/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- * vim: set ts=8 sts=2 et sw=2 tw=80: * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "jit/RangeAnalysis.h" #include "mozilla/MathAlgorithms.h" #include #include "jsmath.h" #include "jit/CompileInfo.h" #include "jit/IonAnalysis.h" #include "jit/JitSpewer.h" #include "jit/MIR.h" #include "jit/MIRGenerator.h" #include "jit/MIRGraph.h" #include "js/Conversions.h" #include "js/ScalarType.h" // js::Scalar::Type #include "util/CheckedArithmetic.h" #include "vm/ArgumentsObject.h" #include "vm/TypedArrayObject.h" #include "vm/Uint8Clamped.h" #include "vm/BytecodeUtil-inl.h" using namespace js; using namespace js::jit; using JS::GenericNaN; using JS::ToInt32; using mozilla::Abs; using mozilla::CountLeadingZeroes32; using mozilla::ExponentComponent; using mozilla::FloorLog2; using mozilla::IsNegativeZero; using mozilla::NegativeInfinity; using mozilla::NumberEqualsInt32; using mozilla::PositiveInfinity; // [SMDOC] IonMonkey Range Analysis // // This algorithm is based on the paper "Eliminating Range Checks Using // Static Single Assignment Form" by Gough and Klaren. // // We associate a range object with each SSA name, and the ranges are consulted // in order to determine whether overflow is possible for arithmetic // computations. // // An important source of range information that requires care to take // advantage of is conditional control flow. Consider the code below: // // if (x < 0) { // y = x + 2000000000; // } else { // if (x < 1000000000) { // y = x * 2; // } else { // y = x - 3000000000; // } // } // // The arithmetic operations in this code cannot overflow, but it is not // sufficient to simply associate each name with a range, since the information // differs between basic blocks. The traditional dataflow approach would be // associate ranges with (name, basic block) pairs. This solution is not // satisfying, since we lose the benefit of SSA form: in SSA form, each // definition has a unique name, so there is no need to track information about // the control flow of the program. // // The approach used here is to add a new form of pseudo operation called a // beta node, which associates range information with a value. These beta // instructions take one argument and additionally have an auxiliary constant // range associated with them. Operationally, beta nodes are just copies, but // the invariant expressed by beta node copies is that the output will fall // inside the range given by the beta node. Gough and Klaeren refer to SSA // extended with these beta nodes as XSA form. The following shows the example // code transformed into XSA form: // // if (x < 0) { // x1 = Beta(x, [INT_MIN, -1]); // y1 = x1 + 2000000000; // } else { // x2 = Beta(x, [0, INT_MAX]); // if (x2 < 1000000000) { // x3 = Beta(x2, [INT_MIN, 999999999]); // y2 = x3*2; // } else { // x4 = Beta(x2, [1000000000, INT_MAX]); // y3 = x4 - 3000000000; // } // y4 = Phi(y2, y3); // } // y = Phi(y1, y4); // // We insert beta nodes for the purposes of range analysis (they might also be // usefully used for other forms of bounds check elimination) and remove them // after range analysis is performed. The remaining compiler phases do not ever // encounter beta nodes. static bool IsDominatedUse(MBasicBlock* block, MUse* use) { MNode* n = use->consumer(); bool isPhi = n->isDefinition() && n->toDefinition()->isPhi(); if (isPhi) { MPhi* phi = n->toDefinition()->toPhi(); return block->dominates(phi->block()->getPredecessor(phi->indexOf(use))); } return block->dominates(n->block()); } static inline void SpewRange(MDefinition* def) { #ifdef JS_JITSPEW if (JitSpewEnabled(JitSpew_Range) && def->type() != MIRType::None && def->range()) { JitSpewHeader(JitSpew_Range); Fprinter& out = JitSpewPrinter(); out.printf(" "); def->printName(out); out.printf(" has range "); def->range()->dump(out); out.printf("\n"); } #endif } #ifdef JS_JITSPEW static const char* TruncateKindString(TruncateKind kind) { switch (kind) { case TruncateKind::NoTruncate: return "NoTruncate"; case TruncateKind::TruncateAfterBailouts: return "TruncateAfterBailouts"; case TruncateKind::IndirectTruncate: return "IndirectTruncate"; case TruncateKind::Truncate: return "Truncate"; default: MOZ_CRASH("Unknown truncate kind."); } } static inline void SpewTruncate(MDefinition* def, TruncateKind kind, bool shouldClone) { if (JitSpewEnabled(JitSpew_Range)) { JitSpewHeader(JitSpew_Range); Fprinter& out = JitSpewPrinter(); out.printf(" "); out.printf("truncating "); def->printName(out); out.printf(" (kind: %s, clone: %d)\n", TruncateKindString(kind), shouldClone); } } #else static inline void SpewTruncate(MDefinition* def, TruncateKind kind, bool shouldClone) {} #endif TempAllocator& RangeAnalysis::alloc() const { return graph_.alloc(); } void RangeAnalysis::replaceDominatedUsesWith(MDefinition* orig, MDefinition* dom, MBasicBlock* block) { for (MUseIterator i(orig->usesBegin()); i != orig->usesEnd();) { MUse* use = *i++; if (use->consumer() != dom && IsDominatedUse(block, use)) { use->replaceProducer(dom); } } } bool RangeAnalysis::addBetaNodes() { JitSpew(JitSpew_Range, "Adding beta nodes"); for (PostorderIterator i(graph_.poBegin()); i != graph_.poEnd(); i++) { MBasicBlock* block = *i; JitSpew(JitSpew_Range, "Looking at block %u", block->id()); BranchDirection branch_dir; MTest* test = block->immediateDominatorBranch(&branch_dir); if (!test || !test->getOperand(0)->isCompare()) { continue; } MCompare* compare = test->getOperand(0)->toCompare(); if (!compare->isNumericComparison()) { continue; } // TODO: support unsigned comparisons if (compare->compareType() == MCompare::Compare_UInt32) { continue; } // isNumericComparison should return false for UIntPtr. MOZ_ASSERT(compare->compareType() != MCompare::Compare_UIntPtr); MDefinition* left = compare->getOperand(0); MDefinition* right = compare->getOperand(1); double bound; double conservativeLower = NegativeInfinity(); double conservativeUpper = PositiveInfinity(); MDefinition* val = nullptr; JSOp jsop = compare->jsop(); if (branch_dir == FALSE_BRANCH) { jsop = NegateCompareOp(jsop); conservativeLower = GenericNaN(); conservativeUpper = GenericNaN(); } MConstant* leftConst = left->maybeConstantValue(); MConstant* rightConst = right->maybeConstantValue(); if (leftConst && leftConst->isTypeRepresentableAsDouble()) { bound = leftConst->numberToDouble(); val = right; jsop = ReverseCompareOp(jsop); } else if (rightConst && rightConst->isTypeRepresentableAsDouble()) { bound = rightConst->numberToDouble(); val = left; } else if (left->type() == MIRType::Int32 && right->type() == MIRType::Int32) { MDefinition* smaller = nullptr; MDefinition* greater = nullptr; if (jsop == JSOp::Lt) { smaller = left; greater = right; } else if (jsop == JSOp::Gt) { smaller = right; greater = left; } if (smaller && greater) { if (!alloc().ensureBallast()) { return false; } MBeta* beta; beta = MBeta::New( alloc(), smaller, Range::NewInt32Range(alloc(), JSVAL_INT_MIN, JSVAL_INT_MAX - 1)); block->insertBefore(*block->begin(), beta); replaceDominatedUsesWith(smaller, beta, block); JitSpew(JitSpew_Range, " Adding beta node for smaller %u", smaller->id()); beta = MBeta::New( alloc(), greater, Range::NewInt32Range(alloc(), JSVAL_INT_MIN + 1, JSVAL_INT_MAX)); block->insertBefore(*block->begin(), beta); replaceDominatedUsesWith(greater, beta, block); JitSpew(JitSpew_Range, " Adding beta node for greater %u", greater->id()); } continue; } else { continue; } // At this point, one of the operands if the compare is a constant, and // val is the other operand. MOZ_ASSERT(val); Range comp; switch (jsop) { case JSOp::Le: comp.setDouble(conservativeLower, bound); break; case JSOp::Lt: // For integers, if x < c, the upper bound of x is c-1. if (val->type() == MIRType::Int32) { int32_t intbound; if (NumberEqualsInt32(bound, &intbound) && SafeSub(intbound, 1, &intbound)) { bound = intbound; } } comp.setDouble(conservativeLower, bound); // Negative zero is not less than zero. if (bound == 0) { comp.refineToExcludeNegativeZero(); } break; case JSOp::Ge: comp.setDouble(bound, conservativeUpper); break; case JSOp::Gt: // For integers, if x > c, the lower bound of x is c+1. if (val->type() == MIRType::Int32) { int32_t intbound; if (NumberEqualsInt32(bound, &intbound) && SafeAdd(intbound, 1, &intbound)) { bound = intbound; } } comp.setDouble(bound, conservativeUpper); // Negative zero is not greater than zero. if (bound == 0) { comp.refineToExcludeNegativeZero(); } break; case JSOp::StrictEq: case JSOp::Eq: comp.setDouble(bound, bound); break; case JSOp::StrictNe: case JSOp::Ne: // Negative zero is not not-equal to zero. if (bound == 0) { comp.refineToExcludeNegativeZero(); break; } continue; // well, we could have // [-\inf, bound-1] U [bound+1, \inf] but we only use // contiguous ranges. default: continue; } if (JitSpewEnabled(JitSpew_Range)) { JitSpewHeader(JitSpew_Range); Fprinter& out = JitSpewPrinter(); out.printf(" Adding beta node for %u with range ", val->id()); comp.dump(out); out.printf("\n"); } if (!alloc().ensureBallast()) { return false; } MBeta* beta = MBeta::New(alloc(), val, new (alloc()) Range(comp)); block->insertBefore(*block->begin(), beta); replaceDominatedUsesWith(val, beta, block); } return true; } bool RangeAnalysis::removeBetaNodes() { JitSpew(JitSpew_Range, "Removing beta nodes"); for (PostorderIterator i(graph_.poBegin()); i != graph_.poEnd(); i++) { MBasicBlock* block = *i; for (MDefinitionIterator iter(*i); iter;) { MDefinition* def = *iter++; if (def->isBeta()) { auto* beta = def->toBeta(); MDefinition* op = beta->input(); JitSpew(JitSpew_Range, " Removing beta node %u for %u", beta->id(), op->id()); beta->justReplaceAllUsesWith(op); block->discard(beta); } else { // We only place Beta nodes at the beginning of basic // blocks, so if we see something else, we can move on // to the next block. break; } } } return true; } void SymbolicBound::dump(GenericPrinter& out) const { if (loop) { out.printf("[loop] "); } sum.dump(out); } void SymbolicBound::dump() const { Fprinter out(stderr); dump(out); out.printf("\n"); out.finish(); } // Test whether the given range's exponent tells us anything that its lower // and upper bound values don't. static bool IsExponentInteresting(const Range* r) { // If it lacks either a lower or upper bound, the exponent is interesting. if (!r->hasInt32Bounds()) { return true; } // Otherwise if there's no fractional part, the lower and upper bounds, // which are integers, are perfectly precise. if (!r->canHaveFractionalPart()) { return false; } // Otherwise, if the bounds are conservatively rounded across a power-of-two // boundary, the exponent may imply a tighter range. return FloorLog2(std::max(Abs(r->lower()), Abs(r->upper()))) > r->exponent(); } void Range::dump(GenericPrinter& out) const { assertInvariants(); // Floating-point or Integer subset. if (canHaveFractionalPart_) { out.printf("F"); } else { out.printf("I"); } out.printf("["); if (!hasInt32LowerBound_) { out.printf("?"); } else { out.printf("%d", lower_); } if (symbolicLower_) { out.printf(" {"); symbolicLower_->dump(out); out.printf("}"); } out.printf(", "); if (!hasInt32UpperBound_) { out.printf("?"); } else { out.printf("%d", upper_); } if (symbolicUpper_) { out.printf(" {"); symbolicUpper_->dump(out); out.printf("}"); } out.printf("]"); bool includesNaN = max_exponent_ == IncludesInfinityAndNaN; bool includesNegativeInfinity = max_exponent_ >= IncludesInfinity && !hasInt32LowerBound_; bool includesPositiveInfinity = max_exponent_ >= IncludesInfinity && !hasInt32UpperBound_; bool includesNegativeZero = canBeNegativeZero_; if (includesNaN || includesNegativeInfinity || includesPositiveInfinity || includesNegativeZero) { out.printf(" ("); bool first = true; if (includesNaN) { if (first) { first = false; } else { out.printf(" "); } out.printf("U NaN"); } if (includesNegativeInfinity) { if (first) { first = false; } else { out.printf(" "); } out.printf("U -Infinity"); } if (includesPositiveInfinity) { if (first) { first = false; } else { out.printf(" "); } out.printf("U Infinity"); } if (includesNegativeZero) { if (first) { first = false; } else { out.printf(" "); } out.printf("U -0"); } out.printf(")"); } if (max_exponent_ < IncludesInfinity && IsExponentInteresting(this)) { out.printf(" (< pow(2, %d+1))", max_exponent_); } } void Range::dump() const { Fprinter out(stderr); dump(out); out.printf("\n"); out.finish(); } Range* Range::intersect(TempAllocator& alloc, const Range* lhs, const Range* rhs, bool* emptyRange) { *emptyRange = false; if (!lhs && !rhs) { return nullptr; } if (!lhs) { return new (alloc) Range(*rhs); } if (!rhs) { return new (alloc) Range(*lhs); } int32_t newLower = std::max(lhs->lower_, rhs->lower_); int32_t newUpper = std::min(lhs->upper_, rhs->upper_); // If upper < lower, then we have conflicting constraints. Consider: // // if (x < 0) { // if (x > 0) { // [Some code.] // } // } // // In this case, the block is unreachable. if (newUpper < newLower) { // If both ranges can be NaN, the result can still be NaN. if (!lhs->canBeNaN() || !rhs->canBeNaN()) { *emptyRange = true; } return nullptr; } bool newHasInt32LowerBound = lhs->hasInt32LowerBound_ || rhs->hasInt32LowerBound_; bool newHasInt32UpperBound = lhs->hasInt32UpperBound_ || rhs->hasInt32UpperBound_; FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( lhs->canHaveFractionalPart_ && rhs->canHaveFractionalPart_); NegativeZeroFlag newMayIncludeNegativeZero = NegativeZeroFlag(lhs->canBeNegativeZero_ && rhs->canBeNegativeZero_); uint16_t newExponent = std::min(lhs->max_exponent_, rhs->max_exponent_); // NaN is a special value which is neither greater than infinity or less than // negative infinity. When we intersect two ranges like [?, 0] and [0, ?], we // can end up thinking we have both a lower and upper bound, even though NaN // is still possible. In this case, just be conservative, since any case where // we can have NaN is not especially interesting. if (newHasInt32LowerBound && newHasInt32UpperBound && newExponent == IncludesInfinityAndNaN) { return nullptr; } // If one of the ranges has a fractional part and the other doesn't, it's // possible that we will have computed a newExponent that's more precise // than our newLower and newUpper. This is unusual, so we handle it here // instead of in optimize(). // // For example, consider the range F[0,1.5]. Range analysis represents the // lower and upper bound as integers, so we'd actually have // F[0,2] (< pow(2, 0+1)). In this case, the exponent gives us a slightly // more precise upper bound than the integer upper bound. // // When intersecting such a range with an integer range, the fractional part // of the range is dropped. The max exponent of 0 remains valid, so the // upper bound needs to be adjusted to 1. // // When intersecting F[0,2] (< pow(2, 0+1)) with a range like F[2,4], // the naive intersection is I[2,2], but since the max exponent tells us // that the value is always less than 2, the intersection is actually empty. if (lhs->canHaveFractionalPart() != rhs->canHaveFractionalPart() || (lhs->canHaveFractionalPart() && newHasInt32LowerBound && newHasInt32UpperBound && newLower == newUpper)) { refineInt32BoundsByExponent(newExponent, &newLower, &newHasInt32LowerBound, &newUpper, &newHasInt32UpperBound); // If we're intersecting two ranges that don't overlap, this could also // push the bounds past each other, since the actual intersection is // the empty set. if (newLower > newUpper) { *emptyRange = true; return nullptr; } } return new (alloc) Range(newLower, newHasInt32LowerBound, newUpper, newHasInt32UpperBound, newCanHaveFractionalPart, newMayIncludeNegativeZero, newExponent); } void Range::unionWith(const Range* other) { int32_t newLower = std::min(lower_, other->lower_); int32_t newUpper = std::max(upper_, other->upper_); bool newHasInt32LowerBound = hasInt32LowerBound_ && other->hasInt32LowerBound_; bool newHasInt32UpperBound = hasInt32UpperBound_ && other->hasInt32UpperBound_; FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( canHaveFractionalPart_ || other->canHaveFractionalPart_); NegativeZeroFlag newMayIncludeNegativeZero = NegativeZeroFlag(canBeNegativeZero_ || other->canBeNegativeZero_); uint16_t newExponent = std::max(max_exponent_, other->max_exponent_); rawInitialize(newLower, newHasInt32LowerBound, newUpper, newHasInt32UpperBound, newCanHaveFractionalPart, newMayIncludeNegativeZero, newExponent); } Range::Range(const MDefinition* def) : symbolicLower_(nullptr), symbolicUpper_(nullptr) { if (const Range* other = def->range()) { // The instruction has range information; use it. *this = *other; // Simulate the effect of converting the value to its type. // Note: we cannot clamp here, since ranges aren't allowed to shrink // and truncation can increase range again. So doing wrapAround to // mimick a possible truncation. switch (def->type()) { case MIRType::Int32: // MToNumberInt32 cannot truncate. So we can safely clamp. if (def->isToNumberInt32()) { clampToInt32(); } else { wrapAroundToInt32(); } break; case MIRType::Boolean: wrapAroundToBoolean(); break; case MIRType::None: MOZ_CRASH("Asking for the range of an instruction with no value"); default: break; } } else { // Otherwise just use type information. We can trust the type here // because we don't care what value the instruction actually produces, // but what value we might get after we get past the bailouts. switch (def->type()) { case MIRType::Int32: setInt32(JSVAL_INT_MIN, JSVAL_INT_MAX); break; case MIRType::Boolean: setInt32(0, 1); break; case MIRType::None: MOZ_CRASH("Asking for the range of an instruction with no value"); default: setUnknown(); break; } } // As a special case, MUrsh is permitted to claim a result type of // MIRType::Int32 while actually returning values in [0,UINT32_MAX] without // bailouts. If range analysis hasn't ruled out values in // (INT32_MAX,UINT32_MAX], set the range to be conservatively correct for // use as either a uint32 or an int32. if (!hasInt32UpperBound() && def->isUrsh() && def->toUrsh()->bailoutsDisabled() && def->type() != MIRType::Int64) { lower_ = INT32_MIN; } assertInvariants(); } static uint16_t ExponentImpliedByDouble(double d) { // Handle the special values. if (std::isnan(d)) { return Range::IncludesInfinityAndNaN; } if (std::isinf(d)) { return Range::IncludesInfinity; } // Otherwise take the exponent part and clamp it at zero, since the Range // class doesn't track fractional ranges. return uint16_t(std::max(int_fast16_t(0), ExponentComponent(d))); } void Range::setDouble(double l, double h) { MOZ_ASSERT(!(l > h)); // Infer lower_, upper_, hasInt32LowerBound_, and hasInt32UpperBound_. if (l >= INT32_MIN && l <= INT32_MAX) { lower_ = int32_t(::floor(l)); hasInt32LowerBound_ = true; } else if (l >= INT32_MAX) { lower_ = INT32_MAX; hasInt32LowerBound_ = true; } else { lower_ = INT32_MIN; hasInt32LowerBound_ = false; } if (h >= INT32_MIN && h <= INT32_MAX) { upper_ = int32_t(::ceil(h)); hasInt32UpperBound_ = true; } else if (h <= INT32_MIN) { upper_ = INT32_MIN; hasInt32UpperBound_ = true; } else { upper_ = INT32_MAX; hasInt32UpperBound_ = false; } // Infer max_exponent_. uint16_t lExp = ExponentImpliedByDouble(l); uint16_t hExp = ExponentImpliedByDouble(h); max_exponent_ = std::max(lExp, hExp); canHaveFractionalPart_ = ExcludesFractionalParts; canBeNegativeZero_ = ExcludesNegativeZero; // Infer the canHaveFractionalPart_ setting. We can have a // fractional part if the range crosses through the neighborhood of zero. We // won't have a fractional value if the value is always beyond the point at // which double precision can't represent fractional values. uint16_t minExp = std::min(lExp, hExp); bool includesNegative = std::isnan(l) || l < 0; bool includesPositive = std::isnan(h) || h > 0; bool crossesZero = includesNegative && includesPositive; if (crossesZero || minExp < MaxTruncatableExponent) { canHaveFractionalPart_ = IncludesFractionalParts; } // Infer the canBeNegativeZero_ setting. We can have a negative zero if // either bound is zero. if (!(l > 0) && !(h < 0)) { canBeNegativeZero_ = IncludesNegativeZero; } optimize(); } void Range::setDoubleSingleton(double d) { setDouble(d, d); // The above setDouble call is for comparisons, and treats negative zero // as equal to zero. We're aiming for a minimum range, so we can clear the // negative zero flag if the value isn't actually negative zero. if (!IsNegativeZero(d)) { canBeNegativeZero_ = ExcludesNegativeZero; } assertInvariants(); } static inline bool MissingAnyInt32Bounds(const Range* lhs, const Range* rhs) { return !lhs->hasInt32Bounds() || !rhs->hasInt32Bounds(); } Range* Range::add(TempAllocator& alloc, const Range* lhs, const Range* rhs) { int64_t l = (int64_t)lhs->lower_ + (int64_t)rhs->lower_; if (!lhs->hasInt32LowerBound() || !rhs->hasInt32LowerBound()) { l = NoInt32LowerBound; } int64_t h = (int64_t)lhs->upper_ + (int64_t)rhs->upper_; if (!lhs->hasInt32UpperBound() || !rhs->hasInt32UpperBound()) { h = NoInt32UpperBound; } // The exponent is at most one greater than the greater of the operands' // exponents, except for NaN and infinity cases. uint16_t e = std::max(lhs->max_exponent_, rhs->max_exponent_); if (e <= Range::MaxFiniteExponent) { ++e; } // Infinity + -Infinity is NaN. if (lhs->canBeInfiniteOrNaN() && rhs->canBeInfiniteOrNaN()) { e = Range::IncludesInfinityAndNaN; } return new (alloc) Range( l, h, FractionalPartFlag(lhs->canHaveFractionalPart() || rhs->canHaveFractionalPart()), NegativeZeroFlag(lhs->canBeNegativeZero() && rhs->canBeNegativeZero()), e); } Range* Range::sub(TempAllocator& alloc, const Range* lhs, const Range* rhs) { int64_t l = (int64_t)lhs->lower_ - (int64_t)rhs->upper_; if (!lhs->hasInt32LowerBound() || !rhs->hasInt32UpperBound()) { l = NoInt32LowerBound; } int64_t h = (int64_t)lhs->upper_ - (int64_t)rhs->lower_; if (!lhs->hasInt32UpperBound() || !rhs->hasInt32LowerBound()) { h = NoInt32UpperBound; } // The exponent is at most one greater than the greater of the operands' // exponents, except for NaN and infinity cases. uint16_t e = std::max(lhs->max_exponent_, rhs->max_exponent_); if (e <= Range::MaxFiniteExponent) { ++e; } // Infinity - Infinity is NaN. if (lhs->canBeInfiniteOrNaN() && rhs->canBeInfiniteOrNaN()) { e = Range::IncludesInfinityAndNaN; } return new (alloc) Range(l, h, FractionalPartFlag(lhs->canHaveFractionalPart() || rhs->canHaveFractionalPart()), NegativeZeroFlag(lhs->canBeNegativeZero() && rhs->canBeZero()), e); } Range* Range::and_(TempAllocator& alloc, const Range* lhs, const Range* rhs) { MOZ_ASSERT(lhs->isInt32()); MOZ_ASSERT(rhs->isInt32()); // If both numbers can be negative, result can be negative in the whole range if (lhs->lower() < 0 && rhs->lower() < 0) { return Range::NewInt32Range(alloc, INT32_MIN, std::max(lhs->upper(), rhs->upper())); } // Only one of both numbers can be negative. // - result can't be negative // - Upper bound is minimum of both upper range, int32_t lower = 0; int32_t upper = std::min(lhs->upper(), rhs->upper()); // EXCEPT when upper bound of non negative number is max value, // because negative value can return the whole max value. // -1 & 5 = 5 if (lhs->lower() < 0) { upper = rhs->upper(); } if (rhs->lower() < 0) { upper = lhs->upper(); } return Range::NewInt32Range(alloc, lower, upper); } Range* Range::or_(TempAllocator& alloc, const Range* lhs, const Range* rhs) { MOZ_ASSERT(lhs->isInt32()); MOZ_ASSERT(rhs->isInt32()); // When one operand is always 0 or always -1, it's a special case where we // can compute a fully precise result. Handling these up front also // protects the code below from calling CountLeadingZeroes32 with a zero // operand or from shifting an int32_t by 32. if (lhs->lower() == lhs->upper()) { if (lhs->lower() == 0) { return new (alloc) Range(*rhs); } if (lhs->lower() == -1) { return new (alloc) Range(*lhs); } } if (rhs->lower() == rhs->upper()) { if (rhs->lower() == 0) { return new (alloc) Range(*lhs); } if (rhs->lower() == -1) { return new (alloc) Range(*rhs); } } // The code below uses CountLeadingZeroes32, which has undefined behavior // if its operand is 0. We rely on the code above to protect it. MOZ_ASSERT_IF(lhs->lower() >= 0, lhs->upper() != 0); MOZ_ASSERT_IF(rhs->lower() >= 0, rhs->upper() != 0); MOZ_ASSERT_IF(lhs->upper() < 0, lhs->lower() != -1); MOZ_ASSERT_IF(rhs->upper() < 0, rhs->lower() != -1); int32_t lower = INT32_MIN; int32_t upper = INT32_MAX; if (lhs->lower() >= 0 && rhs->lower() >= 0) { // Both operands are non-negative, so the result won't be less than either. lower = std::max(lhs->lower(), rhs->lower()); // The result will have leading zeros where both operands have leading // zeros. CountLeadingZeroes32 of a non-negative int32 will at least be 1 to // account for the bit of sign. upper = int32_t(UINT32_MAX >> std::min(CountLeadingZeroes32(lhs->upper()), CountLeadingZeroes32(rhs->upper()))); } else { // The result will have leading ones where either operand has leading ones. if (lhs->upper() < 0) { unsigned leadingOnes = CountLeadingZeroes32(~lhs->lower()); lower = std::max(lower, ~int32_t(UINT32_MAX >> leadingOnes)); upper = -1; } if (rhs->upper() < 0) { unsigned leadingOnes = CountLeadingZeroes32(~rhs->lower()); lower = std::max(lower, ~int32_t(UINT32_MAX >> leadingOnes)); upper = -1; } } return Range::NewInt32Range(alloc, lower, upper); } Range* Range::xor_(TempAllocator& alloc, const Range* lhs, const Range* rhs) { MOZ_ASSERT(lhs->isInt32()); MOZ_ASSERT(rhs->isInt32()); int32_t lhsLower = lhs->lower(); int32_t lhsUpper = lhs->upper(); int32_t rhsLower = rhs->lower(); int32_t rhsUpper = rhs->upper(); bool invertAfter = false; // If either operand is negative, bitwise-negate it, and arrange to negate // the result; ~((~x)^y) == x^y. If both are negative the negations on the // result cancel each other out; effectively this is (~x)^(~y) == x^y. // These transformations reduce the number of cases we have to handle below. if (lhsUpper < 0) { lhsLower = ~lhsLower; lhsUpper = ~lhsUpper; std::swap(lhsLower, lhsUpper); invertAfter = !invertAfter; } if (rhsUpper < 0) { rhsLower = ~rhsLower; rhsUpper = ~rhsUpper; std::swap(rhsLower, rhsUpper); invertAfter = !invertAfter; } // Handle cases where lhs or rhs is always zero specially, because they're // easy cases where we can be perfectly precise, and because it protects the // CountLeadingZeroes32 calls below from seeing 0 operands, which would be // undefined behavior. int32_t lower = INT32_MIN; int32_t upper = INT32_MAX; if (lhsLower == 0 && lhsUpper == 0) { upper = rhsUpper; lower = rhsLower; } else if (rhsLower == 0 && rhsUpper == 0) { upper = lhsUpper; lower = lhsLower; } else if (lhsLower >= 0 && rhsLower >= 0) { // Both operands are non-negative. The result will be non-negative. lower = 0; // To compute the upper value, take each operand's upper value and // set all bits that don't correspond to leading zero bits in the // other to one. For each one, this gives an upper bound for the // result, so we can take the minimum between the two. unsigned lhsLeadingZeros = CountLeadingZeroes32(lhsUpper); unsigned rhsLeadingZeros = CountLeadingZeroes32(rhsUpper); upper = std::min(rhsUpper | int32_t(UINT32_MAX >> lhsLeadingZeros), lhsUpper | int32_t(UINT32_MAX >> rhsLeadingZeros)); } // If we bitwise-negated one (but not both) of the operands above, apply the // bitwise-negate to the result, completing ~((~x)^y) == x^y. if (invertAfter) { lower = ~lower; upper = ~upper; std::swap(lower, upper); } return Range::NewInt32Range(alloc, lower, upper); } Range* Range::not_(TempAllocator& alloc, const Range* op) { MOZ_ASSERT(op->isInt32()); return Range::NewInt32Range(alloc, ~op->upper(), ~op->lower()); } Range* Range::mul(TempAllocator& alloc, const Range* lhs, const Range* rhs) { FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( lhs->canHaveFractionalPart_ || rhs->canHaveFractionalPart_); NegativeZeroFlag newMayIncludeNegativeZero = NegativeZeroFlag( (lhs->canHaveSignBitSet() && rhs->canBeFiniteNonNegative()) || (rhs->canHaveSignBitSet() && lhs->canBeFiniteNonNegative())); uint16_t exponent; if (!lhs->canBeInfiniteOrNaN() && !rhs->canBeInfiniteOrNaN()) { // Two finite values. exponent = lhs->numBits() + rhs->numBits() - 1; if (exponent > Range::MaxFiniteExponent) { exponent = Range::IncludesInfinity; } } else if (!lhs->canBeNaN() && !rhs->canBeNaN() && !