--- /dev/null
+/*
+ * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGArgumentsSimplificationPhase.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "DFGAbstractState.h"
+#include "DFGBasicBlock.h"
+#include "DFGGraph.h"
+#include "DFGInsertionSet.h"
+#include "DFGPhase.h"
+#include "DFGValidate.h"
+#include "DFGVariableAccessDataDump.h"
+#include <wtf/HashSet.h>
+#include <wtf/HashMap.h>
+
+#if PLATFORM(IOS)
+#include "Operations.h"
+#endif
+
+namespace JSC { namespace DFG {
+
+namespace {
+
+struct ArgumentsAliasingData {
+ InlineCallFrame* callContext;
+ bool callContextSet;
+ bool multipleCallContexts;
+
+ bool assignedFromArguments;
+ bool assignedFromManyThings;
+
+ bool escapes;
+
+ ArgumentsAliasingData()
+ : callContext(0)
+ , callContextSet(false)
+ , multipleCallContexts(false)
+ , assignedFromArguments(false)
+ , assignedFromManyThings(false)
+ , escapes(false)
+ {
+ }
+
+ void mergeCallContext(InlineCallFrame* newCallContext)
+ {
+ if (multipleCallContexts)
+ return;
+
+ if (!callContextSet) {
+ callContext = newCallContext;
+ callContextSet = true;
+ return;
+ }
+
+ if (callContext == newCallContext)
+ return;
+
+ multipleCallContexts = true;
+ }
+
+ bool callContextIsValid()
+ {
+ return callContextSet && !multipleCallContexts;
+ }
+
+ void mergeArgumentsAssignment()
+ {
+ assignedFromArguments = true;
+ }
+
+ void mergeNonArgumentsAssignment()
+ {
+ assignedFromManyThings = true;
+ }
+
+ bool argumentsAssignmentIsValid()
+ {
+ return assignedFromArguments && !assignedFromManyThings;
+ }
+
+ bool isValid()
+ {
+ return callContextIsValid() && argumentsAssignmentIsValid() && !escapes;
+ }
+};
+
+} // end anonymous namespace
+
+class ArgumentsSimplificationPhase : public Phase {
+public:
+ ArgumentsSimplificationPhase(Graph& graph)
+ : Phase(graph, "arguments simplification")
+ {
+ }
+
+ bool run()
+ {
+ if (!m_graph.m_hasArguments)
+ return false;
+
+ bool changed = false;
+
+ // Record which arguments are known to escape no matter what.
+ for (unsigned i = codeBlock()->inlineCallFrames().size(); i--;) {
+ InlineCallFrame* inlineCallFrame = &codeBlock()->inlineCallFrames()[i];
+ if (m_graph.m_executablesWhoseArgumentsEscaped.contains(
+ m_graph.executableFor(inlineCallFrame)))
+ m_createsArguments.add(inlineCallFrame);
+ }
+
+ // Create data for variable access datas that we will want to analyze.
+ for (unsigned i = m_graph.m_variableAccessData.size(); i--;) {
+ VariableAccessData* variableAccessData = &m_graph.m_variableAccessData[i];
+ if (!variableAccessData->isRoot())
+ continue;
+ if (variableAccessData->isCaptured())
+ continue;
+ m_argumentsAliasing.add(variableAccessData, ArgumentsAliasingData());
+ }
+
+ // Figure out which variables are live, using a conservative approximation of
+ // liveness.
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+ BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+ if (!block)
+ continue;
+ for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+ Node* node = block->at(indexInBlock);
+ switch (node->op()) {
+ case GetLocal:
+ case Flush:
+ case PhantomLocal:
+ m_isLive.add(node->variableAccessData());
+ break;
+ default:
+ break;
+ }
+ }
+ }
+
+ // Figure out which variables alias the arguments and nothing else, and are
+ // used only for GetByVal and GetArrayLength accesses. At the same time,
+ // identify uses of CreateArguments that are not consistent with the arguments
+ // being aliased only to variables that satisfy these constraints.
