3d25eb06cc58d249a3d65b86085509dc66a2e43d
[WebKit.git] / Source / JavaScriptCore / dfg / DFGPredictionPropagationPhase.cpp
1 /*
2  * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "DFGPredictionPropagationPhase.h"
28
29 #if ENABLE(DFG_JIT)
30
31 #include "DFGGraph.h"
32 #include "DFGPhase.h"
33 #include "JSCInlines.h"
34
35 namespace JSC { namespace DFG {
36
37 namespace {
38
39 bool verboseFixPointLoops = false;
40
41 class PredictionPropagationPhase : public Phase {
42 public:
43     PredictionPropagationPhase(Graph& graph)
44         : Phase(graph, "prediction propagation")
45     {
46     }
47     
48     bool run()
49     {
50         ASSERT(m_graph.m_form == ThreadedCPS);
51         ASSERT(m_graph.m_unificationState == GloballyUnified);
52
53         propagateThroughArgumentPositions();
54
55         processInvariants();
56
57         m_pass = PrimaryPass;
58         propagateToFixpoint();
59         
60         m_pass = RareCasePass;
61         propagateToFixpoint();
62         
63         m_pass = DoubleVotingPass;
64         unsigned counter = 0;
65         do {
66             if (verboseFixPointLoops)
67                 ++counter;
68
69             m_changed = false;
70             doRoundOfDoubleVoting();
71             if (!m_changed)
72                 break;
73             m_changed = false;
74             propagateForward();
75         } while (m_changed);
76
77         if (verboseFixPointLoops)
78             dataLog("Iterated ", counter, " times in double voting fixpoint.\n");
79         
80         return true;
81     }
82     
83 private:
84     void propagateToFixpoint()
85     {
86         unsigned counter = 0;
87         do {
88             if (verboseFixPointLoops)
89                 ++counter;
90
91             m_changed = false;
92
93             // Forward propagation is near-optimal for both topologically-sorted and
94             // DFS-sorted code.
95             propagateForward();
96             if (!m_changed)
97                 break;
98             
99             // Backward propagation reduces the likelihood that pathological code will
100             // cause slowness. Loops (especially nested ones) resemble backward flow.
101             // This pass captures two cases: (1) it detects if the forward fixpoint
102             // found a sound solution and (2) short-circuits backward flow.
103             m_changed = false;
104             propagateBackward();
105         } while (m_changed);
106
107         if (verboseFixPointLoops)
108             dataLog("Iterated ", counter, " times in propagateToFixpoint.\n");
109     }
110     
111     bool setPrediction(SpeculatedType prediction)
112     {
113         ASSERT(m_currentNode->hasResult());
114         
115         // setPrediction() is used when we know that there is no way that we can change
116         // our minds about what the prediction is going to be. There is no semantic
117         // difference between setPrediction() and mergeSpeculation() other than the
118         // increased checking to validate this property.
119         ASSERT(m_currentNode->prediction() == SpecNone || m_currentNode->prediction() == prediction);
120         
121         return m_currentNode->predict(prediction);
122     }
123     
124     bool mergePrediction(SpeculatedType prediction)
125     {
126         ASSERT(m_currentNode->hasResult());
127         
128         return m_currentNode->predict(prediction);
129     }
130     
131     SpeculatedType speculatedDoubleTypeForPrediction(SpeculatedType value)
132     {
133         SpeculatedType result = SpecDoubleReal;
134         if (value & SpecDoubleImpureNaN)
135             result |= SpecDoubleImpureNaN;
136         if (value & SpecDoublePureNaN)
137             result |= SpecDoublePureNaN;
138         if (!isFullNumberOrBooleanSpeculation(value))
139             result |= SpecDoublePureNaN;
140         return result;
141     }
142
143     SpeculatedType speculatedDoubleTypeForPredictions(SpeculatedType left, SpeculatedType right)
144     {
145         return speculatedDoubleTypeForPrediction(mergeSpeculations(left, right));
146     }
147
148     void propagate(Node* node)
149     {
150         NodeType op = node->op();
151
152         bool changed = false;
153         
154         switch (op) {
155         case GetLocal: {
156             VariableAccessData* variable = node->variableAccessData();
157             SpeculatedType prediction = variable->prediction();
158             if (!variable->couldRepresentInt52() && (prediction & SpecInt52Only))
159                 prediction = (prediction | SpecAnyIntAsDouble) & ~SpecInt52Only;
160             if (prediction)
161                 changed |= mergePrediction(prediction);
162             break;
163         }
164             
165         case SetLocal: {
166             VariableAccessData* variableAccessData = node->variableAccessData();
167             changed |= variableAccessData->predict(node->child1()->prediction());
168             break;
169         }
170
171         case UInt32ToNumber: {
172             if (node->canSpeculateInt32(m_pass))
173                 changed |= mergePrediction(SpecInt32Only);
174             else if (enableInt52())
175                 changed |= mergePrediction(SpecAnyInt);
176             else
177                 changed |= mergePrediction(SpecBytecodeNumber);
178             break;
179         }
180
181         case ValueAdd: {
182             SpeculatedType left = node->child1()->prediction();
183             SpeculatedType right = node->child2()->prediction();
184             
185             if (left && right) {
186                 if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
187                     && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
188                     if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
189                         changed |= mergePrediction(SpecInt32Only);
190                     else if (m_graph.addShouldSpeculateAnyInt(node))
191                         changed |= mergePrediction(SpecInt52Only);
192                     else
193                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
194                 } else if (isStringOrStringObjectSpeculation(left) || isStringOrStringObjectSpeculation(right)) {
195                     // left or right is definitely something other than a number.
