Remove MaximalFlushInsertionPhase
authortzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 23 Aug 2019 23:08:06 +0000 (23:08 +0000)
committertzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 23 Aug 2019 23:08:06 +0000 (23:08 +0000)
https://bugs.webkit.org/show_bug.cgi?id=201036

Reviewed by Saam Barati.

JSTests:

Remove all the references to maximal flush

* stress/arith-ceil-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/arith-floor-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/arith-negate-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/arith-round-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/arith-trunc-on-various-types.js:
(checkCompileCountForUselessNegativeZero):
* stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
* stress/has-indexed-property-should-accept-non-int32.js:
* stress/has-indexed-property-with-worsening-array-mode.js:
* stress/known-int32-cant-be-used-across-bytecode-boundary.js:
* stress/read-dead-bytecode-locals-in-must-handle-values1.js:
* stress/read-dead-bytecode-locals-in-must-handle-values2.js:
* stress/rest-parameter-many-arguments.js:
* stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
* stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
* stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:

Source/JavaScriptCore:

Maximal flush has found too many false positives recently, so we decided it's finally time
to remove it instead of hacking it to fix the most recent false positive.

The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely
for the argument count that was being flushed in a much later block. Now, since that block was
the head of a loop, and there was a SetLocal in the same block to the same variable, this
generated a Phi of both values, which then led to the unification of their VariableAccessData
in the unification phase. This caused AI to assign the Int52 type to argument count, which
broke the AI’s assumption that it should always be an Int32.

* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleVarargsInlining):
* dfg/DFGMaximalFlushInsertionPhase.cpp: Removed.
* dfg/DFGMaximalFlushInsertionPhase.h: Removed.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249075 268f45cc-cd09-0410-ab3c-d52691b4dbfc

25 files changed:
JSTests/ChangeLog
JSTests/stress/arith-ceil-on-various-types.js
JSTests/stress/arith-floor-on-various-types.js
JSTests/stress/arith-negate-on-various-types.js
JSTests/stress/arith-round-on-various-types.js
JSTests/stress/arith-trunc-on-various-types.js
JSTests/stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js
JSTests/stress/has-indexed-property-should-accept-non-int32.js
JSTests/stress/has-indexed-property-with-worsening-array-mode.js
JSTests/stress/known-int32-cant-be-used-across-bytecode-boundary.js
JSTests/stress/read-dead-bytecode-locals-in-must-handle-values1.js
JSTests/stress/read-dead-bytecode-locals-in-must-handle-values2.js
JSTests/stress/rest-parameter-many-arguments.js
JSTests/stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js
JSTests/stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js
JSTests/stress/to-index-string-should-not-assume-incoming-value-is-uint32.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/Sources.txt
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGMaximalFlushInsertionPhase.cpp [deleted file]
Source/JavaScriptCore/dfg/DFGMaximalFlushInsertionPhase.h [deleted file]
Source/JavaScriptCore/dfg/DFGPlan.cpp
Source/JavaScriptCore/runtime/Options.cpp
Source/JavaScriptCore/runtime/Options.h

index 03c060c..b76ba95 100644 (file)
@@ -1,3 +1,33 @@
+2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
+
+        Remove MaximalFlushInsertionPhase
+        https://bugs.webkit.org/show_bug.cgi?id=201036
+
+        Reviewed by Saam Barati.
+
+        Remove all the references to maximal flush
+
+        * stress/arith-ceil-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/arith-floor-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/arith-negate-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/arith-round-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/arith-trunc-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
+        * stress/has-indexed-property-should-accept-non-int32.js:
+        * stress/has-indexed-property-with-worsening-array-mode.js:
+        * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
+        * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
+        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
+        * stress/rest-parameter-many-arguments.js:
+        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
+        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
+        * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
+
 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
 
         [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
index 29c2e4a..6e1ff17 100644 (file)
@@ -140,11 +140,6 @@ testSingleTypeCall();
 
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }
 
index ff740cc..0fd34f0 100644 (file)
@@ -140,11 +140,6 @@ testSingleTypeCall();
 
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }
 
index 7d3f192..6390587 100644 (file)
@@ -120,11 +120,6 @@ testSingleTypeCall();
 
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }
 
index eb89339..7e493a3 100644 (file)
@@ -140,11 +140,6 @@ testSingleTypeCall();
 