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+ BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+ if (!block)
+ continue;
+ for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+ Node* node = block->at(indexInBlock);
+ switch (node->op()) {
+ case CreateArguments: {
+ // Ignore this op. If we see a lone CreateArguments then we want to
+ // completely ignore it because:
+ // 1) The default would be to see that the child is a GetLocal on the
+ // arguments register and conclude that we have an arguments escape.
+ // 2) The fact that a CreateArguments exists does not mean that it
+ // will continue to exist after we're done with this phase. As far
+ // as this phase is concerned, a CreateArguments only "exists" if it
+ // is used in a manner that necessitates its existance.
+ break;
+ }
+
+ case TearOffArguments: {
+ // Ignore arguments tear off, because it's only relevant if we actually
+ // need to create the arguments.
+ break;
+ }
+
+ case SetLocal: {
+ Node* source = node->child1().node();
+ VariableAccessData* variableAccessData = node->variableAccessData();
+ int argumentsRegister =
+ m_graph.uncheckedArgumentsRegisterFor(node->codeOrigin);
+ if (source->op() != CreateArguments && source->op() != PhantomArguments) {
+ // Make sure that the source of the SetLocal knows that if it's
+ // a variable that we think is aliased to the arguments, then it
+ // may escape at this point. In future, we could track transitive
+ // aliasing. But not yet.
+ observeBadArgumentsUse(source);
+
+ // If this is an assignment to the arguments register, then
+ // pretend as if the arguments were created. We don't want to
+ // optimize code that explicitly assigns to the arguments,
+ // because that seems too ugly.
+
+ // But, before getting rid of CreateArguments, we will have
+ // an assignment to the arguments registers with JSValue().
+ // That's because CSE will refuse to get rid of the
+ // init_lazy_reg since it treats CreateArguments as reading
+ // local variables. That could be fixed, but it's easier to
+ // work around this here.
+ if (source->op() == JSConstant
+ && !source->valueOfJSConstant(codeBlock()))
+ break;
+
+ // If the variable is totally dead, then ignore it.
+ if (!m_isLive.contains(variableAccessData))
+ break;
+
+ if (argumentsRegister != InvalidVirtualRegister
+ && (variableAccessData->local() == argumentsRegister
+ || variableAccessData->local() == unmodifiedArgumentsRegister(argumentsRegister))) {
+ m_createsArguments.add(node->codeOrigin.inlineCallFrame);
+ break;
+ }
+
+ if (variableAccessData->isCaptured())
+ break;
+
+ // Make sure that if it's a variable that we think is aliased to
+ // the arguments, that we know that it might actually not be.
+ ArgumentsAliasingData& data =
+ m_argumentsAliasing.find(variableAccessData)->value;
+ data.mergeNonArgumentsAssignment();
+ data.mergeCallContext(node->codeOrigin.inlineCallFrame);
+ break;
+ }
+ if (argumentsRegister != InvalidVirtualRegister
+ && (variableAccessData->local() == argumentsRegister
+ || variableAccessData->local() == unmodifiedArgumentsRegister(argumentsRegister))) {
+ if (node->codeOrigin.inlineCallFrame == source->codeOrigin.inlineCallFrame)
+ break;
+ m_createsArguments.add(source->codeOrigin.inlineCallFrame);
+ break;
+ }
+ if (variableAccessData->isCaptured()) {
+ m_createsArguments.add(source->codeOrigin.inlineCallFrame);
+ break;
+ }
+ ArgumentsAliasingData& data =
+ m_argumentsAliasing.find(variableAccessData)->value;
+ data.mergeArgumentsAssignment();
+ // This ensures that the variable's uses are in the same context as
+ // the arguments it is aliasing.
+ data.mergeCallContext(node->codeOrigin.inlineCallFrame);
+ data.mergeCallContext(source->codeOrigin.inlineCallFrame);
+ break;
+ }
+
+ case GetLocal:
+ case Phi: /* FIXME: https://bugs.webkit.org/show_bug.cgi?id=108555 */ {
+ VariableAccessData* variableAccessData = node->variableAccessData();
+ if (variableAccessData->isCaptured())
+ break;
+ ArgumentsAliasingData& data =
+ m_argumentsAliasing.find(variableAccessData)->value;
+ data.mergeCallContext(node->codeOrigin.inlineCallFrame);
+ break;
+ }
+
+ case Flush: {
+ VariableAccessData* variableAccessData = node->variableAccessData();
+ if (variableAccessData->isCaptured())
+ break;
+ ArgumentsAliasingData& data =
+ m_argumentsAliasing.find(variableAccessData)->value;
+ data.mergeCallContext(node->codeOrigin.inlineCallFrame);
+
+ // If a variable is used in a flush then by definition it escapes.
