──────┐ │ ┌───▼──▼──────┐
1155 // │ TrueBranch │ └─────────► FalseBranch │
1156 // └────────────┘ └─────────────┘
1161 }
1167 // MaybeFoldConditionBlock handles the case for two operands.
1175 }
1181 }
1185 }
1186 }
1194 }
1198 // If the phi-operand doesn't match the initial input, we can't fold the test.
1203 }
1208 // The block of each phi operand must either end with a test instruction on
1209 // that phi operand or it's the sole block which ends with a goto instruction.
1214 // Each predecessor must end with either a test or goto instruction.
1222 }
1225 }
1228 }
1230 // Ensure we found the single goto block.
1233 }
1235 // Make sure the test block does not have any outgoing loop backedges.
1238 }
1240 // OK, we found the desired pattern, now transform the graph.
1242 // Remove the phi from phiBlock.
1245 // Create the new test instruction.
1248 testBlock)) {
1250 }
1252 // Update all test instructions to point to the final target.
1261 testBlock)) {
1263 }
1268 testBlock)) {
1270 }
1271 }
1273 // Ensure we've made progress.
1275 }
1277 // Remove phiBlock, if different from testBlock.
1281 }
1283 // Remove testBlock itself.
1289 }
1293 block++) {
1296 }
1299 }
1300 }
1302 }
1307 iter++;
1311 }
1315 }
1319 }
1323 }
1330 }
1339 }
1341 }
1343 }
1347 // If we will pop the top of the stack immediately after resuming,
1348 // then don't preserve the top value in the resume point.
1351 }
1356 }
1359 }
1367 }
1371 }
1373 // Operands to a resume point which are dead at the point of the resume can be
1374 // replaced with a magic value. This pass only replaces resume points which are
1375 // trivially dead.
1376 //
1377 // This is intended to ensure that extra resume points within a basic block
1378 // will not artificially extend the lifetimes of any SSA values. This could
1379 // otherwise occur if the new resume point captured a value which is created
1380 // between the old and new resume point and is dead at the new resume point.
1387 }
1389 }
1390 }
1392 }
1394 // Operands to a resume point which are dead at the point of the resume can be
1395 // replaced with a magic value. This analysis supports limited detection of
1396 // dead operands, pruning those which are defined in the resume point's basic
1397 // block and have no uses outside the block or at points later than the resume
1398 // point.
1399 //
1400 // This is intended to ensure that extra resume points within a basic block
1401 // will not artificially extend the lifetimes of any SSA values. This could
1402 // otherwise occur if the new resume point captured a value which is created
1403 // between the old and new resume point and is dead at the new resume point.
1405 // If we are compiling try blocks, locals and arguments may be observable
1406 // from catch or finally blocks (which Ion does not compile). For now just
1407 // disable the pass in this case.
1410 }
1413 block++) {
1416 }
1421 }
1423 }
1425 // The logic below can get confused on infinite loops.
1428 }
1431 ins++) {
1435 }
1437 }
1439 // No benefit to replacing constant operands with other constants.
1442 }
1444 // Scanning uses does not give us sufficient information to tell
1445 // where instructions that are involved in box/unbox operations or
1446 // parameter passing might be live. Rewriting uses of these terms
1447 // in resume points may affect the interpreter's behavior. Rather
1448 // than doing a more sophisticated analysis, just ignore these.
1451 }
1453 // Early intermediate values captured by resume points, such as
1454 // ArrayState and its allocation, may be legitimately dead in Ion code,
1455 // but are still needed if we bail out. They can recover on bailout.
1459 }
1461 // If the instruction's behavior has been constant folded into a
1462 // separate instruction, we can't determine precisely where the
1463 // instruction becomes dead and can't eliminate its uses.
1466 }
1468 // Check if this instruction's result is only used within the
1469 // current block, and keep track of its last use in a definition
1470 // (not resume point). This requires the instructions in the block
1471 // to be numbered, ensured by running this immediately after alias
1472 // analysis.
1475 uses++) {
1478 // If the instruction's is captured by one of the resume point, then
1479 // it might be observed indirectly while the frame is live on the
1480 // stack, so it has to be computed.
1485 }
1487 }
1493 }
1495 }
1498 }
1500 // Walk the uses a second time, removing any in resume points after
1501 // the last use in a definition.
1506 }
1512 }
1516 }
1518 // Store an optimized out magic value in place of all dead
1519 // resume point operands. Making any such substitution can in
1520 // general alter the interpreter's behavior, even though the
1521 // code is dead, as the interpreter will still execute opcodes
1522 // whose effects cannot be observed. If the magic value value
1523 // were to flow to, say, a dead property access the
1524 // interpreter could throw an exception; we avoid this problem
1525 // by removing dead operands before removing dead code.
1530 }
1531 }
1532 }
1535 }
1537 // Test whether |def| would be needed if it had no uses.
1539 // Effectful instructions of course cannot be removed.
1542 }
1544 // Never eliminate guard instructions.
1547 }
1549 // Required to be preserved, as the type guard related to this instruction
1550 // is part of the semantics of a transformation.
1553 }
1555 // Control instructions have no uses, but also shouldn't be optimized out
1558 }
1560 // Used when lowering to generate the corresponding snapshots and aggregate
1561 // the list of recover instructions to be repeated.
1564 }
1567 }
1569 // Similar to DeadIfUnused(), but additionally allows effectful instructions.
1571 // Never eliminate guard instructions.
1574 }
1576 // Required to be preserved, as the type guard related to this instruction
1577 // is part of the semantics of a transformation.
1580 }
1582 // Control instructions have no uses, but also shouldn't be optimized out
1585 }
1587 // Used when lowering to generate the corresponding snapshots and aggregate
1588 // the list of recover instructions to be repeated.
1590 // All effectful instructions must have a resume point attached. We're
1591 // allowing effectful instructions here, so we have to ignore any resume
1592 // points if we want to consider effectful instructions as dead.
1595 }
1596 }
1599 }
1601 // Test whether |def| may be safely discarded, due to being dead or due to being
1602 // located in a basic block which has itself been marked for discarding.
1605 }
1607 // Similar to IsDiscardable(), but additionally allows effectful instructions.
1611 }
1613 // Instructions are useless if they are unused and have no side effects.
1614 // This pass eliminates useless instructions.
1615 // The graph itself is unchanged.
1617 // Traverse in postorder so that we hit uses before definitions.
1618 // Traverse instruction list backwards for the same reason.
