1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/js/src/jit/MIR.cpp Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,3473 @@
1.4 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
1.5 + * vim: set ts=8 sts=4 et sw=4 tw=99:
1.6 + * This Source Code Form is subject to the terms of the Mozilla Public
1.7 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.8 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.9 +
1.10 +#include "jit/MIR.h"
1.11 +
1.12 +#include "mozilla/FloatingPoint.h"
1.13 +
1.14 +#include <ctype.h>
1.15 +
1.16 +#include "jslibmath.h"
1.17 +#include "jsstr.h"
1.18 +
1.19 +#include "jit/BaselineInspector.h"
1.20 +#include "jit/IonBuilder.h"
1.21 +#include "jit/IonSpewer.h"
1.22 +#include "jit/MIRGraph.h"
1.23 +#include "jit/RangeAnalysis.h"
1.24 +
1.25 +#include "jsatominlines.h"
1.26 +#include "jsinferinlines.h"
1.27 +#include "jsobjinlines.h"
1.28 +
1.29 +using namespace js;
1.30 +using namespace js::jit;
1.31 +
1.32 +using mozilla::NumbersAreIdentical;
1.33 +using mozilla::IsFloat32Representable;
1.34 +using mozilla::Maybe;
1.35 +
1.36 +template<size_t Op> static void
1.37 +ConvertDefinitionToDouble(TempAllocator &alloc, MDefinition *def, MInstruction *consumer)
1.38 +{
1.39 + MInstruction *replace = MToDouble::New(alloc, def);
1.40 + consumer->replaceOperand(Op, replace);
1.41 + consumer->block()->insertBefore(consumer, replace);
1.42 +}
1.43 +
1.44 +static bool
1.45 +CheckUsesAreFloat32Consumers(MInstruction *ins)
1.46 +{
1.47 + bool allConsumerUses = true;
1.48 + for (MUseDefIterator use(ins); allConsumerUses && use; use++)
1.49 + allConsumerUses &= use.def()->canConsumeFloat32(use.use());
1.50 + return allConsumerUses;
1.51 +}
1.52 +
1.53 +void
1.54 +MDefinition::PrintOpcodeName(FILE *fp, MDefinition::Opcode op)
1.55 +{
1.56 + static const char * const names[] =
1.57 + {
1.58 +#define NAME(x) #x,
1.59 + MIR_OPCODE_LIST(NAME)
1.60 +#undef NAME
1.61 + };
1.62 + const char *name = names[op];
1.63 + size_t len = strlen(name);
1.64 + for (size_t i = 0; i < len; i++)
1.65 + fprintf(fp, "%c", tolower(name[i]));
1.66 +}
1.67 +
1.68 +static inline bool
1.69 +EqualValues(bool useGVN, MDefinition *left, MDefinition *right)
1.70 +{
1.71 + if (useGVN)
1.72 + return left->valueNumber() == right->valueNumber();
1.73 +
1.74 + return left == right;
1.75 +}
1.76 +
1.77 +static MConstant *
1.78 +EvaluateConstantOperands(TempAllocator &alloc, MBinaryInstruction *ins, bool *ptypeChange = nullptr)
1.79 +{
1.80 + MDefinition *left = ins->getOperand(0);
1.81 + MDefinition *right = ins->getOperand(1);
1.82 +
1.83 + if (!left->isConstant() || !right->isConstant())
1.84 + return nullptr;
1.85 +
1.86 + Value lhs = left->toConstant()->value();
1.87 + Value rhs = right->toConstant()->value();
1.88 + Value ret = UndefinedValue();
1.89 +
1.90 + switch (ins->op()) {
1.91 + case MDefinition::Op_BitAnd:
1.92 + ret = Int32Value(lhs.toInt32() & rhs.toInt32());
1.93 + break;
1.94 + case MDefinition::Op_BitOr:
1.95 + ret = Int32Value(lhs.toInt32() | rhs.toInt32());
1.96 + break;
1.97 + case MDefinition::Op_BitXor:
1.98 + ret = Int32Value(lhs.toInt32() ^ rhs.toInt32());
1.99 + break;
1.100 + case MDefinition::Op_Lsh:
1.101 + ret = Int32Value(uint32_t(lhs.toInt32()) << (rhs.toInt32() & 0x1F));
1.102 + break;
1.103 + case MDefinition::Op_Rsh:
1.104 + ret = Int32Value(lhs.toInt32() >> (rhs.toInt32() & 0x1F));
1.105 + break;
1.106 + case MDefinition::Op_Ursh:
1.107 + ret.setNumber(uint32_t(lhs.toInt32()) >> (rhs.toInt32() & 0x1F));
1.108 + break;
1.109 + case MDefinition::Op_Add:
1.110 + ret.setNumber(lhs.toNumber() + rhs.toNumber());
1.111 + break;
1.112 + case MDefinition::Op_Sub:
1.113 + ret.setNumber(lhs.toNumber() - rhs.toNumber());
1.114 + break;
1.115 + case MDefinition::Op_Mul:
1.116 + ret.setNumber(lhs.toNumber() * rhs.toNumber());
1.117 + break;
1.118 + case MDefinition::Op_Div:
1.119 + ret.setNumber(NumberDiv(lhs.toNumber(), rhs.toNumber()));
1.120 + break;
1.121 + case MDefinition::Op_Mod:
1.122 + ret.setNumber(NumberMod(lhs.toNumber(), rhs.toNumber()));
1.123 + break;
1.124 + default:
1.125 + MOZ_ASSUME_UNREACHABLE("NYI");
1.126 + }
1.127 +
1.128 + // setNumber eagerly transforms a number to int32.
1.129 + // Transform back to double, if the output type is double.
1.130 + if (ins->type() == MIRType_Double && ret.isInt32())
1.131 + ret.setDouble(ret.toNumber());
1.132 +
1.133 + if (ins->type() != MIRTypeFromValue(ret)) {
1.134 + if (ptypeChange)
1.135 + *ptypeChange = true;
1.136 + return nullptr;
1.137 + }
1.138 +
1.139 + return MConstant::New(alloc, ret);
1.140 +}
1.141 +
1.142 +void
1.143 +MDefinition::printName(FILE *fp) const
1.144 +{
1.145 + PrintOpcodeName(fp, op());
1.146 + fprintf(fp, "%u", id());
1.147 +
1.148 + if (valueNumber() != 0)
1.149 + fprintf(fp, "-vn%u", valueNumber());
1.150 +}
1.151 +
1.152 +HashNumber
1.153 +MDefinition::valueHash() const
1.154 +{
1.155 + HashNumber out = op();
1.156 + for (size_t i = 0, e = numOperands(); i < e; i++) {
1.157 + uint32_t valueNumber = getOperand(i)->valueNumber();
1.158 + out = valueNumber + (out << 6) + (out << 16) - out;
1.159 + }
1.160 + return out;
1.161 +}
1.162 +
1.163 +bool
1.164 +MDefinition::congruentIfOperandsEqual(const MDefinition *ins) const
1.165 +{
1.166 + if (op() != ins->op())
1.167 + return false;
1.168 +
1.169 + if (type() != ins->type())
1.170 + return false;
1.171 +
1.172 + if (isEffectful() || ins->isEffectful())
1.173 + return false;
1.174 +
1.175 + if (numOperands() != ins->numOperands())
1.176 + return false;
1.177 +
1.178 + for (size_t i = 0, e = numOperands(); i < e; i++) {
1.179 + if (getOperand(i)->valueNumber() != ins->getOperand(i)->valueNumber())
1.180 + return false;
1.181 + }
1.182 +
1.183 + return true;
1.184 +}
1.185 +
1.186 +MDefinition *
1.187 +MDefinition::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.188 +{
1.189 + // In the default case, there are no constants to fold.
1.190 + return this;
1.191 +}
1.192 +
1.193 +void
1.194 +MDefinition::analyzeEdgeCasesForward()
1.195 +{
1.196 +}
1.197 +
1.198 +void
1.199 +MDefinition::analyzeEdgeCasesBackward()
1.200 +{
1.201 +}
1.202 +
1.203 +static bool
1.204 +MaybeEmulatesUndefined(MDefinition *op)
1.205 +{
1.206 + if (!op->mightBeType(MIRType_Object))
1.207 + return false;
1.208 +
1.209 + types::TemporaryTypeSet *types = op->resultTypeSet();
1.210 + if (!types)
1.211 + return true;
1.212 +
1.213 + return types->maybeEmulatesUndefined();
1.214 +}
1.215 +
1.216 +static bool
1.217 +MaybeCallable(MDefinition *op)
1.218 +{
1.219 + if (!op->mightBeType(MIRType_Object))
1.220 + return false;
1.221 +
1.222 + types::TemporaryTypeSet *types = op->resultTypeSet();
1.223 + if (!types)
1.224 + return true;
1.225 +
1.226 + return types->maybeCallable();
1.227 +}
1.228 +
1.229 +MTest *
1.230 +MTest::New(TempAllocator &alloc, MDefinition *ins, MBasicBlock *ifTrue, MBasicBlock *ifFalse)
1.231 +{
1.232 + return new(alloc) MTest(ins, ifTrue, ifFalse);
1.233 +}
1.234 +
1.235 +void
1.236 +MTest::infer()
1.237 +{
1.238 + JS_ASSERT(operandMightEmulateUndefined());
1.239 +
1.240 + if (!MaybeEmulatesUndefined(getOperand(0)))
1.241 + markOperandCantEmulateUndefined();
1.242 +}
1.243 +
1.244 +MDefinition *
1.245 +MTest::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.246 +{
1.247 + MDefinition *op = getOperand(0);
1.248 +
1.249 + if (op->isNot())
1.250 + return MTest::New(alloc, op->toNot()->operand(), ifFalse(), ifTrue());
1.251 +
1.252 + return this;
1.253 +}
1.254 +
1.255 +void
1.256 +MTest::filtersUndefinedOrNull(bool trueBranch, MDefinition **subject, bool *filtersUndefined,
1.257 + bool *filtersNull)
1.258 +{
1.259 + MDefinition *ins = getOperand(0);
1.260 + if (ins->isCompare()) {
1.261 + ins->toCompare()->filtersUndefinedOrNull(trueBranch, subject, filtersUndefined, filtersNull);
1.262 + return;
1.263 + }
1.264 +
1.265 + if (!trueBranch && ins->isNot()) {
1.266 + *subject = ins->getOperand(0);
1.267 + *filtersUndefined = *filtersNull = true;
1.268 + return;
1.269 + }
1.270 +
1.271 + if (trueBranch) {
1.272 + *subject = ins;
1.273 + *filtersUndefined = *filtersNull = true;
1.274 + return;
1.275 + }
1.276 +
1.277 + *filtersUndefined = *filtersNull = false;
1.278 + *subject = nullptr;
1.279 +}
1.280 +
1.281 +void
1.282 +MDefinition::printOpcode(FILE *fp) const
1.283 +{
1.284 + PrintOpcodeName(fp, op());
1.285 + for (size_t j = 0, e = numOperands(); j < e; j++) {
1.286 + fprintf(fp, " ");
1.287 + getOperand(j)->printName(fp);
1.288 + }
1.289 +}
1.290 +
1.291 +void
1.292 +MDefinition::dump(FILE *fp) const
1.293 +{
1.294 + printName(fp);
1.295 + fprintf(fp, " = ");
1.296 + printOpcode(fp);
1.297 + fprintf(fp, "\n");
1.298 +}
1.299 +
1.300 +void
1.301 +MDefinition::dump() const
1.302 +{
1.303 + dump(stderr);
1.304 +}
1.305 +
1.306 +size_t
1.307 +MDefinition::useCount() const
1.308 +{
1.309 + size_t count = 0;
1.310 + for (MUseIterator i(uses_.begin()); i != uses_.end(); i++)
1.311 + count++;
1.312 + return count;
1.313 +}
1.314 +
1.315 +size_t
1.316 +MDefinition::defUseCount() const
1.317 +{
1.318 + size_t count = 0;
1.319 + for (MUseIterator i(uses_.begin()); i != uses_.end(); i++)
1.320 + if ((*i)->consumer()->isDefinition())
1.321 + count++;
1.322 + return count;
1.323 +}
1.324 +
1.325 +bool
1.326 +MDefinition::hasOneUse() const
1.327 +{
1.328 + MUseIterator i(uses_.begin());
1.329 + if (i == uses_.end())
1.330 + return false;
1.331 + i++;
1.332 + return i == uses_.end();
1.333 +}
1.334 +
1.335 +bool
1.336 +MDefinition::hasOneDefUse() const
1.337 +{
1.338 + bool hasOneDefUse = false;
1.339 + for (MUseIterator i(uses_.begin()); i != uses_.end(); i++) {
1.340 + if (!(*i)->consumer()->isDefinition())
1.341 + continue;
1.342 +
1.343 + // We already have a definition use. So 1+
1.344 + if (hasOneDefUse)
1.345 + return false;
1.346 +
1.347 + // We saw one definition. Loop to test if there is another.
1.348 + hasOneDefUse = true;
1.349 + }
1.350 +
1.351 + return hasOneDefUse;
1.352 +}
1.353 +
1.354 +bool
1.355 +MDefinition::hasDefUses() const
1.356 +{
1.357 + for (MUseIterator i(uses_.begin()); i != uses_.end(); i++) {
1.358 + if ((*i)->consumer()->isDefinition())
1.359 + return true;
1.360 + }
1.361 +
1.362 + return false;
1.363 +}
1.364 +
1.365 +MUseIterator
1.366 +MDefinition::removeUse(MUseIterator use)
1.367 +{
1.368 + return uses_.removeAt(use);
1.369 +}
1.370 +
1.371 +MUseIterator
1.372 +MNode::replaceOperand(MUseIterator use, MDefinition *def)
1.373 +{
1.374 + JS_ASSERT(def != nullptr);
1.375 + uint32_t index = use->index();
1.376 + MDefinition *prev = use->producer();
1.377 +
1.378 + JS_ASSERT(use->index() < numOperands());
1.379 + JS_ASSERT(use->producer() == getOperand(index));
1.380 + JS_ASSERT(use->consumer() == this);
1.381 +
1.382 + if (prev == def)
1.383 + return use;
1.384 +
1.385 + MUseIterator result(prev->removeUse(use));
1.386 + setOperand(index, def);
1.387 + return result;
1.388 +}
1.389 +
1.390 +void
1.391 +MNode::replaceOperand(size_t index, MDefinition *def)
1.392 +{
1.393 + JS_ASSERT(def != nullptr);
1.394 + MUse *use = getUseFor(index);
1.395 + MDefinition *prev = use->producer();
1.396 +
1.397 + JS_ASSERT(use->index() == index);
1.398 + JS_ASSERT(use->index() < numOperands());
1.399 + JS_ASSERT(use->producer() == getOperand(index));
1.400 + JS_ASSERT(use->consumer() == this);
1.401 +
1.402 + if (prev == def)
1.403 + return;
1.404 +
1.405 + prev->removeUse(use);
1.406 + setOperand(index, def);
1.407 +}
1.408 +
1.409 +void
1.410 +MNode::discardOperand(size_t index)
1.411 +{
1.412 + MUse *use = getUseFor(index);
1.413 +
1.414 + JS_ASSERT(use->index() == index);
1.415 + JS_ASSERT(use->producer() == getOperand(index));
1.416 + JS_ASSERT(use->consumer() == this);
1.417 +
1.418 + use->producer()->removeUse(use);
1.419 +
1.420 +#ifdef DEBUG
1.421 + // Causes any producer/consumer lookups to trip asserts.
1.422 + use->set(nullptr, nullptr, index);
1.423 +#endif
1.424 +}
1.425 +
1.426 +void
1.427 +MDefinition::replaceAllUsesWith(MDefinition *dom)
1.428 +{
1.429 + JS_ASSERT(dom != nullptr);
1.430 + if (dom == this)
1.431 + return;
1.432 +
1.433 + for (size_t i = 0, e = numOperands(); i < e; i++)
1.434 + getOperand(i)->setUseRemovedUnchecked();
1.435 +
1.436 + for (MUseIterator i(usesBegin()); i != usesEnd(); ) {
1.437 + JS_ASSERT(i->producer() == this);
1.438 + i = i->consumer()->replaceOperand(i, dom);
1.439 + }
1.440 +}
1.441 +
1.442 +bool
1.443 +MDefinition::emptyResultTypeSet() const
1.444 +{
1.445 + return resultTypeSet() && resultTypeSet()->empty();
1.446 +}
1.447 +
1.448 +MConstant *
1.449 +MConstant::New(TempAllocator &alloc, const Value &v, types::CompilerConstraintList *constraints)
1.450 +{
1.451 + return new(alloc) MConstant(v, constraints);
1.452 +}
1.453 +
1.454 +MConstant *
1.455 +MConstant::NewAsmJS(TempAllocator &alloc, const Value &v, MIRType type)
1.456 +{
1.457 + MConstant *constant = new(alloc) MConstant(v, nullptr);
1.458 + constant->setResultType(type);
1.459 + return constant;
1.460 +}
1.461 +
1.462 +types::TemporaryTypeSet *
1.463 +jit::MakeSingletonTypeSet(types::CompilerConstraintList *constraints, JSObject *obj)
1.464 +{
1.465 + // Invalidate when this object's TypeObject gets unknown properties. This
1.466 + // happens for instance when we mutate an object's __proto__, in this case
1.467 + // we want to invalidate and mark this TypeSet as containing AnyObject
1.468 + // (because mutating __proto__ will change an object's TypeObject).
1.469 + JS_ASSERT(constraints);
1.470 + types::TypeObjectKey *objType = types::TypeObjectKey::get(obj);
1.471 + objType->hasFlags(constraints, types::OBJECT_FLAG_UNKNOWN_PROPERTIES);
1.472 +
1.473 + return GetIonContext()->temp->lifoAlloc()->new_<types::TemporaryTypeSet>(types::Type::ObjectType(obj));
1.474 +}
1.475 +
1.476 +MConstant::MConstant(const js::Value &vp, types::CompilerConstraintList *constraints)
1.477 + : value_(vp)
1.478 +{
1.479 + setResultType(MIRTypeFromValue(vp));
1.480 + if (vp.isObject()) {
1.481 + // Create a singleton type set for the object. This isn't necessary for
1.482 + // other types as the result type encodes all needed information.
