diff options
Diffstat (limited to '')
-rw-r--r-- | js/src/jit/ScalarReplacement.cpp | 3086 |
1 files changed, 3086 insertions, 0 deletions
diff --git a/js/src/jit/ScalarReplacement.cpp b/js/src/jit/ScalarReplacement.cpp new file mode 100644 index 0000000000..0ded3601aa --- /dev/null +++ b/js/src/jit/ScalarReplacement.cpp @@ -0,0 +1,3086 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * vim: set ts=8 sts=2 et sw=2 tw=80: + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "jit/ScalarReplacement.h" + +#include "jit/IonAnalysis.h" +#include "jit/JitSpewer.h" +#include "jit/MIR.h" +#include "jit/MIRGenerator.h" +#include "jit/MIRGraph.h" +#include "jit/WarpBuilderShared.h" +#include "js/Vector.h" +#include "vm/ArgumentsObject.h" + +#include "gc/ObjectKind-inl.h" + +namespace js { +namespace jit { + +template <typename MemoryView> +class EmulateStateOf { + private: + using BlockState = typename MemoryView::BlockState; + + MIRGenerator* mir_; + MIRGraph& graph_; + + // Block state at the entrance of all basic blocks. + Vector<BlockState*, 8, SystemAllocPolicy> states_; + + public: + EmulateStateOf(MIRGenerator* mir, MIRGraph& graph) + : mir_(mir), graph_(graph) {} + + bool run(MemoryView& view); +}; + +template <typename MemoryView> +bool EmulateStateOf<MemoryView>::run(MemoryView& view) { + // Initialize the current block state of each block to an unknown state. + if (!states_.appendN(nullptr, graph_.numBlocks())) { + return false; + } + + // Initialize the first block which needs to be traversed in RPO. + MBasicBlock* startBlock = view.startingBlock(); + if (!view.initStartingState(&states_[startBlock->id()])) { + return false; + } + + // Iterate over each basic block which has a valid entry state, and merge + // the state in the successor blocks. + for (ReversePostorderIterator block = graph_.rpoBegin(startBlock); + block != graph_.rpoEnd(); block++) { + if (mir_->shouldCancel(MemoryView::phaseName)) { + return false; + } + + // Get the block state as the result of the merge of all predecessors + // which have already been visited in RPO. This means that backedges + // are not yet merged into the loop. + BlockState* state = states_[block->id()]; + if (!state) { + continue; + } + view.setEntryBlockState(state); + + // Iterates over resume points, phi and instructions. + for (MNodeIterator iter(*block); iter;) { + // Increment the iterator before visiting the instruction, as the + // visit function might discard itself from the basic block. + MNode* ins = *iter++; + if (ins->isDefinition()) { + MDefinition* def = ins->toDefinition(); + switch (def->op()) { +#define MIR_OP(op) \ + case MDefinition::Opcode::op: \ + view.visit##op(def->to##op()); \ + break; + MIR_OPCODE_LIST(MIR_OP) +#undef MIR_OP + } + } else { + view.visitResumePoint(ins->toResumePoint()); + } + if (!graph_.alloc().ensureBallast()) { + return false; + } + if (view.oom()) { + return false; + } + } + + // For each successor, merge the current state into the state of the + // successors. + for (size_t s = 0; s < block->numSuccessors(); s++) { + MBasicBlock* succ = block->getSuccessor(s); + if (!view.mergeIntoSuccessorState(*block, succ, &states_[succ->id()])) { + return false; + } + } + } + + states_.clear(); + return true; +} + +static inline bool IsOptimizableObjectInstruction(MInstruction* ins) { + return ins->isNewObject() || ins->isNewPlainObject() || + ins->isNewCallObject() || ins->isNewIterator(); +} + +static bool PhiOperandEqualTo(MDefinition* operand, MInstruction* newObject) { + if (operand == newObject) { + return true; + } + + switch (operand->op()) { + case MDefinition::Opcode::GuardShape: + return PhiOperandEqualTo(operand->toGuardShape()->input(), newObject); + + case MDefinition::Opcode::GuardToClass: + return PhiOperandEqualTo(operand->toGuardToClass()->input(), newObject); + + case MDefinition::Opcode::CheckIsObj: + return PhiOperandEqualTo(operand->toCheckIsObj()->input(), newObject); + + case MDefinition::Opcode::Unbox: + return PhiOperandEqualTo(operand->toUnbox()->input(), newObject); + + default: + return false; + } +} + +// Return true if all phi operands are equal to |newObject|. +static bool PhiOperandsEqualTo(MPhi* phi, MInstruction* newObject) { + MOZ_ASSERT(IsOptimizableObjectInstruction(newObject)); + + for (size_t i = 0, e = phi->numOperands(); i < e; i++) { + if (!PhiOperandEqualTo(phi->getOperand(i), newObject)) { + return false; + } + } + return true; +} + +static bool IsObjectEscaped(MDefinition* ins, MInstruction* newObject, + const Shape* shapeDefault = nullptr); + +// Returns False if the lambda is not escaped and if it is optimizable by +// ScalarReplacementOfObject. +static bool IsLambdaEscaped(MInstruction* ins, MInstruction* lambda, + MInstruction* newObject, const Shape* shape) { + MOZ_ASSERT(lambda->isLambda() || lambda->isFunctionWithProto()); + MOZ_ASSERT(IsOptimizableObjectInstruction(newObject)); + JitSpewDef(JitSpew_Escape, "Check lambda\n", ins); + JitSpewIndent spewIndent(JitSpew_Escape); + + // The scope chain is not escaped if none of the Lambdas which are + // capturing it are escaped. + for (MUseIterator i(ins->usesBegin()); i != ins->usesEnd(); i++) { + MNode* consumer = (*i)->consumer(); + if (!consumer->isDefinition()) { + // Cannot optimize if it is observable from fun.arguments or others. + if (!consumer->toResumePoint()->isRecoverableOperand(*i)) { + JitSpew(JitSpew_Escape, "Observable lambda cannot be recovered"); + return true; + } + continue; + } + + MDefinition* def = consumer->toDefinition(); + switch (def->op()) { + case MDefinition::Opcode::GuardToFunction: { + auto* guard = def->toGuardToFunction(); + if (IsLambdaEscaped(guard, lambda, newObject, shape)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::GuardFunctionScript: { + auto* guard = def->toGuardFunctionScript(); + BaseScript* actual; + if (lambda->isLambda()) { + actual = lambda->toLambda()->templateFunction()->baseScript(); + } else { + actual = lambda->toFunctionWithProto()->function()->baseScript(); + } + if (actual != guard->expected()) { + JitSpewDef(JitSpew_Escape, "has a non-matching script guard\n", + guard); + return true; + } + if (IsLambdaEscaped(guard, lambda, newObject, shape)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::FunctionEnvironment: { + if (IsObjectEscaped(def->toFunctionEnvironment(), newObject, shape)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + default: + JitSpewDef(JitSpew_Escape, "is escaped by\n", def); + return true; + } + } + JitSpew(JitSpew_Escape, "Lambda is not escaped"); + return false; +} + +static bool IsLambdaEscaped(MInstruction* lambda, MInstruction* newObject, + const Shape* shape) { + return IsLambdaEscaped(lambda, lambda, newObject, shape); +} + +// Returns False if the object is not escaped and if it is optimizable by +// ScalarReplacementOfObject. +// +// For the moment, this code is dumb as it only supports objects which are not +// changing shape. +static bool IsObjectEscaped(MDefinition* ins, MInstruction* newObject, + const Shape* shapeDefault) { + MOZ_ASSERT(ins->type() == MIRType::Object || ins->isPhi()); + MOZ_ASSERT(IsOptimizableObjectInstruction(newObject)); + + JitSpewDef(JitSpew_Escape, "Check object\n", ins); + JitSpewIndent spewIndent(JitSpew_Escape); + + const Shape* shape = shapeDefault; + if (!shape) { + if (ins->isNewPlainObject()) { + shape = ins->toNewPlainObject()->shape(); + } else if (JSObject* templateObj = MObjectState::templateObjectOf(ins)) { + shape = templateObj->shape(); + } + } + + if (!shape) { + JitSpew(JitSpew_Escape, "No shape defined."); + return true; + } + + // Check if the object is escaped. If the object is not the first argument + // of either a known Store / Load, then we consider it as escaped. This is a + // cheap and conservative escape analysis. + for (MUseIterator i(ins->usesBegin()); i != ins->usesEnd(); i++) { + MNode* consumer = (*i)->consumer(); + if (!consumer->isDefinition()) { + // Cannot optimize if it is observable from fun.arguments or others. + if (!consumer->toResumePoint()->isRecoverableOperand(*i)) { + JitSpew(JitSpew_Escape, "Observable object cannot be recovered"); + return true; + } + continue; + } + + MDefinition* def = consumer->toDefinition(); + switch (def->op()) { + case MDefinition::Opcode::StoreFixedSlot: + case MDefinition::Opcode::LoadFixedSlot: + // Not escaped if it is the first argument. + if (def->indexOf(*i) == 0) { + break; + } + + JitSpewDef(JitSpew_Escape, "is escaped by\n", def); + return true; + + case MDefinition::Opcode::PostWriteBarrier: + break; + + case MDefinition::Opcode::Slots: { +#ifdef DEBUG + // Assert that MSlots are only used by MStoreDynamicSlot and + // MLoadDynamicSlot. + MSlots* ins = def->toSlots(); + MOZ_ASSERT(ins->object() != 0); + for (MUseIterator i(ins->usesBegin()); i != ins->usesEnd(); i++) { + // toDefinition should normally never fail, since they don't get + // captured by resume points. + MDefinition* def = (*i)->consumer()->toDefinition(); + MOZ_ASSERT(def->op() == MDefinition::Opcode::StoreDynamicSlot || + def->op() == MDefinition::Opcode::LoadDynamicSlot); + } +#endif + break; + } + + case MDefinition::Opcode::GuardShape: { + MGuardShape* guard = def->toGuardShape(); + MOZ_ASSERT(!ins->isGuardShape()); + if (shape != guard->shape()) { + JitSpewDef(JitSpew_Escape, "has a non-matching guard shape\n", guard); + return true; + } + if (IsObjectEscaped(def->toInstruction(), newObject, shape)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::GuardToClass: { + MGuardToClass* guard = def->toGuardToClass(); + if (!shape || shape->getObjectClass() != guard->getClass()) { + JitSpewDef(JitSpew_Escape, "has a non-matching class guard\n", guard); + return true; + } + if (IsObjectEscaped(def->toInstruction(), newObject, shape)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::CheckIsObj: { + if (IsObjectEscaped(def->toInstruction(), newObject, shape)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::Unbox: { + if (def->type() != MIRType::Object) { + JitSpewDef(JitSpew_Escape, "has an invalid unbox\n", def); + return true; + } + if (IsObjectEscaped(def->toInstruction(), newObject, shape)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::Lambda: + case MDefinition::Opcode::FunctionWithProto: { + if (IsLambdaEscaped(def->toInstruction(), newObject, shape)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::Phi: { + auto* phi = def->toPhi(); + if (!PhiOperandsEqualTo(phi, newObject)) { + JitSpewDef(JitSpew_Escape, "has different phi operands\n", def); + return true; + } + if (IsObjectEscaped(phi, newObject, shape)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::Compare: { + bool canFold; + if (!def->toCompare()->tryFold(&canFold)) { + JitSpewDef(JitSpew_Escape, "has an unsupported compare\n", def); + return true; + } + break; + } + + // Doesn't escape the object. + case MDefinition::Opcode::IsObject: + break; + + // This instruction is a no-op used to verify that scalar replacement + // is working as expected in jit-test. + case