b623ac52733aabd7d5820de6fad88e9074a77984
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGPredictionPropagationPhase.cpp
1 /*
2  * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGPredictionPropagationPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "DFGGraph.h"
32 #include "DFGPhase.h"
33 #include "JSCInlines.h"
34
35 namespace JSC { namespace DFG {
36
37 namespace {
38
39 bool verboseFixPointLoops = false;
40
41 class PredictionPropagationPhase : public Phase {
42 public:
43     PredictionPropagationPhase(Graph& graph)
44         : Phase(graph, "prediction propagation")
45     {
46     }
47     
48     bool run()
49     {
50         ASSERT(m_graph.m_form == ThreadedCPS);
51         ASSERT(m_graph.m_unificationState == GloballyUnified);
52
53         propagateThroughArgumentPositions();
54
55         processInvariants();
56
57         m_pass = PrimaryPass;
58         propagateToFixpoint();
59         
60         m_pass = RareCasePass;
61         propagateToFixpoint();
62         
63         m_pass = DoubleVotingPass;
64         unsigned counter = 0;
65         do {
66             if (verboseFixPointLoops)
67                 ++counter;
68
69             m_changed = false;
70             doRoundOfDoubleVoting();
71             if (!m_changed)
72                 break;
73             m_changed = false;
74             propagateForward();
75         } while (m_changed);
76
77         if (verboseFixPointLoops)
78             dataLog("Iterated ", counter, " times in double voting fixpoint.\n");
79         
80         return true;
81     }
82     
83 private:
84     void propagateToFixpoint()
85     {
86         unsigned counter = 0;
87         do {
88             if (verboseFixPointLoops)
89                 ++counter;
90
91             m_changed = false;
92
93             // Forward propagation is near-optimal for both topologically-sorted and
94             // DFS-sorted code.
95             propagateForward();
96             if (!m_changed)
97                 break;
98             
99             // Backward propagation reduces the likelihood that pathological code will
100             // cause slowness. Loops (especially nested ones) resemble backward flow.
101             // This pass captures two cases: (1) it detects if the forward fixpoint
102             // found a sound solution and (2) short-circuits backward flow.
103             m_changed = false;
104             propagateBackward();
105         } while (m_changed);
106
107         if (verboseFixPointLoops)
108             dataLog("Iterated ", counter, " times in propagateToFixpoint.\n");
109     }
110     
111     bool setPrediction(SpeculatedType prediction)
112     {
113         ASSERT(m_currentNode->hasResult());
114         
115         // setPrediction() is used when we know that there is no way that we can change
116         // our minds about what the prediction is going to be. There is no semantic
117         // difference between setPrediction() and mergeSpeculation() other than the
118         // increased checking to validate this property.
119         ASSERT(m_currentNode->prediction() == SpecNone || m_currentNode->prediction() == prediction);
120         
121         return m_currentNode->predict(prediction);
122     }
123     
124     bool mergePrediction(SpeculatedType prediction)
125     {
126         ASSERT(m_currentNode->hasResult());
127         
128         return m_currentNode->predict(prediction);
129     }
130     
131     SpeculatedType speculatedDoubleTypeForPrediction(SpeculatedType value)
132     {
133         SpeculatedType result = SpecDoubleReal;
134         if (value & SpecDoubleImpureNaN)
135             result |= SpecDoubleImpureNaN;
136         if (value & SpecDoublePureNaN)
137             result |= SpecDoublePureNaN;
138         if (!isFullNumberOrBooleanSpeculation(value))
139             result |= SpecDoublePureNaN;
140         return result;
141     }
142
143     SpeculatedType speculatedDoubleTypeForPredictions(SpeculatedType left, SpeculatedType right)
144     {
145         return speculatedDoubleTypeForPrediction(mergeSpeculations(left, right));
146     }
147
148     void propagate(Node* node)
149     {
150         NodeType op = node->op();
151
152         bool changed = false;
153         
154         switch (op) {
155         case GetLocal: {
156             VariableAccessData* variable = node->variableAccessData();
157             SpeculatedType prediction = variable->prediction();
158             if (!variable->couldRepresentInt52() && (prediction & SpecInt52Only))
159                 prediction = (prediction | SpecAnyIntAsDouble) & ~SpecInt52Only;
160             if (prediction)
161                 changed |= mergePrediction(prediction);
162             break;
163         }
164             
165         case SetLocal: {
166             VariableAccessData* variableAccessData = node->variableAccessData();
167             changed |= variableAccessData->predict(node->child1()->prediction());
168             break;
169         }
170
171         case UInt32ToNumber: {
172             if (node->canSpeculateInt32(m_pass))
173                 changed |= mergePrediction(SpecInt32Only);
174             else if (enableInt52())
175                 changed |= mergePrediction(SpecAnyInt);
176             else
177                 changed |= mergePrediction(SpecBytecodeNumber);
178             break;
179         }
180
181         case ValueAdd: {
182             SpeculatedType left = node->child1()->prediction();
183             SpeculatedType right = node->child2()->prediction();
184             
185             if (left && right) {
186                 if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
187                     && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
188                     if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
189                         changed |= mergePrediction(SpecInt32Only);
190                     else if (m_graph.addShouldSpeculateAnyInt(node))
191                         changed |= mergePrediction(SpecInt52Only);
192                     else
193                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
194                 } else if (isStringOrStringObjectSpeculation(left) || isStringOrStringObjectSpeculation(right)) {
195                     // left or right is definitely something other than a number.