1.483 + setResultTypeSet(MakeSingletonTypeSet(constraints, &vp.toObject()));
1.484 + }
1.485 +
1.486 + setMovable();
1.487 +}
1.488 +
1.489 +HashNumber
1.490 +MConstant::valueHash() const
1.491 +{
1.492 + // This disregards some state, since values are 64 bits. But for a hash,
1.493 + // it's completely acceptable.
1.494 + return (HashNumber)JSVAL_TO_IMPL(value_).asBits;
1.495 +}
1.496 +bool
1.497 +MConstant::congruentTo(const MDefinition *ins) const
1.498 +{
1.499 + if (!ins->isConstant())
1.500 + return false;
1.501 + return ins->toConstant()->value() == value();
1.502 +}
1.503 +
1.504 +void
1.505 +MConstant::printOpcode(FILE *fp) const
1.506 +{
1.507 + PrintOpcodeName(fp, op());
1.508 + fprintf(fp, " ");
1.509 + switch (type()) {
1.510 + case MIRType_Undefined:
1.511 + fprintf(fp, "undefined");
1.512 + break;
1.513 + case MIRType_Null:
1.514 + fprintf(fp, "null");
1.515 + break;
1.516 + case MIRType_Boolean:
1.517 + fprintf(fp, value().toBoolean() ? "true" : "false");
1.518 + break;
1.519 + case MIRType_Int32:
1.520 + fprintf(fp, "0x%x", value().toInt32());
1.521 + break;
1.522 + case MIRType_Double:
1.523 + fprintf(fp, "%f", value().toDouble());
1.524 + break;
1.525 + case MIRType_Float32:
1.526 + {
1.527 + float val = value().toDouble();
1.528 + fprintf(fp, "%f", val);
1.529 + break;
1.530 + }
1.531 + case MIRType_Object:
1.532 + if (value().toObject().is<JSFunction>()) {
1.533 + JSFunction *fun = &value().toObject().as<JSFunction>();
1.534 + if (fun->displayAtom()) {
1.535 + fputs("function ", fp);
1.536 + FileEscapedString(fp, fun->displayAtom(), 0);
1.537 + } else {
1.538 + fputs("unnamed function", fp);
1.539 + }
1.540 + if (fun->hasScript()) {
1.541 + JSScript *script = fun->nonLazyScript();
1.542 + fprintf(fp, " (%s:%d)",
1.543 + script->filename() ? script->filename() : "", (int) script->lineno());
1.544 + }
1.545 + fprintf(fp, " at %p", (void *) fun);
1.546 + break;
1.547 + }
1.548 + fprintf(fp, "object %p (%s)", (void *)&value().toObject(),
1.549 + value().toObject().getClass()->name);
1.550 + break;
1.551 + case MIRType_String:
1.552 + fprintf(fp, "string %p", (void *)value().toString());
1.553 + break;
1.554 + case MIRType_MagicOptimizedArguments:
1.555 + fprintf(fp, "magic lazyargs");
1.556 + break;
1.557 + case MIRType_MagicHole:
1.558 + fprintf(fp, "magic hole");
1.559 + break;
1.560 + case MIRType_MagicIsConstructing:
1.561 + fprintf(fp, "magic is-constructing");
1.562 + break;
1.563 + case MIRType_MagicOptimizedOut:
1.564 + fprintf(fp, "magic optimized-out");
1.565 + break;
1.566 + default:
1.567 + MOZ_ASSUME_UNREACHABLE("unexpected type");
1.568 + }
1.569 +}
1.570 +
1.571 +bool
1.572 +MConstant::canProduceFloat32() const
1.573 +{
1.574 + if (!IsNumberType(type()))
1.575 + return false;
1.576 +
1.577 + if (type() == MIRType_Int32)
1.578 + return IsFloat32Representable(static_cast<double>(value_.toInt32()));
1.579 + if (type() == MIRType_Double)
1.580 + return IsFloat32Representable(value_.toDouble());
1.581 + return true;
1.582 +}
1.583 +
1.584 +MCloneLiteral *
1.585 +MCloneLiteral::New(TempAllocator &alloc, MDefinition *obj)
1.586 +{
1.587 + return new(alloc) MCloneLiteral(obj);
1.588 +}
1.589 +
1.590 +void
1.591 +MControlInstruction::printOpcode(FILE *fp) const
1.592 +{
1.593 + MDefinition::printOpcode(fp);
1.594 + for (size_t j = 0; j < numSuccessors(); j++)
1.595 + fprintf(fp, " block%d", getSuccessor(j)->id());
1.596 +}
1.597 +
1.598 +void
1.599 +MCompare::printOpcode(FILE *fp) const
1.600 +{
1.601 + MDefinition::printOpcode(fp);
1.602 + fprintf(fp, " %s", js_CodeName[jsop()]);
1.603 +}
1.604 +
1.605 +void
1.606 +MConstantElements::printOpcode(FILE *fp) const
1.607 +{
1.608 + PrintOpcodeName(fp, op());
1.609 + fprintf(fp, " %p", value());
1.610 +}
1.611 +
1.612 +void
1.613 +MLoadTypedArrayElement::printOpcode(FILE *fp) const
1.614 +{
1.615 + MDefinition::printOpcode(fp);
1.616 + fprintf(fp, " %s", ScalarTypeDescr::typeName(arrayType()));
1.617 +}
1.618 +
1.619 +void
1.620 +MAssertRange::printOpcode(FILE *fp) const
1.621 +{
1.622 + MDefinition::printOpcode(fp);
1.623 + Sprinter sp(GetIonContext()->cx);
1.624 + sp.init();
1.625 + assertedRange()->print(sp);
1.626 + fprintf(fp, " %s", sp.string());
1.627 +}
1.628 +
1.629 +const char *
1.630 +MMathFunction::FunctionName(Function function)
1.631 +{
1.632 + switch (function) {
1.633 + case Log: return "Log";
1.634 + case Sin: return "Sin";
1.635 + case Cos: return "Cos";
1.636 + case Exp: return "Exp";
1.637 + case Tan: return "Tan";
1.638 + case ACos: return "ACos";
1.639 + case ASin: return "ASin";
1.640 + case ATan: return "ATan";
1.641 + case Log10: return "Log10";
1.642 + case Log2: return "Log2";
1.643 + case Log1P: return "Log1P";
1.644 + case ExpM1: return "ExpM1";
1.645 + case CosH: return "CosH";
1.646 + case SinH: return "SinH";
1.647 + case TanH: return "TanH";
1.648 + case ACosH: return "ACosH";
1.649 + case ASinH: return "ASinH";
1.650 + case ATanH: return "ATanH";
1.651 + case Sign: return "Sign";
1.652 + case Trunc: return "Trunc";
1.653 + case Cbrt: return "Cbrt";
1.654 + case Floor: return "Floor";
1.655 + case Ceil: return "Ceil";
1.656 + case Round: return "Round";
1.657 + default:
1.658 + MOZ_ASSUME_UNREACHABLE("Unknown math function");
1.659 + }
1.660 +}
1.661 +
1.662 +void
1.663 +MMathFunction::printOpcode(FILE *fp) const
1.664 +{
1.665 + MDefinition::printOpcode(fp);
1.666 + fprintf(fp, " %s", FunctionName(function()));
1.667 +}
1.668 +
1.669 +MParameter *
1.670 +MParameter::New(TempAllocator &alloc, int32_t index, types::TemporaryTypeSet *types)
1.671 +{
1.672 + return new(alloc) MParameter(index, types);
1.673 +}
1.674 +
1.675 +void
1.676 +MParameter::printOpcode(FILE *fp) const
1.677 +{
1.678 + PrintOpcodeName(fp, op());
1.679 + fprintf(fp, " %d", index());
1.680 +}
1.681 +
1.682 +HashNumber
1.683 +MParameter::valueHash() const
1.684 +{
1.685 + return index_; // Why not?
1.686 +}
1.687 +
1.688 +bool
1.689 +MParameter::congruentTo(const MDefinition *ins) const
1.690 +{
1.691 + if (!ins->isParameter())
1.692 + return false;
1.693 +
1.694 + return ins->toParameter()->index() == index_;
1.695 +}
1.696 +
1.697 +MCall *
1.698 +MCall::New(TempAllocator &alloc, JSFunction *target, size_t maxArgc, size_t numActualArgs,
1.699 + bool construct, bool isDOMCall)
1.700 +{
1.701 + JS_ASSERT(maxArgc >= numActualArgs);
1.702 + MCall *ins;
1.703 + if (isDOMCall) {
1.704 + JS_ASSERT(!construct);
1.705 + ins = new(alloc) MCallDOMNative(target, numActualArgs);
1.706 + } else {
1.707 + ins = new(alloc) MCall(target, numActualArgs, construct);
1.708 + }
1.709 + if (!ins->init(alloc, maxArgc + NumNonArgumentOperands))
1.710 + return nullptr;
1.711 + return ins;
1.712 +}
1.713 +
1.714 +AliasSet
1.715 +MCallDOMNative::getAliasSet() const
1.716 +{
1.717 + const JSJitInfo *jitInfo = getJitInfo();
1.718 +
1.719 + JS_ASSERT(jitInfo->aliasSet() != JSJitInfo::AliasNone);
1.720 + // If we don't know anything about the types of our arguments, we have to
1.721 + // assume that type-coercions can have side-effects, so we need to alias
1.722 + // everything.
1.723 + if (jitInfo->aliasSet() != JSJitInfo::AliasDOMSets || !jitInfo->isTypedMethodJitInfo())
1.724 + return AliasSet::Store(AliasSet::Any);
1.725 +
1.726 + uint32_t argIndex = 0;
1.727 + const JSTypedMethodJitInfo *methodInfo =
1.728 + reinterpret_cast<const JSTypedMethodJitInfo*>(jitInfo);
1.729 + for (const JSJitInfo::ArgType *argType = methodInfo->argTypes;
1.730 + *argType != JSJitInfo::ArgTypeListEnd;
1.731 + ++argType, ++argIndex)
1.732 + {
1.733 + if (argIndex >= numActualArgs()) {
1.734 + // Passing through undefined can't have side-effects
1.735 + continue;
1.736 + }
1.737 + // getArg(0) is "this", so skip it
1.738 + MDefinition *arg = getArg(argIndex+1);
1.739 + MIRType actualType = arg->type();
1.740 + // The only way to reliably avoid side-effects given the informtion we
1.741 + // have here is if we're passing in a known primitive value to an
1.742 + // argument that expects a primitive value. XXXbz maybe we need to
1.743 + // communicate better information. For example, a sequence argument
1.744 + // will sort of unavoidably have side effects, while a typed array
1.745 + // argument won't have any, but both are claimed to be
1.746 + // JSJitInfo::Object.
1.747 + if ((actualType == MIRType_Value || actualType == MIRType_Object) ||
1.748 + (*argType & JSJitInfo::Object))
1.749 + {
1.750 + return AliasSet::Store(AliasSet::Any);
1.751 + }
1.752 + }
1.753 +
1.754 + // We checked all the args, and they check out. So we only
1.755 + // alias DOM mutations.
1.756 + return AliasSet::Load(AliasSet::DOMProperty);
1.757 +}
1.758 +
1.759 +void
1.760 +MCallDOMNative::computeMovable()
1.761 +{
1.762 + // We are movable if the jitinfo says we can be and if we're also not
1.763 + // effectful. The jitinfo can't check for the latter, since it depends on
1.764 + // the types of our arguments.
1.765 + const JSJitInfo *jitInfo = getJitInfo();
1.766 +
1.767 + JS_ASSERT_IF(jitInfo->isMovable,
1.768 + jitInfo->aliasSet() != JSJitInfo::AliasEverything);
1.769 +
1.770 + if (jitInfo->isMovable && !isEffectful())
1.771 + setMovable();
1.772 +}
1.773 +
1.774 +bool
1.775 +MCallDOMNative::congruentTo(const MDefinition *ins) const
1.776 +{
1.777 + if (!isMovable())
1.778 + return false;
1.779 +
1.780 + if (!ins->isCall())
1.781 + return false;
1.782 +
1.783 + const MCall *call = ins->toCall();
1.784 +
1.785 + if (!call->isCallDOMNative())
1.786 + return false;
1.787 +
1.788 + if (getSingleTarget() != call->getSingleTarget())
1.789 + return false;
1.790 +
1.791 + if (isConstructing() != call->isConstructing())
1.792 + return false;
1.793 +
1.794 + if (numActualArgs() != call->numActualArgs())
1.795 + return false;
1.796 +
1.797 + if (needsArgCheck() != call->needsArgCheck())
1.798 + return false;
1.799 +
1.800 + if (!congruentIfOperandsEqual(call))
1.801 + return false;
1.802 +
1.803 + // The other call had better be movable at this point!
1.804 + JS_ASSERT(call->isMovable());
1.805 +
1.806 + return true;
1.807 +}
1.808 +
1.809 +const JSJitInfo *
1.810 +MCallDOMNative::getJitInfo() const
1.811 +{
1.812 + JS_ASSERT(getSingleTarget() && getSingleTarget()->isNative());
1.813 +
1.814 + const JSJitInfo *jitInfo = getSingleTarget()->jitInfo();
1.815 + JS_ASSERT(jitInfo);
1.816 +
1.817 + return jitInfo;
1.818 +}
1.819 +
1.820 +MApplyArgs *
1.821 +MApplyArgs::New(TempAllocator &alloc, JSFunction *target, MDefinition *fun, MDefinition *argc,
1.822 + MDefinition *self)
1.823 +{
1.824 + return new(alloc) MApplyArgs(target, fun, argc, self);
1.825 +}
1.826 +
1.827 +MDefinition*
1.828 +MStringLength::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.829 +{
1.830 + if ((type() == MIRType_Int32) && (string()->isConstant())) {
1.831 + Value value = string()->toConstant()->value();
1.832 + JSAtom *atom = &value.toString()->asAtom();
1.833 + return MConstant::New(alloc, Int32Value(atom->length()));
1.834 + }
1.835 +
1.836 + return this;
1.837 +}
1.838 +
1.839 +void
1.840 +MFloor::trySpecializeFloat32(TempAllocator &alloc)
1.841 +{
1.842 + // No need to look at the output, as it's an integer (see IonBuilder::inlineMathFloor)
1.843 + if (!input()->canProduceFloat32()) {
1.844 + if (input()->type() == MIRType_Float32)
1.845 + ConvertDefinitionToDouble<0>(alloc, input(), this);
1.846 + return;
1.847 + }
1.848 +
1.849 + if (type() == MIRType_Double)
1.850 + setResultType(MIRType_Float32);
1.851 +
1.852 + setPolicyType(MIRType_Float32);
1.853 +}
1.854 +
1.855 +void
1.856 +MRound::trySpecializeFloat32(TempAllocator &alloc)
1.857 +{
1.858 + // No need to look at the output, as it's an integer (unique way to have
1.859 + // this instruction in IonBuilder::inlineMathRound)
1.860 + JS_ASSERT(type() == MIRType_Int32);
1.861 +
1.862 + if (!input()->canProduceFloat32()) {
1.863 + if (input()->type() == MIRType_Float32)
1.864 + ConvertDefinitionToDouble<0>(alloc, input(), this);
1.865 + return;
1.866 + }
1.867 +
1.868 + setPolicyType(MIRType_Float32);
1.869 +}
1.870 +
1.871 +MCompare *
1.872 +MCompare::New(TempAllocator &alloc, MDefinition *left, MDefinition *right, JSOp op)
1.873 +{
1.874 + return new(alloc) MCompare(left, right, op);
1.875 +}
1.876 +
1.877 +MCompare *
1.878 +MCompare::NewAsmJS(TempAllocator &alloc, MDefinition *left, MDefinition *right, JSOp op,
1.879 + CompareType compareType)
1.880 +{
1.881 + JS_ASSERT(compareType == Compare_Int32 || compareType == Compare_UInt32 ||
1.882 + compareType == Compare_Double || compareType == Compare_Float32);
1.883 + MCompare *comp = new(alloc) MCompare(left, right, op);
1.884 + comp->compareType_ = compareType;
1.885 + comp->operandMightEmulateUndefined_ = false;
1.886 + comp->setResultType(MIRType_Int32);
1.887 + return comp;
1.888 +}
1.889 +
1.890 +MTableSwitch *
1.891 +MTableSwitch::New(TempAllocator &alloc, MDefinition *ins, int32_t low, int32_t high)
1.892 +{
1.893 + return new(alloc) MTableSwitch(alloc, ins, low, high);
1.894 +}
1.895 +
1.896 +MGoto *
1.897 +MGoto::New(TempAllocator &alloc, MBasicBlock *target)
1.898 +{
1.899 + JS_ASSERT(target);
1.900 + return new(alloc) MGoto(target);
1.901 +}
1.902 +
1.903 +void
1.904 +MUnbox::printOpcode(FILE *fp) const
1.905 +{
1.906 + PrintOpcodeName(fp, op());
1.907 + fprintf(fp, " ");
1.908 + getOperand(0)->printName(fp);
1.909 + fprintf(fp, " ");
1.910 +
1.911 + switch (type()) {
1.912 + case MIRType_Int32: fprintf(fp, "to Int32"); break;
1.913 + case MIRType_Double: fprintf(fp, "to Double"); break;
1.914 + case MIRType_Boolean: fprintf(fp, "to Boolean"); break;
1.915 + case MIRType_String: fprintf(fp, "to String"); break;
1.916 + case MIRType_Object: fprintf(fp, "to Object"); break;
1.917 + default: break;
1.918 + }
1.919 +
1.920 + switch (mode()) {
1.921 + case Fallible: fprintf(fp, " (fallible)"); break;
1.922 + case Infallible: fprintf(fp, " (infallible)"); break;
1.923 + case TypeBarrier: fprintf(fp, " (typebarrier)"); break;
1.924 + default: break;
1.925 + }
1.926 +}
1.927 +
1.928 +void
1.929 +MTypeBarrier::printOpcode(FILE *fp) const
1.930 +{
1.931 + PrintOpcodeName(fp, op());
1.932 + fprintf(fp, " ");
1.933 + getOperand(0)->printName(fp);
1.934 +}
1.935 +
1.936 +void
1.937 +MPhi::removeOperand(size_t index)
1.938 +{
1.939 + MUse *use = getUseFor(index);
1.940 +
1.941 + JS_ASSERT(index < inputs_.length());
1.942 + JS_ASSERT(inputs_.length() > 1);
1.943 +
1.944 + JS_ASSERT(use->index() == index);
1.945 + JS_ASSERT(use->producer() == getOperand(index));
1.946 + JS_ASSERT(use->consumer() == this);
1.947 +
1.948 + // Remove use from producer's use chain.
