diff -r 000000000000 -r 6474c204b198 js/src/jit/RangeAnalysis.cpp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/js/src/jit/RangeAnalysis.cpp Wed Dec 31 06:09:35 2014 +0100 @@ -0,0 +1,2677 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- + * vim: set ts=8 sts=4 et sw=4 tw=99: + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "jit/RangeAnalysis.h" + +#include "mozilla/MathAlgorithms.h" + +#include "jsanalyze.h" + +#include "jit/Ion.h" +#include "jit/IonAnalysis.h" +#include "jit/IonSpewer.h" +#include "jit/MIR.h" +#include "jit/MIRGenerator.h" +#include "jit/MIRGraph.h" +#include "vm/NumericConversions.h" + +#include "jsopcodeinlines.h" + +using namespace js; +using namespace js::jit; + +using mozilla::Abs; +using mozilla::CountLeadingZeroes32; +using mozilla::NumberEqualsInt32; +using mozilla::ExponentComponent; +using mozilla::FloorLog2; +using mozilla::IsInfinite; +using mozilla::IsNaN; +using mozilla::IsNegative; +using mozilla::NegativeInfinity; +using mozilla::PositiveInfinity; +using mozilla::Swap; +using JS::GenericNaN; + +// This algorithm is based on the paper "Eliminating Range Checks Using +// Static Single Assignment Form" by Gough and Klaeren. +// +// We associate a range object with each SSA name, and the ranges are consulted +// in order to determine whether overflow is possible for arithmetic +// computations. +// +// An important source of range information that requires care to take +// advantage of is conditional control flow. Consider the code below: +// +// if (x < 0) { +// y = x + 2000000000; +// } else { +// if (x < 1000000000) { +// y = x * 2; +// } else { +// y = x - 3000000000; +// } +// } +// +// The arithmetic operations in this code cannot overflow, but it is not +// sufficient to simply associate each name with a range, since the information +// differs between basic blocks. The traditional dataflow approach would be to +// associate ranges with (name, basic block) pairs. This solution is not +// satisfying, since we lose the benefit of SSA form: in SSA form, each +// definition has a unique name, so there is no need to track information about +// the control flow of the program. +// +// The approach used here is to add a new form of pseudo operation called a +// beta node, which associates range information with a value. These beta +// instructions take one argument and additionally have an auxiliary constant +// range associated with them. Operationally, beta nodes are just copies, but +// the invariant expressed by beta node copies is that the output will fall +// inside the range given by the beta node. Gough and Klaeren refer to SSA +// extended with these beta nodes as XSA form. The following shows the example +// code transformed into XSA form: +// +// if (x < 0) { +// x1 = Beta(x, [INT_MIN, -1]); +// y1 = x1 + 2000000000; +// } else { +// x2 = Beta(x, [0, INT_MAX]); +// if (x2 < 1000000000) { +// x3 = Beta(x2, [INT_MIN, 999999999]); +// y2 = x3*2; +// } else { +// x4 = Beta(x2, [1000000000, INT_MAX]); +// y3 = x4 - 3000000000; +// } +// y4 = Phi(y2, y3); +// } +// y = Phi(y1, y4); +// +// We insert beta nodes for the purposes of range analysis (they might also be +// useful for other forms of bounds check elimination) and remove them +// after range analysis is performed. The remaining compiler phases do not ever +// encounter beta nodes.
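+//
+// To make the no-overflow claim above concrete (an illustrative walk-through
+// using only the ranges shown): x1 carries the Beta range [INT_MIN, -1], so
+// y1 = x1 + 2000000000 lies in [INT_MIN + 2000000000, 1999999999], which fits
+// in an int32. Likewise x3 is x2's range [0, INT_MAX] intersected with
+// [INT_MIN, 999999999], i.e. [0, 999999999], so y2 = x3 * 2 lies in
+// [0, 1999999998], and x4 is [1000000000, INT_MAX], so y3 = x4 - 3000000000
+// lies in [-2000000000, INT_MAX - 3000000000]. None of these can overflow.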
+ +static bool +IsDominatedUse(MBasicBlock *block, MUse *use) +{ + MNode *n = use->consumer(); + bool isPhi = n->isDefinition() && n->toDefinition()->isPhi(); + + if (isPhi) + return block->dominates(n->block()->getPredecessor(use->index())); + + return block->dominates(n->block()); +} + +static inline void +SpewRange(MDefinition *def) +{ +#ifdef DEBUG + if (IonSpewEnabled(IonSpew_Range) && def->type() != MIRType_None && def->range()) { + IonSpewHeader(IonSpew_Range); + def->printName(IonSpewFile); + fprintf(IonSpewFile, " has range "); + def->range()->dump(IonSpewFile); + } +#endif +} + +TempAllocator & +RangeAnalysis::alloc() const +{ + return graph_.alloc(); +} + +void +RangeAnalysis::replaceDominatedUsesWith(MDefinition *orig, MDefinition *dom, + MBasicBlock *block) +{ + for (MUseIterator i(orig->usesBegin()); i != orig->usesEnd(); ) { + if (i->consumer() != dom && IsDominatedUse(block, *i)) + i = i->consumer()->replaceOperand(i, dom); + else + i++; + } +} + +bool +RangeAnalysis::addBetaNodes() +{ + IonSpew(IonSpew_Range, "Adding beta nodes"); + + for (PostorderIterator i(graph_.poBegin()); i != graph_.poEnd(); i++) { + MBasicBlock *block = *i; + IonSpew(IonSpew_Range, "Looking at block %d", block->id()); + + BranchDirection branch_dir; + MTest *test = block->immediateDominatorBranch(&branch_dir); + + if (!test || !test->getOperand(0)->isCompare()) + continue; + + MCompare *compare = test->getOperand(0)->toCompare(); + + // TODO: support unsigned comparisons + if (compare->compareType() == MCompare::Compare_UInt32) + continue; + + MDefinition *left = compare->getOperand(0); + MDefinition *right = compare->getOperand(1); + double bound; + double conservativeLower = NegativeInfinity(); + double conservativeUpper = PositiveInfinity(); + MDefinition *val = nullptr; + + JSOp jsop = compare->jsop(); + + if (branch_dir == FALSE_BRANCH) { + jsop = NegateCompareOp(jsop); + conservativeLower = GenericNaN(); + conservativeUpper = GenericNaN(); + } + + if (left->isConstant() && left->toConstant()->value().isNumber()) { + bound = left->toConstant()->value().toNumber(); + val = right; + jsop = ReverseCompareOp(jsop); + } else if (right->isConstant() && right->toConstant()->value().isNumber()) { + bound = right->toConstant()->value().toNumber(); + val = left; + } else if (left->type() == MIRType_Int32 && right->type() == MIRType_Int32) { + MDefinition *smaller = nullptr; + MDefinition *greater = nullptr; + if (jsop == JSOP_LT) { + smaller = left; + greater = right; + } else if (jsop == JSOP_GT) { + smaller = right; + greater = left; + } + if (smaller && greater) { + MBeta *beta; + beta = MBeta::New(alloc(), smaller, + Range::NewInt32Range(alloc(), JSVAL_INT_MIN, JSVAL_INT_MAX-1)); + block->insertBefore(*block->begin(), beta); + replaceDominatedUsesWith(smaller, beta, block); + IonSpew(IonSpew_Range, "Adding beta node for smaller %d", smaller->id()); + beta = MBeta::New(alloc(), greater, + Range::NewInt32Range(alloc(), JSVAL_INT_MIN+1, JSVAL_INT_MAX)); + block->insertBefore(*block->begin(), beta); + replaceDominatedUsesWith(greater, beta, block); + IonSpew(IonSpew_Range, "Adding beta node for greater %d", greater->id()); + } + continue; + } else { + continue; + } + + // At this point, one of the operands if the compare is a constant, and + // val is the other operand. + JS_ASSERT(val); + + Range comp; + switch (jsop) { + case JSOP_LE: + comp.setDouble(conservativeLower, bound); + break; + case JSOP_LT: + // For integers, if x < c, the upper bound of x is c-1. 
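+        // (Illustrative: with a constant bound of 10, "x < 10" refines x's
+        // range to [conservativeLower, 9]. The SafeSub call below guards the
+        // c-1 computation against underflow when the bound is INT32_MIN.)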
+ if (val->type() == MIRType_Int32) { + int32_t intbound; + if (NumberEqualsInt32(bound, &intbound) && SafeSub(intbound, 1, &intbound)) + bound = intbound; + } + comp.setDouble(conservativeLower, bound); + break; + case JSOP_GE: + comp.setDouble(bound, conservativeUpper); + break; + case JSOP_GT: + // For integers, if x > c, the lower bound of x is c+1. + if (val->type() == MIRType_Int32) { + int32_t intbound; + if (NumberEqualsInt32(bound, &intbound) && SafeAdd(intbound, 1, &intbound)) + bound = intbound; + } + comp.setDouble(bound, conservativeUpper); + break; + case JSOP_EQ: + comp.setDouble(bound, bound); + break; + default: + continue; // well, for neq we could have + // [-\inf, bound-1] U [bound+1, \inf] but we only use contiguous ranges. + } + + if (IonSpewEnabled(IonSpew_Range)) { + IonSpewHeader(IonSpew_Range); + fprintf(IonSpewFile, "Adding beta node for %d with range ", val->id()); + comp.dump(IonSpewFile); + } + + MBeta *beta = MBeta::New(alloc(), val, new(alloc()) Range(comp)); + block->insertBefore(*block->begin(), beta); + replaceDominatedUsesWith(val, beta, block); + } + + return true; +} + +bool +RangeAnalysis::removeBetaNodes() +{ + IonSpew(IonSpew_Range, "Removing beta nodes"); + + for (PostorderIterator i(graph_.poBegin()); i != graph_.poEnd(); i++) { + MBasicBlock *block = *i; + for (MDefinitionIterator iter(*i); iter; ) { + MDefinition *def = *iter; + if (def->isBeta()) { + MDefinition *op = def->getOperand(0); + IonSpew(IonSpew_Range, "Removing beta node %d for %d", + def->id(), op->id()); + def->replaceAllUsesWith(op); + iter = block->discardDefAt(iter); + } else { + // We only place Beta nodes at the beginning of basic + // blocks, so if we see something else, we can move on + // to the next block. + break; + } + } + } + return true; +} + +void +SymbolicBound::print(Sprinter &sp) const +{ + if (loop) + sp.printf("[loop] "); + sum.print(sp); +} + +void +SymbolicBound::dump() const +{ + Sprinter sp(GetIonContext()->cx); + sp.init(); + print(sp); + fprintf(stderr, "%s\n", sp.string()); +} + +// Test whether the given range's exponent tells us anything that its lower +// and upper bound values don't. +static bool +IsExponentInteresting(const Range *r) +{ + // If it lacks either a lower or upper bound, the exponent is interesting. + if (!r->hasInt32Bounds()) + return true; + + // Otherwise if there's no fractional part, the lower and upper bounds, + // which are integers, are perfectly precise. + if (!r->canHaveFractionalPart()) + return false; + + // Otherwise, if the bounds are conservatively rounded across a power-of-two + // boundary, the exponent may imply a tighter range. + return FloorLog2(Max(Abs(r->lower()), Abs(r->upper()))) > r->exponent(); +} + +void +Range::print(Sprinter &sp) const +{ + assertInvariants(); + + // Floating-point or Integer subset. 
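+    // (For example, a known int32 range prints as I[0, 65535], and the
+    // fractional range discussed in intersect() prints as
+    // F[0, 2] (< pow(2, 0+1)).)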
+ if (canHaveFractionalPart_) + sp.printf("F"); + else + sp.printf("I"); + + sp.printf("["); + + if (!hasInt32LowerBound_) + sp.printf("?"); + else + sp.printf("%d", lower_); + if (symbolicLower_) { + sp.printf(" {"); + symbolicLower_->print(sp); + sp.printf("}"); + } + + sp.printf(", "); + + if (!hasInt32UpperBound_) + sp.printf("?"); + else + sp.printf("%d", upper_); + if (symbolicUpper_) { + sp.printf(" {"); + symbolicUpper_->print(sp); + sp.printf("}"); + } + + sp.printf("]"); + if (IsExponentInteresting(this)) { + if (max_exponent_ == IncludesInfinityAndNaN) + sp.printf(" (U inf U NaN)", max_exponent_); + else if (max_exponent_ == IncludesInfinity) + sp.printf(" (U inf)"); + else + sp.printf(" (< pow(2, %d+1))", max_exponent_); + } +} + +void +Range::dump(FILE *fp) const +{ + Sprinter sp(GetIonContext()->cx); + sp.init(); + print(sp); + fprintf(fp, "%s\n", sp.string()); +} + +void +Range::dump() const +{ + dump(stderr); +} + +Range * +Range::intersect(TempAllocator &alloc, const Range *lhs, const Range *rhs, bool *emptyRange) +{ + *emptyRange = false; + + if (!lhs && !rhs) + return nullptr; + + if (!lhs) + return new(alloc) Range(*rhs); + if (!rhs) + return new(alloc) Range(*lhs); + + int32_t newLower = Max(lhs->lower_, rhs->lower_); + int32_t newUpper = Min(lhs->upper_, rhs->upper_); + + // :TODO: This information could be used better. If upper < lower, then we + // have conflicting constraints. Consider: + // + // if (x < 0) { + // if (x > 0) { + // [Some code.] + // } + // } + // + // In this case, the block is dead. Right now, we just disregard this fact + // and make the range unbounded, rather than empty. + // + // Instead, we should use it to eliminate the dead block. + // (Bug 765127) + if (newUpper < newLower) { + // If both ranges can be NaN, the result can still be NaN. + if (!lhs->canBeNaN() || !rhs->canBeNaN()) + *emptyRange = true; + return nullptr; + } + + bool newHasInt32LowerBound = lhs->hasInt32LowerBound_ || rhs->hasInt32LowerBound_; + bool newHasInt32UpperBound = lhs->hasInt32UpperBound_ || rhs->hasInt32UpperBound_; + bool newFractional = lhs->canHaveFractionalPart_ && rhs->canHaveFractionalPart_; + uint16_t newExponent = Min(lhs->max_exponent_, rhs->max_exponent_); + + // NaN is a special value which is neither greater than infinity or less than + // negative infinity. When we intersect two ranges like [?, 0] and [0, ?], we + // can end up thinking we have both a lower and upper bound, even though NaN + // is still possible. In this case, just be conservative, since any case where + // we can have NaN is not especially interesting. + if (newHasInt32LowerBound && newHasInt32UpperBound && newExponent == IncludesInfinityAndNaN) + return nullptr; + + // If one of the ranges has a fractional part and the other doesn't, it's + // possible that we will have computed a newExponent that's more precise + // than our newLower and newUpper. This is unusual, so we handle it here + // instead of in optimize(). + // + // For example, consider the range F[0,1.5]. Range analysis represents the + // lower and upper bound as integers, so we'd actually have + // F[0,2] (< pow(2, 0+1)). In this case, the exponent gives us a slightly + // more precise upper bound than the integer upper bound. + // + // When intersecting such a range with an integer range, the fractional part + // of the range is dropped. The max exponent of 0 remains valid, so the + // upper bound needs to be adjusted to 1. 
+ // + // When intersecting F[0,2] (< pow(2, 0+1)) with a range like F[2,4], + // the naive intersection is I[2,2], but since the max exponent tells us + // that the value is always less than 2, the intersection is actually empty. + if (lhs->canHaveFractionalPart_ != rhs->canHaveFractionalPart_ || + (lhs->canHaveFractionalPart_ && + newHasInt32LowerBound && newHasInt32UpperBound && + newLower == newUpper)) + { + refineInt32BoundsByExponent(newExponent, &newLower, &newUpper); + + // If we're intersecting two ranges that don't overlap, this could also + // push the bounds past each other, since the actual intersection is + // the empty set. + if (newLower > newUpper) { + *emptyRange = true; + return nullptr; + } + } + + return new(alloc) Range(newLower, newHasInt32LowerBound, newUpper, newHasInt32UpperBound, + newFractional, newExponent); +} + +void +Range::unionWith(const Range *other) +{ + int32_t newLower = Min(lower_, other->lower_); + int32_t newUpper = Max(upper_, other->upper_); + + bool newHasInt32LowerBound = hasInt32LowerBound_ && other->hasInt32LowerBound_; + bool newHasInt32UpperBound = hasInt32UpperBound_ && other->hasInt32UpperBound_; + bool newFractional = canHaveFractionalPart_ || other->canHaveFractionalPart_; + uint16_t newExponent = Max(max_exponent_, other->max_exponent_); + + rawInitialize(newLower, newHasInt32LowerBound, newUpper, newHasInt32UpperBound, + newFractional, newExponent); +} + +Range::Range(const MDefinition *def) + : symbolicLower_(nullptr), + symbolicUpper_(nullptr) +{ + if (const Range *other = def->range()) { + // The instruction has range information; use it. + *this = *other; + + // Simulate the effect of converting the value to its type. + switch (def->type()) { + case MIRType_Int32: + wrapAroundToInt32(); + break; + case MIRType_Boolean: + wrapAroundToBoolean(); + break; + case MIRType_None: + MOZ_ASSUME_UNREACHABLE("Asking for the range of an instruction with no value"); + default: + break; + } + } else { + // Otherwise just use type information. We can trust the type here + // because we don't care what value the instruction actually produces, + // but what value we might get after we get past the bailouts. + switch (def->type()) { + case MIRType_Int32: + setInt32(JSVAL_INT_MIN, JSVAL_INT_MAX); + break; + case MIRType_Boolean: + setInt32(0, 1); + break; + case MIRType_None: + MOZ_ASSUME_UNREACHABLE("Asking for the range of an instruction with no value"); + default: + setUnknown(); + break; + } + } + + // As a special case, MUrsh is permitted to claim a result type of + // MIRType_Int32 while actually returning values in [0,UINT32_MAX] without + // bailouts. If range analysis hasn't ruled out values in + // (INT32_MAX,UINT32_MAX], set the range to be conservatively correct for + // use as either a uint32 or an int32. + if (!hasInt32UpperBound() && def->isUrsh() && def->toUrsh()->bailoutsDisabled()) + lower_ = INT32_MIN; + + assertInvariants(); +} + +static uint16_t +ExponentImpliedByDouble(double d) +{ + // Handle the special values. + if (IsNaN(d)) + return Range::IncludesInfinityAndNaN; + if (IsInfinite(d)) + return Range::IncludesInfinity; + + // Otherwise take the exponent part and clamp it at zero, since the Range + // class doesn't track fractional ranges. + return uint16_t(Max(int_fast16_t(0), ExponentComponent(d))); +} + +void +Range::setDouble(double l, double h) +{ + // Infer lower_, upper_, hasInt32LowerBound_, and hasInt32UpperBound_. 
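+    // (Illustrative values: setDouble(-0.5, 4.2) gives lower_ = -1 and
+    // upper_ = 5 with both int32 bound flags set, while setDouble(0, 1e10)
+    // leaves upper_ = INT32_MAX with hasInt32UpperBound_ = false.)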
+ if (l >= INT32_MIN && l <= INT32_MAX) { + lower_ = int32_t(floor(l)); + hasInt32LowerBound_ = true; + } else { + lower_ = INT32_MIN; + hasInt32LowerBound_ = false; + } + if (h >= INT32_MIN && h <= INT32_MAX) { + upper_ = int32_t(ceil(h)); + hasInt32UpperBound_ = true; + } else { + upper_ = INT32_MAX; + hasInt32UpperBound_ = false; + } + + // Infer max_exponent_. + uint16_t lExp = ExponentImpliedByDouble(l); + uint16_t hExp = ExponentImpliedByDouble(h); + max_exponent_ = Max(lExp, hExp); + + // Infer the canHaveFractionalPart_ field. We can have a fractional part + // if the range crosses through the neighborhood of zero. We won't have a + // fractional value if the value is always beyond the point at which + // double precision can't represent fractional values. + uint16_t minExp = Min(lExp, hExp); + bool includesNegative = IsNaN(l) || l < 0; + bool includesPositive = IsNaN(h) || h > 0; + bool crossesZero = includesNegative && includesPositive; + canHaveFractionalPart_ = crossesZero || minExp < MaxTruncatableExponent; + + optimize(); +} + +static inline bool +MissingAnyInt32Bounds(const Range *lhs, const Range *rhs) +{ + return !lhs->hasInt32Bounds() || !rhs->hasInt32Bounds(); +} + +Range * +Range::add(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + int64_t l = (int64_t) lhs->lower_ + (int64_t) rhs->lower_; + if (!lhs->hasInt32LowerBound() || !rhs->hasInt32LowerBound()) + l = NoInt32LowerBound; + + int64_t h = (int64_t) lhs->upper_ + (int64_t) rhs->upper_; + if (!lhs->hasInt32UpperBound() || !rhs->hasInt32UpperBound()) + h = NoInt32UpperBound; + + // The exponent is at most one greater than the greater of the operands' + // exponents, except for NaN and infinity cases. + uint16_t e = Max(lhs->max_exponent_, rhs->max_exponent_); + if (e <= Range::MaxFiniteExponent) + ++e; + + // Infinity + -Infinity is NaN. + if (lhs->canBeInfiniteOrNaN() && rhs->canBeInfiniteOrNaN()) + e = Range::IncludesInfinityAndNaN; + + return new(alloc) Range(l, h, lhs->canHaveFractionalPart() || rhs->canHaveFractionalPart(), e); +} + +Range * +Range::sub(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + int64_t l = (int64_t) lhs->lower_ - (int64_t) rhs->upper_; + if (!lhs->hasInt32LowerBound() || !rhs->hasInt32UpperBound()) + l = NoInt32LowerBound; + + int64_t h = (int64_t) lhs->upper_ - (int64_t) rhs->lower_; + if (!lhs->hasInt32UpperBound() || !rhs->hasInt32LowerBound()) + h = NoInt32UpperBound; + + // The exponent is at most one greater than the greater of the operands' + // exponents, except for NaN and infinity cases. + uint16_t e = Max(lhs->max_exponent_, rhs->max_exponent_); + if (e <= Range::MaxFiniteExponent) + ++e; + + // Infinity - Infinity is NaN. + if (lhs->canBeInfiniteOrNaN() && rhs->canBeInfiniteOrNaN()) + e = Range::IncludesInfinityAndNaN; + + return new(alloc) Range(l, h, lhs->canHaveFractionalPart() || rhs->canHaveFractionalPart(), e); +} + +Range * +Range::and_(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + JS_ASSERT(lhs->isInt32()); + JS_ASSERT(rhs->isInt32()); + + // If both numbers can be negative, result can be negative in the whole range + if (lhs->lower() < 0 && rhs->lower() < 0) + return Range::NewInt32Range(alloc, INT32_MIN, Max(lhs->upper(), rhs->upper())); + + // Only one of both numbers can be negative. 
+ // - the result can't be negative + // - the upper bound is the minimum of the two upper bounds. + int32_t lower = 0; + int32_t upper = Min(lhs->upper(), rhs->upper()); + + // EXCEPT when the upper bound of the non-negative number is the max value; + // a negative value can let the whole max value through, e.g. + // -1 & 5 = 5 + if (lhs->lower() < 0) + upper = rhs->upper(); + if (rhs->lower() < 0) + upper = lhs->upper(); + + return Range::NewInt32Range(alloc, lower, upper); +} + +Range * +Range::or_(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + JS_ASSERT(lhs->isInt32()); + JS_ASSERT(rhs->isInt32()); + // When one operand is always 0 or always -1, it's a special case where we + // can compute a fully precise result. Handling these up front also + // protects the code below from calling CountLeadingZeroes32 with a zero + // operand or from shifting an int32_t by 32. + if (lhs->lower() == lhs->upper()) { + if (lhs->lower() == 0) + return new(alloc) Range(*rhs); + if (lhs->lower() == -1) + return new(alloc) Range(*lhs); + } + if (rhs->lower() == rhs->upper()) { + if (rhs->lower() == 0) + return new(alloc) Range(*lhs); + if (rhs->lower() == -1) + return new(alloc) Range(*rhs); + } + + // The code below uses CountLeadingZeroes32, which has undefined behavior + // if its operand is 0. We rely on the code above to protect it. + JS_ASSERT_IF(lhs->lower() >= 0, lhs->upper() != 0); + JS_ASSERT_IF(rhs->lower() >= 0, rhs->upper() != 0); + JS_ASSERT_IF(lhs->upper() < 0, lhs->lower() != -1); + JS_ASSERT_IF(rhs->upper() < 0, rhs->lower() != -1); + + int32_t lower = INT32_MIN; + int32_t upper = INT32_MAX; + + if (lhs->lower() >= 0 && rhs->lower() >= 0) { + // Both operands are non-negative, so the result won't be less than either. + lower = Max(lhs->lower(), rhs->lower()); + // The result will have leading zeros where both operands have leading zeros. + // CountLeadingZeroes32 of a non-negative int32 will be at least 1, to account + // for the sign bit. + upper = int32_t(UINT32_MAX >> Min(CountLeadingZeroes32(lhs->upper()), + CountLeadingZeroes32(rhs->upper()))); + } else { + // The result will have leading ones where either operand has leading ones. + if (lhs->upper() < 0) { + unsigned leadingOnes = CountLeadingZeroes32(~lhs->lower()); + lower = Max(lower, ~int32_t(UINT32_MAX >> leadingOnes)); + upper = -1; + } + if (rhs->upper() < 0) { + unsigned leadingOnes = CountLeadingZeroes32(~rhs->lower()); + lower = Max(lower, ~int32_t(UINT32_MAX >> leadingOnes)); + upper = -1; + } + } + + return Range::NewInt32Range(alloc, lower, upper); +} + +Range * +Range::xor_(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + JS_ASSERT(lhs->isInt32()); + JS_ASSERT(rhs->isInt32()); + int32_t lhsLower = lhs->lower(); + int32_t lhsUpper = lhs->upper(); + int32_t rhsLower = rhs->lower(); + int32_t rhsUpper = rhs->upper(); + bool invertAfter = false; + + // If either operand is negative, bitwise-negate it, and arrange to negate + // the result; ~((~x)^y) == x^y. If both are negative the negations on the + // result cancel each other out; effectively this is (~x)^(~y) == x^y. + // These transformations reduce the number of cases we have to handle below.
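+    // (For instance, lhs = [-5, -2] is rewritten to [~(-2), ~(-5)] = [1, 4]
+    // and invertAfter is toggled, so the final bounds get bitwise-negated
+    // back at the end.)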
+ if (lhsUpper < 0) { + lhsLower = ~lhsLower; + lhsUpper = ~lhsUpper; + Swap(lhsLower, lhsUpper); + invertAfter = !invertAfter; + } + if (rhsUpper < 0) { + rhsLower = ~rhsLower; + rhsUpper = ~rhsUpper; + Swap(rhsLower, rhsUpper); + invertAfter = !invertAfter; + } + + // Handle cases where lhs or rhs is always zero specially, because they're + // easy cases where we can be perfectly precise, and because it protects the + // CountLeadingZeroes32 calls below from seeing 0 operands, which would be + // undefined behavior. + int32_t lower = INT32_MIN; + int32_t upper = INT32_MAX; + if (lhsLower == 0 && lhsUpper == 0) { + upper = rhsUpper; + lower = rhsLower; + } else if (rhsLower == 0 && rhsUpper == 0) { + upper = lhsUpper; + lower = lhsLower; + } else if (lhsLower >= 0 && rhsLower >= 0) { + // Both operands are non-negative. The result will be non-negative. + lower = 0; + // To compute the upper value, take each operand's upper value and + // set all bits that don't correspond to leading zero bits in the + // other to one. For each one, this gives an upper bound for the + // result, so we can take the minimum between the two. + unsigned lhsLeadingZeros = CountLeadingZeroes32(lhsUpper); + unsigned rhsLeadingZeros = CountLeadingZeroes32(rhsUpper); + upper = Min(rhsUpper | int32_t(UINT32_MAX >> lhsLeadingZeros), + lhsUpper | int32_t(UINT32_MAX >> rhsLeadingZeros)); + } + + // If we bitwise-negated one (but not both) of the operands above, apply the + // bitwise-negate to the result, completing ~((~x)^y) == x^y. + if (invertAfter) { + lower = ~lower; + upper = ~upper; + Swap(lower, upper); + } + + return Range::NewInt32Range(alloc, lower, upper); +} + +Range * +Range::not_(TempAllocator &alloc, const Range *op) +{ + JS_ASSERT(op->isInt32()); + return Range::NewInt32Range(alloc, ~op->upper(), ~op->lower()); +} + +Range * +Range::mul(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + bool fractional = lhs->canHaveFractionalPart() || rhs->canHaveFractionalPart(); + + uint16_t exponent; + if (!lhs->canBeInfiniteOrNaN() && !rhs->canBeInfiniteOrNaN()) { + // Two finite values. + exponent = lhs->numBits() + rhs->numBits() - 1; + if (exponent > Range::MaxFiniteExponent) + exponent = Range::IncludesInfinity; + } else if (!lhs->canBeNaN() && + !rhs->canBeNaN() && + !(lhs->canBeZero() && rhs->canBeInfiniteOrNaN()) && + !(rhs->canBeZero() && lhs->canBeInfiniteOrNaN())) + { + // Two values that multiplied together won't produce a NaN. + exponent = Range::IncludesInfinity; + } else { + // Could be anything. + exponent = Range::IncludesInfinityAndNaN; + } + + if (MissingAnyInt32Bounds(lhs, rhs)) + return new(alloc) Range(NoInt32LowerBound, NoInt32UpperBound, fractional, exponent); + int64_t a = (int64_t)lhs->lower() * (int64_t)rhs->lower(); + int64_t b = (int64_t)lhs->lower() * (int64_t)rhs->upper(); + int64_t c = (int64_t)lhs->upper() * (int64_t)rhs->lower(); + int64_t d = (int64_t)lhs->upper() * (int64_t)rhs->upper(); + return new(alloc) Range( + Min( Min(a, b), Min(c, d) ), + Max( Max(a, b), Max(c, d) ), + fractional, exponent); +} + +Range * +Range::lsh(TempAllocator &alloc, const Range *lhs, int32_t c) +{ + JS_ASSERT(lhs->isInt32()); + int32_t shift = c & 0x1f; + + // If the shift doesn't lose bits or shift bits into the sign bit, we + // can simply compute the correct range by shifting.
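+    // (For example, [1, 5] << 2 is representable exactly as [4, 20], since
+    // shifting back recovers the original bounds, whereas something like
+    // [0, 0x20000000] << 3 would lose bits and falls through to the
+    // conservative [INT32_MIN, INT32_MAX] result below.)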
+ if ((int32_t)((uint32_t)lhs->lower() << shift << 1 >> shift >> 1) == lhs->lower() && + (int32_t)((uint32_t)lhs->upper() << shift << 1 >> shift >> 1) == lhs->upper()) + { + return Range::NewInt32Range(alloc, + uint32_t(lhs->lower()) << shift, + uint32_t(lhs->upper()) << shift); + } + + return Range::NewInt32Range(alloc, INT32_MIN, INT32_MAX); +} + +Range * +Range::rsh(TempAllocator &alloc, const Range *lhs, int32_t c) +{ + JS_ASSERT(lhs->isInt32()); + int32_t shift = c & 0x1f; + return Range::NewInt32Range(alloc, + lhs->lower() >> shift, + lhs->upper() >> shift); +} + +Range * +Range::ursh(TempAllocator &alloc, const Range *lhs, int32_t c) +{ + // ursh's left operand is uint32, not int32, but for range analysis we + // currently approximate it as int32. We assume here that the range has + // already been adjusted accordingly by our callers. + JS_ASSERT(lhs->isInt32()); + + int32_t shift = c & 0x1f; + + // If the value is always non-negative or always negative, we can simply + // compute the correct range by shifting. + if (lhs->isFiniteNonNegative() || lhs->isFiniteNegative()) { + return Range::NewUInt32Range(alloc, + uint32_t(lhs->lower()) >> shift, + uint32_t(lhs->upper()) >> shift); + } + + // Otherwise return the most general range after the shift. + return Range::NewUInt32Range(alloc, 0, UINT32_MAX >> shift); +} + +Range * +Range::lsh(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + JS_ASSERT(lhs->isInt32()); + JS_ASSERT(rhs->isInt32()); + return Range::NewInt32Range(alloc, INT32_MIN, INT32_MAX); +} + +Range * +Range::rsh(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + JS_ASSERT(lhs->isInt32()); + JS_ASSERT(rhs->isInt32()); + return Range::NewInt32Range(alloc, Min(lhs->lower(), 0), Max(lhs->upper(), 0)); +} + +Range * +Range::ursh(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + // ursh's left operand is uint32, not int32, but for range analysis we + // currently approximate it as int32. We assume here that the range has + // already been adjusted accordingly by our callers. + JS_ASSERT(lhs->isInt32()); + JS_ASSERT(rhs->isInt32()); + return Range::NewUInt32Range(alloc, 0, lhs->isFiniteNonNegative() ? lhs->upper() : UINT32_MAX); +} + +Range * +Range::abs(TempAllocator &alloc, const Range *op) +{ + int32_t l = op->lower_; + int32_t u = op->upper_; + + return new(alloc) Range(Max(Max(int32_t(0), l), u == INT32_MIN ? INT32_MAX : -u), + true, + Max(Max(int32_t(0), u), l == INT32_MIN ? INT32_MAX : -l), + op->hasInt32Bounds() && l != INT32_MIN, + op->canHaveFractionalPart_, + op->max_exponent_); +} + +Range * +Range::min(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + // If either operand is NaN, the result is NaN. + if (lhs->canBeNaN() || rhs->canBeNaN()) + return nullptr; + + return new(alloc) Range(Min(lhs->lower_, rhs->lower_), + lhs->hasInt32LowerBound_ && rhs->hasInt32LowerBound_, + Min(lhs->upper_, rhs->upper_), + lhs->hasInt32UpperBound_ || rhs->hasInt32UpperBound_, + lhs->canHaveFractionalPart_ || rhs->canHaveFractionalPart_, + Max(lhs->max_exponent_, rhs->max_exponent_)); +} + +Range * +Range::max(TempAllocator &alloc, const Range *lhs, const Range *rhs) +{ + // If either operand is NaN, the result is NaN. 
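+    // (As in min() above, returning nullptr leaves the result with no range
+    // information, which conservatively covers the possible NaN result.)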
+ if (lhs->canBeNaN() || rhs->canBeNaN()) + return nullptr; + + return new(alloc) Range(Max(lhs->lower_, rhs->lower_), + lhs->hasInt32LowerBound_ || rhs->hasInt32LowerBound_, + Max(lhs->upper_, rhs->upper_), + lhs->hasInt32UpperBound_ && rhs->hasInt32UpperBound_, + lhs->canHaveFractionalPart_ || rhs->canHaveFractionalPart_, + Max(lhs->max_exponent_, rhs->max_exponent_)); +} + +bool +Range::negativeZeroMul(const Range *lhs, const Range *rhs) +{ + // The result can only be negative zero if both sides are finite and they + // have differing signs. + return (lhs->canBeFiniteNegative() && rhs->canBeFiniteNonNegative()) || + (rhs->canBeFiniteNegative() && lhs->canBeFiniteNonNegative()); +} + +bool +Range::update(const Range *other) +{ + bool changed = + lower_ != other->lower_ || + hasInt32LowerBound_ != other->hasInt32LowerBound_ || + upper_ != other->upper_ || + hasInt32UpperBound_ != other->hasInt32UpperBound_ || + canHaveFractionalPart_ != other->canHaveFractionalPart_ || + max_exponent_ != other->max_exponent_; + if (changed) { + lower_ = other->lower_; + hasInt32LowerBound_ = other->hasInt32LowerBound_; + upper_ = other->upper_; + hasInt32UpperBound_ = other->hasInt32UpperBound_; + canHaveFractionalPart_ = other->canHaveFractionalPart_; + max_exponent_ = other->max_exponent_; + assertInvariants(); + } + + return changed; +} + +/////////////////////////////////////////////////////////////////////////////// +// Range Computation for MIR Nodes +/////////////////////////////////////////////////////////////////////////////// + +void +MPhi::computeRange(TempAllocator &alloc) +{ + if (type() != MIRType_Int32 && type() != MIRType_Double) + return; + + Range *range = nullptr; + for (size_t i = 0, e = numOperands(); i < e; i++) { + if (getOperand(i)->block()->unreachable()) { + IonSpew(IonSpew_Range, "Ignoring unreachable input %d", getOperand(i)->id()); + continue; + } + + // Peek at the pre-bailout range so we can take a short-cut; if any of + // the operands has an unknown range, this phi has an unknown range. + if (!getOperand(i)->range()) + return; + + Range input(getOperand(i)); + + if (range) + range->unionWith(&input); + else + range = new(alloc) Range(input); + } + + setRange(range); +} + +void +MBeta::computeRange(TempAllocator &alloc) +{ + bool emptyRange = false; + + Range opRange(getOperand(0)); + Range *range = Range::intersect(alloc, &opRange, comparison_, &emptyRange); + if (emptyRange) { + IonSpew(IonSpew_Range, "Marking block for inst %d unreachable", id()); + block()->setUnreachable(); + } else { + setRange(range); + } +} + +void +MConstant::computeRange(TempAllocator &alloc) +{ + if (value().isNumber()) { + double d = value().toNumber(); + setRange(Range::NewDoubleRange(alloc, d, d)); + } else if (value().isBoolean()) { + bool b = value().toBoolean(); + setRange(Range::NewInt32Range(alloc, b, b)); + } +} + +void +MCharCodeAt::computeRange(TempAllocator &alloc) +{ + // ECMA 262 says that the integer will be non-negative and at most 65535. 
+ setRange(Range::NewInt32Range(alloc, 0, 65535)); +} + +void +MClampToUint8::computeRange(TempAllocator &alloc) +{ + setRange(Range::NewUInt32Range(alloc, 0, 255)); +} + +void +MBitAnd::computeRange(TempAllocator &alloc) +{ + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + right.wrapAroundToInt32(); + + setRange(Range::and_(alloc, &left, &right)); +} + +void +MBitOr::computeRange(TempAllocator &alloc) +{ + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + right.wrapAroundToInt32(); + + setRange(Range::or_(alloc, &left, &right)); +} + +void +MBitXor::computeRange(TempAllocator &alloc) +{ + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + right.wrapAroundToInt32(); + + setRange(Range::xor_(alloc, &left, &right)); +} + +void +MBitNot::computeRange(TempAllocator &alloc) +{ + Range op(getOperand(0)); + op.wrapAroundToInt32(); + + setRange(Range::not_(alloc, &op)); +} + +void +MLsh::computeRange(TempAllocator &alloc) +{ + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + + MDefinition *rhs = getOperand(1); + if (!rhs->isConstant()) { + right.wrapAroundToShiftCount(); + setRange(Range::lsh(alloc, &left, &right)); + return; + } + + int32_t c = rhs->toConstant()->value().toInt32(); + setRange(Range::lsh(alloc, &left, c)); +} + +void +MRsh::computeRange(TempAllocator &alloc) +{ + Range left(getOperand(0)); + Range right(getOperand(1)); + left.wrapAroundToInt32(); + + MDefinition *rhs = getOperand(1); + if (!rhs->isConstant()) { + right.wrapAroundToShiftCount(); + setRange(Range::rsh(alloc, &left, &right)); + return; + } + + int32_t c = rhs->toConstant()->value().toInt32(); + setRange(Range::rsh(alloc, &left, c)); +} + +void +MUrsh::computeRange(TempAllocator &alloc) +{ + Range left(getOperand(0)); + Range right(getOperand(1)); + + // ursh can be thought of as converting its left operand to uint32, or it + // can be thought of as converting its left operand to int32, and then + // reinterpreting the int32 bits as a uint32 value. Both approaches yield + // the same result. Since we lack support for full uint32 ranges, we use + // the second interpretation, though it does cause us to be conservative. + left.wrapAroundToInt32(); + right.wrapAroundToShiftCount(); + + MDefinition *rhs = getOperand(1); + if (!rhs->isConstant()) { + setRange(Range::ursh(alloc, &left, &right)); + } else { + int32_t c = rhs->toConstant()->value().toInt32(); + setRange(Range::ursh(alloc, &left, c)); + } + + JS_ASSERT(range()->lower() >= 0); +} + +void +MAbs::computeRange(TempAllocator &alloc) +{ + if (specialization_ != MIRType_Int32 && specialization_ != MIRType_Double) + return; + + Range other(getOperand(0)); + Range *next = Range::abs(alloc, &other); + if (implicitTruncate_) + next->wrapAroundToInt32(); + setRange(next); +} + +void +MMinMax::computeRange(TempAllocator &alloc) +{ + if (specialization_ != MIRType_Int32 && specialization_ != MIRType_Double) + return; + + Range left(getOperand(0)); + Range right(getOperand(1)); + setRange(isMax() ? 
Range::max(alloc, &left, &right) : Range::min(alloc, &left, &right)); +} + +void +MAdd::computeRange(TempAllocator &alloc) +{ + if (specialization() != MIRType_Int32 && specialization() != MIRType_Double) + return; + Range left(getOperand(0)); + Range right(getOperand(1)); + Range *next = Range::add(alloc, &left, &right); + if (isTruncated()) + next->wrapAroundToInt32(); + setRange(next); +} + +void +MSub::computeRange(TempAllocator &alloc) +{ + if (specialization() != MIRType_Int32 && specialization() != MIRType_Double) + return; + Range left(getOperand(0)); + Range right(getOperand(1)); + Range *next = Range::sub(alloc, &left, &right); + if (isTruncated()) + next->wrapAroundToInt32(); + setRange(next); +} + +void +MMul::computeRange(TempAllocator &alloc) +{ + if (specialization() != MIRType_Int32 && specialization() != MIRType_Double) + return; + Range left(getOperand(0)); + Range right(getOperand(1)); + if (canBeNegativeZero()) + canBeNegativeZero_ = Range::negativeZeroMul(&left, &right); + Range *next = Range::mul(alloc, &left, &right); + // Truncated multiplications could overflow in both directions + if (isTruncated()) + next->wrapAroundToInt32(); + setRange(next); +} + +void +MMod::computeRange(TempAllocator &alloc) +{ + if (specialization() != MIRType_Int32 && specialization() != MIRType_Double) + return; + Range lhs(getOperand(0)); + Range rhs(getOperand(1)); + + // If either operand is a NaN, the result is NaN. This also conservatively + // handles Infinity cases. + if (!lhs.hasInt32Bounds() || !rhs.hasInt32Bounds()) + return; + + // If RHS can be zero, the result can be NaN. + if (rhs.lower() <= 0 && rhs.upper() >= 0) + return; + + // If both operands are non-negative integers, we can optimize this to an + // unsigned mod. + if (specialization() == MIRType_Int32 && lhs.lower() >= 0 && rhs.lower() > 0 && + !lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()) + { + unsigned_ = true; + } + + // For unsigned mod, we have to convert both operands to unsigned. + // Note that we handled the case of a zero rhs above. + if (unsigned_) { + // The result of an unsigned mod will never be unsigned-greater than + // either operand. + uint32_t lhsBound = Max(lhs.lower(), lhs.upper()); + uint32_t rhsBound = Max(rhs.lower(), rhs.upper()); + + // If either range crosses through -1 as a signed value, it could be + // the maximum unsigned value when interpreted as unsigned. If the range + // doesn't include -1, then the simple max value we computed above is + // correct. + if (lhs.lower() <= -1 && lhs.upper() >= -1) + lhsBound = UINT32_MAX; + if (rhs.lower() <= -1 && rhs.upper() >= -1) + rhsBound = UINT32_MAX; + + // The result will never be equal to the rhs, and we shouldn't have + // any rounding to worry about. + JS_ASSERT(!lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()); + --rhsBound; + + // This gives us two upper bounds, so we can take the best one. + setRange(Range::NewUInt32Range(alloc, 0, Min(lhsBound, rhsBound))); + return; + } + + // Math.abs(lhs % rhs) == Math.abs(lhs) % Math.abs(rhs). + // First, the absolute value of the result will always be less than the + // absolute value of rhs. (And if rhs is zero, the result is NaN). + int64_t a = Abs(rhs.lower()); + int64_t b = Abs(rhs.upper()); + if (a == 0 && b == 0) + return; + int64_t rhsAbsBound = Max(a, b); + + // If the value is known to be integer, less-than abs(rhs) is equivalent + // to less-than-or-equal abs(rhs)-1. 
This is important for being able to + // say that the result of x%256 is an 8-bit unsigned number. + if (!lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()) + --rhsAbsBound; + + // Next, the absolute value of the result will never be greater than the + // absolute value of lhs. + int64_t lhsAbsBound = Max(Abs(lhs.lower()), Abs(lhs.upper())); + + // This gives us two upper bounds, so we can take the best one. + int64_t absBound = Min(lhsAbsBound, rhsAbsBound); + + // Now consider the sign of the result. + // If lhs is non-negative, the result will be non-negative. + // If lhs is non-positive, the result will be non-positive. + int64_t lower = lhs.lower() >= 0 ? 0 : -absBound; + int64_t upper = lhs.upper() <= 0 ? 0 : absBound; + + setRange(new(alloc) Range(lower, upper, lhs.canHaveFractionalPart() || rhs.canHaveFractionalPart(), + Min(lhs.exponent(), rhs.exponent()))); +} + +void +MDiv::computeRange(TempAllocator &alloc) +{ + if (specialization() != MIRType_Int32 && specialization() != MIRType_Double) + return; + Range lhs(getOperand(0)); + Range rhs(getOperand(1)); + + // If either operand is a NaN, the result is NaN. This also conservatively + // handles Infinity cases. + if (!lhs.hasInt32Bounds() || !rhs.hasInt32Bounds()) + return; + + // Something simple for now: When dividing by a positive rhs, the result + // won't be further from zero than lhs. + if (lhs.lower() >= 0 && rhs.lower() >= 1) { + setRange(new(alloc) Range(0, lhs.upper(), true, lhs.exponent())); + } else if (unsigned_ && rhs.lower() >= 1) { + // We shouldn't set the unsigned flag if the inputs can have + // fractional parts. + JS_ASSERT(!lhs.canHaveFractionalPart() && !rhs.canHaveFractionalPart()); + // Unsigned division by a non-zero rhs will return a uint32 value. + setRange(Range::NewUInt32Range(alloc, 0, UINT32_MAX)); + } +} + +void +MSqrt::computeRange(TempAllocator &alloc) +{ + Range input(getOperand(0)); + + // If either operand is a NaN, the result is NaN. This also conservatively + // handles Infinity cases. + if (!input.hasInt32Bounds()) + return; + + // Sqrt of a negative non-zero value is NaN. + if (input.lower() < 0) + return; + + // Something simple for now: When taking the sqrt of a positive value, the + // result won't be further from zero than the input. 
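+    // (E.g. an input range of [0, 100] yields a result range of [0, 100]; the
+    // 'true' below records that the result may have a fractional part, as for
+    // sqrt(2).)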
+ setRange(new(alloc) Range(0, input.upper(), true, input.exponent())); +} + +void +MToDouble::computeRange(TempAllocator &alloc) +{ + setRange(new(alloc) Range(getOperand(0))); +} + +void +MToFloat32::computeRange(TempAllocator &alloc) +{ +} + +void +MTruncateToInt32::computeRange(TempAllocator &alloc) +{ + Range *output = new(alloc) Range(getOperand(0)); + output->wrapAroundToInt32(); + setRange(output); +} + +void +MToInt32::computeRange(TempAllocator &alloc) +{ + Range *output = new(alloc) Range(getOperand(0)); + output->clampToInt32(); + setRange(output); +} + +static Range *GetTypedArrayRange(TempAllocator &alloc, int type) +{ + switch (type) { + case ScalarTypeDescr::TYPE_UINT8_CLAMPED: + case ScalarTypeDescr::TYPE_UINT8: + return Range::NewUInt32Range(alloc, 0, UINT8_MAX); + case ScalarTypeDescr::TYPE_UINT16: + return Range::NewUInt32Range(alloc, 0, UINT16_MAX); + case ScalarTypeDescr::TYPE_UINT32: + return Range::NewUInt32Range(alloc, 0, UINT32_MAX); + + case ScalarTypeDescr::TYPE_INT8: + return Range::NewInt32Range(alloc, INT8_MIN, INT8_MAX); + case ScalarTypeDescr::TYPE_INT16: + return Range::NewInt32Range(alloc, INT16_MIN, INT16_MAX); + case ScalarTypeDescr::TYPE_INT32: + return Range::NewInt32Range(alloc, INT32_MIN, INT32_MAX); + + case ScalarTypeDescr::TYPE_FLOAT32: + case ScalarTypeDescr::TYPE_FLOAT64: + break; + } + + return nullptr; +} + +void +MLoadTypedArrayElement::computeRange(TempAllocator &alloc) +{ + // We have an Int32 type and if this is a UInt32 load it may produce a value + // outside of our range, but we have a bailout to handle those cases. + setRange(GetTypedArrayRange(alloc, arrayType())); +} + +void +MLoadTypedArrayElementStatic::computeRange(TempAllocator &alloc) +{ + // We don't currently use MLoadTypedArrayElementStatic for uint32, so we + // don't have to worry about it returning a value outside our type. + JS_ASSERT(typedArray_->type() != ScalarTypeDescr::TYPE_UINT32); + + setRange(GetTypedArrayRange(alloc, typedArray_->type())); +} + +void +MArrayLength::computeRange(TempAllocator &alloc) +{ + // Array lengths can go up to UINT32_MAX, but we only create MArrayLength + // nodes when the value is known to be int32 (see the + // OBJECT_FLAG_LENGTH_OVERFLOW flag). + setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); +} + +void +MInitializedLength::computeRange(TempAllocator &alloc) +{ + setRange(Range::NewUInt32Range(alloc, 0, JSObject::NELEMENTS_LIMIT)); +} + +void +MTypedArrayLength::computeRange(TempAllocator &alloc) +{ + setRange(Range::NewUInt32Range(alloc, 0, INT32_MAX)); +} + +void +MStringLength::computeRange(TempAllocator &alloc) +{ + static_assert(JSString::MAX_LENGTH <= UINT32_MAX, + "NewUInt32Range requires a uint32 value"); + setRange(Range::NewUInt32Range(alloc, 0, JSString::MAX_LENGTH)); +} + +void +MArgumentsLength::computeRange(TempAllocator &alloc) +{ + // This is a conservative upper bound on what |TooManyArguments| checks. + // If exceeded, Ion will not be entered in the first place. + static_assert(SNAPSHOT_MAX_NARGS <= UINT32_MAX, + "NewUInt32Range requires a uint32 value"); + setRange(Range::NewUInt32Range(alloc, 0, SNAPSHOT_MAX_NARGS)); +} + +void +MBoundsCheck::computeRange(TempAllocator &alloc) +{ + // Just transfer the incoming index range to the output. The length() is + // also interesting, but it is handled as a bailout check, and we're + // computing a pre-bailout range here.
+ setRange(new(alloc) Range(index())); +} + +void +MArrayPush::computeRange(TempAllocator &alloc) +{ + // MArrayPush returns the new array length. + setRange(Range::NewUInt32Range(alloc, 0, UINT32_MAX)); +} + +void +MMathFunction::computeRange(TempAllocator &alloc) +{ + Range opRange(getOperand(0)); + switch (function()) { + case Sin: + case Cos: + if (!opRange.canBeInfiniteOrNaN()) + setRange(Range::NewDoubleRange(alloc, -1.0, 1.0)); + break; + case Sign: + if (!opRange.canBeNaN()) { + // Note that Math.sign(-0) is -0, and we treat -0 as equal to 0. + int32_t lower = -1; + int32_t upper = 1; + if (opRange.hasInt32LowerBound() && opRange.lower() >= 0) + lower = 0; + if (opRange.hasInt32UpperBound() && opRange.upper() <= 0) + upper = 0; + setRange(Range::NewInt32Range(alloc, lower, upper)); + } + break; + default: + break; + } +} + +void +MRandom::computeRange(TempAllocator &alloc) +{ + setRange(Range::NewDoubleRange(alloc, 0.0, 1.0)); +} + +/////////////////////////////////////////////////////////////////////////////// +// Range Analysis +/////////////////////////////////////////////////////////////////////////////// + +bool +RangeAnalysis::markBlocksInLoopBody(MBasicBlock *header, MBasicBlock *backedge) +{ + Vector worklist(alloc()); + + // Mark the header as being in the loop. This terminates the walk. + header->mark(); + + backedge->mark(); + if (!worklist.append(backedge)) + return false; + + // If we haven't reached the loop header yet, walk up the predecessors + // we haven't seen already. + while (!worklist.empty()) { + MBasicBlock *current = worklist.popCopy(); + for (size_t i = 0; i < current->numPredecessors(); i++) { + MBasicBlock *pred = current->getPredecessor(i); + + if (pred->isMarked()) + continue; + + pred->mark(); + if (!worklist.append(pred)) + return false; + } + } + + return true; +} + +bool +RangeAnalysis::analyzeLoop(MBasicBlock *header) +{ + JS_ASSERT(header->hasUniqueBackedge()); + + // Try to compute an upper bound on the number of times the loop backedge + // will be taken. Look for tests that dominate the backedge and which have + // an edge leaving the loop body. + MBasicBlock *backedge = header->backedge(); + + // Ignore trivial infinite loops. + if (backedge == header) + return true; + + if (!markBlocksInLoopBody(header, backedge)) + return false; + + LoopIterationBound *iterationBound = nullptr; + + MBasicBlock *block = backedge; + do { + BranchDirection direction; + MTest *branch = block->immediateDominatorBranch(&direction); + + if (block == block->immediateDominator()) + break; + + block = block->immediateDominator(); + + if (branch) { + direction = NegateBranchDirection(direction); + MBasicBlock *otherBlock = branch->branchSuccessor(direction); + if (!otherBlock->isMarked()) { + iterationBound = + analyzeLoopIterationCount(header, branch, direction); + if (iterationBound) + break; + } + } + } while (block != header); + + if (!iterationBound) { + graph_.unmarkBlocks(); + return true; + } + +#ifdef DEBUG + if (IonSpewEnabled(IonSpew_Range)) { + Sprinter sp(GetIonContext()->cx); + sp.init(); + iterationBound->sum.print(sp); + IonSpew(IonSpew_Range, "computed symbolic bound on backedges: %s", + sp.string()); + } +#endif + + // Try to compute symbolic bounds for the phi nodes at the head of this + // loop, expressed in terms of the iteration bound just computed. 
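+    // (Roughly: for a loop like "for (i = 0; i < n; i++)", the bound computed
+    // above is n - initial(i), and analyzeLoopPhi() then records the symbolic
+    // bounds initial(i) <= i and i <= initial(i) + bound - 1, i.e. i <= n - 1
+    // at points dominated by the loop test.)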
+ + for (MPhiIterator iter(header->phisBegin()); iter != header->phisEnd(); iter++) + analyzeLoopPhi(header, iterationBound, *iter); + + if (!mir->compilingAsmJS()) { + // Try to hoist any bounds checks from the loop using symbolic bounds. + + Vector hoistedChecks(alloc()); + + for (ReversePostorderIterator iter(graph_.rpoBegin(header)); iter != graph_.rpoEnd(); iter++) { + MBasicBlock *block = *iter; + if (!block->isMarked()) + continue; + + for (MDefinitionIterator iter(block); iter; iter++) { + MDefinition *def = *iter; + if (def->isBoundsCheck() && def->isMovable()) { + if (tryHoistBoundsCheck(header, def->toBoundsCheck())) { + if (!hoistedChecks.append(def->toBoundsCheck())) + return false; + } + } + } + } + + // Note: replace all uses of the original bounds check with the + // actual index. This is usually done during bounds check elimination, + // but in this case it's safe to do it here since the load/store is + // definitely not loop-invariant, so we will never move it before + // one of the bounds checks we just added. + for (size_t i = 0; i < hoistedChecks.length(); i++) { + MBoundsCheck *ins = hoistedChecks[i]; + ins->replaceAllUsesWith(ins->index()); + ins->block()->discard(ins); + } + } + + graph_.unmarkBlocks(); + return true; +} + +LoopIterationBound * +RangeAnalysis::analyzeLoopIterationCount(MBasicBlock *header, + MTest *test, BranchDirection direction) +{ + SimpleLinearSum lhs(nullptr, 0); + MDefinition *rhs; + bool lessEqual; + if (!ExtractLinearInequality(test, direction, &lhs, &rhs, &lessEqual)) + return nullptr; + + // Ensure the rhs is a loop invariant term. + if (rhs && rhs->block()->isMarked()) { + if (lhs.term && lhs.term->block()->isMarked()) + return nullptr; + MDefinition *temp = lhs.term; + lhs.term = rhs; + rhs = temp; + if (!SafeSub(0, lhs.constant, &lhs.constant)) + return nullptr; + lessEqual = !lessEqual; + } + + JS_ASSERT_IF(rhs, !rhs->block()->isMarked()); + + // Ensure the lhs is a phi node from the start of the loop body. + if (!lhs.term || !lhs.term->isPhi() || lhs.term->block() != header) + return nullptr; + + // Check that the value of the lhs changes by a constant amount with each + // loop iteration. This requires that the lhs be written in every loop + // iteration with a value that is a constant difference from its value at + // the start of the iteration. + + if (lhs.term->toPhi()->numOperands() != 2) + return nullptr; + + // The first operand of the phi should be the lhs' value at the start of + // the first executed iteration, and not a value written which could + // replace the second operand below during the middle of execution. + MDefinition *lhsInitial = lhs.term->toPhi()->getOperand(0); + if (lhsInitial->block()->isMarked()) + return nullptr; + + // The second operand of the phi should be a value written by an add/sub + // in every loop iteration, i.e. in a block which dominates the backedge. + MDefinition *lhsWrite = lhs.term->toPhi()->getOperand(1); + if (lhsWrite->isBeta()) + lhsWrite = lhsWrite->getOperand(0); + if (!lhsWrite->isAdd() && !lhsWrite->isSub()) + return nullptr; + if (!lhsWrite->block()->isMarked()) + return nullptr; + MBasicBlock *bb = header->backedge(); + for (; bb != lhsWrite->block() && bb != header; bb = bb->immediateDominator()) {} + if (bb != lhsWrite->block()) + return nullptr; + + SimpleLinearSum lhsModified = ExtractLinearSum(lhsWrite); + + // Check that the value of the lhs at the backedge is of the form + // 'old(lhs) + N'. 
We can be sure that old(lhs) is the value at the start + // of the iteration, and not that written to lhs in a previous iteration, + // as such a previous value could not appear directly in the addition: + // it could not be stored in lhs as the lhs add/sub executes in every + // iteration, and if it were stored in another variable its use here would + // be as an operand to a phi node for that variable. + if (lhsModified.term != lhs.term) + return nullptr; + + LinearSum bound(alloc()); + + if (lhsModified.constant == 1 && !lessEqual) { + // The value of lhs is 'initial(lhs) + iterCount' and this will end + // execution of the loop if 'lhs + lhsN >= rhs'. Thus, an upper bound + // on the number of backedges executed is: + // + // initial(lhs) + iterCount + lhsN == rhs + // iterCount == rhsN - initial(lhs) - lhsN + + if (rhs) { + if (!bound.add(rhs, 1)) + return nullptr; + } + if (!bound.add(lhsInitial, -1)) + return nullptr; + + int32_t lhsConstant; + if (!SafeSub(0, lhs.constant, &lhsConstant)) + return nullptr; + if (!bound.add(lhsConstant)) + return nullptr; + } else if (lhsModified.constant == -1 && lessEqual) { + // The value of lhs is 'initial(lhs) - iterCount'. Similar to the above + // case, an upper bound on the number of backedges executed is: + // + // initial(lhs) - iterCount + lhsN == rhs + // iterCount == initial(lhs) - rhs + lhsN + + if (!bound.add(lhsInitial, 1)) + return nullptr; + if (rhs) { + if (!bound.add(rhs, -1)) + return nullptr; + } + if (!bound.add(lhs.constant)) + return nullptr; + } else { + return nullptr; + } + + return new(alloc()) LoopIterationBound(header, test, bound); +} + +void +RangeAnalysis::analyzeLoopPhi(MBasicBlock *header, LoopIterationBound *loopBound, MPhi *phi) +{ + // Given a bound on the number of backedges taken, compute an upper and + // lower bound for a phi node that may change by a constant amount each + // iteration. Unlike for the case when computing the iteration bound + // itself, the phi does not need to change the same amount every iteration, + // but is required to change at most N and be either nondecreasing or + // nonincreasing. + + JS_ASSERT(phi->numOperands() == 2); + + MBasicBlock *preLoop = header->loopPredecessor(); + JS_ASSERT(!preLoop->isMarked() && preLoop->successorWithPhis() == header); + + MBasicBlock *backedge = header->backedge(); + JS_ASSERT(backedge->isMarked() && backedge->successorWithPhis() == header); + + MDefinition *initial = phi->getOperand(preLoop->positionInPhiSuccessor()); + if (initial->block()->isMarked()) + return; + + SimpleLinearSum modified = ExtractLinearSum(phi->getOperand(backedge->positionInPhiSuccessor())); + + if (modified.term != phi || modified.constant == 0) + return; + + if (!phi->range()) + phi->setRange(new(alloc()) Range()); + + LinearSum initialSum(alloc()); + if (!initialSum.add(initial, 1)) + return; + + // The phi may change by N each iteration, and is either nondecreasing or + // nonincreasing. initial(phi) is either a lower or upper bound for the + // phi, and initial(phi) + loopBound * N is either an upper or lower bound, + // at all points within the loop, provided that loopBound >= 0. + // + // We are more interested, however, in the bound for phi at points + // dominated by the loop bound's test; if the test dominates e.g. a bounds + // check we want to hoist from the loop, using the value of the phi at the + // head of the loop for this will usually be too imprecise to hoist the + // check. 
These points will execute only if the backedge executes at least + // one more time (as the test passed and the test dominates the backedge), + // so we know both that loopBound >= 1 and that the phi's value has changed + // at most loopBound - 1 times. Thus, another upper or lower bound for the + // phi is initial(phi) + (loopBound - 1) * N, without requiring us to + // ensure that loopBound >= 0. + + LinearSum limitSum(loopBound->sum); + if (!limitSum.multiply(modified.constant) || !limitSum.add(initialSum)) + return; + + int32_t negativeConstant; + if (!SafeSub(0, modified.constant, &negativeConstant) || !limitSum.add(negativeConstant)) + return; + + Range *initRange = initial->range(); + if (modified.constant > 0) { + if (initRange && initRange->hasInt32LowerBound()) + phi->range()->refineLower(initRange->lower()); + phi->range()->setSymbolicLower(SymbolicBound::New(alloc(), nullptr, initialSum)); + phi->range()->setSymbolicUpper(SymbolicBound::New(alloc(), loopBound, limitSum)); + } else { + if (initRange && initRange->hasInt32UpperBound()) + phi->range()->refineUpper(initRange->upper()); + phi->range()->setSymbolicUpper(SymbolicBound::New(alloc(), nullptr, initialSum)); + phi->range()->setSymbolicLower(SymbolicBound::New(alloc(), loopBound, limitSum)); + } + + IonSpew(IonSpew_Range, "added symbolic range on %d", phi->id()); + SpewRange(phi); +} + +// Whether bound is valid at the specified bounds check instruction in a loop, +// and may be used to hoist ins. +static inline bool +SymbolicBoundIsValid(MBasicBlock *header, MBoundsCheck *ins, const SymbolicBound *bound) +{ + if (!bound->loop) + return true; + if (ins->block() == header) + return false; + MBasicBlock *bb = ins->block()->immediateDominator(); + while (bb != header && bb != bound->loop->test->block()) + bb = bb->immediateDominator(); + return bb == bound->loop->test->block(); +} + +// Convert all components of a linear sum *except* its constant to a definition, +// adding any necessary instructions to the end of block. 
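+// (For example, the sum 3*x + y - 2 is materialized as Add(Mul(x, 3), y); the
+// trailing constant -2 is deliberately not emitted, and callers such as
+// tryHoistBoundsCheck() below fold it into the hoisted check's minimum and
+// maximum instead.)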
+static inline MDefinition * +ConvertLinearSum(TempAllocator &alloc, MBasicBlock *block, const LinearSum &sum) +{ + MDefinition *def = nullptr; + + for (size_t i = 0; i < sum.numTerms(); i++) { + LinearTerm term = sum.term(i); + JS_ASSERT(!term.term->isConstant()); + if (term.scale == 1) { + if (def) { + def = MAdd::New(alloc, def, term.term); + def->toAdd()->setInt32(); + block->insertBefore(block->lastIns(), def->toInstruction()); + def->computeRange(alloc); + } else { + def = term.term; + } + } else if (term.scale == -1) { + if (!def) { + def = MConstant::New(alloc, Int32Value(0)); + block->insertBefore(block->lastIns(), def->toInstruction()); + def->computeRange(alloc); + } + def = MSub::New(alloc, def, term.term); + def->toSub()->setInt32(); + block->insertBefore(block->lastIns(), def->toInstruction()); + def->computeRange(alloc); + } else { + JS_ASSERT(term.scale != 0); + MConstant *factor = MConstant::New(alloc, Int32Value(term.scale)); + block->insertBefore(block->lastIns(), factor); + MMul *mul = MMul::New(alloc, term.term, factor); + mul->setInt32(); + block->insertBefore(block->lastIns(), mul); + mul->computeRange(alloc); + if (def) { + def = MAdd::New(alloc, def, mul); + def->toAdd()->setInt32(); + block->insertBefore(block->lastIns(), def->toInstruction()); + def->computeRange(alloc); + } else { + def = mul; + } + } + } + + if (!def) { + def = MConstant::New(alloc, Int32Value(0)); + block->insertBefore(block->lastIns(), def->toInstruction()); + def->computeRange(alloc); + } + + return def; +} + +bool +RangeAnalysis::tryHoistBoundsCheck(MBasicBlock *header, MBoundsCheck *ins) +{ + // The bounds check's length must be loop invariant. + if (ins->length()->block()->isMarked()) + return false; + + // The bounds check's index should not be loop invariant (else we would + // already have hoisted it during LICM). + SimpleLinearSum index = ExtractLinearSum(ins->index()); + if (!index.term || !index.term->block()->isMarked()) + return false; + + // Check for a symbolic lower and upper bound on the index. If either + // condition depends on an iteration bound for the loop, only hoist if + // the bounds check is dominated by the iteration bound's test. + if (!index.term->range()) + return false; + const SymbolicBound *lower = index.term->range()->symbolicLower(); + if (!lower || !SymbolicBoundIsValid(header, ins, lower)) + return false; + const SymbolicBound *upper = index.term->range()->symbolicUpper(); + if (!upper || !SymbolicBoundIsValid(header, ins, upper)) + return false; + + MBasicBlock *preLoop = header->loopPredecessor(); + JS_ASSERT(!preLoop->isMarked()); + + MDefinition *lowerTerm = ConvertLinearSum(alloc(), preLoop, lower->sum); + if (!lowerTerm) + return false; + + MDefinition *upperTerm = ConvertLinearSum(alloc(), preLoop, upper->sum); + if (!upperTerm) + return false; + + // We are checking that index + indexConstant >= 0, and know that + // index >= lowerTerm + lowerConstant. Thus, check that: + // + // lowerTerm + lowerConstant + indexConstant >= 0 + // lowerTerm >= -lowerConstant - indexConstant + + int32_t lowerConstant = 0; + if (!SafeSub(lowerConstant, index.constant, &lowerConstant)) + return false; + if (!SafeSub(lowerConstant, lower->sum.constant(), &lowerConstant)) + return false; + + // We are checking that index < boundsLength, and know that + // index <= upperTerm + upperConstant. 
Thus, check that: + // + // upperTerm + upperConstant < boundsLength + + int32_t upperConstant = index.constant; + if (!SafeAdd(upper->sum.constant(), upperConstant, &upperConstant)) + return false; + + MBoundsCheckLower *lowerCheck = MBoundsCheckLower::New(alloc(), lowerTerm); + lowerCheck->setMinimum(lowerConstant); + + MBoundsCheck *upperCheck = MBoundsCheck::New(alloc(), upperTerm, ins->length()); + upperCheck->setMinimum(upperConstant); + upperCheck->setMaximum(upperConstant); + + // Hoist the loop invariant upper and lower bounds checks. + preLoop->insertBefore(preLoop->lastIns(), lowerCheck); + preLoop->insertBefore(preLoop->lastIns(), upperCheck); + + return true; +} + +bool +RangeAnalysis::analyze() +{ + IonSpew(IonSpew_Range, "Doing range propagation"); + + for (ReversePostorderIterator iter(graph_.rpoBegin()); iter != graph_.rpoEnd(); iter++) { + MBasicBlock *block = *iter; + + if (block->unreachable()) + continue; + + for (MDefinitionIterator iter(block); iter; iter++) { + MDefinition *def = *iter; + + def->computeRange(alloc()); + IonSpew(IonSpew_Range, "computing range on %d", def->id()); + SpewRange(def); + } + + if (block->isLoopHeader()) { + if (!analyzeLoop(block)) + return false; + } + + // First pass at collecting range info - while the beta nodes are still + // around and before truncation. + for (MInstructionIterator iter(block->begin()); iter != block->end(); iter++) { + iter->collectRangeInfoPreTrunc(); + + // Would have been nice to implement this using collectRangeInfoPreTrunc() + // methods but it needs the minAsmJSHeapLength(). + if (mir->compilingAsmJS()) { + uint32_t minHeapLength = mir->minAsmJSHeapLength(); + if (iter->isAsmJSLoadHeap()) { + MAsmJSLoadHeap *ins = iter->toAsmJSLoadHeap(); + Range *range = ins->ptr()->range(); + if (range && range->hasInt32LowerBound() && range->lower() >= 0 && + range->hasInt32UpperBound() && (uint32_t) range->upper() < minHeapLength) { + ins->setSkipBoundsCheck(true); + } + } else if (iter->isAsmJSStoreHeap()) { + MAsmJSStoreHeap *ins = iter->toAsmJSStoreHeap(); + Range *range = ins->ptr()->range(); + if (range && range->hasInt32LowerBound() && range->lower() >= 0 && + range->hasInt32UpperBound() && (uint32_t) range->upper() < minHeapLength) { + ins->setSkipBoundsCheck(true); + } + } + } + } + } + + return true; +} + +bool +RangeAnalysis::addRangeAssertions() +{ + if (!js_JitOptions.checkRangeAnalysis) + return true; + + // Check the computed range for this instruction, if the option is set. Note + // that this code is quite invasive; it adds numerous additional + // instructions for each MInstruction with a computed range, and it uses + // registers, so it also affects register allocation. + for (ReversePostorderIterator iter(graph_.rpoBegin()); iter != graph_.rpoEnd(); iter++) { + MBasicBlock *block = *iter; + + for (MDefinitionIterator iter(block); iter; iter++) { + MDefinition *ins = *iter; + + // Perform range checking for all numeric and numeric-like types. + if (!IsNumberType(ins->type()) && + ins->type() != MIRType_Boolean && + ins->type() != MIRType_Value) + { + continue; + } + + Range r(ins); + + // Don't insert assertions if there's nothing interesting to assert. + if (r.isUnknown() || (ins->type() == MIRType_Int32 && r.isUnknownInt32())) + continue; + + MAssertRange *guard = MAssertRange::New(alloc(), ins, new(alloc()) Range(r)); + + // Beta nodes and interrupt checks are required to be located at the + // beginnings of basic blocks, so we must insert range assertions + // after any such instructions. 
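+            //
+            // For instance, given a (hypothetical) block of the form
+            //
+            //   beta1 = Beta(x, [0, INT32_MAX])
+            //   interruptcheck2
+            //   add3 = Add(beta1, y)
+            //
+            // an assertion guarding beta1's range is inserted after
+            // interruptcheck2 rather than directly after beta1.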
+ MInstructionIterator insertIter = ins->isPhi() + ? block->begin() + : block->begin(ins->toInstruction()); + while (insertIter->isBeta() || + insertIter->isInterruptCheck() || + insertIter->isInterruptCheckPar() || + insertIter->isConstant()) + { + insertIter++; + } + + if (*insertIter == *iter) + block->insertAfter(*insertIter, guard); + else + block->insertBefore(*insertIter, guard); + } + } + + return true; +} + +/////////////////////////////////////////////////////////////////////////////// +// Range based Truncation +/////////////////////////////////////////////////////////////////////////////// + +void +Range::clampToInt32() +{ + if (isInt32()) + return; + int32_t l = hasInt32LowerBound() ? lower() : JSVAL_INT_MIN; + int32_t h = hasInt32UpperBound() ? upper() : JSVAL_INT_MAX; + setInt32(l, h); +} + +void +Range::wrapAroundToInt32() +{ + if (!hasInt32Bounds()) { + setInt32(JSVAL_INT_MIN, JSVAL_INT_MAX); + } else if (canHaveFractionalPart()) { + canHaveFractionalPart_ = false; + + // Clearing the fractional field may provide an opportunity to refine + // lower_ or upper_. + refineInt32BoundsByExponent(max_exponent_, &lower_, &upper_); + + assertInvariants(); + } +} + +void +Range::wrapAroundToShiftCount() +{ + wrapAroundToInt32(); + if (lower() < 0 || upper() >= 32) + setInt32(0, 31); +} + +void +Range::wrapAroundToBoolean() +{ + wrapAroundToInt32(); + if (!isBoolean()) + setInt32(0, 1); +} + +bool +MDefinition::truncate() +{ + // No procedure defined for truncating this instruction. + return false; +} + +bool +MConstant::truncate() +{ + if (!value_.isDouble()) + return false; + + // Truncate the double to int, since all uses truncates it. + int32_t res = ToInt32(value_.toDouble()); + value_.setInt32(res); + setResultType(MIRType_Int32); + if (range()) + range()->setInt32(res, res); + return true; +} + +bool +MAdd::truncate() +{ + // Remember analysis, needed for fallible checks. + setTruncated(true); + + if (type() == MIRType_Double || type() == MIRType_Int32) { + specialization_ = MIRType_Int32; + setResultType(MIRType_Int32); + if (range()) + range()->wrapAroundToInt32(); + return true; + } + + return false; +} + +bool +MSub::truncate() +{ + // Remember analysis, needed for fallible checks. + setTruncated(true); + + if (type() == MIRType_Double || type() == MIRType_Int32) { + specialization_ = MIRType_Int32; + setResultType(MIRType_Int32); + if (range()) + range()->wrapAroundToInt32(); + return true; + } + + return false; +} + +bool +MMul::truncate() +{ + // Remember analysis, needed to remove negative zero checks. + setTruncated(true); + + if (type() == MIRType_Double || type() == MIRType_Int32) { + specialization_ = MIRType_Int32; + setResultType(MIRType_Int32); + setCanBeNegativeZero(false); + if (range()) + range()->wrapAroundToInt32(); + return true; + } + + return false; +} + +bool +MDiv::truncate() +{ + // Remember analysis, needed to remove negative zero checks. + setTruncatedIndirectly(true); + + // Check if this division only flows in bitwise instructions. 
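+    //
+    // A hypothetical example of such a division is:
+    //
+    //   var q = (a / b) | 0;
+    //
+    // where the only use of the division result is a bitwise or, which already
+    // truncates its operands, so the division itself can be marked as
+    // truncated.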
+ if (!isTruncated()) { + bool allUsesExplictlyTruncate = true; + for (MUseDefIterator use(this); allUsesExplictlyTruncate && use; use++) { + switch (use.def()->op()) { + case MDefinition::Op_BitAnd: + case MDefinition::Op_BitOr: + case MDefinition::Op_BitXor: + case MDefinition::Op_Lsh: + case MDefinition::Op_Rsh: + case MDefinition::Op_Ursh: + break; + default: + allUsesExplictlyTruncate = false; + } + } + + if (allUsesExplictlyTruncate) + setTruncated(true); + } + + // Divisions where the lhs and rhs are unsigned and the result is + // truncated can be lowered more efficiently. + if (specialization() == MIRType_Int32 && tryUseUnsignedOperands()) { + unsigned_ = true; + return true; + } + + // No modifications. + return false; +} + +bool +MMod::truncate() +{ + // Remember analysis, needed to remove negative zero checks. + setTruncated(true); + + // As for division, handle unsigned modulus with a truncated result. + if (specialization() == MIRType_Int32 && tryUseUnsignedOperands()) { + unsigned_ = true; + return true; + } + + // No modifications. + return false; +} + +bool +MToDouble::truncate() +{ + JS_ASSERT(type() == MIRType_Double); + + // We use the return type to flag that this MToDouble should be replaced by + // a MTruncateToInt32 when modifying the graph. + setResultType(MIRType_Int32); + if (range()) + range()->wrapAroundToInt32(); + + return true; +} + +bool +MLoadTypedArrayElementStatic::truncate() +{ + setInfallible(); + return false; +} + +bool +MDefinition::isOperandTruncated(size_t index) const +{ + return false; +} + +bool +MTruncateToInt32::isOperandTruncated(size_t index) const +{ + return true; +} + +bool +MBinaryBitwiseInstruction::isOperandTruncated(size_t index) const +{ + return true; +} + +bool +MAdd::isOperandTruncated(size_t index) const +{ + return isTruncated(); +} + +bool +MSub::isOperandTruncated(size_t index) const +{ + return isTruncated(); +} + +bool +MMul::isOperandTruncated(size_t index) const +{ + return isTruncated(); +} + +bool +MToDouble::isOperandTruncated(size_t index) const +{ + // The return type is used to flag that we are replacing this Double by a + // Truncate of its operand if needed. + return type() == MIRType_Int32; +} + +bool +MStoreTypedArrayElement::isOperandTruncated(size_t index) const +{ + return index == 2 && !isFloatArray(); +} + +bool +MStoreTypedArrayElementHole::isOperandTruncated(size_t index) const +{ + return index == 3 && !isFloatArray(); +} + +bool +MStoreTypedArrayElementStatic::isOperandTruncated(size_t index) const +{ + return index == 1 && !isFloatArray(); +} + +bool +MCompare::truncate() +{ + if (!isDoubleComparison()) + return false; + + // If both operands are naturally in the int32 range, we can convert from + // a double comparison to being an int32 comparison. + if (!Range(lhs()).isInt32() || !Range(rhs()).isInt32()) + return false; + + compareType_ = Compare_Int32; + + // Truncating the operands won't change their value, but it will change + // their type, which we need because we now expect integer inputs. + truncateOperands_ = true; + + return true; +} + +bool +MCompare::isOperandTruncated(size_t index) const +{ + // If we're doing an int32 comparison on operands which were previously + // floating-point, convert them! + JS_ASSERT_IF(truncateOperands_, isInt32Comparison()); + return truncateOperands_; +} + +// Ensure that all observables uses can work with a truncated +// version of the |candidate|'s result. 
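+//
+// For instance, in the (hypothetical) snippet
+//
+//   var x = a + b;
+//   f(x | 0);
+//
+// the only definition using the add is a bitwise or, which truncates its
+// operands, so the add is a candidate. Uses from resume points are tolerated
+// only if the result is already a valid int32 or no original use has been
+// removed, since a bailout could otherwise observe the truncated value.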
+static bool +AllUsesTruncate(MInstruction *candidate) +{ + // If the value naturally produces an int32 value (before bailout checks) + // that needs no conversion, we don't have to worry about resume points + // seeing truncated values. + bool needsConversion = !candidate->range() || !candidate->range()->isInt32(); + + for (MUseIterator use(candidate->usesBegin()); use != candidate->usesEnd(); use++) { + if (!use->consumer()->isDefinition()) { + // We can only skip testing resume points, if all original uses are + // still present, or if the value does not need conversion. + // Otherwise a branch removed by UCE might rely on the non-truncated + // value, and any bailout with a truncated value might lead an + // incorrect value. + if (candidate->isUseRemoved() && needsConversion) + return false; + continue; + } + + if (!use->consumer()->toDefinition()->isOperandTruncated(use->index())) + return false; + } + + return true; +} + +static bool +CanTruncate(MInstruction *candidate) +{ + // Compare operations might coerce its inputs to int32 if the ranges are + // correct. So we do not need to check if all uses are coerced. + if (candidate->isCompare()) + return true; + + // Set truncated flag if range analysis ensure that it has no + // rounding errors and no fractional part. Note that we can't use + // the MDefinition Range constructor, because we need to know if + // the value will have rounding errors before any bailout checks. + const Range *r = candidate->range(); + bool canHaveRoundingErrors = !r || r->canHaveRoundingErrors(); + + // Special case integer division: the result of a/b can be infinite + // but cannot actually have rounding errors induced by truncation. + if (candidate->isDiv() && candidate->toDiv()->specialization() == MIRType_Int32) + canHaveRoundingErrors = false; + + if (canHaveRoundingErrors) + return false; + + // Ensure all observable uses are truncated. + return AllUsesTruncate(candidate); +} + +static void +RemoveTruncatesOnOutput(MInstruction *truncated) +{ + // Compare returns a boolean so it doen't have any output truncates. + if (truncated->isCompare()) + return; + + JS_ASSERT(truncated->type() == MIRType_Int32); + JS_ASSERT(Range(truncated).isInt32()); + + for (MUseDefIterator use(truncated); use; use++) { + MDefinition *def = use.def(); + if (!def->isTruncateToInt32() || !def->isToInt32()) + continue; + + def->replaceAllUsesWith(truncated); + } +} + +static void +AdjustTruncatedInputs(TempAllocator &alloc, MInstruction *truncated) +{ + MBasicBlock *block = truncated->block(); + for (size_t i = 0, e = truncated->numOperands(); i < e; i++) { + if (!truncated->isOperandTruncated(i)) + continue; + + MDefinition *input = truncated->getOperand(i); + if (input->type() == MIRType_Int32) + continue; + + if (input->isToDouble() && input->getOperand(0)->type() == MIRType_Int32) { + JS_ASSERT(input->range()->isInt32()); + truncated->replaceOperand(i, input->getOperand(0)); + } else { + MTruncateToInt32 *op = MTruncateToInt32::New(alloc, truncated->getOperand(i)); + block->insertBefore(truncated, op); + truncated->replaceOperand(i, op); + } + } + + if (truncated->isToDouble()) { + truncated->replaceAllUsesWith(truncated->getOperand(0)); + block->discard(truncated); + } +} + +// Iterate backward on all instruction and attempt to truncate operations for +// each instruction which respect the following list of predicates: Has been +// analyzed by range analysis, the range has no rounding errors, all uses cases +// are truncating the result. 
+//
+// If the truncation of the operation is successful, then the instruction is
+// queued; the graph is updated later to restore type correctness by
+// converting the operands that need to be truncated.
+//
+// We iterate backward because it is likely that a truncated operation also
+// truncates some of its operands.
+bool
+RangeAnalysis::truncate()
+{
+    IonSpew(IonSpew_Range, "Do range-based truncation (backward loop)");
+
+    Vector<MInstruction *, 16, SystemAllocPolicy> worklist;
+    Vector<MBinaryBitwiseInstruction *, 16, SystemAllocPolicy> bitops;
+
+    for (PostorderIterator block(graph_.poBegin()); block != graph_.poEnd(); block++) {
+        for (MInstructionReverseIterator iter(block->rbegin()); iter != block->rend(); iter++) {
+            if (iter->type() == MIRType_None)
+                continue;
+
+            // Remember all bitop instructions for folding after range analysis.
+            switch (iter->op()) {
+              case MDefinition::Op_BitAnd:
+              case MDefinition::Op_BitOr:
+              case MDefinition::Op_BitXor:
+              case MDefinition::Op_Lsh:
+              case MDefinition::Op_Rsh:
+              case MDefinition::Op_Ursh:
+                if (!bitops.append(static_cast<MBinaryBitwiseInstruction *>(*iter)))
+                    return false;
+              default:;
+            }
+
+            if (!CanTruncate(*iter))
+                continue;
+
+            // Truncate this instruction if possible.
+            if (!iter->truncate())
+                continue;
+
+            // Delay updates of inputs/outputs to avoid creating nodes which
+            // would be removed by the truncation of subsequent operations.
+            iter->setInWorklist();
+            if (!worklist.append(*iter))
+                return false;
+        }
+    }
+
+    // Update inputs/outputs of truncated instructions.
+    IonSpew(IonSpew_Range, "Do graph type fixup (dequeue)");
+    while (!worklist.empty()) {
+        MInstruction *ins = worklist.popCopy();
+        ins->setNotInWorklist();
+        RemoveTruncatesOnOutput(ins);
+        AdjustTruncatedInputs(alloc(), ins);
+    }
+
+    // Fold any unnecessary bitops in the graph, such as (x | 0) on an integer
+    // input. This is done after range analysis rather than during GVN as the
+    // presence of the bitop can change which instructions are truncated.
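+    //
+    // For example (hypothetical), in
+    //
+    //   var y = (x | 0) + 1;
+    //
+    // if range analysis proves that x is already an int32 value, the bitor is
+    // unnecessary: foldUnnecessaryBitop() can return x itself, and every use
+    // of the bitor is then redirected to x below.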
+ for (size_t i = 0; i < bitops.length(); i++) { + MBinaryBitwiseInstruction *ins = bitops[i]; + MDefinition *folded = ins->foldUnnecessaryBitop(); + if (folded != ins) + ins->replaceAllUsesWith(folded); + } + + return true; +} + +/////////////////////////////////////////////////////////////////////////////// +// Collect Range information of operands +/////////////////////////////////////////////////////////////////////////////// + +void +MInArray::collectRangeInfoPreTrunc() +{ + Range indexRange(index()); + if (indexRange.isFiniteNonNegative()) + needsNegativeIntCheck_ = false; +} + +void +MLoadElementHole::collectRangeInfoPreTrunc() +{ + Range indexRange(index()); + if (indexRange.isFiniteNonNegative()) + needsNegativeIntCheck_ = false; +} + +void +MDiv::collectRangeInfoPreTrunc() +{ + Range lhsRange(lhs()); + if (lhsRange.isFiniteNonNegative()) + canBeNegativeDividend_ = false; +} + +void +MMod::collectRangeInfoPreTrunc() +{ + Range lhsRange(lhs()); + if (lhsRange.isFiniteNonNegative()) + canBeNegativeDividend_ = false; +} + +void +MBoundsCheckLower::collectRangeInfoPreTrunc() +{ + Range indexRange(index()); + if (indexRange.hasInt32LowerBound() && indexRange.lower() >= minimum_) + fallible_ = false; +} + +void +MCompare::collectRangeInfoPreTrunc() +{ + if (!Range(lhs()).canBeNaN() && !Range(rhs()).canBeNaN()) + operandsAreNeverNaN_ = true; +} + +void +MNot::collectRangeInfoPreTrunc() +{ + if (!Range(operand()).canBeNaN()) + operandIsNeverNaN_ = true; +} + +void +MPowHalf::collectRangeInfoPreTrunc() +{ + Range inputRange(input()); + if (!inputRange.canBeInfiniteOrNaN() || inputRange.hasInt32LowerBound()) + operandIsNeverNegativeInfinity_ = true; + if (!inputRange.canBeZero()) + operandIsNeverNegativeZero_ = true; + if (!inputRange.canBeNaN()) + operandIsNeverNaN_ = true; +} + +void +MUrsh::collectRangeInfoPreTrunc() +{ + Range lhsRange(lhs()), rhsRange(rhs()); + + // As in MUrsh::computeRange(), convert the inputs. + lhsRange.wrapAroundToInt32(); + rhsRange.wrapAroundToShiftCount(); + + // If the most significant bit of our result is always going to be zero, + // we can optimize by disabling bailout checks for enforcing an int32 range. + if (lhsRange.lower() >= 0 || rhsRange.lower() >= 1) + bailoutsDisabled_ = true; +} + +bool +RangeAnalysis::prepareForUCE(bool *shouldRemoveDeadCode) +{ + *shouldRemoveDeadCode = false; + + for (ReversePostorderIterator iter(graph_.rpoBegin()); iter != graph_.rpoEnd(); iter++) { + MBasicBlock *block = *iter; + + if (!block->unreachable()) + continue; + + MControlInstruction *cond = block->getPredecessor(0)->lastIns(); + if (!cond->isTest()) + continue; + + // Replace the condition of the test control instruction by a constant + // chosen based which of the successors has the unreachable flag which is + // added by MBeta::computeRange on its own block. + MTest *test = cond->toTest(); + MConstant *constant = nullptr; + if (block == test->ifTrue()) { + constant = MConstant::New(alloc(), BooleanValue(false)); + } else { + JS_ASSERT(block == test->ifFalse()); + constant = MConstant::New(alloc(), BooleanValue(true)); + } + test->block()->insertBefore(test, constant); + test->replaceOperand(0, constant); + IonSpew(IonSpew_Range, "Update condition of %d to reflect unreachable branches.", + test->id()); + + *shouldRemoveDeadCode = true; + } + + return true; +}
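+
+// As a hypothetical illustration of prepareForUCE() above: given
+//
+//   if (x < 0) { ... }
+//
+// where range analysis has established that x >= 0, MBeta::computeRange()
+// marks the then-block unreachable. The test's condition is then replaced by
+// a 'false' constant, and the caller is told (via shouldRemoveDeadCode) to run
+// dead code elimination, which removes the unreachable branch.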