1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
|
/*
* Copyright (C) 2013-2015 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "DFGLICMPhase.h"
#if ENABLE(DFG_JIT)
#include "DFGAbstractInterpreterInlines.h"
#include "DFGAtTailAbstractState.h"
#include "DFGBasicBlockInlines.h"
#include "DFGClobberSet.h"
#include "DFGClobberize.h"
#include "DFGEdgeDominates.h"
#include "DFGGraph.h"
#include "DFGInsertionSet.h"
#include "DFGNaturalLoops.h"
#include "DFGPhase.h"
#include "DFGSafeToExecute.h"
#include "JSCInlines.h"
namespace JSC { namespace DFG {
namespace {
struct LoopData {
LoopData()
: preHeader(nullptr)
{
}
ClobberSet writes;
BasicBlock* preHeader;
};
} // anonymous namespace
class LICMPhase : public Phase {
static const bool verbose = false;
public:
LICMPhase(Graph& graph)
: Phase(graph, "LICM")
, m_state(graph)
, m_interpreter(graph, m_state)
{
}
bool run()
{
DFG_ASSERT(m_graph, nullptr, m_graph.m_form == SSA);
m_graph.ensureDominators();
m_graph.ensureNaturalLoops();
if (verbose) {
dataLog("Graph before LICM:\n");
m_graph.dump();
}
m_data.resize(m_graph.m_naturalLoops->numLoops());
// Figure out the set of things each loop writes to, not including blocks that
// belong to inner loops. We fix this later.
for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
BasicBlock* block = m_graph.block(blockIndex);
if (!block)
continue;
// Skip blocks that are proved to not execute.
// FIXME: This shouldn't be needed.
// https://bugs.webkit.org/show_bug.cgi?id=128584
if (!block->cfaHasVisited)
continue;
const NaturalLoop* loop = m_graph.m_naturalLoops->innerMostLoopOf(block);
if (!loop)
continue;
LoopData& data = m_data[loop->index()];
for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
Node* node = block->at(nodeIndex);
// Don't look beyond parts of the code that definitely always exit.
// FIXME: This shouldn't be needed.
// https://bugs.webkit.org/show_bug.cgi?id=128584
if (node->op() == ForceOSRExit)
break;
addWrites(m_graph, node, data.writes);
}
}
// For each loop:
// - Identify its pre-header.
// - Make sure its outer loops know what it clobbers.
for (unsigned loopIndex = m_graph.m_naturalLoops->numLoops(); loopIndex--;) {
const NaturalLoop& loop = m_graph.m_naturalLoops->loop(loopIndex);
LoopData& data = m_data[loop.index()];
for (
const NaturalLoop* outerLoop = m_graph.m_naturalLoops->innerMostOuterLoop(loop);
outerLoop;
outerLoop = m_graph.m_naturalLoops->innerMostOuterLoop(*outerLoop))
m_data[outerLoop->index()].writes.addAll(data.writes);
BasicBlock* header = loop.header();
BasicBlock* preHeader = nullptr;
unsigned numberOfPreHeaders = 0; // We're cool if this is 1.
// This is guaranteed because we expect the CFG not to have unreachable code. Therefore, a
// loop header must have a predecessor. (Also, we don't allow the root block to be a loop,
// which cuts out the one other way of having a loop header with only one predecessor.)
DFG_ASSERT(m_graph, header->at(0), header->predecessors.size() > 1);
for (unsigned i = header->predecessors.size(); i--;) {
BasicBlock* predecessor = header->predecessors[i];
if (m_graph.m_dominators->dominates(header, predecessor))
continue;
preHeader = predecessor;
++numberOfPreHeaders;
}
// We need to validate the pre-header. There are a bunch of things that could be wrong
// about it:
//
// - There might be more than one. This means that pre-header creation either did not run,
// or some CFG transformation destroyed the pre-headers.
//
// - It may not be legal to exit at the pre-header. That would be a real bummer. Currently,
// LICM assumes that it can always hoist checks. See
// https://bugs.webkit.org/show_bug.cgi?id=148545. Though even with that fixed, we anyway
// would need to check if it's OK to exit at the pre-header since if we can't then we
// would have to restrict hoisting to non-exiting nodes.
if (numberOfPreHeaders != 1)
continue;
// This is guaranteed because the header has multiple predecessors and critical edges are
// broken. Therefore the predecessors must all have one successor, which implies that they
// must end in a Jump.
DFG_ASSERT(m_graph, preHeader->terminal(), preHeader->terminal()->op() == Jump);
if (!preHeader->terminal()->origin.exitOK)
continue;
data.preHeader = preHeader;
}
m_graph.initializeNodeOwners();
// Walk all basic blocks that belong to loops, looking for hoisting opportunities.
// We try to hoist to the outer-most loop that permits it. Hoisting is valid if:
// - The node doesn't write anything.
// - The node doesn't read anything that the loop writes.
// - The preHeader is valid (i.e. it passed the validation above).
// - The preHeader's state at tail makes the node safe to execute.
// - The loop's children all belong to nodes that strictly dominate the loop header.
// - The preHeader's state at tail is still valid. This is mostly to save compile
// time and preserve some kind of sanity, if we hoist something that must exit.
//
// Also, we need to remember to:
// - Update the state-at-tail with the node we hoisted, so future hoist candidates
// know about any type checks we hoisted.
//
// For maximum profit, we walk blocks in DFS order to ensure that we generally
// tend to hoist dominators before dominatees.