1.949 + use->producer()->removeUse(use);
1.950 +
1.951 + // If we have phi(..., a, b, c, d, ..., z) and we plan
1.952 + // on removing a, then first shift downward so that we have
1.953 + // phi(..., b, c, d, ..., z, z):
1.954 + size_t length = inputs_.length();
1.955 + for (size_t i = index; i < length - 1; i++) {
1.956 + MUse *next = MPhi::getUseFor(i + 1);
1.957 + next->producer()->removeUse(next);
1.958 + MPhi::setOperand(i, next->producer());
1.959 + }
1.960 +
1.961 + // truncate the inputs_ list:
1.962 + inputs_.shrinkBy(1);
1.963 +}
1.964 +
1.965 +MDefinition *
1.966 +MPhi::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.967 +{
1.968 + JS_ASSERT(!inputs_.empty());
1.969 +
1.970 + MDefinition *first = getOperand(0);
1.971 +
1.972 + for (size_t i = 1; i < inputs_.length(); i++) {
1.973 + // Phis need dominator information to fold based on value numbers. For
1.974 + // simplicity, we only compare SSA names right now (bug 714727).
1.975 + if (!EqualValues(false, getOperand(i), first))
1.976 + return this;
1.977 + }
1.978 +
1.979 + return first;
1.980 +}
1.981 +
1.982 +bool
1.983 +MPhi::congruentTo(const MDefinition *ins) const
1.984 +{
1.985 + if (!ins->isPhi())
1.986 + return false;
1.987 + // Since we do not know which predecessor we are merging from, we must
1.988 + // assume that phi instructions in different blocks are not equal.
1.989 + // (Bug 674656)
1.990 + if (ins->block()->id() != block()->id())
1.991 + return false;
1.992 +
1.993 + return congruentIfOperandsEqual(ins);
1.994 +}
1.995 +
1.996 +bool
1.997 +MPhi::reserveLength(size_t length)
1.998 +{
1.999 + // Initializes a new MPhi to have an Operand vector of at least the given
1.1000 + // capacity. This permits use of addInput() instead of addInputSlow(), the
1.1001 + // latter of which may call realloc_().
1.1002 + JS_ASSERT(numOperands() == 0);
1.1003 +#if DEBUG
1.1004 + capacity_ = length;
1.1005 +#endif
1.1006 + return inputs_.reserve(length);
1.1007 +}
1.1008 +
1.1009 +static inline types::TemporaryTypeSet *
1.1010 +MakeMIRTypeSet(MIRType type)
1.1011 +{
1.1012 + JS_ASSERT(type != MIRType_Value);
1.1013 + types::Type ntype = type == MIRType_Object
1.1014 + ? types::Type::AnyObjectType()
1.1015 + : types::Type::PrimitiveType(ValueTypeFromMIRType(type));
1.1016 + return GetIonContext()->temp->lifoAlloc()->new_<types::TemporaryTypeSet>(ntype);
1.1017 +}
1.1018 +
1.1019 +bool
1.1020 +jit::MergeTypes(MIRType *ptype, types::TemporaryTypeSet **ptypeSet,
1.1021 + MIRType newType, types::TemporaryTypeSet *newTypeSet)
1.1022 +{
1.1023 + if (newTypeSet && newTypeSet->empty())
1.1024 + return true;
1.1025 + if (newType != *ptype) {
1.1026 + if (IsNumberType(newType) && IsNumberType(*ptype)) {
1.1027 + *ptype = MIRType_Double;
1.1028 + } else if (*ptype != MIRType_Value) {
1.1029 + if (!*ptypeSet) {
1.1030 + *ptypeSet = MakeMIRTypeSet(*ptype);
1.1031 + if (!*ptypeSet)
1.1032 + return false;
1.1033 + }
1.1034 + *ptype = MIRType_Value;
1.1035 + } else if (*ptypeSet && (*ptypeSet)->empty()) {
1.1036 + *ptype = newType;
1.1037 + }
1.1038 + }
1.1039 + if (*ptypeSet) {
1.1040 + LifoAlloc *alloc = GetIonContext()->temp->lifoAlloc();
1.1041 + if (!newTypeSet && newType != MIRType_Value) {
1.1042 + newTypeSet = MakeMIRTypeSet(newType);
1.1043 + if (!newTypeSet)
1.1044 + return false;
1.1045 + }
1.1046 + if (newTypeSet) {
1.1047 + if (!newTypeSet->isSubset(*ptypeSet))
1.1048 + *ptypeSet = types::TypeSet::unionSets(*ptypeSet, newTypeSet, alloc);
1.1049 + } else {
1.1050 + *ptypeSet = nullptr;
1.1051 + }
1.1052 + }
1.1053 + return true;
1.1054 +}
1.1055 +
1.1056 +bool
1.1057 +MPhi::specializeType()
1.1058 +{
1.1059 +#ifdef DEBUG
1.1060 + JS_ASSERT(!specialized_);
1.1061 + specialized_ = true;
1.1062 +#endif
1.1063 +
1.1064 + JS_ASSERT(!inputs_.empty());
1.1065 +
1.1066 + size_t start;
1.1067 + if (hasBackedgeType_) {
1.1068 + // The type of this phi has already been populated with potential types
1.1069 + // that could come in via loop backedges.
1.1070 + start = 0;
1.1071 + } else {
1.1072 + setResultType(getOperand(0)->type());
1.1073 + setResultTypeSet(getOperand(0)->resultTypeSet());
1.1074 + start = 1;
1.1075 + }
1.1076 +
1.1077 + MIRType resultType = this->type();
1.1078 + types::TemporaryTypeSet *resultTypeSet = this->resultTypeSet();
1.1079 +
1.1080 + for (size_t i = start; i < inputs_.length(); i++) {
1.1081 + MDefinition *def = getOperand(i);
1.1082 + if (!MergeTypes(&resultType, &resultTypeSet, def->type(), def->resultTypeSet()))
1.1083 + return false;
1.1084 + }
1.1085 +
1.1086 + setResultType(resultType);
1.1087 + setResultTypeSet(resultTypeSet);
1.1088 + return true;
1.1089 +}
1.1090 +
1.1091 +bool
1.1092 +MPhi::addBackedgeType(MIRType type, types::TemporaryTypeSet *typeSet)
1.1093 +{
1.1094 + JS_ASSERT(!specialized_);
1.1095 +
1.1096 + if (hasBackedgeType_) {
1.1097 + MIRType resultType = this->type();
1.1098 + types::TemporaryTypeSet *resultTypeSet = this->resultTypeSet();
1.1099 +
1.1100 + if (!MergeTypes(&resultType, &resultTypeSet, type, typeSet))
1.1101 + return false;
1.1102 +
1.1103 + setResultType(resultType);
1.1104 + setResultTypeSet(resultTypeSet);
1.1105 + } else {
1.1106 + setResultType(type);
1.1107 + setResultTypeSet(typeSet);
1.1108 + hasBackedgeType_ = true;
1.1109 + }
1.1110 + return true;
1.1111 +}
1.1112 +
1.1113 +bool
1.1114 +MPhi::typeIncludes(MDefinition *def)
1.1115 +{
1.1116 + if (def->type() == MIRType_Int32 && this->type() == MIRType_Double)
1.1117 + return true;
1.1118 +
1.1119 + if (types::TemporaryTypeSet *types = def->resultTypeSet()) {
1.1120 + if (this->resultTypeSet())
1.1121 + return types->isSubset(this->resultTypeSet());
1.1122 + if (this->type() == MIRType_Value || types->empty())
1.1123 + return true;
1.1124 + return this->type() == types->getKnownMIRType();
1.1125 + }
1.1126 +
1.1127 + if (def->type() == MIRType_Value) {
1.1128 + // This phi must be able to be any value.
1.1129 + return this->type() == MIRType_Value
1.1130 + && (!this->resultTypeSet() || this->resultTypeSet()->unknown());
1.1131 + }
1.1132 +
1.1133 + return this->mightBeType(def->type());
1.1134 +}
1.1135 +
1.1136 +void
1.1137 +MPhi::addInput(MDefinition *ins)
1.1138 +{
1.1139 + // This can only been done if the length was reserved through reserveLength,
1.1140 + // else the slower addInputSlow need to get called.
1.1141 + JS_ASSERT(inputs_.length() < capacity_);
1.1142 +
1.1143 + uint32_t index = inputs_.length();
1.1144 + inputs_.append(MUse());
1.1145 + MPhi::setOperand(index, ins);
1.1146 +}
1.1147 +
1.1148 +bool
1.1149 +MPhi::addInputSlow(MDefinition *ins, bool *ptypeChange)
1.1150 +{
1.1151 + // The list of inputs to an MPhi is given as a vector of MUse nodes,
1.1152 + // each of which is in the list of the producer MDefinition.
1.1153 + // Because appending to a vector may reallocate the vector, it is possible
1.1154 + // that this operation may cause the producers' linked lists to reference
1.1155 + // invalid memory. Therefore, in the event of moving reallocation, each
1.1156 + // MUse must be removed and reinserted from/into its producer's use chain.
1.1157 + uint32_t index = inputs_.length();
1.1158 + bool performingRealloc = !inputs_.canAppendWithoutRealloc(1);
1.1159 +
1.1160 + // Remove all MUses from all use lists, in case realloc_() moves.
1.1161 + if (performingRealloc) {
1.1162 + for (uint32_t i = 0; i < index; i++) {
1.1163 + MUse *use = &inputs_[i];
1.1164 + use->producer()->removeUse(use);
1.1165 + }
1.1166 + }
1.1167 +
1.1168 + // Insert the new input.
1.1169 + if (!inputs_.append(MUse()))
1.1170 + return false;
1.1171 +
1.1172 + MPhi::setOperand(index, ins);
1.1173 +
1.1174 + if (ptypeChange) {
1.1175 + MIRType resultType = this->type();
1.1176 + types::TemporaryTypeSet *resultTypeSet = this->resultTypeSet();
1.1177 +
1.1178 + if (!MergeTypes(&resultType, &resultTypeSet, ins->type(), ins->resultTypeSet()))
1.1179 + return false;
1.1180 +
1.1181 + if (resultType != this->type() || resultTypeSet != this->resultTypeSet()) {
1.1182 + *ptypeChange = true;
1.1183 + setResultType(resultType);
1.1184 + setResultTypeSet(resultTypeSet);
1.1185 + }
1.1186 + }
1.1187 +
1.1188 + // Add all previously-removed MUses back.
1.1189 + if (performingRealloc) {
1.1190 + for (uint32_t i = 0; i < index; i++) {
1.1191 + MUse *use = &inputs_[i];
1.1192 + use->producer()->addUse(use);
1.1193 + }
1.1194 + }
1.1195 +
1.1196 + return true;
1.1197 +}
1.1198 +
1.1199 +void
1.1200 +MCall::addArg(size_t argnum, MDefinition *arg)
1.1201 +{
1.1202 + // The operand vector is initialized in reverse order by the IonBuilder.
1.1203 + // It cannot be checked for consistency until all arguments are added.
1.1204 + setOperand(argnum + NumNonArgumentOperands, arg);
1.1205 +}
1.1206 +
1.1207 +void
1.1208 +MBitNot::infer()
1.1209 +{
1.1210 + if (getOperand(0)->mightBeType(MIRType_Object))
1.1211 + specialization_ = MIRType_None;
1.1212 + else
1.1213 + specialization_ = MIRType_Int32;
1.1214 +}
1.1215 +
1.1216 +static inline bool
1.1217 +IsConstant(MDefinition *def, double v)
1.1218 +{
1.1219 + if (!def->isConstant())
1.1220 + return false;
1.1221 +
1.1222 + return NumbersAreIdentical(def->toConstant()->value().toNumber(), v);
1.1223 +}
1.1224 +
1.1225 +MDefinition *
1.1226 +MBinaryBitwiseInstruction::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.1227 +{
1.1228 + if (specialization_ != MIRType_Int32)
1.1229 + return this;
1.1230 +
1.1231 + if (MDefinition *folded = EvaluateConstantOperands(alloc, this))
1.1232 + return folded;
1.1233 +
1.1234 + return this;
1.1235 +}
1.1236 +
1.1237 +MDefinition *
1.1238 +MBinaryBitwiseInstruction::foldUnnecessaryBitop()
1.1239 +{
1.1240 + if (specialization_ != MIRType_Int32)
1.1241 + return this;
1.1242 +
1.1243 + // Eliminate bitwise operations that are no-ops when used on integer
1.1244 + // inputs, such as (x | 0).
1.1245 +
1.1246 + MDefinition *lhs = getOperand(0);
1.1247 + MDefinition *rhs = getOperand(1);
1.1248 +
1.1249 + if (IsConstant(lhs, 0))
1.1250 + return foldIfZero(0);
1.1251 +
1.1252 + if (IsConstant(rhs, 0))
1.1253 + return foldIfZero(1);
1.1254 +
1.1255 + if (IsConstant(lhs, -1))
1.1256 + return foldIfNegOne(0);
1.1257 +
1.1258 + if (IsConstant(rhs, -1))
1.1259 + return foldIfNegOne(1);
1.1260 +
1.1261 + if (EqualValues(false, lhs, rhs))
1.1262 + return foldIfEqual();
1.1263 +
1.1264 + return this;
1.1265 +}
1.1266 +
1.1267 +void
1.1268 +MBinaryBitwiseInstruction::infer(BaselineInspector *, jsbytecode *)
1.1269 +{
1.1270 + if (getOperand(0)->mightBeType(MIRType_Object) || getOperand(1)->mightBeType(MIRType_Object))
1.1271 + specialization_ = MIRType_None;
1.1272 + else
1.1273 + specializeAsInt32();
1.1274 +}
1.1275 +
1.1276 +void
1.1277 +MBinaryBitwiseInstruction::specializeAsInt32()
1.1278 +{
1.1279 + specialization_ = MIRType_Int32;
1.1280 + JS_ASSERT(type() == MIRType_Int32);
1.1281 +
1.1282 + if (isBitOr() || isBitAnd() || isBitXor())
1.1283 + setCommutative();
1.1284 +}
1.1285 +
1.1286 +void
1.1287 +MShiftInstruction::infer(BaselineInspector *, jsbytecode *)
1.1288 +{
1.1289 + if (getOperand(0)->mightBeType(MIRType_Object) || getOperand(1)->mightBeType(MIRType_Object))
1.1290 + specialization_ = MIRType_None;
1.1291 + else
1.1292 + specialization_ = MIRType_Int32;
1.1293 +}
1.1294 +
1.1295 +void
1.1296 +MUrsh::infer(BaselineInspector *inspector, jsbytecode *pc)
1.1297 +{
1.1298 + if (getOperand(0)->mightBeType(MIRType_Object) || getOperand(1)->mightBeType(MIRType_Object)) {
1.1299 + specialization_ = MIRType_None;
1.1300 + setResultType(MIRType_Value);
1.1301 + return;
1.1302 + }
1.1303 +
1.1304 + if (inspector->hasSeenDoubleResult(pc)) {
1.1305 + specialization_ = MIRType_Double;
1.1306 + setResultType(MIRType_Double);
1.1307 + return;
1.1308 + }
1.1309 +
1.1310 + specialization_ = MIRType_Int32;
1.1311 + setResultType(MIRType_Int32);
1.1312 +}
1.1313 +
1.1314 +static inline bool
1.1315 +NeedNegativeZeroCheck(MDefinition *def)
1.1316 +{
1.1317 + // Test if all uses have the same semantics for -0 and 0
1.1318 + for (MUseIterator use = def->usesBegin(); use != def->usesEnd(); use++) {
1.1319 + if (use->consumer()->isResumePoint())
1.1320 + continue;
1.1321 +
1.1322 + MDefinition *use_def = use->consumer()->toDefinition();
1.1323 + switch (use_def->op()) {
1.1324 + case MDefinition::Op_Add: {
1.1325 + // If add is truncating -0 and 0 are observed as the same.
1.1326 + if (use_def->toAdd()->isTruncated())
1.1327 + break;
1.1328 +
1.1329 + // x + y gives -0, when both x and y are -0
1.1330 +
1.1331 + // Figure out the order in which the addition's operands will
1.1332 + // execute. EdgeCaseAnalysis::analyzeLate has renumbered the MIR
1.1333 + // definitions for us so that this just requires comparing ids.
1.1334 + MDefinition *first = use_def->toAdd()->getOperand(0);
1.1335 + MDefinition *second = use_def->toAdd()->getOperand(1);
1.1336 + if (first->id() > second->id()) {
1.1337 + MDefinition *temp = first;
1.1338 + first = second;
1.1339 + second = temp;
1.1340 + }
1.1341 +
1.1342 + if (def == first) {
1.1343 + // Negative zero checks can be removed on the first executed
1.1344 + // operand only if it is guaranteed the second executed operand
1.1345 + // will produce a value other than -0. While the second is
1.1346 + // typed as an int32, a bailout taken between execution of the
1.1347 + // operands may change that type and cause a -0 to flow to the
1.1348 + // second.
1.1349 + //
1.1350 + // There is no way to test whether there are any bailouts
1.1351 + // between execution of the operands, so remove negative
1.1352 + // zero checks from the first only if the second's type is
1.1353 + // independent from type changes that may occur after bailing.
1.1354 + switch (second->op()) {
1.1355 + case MDefinition::Op_Constant:
1.1356 + case MDefinition::Op_BitAnd:
1.1357 + case MDefinition::Op_BitOr:
1.1358 + case MDefinition::Op_BitXor:
1.1359 + case MDefinition::Op_BitNot:
1.1360 + case MDefinition::Op_Lsh:
1.1361 + case MDefinition::Op_Rsh:
1.1362 + break;
1.1363 + default:
1.1364 + return true;
1.1365 + }
1.1366 + }
1.1367 +
1.1368 + // The negative zero check can always be removed on the second
1.1369 + // executed operand; by the time this executes the first will have
1.1370 + // been evaluated as int32 and the addition's result cannot be -0.