196                     changed |= mergePrediction(SpecString);
197                 } else {
198                     changed |= mergePrediction(SpecInt32Only);
199                     if (node->mayHaveDoubleResult())
200                         changed |= mergePrediction(SpecBytecodeDouble);
201                     if (node->mayHaveNonNumberResult())
202                         changed |= mergePrediction(SpecString);
203                 }
204             }
205             break;
206         }
207
208         case ArithAdd: {
209             SpeculatedType left = node->child1()->prediction();
210             SpeculatedType right = node->child2()->prediction();
211             
212             if (left && right) {
213                 if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
214                     changed |= mergePrediction(SpecInt32Only);
215                 else if (m_graph.addShouldSpeculateAnyInt(node))
216                     changed |= mergePrediction(SpecInt52Only);
217                 else if (isFullNumberOrBooleanSpeculation(left) && isFullNumberOrBooleanSpeculation(right))
218                     changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
219                 else if (node->mayHaveNonIntResult() || (left & SpecBytecodeDouble) || (right & SpecBytecodeDouble))
220                     changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
221                 else
222                     changed |= mergePrediction(SpecInt32Only);
223             }
224             break;
225         }
226             
227         case ArithSub: {
228             SpeculatedType left = node->child1()->prediction();
229             SpeculatedType right = node->child2()->prediction();
230
231             if (left && right) {
232                 if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
233                     && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
234                     if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
235                         changed |= mergePrediction(SpecInt32Only);
236                     else if (m_graph.addShouldSpeculateAnyInt(node))
237                         changed |= mergePrediction(SpecInt52Only);
238                     else
239                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
240                 } else if (node->mayHaveNonIntResult() || (left & SpecBytecodeDouble) || (right & SpecBytecodeDouble))
241                     changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
242                 else
243                     changed |= mergePrediction(SpecInt32Only);
244             }
245             break;
246         }
247
248         case ArithNegate: {
249             SpeculatedType prediction = node->child1()->prediction();
250             if (prediction) {
251                 if (isInt32OrBooleanSpeculation(prediction) && node->canSpeculateInt32(m_pass))
252                     changed |= mergePrediction(SpecInt32Only);
253                 else if (m_graph.unaryArithShouldSpeculateAnyInt(node, m_pass))
254                     changed |= mergePrediction(SpecInt52Only);
255                 else if (isBytecodeNumberSpeculation(prediction))
256                     changed |= mergePrediction(speculatedDoubleTypeForPrediction(node->child1()->prediction()));
257                 else {
258                     changed |= mergePrediction(SpecInt32Only);
259                     if (node->mayHaveDoubleResult())
260                         changed |= mergePrediction(SpecBytecodeDouble);
261                 }
262             }
263             break;
264         }
265         case ArithMin:
266         case ArithMax: {
267             SpeculatedType left = node->child1()->prediction();
268             SpeculatedType right = node->child2()->prediction();
269             
270             if (left && right) {
271                 if (Node::shouldSpeculateInt32OrBooleanForArithmetic(node->child1().node(), node->child2().node())
272                     && node->canSpeculateInt32(m_pass))
273                     changed |= mergePrediction(SpecInt32Only);
274                 else
275                     changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
276             }
277             break;
278         }
279
280         case ArithMul: {
281             SpeculatedType left = node->child1()->prediction();
282             SpeculatedType right = node->child2()->prediction();
283             
284             if (left && right) {
285                 // FIXME: We're currently relying on prediction propagation and backwards propagation
286                 // whenever we can, and only falling back on result flags if that fails. And the result
287                 // flags logic doesn't know how to use backwards propagation. We should get rid of the
288                 // prediction propagation logic and rely solely on the result type.