1620 block++) {
1623 }
1625 // Remove unused instructions.
1631 }
1632 }
1633 }
1636 }
1639 // If the phi has uses which are not reflected in SSA, then behavior in the
1640 // interpreter may be affected by removing the phi.
1643 }
1645 // Check for uses of this phi node outside of other phi nodes.
1646 // Note that, initially, we skip reading resume points, which we
1647 // don't count as actual uses. If the only uses are resume points,
1648 // then the SSA name is never consumed by the program. However,
1649 // after optimizations have been performed, it's possible that the
1650 // actual uses in the program have been (incorrectly) optimized
1651 // away, so we must be more conservative and consider resume
1652 // points as well.
1659 }
1662 }
1667 }
1668 }
1669 }
1672 }
1674 // Handles cases like:
1675 // x is phi(a, x) --> a
1676 // x is phi(a, a) --> a
1681 }
1683 // Propagate the ImplicitlyUsed flag if |phi| is replaced with another phi.
1686 }
1689 }
1692 Observability observe) {
1693 // Eliminates redundant or unobservable phis from the graph. A
1694 // redundant phi is something like b = phi(a, a) or b = phi(a, b),
1695 // both of which can be replaced with a. An unobservable phi is
1696 // one that whose value is never used in the program.
1697 //
1698 // Note that we must be careful not to eliminate phis representing
1699 // values that the interpreter will require later. When the graph
1700 // is first constructed, we can be more aggressive, because there
1701 // is a greater correspondence between the CFG and the bytecode.
1702 // After optimizations such as GVN have been performed, however,
1703 // the bytecode and CFG may not correspond as closely to one
1704 // another. In that case, we must be more conservative. The flag
1705 // |conservativeObservability| is used to indicate that eliminate
1706 // phis is being run after some optimizations have been performed,
1707 // and thus we should use more conservative rules about
1708 // observability. The particular danger is that we can optimize
1709 // away uses of a phi because we think they are not executable,
1710 // but the foundation for that assumption is false TI information
1711 // that will eventually be invalidated. Therefore, if
1712 // |conservativeObservability| is set, we will consider any use
1713 // from a resume point to be observable. Otherwise, we demand a
1714 // use from an actual instruction.
1718 // Add all observable phis to a worklist. We use the "in worklist" bit to
1719 // mean "this phi is live".
1721 block++) {
1728 }
1730 // Flag all as unused, only observable phis would be marked as used
1731 // when processed by the work list.
1734 // If the phi is redundant, remove it here.
1739 }
1741 // Enqueue observable Phis.
1746 }
1747 }
1748 }
1749 }
1751 // Iteratively mark all phis reachable from live phis.
1755 }
1761 // The removal of Phis can produce newly redundant phis.
1763 // Add to the worklist the used phis which are impacted.
1772 }
1773 }
1774 }
1775 }
1778 // Otherwise flag them as used.
1780 }
1782 // The current phi is/was used, so all its operands are used.
1787 }
1791 }
1792 }
1793 }
1795 // Sweep dead phis.
1797 block++) {
1804 }
1806 }
1807 }
1808 }
1811 }
1815 // The type analysis algorithm inserts conversions and box/unbox instructions
1816 // to make the IR graph well-typed for future passes.
1817 //
1818 // Phi adjustment: If a phi's inputs are all the same type, the phi is
1819 // specialized to return that type.
1820 //
1821 // Input adjustment: Each input is asked to apply conversion operations to its
1822 // inputs. This may include Box, Unbox, or other instruction-specific type
1823 // conversion operations.
1824 //
1835 }
1838 }
1841 }
1846 }
1874 };
1879 // [SMDOC] OSR Phi Type Specialization
1880 //
1881 // Without special handling for OSR phis, we end up with unspecialized phis
1882 // (MIRType::Value) in the loop (pre)header and other blocks, resulting in
1883 // unnecessary boxing and unboxing in the loop body.
1884 //
1885 // To fix this, phi type specialization needs special code to deal with the
1886 // OSR entry block. Recall that OSR results in the following basic block
1887 // structure:
1888 //
1889 // +------------------+ +-----------------+
1890 // | Code before loop | | OSR entry block |
1891 // +------------------+ +-----------------+
1892 // | |
1893 // | |
1894 // | +---------------+ |
1895 // +---------> | OSR preheader | <---------+
1896 // +---------------+
1897 // |
1898 // V
1899 // +---------------+
1900 // | Loop header |<-----+
1901 // +---------------+ |
1902 // | |
1903 // ... |
1904 // | |
1905 // +---------------+ |
1906 // | Loop backedge |------+
1907 // +---------------+
1908 //
1909 // OSR phi specialization happens in three steps:
1910 //
1911 // (1) Specialize phis but ignore MOsrValue phi inputs. In other words,
1912 // pretend the OSR entry block doesn't exist. See guessPhiType.
1913 //
1914 // (2) Once phi specialization is done, look at the types of loop header phis
1915 // and add these types to the corresponding preheader phis. This way, the
1916 // types of the preheader phis are based on the code before the loop and
1917 // the code in the loop body. These are exactly the types we expect for
1918 // the OSR Values. See the last part of TypeAnalyzer::specializePhis.
1919 //
1920 // (3) For type-specialized preheader phis, add guard/unbox instructions to
1921 // the OSR entry block to guard the incoming Value indeed has this type.
1922 // This happens in:
1923 //
1924 // * TypeAnalyzer::adjustPhiInputs: adds a fallible unbox for values that
1925 // can be unboxed.
1926 //
1927 // * TypeAnalyzer::replaceRedundantPhi: adds a type guard for values that
1928 // can't be unboxed (null/undefined/magic Values).
1931 }
1934 }
1936 // Try to specialize this phi based on its non-cyclic inputs.
1938 #ifdef DEBUG
1939 // Check that different magic constants aren't flowing together. Ignore
1940 // JS_OPTIMIZED_OUT, since an operand could be legitimately optimized
1941 // away.
1949 }
1951 }
1952 }
1953 #endif
1965 }
1967 // The operand is a phi we tried to specialize, but we were
1968 // unable to guess its type. propagateSpecialization will
1969 // propagate the type to this phi when it becomes known.
1971 }
1972 }
1974 // See shouldSpecializeOsrPhis comment. This is the first step mentioned
1975 // there.
1980 }
1987 }
1989 }
1995 // If we only saw definitions that can be converted into Float32 before
1996 // and encounter a Float32 value, promote previous values to Float32
2000 // Specialize phis with int32 and double operands as double.