1.1371 + break;
1.1372 + }
1.1373 + case MDefinition::Op_Sub:
1.1374 + // If sub is truncating -0 and 0 are observed as the same
1.1375 + if (use_def->toSub()->isTruncated())
1.1376 + break;
1.1377 + /* Fall through... */
1.1378 + case MDefinition::Op_StoreElement:
1.1379 + case MDefinition::Op_StoreElementHole:
1.1380 + case MDefinition::Op_LoadElement:
1.1381 + case MDefinition::Op_LoadElementHole:
1.1382 + case MDefinition::Op_LoadTypedArrayElement:
1.1383 + case MDefinition::Op_LoadTypedArrayElementHole:
1.1384 + case MDefinition::Op_CharCodeAt:
1.1385 + case MDefinition::Op_Mod:
1.1386 + // Only allowed to remove check when definition is the second operand
1.1387 + if (use_def->getOperand(0) == def)
1.1388 + return true;
1.1389 + for (size_t i = 2, e = use_def->numOperands(); i < e; i++) {
1.1390 + if (use_def->getOperand(i) == def)
1.1391 + return true;
1.1392 + }
1.1393 + break;
1.1394 + case MDefinition::Op_BoundsCheck:
1.1395 + // Only allowed to remove check when definition is the first operand
1.1396 + if (use_def->toBoundsCheck()->getOperand(1) == def)
1.1397 + return true;
1.1398 + break;
1.1399 + case MDefinition::Op_ToString:
1.1400 + case MDefinition::Op_FromCharCode:
1.1401 + case MDefinition::Op_TableSwitch:
1.1402 + case MDefinition::Op_Compare:
1.1403 + case MDefinition::Op_BitAnd:
1.1404 + case MDefinition::Op_BitOr:
1.1405 + case MDefinition::Op_BitXor:
1.1406 + case MDefinition::Op_Abs:
1.1407 + case MDefinition::Op_TruncateToInt32:
1.1408 + // Always allowed to remove check. No matter which operand.
1.1409 + break;
1.1410 + default:
1.1411 + return true;
1.1412 + }
1.1413 + }
1.1414 + return false;
1.1415 +}
1.1416 +
1.1417 +MDefinition *
1.1418 +MBinaryArithInstruction::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.1419 +{
1.1420 + if (specialization_ == MIRType_None)
1.1421 + return this;
1.1422 +
1.1423 + MDefinition *lhs = getOperand(0);
1.1424 + MDefinition *rhs = getOperand(1);
1.1425 + if (MDefinition *folded = EvaluateConstantOperands(alloc, this))
1.1426 + return folded;
1.1427 +
1.1428 + // 0 + -0 = 0. So we can't remove addition
1.1429 + if (isAdd() && specialization_ != MIRType_Int32)
1.1430 + return this;
1.1431 +
1.1432 + if (IsConstant(rhs, getIdentity()))
1.1433 + return lhs;
1.1434 +
1.1435 + // subtraction isn't commutative. So we can't remove subtraction when lhs equals 0
1.1436 + if (isSub())
1.1437 + return this;
1.1438 +
1.1439 + if (IsConstant(lhs, getIdentity()))
1.1440 + return rhs; // x op id => x
1.1441 +
1.1442 + return this;
1.1443 +}
1.1444 +
1.1445 +void
1.1446 +MBinaryArithInstruction::trySpecializeFloat32(TempAllocator &alloc)
1.1447 +{
1.1448 + MDefinition *left = lhs();
1.1449 + MDefinition *right = rhs();
1.1450 +
1.1451 + if (!left->canProduceFloat32() || !right->canProduceFloat32()
1.1452 + || !CheckUsesAreFloat32Consumers(this))
1.1453 + {
1.1454 + if (left->type() == MIRType_Float32)
1.1455 + ConvertDefinitionToDouble<0>(alloc, left, this);
1.1456 + if (right->type() == MIRType_Float32)
1.1457 + ConvertDefinitionToDouble<1>(alloc, right, this);
1.1458 + return;
1.1459 + }
1.1460 +
1.1461 + specialization_ = MIRType_Float32;
1.1462 + setResultType(MIRType_Float32);
1.1463 +}
1.1464 +
1.1465 +bool
1.1466 +MAbs::fallible() const
1.1467 +{
1.1468 + return !implicitTruncate_ && (!range() || !range()->hasInt32Bounds());
1.1469 +}
1.1470 +
1.1471 +void
1.1472 +MAbs::trySpecializeFloat32(TempAllocator &alloc)
1.1473 +{
1.1474 + if (!input()->canProduceFloat32() || !CheckUsesAreFloat32Consumers(this)) {
1.1475 + if (input()->type() == MIRType_Float32)
1.1476 + ConvertDefinitionToDouble<0>(alloc, input(), this);
1.1477 + return;
1.1478 + }
1.1479 +
1.1480 + setResultType(MIRType_Float32);
1.1481 + specialization_ = MIRType_Float32;
1.1482 +}
1.1483 +
1.1484 +MDefinition *
1.1485 +MDiv::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.1486 +{
1.1487 + if (specialization_ == MIRType_None)
1.1488 + return this;
1.1489 +
1.1490 + if (MDefinition *folded = EvaluateConstantOperands(alloc, this))
1.1491 + return folded;
1.1492 +
1.1493 + return this;
1.1494 +}
1.1495 +
1.1496 +void
1.1497 +MDiv::analyzeEdgeCasesForward()
1.1498 +{
1.1499 + // This is only meaningful when doing integer division.
1.1500 + if (specialization_ != MIRType_Int32)
1.1501 + return;
1.1502 +
1.1503 + // Try removing divide by zero check
1.1504 + if (rhs()->isConstant() && !rhs()->toConstant()->value().isInt32(0))
1.1505 + canBeDivideByZero_ = false;
1.1506 +
1.1507 + // If lhs is a constant int != INT32_MIN, then
1.1508 + // negative overflow check can be skipped.
1.1509 + if (lhs()->isConstant() && !lhs()->toConstant()->value().isInt32(INT32_MIN))
1.1510 + canBeNegativeOverflow_ = false;
1.1511 +
1.1512 + // If rhs is a constant int != -1, likewise.
1.1513 + if (rhs()->isConstant() && !rhs()->toConstant()->value().isInt32(-1))
1.1514 + canBeNegativeOverflow_ = false;
1.1515 +
1.1516 + // If lhs is != 0, then negative zero check can be skipped.
1.1517 + if (lhs()->isConstant() && !lhs()->toConstant()->value().isInt32(0))
1.1518 + setCanBeNegativeZero(false);
1.1519 +
1.1520 + // If rhs is >= 0, likewise.
1.1521 + if (rhs()->isConstant()) {
1.1522 + const js::Value &val = rhs()->toConstant()->value();
1.1523 + if (val.isInt32() && val.toInt32() >= 0)
1.1524 + setCanBeNegativeZero(false);
1.1525 + }
1.1526 +}
1.1527 +
1.1528 +void
1.1529 +MDiv::analyzeEdgeCasesBackward()
1.1530 +{
1.1531 + if (canBeNegativeZero() && !NeedNegativeZeroCheck(this))
1.1532 + setCanBeNegativeZero(false);
1.1533 +}
1.1534 +
1.1535 +bool
1.1536 +MDiv::fallible() const
1.1537 +{
1.1538 + return !isTruncated();
1.1539 +}
1.1540 +
1.1541 +bool
1.1542 +MMod::canBeDivideByZero() const
1.1543 +{
1.1544 + JS_ASSERT(specialization_ == MIRType_Int32);
1.1545 + return !rhs()->isConstant() || rhs()->toConstant()->value().toInt32() == 0;
1.1546 +}
1.1547 +
1.1548 +bool
1.1549 +MMod::canBePowerOfTwoDivisor() const
1.1550 +{
1.1551 + JS_ASSERT(specialization_ == MIRType_Int32);
1.1552 +
1.1553 + if (!rhs()->isConstant())
1.1554 + return true;
1.1555 +
1.1556 + int32_t i = rhs()->toConstant()->value().toInt32();
1.1557 + if (i <= 0 || !IsPowerOfTwo(i))
1.1558 + return false;
1.1559 +
1.1560 + return true;
1.1561 +}
1.1562 +
1.1563 +MDefinition *
1.1564 +MMod::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.1565 +{
1.1566 + if (specialization_ == MIRType_None)
1.1567 + return this;
1.1568 +
1.1569 + if (MDefinition *folded = EvaluateConstantOperands(alloc, this))
1.1570 + return folded;
1.1571 +
1.1572 + return this;
1.1573 +}
1.1574 +
1.1575 +bool
1.1576 +MMod::fallible() const
1.1577 +{
1.1578 + return !isTruncated() &&
1.1579 + (isUnsigned() || canBeDivideByZero() || canBeNegativeDividend());
1.1580 +}
1.1581 +
1.1582 +void
1.1583 +MMathFunction::trySpecializeFloat32(TempAllocator &alloc)
1.1584 +{
1.1585 + if (!input()->canProduceFloat32() || !CheckUsesAreFloat32Consumers(this)) {
1.1586 + if (input()->type() == MIRType_Float32)
1.1587 + ConvertDefinitionToDouble<0>(alloc, input(), this);
1.1588 + return;
1.1589 + }
1.1590 +
1.1591 + setResultType(MIRType_Float32);
1.1592 + setPolicyType(MIRType_Float32);
1.1593 +}
1.1594 +
1.1595 +bool
1.1596 +MAdd::fallible() const
1.1597 +{
1.1598 + // the add is fallible if range analysis does not say that it is finite, AND
1.1599 + // either the truncation analysis shows that there are non-truncated uses.
1.1600 + if (isTruncated())
1.1601 + return false;
1.1602 + if (range() && range()->hasInt32Bounds())
1.1603 + return false;
1.1604 + return true;
1.1605 +}
1.1606 +
1.1607 +bool
1.1608 +MSub::fallible() const
1.1609 +{
1.1610 + // see comment in MAdd::fallible()
1.1611 + if (isTruncated())
1.1612 + return false;
1.1613 + if (range() && range()->hasInt32Bounds())
1.1614 + return false;
1.1615 + return true;
1.1616 +}
1.1617 +
1.1618 +MDefinition *
1.1619 +MMul::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.1620 +{
1.1621 + MDefinition *out = MBinaryArithInstruction::foldsTo(alloc, useValueNumbers);
1.1622 + if (out != this)
1.1623 + return out;
1.1624 +
1.1625 + if (specialization() != MIRType_Int32)
1.1626 + return this;
1.1627 +
1.1628 + if (EqualValues(useValueNumbers, lhs(), rhs()))
1.1629 + setCanBeNegativeZero(false);
1.1630 +
1.1631 + return this;
1.1632 +}
1.1633 +
1.1634 +void
1.1635 +MMul::analyzeEdgeCasesForward()
1.1636 +{
1.1637 + // Try to remove the check for negative zero
1.1638 + // This only makes sense when using the integer multiplication
1.1639 + if (specialization() != MIRType_Int32)
1.1640 + return;
1.1641 +
1.1642 + // If lhs is > 0, no need for negative zero check.
1.1643 + if (lhs()->isConstant()) {
1.1644 + const js::Value &val = lhs()->toConstant()->value();
1.1645 + if (val.isInt32() && val.toInt32() > 0)
1.1646 + setCanBeNegativeZero(false);
1.1647 + }
1.1648 +
1.1649 + // If rhs is > 0, likewise.
1.1650 + if (rhs()->isConstant()) {
1.1651 + const js::Value &val = rhs()->toConstant()->value();
1.1652 + if (val.isInt32() && val.toInt32() > 0)
1.1653 + setCanBeNegativeZero(false);
1.1654 + }
1.1655 +}
1.1656 +
1.1657 +void
1.1658 +MMul::analyzeEdgeCasesBackward()
1.1659 +{
1.1660 + if (canBeNegativeZero() && !NeedNegativeZeroCheck(this))
1.1661 + setCanBeNegativeZero(false);
1.1662 +}
1.1663 +
1.1664 +bool
1.1665 +MMul::updateForReplacement(MDefinition *ins_)
1.1666 +{
1.1667 + MMul *ins = ins_->toMul();
1.1668 + bool negativeZero = canBeNegativeZero() || ins->canBeNegativeZero();
1.1669 + setCanBeNegativeZero(negativeZero);
1.1670 + // Remove the imul annotation when merging imul and normal multiplication.
1.1671 + if (mode_ == Integer && ins->mode() != Integer)
1.1672 + mode_ = Normal;
1.1673 + return true;
1.1674 +}
1.1675 +
1.1676 +bool
1.1677 +MMul::canOverflow() const
1.1678 +{
1.1679 + if (isTruncated())
1.1680 + return false;
1.1681 + return !range() || !range()->hasInt32Bounds();
1.1682 +}
1.1683 +
1.1684 +bool
1.1685 +MUrsh::fallible() const
1.1686 +{
1.1687 + if (bailoutsDisabled())
1.1688 + return false;
1.1689 + return !range() || !range()->hasInt32Bounds();
1.1690 +}
1.1691 +
1.1692 +static inline bool
1.1693 +KnownNonStringPrimitive(MDefinition *op)
1.1694 +{
1.1695 + return !op->mightBeType(MIRType_Object)
1.1696 + && !op->mightBeType(MIRType_String)
1.1697 + && !op->mightBeType(MIRType_MagicOptimizedArguments)
1.1698 + && !op->mightBeType(MIRType_MagicHole)
1.1699 + && !op->mightBeType(MIRType_MagicIsConstructing);
1.1700 +}
1.1701 +
1.1702 +void
1.1703 +MBinaryArithInstruction::infer(TempAllocator &alloc, BaselineInspector *inspector, jsbytecode *pc)
1.1704 +{
1.1705 + JS_ASSERT(this->type() == MIRType_Value);
1.1706 +
1.1707 + specialization_ = MIRType_None;
1.1708 +
1.1709 + // Don't specialize if one operand could be an object. If we specialize
1.1710 + // as int32 or double based on baseline feedback, we could DCE this
1.1711 + // instruction and fail to invoke any valueOf methods.
1.1712 + if (getOperand(0)->mightBeType(MIRType_Object) || getOperand(1)->mightBeType(MIRType_Object))
1.1713 + return;
1.1714 +
1.1715 + // Anything complex - strings and objects - are not specialized
1.1716 + // unless baseline type hints suggest it might be profitable
1.1717 + if (!KnownNonStringPrimitive(getOperand(0)) || !KnownNonStringPrimitive(getOperand(1)))
1.1718 + return inferFallback(inspector, pc);
1.1719 +
1.1720 + // Retrieve type information of lhs and rhs.
1.1721 + MIRType lhs = getOperand(0)->type();
1.1722 + MIRType rhs = getOperand(1)->type();
1.1723 +
1.1724 + // Guess a result type based on the inputs.
1.1725 + // Don't specialize for neither-integer-nor-double results.
1.1726 + if (lhs == MIRType_Int32 && rhs == MIRType_Int32)
1.1727 + setResultType(MIRType_Int32);
1.1728 + // Double operations are prioritary over float32 operations (i.e. if any operand needs
1.1729 + // a double as an input, convert all operands to doubles)
1.1730 + else if (IsFloatingPointType(lhs) || IsFloatingPointType(rhs))
1.1731 + setResultType(MIRType_Double);
1.1732 + else
1.1733 + return inferFallback(inspector, pc);
1.1734 +
1.1735 + // If the operation has ever overflowed, use a double specialization.
1.1736 + if (inspector->hasSeenDoubleResult(pc))
1.1737 + setResultType(MIRType_Double);
1.1738 +
1.1739 + // If the operation will always overflow on its constant operands, use a
1.1740 + // double specialization so that it can be constant folded later.
1.1741 + if ((isMul() || isDiv()) && lhs == MIRType_Int32 && rhs == MIRType_Int32) {
1.1742 + bool typeChange = false;
1.1743 + EvaluateConstantOperands(alloc, this, &typeChange);
1.1744 + if (typeChange)
1.1745 + setResultType(MIRType_Double);
1.1746 + }
1.1747 +
1.1748 + JS_ASSERT(lhs < MIRType_String || lhs == MIRType_Value);
1.1749 + JS_ASSERT(rhs < MIRType_String || rhs == MIRType_Value);
1.1750 +
1.1751 + MIRType rval = this->type();
1.1752 +
1.1753 + // Don't specialize values when result isn't double
1.1754 + if (lhs == MIRType_Value || rhs == MIRType_Value) {
1.1755 + if (!IsFloatingPointType(rval)) {
1.1756 + specialization_ = MIRType_None;
1.1757 + return;
1.1758 + }
1.1759 + }
1.1760 +
1.1761 + // Don't specialize as int32 if one of the operands is undefined,
1.1762 + // since ToNumber(undefined) is NaN.
1.1763 + if (rval == MIRType_Int32 && (lhs == MIRType_Undefined || rhs == MIRType_Undefined)) {
1.1764 + specialization_ = MIRType_None;
1.1765 + return;
1.1766 + }
1.1767 +
1.1768 + specialization_ = rval;
1.1769 +
1.1770 + if (isAdd() || isMul())
1.1771 + setCommutative();
1.1772 + setResultType(rval);
1.1773 +}
1.1774 +
1.1775 +void
1.1776 +MBinaryArithInstruction::inferFallback(BaselineInspector *inspector,
1.1777 + jsbytecode *pc)
1.1778 +{
1.1779 + // Try to specialize based on what baseline observed in practice.
1.1780 + specialization_ = inspector->expectedBinaryArithSpecialization(pc);
1.1781 + if (specialization_ != MIRType_None) {
1.1782 + setResultType(specialization_);
1.1783 + return;
1.1784 + }
1.1785 +
1.1786 + // In parallel execution, for now anyhow, we *only* support adding
1.1787 + // and manipulating numbers (not strings or objects). So no
1.1788 + // matter what we can specialize to double...if the result ought
1.1789 + // to have been something else, we'll fail in the various type
1.1790 + // guards that get inserted later.
1.1791 + if (block()->info().executionMode() == ParallelExecution) {
1.1792 + specialization_ = MIRType_Double;
1.1793 + setResultType(MIRType_Double);
1.1794 + return;
1.1795 + }
1.1796 +
1.1797 + // If we can't specialize because we have no type information at all for
1.1798 + // the lhs or rhs, mark the binary instruction as having no possible types
1.1799 + // either to avoid degrading subsequent analysis.