(lhs->canBeZero() && rhs->canBeInfiniteOrNaN()) && !(rhs->canBeZero() && lhs->canBeInfiniteOrNaN())) { // Two values that multiplied together won't produce a NaN. exponent = Range::IncludesInfinity; } else { // Could be anything. exponent = Range::IncludesInfinityAndNaN; } if (MissingAnyInt32Bounds(lhs, rhs)) { return new (alloc) Range(NoInt32LowerBound, NoInt32UpperBound, newCanHaveFractionalPart, newMayIncludeNegativeZero, exponent); } int64_t a = (int64_t)lhs->lower() * (int64_t)rhs->lower(); int64_t b = (int64_t)lhs->lower() * (int64_t)rhs->upper(); int64_t c = (int64_t)lhs->upper() * (int64_t)rhs->lower(); int64_t d = (int64_t)lhs->upper() * (int64_t)rhs->upper(); return new (alloc) Range(std::min(std::min(a, b), std::min(c, d)), std::max(std::max(a, b), std::max(c, d)), newCanHaveFractionalPart, newMayIncludeNegativeZero, exponent); } Range* Range::lsh(TempAllocator& alloc, const Range* lhs, int32_t c) { MOZ_ASSERT(lhs->isInt32()); int32_t shift = c & 0x1f; // If the shift doesn't loose bits or shift bits into the sign bit, we // can simply compute the correct range by shifting. if ((int32_t)((uint32_t)lhs->lower() << shift << 1 >> shift >> 1) == lhs->lower() && (int32_t)((uint32_t)lhs->upper() << shift << 1 >> shift >> 1) == lhs->upper()) { return Range::NewInt32Range(alloc, uint32_t(lhs->lower()) << shift, uint32_t(lhs->upper()) << shift); } return Range::NewInt32Range(alloc, INT32_MIN, INT32_MAX); } Range* Range::rsh(TempAllocator& alloc, const Range* lhs, int32_t c) { MOZ_ASSERT(lhs->isInt32()); int32_t shift = c & 0x1f; return Range::NewInt32Range(alloc, lhs->lower() >> shift, lhs->upper() >> shift); } Range* Range::ursh(TempAllocator& alloc, const Range* lhs, int32_t c) { // ursh's left operand is uint32, not int32, but for range analysis we // currently approximate it as int32. We assume here that the range has // already been adjusted accordingly by our callers. MOZ_ASSERT(lhs->isInt32()); int32_t shift = c & 0x1f; // If the value is always non-negative or always negative, we can simply // compute the correct range by shifting. if (lhs->isFiniteNonNegative() || lhs->isFiniteNegative()) { return Range::NewUInt32Range(alloc, uint32_t(lhs->lower()) >> shift, uint32_t(lhs->upper()) >> shift); } // Otherwise return the most general range after the shift. return Range::NewUInt32Range(alloc, 0, UINT32_MAX >> shift); } Range* Range::lsh(TempAllocator& alloc, const Range* lhs, const Range* rhs) { MOZ_ASSERT(lhs->isInt32()); MOZ_ASSERT(rhs->isInt32()); return Range::NewInt32Range(alloc, INT32_MIN, INT32_MAX); } Range* Range::rsh(TempAllocator& alloc, const Range* lhs, const Range* rhs) { MOZ_ASSERT(lhs->isInt32()); MOZ_ASSERT(rhs->isInt32()); // Canonicalize the shift range to 0 to 31. int32_t shiftLower = rhs->lower(); int32_t shiftUpper = rhs->upper(); if ((int64_t(shiftUpper) - int64_t(shiftLower)) >= 31) { shiftLower = 0; shiftUpper = 31; } else { shiftLower &= 0x1f; shiftUpper &= 0x1f; if (shiftLower > shiftUpper) { shiftLower = 0; shiftUpper = 31; } } MOZ_ASSERT(shiftLower >= 0 && shiftUpper <= 31); // The lhs bounds are signed, thus the minimum is either the lower bound // shift by the smallest shift if negative or the lower bound shifted by the // biggest shift otherwise. And the opposite for the maximum. int32_t lhsLower = lhs->lower(); int32_t min = lhsLower < 0 ? lhsLower >> shiftLower : lhsLower >> shiftUpper; int32_t lhsUpper = lhs->upper(); int32_t max = lhsUpper >= 0 ? lhsUpper >> shiftLower : lhsUpper >> shiftUpper; return Range::NewInt32Range(alloc, min, max); } Range* Range::ursh(TempAllocator& alloc, const Range* lhs, const Range* rhs) { // ursh's left operand is uint32, not int32, but for range analysis we // currently approximate it as int32. We assume here that the range has // already been adjusted accordingly by our callers. MOZ_ASSERT(lhs->isInt32()); MOZ_ASSERT(rhs->isInt32()); return Range::NewUInt32Range( alloc, 0, lhs->isFiniteNonNegative() ? lhs->upper() : UINT32_MAX); } Range* Range::abs(TempAllocator& alloc, const Range* op) { int32_t l = op->lower_; int32_t u = op->upper_; FractionalPartFlag canHaveFractionalPart = op->canHaveFractionalPart_; // Abs never produces a negative zero. NegativeZeroFlag canBeNegativeZero = ExcludesNegativeZero; return new (alloc) Range( std::max(std::max(int32_t(0), l), u == INT32_MIN ? INT32_MAX : -u), true, std::max(std::max(int32_t(0), u), l == INT32_MIN ? INT32_MAX : -l), op->hasInt32Bounds() && l != INT32_MIN, canHaveFractionalPart, canBeNegativeZero, op->max_exponent_); } Range* Range::min(TempAllocator& alloc, const Range* lhs, const Range* rhs) { // If either operand is NaN, the result is NaN. if (lhs->canBeNaN() || rhs->canBeNaN()) { return nullptr; } FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( lhs->canHaveFractionalPart_ || rhs->canHaveFractionalPart_); NegativeZeroFlag newMayIncludeNegativeZero = NegativeZeroFlag(lhs->canBeNegativeZero_ || rhs->canBeNegativeZero_); return new (alloc) Range(std::min(lhs->lower_, rhs->lower_), lhs->hasInt32LowerBound_ && rhs->hasInt32LowerBound_, std::min(lhs->upper_, rhs->upper_), lhs->hasInt32UpperBound_ || rhs->hasInt32UpperBound_, newCanHaveFractionalPart, newMayIncludeNegativeZero, std::max(lhs->max_exponent_, rhs->max_exponent_)); } Range* Range::max(TempAllocator& alloc, const Range* lhs, const Range* rhs) { // If either operand is NaN, the result is NaN. if (lhs->canBeNaN() || rhs->canBeNaN()) { return nullptr; } FractionalPartFlag newCanHaveFractionalPart = FractionalPartFlag( lhs->canHaveFractionalPart_ || rhs->canHaveFractionalPart_); NegativeZeroFlag newMayIncludeNegativeZero = NegativeZeroFlag(lhs->canBeNegativeZero_ || rhs->canBeNegativeZero_); return new (alloc) Range(std::max(lhs->lower_, rhs->lower_), lhs->hasInt32LowerBound_ || rhs->hasInt32LowerBound_, std::max(lhs->upper_, rhs->upper_), lhs->hasInt32UpperBound_ && rhs->hasInt32UpperBound_, newCanHaveFractionalPart, newMayIncludeNegativeZero, std::max(lhs->max_exponent_, rhs->max_exponent_)); } Range* Range::floor(TempAllocator& alloc, const Range* op) { Range* copy = new (alloc) Range(*op); // Decrement lower bound of copy range if op have a factional part and lower // bound is Int32 defined. Also we avoid to decrement when op have a // fractional part but lower_ >= JSVAL_INT_MAX. if (op->canHaveFractionalPart() && op->hasInt32LowerBound()) { copy->setLowerInit(int64_t(copy->lower_) - 1); } // Also refine max_exponent_ because floor may have decremented int value // If we've got int32 defined bounds, just deduce it using defined bounds. // But, if we don't have those, value's max_exponent_ may have changed. // Because we're looking to maintain an over estimation, if we can, // we increment it. if (copy->hasInt32Bounds()) copy->max_exponent_ = copy->exponentImpliedByInt32Bounds(); else if (copy->max_exponent_ < MaxFiniteExponent) copy->max_exponent_++; copy->canHaveFractionalPart_ = ExcludesFractionalParts; copy->assertInvariants(); return copy; } Range* Range::ceil(TempAllocator& alloc, const Range* op) { Range* copy = new (alloc) Range(*op); // We need to refine max_exponent_ because ceil may have incremented the int // value. If we have got int32 bounds defined, just deduce it using the // defined bounds. Else we can just increment its value, as we are looking to // maintain an over estimation. if (copy->hasInt32Bounds()) { copy->max_exponent_ = copy->exponentImpliedByInt32Bounds(); } else if (copy->max_exponent_ < MaxFiniteExponent) { copy->max_exponent_++; } // If the range is definitely above 0 or below -1, we don't need to include // -0; otherwise we do. copy->canBeNegativeZero_ = ((copy->lower_ > 0) || (copy->upper_ <= -1)) ? copy->canBeNegativeZero_ : IncludesNegativeZero; copy->canHaveFractionalPart_ = ExcludesFractionalParts; copy->assertInvariants(); return copy; } Range* Range::sign(TempAllocator& alloc, const Range* op) { if (op->canBeNaN()) { return nullptr; } return new (alloc) Range(std::max(std::min(op->lower_, 1), -1), std::max(std::min(op->upper_, 1), -1), Range::ExcludesFractionalParts, NegativeZeroFlag(op->canBeNegativeZero()), 0); } Range* Range::NaNToZero(TempAllocator& alloc, const Range* op) { Range* copy = new (alloc) Range(*op); if (copy->canBeNaN()) { copy->max_exponent_ = Range::IncludesInfinity; if (!copy->canBeZero()) { Range zero; zero.setDoubleSingleton(0); copy->unionWith(&zero); } } copy->refineToExcludeNegativeZero(); return copy; } bool Range::negativeZeroMul(const Range* lhs, const Range* rhs) { // The result can only be negative zero if both sides are finite and they // have differing signs. return (lhs->canHaveSignBitSet() && rhs->canBeFiniteNonNegative()) || (rhs->canHaveSignBitSet() && lhs->canBeFiniteNonNegative()); } bool Range::update(const Range* other) { bool changed = lower_ != other->lower_ || hasInt32LowerBound_ != other->hasInt32LowerBound_ || upper_ != other->upper_ || hasInt32UpperBound_ != other->hasInt32UpperBound_ || canHaveFractionalPart_ != other->canHaveFractionalPart_ || canBeNegativeZero_ != other->canBeNegativeZero_ || max_exponent_ != other->max_exponent_; if (changed) { lower_ = other->lower_; hasInt32LowerBound_ = other->hasInt32LowerBound_; upper_ = other->upper_; hasInt32UpperBound_ = other->hasInt32UpperBound_; canHaveFractionalPart_ = other->canHaveFractionalPart_; canBeNegativeZero_ = other->canBeNegativeZero_; max_exponent_ = other->max_exponent_; assertInvariants(); } return changed; } /////////////////////////////////////////////////////////////////////////////// // Range Computation for MIR Nodes /////////////////////////////////////////////////////////////////////////////// void MPhi::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32 && type() != MIRType::Double) { return; } Range* range = nullptr; for (size_t i = 0, e = numOperands(); i < e; i++) { if (getOperand(i)->block()->unreachable()) { JitSpew(JitSpew_Range, "Ignoring unreachable input %u", getOperand(i)->id()); continue; } // Peek at the pre-bailout range so we can take a short-cut; if any of // the operands has an unknown range, this phi has an unknown range. if (!getOperand(i)->range()) { return; } Range input(getOperand(i)); if (range) { range->unionWith(&input); } else { range = new (alloc) Range(input); } } setRange(range); } void MBeta::computeRange(TempAllocator& alloc) { bool emptyRange = false; Range opRange(getOperand(0)); Range* range = Range::intersect(alloc, &opRange, comparison_, &emptyRange); if (emptyRange) { JitSpew(JitSpew_Range, "Marking block for inst %u unreachable", id()); block()->setUnreachableUnchecked(); } else { setRange(range); } } void MConstant::computeRange(TempAllocator& alloc) { if (isTypeRepresentableAsDouble()) { double d = numberToDouble(); setRange(Range::NewDoubleSingletonRange(alloc, d)); } else if (type() == MIRType::Boolean) { bool b = toBoolean(); setRange(Range::NewInt32Range(alloc, b, b)); } } void MCharCodeAt::computeRange(TempAllocator& alloc) { // ECMA 262 says that the integer will be non-negative and at most 65535. setRange(Range::NewInt32Range(alloc, 0, 65535)); } void MClampToUint8::computeRange(TempAllocator& alloc) { setRange(Range::NewUInt32Range(alloc, 0, 255)); } void MBitAnd::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32) { return; } Range left(getOperand(0)); Range right(getOperand(1)); left.wrapAroundToInt32(); right.wrapAroundToInt32(); setRange(Range::and_(alloc, &left, &right)); } void MBitOr::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32) { return; } Range left(getOperand(0)); Range right(getOperand(1)); left.wrapAroundToInt32(); right.wrapAroundToInt32(); setRange(Range::or_(alloc, &left, &right)); } void