+ data.escapes = true;
+ break;
+ }
+
+ case SetArgument: {
+ VariableAccessData* variableAccessData = node->variableAccessData();
+ if (variableAccessData->isCaptured())
+ break;
+ ArgumentsAliasingData& data =
+ m_argumentsAliasing.find(variableAccessData)->value;
+ data.mergeNonArgumentsAssignment();
+ data.mergeCallContext(node->codeOrigin.inlineCallFrame);
+ break;
+ }
+
+ case GetByVal: {
+ if (node->arrayMode().type() != Array::Arguments) {
+ observeBadArgumentsUses(node);
+ break;
+ }
+
+ // That's so awful and pretty much impossible since it would
+ // imply that the arguments were predicted integer, but it's
+ // good to be defensive and thorough.
+ observeBadArgumentsUse(node->child2().node());
+ observeProperArgumentsUse(node, node->child1());
+ break;
+ }
+
+ case GetArrayLength: {
+ if (node->arrayMode().type() != Array::Arguments) {
+ observeBadArgumentsUses(node);
+ break;
+ }
+
+ observeProperArgumentsUse(node, node->child1());
+ break;
+ }
+
+ case Phantom:
+ // We don't care about phantom uses, since phantom uses are all about
+ // just keeping things alive for OSR exit. If something - like the
+ // CreateArguments - is just being kept alive, then this transformation
+ // will not break this, since the Phantom will now just keep alive a
+ // PhantomArguments and OSR exit will still do the right things.
+ break;
+
+ case CheckStructure:
+ case ForwardCheckStructure:
+ case StructureTransitionWatchpoint:
+ case ForwardStructureTransitionWatchpoint:
+ case CheckArray:
+ // We don't care about these because if we get uses of the relevant
+ // variable then we can safely get rid of these, too. This of course
+ // relies on there not being any information transferred by the CFA
+ // from a CheckStructure on one variable to the information about the
+ // structures of another variable.
+ break;
+
+ default:
+ observeBadArgumentsUses(node);
+ break;
+ }
+ }
+ }
+
+ // Now we know which variables are aliased to arguments. But if any of them are
+ // found to have escaped, or were otherwise invalidated, then we need to mark
+ // the arguments as requiring creation. This is a property of SetLocals to
+ // variables that are neither the correct arguments register nor are marked as
+ // being arguments-aliased.
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+ BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+ if (!block)
+ continue;
+ for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+ Node* node = block->at(indexInBlock);
+ if (node->op() != SetLocal)
+ continue;
+ Node* source = node->child1().node();
+ if (source->op() != CreateArguments)
+ continue;
+ VariableAccessData* variableAccessData = node->variableAccessData();
+ if (variableAccessData->isCaptured()) {
+ // The captured case would have already been taken care of in the
+ // previous pass.