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }
 
index 8469846..075155c 100644 (file)
@@ -140,11 +140,6 @@ testSingleTypeCall();
 
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }
 
index 61ffa55..d21b37e 100644 (file)
@@ -1,4 +1,4 @@
-//@ runDefault("--collectContinuously=true", "--collectContinuouslyPeriodMS=0.15", "--useMaximalFlushInsertionPhase=true", "--useLLInt=false", "--useFTLJIT=false", "--jitPolicyScale=0")
+//@ runDefault("--collectContinuously=true", "--collectContinuouslyPeriodMS=0.15", "--useLLInt=false", "--useFTLJIT=false", "--jitPolicyScale=0")
 
 // This test exercises DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
 
index 5e5486b..181ca9c 100644 (file)
@@ -1,4 +1,4 @@
-//@ runDefault("--useRandomizingFuzzerAgent=1", "--jitPolicyScale=0", "--useMaximalFlushInsertionPhase=1", "--useConcurrentJIT=0")
+//@ runDefault("--useRandomizingFuzzerAgent=1", "--jitPolicyScale=0", "--useConcurrentJIT=0")
 function foo(obj) {
   for (var x in obj) {
     if (0 > 0) {
index f942410..cff3585 100644 (file)
@@ -1,4 +1,4 @@
-//@ requireOptions("--watchdog=1000", "--watchdog-exception-ok", "--useMaximalFlushInsertionPhase=1")
+//@ requireOptions("--watchdog=1000", "--watchdog-exception-ok")
 // This test only seems to reproduce the issue when it runs in an infinite loop. So we use the watchdog to time it out.
 for (let x in [0]) {
   break
index fc0c4ab..dd860ef 100644 (file)
@@ -1,4 +1,4 @@
-//@ runDefault("--useConcurrentJIT=0", "--useMaximalFlushInsertionPhase=1")
+//@ runDefault("--useConcurrentJIT=0")
 
 function foo() {
     var x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13;
index 9e2ae38..439bfac 100644 (file)
@@ -1,4 +1,4 @@
-//@ runDefault("--useMaximalFlushInsertionPhase=1", "--useConcurrentJIT=0")
+//@ runDefault("--useConcurrentJIT=0")
 function bar(x) {
   if (x) {
     return;
index feb3cfa..0ea1bd4 100644 (file)
@@ -1,4 +1,4 @@
-//@ runDefault("--useMaximalFlushInsertionPhase=1", "--useConcurrentJIT=0")
+//@ runDefault("--useConcurrentJIT=0")
 function bar(c) {
     if (c > 1) {
         bar(parseInt(c * 2))
index 16a1f28..76a0173 100644 (file)
@@ -1,5 +1,4 @@
 //@ skip if $architecture == "x86"
-//@ if $architecture == "x86" then defaultSpotCheckNoMaximalFlush else defaultRun end
 
 function assert(b) {
     if (!b)
index 9f8a9b8..42f03e3 100644 (file)
@@ -1,4 +1,4 @@
-//@ runDefault("--useMaximalFlushInsertionPhase=1", "--jitPolicyScale=0", "--useConcurrentJIT=0")
+//@ runDefault("--jitPolicyScale=0", "--useConcurrentJIT=0")
 
 function f0() {
 }
index 5c8b25a..2073e28 100644 (file)
@@ -1,4 +1,4 @@
-//@ runDefault("--useMaximalFlushInsertionPhase=1", "--useRandomizingFuzzerAgent=1")
+//@ runDefault("--useRandomizingFuzzerAgent=1")
 
 function foo() {
     for (var x in ['a', 'b']) {
index e76c4c3..1542547 100644 (file)
@@ -1,3 +1,32 @@
+2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
+
+        Remove MaximalFlushInsertionPhase
+        https://bugs.webkit.org/show_bug.cgi?id=201036
+
+        Reviewed by Saam Barati.
+
+        Maximal flush has found too many false positives recently, so we decided it's finally time
+        to remove it instead of hacking it to fix the most recent false positive.
+
+        The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely
+        for the argument count that was being flushed in a much later block. Now, since that block was
+        the head of a loop, and there was a SetLocal in the same block to the same variable, this
+        generated a Phi of both values, which then led to the unification of their VariableAccessData
+        in the unification phase. This caused AI to assign the Int52 type to argument count, which
+        broke the AI’s assumption that it should always be an Int32.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
+        * dfg/DFGMaximalFlushInsertionPhase.cpp: Removed.
+        * dfg/DFGMaximalFlushInsertionPhase.h: Removed.
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::compileInThreadImpl):
+        * runtime/Options.cpp:
+        (JSC::recomputeDependentOptions):
+        * runtime/Options.h:
+
 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
 