MBitXor::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32) { return; } Range left(getOperand(0)); Range right(getOperand(1)); left.wrapAroundToInt32(); right.wrapAroundToInt32(); setRange(Range::xor_(alloc, &left, &right)); } void MBitNot::computeRange(TempAllocator& alloc) { if (type() == MIRType::Int64) { return; } MOZ_ASSERT(type() == MIRType::Int32); Range op(getOperand(0)); op.wrapAroundToInt32(); setRange(Range::not_(alloc, &op)); } void MLsh::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32) { return; } Range left(getOperand(0)); Range right(getOperand(1)); left.wrapAroundToInt32(); MConstant* rhsConst = getOperand(1)->maybeConstantValue(); if (rhsConst && rhsConst->type() == MIRType::Int32) { int32_t c = rhsConst->toInt32(); setRange(Range::lsh(alloc, &left, c)); return; } right.wrapAroundToShiftCount(); setRange(Range::lsh(alloc, &left, &right)); } void MRsh::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32) { return; } Range left(getOperand(0)); Range right(getOperand(1)); left.wrapAroundToInt32(); MConstant* rhsConst = getOperand(1)->maybeConstantValue(); if (rhsConst && rhsConst->type() == MIRType::Int32) { int32_t c = rhsConst->toInt32(); setRange(Range::rsh(alloc, &left, c)); return; } right.wrapAroundToShiftCount(); setRange(Range::rsh(alloc, &left, &right)); } void MUrsh::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32) { return; } Range left(getOperand(0)); Range right(getOperand(1)); // ursh can be thought of as converting its left operand to uint32, or it // can be thought of as converting its left operand to int32, and then // reinterpreting the int32 bits as a uint32 value. Both approaches yield // the same result. Since we lack support for full uint32 ranges, we use // the second interpretation, though it does cause us to be conservative. left.wrapAroundToInt32(); right.wrapAroundToShiftCount(); MConstant* rhsConst = getOperand(1)->maybeConstantValue(); if (rhsConst && rhsConst->type() == MIRType::Int32) { int32_t c = rhsConst->toInt32(); setRange(Range::ursh(alloc, &left, c)); } else { setRange(Range::ursh(alloc, &left, &right)); } MOZ_ASSERT(range()->lower() >= 0); } void MAbs::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32 && type() != MIRType::Double) { return; } Range other(getOperand(0)); Range* next = Range::abs(alloc, &other); if (implicitTruncate_) { next->wrapAroundToInt32(); } setRange(next); } void MFloor::computeRange(TempAllocator& alloc) { Range other(getOperand(0)); setRange(Range::floor(alloc, &other)); } void MCeil::computeRange(TempAllocator& alloc) { Range other(getOperand(0)); setRange(Range::ceil(alloc, &other)); } void MClz::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32) { return; } setRange(Range::NewUInt32Range(alloc, 0, 32)); } void MCtz::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32) { return; } setRange(Range::NewUInt32Range(alloc, 0, 32)); } void MPopcnt::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32) { return; } setRange(Range::NewUInt32Range(alloc, 0, 32)); } void MMinMax::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32 && type() != MIRType::Double) { return; } Range left(getOperand(0)); Range right(getOperand(1)); setRange(isMax() ? Range::max(alloc, &left, &right) : Range::min(alloc, &left, &right)); } void MAdd::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32 && type() != MIRType::Double) { return; } Range left(getOperand(0)); Range right(getOperand(1)); Range* next = Range::add(alloc, &left, &right); if (isTruncated()) { next->wrapAroundToInt32(); } setRange(next); } void MSub::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32 && type() != MIRType::Double) { return; } Range left(getOperand(0)); Range right(getOperand(1)); Range* next = Range::sub(alloc, &left, &right); if (isTruncated()) { next->wrapAroundToInt32(); } setRange(next); } void MMul::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32 && type() != MIRType::Double) { return; } Range left(getOperand(0)); Range right(getOperand(1)); if (canBeNegativeZero()) { canBeNegativeZero_ = Range::negativeZeroMul(&left, &right); } Range* next = Range::mul(alloc, &left, &right); if (!next->canBeNegativeZero()) { canBeNegativeZero_ = false; } // Truncated multiplications could overflow in both directions if (isTruncated()) { next->wrapAroundToInt32(); } setRange(next); } void MMod::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32 && type() != MIRType::Double) { return; } Range lhs(getOperand(0)); Range rhs(getOperand(1)); // If either operand is a NaN, the result is NaN. This also conservatively // handles Infinity cases. if (!lhs.hasInt32Bounds() || !rhs.hasInt32Bounds()) { return; } // If RHS can be zero, the result can be NaN. if (rhs.lower() <= 0 && rhs.upper() >= 0) { return; } // If both operands are non-negative integers, we can optimize this to an // unsigned mod. if (type() == MIRType::Int32 && rhs.lower() > 0) { bool hasDoubles = lhs.lower() < 0 || lhs.canHaveFractionalPart() || rhs.canHaveFractionalPart(); // It is not possible to check that lhs.lower() >= 0, since the range // of a ursh with rhs a 0 constant is wrapped around the int32 range in // Range::Range(). However, IsUint32Type() will only return true for // nodes that lie in the range [0, UINT32_MAX]. bool hasUint32s = IsUint32Type(getOperand(0)) && getOperand(1)->type() == MIRType::Int32 && (IsUint32Type(getOperand(1)) || getOperand(1)->isConstant()); if (!hasDoubles || hasUint32s) { unsigned_ = true; } } // For unsigned mod, we have to convert both operands to unsigned. // Note that we handled the case of a zero rhs above. if (unsigned_) { // The result of an unsigned mod will never be unsigned-greater than // either operand. uint32_t lhsBound = std::max(lhs.lower(), lhs.upper()); uint32_t rhsBound = std::max(rhs.lower(), rhs.upper()); // If either range crosses through -1 as a signed value, it could be // the maximum unsigned value when interpreted as unsigned. If the range // doesn't include -1, then the simple max value we computed above is // correct. if (lhs.lower() <= -1 && lhs.upper() >= -1) { lhsBound = UINT32_MAX; } if (rhs.lower() <= -1 && rhs.upper() >= -1) { rhsBound = UINT32_MAX; } // The result will never be equal to the rhs, and we shouldn't have // any rounding to worry about. MOZ_ASSERT(!lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()); --rhsBound; // This gives us two upper bounds, so we can take the best one. setRange(Range::NewUInt32Range(alloc, 0, std::min(lhsBound, rhsBound))); return; } // Math.abs(lhs % rhs) == Math.abs(lhs) % Math.abs(rhs). // First, the absolute value of the result will always be less than the // absolute value of rhs. (And if rhs is zero, the result is NaN). int64_t a = Abs(rhs.lower()); int64_t b = Abs(rhs.upper()); if (a == 0 && b == 0) { return; } int64_t rhsAbsBound = std::max(a, b); // If the value is known to be integer, less-than abs(rhs) is equivalent // to less-than-or-equal abs(rhs)-1. This is important for being able to // say that the result of x%256 is an 8-bit unsigned number. if (!lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()) { --rhsAbsBound; } // Next, the absolute value of the result will never be greater than the // absolute value of lhs. int64_t lhsAbsBound = std::max(Abs(lhs.lower()), Abs(lhs.upper())); // This gives us two upper bounds, so we can take the best one. int64_t absBound = std::min(lhsAbsBound, rhsAbsBound); // Now consider the sign of the result. // If lhs is non-negative, the result will be non-negative. // If lhs is non-positive, the result will be non-positive. int64_t lower = lhs.lower() >= 0 ? 0 : -absBound; int64_t upper = lhs.upper() <= 0 ? 0 : absBound; Range::FractionalPartFlag newCanHaveFractionalPart = Range::FractionalPartFlag(lhs.canHaveFractionalPart() || rhs.canHaveFractionalPart()); // If the lhs can have the sign bit set and we can return a zero, it'll be a // negative zero. Range::NegativeZeroFlag newMayIncludeNegativeZero = Range::NegativeZeroFlag(lhs.canHaveSignBitSet()); setRange(new (alloc) Range(lower, upper, newCanHaveFractionalPart, newMayIncludeNegativeZero, std::min(lhs.exponent(), rhs.exponent()))); } void MDiv::computeRange(TempAllocator& alloc) { if (type() != MIRType::Int32 && type() != MIRType::Double) { return; } Range lhs(getOperand(0)); Range rhs(getOperand(1)); // If either operand is a NaN, the result is NaN. This also conservatively // handles Infinity cases. if (!lhs.hasInt32Bounds() || !rhs.hasInt32Bounds()) { return; } // Something simple for now: When dividing by a positive rhs, the result // won't be further from zero than lhs. if (lhs.lower() >= 0 && rhs.lower() >= 1) { setRange(new (alloc) Range(0, lhs.upper(), Range::IncludesFractionalParts, Range::IncludesNegativeZero, lhs.exponent())); } else if (unsigned_ && rhs.lower() >= 1) { // We shouldn't set the unsigned flag if the inputs can have // fractional parts. MOZ_ASSERT(!lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()); // We shouldn't set the unsigned flag if the inputs can be // negative zero. MOZ_ASSERT(!lhs.canBeNegativeZero() && !rhs.canBeNegativeZero()); // Unsigned division by a non-zero rhs will return a uint32 value. setRange(Range::NewUInt32Range(alloc, 0, UINT32_MAX)); } } void MSqrt::computeRange(TempAllocator& alloc) { Range input(getOperand(0)); // If either operand is a NaN, the result is NaN. This also conservatively // handles Infinity cases. if (!input.hasInt32Bounds()) { return; } // Sqrt of a negative non-zero value is NaN. if (input.lower() < 0) { return; } // Something simple for now: When taking the sqrt of a positive value, the // result won't be further from zero than the input. // And, sqrt of an integer may have a fractional part. setRange(new (alloc) Range(0, input.upper(), Range::IncludesFractionalParts, input.canBeNegativeZero(), input.exponent())); } void MToDouble::computeRange(TempAllocator& alloc) { setRange(new (alloc) Range(getOperand(0))); } void MToFloat32::computeRange(TempAllocator& alloc) {} void MTruncateToInt32::computeRange(TempAllocator& alloc) { Range* output = new (alloc) Range(getOperand(0)); output->wrapAroundToInt32(); setRange(output); } void MToNumberInt32::computeRange(TempAllocator& alloc) { // No clamping since this computes the range *before* bailouts. setRange(new (alloc) Range(getOperand(0))); } void MBooleanToInt32::computeRange(TempAllocator& alloc) { setRange(Range::NewUInt32Range(alloc, 0, 1)); } void MLimitedTruncate::computeRange(TempAllocator& alloc) { Range* output = new (alloc) Range(input()); setRange(output); } static Range* GetArrayBufferViewRange(TempAllocator& alloc, Scalar::Type type) { switch (type) { case Scalar::Uint8Clamped: case Scalar::Uint8: return Range::NewUInt32Range(alloc, 0, UINT8_MAX); case Scalar::Uint16: return Range::NewUInt32Range(alloc, 0, UINT16_MAX); case Scalar::Uint32: return Range::NewUInt32Range(alloc, 0, UINT32_MAX); case Scalar::Int8: return Range::NewInt32Range(alloc, INT8_MIN, INT8_MAX); case Scalar::Int16: return Range::NewInt32Range(alloc, INT16_MIN, INT16_MAX); case Scalar::Int32: return Range::NewInt32Range(alloc, INT32_MIN, INT32_MAX); case Scalar::BigInt64: case Scalar::BigUint64: case Scalar::Int64: case Scalar::Simd128: case Scalar::Float32: case Scalar::Float64: case Scalar::MaxTypedArrayViewType: break; } return nullptr; } void MLoadUnboxedScalar::computeRange(TempAllocator& alloc) { // We have an Int32 type and if this is a UInt32 load it may produce a value // outside of our range, but we have a bailout to handle those cases. setRange(GetArrayBufferViewRange(alloc, storageType())); } void MLoadDataViewElement::computeRange(TempAllocator& alloc) { // We have an Int32 type and if this is a UInt32 load it may produce a value // outside of our range, but we have a bailout to handle those cases. setRange(GetArrayBufferViewRange(alloc, storageType())); } void MArrayLength::computeRange(TempAllocator& alloc) { // Array lengths can go up to UINT32_MAX. We will bail out if the array // length > INT32_MAX. MOZ_ASSERT(type() == MIRType::Int32); setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); } void MInitializedLength::computeRange(TempAllocator& alloc) { setRange( Range::NewUInt32Range(alloc, 0, NativeObject::MAX_DENSE_ELEMENTS_COUNT)); } void MArrayBufferViewLength::computeRange(TempAllocator& alloc) { if constexpr (ArrayBufferObject::MaxByteLength <= INT32_MAX) { setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); } } void MArrayBufferViewByteOffset::computeRange(TempAllocator& alloc) { if constexpr (ArrayBufferObject::MaxByteLength <= INT32_MAX) { setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); } } void MTypedArrayElementSize::computeRange(TempAllocator& alloc) { constexpr auto MaxTypedArraySize = sizeof(double); #define ASSERT_MAX_SIZE(_, T, N) \ static_assert(sizeof(T) <= MaxTypedArraySize, \ "unexpected typed array type exceeding 64-bits storage"); JS_FOR_EACH_TYPED_ARRAY(ASSERT_MAX_SIZE) #undef ASSERT_MAX_SIZE setRange(Range::NewUInt32Range(alloc, 0, MaxTypedArraySize)); } void MStringLength::computeRange(TempAllocator& alloc) { static_assert(JSString::MAX_LENGTH <= UINT32_MAX, "NewUInt32Range requires a uint32 value"); setRange(Range::NewUInt32Range(alloc, 0, JSString::MAX_LENGTH)); } void MArgumentsLength::computeRange(TempAllocator& alloc) { // This is is a