196                     changed |= mergePrediction(SpecString);
197                 } else {
198                     changed |= mergePrediction(SpecInt32Only);
199                     if (node->mayHaveDoubleResult())
200                         changed |= mergePrediction(SpecBytecodeDouble);
201                     if (node->mayHaveNonNumberResult())
202                         changed |= mergePrediction(SpecString);
203                 }
204             }
205             break;
206         }
207
208         case ArithAdd: {
209             SpeculatedType left = node->child1()->prediction();
210             SpeculatedType right = node->child2()->prediction();
211             
212             if (left && right) {
213                 if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
214                     changed |= mergePrediction(SpecInt32Only);
215                 else if (m_graph.addShouldSpeculateAnyInt(node))
216                     changed |= mergePrediction(SpecInt52Only);
217                 else if (isFullNumberOrBooleanSpeculation(left) && isFullNumberOrBooleanSpeculation(right))
218                     changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
219                 else if (node->mayHaveNonIntResult() || (left & SpecBytecodeDouble) || (right & SpecBytecodeDouble))
220                     changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
221                 else
222                     changed |= mergePrediction(SpecInt32Only);
223             }
224             break;
225         }
226             
227         case ArithSub: {
228             SpeculatedType left = node->child1()->prediction();
229             SpeculatedType right = node->child2()->prediction();
230
231             if (left && right) {
232                 if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
233                     && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
234                     if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
235                         changed |= mergePrediction(SpecInt32Only);
236                     else if (m_graph.addShouldSpeculateAnyInt(node))
237                         changed |= mergePrediction(SpecInt52Only);
238                     else
239                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
240                 } else if (node->mayHaveNonIntResult() || (left & SpecBytecodeDouble) || (right & SpecBytecodeDouble))
241                     changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
242                 else
243                     changed |= mergePrediction(SpecInt32Only);
244             }
245             break;
246         }
247
248         case ArithNegate: {
249             SpeculatedType prediction = node->child1()->prediction();
250             if (prediction) {
251                 if (isInt32OrBooleanSpeculation(prediction) && node->canSpeculateInt32(m_pass))
252                     changed |= mergePrediction(SpecInt32Only);
253                 else if (m_graph.unaryArithShouldSpeculateAnyInt(node, m_pass))
254                     changed |= mergePrediction(SpecInt52Only);
255                 else if (isBytecodeNumberSpeculation(prediction))
256                     changed |= mergePrediction(speculatedDoubleTypeForPrediction(node->child1()->prediction()));
257                 else {
258                     changed |= mergePrediction(SpecInt32Only);
259                     if (node->mayHaveDoubleResult())
260                         changed |= mergePrediction(SpecBytecodeDouble);
261                 }
262             }
263             break;
264         }
265         case ArithMin:
266         case ArithMax: {
267             SpeculatedType left = node->child1()->prediction();
268             SpeculatedType right = node->child2()->prediction();
269             
270             if (left && right) {
271                 if (Node::shouldSpeculateInt32OrBooleanForArithmetic(node->child1().node(), node->child2().node())
272                     && node->canSpeculateInt32(m_pass))
273                     changed |= mergePrediction(SpecInt32Only);
274                 else
275                     changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
276             }
277             break;
278         }
279
280         case ArithMul: {
281             SpeculatedType left = node->child1()->prediction();
282             SpeculatedType right = node->child2()->prediction();
283             
284             if (left && right) {
285                 // FIXME: We're currently relying on prediction propagation and backwards propagation
286                 // whenever we can, and only falling back on result flags if that fails. And the result
287                 // flags logic doesn't know how to use backwards propagation. We should get rid of the
288                 // prediction propagation logic and rely solely on the result type.