+ continue;
+ }
+
+ ArgumentsAliasingData& data =
+ m_argumentsAliasing.find(variableAccessData)->value;
+ if (data.isValid())
+ continue;
+
+ m_createsArguments.add(source->codeOrigin.inlineCallFrame);
+ }
+ }
+
+#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
+ dataLogF("Arguments aliasing states:\n");
+ for (unsigned i = 0; i < m_graph.m_variableAccessData.size(); ++i) {
+ VariableAccessData* variableAccessData = &m_graph.m_variableAccessData[i];
+ if (!variableAccessData->isRoot())
+ continue;
+ dataLog(" r", variableAccessData->local(), "(", VariableAccessDataDump(m_graph, variableAccessData), "): ");
+ if (variableAccessData->isCaptured())
+ dataLogF("Captured");
+ else {
+ ArgumentsAliasingData& data =
+ m_argumentsAliasing.find(variableAccessData)->value;
+ bool first = true;
+ if (data.callContextIsValid()) {
+ if (!first)
+ dataLogF(", ");
+ dataLogF("Have Call Context: %p", data.callContext);
+ first = false;
+ if (!m_createsArguments.contains(data.callContext))
+ dataLogF(" (Does Not Create Arguments)");
+ }
+ if (data.argumentsAssignmentIsValid()) {
+ if (!first)
+ dataLogF(", ");
+ dataLogF("Arguments Assignment Is Valid");
+ first = false;
+ }
+ if (!data.escapes) {
+ if (!first)
+ dataLogF(", ");
+ dataLogF("Does Not Escape");
+ first = false;
+ }
+ if (!first)
+ dataLogF(", ");
+ if (data.isValid()) {
+ if (m_createsArguments.contains(data.callContext))
+ dataLogF("VALID");
+ else
+ dataLogF("INVALID (due to argument creation)");
+ } else
+ dataLogF("INVALID (due to bad variable use)");
+ }
+ dataLogF("\n");
+ }
+#endif
+
+ InsertionSet insertionSet(m_graph);
+
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+ BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+ if (!block)
+ continue;
+ for (unsigned indexInBlock = 0; indexInBlock < block->size(); indexInBlock++) {
+ Node* node = block->at(indexInBlock);
+ switch (node->op()) {
+ case SetLocal: {
+ Node* source = node->child1().node();
+ if (source->op() != CreateArguments)
+ break;
+
+ if (m_createsArguments.contains(source->codeOrigin.inlineCallFrame))
+ break;
+
+ VariableAccessData* variableAccessData = node->variableAccessData();
+
+ if (m_graph.argumentsRegisterFor(node->codeOrigin) == variableAccessData->local()
+ || unmodifiedArgumentsRegister(m_graph.argumentsRegisterFor(node->codeOrigin)) == variableAccessData->local())
+ break;
+
+ ASSERT(!variableAccessData->isCaptured());
+
+ // If this is a store into a VariableAccessData* that is marked as
+ // arguments aliasing for an InlineCallFrame* that does not create
+ // arguments, then flag the VariableAccessData as being an
+ // arguments-aliased. This'll let the OSR exit machinery do the right
+ // things. Note also that the SetLocal should become dead as soon as
+ // we replace all uses of this variable with GetMyArgumentsLength and
+ // GetMyArgumentByVal.
+ ASSERT(m_argumentsAliasing.find(variableAccessData)->value.isValid());
+ if (variableAccessData->mergeIsArgumentsAlias(true)) {
+ changed = true;
+
+ // Make sure that the variable knows, that it may now hold non-cell values.
+ variableAccessData->predict(SpecEmpty);
+ }
+
+ // Make sure that the SetLocal doesn't check that the input is a Cell.
+ if (node->child1().useKind() != UntypedUse) {
+ node->child1().setUseKind(UntypedUse);
+ changed = true;
+ }
+ break;
+ }
+
+ case PhantomLocal: {
+ VariableAccessData* variableAccessData = node->variableAccessData();
+
+ if (variableAccessData->isCaptured()
+ || !m_argumentsAliasing.find(variableAccessData)->value.isValid()
+ || m_createsArguments.contains(node->codeOrigin.inlineCallFrame))
+ break;
+
+ // Turn PhantomLocals into just GetLocals. This will preserve the threading
+ // of the local through to this point, but will allow it to die, causing
+ // only OSR to know about it.
+
+ node->setOpAndDefaultFlags(GetLocal);
+ break;
+ }
+
+ case Flush: {
+ VariableAccessData* variableAccessData = node->variableAccessData();
+
+ if (variableAccessData->isCaptured()
+ || !m_argumentsAliasing.find(variableAccessData)->value.isValid()
+ || m_createsArguments.contains(node->codeOrigin.inlineCallFrame))
+ break;
+
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
+
+ case Phantom: {
+ // It's highly likely that we will have a Phantom referencing either
+ // CreateArguments, or a local op for the arguments register, or a
+ // local op for an arguments-aliased variable. In any of those cases,
+ // we should remove the phantom reference, since:
+ // 1) Phantoms only exist to aid OSR exit. But arguments simplification
+ // has its own OSR exit story, which is to inform OSR exit to reify
+ // the arguments as necessary.
