| /* |
| * Copyright (C) 2012-2016 Apple Inc. All rights reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in the |
| * documentation and/or other materials provided with the distribution. |
| * |
| * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY |
| * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR |
| * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
| * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
| * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
| * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
| * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| */ |
| |
| #include "config.h" |
| #include "DFGFixupPhase.h" |
| |
| #if ENABLE(DFG_JIT) |
| |
| #include "ArrayPrototype.h" |
| #include "DFGGraph.h" |
| #include "DFGInferredTypeCheck.h" |
| #include "DFGInsertionSet.h" |
| #include "DFGPhase.h" |
| #include "DFGPredictionPropagationPhase.h" |
| #include "DFGVariableAccessDataDump.h" |
| #include "JSCInlines.h" |
| #include "TypeLocation.h" |
| |
| namespace JSC { namespace DFG { |
| |
| class FixupPhase : public Phase { |
| public: |
| FixupPhase(Graph& graph) |
| : Phase(graph, "fixup") |
| , m_insertionSet(graph) |
| { |
| } |
| |
| bool run() |
| { |
| ASSERT(m_graph.m_fixpointState == BeforeFixpoint); |
| ASSERT(m_graph.m_form == ThreadedCPS); |
| |
| m_profitabilityChanged = false; |
| for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) |
| fixupBlock(m_graph.block(blockIndex)); |
| |
| while (m_profitabilityChanged) { |
| m_profitabilityChanged = false; |
| |
| for (unsigned i = m_graph.m_argumentPositions.size(); i--;) |
| m_graph.m_argumentPositions[i].mergeArgumentUnboxingAwareness(); |
| |
| for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) |
| fixupGetAndSetLocalsInBlock(m_graph.block(blockIndex)); |
| } |
| |
| for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) |
| fixupChecksInBlock(m_graph.block(blockIndex)); |
| |
| m_graph.m_planStage = PlanStage::AfterFixup; |
| |
| return true; |
| } |
| |
| private: |
| void fixupBlock(BasicBlock* block) |
| { |
| if (!block) |
| return; |
| ASSERT(block->isReachable); |
| m_block = block; |
| for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) { |
| m_currentNode = block->at(m_indexInBlock); |
| fixupNode(m_currentNode); |
| } |
| m_insertionSet.execute(block); |
| } |
| |
| void fixupNode(Node* node) |
| { |
| NodeType op = node->op(); |
| |
| switch (op) { |
| case SetLocal: { |
| // This gets handled by fixupGetAndSetLocalsInBlock(). |
| return; |
| } |
| |
| case BitAnd: |
| case BitOr: |
| case BitXor: |
| case BitRShift: |
| case BitLShift: |
| case BitURShift: { |
| if (Node::shouldSpeculateUntypedForBitOps(node->child1().node(), node->child2().node())) { |
| fixEdge<UntypedUse>(node->child1()); |
| fixEdge<UntypedUse>(node->child2()); |
| break; |
| } |
| fixIntConvertingEdge(node->child1()); |
| fixIntConvertingEdge(node->child2()); |
| break; |
| } |
| |
| case ArithIMul: { |
| fixIntConvertingEdge(node->child1()); |
| fixIntConvertingEdge(node->child2()); |
| node->setOp(ArithMul); |
| node->setArithMode(Arith::Unchecked); |
| node->child1().setUseKind(Int32Use); |
| node->child2().setUseKind(Int32Use); |
| break; |
| } |
| |
| case ArithClz32: { |
| if (node->child1()->shouldSpeculateNotCell()) { |
| fixIntConvertingEdge(node->child1()); |
| node->clearFlags(NodeMustGenerate); |
| } else |
| fixEdge<UntypedUse>(node->child1()); |
| break; |
| } |
| |
| case UInt32ToNumber: { |
| fixIntConvertingEdge(node->child1()); |
| if (bytecodeCanTruncateInteger(node->arithNodeFlags())) |
| node->convertToIdentity(); |
| else if (node->canSpeculateInt32(FixupPass)) |
| node->setArithMode(Arith::CheckOverflow); |
| else { |
| node->setArithMode(Arith::DoOverflow); |
| node->clearFlags(NodeMustGenerate); |
| node->setResult(enableInt52() ? NodeResultInt52 : NodeResultDouble); |
| } |
| break; |
| } |
| |
| case ValueAdd: { |
| if (attemptToMakeIntegerAdd(node)) { |
| node->setOp(ArithAdd); |
| break; |
| } |
| if (Node::shouldSpeculateNumberOrBooleanExpectingDefined(node->child1().node(), node->child2().node())) { |
| fixDoubleOrBooleanEdge(node->child1()); |
| fixDoubleOrBooleanEdge(node->child2()); |
| node->setOp(ArithAdd); |
| node->setResult(NodeResultDouble); |
| break; |
| } |
| |
| if (attemptToMakeFastStringAdd(node)) |
| break; |
| |
| fixEdge<UntypedUse>(node->child1()); |
| fixEdge<UntypedUse>(node->child2()); |
| node->setResult(NodeResultJS); |
| break; |
| } |
| |
| case StrCat: { |
| if (attemptToMakeFastStringAdd(node)) |
| break; |
| |
| // FIXME: Remove empty string arguments and possibly turn this into a ToString operation. That |
| // would require a form of ToString that takes a KnownPrimitiveUse. This is necessary because |
| // the implementation of StrCat doesn't dynamically optimize for empty strings. |
| // https://bugs.webkit.org/show_bug.cgi?id=148540 |
| m_graph.doToChildren( |
| node, |
| [&] (Edge& edge) { |
| fixEdge<KnownPrimitiveUse>(edge); |
| }); |
| break; |
| } |
| |
| case MakeRope: { |
| fixupMakeRope(node); |
| break; |
| } |
| |
| case ArithAdd: |
| case ArithSub: { |
| if (op == ArithSub |
| && Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) { |
| fixEdge<UntypedUse>(node->child1()); |
| fixEdge<UntypedUse>(node->child2()); |
| node->setResult(NodeResultJS); |
| break; |
| } |
| if (attemptToMakeIntegerAdd(node)) |
| break; |
| fixDoubleOrBooleanEdge(node->child1()); |
| fixDoubleOrBooleanEdge(node->child2()); |
| node->setResult(NodeResultDouble); |
| break; |
| } |
| |
| case ArithNegate: { |
| if (node->child1()->shouldSpeculateInt32OrBoolean() && node->canSpeculateInt32(FixupPass)) { |
| fixIntOrBooleanEdge(node->child1()); |
| if (bytecodeCanTruncateInteger(node->arithNodeFlags())) |
| node->setArithMode(Arith::Unchecked); |
| else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) |
| node->setArithMode(Arith::CheckOverflow); |
| else |
| node->setArithMode(Arith::CheckOverflowAndNegativeZero); |
| node->setResult(NodeResultInt32); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) { |
| fixEdge<Int52RepUse>(node->child1()); |
| if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) |
| node->setArithMode(Arith::CheckOverflow); |
| else |
| node->setArithMode(Arith::CheckOverflowAndNegativeZero); |
| node->setResult(NodeResultInt52); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| if (node->child1()->shouldSpeculateNotCell()) { |
| fixDoubleOrBooleanEdge(node->child1()); |
| node->setResult(NodeResultDouble); |
| node->clearFlags(NodeMustGenerate); |
| } else |
| fixEdge<UntypedUse>(node->child1()); |
| break; |
| } |
| |
| case ArithMul: { |
| Edge& leftChild = node->child1(); |
| Edge& rightChild = node->child2(); |
| if (Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node())) { |
| fixEdge<UntypedUse>(leftChild); |
| fixEdge<UntypedUse>(rightChild); |
| node->setResult(NodeResultJS); |
| break; |
| } |
| if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) { |
| fixIntOrBooleanEdge(leftChild); |
| fixIntOrBooleanEdge(rightChild); |
| if (bytecodeCanTruncateInteger(node->arithNodeFlags())) |
| node->setArithMode(Arith::Unchecked); |
| else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) |
| || leftChild.node() == rightChild.node()) |
| node->setArithMode(Arith::CheckOverflow); |
| else |
| node->setArithMode(Arith::CheckOverflowAndNegativeZero); |
| break; |
| } |
| if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) { |
| fixEdge<Int52RepUse>(leftChild); |
| fixEdge<Int52RepUse>(rightChild); |
| if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()) |
| || leftChild.node() == rightChild.node()) |
| node->setArithMode(Arith::CheckOverflow); |
| else |
| node->setArithMode(Arith::CheckOverflowAndNegativeZero); |
| node->setResult(NodeResultInt52); |
| break; |
| } |
| fixDoubleOrBooleanEdge(leftChild); |
| fixDoubleOrBooleanEdge(rightChild); |
| node->setResult(NodeResultDouble); |
| break; |
| } |
| |
| case ArithDiv: |
| case ArithMod: { |
| Edge& leftChild = node->child1(); |
| Edge& rightChild = node->child2(); |
| if (op == ArithDiv |
| && Node::shouldSpeculateUntypedForArithmetic(leftChild.node(), rightChild.node()) |
| && m_graph.hasExitSite(node->origin.semantic, BadType)) { |
| fixEdge<UntypedUse>(leftChild); |
| fixEdge<UntypedUse>(rightChild); |
| node->setResult(NodeResultJS); |
| break; |
| } |
| if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) { |
| if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) { |
| fixIntOrBooleanEdge(leftChild); |
| fixIntOrBooleanEdge(rightChild); |
| if (bytecodeCanTruncateInteger(node->arithNodeFlags())) |
| node->setArithMode(Arith::Unchecked); |
| else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) |
| node->setArithMode(Arith::CheckOverflow); |
| else |
| node->setArithMode(Arith::CheckOverflowAndNegativeZero); |
| break; |
| } |
| |
| // This will cause conversion nodes to be inserted later. |
| fixDoubleOrBooleanEdge(leftChild); |
| fixDoubleOrBooleanEdge(rightChild); |
| |
| // We don't need to do ref'ing on the children because we're stealing them from |
| // the original division. |
| Node* newDivision = m_insertionSet.insertNode( |
| m_indexInBlock, SpecBytecodeDouble, *node); |
| newDivision->setResult(NodeResultDouble); |
| |
| node->setOp(DoubleAsInt32); |
| node->children.initialize(Edge(newDivision, DoubleRepUse), Edge(), Edge()); |
| if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) |
| node->setArithMode(Arith::CheckOverflow); |
| else |
| node->setArithMode(Arith::CheckOverflowAndNegativeZero); |
| break; |
| } |
| fixDoubleOrBooleanEdge(leftChild); |
| fixDoubleOrBooleanEdge(rightChild); |
| node->setResult(NodeResultDouble); |
| break; |
| } |
| |
| case ArithMin: |
| case ArithMax: { |
| if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) { |
| fixIntOrBooleanEdge(node->child1()); |
| fixIntOrBooleanEdge(node->child2()); |
| break; |
| } |
| fixDoubleOrBooleanEdge(node->child1()); |
| fixDoubleOrBooleanEdge(node->child2()); |
| node->setResult(NodeResultDouble); |
| break; |
| } |
| |
| case ArithAbs: { |
| if (node->child1()->shouldSpeculateInt32OrBoolean() |
| && node->canSpeculateInt32(FixupPass)) { |
| fixIntOrBooleanEdge(node->child1()); |
| if (bytecodeCanTruncateInteger(node->arithNodeFlags())) |
| node->setArithMode(Arith::Unchecked); |
| else |
| node->setArithMode(Arith::CheckOverflow); |
| node->clearFlags(NodeMustGenerate); |
| node->setResult(NodeResultInt32); |
| break; |
| } |
| |
| if (node->child1()->shouldSpeculateNotCell()) { |
| fixDoubleOrBooleanEdge(node->child1()); |
| node->clearFlags(NodeMustGenerate); |
| } else |
| fixEdge<UntypedUse>(node->child1()); |
| node->setResult(NodeResultDouble); |
| break; |
| } |
| |
| case ArithPow: { |
| if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) { |
| fixDoubleOrBooleanEdge(node->child1()); |
| fixIntOrBooleanEdge(node->child2()); |
| break; |
| } |
| |
| fixDoubleOrBooleanEdge(node->child1()); |
| fixDoubleOrBooleanEdge(node->child2()); |
| break; |
| } |
| |