2005 }
2006 }
2007 }
2010 // TODO(post-Warp): simplify float32 handling in this function or (better)
2011 // make the float32 analysis a stand-alone optimization pass instead of
2012 // complicating type analysis. See bug 1655773.
2014 }
2018 }
2023 }
2026 }
2031 // Verify that this specialization matches any phis depending on it.
2035 }
2039 }
2041 // We tried to specialize this phi, but were unable to guess its
2042 // type. Now that we know the type of one of its operands, we can
2043 // specialize it. If it can't be specialized as float32, specialize
2044 // as double.
2048 }
2051 }
2053 }
2055 // Specialize phis with int32 that can be converted to float and float
2056 // operands as floats.
2063 }
2065 }
2067 // Specialize phis with int32 and double operands as double.
2072 }
2074 }
2076 // This phi in our use chain can now no longer be specialized.
2079 }
2080 }
2081 }
2084 }
2090 }
2095 }
2096 }
2099 }
2101 // If branch pruning removes the path from the entry block to the OSR
2102 // preheader, we may have phis (or chains of phis) with no operands
2103 // other than OsrValues. These phis will still have MIRType::None.
2104 // Since we don't have any information about them, we specialize them
2105 // as MIRType::Value.
2111 block++) {
2114 }
2119 }
2123 }
2124 }
2125 }
2127 }
2131 block++) {
2134 }
2139 }
2144 // We tried to guess the type but failed because all operands are
2145 // phis we still have to visit. Set the triedToSpecialize flag but
2146 // don't propagate the type to other phis, propagateSpecialization
2147 // will do that once we know the type of one of the operands.
2149 }
2152 }
2153 }
2154 }
2158 }
2161 // See shouldSpecializeOsrPhis comment. This is the second step, propagating
2162 // loop header phi types to preheader phis.
2168 // Branch pruning has removed the path from the entry block
2169 // to the preheader. Specialize any phis with no non-osr inputs.
2172 }
2175 phi++) {
2180 // Already includes everything.
2182 }
2187 }
2188 }
2191 }
2193 // Edge case: there is no backedge in this loop. This can happen
2194 // if the header is a 'pending' loop header when control flow in
2195 // the loop body is terminated unconditionally, or if a block
2196 // that dominates the backedge unconditionally bails out. In
2197 // this case the header only has the preheader as predecessor
2198 // and we don't need to do anything.
2200 }
2201 }
2205 }
2211 // If we specialized a type that's not Value, there are 3 cases:
2212 // 1. Every input is of that type.
2213 // 2. Every observed input is of that type (i.e., some inputs haven't been
2214 // executed yet).
2215 // 3. Inputs were doubles and int32s, and was specialized to double.
2221 }
2225 }
2234 // Convert int32 operands to double.
2240 // See comment below
2245 }
2252 }
2254 // If we know this branch will fail to convert to phiType,
2255 // insert a box that'll immediately fail in the fallible unbox
2256 // below.
2261 }
2263 // Be optimistic and insert unboxes when the operand is a
2264 // value.
2266 }
2271 }
2272 }
2275 }
2277 // Box every typed input.
2282 }
2284 // The input is being explicitly unboxed, so sneak past and grab the
2285 // original box. Don't bother optimizing if magic values are involved.
2290 }
2291 }
2296 }
2300 }
2303 }
2306 }
2309 // Definitions such as MPhi have no type policy.
2312 }
2318 }
2320 }
2344 }
2346 // The instruction pass will insert the box
2351 // See shouldSpecializeOsrPhis comment. This is part of the third step,
2352 // guard the incoming MOsrValue is of this type.
2361 }
2362 }
2363 }
2364 }
2367 // Instructions are processed in reverse postorder: all uses are defs are
2368 // seen before uses. This ensures that output adjustment (which may rewrite
2369 // inputs of uses) does not conflict with input adjustment.
2374 }
2380 // We can replace this phi with a constant.
2383 }
2389 }
2390 }
2391 }
2393 // AdjustInputs can add/remove/mutate instructions before and after the
2394 // current instruction. Only increment the iterator after it is finished.
2396 iter++) {
2399 }
2403 }
2404 }
2405 }
2407 }
2409 /* clang-format off */
2410 //
2411 // This function tries to emit Float32 specialized operations whenever it's possible.
2412 // MIR nodes are flagged as:
2413 // - Producers, when they can create Float32 that might need to be coerced into a Double.
2414 // Loads in Float32 arrays and conversions to Float32 are producers.
2415 // - Consumers, when they can have Float32 as inputs and validate a legal use of a Float32.
2416 // Stores in Float32 arrays and conversions to Float32 are consumers.
2417 // - Float32 commutative, when using the Float32 instruction instead of the Double instruction
2418 // does not result in a compound loss of precision. This is the case for +, -, /, * with 2
2419 // operands, for instance. However, an addition with 3 operands is not commutative anymore,
2420 // so an intermediate coercion is needed.
2421 // Except for phis, all these flags are known after Ion building, so they cannot change during
2422 // the process.
2423 //
2424 // The idea behind the algorithm is easy: whenever we can prove that a commutative operation
2425 // has only producers as inputs and consumers as uses, we can specialize the operation as a
2426 // float32 operation. Otherwise, we have to convert all float32 inputs to doubles. Even
2427 // if a lot of conversions are produced, GVN will take care of eliminating the redundant ones.
2428 //
2429 // Phis have a special status. Phis need to be flagged as producers or consumers as they can
2430 // be inputs or outputs of commutative instructions. Fortunately, producers and consumers
2431 // properties are such that we can deduce the property using all non phis inputs first (which form
2432 // an initial phi graph) and then propagate all properties from one phi to another using a
2433 // fixed point algorithm. The algorithm is ensured to terminate as each iteration has less or as
2434 // many flagged phis as the previous iteration (so the worst steady state case is all phis being
2435 // flagged as false).
2436 //
2437 // In a nutshell, the algorithm applies three passes:
2438 // 1 - Determine which phis are consumers. Each phi gets an initial value by making a global AND on
2439 // all its non-phi inputs. Then each phi propagates its value to other phis. If after propagation,
2440 // the flag value changed, we have to reapply the algorithm on all phi operands, as a phi is a
2441 // consumer if all of its uses are consumers.
2442 // 2 - Determine which phis are producers. It's the same algorithm, except that we have to reapply
2443 // the algorithm on all phi uses, as a phi is a producer if all of its operands are producers.