MDefinition::Opcode::AssertRecoveredOnBailout: + break; + + // This is just a special flavor of constant which lets us optimize + // out some guards in certain circumstances. We'll turn this into a + // regular constant later. + case MDefinition::Opcode::ConstantProto: + break; + + // We definitely don't need barriers for objects that don't exist. + case MDefinition::Opcode::AssertCanElidePostWriteBarrier: + break; + + default: + JitSpewDef(JitSpew_Escape, "is escaped by\n", def); + return true; + } + } + + JitSpew(JitSpew_Escape, "Object is not escaped"); + return false; +} + +class ObjectMemoryView : public MDefinitionVisitorDefaultNoop { + public: + using BlockState = MObjectState; + static const char phaseName[]; + + private: + TempAllocator& alloc_; + MConstant* undefinedVal_; + MInstruction* obj_; + MBasicBlock* startBlock_; + BlockState* state_; + + // Used to improve the memory usage by sharing common modification. + const MResumePoint* lastResumePoint_; + + bool oom_; + + public: + ObjectMemoryView(TempAllocator& alloc, MInstruction* obj); + + MBasicBlock* startingBlock(); + bool initStartingState(BlockState** pState); + + void setEntryBlockState(BlockState* state); + bool mergeIntoSuccessorState(MBasicBlock* curr, MBasicBlock* succ, + BlockState** pSuccState); + +#ifdef DEBUG + void assertSuccess(); +#else + void assertSuccess() {} +#endif + + bool oom() const { return oom_; } + + private: + MDefinition* functionForCallObject(MDefinition* ins); + + public: + void visitResumePoint(MResumePoint* rp); + void visitObjectState(MObjectState* ins); + void visitStoreFixedSlot(MStoreFixedSlot* ins); + void visitLoadFixedSlot(MLoadFixedSlot* ins); + void visitPostWriteBarrier(MPostWriteBarrier* ins); + void visitStoreDynamicSlot(MStoreDynamicSlot* ins); + void visitLoadDynamicSlot(MLoadDynamicSlot* ins); + void visitGuardShape(MGuardShape* ins); + void visitGuardToClass(MGuardToClass* ins); + void visitCheckIsObj(MCheckIsObj* ins); + void visitUnbox(MUnbox* ins); + void visitFunctionEnvironment(MFunctionEnvironment* ins); + void visitGuardToFunction(MGuardToFunction* ins); + void visitGuardFunctionScript(MGuardFunctionScript* ins); + void visitLambda(MLambda* ins); + void visitFunctionWithProto(MFunctionWithProto* ins); + void visitPhi(MPhi* ins); + void visitCompare(MCompare* ins); + void visitConstantProto(MConstantProto* ins); + void visitIsObject(MIsObject* ins); + void visitAssertCanElidePostWriteBarrier( + MAssertCanElidePostWriteBarrier* ins); +}; + +/* static */ const char ObjectMemoryView::phaseName[] = + "Scalar Replacement of Object"; + +ObjectMemoryView::ObjectMemoryView(TempAllocator& alloc, MInstruction* obj) + : alloc_(alloc), + undefinedVal_(nullptr), + obj_(obj), + startBlock_(obj->block()), + state_(nullptr), + lastResumePoint_(nullptr), + oom_(false) { + // Annotate snapshots RValue such that we recover the store first. + obj_->setIncompleteObject(); + + // Annotate the instruction such that we do not replace it by a + // Magic(JS_OPTIMIZED_OUT) in case of removed uses. + obj_->setImplicitlyUsedUnchecked(); +} + +MBasicBlock* ObjectMemoryView::startingBlock() { return startBlock_; } + +bool ObjectMemoryView::initStartingState(BlockState** pState) { + // Uninitialized slots have an "undefined" value. + undefinedVal_ = MConstant::New(alloc_, UndefinedValue()); + startBlock_->insertBefore(obj_, undefinedVal_); + + // Create a new block state and insert at it at the location of the new + // object. + BlockState* state = BlockState::New(alloc_, obj_); + if (!state) { + return false; + } + + startBlock_->insertAfter(obj_, state); + + // Initialize the properties of the object state. + state->initFromTemplateObject(alloc_, undefinedVal_); + + // Hold out of resume point until it is visited. + state->setInWorklist(); + + *pState = state; + return true; +} + +void ObjectMemoryView::setEntryBlockState(BlockState* state) { state_ = state; } + +bool ObjectMemoryView::mergeIntoSuccessorState(MBasicBlock* curr, + MBasicBlock* succ, + BlockState** pSuccState) { + BlockState* succState = *pSuccState; + + // When a block has no state yet, create an empty one for the + // successor. + if (!succState) { + // If the successor is not dominated then the object cannot flow + // in this basic block without a Phi. We know that no Phi exist + // in non-dominated successors as the conservative escaped + // analysis fails otherwise. Such condition can succeed if the + // successor is a join at the end of a if-block and the object + // only exists within the branch. + if (!startBlock_->dominates(succ)) { + return true; + } + + // If there is only one predecessor, carry over the last state of the + // block to the successor. As the block state is immutable, if the + // current block has multiple successors, they will share the same entry + // state. + if (succ->numPredecessors() <= 1 || !state_->numSlots()) { + *pSuccState = state_; + return true; + } + + // If we have multiple predecessors, then we allocate one Phi node for + // each predecessor, and create a new block state which only has phi + // nodes. These would later be removed by the removal of redundant phi + // nodes. + succState = BlockState::Copy(alloc_, state_); + if (!succState) { + return false; + } + + size_t numPreds = succ->numPredecessors(); + for (size_t slot = 0; slot < state_->numSlots(); slot++) { + MPhi* phi = MPhi::New(alloc_.fallible()); + if (!phi || !phi->reserveLength(numPreds)) { + return false; + } + + // Fill the input of the successors Phi with undefined + // values, and each block later fills the Phi inputs. + for (size_t p = 0; p < numPreds; p++) { + phi->addInput(undefinedVal_); + } + + // Add Phi in the list of Phis of the basic block. + succ->addPhi(phi); + succState->setSlot(slot, phi); + } + + // Insert the newly created block state instruction at the beginning + // of the successor block, after all the phi nodes. Note that it + // would be captured by the entry resume point of the successor + // block. + succ->insertBefore(succ->safeInsertTop(), succState); + *pSuccState = succState; + } + + MOZ_ASSERT_IF(succ == startBlock_, startBlock_->isLoopHeader()); + if (succ->numPredecessors() > 1 && succState->numSlots() && + succ != startBlock_) { + // We need to re-compute successorWithPhis as the previous EliminatePhis + // phase might have removed all the Phis from the successor block. + size_t currIndex; + MOZ_ASSERT(!succ->phisEmpty()); + if (curr->successorWithPhis()) { + MOZ_ASSERT(curr->successorWithPhis() == succ); + currIndex = curr->positionInPhiSuccessor(); + } else { + currIndex = succ->indexForPredecessor(curr); + curr->setSuccessorWithPhis(succ, currIndex); + } + MOZ_ASSERT(succ->getPredecessor(currIndex) == curr); + + // Copy the current slot states to the index of current block in all the + // Phi created during the first visit of the successor. + for (size_t slot = 0; slot < state_->numSlots(); slot++) { + MPhi* phi = succState->getSlot(slot)->toPhi(); + phi->replaceOperand(currIndex, state_->getSlot(slot)); + } + } + + return true; +} + +#ifdef DEBUG +void ObjectMemoryView::assertSuccess() { + for (MUseIterator i(obj_->usesBegin()); i != obj_->usesEnd(); i++) { + MNode* ins = (*i)->consumer(); + MDefinition* def = nullptr; + + // Resume points have been replaced by the object state. + if (ins->isResumePoint() || + (def = ins->toDefinition())->isRecoveredOnBailout()) { + MOZ_ASSERT(obj_->isIncompleteObject()); + continue; + } + + // The only remaining uses would be removed by DCE, which will also + // recover the object on bailouts. + MOZ_ASSERT(def->isSlots() || def->isLambda() || def->isFunctionWithProto()); + MOZ_ASSERT(!def->hasDefUses()); + } +} +#endif + +void ObjectMemoryView::visitResumePoint(MResumePoint* rp) { + // As long as the MObjectState is not yet seen next to the allocation, we do + // not patch the resume point to recover the side effects. + if (!state_->isInWorklist()) { + rp->addStore(alloc_, state_, lastResumePoint_); + lastResumePoint_ = rp; + } +} + +void ObjectMemoryView::visitObjectState(MObjectState* ins) { + if (ins->isInWorklist()) { + ins->setNotInWorklist(); + } +} + +void ObjectMemoryView::visitStoreFixedSlot(MStoreFixedSlot* ins) { + // Skip stores made on other objects. + if (ins->object() != obj_) { + return; + } + + // Clone the state and update the slot value. + if (state_->hasFixedSlot(ins->slot())) { + state_ = BlockState::Copy(alloc_, state_); + if (!state_) { + oom_ = true; + return; + } + + state_->setFixedSlot(ins->slot(), ins->value()); + ins->block()->insertBefore(ins->toInstruction(), state_); + } else { + // UnsafeSetReserveSlot can access baked-in slots which are guarded by + // conditions, which are not seen by the escape analysis. + MBail* bailout = MBail::New(alloc_, BailoutKind::Inevitable); + ins->block()->insertBefore(ins, bailout); + } + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitLoadFixedSlot(MLoadFixedSlot* ins) { + // Skip loads made on other objects. + if (ins->object() != obj_) { + return; + } + + // Replace load by the slot value. + if (state_->hasFixedSlot(ins->slot())) { + ins->replaceAllUsesWith(state_->getFixedSlot(ins->slot())); + } else { + // UnsafeGetReserveSlot can access baked-in slots which are guarded by + // conditions, which are not seen by the escape analysis. + MBail* bailout = MBail::New(alloc_, BailoutKind::Inevitable); + ins->block()->insertBefore(ins, bailout); + ins->replaceAllUsesWith(undefinedVal_); + } + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitPostWriteBarrier(MPostWriteBarrier* ins) { + // Skip loads made on other objects. + if (ins->object() != obj_) { + return; + } + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitStoreDynamicSlot(MStoreDynamicSlot* ins) { + // Skip stores made on other objects. + MSlots* slots = ins->slots()->toSlots(); + if (slots->object() != obj_) { + // Guard objects are replaced when they are visited. + MOZ_ASSERT(!slots->object()->isGuardShape() || + slots->object()->toGuardShape()->object() != obj_); + return; + } + + // Clone the state and update the slot value. + if (state_->hasDynamicSlot(ins->slot())) { + state_ = BlockState::Copy(alloc_, state_); + if (!state_) { + oom_ = true; + return; + } + + state_->setDynamicSlot(ins->slot(), ins->value()); + ins->block()->insertBefore(ins->toInstruction(), state_); + } else { + // UnsafeSetReserveSlot can access baked-in slots which are guarded by + // conditions, which are not seen by the escape analysis. + MBail* bailout = MBail::New(alloc_, BailoutKind::Inevitable); + ins->block()->insertBefore(ins, bailout); + } + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitLoadDynamicSlot(MLoadDynamicSlot* ins) { + // Skip loads made on other objects. + MSlots* slots = ins->slots()->toSlots(); + if (slots->object() != obj_) { + // Guard objects are replaced when they are visited. + MOZ_ASSERT(!slots->object()->isGuardShape() || + slots->object()->toGuardShape()->object() != obj_); + return; + } + + // Replace load by