| case ArithRandom: { |
| node->setResult(NodeResultDouble); |
| break; |
| } |
| |
| case ArithRound: |
| case ArithFloor: |
| case ArithCeil: |
| case ArithTrunc: { |
| if (node->child1()->shouldSpeculateInt32OrBoolean() && m_graph.roundShouldSpeculateInt32(node, FixupPass)) { |
| fixIntOrBooleanEdge(node->child1()); |
| insertCheck<Int32Use>(node->child1().node()); |
| node->convertToIdentity(); |
| break; |
| } |
| if (node->child1()->shouldSpeculateNotCell()) { |
| fixDoubleOrBooleanEdge(node->child1()); |
| |
| if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) { |
| node->setResult(NodeResultInt32); |
| if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) |
| node->setArithRoundingMode(Arith::RoundingMode::Int32); |
| else |
| node->setArithRoundingMode(Arith::RoundingMode::Int32WithNegativeZeroCheck); |
| } else { |
| node->setResult(NodeResultDouble); |
| node->setArithRoundingMode(Arith::RoundingMode::Double); |
| } |
| node->clearFlags(NodeMustGenerate); |
| } else |
| fixEdge<UntypedUse>(node->child1()); |
| break; |
| } |
| |
| case ArithCos: |
| case ArithFRound: |
| case ArithLog: |
| case ArithSin: |
| case ArithSqrt: |
| case ArithTan: { |
| Edge& child1 = node->child1(); |
| if (child1->shouldSpeculateNotCell()) { |
| fixDoubleOrBooleanEdge(child1); |
| node->clearFlags(NodeMustGenerate); |
| } else |
| fixEdge<UntypedUse>(child1); |
| break; |
| } |
| |
| case LogicalNot: { |
| if (node->child1()->shouldSpeculateBoolean()) { |
| if (node->child1()->result() == NodeResultBoolean) { |
| // This is necessary in case we have a bytecode instruction implemented by: |
| // |
| // a: CompareEq(...) |
| // b: LogicalNot(@a) |
| // |
| // In that case, CompareEq might have a side-effect. Then, we need to make |
| // sure that we know that Branch does not exit. |
| fixEdge<KnownBooleanUse>(node->child1()); |
| } else |
| fixEdge<BooleanUse>(node->child1()); |
| } else if (node->child1()->shouldSpeculateObjectOrOther()) |
| fixEdge<ObjectOrOtherUse>(node->child1()); |
| else if (node->child1()->shouldSpeculateInt32OrBoolean()) |
| fixIntOrBooleanEdge(node->child1()); |
| else if (node->child1()->shouldSpeculateNumber()) |
| fixEdge<DoubleRepUse>(node->child1()); |
| else if (node->child1()->shouldSpeculateString()) |
| fixEdge<StringUse>(node->child1()); |
| else if (node->child1()->shouldSpeculateStringOrOther()) |
| fixEdge<StringOrOtherUse>(node->child1()); |
| else { |
| WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint(); |
| if (masqueradesAsUndefinedWatchpoint->isStillValid()) |
| m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint); |
| } |
| break; |
| } |
| |
| case CompareEq: |
| case CompareLess: |
| case CompareLessEq: |
| case CompareGreater: |
| case CompareGreaterEq: { |
| if (node->op() == CompareEq |
| && Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) { |
| fixEdge<BooleanUse>(node->child1()); |
| fixEdge<BooleanUse>(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| if (Node::shouldSpeculateInt32OrBoolean(node->child1().node(), node->child2().node())) { |
| fixIntOrBooleanEdge(node->child1()); |
| fixIntOrBooleanEdge(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| if (enableInt52() |
| && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) { |
| fixEdge<Int52RepUse>(node->child1()); |
| fixEdge<Int52RepUse>(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| if (Node::shouldSpeculateNumberOrBoolean(node->child1().node(), node->child2().node())) { |
| fixDoubleOrBooleanEdge(node->child1()); |
| fixDoubleOrBooleanEdge(node->child2()); |
| } |
| if (node->op() != CompareEq |
| && node->child1()->shouldSpeculateNotCell() |
| && node->child2()->shouldSpeculateNotCell()) { |
| if (node->child1()->shouldSpeculateNumberOrBoolean()) |
| fixDoubleOrBooleanEdge(node->child1()); |
| else |
| fixEdge<DoubleRepUse>(node->child1()); |
| if (node->child2()->shouldSpeculateNumberOrBoolean()) |
| fixDoubleOrBooleanEdge(node->child2()); |
| else |
| fixEdge<DoubleRepUse>(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) { |
| fixEdge<StringIdentUse>(node->child1()); |
| fixEdge<StringIdentUse>(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && GPRInfo::numberOfRegisters >= 7) { |
| fixEdge<StringUse>(node->child1()); |
| fixEdge<StringUse>(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| |
| if (node->op() != CompareEq) |
| break; |
| if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) { |
| fixEdge<SymbolUse>(node->child1()); |
| fixEdge<SymbolUse>(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) { |
| fixEdge<ObjectUse>(node->child1()); |
| fixEdge<ObjectUse>(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| |
| // If either child can be proved to be Null or Undefined, comparing them is greatly simplified. |
| bool oneArgumentIsUsedAsSpecOther = false; |
| if (node->child1()->isUndefinedOrNullConstant()) { |
| fixEdge<OtherUse>(node->child1()); |
| oneArgumentIsUsedAsSpecOther = true; |
| } else if (node->child1()->shouldSpeculateOther()) { |
| m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child1().node(), OtherUse)); |
| fixEdge<OtherUse>(node->child1()); |
| oneArgumentIsUsedAsSpecOther = true; |
| } |
| if (node->child2()->isUndefinedOrNullConstant()) { |
| fixEdge<OtherUse>(node->child2()); |
| oneArgumentIsUsedAsSpecOther = true; |
| } else if (node->child2()->shouldSpeculateOther()) { |
| m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child2().node(), OtherUse)); |
| fixEdge<OtherUse>(node->child2()); |
| oneArgumentIsUsedAsSpecOther = true; |
| } |
| if (oneArgumentIsUsedAsSpecOther) { |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| |
| if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObjectOrOther()) { |
| fixEdge<ObjectUse>(node->child1()); |
| fixEdge<ObjectOrOtherUse>(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| if (node->child1()->shouldSpeculateObjectOrOther() && node->child2()->shouldSpeculateObject()) { |
| fixEdge<ObjectOrOtherUse>(node->child1()); |
| fixEdge<ObjectUse>(node->child2()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| |
| break; |
| } |
| |
| case CompareStrictEq: { |
| if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) { |
| fixEdge<BooleanUse>(node->child1()); |
| fixEdge<BooleanUse>(node->child2()); |
| break; |
| } |
| if (Node::shouldSpeculateInt32(node->child1().node(), node->child2().node())) { |
| fixEdge<Int32Use>(node->child1()); |
| fixEdge<Int32Use>(node->child2()); |
| break; |
| } |
| if (enableInt52() |
| && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) { |
| fixEdge<Int52RepUse>(node->child1()); |
| fixEdge<Int52RepUse>(node->child2()); |
| break; |
| } |
| if (Node::shouldSpeculateNumber(node->child1().node(), node->child2().node())) { |
| fixEdge<DoubleRepUse>(node->child1()); |
| fixEdge<DoubleRepUse>(node->child2()); |
| break; |
| } |
| if (Node::shouldSpeculateSymbol(node->child1().node(), node->child2().node())) { |
| fixEdge<SymbolUse>(node->child1()); |
| fixEdge<SymbolUse>(node->child2()); |
| break; |
| } |
| if (node->child1()->shouldSpeculateStringIdent() && node->child2()->shouldSpeculateStringIdent()) { |
| fixEdge<StringIdentUse>(node->child1()); |
| fixEdge<StringIdentUse>(node->child2()); |
| break; |
| } |
| if (node->child1()->shouldSpeculateString() && node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 7) || isFTL(m_graph.m_plan.mode))) { |
| fixEdge<StringUse>(node->child1()); |
| fixEdge<StringUse>(node->child2()); |
| break; |
| } |
| WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint(); |
| if (masqueradesAsUndefinedWatchpoint->isStillValid()) { |
| |
| if (node->child1()->shouldSpeculateObject()) { |
| m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint); |
| fixEdge<ObjectUse>(node->child1()); |
| break; |
| } |
| if (node->child2()->shouldSpeculateObject()) { |
| m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint); |
| fixEdge<ObjectUse>(node->child2()); |
| break; |
| } |
| |
| } else if (node->child1()->shouldSpeculateObject() && node->child2()->shouldSpeculateObject()) { |
| fixEdge<ObjectUse>(node->child1()); |
| fixEdge<ObjectUse>(node->child2()); |
| break; |
| } |
| if (node->child1()->shouldSpeculateSymbol()) { |
| fixEdge<SymbolUse>(node->child1()); |
| break; |
| } |
| if (node->child2()->shouldSpeculateSymbol()) { |
| fixEdge<SymbolUse>(node->child2()); |
| break; |
| } |
| if (node->child1()->shouldSpeculateMisc()) { |
| fixEdge<MiscUse>(node->child1()); |
| break; |
| } |
| if (node->child2()->shouldSpeculateMisc()) { |
| fixEdge<MiscUse>(node->child2()); |
| break; |
| } |
| if (node->child1()->shouldSpeculateStringIdent() |
| && node->child2()->shouldSpeculateNotStringVar()) { |
| fixEdge<StringIdentUse>(node->child1()); |
| fixEdge<NotStringVarUse>(node->child2()); |
| break; |
| } |
| if (node->child2()->shouldSpeculateStringIdent() |
| && node->child1()->shouldSpeculateNotStringVar()) { |
| fixEdge<StringIdentUse>(node->child2()); |
| fixEdge<NotStringVarUse>(node->child1()); |
| break; |
| } |
| if (node->child1()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) { |
| fixEdge<StringUse>(node->child1()); |
| break; |
| } |
| if (node->child2()->shouldSpeculateString() && ((GPRInfo::numberOfRegisters >= 8) || isFTL(m_graph.m_plan.mode))) { |
| fixEdge<StringUse>(node->child2()); |
| break; |
| } |
| break; |
| } |
| |
| case StringFromCharCode: |
| if (node->child1()->shouldSpeculateInt32()) |
| fixEdge<Int32Use>(node->child1()); |
| else |
| fixEdge<UntypedUse>(node->child1()); |
| break; |
| |
| case StringCharAt: |
| case StringCharCodeAt: { |
| // Currently we have no good way of refining these. |
| ASSERT(node->arrayMode() == ArrayMode(Array::String)); |
| blessArrayOperation(node->child1(), node->child2(), node->child3()); |
| fixEdge<KnownCellUse>(node->child1()); |
| fixEdge<Int32Use>(node->child2()); |
| break; |
| } |
| |
| case GetByVal: { |
| if (!node->prediction()) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, ForceOSRExit, node->origin); |
| } |
| |
| node->setArrayMode( |
| node->arrayMode().refine( |
| m_graph, node, |
| node->child1()->prediction(), |
| node->child2()->prediction(), |
| SpecNone)); |
| |
| blessArrayOperation(node->child1(), node->child2(), node->child3()); |
| |
| ArrayMode arrayMode = node->arrayMode(); |
| switch (arrayMode.type()) { |
| case Array::Contiguous: |
| case Array::Double: |
| if (arrayMode.arrayClass() == Array::OriginalArray |
| && arrayMode.speculation() == Array::InBounds) { |
| JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic); |
| if (globalObject->arrayPrototypeChainIsSane()) { |
| // Check if SaneChain will work on a per-type basis. Note that: |
| // |
| // 1) We don't want double arrays to sometimes return undefined, since |
| // that would require a change to the return type and it would pessimise |
| // things a lot. So, we'd only want to do that if we actually had |
| // evidence that we could read from a hole. That's pretty annoying. |
| // Likely the best way to handle that case is with an equivalent of |