289                 if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
290                     && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
291                     if (m_graph.binaryArithShouldSpeculateInt32(node, m_pass))
292                         changed |= mergePrediction(SpecInt32Only);
293                     else if (m_graph.binaryArithShouldSpeculateAnyInt(node, m_pass))
294                         changed |= mergePrediction(SpecInt52Only);
295                     else
296                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
297                 } else {
298                     if (node->mayHaveNonIntResult()
299                         || (left & SpecBytecodeDouble)
300                         || (right & SpecBytecodeDouble))
301                         changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
302                     else
303                         changed |= mergePrediction(SpecInt32Only);
304                 }
305             }
306             break;
307         }
308
309         case ArithDiv:
310         case ArithMod: {
311             SpeculatedType left = node->child1()->prediction();
312             SpeculatedType right = node->child2()->prediction();
313             
314             if (left && right) {
315                 if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
316                     && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
317                     if (m_graph.binaryArithShouldSpeculateInt32(node, m_pass))
318                         changed |= mergePrediction(SpecInt32Only);
319                     else
320                         changed |= mergePrediction(SpecBytecodeDouble);
321                 } else
322                     changed |= mergePrediction(SpecInt32Only | SpecBytecodeDouble);
323             }
324             break;
325         }
326
327         case ArithAbs: {
328             SpeculatedType childPrediction = node->child1()->prediction();
329             if (isInt32OrBooleanSpeculation(childPrediction)
330                 && node->canSpeculateInt32(m_pass))
331                 changed |= mergePrediction(SpecInt32Only);
332             else
333                 changed |= mergePrediction(SpecBytecodeDouble);
334             break;
335         }
336
337         case GetByVal:
338         case AtomicsAdd:
339         case AtomicsAnd:
340         case AtomicsCompareExchange:
341         case AtomicsExchange:
342         case AtomicsLoad:
343         case AtomicsOr:
344         case AtomicsStore:
345         case AtomicsSub:
346         case AtomicsXor: {
347             Edge child1 = m_graph.child(node, 0);
348             if (!child1->prediction())
349                 break;
350             
351             Edge child2 = m_graph.child(node, 1);
352             ArrayMode arrayMode = node->arrayMode().refine(
353                 m_graph, node,
354                 child1->prediction(),
355                 child2->prediction(),
356                 SpecNone);
357             
358             switch (arrayMode.type()) {
359             case Array::Int32:
360                 if (arrayMode.isOutOfBounds())
361                     changed |= mergePrediction(node->getHeapPrediction() | SpecInt32Only);
362                 else
363                     changed |= mergePrediction(SpecInt32Only);
364                 break;
365             case Array::Double:
366                 if (arrayMode.isOutOfBounds())
367                     changed |= mergePrediction(node->getHeapPrediction() | SpecDoubleReal);
368                 else if (node->getHeapPrediction() & SpecNonIntAsDouble)
369                     changed |= mergePrediction(SpecDoubleReal);
370                 else
371                     changed |= mergePrediction(SpecAnyIntAsDouble);
372                 break;
373             case Array::Float32Array:
374             case Array::Float64Array:
375                 changed |= mergePrediction(SpecFullDouble);
376                 break;
377             case Array::Uint32Array:
378                 if (isInt32SpeculationForArithmetic(node->getHeapPrediction()) && node->op() == GetByVal)
379                     changed |= mergePrediction(SpecInt32Only);
380                 else if (enableInt52())
381                     changed |= mergePrediction(SpecAnyInt);
382                 else
383                     changed |= mergePrediction(SpecInt32Only | SpecAnyIntAsDouble);
384                 break;
385             case Array::Int8Array:
386             case Array::Uint8Array:
387             case Array::Int16Array:
388             case Array::Uint16Array:
389             case Array::Int32Array:
390                 changed |= mergePrediction(SpecInt32Only);
391                 break;
392             default:
393                 changed |= mergePrediction(node->getHeapPrediction());
394                 break;
395             }
396             break;
397         }
398             
399         case ToThis: {
400             // ToThis in methods for primitive types should speculate primitive types in strict mode.
