From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- js/src/jit/RangeAnalysis.cpp | 3679 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 3679 insertions(+) create mode 100644 js/src/jit/RangeAnalysis.cpp (limited to 'js/src/jit/RangeAnalysis.cpp') diff --git a/js/src/jit/RangeAnalysis.cpp b/js/src/jit/RangeAnalysis.cpp new file mode 100644 index 0000000000..64b27b98ff --- /dev/null +++ b/js/src/jit/RangeAnalysis.cpp @@ -0,0 +1,3679 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * vim: set ts=8 sts=2 et sw=2 tw=80: + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "jit/RangeAnalysis.h" + +#include "mozilla/MathAlgorithms.h" + +#include + +#include "jsmath.h" + +#include "jit/CompileInfo.h" +#include "jit/IonAnalysis.h" +#include "jit/JitSpewer.h" +#include "jit/MIR.h" +#include "jit/MIRGenerator.h" +#include "jit/MIRGraph.h" +#include "js/Conversions.h" +#include "js/ScalarType.h" // js::Scalar::Type +#include "util/CheckedArithmetic.h" +#include "vm/ArgumentsObject.h" +#include "vm/TypedArrayObject.h" +#include "vm/Uint8Clamped.h" + +#include "vm/BytecodeUtil-inl.h" + +using namespace js; +using namespace js::jit; + +using JS::GenericNaN; +using JS::ToInt32; +using mozilla::Abs; +using mozilla::CountLeadingZeroes32; +using mozilla::ExponentComponent; +using mozilla::FloorLog2; +using mozilla::IsNegativeZero; +using mozilla::NegativeInfinity; +using mozilla::NumberEqualsInt32; +using mozilla::PositiveInfinity; + +// [SMDOC] IonMonkey Range Analysis +// +// This algorithm is based on the paper "Eliminating Range Checks Using +// Static Single Assignment Form" by Gough and Klaren. +// +// We associate a range object with each SSA name, and the ranges are consulted +// in order to determine whether overflow is possible for arithmetic +// computations. +// +// An important source of range information that requires care to take +// advantage of is conditional control flow. Consider the code below: +// +// if (x < 0) { +// y = x + 2000000000; +// } else { +// if (x < 1000000000) { +// y = x * 2; +// } else { +// y = x - 3000000000; +// } +// } +// +// The arithmetic operations in this code cannot overflow, but it is not +// sufficient to simply associate each name with a range, since the information +// differs between basic blocks. The traditional dataflow approach would be +// associate ranges with (name, basic block) pairs. This solution is not +// satisfying, since we lose the benefit of SSA form: in SSA form, each +// definition has a unique name, so there is no need to track information about +// the control flow of the program. +// +// The approach used here is to add a new form of pseudo operation called a +// beta node, which associates range information with a value. These beta +// instructions take one argument and additionally have an auxiliary constant +// range associated with them. Operationally, beta nodes are just copies, but +// the invariant expressed by beta node copies is that the output will fall +// inside the range given by the beta node. Gough and Klaeren refer to SSA +// extended with these beta nodes as XSA form. The following shows the example +// code transformed into XSA form: +// +// if (x < 0) { +// x1 = Beta(x, [INT_MIN, -1]); +// y1 = x1 + 2000000000; +// } else { +// x2 = Beta(x, [0, INT_MAX]); +// if (x2 < 1000000000) { +// x3 = Beta(x2, [INT_MIN, 999999999]); +// y2 = x3*2; +// } else { +// x4 = Beta(x2, [1000000000, INT_MAX]); +// y3 = x4 - 3000000000; +// } +// y4 = Phi(y2, y3); +// } +// y = Phi(y1, y4); +// +// We insert beta nodes for the purposes of range analysis (they might also be +// usefully used for other forms of bounds check elimination) and remove them +// after range analysis is performed. The remaining compiler phases do not ever +// encounter beta nodes. + +static bool IsDominatedUse(MBasicBlock* block, MUse* use) { + MNode* n = use->consumer(); + bool isPhi = n->isDefinition() && n->toDefinition()->isPhi(); + + if (isPhi) { + MPhi* phi = n->toDefinition()->toPhi(); + return block->dominates(phi->block()->getPredecessor(phi->indexOf(use))); + } + + return block->dominates(n->block()); +} + +static inline void SpewRange(MDefinition* def) { +#ifdef JS_JITSPEW + if (JitSpewEnabled(JitSpew_Range) && def->type() != MIRType::None && + def->range()) { + JitSpewHeader(JitSpew_Range); + Fprinter& out = JitSpewPrinter(); + out.printf(" "); + def->printName(out); + out.printf(" has range "); + def->range()->dump(out); + out.printf("\n"); + } +#endif +} + +#ifdef JS_JITSPEW +static const char* TruncateKindString(TruncateKind kind) { + switch (kind) { + case TruncateKind::NoTruncate: + return "NoTruncate"; + case TruncateKind::TruncateAfterBailouts: + return "TruncateAfterBailouts"; + case TruncateKind::IndirectTruncate: + return "IndirectTruncate"; + case TruncateKind::Truncate: + return "Truncate"; + default: + MOZ_CRASH("Unknown truncate kind."); + } +} + +static inline void SpewTruncate(MDefinition* def, TruncateKind kind, + bool shouldClone) { + if (JitSpewEnabled(JitSpew_Range)) { + JitSpewHeader(JitSpew_Range); + Fprinter& out = JitSpewPrinter(); + out.printf(" "); + out.printf("truncating "); + def->printName(out); + out.printf(" (kind: %s, clone: %d)\n", TruncateKindString(kind), + shouldClone); + } +} +#else +static inline void SpewTruncate(MDefinition* def, TruncateKind kind, + bool shouldClone) {} +#endif + +TempAllocator& RangeAnalysis::alloc() const { return graph_.alloc(); } + +void RangeAnalysis::replaceDominatedUsesWith(MDefinition* orig, + MDefinition* dom, + MBasicBlock* block) { + for (MUseIterator i(orig->usesBegin()); i != orig->usesEnd();) { + MUse* use = *i++; + if (use->consumer() != dom && IsDominatedUse(block, use)) { + use->replaceProducer(dom); + } + } +} + +bool RangeAnalysis::addBetaNodes() { + JitSpew(JitSpew_Range, "Adding beta nodes"); + + for (PostorderIterator i(graph_.poBegin()); i != graph_.poEnd(); i++) { + MBasicBlock* block = *i; + JitSpew(JitSpew_Range, "Looking at block %u", block->id()); + + BranchDirection branch_dir; + MTest* test = block->immediateDominatorBranch(&branch_dir); + + if (!test || !test->getOperand(0)->isCompare()) { + continue; + } + + MCompare* compare = test->getOperand(0)->toCompare(); + + if (!compare->isNumericComparison()) { + continue; + } + + // TODO: support unsigned comparisons + if (compare->compareType() == MCompare::Compare_UInt32) { + continue; + } + + // isNumericComparison should return false for UIntPtr. + MOZ_ASSERT(compare->compareType() != MCompare::Compare_UIntPtr); + + MDefinition* left = compare->getOperand(0); + MDefinition* right = compare->getOperand(1); + double bound; + double conservativeLower = NegativeInfinity(); + double conservativeUpper = PositiveInfinity(); + MDefinition* val = nullptr; + + JSOp jsop = compare->jsop(); + + if (branch_dir == FALSE_BRANCH) { + jsop = NegateCompareOp(jsop); + conservativeLower = GenericNaN(); + conservativeUpper = GenericNaN(); + } + + MConstant* leftConst = left->maybeConstantValue(); + MConstant* rightConst = right->maybeConstantValue(); + if (leftConst && leftConst->isTypeRepresentableAsDouble()) { + bound = leftConst->numberToDouble(); + val = right; + jsop = ReverseCompareOp(jsop); + } else if (rightConst && rightConst->isTypeRepresentableAsDouble()) { + bound = rightConst->numberToDouble(); + val = left; + } else if (left->type() == MIRType::Int32 && + right->type() == MIRType::Int32) { + MDefinition* smaller = nullptr; + MDefinition* greater = nullptr; + if (jsop == JSOp::Lt) { + smaller = left; + greater = right; + } else if (jsop == JSOp::Gt) { + smaller = right; + greater = left; + } + if (smaller && greater) { + if (!alloc().ensureBallast()) { + return false; + } + + MBeta* beta; + beta = MBeta::New( + alloc(), smaller, + Range::NewInt32Range(alloc(), JSVAL_INT_MIN, JSVAL_INT_MAX - 1)); + block->insertBefore(*block->begin(), beta); + replaceDominatedUsesWith(smaller, beta, block); + JitSpew(JitSpew_Range, " Adding beta node for smaller %u", + smaller->id()); + beta = MBeta::New( + alloc(), greater, + Range::NewInt32Range(alloc(), JSVAL_INT_MIN + 1, JSVAL_INT_MAX)); + block->insertBefore(*block->begin(), beta); + replaceDominatedUsesWith(greater, beta, block); + JitSpew(JitSpew_Range, " Adding beta node for greater %u", + greater->id()); + } + continue; + } else { + continue; + } + + // At this point, one of the operands if the compare is a constant, and + // val is the other operand. + MOZ_ASSERT(val); + + Range comp; + switch (jsop) { + case JSOp::Le: + comp.setDouble(conservativeLower, bound); + break; + case JSOp::Lt: + // For integers, if x < c, the upper bound of x is c-1. + if (val->type() == MIRType::Int32) { + int32_t intbound; + if (NumberEqualsInt32(bound, &intbound) && + SafeSub(intbound, 1, &intbound)) { + bound = intbound; + } + } + comp.setDouble(conservativeLower, bound); + + // Negative zero is not less than zero. + if (bound == 0) { + comp.refineToExcludeNegativeZero(); + } + break; + case JSOp::Ge: + comp.setDouble(bound, conservativeUpper); + break; + case JSOp::Gt: + // For integers, if x > c, the lower bound of x is c+1. + if (val->type() == MIRType::Int32) { + int32_t intbound; + if (NumberEqualsInt32(bound, &intbound) && + SafeAdd(intbound, 1, &intbound)) { + bound = intbound; + } + } + comp.setDouble(bound, conservativeUpper); + + // Negative zero is not greater than zero. + if (bound == 0) { + comp.refineToExcludeNegativeZero(); + } + break; + case JSOp::StrictEq: + case JSOp::Eq: + comp.setDouble(bound, bound); + break; + case JSOp::StrictNe: + case JSOp::Ne: + // Negative zero is not not-equal to zero. + if (bound == 0) { + comp.refineToExcludeNegativeZero(); + break; + } + continue; // well, we could have + // [-\inf, bound-1] U [bound+1, \inf] but we only use + // contiguous ranges. + default: + continue; + } + + if (JitSpewEnabled(JitSpew_Range)) { + JitSpewHeader(JitSpew_Range); + Fprinter& out = JitSpewPrinter(); + out.printf(" Adding beta node for %u with range ", val->id()); + comp.dump(out); + out.printf("\n"); + } + + if (!alloc().ensureBallast()) { + return false; + } + + MBeta* beta = MBeta::New(alloc(), val, new (alloc()) Range(comp)); + block->insertBefore(*block->begin(), beta); + replaceDominatedUsesWith(val, beta, block); + } + + return true; +} + +bool RangeAnalysis::removeBetaNodes() { + JitSpew(JitSpew_Range, "Removing beta nodes"); + + for (PostorderIterator i(graph_.poBegin()); i != graph_.poEnd(); i++) { + MBasicBlock* block = *i; + for (MDefinitionIterator iter(*i); iter;) { + MDefinition* def = *iter++; + if (def->isBeta()) { + auto* beta = def->toBeta(); + MDefinition* op = beta->input(); + JitSpew(JitSpew_Range, " Removing beta node %u for %u", beta->id(), + op->id()); + beta->justReplaceAllUsesWith(op); + block->discard(beta); + } else { + // We only place Beta nodes at the beginning of basic + // blocks, so if we see something else, we can move on + // to the next block. + break; + } + } + } + return true; +} + +void SymbolicBound::dump(GenericPrinter& out) const { + if (loop) { + out.printf("[loop] "); + } + sum.dump(out); +} + +void SymbolicBound::dump() const { + Fprinter out(stderr); + dump(out); + out.printf("\n"); + out.finish(); +} + +// Test whether the given range's exponent tells us anything that its lower +// and upper bound values don't. +static bool IsExponentInteresting(const Range* r) { + // If it lacks either a lower or upper bound, the exponent is interesting. + if (!r->hasInt32Bounds()) { + return true; + } + + // Otherwise if there's no fractional part, the lower and upper bounds, + // which are integers, are perfectly precise. + if (!r->canHaveFractionalPart()) { + return false; + } + + // Otherwise, if the bounds are conservatively rounded across a power-of-two + // boundary, the exponent may imply a tighter range. + return FloorLog2(std::max(Abs(r->lower()), Abs(r->upper()))) > r->exponent(); +} + +void Range::dump(GenericPrinter& out) const { + assertInvariants(); + + // Floating-point or Integer subset. + if (canHaveFractionalPart_) { + out.printf("F"); + } else { + out.printf("I"); + } + + out.printf("["); + + if (!hasInt32LowerBound_) { + out.printf("?"); + } else { + out.printf("%d", lower_); + } + if (symbolicLower_) { + out.printf(" {"); + symbolicLower_->dump(out); + out.printf("}"); + } + + out.printf(", "); + + if (!hasInt32UpperBound_) { + out.printf("?"); + } else { + out.printf("%d", upper_); + } + if (symbolicUpper_) { + out.printf(" {"); + symbolicUpper_->dump(out); + out.printf("}"); + } + + out.printf("]"); + + bool includesNaN = max_exponent_ == IncludesInfinityAndNaN; + bool includesNegativeInfinity = + max_exponent_ >= IncludesInfinity && !hasInt32LowerBound_; + bool includesPositiveInfinity = + max_exponent_ >= IncludesInfinity && !hasInt32UpperBound_; + bool includesNegativeZero = canBeNegativeZero_; + + if (includesNaN || includesNegativeInfinity || includesPositiveInfinity || + includesNegativeZero) { + out.printf(" ("); + bool first = true; + if (includesNaN) { + if (first) { + first = false; + } else { + out.printf(" "); + } + out.printf("U NaN"); + } + if (includesNegativeInfinity) { + if (first) { + first = false; + } else { + out.printf(" "); + } + out.printf("U -Infinity"); + } + if (includesPositiveInfinity) { + if (first) { + first = false; + } else { + out.printf(" "); + } + out.printf("U Infinity"); + } + if (includesNegativeZero) { + if (first) { + first = false; + } else { + out.printf(" "); + } + out.printf("U -0"); + } + out.printf(")"); + } + if (max_exponent_ < IncludesInfinity && IsExponentInteresting(this)) { + out.printf(" (< pow(2, %d+1))", max_exponent_); + } +} + +void Range::dump() const { + Fprinter out(stderr); + dump(out); + out.printf("\n"); + out.finish(); +} + +Range* Range::intersect(TempAllocator& alloc, const Range* lhs, + const Range* rhs, bool* emptyRange) { + *emptyRange = false; + + if (!lhs && !rhs) { + return nullptr; + } + + if (!lhs) { + return new (alloc) Range(*rhs); + } + if (!rhs) { + return new (alloc) Range(*lhs); + } + + int32_t newLower = std::max(lhs->lower_, rhs->lower_); + int32_t newUpper = std::min(lhs->upper_, rhs->upper_); + + // If upper < lower, then we have conflicting constraints. Consider: + // + // if (x < 0) { + // if (x > 0) { + // [Some code.] + // } + // } + // + // In this case, the block is unreachable. + if (newUpper < newLower) { + // If both ranges can be NaN, the result can still be NaN. + if (!lhs->canBeNaN() || !rhs->canBeNaN()) { + *emptyRange = true; + } + return nullptr; + } + + bool newHasInt32LowerBound = + lhs->hasInt32LowerBound_ || rhs->hasInt32LowerBound_; + bool newHasInt32UpperBound = + lhs->hasInt32UpperBound_ || rhs->hasInt32UpperBound_; + + FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( + lhs->canHaveFractionalPart_ && rhs->canHaveFractionalPart_); + NegativeZeroFlag newMayIncludeNegativeZero = + NegativeZeroFlag(lhs->canBeNegativeZero_ && rhs->canBeNegativeZero_); + + uint16_t newExponent = std::min(lhs->max_exponent_, rhs->max_exponent_); + + // NaN is a special value which is neither greater than infinity or less than + // negative infinity. When we intersect two ranges like [?, 0] and [0, ?], we + // can end up thinking we have both a lower and upper bound, even though NaN + // is still possible. In this case, just be conservative, since any case where + // we can have NaN is not especially interesting. + if (newHasInt32LowerBound && newHasInt32UpperBound && + newExponent == IncludesInfinityAndNaN) { + return nullptr; + } + + // If one of the ranges has a fractional part and the other doesn't, it's + // possible that we will have computed a newExponent that's more precise + // than our newLower and newUpper. This is unusual, so we handle it here + // instead of in optimize(). + // + // For example, consider the range F[0,1.5]. Range analysis represents the + // lower and upper bound as integers, so we'd actually have + // F[0,2] (< pow(2, 0+1)). In this case, the exponent gives us a slightly + // more precise upper bound than the integer upper bound. + // + // When intersecting such a range with an integer range, the fractional part + // of the range is dropped. The max exponent of 0 remains valid, so the + // upper bound needs to be adjusted to 1. + // + // When intersecting F[0,2] (< pow(2, 0+1)) with a range like F[2,4], + // the naive intersection is I[2,2], but since the max exponent tells us + // that the value is always less than 2, the intersection is actually empty. + if (lhs->canHaveFractionalPart() != rhs->canHaveFractionalPart() || + (lhs->canHaveFractionalPart() && newHasInt32LowerBound && + newHasInt32UpperBound && newLower == newUpper)) { + refineInt32BoundsByExponent(newExponent, &newLower, &newHasInt32LowerBound, + &newUpper, &newHasInt32UpperBound); + + // If we're intersecting two ranges that don't overlap, this could also + // push the bounds past each other, since the actual intersection is + // the empty set. + if (newLower > newUpper) { + *emptyRange = true; + return nullptr; + } + } + + return new (alloc) + Range(newLower, newHasInt32LowerBound, newUpper, newHasInt32UpperBound, + newCanHaveFractionalPart, newMayIncludeNegativeZero, newExponent); +} + +void Range::unionWith(const Range* other) { + int32_t newLower = std::min(lower_, other->lower_); + int32_t newUpper = std::max(upper_, other->upper_); + + bool newHasInt32LowerBound = + hasInt32LowerBound_ && other->hasInt32LowerBound_; + bool newHasInt32UpperBound = + hasInt32UpperBound_ && other->hasInt32UpperBound_; + + FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( + canHaveFractionalPart_ || other->canHaveFractionalPart_); + NegativeZeroFlag newMayIncludeNegativeZero = + NegativeZeroFlag(canBeNegativeZero_ || other->canBeNegativeZero_); + + uint16_t newExponent = std::max(max_exponent_, other->max_exponent_); + + rawInitialize(newLower, newHasInt32LowerBound, newUpper, + newHasInt32UpperBound, newCanHaveFractionalPart, + newMayIncludeNegativeZero, newExponent); +} + +Range::Range(const MDefinition* def) + : symbolicLower_(nullptr), symbolicUpper_(nullptr) { + if (const Range* other = def->range()) { + // The instruction has range information; use it. + *this = *other; + + // Simulate the effect of converting the value to its type. + // Note: we cannot clamp here, since ranges aren't allowed to shrink + // and truncation can increase range again. So doing wrapAround to + // mimick a possible truncation. + switch (def->type()) { + case MIRType::Int32: + // MToNumberInt32 cannot truncate. So we can safely clamp. + if (def->isToNumberInt32()) { + clampToInt32(); + } else { + wrapAroundToInt32(); + } + break; + case MIRType::Boolean: + wrapAroundToBoolean(); + break; + case MIRType::None: + MOZ_CRASH("Asking for the range of an instruction with no value"); + default: + break; + } + } else { + // Otherwise just use type information. We can trust the type here + // because we don't care what value the instruction actually produces, + // but what value we might get after we get past the bailouts. + switch (def->type()) { + case MIRType::Int32: + setInt32(JSVAL_INT_MIN, JSVAL_INT_MAX); + break; + case MIRType::Boolean: + setInt32(0, 1); + break; + case MIRType::None: + MOZ_CRASH("Asking for the range of an instruction with no value"); + default: + setUnknown(); + break; + } + } + + // As a special case, MUrsh is permitted to claim a result type of + // MIRType::Int32 while actually returning values in [0,UINT32_MAX] without + // bailouts. If range analysis hasn't ruled out values in + // (INT32_MAX,UINT32_MAX], set the range to be conservatively correct for + // use as either a uint32 or an int32. + if (!hasInt32UpperBound() && def->isUrsh() && + def->toUrsh()->bailoutsDisabled() && def->type() != MIRType::Int64) { + lower_ = INT32_MIN; + } + + assertInvariants(); +} + +static uint16_t ExponentImpliedByDouble(double d) { + // Handle the special values. + if (std::isnan(d)) { + return Range::IncludesInfinityAndNaN; + } + if (std::isinf(d)) { + return Range::IncludesInfinity; + } + + // Otherwise take the exponent part and clamp it at zero, since the Range + // class doesn't track fractional ranges. + return uint16_t(std::max(int_fast16_t(0), ExponentComponent(d))); +} + +void Range::setDouble(double l, double h) { + MOZ_ASSERT(!(l > h)); + + // Infer lower_, upper_, hasInt32LowerBound_, and hasInt32UpperBound_. + if (l >= INT32_MIN && l <= INT32_MAX) { + lower_ = int32_t(::floor(l)); + hasInt32LowerBound_ = true; + } else if (l >= INT32_MAX) { + lower_ = INT32_MAX; + hasInt32LowerBound_ = true; + } else { + lower_ = INT32_MIN; + hasInt32LowerBound_ = false; + } + if (h >= INT32_MIN && h <= INT32_MAX) { + upper_ = int32_t(::ceil(h)); + hasInt32UpperBound_ = true; + } else if (h <= INT32_MIN) { + upper_ = INT32_MIN; + hasInt32UpperBound_ = true; + } else { + upper_ = INT32_MAX; + hasInt32UpperBound_ = false; + } + + // Infer max_exponent_. + uint16_t lExp = ExponentImpliedByDouble(l); + uint16_t hExp = ExponentImpliedByDouble(h); + max_exponent_ = std::max(lExp, hExp); + + canHaveFractionalPart_ = ExcludesFractionalParts; + canBeNegativeZero_ = ExcludesNegativeZero; + + // Infer the canHaveFractionalPart_ setting. We can have a + // fractional part if the range crosses through the neighborhood of zero. We + // won't have a fractional value if the value is always beyond the point at + // which double precision can't represent fractional values. + uint16_t minExp = std::min(lExp, hExp); + bool includesNegative = std::isnan(l) || l < 0; + bool includesPositive = std::isnan(h) || h > 0; + bool crossesZero = includesNegative && includesPositive; + if (crossesZero || minExp < MaxTruncatableExponent) { + canHaveFractionalPart_ = IncludesFractionalParts; + } + + // Infer the canBeNegativeZero_ setting. We can have a negative zero if + // either bound is zero. + if (!(l > 0) && !(h < 0)) { + canBeNegativeZero_ = IncludesNegativeZero; + } + + optimize(); +} + +void Range::setDoubleSingleton(double d) { + setDouble(d, d); + + // The above setDouble call is for comparisons, and treats negative zero + // as equal to zero. We're aiming for a minimum range, so we can clear the + // negative zero flag if the value isn't actually negative zero. + if (!IsNegativeZero(d)) { + canBeNegativeZero_ = ExcludesNegativeZero; + } + + assertInvariants(); +} + +static inline bool MissingAnyInt32Bounds(const Range* lhs, const Range* rhs) { + return !lhs->hasInt32Bounds() || !rhs->hasInt32Bounds(); +} + +Range* Range::add(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + int64_t l = (int64_t)lhs->lower_ + (int64_t)rhs->lower_; + if (!lhs->hasInt32LowerBound() || !rhs->hasInt32LowerBound()) { + l = NoInt32LowerBound; + } + + int64_t h = (int64_t)lhs->upper_ + (int64_t)rhs->upper_; + if (!lhs->hasInt32UpperBound() || !rhs->hasInt32UpperBound()) { + h = NoInt32UpperBound; + } + + // The exponent is at most one greater than the greater of the operands' + // exponents, except for NaN and infinity cases. + uint16_t e = std::max(lhs->max_exponent_, rhs->max_exponent_); + if (e <= Range::MaxFiniteExponent) { + ++e; + } + + // Infinity + -Infinity is NaN. + if (lhs->canBeInfiniteOrNaN() && rhs->canBeInfiniteOrNaN()) { + e = Range::IncludesInfinityAndNaN; + } + + return new (alloc) Range( + l, h, + FractionalPartFlag(lhs->canHaveFractionalPart() || + rhs->canHaveFractionalPart()), + NegativeZeroFlag(lhs->canBeNegativeZero() && rhs->canBeNegativeZero()), + e); +} + +Range* Range::sub(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + int64_t l = (int64_t)lhs->lower_ - (int64_t)rhs->upper_; + if (!lhs->hasInt32LowerBound() || !rhs->hasInt32UpperBound()) { + l = NoInt32LowerBound; + } + + int64_t h = (int64_t)lhs->upper_ - (int64_t)rhs->lower_; + if (!lhs->hasInt32UpperBound() || !rhs->hasInt32LowerBound()) { + h = NoInt32UpperBound; + } + + // The exponent is at most one greater than the greater of the operands' + // exponents, except for NaN and infinity cases. + uint16_t e = std::max(lhs->max_exponent_, rhs->max_exponent_); + if (e <= Range::MaxFiniteExponent) { + ++e; + } + + // Infinity - Infinity is NaN. + if (lhs->canBeInfiniteOrNaN() && rhs->canBeInfiniteOrNaN()) { + e = Range::IncludesInfinityAndNaN; + } + + return new (alloc) + Range(l, h, + FractionalPartFlag(lhs->canHaveFractionalPart() || + rhs->canHaveFractionalPart()), + NegativeZeroFlag(lhs->canBeNegativeZero() && rhs->canBeZero()), e); +} + +Range* Range::and_(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + MOZ_ASSERT(lhs->isInt32()); + MOZ_ASSERT(rhs->isInt32()); + + // If both numbers can be negative, result can be negative in the whole range + if (lhs->lower() < 0 && rhs->lower() < 0) { + return Range::NewInt32Range(alloc, INT32_MIN, + std::max(lhs->upper(), rhs->upper())); + } + + // Only one of both numbers can be negative. + // - result can't be negative + // - Upper bound is minimum of both upper range, + int32_t lower = 0; + int32_t upper = std::min(lhs->upper(), rhs->upper()); + + // EXCEPT when upper bound of non negative number is max value, + // because negative value can return the whole max value. + // -1 & 5 = 5 + if (lhs->lower() < 0) { + upper = rhs->upper(); + } + if (rhs->lower() < 0) { + upper = lhs->upper(); + } + + return Range::NewInt32Range(alloc, lower, upper); +} + +Range* Range::or_(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + MOZ_ASSERT(lhs->isInt32()); + MOZ_ASSERT(rhs->isInt32()); + // When one operand is always 0 or always -1, it's a special case where we + // can compute a fully precise result. Handling these up front also + // protects the code below from calling CountLeadingZeroes32 with a zero + // operand or from shifting an int32_t by 32. + if (lhs->lower() == lhs->upper()) { + if (lhs->lower() == 0) { + return new (alloc) Range(*rhs); + } + if (lhs->lower() == -1) { + return new (alloc) Range(*lhs); + } + } + if (rhs->lower() == rhs->upper()) { + if (rhs->lower() == 0) { + return new (alloc) Range(*lhs); + } + if (rhs->lower() == -1) { + return new (alloc) Range(*rhs); + } + } + + // The code below uses CountLeadingZeroes32, which has undefined behavior + // if its operand is 0. We rely on the code above to protect it. + MOZ_ASSERT_IF(lhs->lower() >= 0, lhs->upper() != 0); + MOZ_ASSERT_IF(rhs->lower() >= 0, rhs->upper() != 0); + MOZ_ASSERT_IF(lhs->upper() < 0, lhs->lower() != -1); + MOZ_ASSERT_IF(rhs->upper() < 0, rhs->lower() != -1); + + int32_t lower = INT32_MIN; + int32_t upper = INT32_MAX; + + if (lhs->lower() >= 0 && rhs->lower() >= 0) { + // Both operands are non-negative, so the result won't be less than either. + lower = std::max(lhs->lower(), rhs->lower()); + // The result will have leading zeros where both operands have leading + // zeros. CountLeadingZeroes32 of a non-negative int32 will at least be 1 to + // account for the bit of sign. + upper = int32_t(UINT32_MAX >> std::min(CountLeadingZeroes32(lhs->upper()), + CountLeadingZeroes32(rhs->upper()))); + } else { + // The result will have leading ones where either operand has leading ones. + if (lhs->upper() < 0) { + unsigned leadingOnes = CountLeadingZeroes32(~lhs->lower()); + lower = std::max(lower, ~int32_t(UINT32_MAX >> leadingOnes)); + upper = -1; + } + if (rhs->upper() < 0) { + unsigned leadingOnes = CountLeadingZeroes32(~rhs->lower()); + lower = std::max(lower, ~int32_t(UINT32_MAX >> leadingOnes)); + upper = -1; + } + } + + return Range::NewInt32Range(alloc, lower, upper); +} + +Range* Range::xor_(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + MOZ_ASSERT(lhs->isInt32()); + MOZ_ASSERT(rhs->isInt32()); + int32_t lhsLower = lhs->lower(); + int32_t lhsUpper = lhs->upper(); + int32_t rhsLower = rhs->lower(); + int32_t rhsUpper = rhs->upper(); + bool invertAfter = false; + + // If either operand is negative, bitwise-negate it, and arrange to negate + // the result; ~((~x)^y) == x^y. If both are negative the negations on the + // result cancel each other out; effectively this is (~x)^(~y) == x^y. + // These transformations reduce the number of cases we have to handle below. + if (lhsUpper < 0) { + lhsLower = ~lhsLower; + lhsUpper = ~lhsUpper; + std::swap(lhsLower, lhsUpper); + invertAfter = !invertAfter; + } + if (rhsUpper < 0) { + rhsLower = ~rhsLower; + rhsUpper = ~rhsUpper; + std::swap(rhsLower, rhsUpper); + invertAfter = !invertAfter; + } + + // Handle cases where lhs or rhs is always zero specially, because they're + // easy cases where we can be perfectly precise, and because it protects the + // CountLeadingZeroes32 calls below from seeing 0 operands, which would be + // undefined behavior. + int32_t lower = INT32_MIN; + int32_t upper = INT32_MAX; + if (lhsLower == 0 && lhsUpper == 0) { + upper = rhsUpper; + lower = rhsLower; + } else if (rhsLower == 0 && rhsUpper == 0) { + upper = lhsUpper; + lower = lhsLower; + } else if (lhsLower >= 0 && rhsLower >= 0) { + // Both operands are non-negative. The result will be non-negative. + lower = 0; + // To compute the upper value, take each operand's upper value and + // set all bits that don't correspond to leading zero bits in the + // other to one. For each one, this gives an upper bound for the + // result, so we can take the minimum between the two. + unsigned lhsLeadingZeros = CountLeadingZeroes32(lhsUpper); + unsigned rhsLeadingZeros = CountLeadingZeroes32(rhsUpper); + upper = std::min(rhsUpper | int32_t(UINT32_MAX >> lhsLeadingZeros), + lhsUpper | int32_t(UINT32_MAX >> rhsLeadingZeros)); + } + + // If we bitwise-negated one (but not both) of the operands above, apply the + // bitwise-negate to the result, completing ~((~x)^y) == x^y. + if (invertAfter) { + lower = ~lower; + upper = ~upper; + std::swap(lower, upper); + } + + return Range::NewInt32Range(alloc, lower, upper); +} + +Range* Range::not_(TempAllocator& alloc, const Range* op) { + MOZ_ASSERT(op->isInt32()); + return Range::NewInt32Range(alloc, ~op->upper(), ~op->lower()); +} + +Range* Range::mul(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( + lhs->canHaveFractionalPart_ || rhs->canHaveFractionalPart_); + + NegativeZeroFlag newMayIncludeNegativeZero = NegativeZeroFlag( + (lhs->canHaveSignBitSet() && rhs->canBeFiniteNonNegative()) || + (rhs->canHaveSignBitSet() && lhs->canBeFiniteNonNegative())); + + uint16_t exponent; + if (!lhs->canBeInfiniteOrNaN() && !rhs->canBeInfiniteOrNaN()) { + // Two finite values. + exponent = lhs->numBits() + rhs->numBits() - 1; + if (exponent > Range::MaxFiniteExponent) { + exponent = Range::IncludesInfinity; + } + } else if (!lhs->canBeNaN() && !rhs->canBeNaN() && + !