1.1800 + if (getOperand(0)->emptyResultTypeSet() || getOperand(1)->emptyResultTypeSet()) {
1.1801 + LifoAlloc *alloc = GetIonContext()->temp->lifoAlloc();
1.1802 + types::TemporaryTypeSet *types = alloc->new_<types::TemporaryTypeSet>();
1.1803 + if (types)
1.1804 + setResultTypeSet(types);
1.1805 + }
1.1806 +}
1.1807 +
1.1808 +static bool
1.1809 +SafelyCoercesToDouble(MDefinition *op)
1.1810 +{
1.1811 + // Strings are unhandled -- visitToDouble() doesn't support them yet.
1.1812 + // Null is unhandled -- ToDouble(null) == 0, but (0 == null) is false.
1.1813 + return KnownNonStringPrimitive(op) && !op->mightBeType(MIRType_Null);
1.1814 +}
1.1815 +
1.1816 +static bool
1.1817 +ObjectOrSimplePrimitive(MDefinition *op)
1.1818 +{
1.1819 + // Return true if op is either undefined/null/boolean/int32 or an object.
1.1820 + return !op->mightBeType(MIRType_String)
1.1821 + && !op->mightBeType(MIRType_Double)
1.1822 + && !op->mightBeType(MIRType_Float32)
1.1823 + && !op->mightBeType(MIRType_MagicOptimizedArguments)
1.1824 + && !op->mightBeType(MIRType_MagicHole)
1.1825 + && !op->mightBeType(MIRType_MagicIsConstructing);
1.1826 +}
1.1827 +
1.1828 +static bool
1.1829 +CanDoValueBitwiseCmp(MDefinition *lhs, MDefinition *rhs, bool looseEq)
1.1830 +{
1.1831 + // Only primitive (not double/string) or objects are supported.
1.1832 + // I.e. Undefined/Null/Boolean/Int32 and Object
1.1833 + if (!ObjectOrSimplePrimitive(lhs) || !ObjectOrSimplePrimitive(rhs))
1.1834 + return false;
1.1835 +
1.1836 + // Objects that emulate undefined are not supported.
1.1837 + if (MaybeEmulatesUndefined(lhs) || MaybeEmulatesUndefined(rhs))
1.1838 + return false;
1.1839 +
1.1840 + // In the loose comparison more values could be the same,
1.1841 + // but value comparison reporting otherwise.
1.1842 + if (looseEq) {
1.1843 +
1.1844 + // Undefined compared loosy to Null is not supported,
1.1845 + // because tag is different, but value can be the same (undefined == null).
1.1846 + if ((lhs->mightBeType(MIRType_Undefined) && rhs->mightBeType(MIRType_Null)) ||
1.1847 + (lhs->mightBeType(MIRType_Null) && rhs->mightBeType(MIRType_Undefined)))
1.1848 + {
1.1849 + return false;
1.1850 + }
1.1851 +
1.1852 + // Int32 compared loosy to Boolean is not supported,
1.1853 + // because tag is different, but value can be the same (1 == true).
1.1854 + if ((lhs->mightBeType(MIRType_Int32) && rhs->mightBeType(MIRType_Boolean)) ||
1.1855 + (lhs->mightBeType(MIRType_Boolean) && rhs->mightBeType(MIRType_Int32)))
1.1856 + {
1.1857 + return false;
1.1858 + }
1.1859 +
1.1860 + // For loosy comparison of an object with a Boolean/Number/String
1.1861 + // the valueOf the object is taken. Therefore not supported.
1.1862 + bool simpleLHS = lhs->mightBeType(MIRType_Boolean) || lhs->mightBeType(MIRType_Int32);
1.1863 + bool simpleRHS = rhs->mightBeType(MIRType_Boolean) || rhs->mightBeType(MIRType_Int32);
1.1864 + if ((lhs->mightBeType(MIRType_Object) && simpleRHS) ||
1.1865 + (rhs->mightBeType(MIRType_Object) && simpleLHS))
1.1866 + {
1.1867 + return false;
1.1868 + }
1.1869 + }
1.1870 +
1.1871 + return true;
1.1872 +}
1.1873 +
1.1874 +MIRType
1.1875 +MCompare::inputType()
1.1876 +{
1.1877 + switch(compareType_) {
1.1878 + case Compare_Undefined:
1.1879 + return MIRType_Undefined;
1.1880 + case Compare_Null:
1.1881 + return MIRType_Null;
1.1882 + case Compare_Boolean:
1.1883 + return MIRType_Boolean;
1.1884 + case Compare_UInt32:
1.1885 + case Compare_Int32:
1.1886 + case Compare_Int32MaybeCoerceBoth:
1.1887 + case Compare_Int32MaybeCoerceLHS:
1.1888 + case Compare_Int32MaybeCoerceRHS:
1.1889 + return MIRType_Int32;
1.1890 + case Compare_Double:
1.1891 + case Compare_DoubleMaybeCoerceLHS:
1.1892 + case Compare_DoubleMaybeCoerceRHS:
1.1893 + return MIRType_Double;
1.1894 + case Compare_Float32:
1.1895 + return MIRType_Float32;
1.1896 + case Compare_String:
1.1897 + case Compare_StrictString:
1.1898 + return MIRType_String;
1.1899 + case Compare_Object:
1.1900 + return MIRType_Object;
1.1901 + case Compare_Unknown:
1.1902 + case Compare_Value:
1.1903 + return MIRType_Value;
1.1904 + default:
1.1905 + MOZ_ASSUME_UNREACHABLE("No known conversion");
1.1906 + }
1.1907 +}
1.1908 +
1.1909 +static inline bool
1.1910 +MustBeUInt32(MDefinition *def, MDefinition **pwrapped)
1.1911 +{
1.1912 + if (def->isUrsh()) {
1.1913 + *pwrapped = def->toUrsh()->getOperand(0);
1.1914 + MDefinition *rhs = def->toUrsh()->getOperand(1);
1.1915 + return !def->toUrsh()->bailoutsDisabled()
1.1916 + && rhs->isConstant()
1.1917 + && rhs->toConstant()->value().isInt32()
1.1918 + && rhs->toConstant()->value().toInt32() == 0;
1.1919 + }
1.1920 +
1.1921 + if (def->isConstant()) {
1.1922 + *pwrapped = def;
1.1923 + return def->toConstant()->value().isInt32()
1.1924 + && def->toConstant()->value().toInt32() >= 0;
1.1925 + }
1.1926 +
1.1927 + return false;
1.1928 +}
1.1929 +
1.1930 +bool
1.1931 +MBinaryInstruction::tryUseUnsignedOperands()
1.1932 +{
1.1933 + MDefinition *newlhs, *newrhs;
1.1934 + if (MustBeUInt32(getOperand(0), &newlhs) && MustBeUInt32(getOperand(1), &newrhs)) {
1.1935 + if (newlhs->type() != MIRType_Int32 || newrhs->type() != MIRType_Int32)
1.1936 + return false;
1.1937 + if (newlhs != getOperand(0)) {
1.1938 + getOperand(0)->setImplicitlyUsedUnchecked();
1.1939 + replaceOperand(0, newlhs);
1.1940 + }
1.1941 + if (newrhs != getOperand(1)) {
1.1942 + getOperand(1)->setImplicitlyUsedUnchecked();
1.1943 + replaceOperand(1, newrhs);
1.1944 + }
1.1945 + return true;
1.1946 + }
1.1947 + return false;
1.1948 +}
1.1949 +
1.1950 +void
1.1951 +MCompare::infer(BaselineInspector *inspector, jsbytecode *pc)
1.1952 +{
1.1953 + JS_ASSERT(operandMightEmulateUndefined());
1.1954 +
1.1955 + if (!MaybeEmulatesUndefined(getOperand(0)) && !MaybeEmulatesUndefined(getOperand(1)))
1.1956 + markNoOperandEmulatesUndefined();
1.1957 +
1.1958 + MIRType lhs = getOperand(0)->type();
1.1959 + MIRType rhs = getOperand(1)->type();
1.1960 +
1.1961 + bool looseEq = jsop() == JSOP_EQ || jsop() == JSOP_NE;
1.1962 + bool strictEq = jsop() == JSOP_STRICTEQ || jsop() == JSOP_STRICTNE;
1.1963 + bool relationalEq = !(looseEq || strictEq);
1.1964 +
1.1965 + // Comparisons on unsigned integers may be treated as UInt32.
1.1966 + if (tryUseUnsignedOperands()) {
1.1967 + compareType_ = Compare_UInt32;
1.1968 + return;
1.1969 + }
1.1970 +
1.1971 + // Integer to integer or boolean to boolean comparisons may be treated as Int32.
1.1972 + if ((lhs == MIRType_Int32 && rhs == MIRType_Int32) ||
1.1973 + (lhs == MIRType_Boolean && rhs == MIRType_Boolean))
1.1974 + {
1.1975 + compareType_ = Compare_Int32MaybeCoerceBoth;
1.1976 + return;
1.1977 + }
1.1978 +
1.1979 + // Loose/relational cross-integer/boolean comparisons may be treated as Int32.
1.1980 + if (!strictEq &&
1.1981 + (lhs == MIRType_Int32 || lhs == MIRType_Boolean) &&
1.1982 + (rhs == MIRType_Int32 || rhs == MIRType_Boolean))
1.1983 + {
1.1984 + compareType_ = Compare_Int32MaybeCoerceBoth;
1.1985 + return;
1.1986 + }
1.1987 +
1.1988 + // Numeric comparisons against a double coerce to double.
1.1989 + if (IsNumberType(lhs) && IsNumberType(rhs)) {
1.1990 + compareType_ = Compare_Double;
1.1991 + return;
1.1992 + }
1.1993 +
1.1994 + // Any comparison is allowed except strict eq.
1.1995 + if (!strictEq && IsFloatingPointType(lhs) && SafelyCoercesToDouble(getOperand(1))) {
1.1996 + compareType_ = Compare_DoubleMaybeCoerceRHS;
1.1997 + return;
1.1998 + }
1.1999 + if (!strictEq && IsFloatingPointType(rhs) && SafelyCoercesToDouble(getOperand(0))) {
1.2000 + compareType_ = Compare_DoubleMaybeCoerceLHS;
1.2001 + return;
1.2002 + }
1.2003 +
1.2004 + // Handle object comparison.
1.2005 + if (!relationalEq && lhs == MIRType_Object && rhs == MIRType_Object) {
1.2006 + compareType_ = Compare_Object;
1.2007 + return;
1.2008 + }
1.2009 +
1.2010 + // Handle string comparisons. (Relational string compares are still unsupported).
1.2011 + if (!relationalEq && lhs == MIRType_String && rhs == MIRType_String) {
1.2012 + compareType_ = Compare_String;
1.2013 + return;
1.2014 + }
1.2015 +
1.2016 + if (strictEq && lhs == MIRType_String) {
1.2017 + // Lowering expects the rhs to be definitly string.
1.2018 + compareType_ = Compare_StrictString;
1.2019 + swapOperands();
1.2020 + return;
1.2021 + }
1.2022 +
1.2023 + if (strictEq && rhs == MIRType_String) {
1.2024 + compareType_ = Compare_StrictString;
1.2025 + return;
1.2026 + }
1.2027 +
1.2028 + // Handle compare with lhs being Undefined or Null.
1.2029 + if (!relationalEq && IsNullOrUndefined(lhs)) {
1.2030 + // Lowering expects the rhs to be null/undefined, so we have to
1.2031 + // swap the operands. This is necessary since we may not know which
1.2032 + // operand was null/undefined during lowering (both operands may have
1.2033 + // MIRType_Value).
1.2034 + compareType_ = (lhs == MIRType_Null) ? Compare_Null : Compare_Undefined;
1.2035 + swapOperands();
1.2036 + return;
1.2037 + }
1.2038 +
1.2039 + // Handle compare with rhs being Undefined or Null.
1.2040 + if (!relationalEq && IsNullOrUndefined(rhs)) {
1.2041 + compareType_ = (rhs == MIRType_Null) ? Compare_Null : Compare_Undefined;
1.2042 + return;
1.2043 + }
1.2044 +
1.2045 + // Handle strict comparison with lhs/rhs being typed Boolean.
1.2046 + if (strictEq && (lhs == MIRType_Boolean || rhs == MIRType_Boolean)) {
1.2047 + // bool/bool case got an int32 specialization earlier.
1.2048 + JS_ASSERT(!(lhs == MIRType_Boolean && rhs == MIRType_Boolean));
1.2049 +
1.2050 + // Ensure the boolean is on the right so that the type policy knows
1.2051 + // which side to unbox.
1.2052 + if (lhs == MIRType_Boolean)
1.2053 + swapOperands();
1.2054 +
1.2055 + compareType_ = Compare_Boolean;
1.2056 + return;
1.2057 + }
1.2058 +
1.2059 + // Determine if we can do the compare based on a quick value check.
1.2060 + if (!relationalEq && CanDoValueBitwiseCmp(getOperand(0), getOperand(1), looseEq)) {
1.2061 + compareType_ = Compare_Value;
1.2062 + return;
1.2063 + }
1.2064 +
1.2065 + // Type information is not good enough to pick out a particular type of
1.2066 + // comparison we can do here. Try to specialize based on any baseline
1.2067 + // caches that have been generated for the opcode. These will cause the
1.2068 + // instruction's type policy to insert fallible unboxes to the appropriate
1.2069 + // input types.
1.2070 +
1.2071 + if (!strictEq)
1.2072 + compareType_ = inspector->expectedCompareType(pc);
1.2073 +}
1.2074 +
1.2075 +MBitNot *
1.2076 +MBitNot::New(TempAllocator &alloc, MDefinition *input)
1.2077 +{
1.2078 + return new(alloc) MBitNot(input);
1.2079 +}
1.2080 +
1.2081 +MBitNot *
1.2082 +MBitNot::NewAsmJS(TempAllocator &alloc, MDefinition *input)
1.2083 +{
1.2084 + MBitNot *ins = new(alloc) MBitNot(input);
1.2085 + ins->specialization_ = MIRType_Int32;
1.2086 + JS_ASSERT(ins->type() == MIRType_Int32);
1.2087 + return ins;
1.2088 +}
1.2089 +
1.2090 +MDefinition *
1.2091 +MBitNot::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2092 +{
1.2093 + if (specialization_ != MIRType_Int32)
1.2094 + return this;
1.2095 +
1.2096 + MDefinition *input = getOperand(0);
1.2097 +
1.2098 + if (input->isConstant()) {
1.2099 + js::Value v = Int32Value(~(input->toConstant()->value().toInt32()));
1.2100 + return MConstant::New(alloc, v);
1.2101 + }
1.2102 +
1.2103 + if (input->isBitNot() && input->toBitNot()->specialization_ == MIRType_Int32) {
1.2104 + JS_ASSERT(input->toBitNot()->getOperand(0)->type() == MIRType_Int32);
1.2105 + return input->toBitNot()->getOperand(0); // ~~x => x
1.2106 + }
1.2107 +
1.2108 + return this;
1.2109 +}
1.2110 +
1.2111 +MDefinition *
1.2112 +MTypeOf::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2113 +{
1.2114 + // Note: we can't use input->type() here, type analysis has
1.2115 + // boxed the input.
1.2116 + JS_ASSERT(input()->type() == MIRType_Value);
1.2117 +
1.2118 + JSType type;
1.2119 +
1.2120 + switch (inputType()) {
1.2121 + case MIRType_Double:
1.2122 + case MIRType_Int32:
1.2123 + type = JSTYPE_NUMBER;
1.2124 + break;
1.2125 + case MIRType_String:
1.2126 + type = JSTYPE_STRING;
1.2127 + break;
1.2128 + case MIRType_Null:
1.2129 + type = JSTYPE_OBJECT;
1.2130 + break;
1.2131 + case MIRType_Undefined:
1.2132 + type = JSTYPE_VOID;
1.2133 + break;
1.2134 + case MIRType_Boolean:
1.2135 + type = JSTYPE_BOOLEAN;
1.2136 + break;
1.2137 + case MIRType_Object:
1.2138 + if (!inputMaybeCallableOrEmulatesUndefined()) {
1.2139 + // Object is not callable and does not emulate undefined, so it's
1.2140 + // safe to fold to "object".