401             ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
402             if (ecmaMode == StrictMode) {
403                 if (node->child1()->shouldSpeculateBoolean()) {
404                     changed |= mergePrediction(SpecBoolean);
405                     break;
406                 }
407
408                 if (node->child1()->shouldSpeculateInt32()) {
409                     changed |= mergePrediction(SpecInt32Only);
410                     break;
411                 }
412
413                 if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
414                     changed |= mergePrediction(SpecAnyInt);
415                     break;
416                 }
417
418                 if (node->child1()->shouldSpeculateNumber()) {
419                     changed |= mergePrediction(SpecBytecodeNumber);
420                     break;
421                 }
422
423                 if (node->child1()->shouldSpeculateSymbol()) {
424                     changed |= mergePrediction(SpecSymbol);
425                     break;
426                 }
427
428                 if (node->child1()->shouldSpeculateStringIdent()) {
429                     changed |= mergePrediction(SpecStringIdent);
430                     break;
431                 }
432
433                 if (node->child1()->shouldSpeculateString()) {
434                     changed |= mergePrediction(SpecString);
435                     break;
436                 }
437             } else {
438                 if (node->child1()->shouldSpeculateString()) {
439                     changed |= mergePrediction(SpecStringObject);
440                     break;
441                 }
442             }
443
444             SpeculatedType prediction = node->child1()->prediction();
445             if (prediction) {
446                 if (prediction & ~SpecObject) {
447                     // Wrapper objects are created only in sloppy mode.
448                     if (ecmaMode != StrictMode) {
449                         prediction &= SpecObject;
450                         prediction = mergeSpeculations(prediction, SpecObjectOther);
451                     }
452                 }
453                 changed |= mergePrediction(prediction);
454             }
455             break;
456         }
457             
458         case ToPrimitive: {
459             SpeculatedType child = node->child1()->prediction();
460             if (child)
461                 changed |= mergePrediction(resultOfToPrimitive(child));
462             break;
463         }
464
465         default:
466             break;
467         }
468
469         m_changed |= changed;
470     }
471         
472     void propagateForward()
473     {
474         for (Node* node : m_dependentNodes) {
475             m_currentNode = node;
476             propagate(m_currentNode);
477         }
478     }
479
480     void propagateBackward()
481     {
482         for (unsigned i = m_dependentNodes.size(); i--;) {
483             m_currentNode = m_dependentNodes[i];
484             propagate(m_currentNode);
485         }
486     }
487     
488     void doDoubleVoting(Node* node, float weight)
489     {
490         // Loop pre-headers created by OSR entrypoint creation may have NaN weight to indicate
491         // that we actually don't know they weight. Assume that they execute once. This turns
492         // out to be an OK assumption since the pre-header doesn't have any meaningful code.
493         if (weight != weight)
494             weight = 1;
495         
496         switch (node->op()) {
497         case ValueAdd:
498         case ArithAdd:
499         case ArithSub: {
500             SpeculatedType left = node->child1()->prediction();
501             SpeculatedType right = node->child2()->prediction();
502                 
503             DoubleBallot ballot;
504                 
505             if (isFullNumberSpeculation(left)
506                 && isFullNumberSpeculation(right)
507                 && !m_graph.addShouldSpeculateInt32(node, m_pass)
508                 && !m_graph.addShouldSpeculateAnyInt(node))
509                 ballot = VoteDouble;
510             else
511                 ballot = VoteValue;
512                 
513             m_graph.voteNode(node->child1(), ballot, weight);
514             m_graph.voteNode(node->child2(), ballot, weight);
515             break;
516         }
517
518         case ArithMul: {
519             SpeculatedType left = node->child1()->prediction();
520             SpeculatedType right = node->child2()->prediction();
521                 
522             DoubleBallot ballot;
523                 
524             if (isFullNumberSpeculation(left)
525                 && isFullNumberSpeculation(right)
526                 && !m_graph.binaryArithShouldSpeculateInt32(node, m_pass)
527                 && !m_graph.binaryArithShouldSpeculateAnyInt(node, m_pass))
528                 ballot = VoteDouble;
529             else
530                 ballot = VoteValue;
531                 