289                 if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
290                     && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
291                     if (m_graph.binaryArithShouldSpeculateInt32(node, m_pass))
292                         changed |= mergePrediction(SpecInt32Only);
293                     else if (m_graph.binaryArithShouldSpeculateAnyInt(node, m_pass))
294                         changed |= mergePrediction(SpecInt52Only);
295                     else
296                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
297                 } else {
298                     if (node->mayHaveNonIntResult()
299                         || (left & SpecBytecodeDouble)
300                         || (right & SpecBytecodeDouble))
301                         changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
302                     else
303                         changed |= mergePrediction(SpecInt32Only);
304                 }
305             }
306             break;
307         }
308
309         case ArithDiv:
310         case ArithMod: {
311             SpeculatedType left = node->child1()->prediction();
312             SpeculatedType right = node->child2()->prediction();
313             
314             if (left && right) {
315                 if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
316                     && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
317                     if (m_graph.binaryArithShouldSpeculateInt32(node, m_pass))
318                         changed |= mergePrediction(SpecInt32Only);
319                     else
320                         changed |= mergePrediction(SpecBytecodeDouble);
321                 } else
322                     changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
323             }
324             break;
325         }
326
327         case ArithAbs: {
328             SpeculatedType childPrediction = node->child1()->prediction();
329             if (isInt32OrBooleanSpeculation(childPrediction)
330                 && node->canSpeculateInt32(m_pass))
331                 changed |= mergePrediction(SpecInt32Only);
332             else
333                 changed |= mergePrediction(SpecBytecodeDouble);
334             break;
335         }
336
337         case GetByVal:
338         case AtomicsAdd:
339         case AtomicsAnd:
340         case AtomicsCompareExchange:
341         case AtomicsExchange:
342         case AtomicsLoad:
343         case AtomicsOr:
344         case AtomicsStore:
345         case AtomicsSub:
346         case AtomicsXor: {
347             Edge child1 = m_graph.child(node, 0);
348             if (!child1->prediction())
349                 break;
350             
351             Edge child2 = m_graph.child(node, 1);
352             ArrayMode arrayMode = node->arrayMode().refine(
353                 m_graph, node,
354                 child1->prediction(),
355                 child2->prediction(),
356                 SpecNone);
357             
358             switch (arrayMode.type()) {
359             case Array::Int32:
360                 if (arrayMode.isOutOfBounds())
361                     changed |= mergePrediction(node->getHeapPrediction() | SpecInt32Only);
362                 else
363                     changed |= mergePrediction(SpecInt32Only);
364                 break;
365             case Array::Double:
366                 if (arrayMode.isOutOfBounds())
367                     changed |= mergePrediction(node->getHeapPrediction() | SpecDoubleReal);
368                 else if (node->getHeapPrediction() & SpecNonIntAsDouble)
369                     changed |= mergePrediction(SpecDoubleReal);
370                 else
371                     changed |= mergePrediction(SpecAnyIntAsDouble);
372                 break;
373             case Array::Float32Array:
374             case Array::Float64Array:
375                 changed |= mergePrediction(SpecFullDouble);
376                 break;
377             case Array::Uint32Array:
378                 if (isInt32SpeculationForArithmetic(node->getHeapPrediction()) && node->op() == GetByVal)
379                     changed |= mergePrediction(SpecInt32Only);
380                 else if (enableInt52())
381                     changed |= mergePrediction(SpecAnyInt);
382                 else
383                     changed |= mergePrediction(SpecInt32Only | SpecAnyIntAsDouble);
384                 break;
385             case Array::Int8Array:
386             case Array::Uint8Array:
387             case Array::Int16Array:
388             case Array::Uint16Array:
389             case Array::Int32Array:
390                 changed |= mergePrediction(SpecInt32Only);
391                 break;
392             default:
393                 changed |= mergePrediction(node->getHeapPrediction());
394                 break;
395             }
396             break;
397         }
398             
399         case ToThis: {
400             // ToThis in methods for primitive types should speculate primitive types in strict mode.
401             ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
402             if (ecmaMode == StrictMode) {
403                 if (node->child1()->shouldSpeculateBoolean()) {
404                     changed |= mergePrediction(SpecBoolean);
405                     break;
406                 }
407
408                 if (node->child1()->shouldSpeculateInt32()) {
409                     changed |= mergePrediction(SpecInt32Only);
410                     break;
411                 }
412
413                 if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
414                     changed |= mergePrediction(SpecAnyInt);
415                     break;
416                 }
417
418                 if (node->child1()->shouldSpeculateNumber()) {
419                     changed |= mergePrediction(SpecBytecodeNumber);
420                     break;
421                 }
422
423                 if (node->child1()->shouldSpeculateSymbol()) {
424                     changed |= mergePrediction(SpecSymbol);
425                     break;
426                 }
427
428                 if (node->child1()->shouldSpeculateStringIdent()) {
429                     changed |= mergePrediction(SpecStringIdent);
430                     break;
431                 }
432
433                 if (node->child1()->shouldSpeculateString()) {
434                     changed |= mergePrediction(SpecString);
435                     break;
436                 }
437             } else {
438                 if (node->child1()->shouldSpeculateString()) {
439                     changed |= mergePrediction(SpecStringObject);
440                     break;
441                 }
442             }
443
444             SpeculatedType prediction = node->child1()->prediction();
445             if (prediction) {
446                 if (prediction & ~SpecObject) {
447                     // Wrapper objects are created only in sloppy mode.
