mirror of
https://github.com/darlinghq/darling-JavaScriptCore.git
synced 2025-04-07 17:31:46 +00:00
395 lines
17 KiB
C++
395 lines
17 KiB
C++
/*
|
|
* Copyright (C) 2012-2015 Apple Inc. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
|
|
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
|
|
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "config.h"
|
|
#include "DFGCFGSimplificationPhase.h"
|
|
|
|
#if ENABLE(DFG_JIT)
|
|
|
|
#include "DFGBasicBlockInlines.h"
|
|
#include "DFGGraph.h"
|
|
#include "DFGPhase.h"
|
|
#include "JSCJSValueInlines.h"
|
|
|
|
namespace JSC { namespace DFG {
|
|
|
|
class CFGSimplificationPhase : public Phase {
|
|
public:
|
|
CFGSimplificationPhase(Graph& graph)
|
|
: Phase(graph, "CFG simplification")
|
|
{
|
|
}
|
|
|
|
bool canMergeBlocks(BasicBlock* block, BasicBlock* targetBlock)
|
|
{
|
|
return targetBlock->predecessors.size() == 1 && targetBlock != block;
|
|
}
|
|
|
|
bool run()
|
|
{
|
|
const bool extremeLogging = false;
|
|
|
|
bool outerChanged = false;
|
|
bool innerChanged;
|
|
|
|
do {
|
|
innerChanged = false;
|
|
for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
|
|
BasicBlock* block = m_graph.block(blockIndex);
|
|
if (!block)
|
|
continue;
|
|
ASSERT(block->isReachable);
|
|
|
|
auto canMergeWithBlock = [&] (BasicBlock* targetBlock) {
|
|
return canMergeBlocks(block, targetBlock);
|
|
};
|
|
|
|
switch (block->terminal()->op()) {
|
|
case Jump: {
|
|
// Successor with one predecessor -> merge.
|
|
if (canMergeWithBlock(block->successor(0))) {
|
|
ASSERT(block->successor(0)->predecessors[0] == block);
|
|
if (extremeLogging)
|
|
m_graph.dump();
|
|
m_graph.dethread();
|
|
mergeBlocks(block, block->successor(0), noBlocks());
|
|
innerChanged = outerChanged = true;
|
|
break;
|
|
}
|
|
|
|
// FIXME: Block only has a jump -> remove. This is tricky though because of
|
|
// liveness. What we really want is to slam in a phantom at the end of the
|
|
// block, after the terminal. But we can't right now. :-(
|
|
// Idea: what if I slam the ghosties into my successor? Nope, that's
|
|
// suboptimal, because if my successor has multiple predecessors then we'll
|
|
// be keeping alive things on other predecessor edges unnecessarily.
|
|
// What we really need is the notion of end-of-block ghosties!
|
|
// FIXME: Allow putting phantoms after terminals.
|
|
// https://bugs.webkit.org/show_bug.cgi?id=126778
|
|
break;
|
|
}
|
|
|
|
case Branch: {
|
|
// Branch on constant -> jettison the not-taken block and merge.
|
|
if (isKnownDirection(block->cfaBranchDirection)) {
|
|
bool condition = branchCondition(block->cfaBranchDirection);
|
|
BasicBlock* targetBlock = block->successorForCondition(condition);
|
|
BasicBlock* jettisonedBlock = block->successorForCondition(!condition);
|
|
if (canMergeWithBlock(targetBlock)) {
|
|
if (extremeLogging)
|
|
m_graph.dump();
|
|
m_graph.dethread();
|
|
if (targetBlock == jettisonedBlock)
|
|
mergeBlocks(block, targetBlock, noBlocks());
|
|
else
|
|
mergeBlocks(block, targetBlock, oneBlock(jettisonedBlock));
|
|
} else {
|
|
if (extremeLogging)
|
|
m_graph.dump();
|
|
m_graph.dethread();
|
|
|
|
Node* terminal = block->terminal();
|
|
ASSERT(terminal->isTerminal());
|
|
NodeOrigin boundaryNodeOrigin = terminal->origin;
|
|
|
|
if (targetBlock != jettisonedBlock)
|
|
jettisonBlock(block, jettisonedBlock, boundaryNodeOrigin);
|
|
|
|
block->replaceTerminal(
|
|
m_graph, SpecNone, Jump, boundaryNodeOrigin,
|
|
OpInfo(targetBlock));
|
|
|
|
ASSERT(block->terminal());
|
|
|
|
}
|
|
innerChanged = outerChanged = true;
|
|
break;
|
|
}
|
|
|
|
if (block->successor(0) == block->successor(1)) {
|
|
convertToJump(block, block->successor(0));
|
|
innerChanged = outerChanged = true;
|
|
break;
|
|
}
|
|
|
|
// Branch to same destination -> jump.