2444 // 3 - Go through all commutative operations and ensure their inputs are all producers and their
2445 // uses are all consumers.
2446 //
2447 /* clang-format on */
2451 // Iterate in postorder so worklist is initialized to RPO.
2457 }
2464 canConsumeFloat32 &=
2466 }
2470 }
2471 }
2472 }
2478 }
2489 }
2490 }
2494 }
2496 // Propagate invalidated phis
2504 }
2505 }
2506 }
2507 }
2509 }
2514 // Iterate in reverse postorder so worklist is initialized to PO.
2520 }
2529 }
2533 }
2534 }
2535 }
2541 }
2552 }
2553 }
2557 }
2559 // Propagate invalidated phis
2566 }
2567 }
2568 }
2569 }
2571 }
2578 }
2583 }
2587 }
2591 }
2593 // This call will try to specialize the instruction iff all uses are
2594 // consumers and all inputs are producers.
2596 }
2597 }
2599 }
2608 }
2612 }
2613 }
2614 }
2616 }
2619 // Asm.js uses the ahead of time type checks to specialize operations, no need
2620 // to check them again at this point.
2623 }
2625 // Check ahead of time that there is at least one definition typed as Float32,
2626 // otherwise we don't need this pass.
2629 }
2631 // WarpBuilder skips over code that can't be reached except through
2632 // a catch block. Locals and arguments may be observable in such
2633 // code after bailing out, so we can't rely on seeing all uses.
2636 }
2640 }
2643 }
2646 }
2648 }
2651 #ifdef DEBUG
2652 // Asserts that all Float32 instructions are flowing into Float32 consumers or
2653 // specialized operations
2658 }
2663 }
2668 }
2669 }
2670 }
2671 #endif
2673 }
2682 }
2685 }
2686 }
2688 }
2690 // Propagate type information from dominating unbox instructions.
2691 //
2692 // This optimization applies for example for self-hosted String.prototype
2693 // functions.
2694 //
2695 // Example:
2696 // ```
2697 // String.prototype.id = function() {
2698 // // Strict mode to avoid ToObject on primitive this-values.
2699 // "use strict";
2700 //
2701 // // Template string to apply ToString on the this-value.
2702 // return `${this}`;
2703 // };
2704 //
2705 // function f(s) {
2706 // // Assume |s| is a string value.
2707 // return s.id();
2708 // }
2709 // ```
2710 //
2711 // Compiles into: (Graph after Scalar Replacement)
2712 //
2713 // ┌───────────────────────────────────────────────────────────────────────────┐
2714 // │ Block 0 │
2715 // │ resumepoint 1 0 2 2 │
2716 // │ 0 parameter THIS_SLOT Value │
2717 // │ 1 parameter 0 Value │
2718 // │ 2 constant undefined Undefined │
2719 // │ 3 start │
2720 // │ 4 checkoverrecursed │
2721 // │ 5 unbox parameter1 to String (fallible) String │
2722 // │ 6 constant object 1d908053e088 (String) Object │
2723 // │ 7 guardshape constant6:Object Object │
2724 // │ 8 slots guardshape7:Object Slots │
2725 // │ 9 loaddynamicslot slots8:Slots (slot 53) Value │
2726 // │ 10 constant 0x0 Int32 │
2727 // │ 11 unbox loaddynamicslot9 to Object (fallible) Object │
2728 // │ 12 nurseryobject Object │
2729 // │ 13 guardspecificfunction unbox11:Object nurseryobject12:Object Object │
2730 // │ 14 goto block1 │
2731 // └──────────────────────────────────┬────────────────────────────────────────┘
2732 // │
2733 // ┌──────────────────────────────────▼────────────────────────────────────────┐
2734 // │ Block 1 │
2735 // │ ((0)) resumepoint 15 1 15 15 | 1 13 1 0 2 2 │
2736 // │ 15 constant undefined Undefined │
2737 // │ 16 tostring parameter1:Value String │
2738 // │ 18 goto block2 │
2739 // └──────────────────────────────────┬────────────────────────────────────────┘
2740 // │
2741 // ┌──────────────▼──────────────┐
2742 // │ Block 2 │
2743 // │ resumepoint 16 1 0 2 2 │
2744 // │ 19 return tostring16:String │
2745 // └─────────────────────────────┘
2746 //
2747 // The Unbox instruction is used as a type guard. The ToString instruction
2748 // doesn't use the type information from the preceding Unbox instruction and
2749 // therefore has to assume its operand can be any value.
2750 //
2751 // When instead propagating the type information from the preceding Unbox
2752 // instruction, this graph is constructed after the "Apply types" phase:
2753 //
2754 // ┌───────────────────────────────────────────────────────────────────────────┐
2755 // │ Block 0 │
2756 // │ resumepoint 1 0 2 2 │
2757 // │ 0 parameter THIS_SLOT Value │
2758 // │ 1 parameter 0 Value │
2759 // │ 2 constant undefined Undefined │
2760 // │ 3 start │
2761 // │ 4 checkoverrecursed │
2762 // │ 5 unbox parameter1 to String (fallible) String │
2763 // │ 6 constant object 1d908053e088 (String) Object │
2764 // │ 7 guardshape constant6:Object Object │
2765 // │ 8 slots guardshape7:Object Slots │
2766 // │ 9 loaddynamicslot slots8:Slots (slot 53) Value │
2767 // │ 10 constant 0x0 Int32 │
2768 // │ 11 unbox loaddynamicslot9 to Object (fallible) Object │
2769 // │ 12 nurseryobject Object │
2770 // │ 13 guardspecificfunction unbox11:Object nurseryobject12:Object Object │
2771 // │ 14 goto block1 │
2772 // └──────────────────────────────────┬────────────────────────────────────────┘
2773 // │
2774 // ┌──────────────────────────────────▼────────────────────────────────────────┐
2775 // │ Block 1 │
2776 // │ ((0)) resumepoint 15 1 15 15 | 1 13 1 0 2 2 │
2777 // │ 15 constant undefined Undefined │
2778 // │ 20 unbox parameter1 to String (fallible) String │
2779 // │ 16 tostring parameter1:Value String │
2780 // │ 18 goto block2 │
2781 // └──────────────────────────────────┬────────────────────────────────────────┘
2782 // │
2783 // ┌──────────────▼─────────────────────┐
2784 // │ Block 2 │
2785 // │ resumepoint 16 1 0 2 2 │
2786 // │ 21 box tostring16:String Value │
2787 // │ 19 return box21:Value │
2788 // └────────────────────────────────────┘
2789 //
2790 // GVN will later merge both Unbox instructions and fold away the ToString
2791 // instruction, so we get this final graph:
2792 //
2793 // ┌───────────────────────────────────────────────────────────────────────────┐
2794 // │ Block 0 │
2795 // │ resumepoint 1 0 2 2 │
2796 // │ 0 parameter THIS_SLOT Value │
2797 // │ 1 parameter 0 Value │
2798 // │ 2 constant undefined Undefined │
2799 // │ 3 start │
2800 // │ 4 checkoverrecursed │
2801 // │ 5 unbox parameter1 to String (fallible) String │
2802 // │ 6 constant object 1d908053e088 (String) Object │
2803 // │ 7 guardshape constant6:Object Object │
2804 // │ 8 slots guardshape7:Object Slots │
2805 // │ 22 loaddynamicslotandunbox slots8:Slots (slot 53) Object │
2806 // │ 11 nurseryobject Object │
2807 // │ 12 guardspecificfunction load22:Object nurseryobject11:Object Object │
2808 // │ 13 goto block1 │
2809 // └──────────────────────────────────┬────────────────────────────────────────┘
2810 // │
2811 // ┌──────────────────────────────────▼────────────────────────────────────────┐
2812 // │ Block 1 │
2813 // │ ((0)) resumepoint 2 1 2 2 | 1 12 1 0 2 2 │
2814 // │ 14 goto block2 │
2815 // └──────────────────────────────────┬────────────────────────────────────────┘
2816 // │
2817 // ┌──────────────▼─────────────────────┐
2818 // │ Block 2 │
2819 // │ resumepoint 5 1 0 2 2 │
2820 // │ 15 return parameter1:Value │
2821 // └────────────────────────────────────┘
2822 //
2824 // Visit the blocks in post-order, so that the type information of the closest
2825 // unbox operation is used.
