/*
* Copyright (C) 2011-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "DFGGraph.h"
#if ENABLE(DFG_JIT)
#include "ArrayPrototype.h"
#include "CodeBlock.h"
#include "CodeBlockWithJITType.h"
#include "DFGBackwardsCFG.h"
#include "DFGBackwardsDominators.h"
#include "DFGBlockWorklist.h"
#include "DFGCFG.h"
#include "DFGClobberSet.h"
#include "DFGClobbersExitState.h"
#include "DFGControlEquivalenceAnalysis.h"
#include "DFGDominators.h"
#include "DFGFlowIndexing.h"
#include "DFGFlowMap.h"
#include "DFGMayExit.h"
#include "DFGNaturalLoops.h"
#include "DFGVariableAccessDataDump.h"
#include "FullBytecodeLiveness.h"
#include "FunctionExecutableDump.h"
#include "GetterSetter.h"
#include "JIT.h"
#include "JSLexicalEnvironment.h"
#include "MaxFrameExtentForSlowPathCall.h"
#include "OperandsInlines.h"
#include "Snippet.h"
#include "StackAlignment.h"
#include <wtf/CommaPrinter.h>
#include <wtf/ListDump.h>
namespace JSC { namespace DFG {
// Compile-time switch read by Graph::dump(): when true, the SSA-form dump also
// prints each block's availabilityAtHead / availabilityAtTail.
static constexpr bool dumpOSRAvailabilityData = false;
// Table of opcode names: one stringized entry per FOR_EACH_DFG_OP item, in the
// order the macro lists them. Graph::opName() indexes this table directly with
// a NodeType value.
// NOTE(review): presumably NodeType is generated from the same macro list so
// that enum values and table slots line up - confirm in the NodeType header.
static const char* dfgOpNames[] = {
#define STRINGIZE_DFG_OP_ENUM(opcode, flags) #opcode ,
FOR_EACH_DFG_OP(STRINGIZE_DFG_OP_ENUM)
#undef STRINGIZE_DFG_OP_ENUM
};
// Builds an empty DFG graph for a compilation plan.
//
// The graph starts in LoadStore form, before any fixpoint, with every node
// considered live. The profiled block is taken from the plan's code block via
// alternative(), and three VM-wide structures are registered up front.
Graph::Graph(VM& vm, Plan& plan)
    : m_vm(vm)
    , m_plan(plan)
    , m_codeBlock(m_plan.codeBlock())
    , m_profiledBlock(m_codeBlock->alternative())
    , m_ssaCFG(makeUnique<SSACFG>(*this))
    , m_nextMachineLocal(0)
    , m_fixpointState(BeforeFixpoint)
    , m_structureRegistrationState(HaveNotStartedRegistering)
    , m_form(LoadStore)
    , m_unificationState(LocallyUnified)
    , m_refCountState(EverythingIsLive)
{
    // The next statement dereferences m_profiledBlock unconditionally.
    // NOTE(review): ASSERT is presumably compiled out of release builds, so
    // callers must guarantee the code block has an alternative - confirm.
    ASSERT(m_profiledBlock);

    // Debugger support is on if the profiled block was compiled with debugging
    // opcodes; the option is only consulted when it was not.
    const bool profiledWithDebuggingOpcodes = m_profiledBlock->wasCompiledWithDebuggingOpcodes();
    m_hasDebuggerEnabled = profiledWithDebuggingOpcodes || Options::forceDebuggerBytecodeGeneration();

    m_indexingCache = makeUnique<FlowIndexing>(*this);
    m_abstractValuesCache = makeUnique<FlowMap<AbstractValue>>(*this);

    // The first registration's result is not kept; the string and symbol
    // structures are cached on the graph.
    registerStructure(vm.structureStructure.get());
    this->stringStructure = registerStructure(vm.stringStructure.get());
    this->symbolStructure = registerStructure(vm.symbolStructure.get());
}
// Out-of-line destructor with no explicit teardown; members clean up through
// their own destructors.
Graph::~Graph() = default;
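// Returns the printable name of a DFG opcode.
//
// The name is looked up in dfgOpNames by the opcode's numeric value. A value
// outside the table (for example a corrupted or uninitialised node op reaching
// a diagnostic dump) yields a placeholder string instead of reading past the
// end of the array and handing an arbitrary pointer to the printer.
const char *Graph::opName(NodeType op)
{
    constexpr size_t opNameCount = sizeof(dfgOpNames) / sizeof(dfgOpNames[0]);
    // Casting to size_t also turns a negative enum value into an out-of-range index.
    const size_t index = static_cast<size_t>(op);
    if (index >= opNameCount)
        return "<invalid op>";
    return dfgOpNames[index];
}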
// Writes the string " " to `out` exactly `amount` times.
static void printWhiteSpace(PrintStream& out, unsigned amount)
{
    for (unsigned printed = 0; printed < amount; ++printed)
        out.print(" ");
}
// Prints the inline-stack transition between the previously dumped node and
// `currentNode`: one "<--" line per inline frame left and one "-->" line per
// inline frame entered.
//
// `previousNodeRef` is updated to `currentNode` whenever the current node has a
// semantic origin. Returns true only if at least one line was printed.
// When `prefixStr` is null the graph's own m_prefix is used.
bool Graph::dumpCodeOrigin(PrintStream& out, const char* prefixStr, Node*& previousNodeRef, Node* currentNode, DumpContext* context)
{
    Prefix localPrefix(prefixStr);
    Prefix& prefix = prefixStr ? localPrefix : m_prefix;

    if (!currentNode->origin.semantic)
        return false;

    // Remember the current node for the next call before any further early return.
    Node* lastSeenNode = previousNodeRef;
    previousNodeRef = currentNode;
    if (!lastSeenNode)
        return false;

    // Same innermost inline frame: nothing was pushed or popped.
    if (lastSeenNode->origin.semantic.inlineCallFrame() == currentNode->origin.semantic.inlineCallFrame())
        return false;

    Vector<CodeOrigin> oldStack = lastSeenNode->origin.semantic.inlineStack();
    Vector<CodeOrigin> newStack = currentNode->origin.semantic.inlineStack();

    // Find the first depth at which the two stacks name different inline frames.
    unsigned sharedDepth = std::min(oldStack.size(), newStack.size());
    unsigned indexOfDivergence = 0;
    while (indexOfDivergence < sharedDepth
        && oldStack[indexOfDivergence].inlineCallFrame() == newStack[indexOfDivergence].inlineCallFrame())
        ++indexOfDivergence;

    // NOTE(review): both loops below dereference inlineCallFrame() for every
    // entry at or above the divergence index. Presumably entry 0 (no inline
    // frame) always matches on both sides and is never reached - confirm.
    bool printedAnything = false;

    // Frames that were left, innermost first.
    for (unsigned depth = oldStack.size(); depth > indexOfDivergence;) {
        --depth;
        out.print(prefix);
        printWhiteSpace(out, depth * 2);
        out.print("<-- ", inContext(*oldStack[depth].inlineCallFrame(), context), "\n");
        printedAnything = true;
    }

    // Frames that were entered, outermost first.
    for (unsigned depth = indexOfDivergence; depth < newStack.size(); ++depth) {
        out.print(prefix);
        printWhiteSpace(out, depth * 2);
        out.print("--> ", inContext(*newStack[depth].inlineCallFrame(), context), "\n");
        printedAnything = true;
    }

    return printedAnything;
}
// Returns the indentation for a node's dump line: two units per inline depth
// beyond the first.
// NOTE(review): the result is computed as (inlineDepth() - 1) * 2 and callers
// pass it on as an unsigned count; this presumably relies on inlineDepth()
// never being 0 - confirm.
int Graph::amountOfNodeWhiteSpace(Node* node)
{
    const auto inlineDepth = node->origin.semantic.inlineDepth();
    return (inlineDepth - 1) * 2;
}
// Prints the indentation that precedes a node's dump line.
// The int from amountOfNodeWhiteSpace() is converted to the unsigned count
// printWhiteSpace() expects.
void Graph::printNodeWhiteSpace(PrintStream& out, Node* node)
{
    int indentation = amountOfNodeWhiteSpace(node);
    printWhiteSpace(out, indentation);
}
// Prints a one-line description of a single node: index, ref count, virtual
// register, opcode name, then a comma-separated list of whichever operands and
// metadata the node carries, followed by an optional " predicting ..." suffix.
//
// When `prefixStr` is null the graph's own m_prefix is used. `context` is
// passed to the inContext()/pointerDumpInContext() printers.
//
// NOTE(review): several fields are printed through RawPointer(...), which
// presumably writes the raw address; dump output should then be handled as
// containing process memory addresses - confirm.
void Graph::dump(PrintStream& out, const char* prefixStr, Node* node, DumpContext* context)
{
Prefix myPrefix(prefixStr);
Prefix& prefix = prefixStr ? myPrefix : m_prefix;
NodeType op = node->op();
unsigned refCount = node->refCount();
bool mustGenerate = node->mustGenerate();
// Report the count without the extra reference held by a must-generate node.
if (mustGenerate)
--refCount;
out.print(prefix);
printNodeWhiteSpace(out, node);
// Example/explanation of dataflow dump output
//
//   D@14:  <!2:7>  GetByVal(@3, @13)
//     ^1    ^2 ^3    ^4       ^5
//
// (1) The nodeIndex of this operation.
// (2) The reference count. The number printed is the 'real' count,
// not including the 'mustGenerate' ref. If the node is
// 'mustGenerate' then the count is prefixed with '!'.
// (3) The virtual register slot assigned to this node.
// (4) The name of the operation.
// (5) The arguments to the operation. They may be of the form:
// D@# - a NodeIndex referencing a prior node in the graph.
// arg# - an argument number.
// id# - the index in the CodeBlock of an identifier { if codeBlock is passed to dump(), the string representation is displayed }.
// var# - the index of a var on the global object, used by GetGlobalVar/GetGlobalLexicalVariable/PutGlobalVariable operations.
int nodeIndex = node->index();
// NOTE(review): as written, all three branches select the same literal, so the
// padding does not vary with the index width; presumably the literals had
// different lengths before whitespace was collapsed - confirm against upstream.
const char* prefixPadding = nodeIndex < 10 ? " " : nodeIndex < 100 ? " " : " ";
out.printf("%sD@%d:<%c%u:", prefixPadding, nodeIndex, mustGenerate ? '!' : ' ', refCount);
// Virtual register, or "-" when the node has no result or no valid register.
if (node->hasResult() && node->hasVirtualRegister() && node->virtualRegister().isValid())
out.print(node->virtualRegister());
else
out.print("-");
out.print(">\t", opName(op), "(");
CommaPrinter comma;
// Children: var-arg nodes list every non-empty slot in their child range;
// fixed-arity nodes print child1..child3 up to the last one that is set.
if (node->flags() & NodeHasVarArgs) {
for (unsigned childIdx = node->firstChild(); childIdx < node->firstChild() + node->numChildren(); childIdx++) {
if (!m_varArgChildren[childIdx])
continue;
out.print(comma, m_varArgChildren[childIdx]);
}
} else {
if (!!node->child1() || !!node->child2() || !!node->child3())
out.print(comma, node->child1());
if (!!node->child2() || !!node->child3())
out.print(comma, node->child2());
if (!!node->child3())
out.print(comma, node->child3());
}
// Flags are skipped when their textual dump is exactly "<empty>".
if (toCString(NodeFlagsDump(node->flags())) != "<empty>")
out.print(comma, NodeFlagsDump(node->flags()));
if (node->prediction())
out.print(comma, SpeculationDump(node->prediction()));
if (node->hasNumberOfArgumentsToSkip())
out.print(comma, "numberOfArgumentsToSkip = ", node->numberOfArgumentsToSkip());
if (node->hasArrayMode())
out.print(comma, node->arrayMode());
if (node->hasArithUnaryType())
out.print(comma, "Type:", node->arithUnaryType());
if (node->hasArithMode())
out.print(comma, node->arithMode());
if (node->hasArithRoundingMode())
out.print(comma, "Rounding:", node->arithRoundingMode());
if (node->hasScopeOffset())
out.print(comma, node->scopeOffset());
if (node->hasDirectArgumentsOffset())
out.print(comma, node->capturedArgumentsOffset());
if (node->hasArgumentIndex())
out.print(comma, node->argumentIndex());
if (node->hasRegisterPointer())
out.print(comma, "global", "(", RawPointer(node->variablePointer()), ")");
// UINT32_MAX is excluded here; any other identifier number is used as an
// index into identifiers() without a range check visible in this function.
if (node->hasIdentifier() && node->identifierNumber() != UINT32_MAX)
out.print(comma, "id", node->identifierNumber(), "{", identifiers()[node->identifierNumber()], "}");
if (node->hasCacheableIdentifier() && node->cacheableIdentifier())
out.print(comma, "cachable-id {", node->cacheableIdentifier(), "}");
if (node->hasPromotedLocationDescriptor())
out.print(comma, node->promotedLocationDescriptor());
if (node->hasClassInfo())
out.print(comma, *node->classInfo());
if (node->hasStructureSet())
out.print(comma, inContext(node->structureSet().toStructureSet(), context));
if (node->hasStructure())
out.print(comma, inContext(*node->structure().get(), context));
if (node->op() == CPUIntrinsic)
out.print(comma, intrinsicName(node->intrinsic()));
// Structure transition: the target is identified by its id on JSVALUE64 and by
// its raw pointer otherwise.
if (node->hasTransition()) {
out.print(comma, pointerDumpInContext(node->transition(), context));
#if USE(JSVALUE64)
out.print(", ID:", node->transition()->next->id());
#else
out.print(", ID:", RawPointer(node->transition()->next.get()));
#endif
}
// Cell operand: an empty or non-cell value is reported as invalid rather than
// being passed to asCell().
if (node->hasCellOperand()) {
if (!node->cellOperand()->value() || !node->cellOperand()->value().isCell())
out.print(comma, "invalid cell operand: ", node->cellOperand()->value());
else {
out.print(comma, pointerDump(node->cellOperand()->value().asCell()));
// This isCell() test repeats the condition already established by the
// enclosing else branch.
if (node->cellOperand()->value().isCell()) {
CallVariant variant(node->cellOperand()->value().asCell());
if (ExecutableBase* executable = variant.executable()) {
if (executable->isHostFunction())
out.print(comma, "<host function>");
else if (FunctionExecutable* functionExecutable = jsDynamicCast<FunctionExecutable*>(m_vm, executable))
out.print(comma, FunctionExecutableDump(functionExecutable));
else
out.print(comma, "<non-function executable>");
}
}
}
}
if (node->hasQueriedType())
out.print(comma, node->queriedType());
// The next five groups index identifiers() with an identifierNumber taken from
// node metadata; no range check is visible in this function.
if (node->hasStorageAccessData()) {
StorageAccessData& storageAccessData = node->storageAccessData();
out.print(comma, "id", storageAccessData.identifierNumber, "{", identifiers()[storageAccessData.identifierNumber], "}");
out.print(", ", static_cast<ptrdiff_t>(storageAccessData.offset));
}
if (node->hasMultiGetByOffsetData()) {
MultiGetByOffsetData& data = node->multiGetByOffsetData();
out.print(comma, "id", data.identifierNumber, "{", identifiers()[data.identifierNumber], "}");
for (unsigned i = 0; i < data.cases.size(); ++i)
out.print(comma, inContext(data.cases[i], context));
}
if (node->hasMultiPutByOffsetData()) {
MultiPutByOffsetData& data = node->multiPutByOffsetData();
out.print(comma, "id", data.identifierNumber, "{", identifiers()[data.identifierNumber], "}");
for (unsigned i = 0; i < data.variants.size(); ++i)
out.print(comma, inContext(data.variants[i], context));
}
if (node->hasMultiDeleteByOffsetData()) {
MultiDeleteByOffsetData& data = node->multiDeleteByOffsetData();
out.print(comma, "id", data.identifierNumber, "{", identifiers()[data.identifierNumber], "}");
for (unsigned i = 0; i < data.variants.size(); ++i)
out.print(comma, inContext(data.variants[i], context));
}
if (node->hasMatchStructureData()) {
for (MatchStructureVariant& variant : node->matchStructureData().variants)
out.print(comma, inContext(*variant.structure.get(), context), "=>", variant.result);
}
// Having variable access data and accessing the stack are expected to agree.
ASSERT(node->hasVariableAccessData(*this) == node->accessesStack(*this));
if (node->hasVariableAccessData(*this)) {
VariableAccessData* variableAccessData = node->tryGetVariableAccessData();
if (variableAccessData) {
// `operand` is initialised with the bytecode operand but only read after it
// has been reassigned to the machine local below.
Operand operand = variableAccessData->operand();
out.print(comma, variableAccessData->operand(), "(", VariableAccessDataDump(*this, variableAccessData), ")");
operand = variableAccessData->machineLocal();
if (operand.isValid())
out.print(comma, "machine:", operand);
}
}
if (node->hasStackAccessData()) {
StackAccessData* data = node->stackAccessData();
out.print(comma, data->operand);
if (data->machineLocal.isValid())
out.print(comma, "machine:", data->machineLocal);
out.print(comma, data->format);
}
if (node->hasUnlinkedOperand())
out.print(comma, node->unlinkedOperand());
if (node->hasVectorLengthHint())
out.print(comma, "vectorLengthHint = ", node->vectorLengthHint());
if (node->hasLazyJSValue())
out.print(comma, node->lazyJSValue());
if (node->hasIndexingType())
out.print(comma, IndexingTypeDump(node->indexingMode()));
if (node->hasTypedArrayType())
out.print(comma, node->typedArrayType());
if (node->hasPhi())
out.print(comma, "^", node->phi()->index());
if (node->hasExecutionCounter())
out.print(comma, RawPointer(node->executionCounter()));
if (node->hasWatchpointSet())
out.print(comma, RawPointer(node->watchpointSet()));
if (node->hasStoragePointer())
out.print(comma, RawPointer(node->storagePointer()));
if (node->hasObjectMaterializationData())
out.print(comma, node->objectMaterializationData());
if (node->hasCallVarargsData())
out.print(comma, "firstVarArgOffset = ", node->callVarargsData()->firstVarArgOffset);
if (node->hasLoadVarargsData()) {
LoadVarargsData* data = node->loadVarargsData();
out.print(comma, "start = ", data->start, ", count = ", data->count);
if (data->machineStart.isValid())
out.print(", machineStart = ", data->machineStart);
if (data->machineCount.isValid())
out.print(", machineCount = ", data->machineCount);
out.print(", offset = ", data->offset, ", mandatoryMinimum = ", data->mandatoryMinimum);
out.print(", limit = ", data->limit);
}
if (node->hasIsInternalPromise())
out.print(comma, "isInternalPromise = ", node->isInternalPromise());
if (node->hasInternalFieldIndex())
out.print(comma, "internalFieldIndex = ", node->internalFieldIndex());
if (node->hasCallDOMGetterData()) {
CallDOMGetterData* data = node->callDOMGetterData();
out.print(comma, "id", data->identifierNumber, "{", identifiers()[data->identifierNumber], "}");
out.print(", domJIT = ", RawPointer(data->domJIT));
}
if (node->hasIgnoreLastIndexIsWritable())
out.print(comma, "ignoreLastIndexIsWritable = ", node->ignoreLastIndexIsWritable());
if (node->hasIntrinsic())
out.print(comma, "intrinsic = ", node->intrinsic());
if (node->isConstant())
out.print(comma, pointerDumpInContext(node->constant(), context));
if (node->hasCallLinkStatus())
out.print(comma, *node->callLinkStatus());
if (node->hasGetByStatus())
out.print(comma, *node->getByStatus());
if (node->hasInByIdStatus())
out.print(comma, *node->inByIdStatus());
if (node->hasPutByIdStatus())
out.print(comma, *node->putByIdStatus());
// Control flow targets.
if (node->isJump())
out.print(comma, "T:", *node->targetBlock());
if (node->isBranch())
out.print(comma, "T:", node->branchData()->taken, ", F:", node->branchData()->notTaken);
if (node->isSwitch()) {
SwitchData* data = node->switchData();
out.print(comma, data->kind);
for (unsigned i = 0; i < data->cases.size(); ++i)
out.print(comma, inContext(data->cases[i].value, context), ":", data->cases[i].target);
out.print(comma, "default:", data->fallThrough);
}
if (node->isEntrySwitch()) {
EntrySwitchData* data = node->entrySwitchData();
for (unsigned i = 0; i < data->cases.size(); ++i)
out.print(comma, BranchTarget(data->cases[i]));
}
// Abstract heaps the node reads (R:) and writes (W:), as collected by
// addReadsAndWrites().
ClobberSet reads;
ClobberSet writes;
addReadsAndWrites(*this, node, reads, writes);
if (!reads.isEmpty())
out.print(comma, "R:", sortedListDump(reads.direct(), ","));
if (!writes.isEmpty())
out.print(comma, "W:", sortedListDump(writes.direct(), ","));
// Exit behaviour: printed only when mayExit() reports something other than
// DoesNotExit.
ExitMode exitMode = mayExit(*this, node);
if (exitMode != DoesNotExit)
out.print(comma, exitMode);
if (clobbersExitState(*this, node))
out.print(comma, "ClobbersExit");
// Origin: semantic bytecode index, plus the exit origin when it is set and
// differs from the semantic one.
if (node->origin.isSet()) {
out.print(comma, node->origin.semantic.bytecodeIndex());
if (node->origin.semantic != node->origin.forExit && node->origin.forExit.isSet())
out.print(comma, "exit: ", node->origin.forExit);
}
out.print(comma, node->origin.exitOK ? "ExitValid" : "ExitInvalid");
if (node->origin.wasHoisted)
out.print(comma, "WasHoisted");
out.print(")");
// Trailing prediction: from the variable access data for stack accesses,
// otherwise from the heap prediction when the node has one.
if (node->accessesStack(*this) && node->tryGetVariableAccessData())
out.print(" predicting ", SpeculationDump(node->tryGetVariableAccessData()->prediction()));
else if (node->hasHeapPrediction())
out.print(" predicting ", SpeculationDump(node->getHeapPrediction()));
out.print("\n");
}
// Returns true when every block in natural order has a terminal node.
// The header dump uses this to decide whether dominator and loop information
// can be printed.
bool Graph::terminalsAreValid()
{
    for (BasicBlock* block : blocksInNaturalOrder()) {
        if (block->terminal())
            continue;
        return false;
    }
    return true;
}
// Overload pair that lets the natural-loop printing code obtain a BasicBlock*
// from either a CPSCFG::Node or a plain BasicBlock*.
static BasicBlock* unboxLoopNode(const CPSCFG::Node& node)
{
    return node.node();
}

static BasicBlock* unboxLoopNode(BasicBlock* block)
{
    return block;
}
// Prints the header of a basic block: identity and status flags, execution
// count, predecessors and successors, dominator and natural-loop information
// when the corresponding analyses are present, and the block's Phi nodes.
//
// When `prefixStr` is null the graph's own m_prefix is used. With
// DumpLivePhisOnly, Phis that should not be generated are omitted.
//
// NOTE(review): the first line reads block->at(0) unconditionally, so this
// presumably must not be called on an empty block - confirm.
void Graph::dumpBlockHeader(PrintStream& out, const char* prefixStr, BasicBlock* block, PhiNodeDumpMode phiNodeDumpMode, DumpContext* context)
{
    Prefix localPrefix(prefixStr);
    Prefix& prefix = prefixStr ? localPrefix : m_prefix;

    out.print(prefix, "Block ", *block, " (", inContext(block->at(0)->origin.semantic, context), "):",
        block->isReachable ? "" : " (skipped)", block->isOSRTarget ? " (OSR target)" : "", block->isCatchEntrypoint ? " (Catch Entrypoint)" : "", "\n");

    // A value compares unequal to itself only when it is NaN, so this prints
    // the count only when it is a real number.
    if (block->executionCount == block->executionCount)
        out.print(prefix, " Execution count: ", block->executionCount, "\n");

    out.print(prefix, " Predecessors:");
    for (size_t predecessorIndex = 0; predecessorIndex < block->predecessors.size(); ++predecessorIndex)
        out.print(" ", *block->predecessors[predecessorIndex]);
    out.print("\n");

    // Successors can only be enumerated when the block ends in a terminal.
    out.print(prefix, " Successors:");
    if (!block->terminal())
        out.print(" <invalid>");
    else {
        for (BasicBlock* successor : block->successors())
            out.print(" ", *successor);
    }
    out.print("\n");

    // Shared printer for either the SSA or the CPS dominator analysis.
    auto dumpDominatorInfo = [&] (auto& dominators) {
        using DominatorsType = typename std::remove_reference<decltype(dominators)>::type;
        out.print(prefix, " Dominated by: ", dominators.dominatorsOf(block), "\n");
        out.print(prefix, " Dominates: ", dominators.blocksDominatedBy(block), "\n");
        out.print(prefix, " Dominance Frontier: ", dominators.dominanceFrontierOf(block), "\n");
        out.print(prefix, " Iterated Dominance Frontier: ",
            dominators.iteratedDominanceFrontierOf(typename DominatorsType::List { block }), "\n");
    };

    // Cached analyses are consulted only while every block has a terminal.
    if (terminalsAreValid()) {
        if (m_ssaDominators)
            dumpDominatorInfo(*m_ssaDominators);
        else if (m_cpsDominators)
            dumpDominatorInfo(*m_cpsDominators);
    }

    if (m_backwardsDominators && terminalsAreValid()) {
        out.print(prefix, " Backwards dominates by: ", m_backwardsDominators->dominatorsOf(block), "\n");
        out.print(prefix, " Backwards dominates: ", m_backwardsDominators->blocksDominatedBy(block), "\n");
    }

    if (m_controlEquivalenceAnalysis && terminalsAreValid()) {
        out.print(prefix, " Control equivalent to:");
        for (BasicBlock* candidate : blocksInNaturalOrder()) {
            if (m_controlEquivalenceAnalysis->areEquivalent(block, candidate))
                out.print(" ", *candidate);
        }
        out.print("\n");
    }

    // Shared printer for either the SSA or the CPS natural-loop analysis.
    auto dumpLoopInfo = [&] (auto& naturalLoops) {
        if (const auto* headedLoop = naturalLoops->headerOf(block)) {
            out.print(prefix, " Loop header, contains:");
            // Collect member block indices and print them in ascending order.
            Vector<BlockIndex> memberIndices;
            for (unsigned member = 0; member < headedLoop->size(); ++member)
                memberIndices.append(unboxLoopNode(headedLoop->at(member))->index);
            std::sort(memberIndices.begin(), memberIndices.end());
            for (BlockIndex memberIndex : memberIndices)
                out.print(" #", memberIndex);
            out.print("\n");
        }

        auto enclosingLoops = naturalLoops->loopsOf(block);
        if (!enclosingLoops.isEmpty()) {
            out.print(prefix, " Containing loop headers:");
            for (unsigned loopIndex = 0; loopIndex < enclosingLoops.size(); ++loopIndex)
                out.print(" ", *unboxLoopNode(enclosingLoops[loopIndex]->header()));
            out.print("\n");
        }
    };

    if (m_ssaNaturalLoops)
        dumpLoopInfo(m_ssaNaturalLoops);
    else if (m_cpsNaturalLoops)
        dumpLoopInfo(m_cpsNaturalLoops);

    if (block->phis.isEmpty())
        return;

    out.print(prefix, " Phi Nodes:");
    const size_t phiCount = block->phis.size();
    for (size_t phiPosition = 0; phiPosition < phiCount; ++phiPosition) {
        Node* phiNode = block->phis[phiPosition];
        ASSERT(phiNode->op() == Phi);
        if (!phiNode->shouldGenerate() && phiNodeDumpMode == DumpLivePhisOnly)
            continue;

        out.print(" D@", phiNode->index(), "<", phiNode->operand(), ",", phiNode->refCount(), ">->(");
        // Children are printed left to right, stopping at the first unset one.
        if (phiNode->child1()) {
            out.print("D@", phiNode->child1()->index());
            if (phiNode->child2()) {
                out.print(", D@", phiNode->child2()->index());
                if (phiNode->child3())
                    out.print(", D@", phiNode->child3()->index());
            }
        }
        out.print(")", phiPosition + 1 < phiCount ? "," : "");
    }
    out.print("\n");
}
// Prints the whole graph: a summary line with the graph's state, the argument
// formats or per-root arguments, every block (header, CFA state at head, nodes,
// CFA state at tail), the frozen values that point to the heap, the
// watchpoints, and finally whatever the local dump context collected.
//
// If `context` is null a local DumpContext is used for everything.
void Graph::dump(PrintStream& out, DumpContext* context)
{
// The graph's own prefix object is mutated while dumping (block and node
// indices are set and cleared below).
Prefix& prefix = m_prefix;
DumpContext myContext;
myContext.graph = this;
if (!context)
context = &myContext;
out.print("\n");
out.print(prefix, "DFG for ", CodeBlockWithJITType(m_codeBlock, JITType::DFGJIT), ":\n");
out.print(prefix, " Fixpoint state: ", m_fixpointState, "; Form: ", m_form, "; Unification state: ", m_unificationState, "; Ref count state: ", m_refCountState, "\n");
// SSA form lists argument formats per entrypoint; other forms list the
// argument nodes recorded for each root block.
if (m_form == SSA) {
for (unsigned entrypointIndex = 0; entrypointIndex < m_argumentFormats.size(); ++entrypointIndex)
out.print(prefix, " Argument formats for entrypoint index: ", entrypointIndex, " : ", listDump(m_argumentFormats[entrypointIndex]), "\n");
}
else {
for (const auto& pair : m_rootToArguments)
out.print(prefix, " Arguments for block#", pair.key->index, ": ", listDump(pair.value), "\n");
}
out.print("\n");
// Carried across blocks so dumpCodeOrigin() can report inline-stack changes
// relative to the previously dumped node.
Node* lastNode = nullptr;
for (size_t b = 0; b < m_blocks.size(); ++b) {
BasicBlock* block = m_blocks[b].get();
// Slots in m_blocks may be null; those are skipped.
if (!block)
continue;
prefix.blockIndex = block->index;
dumpBlockHeader(out, Prefix::noString, block, DumpAllPhis, context);
out.print(prefix, " States: ", block->cfaStructureClobberStateAtHead);
if (!block->cfaHasVisited)
out.print(", CurrentlyCFAUnreachable");
if (!block->intersectionOfCFAHasVisited)
out.print(", CFAUnreachable");
out.print("\n");
// State at the head of the block, depending on the graph form.
switch (m_form) {
case LoadStore:
case ThreadedCPS: {
out.print(prefix, " Vars Before: ");
if (block->cfaHasVisited)
out.print(inContext(block->valuesAtHead, context));
else
out.print("<empty>");
out.print("\n");
out.print(prefix, " Intersected Vars Before: ");
if (block->intersectionOfCFAHasVisited)
out.print(inContext(block->intersectionOfPastValuesAtHead, context));
else
out.print("<empty>");
out.print("\n");
out.print(prefix, " Var Links: ", block->variablesAtHead, "\n");
break;
}
case SSA: {
// Checked in release builds as well: block->ssa is dereferenced right below.
RELEASE_ASSERT(block->ssa);
if (dumpOSRAvailabilityData)
out.print(prefix, " Availability: ", block->ssa->availabilityAtHead, "\n");
out.print(prefix, " Live: ", nodeListDump(block->ssa->liveAtHead), "\n");
out.print(prefix, " Values: ", nodeValuePairListDump(block->ssa->valuesAtHead, context), "\n");
break;
} }
// Nodes: the node index is cleared from the prefix while the code-origin
// transition lines are printed, then set for the node's own line.
for (size_t i = 0; i < block->size(); ++i) {
prefix.clearNodeIndex();
dumpCodeOrigin(out, Prefix::noString, lastNode, block->at(i), context);
prefix.nodeIndex = i;
dump(out, Prefix::noString, block->at(i), context);
}
prefix.clearNodeIndex();
out.print(prefix, " States: ", block->cfaBranchDirection, ", ", block->cfaStructureClobberStateAtTail);
if (!block->cfaDidFinish)
out.print(", CFAInvalidated");
out.print("\n");
// State at the tail of the block, depending on the graph form.
switch (m_form) {
case LoadStore:
case ThreadedCPS: {
out.print(prefix, " Vars After: ");
if (block->cfaHasVisited)
out.print(inContext(block->valuesAtTail, context));
else
out.print("<empty>");
out.print("\n");
out.print(prefix, " Var Links: ", block->variablesAtTail, "\n");
break;
}
case SSA: {
RELEASE_ASSERT(block->ssa);
if (dumpOSRAvailabilityData)
out.print(prefix, " Availability: ", block->ssa->availabilityAtTail, "\n");
out.print(prefix, " Live: ", nodeListDump(block->ssa->liveAtTail), "\n");
out.print(prefix, " Values: ", nodeValuePairListDump(block->ssa->valuesAtTail, context), "\n");
break;
} }
out.print("\n");
}
prefix.clearBlockIndex();
// Frozen values that point to the heap. These and the watchpoints are printed
// through the local context (&myContext), even when the caller supplied one.
out.print(prefix, "GC Values:\n");
for (FrozenValue* value : m_frozenValues) {
if (value->pointsToHeap())
out.print(prefix, " ", inContext(*value, &myContext), "\n");
}
out.print(inContext(watchpoints(), &myContext));
// Append whatever the local context accumulated, prefixed like the rest of
// the dump.
if (!myContext.isEmpty()) {
StringPrintStream prefixStr;
prefixStr.print(prefix);
myContext.dump(out, prefixStr.toCString().data());
out.print("\n");
}
}
// Removes a node from the graph's node storage.
//
// In SSA form with validation enabled, first asserts that no block still lists
// the node in its liveAtHead / liveAtTail sets.
// NOTE(review): without validation nothing here checks for remaining
// references, so callers are presumably responsible for ensuring the node is
// no longer reachable before deleting it - confirm.
void Graph::deleteNode(Node* node)
{
    const bool shouldCheckLiveness = validationEnabled() && m_form == SSA;
    if (shouldCheckLiveness) {
        for (BasicBlock* block : blocksInNaturalOrder()) {
            DFG_ASSERT(*this, node, !block->ssa->liveAtHead.contains(node));
            DFG_ASSERT(*this, node, !block->ssa->liveAtTail.contains(node));
        }
    }

    m_nodes.remove(node);
}
// Forwards to the node container's packIndices().
// NOTE(review): presumably this renumbers nodes, so node indices recorded
// before the call should not be relied on afterwards - confirm.
void Graph::packNodeIndices()
{
    m_nodes.packIndices();
}
// Converts the graph to LoadStore form by resetting the children of every Phi
// node. Does nothing when the graph is already in LoadStore or SSA form.
void Graph::dethread()
{
    const bool nothingToDethread = m_form == LoadStore || m_form == SSA;
    if (nothingToDethread)
        return;

    if (logCompilationChanges())
        dataLog("Dethreading DFG graph.\n");

    BlockIndex blockIndex = m_blocks.size();
    while (blockIndex--) {
        BasicBlock* block = m_blocks[blockIndex].get();
        if (!block)
            continue;
        // Each Phi is reset independently of the others.
        for (Node* phi : block->phis)
            phi->children.reset();
    }

    m_form = LoadStore;
}
// Records the edge block -> successor during reachability computation.
//
// A successor seen for the first time is marked reachable and queued; `block`
// is added to the successor's predecessor list unless it is already there.
void Graph::handleSuccessor(Vector<BasicBlock*, 16>& worklist, BasicBlock* block, BasicBlock* successor)
{
    if (!successor->isReachable) {
        successor->isReachable = true;
        worklist.append(successor);
    }

    // Keep the predecessor list free of duplicates.
    if (successor->predecessors.contains(block))
        return;
    successor->predecessors.append(block);
}
// Marks every block reachable from the graph's roots and fills in predecessor
// lists along the way, using a worklist traversal of successor edges.
void Graph::determineReachability()
{
    Vector<BasicBlock*, 16> pending;
    for (BasicBlock* root : m_roots) {
        root->isReachable = true;
        pending.append(root);
    }

    while (!pending.isEmpty()) {
        BasicBlock* current = pending.takeLast();
        // Successors are visited from the last to the first.
        unsigned successorIndex = current->numSuccessors();
        while (successorIndex--)
            handleSuccessor(pending, current, current->successor(successorIndex));
    }
}
// Clears the reachable flag and predecessor list of every block, then
// recomputes both from the roots.
void Graph::resetReachability()
{
    BlockIndex blockIndex = m_blocks.size();
    while (blockIndex--) {
        BasicBlock* block = m_blocks[blockIndex].get();
        if (!block)
            continue;
        block->isReachable = false;
        block->predecessors.clear();
    }

    determineReachability();
}
namespace {
// Recomputes the reference count of every node in a graph.
//
// Counts are first zeroed. Roots are must-generate nodes and the targets of
// edges that still need a type check; everything reachable from a root through
// child edges is then referenced using a worklist. In SSA form, Upsilon nodes
// feeding a live Phi are referenced as well, repeating until nothing changes.
//
// NOTE(review): the code relies on postfixRef() returning the count as it was
// before the increment (a node is queued only when that value is 0) - confirm
// against the Node definition.
class RefCountCalculator {
public:
    RefCountCalculator(Graph& graph)
        : m_graph(graph)
    {
    }

    void calculate()
    {
        zeroAllRefCounts();
        seedWorklistWithRoots();

        // Draining may make more Phis live, which may make more Upsilons
        // countable, which refills the worklist; loop until it stays empty.
        while (!m_worklist.isEmpty()) {
            drainWorklist();
            if (m_graph.m_form == SSA)
                countUpsilonsOfLivePhis();
        }
    }

private:
    // Resets the ref count of every node and Phi in every block to 0.
    void zeroAllRefCounts()
    {
        for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
            BasicBlock* block = m_graph.block(blockIndex);
            if (!block)
                continue;
            for (Node* node : *block)
                node->setRefCount(0);
            for (Node* phi : block->phis)
                phi->setRefCount(0);
        }
    }

    // Finds the roots:
    // - Nodes that are must-generate.
    // - Nodes that are reachable from type checks.
    // Each root gets its first reference and is put on the worklist.
    void seedWorklistWithRoots()
    {
        for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
            BasicBlock* block = m_graph.block(blockIndex);
            if (!block)
                continue;
            unsigned indexInBlock = block->size();
            while (indexInBlock--) {
                Node* node = block->at(indexInBlock);
                DFG_NODE_DO_TO_CHILDREN(m_graph, node, findTypeCheckRoot);
                if (!(node->flags() & NodeMustGenerate))
                    continue;
                if (!node->postfixRef())
                    m_worklist.append(node);
            }
        }
    }

    // Pops nodes until the worklist is empty, counting each node's proved edges.
    void drainWorklist()
    {
        while (!m_worklist.isEmpty()) {
            Node* node = m_worklist.takeLast();
            ASSERT(node->shouldGenerate()); // It should not be on the worklist unless it's ref'ed.
            DFG_NODE_DO_TO_CHILDREN(m_graph, node, countEdge);
        }
    }

    // Finds Phi->Upsilon edges, which are represented as meta-data in the
    // Upsilon, and references each not-yet-live Upsilon whose Phi is live.
    void countUpsilonsOfLivePhis()
    {
        BlockIndex blockIndex = m_graph.numBlocks();
        while (blockIndex--) {
            BasicBlock* block = m_graph.block(blockIndex);
            if (!block)
                continue;
            unsigned nodeIndex = block->size();
            while (nodeIndex--) {
                Node* node = block->at(nodeIndex);
                if (node->op() == Upsilon && !node->shouldGenerate() && node->phi()->shouldGenerate())
                    countNode(node);
            }
        }
    }

    // References the target of an edge that still carries a type check.
    void findTypeCheckRoot(Node*, Edge edge)
    {
        // We may have an "unproved" untyped use for code that is unreachable. The CFA
        // will just not have gotten around to it.
        const bool needsNoCheck = edge.isProved() || edge.willNotHaveCheck();
        if (needsNoCheck)
            return;
        if (!edge->postfixRef())
            m_worklist.append(edge.node());
    }

    // Adds one reference to the node and queues it if that was its first.
    void countNode(Node* node)
    {
        if (!node->postfixRef())
            m_worklist.append(node);
    }

    // Counts an edge unless it was already counted as a type-check root.
    void countEdge(Node*, Edge edge)
    {
        if (edge.isProved() || edge.willNotHaveCheck())
            countNode(edge.node());
    }

    Graph& m_graph;
    Vector<Node*, 128> m_worklist;
};
} // anonymous namespace
// Recomputes all node reference counts with a one-shot RefCountCalculator.
void Graph::computeRefCounts()
{
    RefCountCalculator(*this).calculate();
}
// Deletes every Phi and node of a block and then kills the block itself.
// SSA data, when present, is invalidated first, before any node is deleted.
void Graph::killBlockAndItsContents(BasicBlock* block)
{
    if (block->ssa)
        block->ssa->invalidate();

    // Phis are deleted from the last to the first.
    unsigned phiIndex = block->phis.size();
    while (phiIndex--)
        deleteNode(block->phis[phiIndex]);

    for (Node* node : *block)
        deleteNode(node);

    killBlock(block);
}
// Kills every block whose isReachable flag is false, together with its
// contents. Node liveness is invalidated up front.
// NOTE(review): this trusts the isReachable flags as they currently stand;
// presumably callers recompute reachability first - confirm.
void Graph::killUnreachableBlocks()
{
    invalidateNodeLiveness();

    for (BlockIndex blockIndex = 0; blockIndex < numBlocks(); ++blockIndex) {
        BasicBlock* candidate = block(blockIndex);
        if (!candidate || candidate->isReachable)
            continue;

        dataLogIf(Options::verboseDFGBytecodeParsing(), "Basic block #", blockIndex, " was killed because it was unreachable\n");
        killBlockAndItsContents(candidate);
    }
}
// Drops every cached CFG-derived analysis: CPS and SSA dominators, CPS and SSA
// natural loops, control equivalence, backwards dominators, the backwards CFG
// and the CPS CFG. m_ssaCFG is not touched here.
// NOTE(review): presumably this must run after any change to block structure
// so later phases do not read analyses computed for the old CFG - confirm
// against callers. The assignment order is kept as written because the member
// types, and therefore any destruction-order dependency, are not visible here.
void Graph::invalidateCFG()
{
m_cpsDominators = nullptr;
m_ssaDominators = nullptr;
m_cpsNaturalLoops = nullptr;
m_ssaNaturalLoops = nullptr;
m_controlEquivalenceAnalysis = nullptr;
m_backwardsDominators = nullptr;
m_backwardsCFG = nullptr;
m_cpsCFG = nullptr;
}
// In SSA form, invalidates the SSA data of every block in natural order.
// Does nothing in other forms.
void Graph::invalidateNodeLiveness()
{
    if (m_form == SSA) {
        for (BasicBlock* block : blocksInNaturalOrder())
            block->ssa->invalidate();
    }
}
// Scans `block` from `startIndexInBlock` for the first GetLocal that uses
// `variableAccessData` and substitutes `newGetLocal` for it.
//
// The scan stops early at a SetLocal to the same operand. If the replaced
// GetLocal was the block's tail variable for that operand, the tail entry is
// redirected to `newGetLocal`.
void Graph::substituteGetLocal(BasicBlock& block, unsigned startIndexInBlock, VariableAccessData* variableAccessData, Node* newGetLocal)
{
    for (unsigned indexInBlock = startIndexInBlock; indexInBlock < block.size(); ++indexInBlock) {
        Node* node = block[indexInBlock];

        switch (node->op()) {
        case SetLocal:
            // A store to the same operand ends the search.
            if (node->operand() == variableAccessData->operand())
                return;
            break;

        case GetLocal: {
            // GetLocals of other variables are skipped.
            if (node->variableAccessData() != variableAccessData)
                continue;

            substitute(block, indexInBlock, node, newGetLocal);

            Node* tailNode = block.variablesAtTail.operand(variableAccessData->operand());
            if (tailNode == node)
                block.variablesAtTail.operand(variableAccessData->operand()) = newGetLocal;
            return;
        }

        default:
            break;
        }
    }
}
// Returns the blocks reachable from the roots in pre-order.
//
// With validation enabled, additionally checks (with a release assertion) that
// every dominator appears before the blocks it dominates, using the SSA
// dominators in SSA form or during SSA conversion and the CPS dominators
// otherwise.
BlockList Graph::blocksInPreOrder()
{
    BlockList result;
    result.reserveInitialCapacity(m_blocks.size());

    BlockWorklist pending;
    for (BasicBlock* root : m_roots)
        pending.push(root);

    while (BasicBlock* current = pending.pop()) {
        result.append(current);
        unsigned successorIndex = current->numSuccessors();
        while (successorIndex--)
            pending.push(current->successor(successorIndex));
    }

    if (!validationEnabled())
        return result;

    // When iterating over pre order, we should see dominators
    // before things they dominate. The check is quadratic in the block count.
    auto assertDominatorsComeFirst = [&] (auto& dominators) {
        for (unsigned i = 0; i < result.size(); ++i) {
            BasicBlock* dominatorCandidate = result[i];
            if (!dominatorCandidate)
                continue;
            for (unsigned j = 0; j < result.size(); ++j) {
                BasicBlock* other = result[j];
                if (!other || dominatorCandidate == other)
                    continue;
                if (dominators.dominates(dominatorCandidate, other))
                    RELEASE_ASSERT(i < j);
            }
        }
    };

    if (m_form == SSA || m_isInSSAConversion)
        assertDominatorsComeFirst(ensureSSADominators());
    else
        assertDominatorsComeFirst(ensureCPSDominators());

    return result;
}
// Returns the blocks reachable from the roots in post-order.
//
// When `isSafeToValidate` is true and validation is enabled, additionally
// checks (with a release assertion) that every dominator appears after the
// blocks it dominates. Callers pass false when the CFG is not yet complete
// enough to compute dominators.
BlockList Graph::blocksInPostOrder(bool isSafeToValidate)
{
    BlockList result;
    result.reserveInitialCapacity(m_blocks.size());

    PostOrderBlockWorklist pending;
    for (BasicBlock* root : m_roots)
        pending.push(root);

    while (BlockWithOrder item = pending.pop()) {
        switch (item.order) {
        case VisitOrder::Pre: {
            // First visit: schedule the post visit, then the successors.
            pending.pushPost(item.node);
            unsigned successorIndex = item.node->numSuccessors();
            while (successorIndex--)
                pending.push(item.node->successor(successorIndex));
            break;
        }
        case VisitOrder::Post:
            result.append(item.node);
            break;
        }
    }

    // There are users of this where we haven't yet built enough of the CFG to be able to run dominators.
    const bool shouldValidate = isSafeToValidate && validationEnabled();
    if (!shouldValidate)
        return result;

    // In post order a dominator must come after everything it dominates.
    // The check is quadratic in the block count.
    auto assertDominatorsComeLast = [&] (auto& dominators) {
        for (unsigned i = 0; i < result.size(); ++i) {
            BasicBlock* dominatorCandidate = result[i];
            if (!dominatorCandidate)
                continue;
            for (unsigned j = 0; j < result.size(); ++j) {
                BasicBlock* other = result[j];
                if (!other || dominatorCandidate == other)
                    continue;
                if (dominators.dominates(dominatorCandidate, other))
                    RELEASE_ASSERT(i > j);
            }
        }
    };

    if (m_form == SSA || m_isInSSAConversion)
        assertDominatorsComeLast(ensureSSADominators());
    else
        assertDominatorsComeLast(ensureCPSDominators());

    return result;
}
// Resets the replacement pointer of every phi and every node in every live block.
void Graph::clearReplacements()
{
    BlockIndex remainingBlocks = numBlocks();
    while (remainingBlocks--) {
        BasicBlock* current = m_blocks[remainingBlocks].get();
        if (!current)
            continue; // Slot holds no block.

        unsigned remainingPhis = current->phis.size();
        while (remainingPhis--)
            current->phis[remainingPhis]->setReplacement(nullptr);

        unsigned remainingNodes = current->size();
        while (remainingNodes--)
            current->at(remainingNodes)->setReplacement(nullptr);
    }
}
// Resets the epoch of every phi and every node in every live block to a default Epoch.
void Graph::clearEpochs()
{
    BlockIndex remainingBlocks = numBlocks();
    while (remainingBlocks--) {
        BasicBlock* current = m_blocks[remainingBlocks].get();
        if (!current)
            continue; // Slot holds no block.

        unsigned remainingPhis = current->phis.size();
        while (remainingPhis--)
            current->phis[remainingPhis]->setEpoch(Epoch());

        unsigned remainingNodes = current->size();
        while (remainingNodes--)
            current->at(remainingNodes)->setEpoch(Epoch());
    }
}
// Points the owner field of every phi and every node at the block that contains it.
void Graph::initializeNodeOwners()
{
    BlockIndex remainingBlocks = numBlocks();
    while (remainingBlocks--) {
        BasicBlock* current = m_blocks[remainingBlocks].get();
        if (!current)
            continue; // Slot holds no block.

        unsigned remainingPhis = current->phis.size();
        while (remainingPhis--)
            current->phis[remainingPhis]->owner = current;

        unsigned remainingNodes = current->size();
        while (remainingNodes--)
            current->at(remainingNodes)->owner = current;
    }
}
// Clears the given flags on every phi and every node in every live block.
void Graph::clearFlagsOnAllNodes(NodeFlags flags)
{
    BlockIndex remainingBlocks = numBlocks();
    while (remainingBlocks--) {
        BasicBlock* current = m_blocks[remainingBlocks].get();
        if (!current)
            continue; // Slot holds no block.

        unsigned remainingPhis = current->phis.size();
        while (remainingPhis--)
            current->phis[remainingPhis]->clearFlags(flags);

        unsigned remainingNodes = current->size();
        while (remainingNodes--)
            current->at(remainingNodes)->clearFlags(flags);
    }
}
// Records everything the plan needs in order to rely on `key`: weak references to the cells the
// condition mentions and the condition itself as a desired watchpoint. Returns false, recording
// nothing, when the condition is not watchable.
bool Graph::watchCondition(const ObjectPropertyCondition& key)
{
    if (!key.isWatchable())
        return false;

    DesiredWeakReferences& weakRefs = m_plan.weakReferences();
    weakRefs.addLazily(key.object());
    if (key.hasPrototype())
        weakRefs.addLazily(key.prototype());
    if (key.hasRequiredValue())
        weakRefs.addLazily(key.requiredValue());

    m_plan.watchpoints().addLazily(key);

    // A watched Presence condition is what later makes isSafeToLoad() answer true for this
    // (object, offset) pair.
    const bool provesPresence = key.kind() == PropertyCondition::Presence;
    if (provesPresence)
        m_safeToLoad.add(std::make_pair(key.object(), key.offset()));

    return true;
}
// Watches every condition in `keys`. Returns false if the set is invalid or as soon as one
// condition cannot be watched; conditions registered before the failing one stay registered.
bool Graph::watchConditions(const ObjectPropertyConditionSet& keys)
{
    if (!keys.isValid())
        return false;

    for (const ObjectPropertyCondition& condition : keys) {
        const bool watched = watchCondition(condition);
        if (!watched)
            return false;
    }

    return true;
}
// Reports whether the (base, offset) pair was recorded in m_safeToLoad, which watchCondition()
// does for Presence conditions.
bool Graph::isSafeToLoad(JSObject* base, PropertyOffset offset)
{
    auto slot = std::make_pair(base, offset);
    return m_safeToLoad.contains(slot);
}
// Requests a watchpoint on the global property named by identifierNumber. Returns false when the
// global object already has a watchpoint set for that name and the set has been invalidated.
bool Graph::watchGlobalProperty(JSGlobalObject* globalObject, unsigned identifierNumber)
{
    UniquedStringImpl* uid = identifiers()[identifierNumber];

    // An already-invalidated set means this scope operation has to change from GlobalProperty to
    // GlobalLexicalVar, but the metadata is stale because the bytecode has not run since the
    // invalidation. Returning false lets the caller emit ForceOSRExit so that the metadata is
    // refreshed when execution reaches this code.
    auto* existingSet = globalObject->getReferencedPropertyWatchpointSet(uid);
    if (existingSet && !existingSet->isStillValid())
        return false;

    globalProperties().addLazily(DesiredGlobalProperty(globalObject, identifierNumber));
    return true;
}
// Returns the full bytecode liveness for codeBlock, computing it on first use and caching it in
// m_bytecodeLiveness.
FullBytecodeLiveness& Graph::livenessFor(CodeBlock* codeBlock)
{
    auto cached = m_bytecodeLiveness.find(codeBlock);
    if (cached != m_bytecodeLiveness.end())
        return *cached->value;

    auto computed = makeUnique<FullBytecodeLiveness>();
    codeBlock->livenessAnalysis().computeFullLiveness(codeBlock, *computed);

    // Take the reference before ownership moves into the map.
    FullBytecodeLiveness& liveness = *computed;
    m_bytecodeLiveness.add(codeBlock, WTFMove(computed));
    return liveness;
}
// Convenience overload: liveness of the baseline CodeBlock behind inlineCallFrame.
FullBytecodeLiveness& Graph::livenessFor(InlineCallFrame* inlineCallFrame)
{
    CodeBlock* baseline = baselineCodeBlockFor(inlineCallFrame);
    return livenessFor(baseline);
}
// Decides whether `operand` is live in bytecode at `codeOrigin`. The walk starts at the given
// origin and follows InlineCallFrame::directCaller outwards, one inlined frame per iteration,
// until a frame answers the question. Tmps that no frame claims are reported dead; stack
// operands that no frame claims are reported live.
bool Graph::isLiveInBytecode(Operand operand, CodeOrigin codeOrigin)
{
static constexpr bool verbose = false;
if (verbose)
dataLog("Checking of operand is live: ", operand, "\n");
// False for the starting origin, true once the walk has moved to a caller; it is passed to
// appropriateLivenessCalculationPoint() below.
bool isCallerOrigin = false;
CodeOrigin* codeOriginPtr = &codeOrigin;
auto* inlineCallFrame = codeOriginPtr->inlineCallFrame();
// We need to handle tail callers because we may decide to exit to
// the return bytecode following the tail call.
for (; codeOriginPtr; codeOriginPtr = inlineCallFrame ? &inlineCallFrame->directCaller : nullptr) {
inlineCallFrame = codeOriginPtr->inlineCallFrame();
if (operand.isTmp()) {
unsigned tmpOffset = inlineCallFrame ? inlineCallFrame->tmpOffset : 0;
// The cast happens before the debug-only non-negativity check on the next line.
unsigned operandIndex = static_cast<unsigned>(operand.value());
ASSERT(operand.value() >= 0);
// This tmp should have belonged to someone we inlined.
// NOTE(review): the bound uses '>' rather than '>='; confirm that an index equal to
// tmpOffset + maxNumCheckpointTmps is meant to reach the bitmap lookup below.
if (operandIndex > tmpOffset + maxNumCheckpointTmps)
return false;
CodeBlock* codeBlock = baselineCodeBlockFor(inlineCallFrame);
// Not this frame's tmp: keep walking towards the caller.
if (!codeBlock->numTmps() || operandIndex < tmpOffset)
continue;
auto bitMap = tmpLivenessForCheckpoint(*codeBlock, codeOriginPtr->bytecodeIndex());
return bitMap.get(operandIndex - tmpOffset);
}
// Rebase the operand so that it is relative to the frame being examined.
VirtualRegister reg = operand.virtualRegister() - codeOriginPtr->stackOffset();
if (verbose)
dataLog("reg = ", reg, "\n");
// Operands below the end of this frame's call frame header are answered by this frame.
if (operand.virtualRegister().offset() < codeOriginPtr->stackOffset() + CallFrame::headerSizeInRegisters) {
if (reg.isArgument()) {
RELEASE_ASSERT(reg.offset() < CallFrame::headerSizeInRegisters);
// NOTE(review): inlineCallFrame is dereferenced here without a null check; presumably
// this branch is only reached for inlined frames - confirm against callers.
if (inlineCallFrame->isClosureCall
&& reg == CallFrameSlot::callee) {
if (verbose)
dataLog("Looks like a callee.\n");
return true;
}
if (inlineCallFrame->isVarargs()
&& reg == CallFrameSlot::argumentCountIncludingThis) {
if (verbose)
dataLog("Looks like the argument count.\n");
return true;
}
return false;
}
if (verbose)
dataLog("Asking the bytecode liveness.\n");
CodeBlock* codeBlock = baselineCodeBlockFor(inlineCallFrame);
FullBytecodeLiveness& fullLiveness = livenessFor(codeBlock);
BytecodeIndex bytecodeIndex = codeOriginPtr->bytecodeIndex();
return fullLiveness.virtualRegisterIsLive(reg, bytecodeIndex, appropriateLivenessCalculationPoint(*codeOriginPtr, isCallerOrigin));
}
// Arguments are always live. This would be redundant if it wasn't for our
// op_call_varargs inlining.
if (inlineCallFrame && reg.isArgument()
&& static_cast<size_t>(reg.toArgument()) < inlineCallFrame->argumentsWithFixup.size()) {
if (verbose)
dataLog("Argument is live.\n");
return true;
}
isCallerOrigin = true;
}
// No frame claimed the operand.
if (operand.isTmp())
return false;
if (verbose)
dataLog("Ran out of stack, returning true.\n");
return true;
}
// Builds a bit vector of the locals and tmps that are live in bytecode at codeOrigin. Locals
// occupy bits [0, numLocals); tmps follow, starting at bit numLocals.
BitVector Graph::localsAndTmpsLiveInBytecode(CodeOrigin codeOrigin)
{
    unsigned numLocals = block(0)->variablesAtHead.numberOfLocals();

    BitVector liveBits;
    liveBits.ensureSize(numLocals + block(0)->variablesAtHead.numberOfTmps());

    // NOTE(review): quickSet() is used after a single ensureSize(); presumably it does not grow
    // the vector, so every bit index must stay below the size reserved above - confirm.
    auto markLive = [&] (Operand operand) {
        unsigned bit;
        if (operand.isTmp())
            bit = numLocals + operand.value();
        else
            bit = operand.toLocal();
        liveBits.quickSet(bit);
    };
    forAllLocalsAndTmpsLiveInBytecode(codeOrigin, markLive);

    return liveBits;
}
// Number of parameter slots needed for a call with argCount arguments: the call frame header
// plus the arguments, rounded up to the stack alignment, minus the CallerFrameAndPC portion.
// No overflow check on argCount is visible in this function.
unsigned Graph::parameterSlotsForArgCount(unsigned argCount)
{
    size_t unalignedRegisters = CallFrame::headerSizeInRegisters + argCount;
    size_t alignedRegisters = WTF::roundUpToMultipleOf(stackAlignmentRegisters(), unalignedRegisters);
    alignedRegisters -= CallerFrameAndPC::sizeInRegisters;
    return alignedRegisters;
}
// Register count of the machine frame: the machine locals plus the larger of the parameter
// slots and the slow-path call extent, rounded by roundLocalRegisterCountForFramePointerOffset().
unsigned Graph::frameRegisterCount()
{
    unsigned slowPathExtent = static_cast<unsigned>(maxFrameExtentForSlowPathCallInRegisters);
    unsigned outgoingArea = std::max(m_parameterSlots, slowPathExtent);
    unsigned unrounded = m_nextMachineLocal + outgoingArea;
    return roundLocalRegisterCountForFramePointerOffset(unrounded);
}
// Offset of the virtual register for the last local of the frame, i.e. local number
// frameRegisterCount() - 1.
unsigned Graph::stackPointerOffset()
{
    unsigned lastLocal = frameRegisterCount() - 1;
    return virtualRegisterForLocal(lastLocal).offset();
}
// Largest register count needed across the profiled block and every inline call frame of the
// plan. The per-frame sum is unsigned arithmetic and is not checked for wraparound here.
unsigned Graph::requiredRegisterCountForExit()
{
    unsigned highest = JIT::frameRegisterCountFor(m_profiledBlock);

    for (auto frameIter = m_plan.inlineCallFrames()->begin(); !!frameIter; ++frameIter) {
        InlineCallFrame* frame = *frameIter;
        CodeBlock* baseline = baselineCodeBlockForInlineCallFrame(frame);
        // Registers up to and including the frame's stack offset, plus the baseline frame itself.
        unsigned needed = VirtualRegister(frame->stackOffset).toLocal() + 1 + JIT::frameRegisterCountFor(baseline);
        if (needed > highest)
            highest = needed;
    }

    return highest;
}
// Register count that covers both running the compiled code and exiting from it.
unsigned Graph::requiredRegisterCountForExecutionAndExit()
{
    // FIXME: We should make sure that frameRegisterCount() and requiredRegisterCountForExit()
    // never overflows. https://bugs.webkit.org/show_bug.cgi?id=173852
    unsigned forExecution = frameRegisterCount();
    unsigned forExit = requiredRegisterCountForExit();
    return std::max(forExecution, forExit);
}
// Tries to read the property at `offset` from the constant object `base` so that it can be
// treated as a compile-time constant. Returns an empty JSValue when folding is not possible:
// base is empty or not an object, some structure in structureSet has no valid
// property-replacement watchpoint set for the offset, or the object's current structure is not
// in structureSet. Every watchpoint set that was consulted is added to the plan's watchpoints.
JSValue Graph::tryGetConstantProperty(
JSValue base, const RegisteredStructureSet& structureSet, PropertyOffset offset)
{
if (!base || !base.isObject())
return JSValue();
JSObject* object = asObject(base);
// Every structure the object may have must carry a still-valid replacement watchpoint set.
for (unsigned i = structureSet.size(); i--;) {
RegisteredStructure structure = structureSet[i];
WatchpointSet* set = structure->propertyReplacementWatchpointSet(offset);
if (!set || !set->isStillValid())
return JSValue();
// Debug-only sanity checks; release builds rely on the checks above and below.
ASSERT(structure->isValidOffset(offset));
ASSERT(!structure->isUncacheableDictionary());
watchpoints().addLazily(set);
}
// What follows may require some extra thought. We need this load to load a valid JSValue. If
// our profiling makes sense and we're still on track to generate code that won't be
// invalidated, then we have nothing to worry about. We do, however, have to worry about
// loading - and then using - an invalid JSValue in the case that unbeknownst to us our code
// is doomed.
//
// One argument in favor of this code is that it should definitely work because the butterfly
// is always set before the structure. However, we don't currently have a fence between those
// stores. It's not clear if this matters, however. We only shrink the propertyStorage while
// holding the Structure's lock. So, for this to fail, you'd need an access on a constant
// object pointer such that the inline caches told us that the object had a structure that it
// did not *yet* have, and then later, the object transitioned to that structure that the inline
// caches had already seen. And then the processor reordered the stores. Seems unlikely and
// difficult to test. I believe that this is worth revisiting but it isn't worth losing sleep
// over. Filed:
// https://bugs.webkit.org/show_bug.cgi?id=134641
//
// For now, we just do the minimal thing: defend against the structure right now being
// incompatible with the getDirect we're trying to do. The easiest way to do that is to
// determine if the structure belongs to the proven set.
Structure* structure = object->structure(m_vm);
// This membership test is the only guard between the concurrent structure read and the load;
// do not remove or reorder it.
if (!structureSet.toStructureSet().contains(structure))
return JSValue();
return object->getDirectConcurrently(structure, offset);
}
// Single-structure overload: registers the structure and forwards a one-element set.
JSValue Graph::tryGetConstantProperty(JSValue base, Structure* structure, PropertyOffset offset)
{
    RegisteredStructureSet singleton(registerStructure(structure));
    return tryGetConstantProperty(base, singleton, offset);
}
// Abstract-structure overload: folds only when the abstract value describes a finite structure
// set; an infinite one yields an empty JSValue.
JSValue Graph::tryGetConstantProperty(
    JSValue base, const StructureAbstractValue& structure, PropertyOffset offset)
{
    if (!structure.isInfinite())
        return tryGetConstantProperty(base, structure.set(), offset);

    // FIXME: If we just converted the offset to a uid, we could do ObjectPropertyCondition
    // watching to constant-fold the property.
    // https://bugs.webkit.org/show_bug.cgi?id=147271
    return JSValue();
}
// AbstractValue overload: uses the abstract value's constant as the base and its abstract
// structure as the structure description.
JSValue Graph::tryGetConstantProperty(const AbstractValue& base, PropertyOffset offset)
{
    const auto& knownStructure = base.m_structure;
    return tryGetConstantProperty(base.m_value, knownStructure, offset);
}
// Abstract value for the property at `offset` of `base`: the frozen constant when
// tryGetConstantProperty() succeeds, AbstractValue::heapTop() otherwise.
AbstractValue Graph::inferredValueForProperty(
    const AbstractValue& base, PropertyOffset offset,
    StructureClobberState clobberState)
{
    JSValue constant = tryGetConstantProperty(base, offset);
    if (!constant)
        return AbstractValue::heapTop();

    AbstractValue inferred;
    inferred.set(*this, *freeze(constant), clobberState);
    return inferred;
}
// Tries to read the closure variable at `offset` of the lexical environment `base` as a
// constant. Returns an empty JSValue when base is empty or not a JSLexicalEnvironment, when the
// symbol table has no entry for the offset, when the entry has no watchpoint set or the set is
// not in the IsWatched state, or when the variable currently holds an empty value. On success
// the watchpoint set is added to the plan's watchpoints.
JSValue Graph::tryGetConstantClosureVar(JSValue base, ScopeOffset offset)
{
// This has an awesome concurrency story. See comment for GetGlobalVar in ByteCodeParser.
if (!base)
return JSValue();
JSLexicalEnvironment* activation = jsDynamicCast<JSLexicalEnvironment*>(m_vm, base);
if (!activation)
return JSValue();
SymbolTable* symbolTable = activation->symbolTable();
JSValue value;
WatchpointSet* set;
{
// The entry lookup, the watchpoint state check and the read of the variable all happen while
// the symbol table's lock is held.
ConcurrentJSLocker locker(symbolTable->m_lock);
SymbolTableEntry* entry = symbolTable->entryFor(locker, offset);
if (!entry)
return JSValue();
set = entry->watchpointSet();
if (!set)
return JSValue();
if (set->state() != IsWatched)
return JSValue();
ASSERT(entry->scopeOffset() == offset);
value = activation->variableAt(offset).get();
if (!value)
return JSValue();
}
// Registered after the lock has been released.
watchpoints().addLazily(set);
return value;
}
// AbstractValue overload: forwards the abstract value's constant as the scope.
JSValue Graph::tryGetConstantClosureVar(const AbstractValue& value, ScopeOffset offset)
{
    JSValue scope = value.m_value;
    return tryGetConstantClosureVar(scope, offset);
}
// Node overload: folds only when the node carries a constant, which is then used as the scope.
JSValue Graph::tryGetConstantClosureVar(Node* node, ScopeOffset offset)
{
    if (node->hasConstant())
        return tryGetConstantClosureVar(node->asJSValue(), offset);
    return JSValue();
}
// Returns `value` as a JSArrayBufferView that the compiler may treat as a constant, or nullptr
// when value is empty, is not a JSArrayBufferView, or the view's length is zero. A returned view
// has been frozen and added to the plan's watchpoints.
JSArrayBufferView* Graph::tryGetFoldableView(JSValue value)
{
if (!value)
return nullptr;
JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(m_vm, value);
if (!view)
return nullptr;
// A view whose length is zero is not folded.
if (!view->length())
return nullptr;
// NOTE(review): presumably this fence orders the length read above before the reads done by
// freeze() and the watchpoint registration - confirm; do not reorder across it.
WTF::loadLoadFence();
freeze(view);
watchpoints().addLazily(view);
return view;
}
// ArrayMode overload: refuses to fold unless the mode is Array::AnyTypedArray or names a
// concrete typed array type, then defers to the single-argument overload.
JSArrayBufferView* Graph::tryGetFoldableView(JSValue value, ArrayMode arrayMode)
{
    const bool modeAllowsTypedArray = arrayMode.type() == Array::AnyTypedArray
        || arrayMode.typedArrayType() != NotTypedArray;
    if (!modeAllowsTypedArray)
        return nullptr;

    return tryGetFoldableView(value);
}
// Publishes the graph's frozen values to the code block and the plan. The code block's constant
// pool is emptied and rebuilt from the StrongValue entries; WeakValue entries are added to the
// plan's weak references instead. Frozen values that do not point into the heap are skipped.
// The code block's lock is held for the whole function.
void Graph::registerFrozenValues()
{
ConcurrentJSLocker locker(m_codeBlock->m_lock);
m_codeBlock->constants().shrink(0);
m_codeBlock->constantsSourceCodeRepresentation().resize(0);
for (FrozenValue* value : m_frozenValues) {
if (!value->pointsToHeap())
continue;
// Debug-only: a heap value must have a structure, and that structure must already be a weak
// reference of the plan.
ASSERT(value->structure());
ASSERT(m_plan.weakReferences().contains(value->structure()));
switch (value->strength()) {
case WeakValue: {
m_plan.weakReferences().addLazily(value->value().asCell());
break;
}
case StrongValue: {
unsigned constantIndex = m_codeBlock->addConstantLazily(locker);
// We already have a barrier on the code block.
m_codeBlock->constants()[constantIndex].setWithoutWriteBarrier(value->value());
break;
} }
}
m_codeBlock->constants().shrinkToFit();
m_codeBlock->constantsSourceCodeRepresentation().shrinkToFit();
}
// Reports every frozen value and its structure to the visitor, using the unbarriered append.
void Graph::visitChildren(SlotVisitor& visitor)
{
    for (FrozenValue* frozen : m_frozenValues) {
        visitor.appendUnbarriered(frozen->value());
        visitor.appendUnbarriered(frozen->structure());
    }
}
// Returns the FrozenValue for `value`, creating and recording it on first use. The empty value
// maps to FrozenValue::emptySingleton(). Values are deduplicated through m_frozenValueMap, keyed
// by the encoded JSValue; a newly frozen value has its structure (if any) registered.
FrozenValue* Graph::freeze(JSValue value)
{
if (UNLIKELY(!value))
return FrozenValue::emptySingleton();
// There are weird relationships in how optimized CodeBlocks
// point to other CodeBlocks. We don't want to have them be
// part of the weak pointer set. For example, an optimized CodeBlock
// having a weak pointer to itself will cause it to get collected.
// Enforced in release builds too.
RELEASE_ASSERT(!jsDynamicCast<CodeBlock*>(m_vm, value));
// Insert a null placeholder; it is filled in on the last line when the entry is new.
auto result = m_frozenValueMap.add(JSValue::encode(value), nullptr);
if (LIKELY(!result.isNewEntry))
return result.iterator->value;
if (value.isUInt32())
m_uint32ValuesInUse.append(value.asUInt32());
FrozenValue frozenValue = FrozenValue::freeze(value);
if (Structure* structure = frozenValue.structure())
registerStructure(structure);
// NOTE(review): result.iterator is reused after registerStructure(); this assumes nothing in
// between modifies m_frozenValueMap - confirm.
return result.iterator->value = m_frozenValues.add(frozenValue);
}
// Freezes `value` and raises the resulting FrozenValue's strength to StrongValue.
FrozenValue* Graph::freezeStrong(JSValue value)
{
    FrozenValue* frozen = freeze(value);
    frozen->strengthenTo(StrongValue);
    return frozen;
}
// Turns `node` into a constant node for `value`, first asserting that the value's structure,
// when it has one, is registered with the plan.
void Graph::convertToConstant(Node* node, FrozenValue* value)
{
    const bool hasStructure = !!value->structure();
    if (hasStructure)
        assertIsRegistered(value->structure());

    node->convertToConstant(value);
}
// JSValue overload: freezes the value, then converts the node.
void Graph::convertToConstant(Node* node, JSValue value)
{
    FrozenValue* frozen = freeze(value);
    convertToConstant(node, frozen);
}
// Like convertToConstant(Node*, JSValue), but the value is frozen with StrongValue strength.
void Graph::convertToStrongConstant(Node* node, JSValue value)
{
    FrozenValue* frozen = freezeStrong(value);
    convertToConstant(node, frozen);
}
// Picks a frozen placeholder value whose type is compatible with `prediction`. The checks run
// in a fixed order and the first matching category wins.
FrozenValue* Graph::bottomValueMatchingSpeculation(SpeculatedType prediction)
{
    auto predicts = [&] (auto mask) {
        return speculationContains(prediction, mask);
    };

    // It probably doesn't matter what we return here.
    if (prediction == SpecNone)
        return freeze(JSValue());

    if (predicts(SpecOther))
        return freeze(jsNull());
    if (predicts(SpecBoolean))
        return freeze(jsBoolean(true));
    if (predicts(SpecFullNumber))
        return freeze(jsNumber(0));
    if (predicts(SpecBigInt))
        return freeze(m_vm.heapBigIntConstantOne.get());
    if (predicts(SpecString | SpecSymbol))
        return freeze(m_vm.smallStrings.emptyString());
    if (predicts(SpecCellOther | SpecObject))
        return freeze(jsNull());

    // Nothing above matched; only the empty value is expected to remain (debug-only check).
    ASSERT(predicts(SpecEmpty));
    return freeze(JSValue());
}
// Adds `structure` to the plan's weak references and asks the plan's watchpoints to consider it.
// `result` reports whether the structure ended up watched as well as registered.
RegisteredStructure Graph::registerStructure(Structure* structure, StructureRegistrationResult& result)
{
    m_plan.weakReferences().addLazily(structure);

    const bool nowWatched = m_plan.watchpoints().consider(structure);
    result = nowWatched ? StructureRegisteredAndWatched : StructureRegisteredNormally;

    return RegisteredStructure::createPrivate(structure);
}
// Adds `structure` to the plan's weak references and its transition watchpoint set to the
// plan's watchpoints.
void Graph::registerAndWatchStructureTransition(Structure* structure)
{
    m_plan.weakReferences().addLazily(structure);

    auto&& transitionSet = structure->transitionWatchpointSet();
    m_plan.watchpoints().addLazily(transitionSet);
}
// Checks that `structure` is a weak reference of the plan and, if the DFG should watch it, that
// its transition watchpoint set is being watched. Crashes with a diagnostic otherwise.
void Graph::assertIsRegistered(Structure* structure)
{
    // It's convenient to be able to call this with a maybe-null structure.
    if (!structure)
        return;

    DFG_ASSERT(*this, nullptr, m_plan.weakReferences().contains(structure));

    const bool watchIsMissing = structure->dfgShouldWatch()
        && !watchpoints().isWatched(structure->transitionWatchpointSet());
    if (watchIsMissing)
        DFG_CRASH(*this, nullptr, toCString("Structure ", pointerDump(structure), " is watchable but isn't being watched.").data());
}
// Writes the DFG assertion failure report: the failed assertion and its location, the context
// text, a dump of the graph, and then the assertion and location once more after the dump.
static void logDFGAssertionFailure(
    Graph& graph, const CString& whileText, const char* file, int line, const char* function,
    const char* assertion)
{
    auto logAssertionAndLocation = [&] {
        dataLog("DFG ASSERTION FAILED: ", assertion, "\n");
        dataLog(file, "(", line, ") : ", function, "\n");
    };

    startCrashing();

    logAssertionAndLocation();
    dataLog("\n");
    dataLog(whileText);
    dataLog("Graph at time of failure:\n");
    graph.dump();
    dataLog("\n");
    // Repeated so that the message is still visible below the graph dump.
    logAssertionAndLocation();
}
// Logs an assertion failure that is not tied to a node or a block (empty context text).
void Graph::logAssertionFailure(
    std::nullptr_t, const char* file, int line, const char* function, const char* assertion)
{
    const CString noContext = "";
    logDFGAssertionFailure(*this, noContext, file, line, function, assertion);
}
// Logs an assertion failure that happened while handling `node`.
void Graph::logAssertionFailure(
    Node* node, const char* file, int line, const char* function, const char* assertion)
{
    const CString context = toCString("While handling node ", node, "\n\n");
    logDFGAssertionFailure(*this, context, file, line, function, assertion);
}
// Logs an assertion failure that happened while handling `block`.
void Graph::logAssertionFailure(
    BasicBlock* block, const char* file, int line, const char* function, const char* assertion)
{
    const CString context = toCString("While handling block ", pointerDump(block), "\n\n");
    logDFGAssertionFailure(*this, context, file, line, function, assertion);
}
// Returns the CPS CFG, creating it on first use. Only legal outside SSA form and SSA conversion.
CPSCFG& Graph::ensureCPSCFG()
{
    RELEASE_ASSERT(m_form != SSA && !m_isInSSAConversion);
    if (m_cpsCFG)
        return *m_cpsCFG;

    m_cpsCFG = makeUnique<CPSCFG>(*this);
    return *m_cpsCFG;
}
// Returns the CPS dominators, creating them on first use. Only legal outside SSA form and SSA
// conversion.
CPSDominators& Graph::ensureCPSDominators()
{
    RELEASE_ASSERT(m_form != SSA && !m_isInSSAConversion);
    if (m_cpsDominators)
        return *m_cpsDominators;

    m_cpsDominators = makeUnique<CPSDominators>(*this);
    return *m_cpsDominators;
}
// Returns the SSA dominators, creating them on first use. Only legal in SSA form or during SSA
// conversion.
SSADominators& Graph::ensureSSADominators()
{
    RELEASE_ASSERT(m_form == SSA || m_isInSSAConversion);
    if (m_ssaDominators)
        return *m_ssaDominators;

    m_ssaDominators = makeUnique<SSADominators>(*this);
    return *m_ssaDominators;
}
// Returns the CPS natural loops, creating them on first use. The CPS dominators are ensured
// first. Only legal outside SSA form and SSA conversion.
CPSNaturalLoops& Graph::ensureCPSNaturalLoops()
{
    RELEASE_ASSERT(m_form != SSA && !m_isInSSAConversion);
    ensureCPSDominators();
    if (m_cpsNaturalLoops)
        return *m_cpsNaturalLoops;

    m_cpsNaturalLoops = makeUnique<CPSNaturalLoops>(*this);
    return *m_cpsNaturalLoops;
}
// Returns the SSA natural loops, creating them on first use. The SSA dominators are ensured
// first. Only legal in SSA form.
SSANaturalLoops& Graph::ensureSSANaturalLoops()
{
    RELEASE_ASSERT(m_form == SSA);
    ensureSSADominators();
    if (m_ssaNaturalLoops)
        return *m_ssaNaturalLoops;

    m_ssaNaturalLoops = makeUnique<SSANaturalLoops>(*this);
    return *m_ssaNaturalLoops;
}
// Returns the backwards CFG, creating it on first use. Only legal in SSA form.
BackwardsCFG& Graph::ensureBackwardsCFG()
{
    // We could easily relax this in the future to work over CPS, but today, it's only used in SSA.
    RELEASE_ASSERT(m_form == SSA);
    if (m_backwardsCFG)
        return *m_backwardsCFG;

    m_backwardsCFG = makeUnique<BackwardsCFG>(*this);
    return *m_backwardsCFG;
}
// Returns the backwards dominators, creating them on first use. Only legal in SSA form.
BackwardsDominators& Graph::ensureBackwardsDominators()
{
    RELEASE_ASSERT(m_form == SSA);
    if (m_backwardsDominators)
        return *m_backwardsDominators;

    m_backwardsDominators = makeUnique<BackwardsDominators>(*this);
    return *m_backwardsDominators;
}
// Returns the control equivalence analysis, creating it on first use. Only legal in SSA form.
ControlEquivalenceAnalysis& Graph::ensureControlEquivalenceAnalysis()
{
    RELEASE_ASSERT(m_form == SSA);
    if (m_controlEquivalenceAnalysis)
        return *m_controlEquivalenceAnalysis;

    m_controlEquivalenceAnalysis = makeUnique<ControlEquivalenceAnalysis>(*this);
    return *m_controlEquivalenceAnalysis;
}
// Finds the baseline profile that describes the value flowing from operandNode into
// currentNode. Starting at operandNode, the search looks through BooleanToNumber, Identity,
// ValueRep, DoubleRep and Int52Rep nodes to their first child and returns the first profile it
// finds: an argument value profile, a lazy operand profile for a GetLocal, a bytecode value
// profile, or a binary/unary arithmetic profile. Returns an empty MethodOfGettingAValueProfile
// when nothing matches.
MethodOfGettingAValueProfile Graph::methodOfGettingAValueProfileFor(Node* currentNode, Node* operandNode)
{
// This represents IR like `CurrentNode(@operandNode)`. For example: `GetByVal(..., Int32:@GetLocal)`.
for (Node* node = operandNode; node;) {
if (node->accessesStack(*this)) {
if (m_form != SSA && node->operand().isArgument()) {
int argument = node->operand().toArgument();
// NOTE(review): the find() result is dereferenced and indexed by `argument` with no check
// visible here; presumably block(0) is always a key and the index is in range - confirm.
Node* argumentNode = m_rootToArguments.find(block(0))->value[argument];
// FIXME: We should match SetArgumentDefinitely nodes at other entrypoints as well:
// https://bugs.webkit.org/show_bug.cgi?id=175841
if (argumentNode && node->variableAccessData() == argumentNode->variableAccessData()) {
CodeBlock* profiledBlock = baselineCodeBlockFor(node->origin.semantic);
return &profiledBlock->valueProfileForArgument(argument);
}
}
}
// currentNode is null when we're doing speculation checks for checkArgumentTypes().
if (!currentNode || node->origin.semantic != currentNode->origin.semantic || !currentNode->hasResult()) {
CodeBlock* profiledBlock = baselineCodeBlockFor(node->origin.semantic);
if (node->accessesStack(*this)) {
if (node->op() == GetLocal) {
return MethodOfGettingAValueProfile::fromLazyOperand(
profiledBlock,
LazyOperandValueProfileKey(
node->origin.semantic.bytecodeIndex(), node->operand()));
}
}
if (node->hasHeapPrediction())
return &profiledBlock->valueProfileForBytecodeIndex(node->origin.semantic.bytecodeIndex());
if (profiledBlock->hasBaselineJITProfiling()) {
if (BinaryArithProfile* result = profiledBlock->binaryArithProfileForBytecodeIndex(node->origin.semantic.bytecodeIndex()))
return result;
if (UnaryArithProfile* result = profiledBlock->unaryArithProfileForBytecodeIndex(node->origin.semantic.bytecodeIndex()))
return result;
}
}
// Look through these node types to their input; any other node ends the search.
switch (node->op()) {
case BooleanToNumber:
case Identity:
case ValueRep:
case DoubleRep:
case Int52Rep:
node = node->child1().node();
break;
default:
node = nullptr;
}
}
return MethodOfGettingAValueProfile();
}
// Looks up `uid` on the RegExp prototype and, if the property can be folded to a constant that
// is a JSFunction or a GetterSetter, stores it in returnJSValue and returns true. Returns false
// for a missing property, a non-foldable one, or any other kind of value.
bool Graph::getRegExpPrototypeProperty(JSObject* regExpPrototype, Structure* regExpPrototypeStructure, UniquedStringImpl* uid, JSValue& returnJSValue)
{
    unsigned ignoredAttributes;
    PropertyOffset offset = regExpPrototypeStructure->getConcurrently(uid, ignoredAttributes);
    if (!isValidOffset(offset))
        return false;

    JSValue constant = tryGetConstantProperty(regExpPrototype, regExpPrototypeStructure, offset);
    if (!constant)
        return false;

    // We only care about functions and getters at this point. If you want to access other properties
    // you'll have to add code for those types.
    if (jsDynamicCast<JSFunction*>(m_vm, constant)) {
        returnJSValue = constant;
        return true;
    }

    GetterSetter* accessor = jsDynamicCast<GetterSetter*>(m_vm, constant);
    if (!accessor)
        return false;

    returnJSValue = JSValue(accessor);
    return true;
}
// Checks that the String prototype method named `uid` resolves to a JSFunction whose call
// intrinsic is StringPrototypeValueOfIntrinsic, and watches the conditions that prove it.
// Returns false if the conditions cannot be generated, the value is not such a function, or the
// conditions cannot be watched.
bool Graph::isStringPrototypeMethodSane(JSGlobalObject* globalObject, UniquedStringImpl* uid)
{
    ObjectPropertyConditionSet conditions = generateConditionsForPrototypeEquivalenceConcurrently(m_vm, globalObject, globalObject->stringObjectStructure(), globalObject->stringPrototype(), uid);
    if (!conditions.isValid())
        return false;

    ObjectPropertyCondition slotBase = conditions.slotBaseCondition();
    RELEASE_ASSERT(slotBase.hasRequiredValue());

    JSFunction* method = jsDynamicCast<JSFunction*>(m_vm, slotBase.condition().requiredValue());
    if (!method || method->executable()->intrinsicFor(CodeForCall) != StringPrototypeValueOfIntrinsic)
        return false;

    return watchConditions(conditions);
}
// Decides whether StringObject accesses at codeOrigin may be optimized. That requires no
// BadCache/BadConstantCache exit at this origin, a watchable proof that Symbol.toPrimitive is
// absent on the StringObject structure's prototype chain, and sane valueOf and toString
// methods. The StringObject structure is registered with the plan as a side effect.
bool Graph::canOptimizeStringObjectAccess(const CodeOrigin& codeOrigin)
{
    const bool exitedOnCache = hasExitSite(codeOrigin, BadCache) || hasExitSite(codeOrigin, BadConstantCache);
    if (exitedOnCache)
        return false;

    JSGlobalObject* globalObject = globalObjectFor(codeOrigin);
    Structure* stringObjectStructure = globalObjectFor(codeOrigin)->stringObjectStructure();
    registerStructure(stringObjectStructure);
    ASSERT(stringObjectStructure->storedPrototype().isObject());
    ASSERT(stringObjectStructure->storedPrototype().asCell()->classInfo(stringObjectStructure->storedPrototype().asCell()->vm()) == StringPrototype::info());

    auto toPrimitiveMiss = generateConditionsForPropertyMissConcurrently(m_vm, globalObject, stringObjectStructure, m_vm.propertyNames->toPrimitiveSymbol.impl());
    if (!watchConditions(toPrimitiveMiss))
        return false;

    // We're being conservative here. We want DFG's ToString on StringObject to be
    // used in both numeric contexts (that would call valueOf()) and string contexts
    // (that would call toString()). We don't want the DFG to have to distinguish
    // between the two, just because that seems like it would get confusing. So we
    // just require both methods to be sane.
    return isStringPrototypeMethodSane(globalObject, m_vm.propertyNames->valueOf.impl())
        && isStringPrototypeMethodSane(globalObject, m_vm.propertyNames->toString.impl());
}
// Determines whether an exception thrown at codeOrigin would be caught inside this machine
// frame. The search starts in the frame of codeOrigin and moves outwards through the direct
// callers; on success the catch origin and the handler are returned through the out parameters.
bool Graph::willCatchExceptionInMachineFrame(CodeOrigin codeOrigin, CodeOrigin& opCatchOriginOut, HandlerInfo*& catchHandlerOut)
{
    if (!m_hasExceptionHandlers)
        return false;

    for (;;) {
        BytecodeIndex throwIndex = codeOrigin.bytecodeIndex();
        InlineCallFrame* frame = codeOrigin.inlineCallFrame();
        CodeBlock* baseline = baselineCodeBlockFor(frame);

        HandlerInfo* handler = baseline->handlerForBytecodeIndex(throwIndex);
        if (handler) {
            opCatchOriginOut = CodeOrigin(BytecodeIndex(handler->target), frame);
            catchHandlerOut = handler;
            return true;
        }

        // Reached the outermost (machine) code block without finding a handler.
        if (!frame)
            return false;

        // Continue at the call site in the direct caller.
        codeOrigin = frame->directCaller;
    }

    RELEASE_ASSERT_NOT_REACHED();
}
// Decides whether the Spread `node` may take the fast path. `value` is the AbstractValue of
// child1, the thing being spread. Requires an ArrayUse edge, a finite structure set, and that
// every structure in the set has a mono proto equal to the array prototype, is not a dictionary,
// has no own Symbol.iterator property, and may not intercept indexed accesses.
bool Graph::canDoFastSpread(Node* node, const AbstractValue& value)
{
    ASSERT(node->op() == Spread);

    // Note: we only speculate on ArrayUse when we've set up the necessary watchpoints
    // to prove that the iteration protocol is non-observable starting from ArrayPrototype.
    if (node->child1().useKind() != ArrayUse)
        return false;

    // FIXME: We should add profiling of the incoming operand to Spread
    // so we can speculate in such a way that we guarantee that this
    // function would return true:
    // https://bugs.webkit.org/show_bug.cgi?id=171198
    if (!value.m_structure.isFinite())
        return false;

    ArrayPrototype* arrayPrototype = globalObjectFor(node->child1()->origin.semantic)->arrayPrototype();

    bool everyStructureQualifies = true;
    value.m_structure.forEach([&] (RegisteredStructure structure) {
        const bool qualifies = structure->hasMonoProto()
            && structure->storedPrototype() == arrayPrototype
            && !structure->isDictionary()
            && structure->getConcurrently(m_vm.propertyNames->iteratorSymbol.impl()) == invalidOffset
            && !structure->mayInterceptIndexedAccesses();
        if (!qualifies)
            everyStructureQualifies = false;
    });
    return everyStructureQualifies;
}
// Drops the cached CPS analyses: natural loops first, then dominators, then the CFG.
void Graph::clearCPSCFGData()
{
    m_cpsNaturalLoops.reset();
    m_cpsDominators.reset();
    m_cpsCFG.reset();
}
// Prints the line prefix: unless noHeader is set, a header made of the node index, block index
// and phase number (each replaced by padding when negative), followed by prefixStr if present.
// Prints nothing when the prefix is disabled.
void Prefix::dump(PrintStream& out) const
{
    if (!m_enabled)
        return;

    const bool wantsHeader = !noHeader;
    if (wantsHeader) {
        if (nodeIndex < 0)
            out.printf(" ");
        else
            out.printf("%3d ", nodeIndex);

        if (blockIndex < 0)
            out.printf(" ");
        else
            out.printf("%2d ", blockIndex);

        if (phaseNumber < 0)
            out.printf(" : ");
        else
            out.printf("%2d: ", phaseNumber);
    }

    if (prefixStr)
        out.printf("%s", prefixStr);
}
} } // namespace JSC::DFG
#endif // ENABLE(DFG_JIT)