the slot value. + if (state_->hasDynamicSlot(ins->slot())) { + ins->replaceAllUsesWith(state_->getDynamicSlot(ins->slot())); + } else { + // UnsafeGetReserveSlot can access baked-in slots which are guarded by + // conditions, which are not seen by the escape analysis. + MBail* bailout = MBail::New(alloc_, BailoutKind::Inevitable); + ins->block()->insertBefore(ins, bailout); + ins->replaceAllUsesWith(undefinedVal_); + } + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitGuardShape(MGuardShape* ins) { + // Skip guards on other objects. + if (ins->object() != obj_) { + return; + } + + // Replace the guard by its object. + ins->replaceAllUsesWith(obj_); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitGuardToClass(MGuardToClass* ins) { + // Skip guards on other objects. + if (ins->object() != obj_) { + return; + } + + // Replace the guard by its object. + ins->replaceAllUsesWith(obj_); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitCheckIsObj(MCheckIsObj* ins) { + // Skip checks on other objects. + if (ins->input() != obj_) { + return; + } + + // Replace the check by its object. + ins->replaceAllUsesWith(obj_); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitUnbox(MUnbox* ins) { + // Skip unrelated unboxes. + if (ins->input() != obj_) { + return; + } + MOZ_ASSERT(ins->type() == MIRType::Object); + + // Replace the unbox with the object. + ins->replaceAllUsesWith(obj_); + + // Remove the unbox. + ins->block()->discard(ins); +} + +MDefinition* ObjectMemoryView::functionForCallObject(MDefinition* ins) { + // Return early when we don't replace MNewCallObject. + if (!obj_->isNewCallObject()) { + return nullptr; + } + + // Unwrap instructions until we found either MLambda or MFunctionWithProto. + // Return the function instruction if their environment chain matches the + // MNewCallObject we're about to replace. + while (true) { + switch (ins->op()) { + case MDefinition::Opcode::Lambda: { + if (ins->toLambda()->environmentChain() == obj_) { + return ins; + } + return nullptr; + } + case MDefinition::Opcode::FunctionWithProto: { + if (ins->toFunctionWithProto()->environmentChain() == obj_) { + return ins; + } + return nullptr; + } + case MDefinition::Opcode::FunctionEnvironment: + ins = ins->toFunctionEnvironment()->function(); + break; + case MDefinition::Opcode::GuardToFunction: + ins = ins->toGuardToFunction()->object(); + break; + case MDefinition::Opcode::GuardFunctionScript: + ins = ins->toGuardFunctionScript()->function(); + break; + default: + return nullptr; + } + } +} + +void ObjectMemoryView::visitFunctionEnvironment(MFunctionEnvironment* ins) { + // Skip function environment which are not aliases of the NewCallObject. + if (!functionForCallObject(ins)) { + return; + } + + // Replace the function environment by the scope chain of the lambda. + ins->replaceAllUsesWith(obj_); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitGuardToFunction(MGuardToFunction* ins) { + // Skip guards on other objects. + auto* function = functionForCallObject(ins); + if (!function) { + return; + } + + // Replace the guard by its object. + ins->replaceAllUsesWith(function); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitGuardFunctionScript(MGuardFunctionScript* ins) { + // Skip guards on other objects. + auto* function = functionForCallObject(ins); + if (!function) { + return; + } + + // Replace the guard by its object. + ins->replaceAllUsesWith(function); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitLambda(MLambda* ins) { + if (ins->environmentChain() != obj_) { + return; + } + + // In order to recover the lambda we need to recover the scope chain, as the + // lambda is holding it. + ins->setIncompleteObject(); +} + +void ObjectMemoryView::visitFunctionWithProto(MFunctionWithProto* ins) { + if (ins->environmentChain() != obj_) { + return; + } + + ins->setIncompleteObject(); +} + +void ObjectMemoryView::visitPhi(MPhi* ins) { + // Skip phis on other objects. + if (!PhiOperandsEqualTo(ins, obj_)) { + return; + } + + // Replace the phi by its object. + ins->replaceAllUsesWith(obj_); + + // Remove original instruction. + ins->block()->discardPhi(ins); +} + +void ObjectMemoryView::visitCompare(MCompare* ins) { + // Skip unrelated comparisons. + if (ins->lhs() != obj_ && ins->rhs() != obj_) { + return; + } + + bool folded; + MOZ_ALWAYS_TRUE(ins->tryFold(&folded)); + + auto* cst = MConstant::New(alloc_, BooleanValue(folded)); + ins->block()->insertBefore(ins, cst); + + // Replace the comparison with a constant. + ins->replaceAllUsesWith(cst); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitConstantProto(MConstantProto* ins) { + if (ins->getReceiverObject() != obj_) { + return; + } + + auto* cst = ins->protoObject(); + ins->replaceAllUsesWith(cst); + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitIsObject(MIsObject* ins) { + // Skip unrelated tests. + if (ins->input() != obj_) { + return; + } + + auto* cst = MConstant::New(alloc_, BooleanValue(true)); + ins->block()->insertBefore(ins, cst); + + // Replace the test with a constant. + ins->replaceAllUsesWith(cst); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ObjectMemoryView::visitAssertCanElidePostWriteBarrier( + MAssertCanElidePostWriteBarrier* ins) { + if (ins->object() != obj_) { + return; + } + + ins->block()->discard(ins); +} + +static bool IndexOf(MDefinition* ins, int32_t* res) { + MOZ_ASSERT(ins->isLoadElement() || ins->isStoreElement()); + MDefinition* indexDef = ins->getOperand(1); // ins->index(); + if (indexDef->isSpectreMaskIndex()) { + indexDef = indexDef->toSpectreMaskIndex()->index(); + } + if (indexDef->isBoundsCheck()) { + indexDef = indexDef->toBoundsCheck()->index(); + } + if (indexDef->isToNumberInt32()) { + indexDef = indexDef->toToNumberInt32()->getOperand(0); + } + MConstant* indexDefConst = indexDef->maybeConstantValue(); + if (!indexDefConst || indexDefConst->type() != MIRType::Int32) { + return false; + } + *res = indexDefConst->toInt32(); + return true; +} + +static inline bool IsOptimizableArrayInstruction(MInstruction* ins) { + return ins->isNewArray() || ins->isNewArrayObject(); +} + +// We don't support storing holes when doing scalar replacement, so any +// optimizable MNewArrayObject instruction is guaranteed to be packed. +static inline bool IsPackedArray(MInstruction* ins) { + return ins->isNewArrayObject(); +} + +// Returns False if the elements is not escaped and if it is optimizable by +// ScalarReplacementOfArray. +static bool IsElementEscaped(MDefinition* def, MInstruction* newArray, + uint32_t arraySize) { + MOZ_ASSERT(def->isElements()); + MOZ_ASSERT(IsOptimizableArrayInstruction(newArray)); + + JitSpewDef(JitSpew_Escape, "Check elements\n", def); + JitSpewIndent spewIndent(JitSpew_Escape); + + for (MUseIterator i(def->usesBegin()); i != def->usesEnd(); i++) { + // The MIRType::Elements cannot be captured in a resume point as + // it does not represent a value allocation. + MDefinition* access = (*i)->consumer()->toDefinition(); + + switch (access->op()) { + case MDefinition::Opcode::LoadElement: { + MOZ_ASSERT(access->toLoadElement()->elements() == def); + + // If the index is not a constant then this index can alias + // all others. We do not handle this case. + int32_t index; + if (!IndexOf(access, &index)) { + JitSpewDef(JitSpew_Escape, + "has a load element with a non-trivial index\n", access); + return true; + } + if (index < 0 || arraySize <= uint32_t(index)) { + JitSpewDef(JitSpew_Escape, + "has a load element with an out-of-bound index\n", access); + return true; + } + break; + } + + case MDefinition::Opcode::StoreElement: { + MStoreElement* storeElem = access->toStoreElement(); + MOZ_ASSERT(storeElem->elements() == def); + + // StoreElement must bail out if it stores to a hole, in case + // there is a setter on the prototype chain. If this StoreElement + // might store to a hole, we can't scalar-replace it. + if (storeElem->needsHoleCheck()) { + JitSpewDef(JitSpew_Escape, "has a store element with a hole check\n", + storeElem); + return true; + } + + // If the index is not a constant then this index can alias + // all others. We do not handle this case. + int32_t index; + if (!IndexOf(storeElem, &index)) { + JitSpewDef(JitSpew_Escape, + "has a store element with a non-trivial index\n", + storeElem); + return true; + } + if (index < 0 || arraySize <= uint32_t(index)) { + JitSpewDef(JitSpew_Escape, + "has a store element with an out-of-bound index\n", + storeElem); + return true; + } + + // Dense element holes are written using MStoreHoleValueElement instead + // of MStoreElement. + MOZ_ASSERT(storeElem->value()->type() != MIRType::MagicHole); + break; + } + + case MDefinition::Opcode::SetInitializedLength: + MOZ_ASSERT(access->toSetInitializedLength()->elements() == def); + break; + + case MDefinition::Opcode::InitializedLength: + MOZ_ASSERT(access->toInitializedLength()->elements() == def); + break; + + case MDefinition::Opcode::ArrayLength: + MOZ_ASSERT(access->toArrayLength()->elements() == def); + break; + + case MDefinition::Opcode::ApplyArray: + MOZ_ASSERT(access->toApplyArray()->getElements() == def); + if (!IsPackedArray(newArray)) { + JitSpewDef(JitSpew_Escape, "is not guaranteed to be packed\n", + access); + return true; + } + break; + + case MDefinition::Opcode::ConstructArray: + MOZ_ASSERT(access->toConstructArray()->getElements() == def); + if (!IsPackedArray(newArray)) { + JitSpewDef(JitSpew_Escape, "is not guaranteed to be packed\n", + access); + return true; + } + break; + + default: + JitSpewDef(JitSpew_Escape, "is escaped by\n", access); + return true; + } + } + JitSpew(JitSpew_Escape, "Elements is not escaped"); + return false; +} + +// Returns False if the array is not escaped and if it is optimizable by +// ScalarReplacementOfArray. +// +// For the moment, this code is dumb as it only supports arrays which are not +// changing length, with only access with known constants. +static bool IsArrayEscaped(MInstruction* ins, MInstruction* newArray) { + MOZ_ASSERT(ins->type() == MIRType::Object); + MOZ_ASSERT(IsOptimizableArrayInstruction(newArray)); + + JitSpewDef(JitSpew_Escape, "Check array\n", ins); + JitSpewIndent spewIndent(JitSpew_Escape); + + const Shape* shape; + uint32_t length; + if (newArray->isNewArrayObject()) { + length = newArray->toNewArrayObject()->length(); + shape = newArray->toNewArrayObject()->shape(); + } else { + length = newArray->toNewArray()->length(); + JSObject* templateObject = newArray->toNewArray()->templateObject(); + if (!templateObject) { + JitSpew(JitSpew_Escape, "No template object defined."); + return true; + } + shape = templateObject->shape(); + } + + if (length >= 16) { + JitSpew(JitSpew_Escape, "Array has too many elements"); + return true; + } + + // Check if the object is escaped. If the object is not the first argument + // of either a known Store / Load, then we consider it as escaped. This is a + // cheap and conservative escape analysis. + for (MUseIterator i(ins->usesBegin()); i != ins->usesEnd(); i++) { + MNode* consumer = (*i)->consumer(); + if (!consumer->isDefinition()) { + // Cannot optimize if it is observable from fun.arguments or others. + if (!consumer->toResumePoint()->isRecoverableOperand(*i)) { + JitSpew(JitSpew_Escape, "Observable array cannot be recovered"); + return true; + } + continue; + } + + MDefinition* def = consumer->toDefinition(); + switch (def->op()) { + case MDefinition::Opcode::Elements: { + MElements* elem = def->toElements(); + MOZ_ASSERT(elem->object() == ins); + if (IsElementEscaped(elem, newArray, length)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", elem); + return true; + } + + break; + } + + case MDefinition::Opcode::GuardShape: { + MGuardShape* guard = def->toGuardShape(); + if (shape != guard->shape()) { + JitSpewDef(JitSpew_Escape, "has a non-matching guard shape\n", guard); + return true; + } + if (IsArrayEscaped(guard, newArray)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + + break; + } + + case MDefinition::Opcode::GuardToClass: { + MGuardToClass* guard = def->toGuardToClass(); + if (shape->getObjectClass() != guard->getClass()) { + JitSpewDef(JitSpew_Escape, "has a non-matching class guard\n", guard); + return true; + } + if (IsArrayEscaped(guard, newArray)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + + break; + } + + case MDefinition::Opcode::GuardArrayIsPacked: { + auto* guard = def->toGuardArrayIsPacked(); + if (!IsPackedArray(newArray)) { + JitSpewDef(JitSpew_Escape, "is not guaranteed to be packed\n", def); + return true; + } + if (IsArrayEscaped(guard, newArray)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::Unbox: { + if (def->type() != MIRType::Object) { + JitSpewDef(JitSpew_Escape, "has an invalid unbox\n", def); + return true; + } + if (IsArrayEscaped(def->toInstruction(), newArray)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + // This instruction is supported for |JSOp::OptimizeSpreadCall|. + case MDefinition::Opcode::Compare: { + bool canFold; + if (!def->toCompare()->tryFold(&canFold)) { + JitSpewDef(JitSpew_Escape, "has an unsupported compare\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::PostWriteBarrier: + case MDefinition::Opcode::PostWriteElementBarrier: + break; + + // This instruction is a no-op used to verify that scalar replacement + // is working as expected in jit-test. + case MDefinition::Opcode::AssertRecoveredOnBailout: + break; + + default: + JitSpewDef(JitSpew_Escape, "is escaped by\n", def); + return true; + } + } + + JitSpew(JitSpew_Escape, "Array is not escaped"); + return false; +} + +// This class replaces every MStoreElement and MSetInitializedLength by an +// MArrayState which emulates the content of the array. All MLoadElement, +// MInitializedLength and MArrayLength are replaced by the corresponding value. +// +// In order to restore the value of the array correctly in case of bailouts, we +// replace all reference of the allocation by the MArrayState definition. +class ArrayMemoryView : public MDefinitionVisitorDefaultNoop { + public: + using BlockState = MArrayState; + static const char* phaseName; + + private: + TempAllocator& alloc_; + MConstant* undefinedVal_; + MConstant* length_; + MInstruction* arr_; + MBasicBlock* startBlock_; + BlockState* state_; + + // Used to improve the memory usage by sharing common modification. + const MResumePoint* lastResumePoint_; + + bool oom_; + + public: + ArrayMemoryView(TempAllocator& alloc, MInstruction* arr); + + MBasicBlock* startingBlock(); + bool initStartingState(BlockState** pState); + + void setEntryBlockState(BlockState* state); + bool mergeIntoSuccessorState(MBasicBlock* curr, MBasicBlock* succ, + BlockState** pSuccState); + +#ifdef DEBUG + void assertSuccess(); +#else + void assertSuccess() {} +#endif + + bool oom() const { return oom_; } + + private: + bool isArrayStateElements(MDefinition* elements); + void discardInstruction(MInstruction* ins, MDefinition* elements); + + public: + void visitResumePoint(MResumePoint* rp); + void visitArrayState(MArrayState* ins); + void visitStoreElement(MStoreElement* ins); + void visitLoadElement(MLoadElement* ins); + void visitSetInitializedLength(MSetInitializedLength* ins); + void visitInitializedLength(MInitializedLength* ins); + void visitArrayLength(MArrayLength* ins); + void visitPostWriteBarrier(MPostWriteBarrier* ins); + void visitPostWriteElementBarrier(MPostWriteElementBarrier* ins); + void visitGuardShape(MGuardShape* ins); + void visitGuardToClass(MGuardToClass* ins); + void visitGuardArrayIsPacked(MGuardArrayIsPacked* ins); + void visitUnbox(MUnbox* ins); + void visitCompare(MCompare* ins); + void visitApplyArray(MApplyArray* ins); + void visitConstructArray(MConstructArray* ins); +}; + +const char* ArrayMemoryView::phaseName = "Scalar Replacement of Array"; + +ArrayMemoryView::ArrayMemoryView(TempAllocator& alloc, MInstruction* arr) + : alloc_(alloc), + undefinedVal_(nullptr), + length_(nullptr), + arr_(arr), + startBlock_(arr->block()), + state_(nullptr), + lastResumePoint_(nullptr), + oom_(false) { + // Annotate snapshots RValue such that we recover the store first. + arr_->setIncompleteObject(); + + // Annotate the instruction such that we do not replace it by a + // Magic(JS_OPTIMIZED_OUT) in case of removed uses. + arr_->setImplicitlyUsedUnchecked(); +} + +MBasicBlock* ArrayMemoryView::startingBlock() { return startBlock_; } + +bool ArrayMemoryView::initStartingState(BlockState** pState) { + // Uninitialized elements have an "undefined" value. + undefinedVal_ = MConstant::New(alloc_, UndefinedValue()); + MConstant* initLength = MConstant::New(alloc_, Int32Value(0)); + arr_->block()->insertBefore(arr_, undefinedVal_); + arr_->block()->insertBefore(arr_, initLength); + + // Create a new block state and insert at it at the location of the new array. + BlockState* state = BlockState::New(alloc_, arr_, initLength); + if (!state) { + return false; + } + + startBlock_->insertAfter(arr_, state); + + // Initialize the elements of the array state. + state->initFromTemplateObject(alloc_, undefinedVal_); + + // Hold out of resume point until it is visited. + state->setInWorklist(); + + *pState = state; + return true; +} + +void ArrayMemoryView::setEntryBlockState(BlockState* state) { state_ = state; } + +bool ArrayMemoryView::mergeIntoSuccessorState(MBasicBlock* curr, + MBasicBlock* succ, + BlockState** pSuccState) { + BlockState* succState = *pSuccState; + + // When a block has no state yet, create an empty one for the + // successor. + if (!succState) { + // If the successor is not dominated then the array cannot flow + // in this basic block without a Phi. We know that no Phi exist + // in non-dominated successors as the conservative escaped + // analysis fails otherwise. Such condition can succeed if the + // successor is a join at the end of a if-block and the array + // only exists within the branch. + if (!startBlock_->dominates(succ)) { + return true; + } + + // If there is only one predecessor, carry over the last state of the + // block to the successor. As the block state is immutable, if the + // current block has multiple successors, they will share the same entry + // state. + if (succ->numPredecessors() <= 1 || !state_->numElements()) { + *pSuccState = state_; + return true; + } + + // If we have multiple predecessors, then we allocate one Phi node for + // each predecessor, and create a new block state which only has phi + // nodes. These would later be removed by the removal of redundant phi + // nodes. + succState = BlockState::Copy(alloc_, state_); + if (!succState) { + return false; + } + + size_t numPreds = succ->numPredecessors(); + for (size_t index = 0; index < state_->numElements(); index++) { + MPhi* phi = MPhi::New(alloc_.fallible()); + if (!phi || !phi->reserveLength(numPreds)) { + return false; + } + + // Fill the input of the successors Phi with undefined + // values, and each block later fills the Phi inputs. + for (size_t p = 0; p < numPreds; p++) { + phi->addInput(undefinedVal_); + } + + // Add Phi in the list of Phis of the basic block. + succ->addPhi(phi); + succState->setElement(index, phi); + } + + // Insert the newly created block state instruction at the beginning + // of the successor block, after all the phi nodes. Note that it + // would be captured by the entry resume point of the successor + // block. + succ->insertBefore(succ->safeInsertTop(), succState); + *pSuccState = succState; + } + + MOZ_ASSERT_IF(succ == startBlock_, startBlock_->isLoopHeader()); + if (succ->numPredecessors() > 1 && succState->numElements() && + succ != startBlock_) { + // We need to re-compute successorWithPhis as the previous EliminatePhis + // phase might have removed all the Phis from the successor block. + size_t currIndex; + MOZ_ASSERT(!succ->phisEmpty()); + if (curr->successorWithPhis()) { + MOZ_ASSERT(curr->successorWithPhis() == succ); + currIndex = curr->positionInPhiSuccessor(); + } else { + currIndex = succ->indexForPredecessor(curr); + curr->setSuccessorWithPhis(succ, currIndex); + } + MOZ_ASSERT(succ->getPredecessor(currIndex) == curr); + + // Copy the current element states to the index of current block in all + // the Phi created during the first visit of the successor. + for (size_t index = 0; index < state_->numElements(); index++) { + MPhi* phi = succState->getElement(index)->toPhi(); + phi->replaceOperand(currIndex, state_->getElement(index)); + } + } + + return true; +} + +#ifdef DEBUG +void ArrayMemoryView::assertSuccess() { MOZ_ASSERT(!arr_->hasLiveDefUses()); } +#endif + +void ArrayMemoryView::visitResumePoint(MResumePoint* rp) { + // As long as the MArrayState is not yet seen next to the allocation, we do + // not patch the resume point to recover the side effects. + if (!state_->isInWorklist()) { + rp->addStore(alloc_, state_, lastResumePoint_); + lastResumePoint_ = rp; + } +} + +void ArrayMemoryView::visitArrayState(MArrayState* ins) { + if (ins->isInWorklist()) { + ins->setNotInWorklist(); + } +} + +bool ArrayMemoryView::isArrayStateElements(MDefinition* elements) { + return elements->isElements() && elements->toElements()->object() == arr_; +} + +void ArrayMemoryView::discardInstruction(MInstruction* ins, + MDefinition* elements) { + MOZ_ASSERT(elements->isElements()); + ins->block()->discard(ins); + if (!elements->hasLiveDefUses()) { + elements->block()->discard(elements->toInstruction()); + } +} + +void ArrayMemoryView::visitStoreElement(MStoreElement* ins) { + // Skip other array objects. + MDefinition* elements = ins->elements(); + if (!isArrayStateElements(elements)) { + return; + } + + // Register value of the setter in the state. + int32_t index; + MOZ_ALWAYS_TRUE(IndexOf(ins, &index)); + state_ = BlockState::Copy(alloc_, state_); + if (!state_) { + oom_ = true; + return; + } + + state_->setElement(index, ins->value()); + ins->block()->insertBefore(ins, state_); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +void ArrayMemoryView::visitLoadElement(MLoadElement* ins) { + // Skip other array objects. + MDefinition* elements = ins->elements(); + if (!isArrayStateElements(elements)) { + return; + } + + // Replace by the value contained at the index. + int32_t index; + MOZ_ALWAYS_TRUE(IndexOf(ins, &index)); + + // The only way to store a hole value in a new array is with + // StoreHoleValueElement, which IsElementEscaped does not allow. + // Therefore, we do not have to do a hole check. + MDefinition* element = state_->getElement(index); + MOZ_ASSERT(element->type() != MIRType::MagicHole); + + ins->replaceAllUsesWith(element); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +void ArrayMemoryView::visitSetInitializedLength(MSetInitializedLength* ins) { + // Skip other array objects. + MDefinition* elements = ins->elements(); + if (!isArrayStateElements(elements)) { + return; + } + + // Replace by the new initialized length. Note that the argument of + // MSetInitializedLength is the last index and not the initialized length. + // To obtain the length, we need to add 1 to it, and thus we need to create + // a new constant that we register in the ArrayState. + state_ = BlockState::Copy(alloc_, state_); + if (!state_) { + oom_ = true; + return; + } + + int32_t initLengthValue = ins->index()->maybeConstantValue()->toInt32() + 1; + MConstant* initLength = MConstant::New(alloc_, Int32Value(initLengthValue)); + ins->block()->insertBefore(ins, initLength); + ins->block()->insertBefore(ins, state_); + state_->setInitializedLength(initLength); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +void ArrayMemoryView::visitInitializedLength(MInitializedLength* ins) { + // Skip other array objects. + MDefinition* elements = ins->elements(); + if (!isArrayStateElements(elements)) { + return; + } + + // Replace by the value of the length. + ins->replaceAllUsesWith(state_->initializedLength()); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +void ArrayMemoryView::visitArrayLength(MArrayLength* ins) { + // Skip other array objects. + MDefinition* elements = ins->elements(); + if (!isArrayStateElements(elements)) { + return; + } + + // Replace by the value of the length. + if (!length_) { + length_ = MConstant::New(alloc_, Int32Value(state_->numElements())); + arr_->block()->insertBefore(arr_, length_); + } + ins->replaceAllUsesWith(length_); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +void ArrayMemoryView::visitPostWriteBarrier(MPostWriteBarrier* ins) { + // Skip barriers on other objects. + if (ins->object() != arr_) { + return; + } + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArrayMemoryView::visitPostWriteElementBarrier( + MPostWriteElementBarrier* ins) { + // Skip barriers on other objects. + if (ins->object() != arr_) { + return; + } + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArrayMemoryView::visitGuardShape(MGuardShape* ins) { + // Skip guards on other objects. + if (ins->object() != arr_) { + return; + } + + // Replace the guard by its object. + ins->replaceAllUsesWith(arr_); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArrayMemoryView::visitGuardToClass(MGuardToClass* ins) { + // Skip guards on other objects. + if (ins->object() != arr_) { + return; + } + + // Replace the guard by its object. + ins->replaceAllUsesWith(arr_); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArrayMemoryView::visitGuardArrayIsPacked(MGuardArrayIsPacked* ins) { + // Skip guards on other objects. + if (ins->array() != arr_) { + return; + } + + // Replace the guard by its object. + ins->replaceAllUsesWith(arr_); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArrayMemoryView::visitUnbox(MUnbox* ins) { + // Skip unrelated unboxes. + if (ins->getOperand(0) != arr_) { + return; + } + MOZ_ASSERT(ins->type() == MIRType::Object); + + // Replace the unbox with the array object. + ins->replaceAllUsesWith(arr_); + + // Remove the unbox. + ins->block()->discard(ins); +} + +void ArrayMemoryView::visitCompare(MCompare* ins) { + // Skip unrelated comparisons. + if (ins->lhs() != arr_ && ins->rhs() != arr_) { + return; + } + + bool folded; + MOZ_ALWAYS_TRUE(ins->tryFold(&folded)); + + auto* cst = MConstant::New(alloc_, BooleanValue(folded)); + ins->block()->insertBefore(ins, cst); + + // Replace the comparison with a constant. + ins->replaceAllUsesWith(cst); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArrayMemoryView::visitApplyArray(MApplyArray* ins) { + // Skip other array objects. + MDefinition* elements = ins->getElements(); + if (!isArrayStateElements(elements)) { + return; + } + + uint32_t numElements = state_->numElements(); + + CallInfo callInfo(alloc_, /*constructing=*/false, ins->ignoresReturnValue()); + if (!callInfo.initForApplyArray(ins->getFunction(), ins->getThis(), + numElements)) { + oom_ = true; + return; + } + + for (uint32_t i = 0; i < numElements; i++) { + auto* element = state_->getElement(i); + MOZ_ASSERT(element->type() != MIRType::MagicHole); + + callInfo.initArg(i, element); + } + + auto addUndefined = [this]() { return undefinedVal_; }; + + bool needsThisCheck = false; + bool isDOMCall = false; + auto* call = MakeCall(alloc_, addUndefined, callInfo, needsThisCheck, + ins->getSingleTarget(), isDOMCall); + if (!call) { + oom_ = true; + return; + } + if (!ins->maybeCrossRealm()) { + call->setNotCrossRealm(); + } + + ins->block()->insertBefore(ins, call); + ins->replaceAllUsesWith(call); + + call->stealResumePoint(ins); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +void ArrayMemoryView::visitConstructArray(MConstructArray* ins) { + // Skip other array objects. + MDefinition* elements = ins->getElements(); + if (!isArrayStateElements(elements)) { + return; + } + + uint32_t numElements = state_->numElements(); + + CallInfo callInfo(alloc_, /*constructing=*/true, ins->ignoresReturnValue()); + if (!callInfo.initForConstructArray(ins->getFunction(), ins->getThis(), + ins->getNewTarget(), numElements)) { + oom_ = true; + return; + } + + for (uint32_t i = 0; i < numElements; i++) { + auto* element = state_->getElement(i); + MOZ_ASSERT(element->type() != MIRType::MagicHole); + + callInfo.initArg(i, element); + } + + auto addUndefined = [this]() { return undefinedVal_; }; + + bool needsThisCheck = ins->needsThisCheck(); + bool isDOMCall = false; + auto* call = MakeCall(alloc_, addUndefined, callInfo, needsThisCheck, + ins->getSingleTarget(), isDOMCall); + if (!call) { + oom_ = true; + return; + } + if (!ins->maybeCrossRealm()) { + call->setNotCrossRealm(); + } + + ins->block()->insertBefore(ins, call); + ins->replaceAllUsesWith(call); + + call->stealResumePoint(ins); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +static inline bool IsOptimizableArgumentsInstruction(MInstruction* ins) { + return ins->isCreateArgumentsObject() || + ins->isCreateInlinedArgumentsObject(); +} + +class ArgumentsReplacer : public MDefinitionVisitorDefaultNoop { + private: + MIRGenerator* mir_; + MIRGraph& graph_; + MInstruction* args_; + + bool oom_ = false; + + TempAllocator& alloc() { return graph_.alloc(); } + + bool isInlinedArguments() const { + return args_->isCreateInlinedArgumentsObject(); + } + + MNewArrayObject* inlineArgsArray(MInstruction* ins, Shape* shape, + uint32_t begin, uint32_t count); + + void visitGuardToClass(MGuardToClass* ins); + void visitGuardProto(MGuardProto* ins); + void visitGuardArgumentsObjectFlags(MGuardArgumentsObjectFlags* ins); + void visitUnbox(MUnbox* ins); + void visitGetArgumentsObjectArg(MGetArgumentsObjectArg* ins); + void visitLoadArgumentsObjectArg(MLoadArgumentsObjectArg* ins); + void visitLoadArgumentsObjectArgHole(MLoadArgumentsObjectArgHole* ins); + void visitInArgumentsObjectArg(MInArgumentsObjectArg* ins); + void visitArgumentsObjectLength(MArgumentsObjectLength* ins); + void visitApplyArgsObj(MApplyArgsObj* ins); + void visitArrayFromArgumentsObject(MArrayFromArgumentsObject* ins); + void visitArgumentsSlice(MArgumentsSlice* ins); + void visitLoadFixedSlot(MLoadFixedSlot* ins); + + bool oom() const { return oom_; } + + public: + ArgumentsReplacer(MIRGenerator* mir, MIRGraph& graph, MInstruction* args) + : mir_(mir), graph_(graph), args_(args) { + MOZ_ASSERT(IsOptimizableArgumentsInstruction(args_)); + } + + bool escapes(MInstruction* ins, bool guardedForMapped = false); + bool run(); + void assertSuccess(); +}; + +// Returns false if the arguments object does not escape. +bool ArgumentsReplacer::escapes(MInstruction* ins, bool guardedForMapped) { + MOZ_ASSERT(ins->type() == MIRType::Object); + + JitSpewDef(JitSpew_Escape, "Check arguments object\n", ins); + JitSpewIndent spewIndent(JitSpew_Escape); + + // We can replace inlined arguments in scripts with OSR entries, but + // the outermost arguments object has already been allocated before + // we enter via OSR and can't be replaced. + if (ins->isCreateArgumentsObject() && graph_.osrBlock()) { + JitSpew(JitSpew_Escape, "Can't replace outermost OSR arguments"); + return true; + } + + // Check all uses to see whether they can be supported without + // allocating an ArgumentsObject. + for (MUseIterator i(ins->usesBegin()); i != ins->usesEnd(); i++) { + MNode* consumer = (*i)->consumer(); + + // If a resume point can observe this instruction, we can only optimize + // if it is recoverable. + if (consumer->isResumePoint()) { + if (!consumer->toResumePoint()->isRecoverableOperand(*i)) { + JitSpew(JitSpew_Escape, "Observable args object cannot be recovered"); + return true; + } + continue; + } + + MDefinition* def = consumer->toDefinition(); + switch (def->op()) { + case MDefinition::Opcode::GuardToClass: { + MGuardToClass* guard = def->toGuardToClass(); + if (!guard->isArgumentsObjectClass()) { + JitSpewDef(JitSpew_Escape, "has a non-matching class guard\n", guard); + return true; + } + bool isMapped = guard->getClass() == &MappedArgumentsObject::class_; + if (escapes(guard, isMapped)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::GuardProto: { + if (escapes(def->toInstruction(), guardedForMapped)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::GuardArgumentsObjectFlags: { + if (escapes(def->toInstruction(), guardedForMapped)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::Unbox: { + if (def->type() != MIRType::Object) { + JitSpewDef(JitSpew_Escape, "has an invalid unbox\n", def); + return true; + } + if (escapes(def->toInstruction())) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::LoadFixedSlot: { + MLoadFixedSlot* load = def->toLoadFixedSlot(); + + // We can replace arguments.callee. + if (load->slot() == ArgumentsObject::CALLEE_SLOT) { + MOZ_ASSERT(guardedForMapped); + continue; + } + JitSpew(JitSpew_Escape, "is escaped by unsupported LoadFixedSlot\n"); + return true; + } + + case MDefinition::Opcode::ApplyArgsObj: { + if (ins == def->toApplyArgsObj()->getThis()) { + JitSpew(JitSpew_Escape, "is escaped as |this| arg of ApplyArgsObj\n"); + return true; + } + MOZ_ASSERT(ins == def->toApplyArgsObj()->getArgsObj()); + break; + } + + // This is a replaceable consumer. + case MDefinition::Opcode::ArgumentsObjectLength: + case MDefinition::Opcode::GetArgumentsObjectArg: + case