2827 block++) {
2830 }
2832 // Iterate over all instructions to look for unbox instructions.
2834 iter++) {
2837 }
2842 // Ignore unbox operations on typed values.
2845 }
2847 // Ignore unbox to floating point types, because propagating boxed Int32
2848 // values as Double can lead to repeated bailouts when later instructions
2849 // expect Int32 inputs.
2852 }
2854 // Inspect other uses of |input| to propagate the unboxed type information
2855 // from |unbox|.
2859 // Ignore resume points.
2862 }
2865 // Ignore any unbox operations, including the current |unbox|.
2868 }
2870 // Ignore phi nodes, because we don't yet support them.
2873 }
2875 // The unbox operation needs to happen before the other use, otherwise
2876 // we can't propagate the type information.
2880 }
2884 }
2885 }
2887 // Replace the use with |unbox|, so that GVN knows about the actual
2888 // value type and can more easily fold unnecessary operations. If the
2889 // instruction actually needs a boxed input, the BoxPolicy type policy
2890 // will simply unwrap the unbox instruction.
2893 // The uses in the MIR graph no longer reflect the uses in the bytecode,
2894 // so we have to mark |input| as implicitly used.
2896 }
2897 }
2898 }
2900 }
2905 }
2908 }
2911 }
2914 }
2917 }
2919 }
2926 }
2929 }
2936 }
2937 }
2939 // A utility for code which adds/deletes blocks. Renumber the remaining blocks,
2940 // recompute dominators, and optionally recompute AliasAnalysis dependencies.
2944 // Renumber the blocks and clear out the old dominator info.
2950 }
2952 // Recompute dominator info.
2955 }
2957 // If needed, update alias analysis dependencies.
2961 }
2962 }
2966 }
2968 // Remove all blocks not marked with isMarked(). Unmark all remaining blocks.
2969 // Alias analysis dependencies may be invalid after calling this function.
2973 // If all blocks are marked, no blocks need removal. Just clear the
2974 // marks. We'll still need to update the dominator tree below though,
2975 // since we may have removed edges even if we didn't remove any blocks.
2978 // As we are going to remove edges and basic blocks, we have to mark
2979 // instructions which would be needed by baseline if we were to
2980 // bailout.
2985 }
2988 }
2990 // Find unmarked blocks and remove them.
2998 }
3000 // The block is unreachable. Clear out the loop header flag, as
3001 // we're doing the sweep of a mark-and-sweep here, so we no longer
3002 // need to worry about whether an unmarked block is a loop or not.
3005 }
3009 }
3011 }
3012 }
3014 // Renumber the blocks and update the dominator tree.
3016 }
3018 // A Simple, Fast Dominance Algorithm by Cooper et al.
3019 // Modified to support empty intersections for OSR, and in RPO.
3028 // In the original paper, the block ID comparisons are on the postorder index.
3029 // This implementation iterates in RPO, so the comparisons are reversed.
3031 // For this function to be called, the block must have multiple predecessors.
3032 // If a finger is then found to be self-dominating, it must therefore be
3033 // reachable from multiple roots through non-intersecting control flow.
3034 // nullptr is returned in this case, to denote an empty intersection.
3041 }
3043 }
3049 }
3051 }
3052 }
3054 }
3059 }
3060 }
3063 // The default start block is a root and therefore only self-dominates.
3067 // Any OSR block is a root and therefore only self-dominates.
3071 }
3080 // For each block in RPO, intersect all dominators.
3082 // If a node has once been found to have no exclusive dominator,
3083 // it will never have an exclusive dominator, so it may be skipped.
3086 }
3088 // A block with no predecessors is not reachable from any entry, so
3089 // it self-dominates.
3093 }
3097 // Find the first common dominator.
3102 }
3106 // If there is no common dominator, the block self-dominates.
3111 }
3112 }
3117 }
3118 }
3119 }
3121 #ifdef DEBUG
3122 // Assert that all blocks have dominator information.
3124 block++) {
3126 }
3127 #endif
3128 }
3137 // Traversing through the graph in post-order means that every non-phi use
3138 // of a definition is visited before the def itself. Since a def
3139 // dominates its uses, by the time we reach a particular
3140 // block, we have processed all of its dominated children, so
3141 // block->numDominated() is accurate.
3146 // Dominance is defined such that blocks always dominate themselves.
3149 // If the block only self-dominates, it has no definite parent.
3150 // Add it to the worklist as a root for pre-order traversal.
3151 // This includes all roots. Order does not matter.
3155 }
3157 }
3161 }
3164 }
3166 #ifdef DEBUG
3167 // If compiling with OSR, many blocks will self-dominate.