conservative upper bound on what |TooManyActualArguments| // checks. If exceeded, Ion will not be entered in the first place. static_assert(ARGS_LENGTH_MAX <= UINT32_MAX, "NewUInt32Range requires a uint32 value"); setRange(Range::NewUInt32Range(alloc, 0, ARGS_LENGTH_MAX)); } void MBoundsCheck::computeRange(TempAllocator& alloc) { // Just transfer the incoming index range to the output. The length() is // also interesting, but it is handled as a bailout check, and we're // computing a pre-bailout range here. setRange(new (alloc) Range(index())); } void MSpectreMaskIndex::computeRange(TempAllocator& alloc) { // Just transfer the incoming index range to the output for now. setRange(new (alloc) Range(index())); } void MInt32ToIntPtr::computeRange(TempAllocator& alloc) { setRange(new (alloc) Range(input())); } void MNonNegativeIntPtrToInt32::computeRange(TempAllocator& alloc) { // We will bail out if the IntPtr value > INT32_MAX. setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); } void MArrayPush::computeRange(TempAllocator& alloc) { // MArrayPush returns the new array length. It bails out if the new length // doesn't fit in an Int32. MOZ_ASSERT(type() == MIRType::Int32); setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); } void MMathFunction::computeRange(TempAllocator& alloc) { Range opRange(getOperand(0)); switch (function()) { case UnaryMathFunction::SinNative: case UnaryMathFunction::SinFdlibm: case UnaryMathFunction::CosNative: case UnaryMathFunction::CosFdlibm: if (!opRange.canBeInfiniteOrNaN()) { setRange(Range::NewDoubleRange(alloc, -1.0, 1.0)); } break; default: break; } } void MSign::computeRange(TempAllocator& alloc) { Range opRange(getOperand(0)); setRange(Range::sign(alloc, &opRange)); } void MRandom::computeRange(TempAllocator& alloc) { Range* r = Range::NewDoubleRange(alloc, 0.0, 1.0); // Random never returns negative zero. r->refineToExcludeNegativeZero(); setRange(r); } void MNaNToZero::computeRange(TempAllocator& alloc) { Range other(input()); setRange(Range::NaNToZero(alloc, &other)); } /////////////////////////////////////////////////////////////////////////////// // Range Analysis /////////////////////////////////////////////////////////////////////////////// static BranchDirection NegateBranchDirection(BranchDirection dir) { return (dir == FALSE_BRANCH) ? TRUE_BRANCH : FALSE_BRANCH; } bool RangeAnalysis::analyzeLoop(MBasicBlock* header) { MOZ_ASSERT(header->hasUniqueBackedge()); // Try to compute an upper bound on the number of times the loop backedge // will be taken. Look for tests that dominate the backedge and which have // an edge leaving the loop body. MBasicBlock* backedge = header->backedge(); // Ignore trivial infinite loops. if (backedge == header) { return true; } bool canOsr; size_t numBlocks = MarkLoopBlocks(graph_, header, &canOsr); // Ignore broken loops. if (numBlocks == 0) { return true; } LoopIterationBound* iterationBound = nullptr; MBasicBlock* block = backedge; do { BranchDirection direction; MTest* branch = block->immediateDominatorBranch(&direction); if (block == block->immediateDominator()) { break; } block = block->immediateDominator(); if (branch) { direction = NegateBranchDirection(direction); MBasicBlock* otherBlock = branch->branchSuccessor(direction); if (!otherBlock->isMarked()) { if (!alloc().ensureBallast()) { return false; } iterationBound = analyzeLoopIterationCount(header, branch, direction); if (iterationBound) { break; } } } } while (block != header); if (!iterationBound) { UnmarkLoopBlocks(graph_, header); return true; } if (!loopIterationBounds.append(iterationBound)) { return false; } #ifdef DEBUG if (JitSpewEnabled(JitSpew_Range)) { Sprinter sp(GetJitContext()->cx); if (!sp.init()) { return false; } iterationBound->boundSum.dump(sp); JitSpew(JitSpew_Range, "computed symbolic bound on backedges: %s", sp.string()); } #endif // Try to compute symbolic bounds for the phi nodes at the head of this // loop, expressed in terms of the iteration bound just computed. for (MPhiIterator iter(header->phisBegin()); iter != header->phisEnd(); iter++) { analyzeLoopPhi(iterationBound, *iter); } if (!mir->compilingWasm() && !mir->outerInfo().hadBoundsCheckBailout()) { // Try to hoist any bounds checks from the loop using symbolic bounds. Vector hoistedChecks(alloc()); for (ReversePostorderIterator iter(graph_.rpoBegin(header)); iter != graph_.rpoEnd(); iter++) { MBasicBlock* block = *iter; if (!block->isMarked()) { continue; } for (MDefinitionIterator iter(block); iter; iter++) { MDefinition* def = *iter; if (def->isBoundsCheck() && def->isMovable()) { if (!alloc().ensureBallast()) { return false; } if (tryHoistBoundsCheck(header, def->toBoundsCheck())) { if (!hoistedChecks.append(def->toBoundsCheck())) { return false; } } } } } // Note: replace all uses of the original bounds check with the // actual index. This is usually done during bounds check elimination, // but in this case it's safe to do it here since the load/store is // definitely not loop-invariant, so we will never move it before // one of the bounds checks we just added. for (size_t i = 0; i < hoistedChecks.length(); i++) { MBoundsCheck* ins = hoistedChecks[i]; ins->replaceAllUsesWith(ins->index()); ins->block()->discard(ins); } } UnmarkLoopBlocks(graph_, header); return true; } // Unbox beta nodes in order to hoist instruction properly, and not be limited // by the beta nodes which are added after each branch. static inline MDefinition* DefinitionOrBetaInputDefinition(MDefinition* ins) { while (ins->isBeta()) { ins = ins->toBeta()->input(); } return ins; } LoopIterationBound* RangeAnalysis::analyzeLoopIterationCount( MBasicBlock* header, MTest* test, BranchDirection direction) { SimpleLinearSum lhs(nullptr, 0); MDefinition* rhs; bool lessEqual; if (!ExtractLinearInequality(test, direction, &lhs, &rhs, &lessEqual)) { return nullptr; } // Ensure the rhs is a loop invariant term. if (rhs && rhs->block()->isMarked()) { if (lhs.term && lhs.term->block()->isMarked()) { return nullptr; } MDefinition* temp = lhs.term; lhs.term = rhs; rhs = temp; if (!SafeSub(0, lhs.constant, &lhs.constant)) { return nullptr; } lessEqual = !lessEqual; } MOZ_ASSERT_IF(rhs, !rhs->block()->isMarked()); // Ensure the lhs is a phi node from the start of the loop body. if (!lhs.term || !lhs.term->isPhi() || lhs.term->block() != header) { return nullptr; } // Check that the value of the lhs changes by a constant amount with each // loop iteration. This requires that the lhs be written in every loop // iteration with a value that is a constant difference from its value at // the start of the iteration. if (lhs.term->toPhi()->numOperands() != 2) { return nullptr; } // The first operand of the phi should be the lhs' value at the start of // the first executed iteration, and not a value written which could // replace the second operand below during the middle of execution. MDefinition* lhsInitial = lhs.term->toPhi()->getLoopPredecessorOperand(); if (lhsInitial->block()->isMarked()) { return nullptr; } // The second operand of the phi should be a value written by an add/sub // in every loop iteration, i.e. in a block which dominates the backedge. MDefinition* lhsWrite = DefinitionOrBetaInputDefinition( lhs.term->toPhi()->getLoopBackedgeOperand()); if (!lhsWrite->isAdd() && !lhsWrite->isSub()) { return nullptr; } if (!lhsWrite->block()->isMarked()) { return nullptr; } MBasicBlock* bb = header->backedge(); for (; bb != lhsWrite->block() && bb != header; bb = bb->immediateDominator()) { } if (bb != lhsWrite->block()) { return nullptr; } SimpleLinearSum lhsModified = ExtractLinearSum(lhsWrite); // Check that the value of the lhs at the backedge is of the form // 'old(lhs) + N'. We can be sure that old(lhs) is the value at the start // of the iteration, and not that written to lhs in a previous iteration, // as such a previous value could not appear directly in the addition: // it could not be stored in lhs as the lhs add/sub executes in every // iteration, and if it were stored in another variable its use here would // be as an operand to a phi node for that variable. if (lhsModified.term != lhs.term) { return nullptr; } LinearSum iterationBound(alloc()); LinearSum currentIteration(alloc()); if (lhsModified.constant == 1 && !lessEqual) { // The value of lhs is 'initial(lhs) + iterCount' and this will end // execution of the loop if 'lhs + lhsN >= rhs'. Thus, an upper bound // on the number of backedges executed is: // // initial(lhs) + iterCount + lhsN == rhs // iterCount == rhsN - initial(lhs) - lhsN if (rhs) { if (!iterationBound.add(rhs, 1)) { return nullptr; } } if (!iterationBound.add(lhsInitial, -1)) { return nullptr; } int32_t lhsConstant; if (!SafeSub(0, lhs.constant, &lhsConstant)) { return nullptr; } if (!iterationBound.add(lhsConstant)) { return nullptr; } if (!currentIteration.add(lhs.term, 1)) { return nullptr; } if (!currentIteration.add(lhsInitial, -1)) { return nullptr; } } else if (lhsModified.constant == -1 && lessEqual) { // The value of lhs is 'initial(lhs) - iterCount'. Similar to the above // case, an upper bound on the number of backedges executed is: // // initial(lhs) - iterCount + lhsN == rhs // iterCount == initial(lhs) - rhs + lhsN if (!iterationBound.add(lhsInitial, 1)) { return nullptr; } if (rhs) { if (!iterationBound.add(rhs, -1)) { return nullptr; } } if (!iterationBound.add(lhs.constant)) { return nullptr; } if (!currentIteration.add(lhsInitial, 1)) { return nullptr; } if (!currentIteration.add(lhs.term, -1)) { return nullptr; } } else { return nullptr; } return new (alloc()) LoopIterationBound(header, test, iterationBound, currentIteration); } void RangeAnalysis::analyzeLoopPhi(LoopIterationBound* loopBound, MPhi* phi) { // Given a bound on the number of backedges taken, compute an upper and // lower bound for a phi node that may change by a constant amount each // iteration. Unlike for the case when computing the iteration bound // itself, the phi does not need to change the same amount every iteration, // but is required to change at most N and be either nondecreasing or // nonincreasing. MOZ_ASSERT(phi->numOperands() == 2); MDefinition* initial = phi->getLoopPredecessorOperand(); if (initial->block()->isMarked()) { return; } SimpleLinearSum modified = ExtractLinearSum(phi->getLoopBackedgeOperand(), MathSpace::Infinite); if (modified.term != phi || modified.constant == 0) { return; } if (!phi->range()) { phi->setRange(new (alloc()) Range(phi)); } LinearSum initialSum(alloc()); if (!initialSum.add(initial, 1)) { return; } // The phi may change by N each iteration, and is either nondecreasing or // nonincreasing. initial(phi) is either a lower or upper bound for the // phi, and initial(phi) + loopBound * N is either an upper or lower bound, // at all points within the loop, provided that loopBound >= 0. // // We are more interested, however, in the bound for phi at points // dominated by the loop bound's test; if the test dominates e.g. a bounds // check we want to hoist from the loop, using the value of the phi at the // head of the loop for this will usually be too imprecise to hoist the // check. These points will execute only if the backedge executes at least // one more time (as the test passed and the test dominates the backedge), // so we know both that loopBound >= 1 and that the phi's value has changed // at most loopBound - 1 times. Thus, another upper or lower bound for the // phi is initial(phi) + (loopBound - 1) * N, without requiring us to // ensure that loopBound >= 0. LinearSum limitSum(loopBound->boundSum); if (!limitSum.multiply(modified.constant) || !limitSum.add(initialSum)) { return; } int32_t negativeConstant; if (!SafeSub(0, modified.constant, &negativeConstant) || !limitSum.add(negativeConstant)) { return; } Range* initRange = initial->range(); if (modified.constant > 0) { if (initRange && initRange->hasInt32LowerBound()) { phi->range()->refineLower(initRange->lower()); } phi->range()->setSymbolicLower( SymbolicBound::New(alloc(), nullptr, initialSum)); phi->range()->setSymbolicUpper( SymbolicBound::New(alloc(), loopBound, limitSum)); } else { if (initRange && initRange->hasInt32UpperBound()) { phi->range()->refineUpper(initRange->upper()); } phi->range()->setSymbolicUpper( SymbolicBound::New(alloc(), nullptr, initialSum)); phi->range()->setSymbolicLower( SymbolicBound::New(alloc(), loopBound, limitSum)); } JitSpew(JitSpew_Range, "added symbolic range on %u", phi->id()); SpewRange(phi); } // Whether bound is valid at the specified bounds check instruction in a loop, // and may be used to hoist ins. static inline bool SymbolicBoundIsValid(MBasicBlock* header, MBoundsCheck* ins, const SymbolicBound* bound) { if (!bound->loop) { return true; } if (ins->block() == header) { return false; } MBasicBlock* bb = ins->block()->immediateDominator(); while (bb != header && bb != bound->loop->test->block()) { bb = bb->immediateDominator(); } return bb == bound->loop->test->block(); } bool RangeAnalysis::tryHoistBoundsCheck(MBasicBlock* header, MBoundsCheck* ins) { // The bounds check's length must be loop invariant or a constant. MDefinition* length = DefinitionOrBetaInputDefinition(ins->length()); if (length->block()->isMarked() && !length->isConstant()) { return false; } // The bounds check's index should not be loop invariant (else we would // already