448                     if (ecmaMode != StrictMode) {
449                         prediction &= SpecObject;
450                         prediction = mergeSpeculations(prediction, SpecObjectOther);
451                     }
452                 }
453                 changed |= mergePrediction(prediction);
454             }
455             break;
456         }
457             
458         case ToPrimitive: {
459             SpeculatedType child = node->child1()->prediction();
460             if (child)
461                 changed |= mergePrediction(resultOfToPrimitive(child));
462             break;
463         }
464
465         default:
466             break;
467         }
468
469         m_changed |= changed;
470     }
471         
472     void propagateForward()
473     {
474         for (Node* node : m_dependentNodes) {
475             m_currentNode = node;
476             propagate(m_currentNode);
477         }
478     }
479
480     void propagateBackward()
481     {
482         for (unsigned i = m_dependentNodes.size(); i--;) {
483             m_currentNode = m_dependentNodes[i];
484             propagate(m_currentNode);
485         }
486     }
487     
488     void doDoubleVoting(Node* node, float weight)
489     {
490         // Loop pre-headers created by OSR entrypoint creation may have NaN weight to indicate
491         // that we actually don't know they weight. Assume that they execute once. This turns
492         // out to be an OK assumption since the pre-header doesn't have any meaningful code.
493         if (weight != weight)
494             weight = 1;
495         
496         switch (node->op()) {
497         case ValueAdd:
498         case ArithAdd:
499         case ArithSub: {
500             SpeculatedType left = node->child1()->prediction();
501             SpeculatedType right = node->child2()->prediction();
502                 
503             DoubleBallot ballot;
504                 
505             if (isFullNumberSpeculation(left)
506                 && isFullNumberSpeculation(right)
507                 && !m_graph.addShouldSpeculateInt32(node, m_pass)
508                 && !m_graph.addShouldSpeculateAnyInt(node))
509                 ballot = VoteDouble;
510             else
511                 ballot = VoteValue;
512                 
513             m_graph.voteNode(node->child1(), ballot, weight);
514             m_graph.voteNode(node->child2(), ballot, weight);
515             break;
516         }
517
518         case ArithMul: {
519             SpeculatedType left = node->child1()->prediction();
520             SpeculatedType right = node->child2()->prediction();
521                 
522             DoubleBallot ballot;
523                 
524             if (isFullNumberSpeculation(left)
525                 && isFullNumberSpeculation(right)
526                 && !m_graph.binaryArithShouldSpeculateInt32(node, m_pass)
527                 && !m_graph.binaryArithShouldSpeculateAnyInt(node, m_pass))
528                 ballot = VoteDouble;
529             else
530                 ballot = VoteValue;
531                 
532             m_graph.voteNode(node->child1(), ballot, weight);
533             m_graph.voteNode(node->child2(), ballot, weight);
534             break;
535         }
536
537         case ArithMin:
538         case ArithMax:
539         case ArithMod:
540         case ArithDiv: {
541             SpeculatedType left = node->child1()->prediction();
542             SpeculatedType right = node->child2()->prediction();
543                 
544             DoubleBallot ballot;
545                 
546             if (isFullNumberSpeculation(left)
547                 && isFullNumberSpeculation(right)
548                 && !m_graph.binaryArithShouldSpeculateInt32(node, m_pass))
549                 ballot = VoteDouble;
550             else
551                 ballot = VoteValue;
552                 
553             m_graph.voteNode(node->child1(), ballot, weight);
554             m_graph.voteNode(node->child2(), ballot, weight);
555             break;
556         }
557
558         case ArithAbs:
559             DoubleBallot ballot;
560             if (node->child1()->shouldSpeculateNumber()
561                 && !m_graph.unaryArithShouldSpeculateInt32(node, m_pass))
562                 ballot = VoteDouble;
563             else
564                 ballot = VoteValue;
565                 
566             m_graph.voteNode(node->child1(), ballot, weight);
567             break;
568                 
569         case ArithSqrt:
570         case ArithCos:
571         case ArithSin:
572         case ArithTan:
573         case ArithLog:
574             if (node->child1()->shouldSpeculateNumber())
575                 m_graph.voteNode(node->child1(), VoteDouble, weight);
576             else
577                 m_graph.voteNode(node->child1(), VoteValue, weight);
578             break;
579                 
580         case SetLocal: {
581             SpeculatedType prediction = node->child1()->prediction();
582             if (isDoubleSpeculation(prediction))
583                 node->variableAccessData()->vote(VoteDouble, weight);
584             else if (!isFullNumberSpeculation(prediction)
585                 || isInt32Speculation(prediction) || isAnyIntSpeculation(prediction))
586                 node->variableAccessData()->vote(VoteValue, weight);
587             break;
588         }
589
590         case PutByValDirect:
591         case PutByVal:
592         case PutByValAlias: {
593             Edge child1 = m_graph.varArgChild(node, 0);
594             Edge child2 = m_graph.varArgChild(node, 1);
595             Edge child3 = m_graph.varArgChild(node, 2);
596             m_graph.voteNode(child1, VoteValue, weight);
597             m_graph.voteNode(child2, VoteValue, weight);
598             switch (node->arrayMode().type()) {
599             case Array::Double:
600                 m_graph.voteNode(child3, VoteDouble, weight);
601                 break;
602             default:
603                 m_graph.voteNode(child3, VoteValue, weight);
604                 break;
605             }
606             break;
607         }
608             
609         case MovHint:
610             // Ignore these since they have no effect on in-DFG execution.