MDefinition::Opcode::LoadArgumentsObjectArg: + case MDefinition::Opcode::LoadArgumentsObjectArgHole: + case MDefinition::Opcode::InArgumentsObjectArg: + case MDefinition::Opcode::ArrayFromArgumentsObject: + case MDefinition::Opcode::ArgumentsSlice: + break; + + // This instruction is a no-op used to test that scalar replacement + // is working as expected. + case MDefinition::Opcode::AssertRecoveredOnBailout: + break; + + default: + JitSpewDef(JitSpew_Escape, "is escaped by\n", def); + return true; + } + } + + JitSpew(JitSpew_Escape, "ArgumentsObject is not escaped"); + return false; +} + +// Replacing the arguments object is simpler than replacing an object +// or array, because the arguments object does not change state. +bool ArgumentsReplacer::run() { + MBasicBlock* startBlock = args_->block(); + + // Iterate over each basic block. + for (ReversePostorderIterator block = graph_.rpoBegin(startBlock); + block != graph_.rpoEnd(); block++) { + if (mir_->shouldCancel("Scalar replacement of Arguments Object")) { + return false; + } + + // Iterates over phis and instructions. + // We do not have to visit resume points. Any resume points that capture + // the argument object will be handled by the Sink pass. + for (MDefinitionIterator iter(*block); iter;) { + // Increment the iterator before visiting the instruction, as the + // visit function might discard itself from the basic block. + MDefinition* def = *iter++; + switch (def->op()) { +#define MIR_OP(op) \ + case MDefinition::Opcode::op: \ + visit##op(def->to##op()); \ + break; + MIR_OPCODE_LIST(MIR_OP) +#undef MIR_OP + } + if (!graph_.alloc().ensureBallast()) { + return false; + } + if (oom()) { + return false; + } + } + } + + assertSuccess(); + return true; +} + +void ArgumentsReplacer::assertSuccess() { + MOZ_ASSERT(args_->canRecoverOnBailout()); + MOZ_ASSERT(!args_->hasLiveDefUses()); +} + +void ArgumentsReplacer::visitGuardToClass(MGuardToClass* ins) { + // Skip guards on other objects. + if (ins->object() != args_) { + return; + } + MOZ_ASSERT(ins->isArgumentsObjectClass()); + + // Replace the guard with the args object. + ins->replaceAllUsesWith(args_); + + // Remove the guard. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitGuardProto(MGuardProto* ins) { + // Skip guards on other objects. + if (ins->object() != args_) { + return; + } + + // The prototype can only be changed through explicit operations, for example + // by calling |Reflect.setPrototype|. We have already determined that the args + // object doesn't escape, so its prototype can't be mutated. + + // Replace the guard with the args object. + ins->replaceAllUsesWith(args_); + + // Remove the guard. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitGuardArgumentsObjectFlags( + MGuardArgumentsObjectFlags* ins) { + // Skip other arguments objects. + if (ins->argsObject() != args_) { + return; + } + +#ifdef DEBUG + // Each *_OVERRIDDEN_BIT can only be set by setting or deleting a + // property of the args object. We have already determined that the + // args object doesn't escape, so its properties can't be mutated. + // + // FORWARDED_ARGUMENTS_BIT is set if any mapped argument is closed + // over, which is an immutable property of the script. Because we + // are replacing the args object for a known script, we can check + // the flag once, which is done when we first attach the CacheIR, + // and rely on it. (Note that this wouldn't be true if we didn't + // know the origin of args_, because it could be passed in from + // another function.) + uint32_t supportedBits = ArgumentsObject::LENGTH_OVERRIDDEN_BIT | + ArgumentsObject::ITERATOR_OVERRIDDEN_BIT | + ArgumentsObject::ELEMENT_OVERRIDDEN_BIT | + ArgumentsObject::CALLEE_OVERRIDDEN_BIT | + ArgumentsObject::FORWARDED_ARGUMENTS_BIT; + + MOZ_ASSERT((ins->flags() & ~supportedBits) == 0); + MOZ_ASSERT_IF(ins->flags() & ArgumentsObject::FORWARDED_ARGUMENTS_BIT, + !args_->block()->info().anyFormalIsForwarded()); +#endif + + // Replace the guard with the args object. + ins->replaceAllUsesWith(args_); + + // Remove the guard. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitUnbox(MUnbox* ins) { + // Skip unrelated unboxes. + if (ins->getOperand(0) != args_) { + return; + } + MOZ_ASSERT(ins->type() == MIRType::Object); + + // Replace the unbox with the args object. + ins->replaceAllUsesWith(args_); + + // Remove the unbox. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitGetArgumentsObjectArg( + MGetArgumentsObjectArg* ins) { + // Skip other arguments objects. + if (ins->argsObject() != args_) { + return; + } + + // We don't support setting arguments in ArgumentsReplacer::escapes, + // so we can load the initial value of the argument without worrying + // about it being stale. + MDefinition* getArg; + if (isInlinedArguments()) { + // Inlined frames have direct access to the actual arguments. + auto* actualArgs = args_->toCreateInlinedArgumentsObject(); + if (ins->argno() < actualArgs->numActuals()) { + getArg = actualArgs->getArg(ins->argno()); + } else { + // Omitted arguments are not mapped to the arguments object, and + // will always be undefined. + auto* undef = MConstant::New(alloc(), UndefinedValue()); + ins->block()->insertBefore(ins, undef); + getArg = undef; + } + } else { + // Load the argument from the frame. + auto* index = MConstant::New(alloc(), Int32Value(ins->argno())); + ins->block()->insertBefore(ins, index); + + auto* loadArg = MGetFrameArgument::New(alloc(), index); + ins->block()->insertBefore(ins, loadArg); + getArg = loadArg; + } + ins->replaceAllUsesWith(getArg); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitLoadArgumentsObjectArg( + MLoadArgumentsObjectArg* ins) { + // Skip other arguments objects. + if (ins->argsObject() != args_) { + return; + } + + MDefinition* index = ins->index(); + + MInstruction* loadArg; + if (isInlinedArguments()) { + auto* actualArgs = args_->toCreateInlinedArgumentsObject(); + + // Insert bounds check. + auto* length = + MConstant::New(alloc(), Int32Value(actualArgs->numActuals())); + ins->block()->insertBefore(ins, length); + + MInstruction* check = MBoundsCheck::New(alloc(), index, length); + check->setBailoutKind(ins->bailoutKind()); + ins->block()->insertBefore(ins, check); + + if (mir_->outerInfo().hadBoundsCheckBailout()) { + check->setNotMovable(); + } + + loadArg = MGetInlinedArgument::New(alloc(), check, actualArgs); + if (!loadArg) { + oom_ = true; + return; + } + } else { + // Insert bounds check. + auto* length = MArgumentsLength::New(alloc()); + ins->block()->insertBefore(ins, length); + + MInstruction* check = MBoundsCheck::New(alloc(), index, length); + check->setBailoutKind(ins->bailoutKind()); + ins->block()->insertBefore(ins, check); + + if (mir_->outerInfo().hadBoundsCheckBailout()) { + check->setNotMovable(); + } + + if (JitOptions.spectreIndexMasking) { + check = MSpectreMaskIndex::New(alloc(), check, length); + ins->block()->insertBefore(ins, check); + } + + loadArg = MGetFrameArgument::New(alloc(), check); + } + ins->block()->insertBefore(ins, loadArg); + ins->replaceAllUsesWith(loadArg); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitLoadArgumentsObjectArgHole( + MLoadArgumentsObjectArgHole* ins) { + // Skip other arguments objects. + if (ins->argsObject() != args_) { + return; + } + + MDefinition* index = ins->index(); + + MInstruction* loadArg; + if (isInlinedArguments()) { + auto* actualArgs = args_->toCreateInlinedArgumentsObject(); + + loadArg = MGetInlinedArgumentHole::New(alloc(), index, actualArgs); + if (!loadArg) { + oom_ = true; + return; + } + } else { + auto* length = MArgumentsLength::New(alloc()); + ins->block()->insertBefore(ins, length); + + loadArg = MGetFrameArgumentHole::New(alloc(), index, length); + } + loadArg->setBailoutKind(ins->bailoutKind()); + ins->block()->insertBefore(ins, loadArg); + ins->replaceAllUsesWith(loadArg); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitInArgumentsObjectArg(MInArgumentsObjectArg* ins) { + // Skip other arguments objects. + if (ins->argsObject() != args_) { + return; + } + + MDefinition* index = ins->index(); + + // Ensure the index is non-negative. + auto* guardedIndex = MGuardInt32IsNonNegative::New(alloc(), index); + guardedIndex->setBailoutKind(ins->bailoutKind()); + ins->block()->insertBefore(ins, guardedIndex); + + MInstruction* length; + if (isInlinedArguments()) { + uint32_t argc = args_->toCreateInlinedArgumentsObject()->numActuals(); + length = MConstant::New(alloc(), Int32Value(argc)); + } else { + length = MArgumentsLength::New(alloc()); + } + ins->block()->insertBefore(ins, length); + + auto* compare = MCompare::New(alloc(), guardedIndex, length, JSOp::Lt, + MCompare::Compare_Int32); + ins->block()->insertBefore(ins, compare); + ins->replaceAllUsesWith(compare); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitArgumentsObjectLength( + MArgumentsObjectLength* ins) { + // Skip other arguments objects. + if (ins->argsObject() != args_) { + return; + } + + MInstruction* length; + if (isInlinedArguments()) { + uint32_t argc = args_->toCreateInlinedArgumentsObject()->numActuals(); + length = MConstant::New(alloc(), Int32Value(argc)); + } else { + length = MArgumentsLength::New(alloc()); + } + ins->block()->insertBefore(ins, length); + ins->replaceAllUsesWith(length); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitApplyArgsObj(MApplyArgsObj* ins) { + // Skip other arguments objects. + if (ins->getArgsObj() != args_) { + return; + } + + MInstruction* newIns; + if (isInlinedArguments()) { + auto* actualArgs = args_->toCreateInlinedArgumentsObject(); + CallInfo callInfo(alloc(), /*constructing=*/false, + ins->ignoresReturnValue()); + + callInfo.initForApplyInlinedArgs(ins->getFunction(), ins->getThis(), + actualArgs->numActuals()); + for (uint32_t i = 0; i < actualArgs->numActuals(); i++) { + callInfo.initArg(i, actualArgs->getArg(i)); + } + + auto addUndefined = [this, &ins]() -> MConstant* { + MConstant* undef = MConstant::New(alloc(), UndefinedValue()); + ins->block()->insertBefore(ins, undef); + return undef; + }; + + bool needsThisCheck = false; + bool isDOMCall = false; + auto* call = MakeCall(alloc(), addUndefined, callInfo, needsThisCheck, + ins->getSingleTarget(), isDOMCall); + if (!call) { + oom_ = true; + return; + } + if (!ins->maybeCrossRealm()) { + call->setNotCrossRealm(); + } + newIns = call; + } else { + auto* numArgs = MArgumentsLength::New(alloc()); + ins->block()->insertBefore(ins, numArgs); + + // TODO: Should we rename MApplyArgs? + auto* apply = MApplyArgs::New(alloc(), ins->getSingleTarget(), + ins->getFunction(), numArgs, ins->getThis()); + apply->setBailoutKind(ins->bailoutKind()); + if (!ins->maybeCrossRealm()) { + apply->setNotCrossRealm(); + } + if (ins->ignoresReturnValue()) { + apply->setIgnoresReturnValue(); + } + newIns = apply; + } + + ins->block()->insertBefore(ins, newIns); + ins->replaceAllUsesWith(newIns); + + newIns->stealResumePoint(ins); + ins->block()->discard(ins); +} + +MNewArrayObject* ArgumentsReplacer::inlineArgsArray(MInstruction* ins, + Shape* shape, + uint32_t