|
|
// FIXME: this will currently not be hit because of the lack of jump-only
|
|
// block simplification.
|
|
|
|
break;
|
|
}
|
|
|
|
case Switch: {
|
|
SwitchData* data = block->terminal()->switchData();
|
|
|
|
// Prune out cases that end up jumping to default.
|
|
for (unsigned i = 0; i < data->cases.size(); ++i) {
|
|
if (data->cases[i].target.block == data->fallThrough.block) {
|
|
data->fallThrough.count += data->cases[i].target.count;
|
|
data->cases[i--] = data->cases.last();
|
|
data->cases.removeLast();
|
|
}
|
|
}
|
|
|
|
// If there are no cases other than default then this turns
|
|
// into a jump.
|
|
if (data->cases.isEmpty()) {
|
|
convertToJump(block, data->fallThrough.block);
|
|
innerChanged = outerChanged = true;
|
|
break;
|
|
}
|
|
|
|
// Switch on constant -> jettison all other targets and merge.
|
|
Node* terminal = block->terminal();
|
|
if (terminal->child1()->hasConstant()) {
|
|
FrozenValue* value = terminal->child1()->constant();
|
|
TriState found = TriState::False;
|
|
BasicBlock* targetBlock = nullptr;
|
|
for (unsigned i = data->cases.size(); found == TriState::False && i--;) {
|
|
found = data->cases[i].value.strictEqual(value);
|
|
if (found == TriState::True)
|
|
targetBlock = data->cases[i].target.block;
|
|
}
|
|
|
|
if (found == TriState::Indeterminate)
|
|
break;
|
|
if (found == TriState::False)
|
|
targetBlock = data->fallThrough.block;
|
|
ASSERT(targetBlock);
|
|
|
|
Vector<BasicBlock*, 1> jettisonedBlocks;
|
|
for (BasicBlock* successor : terminal->successors()) {
|
|
if (successor != targetBlock && !jettisonedBlocks.contains(successor))
|
|
jettisonedBlocks.append(successor);
|
|
}
|
|
|
|
if (canMergeWithBlock(targetBlock)) {
|
|
if (extremeLogging)
|
|
m_graph.dump();
|
|
m_graph.dethread();
|
|
|
|
mergeBlocks(block, targetBlock, jettisonedBlocks);
|
|
} else {
|
|
if (extremeLogging)
|
|
m_graph.dump();
|
|
m_graph.dethread();
|
|
|
|
NodeOrigin boundaryNodeOrigin = terminal->origin;
|
|
|
|
for (unsigned i = jettisonedBlocks.size(); i--;)
|
|
jettisonBlock(block, jettisonedBlocks[i], boundaryNodeOrigin);
|
|
|
|
block->replaceTerminal(
|
|
m_graph, SpecNone, Jump, boundaryNodeOrigin, OpInfo(targetBlock));
|
|
}
|
|
innerChanged = outerChanged = true;
|
|
break;
|
|
}
|
|
break;
|
|
}
|
|
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (innerChanged) {
|
|
// Here's the reason for this pass:
|
|
// Blocks: A, B, C, D, E, F
|
|
// A -> B, C
|
|
// B -> F
|
|
// C -> D, E
|
|
// D -> F
|
|
// E -> F
|
|
//
|
|
// Assume that A's branch is determined to go to B. Then the rest of this phase
|
|
// is smart enough to simplify down to:
|
|
// A -> B
|
|
// B -> F
|
|
// C -> D, E
|
|
// D -> F
|
|
// E -> F
|
|
//
|
|
// We will also merge A and B. But then we don't have any other mechanism to
|
|
// remove D, E as predecessors for F. Worse, the rest of this phase does not
|
|
// know how to fix the Phi functions of F to ensure that they no longer refer
|
|
// to variables in D, E. In general, we need a way to handle Phi simplification
|
|
// upon:
|
|
// 1) Removal of a predecessor due to branch simplification. The branch
|
|
// simplifier already does that.