1.2141 + type = JSTYPE_OBJECT;
1.2142 + break;
1.2143 + }
1.2144 + // FALL THROUGH
1.2145 + default:
1.2146 + return this;
1.2147 + }
1.2148 +
1.2149 + return MConstant::New(alloc, StringValue(TypeName(type, GetIonContext()->runtime->names())));
1.2150 +}
1.2151 +
1.2152 +void
1.2153 +MTypeOf::infer()
1.2154 +{
1.2155 + JS_ASSERT(inputMaybeCallableOrEmulatesUndefined());
1.2156 +
1.2157 + if (!MaybeEmulatesUndefined(input()) && !MaybeCallable(input()))
1.2158 + markInputNotCallableOrEmulatesUndefined();
1.2159 +}
1.2160 +
1.2161 +MBitAnd *
1.2162 +MBitAnd::New(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2163 +{
1.2164 + return new(alloc) MBitAnd(left, right);
1.2165 +}
1.2166 +
1.2167 +MBitAnd *
1.2168 +MBitAnd::NewAsmJS(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2169 +{
1.2170 + MBitAnd *ins = new(alloc) MBitAnd(left, right);
1.2171 + ins->specializeAsInt32();
1.2172 + return ins;
1.2173 +}
1.2174 +
1.2175 +MBitOr *
1.2176 +MBitOr::New(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2177 +{
1.2178 + return new(alloc) MBitOr(left, right);
1.2179 +}
1.2180 +
1.2181 +MBitOr *
1.2182 +MBitOr::NewAsmJS(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2183 +{
1.2184 + MBitOr *ins = new(alloc) MBitOr(left, right);
1.2185 + ins->specializeAsInt32();
1.2186 + return ins;
1.2187 +}
1.2188 +
1.2189 +MBitXor *
1.2190 +MBitXor::New(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2191 +{
1.2192 + return new(alloc) MBitXor(left, right);
1.2193 +}
1.2194 +
1.2195 +MBitXor *
1.2196 +MBitXor::NewAsmJS(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2197 +{
1.2198 + MBitXor *ins = new(alloc) MBitXor(left, right);
1.2199 + ins->specializeAsInt32();
1.2200 + return ins;
1.2201 +}
1.2202 +
1.2203 +MLsh *
1.2204 +MLsh::New(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2205 +{
1.2206 + return new(alloc) MLsh(left, right);
1.2207 +}
1.2208 +
1.2209 +MLsh *
1.2210 +MLsh::NewAsmJS(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2211 +{
1.2212 + MLsh *ins = new(alloc) MLsh(left, right);
1.2213 + ins->specializeAsInt32();
1.2214 + return ins;
1.2215 +}
1.2216 +
1.2217 +MRsh *
1.2218 +MRsh::New(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2219 +{
1.2220 + return new(alloc) MRsh(left, right);
1.2221 +}
1.2222 +
1.2223 +MRsh *
1.2224 +MRsh::NewAsmJS(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2225 +{
1.2226 + MRsh *ins = new(alloc) MRsh(left, right);
1.2227 + ins->specializeAsInt32();
1.2228 + return ins;
1.2229 +}
1.2230 +
1.2231 +MUrsh *
1.2232 +MUrsh::New(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2233 +{
1.2234 + return new(alloc) MUrsh(left, right);
1.2235 +}
1.2236 +
1.2237 +MUrsh *
1.2238 +MUrsh::NewAsmJS(TempAllocator &alloc, MDefinition *left, MDefinition *right)
1.2239 +{
1.2240 + MUrsh *ins = new(alloc) MUrsh(left, right);
1.2241 + ins->specializeAsInt32();
1.2242 +
1.2243 + // Since Ion has no UInt32 type, we use Int32 and we have a special
1.2244 + // exception to the type rules: we can return values in
1.2245 + // (INT32_MIN,UINT32_MAX] and still claim that we have an Int32 type
1.2246 + // without bailing out. This is necessary because Ion has no UInt32
1.2247 + // type and we can't have bailouts in asm.js code.
1.2248 + ins->bailoutsDisabled_ = true;
1.2249 +
1.2250 + return ins;
1.2251 +}
1.2252 +
1.2253 +MResumePoint *
1.2254 +MResumePoint::New(TempAllocator &alloc, MBasicBlock *block, jsbytecode *pc, MResumePoint *parent,
1.2255 + Mode mode)
1.2256 +{
1.2257 + MResumePoint *resume = new(alloc) MResumePoint(block, pc, parent, mode);
1.2258 + if (!resume->init(alloc))
1.2259 + return nullptr;
1.2260 + resume->inherit(block);
1.2261 + return resume;
1.2262 +}
1.2263 +
1.2264 +MResumePoint::MResumePoint(MBasicBlock *block, jsbytecode *pc, MResumePoint *caller,
1.2265 + Mode mode)
1.2266 + : MNode(block),
1.2267 + stackDepth_(block->stackDepth()),
1.2268 + pc_(pc),
1.2269 + caller_(caller),
1.2270 + instruction_(nullptr),
1.2271 + mode_(mode)
1.2272 +{
1.2273 + block->addResumePoint(this);
1.2274 +}
1.2275 +
1.2276 +void
1.2277 +MResumePoint::inherit(MBasicBlock *block)
1.2278 +{
1.2279 + for (size_t i = 0; i < stackDepth(); i++) {
1.2280 + MDefinition *def = block->getSlot(i);
1.2281 + setOperand(i, def);
1.2282 + }
1.2283 +}
1.2284 +
1.2285 +MDefinition *
1.2286 +MToInt32::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2287 +{
1.2288 + MDefinition *input = getOperand(0);
1.2289 + if (input->type() == MIRType_Int32)
1.2290 + return input;
1.2291 + return this;
1.2292 +}
1.2293 +
1.2294 +void
1.2295 +MToInt32::analyzeEdgeCasesBackward()
1.2296 +{
1.2297 + if (!NeedNegativeZeroCheck(this))
1.2298 + setCanBeNegativeZero(false);
1.2299 +}
1.2300 +
1.2301 +MDefinition *
1.2302 +MTruncateToInt32::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2303 +{
1.2304 + MDefinition *input = getOperand(0);
1.2305 + if (input->type() == MIRType_Int32)
1.2306 + return input;
1.2307 +
1.2308 + if (input->type() == MIRType_Double && input->isConstant()) {
1.2309 + const Value &v = input->toConstant()->value();
1.2310 + int32_t ret = ToInt32(v.toDouble());
1.2311 + return MConstant::New(alloc, Int32Value(ret));
1.2312 + }
1.2313 +
1.2314 + return this;
1.2315 +}
1.2316 +
1.2317 +MDefinition *
1.2318 +MToDouble::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2319 +{
1.2320 + MDefinition *in = input();
1.2321 + if (in->type() == MIRType_Double)
1.2322 + return in;
1.2323 +
1.2324 + if (in->isConstant()) {
1.2325 + const Value &v = in->toConstant()->value();
1.2326 + if (v.isNumber()) {
1.2327 + double out = v.toNumber();
1.2328 + return MConstant::New(alloc, DoubleValue(out));
1.2329 + }
1.2330 + }
1.2331 +
1.2332 + return this;
1.2333 +}
1.2334 +
1.2335 +MDefinition *
1.2336 +MToFloat32::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2337 +{
1.2338 + if (input()->type() == MIRType_Float32)
1.2339 + return input();
1.2340 +
1.2341 + // If x is a Float32, Float32(Double(x)) == x
1.2342 + if (input()->isToDouble() && input()->toToDouble()->input()->type() == MIRType_Float32)
1.2343 + return input()->toToDouble()->input();
1.2344 +
1.2345 + if (input()->isConstant()) {
1.2346 + const Value &v = input()->toConstant()->value();
1.2347 + if (v.isNumber()) {
1.2348 + float out = v.toNumber();
1.2349 + MConstant *c = MConstant::New(alloc, DoubleValue(out));
1.2350 + c->setResultType(MIRType_Float32);
1.2351 + return c;
1.2352 + }
1.2353 + }
1.2354 + return this;
1.2355 +}
1.2356 +
1.2357 +MDefinition *
1.2358 +MToString::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2359 +{
1.2360 + MDefinition *in = input();
1.2361 + if (in->type() == MIRType_String)
1.2362 + return in;
1.2363 + return this;
1.2364 +}
1.2365 +
1.2366 +MDefinition *
1.2367 +MClampToUint8::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2368 +{
1.2369 + if (input()->isConstant()) {
1.2370 + const Value &v = input()->toConstant()->value();
1.2371 + if (v.isDouble()) {
1.2372 + int32_t clamped = ClampDoubleToUint8(v.toDouble());
1.2373 + return MConstant::New(alloc, Int32Value(clamped));
1.2374 + }
1.2375 + if (v.isInt32()) {
1.2376 + int32_t clamped = ClampIntForUint8Array(v.toInt32());
1.2377 + return MConstant::New(alloc, Int32Value(clamped));
1.2378 + }
1.2379 + }
1.2380 + return this;
1.2381 +}
1.2382 +
1.2383 +bool
1.2384 +MCompare::tryFold(bool *result)
1.2385 +{
1.2386 + JSOp op = jsop();
1.2387 +
1.2388 + if (compareType_ == Compare_Null || compareType_ == Compare_Undefined) {
1.2389 + JS_ASSERT(op == JSOP_EQ || op == JSOP_STRICTEQ ||
1.2390 + op == JSOP_NE || op == JSOP_STRICTNE);
1.2391 +
1.2392 + // The LHS is the value we want to test against null or undefined.
1.2393 + switch (lhs()->type()) {
1.2394 + case MIRType_Value:
1.2395 + return false;
1.2396 + case MIRType_Undefined:
1.2397 + case MIRType_Null:
1.2398 + if (lhs()->type() == inputType()) {
1.2399 + // Both sides have the same type, null or undefined.
1.2400 + *result = (op == JSOP_EQ || op == JSOP_STRICTEQ);
1.2401 + } else {
1.2402 + // One side is null, the other side is undefined. The result is only
1.2403 + // true for loose equality.
1.2404 + *result = (op == JSOP_EQ || op == JSOP_STRICTNE);
1.2405 + }
1.2406 + return true;
1.2407 + case MIRType_Object:
1.2408 + if ((op == JSOP_EQ || op == JSOP_NE) && operandMightEmulateUndefined())
1.2409 + return false;
1.2410 + /* FALL THROUGH */
1.2411 + case MIRType_Int32:
1.2412 + case MIRType_Double:
1.2413 + case MIRType_Float32:
1.2414 + case MIRType_String:
1.2415 + case MIRType_Boolean:
1.2416 + *result = (op == JSOP_NE || op == JSOP_STRICTNE);
1.2417 + return true;
1.2418 + default:
1.2419 + MOZ_ASSUME_UNREACHABLE("Unexpected type");
1.2420 + }
1.2421 + }
1.2422 +
1.2423 + if (compareType_ == Compare_Boolean) {
1.2424 + JS_ASSERT(op == JSOP_STRICTEQ || op == JSOP_STRICTNE);
1.2425 + JS_ASSERT(rhs()->type() == MIRType_Boolean);
1.2426 +
1.2427 + switch (lhs()->type()) {
1.2428 + case MIRType_Value:
1.2429 + return false;
1.2430 + case MIRType_Int32:
1.2431 + case MIRType_Double:
1.2432 + case MIRType_Float32:
1.2433 + case MIRType_String:
1.2434 + case MIRType_Object:
1.2435 + case MIRType_Null:
1.2436 + case MIRType_Undefined:
1.2437 + *result = (op == JSOP_STRICTNE);
1.2438 + return true;
1.2439 + case MIRType_Boolean:
1.2440 + // Int32 specialization should handle this.
1.2441 + MOZ_ASSUME_UNREACHABLE("Wrong specialization");
1.2442 + default:
1.2443 + MOZ_ASSUME_UNREACHABLE("Unexpected type");
1.2444 + }
1.2445 + }
1.2446 +
1.2447 + if (compareType_ == Compare_StrictString) {
1.2448 + JS_ASSERT(op == JSOP_STRICTEQ || op == JSOP_STRICTNE);
1.2449 + JS_ASSERT(rhs()->type() == MIRType_String);
1.2450 +
1.2451 + switch (lhs()->type()) {
1.2452 + case MIRType_Value:
1.2453 + return false;
1.2454 + case MIRType_Boolean:
1.2455 + case MIRType_Int32:
1.2456 + case MIRType_Double:
1.2457 + case MIRType_Float32:
1.2458 + case MIRType_Object:
1.2459 + case MIRType_Null:
1.2460 + case MIRType_Undefined:
1.2461 + *result = (op == JSOP_STRICTNE);
1.2462 + return true;
1.2463 + case MIRType_String:
1.2464 + // Compare_String specialization should handle this.
1.2465 + MOZ_ASSUME_UNREACHABLE("Wrong specialization");
1.2466 + default:
1.2467 + MOZ_ASSUME_UNREACHABLE("Unexpected type");
1.2468 + }
1.2469 + }
1.2470 +
1.2471 + return false;
1.2472 +}
1.2473 +
1.2474 +bool
1.2475 +MCompare::evaluateConstantOperands(bool *result)
1.2476 +{
1.2477 + if (type() != MIRType_Boolean && type() != MIRType_Int32)
1.2478 + return false;
1.2479 +
1.2480 + MDefinition *left = getOperand(0);
1.2481 + MDefinition *right = getOperand(1);
1.2482 +
1.2483 + if (!left->isConstant() || !right->isConstant())
1.2484 + return false;
1.2485 +
1.2486 + Value lhs = left->toConstant()->value();
1.2487 + Value rhs = right->toConstant()->value();
1.2488 +
1.2489 + // Fold away some String equality comparisons.
1.2490 + if (lhs.isString() && rhs.isString()) {
1.2491 + int32_t comp = 0; // Default to equal.
1.2492 + if (left != right)
1.2493 + comp = CompareAtoms(&lhs.toString()->asAtom(), &rhs.toString()->asAtom());
1.2494 +
1.2495 + switch (jsop_) {
1.2496 + case JSOP_LT:
1.2497 + *result = (comp < 0);
1.2498 + break;
1.2499 + case JSOP_LE:
1.2500 + *result = (comp <= 0);
1.2501 + break;
1.2502 + case JSOP_GT:
1.2503 + *result = (comp > 0);
1.2504 + break;
1.2505 + case JSOP_GE:
1.2506 + *result = (comp >= 0);
1.2507 + break;
1.2508 + case JSOP_STRICTEQ: // Fall through.
1.2509 + case JSOP_EQ:
1.2510 + *result = (comp == 0);
1.2511 + break;
1.2512 + case JSOP_STRICTNE: // Fall through.
1.2513 + case JSOP_NE:
1.2514 + *result = (comp != 0);
1.2515 + break;
1.2516 + default:
1.2517 + MOZ_ASSUME_UNREACHABLE("Unexpected op.");
1.2518 + }
1.2519 +
1.2520 + return true;
1.2521 + }
1.2522 +
1.2523 + if (compareType_ == Compare_UInt32) {
1.2524 + uint32_t lhsUint = uint32_t(lhs.toInt32());
1.2525 + uint32_t rhsUint = uint32_t(rhs.toInt32());
1.2526 +
1.2527 + switch (jsop_) {
1.2528 + case JSOP_LT:
1.2529 + *result = (lhsUint < rhsUint);
1.2530 + break;
1.2531 + case JSOP_LE:
1.2532 + *result = (lhsUint <= rhsUint);
1.2533 + break;
1.2534 + case JSOP_GT:
1.2535 + *result = (lhsUint > rhsUint);
1.2536 + break;
1.2537 + case JSOP_GE:
1.2538 + *result = (lhsUint >= rhsUint);
1.2539 + break;
1.2540 + case JSOP_EQ:
1.2541 + case JSOP_STRICTEQ:
1.2542 + *result = (lhsUint == rhsUint);
1.2543 + break;
1.2544 + case JSOP_NE:
1.2545 + case JSOP_STRICTNE:
1.2546 + *result = (lhsUint != rhsUint);
1.2547 + break;
1.2548 + default:
1.2549 + MOZ_ASSUME_UNREACHABLE("Unexpected op.");
1.2550 + }
1.2551 +
1.2552 + return true;
1.2553 + }
1.2554 +
1.2555 + if (!lhs.isNumber() || !rhs.isNumber())
1.2556 + return false;
1.2557 +
1.2558 + switch (jsop_) {
1.2559 + case JSOP_LT:
1.2560 + *result = (lhs.toNumber() < rhs.toNumber());
1.2561 + break;
1.2562 + case JSOP_LE:
1.2563 + *result = (lhs.toNumber() <= rhs.toNumber());
1.2564 + break;
1.2565 + case JSOP_GT:
1.2566 + *result = (lhs.toNumber() > rhs.toNumber());
1.2567 + break;
1.2568 + case JSOP_GE:
1.2569 + *result = (lhs.toNumber() >= rhs.toNumber());
1.2570 + break;
1.2571 + case JSOP_EQ:
1.2572 + *result = (lhs.toNumber() == rhs.toNumber());
1.2573 + break;
1.2574 + case JSOP_NE:
1.2575 + *result = (lhs.toNumber() != rhs.toNumber());
1.2576 + break;
1.2577 + default:
1.2578 + return false;
1.2579 + }
1.2580 +
1.2581 + return true;
1.2582 +}
1.2583 +
1.2584 +MDefinition *
1.2585 +MCompare::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2586 +{
1.2587 + bool result;
1.2588 +
1.2589 + if (tryFold(&result) || evaluateConstantOperands(&result)) {
1.2590 + if (type() == MIRType_Int32)
1.2591 + return MConstant::New(alloc, Int32Value(result));
1.2592 +
1.2593 + JS_ASSERT(type() == MIRType_Boolean);
1.2594 + return MConstant::New(alloc, BooleanValue(result));
1.2595 + }
1.2596 +
1.2597 + return this;
1.2598 +}
1.2599 +
1.2600 +void
1.2601 +MCompare::trySpecializeFloat32(TempAllocator &alloc)
1.2602 +{
1.2603 + MDefinition *lhs = getOperand(0);
1.2604 + MDefinition *rhs = getOperand(1);
1.2605 +
1.2606 + if (lhs->canProduceFloat32() && rhs->canProduceFloat32() && compareType_ == Compare_Double) {
1.2607 + compareType_ = Compare_Float32;
1.2608 + } else {
1.2609 + if (lhs->type() == MIRType_Float32)
1.2610 + ConvertDefinitionToDouble<0>(alloc, lhs, this);
1.2611 + if (rhs->type() == MIRType_Float32)
1.2612 + ConvertDefinitionToDouble<1>(alloc, rhs, this);
1.2613 + }
1.2614 +}
1.2615 +
1.2616 +void
1.2617 +MCompare::filtersUndefinedOrNull(bool trueBranch, MDefinition **subject, bool *filtersUndefined,
1.2618 + bool *filtersNull)
1.2619 +{
1.2620 + *filtersNull = *filtersUndefined = false;
1.2621 + *subject = nullptr;
1.2622 +
1.2623 + if (compareType() != Compare_Undefined && compareType() != Compare_Null)
1.2624 + return;
1.2625 +
1.2626 + JS_ASSERT(jsop() == JSOP_STRICTNE || jsop() == JSOP_NE ||
1.2627 + jsop() == JSOP_STRICTEQ || jsop() == JSOP_EQ);
1.2628 +
1.2629 + // JSOP_*NE only removes undefined/null from if/true branch
1.2630 + if (!trueBranch && (jsop() == JSOP_STRICTNE || jsop() == JSOP_NE))
1.2631 + return;
1.2632 +
1.2633 + // JSOP_*EQ only removes undefined/null from else/false branch
1.2634 + if (trueBranch && (jsop() == JSOP_STRICTEQ || jsop() == JSOP_EQ))
1.2635 + return;
1.2636 +
1.2637 + if (jsop() == JSOP_STRICTEQ || jsop() == JSOP_STRICTNE) {
1.2638 + *filtersUndefined = compareType() == Compare_Undefined;
1.2639 + *filtersNull = compareType() == Compare_Null;
1.2640 + } else {
1.2641 + *filtersUndefined = *filtersNull = true;
1.2642 + }
1.2643 +
1.2644 + *subject = lhs();
1.2645 +}
1.2646 +
1.2647 +void
1.2648 +MNot::infer()
1.2649 +{
1.2650 + JS_ASSERT(operandMightEmulateUndefined());
1.2651 +
1.2652 + if (!MaybeEmulatesUndefined(getOperand(0)))
1.2653 + markOperandCantEmulateUndefined();
1.2654 +}
1.2655 +
1.2656 +MDefinition *
1.2657 +MNot::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2658 +{
1.2659 + // Fold if the input is constant
1.2660 + if (operand()->isConstant()) {
1.2661 + bool result = operand()->toConstant()->valueToBoolean();
1.2662 + if (type() == MIRType_Int32)
1.2663 + return MConstant::New(alloc, Int32Value(!result));
1.2664 +
1.2665 + // ToBoolean can't cause side effects, so this is safe.