         Unreviewed WinCairo build fix following r249058.
index daea466..8cadc58 100644 (file)
                79DFCBDB1D88C59600527D03 /* HasOwnPropertyCache.h in Headers */ = {isa = PBXBuildFile; fileRef = 79DFCBDA1D88C59600527D03 /* HasOwnPropertyCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
                79EE0C001B4AFB85000385C9 /* VariableEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EE0BFE1B4AFB85000385C9 /* VariableEnvironment.h */; settings = {ATTRIBUTES = (Private, ); }; };
                79EFD4841EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
-               79F8FC1F1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 79F8FC1D1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h */; };
                79FC8A081E32E9F000D88F0E /* DFGRegisteredStructure.h in Headers */ = {isa = PBXBuildFile; fileRef = 79FC8A071E32E9F000D88F0E /* DFGRegisteredStructure.h */; settings = {ATTRIBUTES = (Private, ); }; };
                7A9774A8206B82E4008D03D0 /* JSWeakValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 7A9774A7206B82C9008D03D0 /* JSWeakValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
                7BC547D31B6959A100959B58 /* WasmFormat.h in Headers */ = {isa = PBXBuildFile; fileRef = 7BC547D21B69599B00959B58 /* WasmFormat.h */; settings = {ATTRIBUTES = (Private, ); }; };
                79EE0BFE1B4AFB85000385C9 /* VariableEnvironment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VariableEnvironment.h; sourceTree = "<group>"; };
                79EFD4811EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSWebAssemblyCodeBlockHeapCellType.cpp; path = js/JSWebAssemblyCodeBlockHeapCellType.cpp; sourceTree = "<group>"; };
                79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = JSWebAssemblyCodeBlockHeapCellType.h; path = js/JSWebAssemblyCodeBlockHeapCellType.h; sourceTree = "<group>"; };
-               79F8FC1C1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGMaximalFlushInsertionPhase.cpp; path = dfg/DFGMaximalFlushInsertionPhase.cpp; sourceTree = "<group>"; };
-               79F8FC1D1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGMaximalFlushInsertionPhase.h; path = dfg/DFGMaximalFlushInsertionPhase.h; sourceTree = "<group>"; };
                79FC8A071E32E9F000D88F0E /* DFGRegisteredStructure.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGRegisteredStructure.h; path = dfg/DFGRegisteredStructure.h; sourceTree = "<group>"; };
                7A9774A6206B828C008D03D0 /* JSWeakValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSWeakValue.cpp; sourceTree = "<group>"; };
                7A9774A7206B82C9008D03D0 /* JSWeakValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSWeakValue.h; sourceTree = "<group>"; };
                                A7D89CED17A0B8CC00773AD8 /* DFGLivenessAnalysisPhase.h */,
                                A767B5B317A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.cpp */,
                                A767B5B417A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.h */,
-                               79F8FC1C1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.cpp */,
-                               79F8FC1D1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h */,
                                0F5874EB194FEB1200AAB2C1 /* DFGMayExit.cpp */,
                                0F5874EC194FEB1200AAB2C1 /* DFGMayExit.h */,
                                0F1725FE1B48719A00AC3A55 /* DFGMinifiedGraph.cpp */,
                                79C4B15E1BA2158F00FD592E /* DFGLiveCatchVariablePreservationPhase.h in Headers */,
                                A7D89CFC17A0B8CC00773AD8 /* DFGLivenessAnalysisPhase.h in Headers */,
                                A767B5B617A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.h in Headers */,
-                               79F8FC1F1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h in Headers */,
                                0F5874EE194FEB1200AAB2C1 /* DFGMayExit.h in Headers */,
                                0F2BDC451522801B00CD8910 /* DFGMinifiedGraph.h in Headers */,
                                0F2E892D16D02BAF009E4FD2 /* DFGMinifiedID.h in Headers */,
index 0c36de0..262193b 100644 (file)
@@ -364,7 +364,6 @@ dfg/DFGLazyJSValue.cpp
 dfg/DFGLazyNode.cpp
 dfg/DFGLivenessAnalysisPhase.cpp
 dfg/DFGLoopPreHeaderCreationPhase.cpp
-dfg/DFGMaximalFlushInsertionPhase.cpp
 dfg/DFGMayExit.cpp
 dfg/DFGMinifiedGraph.cpp
 dfg/DFGMinifiedNode.cpp
index 1374919..32eef6a 100644 (file)
@@ -1862,8 +1862,6 @@ bool ByteCodeParser::handleVarargsInlining(Node* callTargetNode, VirtualRegister
     registerOffset -= CallFrame::headerSizeInRegisters;
     registerOffset = -WTF::roundUpToMultipleOf(stackAlignmentRegisters(), -registerOffset);
 