(lhs->canBeZero() && rhs->canBeInfiniteOrNaN()) && + !(rhs->canBeZero() && lhs->canBeInfiniteOrNaN())) { + // Two values that multiplied together won't produce a NaN. + exponent = Range::IncludesInfinity; + } else { + // Could be anything. + exponent = Range::IncludesInfinityAndNaN; + } + + if (MissingAnyInt32Bounds(lhs, rhs)) { + return new (alloc) + Range(NoInt32LowerBound, NoInt32UpperBound, newCanHaveFractionalPart, + newMayIncludeNegativeZero, exponent); + } + int64_t a = (int64_t)lhs->lower() * (int64_t)rhs->lower(); + int64_t b = (int64_t)lhs->lower() * (int64_t)rhs->upper(); + int64_t c = (int64_t)lhs->upper() * (int64_t)rhs->lower(); + int64_t d = (int64_t)lhs->upper() * (int64_t)rhs->upper(); + return new (alloc) + Range(std::min(std::min(a, b), std::min(c, d)), + std::max(std::max(a, b), std::max(c, d)), newCanHaveFractionalPart, + newMayIncludeNegativeZero, exponent); +} + +Range* Range::lsh(TempAllocator& alloc, const Range* lhs, int32_t c) { + MOZ_ASSERT(lhs->isInt32()); + int32_t shift = c & 0x1f; + + // If the shift doesn't loose bits or shift bits into the sign bit, we + // can simply compute the correct range by shifting. + if ((int32_t)((uint32_t)lhs->lower() << shift << 1 >> shift >> 1) == + lhs->lower() && + (int32_t)((uint32_t)lhs->upper() << shift << 1 >> shift >> 1) == + lhs->upper()) { + return Range::NewInt32Range(alloc, uint32_t(lhs->lower()) << shift, + uint32_t(lhs->upper()) << shift); + } + + return Range::NewInt32Range(alloc, INT32_MIN, INT32_MAX); +} + +Range* Range::rsh(TempAllocator& alloc, const Range* lhs, int32_t c) { + MOZ_ASSERT(lhs->isInt32()); + int32_t shift = c & 0x1f; + return Range::NewInt32Range(alloc, lhs->lower() >> shift, + lhs->upper() >> shift); +} + +Range* Range::ursh(TempAllocator& alloc, const Range* lhs, int32_t c) { + // ursh's left operand is uint32, not int32, but for range analysis we + // currently approximate it as int32. We assume here that the range has + // already been adjusted accordingly by our callers. + MOZ_ASSERT(lhs->isInt32()); + + int32_t shift = c & 0x1f; + + // If the value is always non-negative or always negative, we can simply + // compute the correct range by shifting. + if (lhs->isFiniteNonNegative() || lhs->isFiniteNegative()) { + return Range::NewUInt32Range(alloc, uint32_t(lhs->lower()) >> shift, + uint32_t(lhs->upper()) >> shift); + } + + // Otherwise return the most general range after the shift. + return Range::NewUInt32Range(alloc, 0, UINT32_MAX >> shift); +} + +Range* Range::lsh(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + MOZ_ASSERT(lhs->isInt32()); + MOZ_ASSERT(rhs->isInt32()); + return Range::NewInt32Range(alloc, INT32_MIN, INT32_MAX); +} + +Range* Range::rsh(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + MOZ_ASSERT(lhs->isInt32()); + MOZ_ASSERT(rhs->isInt32()); + + // Canonicalize the shift range to 0 to 31. + int32_t shiftLower = rhs->lower(); + int32_t shiftUpper = rhs->upper(); + if ((int64_t(shiftUpper) - int64_t(shiftLower)) >= 31) { + shiftLower = 0; + shiftUpper = 31; + } else { + shiftLower &= 0x1f; + shiftUpper &= 0x1f; + if (shiftLower > shiftUpper) { + shiftLower = 0; + shiftUpper = 31; + } + } + MOZ_ASSERT(shiftLower >= 0 && shiftUpper <= 31); + + // The lhs bounds are signed, thus the minimum is either the lower bound + // shift by the smallest shift if negative or the lower bound shifted by the + // biggest shift otherwise. And the opposite for the maximum. + int32_t lhsLower = lhs->lower(); + int32_t min = lhsLower < 0 ? lhsLower >> shiftLower : lhsLower >> shiftUpper; + int32_t lhsUpper = lhs->upper(); + int32_t max = lhsUpper >= 0 ? lhsUpper >> shiftLower : lhsUpper >> shiftUpper; + + return Range::NewInt32Range(alloc, min, max); +} + +Range* Range::ursh(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + // ursh's left operand is uint32, not int32, but for range analysis we + // currently approximate it as int32. We assume here that the range has + // already been adjusted accordingly by our callers. + MOZ_ASSERT(lhs->isInt32()); + MOZ_ASSERT(rhs->isInt32()); + return Range::NewUInt32Range( + alloc, 0, lhs->isFiniteNonNegative() ? lhs->upper() : UINT32_MAX); +} + +Range* Range::abs(TempAllocator& alloc, const Range* op) { + int32_t l = op->lower_; + int32_t u = op->upper_; + FractionalPartFlag canHaveFractionalPart = op->canHaveFractionalPart_; + + // Abs never produces a negative zero. + NegativeZeroFlag canBeNegativeZero = ExcludesNegativeZero; + + return new (alloc) Range( + std::max(std::max(int32_t(0), l), u == INT32_MIN ? INT32_MAX : -u), true, + std::max(std::max(int32_t(0), u), l == INT32_MIN ? INT32_MAX : -l), + op->hasInt32Bounds() && l != INT32_MIN, canHaveFractionalPart, + canBeNegativeZero, op->max_exponent_); +} + +Range* Range::min(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + // If either operand is NaN, the result is NaN. + if (lhs->canBeNaN() || rhs->canBeNaN()) { + return nullptr; + } + + FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( + lhs->canHaveFractionalPart_ || rhs->canHaveFractionalPart_); + NegativeZeroFlag newMayIncludeNegativeZero = + NegativeZeroFlag(lhs->canBeNegativeZero_ || rhs->canBeNegativeZero_); + + return new (alloc) Range(std::min(lhs->lower_, rhs->lower_), + lhs->hasInt32LowerBound_ && rhs->hasInt32LowerBound_, + std::min(lhs->upper_, rhs->upper_), + lhs->hasInt32UpperBound_ || rhs->hasInt32UpperBound_, + newCanHaveFractionalPart, newMayIncludeNegativeZero, + std::max(lhs->max_exponent_, rhs->max_exponent_)); +} + +Range* Range::max(TempAllocator& alloc, const Range* lhs, const Range* rhs) { + // If either operand is NaN, the result is NaN. + if (lhs->canBeNaN() || rhs->canBeNaN()) { + return nullptr; + } + + FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( + lhs->canHaveFractionalPart_ || rhs->canHaveFractionalPart_); + NegativeZeroFlag newMayIncludeNegativeZero = + NegativeZeroFlag(lhs->canBeNegativeZero_ || rhs->canBeNegativeZero_); + + return new (alloc) Range(std::max(lhs->lower_, rhs->lower_), + lhs->hasInt32LowerBound_ || rhs->hasInt32LowerBound_, + std::max(lhs->upper_, rhs->upper_), + lhs->hasInt32UpperBound_ && rhs->hasInt32UpperBound_, + newCanHaveFractionalPart, newMayIncludeNegativeZero, + std::max(lhs->max_exponent_, rhs->max_exponent_)); +} + +Range* Range::floor(TempAllocator& alloc, const Range* op) { + Range* copy = new (alloc) Range(*op); + // Decrement lower bound of copy range if op have a factional part and lower + // bound is Int32 defined. Also we avoid to decrement when op have a + // fractional part but lower_ >= JSVAL_INT_MAX. + if (op->canHaveFractionalPart() && op->hasInt32LowerBound()) { + copy->setLowerInit(int64_t(copy->lower_) - 1); + } + + // Also refine max_exponent_ because floor may have decremented int value + // If we've got int32 defined bounds, just deduce it using defined bounds. + // But, if we don't have those, value's max_exponent_ may have changed. + // Because we're looking to maintain an over estimation, if we can, + // we increment it. + if (copy->hasInt32Bounds()) + copy->max_exponent_ = copy->exponentImpliedByInt32Bounds(); + else if (copy->max_exponent_ < MaxFiniteExponent) + copy->max_exponent_++; + + copy->canHaveFractionalPart_ = ExcludesFractionalParts; + copy->assertInvariants(); + return copy; +} + +Range* Range::ceil(TempAllocator& alloc, const Range* op) { + Range* copy = new (alloc) Range(*op); + + // We need to refine max_exponent_ because ceil may have incremented the int + // value. If we have got int32 bounds defined, just deduce it using the + // defined bounds. Else we can just increment its value, as we are looking to + // maintain an over estimation. + if (copy->hasInt32Bounds()) { + copy->max_exponent_ = copy->exponentImpliedByInt32Bounds(); + } else if (copy->max_exponent_ < MaxFiniteExponent) { + copy->max_exponent_++; + } + + // If the range is definitely above 0 or below -1, we don't need to include + // -0; otherwise we do. + + copy->canBeNegativeZero_ = ((copy->lower_ > 0) || (copy->upper_ <= -1)) + ? copy->canBeNegativeZero_ + : IncludesNegativeZero; + + copy->canHaveFractionalPart_ = ExcludesFractionalParts; + copy->assertInvariants(); + return copy; +} + +Range* Range::sign(TempAllocator& alloc, const Range* op) { + if (op->canBeNaN()) { + return nullptr; + } + + return new (alloc) Range(std::max(std::min(op->lower_, 1), -1), + std::max(std::min(op->upper_, 1), -1), + Range::ExcludesFractionalParts, + NegativeZeroFlag(op->canBeNegativeZero()), 0); +} + +Range* Range::NaNToZero(TempAllocator& alloc, const Range* op) { + Range* copy = new (alloc) Range(*op); + if (copy->canBeNaN()) { + copy->max_exponent_ = Range::IncludesInfinity; + if (!copy->canBeZero()) { + Range zero; + zero.setDoubleSingleton(0); + copy->unionWith(&zero); + } + } + copy->refineToExcludeNegativeZero(); + return copy; +} + +bool Range::negativeZeroMul(const Range* lhs, const Range* rhs) { + // The result can only be negative zero if both sides are finite and they + // have differing signs. + return (lhs->canHaveSignBitSet() && rhs->canBeFiniteNonNegative()) || + (rhs->canHaveSignBitSet() && lhs->canBeFiniteNonNegative()); +} + +bool Range::update(const Range* other) { + bool changed = lower_ != other->lower_ || + hasInt32LowerBound_ != other->hasInt32LowerBound_ || + upper_ != other->upper_ || + hasInt32UpperBound_ != other->hasInt32UpperBound_ || + canHaveFractionalPart_ != other->canHaveFractionalPart_ || + canBeNegativeZero_ != other->canBeNegativeZero_ || + max_exponent_ != other->max_exponent_; + if (changed) { + lower_ = other->lower_; + hasInt32LowerBound_ = other->hasInt32LowerBound_; + upper_ = other->upper_; + hasInt32UpperBound_ = other->hasInt32UpperBound_; + canHaveFractionalPart_ = other->canHaveFractionalPart_; + canBeNegativeZero_ = other->canBeNegativeZero_; + max_exponent_ = other->max_exponent_; + assertInvariants(); + } + + return changed; +} + +/////////////////////////////////////////////////////////////////////////////// +// Range Computation for MIR Nodes +/////////////////////////////////////////////////////////////////////////////// + +void MPhi::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32 && type() != MIRType::Double) { + return; + } + + Range* range = nullptr; + for (size_t i = 0, e = numOperands(); i < e; i++) { + if (getOperand(i)->block()->unreachable()) { + JitSpew(JitSpew_Range, "Ignoring unreachable input %u", + getOperand(i)->id()); + continue; + } + + // Peek at the pre-bailout range so we can take a short-cut; if any of + // the operands has an unknown range, this phi has an unknown range. + if (!getOperand(i)->range()) { + return; + } + + Range input(getOperand(i)); + + if (range) { + range->unionWith(&input); + } else { + range = new (alloc) Range(input); + } + } + + setRange(range); +} + +void MBeta::computeRange(TempAllocator& alloc) { + bool emptyRange = false; + + Range opRange(getOperand(0)); + Range* range = Range::intersect(alloc, &opRange, comparison_, &emptyRange); + if (emptyRange) { + JitSpew(JitSpew_Range, "Marking block for inst %u unreachable", id()); + block()->setUnreachableUnchecked(); + } else { + setRange(range); + } +} + +void MConstant::computeRange(TempAllocator& alloc) { + if (isTypeRepresentableAsDouble()) { + double d = numberToDouble(); + setRange(Range::NewDoubleSingletonRange(alloc, d)); + } else if (type() == MIRType::Boolean) { + bool b = toBoolean(); + setRange(Range::NewInt32Range(alloc, b, b)); + } +} + +void MCharCodeAt::computeRange(TempAllocator& alloc) { + // ECMA 262 says that the integer will be non-negative and at most 65535. + setRange(Range::NewInt32Range(alloc, 0, 65535)); +} + +void MClampToUint8::computeRange(TempAllocator& alloc) { + setRange(Range::NewUInt32Range(alloc, 0, 255)); +} + +void MBitAnd::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32) { + return; + } + + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + right.wrapAroundToInt32(); + + setRange(Range::and_(alloc, &left, &right)); +} + +void MBitOr::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32) { + return; + } + + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + right.wrapAroundToInt32(); + + setRange(Range::or_(alloc, &left, &right)); +} + +void MBitXor::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32) { + return; + } + + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + right.wrapAroundToInt32(); + + setRange(Range::xor_(alloc, &left, &right)); +} + +void MBitNot::computeRange(TempAllocator& alloc) { + if (type() == MIRType::Int64) { + return; + } + MOZ_ASSERT(type() == MIRType::Int32); + + Range op(getOperand(0)); + op.wrapAroundToInt32(); + + setRange(Range::not_(alloc, &op)); +} + +void MLsh::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32) { + return; + } + + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + + MConstant* rhsConst = getOperand(1)->maybeConstantValue(); + if (rhsConst && rhsConst->type() == MIRType::Int32) { + int32_t c = rhsConst->toInt32(); + setRange(Range::lsh(alloc, &left, c)); + return; + } + + right.wrapAroundToShiftCount(); + setRange(Range::lsh(alloc, &left, &right)); +} + +void MRsh::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32) { + return; + } + + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + + MConstant* rhsConst = getOperand(1)->maybeConstantValue(); + if (rhsConst && rhsConst->type() == MIRType::Int32) { + int32_t c = rhsConst->toInt32(); + setRange(Range::rsh(alloc, &left, c)); + return; + } + + right.wrapAroundToShiftCount(); + setRange(Range::rsh(alloc, &left, &right)); +} + +void MUrsh::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32) { + return; + } + + Range left(getOperand(0)); + Range right(getOperand(1)); + + // ursh can be thought of as converting its left operand to uint32, or it + // can be thought of as converting its left operand to int32, and then + // reinterpreting the int32 bits as a uint32 value. Both approaches yield + // the same result. Since we lack support for full uint32 ranges, we use + // the second interpretation, though it does cause us to be conservative. + left.wrapAroundToInt32(); + right.wrapAroundToShiftCount(); + + MConstant* rhsConst = getOperand(1)->maybeConstantValue(); + if (rhsConst && rhsConst->type() == MIRType::Int32) { + int32_t c = rhsConst->toInt32(); + setRange(Range::ursh(alloc, &left, c)); + } else { + setRange(Range::ursh(alloc, &left, &right)); + } + + MOZ_ASSERT(range()->lower() >= 0); +} + +void MAbs::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32 && type() != MIRType::Double) { + return; + } + + Range other(getOperand(0)); + Range* next = Range::abs(alloc, &other); + if (implicitTruncate_) { + next->wrapAroundToInt32(); + } + setRange(next); +} + +void MFloor::computeRange(TempAllocator& alloc) { + Range other(getOperand(0)); + setRange(Range::floor(alloc, &other)); +} + +void MCeil::computeRange(TempAllocator& alloc) { + Range other(getOperand(0)); + setRange(Range::ceil(alloc, &other)); +} + +void MClz::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32) { + return; + } + setRange(Range::NewUInt32Range(alloc, 0, 32)); +} + +void MCtz::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32) { + return; + } + setRange(Range::NewUInt32Range(alloc, 0, 32)); +} + +void MPopcnt::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32) { + return; + } + setRange(Range::NewUInt32Range(alloc, 0, 32)); +} + +void MMinMax::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32 && type() != MIRType::Double) { + return; + } + + Range left(getOperand(0)); + Range right(getOperand(1)); + setRange(isMax() ? Range::max(alloc, &left, &right) + : Range::min(alloc, &left, &right)); +} + +void MAdd::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32 && type() != MIRType::Double) { + return; + } + Range left(getOperand(0)); + Range right(getOperand(1)); + Range* next = Range::add(alloc, &left, &right); + if (isTruncated()) { + next->wrapAroundToInt32(); + } + setRange(next); +} + +void MSub::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32 && type() != MIRType::Double) { + return; + } + Range left(getOperand(0)); + Range right(getOperand(1)); + Range* next = Range::sub(alloc, &left, &right); + if (isTruncated()) { + next->wrapAroundToInt32(); + } + setRange(next); +} + +void MMul::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32 && type() != MIRType::Double) { + return; + } + Range left(getOperand(0)); + Range right(getOperand(1)); + if (canBeNegativeZero()) { + canBeNegativeZero_ = Range::negativeZeroMul(&left, &right); + } + Range* next = Range::mul(alloc, &left, &right); + if (!next->canBeNegativeZero()) { + canBeNegativeZero_ = false; + } + // Truncated multiplications could overflow in both directions + if (isTruncated()) { + next->wrapAroundToInt32(); + } + setRange(next); +} + +void MMod::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32 && type() != MIRType::Double) { + return; + } + Range lhs(getOperand(0)); + Range rhs(getOperand(1)); + + // If either operand is a NaN, the result is NaN. This also conservatively + // handles Infinity cases. + if (!lhs.hasInt32Bounds() || !rhs.hasInt32Bounds()) { + return; + } + + // If RHS can be zero, the result can be NaN. + if (rhs.lower() <= 0 && rhs.upper() >= 0) { + return; + } + + // If both operands are non-negative integers, we can optimize this to an + // unsigned mod. + if (type() == MIRType::Int32 && rhs.lower() > 0) { + bool hasDoubles = lhs.lower() < 0 || lhs.canHaveFractionalPart() || + rhs.canHaveFractionalPart(); + // It is not possible to check that lhs.lower() >= 0, since the range + // of a ursh with rhs a 0 constant is wrapped around the int32 range in + // Range::Range(). However, IsUint32Type() will only return true for + // nodes that lie in the range [0, UINT32_MAX]. + bool hasUint32s = + IsUint32Type(getOperand(0)) && + getOperand(1)->type() == MIRType::Int32 && + (IsUint32Type(getOperand(1)) || getOperand(1)->isConstant()); + if (!hasDoubles || hasUint32s) { + unsigned_ = true; + } + } + + // For unsigned mod, we have to convert both operands to unsigned. + // Note that we handled the case of a zero rhs above. + if (unsigned_) { + // The result of an unsigned mod will never be unsigned-greater than + // either operand. + uint32_t lhsBound = std::max(lhs.lower(), lhs.upper()); + uint32_t rhsBound = std::max(rhs.lower(), rhs.upper()); + + // If either range crosses through -1 as a signed value, it could be + // the maximum unsigned value when interpreted as unsigned. If the range + // doesn't include -1, then the simple max value we computed above is + // correct. + if (lhs.lower() <= -1 && lhs.upper() >= -1) { + lhsBound = UINT32_MAX; + } + if (rhs.lower() <= -1 && rhs.upper() >= -1) { + rhsBound = UINT32_MAX; + } + + // The result will never be equal to the rhs, and we shouldn't have + // any rounding to worry about. + MOZ_ASSERT(!lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()); + --rhsBound; + + // This gives us two upper bounds, so we can take the best one. + setRange(Range::NewUInt32Range(alloc, 0, std::min(lhsBound, rhsBound))); + return; + } + + // Math.abs(lhs % rhs) == Math.abs(lhs) % Math.abs(rhs). + // First, the absolute value of the result will always be less than the + // absolute value of rhs. (And if rhs is zero, the result is NaN). + int64_t a = Abs(rhs.lower()); + int64_t b = Abs(rhs.upper()); + if (a == 0 && b == 0) { + return; + } + int64_t rhsAbsBound = std::max(a, b); + + // If the value is known to be integer, less-than abs(rhs) is equivalent + // to less-than-or-equal abs(rhs)-1. This is important for being able to + // say that the result of x%256 is an 8-bit unsigned number. + if (!lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()) { + --rhsAbsBound; + } + + // Next, the absolute value of the result will never be greater than the + // absolute value of lhs. + int64_t lhsAbsBound = + std::max(Abs(lhs.lower()), Abs(lhs.upper())); + + // This gives us two upper bounds, so we can take the best one. + int64_t absBound = std::min(lhsAbsBound, rhsAbsBound); + + // Now consider the sign of the result. + // If lhs is non-negative, the result will be non-negative. + // If lhs is non-positive, the result will be non-positive. + int64_t lower = lhs.lower() >= 0 ? 0 : -absBound; + int64_t upper = lhs.upper() <= 0 ? 0 : absBound; + + Range::FractionalPartFlag newCanHaveFractionalPart = + Range::FractionalPartFlag(lhs.canHaveFractionalPart() || + rhs.canHaveFractionalPart()); + + // If the lhs can have the sign bit set and we can return a zero, it'll be a + // negative zero. + Range::NegativeZeroFlag newMayIncludeNegativeZero = + Range::NegativeZeroFlag(lhs.canHaveSignBitSet()); + + setRange(new (alloc) Range(lower, upper, newCanHaveFractionalPart, + newMayIncludeNegativeZero, + std::min(lhs.exponent(), rhs.exponent()))); +} + +void MDiv::computeRange(TempAllocator& alloc) { + if (type() != MIRType::Int32 && type() != MIRType::Double) { + return; + } + Range lhs(getOperand(0)); + Range rhs(getOperand(1)); + + // If either operand is a NaN, the result is NaN. This also conservatively + // handles Infinity cases. + if (!lhs.hasInt32Bounds() || !rhs.hasInt32Bounds()) { + return; + } + + // Something simple for now: When dividing by a positive rhs, the result + // won't be further from zero than lhs. + if (lhs.lower() >= 0 && rhs.lower() >= 1) { + setRange(new (alloc) Range(0, lhs.upper(), Range::IncludesFractionalParts, + Range::IncludesNegativeZero, lhs.exponent())); + } else if (unsigned_ && rhs.lower() >= 1) { + // We shouldn't set the unsigned flag if the inputs can have + // fractional parts. + MOZ_ASSERT(!lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()); + // We shouldn't set the unsigned flag if the inputs can be + // negative zero. + MOZ_ASSERT(!lhs.canBeNegativeZero() && !rhs.canBeNegativeZero()); + // Unsigned division by a non-zero rhs will return a uint32 value. + setRange(Range::NewUInt32Range(alloc, 0, UINT32_MAX)); + } +} + +void MSqrt::computeRange(TempAllocator& alloc) { + Range input(getOperand(0)); + + // If either operand is a NaN, the result is NaN. This also conservatively + // handles Infinity cases. + if (!input.hasInt32Bounds()) { + return; + } + + // Sqrt of a negative non-zero value is NaN. + if (input.lower() < 0) { + return; + } + + // Something simple for now: When taking the sqrt of a positive value, the + // result won't be further from zero than the input. + // And, sqrt of an integer may have a fractional part. + setRange(new (alloc) Range(0, input.upper(), Range::IncludesFractionalParts, + input.canBeNegativeZero(), input.exponent())); +} + +void MToDouble::computeRange(TempAllocator& alloc) { + setRange(new (alloc) Range(getOperand(0))); +} + +void MToFloat32::computeRange(TempAllocator& alloc) {} + +void MTruncateToInt32::computeRange(TempAllocator& alloc) { + Range* output = new (alloc) Range(getOperand(0)); + output->wrapAroundToInt32(); + setRange(output); +} + +void MToNumberInt32::computeRange(TempAllocator& alloc) { + // No clamping since this computes the range *before* bailouts. + setRange(new (alloc) Range(getOperand(0))); +} + +void MBooleanToInt32::computeRange(TempAllocator& alloc) { + setRange(Range::NewUInt32Range(alloc, 0, 1)); +} + +void MLimitedTruncate::computeRange(TempAllocator& alloc) { + Range* output = new (alloc) Range(input()); + setRange(output); +} + +static Range* GetArrayBufferViewRange(TempAllocator& alloc, Scalar::Type type) { + switch (type) { + case Scalar::Uint8Clamped: + case Scalar::Uint8: + return Range::NewUInt32Range(alloc, 0, UINT8_MAX); + case Scalar::Uint16: + return Range::NewUInt32Range(alloc, 0, UINT16_MAX); + case Scalar::Uint32: + return Range::NewUInt32Range(alloc, 0, UINT32_MAX); + + case Scalar::Int8: + return Range::NewInt32Range(alloc, INT8_MIN, INT8_MAX); + case Scalar::Int16: + return Range::NewInt32Range(alloc, INT16_MIN, INT16_MAX); + case Scalar::Int32: + return Range::NewInt32Range(alloc, INT32_MIN, INT32_MAX); + + case Scalar::BigInt64: + case Scalar::BigUint64: + case Scalar::Int64: + case Scalar::Simd128: + case Scalar::Float32: + case Scalar::Float64: + case Scalar::MaxTypedArrayViewType: + break; + } + return nullptr; +} + +void MLoadUnboxedScalar::computeRange(TempAllocator& alloc) { + // We have an Int32 type and if this is a UInt32 load it may produce a value + // outside of our range, but we have a bailout to handle those cases. + setRange(GetArrayBufferViewRange(alloc, storageType())); +} + +void MLoadDataViewElement::computeRange(TempAllocator& alloc) { + // We have an Int32 type and if this is a UInt32 load it may produce a value + // outside of our range, but we have a bailout to handle those cases. + setRange(GetArrayBufferViewRange(alloc, storageType())); +} + +void MArrayLength::computeRange(TempAllocator& alloc) { + // Array lengths can go up to UINT32_MAX. We will bail out if the array + // length > INT32_MAX. + MOZ_ASSERT(type() == MIRType::Int32); + setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); +} + +void MInitializedLength::computeRange(TempAllocator& alloc) { + setRange( + Range::NewUInt32Range(alloc, 0, NativeObject::MAX_DENSE_ELEMENTS_COUNT)); +} + +void MArrayBufferViewLength::computeRange(TempAllocator& alloc) { + if constexpr (ArrayBufferObject::MaxByteLength <= INT32_MAX) { + setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); + } +} + +void MArrayBufferViewByteOffset::computeRange(TempAllocator& alloc) { + if constexpr (ArrayBufferObject::MaxByteLength <= INT32_MAX) { + setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); + } +} + +void MTypedArrayElementSize::computeRange(TempAllocator& alloc) { + constexpr auto MaxTypedArraySize = sizeof(double); + +#define ASSERT_MAX_SIZE(_, T, N) \ + static_assert(sizeof(T) <= MaxTypedArraySize, \ + "unexpected typed array type exceeding 64-bits storage"); + JS_FOR_EACH_TYPED_ARRAY(ASSERT_MAX_SIZE) +#undef ASSERT_MAX_SIZE + + setRange(Range::NewUInt32Range(alloc, 0, MaxTypedArraySize)); +} + +void MStringLength::computeRange(TempAllocator& alloc) { + static_assert(JSString::MAX_LENGTH <= UINT32_MAX, + "NewUInt32Range requires a uint32 value"); + setRange(Range::NewUInt32Range(alloc, 0, JSString::MAX_LENGTH)); +} + +void MArgumentsLength::computeRange(TempAllocator& alloc) { + // This is is a conservative upper bound on