+ // 2) The Phantom may keep the CreateArguments node alive, which is
+ // precisely what we don't want.
+ for (unsigned i = 0; i < AdjacencyList::Size; ++i)
+ removeArgumentsReferencingPhantomChild(node, i);
+ break;
+ }
+
+ case CheckStructure:
+ case ForwardCheckStructure:
+ case StructureTransitionWatchpoint:
+ case ForwardStructureTransitionWatchpoint:
+ case CheckArray: {
+ // We can just get rid of this node, if it references a phantom argument.
+ if (!isOKToOptimize(node->child1().node()))
+ break;
+ node->convertToPhantom();
+ node->children.setChild1(Edge());
+ break;
+ }
+
+ case GetByVal: {
+ if (node->arrayMode().type() != Array::Arguments)
+ break;
+
+ // This can be simplified to GetMyArgumentByVal if we know that
+ // it satisfies either condition (1) or (2):
+ // 1) Its first child is a valid ArgumentsAliasingData and the
+ // InlineCallFrame* is not marked as creating arguments.
+ // 2) Its first child is CreateArguments and its InlineCallFrame*
+ // is not marked as creating arguments.
+
+ if (!isOKToOptimize(node->child1().node()))
+ break;
+
+ node->children.child1() = node->children.child2();
+ node->children.child2() = Edge();
+ node->setOpAndDefaultFlags(GetMyArgumentByVal);
+ changed = true;
+ --indexInBlock; // Force reconsideration of this op now that it's a GetMyArgumentByVal.
+ break;
+ }
+
+ case GetArrayLength: {
+ if (node->arrayMode().type() != Array::Arguments)
+ break;
+
+ if (!isOKToOptimize(node->child1().node()))
+ break;
+
+ node->children.child1() = Edge();
+ node->setOpAndDefaultFlags(GetMyArgumentsLength);
+ changed = true;
+ --indexInBlock; // Force reconsideration of this op noew that it's a GetMyArgumentsLength.
+ break;
+ }
+
+ case GetMyArgumentsLength:
+ case GetMyArgumentsLengthSafe: {
+ if (m_createsArguments.contains(node->codeOrigin.inlineCallFrame)) {
+ ASSERT(node->op() == GetMyArgumentsLengthSafe);
+ break;
+ }
+ if (node->op() == GetMyArgumentsLengthSafe) {
+ node->setOp(GetMyArgumentsLength);
+ changed = true;
+ }
+
+ CodeOrigin codeOrigin = node->codeOrigin;
+ if (!codeOrigin.inlineCallFrame)
+ break;
+
+ // We know exactly what this will return. But only after we have checked
+ // that nobody has escaped our arguments.
+ insertionSet.insertNode(
+ indexInBlock, SpecNone, CheckArgumentsNotCreated, codeOrigin);
+
+ m_graph.convertToConstant(
+ node, jsNumber(codeOrigin.inlineCallFrame->arguments.size() - 1));
+ changed = true;
+ break;
+ }
+
+ case GetMyArgumentByVal:
+ case GetMyArgumentByValSafe: {
+ if (m_createsArguments.contains(node->codeOrigin.inlineCallFrame)) {
+ ASSERT(node->op() == GetMyArgumentByValSafe);
+ break;
+ }
+ if (node->op() == GetMyArgumentByValSafe) {
+ node->setOp(GetMyArgumentByVal);
+ changed = true;
+ }
+ if (!node->codeOrigin.inlineCallFrame)
+ break;
+ if (!node->child1()->hasConstant())
+ break;
+ JSValue value = node->child1()->valueOfJSConstant(codeBlock());
+ if (!value.isInt32())
+ break;
+ int32_t index = value.asInt32();
+ if (index < 0
+ || static_cast<size_t>(index + 1) >=
+ node->codeOrigin.inlineCallFrame->arguments.size())
+ break;
+
+ // We know which argument this is accessing. But only after we have checked
+ // that nobody has escaped our arguments. We also need to ensure that the
+ // index is kept alive. That's somewhat pointless since it's a constant, but
+ // it's important because this is one of those invariants that we like to
+ // have in the DFG. Note finally that we use the GetLocalUnlinked opcode
+ // here, since this is being done _after_ the prediction propagation phase
+ // has run - therefore it makes little sense to link the GetLocal operation
+ // into the VariableAccessData and Phi graphs.