3168 // Without OSR, there is only one root block which dominates all.
3171 }
3172 #endif
3173 // Now, iterate through the dominator tree in pre-order and annotate every
3174 // block with its index in the traversal.
3183 }
3184 index++;
3185 }
3188 }
3191 // Build a mapping such that given a basic block, whose successor has one or
3192 // more phis, we can find our specific input to that phi. To make this fast
3193 // mapping work we rely on a specific property of our structured control
3194 // flow graph: For a block with phis, its predecessors each have only one
3195 // successor with phis. Consider each case:
3196 // * Blocks with less than two predecessors cannot have phis.
3197 // * Breaks. A break always has exactly one successor, and the break
3198 // catch block has exactly one predecessor for each break, as
3199 // well as a final predecessor for the actual loop exit.
3200 // * Continues. A continue always has exactly one successor, and the
3201 // continue catch block has exactly one predecessor for each
3202 // continue, as well as a final predecessor for the actual
3203 // loop continuation. The continue itself has exactly one
3204 // successor.
3205 // * An if. Each branch as exactly one predecessor.
3206 // * A switch. Each branch has exactly one predecessor.
3207 // * Loop tail. A new block is always created for the exit, and if a
3208 // break statement is present, the exit block will forward
3209 // directly to the break block.
3211 block++) {
3214 }
3216 // Assert on the above.
3220 #ifdef DEBUG
3225 numSuccessorsWithPhis++;
3226 }
3227 }
3229 #endif
3232 }
3233 }
3236 }
3238 #ifdef DEBUG
3240 // Assuming B = succ(A), verify A = pred(B).
3244 }
3245 }
3247 }
3250 // Assuming B = pred(A), verify A = succ(B).
3254 }
3255 }
3257 }
3259 // If you have issues with the usesBalance assertions, then define the macro
3260 // _DEBUG_CHECK_OPERANDS_USES_BALANCE to spew information on the error output.
3261 // This output can then be processed with the following awk script to filter and
3262 // highlight which checks are missing or if there is an unexpected operand /
3263 // use.
3264 //
3265 // define _DEBUG_CHECK_OPERANDS_USES_BALANCE 1
3266 /*
3268 $ ./js 2>stderr.log
3269 $ gawk '
3270 /^==Check/ { context = ""; state = $2; }
3271 /^[a-z]/ { context = context "\n\t" $0; }
3272 /^==End/ {
3273 if (state == "Operand") {
3274 list[context] = list[context] - 1;
3275 } else if (state == "Use") {
3276 list[context] = list[context] + 1;
3277 }
3278 }
3279 END {
3280 for (ctx in list) {
3281 if (list[ctx] > 0) {
3282 print "Missing operand check", ctx, "\n"
3283 }
3284 if (list[ctx] < 0) {
3285 print "Missing use check", ctx, "\n"
3286 }
3287 };
3288 }' < stderr.log
3290 */
3299 # ifdef _DEBUG_CHECK_OPERANDS_USES_BALANCE
3306 # endif
3308 }
3317 # ifdef _DEBUG_CHECK_OPERANDS_USES_BALANCE
3324 # endif
3326 }
3328 // To properly encode entry resume points, we have to ensure that all the
3329 // operands of the entry resume point are located before the safeInsertTop
3330 // location.
3335 }
3341 }
3344 }
3349 }
3353 }
3354 }
3355 }
3359 #ifdef DEBUG
3362 }
3373 }
3377 }
3379 // Assert successor and predecessor list coherency.
3383 block++) {
3384 count++;
3394 }
3399 }
3405 }
3409 }
3412 // We cannot yet assert that is there is no instruction then this is
3413 // the entry resume point because we are still storing resume points
3414 // in the InlinePropertyTable.
3419 }
3420 }
3426 }
3438 // Assert that use chains are valid for this instruction.
3441 }
3444 }
3451 }
3452 }
3456 }
3457 }
3459 // The control instruction is not visited by the MDefinitionIterator.
3469 }
3472 }
3473 }
3475 // In case issues, see the _DEBUG_CHECK_OPERANDS_USES_BALANCE macro above.
3479 #endif
3480 }
3482 #ifdef DEBUG
3484 // Check that every block is visited after all its predecessors (except
3485 // backedges).
3496 }
3497 }
3500 }
3503 }
3504 #endif
3506 #ifdef DEBUG
3508 // Check dominators.
3515 }
3520 block++) {
3535 }
3536 }
3538 }
3548 }
3552 i--;
3553 }
3556 }
3557 #endif
3560 #ifdef DEBUG
3563 }
3566 }
3569 #endif
3570 }
3572 #ifdef DEBUG
3574 // see CodeGeneratorShared::encodeAllocation
3605 }
3607 }
3614 }
3617 }
3618 }
3623 }
3625 }
3632 }
3633 }
3638 // Checks the basic GraphCoherency but also other conditions that
3639 // do not hold immediately (such as the fact that critical edges
3640 // are split)
3642 #ifdef DEBUG
3645 }
3648 }
3656 block++) {
3660 // No critical edges:
3664 }
3665 }
3669 // Fixup block.
3675 }
3680 }
3687 }
3688 }
3693 successorWithPhis++;
3694 }
3695 }
3701 // Verify that phi operands dominate the corresponding CFG predecessor
3702 // edges.
3710 }
3711 }
3713 // Verify that instructions are dominated by their operands.
3723 // If the operand is an instruction in the same block, check
3724 // that it comes first.
3732 }
3733 }
3738 }
3739 }
3741 // Verify that the block resume points are dominated by their operands.
3745 }
3749 }
3750 }
3751 #endif
3752 }
3757 };
3760 JitAllocPolicy>
3761 BoundsCheckMap;
3763 // Compute a hash for bounds checks which ignores constant offsets in the index.
3769 }
3774 // Since we are traversing the dominator tree in pre-order, when we
3775 // are looking at the |index|-th block, the next numDominated() blocks
3776 // we traverse are precisely the set of blocks that are dominated.
3777 //
3778 // So, this value is visible in all blocks if:
3779 // index <= index + ins->block->numDominated()
3780 // and becomes invalid after that.
3784 // We didn't find a dominating bounds check.
3785 BoundsCheckInfo info;
3792 }
3795 }
3804 }
3808 // TruncateAfterBailouts is considered as infinite space because the
3809 // LinearSum will effectively remove the bailout check.