have hoisted it during LICM). SimpleLinearSum index = ExtractLinearSum(ins->index()); if (!index.term || !index.term->block()->isMarked()) { return false; } // Check for a symbolic lower and upper bound on the index. If either // condition depends on an iteration bound for the loop, only hoist if // the bounds check is dominated by the iteration bound's test. if (!index.term->range()) { return false; } const SymbolicBound* lower = index.term->range()->symbolicLower(); if (!lower || !SymbolicBoundIsValid(header, ins, lower)) { return false; } const SymbolicBound* upper = index.term->range()->symbolicUpper(); if (!upper || !SymbolicBoundIsValid(header, ins, upper)) { return false; } MBasicBlock* preLoop = header->loopPredecessor(); MOZ_ASSERT(!preLoop->isMarked()); MDefinition* lowerTerm = ConvertLinearSum(alloc(), preLoop, lower->sum, BailoutKind::HoistBoundsCheck); if (!lowerTerm) { return false; } MDefinition* upperTerm = ConvertLinearSum(alloc(), preLoop, upper->sum, BailoutKind::HoistBoundsCheck); if (!upperTerm) { return false; } // We are checking that index + indexConstant >= 0, and know that // index >= lowerTerm + lowerConstant. Thus, check that: // // lowerTerm + lowerConstant + indexConstant >= 0 // lowerTerm >= -lowerConstant - indexConstant int32_t lowerConstant = 0; if (!SafeSub(lowerConstant, index.constant, &lowerConstant)) { return false; } if (!SafeSub(lowerConstant, lower->sum.constant(), &lowerConstant)) { return false; } // We are checking that index < boundsLength, and know that // index <= upperTerm + upperConstant. Thus, check that: // // upperTerm + upperConstant < boundsLength int32_t upperConstant = index.constant; if (!SafeAdd(upper->sum.constant(), upperConstant, &upperConstant)) { return false; } // Hoist the loop invariant lower bounds checks. MBoundsCheckLower* lowerCheck = MBoundsCheckLower::New(alloc(), lowerTerm); lowerCheck->setMinimum(lowerConstant); lowerCheck->computeRange(alloc()); lowerCheck->collectRangeInfoPreTrunc(); lowerCheck->setBailoutKind(BailoutKind::HoistBoundsCheck); preLoop->insertBefore(preLoop->lastIns(), lowerCheck); // A common pattern for iterating over typed arrays is this: // // for (var i = 0; i < ta.length; i++) { // use ta[i]; // } // // Here |upperTerm| (= ta.length) is a NonNegativeIntPtrToInt32 instruction. // Unwrap this if |length| is also an IntPtr so that we don't add an // unnecessary bounds check and Int32ToIntPtr below. if (upperTerm->isNonNegativeIntPtrToInt32() && length->type() == MIRType::IntPtr) { upperTerm = upperTerm->toNonNegativeIntPtrToInt32()->input(); } // Hoist the loop invariant upper bounds checks. if (upperTerm != length || upperConstant >= 0) { // Hoist the bound check's length if it isn't already loop invariant. if (length->block()->isMarked()) { MOZ_ASSERT(length->isConstant()); MInstruction* lengthIns = length->toInstruction(); lengthIns->block()->moveBefore(preLoop->lastIns(), lengthIns); } // If the length is IntPtr, convert the upperTerm to that as well for the // bounds check. if (length->type() == MIRType::IntPtr && upperTerm->type() == MIRType::Int32) { upperTerm = MInt32ToIntPtr::New(alloc(), upperTerm); upperTerm->computeRange(alloc()); upperTerm->collectRangeInfoPreTrunc(); preLoop->insertBefore(preLoop->lastIns(), upperTerm->toInstruction()); } MBoundsCheck* upperCheck = MBoundsCheck::New(alloc(), upperTerm, length); upperCheck->setMinimum(upperConstant); upperCheck->setMaximum(upperConstant); upperCheck->computeRange(alloc()); upperCheck->collectRangeInfoPreTrunc(); upperCheck->setBailoutKind(BailoutKind::HoistBoundsCheck); preLoop->insertBefore(preLoop->lastIns(), upperCheck); } return true; } bool RangeAnalysis::analyze() { JitSpew(JitSpew_Range, "Doing range propagation"); for (ReversePostorderIterator iter(graph_.rpoBegin()); iter != graph_.rpoEnd(); iter++) { MBasicBlock* block = *iter; // No blocks are supposed to be unreachable, except when we have an OSR // block, in which case the Value Numbering phase add fixup blocks which // are unreachable. MOZ_ASSERT(!block->unreachable() || graph_.osrBlock()); // If the block's immediate dominator is unreachable, the block is // unreachable. Iterating in RPO, we'll always see the immediate // dominator before the block. if (block->immediateDominator()->unreachable()) { block->setUnreachableUnchecked(); continue; } for (MDefinitionIterator iter(block); iter; iter++) { MDefinition* def = *iter; if (!alloc().ensureBallast()) { return false; } def->computeRange(alloc()); JitSpew(JitSpew_Range, "computing range on %u", def->id()); SpewRange(def); } // Beta node range analysis may have marked this block unreachable. If // so, it's no longer interesting to continue processing it. if (block->unreachable()) { continue; } if (block->isLoopHeader()) { if (!analyzeLoop(block)) { return false; } } // First pass at collecting range info - while the beta nodes are still // around and before truncation. for (MInstructionIterator iter(block->begin()); iter != block->end(); iter++) { iter->collectRangeInfoPreTrunc(); } } return true; } bool RangeAnalysis::addRangeAssertions() { if (!JitOptions.checkRangeAnalysis) { return true; } // Check the computed range for this instruction, if the option is set. Note // that this code is quite invasive; it adds numerous additional // instructions for each MInstruction with a computed range, and it uses // registers, so it also affects register allocation. for (ReversePostorderIterator iter(graph_.rpoBegin()); iter != graph_.rpoEnd(); iter++) { MBasicBlock* block = *iter; // Do not add assertions in unreachable blocks. if (block->unreachable()) { continue; } for (MDefinitionIterator iter(block); iter; iter++) { MDefinition* ins = *iter; // Perform range checking for all numeric and numeric-like types. if (!IsNumberType(ins->type()) && ins->type() != MIRType::Boolean && ins->type() != MIRType::Value && ins->type() != MIRType::IntPtr) { continue; } // MIsNoIter is fused with the MTest that follows it and emitted as // LIsNoIterAndBranch. Similarly, MIteratorHasIndices is fused to // become LIteratorHasIndicesAndBranch. Skip them to avoid complicating // lowering. if (ins->isIsNoIter() || ins->isIteratorHasIndices()) { MOZ_ASSERT(ins->hasOneUse()); continue; } Range r(ins); MOZ_ASSERT_IF(ins->type() == MIRType::Int64, r.isUnknown()); // Don't insert assertions if there's nothing interesting to assert. if (r.isUnknown() || (ins->type() == MIRType::Int32 && r.isUnknownInt32())) { continue; } // Don't add a use to an instruction that is recovered on bailout. if (ins->isRecoveredOnBailout()) { continue; } if (!alloc().ensureBallast()) { return false; } MAssertRange* guard = MAssertRange::New(alloc(), ins, new (alloc()) Range(r)); // Beta nodes and interrupt checks are required to be located at the // beginnings of basic blocks, so we must insert range assertions // after any such instructions. MInstruction* insertAt = nullptr; if (block->graph().osrBlock() == block) { insertAt = ins->toInstruction(); } else { insertAt = block->safeInsertTop(ins); } if (insertAt == *iter) { block->insertAfter(insertAt, guard); } else { block->insertBefore(insertAt, guard); } } } return true; } /////////////////////////////////////////////////////////////////////////////// // Range based Truncation /////////////////////////////////////////////////////////////////////////////// void Range::clampToInt32() { if (isInt32()) { return; } int32_t l = hasInt32LowerBound() ? lower() : JSVAL_INT_MIN; int32_t h = hasInt32UpperBound() ? upper() : JSVAL_INT_MAX; setInt32(l, h); } void Range::wrapAroundToInt32() { if (!hasInt32Bounds()) { setInt32(JSVAL_INT_MIN, JSVAL_INT_MAX); } else if (canHaveFractionalPart()) { // Clearing the fractional field may provide an opportunity to refine // lower_ or upper_. canHaveFractionalPart_ = ExcludesFractionalParts; canBeNegativeZero_ = ExcludesNegativeZero; refineInt32BoundsByExponent(max_exponent_, &lower_, &hasInt32LowerBound_, &upper_, &hasInt32UpperBound_); assertInvariants(); } else { // If nothing else, we can clear the negative zero flag. canBeNegativeZero_ = ExcludesNegativeZero; } MOZ_ASSERT(isInt32()); } void Range::wrapAroundToShiftCount() { wrapAroundToInt32(); if (lower() < 0 || upper() >= 32) { setInt32(0, 31); } } void Range::wrapAroundToBoolean() { wrapAroundToInt32(); if (!isBoolean()) { setInt32(0, 1); } MOZ_ASSERT(isBoolean()); } bool MDefinition::canTruncate() const { // No procedure defined for truncating this instruction. return false; } void MDefinition::truncate(TruncateKind kind) { MOZ_CRASH("No procedure defined for truncating this instruction."); } bool MConstant::canTruncate() const { return IsFloatingPointType(type()); } void MConstant::truncate(TruncateKind kind) { MOZ_ASSERT(canTruncate()); // Truncate the double to int, since all uses truncates it. int32_t res = ToInt32(numberToDouble()); payload_.asBits = 0; payload_.i32 = res; setResultType(MIRType::Int32); if (range()) { range()->setInt32(res, res); } } bool MPhi::canTruncate() const { return type() == MIRType::Double || type() == MIRType::Int32; } void MPhi::truncate(TruncateKind kind) { MOZ_ASSERT(canTruncate()); truncateKind_ = kind; setResultType(MIRType::Int32); if (kind >= TruncateKind::IndirectTruncate && range()) { range()->wrapAroundToInt32(); } } bool MAdd::canTruncate() const { return type() == MIRType::Double || type() == MIRType::Int32; } void MAdd::truncate(TruncateKind kind) { MOZ_ASSERT(canTruncate()); // Remember analysis, needed for fallible checks. setTruncateKind(kind); setSpecialization(MIRType::Int32); if (truncateKind() >= TruncateKind::IndirectTruncate && range()) { range()->wrapAroundToInt32(); } } bool MSub::canTruncate() const { return type() == MIRType::Double || type() == MIRType::Int32; } void MSub::truncate(TruncateKind kind) { MOZ_ASSERT(canTruncate()); // Remember analysis, needed for fallible checks. setTruncateKind(kind); setSpecialization(MIRType::Int32); if (truncateKind() >= TruncateKind::IndirectTruncate && range()) { range()->wrapAroundToInt32(); } } bool MMul::canTruncate() const { return type() == MIRType::Double || type() == MIRType::Int32; } void MMul::truncate(TruncateKind kind) { MOZ_ASSERT(canTruncate()); // Remember analysis, needed for fallible checks. setTruncateKind(kind); setSpecialization(MIRType::Int32); if (truncateKind() >= TruncateKind::IndirectTruncate) { setCanBeNegativeZero(false); if (range()) { range()->wrapAroundToInt32(); } } } bool MDiv::canTruncate() const { return type() == MIRType::Double || type() == MIRType::Int32; } void MDiv::truncate(TruncateKind kind) { MOZ_ASSERT(canTruncate()); // Remember analysis, needed for fallible checks. setTruncateKind(kind); setSpecialization(MIRType::Int32); // Divisions where the lhs and rhs are unsigned and the result is // truncated can be lowered more efficiently. if (unsignedOperands()) { replaceWithUnsignedOperands(); unsigned_ = true; } } bool MMod::canTruncate() const { return type() == MIRType::Double || type() == MIRType::Int32; } void MMod::truncate(TruncateKind kind) { // As for division, handle unsigned modulus with a truncated result. MOZ_ASSERT(canTruncate()); // Remember analysis, needed for fallible checks. setTruncateKind(kind); setSpecialization(MIRType::Int32); if (unsignedOperands()) { replaceWithUnsignedOperands(); unsigned_ = true; } } bool MToDouble::canTruncate() const { MOZ_ASSERT(type() == MIRType::Double); return true; } void MToDouble::truncate(TruncateKind kind) { MOZ_ASSERT(canTruncate()); setTruncateKind(kind); // We use the return type to flag that this MToDouble should be replaced by // a MTruncateToInt32 when modifying the graph. setResultType(MIRType::Int32); if (truncateKind() >= TruncateKind::IndirectTruncate) { if (range()) { range()->wrapAroundToInt32(); } } } bool MLimitedTruncate::canTruncate() const { return true; } void MLimitedTruncate::truncate(TruncateKind kind) { MOZ_ASSERT(canTruncate()); setTruncateKind(kind); setResultType(MIRType::Int32); if (kind >= TruncateKind::IndirectTruncate && range()) { range()->wrapAroundToInt32(); } } bool MCompare::canTruncate() const { if (!isDoubleComparison()) { return false; } // If both operands are naturally in the int32 range, we can convert from // a double comparison to being an int32 comparison. if (!Range(lhs()).isInt32() || !Range(rhs()).isInt32()) { return false; } return true; } void MCompare::truncate(TruncateKind kind) { MOZ_ASSERT(canTruncate()); compareType_ = Compare_Int32; // Truncating the operands won't change their value because we don't force a // truncation, but it will change their type, which we need because we // now expect integer inputs. truncateOperands_ = true; } TruncateKind MDefinition::operandTruncateKind(size_t index) const { // Generic routine: We don't know anything. return TruncateKind::NoTruncate; } TruncateKind MPhi::operandTruncateKind(size_t index) const { // The truncation applied to a phi is effectively applied to the phi's // operands. return truncateKind_; } TruncateKind MTruncateToInt32::operandTruncateKind(size_t index) const { // This operator is an explicit truncate to int32. return TruncateKind::Truncate; } TruncateKind MBinaryBitwiseInstruction::operandTruncateKind( size_t index) const { // The bitwise operators truncate to int32. return TruncateKind::Truncate; } TruncateKind