+
+ CodeOrigin codeOrigin = node->codeOrigin;
+ AdjacencyList children = node->children;
+
+ node->convertToGetLocalUnlinked(
+ static_cast<VirtualRegister>(
+ node->codeOrigin.inlineCallFrame->stackOffset +
+ m_graph.baselineCodeBlockFor(node->codeOrigin)->argumentIndexAfterCapture(index)));
+
+ insertionSet.insertNode(
+ indexInBlock, SpecNone, CheckArgumentsNotCreated,
+ codeOrigin);
+ insertionSet.insertNode(
+ indexInBlock, SpecNone, Phantom, codeOrigin,
+ children);
+
+ changed = true;
+ break;
+ }
+
+ case TearOffArguments: {
+ if (m_createsArguments.contains(node->codeOrigin.inlineCallFrame))
+ continue;
+
+ node->setOpAndDefaultFlags(Nop);
+ m_graph.clearAndDerefChild1(node);
+ m_graph.clearAndDerefChild2(node);
+ break;
+ }
+
+ default:
+ break;
+ }
+ }
+ insertionSet.execute(block);
+ }
+
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+ BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+ if (!block)
+ continue;
+ for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+ Node* node = block->at(indexInBlock);
+ if (node->op() != CreateArguments)
+ continue;
+ // If this is a CreateArguments for an InlineCallFrame* that does
+ // not create arguments, then replace it with a PhantomArguments.
+ // PhantomArguments is a non-executing node that just indicates
+ // that the node should be reified as an arguments object on OSR
+ // exit.
+ if (m_createsArguments.contains(node->codeOrigin.inlineCallFrame))
+ continue;
+ insertionSet.insertNode(
+ indexInBlock, SpecNone, Phantom, node->codeOrigin, node->children);
+ node->setOpAndDefaultFlags(PhantomArguments);
+ node->children.reset();
+ changed = true;
+ }
+ insertionSet.execute(block);
+ }
+
+ if (changed) {
+ m_graph.dethread();
+ m_graph.m_form = LoadStore;
+ }
+
+ return changed;
+ }
+
+private:
+ HashSet<InlineCallFrame*,
+ DefaultHash<InlineCallFrame*>::Hash,
+ NullableHashTraits<InlineCallFrame*> > m_createsArguments;
+ HashMap<VariableAccessData*, ArgumentsAliasingData,
+ DefaultHash<VariableAccessData*>::Hash,
+ NullableHashTraits<VariableAccessData*> > m_argumentsAliasing;
+ HashSet<VariableAccessData*> m_isLive;
+
+ void observeBadArgumentsUse(Node* node)
+ {
+ if (!node)
+ return;
+
+ switch (node->op()) {
+ case CreateArguments: {
+ m_createsArguments.add(node->codeOrigin.inlineCallFrame);
+ break;
+ }
+
+ case GetLocal: {
+ int argumentsRegister = m_graph.uncheckedArgumentsRegisterFor(node->codeOrigin);
+ if (argumentsRegister != InvalidVirtualRegister
+ && (node->local() == argumentsRegister
+ || node->local() == unmodifiedArgumentsRegister(argumentsRegister))) {
+ m_createsArguments.add(node->codeOrigin.inlineCallFrame);
+ break;
+ }
+
+ VariableAccessData* variableAccessData = node->variableAccessData();
+ if (variableAccessData->isCaptured())
+ break;
+
+ ArgumentsAliasingData& data = m_argumentsAliasing.find(variableAccessData)->value;
+ data.escapes = true;
+ break;
+ }
+
+ default:
+ break;
+ }
+ }
+
+ void observeBadArgumentsUses(Node* node)
+ {
+ for (unsigned i = m_graph.numChildren(node); i--;)
+ observeBadArgumentsUse(m_graph.child(node, i).node());
+ }
+
+ void observeProperArgumentsUse(Node* node, Edge edge)
+ {
+ if (edge->op() != GetLocal) {
+ // When can this happen? At least two cases that I can think
+ // of:
+ //
+ // 1) Aliased use of arguments in the same basic block,
+ // like:
+ //
+ // var a = arguments;
+ // var x = arguments[i];
+ //
+ // 2) If we're accessing arguments we got from the heap!