532             m_graph.voteNode(node->child1(), ballot, weight);
533             m_graph.voteNode(node->child2(), ballot, weight);
534             break;
535         }
536
537         case ArithMin:
538         case ArithMax:
539         case ArithMod:
540         case ArithDiv: {
541             SpeculatedType left = node->child1()->prediction();
542             SpeculatedType right = node->child2()->prediction();
543                 
544             DoubleBallot ballot;
545                 
546             if (isFullNumberSpeculation(left)
547                 && isFullNumberSpeculation(right)
548                 && !m_graph.binaryArithShouldSpeculateInt32(node, m_pass))
549                 ballot = VoteDouble;
550             else
551                 ballot = VoteValue;
552                 
553             m_graph.voteNode(node->child1(), ballot, weight);
554             m_graph.voteNode(node->child2(), ballot, weight);
555             break;
556         }
557
558         case ArithAbs:
559             DoubleBallot ballot;
560             if (node->child1()->shouldSpeculateNumber()
561                 && !m_graph.unaryArithShouldSpeculateInt32(node, m_pass))
562                 ballot = VoteDouble;
563             else
564                 ballot = VoteValue;
565                 
566             m_graph.voteNode(node->child1(), ballot, weight);
567             break;
568                 
569         case ArithSqrt:
570         case ArithUnary:
571             if (node->child1()->shouldSpeculateNumber())
572                 m_graph.voteNode(node->child1(), VoteDouble, weight);
573             else
574                 m_graph.voteNode(node->child1(), VoteValue, weight);
575             break;
576                 
577         case SetLocal: {
578             SpeculatedType prediction = node->child1()->prediction();
579             if (isDoubleSpeculation(prediction))
580                 node->variableAccessData()->vote(VoteDouble, weight);
581             else if (!isFullNumberSpeculation(prediction)
582                 || isInt32Speculation(prediction) || isAnyIntSpeculation(prediction))
583                 node->variableAccessData()->vote(VoteValue, weight);
584             break;
585         }
586
587         case PutByValDirect:
588         case PutByVal:
589         case PutByValAlias: {
590             Edge child1 = m_graph.varArgChild(node, 0);
591             Edge child2 = m_graph.varArgChild(node, 1);
592             Edge child3 = m_graph.varArgChild(node, 2);
593             m_graph.voteNode(child1, VoteValue, weight);
594             m_graph.voteNode(child2, VoteValue, weight);
595             switch (node->arrayMode().type()) {
596             case Array::Double:
597                 m_graph.voteNode(child3, VoteDouble, weight);
598                 break;
599             default:
600                 m_graph.voteNode(child3, VoteValue, weight);
601                 break;
602             }
603             break;
604         }
605             
606         case MovHint:
607             // Ignore these since they have no effect on in-DFG execution.
608             break;
609             
610         default:
611             m_graph.voteChildren(node, VoteValue, weight);
612             break;
613         }
614     }
615     
616     void doRoundOfDoubleVoting()
617     {
618         for (unsigned i = 0; i < m_graph.m_variableAccessData.size(); ++i)
619             m_graph.m_variableAccessData[i].find()->clearVotes();
620         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
621             BasicBlock* block = m_graph.block(blockIndex);
622             if (!block)
623                 continue;
624             ASSERT(block->isReachable);
625             for (unsigned i = 0; i < block->size(); ++i) {
626                 m_currentNode = block->at(i);
627                 doDoubleVoting(m_currentNode, block->executionCount);
628             }
629         }
630         for (unsigned i = 0; i < m_graph.m_variableAccessData.size(); ++i) {
631             VariableAccessData* variableAccessData = &m_graph.m_variableAccessData[i];
632             if (!variableAccessData->isRoot())
633                 continue;
634             m_changed |= variableAccessData->tallyVotesForShouldUseDoubleFormat();
635         }
636         propagateThroughArgumentPositions();
637         for (unsigned i = 0; i < m_graph.m_variableAccessData.size(); ++i) {
638             VariableAccessData* variableAccessData = &m_graph.m_variableAccessData[i];
639             if (!variableAccessData->isRoot())
640                 continue;
641             m_changed |= variableAccessData->makePredictionForDoubleFormat();
642         }
643     }
644     
645     void propagateThroughArgumentPositions()
646     {
647         for (unsigned i = 0; i < m_graph.m_argumentPositions.size(); ++i)
648             m_changed |= m_graph.m_argumentPositions[i].mergeArgumentPredictionAwareness();
649     }
650
651     // Sets any predictions that do not depends on other nodes.