| // SaneChain for OutOfBounds. For now we just detect when Undefined and |
| // NaN are indistinguishable according to backwards propagation, and just |
| // use SaneChain in that case. This happens to catch a lot of cases. |
| // |
| // 2) We don't want int32 array loads to have to do a hole check just to |
| // coerce to Undefined, since that would mean twice the checks. |
| // |
| // This has two implications. First, we have to do more checks than we'd |
| // like. It's unfortunate that we have to do the hole check. Second, |
| // some accesses that hit a hole will now need to take the full-blown |
| // out-of-bounds slow path. We can fix that with: |
| // https://bugs.webkit.org/show_bug.cgi?id=144668 |
| |
| bool canDoSaneChain = false; |
| switch (arrayMode.type()) { |
| case Array::Contiguous: |
| // This is happens to be entirely natural. We already would have |
| // returned any JSValue, and now we'll return Undefined. We still do |
| // the check but it doesn't require taking any kind of slow path. |
| canDoSaneChain = true; |
| break; |
| |
| case Array::Double: |
| if (!(node->flags() & NodeBytecodeUsesAsOther)) { |
| // Holes look like NaN already, so if the user doesn't care |
| // about the difference between Undefined and NaN then we can |
| // do this. |
| canDoSaneChain = true; |
| } |
| break; |
| |
| default: |
| break; |
| } |
| |
| if (canDoSaneChain) { |
| m_graph.watchpoints().addLazily( |
| globalObject->arrayPrototype()->structure()->transitionWatchpointSet()); |
| m_graph.watchpoints().addLazily( |
| globalObject->objectPrototype()->structure()->transitionWatchpointSet()); |
| if (globalObject->arrayPrototypeChainIsSane()) |
| node->setArrayMode(arrayMode.withSpeculation(Array::SaneChain)); |
| } |
| } |
| } |
| break; |
| |
| case Array::String: |
| if ((node->prediction() & ~SpecString) |
| || m_graph.hasExitSite(node->origin.semantic, OutOfBounds)) |
| node->setArrayMode(arrayMode.withSpeculation(Array::OutOfBounds)); |
| break; |
| |
| default: |
| break; |
| } |
| |
| arrayMode = node->arrayMode(); |
| switch (arrayMode.type()) { |
| case Array::SelectUsingPredictions: |
| case Array::Unprofiled: |
| RELEASE_ASSERT_NOT_REACHED(); |
| break; |
| case Array::Generic: |
| #if USE(JSVALUE32_64) |
| fixEdge<CellUse>(node->child1()); // Speculating cell due to register pressure on 32-bit. |
| #endif |
| break; |
| case Array::ForceExit: |
| break; |
| default: |
| fixEdge<KnownCellUse>(node->child1()); |
| fixEdge<Int32Use>(node->child2()); |
| break; |
| } |
| |
| switch (arrayMode.type()) { |
| case Array::Double: |
| if (!arrayMode.isOutOfBounds()) |
| node->setResult(NodeResultDouble); |
| break; |
| |
| case Array::Float32Array: |
| case Array::Float64Array: |
| node->setResult(NodeResultDouble); |
| break; |
| |
| case Array::Uint32Array: |
| if (node->shouldSpeculateInt32()) |
| break; |
| if (node->shouldSpeculateAnyInt() && enableInt52()) |
| node->setResult(NodeResultInt52); |
| else |
| node->setResult(NodeResultDouble); |
| break; |
| |
| default: |
| break; |
| } |
| |
| break; |
| } |
| |
| case PutByValDirect: |
| case PutByVal: |
| case PutByValAlias: { |
| Edge& child1 = m_graph.varArgChild(node, 0); |
| Edge& child2 = m_graph.varArgChild(node, 1); |
| Edge& child3 = m_graph.varArgChild(node, 2); |
| |
| node->setArrayMode( |
| node->arrayMode().refine( |
| m_graph, node, |
| child1->prediction(), |
| child2->prediction(), |
| child3->prediction())); |
| |
| blessArrayOperation(child1, child2, m_graph.varArgChild(node, 3)); |
| |
| switch (node->arrayMode().modeForPut().type()) { |
| case Array::SelectUsingPredictions: |
| case Array::SelectUsingArguments: |
| case Array::Unprofiled: |
| case Array::Undecided: |
| RELEASE_ASSERT_NOT_REACHED(); |
| break; |
| case Array::ForceExit: |
| case Array::Generic: |
| #if USE(JSVALUE32_64) |
| // Due to register pressure on 32-bit, we speculate cell and |
| // ignore the base-is-not-cell case entirely by letting the |
| // baseline JIT handle it. |
| fixEdge<CellUse>(child1); |
| #endif |
| break; |
| case Array::Int32: |
| fixEdge<KnownCellUse>(child1); |
| fixEdge<Int32Use>(child2); |
| fixEdge<Int32Use>(child3); |
| break; |
| case Array::Double: |
| fixEdge<KnownCellUse>(child1); |
| fixEdge<Int32Use>(child2); |
| fixEdge<DoubleRepRealUse>(child3); |
| break; |
| case Array::Int8Array: |
| case Array::Int16Array: |
| case Array::Int32Array: |
| case Array::Uint8Array: |
| case Array::Uint8ClampedArray: |
| case Array::Uint16Array: |
| case Array::Uint32Array: |
| fixEdge<KnownCellUse>(child1); |
| fixEdge<Int32Use>(child2); |
| if (child3->shouldSpeculateInt32()) |
| fixIntOrBooleanEdge(child3); |
| else if (child3->shouldSpeculateAnyInt()) |
| fixEdge<Int52RepUse>(child3); |
| else |
| fixDoubleOrBooleanEdge(child3); |
| break; |
| case Array::Float32Array: |
| case Array::Float64Array: |
| fixEdge<KnownCellUse>(child1); |
| fixEdge<Int32Use>(child2); |
| fixDoubleOrBooleanEdge(child3); |
| break; |
| case Array::Contiguous: |
| case Array::ArrayStorage: |
| case Array::SlowPutArrayStorage: |
| fixEdge<KnownCellUse>(child1); |
| fixEdge<Int32Use>(child2); |
| speculateForBarrier(child3); |
| break; |
| default: |
| fixEdge<KnownCellUse>(child1); |
| fixEdge<Int32Use>(child2); |
| break; |
| } |
| break; |
| } |
| |
| case ArrayPush: { |
| // May need to refine the array mode in case the value prediction contravenes |
| // the array prediction. For example, we may have evidence showing that the |
| // array is in Int32 mode, but the value we're storing is likely to be a double. |
| // Then we should turn this into a conversion to Double array followed by the |
| // push. On the other hand, we absolutely don't want to refine based on the |
| // base prediction. If it has non-cell garbage in it, then we want that to be |
| // ignored. That's because ArrayPush can't handle any array modes that aren't |
| // array-related - so if refine() turned this into a "Generic" ArrayPush then |
| // that would break things. |
| node->setArrayMode( |
| node->arrayMode().refine( |
| m_graph, node, |
| node->child1()->prediction() & SpecCell, |
| SpecInt32Only, |
| node->child2()->prediction())); |
| blessArrayOperation(node->child1(), Edge(), node->child3()); |
| fixEdge<KnownCellUse>(node->child1()); |
| |
| switch (node->arrayMode().type()) { |
| case Array::Int32: |
| fixEdge<Int32Use>(node->child2()); |
| break; |
| case Array::Double: |
| fixEdge<DoubleRepRealUse>(node->child2()); |
| break; |
| case Array::Contiguous: |
| case Array::ArrayStorage: |
| speculateForBarrier(node->child2()); |
| break; |
| default: |
| break; |
| } |
| break; |
| } |
| |
| case ArrayPop: { |
| blessArrayOperation(node->child1(), Edge(), node->child2()); |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case ArraySlice: { |
| fixEdge<KnownCellUse>(m_graph.varArgChild(node, 0)); |
| fixEdge<Int32Use>(m_graph.varArgChild(node, 1)); |
| if (node->numChildren() == 4) |
| fixEdge<Int32Use>(m_graph.varArgChild(node, 2)); |
| break; |
| } |
| |
| case RegExpExec: |
| case RegExpTest: { |
| fixEdge<KnownCellUse>(node->child1()); |
| |
| if (node->child2()->shouldSpeculateRegExpObject()) { |
| fixEdge<RegExpObjectUse>(node->child2()); |
| |
| if (node->child3()->shouldSpeculateString()) |
| fixEdge<StringUse>(node->child3()); |
| } |
| break; |
| } |
| |
| case StringReplace: |
| case StringReplaceRegExp: { |
| if (node->child2()->shouldSpeculateString()) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child2().node(), StringUse)); |
| fixEdge<StringUse>(node->child2()); |
| } else if (op == StringReplace) { |
| if (node->child2()->shouldSpeculateRegExpObject()) |
| addStringReplacePrimordialChecks(node->child2().node()); |
| else |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, ForceOSRExit, node->origin); |
| } |
| |
| if (node->child1()->shouldSpeculateString() |
| && node->child2()->shouldSpeculateRegExpObject() |
| && node->child3()->shouldSpeculateString()) { |
| |
| fixEdge<StringUse>(node->child1()); |
| fixEdge<RegExpObjectUse>(node->child2()); |
| fixEdge<StringUse>(node->child3()); |
| break; |
| } |
| break; |
| } |
| |
| case Branch: { |
| if (node->child1()->shouldSpeculateBoolean()) { |
| if (node->child1()->result() == NodeResultBoolean) { |
| // This is necessary in case we have a bytecode instruction implemented by: |
| // |
| // a: CompareEq(...) |
| // b: Branch(@a) |
| // |
| // In that case, CompareEq might have a side-effect. Then, we need to make |
| // sure that we know that Branch does not exit. |
| fixEdge<KnownBooleanUse>(node->child1()); |
| } else |
| fixEdge<BooleanUse>(node->child1()); |
| } else if (node->child1()->shouldSpeculateObjectOrOther()) |
| fixEdge<ObjectOrOtherUse>(node->child1()); |
| else if (node->child1()->shouldSpeculateInt32OrBoolean()) |
| fixIntOrBooleanEdge(node->child1()); |
| else if (node->child1()->shouldSpeculateNumber()) |
| fixEdge<DoubleRepUse>(node->child1()); |
| else if (node->child1()->shouldSpeculateString()) |
| fixEdge<StringUse>(node->child1()); |
| else if (node->child1()->shouldSpeculateStringOrOther()) |
| fixEdge<StringOrOtherUse>(node->child1()); |
| else { |
| WatchpointSet* masqueradesAsUndefinedWatchpoint = m_graph.globalObjectFor(node->origin.semantic)->masqueradesAsUndefinedWatchpoint(); |
| if (masqueradesAsUndefinedWatchpoint->isStillValid()) |
| m_graph.watchpoints().addLazily(masqueradesAsUndefinedWatchpoint); |
| } |
| break; |
| } |
| |
| case Switch: { |
| SwitchData* data = node->switchData(); |
| switch (data->kind) { |
| case SwitchImm: |
| if (node->child1()->shouldSpeculateInt32()) |
| fixEdge<Int32Use>(node->child1()); |
| break; |
| case SwitchChar: |
| if (node->child1()->shouldSpeculateString()) |
| fixEdge<StringUse>(node->child1()); |
| break; |
| case SwitchString: |
| if (node->child1()->shouldSpeculateStringIdent()) |
| fixEdge<StringIdentUse>(node->child1()); |
| else if (node->child1()->shouldSpeculateString()) |
| fixEdge<StringUse>(node->child1()); |
| break; |
| case SwitchCell: |
| if (node->child1()->shouldSpeculateCell()) |
| fixEdge<CellUse>(node->child1()); |
| // else it's fine for this to have UntypedUse; we will handle this by just making |
| // non-cells take the default case. |
| break; |
| } |
| break; |
| } |
| |
| case ToPrimitive: { |
| fixupToPrimitive(node); |
| break; |
| } |
| |
| case ToNumber: { |
| fixupToNumber(node); |
| break; |
| } |
| |
| case ToString: |
| case CallStringConstructor: { |
| fixupToStringOrCallStringConstructor(node); |
| break; |
| } |
| |
| case NewStringObject: { |
| fixEdge<KnownStringUse>(node->child1()); |
| break; |
| } |
| |
| case NewArrayWithSpread: { |
| watchHavingABadTime(node); |
| |
| BitVector* bitVector = node->bitVector(); |
| for (unsigned i = node->numChildren(); i--;) { |
| if (bitVector->get(i)) |
| fixEdge<KnownCellUse>(m_graph.m_varArgChildren[node->firstChild() + i]); |
| else |
| fixEdge<UntypedUse>(m_graph.m_varArgChildren[node->firstChild() + i]); |
| } |
| |
| break; |
| } |
| |
| case Spread: { |