+
+ if (edge->op() == CreateArguments
+ && node->codeOrigin.inlineCallFrame
+ != edge->codeOrigin.inlineCallFrame)
+ m_createsArguments.add(edge->codeOrigin.inlineCallFrame);
+
+ return;
+ }
+
+ VariableAccessData* variableAccessData = edge->variableAccessData();
+ if (edge->local() == m_graph.uncheckedArgumentsRegisterFor(edge->codeOrigin)
+ && node->codeOrigin.inlineCallFrame != edge->codeOrigin.inlineCallFrame) {
+ m_createsArguments.add(edge->codeOrigin.inlineCallFrame);
+ return;
+ }
+
+ if (variableAccessData->isCaptured())
+ return;
+
+ ArgumentsAliasingData& data = m_argumentsAliasing.find(variableAccessData)->value;
+ data.mergeCallContext(node->codeOrigin.inlineCallFrame);
+ }
+
+ bool isOKToOptimize(Node* source)
+ {
+ if (m_createsArguments.contains(source->codeOrigin.inlineCallFrame))
+ return false;
+
+ switch (source->op()) {
+ case GetLocal: {
+ VariableAccessData* variableAccessData = source->variableAccessData();
+ int argumentsRegister = m_graph.uncheckedArgumentsRegisterFor(source->codeOrigin);
+ if (argumentsRegister == InvalidVirtualRegister)
+ break;
+ if (argumentsRegister == variableAccessData->local())
+ return true;
+ if (unmodifiedArgumentsRegister(argumentsRegister) == variableAccessData->local())
+ return true;
+ if (variableAccessData->isCaptured())
+ break;
+ ArgumentsAliasingData& data =
+ m_argumentsAliasing.find(variableAccessData)->value;
+ if (!data.isValid())
+ break;
+
+ return true;
+ }
+
+ case CreateArguments: {
+ return true;
+ }
+
+ default:
+ break;
+ }
+
+ return false;
+ }
+
+ void removeArgumentsReferencingPhantomChild(Node* node, unsigned edgeIndex)
+ {
+ Edge edge = node->children.child(edgeIndex);
+ if (!edge)
+ return;
+
+ switch (edge->op()) {
+ case Phi: // Arises if we had CSE on a GetLocal of the arguments register.
+ case GetLocal: // Arises if we had CSE on an arguments access to a variable aliased to the arguments.
+ case SetLocal: { // Arises if we had CSE on a GetLocal of the arguments register.
+ VariableAccessData* variableAccessData = edge->variableAccessData();
+ bool isDeadArgumentsRegister =
+ variableAccessData->local() ==
+ m_graph.uncheckedArgumentsRegisterFor(edge->codeOrigin)
+ && !m_createsArguments.contains(edge->codeOrigin.inlineCallFrame);
+ bool isAliasedArgumentsRegister =
+ !variableAccessData->isCaptured()
+ && m_argumentsAliasing.find(variableAccessData)->value.isValid()
+ && !m_createsArguments.contains(edge->codeOrigin.inlineCallFrame);
+ if (!isDeadArgumentsRegister && !isAliasedArgumentsRegister)
+ break;
+ node->children.removeEdge(edgeIndex);
+ break;
+ }
+
+ case CreateArguments: { // Arises if we CSE two GetLocals to the arguments register and then CSE the second use of the GetLocal to the first.
+ if (m_createsArguments.contains(edge->codeOrigin.inlineCallFrame))
+ break;
+ node->children.removeEdge(edgeIndex);
+ break;
+ }
+
+ default:
+ break;
+ }
+ }
+};
+
+bool performArgumentsSimplification(Graph& graph)
+{
+ SamplingRegion samplingRegion("DFG Arguments Simplification Phase");
+ return runPhase<ArgumentsSimplificationPhase>(graph);
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+
projects / apple / javascriptcore.git / blobdiff