611             break;
612             
613         default:
614             m_graph.voteChildren(node, VoteValue, weight);
615             break;
616         }
617     }
618     
619     void doRoundOfDoubleVoting()
620     {
621         for (unsigned i = 0; i < m_graph.m_variableAccessData.size(); ++i)
622             m_graph.m_variableAccessData[i].find()->clearVotes();
623         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
624             BasicBlock* block = m_graph.block(blockIndex);
625             if (!block)
626                 continue;
627             ASSERT(block->isReachable);
628             for (unsigned i = 0; i < block->size(); ++i) {
629                 m_currentNode = block->at(i);
630                 doDoubleVoting(m_currentNode, block->executionCount);
631             }
632         }
633         for (unsigned i = 0; i < m_graph.m_variableAccessData.size(); ++i) {
634             VariableAccessData* variableAccessData = &m_graph.m_variableAccessData[i];
635             if (!variableAccessData->isRoot())
636                 continue;
637             m_changed |= variableAccessData->tallyVotesForShouldUseDoubleFormat();
638         }
639         propagateThroughArgumentPositions();
640         for (unsigned i = 0; i < m_graph.m_variableAccessData.size(); ++i) {
641             VariableAccessData* variableAccessData = &m_graph.m_variableAccessData[i];
642             if (!variableAccessData->isRoot())
643                 continue;
644             m_changed |= variableAccessData->makePredictionForDoubleFormat();
645         }
646     }
647     
648     void propagateThroughArgumentPositions()
649     {
650         for (unsigned i = 0; i < m_graph.m_argumentPositions.size(); ++i)
651             m_changed |= m_graph.m_argumentPositions[i].mergeArgumentPredictionAwareness();
652     }
653
654     // Sets any predictions that do not depends on other nodes.
655     void processInvariants()
656     {
657         for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
658             for (Node* node : *block) {
659                 m_currentNode = node;
660                 processInvariantsForNode();
661             }
662         }
663     }
664
665     void processInvariantsForNode()
666     {
667         switch (m_currentNode->op()) {
668         case JSConstant: {
669             SpeculatedType type = speculationFromValue(m_currentNode->asJSValue());
670             if (type == SpecAnyIntAsDouble && enableInt52())
671                 type = SpecInt52Only;
672             setPrediction(type);
673             break;
674         }
675         case DoubleConstant: {
676             SpeculatedType type = speculationFromValue(m_currentNode->asJSValue());
677             setPrediction(type);
678             break;
679         }
680         case BitAnd:
681         case BitOr:
682         case BitXor:
683         case BitRShift:
684         case BitLShift:
685         case BitURShift:
686         case ArithIMul:
687         case ArithClz32: {
688             setPrediction(SpecInt32Only);
689             break;
690         }
691
692         case ArrayPop:
693         case ArrayPush:
694         case RegExpExec:
695         case RegExpTest:
696         case StringReplace:
697         case StringReplaceRegExp:
698         case GetById:
699         case GetByIdFlush:
700         case GetByIdWithThis:
701         case TryGetById:
702         case GetByValWithThis:
703         case GetByOffset:
704         case MultiGetByOffset:
705         case GetDirectPname:
706         case Call:
707         case DirectCall:
708         case TailCallInlinedCaller:
709         case DirectTailCallInlinedCaller:
710         case Construct:
711         case DirectConstruct:
712         case CallVarargs:
713         case CallEval:
714         case TailCallVarargsInlinedCaller:
715         case ConstructVarargs:
716         case CallForwardVarargs:
717         case ConstructForwardVarargs:
718         case TailCallForwardVarargsInlinedCaller:
719         case GetGlobalVar:
720         case GetGlobalLexicalVariable:
721         case GetClosureVar:
722         case GetFromArguments:
723         case LoadFromJSMapBucket:
724         case ToNumber:
725         case GetArgument:
726         case CallDOMGetter: {
727             setPrediction(m_currentNode->getHeapPrediction());
728             break;
729         }
730
731         case ResolveScopeForHoistingFuncDeclInEval:
732         case GetDynamicVar: {
733             setPrediction(SpecBytecodeTop);
734             break;
735         }
736             
737         case GetGetterSetterByOffset:
738         case GetExecutable: {
739             setPrediction(SpecCellOther);
740             break;
741         }
742
743         case GetGetter:
744         case GetSetter:
745         case GetCallee:
746         case NewFunction:
747         case NewGeneratorFunction:
748         case NewAsyncFunction: {
749             setPrediction(SpecFunction);
750             break;