what |TooManyActualArguments| + // checks. If exceeded, Ion will not be entered in the first place. + static_assert(ARGS_LENGTH_MAX <= UINT32_MAX, + "NewUInt32Range requires a uint32 value"); + setRange(Range::NewUInt32Range(alloc, 0, ARGS_LENGTH_MAX)); +} + +void MBoundsCheck::computeRange(TempAllocator& alloc) { + // Just transfer the incoming index range to the output. The length() is + // also interesting, but it is handled as a bailout check, and we're + // computing a pre-bailout range here. + setRange(new (alloc) Range(index())); +} + +void MSpectreMaskIndex::computeRange(TempAllocator& alloc) { + // Just transfer the incoming index range to the output for now. + setRange(new (alloc) Range(index())); +} + +void MInt32ToIntPtr::computeRange(TempAllocator& alloc) { + setRange(new (alloc) Range(input())); +} + +void MNonNegativeIntPtrToInt32::computeRange(TempAllocator& alloc) { + // We will bail out if the IntPtr value > INT32_MAX. + setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); +} + +void MArrayPush::computeRange(TempAllocator& alloc) { + // MArrayPush returns the new array length. It bails out if the new length + // doesn't fit in an Int32. + MOZ_ASSERT(type() == MIRType::Int32); + setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); +} + +void MMathFunction::computeRange(TempAllocator& alloc) { + Range opRange(getOperand(0)); + switch (function()) { + case UnaryMathFunction::SinNative: + case UnaryMathFunction::SinFdlibm: + case UnaryMathFunction::CosNative: + case UnaryMathFunction::CosFdlibm: + if (!opRange.canBeInfiniteOrNaN()) { + setRange(Range::NewDoubleRange(alloc, -1.0, 1.0)); + } + break; + default: + break; + } +} + +void MSign::computeRange(TempAllocator& alloc) { + Range opRange(getOperand(0)); + setRange(Range::sign(alloc, &opRange)); +} + +void MRandom::computeRange(TempAllocator& alloc) { + Range* r = Range::NewDoubleRange(alloc, 0.0, 1.0); + + // Random never returns negative zero. + r->refineToExcludeNegativeZero(); + + setRange(r); +} + +void MNaNToZero::computeRange(TempAllocator& alloc) { + Range other(input()); + setRange(Range::NaNToZero(alloc, &other)); +} + +/////////////////////////////////////////////////////////////////////////////// +// Range Analysis +/////////////////////////////////////////////////////////////////////////////// + +static BranchDirection NegateBranchDirection(BranchDirection dir) { + return (dir == FALSE_BRANCH) ? TRUE_BRANCH : FALSE_BRANCH; +} + +bool RangeAnalysis::analyzeLoop(MBasicBlock* header) { + MOZ_ASSERT(header->hasUniqueBackedge()); + + // Try to compute an upper bound on the number of times the loop backedge + // will be taken. Look for tests that dominate the backedge and which have + // an edge leaving the loop body. + MBasicBlock* backedge = header->backedge(); + + // Ignore trivial infinite loops. + if (backedge == header) { + return true; + } + + bool canOsr; + size_t numBlocks = MarkLoopBlocks(graph_, header, &canOsr); + + // Ignore broken loops. + if (numBlocks == 0) { + return true; + } + + LoopIterationBound* iterationBound = nullptr; + + MBasicBlock* block = backedge; + do { + BranchDirection direction; + MTest* branch = block->immediateDominatorBranch(&direction); + + if (block == block->immediateDominator()) { + break; + } + + block = block->immediateDominator(); + + if (branch) { + direction = NegateBranchDirection(direction); + MBasicBlock* otherBlock = branch->branchSuccessor(direction); + if (!otherBlock->isMarked()) { + if (!alloc().ensureBallast()) { + return false; + } + iterationBound = analyzeLoopIterationCount(header, branch, direction); + if (iterationBound) { + break; + } + } + } + } while (block != header); + + if (!iterationBound) { + UnmarkLoopBlocks(graph_, header); + return true; + } + + if (!loopIterationBounds.append(iterationBound)) { + return false; + } + +#ifdef DEBUG + if (JitSpewEnabled(JitSpew_Range)) { + Sprinter sp(GetJitContext()->cx); + if (!sp.init()) { + return false; + } + iterationBound->boundSum.dump(sp); + JitSpew(JitSpew_Range, "computed symbolic bound on backedges: %s", + sp.string()); + } +#endif + + // Try to compute symbolic bounds for the phi nodes at the head of this + // loop, expressed in terms of the iteration bound just computed. + + for (MPhiIterator iter(header->phisBegin()); iter != header->phisEnd(); + iter++) { + analyzeLoopPhi(iterationBound, *iter); + } + + if (!mir->compilingWasm() && !mir->outerInfo().hadBoundsCheckBailout()) { + // Try to hoist any bounds checks from the loop using symbolic bounds. + + Vector hoistedChecks(alloc()); + + for (ReversePostorderIterator iter(graph_.rpoBegin(header)); + iter != graph_.rpoEnd(); iter++) { + MBasicBlock* block = *iter; + if (!block->isMarked()) { + continue; + } + + for (MDefinitionIterator iter(block); iter; iter++) { + MDefinition* def = *iter; + if (def->isBoundsCheck() && def->isMovable()) { + if (!alloc().ensureBallast()) { + return false; + } + if (tryHoistBoundsCheck(header, def->toBoundsCheck())) { + if (!hoistedChecks.append(def->toBoundsCheck())) { + return false; + } + } + } + } + } + + // Note: replace all uses of the original bounds check with the + // actual index. This is usually done during bounds check elimination, + // but in this case it's safe to do it here since the load/store is + // definitely not loop-invariant, so we will never move it before + // one of the bounds checks we just added. + for (size_t i = 0; i < hoistedChecks.length(); i++) { + MBoundsCheck* ins = hoistedChecks[i]; + ins->replaceAllUsesWith(ins->index()); + ins->block()->discard(ins); + } + } + + UnmarkLoopBlocks(graph_, header); + return true; +} + +// Unbox beta nodes in order to hoist instruction properly, and not be limited +// by the beta nodes which are added after each branch. +static inline MDefinition* DefinitionOrBetaInputDefinition(MDefinition* ins) { + while (ins->isBeta()) { + ins = ins->toBeta()->input(); + } + return ins; +} + +LoopIterationBound* RangeAnalysis::analyzeLoopIterationCount( + MBasicBlock* header, MTest* test, BranchDirection direction) { + SimpleLinearSum lhs(nullptr, 0); + MDefinition* rhs; + bool lessEqual; + if (!ExtractLinearInequality(test, direction, &lhs, &rhs, &lessEqual)) { + return nullptr; + } + + // Ensure the rhs is a loop invariant term. + if (rhs && rhs->block()->isMarked()) { + if (lhs.term && lhs.term->block()->isMarked()) { + return nullptr; + } + MDefinition* temp = lhs.term; + lhs.term = rhs; + rhs = temp; + if (!SafeSub(0, lhs.constant, &lhs.constant)) { + return nullptr; + } + lessEqual = !lessEqual; + } + + MOZ_ASSERT_IF(rhs, !rhs->block()->isMarked()); + + // Ensure the lhs is a phi node from the start of the loop body. + if (!lhs.term || !lhs.term->isPhi() || lhs.term->block() != header) { + return nullptr; + } + + // Check that the value of the lhs changes by a constant amount with each + // loop iteration. This requires that the lhs be written in every loop + // iteration with a value that is a constant difference from its value at + // the start of the iteration. + + if (lhs.term->toPhi()->numOperands() != 2) { + return nullptr; + } + + // The first operand of the phi should be the lhs' value at the start of + // the first executed iteration, and not a value written which could + // replace the second operand below during the middle of execution. + MDefinition* lhsInitial = lhs.term->toPhi()->getLoopPredecessorOperand(); + if (lhsInitial->block()->isMarked()) { + return nullptr; + } + + // The second operand of the phi should be a value written by an add/sub + // in every loop iteration, i.e. in a block which dominates the backedge. + MDefinition* lhsWrite = DefinitionOrBetaInputDefinition( + lhs.term->toPhi()->getLoopBackedgeOperand()); + if (!lhsWrite->isAdd() && !lhsWrite->isSub()) { + return nullptr; + } + if (!lhsWrite->block()->isMarked()) { + return nullptr; + } + MBasicBlock* bb = header->backedge(); + for (; bb != lhsWrite->block() && bb != header; + bb = bb->immediateDominator()) { + } + if (bb != lhsWrite->block()) { + return nullptr; + } + + SimpleLinearSum lhsModified = ExtractLinearSum(lhsWrite); + + // Check that the value of the lhs at the backedge is of the form + // 'old(lhs) + N'. We can be sure that old(lhs) is the value at the start + // of the iteration, and not that written to lhs in a previous iteration, + // as such a previous value could not appear directly in the addition: + // it could not be stored in lhs as the lhs add/sub executes in every + // iteration, and if it were stored in another variable its use here would + // be as an operand to a phi node for that variable. + if (lhsModified.term != lhs.term) { + return nullptr; + } + + LinearSum iterationBound(alloc()); + LinearSum currentIteration(alloc()); + + if (lhsModified.constant == 1 && !lessEqual) { + // The value of lhs is 'initial(lhs) + iterCount' and this will end + // execution of the loop if 'lhs + lhsN >= rhs'. Thus, an upper bound + // on the number of backedges executed is: + // + // initial(lhs) + iterCount + lhsN == rhs + // iterCount == rhsN - initial(lhs) - lhsN + + if (rhs) { + if (!iterationBound.add(rhs, 1)) { + return nullptr; + } + } + if (!iterationBound.add(lhsInitial, -1)) { + return nullptr; + } + + int32_t lhsConstant; + if (!SafeSub(0, lhs.constant, &lhsConstant)) { + return nullptr; + } + if (!iterationBound.add(lhsConstant)) { + return nullptr; + } + + if (!currentIteration.add(lhs.term, 1)) { + return nullptr; + } + if (!currentIteration.add(lhsInitial, -1)) { + return nullptr; + } + } else if (lhsModified.constant == -1 && lessEqual) { + // The value of lhs is 'initial(lhs) - iterCount'. Similar to the above + // case, an upper bound on the number of backedges executed is: + // + // initial(lhs) - iterCount + lhsN == rhs + // iterCount == initial(lhs) - rhs + lhsN + + if (!iterationBound.add(lhsInitial, 1)) { + return nullptr; + } + if (rhs) { + if (!iterationBound.add(rhs, -1)) { + return nullptr; + } + } + if (!iterationBound.add(lhs.constant)) { + return nullptr; + } + + if (!currentIteration.add(lhsInitial, 1)) { + return nullptr; + } + if (!currentIteration.add(lhs.term, -1)) { + return nullptr; + } + } else { + return nullptr; + } + + return new (alloc()) + LoopIterationBound(header, test, iterationBound, currentIteration); +} + +void RangeAnalysis::analyzeLoopPhi(LoopIterationBound* loopBound, MPhi* phi) { + // Given a bound on the number of backedges taken, compute an upper and + // lower bound for a phi node that may change by a constant amount each + // iteration. Unlike for the case when computing the iteration bound + // itself, the phi does not need to change the same amount every iteration, + // but is required to change at most N and be either nondecreasing or + // nonincreasing. + + MOZ_ASSERT(phi->numOperands() == 2); + + MDefinition* initial = phi->getLoopPredecessorOperand(); + if (initial->block()->isMarked()) { + return; + } + + SimpleLinearSum modified = + ExtractLinearSum(phi->getLoopBackedgeOperand(), MathSpace::Infinite); + + if (modified.term != phi || modified.constant == 0) { + return; + } + + if (!phi->range()) { + phi->setRange(new (alloc()) Range(phi)); + } + + LinearSum initialSum(alloc()); + if (!initialSum.add(initial, 1)) { + return; + } + + // The phi may change by N each iteration, and is either nondecreasing or + // nonincreasing. initial(phi) is either a lower or upper bound for the + // phi, and initial(phi) + loopBound * N is either an upper or lower bound, + // at all points within the loop, provided that loopBound >= 0. + // + // We are more interested, however, in the bound for phi at points + // dominated by the loop bound's test; if the test dominates e.g. a bounds + // check we want to hoist from the loop, using the value of the phi at the + // head of the loop for this will usually be too imprecise to hoist the + // check. These points will execute only if the backedge executes at least + // one more time (as the test passed and the test dominates the backedge), + // so we know both that loopBound >= 1 and that the phi's value has changed + // at most loopBound - 1 times. Thus, another upper or lower bound for the + // phi is initial(phi) + (loopBound - 1) * N, without requiring us to + // ensure that loopBound >= 0. + + LinearSum limitSum(loopBound->boundSum); + if (!limitSum.multiply(modified.constant) || !limitSum.add(initialSum)) { + return; + } + + int32_t negativeConstant; + if (!SafeSub(0, modified.constant, &negativeConstant) || + !limitSum.add(negativeConstant)) { + return; + } + + Range* initRange = initial->range(); + if (modified.constant > 0) { + if (initRange && initRange->hasInt32LowerBound()) { + phi->range()->refineLower(initRange->lower()); + } + phi->range()->setSymbolicLower( + SymbolicBound::New(alloc(), nullptr, initialSum)); + phi->range()->setSymbolicUpper( + SymbolicBound::New(alloc(), loopBound, limitSum)); + } else { + if (initRange && initRange->hasInt32UpperBound()) { + phi->range()->refineUpper(initRange->upper()); + } + phi->range()->setSymbolicUpper( + SymbolicBound::New(alloc(), nullptr, initialSum)); + phi->range()->setSymbolicLower( + SymbolicBound::New(alloc(), loopBound, limitSum)); + } + + JitSpew(JitSpew_Range, "added symbolic range on %u", phi->id()); + SpewRange(phi); +} + +// Whether bound is valid at the specified bounds check instruction in a loop, +// and may be used to hoist ins. +static inline bool SymbolicBoundIsValid(MBasicBlock* header, MBoundsCheck* ins, + const SymbolicBound* bound) { + if (!bound->loop) { + return true; + } + if (ins->block() == header) { + return false; + } + MBasicBlock* bb = ins->block()->immediateDominator(); + while (bb != header && bb != bound->loop->test->block()) { + bb = bb->immediateDominator(); + } + return bb == bound->loop->test->block(); +} + +bool RangeAnalysis::tryHoistBoundsCheck(MBasicBlock* header, + MBoundsCheck* ins) { + // The bounds check's length must be loop invariant or a constant. + MDefinition* length = DefinitionOrBetaInputDefinition(ins->length()); + if (length->block()->isMarked() && !length->isConstant()) { + return false; + } + + // The bounds check's index should not be loop invariant (else we would + // already have hoisted it