MLimitedTruncate::operandTruncateKind(size_t index) const { return std::min(truncateKind(), truncateLimit_); } TruncateKind MAdd::operandTruncateKind(size_t index) const { // This operator is doing some arithmetic. If its result is truncated, // it's an indirect truncate for its operands. return std::min(truncateKind(), TruncateKind::IndirectTruncate); } TruncateKind MSub::operandTruncateKind(size_t index) const { // See the comment in MAdd::operandTruncateKind. return std::min(truncateKind(), TruncateKind::IndirectTruncate); } TruncateKind MMul::operandTruncateKind(size_t index) const { // See the comment in MAdd::operandTruncateKind. return std::min(truncateKind(), TruncateKind::IndirectTruncate); } TruncateKind MToDouble::operandTruncateKind(size_t index) const { // MToDouble propagates its truncate kind to its operand. return truncateKind(); } TruncateKind MStoreUnboxedScalar::operandTruncateKind(size_t index) const { // An integer store truncates the stored value. return (index == 2 && isIntegerWrite()) ? TruncateKind::Truncate : TruncateKind::NoTruncate; } TruncateKind MStoreDataViewElement::operandTruncateKind(size_t index) const { // An integer store truncates the stored value. return (index == 2 && isIntegerWrite()) ? TruncateKind::Truncate : TruncateKind::NoTruncate; } TruncateKind MStoreTypedArrayElementHole::operandTruncateKind( size_t index) const { // An integer store truncates the stored value. return (index == 3 && isIntegerWrite()) ? TruncateKind::Truncate : TruncateKind::NoTruncate; } TruncateKind MDiv::operandTruncateKind(size_t index) const { return std::min(truncateKind(), TruncateKind::TruncateAfterBailouts); } TruncateKind MMod::operandTruncateKind(size_t index) const { return std::min(truncateKind(), TruncateKind::TruncateAfterBailouts); } TruncateKind MCompare::operandTruncateKind(size_t index) const { // If we're doing an int32 comparison on operands which were previously // floating-point, convert them! MOZ_ASSERT_IF(truncateOperands_, isInt32Comparison()); return truncateOperands_ ? TruncateKind::TruncateAfterBailouts : TruncateKind::NoTruncate; } static bool TruncateTest(TempAllocator& alloc, MTest* test) { // If all possible inputs to the test are either int32 or boolean, // convert those inputs to int32 so that an int32 test can be performed. if (test->input()->type() != MIRType::Value) { return true; } if (!test->input()->isPhi() || !test->input()->hasOneDefUse() || test->input()->isImplicitlyUsed()) { return true; } MPhi* phi = test->input()->toPhi(); for (size_t i = 0; i < phi->numOperands(); i++) { MDefinition* def = phi->getOperand(i); if (!def->isBox()) { return true; } MDefinition* inner = def->getOperand(0); if (inner->type() != MIRType::Boolean && inner->type() != MIRType::Int32) { return true; } } for (size_t i = 0; i < phi->numOperands(); i++) { MDefinition* inner = phi->getOperand(i)->getOperand(0); if (inner->type() != MIRType::Int32) { if (!alloc.ensureBallast()) { return false; } MBasicBlock* block = inner->block(); inner = MToNumberInt32::New(alloc, inner); block->insertBefore(block->lastIns(), inner->toInstruction()); } MOZ_ASSERT(inner->type() == MIRType::Int32); phi->replaceOperand(i, inner); } phi->setResultType(MIRType::Int32); return true; } // Truncating instruction result is an optimization which implies // knowing all uses of an instruction. This implies that if one of // the uses got removed, then Range Analysis is not be allowed to do // any modification which can change the result, especially if the // result can be observed. // // This corner can easily be understood with UCE examples, but it // might also happen with type inference assumptions. Note: Type // inference is implicitly branches where other types might be // flowing into. static bool CloneForDeadBranches(TempAllocator& alloc, MInstruction* candidate) { // Compare returns a boolean so it doesn't have to be recovered on bailout // because the output would remain correct. if (candidate->isCompare()) { return true; } MOZ_ASSERT(candidate->canClone()); if (!alloc.ensureBallast()) { return false; } MDefinitionVector operands(alloc); size_t end = candidate->numOperands(); if (!operands.reserve(end)) { return false; } for (size_t i = 0; i < end; ++i) { operands.infallibleAppend(candidate->getOperand(i)); } MInstruction* clone = candidate->clone(alloc, operands); if (!clone) { return false; } clone->setRange(nullptr); // Set ImplicitlyUsed flag on the cloned instruction in order to chain recover // instruction for the bailout path. clone->setImplicitlyUsedUnchecked(); candidate->block()->insertBefore(candidate, clone); if (!candidate->maybeConstantValue()) { MOZ_ASSERT(clone->canRecoverOnBailout()); clone->setRecoveredOnBailout(); } // Replace the candidate by its recovered on bailout clone within recovered // instructions and resume points operands. for (MUseIterator i(candidate->usesBegin()); i != candidate->usesEnd();) { MUse* use = *i++; MNode* ins = use->consumer(); if (ins->isDefinition() && !ins->toDefinition()->isRecoveredOnBailout()) { continue; } use->replaceProducer(clone); } return true; } // Examine all the users of |candidate| and determine the most aggressive // truncate kind that satisfies all of them. static TruncateKind ComputeRequestedTruncateKind(MDefinition* candidate, bool* shouldClone) { bool isCapturedResult = false; // Check if used by a recovered instruction or a resume point. bool isObservableResult = false; // Check if it can be read from another frame. bool isRecoverableResult = true; // Check if it can safely be reconstructed. bool isImplicitlyUsed = candidate->isImplicitlyUsed(); bool hasTryBlock = candidate->block()->graph().hasTryBlock(); TruncateKind kind = TruncateKind::Truncate; for (MUseIterator use(candidate->usesBegin()); use != candidate->usesEnd(); use++) { if (use->consumer()->isResumePoint()) { // Truncation is a destructive optimization, as such, we need to pay // attention to removed branches and prevent optimization // destructive optimizations if we have no alternative. (see // ImplicitlyUsed flag) isCapturedResult = true; isObservableResult = isObservableResult || use->consumer()->toResumePoint()->isObservableOperand(*use); isRecoverableResult = isRecoverableResult && use->consumer()->toResumePoint()->isRecoverableOperand(*use); continue; } MDefinition* consumer = use->consumer()->toDefinition(); if (consumer->isRecoveredOnBailout()) { isCapturedResult = true; isImplicitlyUsed = isImplicitlyUsed || consumer->isImplicitlyUsed(); continue; } TruncateKind consumerKind = consumer->operandTruncateKind(consumer->indexOf(*use)); kind = std::min(kind, consumerKind); if (kind == TruncateKind::NoTruncate) { break; } } // We cannot do full trunction on guarded instructions. if (candidate->isGuard() || candidate->isGuardRangeBailouts()) { kind = std::min(kind, TruncateKind::TruncateAfterBailouts); } // If the value naturally produces an int32 value (before bailout checks) // that needs no conversion, we don't have to worry about resume points // seeing truncated values. bool needsConversion = !candidate->range() || !candidate->range()->isInt32(); // If the instruction is explicitly truncated (not indirectly) by all its // uses and if it is not implicitly used, then we can safely encode its // truncated result as part of the resume point operands. This is safe, // because even if we resume with a truncated double, the next baseline // instruction operating on this instruction is going to be a no-op. // // Note, that if the result can be observed from another frame, then this // optimization is not safe. Similarly, if this function contains a try // block, the result could be observed from a catch block, which we do // not compile. bool safeToConvert = kind == TruncateKind::Truncate && !isImplicitlyUsed && !isObservableResult && !hasTryBlock; // If the candidate instruction appears as operand of a resume point or a // recover instruction, and we have to truncate its result, then we might // have to either recover the result during the bailout, or avoid the // truncation. if (isCapturedResult && needsConversion && !safeToConvert) { // If the result can be recovered from all the resume points (not needed // for iterating over the inlined frames), and this instruction can be // recovered on bailout, then we can clone it and use the cloned // instruction to encode the recover instruction. Otherwise, we should // keep the original result and bailout if the value is not in the int32 // range. if (!JitOptions.disableRecoverIns && isRecoverableResult && candidate->canRecoverOnBailout()) { *shouldClone = true; } else { kind = std::min(kind, TruncateKind::TruncateAfterBailouts); } } return kind; } static TruncateKind ComputeTruncateKind(MDefinition* candidate, bool* shouldClone) { // Compare operations might coerce its inputs to int32 if the ranges are // correct. So we do not need to check if all uses are coerced. if (candidate->isCompare()) { return TruncateKind::TruncateAfterBailouts; } // Set truncated flag if range analysis ensure that it has no // rounding errors and no fractional part. Note that we can't use // the MDefinition Range constructor, because we need to know if // the value will have rounding errors before any bailout checks. const Range* r = candidate->range(); bool canHaveRoundingErrors = !r || r->canHaveRoundingErrors(); // Special case integer division and modulo: a/b can be infinite, and a%b // can be NaN but cannot actually have rounding errors induced by truncation. if ((candidate->isDiv() || candidate->isMod()) && candidate->type() == MIRType::Int32) { canHaveRoundingErrors = false; } if (canHaveRoundingErrors) { return TruncateKind::NoTruncate; } // Ensure all observable uses are truncated. return ComputeRequestedTruncateKind(candidate, shouldClone); } static void RemoveTruncatesOnOutput(MDefinition* truncated) { // Compare returns a boolean so it doen't have any output truncates. if (truncated->isCompare()) { return; } MOZ_ASSERT(truncated->type() == MIRType::Int32); MOZ_ASSERT(Range(truncated).isInt32()); for (MUseDefIterator use(truncated); use; use++) { MDefinition* def = use.def(); if (!def->isTruncateToInt32() || !def->isToNumberInt32()) { continue; } def->replaceAllUsesWith(truncated); } } void RangeAnalysis::adjustTruncatedInputs(MDefinition* truncated) { MBasicBlock* block = truncated->block(); for (size_t i = 0, e = truncated->numOperands(); i < e; i++) { TruncateKind kind = truncated->operandTruncateKind(i); if (kind == TruncateKind::NoTruncate) { continue; } MDefinition* input = truncated->getOperand(i); if (input->type() == MIRType::Int32) { continue; } if (input->isToDouble() && input->getOperand(0)->type() == MIRType::Int32) { truncated->replaceOperand(i, input->getOperand(0)); } else { MInstruction* op; if (kind == TruncateKind::TruncateAfterBailouts) { MOZ_ASSERT(!mir->outerInfo().hadEagerTruncationBailout()); op = MToNumberInt32::New(alloc(), truncated->getOperand(i)); op->setBailoutKind(BailoutKind::EagerTruncation); } else { op = MTruncateToInt32::New(alloc(), truncated->getOperand(i)); } if (truncated->isPhi()) { MBasicBlock* pred = block->getPredecessor(i); pred->insertBefore(pred->lastIns(), op); } else { block->insertBefore(truncated->toInstruction(), op); } truncated->replaceOperand(i, op); } } if (truncated->isToDouble()) { truncated->replaceAllUsesWith(truncated->toToDouble()->getOperand(0)); block->discard(truncated->toToDouble()); } } bool RangeAnalysis::canTruncate(MDefinition* def, TruncateKind kind) const { if (kind == TruncateKind::NoTruncate) { return false; } // Range Analysis is sometimes eager to do optimizations, even if we // are not able to truncate an instruction. In such case, we // speculatively compile the instruction to an int32 instruction // while adding a guard. This is what is implied by // TruncateAfterBailout. // // If a previous compilation was invalidated because a speculative // truncation bailed out, we no longer attempt to make this kind of // eager optimization. if (mir->outerInfo().hadEagerTruncationBailout()) { if (kind == TruncateKind::TruncateAfterBailouts) { return false; } // MDiv and MMod always require TruncateAfterBailout for their operands. // See MDiv::operandTruncateKind and MMod::operandTruncateKind. if (def->isDiv() || def->isMod()) { return false; } } return true; } // Iterate backward on all instruction and attempt to truncate operations for // each instruction which respect the following list of predicates: Has been // analyzed by range analysis, the range has no rounding errors, all uses cases // are truncating the result. // // If the truncation of the operation is successful, then the instruction is // queue for later updating the graph to restore the type correctness by // converting the operands that need to be truncated. // // We iterate backward because it is likely that a truncated operation truncates // some of its operands. bool RangeAnalysis::truncate() { JitSpew(JitSpew_Range, "Do range-base truncation (backward loop)"); // Automatic truncation is disabled for wasm because the truncation logic // is based on IonMonkey which assumes that we can bailout if the truncation // logic fails. As wasm code has no bailout mechanism, it is safer to avoid // any automatic truncations. MOZ_ASSERT(!mir->compilingWasm()); Vector worklist; for (PostorderIterator