-    Vector<VirtualRegister> setArgumentMaybes;
-    
     auto insertChecks = [&] (CodeBlock* codeBlock) {
         emitFunctionChecks(callVariant, callTargetNode, thisArgument);
         
@@ -1928,8 +1926,6 @@ bool ByteCodeParser::handleVarargsInlining(Node* callTargetNode, VirtualRegister
             }
             
             Node* setArgument = addToGraph(numSetArguments >= mandatoryMinimum ? SetArgumentMaybe : SetArgumentDefinitely, OpInfo(variable));
-            if (numSetArguments >= mandatoryMinimum && Options::useMaximalFlushInsertionPhase())
-                setArgumentMaybes.append(variable->local());
             m_currentBlock->variablesAtTail.setOperand(variable->local(), setArgument);
             ++numSetArguments;
         }
@@ -1944,8 +1940,6 @@ bool ByteCodeParser::handleVarargsInlining(Node* callTargetNode, VirtualRegister
     // calling LoadVarargs twice.
     inlineCall(callTargetNode, result, callVariant, registerOffset, maxNumArguments, kind, nullptr, insertChecks);
 
-    for (VirtualRegister reg : setArgumentMaybes)
-        setDirect(reg, jsConstant(jsUndefined()), ImmediateNakedSet);
 