| // Note: We care about performing the protocol on our child's global object, not necessarily ours. |
| |
| watchHavingABadTime(node->child1().node()); |
| |
| JSGlobalObject* globalObject = m_graph.globalObjectFor(node->child1()->origin.semantic); |
| // When we go down the fast path, we don't consult the prototype chain, so we must prove |
| // that it doesn't contain any indexed properties, and that any holes will result in |
| // jsUndefined(). |
| InlineWatchpointSet& objectPrototypeTransition = globalObject->objectPrototype()->structure()->transitionWatchpointSet(); |
| InlineWatchpointSet& arrayPrototypeTransition = globalObject->arrayPrototype()->structure()->transitionWatchpointSet(); |
| if (node->child1()->shouldSpeculateArray() |
| && arrayPrototypeTransition.isStillValid() |
| && objectPrototypeTransition.isStillValid() |
| && globalObject->arrayPrototypeChainIsSane() |
| && m_graph.isWatchingArrayIteratorProtocolWatchpoint(node->child1().node()) |
| && m_graph.isWatchingHavingABadTimeWatchpoint(node->child1().node())) { |
| m_graph.watchpoints().addLazily(objectPrototypeTransition); |
| m_graph.watchpoints().addLazily(arrayPrototypeTransition); |
| fixEdge<ArrayUse>(node->child1()); |
| } else |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| |
| case NewArray: { |
| watchHavingABadTime(node); |
| |
| for (unsigned i = m_graph.varArgNumChildren(node); i--;) { |
| node->setIndexingType( |
| leastUpperBoundOfIndexingTypeAndType( |
| node->indexingType(), m_graph.varArgChild(node, i)->prediction())); |
| } |
| switch (node->indexingType()) { |
| case ALL_BLANK_INDEXING_TYPES: |
| CRASH(); |
| break; |
| case ALL_UNDECIDED_INDEXING_TYPES: |
| if (node->numChildren()) { |
| // This will only happen if the children have no type predictions. We |
| // would have already exited by now, but insert a forced exit just to |
| // be safe. |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, ForceOSRExit, node->origin); |
| } |
| break; |
| case ALL_INT32_INDEXING_TYPES: |
| for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex) |
| fixEdge<Int32Use>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]); |
| break; |
| case ALL_DOUBLE_INDEXING_TYPES: |
| for (unsigned operandIndex = 0; operandIndex < node->numChildren(); ++operandIndex) |
| fixEdge<DoubleRepRealUse>(m_graph.m_varArgChildren[node->firstChild() + operandIndex]); |
| break; |
| case ALL_CONTIGUOUS_INDEXING_TYPES: |
| case ALL_ARRAY_STORAGE_INDEXING_TYPES: |
| break; |
| default: |
| CRASH(); |
| break; |
| } |
| break; |
| } |
| |
| case NewTypedArray: { |
| watchHavingABadTime(node); |
| |
| if (node->child1()->shouldSpeculateInt32()) { |
| fixEdge<Int32Use>(node->child1()); |
| node->clearFlags(NodeMustGenerate); |
| break; |
| } |
| break; |
| } |
| |
| case NewArrayWithSize: { |
| watchHavingABadTime(node); |
| fixEdge<Int32Use>(node->child1()); |
| break; |
| } |
| |
| case NewArrayBuffer: { |
| watchHavingABadTime(node); |
| break; |
| } |
| |
| case CallObjectConstructor: { |
| if (node->child1()->shouldSpeculateObject()) { |
| fixEdge<ObjectUse>(node->child1()); |
| node->convertToIdentity(); |
| break; |
| } |
| |
| fixEdge<UntypedUse>(node->child1()); |
| break; |
| } |
| |
| case ToThis: { |
| fixupToThis(node); |
| break; |
| } |
| |
| case PutStructure: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case GetClosureVar: |
| case GetFromArguments: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case PutClosureVar: |
| case PutToArguments: { |
| fixEdge<KnownCellUse>(node->child1()); |
| speculateForBarrier(node->child2()); |
| break; |
| } |
| |
| case SkipScope: |
| case GetScope: |
| case GetGetter: |
| case GetSetter: |
| case GetGlobalObject: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case AllocatePropertyStorage: |
| case ReallocatePropertyStorage: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case NukeStructureAndSetButterfly: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case TryGetById: { |
| if (node->child1()->shouldSpeculateCell()) |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| |
| case GetById: |
| case GetByIdFlush: { |
| // FIXME: This should be done in the ByteCodeParser based on reading the |
| // PolymorphicAccess, which will surely tell us that this is a AccessCase::ArrayLength. |
| // https://bugs.webkit.org/show_bug.cgi?id=154990 |
| if (node->child1()->shouldSpeculateCellOrOther() |
| && !m_graph.hasExitSite(node->origin.semantic, BadType) |
| && !m_graph.hasExitSite(node->origin.semantic, BadCache) |
| && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType) |
| && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) { |
| |
| auto uid = m_graph.identifiers()[node->identifierNumber()]; |
| |
| if (uid == vm().propertyNames->length.impl()) { |
| attemptToMakeGetArrayLength(node); |
| break; |
| } |
| |
| if (uid == vm().propertyNames->lastIndex.impl() |
| && node->child1()->shouldSpeculateRegExpObject()) { |
| node->setOp(GetRegExpObjectLastIndex); |
| node->clearFlags(NodeMustGenerate); |
| fixEdge<RegExpObjectUse>(node->child1()); |
| break; |
| } |
| } |
| |
| if (node->child1()->shouldSpeculateCell()) |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| |
| case PutById: |
| case PutByIdFlush: |
| case PutByIdDirect: { |
| if (node->child1()->shouldSpeculateCellOrOther() |
| && !m_graph.hasExitSite(node->origin.semantic, BadType) |
| && !m_graph.hasExitSite(node->origin.semantic, BadCache) |
| && !m_graph.hasExitSite(node->origin.semantic, BadIndexingType) |
| && !m_graph.hasExitSite(node->origin.semantic, ExoticObjectMode)) { |
| |
| auto uid = m_graph.identifiers()[node->identifierNumber()]; |
| |
| if (uid == vm().propertyNames->lastIndex.impl() |
| && node->child1()->shouldSpeculateRegExpObject()) { |
| node->setOp(SetRegExpObjectLastIndex); |
| fixEdge<RegExpObjectUse>(node->child1()); |
| speculateForBarrier(node->child2()); |
| break; |
| } |
| } |
| |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| |
| case PutGetterById: |
| case PutSetterById: { |
| fixEdge<KnownCellUse>(node->child1()); |
| fixEdge<KnownCellUse>(node->child2()); |
| break; |
| } |
| |
| case PutGetterSetterById: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case PutGetterByVal: |
| case PutSetterByVal: { |
| fixEdge<KnownCellUse>(node->child1()); |
| fixEdge<KnownCellUse>(node->child3()); |
| break; |
| } |
| |
| case GetExecutable: { |
| fixEdge<FunctionUse>(node->child1()); |
| break; |
| } |
| |
| case OverridesHasInstance: |
| case CheckStructure: |
| case CheckCell: |
| case CreateThis: |
| case GetButterfly: { |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| |
| case CheckStringIdent: { |
| fixEdge<StringIdentUse>(node->child1()); |
| break; |
| } |
| |
| case Arrayify: |
| case ArrayifyToStructure: { |
| fixEdge<CellUse>(node->child1()); |
| if (node->child2()) |
| fixEdge<Int32Use>(node->child2()); |
| break; |
| } |
| |
| case GetByOffset: |
| case GetGetterSetterByOffset: { |
| if (!node->child1()->hasStorageResult()) |
| fixEdge<KnownCellUse>(node->child1()); |
| fixEdge<KnownCellUse>(node->child2()); |
| break; |
| } |
| |
| case MultiGetByOffset: { |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| |
| case PutByOffset: { |
| if (!node->child1()->hasStorageResult()) |
| fixEdge<KnownCellUse>(node->child1()); |
| fixEdge<KnownCellUse>(node->child2()); |
| unsigned index = indexForChecks(); |
| insertInferredTypeCheck( |
| m_insertionSet, index, originForCheck(index), node->child3().node(), |
| node->storageAccessData().inferredType); |
| speculateForBarrier(node->child3()); |
| break; |
| } |
| |
| case MultiPutByOffset: { |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| |
| case InstanceOf: { |
| if (!(node->child1()->prediction() & ~SpecCell)) |
| fixEdge<CellUse>(node->child1()); |
| fixEdge<CellUse>(node->child2()); |
| break; |
| } |
| |
| case InstanceOfCustom: |
| fixEdge<CellUse>(node->child2()); |
| break; |
| |
| case In: { |
| // FIXME: We should at some point have array profiling on op_in, in which |
| // case we would be able to turn this into a kind of GetByVal. |
| |
| fixEdge<CellUse>(node->child2()); |
| break; |
| } |
| |
| case HasOwnProperty: { |
| fixEdge<ObjectUse>(node->child1()); |
| #if CPU(X86) && USE(JSVALUE32_64) |
| // We don't have enough registers to do anything interesting on x86. |
| fixEdge<UntypedUse>(node->child2()); |
| #else |
| if (node->child2()->shouldSpeculateString()) |
| fixEdge<StringUse>(node->child2()); |
| else if (node->child2()->shouldSpeculateSymbol()) |
| fixEdge<SymbolUse>(node->child2()); |
| else |
| fixEdge<UntypedUse>(node->child2()); |
| #endif |
| break; |
| } |
| |
| case Check: { |
| m_graph.doToChildren( |
| node, |
| [&] (Edge& edge) { |
| switch (edge.useKind()) { |
| case NumberUse: |
| if (edge->shouldSpeculateInt32ForArithmetic()) |
| edge.setUseKind(Int32Use); |
| break; |
| default: |
| break; |
| } |
| observeUseKindOnEdge(edge); |
| }); |
| break; |
| } |
| |
| case Phantom: |
| // Phantoms are meaningless past Fixup. We recreate them on-demand in the backend. |
| node->remove(); |
| break; |
| |
| case FiatInt52: { |
| RELEASE_ASSERT(enableInt52()); |
| node->convertToIdentity(); |
| fixEdge<Int52RepUse>(node->child1()); |
| node->setResult(NodeResultInt52); |
| break; |
| } |
| |
| case GetArrayLength: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case GetTypedArrayByteOffset: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case Phi: |
| case Upsilon: |
| case GetIndexedPropertyStorage: |
| case LastNodeType: |
| case CheckTierUpInLoop: |
| case CheckTierUpAtReturn: |
| case CheckTierUpAndOSREnter: |
| case InvalidationPoint: |
| case CheckArray: |
| case CheckInBounds: |
| case ConstantStoragePointer: |
| case DoubleAsInt32: |
| case ValueToInt32: |
| case DoubleRep: |
| case ValueRep: |
| case Int52Rep: |
| case Int52Constant: |
| case Identity: // This should have been cleaned up. |
| case BooleanToNumber: |
| case PhantomNewObject: |
| case PhantomNewFunction: |
| case PhantomNewGeneratorFunction: |
| case PhantomNewAsyncFunction: |
| case PhantomCreateActivation: |
| case PhantomDirectArguments: |
| case PhantomCreateRest: |
| case PhantomSpread: |
| case PhantomNewArrayWithSpread: |
| case PhantomClonedArguments: |
| case GetMyArgumentByVal: |
| case GetMyArgumentByValOutOfBounds: |
| case PutHint: |
| case CheckStructureImmediate: |
| case MaterializeNewObject: |
| case MaterializeCreateActivation: |
| case PutStack: |
| case KillStack: |
| case GetStack: |
| case StoreBarrier: |
| case FencedStoreBarrier: |
| case GetRegExpObjectLastIndex: |
| case SetRegExpObjectLastIndex: |
| case RecordRegExpCachedResult: |
| // These are just nodes that we don't currently expect to see during fixup. |
| // If we ever wanted to insert them prior to fixup, then we just have to create |
| // fixup rules for them. |
| DFG_CRASH(m_graph, node, "Unexpected node during fixup"); |
| break; |
| |
| case PutGlobalVariable: { |
| fixEdge<CellUse>(node->child1()); |
| speculateForBarrier(node->child2()); |
| break; |
| } |
| |