751         }
752             
753         case GetArgumentCountIncludingThis: {
754             setPrediction(SpecInt32Only);
755             break;
756         }
757
758         case MapHash:
759             setPrediction(SpecInt32Only);
760             break;
761         case GetMapBucket:
762             setPrediction(SpecCellOther);
763             break;
764         case IsNonEmptyMapBucket:
765             setPrediction(SpecBoolean);
766             break;
767
768         case GetRestLength: {
769             setPrediction(SpecInt32Only);
770             break;
771         }
772
773         case GetTypedArrayByteOffset:
774         case GetArrayLength: {
775             setPrediction(SpecInt32Only);
776             break;
777         }
778
779         case StringCharCodeAt: {
780             setPrediction(SpecInt32Only);
781             break;
782         }
783
784         case ToLowerCase:
785             setPrediction(SpecString);
786             break;
787
788         case ArithPow:
789         case ArithSqrt:
790         case ArithFRound:
791         case ArithSin:
792         case ArithCos:
793         case ArithTan:
794         case ArithLog: {
795             setPrediction(SpecBytecodeDouble);
796             break;
797         }
798
799         case ArithRound:
800         case ArithFloor:
801         case ArithCeil:
802         case ArithTrunc: {
803             if (isInt32OrBooleanSpeculation(m_currentNode->getHeapPrediction())
804                 && m_graph.roundShouldSpeculateInt32(m_currentNode, m_pass))
805                 setPrediction(SpecInt32Only);
806             else
807                 setPrediction(SpecBytecodeDouble);
808             break;
809         }
810
811         case ArithRandom: {
812             setPrediction(SpecDoubleReal);
813             break;
814         }
815         case DeleteByVal:
816         case DeleteById:
817         case LogicalNot:
818         case CompareLess:
819         case CompareLessEq:
820         case CompareGreater:
821         case CompareGreaterEq:
822         case CompareEq:
823         case CompareStrictEq:
824         case CompareEqPtr:
825         case OverridesHasInstance:
826         case InstanceOf:
827         case InstanceOfCustom:
828         case IsEmpty:
829         case IsUndefined:
830         case IsBoolean:
831         case IsNumber:
832         case IsObject:
833         case IsObjectOrNull:
834         case IsFunction:
835         case IsCellWithType:
836         case IsTypedArrayView: {
837             setPrediction(SpecBoolean);
838             break;
839         }
840
841         case TypeOf: {
842             setPrediction(SpecStringIdent);
843             break;
844         }
845         case GetButterfly:
846         case GetIndexedPropertyStorage:
847         case AllocatePropertyStorage:
848         case ReallocatePropertyStorage: {
849             setPrediction(SpecOther);
850             break;
851         }
852
853         case CheckDOM:
854             break;
855
856         case CallObjectConstructor: {
857             setPrediction(SpecObject);
858             break;
859         }
860         case SkipScope:
861         case GetGlobalObject: {
862             setPrediction(SpecObjectOther);
863             break;
864         }
865
866         case ResolveScope: {
867             setPrediction(SpecObjectOther);
868             break;
869         }
870             
871         case CreateThis:
872         case NewObject: {
873             setPrediction(SpecFinalObject);
874             break;
875         }
876             
877         case ArraySlice:
878         case NewArrayWithSpread:
879         case NewArray:
880         case NewArrayWithSize:
881         case CreateRest:
882         case NewArrayBuffer: {
883             setPrediction(SpecArray);
884             break;
885         }
886
887         case Spread:
888             setPrediction(SpecCellOther);
889             break;
890             
891         case NewTypedArray: {
892             setPrediction(speculationFromTypedArrayType(m_currentNode->typedArrayType()));
893             break;
894         }
895             
896         case NewRegexp: {
897             setPrediction(SpecRegExpObject);
898             break;
899         }
900             
901         case CreateActivation: {
902             setPrediction(SpecObjectOther);
903             break;
904         }
905         
906         case StringFromCharCode: {
907             setPrediction(SpecString);
908             m_currentNode->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt);
909             break;
910         }
911         case StringCharAt:
912         case CallStringConstructor:
913         case ToString:
914         case NumberToStringWithRadix:
915         case MakeRope:
916         case StrCat: {
917             setPrediction(SpecString);
918             break;
919         }
920         case NewStringObject: {
921             setPrediction(SpecStringObject);