block(graph_.poBegin()); block != graph_.poEnd(); block++) { for (MInstructionReverseIterator iter(block->rbegin()); iter != block->rend(); iter++) { if (iter->isRecoveredOnBailout()) { continue; } if (iter->type() == MIRType::None) { if (iter->isTest()) { if (!TruncateTest(alloc(), iter->toTest())) { return false; } } continue; } // Remember all bitop instructions for folding after range analysis. switch (iter->op()) { case MDefinition::Opcode::BitAnd: case MDefinition::Opcode::BitOr: case MDefinition::Opcode::BitXor: case MDefinition::Opcode::Lsh: case MDefinition::Opcode::Rsh: case MDefinition::Opcode::Ursh: if (!bitops.append(static_cast(*iter))) { return false; } break; default:; } bool shouldClone = false; TruncateKind kind = ComputeTruncateKind(*iter, &shouldClone); // Truncate this instruction if possible. if (!canTruncate(*iter, kind) || !iter->canTruncate()) { continue; } SpewTruncate(*iter, kind, shouldClone); // If needed, clone the current instruction for keeping it for the // bailout path. This give us the ability to truncate instructions // even after the removal of branches. if (shouldClone && !CloneForDeadBranches(alloc(), *iter)) { return false; } // TruncateAfterBailouts keeps the bailout code as-is and // continues with truncated operations, with the expectation // that we are unlikely to bail out. If we do bail out, then we // will set a flag in FinishBailoutToBaseline to prevent eager // truncation when we recompile, to avoid bailout loops. if (kind == TruncateKind::TruncateAfterBailouts) { iter->setBailoutKind(BailoutKind::EagerTruncation); } iter->truncate(kind); // Delay updates of inputs/outputs to avoid creating node which // would be removed by the truncation of the next operations. iter->setInWorklist(); if (!worklist.append(*iter)) { return false; } } for (MPhiIterator iter(block->phisBegin()), end(block->phisEnd()); iter != end; ++iter) { bool shouldClone = false; TruncateKind kind = ComputeTruncateKind(*iter, &shouldClone); // Truncate this phi if possible. if (shouldClone || !canTruncate(*iter, kind) || !iter->canTruncate()) { continue; } SpewTruncate(*iter, kind, shouldClone); iter->truncate(kind); // Delay updates of inputs/outputs to avoid creating node which // would be removed by the truncation of the next operations. iter->setInWorklist(); if (!worklist.append(*iter)) { return false; } } } // Update inputs/outputs of truncated instructions. JitSpew(JitSpew_Range, "Do graph type fixup (dequeue)"); while (!worklist.empty()) { if (!alloc().ensureBallast()) { return false; } MDefinition* def = worklist.popCopy(); def->setNotInWorklist(); RemoveTruncatesOnOutput(def); adjustTruncatedInputs(def); } return true; } bool RangeAnalysis::removeUnnecessaryBitops() { JitSpew(JitSpew_Range, "Begin (removeUnnecessaryBitops)"); // Note: This operation change the semantic of the program in a way which // uniquely works with Int32, Recover Instructions added by the Sink phase // expects the MIR Graph to still have a valid flow as-if they were double // operations instead of Int32 operations. Thus, this phase should be // executed after the Sink phase, and before DCE. // Fold any unnecessary bitops in the graph, such as (x | 0) on an integer // input. This is done after range analysis rather than during GVN as the // presence of the bitop can change which instructions are truncated. for (size_t i = 0; i < bitops.length(); i++) { MBinaryBitwiseInstruction* ins = bitops[i]; if (ins->isRecoveredOnBailout()) { continue; } MDefinition* folded = ins->foldUnnecessaryBitop(); if (folded != ins) { ins->replaceAllLiveUsesWith(folded); ins->setRecoveredOnBailout(); } } bitops.clear(); return true; } /////////////////////////////////////////////////////////////////////////////// // Collect Range information of operands /////////////////////////////////////////////////////////////////////////////// void MInArray::collectRangeInfoPreTrunc() { Range indexRange(index()); if (indexRange.isFiniteNonNegative()) { needsNegativeIntCheck_ = false; setNotGuard(); } } void MLoadElementHole::collectRangeInfoPreTrunc() { Range indexRange(index()); if (indexRange.isFiniteNonNegative()) { needsNegativeIntCheck_ = false; setNotGuard(); } } void MInt32ToIntPtr::collectRangeInfoPreTrunc() { Range inputRange(input()); if (inputRange.isFiniteNonNegative()) { canBeNegative_ = false; } } void MClz::collectRangeInfoPreTrunc() { Range inputRange(input()); if (!inputRange.canBeZero()) { operandIsNeverZero_ = true; } } void MCtz::collectRangeInfoPreTrunc() { Range inputRange(input()); if (!inputRange.canBeZero()) { operandIsNeverZero_ = true; } } void MDiv::collectRangeInfoPreTrunc() { Range lhsRange(lhs()); Range rhsRange(rhs()); // Test if Dividend is non-negative. if (lhsRange.isFiniteNonNegative()) { canBeNegativeDividend_ = false; } // Try removing divide by zero check. if (!rhsRange.canBeZero()) { canBeDivideByZero_ = false; } // If lhsRange does not contain INT32_MIN in its range, // negative overflow check can be skipped. if (!lhsRange.contains(INT32_MIN)) { canBeNegativeOverflow_ = false; } // If rhsRange does not contain -1 likewise. if (!rhsRange.contains(-1)) { canBeNegativeOverflow_ = false; } // If lhsRange does not contain a zero, // negative zero check can be skipped. if (!lhsRange.canBeZero()) { canBeNegativeZero_ = false; } // If rhsRange >= 0 negative zero check can be skipped. if (rhsRange.isFiniteNonNegative()) { canBeNegativeZero_ = false; } if (fallible()) { setGuardRangeBailoutsUnchecked(); } } void MMul::collectRangeInfoPreTrunc() { Range lhsRange(lhs()); Range rhsRange(rhs()); // If lhsRange contains only positive then we can skip negative zero check. if (lhsRange.isFiniteNonNegative() && !lhsRange.canBeZero()) { setCanBeNegativeZero(false); } // Likewise rhsRange. if (rhsRange.isFiniteNonNegative() && !rhsRange.canBeZero()) { setCanBeNegativeZero(false); } // If rhsRange and lhsRange contain Non-negative integers only, // We skip negative zero check. if (rhsRange.isFiniteNonNegative() && lhsRange.isFiniteNonNegative()) { setCanBeNegativeZero(false); } // If rhsRange and lhsRange < 0. Then we skip negative zero check. if (rhsRange.isFiniteNegative() && lhsRange.isFiniteNegative()) { setCanBeNegativeZero(false); } } void MMod::collectRangeInfoPreTrunc() { Range lhsRange(lhs()); Range rhsRange(rhs()); if (lhsRange.isFiniteNonNegative()) { canBeNegativeDividend_ = false; } if (!rhsRange.canBeZero()) { canBeDivideByZero_ = false; } if (type() == MIRType::Int32 && fallible()) { setGuardRangeBailoutsUnchecked(); } } void MToNumberInt32::collectRangeInfoPreTrunc() { Range inputRange(input()); if (!inputRange.canBeNegativeZero()) { needsNegativeZeroCheck_ = false; } } void MBoundsCheck::collectRangeInfoPreTrunc() { Range indexRange(index()); Range lengthRange(length()); if (!indexRange.hasInt32LowerBound() || !indexRange.hasInt32UpperBound()) { return; } if (!lengthRange.hasInt32LowerBound() || lengthRange.canBeNaN()) { return; } int64_t indexLower = indexRange.lower(); int64_t indexUpper = indexRange.upper(); int64_t lengthLower = lengthRange.lower(); int64_t min = minimum(); int64_t max = maximum(); if (indexLower + min >= 0 && indexUpper + max < lengthLower) { fallible_ = false; } } void MBoundsCheckLower::collectRangeInfoPreTrunc() { Range indexRange(index()); if (indexRange.hasInt32LowerBound() && indexRange.lower() >= minimum_) { fallible_ = false; } } void MCompare::collectRangeInfoPreTrunc() { if (!Range(lhs()).canBeNaN() && !Range(rhs()).canBeNaN()) { operandsAreNeverNaN_ = true; } } void MNot::collectRangeInfoPreTrunc() { if (!Range(input()).canBeNaN()) { operandIsNeverNaN_ = true; } } void MPowHalf::collectRangeInfoPreTrunc() { Range inputRange(input()); if (!inputRange.canBeInfiniteOrNaN() || inputRange.hasInt32LowerBound()) { operandIsNeverNegativeInfinity_ = true; } if (!inputRange.canBeNegativeZero()) { operandIsNeverNegativeZero_ = true; } if (!inputRange.canBeNaN()) { operandIsNeverNaN_ = true; } } void MUrsh::collectRangeInfoPreTrunc() { if (type() == MIRType::Int64) { return; } Range lhsRange(lhs()), rhsRange(rhs()); // As in MUrsh::computeRange(), convert the inputs. lhsRange.wrapAroundToInt32(); rhsRange.wrapAroundToShiftCount(); // If the most significant bit of our result is always going to be zero, // we can optimize by disabling bailout checks for enforcing an int32 range. if (lhsRange.lower() >= 0 || rhsRange.lower() >= 1) { bailoutsDisabled_ = true; } } static bool DoesMaskMatchRange(int32_t mask, Range& range) { // Check if range is positive, because the bitand operator in `(-3) & 0xff` // can't be eliminated. if (range.lower() >= 0) { MOZ_ASSERT(range.isInt32()); // Check that the mask value has all bits set given the range upper bound. // Note that the upper bound does not have to be exactly the mask value. For // example, consider `x & 0xfff` where `x` is a uint8. That expression can // still be optimized to `x`. int bits = 1 + FloorLog2(range.upper()); uint32_t maskNeeded = (bits == 32) ? 0xffffffff : (uint32_t(1) << bits) - 1; if ((mask & maskNeeded) == maskNeeded) { return true; } } return false; } void MBinaryBitwiseInstruction::collectRangeInfoPreTrunc() { Range lhsRange(lhs()); Range rhsRange(rhs()); if (lhs()->isConstant() && lhs()->type() == MIRType::Int32 && DoesMaskMatchRange(lhs()->toConstant()->toInt32(), rhsRange)) { maskMatchesRightRange = true; } if (rhs()->isConstant() && rhs()->type() == MIRType::Int32 && DoesMaskMatchRange(rhs()->toConstant()->toInt32(), lhsRange)) { maskMatchesLeftRange = true; } } void MNaNToZero::collectRangeInfoPreTrunc() { Range inputRange(input()); if (!inputRange.canBeNaN()) { operandIsNeverNaN_ = true; } if (!inputRange.canBeNegativeZero()) { operandIsNeverNegativeZero_ = true; } } bool RangeAnalysis::prepareForUCE(bool* shouldRemoveDeadCode) { *shouldRemoveDeadCode = false; for (ReversePostorderIterator iter(graph_.rpoBegin()); iter != graph_.rpoEnd(); iter++) { MBasicBlock* block = *iter; if (!block->unreachable()) { continue; } // Filter out unreachable fake entries. if (block->numPredecessors() == 0) { // Ignore fixup blocks added by the Value Numbering phase, in order // to keep the dominator tree as-is when we have OSR Block which are // no longer reachable from the main entry point of the graph. MOZ_ASSERT(graph_.osrBlock()); continue; } MControlInstruction* cond = block->getPredecessor(0)->lastIns(); if (!cond->isTest()) { continue; } // Replace the condition of the test control instruction by a constant // chosen based which of the successors has the unreachable flag which is // added by MBeta::computeRange on its own block. MTest* test = cond->toTest(); MDefinition* condition = test->input(); // If the false-branch is unreachable, then the test condition must be true. // If the true-branch is unreachable, then the test condition must be false. MOZ_ASSERT(block == test->ifTrue() || block == test->ifFalse()); bool value = block == test->ifFalse(); MConstant* constant = MConstant::New(alloc().fallible(), BooleanValue(value)); if (!constant) { return false; } condition->setGuardRangeBailoutsUnchecked(); test->block()->insertBefore(test, constant); test->replaceOperand(0, constant); JitSpew(JitSpew_Range, "Update condition of %u to reflect unreachable branches.", test->id()); *shouldRemoveDeadCode = true; } return tryRemovingGuards(); } bool RangeAnalysis::tryRemovingGuards() { MDefinitionVector guards(alloc()); for (ReversePostorderIterator block = graph_.rpoBegin(); block != graph_.rpoEnd(); block++) { for (MDefinitionIterator iter(*block); iter; iter++) { if (!iter->isGuardRangeBailouts()) { continue; } iter->setInWorklist(); if (!guards.append(*iter)) { return false; } } } // Flag all fallible instructions which were indirectly used in the // computation of the condition, such that we do not ignore // bailout-paths which are used to shrink the input range of the // operands of the condition. for (size_t i = 0; i < guards.length(); i++) { MDefinition* guard = guards[i]; // If this ins is a guard even without guardRangeBailouts, // there is no reason in trying to hoist the guardRangeBailouts check. guard->setNotGuardRangeBailouts(); if (!DeadIfUnused(guard)) { guard->setGuardRangeBailouts(); continue; } guard->setGuardRangeBailouts(); if (!guard->isPhi()) { if (!guard->range()) { continue; } // Filter the range of the instruction based on its MIRType. Range typeFilteredRange(guard); // If the output range is updated by adding the inner range, // then the MIRType act as an effectful filter. As we do not know if // this filtered Range might change or not the result of the // previous comparison, we have to keep this instruction as a guard // because it has to bailout in order to restrict the Range to its // MIRType. if (typeFilteredRange.update(guard->range())) { continue; } } guard->setNotGuardRangeBailouts(); // Propagate the guard to its operands. for (size_t op = 0, e = guard->numOperands(); op < e; op++) { MDefinition* operand = guard->getOperand(op); // Already marked. if (operand->isInWorklist()) { continue; } MOZ_ASSERT(!operand->isGuardRangeBailouts()); operand->setInWorklist(); operand->setGuardRangeBailouts(); if (!guards.append(operand)) { return false; } } } for (size_t i = 0; i < guards.length(); i++) { MDefinition* guard = guards[i]; guard->setNotInWorklist(); } return true; }