     VERBOSE_LOG("Successful inlining (varargs, monomorphic).\nStack: ", currentCodeOrigin(), "\n");
     return true;
diff --git a/Source/JavaScriptCore/dfg/DFGMaximalFlushInsertionPhase.cpp b/Source/JavaScriptCore/dfg/DFGMaximalFlushInsertionPhase.cpp
deleted file mode 100644 (file)
index d04e8ff..0000000
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include "config.h"
-#include "DFGMaximalFlushInsertionPhase.h"
-
-#if ENABLE(DFG_JIT)
-
-#include "DFGBasicBlockInlines.h"
-#include "DFGGraph.h"
-#include "DFGInsertionSet.h"
-#include "DFGPhase.h"
-#include "JSCInlines.h"
-
-namespace JSC { namespace DFG {
-
-class MaximalFlushInsertionPhase : public Phase {
-public:
-    MaximalFlushInsertionPhase(Graph& graph)
-        : Phase(graph, "maximal flush insertion phase")
-    {
-    }
-    
-    bool run()
-    {
-        DFG_ASSERT(m_graph, nullptr, m_graph.m_form == LoadStore);
-
-        InsertionSet insertionSet(m_graph);
-        for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
-            treatRegularBlock(block, insertionSet);
-            insertionSet.execute(block);
-        }
-
-        for (BasicBlock* entrypoint : m_graph.m_roots) {
-            treatRootBlock(entrypoint, insertionSet);
-            insertionSet.execute(entrypoint);
-        }
-
-        return true;
-    }
-
-    void treatRegularBlock(BasicBlock* block, InsertionSet& insertionSet)
-    {
-        Operands<VariableAccessData*> currentBlockAccessData(block->variablesAtTail.numberOfArguments(), block->variablesAtTail.numberOfLocals(), nullptr);
-        // Insert a Flush before every SetLocal to properly pattern the graph such that 
-        // any range between SetLocal and Flush has access to the local on the stack.
-        {
-            for (unsigned i = 0; i < block->size(); i++) {
-                Node* node = block->at(i);
-                bool isPrimordialSetArgument = false;
-                if (node->op() == SetArgumentDefinitely && node->local().isArgument()) {
-                    auto iter = m_graph.m_rootToArguments.find(block);
-                    if (iter != m_graph.m_rootToArguments.end())
-                        isPrimordialSetArgument = node == iter->value[node->local().toArgument()];
-                }
-
-                if (node->op() == SetLocal || (node->op() == SetArgumentDefinitely && !isPrimordialSetArgument) || node->op() == SetArgumentMaybe) {
-                    VirtualRegister operand = node->local();
-                    VariableAccessData* flushAccessData = currentBlockAccessData.operand(operand);
-                    if (!flushAccessData)
-                        flushAccessData = newVariableAccessData(operand);
-
-                    insertionSet.insertNode(i, SpecNone, 
-                        Flush, node->origin, OpInfo(flushAccessData));
-                }
-
-                if (node->accessesStack(m_graph))
-                    currentBlockAccessData.operand(node->local()) = node->variableAccessData();
-            }
-        }
-
-        // Flush everything at the end of the block.
-        {
-            NodeOrigin origin = block->at(block->size() - 1)->origin;
-            auto insertFlushAtEnd = [&] (VirtualRegister operand) {
-                VariableAccessData* accessData = currentBlockAccessData.operand(operand);
-                if (!accessData)
-                    accessData = newVariableAccessData(operand);
-
-                currentBlockAccessData.operand(operand) = accessData;
-
-                insertionSet.insertNode(block->size(), SpecNone, 
-                    Flush, origin, OpInfo(accessData));
-            };
-
-            for (unsigned i = 0; i < block->variablesAtTail.numberOfLocals(); i++)
-                insertFlushAtEnd(virtualRegisterForLocal(i));
-            for (unsigned i = 0; i < block->variablesAtTail.numberOfArguments(); i++)
-                insertFlushAtEnd(virtualRegisterForArgument(i));
-        }
-    }
-
-    void treatRootBlock(BasicBlock* block, InsertionSet& insertionSet)
-    {
-        Operands<VariableAccessData*> initialAccessData(block->variablesAtTail.numberOfArguments(), block->variablesAtTail.numberOfLocals(), nullptr);
-        Operands<Node*> initialAccessNodes(block->variablesAtTail.numberOfArguments(), block->variablesAtTail.numberOfLocals(), nullptr);
-        for (auto* node : *block) {
-            if (!node->accessesStack(m_graph))
-                continue;
-
-            VirtualRegister operand = node->local();
-            if (initialAccessData.operand(operand))
-                continue;
-
-            DFG_ASSERT(m_graph, node, node->op() != SetLocal); // We should have inserted a Flush before this!
-            initialAccessData.operand(operand) = node->variableAccessData();
-            initialAccessNodes.operand(operand) = node;
-        }
-
-        // We want every Flush to be able to reach backwards to
-        // a SetLocal. Doing this in the root block achieves this goal.
-        NodeOrigin origin = block->at(0)->origin;
-        Node* undefined = insertionSet.insertConstant(0, origin, jsUndefined());
-
-        for (unsigned i = 0; i < block->variablesAtTail.numberOfLocals(); i++) {
-            VirtualRegister operand = virtualRegisterForLocal(i);
-            DFG_ASSERT(m_graph, nullptr, initialAccessNodes.operand(operand)->op() == Flush); // We should have inserted a Flush before any SetLocal/SetArgumentDefinitely/SetArgumentMaybe for the local that we are analyzing now.
-            VariableAccessData* accessData = initialAccessData.operand(operand);
-            DFG_ASSERT(m_graph, nullptr, accessData);
-            insertionSet.insertNode(0, SpecNone, 
-                SetLocal, origin, OpInfo(accessData), Edge(undefined));
-            accessData->mergeShouldNeverUnbox(true); // We don't know if we can exit here.
-        }
-    }
-
-
-    VariableAccessData* newVariableAccessData(VirtualRegister operand)
-    {
-        ASSERT(!operand.isConstant());
-        
-        m_graph.m_variableAccessData.append(operand);
-        return &m_graph.m_variableAccessData.last();
-    }
-};
-
-bool performMaximalFlushInsertion(Graph& graph)
-{
-    return runPhase<MaximalFlushInsertionPhase>(graph);
-}
-
-} } // namespace JSC::DFG
-
-#endif // ENABLE(DFG_JIT)
diff --git a/Source/JavaScriptCore/dfg/DFGMaximalFlushInsertionPhase.h b/Source/JavaScriptCore/dfg/DFGMaximalFlushInsertionPhase.h
deleted file mode 100644 (file)
index af310e9..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#if ENABLE(DFG_JIT)
-
-namespace JSC { namespace DFG {
-
-class Graph;
-
-// This phase ensures we keep all locals/arguments flushed.
-// What this means is: any node inbetween a SetLocal and a Flush should
-// be able to observe that particular local on the stack. This phase patterns
-// the graph by inserting a Flush before each SetLocal such that the Flush 
-// we inserted can do a backwards search through all paths in the CFG and 
-// reach a SetLocal.
-// ....
-// SetLocal(locX)
-// <
-// |
-// ... We ensure that locX is available on the stack to any nodes in this region that may ask for locX.
-// |
-// >
-// Flush(locX)
-// SetLocal(locX)
-
-bool performMaximalFlushInsertion(Graph&);
-
-} } // namespace JSC::DFG
-
-#endif // ENABLE(DFG_JIT)
index b6949aa..5592b5a 100644 (file)
@@ -51,7 +51,6 @@
 #include "DFGLiveCatchVariablePreservationPhase.h"
 #include "DFGLivenessAnalysisPhase.h"
 #include "DFGLoopPreHeaderCreationPhase.h"
-#include "DFGMaximalFlushInsertionPhase.h"
 #include "DFGMovHintRemovalPhase.h"
 #include "DFGOSRAvailabilityAnalysisPhase.h"
 #include "DFGOSREntrypointCreationPhase.h"
@@ -285,9 +284,6 @@ Plan::CompilationPath Plan::compileInThreadImpl()
 