922             break;
923         }
924             
925         case CreateDirectArguments: {
926             setPrediction(SpecDirectArguments);
927             break;
928         }
929             
930         case CreateScopedArguments: {
931             setPrediction(SpecScopedArguments);
932             break;
933         }
934             
935         case CreateClonedArguments: {
936             setPrediction(SpecObjectOther);
937             break;
938         }
939             
940         case FiatInt52: {
941             RELEASE_ASSERT(enableInt52());
942             setPrediction(SpecAnyInt);
943             break;
944         }
945
946         case GetScope:
947             setPrediction(SpecObjectOther);
948             break;
949
950         case In:
951             setPrediction(SpecBoolean);
952             break;
953
954         case HasOwnProperty:
955             setPrediction(SpecBoolean);
956             break;
957
958         case GetEnumerableLength: {
959             setPrediction(SpecInt32Only);
960             break;
961         }
962         case HasGenericProperty:
963         case HasStructureProperty:
964         case HasIndexedProperty: {
965             setPrediction(SpecBoolean);
966             break;
967         }
968         case GetPropertyEnumerator: {
969             setPrediction(SpecCell);
970             break;
971         }
972         case GetEnumeratorStructurePname: {
973             setPrediction(SpecCell | SpecOther);
974             break;
975         }
976         case GetEnumeratorGenericPname: {
977             setPrediction(SpecCell | SpecOther);
978             break;
979         }
980         case ToIndexString: {
981             setPrediction(SpecString);
982             break;
983         }
984         case ParseInt: {
985             // We expect this node to almost always produce an int32. However,
986             // it's possible it produces NaN or integers out of int32 range. We
987             // rely on the heap prediction since the parseInt() call profiled
988             // its result.
989             setPrediction(m_currentNode->getHeapPrediction());
990             break;
991         }
992
993         case GetLocal:
994         case SetLocal:
995         case UInt32ToNumber:
996         case ValueAdd:
997         case ArithAdd:
998         case ArithSub:
999         case ArithNegate:
1000         case ArithMin:
1001         case ArithMax:
1002         case ArithMul:
1003         case ArithDiv:
1004         case ArithMod:
1005         case ArithAbs:
1006         case GetByVal:
1007         case ToThis:
1008         case ToPrimitive: 
1009         case AtomicsAdd:
1010         case AtomicsAnd:
1011         case AtomicsCompareExchange:
1012         case AtomicsExchange:
1013         case AtomicsLoad:
1014         case AtomicsOr:
1015         case AtomicsStore:
1016         case AtomicsSub:
1017         case AtomicsXor: {
1018             m_dependentNodes.append(m_currentNode);
1019             break;
1020         }
1021             
1022         case AtomicsIsLockFree: {
1023             setPrediction(SpecBoolean);
1024             break;
1025         }
1026
1027         case PutByValAlias:
1028         case DoubleAsInt32:
1029         case GetLocalUnlinked:
1030         case CheckArray:
1031         case CheckTypeInfoFlags:
1032         case Arrayify:
1033         case ArrayifyToStructure:
1034         case CheckTierUpInLoop:
1035         case CheckTierUpAtReturn:
1036         case CheckTierUpAndOSREnter:
1037         case InvalidationPoint:
1038         case CheckInBounds:
1039         case ValueToInt32:
1040         case DoubleRep:
1041         case ValueRep:
1042         case Int52Rep:
1043         case Int52Constant:
1044         case Identity:
1045         case BooleanToNumber:
1046         case PhantomNewObject:
1047         case PhantomNewFunction:
1048         case PhantomNewGeneratorFunction:
1049         case PhantomNewAsyncFunction:
1050         case PhantomCreateActivation:
1051         case PhantomDirectArguments:
1052         case PhantomCreateRest:
1053         case PhantomSpread:
1054         case PhantomNewArrayWithSpread:
1055         case PhantomClonedArguments:
1056         case GetMyArgumentByVal:
1057         case GetMyArgumentByValOutOfBounds:
1058         case PutHint:
1059         case CheckStructureImmediate:
1060         case MaterializeNewObject:
1061         case MaterializeCreateActivation:
1062         case PutStack:
1063         case KillStack:
1064         case StoreBarrier:
1065         case FencedStoreBarrier:
1066         case GetStack:
1067         case GetRegExpObjectLastIndex:
1068         case SetRegExpObjectLastIndex:
1069         case RecordRegExpCachedResult:
1070         case LazyJSConstant:
1071         case CallDOM: {
1072             // This node should never be visible at this stage of compilation. It is
1073             // inserted by fixup(), which follows this phase.