during LICM). + SimpleLinearSum index = ExtractLinearSum(ins->index()); + if (!index.term || !index.term->block()->isMarked()) { + return false; + } + + // Check for a symbolic lower and upper bound on the index. If either + // condition depends on an iteration bound for the loop, only hoist if + // the bounds check is dominated by the iteration bound's test. + if (!index.term->range()) { + return false; + } + const SymbolicBound* lower = index.term->range()->symbolicLower(); + if (!lower || !SymbolicBoundIsValid(header, ins, lower)) { + return false; + } + const SymbolicBound* upper = index.term->range()->symbolicUpper(); + if (!upper || !SymbolicBoundIsValid(header, ins, upper)) { + return false; + } + + MBasicBlock* preLoop = header->loopPredecessor(); + MOZ_ASSERT(!preLoop->isMarked()); + + MDefinition* lowerTerm = ConvertLinearSum(alloc(), preLoop, lower->sum, + BailoutKind::HoistBoundsCheck); + if (!lowerTerm) { + return false; + } + + MDefinition* upperTerm = ConvertLinearSum(alloc(), preLoop, upper->sum, + BailoutKind::HoistBoundsCheck); + if (!upperTerm) { + return false; + } + + // We are checking that index + indexConstant >= 0, and know that + // index >= lowerTerm + lowerConstant. Thus, check that: + // + // lowerTerm + lowerConstant + indexConstant >= 0 + // lowerTerm >= -lowerConstant - indexConstant + + int32_t lowerConstant = 0; + if (!SafeSub(lowerConstant, index.constant, &lowerConstant)) { + return false; + } + if (!SafeSub(lowerConstant, lower->sum.constant(), &lowerConstant)) { + return false; + } + + // We are checking that index < boundsLength, and know that + // index <= upperTerm + upperConstant. Thus, check that: + // + // upperTerm + upperConstant < boundsLength + + int32_t upperConstant = index.constant; + if (!SafeAdd(upper->sum.constant(), upperConstant, &upperConstant)) { + return false; + } + + // Hoist the loop invariant lower bounds checks. + MBoundsCheckLower* lowerCheck = MBoundsCheckLower::New(alloc(), lowerTerm); + lowerCheck->setMinimum(lowerConstant); + lowerCheck->computeRange(alloc()); + lowerCheck->collectRangeInfoPreTrunc(); + lowerCheck->setBailoutKind(BailoutKind::HoistBoundsCheck); + preLoop->insertBefore(preLoop->lastIns(), lowerCheck); + + // A common pattern for iterating over typed arrays is this: + // + // for (var i = 0; i < ta.length; i++) { + // use ta[i]; + // } + // + // Here |upperTerm| (= ta.length) is a NonNegativeIntPtrToInt32 instruction. + // Unwrap this if |length| is also an IntPtr so that we don't add an + // unnecessary bounds check and Int32ToIntPtr below. + if (upperTerm->isNonNegativeIntPtrToInt32() && + length->type() == MIRType::IntPtr) { + upperTerm = upperTerm->toNonNegativeIntPtrToInt32()->input(); + } + + // Hoist the loop invariant upper bounds checks. + if (upperTerm != length || upperConstant >= 0) { + // Hoist the bound check's length if it isn't already loop invariant. + if (length->block()->isMarked()) { + MOZ_ASSERT(length->isConstant()); + MInstruction* lengthIns = length->toInstruction(); + lengthIns->block()->moveBefore(preLoop->lastIns(), lengthIns); + } + + // If the length is IntPtr, convert the upperTerm to that as well for the + // bounds check. + if (length->type() == MIRType::IntPtr && + upperTerm->type() == MIRType::Int32) { + upperTerm = MInt32ToIntPtr::New(alloc(), upperTerm); + upperTerm->computeRange(alloc()); + upperTerm->collectRangeInfoPreTrunc(); + preLoop->insertBefore(preLoop->lastIns(), upperTerm->toInstruction()); + } + + MBoundsCheck* upperCheck = MBoundsCheck::New(alloc(), upperTerm, length); + upperCheck->setMinimum(upperConstant); + upperCheck->setMaximum(upperConstant); + upperCheck->computeRange(alloc()); + upperCheck->collectRangeInfoPreTrunc(); + upperCheck->setBailoutKind(BailoutKind::HoistBoundsCheck); + preLoop->insertBefore(preLoop->lastIns(), upperCheck); + } + + return true; +} + +bool RangeAnalysis::analyze() { + JitSpew(JitSpew_Range, "Doing range propagation"); + + for (ReversePostorderIterator iter(graph_.rpoBegin()); + iter != graph_.rpoEnd(); iter++) { + MBasicBlock* block = *iter; + // No blocks are supposed to be unreachable, except when we have an OSR + // block, in which case the Value Numbering phase add fixup blocks which + // are unreachable. + MOZ_ASSERT(!block->unreachable() || graph_.osrBlock()); + + // If the block's immediate dominator is unreachable, the block is + // unreachable. Iterating in RPO, we'll always see the immediate + // dominator before the block. + if (block->immediateDominator()->unreachable()) { + block->setUnreachableUnchecked(); + continue; + } + + for (MDefinitionIterator iter(block); iter; iter++) { + MDefinition* def = *iter; + if (!alloc().ensureBallast()) { + return false; + } + + def->computeRange(alloc()); + JitSpew(JitSpew_Range, "computing range on %u", def->id()); + SpewRange(def); + } + + // Beta node range analysis may have marked this block unreachable. If + // so, it's no longer interesting to continue processing it. + if (block->unreachable()) { + continue; + } + + if (block->isLoopHeader()) { + if (!analyzeLoop(block)) { + return false; + } + } + + // First pass at collecting range info - while the beta nodes are still + // around and before truncation. + for (MInstructionIterator iter(block->begin()); iter != block->end(); + iter++) { + iter->collectRangeInfoPreTrunc(); + } + } + + return true; +} + +bool RangeAnalysis::addRangeAssertions() { + if (!JitOptions.checkRangeAnalysis) { + return true; + } + + // Check the computed range for this instruction, if the option is set. Note + // that this code is quite invasive; it adds numerous additional + // instructions for each MInstruction with a computed range, and it uses + // registers, so it also affects register allocation. + for (ReversePostorderIterator iter(graph_.rpoBegin()); + iter != graph_.rpoEnd(); iter++) { + MBasicBlock* block = *iter; + + // Do not add assertions in unreachable blocks. + if (block->unreachable()) { + continue; + } + + for (MDefinitionIterator iter(block); iter; iter++) { + MDefinition* ins = *iter; + + // Perform range checking for all numeric and numeric-like types. + if (!IsNumberType(ins->type()) && ins->type() != MIRType::Boolean && + ins->type() != MIRType::Value && ins->type() != MIRType::IntPtr) { + continue; + } + + // MIsNoIter is fused with the MTest that follows it and emitted as + // LIsNoIterAndBranch. Similarly, MIteratorHasIndices is fused to + // become LIteratorHasIndicesAndBranch. Skip them to avoid complicating + // lowering. + if (ins->isIsNoIter() || ins->isIteratorHasIndices()) { + MOZ_ASSERT(ins->hasOneUse()); + continue; + } + + Range r(ins); + + MOZ_ASSERT_IF(ins->type() == MIRType::Int64, r.isUnknown()); + + // Don't insert assertions if there's nothing interesting to assert. + if (r.isUnknown() || + (ins->type() == MIRType::Int32 && r.isUnknownInt32())) { + continue; + } + + // Don't add a use to an instruction that is recovered on bailout. + if (ins->isRecoveredOnBailout()) { + continue; + } + + if (!alloc().ensureBallast()) { + return false; + } + MAssertRange* guard = + MAssertRange::New(alloc(), ins, new (alloc()) Range(r)); + + // Beta nodes and interrupt checks are required to be located at the + // beginnings of basic blocks, so we must insert range assertions + // after any such instructions. + MInstruction* insertAt = nullptr; + if (block->graph().osrBlock() == block) { + insertAt = ins->toInstruction(); + } else { + insertAt = block->safeInsertTop(ins); + } + + if (insertAt == *iter) { + block->insertAfter(insertAt, guard); + } else { + block->insertBefore(insertAt, guard); + } + } + } + + return true; +} + +/////////////////////////////////////////////////////////////////////////////// +// Range based Truncation +/////////////////////////////////////////////////////////////////////////////// + +void Range::clampToInt32() { + if (isInt32()) { + return; + } + int32_t l = hasInt32LowerBound() ? lower() : JSVAL_INT_MIN; + int32_t h = hasInt32UpperBound() ? upper() : JSVAL_INT_MAX; + setInt32(l, h); +} + +void Range::wrapAroundToInt32() { + if (!hasInt32Bounds()) { + setInt32(JSVAL_INT_MIN, JSVAL_INT_MAX); + } else if (canHaveFractionalPart()) { + // Clearing the fractional field may provide an opportunity to refine + // lower_ or upper_. + canHaveFractionalPart_ = ExcludesFractionalParts; + canBeNegativeZero_ = ExcludesNegativeZero; + refineInt32BoundsByExponent(max_exponent_, &lower_, &hasInt32LowerBound_, + &upper_, &hasInt32UpperBound_); + + assertInvariants(); + } else { + // If nothing else, we can clear the negative zero flag. + canBeNegativeZero_ = ExcludesNegativeZero; + } + MOZ_ASSERT(isInt32()); +} + +void Range::wrapAroundToShiftCount() { + wrapAroundToInt32(); + if (lower() < 0 || upper() >= 32) { + setInt32(0, 31); + } +} + +void Range::wrapAroundToBoolean() { + wrapAroundToInt32(); + if (!isBoolean()) { + setInt32(0, 1); + } + MOZ_ASSERT(isBoolean()); +} + +bool MDefinition::canTruncate() const { + // No procedure defined for truncating this instruction. + return false; +} + +void MDefinition::truncate(TruncateKind kind) { + MOZ_CRASH("No procedure defined for truncating this instruction."); +} + +bool MConstant::canTruncate() const { return IsFloatingPointType(type()); } + +void MConstant::truncate(TruncateKind kind) { + MOZ_ASSERT(canTruncate()); + + // Truncate the double to int, since all uses truncates it. + int32_t res = ToInt32(numberToDouble()); + payload_.asBits = 0; + payload_.i32 = res; + setResultType(MIRType::Int32); + if (range()) { + range()->setInt32(res, res); + } +} + +bool MPhi::canTruncate() const { + return type() == MIRType::Double || type() == MIRType::Int32; +} + +void MPhi::truncate(TruncateKind kind) { + MOZ_ASSERT(canTruncate()); + truncateKind_ = kind; + setResultType(MIRType::Int32); + if (kind >= TruncateKind::IndirectTruncate && range()) { + range()->wrapAroundToInt32(); + } +} + +bool MAdd::canTruncate() const { + return type() == MIRType::Double || type() == MIRType::Int32; +} + +void MAdd::truncate(TruncateKind kind) { + MOZ_ASSERT(canTruncate()); + + // Remember analysis, needed for fallible checks. + setTruncateKind(kind); + + setSpecialization(MIRType::Int32); + if (truncateKind() >= TruncateKind::IndirectTruncate && range()) { + range()->wrapAroundToInt32(); + } +} + +bool MSub::canTruncate() const { + return type() == MIRType::Double || type() == MIRType::Int32; +} + +void MSub::truncate(TruncateKind kind) { + MOZ_ASSERT(canTruncate()); + + // Remember analysis, needed for fallible checks. + setTruncateKind(kind); + setSpecialization(MIRType::Int32); + if (truncateKind() >= TruncateKind::IndirectTruncate && range()) { + range()->wrapAroundToInt32(); + } +} + +bool MMul::canTruncate() const { + return type() == MIRType::Double || type() == MIRType::Int32; +} + +void MMul::truncate(TruncateKind kind) { + MOZ_ASSERT(canTruncate()); + + // Remember analysis, needed for fallible checks. + setTruncateKind(kind); + setSpecialization(MIRType::Int32); + if (truncateKind() >= TruncateKind::IndirectTruncate) { + setCanBeNegativeZero(false); + if (range()) { + range()->wrapAroundToInt32(); + } + } +} + +bool MDiv::canTruncate() const { + return type() == MIRType::Double || type() == MIRType::Int32; +} + +void MDiv::truncate(TruncateKind kind) { + MOZ_ASSERT(canTruncate()); + + // Remember analysis, needed for fallible checks. + setTruncateKind(kind); + setSpecialization(MIRType::Int32); + + // Divisions where the lhs and rhs are unsigned and the result is + // truncated can be lowered more efficiently. + if (unsignedOperands()) { + replaceWithUnsignedOperands(); + unsigned_ = true; + } +} + +bool MMod::canTruncate() const { + return type() == MIRType::Double || type() == MIRType::Int32; +} + +void MMod::truncate(TruncateKind kind) { + // As for division, handle unsigned modulus with a truncated result. + MOZ_ASSERT(canTruncate()); + + // Remember analysis, needed for fallible checks. + setTruncateKind(kind); + setSpecialization(MIRType::Int32); + + if (unsignedOperands()) { + replaceWithUnsignedOperands(); + unsigned_ = true; + } +} + +bool MToDouble::canTruncate() const { + MOZ_ASSERT(type() == MIRType::Double); + return true; +} + +void MToDouble::truncate(TruncateKind kind) { + MOZ_ASSERT(canTruncate()); + setTruncateKind(kind); + + // We use the return type to flag that this MToDouble should be replaced by + // a MTruncateToInt32 when modifying the graph. + setResultType(MIRType::Int32); + if (truncateKind() >= TruncateKind::IndirectTruncate) { + if (range()) { + range()->wrapAroundToInt32(); + } + } +} + +bool MLimitedTruncate::canTruncate() const { return true; } + +void MLimitedTruncate::truncate(TruncateKind kind) { + MOZ_ASSERT(canTruncate()); + setTruncateKind(kind); + setResultType(MIRType::Int32); + if (kind >= TruncateKind::IndirectTruncate && range()) { + range()->wrapAroundToInt32(); + } +} + +bool MCompare::canTruncate() const { + if (!isDoubleComparison()) { + return false; + } + + // If both operands are naturally in the int32 range, we can convert from + // a double comparison to being an int32 comparison. + if (!Range(lhs()).isInt32() || !Range(rhs()).isInt32()) { + return false; + } + + return true; +} + +void MCompare::truncate(TruncateKind kind) { + MOZ_ASSERT(canTruncate()); + compareType_ = Compare_Int32; + + // Truncating the operands won't change their value because we don't force a + // truncation, but it will change their type, which we need because we + // now expect integer inputs. + truncateOperands_ = true; +} + +TruncateKind MDefinition::operandTruncateKind(size_t index) const { + // Generic routine: We don't know anything. + return TruncateKind::NoTruncate; +} + +TruncateKind MPhi::operandTruncateKind(size_t index) const { + // The truncation applied to a phi is effectively applied to the phi's + // operands. + return truncateKind_; +} + +TruncateKind MTruncateToInt32::operandTruncateKind(size_t index) const { + // This operator is an explicit truncate to int32. + return TruncateKind::Truncate; +} + +TruncateKind MBinaryBitwiseInstruction::operandTruncateKind( + size_t index) const { + // The bitwise operators truncate to int32. + return TruncateKind::Truncate; +} + +TruncateKind