| case IsObject: |
| if (node->child1()->shouldSpeculateObject()) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child1().node(), ObjectUse)); |
| m_graph.convertToConstant(node, jsBoolean(true)); |
| observeUseKindOnNode<ObjectUse>(node); |
| } |
| break; |
| |
| case IsCellWithType: { |
| fixupIsCellWithType(node); |
| break; |
| } |
| |
| case GetEnumerableLength: { |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| case HasGenericProperty: { |
| fixEdge<CellUse>(node->child2()); |
| break; |
| } |
| case HasStructureProperty: { |
| fixEdge<StringUse>(node->child2()); |
| fixEdge<KnownCellUse>(node->child3()); |
| break; |
| } |
| case HasIndexedProperty: { |
| node->setArrayMode( |
| node->arrayMode().refine( |
| m_graph, node, |
| node->child1()->prediction(), |
| node->child2()->prediction(), |
| SpecNone)); |
| |
| blessArrayOperation(node->child1(), node->child2(), node->child3()); |
| fixEdge<CellUse>(node->child1()); |
| fixEdge<KnownInt32Use>(node->child2()); |
| break; |
| } |
| case GetDirectPname: { |
| Edge& base = m_graph.varArgChild(node, 0); |
| Edge& property = m_graph.varArgChild(node, 1); |
| Edge& index = m_graph.varArgChild(node, 2); |
| Edge& enumerator = m_graph.varArgChild(node, 3); |
| fixEdge<CellUse>(base); |
| fixEdge<KnownCellUse>(property); |
| fixEdge<KnownInt32Use>(index); |
| fixEdge<KnownCellUse>(enumerator); |
| break; |
| } |
| case GetPropertyEnumerator: { |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| case GetEnumeratorStructurePname: { |
| fixEdge<KnownCellUse>(node->child1()); |
| fixEdge<KnownInt32Use>(node->child2()); |
| break; |
| } |
| case GetEnumeratorGenericPname: { |
| fixEdge<KnownCellUse>(node->child1()); |
| fixEdge<KnownInt32Use>(node->child2()); |
| break; |
| } |
| case ToIndexString: { |
| fixEdge<KnownInt32Use>(node->child1()); |
| break; |
| } |
| case ProfileType: { |
| // We want to insert type checks based on the instructionTypeSet of the TypeLocation, not the globalTypeSet. |
| // Because the instructionTypeSet is contained in globalTypeSet, if we produce a type check for |
| // type T for the instructionTypeSet, the global type set must also have information for type T. |
| // So if it the type check succeeds for type T in the instructionTypeSet, a type check for type T |
| // in the globalTypeSet would've also succeeded. |
| // (The other direction does not hold in general). |
| |
| RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet; |
| RuntimeTypeMask seenTypes = typeSet->seenTypes(); |
| if (typeSet->doesTypeConformTo(TypeAnyInt)) { |
| if (node->child1()->shouldSpeculateInt32()) { |
| fixEdge<Int32Use>(node->child1()); |
| node->remove(); |
| break; |
| } |
| |
| if (enableInt52()) { |
| fixEdge<AnyIntUse>(node->child1()); |
| node->remove(); |
| break; |
| } |
| |
| // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged. |
| } |
| |
| if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) { |
| fixEdge<NumberUse>(node->child1()); |
| node->remove(); |
| } else if (typeSet->doesTypeConformTo(TypeString)) { |
| fixEdge<StringUse>(node->child1()); |
| node->remove(); |
| } else if (typeSet->doesTypeConformTo(TypeBoolean)) { |
| fixEdge<BooleanUse>(node->child1()); |
| node->remove(); |
| } else if (typeSet->doesTypeConformTo(TypeUndefined | TypeNull) && (seenTypes & TypeUndefined) && (seenTypes & TypeNull)) { |
| fixEdge<OtherUse>(node->child1()); |
| node->remove(); |
| } else if (typeSet->doesTypeConformTo(TypeObject)) { |
| StructureSet set; |
| { |
| ConcurrentJSLocker locker(typeSet->m_lock); |
| set = typeSet->structureSet(locker); |
| } |
| if (!set.isEmpty()) { |
| fixEdge<CellUse>(node->child1()); |
| node->convertToCheckStructure(m_graph.addStructureSet(set)); |
| } |
| } |
| |
| break; |
| } |
| |
| case CreateClonedArguments: { |
| watchHavingABadTime(node); |
| break; |
| } |
| |
| case CreateScopedArguments: |
| case CreateActivation: |
| case NewFunction: |
| case NewGeneratorFunction: |
| case NewAsyncFunction: { |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| |
| case SetFunctionName: { |
| // The first child is guaranteed to be a cell because op_set_function_name is only used |
| // on a newly instantiated function object (the first child). |
| fixEdge<KnownCellUse>(node->child1()); |
| fixEdge<UntypedUse>(node->child2()); |
| break; |
| } |
| |
| case CreateRest: { |
| watchHavingABadTime(node); |
| fixEdge<KnownInt32Use>(node->child1()); |
| break; |
| } |
| |
| case ResolveScope: |
| case GetDynamicVar: |
| case PutDynamicVar: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| |
| case LogShadowChickenPrologue: { |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| } |
| case LogShadowChickenTail: { |
| fixEdge<UntypedUse>(node->child1()); |
| fixEdge<KnownCellUse>(node->child2()); |
| break; |
| } |
| |
| case GetMapBucket: |
| if (node->child1().useKind() == MapObjectUse) |
| fixEdge<MapObjectUse>(node->child1()); |
| else if (node->child1().useKind() == SetObjectUse) |
| fixEdge<SetObjectUse>(node->child1()); |
| else |
| RELEASE_ASSERT_NOT_REACHED(); |
| |
| #if USE(JSVALUE64) |
| if (node->child2()->shouldSpeculateBoolean()) |
| fixEdge<BooleanUse>(node->child2()); |
| else if (node->child2()->shouldSpeculateInt32()) |
| fixEdge<Int32Use>(node->child2()); |
| else if (node->child2()->shouldSpeculateSymbol()) |
| fixEdge<SymbolUse>(node->child2()); |
| else if (node->child2()->shouldSpeculateObject()) |
| fixEdge<ObjectUse>(node->child2()); |
| else if (node->child2()->shouldSpeculateString()) |
| fixEdge<StringUse>(node->child2()); |
| else if (node->child2()->shouldSpeculateCell()) |
| fixEdge<CellUse>(node->child2()); |
| else |
| fixEdge<UntypedUse>(node->child2()); |
| #else |
| fixEdge<UntypedUse>(node->child2()); |
| #endif // USE(JSVALUE64) |
| |
| fixEdge<Int32Use>(node->child3()); |
| break; |
| |
| case LoadFromJSMapBucket: |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| |
| case IsNonEmptyMapBucket: |
| fixEdge<KnownCellUse>(node->child1()); |
| break; |
| |
| case MapHash: { |
| #if USE(JSVALUE64) |
| if (node->child1()->shouldSpeculateBoolean()) { |
| fixEdge<BooleanUse>(node->child1()); |
| break; |
| } |
| |
| if (node->child1()->shouldSpeculateInt32()) { |
| fixEdge<Int32Use>(node->child1()); |
| break; |
| } |
| |
| if (node->child1()->shouldSpeculateSymbol()) { |
| fixEdge<SymbolUse>(node->child1()); |
| break; |
| } |
| |
| if (node->child1()->shouldSpeculateObject()) { |
| fixEdge<ObjectUse>(node->child1()); |
| break; |
| } |
| |
| if (node->child1()->shouldSpeculateString()) { |
| fixEdge<StringUse>(node->child1()); |
| break; |
| } |
| |
| if (node->child1()->shouldSpeculateCell()) { |
| fixEdge<CellUse>(node->child1()); |
| break; |
| } |
| |
| fixEdge<UntypedUse>(node->child1()); |
| #else |
| fixEdge<UntypedUse>(node->child1()); |
| #endif // USE(JSVALUE64) |
| break; |
| } |
| |
| case DefineDataProperty: { |
| fixEdge<CellUse>(m_graph.varArgChild(node, 0)); |
| Edge& propertyEdge = m_graph.varArgChild(node, 1); |
| if (propertyEdge->shouldSpeculateSymbol()) |
| fixEdge<SymbolUse>(propertyEdge); |
| else if (propertyEdge->shouldSpeculateStringIdent()) |
| fixEdge<StringIdentUse>(propertyEdge); |
| else if (propertyEdge->shouldSpeculateString()) |
| fixEdge<StringUse>(propertyEdge); |
| else |
| fixEdge<UntypedUse>(propertyEdge); |
| fixEdge<UntypedUse>(m_graph.varArgChild(node, 2)); |
| fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 3)); |
| break; |
| } |
| |
| case ToLowerCase: { |
| // We currently only support StringUse since that will ensure that |
| // ToLowerCase is a pure operation. If we decide to update this with |
| // more types in the future, we need to ensure that the clobberize rules |
| // are correct. |
| fixEdge<StringUse>(node->child1()); |
| break; |
| } |
| |
| case DefineAccessorProperty: { |
| fixEdge<CellUse>(m_graph.varArgChild(node, 0)); |
| Edge& propertyEdge = m_graph.varArgChild(node, 1); |
| if (propertyEdge->shouldSpeculateSymbol()) |
| fixEdge<SymbolUse>(propertyEdge); |
| else if (propertyEdge->shouldSpeculateStringIdent()) |
| fixEdge<StringIdentUse>(propertyEdge); |
| else if (propertyEdge->shouldSpeculateString()) |
| fixEdge<StringUse>(propertyEdge); |
| else |
| fixEdge<UntypedUse>(propertyEdge); |
| fixEdge<CellUse>(m_graph.varArgChild(node, 2)); |
| fixEdge<CellUse>(m_graph.varArgChild(node, 3)); |
| fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 4)); |
| break; |
| } |
| |
| case CheckDOM: { |
| fixupCheckDOM(node); |
| break; |
| } |
| |
| case CallDOMGetter: { |
| DOMJIT::CallDOMGetterPatchpoint* patchpoint = node->callDOMGetterData()->patchpoint; |
| fixEdge<CellUse>(node->child1()); // DOM. |
| if (patchpoint->requireGlobalObject) |
| fixEdge<KnownCellUse>(node->child2()); // GlobalObject. |
| break; |
| } |
| |
| case CallDOM: { |
| fixupCallDOM(node); |
| break; |
| } |
| |
| case Call: { |
| attemptToMakeCallDOM(node); |
| break; |
| } |
| |
| #if !ASSERT_DISABLED |
| // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes. |
| case SetArgument: |
| case JSConstant: |
| case LazyJSConstant: |
| case DoubleConstant: |
| case GetLocal: |
| case GetCallee: |
| case GetArgumentCountIncludingThis: |
| case GetRestLength: |
| case GetArgument: |
| case Flush: |
| case PhantomLocal: |
| case GetLocalUnlinked: |
| case GetGlobalVar: |
| case GetGlobalLexicalVariable: |
| case NotifyWrite: |
| case DirectCall: |
| case CheckTypeInfoFlags: |
| case TailCallInlinedCaller: |
| case DirectTailCallInlinedCaller: |
| case Construct: |
| case DirectConstruct: |
| case CallVarargs: |
| case CallEval: |
| case TailCallVarargsInlinedCaller: |
| case ConstructVarargs: |
| case CallForwardVarargs: |
| case ConstructForwardVarargs: |
| case TailCallForwardVarargs: |
| case TailCallForwardVarargsInlinedCaller: |
| case LoadVarargs: |
| case ForwardVarargs: |
| case ProfileControlFlow: |
| case NewObject: |
| case NewRegexp: |
| case DeleteById: |
| case DeleteByVal: |
| case IsTypedArrayView: |
| case IsEmpty: |
| case IsUndefined: |
| case IsBoolean: |
| case IsNumber: |
| case IsObjectOrNull: |
| case IsFunction: |
| case CreateDirectArguments: |
| case Jump: |
| case Return: |
| case TailCall: |
| case DirectTailCall: |
| case TailCallVarargs: |
| case Throw: |
| case ThrowStaticError: |
| case CountExecution: |
| case ForceOSRExit: |
| case CheckBadCell: |
| case CheckNotEmpty: |
| case CheckWatchdogTimer: |
| case Unreachable: |
| case ExtractOSREntryLocal: |
| case LoopHint: |
| case MovHint: |
| case ZombieHint: |
| case ExitOK: |
| case BottomValue: |
| case TypeOf: |
| case GetByIdWithThis: |
| case PutByIdWithThis: |
| case PutByValWithThis: |
| case GetByValWithThis: |
| case CompareEqPtr: |
| break; |
| #else |
| default: |
| break; |
| #endif |
| } |
| } |
| |
| void watchHavingABadTime(Node* node) |
| { |
| JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic); |
| |
| // If this global object is not having a bad time, watch it. We go down this path anytime the code |
| // does an array allocation. The types of array allocations may change if we start to have a bad |