1074             DFG_CRASH(m_graph, m_currentNode, "Unexpected node during prediction propagation");
1075             break;
1076         }
1077         
1078         case Phi:
1079             // Phis should not be visible here since we're iterating the all-but-Phi's
1080             // part of basic blocks.
1081             RELEASE_ASSERT_NOT_REACHED();
1082             break;
1083             
1084         case Upsilon:
1085             // These don't get inserted until we go into SSA.
1086             RELEASE_ASSERT_NOT_REACHED();
1087             break;
1088
1089 #ifndef NDEBUG
1090         // These get ignored because they don't return anything.
1091         case PutByValDirect:
1092         case PutByValWithThis:
1093         case PutByIdWithThis:
1094         case PutByVal:
1095         case PutClosureVar:
1096         case PutToArguments:
1097         case Return:
1098         case TailCall:
1099         case DirectTailCall:
1100         case TailCallVarargs:
1101         case TailCallForwardVarargs:
1102         case Throw:
1103         case PutById:
1104         case PutByIdFlush:
1105         case PutByIdDirect:
1106         case PutByOffset:
1107         case MultiPutByOffset:
1108         case PutGetterById:
1109         case PutSetterById:
1110         case PutGetterSetterById:
1111         case PutGetterByVal:
1112         case PutSetterByVal:
1113         case DefineDataProperty:
1114         case DefineAccessorProperty:
1115         case DFG::Jump:
1116         case Branch:
1117         case Switch:
1118         case ProfileType:
1119         case ProfileControlFlow:
1120         case ThrowStaticError:
1121         case ForceOSRExit:
1122         case SetArgument:
1123         case SetFunctionName:
1124         case CheckStructure:
1125         case CheckCell:
1126         case CheckNotEmpty:
1127         case CheckStringIdent:
1128         case CheckBadCell:
1129         case PutStructure:
1130         case Phantom:
1131         case Check:
1132         case PutGlobalVariable:
1133         case CheckTraps:
1134         case LogShadowChickenPrologue:
1135         case LogShadowChickenTail:
1136         case Unreachable:
1137         case LoopHint:
1138         case NotifyWrite:
1139         case ConstantStoragePointer:
1140         case MovHint:
1141         case ZombieHint:
1142         case ExitOK:
1143         case LoadVarargs:
1144         case ForwardVarargs:
1145         case PutDynamicVar:
1146         case NukeStructureAndSetButterfly:
1147             break;
1148             
1149         // This gets ignored because it only pretends to produce a value.
1150         case BottomValue:
1151             break;
1152             
1153         // This gets ignored because it already has a prediction.
1154         case ExtractOSREntryLocal:
1155             break;
1156             
1157         // These gets ignored because it doesn't do anything.
1158         case CountExecution:
1159         case PhantomLocal:
1160         case Flush:
1161             break;
1162             
1163         case LastNodeType:
1164             RELEASE_ASSERT_NOT_REACHED();
1165             break;
1166 #else
1167         default:
1168             break;
1169 #endif
1170         }
1171     }
1172
1173     SpeculatedType resultOfToPrimitive(SpeculatedType type)
1174     {
1175         if (type & SpecObject) {
1176             // We try to be optimistic here about StringObjects since it's unlikely that
1177             // someone overrides the valueOf or toString methods.
1178             if (type & SpecStringObject && m_graph.canOptimizeStringObjectAccess(m_currentNode->origin.semantic))
1179                 return mergeSpeculations(type & ~SpecObject, SpecString);
1180
1181             return mergeSpeculations(type & ~SpecObject, SpecPrimitive);
1182         }
1183
1184         return type;
1185     }
1186
1187     Vector<Node*> m_dependentNodes;
1188     Node* m_currentNode;
1189     bool m_changed;
1190     PredictionPass m_pass; // We use different logic for considering predictions depending on how far along we are in propagation.
1191 };
1192
1193 } // Anonymous namespace.
1194     
1195 bool performPredictionPropagation(Graph& graph)
1196 {
1197     return runPhase<PredictionPropagationPhase>(graph);
1198 }
1199
1200 } } // namespace JSC::DFG
1201
1202 #endif // ENABLE(DFG_JIT)
1203