Vector<const NaturalLoop*> loopStack;
bool changed = false;
for (BasicBlock* block : m_graph.blocksInPreOrder()) {
const NaturalLoop* loop = m_graph.m_naturalLoops->innerMostLoopOf(block);
if (!loop)
continue;
loopStack.resize(0);
for (
const NaturalLoop* current = loop;
current;
current = m_graph.m_naturalLoops->innerMostOuterLoop(*current))
loopStack.append(current);
// Remember: the loop stack has the inner-most loop at index 0, so if we want
// to bias hoisting to outer loops then we need to use a reverse loop.
if (verbose) {
dataLog(
"Attempting to hoist out of block ", *block, " in loops:\n");
for (unsigned stackIndex = loopStack.size(); stackIndex--;) {
dataLog(
" ", *loopStack[stackIndex], ", which writes ",
m_data[loopStack[stackIndex]->index()].writes, "\n");
}
}
for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
Node*& nodeRef = block->at(nodeIndex);
if (doesWrites(m_graph, nodeRef)) {
if (verbose)
dataLog(" Not hoisting ", nodeRef, " because it writes things.\n");
continue;
}
for (unsigned stackIndex = loopStack.size(); stackIndex--;)
changed |= attemptHoist(block, nodeRef, loopStack[stackIndex]);
}
}
return changed;
}
private:
bool attemptHoist(BasicBlock* fromBlock, Node*& nodeRef, const NaturalLoop* loop)
{
Node* node = nodeRef;
LoopData& data = m_data[loop->index()];
if (!data.preHeader) {
if (verbose)
dataLog(" Not hoisting ", node, " because the pre-header is invalid.\n");
return false;
}
if (!data.preHeader->cfaDidFinish) {
if (verbose)
dataLog(" Not hoisting ", node, " because CFA is invalid.\n");
return false;
}
if (!edgesDominate(m_graph, node, data.preHeader)) {
if (verbose) {
dataLog(
" Not hoisting ", node, " because it isn't loop invariant.\n");
}
return false;
}
// FIXME: At this point if the hoisting of the full node fails but the node has type checks,
// we could still hoist just the checks.
// https://bugs.webkit.org/show_bug.cgi?id=144525
// FIXME: If a node has a type check - even something like a CheckStructure - then we should
// only hoist the node if we know that it will execute on every loop iteration or if we know
// that the type check will always succeed at the loop pre-header through some other means
// (like looking at prediction propagation results). Otherwise, we might make a mistake like
// this:
//
// var o = ...; // sometimes null and sometimes an object with structure S1.
// for (...) {
// if (o)
// ... = o.f; // CheckStructure and GetByOffset, which we will currently hoist.
// }
//
// When we encounter such code, we'll hoist the CheckStructure and GetByOffset and then we
// will have a recompile. We'll then end up thinking that the get_by_id needs to be
// polymorphic, which is false.
//
// We can counter this by either having a control flow equivalence check, or by consulting
// prediction propagation to see if the check would always succeed. Prediction propagation
// would not be enough for things like:
//
// var p = ...; // some boolean predicate
// var o = {};
// if (p)
// o.f = 42;
// for (...) {
// if (p)
// ... = o.f;
// }
//
// Prediction propagation can't tell us anything about the structure, and the CheckStructure
// will appear to be hoistable because the loop doesn't clobber structures. The cell check
// in the CheckStructure will be hoistable though, since prediction propagation can tell us
// that o is always SpecFinalObject. In cases like this, control flow equivalence is the
// only effective guard.
//
// https://bugs.webkit.org/show_bug.cgi?id=144527
if (readsOverlap(m_graph, node, data.writes)) {
if (verbose) {
dataLog(
" Not hoisting ", node,
" because it reads things that the loop writes.\n");
}
return false;
}
m_state.initializeTo(data.preHeader);
if (!safeToExecute(m_state, m_graph, node)) {
if (verbose) {
dataLog(
" Not hoisting ", node, " because it isn't safe to execute.\n");
}
return false;
}
if (verbose) {
dataLog(
" Hoisting ", node, " from ", *fromBlock, " to ", *data.preHeader,
"\n");
}
// FIXME: We should adjust the Check: flags on the edges of node. There are phases that assume
// that those flags are correct even if AI is stale.
// https://bugs.webkit.org/show_bug.cgi?id=148544
data.preHeader->insertBeforeTerminal(node);
node->owner = data.preHeader;
NodeOrigin originalOrigin = node->origin;
node->origin = data.preHeader->terminal()->origin.withSemantic(node->origin.semantic);
// Modify the states at the end of the preHeader of the loop we hoisted to,
// and all pre-headers inside the loop. This isn't a stability bottleneck right now
// because most loops are small and most blocks belong to few loops.
for (unsigned bodyIndex = loop->size(); bodyIndex--;) {
BasicBlock* subBlock = loop->at(bodyIndex);
const NaturalLoop* subLoop = m_graph.m_naturalLoops->headerOf(subBlock);
if (!subLoop)
continue;
BasicBlock* subPreHeader = m_data[subLoop->index()].preHeader;
if (!subPreHeader->cfaDidFinish)
continue;
m_state.initializeTo(subPreHeader);
m_interpreter.execute(node);
}
// It just so happens that all of the nodes we currently know how to hoist
// don't have var-arg children. That may change and then we can fix this
// code. But for now we just assert that's the case.
DFG_ASSERT(m_graph, node, !(node->flags() & NodeHasVarArgs));
nodeRef = m_graph.addNode(SpecNone, Check, originalOrigin, node->children);
return true;
}
AtTailAbstractState m_state;
AbstractInterpreter<AtTailAbstractState> m_interpreter;
Vector<LoopData> m_data;
};
bool performLICM(Graph& graph)
{
SamplingRegion samplingRegion("DFG LICM Phase");
return runPhase<LICMPhase>(graph);
}
} } // namespace JSC::DFG
#endif // ENABLE(DFG_JIT)
|