3814 }
3816 }
3820 }
3824 }
3826 // Extract a linear sum from ins, if possible (otherwise giving the
3827 // sum 'ins + 0').
3833 }
3835 // Unwrap Int32ToIntPtr. This instruction only changes the representation
3836 // (int32_t to intptr_t) without affecting the value.
3839 }
3843 }
3849 }
3853 }
3857 }
3859 // Only allow math which are in the same space.
3865 }
3872 }
3874 // Extract linear sums of each operand.
3878 // LinearSum only considers a single term operand, if both sides have
3879 // terms, then ignore extracted linear sums.
3882 }
3884 // Check if this is of the form <SUM> + n or n + <SUM>.
3892 }
3894 }
3897 // Check if this is of the form <SUM> - n.
3905 }
3907 }
3909 // Ignore any of the form n - <SUM>.
3911 }
3913 // Extract a linear inequality holding when a boolean test goes in the
3914 // specified direction, of the form 'lhs + lhsN <= rhs' (or >=).
3920 }
3927 // TODO: optimize Compare_UInt32
3930 }
3938 }
3945 }
3947 // Normalize operations to use <= or >=.
3953 /* x < y ==> x + 1 <= y */
3956 }
3963 /* x > y ==> x - 1 >= y */
3966 }
3971 }
3977 }
3983 // Replace all uses of the bounds check with the actual index.
3984 // This is (a) necessary, because we can coalesce two different
3985 // bounds checks and would otherwise use the wrong index and
3986 // (b) helps register allocation. Note that this is safe since
3987 // no other pass after bounds check elimination moves instructions.
3992 }
3996 }
4002 }
4005 // We didn't find a dominating bounds check.
4007 }
4009 // We found two bounds checks with the same hash number, but we still have
4010 // to make sure the lengths and index terms are equal.
4013 }
4018 // Both terms should be nullptr or the same definition.
4021 }
4023 // This bounds check is redundant.
4026 // Normalize the ranges according to the constant offsets in the two indexes.
4033 }
4035 // Update the dominating check to cover both ranges, denormalizing the
4036 // result per the constant offset in the index.
4041 }
4048 }
4050 // Eliminate checks which are redundant given each other or other instructions.
4051 //
4052 // A bounds check is considered redundant if it's dominated by another bounds
4053 // check with the same length and the indexes differ by only a constant amount.
4054 // In this case we eliminate the redundant bounds check and update the other one
4055 // to cover the ranges of both checks.
4056 //
4057 // Bounds checks are added to a hash map and since the hash function ignores
4058 // differences in constant offset, this offers a fast way to find redundant
4059 // checks.
4063 // Stack for pre-order CFG traversal.
4066 // The index of the current block in the CFG traversal.
4069 // Add all self-dominating blocks to the worklist.
4070 // This includes all roots. Order does not matter.
4076 }
4077 }
4078 }
4080 // Starting from each self-dominating block, traverse the CFG in pre-order.
4084 // Add all immediate dominators to the front of the worklist.
4088 }
4095 }
4101 }
4105 }
4106 }
4107 index++;
4108 }
4113 }
4123 }
4129 }
4132 }
4134 // Eliminate shape guards which are redundant given other instructions.
4135 //
4136 // A shape guard is redundant if we can prove that the object being
4137 // guarded already has the correct shape. The conditions for doing so
4138 // are as follows:
4139 //
4140 // 1. We can see the most recent change to the shape of this object.
4141 // (This can be an AddAndStoreSlot, an AllocateAndStoreSlot, or the
4142 // creation of the object itself.
4143 // 2. That mutation dominates the shape guard.
4144 // 3. The shape that was assigned at that point matches the shape
4145 // we expect.
4146 //
4147 // If all of these conditions hold, then we can remove the shape guard.
4148 // In debug, we replace it with an AssertShape to help verify correctness.
4157 insIter++;
4159 // Skip instructions that aren't shape guards.
4162 }
4176 }
4183 }
4189 }
4191 // The guard doesn't depend on any other instruction that is modifying
4192 // the object operand, so we check the object operand directly.
4201 }
4209 }
4213 }
4218 }
4220 #ifdef DEBUG
4223 }
4227 #endif
4233 }
4234 }
4237 }
4249 // Skip `allocation`.
4251 insIter++;
4253 // Try to optimize the other instructions in the block.
4256 insIter++;
4262 // These instructions can't trigger GC or affect this analysis in other
4263 // ways.
4271 }
4275 }
4282 }
4283 #ifdef DEBUG
4286 }
4291 }
4295 #endif
4299 }
4304 }
4305 }
4308 }
4311 // Peephole optimization for the following pattern:
4312 //
4313 // 0: MNewCallObject
4314 // 1: MStoreFixedSlot(0, ...)
4315 // 2: MStoreFixedSlot(0, ...)
4316 // 3: MPostWriteBarrier(0, ...)
4317 //
4318 // If the instructions immediately following the allocation instruction can't
4319 // trigger GC and we are storing to the new object's slots, we can elide the
4320 // pre-barrier.
4321 //
4322 // We also eliminate the post barrier and (in debug builds) replace it with an
4323 // assertion.
4324 //
4325 // See also the similar optimizations in WarpBuilder::buildCallObject.
4334 insIter++;
4339 }
4340 }
4341 }
4342 }
4345 }
4348 // When a string is used as a property key, or as the key for a Map or Set, we
4349 // require it to be atomized. To avoid repeatedly atomizing the same string,
4350 // this analysis looks for cases where we are loading a value from the slot of
4351 // an object (which includes access to global variables and global lexicals)
4352 // and using it as a property key, and marks those loads. During codegen,
4353 // marked loads will check whether the value loaded is a non-atomized string.
4354 // If it is, we will atomize the string and update the stored value, ensuring
4355 // that future loads from the same slot will not have to atomize again.
4363 insIter++;
4402 }
4407 // Skip intermediate nodes.
4415 }
4422 }
4437 }
4438 }
4439 }
4442 }
4450 }
4452 // Allocating a BigInt can GC, so we have to keep the object alive.
4455 }
4459 }
4469 }
4493 iter++;
4497 }
4498 }
4501 }
4508 insIter++) {
4512 }
4526 }
4531 // Constants are kept alive by other pointers, for instance
4532 // ImmGCPtr in JIT code.
4534 }
4540 // StoreElementHole has an explicit object operand. If GVN
4541 // is disabled, we can get different unbox instructions with
4542 // the same object as input, so we check for that case.