|
|
// 2) Invalidation of a predecessor because said predecessor was rendered
|
|
// unreachable. We do this here.
|
|
//
|
|
// This implies that when a block is unreachable, we must inspect its
|
|
// successors' Phi functions to remove any references from them into the
|
|
// removed block.
|
|
|
|
m_graph.invalidateCFG();
|
|
m_graph.resetReachability();
|
|
m_graph.killUnreachableBlocks();
|
|
}
|
|
|
|
if (Options::validateGraphAtEachPhase())
|
|
validate();
|
|
} while (innerChanged);
|
|
|
|
return outerChanged;
|
|
}
|
|
|
|
private:
|
|
void convertToJump(BasicBlock* block, BasicBlock* targetBlock)
|
|
{
|
|
ASSERT(targetBlock);
|
|
ASSERT(targetBlock->isReachable);
|
|
if (canMergeBlocks(block, targetBlock)) {
|
|
m_graph.dethread();
|
|
mergeBlocks(block, targetBlock, noBlocks());
|
|
} else {
|
|
Node* branch = block->terminal();
|
|
ASSERT(branch->op() == Branch || branch->op() == Switch);
|
|
|
|
block->replaceTerminal(
|
|
m_graph, SpecNone, Jump, branch->origin, OpInfo(targetBlock));
|
|
}
|
|
}
|
|
|
|
void keepOperandAlive(BasicBlock* block, BasicBlock* jettisonedBlock, NodeOrigin nodeOrigin, Operand operand)
|
|
{
|
|
Node* livenessNode = jettisonedBlock->variablesAtHead.operand(operand);
|
|
if (!livenessNode)
|
|
return;
|
|
NodeType nodeType;
|
|
if (livenessNode->flags() & NodeIsFlushed)
|
|
nodeType = Flush;
|
|
else {
|
|
// This seems like it shouldn't be necessary because we could just rematerialize
|
|
// PhantomLocals or something similar using bytecode liveness. However, in ThreadedCPS, it's
|
|
// worth the sanity to maintain this eagerly. See
|
|
// https://bugs.webkit.org/show_bug.cgi?id=144086
|
|
nodeType = PhantomLocal;
|
|
}
|
|
block->appendNode(
|
|
m_graph, SpecNone, nodeType, nodeOrigin,
|
|
OpInfo(livenessNode->variableAccessData()));
|
|
}
|
|
|
|
void jettisonBlock(BasicBlock* block, BasicBlock* jettisonedBlock, NodeOrigin boundaryNodeOrigin)
|
|
{
|
|
for (size_t i = 0; i < jettisonedBlock->variablesAtHead.size(); ++i)
|
|
keepOperandAlive(block, jettisonedBlock, boundaryNodeOrigin, jettisonedBlock->variablesAtHead.operandForIndex(i));
|
|
|
|
fixJettisonedPredecessors(block, jettisonedBlock);
|
|
}
|
|
|
|
void fixJettisonedPredecessors(BasicBlock* block, BasicBlock* jettisonedBlock)
|
|
{
|
|
jettisonedBlock->removePredecessor(block);
|
|
}
|
|
|
|
Vector<BasicBlock*, 1> noBlocks()
|
|
{
|
|
return Vector<BasicBlock*, 1>();
|
|
}
|
|
|
|
Vector<BasicBlock*, 1> oneBlock(BasicBlock* block)
|
|
{
|
|
Vector<BasicBlock*, 1> result;
|
|
result.append(block);
|
|
return result;
|
|
}
|
|
|
|
void mergeBlocks(
|
|
BasicBlock* firstBlock, BasicBlock* secondBlock,
|
|
Vector<BasicBlock*, 1> jettisonedBlocks)
|
|
{
|
|
RELEASE_ASSERT(canMergeBlocks(firstBlock, secondBlock));
|
|
// This will add all of the nodes in secondBlock to firstBlock, but in so doing
|
|
// it will also ensure that any GetLocals from the second block that refer to
|
|
// SetLocals in the first block are relinked. If jettisonedBlock is not NoBlock,
|
|
// then Phantoms are inserted for anything that the jettisonedBlock would have
|
|
// kept alive.
