Hoist and combine array bounds checks
https://bugs.webkit.org/show_bug.cgi?id=125433
Source/JavaScriptCore:
Reviewed by Mark Hahnenberg.
This adds a phase for reasoning about overflow checks and array bounds checks. It's
block-local, and removes both overflow checks and bounds checks in one go.
This also improves reasoning about commutative operations, and CSE between
CheckOverflow and Unchecked arithmetic.
This strangely uncovered a DFG backend bug where we were trying to extract an int32
from a constant even when that constant was just simply a number. I fixed that bug.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGArithMode.h:
(JSC::DFG::subsumes):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::int32ToDoubleCSE):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGEdge.cpp:
(JSC::DFG::Edge::dump):
* dfg/DFGEdge.h:
(JSC::DFG::Edge::sanitized):
(JSC::DFG::Edge::hash):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::valueOfInt32Constant):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertConstant):
* dfg/DFGIntegerCheckCombiningPhase.cpp: Added.
(JSC::DFG::IntegerCheckCombiningPhase::IntegerCheckCombiningPhase):
(JSC::DFG::IntegerCheckCombiningPhase::run):
(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
(JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
(JSC::DFG::IntegerCheckCombiningPhase::isValid):
(JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
(JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
(JSC::DFG::performIntegerCheckCombining):
* dfg/DFGIntegerCheckCombiningPhase.h: Added.
* dfg/DFGNode.h:
(JSC::DFG::Node::willHaveCodeGenOrOSR):
* dfg/DFGNodeType.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAdd):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::handleCommutativity):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionFalse):
* runtime/Identifier.h:
* runtime/Intrinsic.h:
* runtime/JSObject.h:
* tests/stress/get-by-id-untyped.js: Added.
(foo):
* tests/stress/inverted-additive-subsumption.js: Added.
(foo):
* tests/stress/redundant-add-overflow-checks.js: Added.
(foo):
* tests/stress/redundant-array-bounds-checks-addition-skip-first.js: Added.
(foo):
(arraycmp):
* tests/stress/redundant-array-bounds-checks-addition.js: Added.
(foo):
(arraycmp):
* tests/stress/redundant-array-bounds-checks-unchecked-addition.js: Added.
(foo):
(arraycmp):
* tests/stress/redundant-array-bounds-checks.js: Added.
(foo):
(arraycmp):
* tests/stress/tricky-array-bounds-checks.js: Added.
(foo):
(arraycmp):
Source/WTF:
Reviewed by Mark Hahnenberg.
* GNUmakefile.list.am:
* WTF.vcxproj/WTF.vcxproj:
* WTF.xcodeproj/project.pbxproj:
* wtf/CMakeLists.txt:
* wtf/HashMethod.h: Added.
(WTF::HashMethod::operator()):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@164059 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index dab217b..33c7cef 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -941,6 +941,7 @@
case DoubleAsInt32:
case Int32ToDouble:
case ValueToInt32:
+ case HardPhantom: // HardPhantom would be trivial to handle but anyway we assert that we won't see it here yet.
// These are just nodes that we don't currently expect to see during fixup.
// If we ever wanted to insert them prior to fixup, then we just have to create
// fixup rules for them.