4547 }
4550 #ifdef DEBUG
4551 // These two instructions don't start a GC unsafe region, because they
4552 // overwrite their elements register at the very start. This ensures
4553 // there's no invalidated elements value kept on the stack.
4556 }
4560 }
4562 // Enter a GC unsafe region while the elements/slots are on the stack.
4566 // Leave the region after the use.
4569 #endif
4571 }
4575 }
4579 }
4580 }
4581 }
4584 }
4590 }
4591 }
4593 }
4601 }
4602 }
4605 }
4609 }
4613 }
4620 }
4623 }
4624 }
4628 }
4630 }
4635 }
4640 }
4643 }
4650 }
4656 }
4658 }
4664 }
4668 }
4670 }
4671 }
4673 AutoEnterOOMUnsafeRegion oomUnsafe;
4676 }
4679 }
4683 }
4693 }
4698 }
4703 }
4704 }
4709 }
4710 }
4716 }
4720 BailoutKind bailoutKind) {
4734 }
4740 }
4760 }
4761 }
4762 }
4768 }
4771 }
4773 // Mark all the blocks that are in the loop with the given header.
4774 // Returns the number of blocks marked. Set *canOsr to true if the loop is
4775 // reachable from both the normal entry and the OSR entry.
4777 #ifdef DEBUG
4781 }
4782 #endif
4787 // The blocks are in RPO; start at the loop backedge, which marks the bottom
4788 // of the loop, and walk up until we get to the header. Loops may be
4789 // discontiguous, so we trace predecessors to determine which blocks are
4790 // actually part of the loop. The backedge is always part of the loop, and
4791 // so are its predecessors, transitively, up to the loop header or an OSR
4792 // entry.
4801 // If we've reached the loop header, we're done.
4804 }
4805 // A block not marked by the time we reach it is not in the loop.
4808 }
4810 // This block is in the loop; trace to its predecessors.
4815 }
4817 // Blocks dominated by the OSR entry are not part of the loop
4818 // (unless they aren't reachable from the normal entry).
4823 }
4831 // A nested loop may not exit back to the enclosing loop at its
4832 // bottom. If we just marked its header, then the whole nested loop
4833 // is part of the enclosing loop.
4837 // Mark its backedge so that we add all of its blocks to the
4838 // outer loop as we walk upwards.
4842 // If the nested loop is not contiguous, we may have already
4843 // passed its backedge. If this happens, back up.
4847 }
4848 }
4849 }
4850 }
4851 }
4853 // If there's no path connecting the header to the backedge, then this isn't
4854 // actually a loop. This can happen when the code starts with a loop but GVN
4855 // folds some branches away.
4859 }
4862 }
4864 // Unmark all the blocks that are in the loop with the given header.
4875 }
4876 }
4877 }
4879 #ifdef DEBUG
4883 }
4884 #endif
4885 }
4888 // This pass folds MLoadFixedSlot, MLoadDynamicSlot, MLoadElement instructions
4889 // followed by MUnbox into a single instruction. For LoadElement this allows
4890 // us to fuse the hole check with the type check for the unbox.
4893 block++) {
4896 }
4901 insIter++;
4903 // We're only interested in loads producing a Value.
4907 }
4910 }
4914 // Ensure there's a single def-use (ignoring resume points) and it's an
4915 // unbox. Unwrap MLexicalCheck because it's redundant if we have a
4916 // fallible unbox (checked below).
4920 }
4927 }
4928 }
4931 }
4933 // For now require the load and unbox to be in the same block. This isn't
4934 // strictly necessary but it's the common case and could prevent bailouts
4935 // when moving the unbox before a loop.
4939 }
4944 // If this is a LoadElement or if we have a lexical check between the load
4945 // and unbox, we only support folding the load with a fallible unbox so
4946 // that we can eliminate the MagicValue check.
4949 }
4951 // Combine the load and unbox into a single MIR instruction.
4954 }
4967 }
4974 }
4981 }
4984 }
4991 }
4995 insIter++;
4996 }
4998 insIter++;
4999 }
5003 }
5005 }
5006 }
5009 }
5011 // Reorder the blocks in the loop starting at the given header to be contiguous.
5019 // If there are any blocks between the loop header and the loop backedge
5020 // that are not part of the loop, prepare to move them to the end. We keep
5021 // them in order, which preserves RPO.
5023 insertIter++;
5026 // Visit all the blocks from the loop header to the loop backedge.
5037 // This block is in the loop.
5040 // If we've reached the loop backedge, we're done!
5043 }
5045 // This block is not in the loop. Move it to the end.
5048 }
5049 }
5056 }
5058 // Reorder the blocks in the graph so that loops are contiguous.
5060 // Visit all loop headers (in any order).
5065 }
5067 // Mark all blocks that are actually part of the loop.
5071 // If the loop isn't a loop, don't try to optimize it.
5074 }
5076 // If there's an OSR block entering the loop in the middle, it's tricky,
5077 // so don't try to handle it, for now.
5081 }
5083 // Move all blocks between header and backedge that aren't marked to
5084 // the end of the loop, making the loop itself contiguous.
5086 }
5089 }
5094 }
5096 }
5107 insIter++;
5110 }
5136 }
5140 }
5142 // Given the following structure (that occurs inside for-in loops):
5143 // obj: some object
5144 // iter: ObjectToIterator <obj>
5145 // iterNext: IteratorMore <iter>
5146 // access: HasProp/GetElem <obj> <iterNext>
5147 // If the iterator object has an indices array, we can speed up the
5148 // property access:
5149 // 1. If the property access is a HasProp looking for own properties,
5150 // then the result will always be true if the iterator has indices,
5151 // because we only populate the indices array for objects with no
5152 // enumerable properties on the prototype.
5153 // 2. If the property access is a GetProp, then we can use the contents
5154 // of the indices array to find the correct property faster than
5155 // the megamorphic cache.
5158 }
5163 }
5168 }
5179 replacement =
5186 }
5190 }
5195 // Advance to join block.
5198 }
5199 }
5203 }
5206 }
5209 #ifdef JS_JITSPEW
5215 }
5217 // Get any extra bits of text that the MIR node wants to show us. Both the
5218 // vector and the strings added to it belong to this function, so both will
5219 // be automatically freed at exit.
5220 ExtrasCollector extras;
5224 }
5228 }
5229 #endif
5230 }
5234 #ifdef JS_JITSPEW
5237 }
5249 }
5255 }
5256 }
5262 }
5263 #endif
5264 }