| // time. It's easier to reason about this if we know that whenever the types change after we start |
| // optimizing, the code just gets thrown out. Doing this at FixupPhase is just early enough, since |
| // prior to this point nobody should have been doing optimizations based on the indexing type of |
| // the allocation. |
| if (!globalObject->isHavingABadTime()) { |
| m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint()); |
| m_graph.freeze(globalObject); |
| } |
| } |
| |
| template<UseKind useKind> |
| void createToString(Node* node, Edge& edge) |
| { |
| edge.setNode(m_insertionSet.insertNode( |
| m_indexInBlock, SpecString, ToString, node->origin, |
| Edge(edge.node(), useKind))); |
| } |
| |
| template<UseKind useKind> |
| void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node) |
| { |
| ASSERT(arrayMode == ArrayMode(Array::Generic)); |
| |
| if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) |
| return; |
| |
| createToString<useKind>(node, node->child1()); |
| arrayMode = ArrayMode(Array::String); |
| } |
| |
| template<UseKind useKind> |
| bool isStringObjectUse() |
| { |
| switch (useKind) { |
| case StringObjectUse: |
| case StringOrStringObjectUse: |
| return true; |
| default: |
| return false; |
| } |
| } |
| |
| template<UseKind useKind> |
| void convertStringAddUse(Node* node, Edge& edge) |
| { |
| if (useKind == StringUse) { |
| observeUseKindOnNode<StringUse>(edge.node()); |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(edge.node(), StringUse)); |
| edge.setUseKind(KnownStringUse); |
| return; |
| } |
| |
| observeUseKindOnNode<useKind>(edge.node()); |
| createToString<useKind>(node, edge); |
| } |
| |
| void convertToMakeRope(Node* node) |
| { |
| node->setOpAndDefaultFlags(MakeRope); |
| fixupMakeRope(node); |
| } |
| |
| void fixupMakeRope(Node* node) |
| { |
| for (unsigned i = 0; i < AdjacencyList::Size; ++i) { |
| Edge& edge = node->children.child(i); |
| if (!edge) |
| break; |
| edge.setUseKind(KnownStringUse); |
| JSString* string = edge->dynamicCastConstant<JSString*>(); |
| if (!string) |
| continue; |
| if (string->length()) |
| continue; |
| |
| // Don't allow the MakeRope to have zero children. |
| if (!i && !node->child2()) |
| break; |
| |
| node->children.removeEdge(i--); |
| } |
| |
| if (!node->child2()) { |
| ASSERT(!node->child3()); |
| node->convertToIdentity(); |
| } |
| } |
| |
| void fixupIsCellWithType(Node* node) |
| { |
| switch (node->speculatedTypeForQuery()) { |
| case SpecString: |
| if (node->child1()->shouldSpeculateString()) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child1().node(), StringUse)); |
| m_graph.convertToConstant(node, jsBoolean(true)); |
| observeUseKindOnNode<StringUse>(node); |
| return; |
| } |
| break; |
| |
| case SpecProxyObject: |
| if (node->child1()->shouldSpeculateProxyObject()) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child1().node(), ProxyObjectUse)); |
| m_graph.convertToConstant(node, jsBoolean(true)); |
| observeUseKindOnNode<ProxyObjectUse>(node); |
| return; |
| } |
| break; |
| |
| case SpecRegExpObject: |
| if (node->child1()->shouldSpeculateRegExpObject()) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child1().node(), RegExpObjectUse)); |
| m_graph.convertToConstant(node, jsBoolean(true)); |
| observeUseKindOnNode<RegExpObjectUse>(node); |
| return; |
| } |
| break; |
| |
| case SpecArray: |
| if (node->child1()->shouldSpeculateArray()) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child1().node(), ArrayUse)); |
| m_graph.convertToConstant(node, jsBoolean(true)); |
| observeUseKindOnNode<ArrayUse>(node); |
| return; |
| } |
| break; |
| |
| case SpecDerivedArray: |
| if (node->child1()->shouldSpeculateDerivedArray()) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child1().node(), DerivedArrayUse)); |
| m_graph.convertToConstant(node, jsBoolean(true)); |
| observeUseKindOnNode<DerivedArrayUse>(node); |
| return; |
| } |
| break; |
| } |
| |
| if (node->child1()->shouldSpeculateCell()) { |
| fixEdge<CellUse>(node->child1()); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateNotCell()) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child1().node(), NotCellUse)); |
| m_graph.convertToConstant(node, jsBoolean(false)); |
| observeUseKindOnNode<NotCellUse>(node); |
| return; |
| } |
| } |
| |
| void fixupToThis(Node* node) |
| { |
| ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode; |
| |
| if (ecmaMode == StrictMode) { |
| if (node->child1()->shouldSpeculateBoolean()) { |
| fixEdge<BooleanUse>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateInt32()) { |
| fixEdge<Int32Use>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) { |
| fixEdge<Int52RepUse>(node->child1()); |
| node->convertToIdentity(); |
| node->setResult(NodeResultInt52); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateNumber()) { |
| fixEdge<DoubleRepUse>(node->child1()); |
| node->convertToIdentity(); |
| node->setResult(NodeResultDouble); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateSymbol()) { |
| fixEdge<SymbolUse>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateStringIdent()) { |
| fixEdge<StringIdentUse>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateString()) { |
| fixEdge<StringUse>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| } |
| |
| if (node->child1()->shouldSpeculateOther()) { |
| if (ecmaMode == StrictMode) { |
| fixEdge<OtherUse>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(node->child1().node(), OtherUse)); |
| observeUseKindOnNode<OtherUse>(node->child1().node()); |
| m_graph.convertToConstant( |
| node, m_graph.globalThisObjectFor(node->origin.semantic)); |
| return; |
| } |
| |
| // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical, |
| // however, since we cover all the missing cases in constant folding. |
| // https://bugs.webkit.org/show_bug.cgi?id=157213 |
| if (node->child1()->shouldSpeculateStringObject()) { |
| fixEdge<StringObjectUse>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| if (isFinalObjectSpeculation(node->child1()->prediction())) { |
| fixEdge<FinalObjectUse>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| } |
| |
| void fixupToPrimitive(Node* node) |
| { |
| if (node->child1()->shouldSpeculateInt32()) { |
| fixEdge<Int32Use>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateString()) { |
| fixEdge<StringUse>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateStringObject() |
| && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) { |
| fixEdge<StringObjectUse>(node->child1()); |
| node->convertToToString(); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateStringOrStringObject() |
| && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) { |
| fixEdge<StringOrStringObjectUse>(node->child1()); |
| node->convertToToString(); |
| return; |
| } |
| } |
| |
| void fixupToNumber(Node* node) |
| { |
| // If the prediction of the child is Number, we attempt to convert ToNumber to Identity. |
| if (node->child1()->shouldSpeculateNumber()) { |
| if (isInt32Speculation(node->getHeapPrediction())) { |
| // If the both predictions of this node and the child is Int32, we just convert ToNumber to Identity, that's simple. |
| if (node->child1()->shouldSpeculateInt32()) { |
| fixEdge<Int32Use>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| // The another case is that the predicted type of the child is Int32, but the heap prediction tell the users that this will produce non Int32 values. |
| // In that case, let's receive the child value as a Double value and convert it to Int32. This case happens in misc-bugs-847389-jpeg2000. |
| fixEdge<DoubleRepUse>(node->child1()); |
| node->setOp(DoubleAsInt32); |
| if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) |
| node->setArithMode(Arith::CheckOverflow); |
| else |
| node->setArithMode(Arith::CheckOverflowAndNegativeZero); |
| return; |
| } |
| |
| fixEdge<DoubleRepUse>(node->child1()); |
| node->convertToIdentity(); |
| node->setResult(NodeResultDouble); |
| return; |
| } |
| |
| fixEdge<UntypedUse>(node->child1()); |
| node->setResult(NodeResultJS); |
| } |
| |
| void fixupToStringOrCallStringConstructor(Node* node) |
| { |
| if (node->child1()->shouldSpeculateString()) { |
| fixEdge<StringUse>(node->child1()); |
| node->convertToIdentity(); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateStringObject() |
| && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) { |
| fixEdge<StringObjectUse>(node->child1()); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateStringOrStringObject() |
| && m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) { |
| fixEdge<StringOrStringObjectUse>(node->child1()); |
| return; |
| } |
| |
| if (node->child1()->shouldSpeculateCell()) { |
| fixEdge<CellUse>(node->child1()); |
| return; |
| } |
| } |
| |
| bool attemptToMakeFastStringAdd(Node* node) |
| { |
| bool goodToGo = true; |
| m_graph.doToChildren( |
| node, |
| [&] (Edge& edge) { |
| if (edge->shouldSpeculateString()) |
| return; |
| if (m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) { |
| if (edge->shouldSpeculateStringObject()) |
| return; |
| if (edge->shouldSpeculateStringOrStringObject()) |
| return; |
| } |
| goodToGo = false; |
| }); |
| if (!goodToGo) |
| return false; |
| |
| m_graph.doToChildren( |
| node, |
| [&] (Edge& edge) { |
| if (edge->shouldSpeculateString()) { |
| convertStringAddUse<StringUse>(node, edge); |
| return; |
| } |
| ASSERT(m_graph.canOptimizeStringObjectAccess(node->origin.semantic)); |
| if (edge->shouldSpeculateStringObject()) { |
| convertStringAddUse<StringObjectUse>(node, edge); |
| return; |
| } |
| if (edge->shouldSpeculateStringOrStringObject()) { |
| convertStringAddUse<StringOrStringObjectUse>(node, edge); |
| return; |
| } |
| RELEASE_ASSERT_NOT_REACHED(); |
| }); |
| |
| convertToMakeRope(node); |
| return true; |
| } |
| |
| void fixupGetAndSetLocalsInBlock(BasicBlock* block) |
| { |
| if (!block) |
| return; |
| ASSERT(block->isReachable); |
| m_block = block; |
| for (m_indexInBlock = 0; m_indexInBlock < block->size(); ++m_indexInBlock) { |
| Node* node = m_currentNode = block->at(m_indexInBlock); |
| if (node->op() != SetLocal && node->op() != GetLocal) |
| continue; |
| |
| VariableAccessData* variable = node->variableAccessData(); |
| switch (node->op()) { |
| case GetLocal: |
| switch (variable->flushFormat()) { |
| case FlushedDouble: |
| node->setResult(NodeResultDouble); |
| break; |
| case FlushedInt52: |
| node->setResult(NodeResultInt52); |
| break; |
| default: |
| break; |
| } |
| break; |
| |
| case SetLocal: |
| // NOTE: Any type checks we put here may get hoisted by fixupChecksInBlock(). So, if we |
| // add new type checking use kind for SetLocals, we need to modify that code as well. |
| |
| switch (variable->flushFormat()) { |
| case FlushedJSValue: |
| break; |
| case FlushedDouble: |
| fixEdge<DoubleRepUse>(node->child1()); |
| break; |
| case FlushedInt32: |
| fixEdge<Int32Use>(node->child1()); |
| break; |
| case FlushedInt52: |