begin, + uint32_t count) { + auto* actualArgs = args_->toCreateInlinedArgumentsObject(); + + // Contrary to |WarpBuilder::build_Rest()|, we can always create + // MNewArrayObject, because we're guaranteed to have a shape and all + // arguments can be stored into fixed elements. + static_assert( + gc::CanUseFixedElementsForArray(ArgumentsObject::MaxInlinedArgs)); + + gc::Heap heap = gc::Heap::Default; + + // Allocate an array of the correct size. + auto* shapeConstant = MConstant::NewShape(alloc(), shape); + ins->block()->insertBefore(ins, shapeConstant); + + auto* newArray = MNewArrayObject::New(alloc(), shapeConstant, count, heap); + ins->block()->insertBefore(ins, newArray); + + if (count) { + auto* elements = MElements::New(alloc(), newArray); + ins->block()->insertBefore(ins, elements); + + MConstant* index = nullptr; + for (uint32_t i = 0; i < count; i++) { + index = MConstant::New(alloc(), Int32Value(i)); + ins->block()->insertBefore(ins, index); + + MDefinition* arg = actualArgs->getArg(begin + i); + auto* store = MStoreElement::NewUnbarriered(alloc(), elements, index, arg, + /* needsHoleCheck = */ false); + ins->block()->insertBefore(ins, store); + + auto* barrier = MPostWriteBarrier::New(alloc(), newArray, arg); + ins->block()->insertBefore(ins, barrier); + } + + auto* initLength = MSetInitializedLength::New(alloc(), elements, index); + ins->block()->insertBefore(ins, initLength); + } + + return newArray; +} + +void ArgumentsReplacer::visitArrayFromArgumentsObject( + MArrayFromArgumentsObject* ins) { + // Skip other arguments objects. + if (ins->argsObject() != args_) { + return; + } + + // We can only replace `arguments` because we've verified that the `arguments` + // object hasn't been modified in any way. This implies that the arguments + // stored in the stack frame haven't been changed either. + // + // The idea to replace `arguments` in spread calls `f(...arguments)` is now as + // follows: + // We replace |MArrayFromArgumentsObject| with the identical instructions we + // emit when building a rest-array object, cf. |WarpBuilder::build_Rest()|. In + // a next step, scalar replacement will then replace these new instructions + // themselves. + + Shape* shape = ins->shape(); + MOZ_ASSERT(shape); + + MDefinition* replacement; + if (isInlinedArguments()) { + auto* actualArgs = args_->toCreateInlinedArgumentsObject(); + uint32_t numActuals = actualArgs->numActuals(); + MOZ_ASSERT(numActuals <= ArgumentsObject::MaxInlinedArgs); + + replacement = inlineArgsArray(ins, shape, 0, numActuals); + } else { + // We can use |MRest| to read all arguments, because we've guaranteed that + // the arguments stored in the stack frame haven't changed; see the comment + // at the start of this method. + + auto* numActuals = MArgumentsLength::New(alloc()); + ins->block()->insertBefore(ins, numActuals); + + // Set |numFormals| to zero to read all arguments, including any formals. + uint32_t numFormals = 0; + + auto* rest = MRest::New(alloc(), numActuals, numFormals, shape); + ins->block()->insertBefore(ins, rest); + + replacement = rest; + } + + ins->replaceAllUsesWith(replacement); + + // Remove original instruction. + ins->block()->discard(ins); +} + +static uint32_t NormalizeSlice(MDefinition* def, uint32_t length) { + int32_t value = def->toConstant()->toInt32(); + if (value < 0) { + return std::max(int32_t(uint32_t(value) + length), 0); + } + return std::min(uint32_t(value), length); +} + +void ArgumentsReplacer::visitArgumentsSlice(MArgumentsSlice* ins) { + // Skip other arguments objects. + if (ins->object() != args_) { + return; + } + + // Optimise the common pattern |Array.prototype.slice.call(arguments, begin)|, + // where |begin| is a non-negative, constant int32. + // + // An absent end-index is replaced by |arguments.length|, so we try to match + // |Array.prototype.slice.call(arguments, begin, arguments.length)|. + if (isInlinedArguments()) { + // When this is an inlined arguments, |arguments.length| has been replaced + // by a constant. + if (ins->begin()->isConstant() && ins->end()->isConstant()) { + auto* actualArgs = args_->toCreateInlinedArgumentsObject(); + uint32_t numActuals = actualArgs->numActuals(); + MOZ_ASSERT(numActuals <= ArgumentsObject::MaxInlinedArgs); + + uint32_t begin = NormalizeSlice(ins->begin(), numActuals); + uint32_t end = NormalizeSlice(ins->end(), numActuals); + uint32_t count = end > begin ? end - begin : 0; + MOZ_ASSERT(count <= numActuals); + + Shape* shape = ins->templateObj()->shape(); + auto* newArray = inlineArgsArray(ins, shape, begin, count); + + ins->replaceAllUsesWith(newArray); + + // Remove original instruction. + ins->block()->discard(ins); + return; + } + } else { + // Otherwise |arguments.length| is emitted as MArgumentsLength. + if (ins->begin()->isConstant() && ins->end()->isArgumentsLength()) { + int32_t begin = ins->begin()->toConstant()->toInt32(); + if (begin >= 0) { + auto* numActuals = MArgumentsLength::New(alloc()); + ins->block()->insertBefore(ins, numActuals); + + // Set |numFormals| to read all arguments starting at |begin|. + uint32_t numFormals = begin; + + Shape* shape = ins->templateObj()->shape(); + + // Use MRest because it can be scalar replaced, which enables further + // optimizations. + auto* rest = MRest::New(alloc(), numActuals, numFormals, shape); + ins->block()->insertBefore(ins, rest); + + ins->replaceAllUsesWith(rest); + + // Remove original instruction. + ins->block()->discard(ins); + return; + } + } + } + + MInstruction* numArgs; + if (isInlinedArguments()) { + uint32_t argc = args_->toCreateInlinedArgumentsObject()->numActuals(); + numArgs = MConstant::New(alloc(), Int32Value(argc)); + } else { + numArgs = MArgumentsLength::New(alloc()); + } + ins->block()->insertBefore(ins, numArgs); + + auto* begin = MNormalizeSliceTerm::New(alloc(), ins->begin(), numArgs); + ins->block()->insertBefore(ins, begin); + + auto* end = MNormalizeSliceTerm::New(alloc(), ins->end(), numArgs); + ins->block()->insertBefore(ins, end); + + bool isMax = false; + auto* beginMin = MMinMax::New(alloc(), begin, end, MIRType::Int32, isMax); + ins->block()->insertBefore(ins, beginMin); + + // Safe to truncate because both operands are positive and end >= beginMin. + auto* count = MSub::New(alloc(), end, beginMin, MIRType::Int32); + count->setTruncateKind(TruncateKind::Truncate); + ins->block()->insertBefore(ins, count); + + MInstruction* replacement; + if (isInlinedArguments()) { + auto* actualArgs = args_->toCreateInlinedArgumentsObject(); + replacement = + MInlineArgumentsSlice::New(alloc(), beginMin, count, actualArgs, + ins->templateObj(), ins->initialHeap()); + } else { + replacement = MFrameArgumentsSlice::New( + alloc(), beginMin, count, ins->templateObj(), ins->initialHeap()); + } + ins->block()->insertBefore(ins, replacement); + + ins->replaceAllUsesWith(replacement); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void ArgumentsReplacer::visitLoadFixedSlot(MLoadFixedSlot* ins) { + // Skip other arguments objects. + if (ins->object() != args_) { + return; + } + + MOZ_ASSERT(ins->slot() == ArgumentsObject::CALLEE_SLOT); + + MDefinition* replacement; + if (isInlinedArguments()) { + replacement = args_->toCreateInlinedArgumentsObject()->getCallee(); + } else { + auto* callee = MCallee::New(alloc()); + ins->block()->insertBefore(ins, callee); + replacement = callee; + } + ins->replaceAllUsesWith(replacement); + + // Remove original instruction. + ins->block()->discard(ins); +} + +static inline bool IsOptimizableRestInstruction(MInstruction* ins) { + return ins->isRest(); +} + +class RestReplacer : public MDefinitionVisitorDefaultNoop { + private: + MIRGenerator* mir_; + MIRGraph& graph_; + MInstruction* rest_; + + TempAllocator& alloc() { return graph_.alloc(); } + MRest* rest() const { return rest_->toRest(); } + + bool isRestElements(MDefinition* elements); + void discardInstruction(MInstruction* ins, MDefinition* elements); + MDefinition* restLength(MInstruction* ins); + void visitLength(MInstruction* ins, MDefinition* elements); + + void visitGuardToClass(MGuardToClass* ins); + void visitGuardShape(MGuardShape* ins); + void visitGuardArrayIsPacked(MGuardArrayIsPacked* ins); + void visitUnbox(MUnbox* ins); + void visitCompare(MCompare* ins); + void visitLoadElement(MLoadElement* ins); + void visitArrayLength(MArrayLength* ins); + void visitInitializedLength(MInitializedLength* ins); + void visitApplyArray(MApplyArray* ins); + void visitConstructArray(MConstructArray* ins); + + bool escapes(MElements* ins); + + public: + RestReplacer(MIRGenerator* mir, MIRGraph& graph, MInstruction* rest) + : mir_(mir), graph_(graph), rest_(rest) { + MOZ_ASSERT(IsOptimizableRestInstruction(rest_)); + } + + bool escapes(MInstruction* ins); + bool run(); + void assertSuccess(); +}; + +// Returns false if the rest array object does not escape. +bool RestReplacer::escapes(MInstruction* ins) { + MOZ_ASSERT(ins->type() == MIRType::Object); + + JitSpewDef(JitSpew_Escape, "Check rest array\n", ins); + JitSpewIndent spewIndent(JitSpew_Escape); + + // We can replace rest arrays in scripts with OSR entries, but the outermost + // rest object has already been allocated before we enter via OSR and can't be + // replaced. + // See also the same restriction when replacing |arguments|. + if (graph_.osrBlock()) { + JitSpew(JitSpew_Escape, "Can't replace outermost OSR rest array"); + return true; + } + + // Check all uses to see whether they can be supported without allocating an + // ArrayObject for the rest parameter. + for (MUseIterator i(ins->usesBegin()); i != ins->usesEnd(); i++) { + MNode* consumer = (*i)->consumer(); + + // If a resume point can observe this instruction, we can only optimize + // if it is recoverable. + if (consumer->isResumePoint()) { + if (!consumer->toResumePoint()->isRecoverableOperand(*i)) { + JitSpew(JitSpew_Escape, "Observable rest array cannot be recovered"); + return true; + } + continue; + } + + MDefinition* def = consumer->toDefinition(); + switch (def->op()) { + case MDefinition::Opcode::Elements: { + auto* elem = def->toElements(); + MOZ_ASSERT(elem->object() == ins); + if (escapes(elem)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::GuardShape: { + const Shape* shape = rest()->shape(); + if (!shape) { + JitSpew(JitSpew_Escape, "No shape defined."); + return true; + } + + auto* guard = def->toGuardShape(); + if (shape != guard->shape()) { + JitSpewDef(JitSpew_Escape, "has a non-matching guard shape\n", def); + return true; + } + if (escapes(guard)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::GuardToClass: { + auto* guard = def->toGuardToClass(); + if (guard->getClass() != &ArrayObject::class_) { + JitSpewDef(JitSpew_Escape, "has a non-matching class guard\n", def); + return true; + } + if (escapes(guard)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::GuardArrayIsPacked: { + // Rest arrays are always packed as long as they aren't modified. + auto* guard = def->toGuardArrayIsPacked(); + if (escapes(guard)) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + case MDefinition::Opcode::Unbox: { + if (def->type() != MIRType::Object) { + JitSpewDef(JitSpew_Escape, "has an invalid unbox\n", def); + return true; + } + if (escapes(def->toInstruction())) { + JitSpewDef(JitSpew_Escape, "is indirectly escaped by\n", def); + return true; + } + break; + } + + // This instruction is supported for |JSOp::OptimizeSpreadCall|. + case MDefinition::Opcode::Compare: { + bool canFold; + if (!def->toCompare()->tryFold(&canFold)) { + JitSpewDef(JitSpew_Escape, "has an unsupported compare\n", def); + return true; + } + break; + } + + // This instruction is a no-op used to test that scalar replacement is + // working as expected. + case MDefinition::Opcode::AssertRecoveredOnBailout: + break; + + default: + JitSpewDef(JitSpew_Escape, "is escaped by\n", def); + return true; + } + } + + JitSpew(JitSpew_Escape, "Rest array object is not escaped"); + return false; +} + +bool RestReplacer::escapes(MElements* ins) { + JitSpewDef(JitSpew_Escape, "Check rest array elements\n", ins); + JitSpewIndent spewIndent(JitSpew_Escape); + + for (MUseIterator i(ins->usesBegin()); i != ins->usesEnd(); i++) { + // The MIRType::Elements cannot be captured in a resume point as it does not + // represent a value allocation. + MDefinition* def = (*i)->consumer()->toDefinition(); + + switch (def->op()) { + case MDefinition::Opcode::LoadElement: + MOZ_ASSERT(def->toLoadElement()->elements() == ins); + break; + + case MDefinition::Opcode::ArrayLength: + MOZ_ASSERT(def->toArrayLength()->elements() == ins); + break; + + case MDefinition::Opcode::InitializedLength: + MOZ_ASSERT(def->toInitializedLength()->elements() == ins); + break; + + case MDefinition::Opcode::ApplyArray: + MOZ_ASSERT(def->toApplyArray()->getElements() == ins); + break; + + case MDefinition::Opcode::ConstructArray: + MOZ_ASSERT(def->toConstructArray()->getElements() == ins); + break; + + default: + JitSpewDef(JitSpew_Escape, "is escaped by\n", def); + return true; + } + } + + JitSpew(JitSpew_Escape, "Rest array object is not escaped"); + return false; +} + +// Replacing the rest array object is simpler than replacing an object or array, +// because the rest array object does not change state. +bool RestReplacer::run() { + MBasicBlock* startBlock = rest_->block(); + + // Iterate over each basic block. + for (ReversePostorderIterator block = graph_.rpoBegin(startBlock); + block != graph_.rpoEnd(); block++) { + if (mir_->shouldCancel("Scalar replacement of rest array object")) { + return false; + } + + // Iterates over phis and instructions. + // We do not have to visit resume points. Any resume points that capture the + // rest array object will be handled by the Sink pass. + for (MDefinitionIterator iter(*block); iter;) { + // Increment the iterator before visiting the instruction, as the visit + // function might discard itself from the basic block. + MDefinition* def = *iter++; + switch (def->op()) { +#define MIR_OP(op) \ + case MDefinition::Opcode::op: \ + visit##op(def->to##op()); \ + break; + MIR_OPCODE_LIST(MIR_OP) +#undef MIR_OP + } + if (!graph_.alloc().ensureBallast()) { + return false; + } + } + } + + assertSuccess(); + return true; +} + +void RestReplacer::assertSuccess() { + MOZ_ASSERT(rest_->canRecoverOnBailout()); + MOZ_ASSERT(!rest_->hasLiveDefUses()); +} + +bool RestReplacer::isRestElements(MDefinition* elements) { + return elements->isElements() && elements->toElements()->object() == rest_; +} + +void RestReplacer::discardInstruction(MInstruction* ins, + MDefinition* elements) { + MOZ_ASSERT(elements->isElements()); + ins->block()->discard(ins); + if (!elements->hasLiveDefUses()) { + elements->block()->discard(elements->toInstruction()); + } +} + +void RestReplacer::visitGuardToClass(MGuardToClass* ins) { + // Skip guards on other objects. + if (ins->object() != rest_) { + return; + } + MOZ_ASSERT(ins->getClass() == &ArrayObject::class_); + + // Replace the guard with the array object. + ins->replaceAllUsesWith(rest_); + + // Remove the guard. + ins->block()->discard(ins); +} + +void RestReplacer::visitGuardShape(MGuardShape* ins) { + // Skip guards on other objects. + if (ins->object() != rest_) { + return; + } + + // Replace the guard with the array object. + ins->replaceAllUsesWith(rest_); + + // Remove the guard. + ins->block()->discard(ins); +} + +void RestReplacer::visitGuardArrayIsPacked(MGuardArrayIsPacked* ins) { + // Skip guards on other objects. + if (ins->array() != rest_) { + return; + } + + // Replace the guard by its object. + ins->replaceAllUsesWith(rest_); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void RestReplacer::visitUnbox(MUnbox* ins) { + // Skip unrelated unboxes. + if (ins->input() != rest_) { + return; + } + MOZ_ASSERT(ins->type() == MIRType::Object); + + // Replace the unbox with the array object. + ins->replaceAllUsesWith(rest_); + + // Remove the unbox. + ins->block()->discard(ins); +} + +void RestReplacer::visitCompare(MCompare* ins) { + // Skip unrelated comparisons. + if (ins->lhs() != rest_ && ins->rhs() != rest_) { + return; + } + + bool folded; + MOZ_ALWAYS_TRUE(ins->tryFold(&folded)); + + auto* cst = MConstant::New(alloc(), BooleanValue(folded)); + ins->block()->insertBefore(ins, cst); + + // Replace the comparison with a constant. + ins->replaceAllUsesWith(cst); + + // Remove original instruction. + ins->block()->discard(ins); +} + +void RestReplacer::visitLoadElement(MLoadElement* ins) { + // Skip other array objects. + MDefinition* elements = ins->elements(); + if (!isRestElements(elements)) { + return; + } + + MDefinition* index = ins->index(); + + // Adjust the index to skip any extra formals. + if (uint32_t formals = rest()->numFormals()) { + auto* numFormals = MConstant::New(alloc(), Int32Value(formals)); + ins->block()->insertBefore(ins, numFormals); + + auto* add = MAdd::New(alloc(), index, numFormals, TruncateKind::Truncate); + ins->block()->insertBefore(ins, add); + + index = add; + } + + auto* loadArg = MGetFrameArgument::New(alloc(), index); + + ins->block()->insertBefore(ins, loadArg); + ins->replaceAllUsesWith(loadArg); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +MDefinition* RestReplacer::restLength(MInstruction* ins) { + // Compute |Math.max(numActuals - numFormals, 0)| for the rest array length. + + auto* numActuals = rest()->numActuals(); + + if (uint32_t formals = rest()->numFormals()) { + auto* numFormals = MConstant::New(alloc(), Int32Value(formals)); + ins->block()->insertBefore(ins, numFormals); + + auto* length = MSub::New(alloc(), numActuals, numFormals, MIRType::Int32); + length->setTruncateKind(TruncateKind::Truncate); + ins->block()->insertBefore(ins, length); + + auto* zero = MConstant::New(alloc(), Int32Value(0)); + ins->block()->insertBefore(ins, zero); + + bool isMax = true; + auto* minmax = MMinMax::New(alloc(), length, zero, MIRType::Int32, isMax); + ins->block()->insertBefore(ins, minmax); + + return minmax; + } + + return numActuals; +} + +void RestReplacer::visitLength(MInstruction* ins, MDefinition* elements) { + MOZ_ASSERT(ins->isArrayLength() || ins->isInitializedLength()); + + // Skip other array objects. + if (!isRestElements(elements)) { + return; + } + + MDefinition* replacement = restLength(ins); + + ins->replaceAllUsesWith(replacement); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +void RestReplacer::visitArrayLength(MArrayLength* ins) { + visitLength(ins, ins->elements()); +} + +void RestReplacer::visitInitializedLength(MInitializedLength* ins) { + // The initialized length of a rest array is equal to its length. + visitLength(ins, ins->elements()); +} + +void RestReplacer::visitApplyArray(MApplyArray* ins) { + // Skip other array objects. + MDefinition* elements = ins->getElements(); + if (!isRestElements(elements)) { + return; + } + + auto* numActuals = restLength(ins); + + auto* apply = + MApplyArgs::New(alloc(), ins->getSingleTarget(), ins->getFunction(), + numActuals, ins->getThis(), rest()->numFormals()); + apply->setBailoutKind(ins->bailoutKind()); + if (!ins->maybeCrossRealm()) { + apply->setNotCrossRealm(); + } + if (ins->ignoresReturnValue()) { + apply->setIgnoresReturnValue(); + } + ins->block()->insertBefore(ins, apply); + + ins->replaceAllUsesWith(apply); + + apply->stealResumePoint(ins); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +void RestReplacer::visitConstructArray(MConstructArray* ins) { + // Skip other array objects. + MDefinition* elements = ins->getElements(); + if (!isRestElements(elements)) { + return; + } + + auto* numActuals = restLength(ins); + + auto* construct = MConstructArgs::New( + alloc(), ins->getSingleTarget(), ins->getFunction(), numActuals, + ins->getThis(), ins->getNewTarget(), rest()->numFormals()); + construct->setBailoutKind(ins->bailoutKind()); + if (!ins->maybeCrossRealm()) { + construct->setNotCrossRealm(); + } + + ins->block()->insertBefore(ins, construct); + ins->replaceAllUsesWith(construct); + + construct->stealResumePoint(ins); + + // Remove original instruction. + discardInstruction(ins, elements); +} + +bool ScalarReplacement(MIRGenerator* mir, MIRGraph& graph) { + JitSpew(JitSpew_Escape, "Begin (ScalarReplacement)"); + + EmulateStateOf<ObjectMemoryView> replaceObject(mir, graph); + EmulateStateOf<ArrayMemoryView> replaceArray(mir, graph); + bool addedPhi = false; + + for (ReversePostorderIterator block = graph.rpoBegin(); + block != graph.rpoEnd(); block++) { + if (mir->shouldCancel("Scalar Replacement (main loop)")) { + return false; + } + + for (MInstructionIterator ins = block->begin(); ins != block->end(); + ins++) { + if (IsOptimizableObjectInstruction(*ins) && + !IsObjectEscaped(*ins, *ins)) { + ObjectMemoryView view(graph.alloc(), *ins); + if (!replaceObject.run(view)) { + return false; + } + view.assertSuccess(); + addedPhi = true; + continue; + } + + if (IsOptimizableArrayInstruction(*ins) && !IsArrayEscaped(*ins, *ins)) { + ArrayMemoryView view(graph.alloc(), *ins); + if (!replaceArray.run(view)) { + return false; + } + view.assertSuccess(); + addedPhi = true; + continue; + } + + if (IsOptimizableArgumentsInstruction(*ins)) { + ArgumentsReplacer replacer(mir, graph, *ins); + if (replacer.escapes(*ins)) { + continue; + } + if (!replacer.run()) { + return false; + } + continue; + } + + if (IsOptimizableRestInstruction(*ins)) { + RestReplacer replacer(mir, graph, *ins); + if (replacer.escapes(*ins)) { + continue; + } + if (!replacer.run()) { + return false; + } + continue; + } + } + } + + if (addedPhi) { + // Phis added by Scalar Replacement are only redundant Phis which are + // not directly captured by any resume point but only by the MDefinition + // state. The conservative observability only focuses on Phis which are + // not used as resume points operands. + AssertExtendedGraphCoherency(graph); + if (!EliminatePhis(mir, graph, ConservativeObservability)) { + return false; + } + } + + return true; +} + +} /* namespace jit */ +} /* namespace js */ |