1.2666 + return MConstant::New(alloc, BooleanValue(!result));
1.2667 + }
1.2668 +
1.2669 + // NOT of an undefined or null value is always true
1.2670 + if (operand()->type() == MIRType_Undefined || operand()->type() == MIRType_Null)
1.2671 + return MConstant::New(alloc, BooleanValue(true));
1.2672 +
1.2673 + // NOT of an object that can't emulate undefined is always false.
1.2674 + if (operand()->type() == MIRType_Object && !operandMightEmulateUndefined())
1.2675 + return MConstant::New(alloc, BooleanValue(false));
1.2676 +
1.2677 + return this;
1.2678 +}
1.2679 +
1.2680 +void
1.2681 +MNot::trySpecializeFloat32(TempAllocator &alloc)
1.2682 +{
1.2683 + MDefinition *in = input();
1.2684 + if (!in->canProduceFloat32() && in->type() == MIRType_Float32)
1.2685 + ConvertDefinitionToDouble<0>(alloc, in, this);
1.2686 +}
1.2687 +
1.2688 +void
1.2689 +MBeta::printOpcode(FILE *fp) const
1.2690 +{
1.2691 + MDefinition::printOpcode(fp);
1.2692 +
1.2693 + Sprinter sp(GetIonContext()->cx);
1.2694 + sp.init();
1.2695 + comparison_->print(sp);
1.2696 + fprintf(fp, " %s", sp.string());
1.2697 +}
1.2698 +
1.2699 +bool
1.2700 +MNewObject::shouldUseVM() const
1.2701 +{
1.2702 + return templateObject()->hasSingletonType() ||
1.2703 + templateObject()->hasDynamicSlots();
1.2704 +}
1.2705 +
1.2706 +bool
1.2707 +MNewArray::shouldUseVM() const
1.2708 +{
1.2709 + JS_ASSERT(count() < JSObject::NELEMENTS_LIMIT);
1.2710 +
1.2711 + size_t arraySlots =
1.2712 + gc::GetGCKindSlots(templateObject()->tenuredGetAllocKind()) - ObjectElements::VALUES_PER_HEADER;
1.2713 +
1.2714 + // Allocate space using the VMCall
1.2715 + // when mir hints it needs to get allocated immediately,
1.2716 + // but only when data doesn't fit the available array slots.
1.2717 + bool allocating = isAllocating() && count() > arraySlots;
1.2718 +
1.2719 + return templateObject()->hasSingletonType() || allocating;
1.2720 +}
1.2721 +
1.2722 +bool
1.2723 +MLoadFixedSlot::mightAlias(const MDefinition *store) const
1.2724 +{
1.2725 + if (store->isStoreFixedSlot() && store->toStoreFixedSlot()->slot() != slot())
1.2726 + return false;
1.2727 + return true;
1.2728 +}
1.2729 +
1.2730 +bool
1.2731 +MAsmJSLoadHeap::mightAlias(const MDefinition *def) const
1.2732 +{
1.2733 + if (def->isAsmJSStoreHeap()) {
1.2734 + const MAsmJSStoreHeap *store = def->toAsmJSStoreHeap();
1.2735 + if (store->viewType() != viewType())
1.2736 + return true;
1.2737 + if (!ptr()->isConstant() || !store->ptr()->isConstant())
1.2738 + return true;
1.2739 + const MConstant *otherPtr = store->ptr()->toConstant();
1.2740 + return ptr()->toConstant()->value() == otherPtr->value();
1.2741 + }
1.2742 + return true;
1.2743 +}
1.2744 +
1.2745 +bool
1.2746 +MAsmJSLoadHeap::congruentTo(const MDefinition *ins) const
1.2747 +{
1.2748 + if (!ins->isAsmJSLoadHeap())
1.2749 + return false;
1.2750 + const MAsmJSLoadHeap *load = ins->toAsmJSLoadHeap();
1.2751 + return load->viewType() == viewType() && congruentIfOperandsEqual(load);
1.2752 +}
1.2753 +
1.2754 +bool
1.2755 +MAsmJSLoadGlobalVar::mightAlias(const MDefinition *def) const
1.2756 +{
1.2757 + if (def->isAsmJSStoreGlobalVar()) {
1.2758 + const MAsmJSStoreGlobalVar *store = def->toAsmJSStoreGlobalVar();
1.2759 + return store->globalDataOffset() == globalDataOffset_;
1.2760 + }
1.2761 + return true;
1.2762 +}
1.2763 +
1.2764 +bool
1.2765 +MAsmJSLoadGlobalVar::congruentTo(const MDefinition *ins) const
1.2766 +{
1.2767 + if (ins->isAsmJSLoadGlobalVar()) {
1.2768 + const MAsmJSLoadGlobalVar *load = ins->toAsmJSLoadGlobalVar();
1.2769 + return globalDataOffset_ == load->globalDataOffset_;
1.2770 + }
1.2771 + return false;
1.2772 +}
1.2773 +
1.2774 +bool
1.2775 +MLoadSlot::mightAlias(const MDefinition *store) const
1.2776 +{
1.2777 + if (store->isStoreSlot() && store->toStoreSlot()->slot() != slot())
1.2778 + return false;
1.2779 + return true;
1.2780 +}
1.2781 +
1.2782 +void
1.2783 +InlinePropertyTable::trimTo(ObjectVector &targets, BoolVector &choiceSet)
1.2784 +{
1.2785 + for (size_t i = 0; i < targets.length(); i++) {
1.2786 + // If the target was inlined, don't erase the entry.
1.2787 + if (choiceSet[i])
1.2788 + continue;
1.2789 +
1.2790 + JSFunction *target = &targets[i]->as<JSFunction>();
1.2791 +
1.2792 + // Eliminate all entries containing the vetoed function from the map.
1.2793 + size_t j = 0;
1.2794 + while (j < numEntries()) {
1.2795 + if (entries_[j]->func == target)
1.2796 + entries_.erase(&entries_[j]);
1.2797 + else
1.2798 + j++;
1.2799 + }
1.2800 + }
1.2801 +}
1.2802 +
1.2803 +void
1.2804 +InlinePropertyTable::trimToTargets(ObjectVector &targets)
1.2805 +{
1.2806 + IonSpew(IonSpew_Inlining, "Got inlineable property cache with %d cases",
1.2807 + (int)numEntries());
1.2808 +
1.2809 + size_t i = 0;
1.2810 + while (i < numEntries()) {
1.2811 + bool foundFunc = false;
1.2812 + for (size_t j = 0; j < targets.length(); j++) {
1.2813 + if (entries_[i]->func == targets[j]) {
1.2814 + foundFunc = true;
1.2815 + break;
1.2816 + }
1.2817 + }
1.2818 + if (!foundFunc)
1.2819 + entries_.erase(&(entries_[i]));
1.2820 + else
1.2821 + i++;
1.2822 + }
1.2823 +
1.2824 + IonSpew(IonSpew_Inlining, "%d inlineable cases left after trimming to %d targets",
1.2825 + (int)numEntries(), (int)targets.length());
1.2826 +}
1.2827 +
1.2828 +bool
1.2829 +InlinePropertyTable::hasFunction(JSFunction *func) const
1.2830 +{
1.2831 + for (size_t i = 0; i < numEntries(); i++) {
1.2832 + if (entries_[i]->func == func)
1.2833 + return true;
1.2834 + }
1.2835 + return false;
1.2836 +}
1.2837 +
1.2838 +types::TemporaryTypeSet *
1.2839 +InlinePropertyTable::buildTypeSetForFunction(JSFunction *func) const
1.2840 +{
1.2841 + LifoAlloc *alloc = GetIonContext()->temp->lifoAlloc();
1.2842 + types::TemporaryTypeSet *types = alloc->new_<types::TemporaryTypeSet>();
1.2843 + if (!types)
1.2844 + return nullptr;
1.2845 + for (size_t i = 0; i < numEntries(); i++) {
1.2846 + if (entries_[i]->func == func)
1.2847 + types->addType(types::Type::ObjectType(entries_[i]->typeObj), alloc);
1.2848 + }
1.2849 + return types;
1.2850 +}
1.2851 +
1.2852 +void *
1.2853 +MLoadTypedArrayElementStatic::base() const
1.2854 +{
1.2855 + return typedArray_->viewData();
1.2856 +}
1.2857 +
1.2858 +size_t
1.2859 +MLoadTypedArrayElementStatic::length() const
1.2860 +{
1.2861 + return typedArray_->byteLength();
1.2862 +}
1.2863 +
1.2864 +void *
1.2865 +MStoreTypedArrayElementStatic::base() const
1.2866 +{
1.2867 + return typedArray_->viewData();
1.2868 +}
1.2869 +
1.2870 +bool
1.2871 +MGetElementCache::allowDoubleResult() const
1.2872 +{
1.2873 + if (!resultTypeSet())
1.2874 + return true;
1.2875 +
1.2876 + return resultTypeSet()->hasType(types::Type::DoubleType());
1.2877 +}
1.2878 +
1.2879 +size_t
1.2880 +MStoreTypedArrayElementStatic::length() const
1.2881 +{
1.2882 + return typedArray_->byteLength();
1.2883 +}
1.2884 +
1.2885 +bool
1.2886 +MGetPropertyPolymorphic::mightAlias(const MDefinition *store) const
1.2887 +{
1.2888 + // Allow hoisting this instruction if the store does not write to a
1.2889 + // slot read by this instruction.
1.2890 +
1.2891 + if (!store->isStoreFixedSlot() && !store->isStoreSlot())
1.2892 + return true;
1.2893 +
1.2894 + for (size_t i = 0; i < numShapes(); i++) {
1.2895 + const Shape *shape = this->shape(i);
1.2896 + if (shape->slot() < shape->numFixedSlots()) {
1.2897 + // Fixed slot.
1.2898 + uint32_t slot = shape->slot();
1.2899 + if (store->isStoreFixedSlot() && store->toStoreFixedSlot()->slot() != slot)
1.2900 + continue;
1.2901 + if (store->isStoreSlot())
1.2902 + continue;
1.2903 + } else {
1.2904 + // Dynamic slot.
1.2905 + uint32_t slot = shape->slot() - shape->numFixedSlots();
1.2906 + if (store->isStoreSlot() && store->toStoreSlot()->slot() != slot)
1.2907 + continue;
1.2908 + if (store->isStoreFixedSlot())
1.2909 + continue;
1.2910 + }
1.2911 +
1.2912 + return true;
1.2913 + }
1.2914 +
1.2915 + return false;
1.2916 +}
1.2917 +
1.2918 +void
1.2919 +MGetPropertyCache::setBlock(MBasicBlock *block)
1.2920 +{
1.2921 + MDefinition::setBlock(block);
1.2922 + // Track where we started.
1.2923 + if (!location_.pc) {
1.2924 + location_.pc = block->trackedPc();
1.2925 + location_.script = block->info().script();
1.2926 + }
1.2927 +}
1.2928 +
1.2929 +bool
1.2930 +MGetPropertyCache::updateForReplacement(MDefinition *ins) {
1.2931 + MGetPropertyCache *other = ins->toGetPropertyCache();
1.2932 + location_.append(&other->location_);
1.2933 + return true;
1.2934 +}
1.2935 +
1.2936 +MDefinition *
1.2937 +MAsmJSUnsignedToDouble::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2938 +{
1.2939 + if (input()->isConstant()) {
1.2940 + const Value &v = input()->toConstant()->value();
1.2941 + if (v.isInt32())
1.2942 + return MConstant::New(alloc, DoubleValue(uint32_t(v.toInt32())));
1.2943 + }
1.2944 +
1.2945 + return this;
1.2946 +}
1.2947 +
1.2948 +MDefinition *
1.2949 +MAsmJSUnsignedToFloat32::foldsTo(TempAllocator &alloc, bool useValueNumbers)
1.2950 +{
1.2951 + if (input()->isConstant()) {
1.2952 + const Value &v = input()->toConstant()->value();
1.2953 + if (v.isInt32()) {
1.2954 + double dval = double(uint32_t(v.toInt32()));
1.2955 + if (IsFloat32Representable(dval))
1.2956 + return MConstant::NewAsmJS(alloc, JS::Float32Value(float(dval)), MIRType_Float32);
1.2957 + }
1.2958 + }
1.2959 +
1.2960 + return this;
1.2961 +}
1.2962 +
1.2963 +MAsmJSCall *
1.2964 +MAsmJSCall::New(TempAllocator &alloc, const CallSiteDesc &desc, Callee callee,
1.2965 + const Args &args, MIRType resultType, size_t spIncrement)
1.2966 +{
1.2967 + MAsmJSCall *call = new(alloc) MAsmJSCall(desc, callee, spIncrement);
1.2968 + call->setResultType(resultType);
1.2969 +
1.2970 + if (!call->argRegs_.init(alloc, args.length()))
1.2971 + return nullptr;
1.2972 + for (size_t i = 0; i < call->argRegs_.length(); i++)
1.2973 + call->argRegs_[i] = args[i].reg;
1.2974 +
1.2975 + if (!call->operands_.init(alloc, call->argRegs_.length() + (callee.which() == Callee::Dynamic ? 1 : 0)))
1.2976 + return nullptr;
1.2977 + for (size_t i = 0; i < call->argRegs_.length(); i++)
1.2978 + call->setOperand(i, args[i].def);
1.2979 + if (callee.which() == Callee::Dynamic)
1.2980 + call->setOperand(call->argRegs_.length(), callee.dynamic());
1.2981 +
1.2982 + return call;
1.2983 +}
1.2984 +
1.2985 +void
1.2986 +MSqrt::trySpecializeFloat32(TempAllocator &alloc) {
1.2987 + if (!input()->canProduceFloat32() || !CheckUsesAreFloat32Consumers(this)) {
1.2988 + if (input()->type() == MIRType_Float32)
1.2989 + ConvertDefinitionToDouble<0>(alloc, input(), this);
1.2990 + return;
1.2991 + }
1.2992 +
1.2993 + setResultType(MIRType_Float32);
1.2994 + setPolicyType(MIRType_Float32);
1.2995 +}
1.2996 +
1.2997 +bool
1.2998 +jit::ElementAccessIsDenseNative(MDefinition *obj, MDefinition *id)
1.2999 +{
1.3000 + if (obj->mightBeType(MIRType_String))
1.3001 + return false;
1.3002 +
1.3003 + if (id->type() != MIRType_Int32 && id->type() != MIRType_Double)
1.3004 + return false;
1.3005 +
1.3006 + types::TemporaryTypeSet *types = obj->resultTypeSet();
1.3007 + if (!types)
1.3008 + return false;
1.3009 +
1.3010 + // Typed arrays are native classes but do not have dense elements.
1.3011 + const Class *clasp = types->getKnownClass();
1.3012 + return clasp && clasp->isNative() && !IsTypedArrayClass(clasp);
1.3013 +}
1.3014 +
1.3015 +bool
1.3016 +jit::ElementAccessIsTypedArray(MDefinition *obj, MDefinition *id,
1.3017 + ScalarTypeDescr::Type *arrayType)
1.3018 +{
1.3019 + if (obj->mightBeType(MIRType_String))
1.3020 + return false;
1.3021 +
1.3022 + if (id->type() != MIRType_Int32 && id->type() != MIRType_Double)
1.3023 + return false;
1.3024 +
1.3025 + types::TemporaryTypeSet *types = obj->resultTypeSet();
1.3026 + if (!types)
1.3027 + return false;
1.3028 +
1.3029 + *arrayType = (ScalarTypeDescr::Type) types->getTypedArrayType();
1.3030 + return *arrayType != ScalarTypeDescr::TYPE_MAX;
1.3031 +}
1.3032 +
1.3033 +bool
1.3034 +jit::ElementAccessIsPacked(types::CompilerConstraintList *constraints, MDefinition *obj)
1.3035 +{
1.3036 + types::TemporaryTypeSet *types = obj->resultTypeSet();
1.3037 + return types && !types->hasObjectFlags(constraints, types::OBJECT_FLAG_NON_PACKED);
1.3038 +}
1.3039 +
1.3040 +bool
1.3041 +jit::ElementAccessHasExtraIndexedProperty(types::CompilerConstraintList *constraints,
1.3042 + MDefinition *obj)
1.3043 +{
1.3044 + types::TemporaryTypeSet *types = obj->resultTypeSet();
1.3045 +
1.3046 + if (!types || types->hasObjectFlags(constraints, types::OBJECT_FLAG_LENGTH_OVERFLOW))
1.3047 + return true;
1.3048 +
1.3049 + return types::TypeCanHaveExtraIndexedProperties(constraints, types);
1.3050 +}
1.3051 +
1.3052 +MIRType
1.3053 +jit::DenseNativeElementType(types::CompilerConstraintList *constraints, MDefinition *obj)
1.3054 +{
1.3055 + types::TemporaryTypeSet *types = obj->resultTypeSet();
1.3056 + MIRType elementType = MIRType_None;
1.3057 + unsigned count = types->getObjectCount();
1.3058 +
1.3059 + for (unsigned i = 0; i < count; i++) {
1.3060 + types::TypeObjectKey *object = types->getObject(i);
1.3061 + if (!object)
1.3062 + continue;
1.3063 +
1.3064 + if (object->unknownProperties())
1.3065 + return MIRType_None;
1.3066 +
1.3067 + types::HeapTypeSetKey elementTypes = object->property(JSID_VOID);
1.3068 +
1.3069 + MIRType type = elementTypes.knownMIRType(constraints);
1.3070 + if (type == MIRType_None)
1.3071 + return MIRType_None;
1.3072 +
1.3073 + if (elementType == MIRType_None)
1.3074 + elementType = type;
1.3075 + else if (elementType != type)
1.3076 + return MIRType_None;
1.3077 + }
1.3078 +
1.3079 + return elementType;
1.3080 +}
1.3081 +
1.3082 +static bool
1.3083 +PropertyReadNeedsTypeBarrier(types::CompilerConstraintList *constraints,
1.3084 + types::TypeObjectKey *object, PropertyName *name,
1.3085 + types::TypeSet *observed)
1.3086 +{
1.3087 + // If the object being read from has types for the property which haven't
1.3088 + // been observed at this access site, the read could produce a new type and
1.3089 + // a barrier is needed. Note that this only covers reads from properties
1.3090 + // which are accounted for by type information, i.e. native data properties
1.3091 + // and elements.