| fixEdge<Int52RepUse>(node->child1()); |
| break; |
| case FlushedCell: |
| fixEdge<CellUse>(node->child1()); |
| break; |
| case FlushedBoolean: |
| fixEdge<BooleanUse>(node->child1()); |
| break; |
| default: |
| RELEASE_ASSERT_NOT_REACHED(); |
| break; |
| } |
| break; |
| |
| default: |
| RELEASE_ASSERT_NOT_REACHED(); |
| break; |
| } |
| } |
| m_insertionSet.execute(block); |
| } |
| |
| void addStringReplacePrimordialChecks(Node* searchRegExp) |
| { |
| Node* node = m_currentNode; |
| |
| // Check that structure of searchRegExp is RegExp object |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, node->origin, |
| Edge(searchRegExp, RegExpObjectUse)); |
| |
| auto emitPrimordialCheckFor = [&] (JSValue primordialProperty, UniquedStringImpl* propertyUID) { |
| unsigned index = m_graph.identifiers().ensure(propertyUID); |
| |
| Node* actualProperty = m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, TryGetById, node->origin, |
| OpInfo(index), OpInfo(SpecFunction), Edge(searchRegExp, CellUse)); |
| |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, CheckCell, node->origin, |
| OpInfo(m_graph.freeze(primordialProperty)), Edge(actualProperty, CellUse)); |
| }; |
| |
| JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic); |
| |
| // Check that searchRegExp.exec is the primordial RegExp.prototype.exec |
| emitPrimordialCheckFor(globalObject->regExpProtoExecFunction(), vm().propertyNames->exec.impl()); |
| // Check that searchRegExp.global is the primordial RegExp.prototype.global |
| emitPrimordialCheckFor(globalObject->regExpProtoGlobalGetter(), vm().propertyNames->global.impl()); |
| // Check that searchRegExp.unicode is the primordial RegExp.prototype.unicode |
| emitPrimordialCheckFor(globalObject->regExpProtoUnicodeGetter(), vm().propertyNames->unicode.impl()); |
| // Check that searchRegExp[Symbol.match] is the primordial RegExp.prototype[Symbol.replace] |
| emitPrimordialCheckFor(globalObject->regExpProtoSymbolReplaceFunction(), vm().propertyNames->replaceSymbol.impl()); |
| } |
| |
| Node* checkArray(ArrayMode arrayMode, const NodeOrigin& origin, Node* array, Node* index, bool (*storageCheck)(const ArrayMode&) = canCSEStorage) |
| { |
| ASSERT(arrayMode.isSpecific()); |
| |
| if (arrayMode.type() == Array::String) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Check, origin, Edge(array, StringUse)); |
| } else { |
| // Note that we only need to be using a structure check if we opt for SaneChain, since |
| // that needs to protect against JSArray's __proto__ being changed. |
| Structure* structure = arrayMode.originalArrayStructure(m_graph, origin.semantic); |
| |
| Edge indexEdge = index ? Edge(index, Int32Use) : Edge(); |
| |
| if (arrayMode.doesConversion()) { |
| if (structure) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, ArrayifyToStructure, origin, |
| OpInfo(m_graph.registerStructure(structure)), OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge); |
| } else { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, Arrayify, origin, |
| OpInfo(arrayMode.asWord()), Edge(array, CellUse), indexEdge); |
| } |
| } else { |
| if (structure) { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, CheckStructure, origin, |
| OpInfo(m_graph.addStructureSet(structure)), Edge(array, CellUse)); |
| } else { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, CheckArray, origin, |
| OpInfo(arrayMode.asWord()), Edge(array, CellUse)); |
| } |
| } |
| } |
| |
| if (!storageCheck(arrayMode)) |
| return nullptr; |
| |
| if (arrayMode.usesButterfly()) { |
| return m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse)); |
| } |
| |
| return m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin, |
| OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse)); |
| } |
| |
| void blessArrayOperation(Edge base, Edge index, Edge& storageChild) |
| { |
| Node* node = m_currentNode; |
| |
| switch (node->arrayMode().type()) { |
| case Array::ForceExit: { |
| m_insertionSet.insertNode( |
| m_indexInBlock, SpecNone, ForceOSRExit, node->origin); |
| return; |
| } |
| |
| case Array::SelectUsingPredictions: |
| case Array::Unprofiled: |
| RELEASE_ASSERT_NOT_REACHED(); |
| return; |
| |
| case Array::Generic: |
| return; |
| |
| default: { |
| Node* storage = checkArray(node->arrayMode(), node->origin, base.node(), index.node()); |
| if (!storage) |
| return; |
| |
| storageChild = Edge(storage); |
| return; |
| } } |
| } |
| |
| bool alwaysUnboxSimplePrimitives() |
| { |
| #if USE(JSVALUE64) |
| return false; |
| #else |
| // Any boolean, int, or cell value is profitable to unbox on 32-bit because it |
| // reduces traffic. |
| return true; |
| #endif |
| } |
| |
| template<UseKind useKind> |
| void observeUseKindOnNode(Node* node) |
| { |
| if (useKind == UntypedUse) |
| return; |
| observeUseKindOnNode(node, useKind); |
| } |
| |
| void observeUseKindOnEdge(Edge edge) |
| { |
| observeUseKindOnNode(edge.node(), edge.useKind()); |
| } |
| |
| void observeUseKindOnNode(Node* node, UseKind useKind) |
| { |
| if (node->op() != GetLocal) |
| return; |
| |
| // FIXME: The way this uses alwaysUnboxSimplePrimitives() is suspicious. |
| // https://bugs.webkit.org/show_bug.cgi?id=121518 |
| |
| VariableAccessData* variable = node->variableAccessData(); |
| switch (useKind) { |
| case Int32Use: |
| case KnownInt32Use: |
| if (alwaysUnboxSimplePrimitives() |
| || isInt32Speculation(variable->prediction())) |
| m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true); |
| break; |
| case NumberUse: |
| case RealNumberUse: |
| case DoubleRepUse: |
| case DoubleRepRealUse: |
| if (variable->doubleFormatState() == UsingDoubleFormat) |
| m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true); |
| break; |
| case BooleanUse: |
| case KnownBooleanUse: |
| if (alwaysUnboxSimplePrimitives() |
| || isBooleanSpeculation(variable->prediction())) |
| m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true); |
| break; |
| case Int52RepUse: |
| if (isAnyIntSpeculation(variable->prediction())) |
| m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true); |
| break; |
| case CellUse: |
| case KnownCellUse: |
| case ObjectUse: |
| case FunctionUse: |
| case StringUse: |
| case KnownStringUse: |
| case SymbolUse: |
| case StringObjectUse: |
| case StringOrStringObjectUse: |
| if (alwaysUnboxSimplePrimitives() |
| || isCellSpeculation(variable->prediction())) |
| m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true); |
| break; |
| default: |
| break; |
| } |
| } |
| |
| template<UseKind useKind> |
| void fixEdge(Edge& edge) |
| { |
| observeUseKindOnNode<useKind>(edge.node()); |
| edge.setUseKind(useKind); |
| } |
| |
| unsigned indexForChecks() |
| { |
| unsigned index = m_indexInBlock; |
| while (!m_block->at(index)->origin.exitOK) |
| index--; |
| return index; |
| } |
| |
| NodeOrigin originForCheck(unsigned index) |
| { |
| return m_block->at(index)->origin.withSemantic(m_currentNode->origin.semantic); |
| } |
| |
| void speculateForBarrier(Edge value) |
| { |
| // Currently, the DFG won't take advantage of this speculation. But, we want to do it in |
| // the DFG anyway because if such a speculation would be wrong, we want to know before |
| // we do an expensive compile. |
| |
| if (value->shouldSpeculateInt32()) { |
| insertCheck<Int32Use>(value.node()); |
| return; |
| } |
| |
| if (value->shouldSpeculateBoolean()) { |
| insertCheck<BooleanUse>(value.node()); |
| return; |
| } |
| |
| if (value->shouldSpeculateOther()) { |
| insertCheck<OtherUse>(value.node()); |
| return; |
| } |
| |
| if (value->shouldSpeculateNumber()) { |
| insertCheck<NumberUse>(value.node()); |
| return; |
| } |
| |
| if (value->shouldSpeculateNotCell()) { |
| insertCheck<NotCellUse>(value.node()); |
| return; |
| } |
| } |
| |
| template<UseKind useKind> |
| void insertCheck(Node* node) |
| { |
| observeUseKindOnNode<useKind>(node); |
| unsigned index = indexForChecks(); |
| m_insertionSet.insertNode(index, SpecNone, Check, originForCheck(index), Edge(node, useKind)); |
| } |
| |
| void fixIntConvertingEdge(Edge& edge) |
| { |
| Node* node = edge.node(); |
| if (node->shouldSpeculateInt32OrBoolean()) { |
| fixIntOrBooleanEdge(edge); |
| return; |
| } |
| |
| UseKind useKind; |
| if (node->shouldSpeculateAnyInt()) |
| useKind = Int52RepUse; |
| else if (node->shouldSpeculateNumber()) |
| useKind = DoubleRepUse; |
| else |
| useKind = NotCellUse; |
| Node* newNode = m_insertionSet.insertNode( |
| m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin, |
| Edge(node, useKind)); |
| observeUseKindOnNode(node, useKind); |
| |
| edge = Edge(newNode, KnownInt32Use); |
| } |
| |
| void fixIntOrBooleanEdge(Edge& edge) |
| { |
| Node* node = edge.node(); |
| if (!node->sawBooleans()) { |
| fixEdge<Int32Use>(edge); |
| return; |
| } |
| |
| UseKind useKind; |
| if (node->shouldSpeculateBoolean()) |
| useKind = BooleanUse; |
| else |
| useKind = UntypedUse; |
| Node* newNode = m_insertionSet.insertNode( |
| m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin, |
| Edge(node, useKind)); |
| observeUseKindOnNode(node, useKind); |
| |
| edge = Edge(newNode, Int32Use); |
| } |
| |
| void fixDoubleOrBooleanEdge(Edge& edge) |
| { |
| Node* node = edge.node(); |
| if (!node->sawBooleans()) { |
| fixEdge<DoubleRepUse>(edge); |
| return; |
| } |
| |
| UseKind useKind; |
| if (node->shouldSpeculateBoolean()) |
| useKind = BooleanUse; |
| else |
| useKind = UntypedUse; |
| Node* newNode = m_insertionSet.insertNode( |
| m_indexInBlock, SpecInt32Only, BooleanToNumber, m_currentNode->origin, |
| Edge(node, useKind)); |
| observeUseKindOnNode(node, useKind); |
| |
| edge = Edge(newNode, DoubleRepUse); |
| } |
| |
| void truncateConstantToInt32(Edge& edge) |
| { |
| Node* oldNode = edge.node(); |
| |
| JSValue value = oldNode->asJSValue(); |
| if (value.isInt32()) |
| return; |
| |
| value = jsNumber(JSC::toInt32(value.asNumber())); |
| ASSERT(value.isInt32()); |
| edge.setNode(m_insertionSet.insertNode( |
| m_indexInBlock, SpecInt32Only, JSConstant, m_currentNode->origin, |
| OpInfo(m_graph.freeze(value)))); |
| } |
| |
| void truncateConstantsIfNecessary(Node* node, AddSpeculationMode mode) |
| { |
| if (mode != SpeculateInt32AndTruncateConstants) |
| return; |
| |
| ASSERT(node->child1()->hasConstant() || node->child2()->hasConstant()); |
| if (node->child1()->hasConstant()) |
| truncateConstantToInt32(node->child1()); |
| else |
| truncateConstantToInt32(node->child2()); |
| } |
| |
| bool attemptToMakeIntegerAdd(Node* node) |
| { |
| AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass); |
| if (mode != DontSpeculateInt32) { |
| truncateConstantsIfNecessary(node, mode); |
| fixIntOrBooleanEdge(node->child1()); |
| fixIntOrBooleanEdge(node->child2()); |
| if (bytecodeCanTruncateInteger(node->arithNodeFlags())) |
| node->setArithMode(Arith::Unchecked); |
| else |
| node->setArithMode(Arith::CheckOverflow); |
| return true; |
| } |
| |
| if (m_graph.addShouldSpeculateAnyInt(node)) { |
| fixEdge<Int52RepUse>(node->child1()); |
| fixEdge<Int52RepUse>(node->child2()); |