     RUN_PHASE(performLiveCatchVariablePreservationPhase);
 
-    if (Options::useMaximalFlushInsertionPhase())
-        RUN_PHASE(performMaximalFlushInsertion);
-    
     RUN_PHASE(performCPSRethreading);
     RUN_PHASE(performUnification);
     RUN_PHASE(performPredictionInjection);
index ea996be..b30a7c5 100644 (file)
@@ -471,11 +471,6 @@ static void recomputeDependentOptions()
         Options::maximumEvalCacheableSourceLength() = 150000;
         Options::useConcurrentJIT() = false;
     }
-    if (Options::useMaximalFlushInsertionPhase()) {
-        Options::useOSREntryToDFG() = false;
-        Options::useOSREntryToFTL() = false;
-    }
-    
 #if ENABLE(SEPARATED_WX_HEAP)
     // Override globally for now. Longer term we'll just make the default
     // be to have this option enabled, and have platforms that don't support
index 1288ba3..44fbc30 100644 (file)
@@ -310,8 +310,6 @@ constexpr bool enableWebAssemblyStreamingApi = false;
     \
     v(unsigned, maximumVarargsForInlining, 100, Normal, nullptr) \
     \
-    v(bool, useMaximalFlushInsertionPhase, false, Normal, "Setting to true allows the DFG's MaximalFlushInsertionPhase to run.") \
-    \
     v(unsigned, maximumBinaryStringSwitchCaseLength, 50, Normal, nullptr) \
     v(unsigned, maximumBinaryStringSwitchTotalLength, 2000, Normal, nullptr) \
     \
@@ -545,7 +543,6 @@ enum OptionEquivalence {
     v(enableArchitectureSpecificOptimizations, useArchitectureSpecificOptimizations, SameOption) \
     v(enablePolyvariantCallInlining, usePolyvariantCallInlining, SameOption) \
     v(enablePolyvariantByIdInlining, usePolyvariantByIdInlining, SameOption) \
-    v(enableMaximalFlushInsertionPhase, useMaximalFlushInsertionPhase, SameOption) \
     v(objectsAreImmortal, useImmortalObjects, SameOption) \
     v(showObjectStatistics, dumpObjectStatistics, SameOption) \
     v(disableGC, useGC, InvertedOption) \