MLimitedTruncate::operandTruncateKind(size_t index) const { + return std::min(truncateKind(), truncateLimit_); +} + +TruncateKind MAdd::operandTruncateKind(size_t index) const { + // This operator is doing some arithmetic. If its result is truncated, + // it's an indirect truncate for its operands. + return std::min(truncateKind(), TruncateKind::IndirectTruncate); +} + +TruncateKind MSub::operandTruncateKind(size_t index) const { + // See the comment in MAdd::operandTruncateKind. + return std::min(truncateKind(), TruncateKind::IndirectTruncate); +} + +TruncateKind MMul::operandTruncateKind(size_t index) const { + // See the comment in MAdd::operandTruncateKind. + return std::min(truncateKind(), TruncateKind::IndirectTruncate); +} + +TruncateKind MToDouble::operandTruncateKind(size_t index) const { + // MToDouble propagates its truncate kind to its operand. + return truncateKind(); +} + +TruncateKind MStoreUnboxedScalar::operandTruncateKind(size_t index) const { + // An integer store truncates the stored value. + return (index == 2 && isIntegerWrite()) ? TruncateKind::Truncate + : TruncateKind::NoTruncate; +} + +TruncateKind MStoreDataViewElement::operandTruncateKind(size_t index) const { + // An integer store truncates the stored value. + return (index == 2 && isIntegerWrite()) ? TruncateKind::Truncate + : TruncateKind::NoTruncate; +} + +TruncateKind MStoreTypedArrayElementHole::operandTruncateKind( + size_t index) const { + // An integer store truncates the stored value. + return (index == 3 && isIntegerWrite()) ? TruncateKind::Truncate + : TruncateKind::NoTruncate; +} + +TruncateKind MDiv::operandTruncateKind(size_t index) const { + return std::min(truncateKind(), TruncateKind::TruncateAfterBailouts); +} + +TruncateKind MMod::operandTruncateKind(size_t index) const { + return std::min(truncateKind(), TruncateKind::TruncateAfterBailouts); +} + +TruncateKind MCompare::operandTruncateKind(size_t index) const { + // If we're doing an int32 comparison on operands which were previously + // floating-point, convert them! + MOZ_ASSERT_IF(truncateOperands_, isInt32Comparison()); + return truncateOperands_ ? TruncateKind::TruncateAfterBailouts + : TruncateKind::NoTruncate; +} + +static bool TruncateTest(TempAllocator& alloc, MTest* test) { + // If all possible inputs to the test are either int32 or boolean, + // convert those inputs to int32 so that an int32 test can be performed. + + if (test->input()->type() != MIRType::Value) { + return true; + } + + if (!test->input()->isPhi() || !test->input()->hasOneDefUse() || + test->input()->isImplicitlyUsed()) { + return true; + } + + MPhi* phi = test->input()->toPhi(); + for (size_t i = 0; i < phi->numOperands(); i++) { + MDefinition* def = phi->getOperand(i); + if (!def->isBox()) { + return true; + } + MDefinition* inner = def->getOperand(0); + if (inner->type() != MIRType::Boolean && inner->type() != MIRType::Int32) { + return true; + } + } + + for (size_t i = 0; i < phi->numOperands(); i++) { + MDefinition* inner = phi->getOperand(i)->getOperand(0); + if (inner->type() != MIRType::Int32) { + if (!alloc.ensureBallast()) { + return false; + } + MBasicBlock* block = inner->block(); + inner = MToNumberInt32::New(alloc, inner); + block->insertBefore(block->lastIns(), inner->toInstruction()); + } + MOZ_ASSERT(inner->type() == MIRType::Int32); + phi->replaceOperand(i, inner); + } + + phi->setResultType(MIRType::Int32); + return true; +} + +// Truncating instruction result is an optimization which implies +// knowing all uses of an instruction. This implies that if one of +// the uses got removed, then Range Analysis is not be allowed to do +// any modification which can change the result, especially if the +// result can be observed. +// +// This corner can easily be understood with UCE examples, but it +// might also happen with type inference assumptions. Note: Type +// inference is implicitly branches where other types might be +// flowing into. +static bool CloneForDeadBranches(TempAllocator& alloc, + MInstruction* candidate) { + // Compare returns a boolean so it doesn't have to be recovered on bailout + // because the output would remain correct. + if (candidate->isCompare()) { + return true; + } + + MOZ_ASSERT(candidate->canClone()); + if (!alloc.ensureBallast()) { + return false; + } + + MDefinitionVector operands(alloc); + size_t end = candidate->numOperands(); + if (!operands.reserve(end)) { + return false; + } + for (size_t i = 0; i < end; ++i) { + operands.infallibleAppend(candidate->getOperand(i)); + } + + MInstruction* clone = candidate->clone(alloc, operands); + if (!clone) { + return false; + } + clone->setRange(nullptr); + + // Set ImplicitlyUsed flag on the cloned instruction in order to chain recover + // instruction for the bailout path. + clone->setImplicitlyUsedUnchecked(); + + candidate->block()->insertBefore(candidate, clone); + + if (!candidate->maybeConstantValue()) { + MOZ_ASSERT(clone->canRecoverOnBailout()); + clone->setRecoveredOnBailout(); + } + + // Replace the candidate by its recovered on bailout clone within recovered + // instructions and resume points operands. + for (MUseIterator i(candidate->usesBegin()); i != candidate->usesEnd();) { + MUse* use = *i++; + MNode* ins = use->consumer(); + if (ins->isDefinition() && !ins->toDefinition()->isRecoveredOnBailout()) { + continue; + } + + use->replaceProducer(clone); + } + + return true; +} + +// Examine all the users of |candidate| and determine the most aggressive +// truncate kind that satisfies all of them. +static TruncateKind ComputeRequestedTruncateKind(MDefinition* candidate, + bool* shouldClone) { + bool isCapturedResult = + false; // Check if used by a recovered instruction or a resume point. + bool isObservableResult = + false; // Check if it can be read from another frame. + bool isRecoverableResult = true; // Check if it can safely be reconstructed. + bool isImplicitlyUsed = candidate->isImplicitlyUsed(); + bool hasTryBlock = candidate->block()->graph().hasTryBlock(); + + TruncateKind kind = TruncateKind::Truncate; + for (MUseIterator use(candidate->usesBegin()); use != candidate->usesEnd(); + use++) { + if (use->consumer()->isResumePoint()) { + // Truncation is a destructive optimization, as such, we need to pay + // attention to removed branches and prevent optimization + // destructive optimizations if we have no alternative. (see + // ImplicitlyUsed flag) + isCapturedResult = true; + isObservableResult = + isObservableResult || + use->consumer()->toResumePoint()->isObservableOperand(*use); + isRecoverableResult = + isRecoverableResult && + use->consumer()->toResumePoint()->isRecoverableOperand(*use); + continue; + } + + MDefinition* consumer = use->consumer()->toDefinition(); + if (consumer->isRecoveredOnBailout()) { + isCapturedResult = true; + isImplicitlyUsed = isImplicitlyUsed || consumer->isImplicitlyUsed(); + continue; + } + + TruncateKind consumerKind = + consumer->operandTruncateKind(consumer->indexOf(*use)); + kind = std::min(kind, consumerKind); + if (kind == TruncateKind::NoTruncate) { + break; + } + } + + // We cannot do full trunction on guarded instructions. + if (candidate->isGuard() || candidate->isGuardRangeBailouts()) { + kind = std::min(kind, TruncateKind::TruncateAfterBailouts); + } + + // If the value naturally produces an int32 value (before bailout checks) + // that needs no conversion, we don't have to worry about resume points + // seeing truncated values. + bool needsConversion = !candidate->range() || !candidate->range()->isInt32(); + + // If the instruction is explicitly truncated (not indirectly) by all its + // uses and if it is not implicitly used, then we can safely encode its + // truncated result as part of the resume point operands. This is safe, + // because even if we resume with a truncated double, the next baseline + // instruction operating on this instruction is going to be a no-op. + // + // Note, that if the result can be observed from another frame, then this + // optimization is not safe. Similarly, if this function contains a try + // block, the result could be observed from a catch block, which we do + // not compile. + bool safeToConvert = kind == TruncateKind::Truncate && !isImplicitlyUsed && + !isObservableResult && !hasTryBlock; + + // If the candidate instruction appears as operand of a resume point or a + // recover instruction, and we have to truncate its result, then we might + // have to either recover the result during the bailout, or avoid the + // truncation. + if (isCapturedResult && needsConversion && !safeToConvert) { + // If the result can be recovered from all the resume points (not needed + // for iterating over the inlined frames), and this instruction can be + // recovered on bailout, then we can clone it and use the cloned + // instruction to encode the recover instruction. Otherwise, we should + // keep the original result and bailout if the value is not in the int32 + // range. + if (!JitOptions.disableRecoverIns && isRecoverableResult && + candidate->canRecoverOnBailout()) { + *shouldClone = true; + } else { + kind = std::min(kind, TruncateKind::TruncateAfterBailouts); + } + } + + return kind; +} + +static TruncateKind ComputeTruncateKind(MDefinition* candidate, + bool* shouldClone) { + // Compare operations might coerce its inputs to int32 if the ranges are + // correct. So we do not need to check if all uses are coerced. + if (candidate->isCompare()) { + return TruncateKind::TruncateAfterBailouts; + } + + // Set truncated flag if range analysis ensure that it has no + // rounding errors and no fractional part. Note that we can't use + // the MDefinition Range constructor, because we need to know if + // the value will have rounding errors before any bailout checks. + const Range* r = candidate->range(); + bool canHaveRoundingErrors = !r || r->canHaveRoundingErrors(); + + // Special case integer division and modulo: a/b can be infinite, and a%b + // can be NaN but cannot actually have rounding errors induced by truncation. + if ((candidate->isDiv() || candidate->isMod()) && + candidate->type() == MIRType::Int32) { + canHaveRoundingErrors = false; + } + + if (canHaveRoundingErrors) { + return TruncateKind::NoTruncate; + } + + // Ensure all observable uses are truncated. + return ComputeRequestedTruncateKind(candidate, shouldClone); +} + +static void RemoveTruncatesOnOutput(MDefinition* truncated) { + // Compare returns a boolean so it doen't have any output truncates. + if (truncated->isCompare()) { + return; + } + + MOZ_ASSERT(truncated->type() == MIRType::Int32); + MOZ_ASSERT(Range(truncated).isInt32()); + + for (MUseDefIterator use(truncated); use; use++) { + MDefinition* def = use.def(); + if (!def->isTruncateToInt32() || !def->isToNumberInt32()) { + continue; + } + + def->replaceAllUsesWith(truncated); + } +} + +void RangeAnalysis::adjustTruncatedInputs(MDefinition* truncated) { + MBasicBlock* block = truncated->block(); + for (size_t i = 0, e = truncated->numOperands(); i < e; i++) { + TruncateKind kind = truncated->operandTruncateKind(i); + if (kind == TruncateKind::NoTruncate) { + continue; + } + + MDefinition* input = truncated->getOperand(i); + if (input->type() == MIRType::Int32) { + continue; + } + + if (input->isToDouble() && input->getOperand(0)->type() == MIRType::Int32) { + truncated->replaceOperand(i, input->getOperand(0)); + } else { + MInstruction* op; + if (kind == TruncateKind::TruncateAfterBailouts) { + MOZ_ASSERT(!mir->outerInfo().hadEagerTruncationBailout()); + op = MToNumberInt32::New(alloc(), truncated->getOperand(i)); + op->setBailoutKind(BailoutKind::EagerTruncation); + } else { + op = MTruncateToInt32::New(alloc(), truncated->getOperand(i)); + } + + if (truncated->isPhi()) { + MBasicBlock* pred = block->getPredecessor(i); + pred->insertBefore(pred->lastIns(), op); + } else { + block->insertBefore(truncated->toInstruction(), op); + } + truncated->replaceOperand(i, op); + } + } + + if (truncated->isToDouble()) { + truncated->replaceAllUsesWith(truncated->toToDouble()->getOperand(0)); + block->discard(truncated->toToDouble()); + } +} + +bool RangeAnalysis::canTruncate(MDefinition* def, TruncateKind kind) const { + if (kind == TruncateKind::NoTruncate) { + return false; + } + + // Range Analysis is sometimes eager to do optimizations, even if we + // are not able to truncate an instruction. In such case, we + // speculatively compile the instruction to an int32 instruction + // while adding a guard. This is what is implied by + // TruncateAfterBailout. + // + // If a previous compilation was invalidated because a speculative + // truncation bailed out, we no longer attempt to make this kind of + // eager optimization. + if (mir->outerInfo().hadEagerTruncationBailout()) { + if (kind == TruncateKind::TruncateAfterBailouts) { + return false; + } + // MDiv and MMod always require TruncateAfterBailout for their operands. + // See MDiv::operandTruncateKind and MMod::operandTruncateKind. + if (def->isDiv() || def->isMod()) { + return false; + } + } + + return true; +} + +// Iterate backward on all instruction and attempt to truncate operations for +// each instruction which respect the following list of predicates: Has been +// analyzed by range analysis, the range has no rounding errors, all uses cases +// are truncating the result. +// +// If the truncation of the operation is successful, then the instruction is +// queue for later updating the graph to restore the type correctness by +// converting the operands that need to be truncated. +// +// We iterate backward because it is likely that a truncated operation truncates +// some of its operands. +bool RangeAnalysis::truncate() { + JitSpew(JitSpew_Range, "Do range-base truncation (backward loop)"); + + // Automatic truncation is disabled for wasm because the truncation logic + // is based on IonMonkey which assumes that we can bailout if the truncation + // logic fails. As wasm code has no bailout mechanism, it is safer to avoid + // any automatic truncations. + MOZ_ASSERT(!mir->compilingWasm()); + + Vector worklist; + + for (PostorderIterator block(graph_.poBegin()); block != graph_.poEnd(); + block++) { + for (MInstructionReverseIterator iter(block->rbegin()); + iter != block->rend(); iter++) { + if (iter->isRecoveredOnBailout()) { + continue; + } + + if (iter->type() == MIRType::None) { + if (iter->isTest()) { + if (!TruncateTest(alloc(), iter->toTest())) { + return false; + } + } + continue; + } + + // Remember all bitop instructions for folding after range analysis. + switch (iter->op()) { + case MDefinition::Opcode::BitAnd: + case MDefinition::Opcode::BitOr: + case MDefinition::Opcode::BitXor: + case MDefinition::Opcode::Lsh: + case MDefinition::Opcode::Rsh: + case MDefinition::Opcode::Ursh: + if (!bitops.append(static_cast(*iter))) { + return false; + } + break; + default:; + } + + bool shouldClone = false; + TruncateKind kind = ComputeTruncateKind(*iter, &shouldClone); + + // Truncate this instruction if possible. + if (!canTruncate(*iter, kind) || !iter->canTruncate()) { + continue; + } + + SpewTruncate(*iter, kind, shouldClone); + + // If needed, clone the current instruction for keeping it for the + // bailout path. This give us the ability to truncate instructions + // even after the removal of branches. + if (shouldClone && !CloneForDeadBranches(alloc(), *iter)) { + return false; + } + + // TruncateAfterBailouts keeps the bailout code as-is and + // continues with truncated operations, with the expectation + // that we are unlikely to bail out. If we do bail out, then we + // will set a flag in FinishBailoutToBaseline to prevent eager + // truncation when we recompile, to avoid bailout loops. + if (kind == TruncateKind::TruncateAfterBailouts) { + iter->setBailoutKind(BailoutKind::EagerTruncation); + } + + iter->truncate(kind); + + // Delay updates of inputs/outputs to avoid creating node which + // would be removed by the truncation of the next operations. + iter->setInWorklist(); + if (!worklist.append(*iter)) { + return false; + } + } + for (MPhiIterator iter(block->phisBegin()), end(block->phisEnd()); + iter != end; ++iter) { + bool shouldClone = false; + TruncateKind kind = ComputeTruncateKind(*iter, &shouldClone); + + // Truncate this phi if possible. + if (shouldClone || !canTruncate(*iter, kind) || !iter->canTruncate()) { + continue; + } + + SpewTruncate(*iter, kind, shouldClone); + + iter->truncate(kind); + + // Delay updates of inputs/outputs to avoid creating node which + // would be removed by the truncation of the next operations. + iter->setInWorklist(); + if (!worklist.append(*iter)) { + return false; + } + } + } + + // Update inputs/outputs of truncated instructions. + JitSpew(JitSpew_Range, "Do graph type fixup (dequeue)"); + while (!worklist.empty()) { + if (!alloc().ensureBallast()) { + return false; + } + MDefinition* def = worklist.popCopy(); + def->setNotInWorklist(); + RemoveTruncatesOnOutput(def); + adjustTruncatedInputs(def); + } + + return true; +} + +bool RangeAnalysis::removeUnnecessaryBitops() { + JitSpew(JitSpew_Range, "Begin (removeUnnecessaryBitops)"); + // Note: This operation change the semantic of the program in a way which + // uniquely works with Int32, Recover Instructions added by the Sink phase + // expects the MIR Graph to still have a valid flow as-if they were double + // operations instead of Int32 operations. Thus, this phase should be + // executed after the Sink phase, and before DCE. + + // Fold any unnecessary bitops in the graph, such as (x | 0) on an integer + // input. This is done after range analysis rather than during GVN as the + // presence of the bitop can change which instructions are truncated. + for (size_t i = 0; i < bitops.length(); i++) { + MBinaryBitwiseInstruction* ins = bitops[i]; + if (ins->isRecoveredOnBailout()) { + continue; + } + + MDefinition* folded = ins->foldUnnecessaryBitop(); + if (folded != ins) { + ins->replaceAllLiveUsesWith(folded); + ins->setRecoveredOnBailout(); + } + } + + bitops.clear(); + return true; +} + +/////////////////////////////////////////////////////////////////////////////// +// Collect Range information of operands +/////////////////////////////////////////////////////////////////////////////// + +void MInArray::collectRangeInfoPreTrunc() { + Range indexRange(index()); + if (indexRange.isFiniteNonNegative()) { + needsNegativeIntCheck_ = false; + setNotGuard(); + } +} + +void MLoadElementHole::collectRangeInfoPreTrunc() { + Range indexRange(index()); + if (indexRange.isFiniteNonNegative()) { + needsNegativeIntCheck_ = false; + setNotGuard(); + } +} + +void MInt32ToIntPtr::collectRangeInfoPreTrunc() { + Range inputRange(input()); + if (inputRange.isFiniteNonNegative()) { + canBeNegative_ = false; + } +} + +void MClz::collectRangeInfoPreTrunc() { + Range inputRange(input()); + if (!inputRange.canBeZero()) { + operandIsNeverZero_ = true; + } +} + +void MCtz::collectRangeInfoPreTrunc() { + Range inputRange(input()); + if (!inputRange.canBeZero()) { + operandIsNeverZero_ = true; + } +} + +void MDiv::collectRangeInfoPreTrunc() { + Range lhsRange(lhs()); + Range rhsRange(rhs()); + + // Test if Dividend is non-negative. + if (lhsRange.isFiniteNonNegative()) { + canBeNegativeDividend_ = false; + } + + // Try removing divide by zero check. + if (!rhsRange.canBeZero()) { + canBeDivideByZero_ = false; + } + + // If lhsRange does not contain INT32_MIN in its range, + // negative overflow check can be skipped. + if (!lhsRange.contains(INT32_MIN)) { + canBeNegativeOverflow_ = false; + } + + // If rhsRange does not contain -1 likewise. + if (!rhsRange.contains(-1)) { + canBeNegativeOverflow_ = false; + } + + // If lhsRange does not contain a zero, + // negative zero check can be skipped. + if (!lhsRange.canBeZero()) { + canBeNegativeZero_ = false; + } + + // If rhsRange >= 0 negative zero check can be skipped. + if (rhsRange.isFiniteNonNegative()) { + canBeNegativeZero_ = false; + } + + if (fallible()) { + setGuardRangeBailoutsUnchecked(); + } +} + +void MMul::collectRangeInfoPreTrunc() { + Range lhsRange(lhs()); + Range rhsRange(rhs()); + + // If lhsRange contains only positive then we can skip negative zero check. + if (lhsRange.isFiniteNonNegative() && !lhsRange.canBeZero()) { + setCanBeNegativeZero(false); + } + + // Likewise rhsRange. + if (rhsRange.isFiniteNonNegative() && !rhsRange.canBeZero()) { + setCanBeNegativeZero(false); + } + + // If rhsRange and lhsRange contain Non-negative integers only, + // We skip negative zero check. + if (rhsRange.isFiniteNonNegative() && lhsRange.isFiniteNonNegative()) { + setCanBeNegativeZero(false); + } + + // If rhsRange and lhsRange < 0. Then we skip negative zero check. + if (rhsRange.isFiniteNegative() && lhsRange.isFiniteNegative()) { + setCanBeNegativeZero(false); + } +} + +void MMod::collectRangeInfoPreTrunc() { + Range lhsRange(lhs()); + Range rhsRange(rhs()); + if (lhsRange.isFiniteNonNegative()) { + canBeNegativeDividend_ = false; + } + if (!rhsRange.canBeZero()) { + canBeDivideByZero_ = false; + } + if (type() == MIRType::Int32 && fallible()) { + setGuardRangeBailoutsUnchecked(); + } +} + +void MToNumberInt32::collectRangeInfoPreTrunc() { + Range inputRange(input()); + if (!inputRange.canBeNegativeZero()) { + needsNegativeZeroCheck_ = false; + } +} + +void MBoundsCheck::collectRangeInfoPreTrunc() { + Range indexRange(index()); + Range lengthRange(length()); + if (!indexRange.hasInt32LowerBound() || !indexRange.hasInt32UpperBound()) { + return; + } + if (!lengthRange.hasInt32LowerBound() || lengthRange.canBeNaN()) { + return; + } + + int64_t indexLower = indexRange.lower(); + int64_t indexUpper = indexRange.upper(); + int64_t lengthLower = lengthRange.lower(); + int64_t min = minimum(); + int64_t max = maximum(); + + if (indexLower + min >= 0 && indexUpper + max < lengthLower) { + fallible_ = false; + } +} + +void MBoundsCheckLower::collectRangeInfoPreTrunc() { + Range indexRange(index()); + if (indexRange.hasInt32LowerBound() && indexRange.lower() >= minimum_) { + fallible_ = false; + } +} + +void MCompare::collectRangeInfoPreTrunc() { + if (!Range(lhs()).canBeNaN() && !Range(rhs()).canBeNaN()) { + operandsAreNeverNaN_ = true; + } +} + +void MNot::collectRangeInfoPreTrunc() { + if (!Range(input()).canBeNaN()) { + operandIsNeverNaN_ = true; + } +} + +void MPowHalf::collectRangeInfoPreTrunc() { + Range inputRange(input()); + if (!inputRange.canBeInfiniteOrNaN() || inputRange.hasInt32LowerBound()) { + operandIsNeverNegativeInfinity_ = true; + } + if (!inputRange.canBeNegativeZero()) { + operandIsNeverNegativeZero_ = true; + } + if (!inputRange.canBeNaN()) { + operandIsNeverNaN_ = true; + } +} + +void MUrsh::collectRangeInfoPreTrunc() { + if (type() == MIRType::Int64) { + return; + } + + Range lhsRange(lhs()), rhsRange(rhs()); + + // As in MUrsh::computeRange(), convert the inputs. + lhsRange.wrapAroundToInt32(); + rhsRange.wrapAroundToShiftCount(); + + // If the most significant bit of our result is always going to be zero, + // we can optimize by disabling bailout checks for enforcing an int32 range. + if (lhsRange.lower() >= 0 || rhsRange.lower() >= 1) { + bailoutsDisabled_ = true; + } +} + +static bool DoesMaskMatchRange(int32_t mask, Range& range) { + // Check if range is positive, because the bitand operator in `(-3) & 0xff` + // can't be eliminated. + if (range.lower() >= 0) { + MOZ_ASSERT(range.isInt32()); + // Check that the mask value has all bits set given the range upper bound. + // Note that the upper bound does not have to be exactly the mask value. For + // example, consider `x & 0xfff` where `x` is a uint8. That expression can + // still be optimized to `x`. + int bits = 1 + FloorLog2(range.upper()); + uint32_t maskNeeded = (bits == 32) ? 0xffffffff : (uint32_t(1) << bits) - 1; + if ((mask & maskNeeded) == maskNeeded) { + return true; + } + } + + return false; +} + +void MBinaryBitwiseInstruction::collectRangeInfoPreTrunc() { + Range lhsRange(lhs()); + Range rhsRange(rhs()); + + if (lhs()->isConstant() && lhs()->type() == MIRType::Int32 && + DoesMaskMatchRange(lhs()->toConstant()->toInt32(), rhsRange)) { + maskMatchesRightRange = true; + } + + if (rhs()->isConstant() && rhs()->type() == MIRType::Int32 && + DoesMaskMatchRange(rhs()->toConstant()->toInt32(), lhsRange)) { + maskMatchesLeftRange = true; + } +} + +void MNaNToZero::collectRangeInfoPreTrunc() { + Range inputRange(input()); + + if (!inputRange.canBeNaN()) { + operandIsNeverNaN_ = true; + } + if (!inputRange.canBeNegativeZero()) { + operandIsNeverNegativeZero_ = true; + } +} + +bool RangeAnalysis::prepareForUCE(bool* shouldRemoveDeadCode) { + *shouldRemoveDeadCode = false; + + for (ReversePostorderIterator iter(graph_.rpoBegin()); + iter != graph_.rpoEnd(); iter++) { + MBasicBlock* block = *iter; + + if (!block->unreachable()) { + continue; + } + + // Filter out unreachable fake entries. + if (block->numPredecessors() == 0) { + // Ignore fixup blocks added by the Value Numbering phase, in order + // to keep the dominator tree as-is when we have OSR Block which are + // no longer reachable from the main entry point of the graph. + MOZ_ASSERT(graph_.osrBlock()); + continue; + } + + MControlInstruction* cond = block->getPredecessor(0)->lastIns(); + if (!cond->isTest()) { + continue; + } + + // Replace the condition of the test control instruction by a constant + // chosen based which of the successors has the unreachable flag which is + // added by MBeta::computeRange on its own block. + MTest* test = cond->toTest(); + MDefinition* condition = test->input(); + + // If the false-branch is unreachable, then the test condition must be true. + // If the true-branch is unreachable, then the test condition must be false. + MOZ_ASSERT(block == test->ifTrue() || block == test->ifFalse()); + bool value = block == test->ifFalse(); + MConstant* constant = + MConstant::New(alloc().fallible(), BooleanValue(value)); + if (!constant) { + return false; + } + + condition->setGuardRangeBailoutsUnchecked(); + + test->block()->insertBefore(test, constant); + + test->replaceOperand(0, constant); + JitSpew(JitSpew_Range, + "Update condition of %u to reflect unreachable branches.", + test->id()); + + *shouldRemoveDeadCode = true; + } + + return tryRemovingGuards(); +} + +bool RangeAnalysis::tryRemovingGuards() { + MDefinitionVector guards(alloc()); + + for (ReversePostorderIterator block = graph_.rpoBegin(); + block != graph_.rpoEnd(); block++) { + for (MDefinitionIterator iter(*block); iter; iter++) { + if (!iter->isGuardRangeBailouts()) { + continue; + } + + iter->setInWorklist(); + if (!guards.append(*iter)) { + return false; + } + } + } + + // Flag all fallible instructions which were indirectly used in the + // computation of the condition, such that we do not ignore + // bailout-paths which are used to shrink the input range of the + // operands of the condition. + for (size_t i = 0; i < guards.length(); i++) { + MDefinition* guard = guards[i]; + + // If this ins is a guard even without guardRangeBailouts, + // there is no reason in trying to hoist the guardRangeBailouts check. + guard->setNotGuardRangeBailouts(); + if (!DeadIfUnused(guard)) { + guard->setGuardRangeBailouts(); + continue; + } + guard->setGuardRangeBailouts(); + + if (!guard->isPhi()) { + if (!guard->range()) { + continue; + } + + // Filter the range of the instruction based on its MIRType. + Range typeFilteredRange(guard); + + // If the output range is updated by adding the inner range, + // then the MIRType act as an effectful filter. As we do not know if + // this filtered Range might change or not the result of the + // previous comparison, we have to keep this instruction as a guard + // because it has to bailout in order to restrict the Range to its + // MIRType. + if (typeFilteredRange.update(guard->range())) { + continue; + } + } + + guard->setNotGuardRangeBailouts(); + + // Propagate the guard to its operands. + for (size_t op = 0, e = guard->numOperands(); op < e; op++) { + MDefinition* operand = guard->getOperand(op); + + // Already marked. + if (operand->isInWorklist()) { + continue; + } + + MOZ_ASSERT(!operand->isGuardRangeBailouts()); + + operand->setInWorklist(); + operand->setGuardRangeBailouts(); + if (!guards.append(operand)) { + return false; + } + } + } + + for (size_t i = 0; i < guards.length(); i++) { + MDefinition* guard = guards[i]; + guard->setNotInWorklist(); + } + + return true; +} -- cgit v1.2.3