|
|
|
|
// Remove the terminal of firstBlock since we don't need it anymore. Well, we don't
|
|
// really remove it; we actually turn it into a check.
|
|
Node* terminal = firstBlock->terminal();
|
|
ASSERT(terminal->isTerminal());
|
|
NodeOrigin boundaryNodeOrigin = terminal->origin;
|
|
terminal->remove(m_graph);
|
|
ASSERT(terminal->refCount() == 1);
|
|
|
|
for (unsigned i = jettisonedBlocks.size(); i--;) {
|
|
BasicBlock* jettisonedBlock = jettisonedBlocks[i];
|
|
|
|
// Time to insert ghosties for things that need to be kept alive in case we OSR
|
|
// exit prior to hitting the firstBlock's terminal, and end up going down a
|
|
// different path than secondBlock.
|
|
for (size_t i = 0; i < jettisonedBlock->variablesAtHead.size(); ++i)
|
|
keepOperandAlive(firstBlock, jettisonedBlock, boundaryNodeOrigin, jettisonedBlock->variablesAtHead.operandForIndex(i));
|
|
}
|
|
|
|
for (size_t i = 0; i < secondBlock->phis.size(); ++i)
|
|
firstBlock->phis.append(secondBlock->phis[i]);
|
|
|
|
for (size_t i = 0; i < secondBlock->size(); ++i)
|
|
firstBlock->append(secondBlock->at(i));
|
|
|
|
ASSERT(firstBlock->terminal()->isTerminal());
|
|
|
|
// Fix the predecessors of my new successors. This is tricky, since we are going to reset
|
|
// all predecessors anyway due to reachability analysis. But we need to fix the
|
|
// predecessors eagerly to ensure that we know what they are in case the next block we
|
|
// consider in this phase wishes to query the predecessors of one of the blocks we
|
|
// affected.
|
|
for (unsigned i = firstBlock->numSuccessors(); i--;) {
|
|
BasicBlock* successor = firstBlock->successor(i);
|
|
for (unsigned j = 0; j < successor->predecessors.size(); ++j) {
|
|
if (successor->predecessors[j] == secondBlock)
|
|
successor->predecessors[j] = firstBlock;
|
|
}
|
|
}
|
|
|
|
// Fix the predecessors of my former successors. Again, we'd rather not do this, but it's
|
|
// an unfortunate necessity. See above comment.
|
|
for (unsigned i = jettisonedBlocks.size(); i--;)
|
|
fixJettisonedPredecessors(firstBlock, jettisonedBlocks[i]);
|
|
|
|
firstBlock->valuesAtTail = secondBlock->valuesAtTail;
|
|
firstBlock->cfaBranchDirection = secondBlock->cfaBranchDirection;
|
|
|
|
m_graph.killBlock(secondBlock);
|
|
}
|
|
};
|
|
|
|
bool performCFGSimplification(Graph& graph)
|
|
{
|
|
return runPhase<CFGSimplificationPhase>(graph);
|
|
}
|
|
|
|
} } // namespace JSC::DFG
|
|
|
|
#endif // ENABLE(DFG_JIT)
|
|
|
|
|