1.3092 + //
1.3093 + // We also need a barrier if the object is a proxy, because then all bets
1.3094 + // are off, just as if it has unknown properties.
1.3095 + if (object->unknownProperties() || observed->empty() ||
1.3096 + object->clasp()->isProxy())
1.3097 + {
1.3098 + return true;
1.3099 + }
1.3100 +
1.3101 + jsid id = name ? NameToId(name) : JSID_VOID;
1.3102 + types::HeapTypeSetKey property = object->property(id);
1.3103 + if (property.maybeTypes() && !TypeSetIncludes(observed, MIRType_Value, property.maybeTypes()))
1.3104 + return true;
1.3105 +
1.3106 + // Type information for global objects is not required to reflect the
1.3107 + // initial 'undefined' value for properties, in particular global
1.3108 + // variables declared with 'var'. Until the property is assigned a value
1.3109 + // other than undefined, a barrier is required.
1.3110 + if (JSObject *obj = object->singleton()) {
1.3111 + if (name && types::CanHaveEmptyPropertyTypesForOwnProperty(obj) &&
1.3112 + (!property.maybeTypes() || property.maybeTypes()->empty()))
1.3113 + {
1.3114 + return true;
1.3115 + }
1.3116 + }
1.3117 +
1.3118 + property.freeze(constraints);
1.3119 + return false;
1.3120 +}
1.3121 +
1.3122 +bool
1.3123 +jit::PropertyReadNeedsTypeBarrier(JSContext *propertycx,
1.3124 + types::CompilerConstraintList *constraints,
1.3125 + types::TypeObjectKey *object, PropertyName *name,
1.3126 + types::TemporaryTypeSet *observed, bool updateObserved)
1.3127 +{
1.3128 + // If this access has never executed, try to add types to the observed set
1.3129 + // according to any property which exists on the object or its prototype.
1.3130 + if (updateObserved && observed->empty() && name) {
1.3131 + JSObject *obj;
1.3132 + if (object->singleton())
1.3133 + obj = object->singleton();
1.3134 + else if (object->hasTenuredProto())
1.3135 + obj = object->proto().toObjectOrNull();
1.3136 + else
1.3137 + obj = nullptr;
1.3138 +
1.3139 + while (obj) {
1.3140 + if (!obj->getClass()->isNative())
1.3141 + break;
1.3142 +
1.3143 + types::TypeObjectKey *typeObj = types::TypeObjectKey::get(obj);
1.3144 + if (propertycx)
1.3145 + typeObj->ensureTrackedProperty(propertycx, NameToId(name));
1.3146 +
1.3147 + if (!typeObj->unknownProperties()) {
1.3148 + types::HeapTypeSetKey property = typeObj->property(NameToId(name));
1.3149 + if (property.maybeTypes()) {
1.3150 + types::TypeSet::TypeList types;
1.3151 + if (!property.maybeTypes()->enumerateTypes(&types))
1.3152 + break;
1.3153 + if (types.length()) {
1.3154 + // Note: the return value here is ignored.
1.3155 + observed->addType(types[0], GetIonContext()->temp->lifoAlloc());
1.3156 + break;
1.3157 + }
1.3158 + }
1.3159 + }
1.3160 +
1.3161 + if (!obj->hasTenuredProto())
1.3162 + break;
1.3163 + obj = obj->getProto();
1.3164 + }
1.3165 + }
1.3166 +
1.3167 + return PropertyReadNeedsTypeBarrier(constraints, object, name, observed);
1.3168 +}
1.3169 +
1.3170 +bool
1.3171 +jit::PropertyReadNeedsTypeBarrier(JSContext *propertycx,
1.3172 + types::CompilerConstraintList *constraints,
1.3173 + MDefinition *obj, PropertyName *name,
1.3174 + types::TemporaryTypeSet *observed)
1.3175 +{
1.3176 + if (observed->unknown())
1.3177 + return false;
1.3178 +
1.3179 + types::TypeSet *types = obj->resultTypeSet();
1.3180 + if (!types || types->unknownObject())
1.3181 + return true;
1.3182 +
1.3183 + bool updateObserved = types->getObjectCount() == 1;
1.3184 + for (size_t i = 0; i < types->getObjectCount(); i++) {
1.3185 + types::TypeObjectKey *object = types->getObject(i);
1.3186 + if (object) {
1.3187 + if (PropertyReadNeedsTypeBarrier(propertycx, constraints, object, name,
1.3188 + observed, updateObserved))
1.3189 + {
1.3190 + return true;
1.3191 + }
1.3192 + }
1.3193 + }
1.3194 +
1.3195 + return false;
1.3196 +}
1.3197 +
1.3198 +bool
1.3199 +jit::PropertyReadOnPrototypeNeedsTypeBarrier(types::CompilerConstraintList *constraints,
1.3200 + MDefinition *obj, PropertyName *name,
1.3201 + types::TemporaryTypeSet *observed)
1.3202 +{
1.3203 + if (observed->unknown())
1.3204 + return false;
1.3205 +
1.3206 + types::TypeSet *types = obj->resultTypeSet();
1.3207 + if (!types || types->unknownObject())
1.3208 + return true;
1.3209 +
1.3210 + for (size_t i = 0; i < types->getObjectCount(); i++) {
1.3211 + types::TypeObjectKey *object = types->getObject(i);
1.3212 + if (!object)
1.3213 + continue;
1.3214 + while (true) {
1.3215 + if (!object->hasTenuredProto())
1.3216 + return true;
1.3217 + if (!object->proto().isObject())
1.3218 + break;
1.3219 + object = types::TypeObjectKey::get(object->proto().toObject());
1.3220 + if (PropertyReadNeedsTypeBarrier(constraints, object, name, observed))
1.3221 + return true;
1.3222 + }
1.3223 + }
1.3224 +
1.3225 + return false;
1.3226 +}
1.3227 +
1.3228 +bool
1.3229 +jit::PropertyReadIsIdempotent(types::CompilerConstraintList *constraints,
1.3230 + MDefinition *obj, PropertyName *name)
1.3231 +{
1.3232 + // Determine if reading a property from obj is likely to be idempotent.
1.3233 +
1.3234 + types::TypeSet *types = obj->resultTypeSet();
1.3235 + if (!types || types->unknownObject())
1.3236 + return false;
1.3237 +
1.3238 + for (size_t i = 0; i < types->getObjectCount(); i++) {
1.3239 + types::TypeObjectKey *object = types->getObject(i);
1.3240 + if (object) {
1.3241 + if (object->unknownProperties())
1.3242 + return false;
1.3243 +
1.3244 + // Check if the property has been reconfigured or is a getter.
1.3245 + types::HeapTypeSetKey property = object->property(NameToId(name));
1.3246 + if (property.nonData(constraints))
1.3247 + return false;
1.3248 + }
1.3249 + }
1.3250 +
1.3251 + return true;
1.3252 +}
1.3253 +
1.3254 +void
1.3255 +jit::AddObjectsForPropertyRead(MDefinition *obj, PropertyName *name,
1.3256 + types::TemporaryTypeSet *observed)
1.3257 +{
1.3258 + // Add objects to observed which *could* be observed by reading name from obj,
1.3259 + // to hopefully avoid unnecessary type barriers and code invalidations.
1.3260 +
1.3261 + LifoAlloc *alloc = GetIonContext()->temp->lifoAlloc();
1.3262 +
1.3263 + types::TemporaryTypeSet *types = obj->resultTypeSet();
1.3264 + if (!types || types->unknownObject()) {
1.3265 + observed->addType(types::Type::AnyObjectType(), alloc);
1.3266 + return;
1.3267 + }
1.3268 +
1.3269 + for (size_t i = 0; i < types->getObjectCount(); i++) {
1.3270 + types::TypeObjectKey *object = types->getObject(i);
1.3271 + if (!object)
1.3272 + continue;
1.3273 +
1.3274 + if (object->unknownProperties()) {
1.3275 + observed->addType(types::Type::AnyObjectType(), alloc);
1.3276 + return;
1.3277 + }
1.3278 +
1.3279 + jsid id = name ? NameToId(name) : JSID_VOID;
1.3280 + types::HeapTypeSetKey property = object->property(id);
1.3281 + types::HeapTypeSet *types = property.maybeTypes();
1.3282 + if (!types)
1.3283 + continue;
1.3284 +
1.3285 + if (types->unknownObject()) {
1.3286 + observed->addType(types::Type::AnyObjectType(), alloc);
1.3287 + return;
1.3288 + }
1.3289 +
1.3290 + for (size_t i = 0; i < types->getObjectCount(); i++) {
1.3291 + types::TypeObjectKey *object = types->getObject(i);
1.3292 + if (object)
1.3293 + observed->addType(types::Type::ObjectType(object), alloc);
1.3294 + }
1.3295 + }
1.3296 +}
1.3297 +
1.3298 +static bool
1.3299 +TryAddTypeBarrierForWrite(TempAllocator &alloc, types::CompilerConstraintList *constraints,
1.3300 + MBasicBlock *current, types::TemporaryTypeSet *objTypes,
1.3301 + PropertyName *name, MDefinition **pvalue)
1.3302 +{
1.3303 + // Return whether pvalue was modified to include a type barrier ensuring
1.3304 + // that writing the value to objTypes/id will not require changing type
1.3305 + // information.
1.3306 +
1.3307 + // All objects in the set must have the same types for name. Otherwise, we
1.3308 + // could bail out without subsequently triggering a type change that
1.3309 + // invalidates the compiled code.
1.3310 + Maybe<types::HeapTypeSetKey> aggregateProperty;
1.3311 +
1.3312 + for (size_t i = 0; i < objTypes->getObjectCount(); i++) {
1.3313 + types::TypeObjectKey *object = objTypes->getObject(i);
1.3314 + if (!object)
1.3315 + continue;
1.3316 +
1.3317 + if (object->unknownProperties())
1.3318 + return false;
1.3319 +
1.3320 + jsid id = name ? NameToId(name) : JSID_VOID;
1.3321 + types::HeapTypeSetKey property = object->property(id);
1.3322 + if (!property.maybeTypes())
1.3323 + return false;
1.3324 +
1.3325 + if (TypeSetIncludes(property.maybeTypes(), (*pvalue)->type(), (*pvalue)->resultTypeSet()))
1.3326 + return false;
1.3327 +
1.3328 + // This freeze is not required for correctness, but ensures that we
1.3329 + // will recompile if the property types change and the barrier can
1.3330 + // potentially be removed.
1.3331 + property.freeze(constraints);
1.3332 +
1.3333 + if (aggregateProperty.empty()) {
1.3334 + aggregateProperty.construct(property);
1.3335 + } else {
1.3336 + if (!aggregateProperty.ref().maybeTypes()->isSubset(property.maybeTypes()) ||
1.3337 + !property.maybeTypes()->isSubset(aggregateProperty.ref().maybeTypes()))
1.3338 + {
1.3339 + return false;
1.3340 + }
1.3341 + }
1.3342 + }
1.3343 +
1.3344 + JS_ASSERT(!aggregateProperty.empty());
1.3345 +
1.3346 + MIRType propertyType = aggregateProperty.ref().knownMIRType(constraints);
1.3347 + switch (propertyType) {
1.3348 + case MIRType_Boolean:
1.3349 + case MIRType_Int32:
1.3350 + case MIRType_Double:
1.3351 + case MIRType_String: {
1.3352 + // The property is a particular primitive type, guard by unboxing the
1.3353 + // value before the write.
1.3354 + if (!(*pvalue)->mightBeType(propertyType)) {
1.3355 + // The value's type does not match the property type. Just do a VM
1.3356 + // call as it will always trigger invalidation of the compiled code.
1.3357 + JS_ASSERT_IF((*pvalue)->type() != MIRType_Value, (*pvalue)->type() != propertyType);
1.3358 + return false;
1.3359 + }
1.3360 + MInstruction *ins = MUnbox::New(alloc, *pvalue, propertyType, MUnbox::Fallible);
1.3361 + current->add(ins);
1.3362 + *pvalue = ins;
1.3363 + return true;
1.3364 + }
1.3365 + default:;
1.3366 + }
1.3367 +
1.3368 + if ((*pvalue)->type() != MIRType_Value)
1.3369 + return false;
1.3370 +
1.3371 + types::TemporaryTypeSet *types = aggregateProperty.ref().maybeTypes()->clone(alloc.lifoAlloc());
1.3372 + if (!types)
1.3373 + return false;
1.3374 +
1.3375 + MInstruction *ins = MMonitorTypes::New(alloc, *pvalue, types);
1.3376 + current->add(ins);
1.3377 + return true;
1.3378 +}
1.3379 +
1.3380 +static MInstruction *
1.3381 +AddTypeGuard(TempAllocator &alloc, MBasicBlock *current, MDefinition *obj,
1.3382 + types::TypeObjectKey *type, bool bailOnEquality)
1.3383 +{
1.3384 + MInstruction *guard;
1.3385 +
1.3386 + if (type->isTypeObject())
1.3387 + guard = MGuardObjectType::New(alloc, obj, type->asTypeObject(), bailOnEquality);
1.3388 + else
1.3389 + guard = MGuardObjectIdentity::New(alloc, obj, type->asSingleObject(), bailOnEquality);
1.3390 +
1.3391 + current->add(guard);
1.3392 +
1.3393 + // For now, never move type object guards.
1.3394 + guard->setNotMovable();
1.3395 +
1.3396 + return guard;
1.3397 +}
1.3398 +
1.3399 +bool
1.3400 +jit::PropertyWriteNeedsTypeBarrier(TempAllocator &alloc, types::CompilerConstraintList *constraints,
1.3401 + MBasicBlock *current, MDefinition **pobj,
1.3402 + PropertyName *name, MDefinition **pvalue, bool canModify)
1.3403 +{
1.3404 + // If any value being written is not reflected in the type information for
1.3405 + // objects which obj could represent, a type barrier is needed when writing
1.3406 + // the value. As for propertyReadNeedsTypeBarrier, this only applies for
1.3407 + // properties that are accounted for by type information, i.e. normal data
1.3408 + // properties and elements.
1.3409 +
1.3410 + types::TemporaryTypeSet *types = (*pobj)->resultTypeSet();
1.3411 + if (!types || types->unknownObject())
1.3412 + return true;
1.3413 +
1.3414 + // If all of the objects being written to have property types which already
1.3415 + // reflect the value, no barrier at all is needed. Additionally, if all
1.3416 + // objects being written to have the same types for the property, and those
1.3417 + // types do *not* reflect the value, add a type barrier for the value.
1.3418 +
1.3419 + bool success = true;
1.3420 + for (size_t i = 0; i < types->getObjectCount(); i++) {
1.3421 + types::TypeObjectKey *object = types->getObject(i);
1.3422 + if (!object || object->unknownProperties())
1.3423 + continue;
1.3424 +
1.3425 + // TI doesn't track TypedArray objects and should never insert a type
1.3426 + // barrier for them.
1.3427 + if (!name && IsTypedArrayClass(object->clasp()))
1.3428 + continue;
1.3429 +
1.3430 + jsid id = name ? NameToId(name) : JSID_VOID;
1.3431 + types::HeapTypeSetKey property = object->property(id);
1.3432 + if (!TypeSetIncludes(property.maybeTypes(), (*pvalue)->type(), (*pvalue)->resultTypeSet())) {
1.3433 + // Either pobj or pvalue needs to be modified to filter out the
1.3434 + // types which the value could have but are not in the property,
1.3435 + // or a VM call is required. A VM call is always required if pobj
1.3436 + // and pvalue cannot be modified.
1.3437 + if (!canModify)
1.3438 + return true;
1.3439 + success = TryAddTypeBarrierForWrite(alloc, constraints, current, types, name, pvalue);
1.3440 + break;
1.3441 + }
1.3442 + }
1.3443 +
1.3444 + if (success)
1.3445 + return false;
1.3446 +
1.3447 + // If all of the objects except one have property types which reflect the
1.3448 + // value, and the remaining object has no types at all for the property,
1.3449 + // add a guard that the object does not have that remaining object's type.
1.3450 +
1.3451 + if (types->getObjectCount() <= 1)
1.3452 + return true;
1.3453 +
1.3454 + types::TypeObjectKey *excluded = nullptr;
1.3455 + for (size_t i = 0; i < types->getObjectCount(); i++) {
1.3456 + types::TypeObjectKey *object = types->getObject(i);
1.3457 + if (!object || object->unknownProperties())
1.3458 + continue;
1.3459 + if (!name && IsTypedArrayClass(object->clasp()))
1.3460 + continue;
1.3461 +
1.3462 + jsid id = name ? NameToId(name) : JSID_VOID;
1.3463 + types::HeapTypeSetKey property = object->property(id);
1.3464 + if (TypeSetIncludes(property.maybeTypes(), (*pvalue)->type(), (*pvalue)->resultTypeSet()))
1.3465 + continue;
1.3466 +
1.3467 + if ((property.maybeTypes() && !property.maybeTypes()->empty()) || excluded)
1.3468 + return true;
1.3469 + excluded = object;
1.3470 + }
1.3471 +
1.3472 + JS_ASSERT(excluded);
1.3473 +
1.3474 + *pobj = AddTypeGuard(alloc, current, *pobj, excluded, /* bailOnEquality = */ true);
1.3475 + return false;
1.3476 +}