| node->setArithMode(Arith::CheckOverflow); |
| node->setResult(NodeResultInt52); |
| return true; |
| } |
| |
| return false; |
| } |
| |
| bool attemptToMakeGetArrayLength(Node* node) |
| { |
| if (!isInt32Speculation(node->prediction())) |
| return false; |
| CodeBlock* profiledBlock = m_graph.baselineCodeBlockFor(node->origin.semantic); |
| ArrayProfile* arrayProfile = |
| profiledBlock->getArrayProfile(node->origin.semantic.bytecodeIndex); |
| ArrayMode arrayMode = ArrayMode(Array::SelectUsingPredictions); |
| if (arrayProfile) { |
| ConcurrentJSLocker locker(profiledBlock->m_lock); |
| arrayProfile->computeUpdatedPrediction(locker, profiledBlock); |
| arrayMode = ArrayMode::fromObserved(locker, arrayProfile, Array::Read, false); |
| if (arrayMode.type() == Array::Unprofiled) { |
| // For normal array operations, it makes sense to treat Unprofiled |
| // accesses as ForceExit and get more data rather than using |
| // predictions and then possibly ending up with a Generic. But here, |
| // we treat anything that is Unprofiled as Generic and keep the |
| // GetById. I.e. ForceExit = Generic. So, there is no harm - and only |
| // profit - from treating the Unprofiled case as |
| // SelectUsingPredictions. |
| arrayMode = ArrayMode(Array::SelectUsingPredictions); |
| } |
| } |
| |
| arrayMode = arrayMode.refine( |
| m_graph, node, node->child1()->prediction(), node->prediction()); |
| |
| if (arrayMode.type() == Array::Generic) { |
| // Check if the input is something that we can't get array length for, but for which we |
| // could insert some conversions in order to transform it into something that we can do it |
| // for. |
| if (node->child1()->shouldSpeculateStringObject()) |
| attemptToForceStringArrayModeByToStringConversion<StringObjectUse>(arrayMode, node); |
| else if (node->child1()->shouldSpeculateStringOrStringObject()) |
| attemptToForceStringArrayModeByToStringConversion<StringOrStringObjectUse>(arrayMode, node); |
| } |
| |
| if (!arrayMode.supportsSelfLength()) |
| return false; |
| |
| convertToGetArrayLength(node, arrayMode); |
| return true; |
| } |
| |
| void convertToGetArrayLength(Node* node, ArrayMode arrayMode) |
| { |
| node->setOp(GetArrayLength); |
| node->clearFlags(NodeMustGenerate); |
| fixEdge<KnownCellUse>(node->child1()); |
| node->setArrayMode(arrayMode); |
| |
| Node* storage = checkArray(arrayMode, node->origin, node->child1().node(), 0, lengthNeedsStorage); |
| if (!storage) |
| return; |
| |
| node->child2() = Edge(storage); |
| } |
| |
| Node* prependGetArrayLength(NodeOrigin origin, Node* child, ArrayMode arrayMode) |
| { |
| Node* storage = checkArray(arrayMode, origin, child, 0, lengthNeedsStorage); |
| return m_insertionSet.insertNode( |
| m_indexInBlock, SpecInt32Only, GetArrayLength, origin, |
| OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage)); |
| } |
| |
| bool attemptToMakeCallDOM(Node* node) |
| { |
| if (m_graph.hasExitSite(node->origin.semantic, BadType)) |
| return false; |
| |
| const DOMJIT::Signature* signature = node->signature(); |
| if (!signature) |
| return false; |
| |
| { |
| unsigned index = 0; |
| bool shouldConvertToCallDOM = true; |
| m_graph.doToChildren(node, [&](Edge& edge) { |
| // Callee. Ignore this. DFGByteCodeParser already emit appropriate checks. |
| if (!index) |
| return; |
| |
| if (index == 1) { |
| // DOM node case. |
| if (edge->shouldSpeculateNotCell()) |
| shouldConvertToCallDOM = false; |
| } else { |
| switch (signature->arguments[index - 2]) { |
| case SpecString: |
| if (edge->shouldSpeculateNotString()) |
| shouldConvertToCallDOM = false; |
| break; |
| case SpecInt32Only: |
| if (edge->shouldSpeculateNotInt32()) |
| shouldConvertToCallDOM = false; |
| break; |
| case SpecBoolean: |
| if (edge->shouldSpeculateNotBoolean()) |
| shouldConvertToCallDOM = false; |
| break; |
| default: |
| RELEASE_ASSERT_NOT_REACHED(); |
| break; |
| } |
| } |
| ++index; |
| }); |
| if (!shouldConvertToCallDOM) |
| return false; |
| } |
| |
| Node* thisNode = m_graph.varArgChild(node, 1).node(); |
| Ref<DOMJIT::Patchpoint> checkDOMPatchpoint = signature->checkDOM(); |
| m_graph.m_domJITPatchpoints.append(checkDOMPatchpoint.ptr()); |
| Node* checkDOM = m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckDOM, node->origin, OpInfo(checkDOMPatchpoint.ptr()), OpInfo(signature->classInfo), Edge(thisNode)); |
| node->convertToCallDOM(m_graph); |
| fixupCheckDOM(checkDOM); |
| fixupCallDOM(node); |
| return true; |
| } |
| |
| void fixupCheckDOM(Node* node) |
| { |
| fixEdge<CellUse>(node->child1()); |
| } |
| |
| void fixupCallDOM(Node* node) |
| { |
| const DOMJIT::Signature* signature = node->signature(); |
| auto fixup = [&](Edge& edge, unsigned argumentIndex) { |
| if (!edge) |
| return; |
| switch (signature->arguments[argumentIndex]) { |
| case SpecString: |
| fixEdge<StringUse>(edge); |
| break; |
| case SpecInt32Only: |
| fixEdge<Int32Use>(edge); |
| break; |
| case SpecBoolean: |
| fixEdge<BooleanUse>(edge); |
| break; |
| default: |
| RELEASE_ASSERT_NOT_REACHED(); |
| break; |
| } |
| }; |
| fixEdge<CellUse>(node->child1()); // DOM. |
| fixup(node->child2(), 0); |
| fixup(node->child3(), 1); |
| } |
| |
| void fixupChecksInBlock(BasicBlock* block) |
| { |
| if (!block) |
| return; |
| ASSERT(block->isReachable); |
| m_block = block; |
| unsigned indexForChecks = UINT_MAX; |
| NodeOrigin originForChecks; |
| for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) { |
| Node* node = block->at(indexInBlock); |
| |
| // If this is a node at which we could exit, then save its index. If nodes after this one |
| // cannot exit, then we will hoist checks to here. |
| if (node->origin.exitOK) { |
| indexForChecks = indexInBlock; |
| originForChecks = node->origin; |
| } |
| |
| originForChecks = originForChecks.withSemantic(node->origin.semantic); |
| |
| // First, try to relax the representational demands of each node, in order to have |
| // fewer conversions. |
| switch (node->op()) { |
| case MovHint: |
| case Check: |
| m_graph.doToChildren( |
| node, |
| [&] (Edge& edge) { |
| switch (edge.useKind()) { |
| case DoubleRepUse: |
| case DoubleRepRealUse: |
| if (edge->hasDoubleResult()) |
| break; |
| |
| if (edge->hasInt52Result()) |
| edge.setUseKind(Int52RepUse); |
| else if (edge.useKind() == DoubleRepUse) |
| edge.setUseKind(NumberUse); |
| break; |
| |
| case Int52RepUse: |
| // Nothing we can really do. |
| break; |
| |
| case UntypedUse: |
| case NumberUse: |
| if (edge->hasDoubleResult()) |
| edge.setUseKind(DoubleRepUse); |
| else if (edge->hasInt52Result()) |
| edge.setUseKind(Int52RepUse); |
| break; |
| |
| case RealNumberUse: |
| if (edge->hasDoubleResult()) |
| edge.setUseKind(DoubleRepRealUse); |
| else if (edge->hasInt52Result()) |
| edge.setUseKind(Int52RepUse); |
| break; |
| |
| default: |
| break; |
| } |
| }); |
| break; |
| |
| case ValueToInt32: |
| if (node->child1().useKind() == DoubleRepUse |
| && !node->child1()->hasDoubleResult()) { |
| node->child1().setUseKind(NumberUse); |
| break; |
| } |
| break; |
| |
| default: |
| break; |
| } |
| |
| // Now, insert type conversions if necessary. |
| m_graph.doToChildren( |
| node, |
| [&] (Edge& edge) { |
| Node* result = nullptr; |
| |
| switch (edge.useKind()) { |
| case DoubleRepUse: |
| case DoubleRepRealUse: |
| case DoubleRepAnyIntUse: { |
| if (edge->hasDoubleResult()) |
| break; |
| |
| if (edge->isNumberConstant()) { |
| result = m_insertionSet.insertNode( |
| indexForChecks, SpecBytecodeDouble, DoubleConstant, originForChecks, |
| OpInfo(m_graph.freeze(jsDoubleNumber(edge->asNumber())))); |
| } else if (edge->hasInt52Result()) { |
| result = m_insertionSet.insertNode( |
| indexForChecks, SpecAnyIntAsDouble, DoubleRep, originForChecks, |
| Edge(edge.node(), Int52RepUse)); |
| } else { |
| UseKind useKind; |
| if (edge->shouldSpeculateDoubleReal()) |
| useKind = RealNumberUse; |
| else if (edge->shouldSpeculateNumber()) |
| useKind = NumberUse; |
| else |
| useKind = NotCellUse; |
| |
| result = m_insertionSet.insertNode( |
| indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks, |
| Edge(edge.node(), useKind)); |
| } |
| |
| edge.setNode(result); |
| break; |
| } |
| |
| case Int52RepUse: { |
| if (edge->hasInt52Result()) |
| break; |
| |
| if (edge->isAnyIntConstant()) { |
| result = m_insertionSet.insertNode( |
| indexForChecks, SpecAnyInt, Int52Constant, originForChecks, |
| OpInfo(edge->constant())); |
| } else if (edge->hasDoubleResult()) { |
| result = m_insertionSet.insertNode( |
| indexForChecks, SpecAnyInt, Int52Rep, originForChecks, |
| Edge(edge.node(), DoubleRepAnyIntUse)); |
| } else if (edge->shouldSpeculateInt32ForArithmetic()) { |
| result = m_insertionSet.insertNode( |
| indexForChecks, SpecInt32Only, Int52Rep, originForChecks, |
| Edge(edge.node(), Int32Use)); |
| } else { |
| result = m_insertionSet.insertNode( |
| indexForChecks, SpecAnyInt, Int52Rep, originForChecks, |
| Edge(edge.node(), AnyIntUse)); |
| } |
| |
| edge.setNode(result); |
| break; |
| } |
| |
| default: { |
| if (!edge->hasDoubleResult() && !edge->hasInt52Result()) |
| break; |
| |
| if (edge->hasDoubleResult()) { |
| result = m_insertionSet.insertNode( |
| indexForChecks, SpecBytecodeDouble, ValueRep, originForChecks, |
| Edge(edge.node(), DoubleRepUse)); |
| } else { |
| result = m_insertionSet.insertNode( |
| indexForChecks, SpecInt32Only | SpecAnyIntAsDouble, ValueRep, |
| originForChecks, Edge(edge.node(), Int52RepUse)); |
| } |
| |
| edge.setNode(result); |
| break; |
| } } |
| |
| // It's remotely possible that this node cannot do type checks, but we now have a |
| // type check on this node. We don't have to handle the general form of this |
| // problem. It only arises when ByteCodeParser emits an immediate SetLocal, rather |
| // than a delayed one. So, we only worry about those checks that we may have put on |
| // a SetLocal. Note that "indexForChecks != indexInBlock" is just another way of |
| // saying "!node->origin.exitOK". |
| if (indexForChecks != indexInBlock && mayHaveTypeCheck(edge.useKind())) { |
| UseKind knownUseKind; |
| |
| switch (edge.useKind()) { |
| case Int32Use: |
| knownUseKind = KnownInt32Use; |
| break; |
| case CellUse: |
| knownUseKind = KnownCellUse; |
| break; |
| case BooleanUse: |
| knownUseKind = KnownBooleanUse; |
| break; |
| default: |
| // This can only arise if we have a Check node, and in that case, we can |
| // just remove the original check. |
| DFG_ASSERT(m_graph, node, node->op() == Check); |
| knownUseKind = UntypedUse; |
| break; |
| } |
| |
| m_insertionSet.insertNode( |
| indexForChecks, SpecNone, Check, originForChecks, edge); |
| |
| edge.setUseKind(knownUseKind); |
| } |
| }); |
| } |
| |
| m_insertionSet.execute(block); |
| } |
| |
| BasicBlock* m_block; |
| unsigned m_indexInBlock; |
| Node* m_currentNode; |
| InsertionSet m_insertionSet; |
| bool m_profitabilityChanged; |
| }; |
| |
| bool performFixup(Graph& graph) |
| { |
| return runPhase<FixupPhase>(graph); |
| } |
| |
| } } // namespace JSC::DFG |
| |
| #endif // ENABLE(DFG_JIT) |
| |