652     void processInvariants()
653     {
654         for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
655             for (Node* node : *block) {
656                 m_currentNode = node;
657                 processInvariantsForNode();
658             }
659         }
660     }
661
662     void processInvariantsForNode()
663     {
664         switch (m_currentNode->op()) {
665         case JSConstant: {
666             SpeculatedType type = speculationFromValue(m_currentNode->asJSValue());
667             if (type == SpecAnyIntAsDouble && enableInt52())
668                 type = SpecInt52Only;
669             setPrediction(type);
670             break;
671         }
672         case DoubleConstant: {
673             SpeculatedType type = speculationFromValue(m_currentNode->asJSValue());
674             setPrediction(type);
675             break;
676         }
677         case BitAnd:
678         case BitOr:
679         case BitXor:
680         case BitRShift:
681         case BitLShift:
682         case BitURShift:
683         case ArithIMul:
684         case ArithClz32: {
685             setPrediction(SpecInt32Only);
686             break;
687         }
688
689         case ArrayPop:
690         case ArrayPush:
691         case RegExpExec:
692         case RegExpTest:
693         case StringReplace:
694         case StringReplaceRegExp:
695         case GetById:
696         case GetByIdFlush:
697         case GetByIdWithThis:
698         case TryGetById:
699         case GetByValWithThis:
700         case GetByOffset:
701         case MultiGetByOffset:
702         case GetDirectPname:
703         case Call:
704         case DirectCall:
705         case TailCallInlinedCaller:
706         case DirectTailCallInlinedCaller:
707         case Construct:
708         case DirectConstruct:
709         case CallVarargs:
710         case CallEval:
711         case TailCallVarargsInlinedCaller:
712         case ConstructVarargs:
713         case CallForwardVarargs:
714         case ConstructForwardVarargs:
715         case TailCallForwardVarargsInlinedCaller:
716         case GetGlobalVar:
717         case GetGlobalLexicalVariable:
718         case GetClosureVar:
719         case GetFromArguments:
720         case LoadFromJSMapBucket:
721         case ToNumber:
722         case GetArgument:
723         case CallDOMGetter: {
724             setPrediction(m_currentNode->getHeapPrediction());
725             break;
726         }
727
728         case ResolveScopeForHoistingFuncDeclInEval:
729         case GetDynamicVar: {
730             setPrediction(SpecBytecodeTop);
731             break;
732         }
733             
734         case GetGetterSetterByOffset:
735         case GetExecutable: {
736             setPrediction(SpecCellOther);
737             break;
738         }
739
740         case GetGetter:
741         case GetSetter:
742         case GetCallee:
743         case NewFunction:
744         case NewGeneratorFunction:
745         case NewAsyncFunction: {
746             setPrediction(SpecFunction);
747             break;
748         }
749             
750         case GetArgumentCountIncludingThis: {
751             setPrediction(SpecInt32Only);
752             break;
753         }
754
755         case MapHash:
756             setPrediction(SpecInt32Only);
757             break;
758         case GetMapBucket:
759             setPrediction(SpecCellOther);
760             break;
761         case IsNonEmptyMapBucket:
762             setPrediction(SpecBoolean);
763             break;
764
765         case GetRestLength:
766         case ArrayIndexOf: {
767             setPrediction(SpecInt32Only);
768             break;
769         }
770
771         case GetTypedArrayByteOffset:
772         case GetArrayLength:
773         case GetVectorLength: {
774             setPrediction(SpecInt32Only);
775             break;
776         }
777
778         case StringCharCodeAt: {
779             setPrediction(SpecInt32Only);
780             break;
781         }
782
783         case ToLowerCase:
784             setPrediction(SpecString);
785             break;
786
787         case ArithPow:
788         case ArithSqrt:
789         case ArithFRound:
790         case ArithUnary: {
791             setPrediction(SpecBytecodeDouble);
792             break;
793         }
794
795         case ArithRound:
796         case ArithFloor:
797         case ArithCeil:
798         case ArithTrunc: {
799             if (isInt32OrBooleanSpeculation(m_currentNode->getHeapPrediction())
800                 && m_graph.roundShouldSpeculateInt32(m_currentNode, m_pass))
801                 setPrediction(SpecInt32Only);
802             else
803                 setPrediction(SpecBytecodeDouble);
804             break;
805         }
806
807         case ArithRandom: {
808             setPrediction(SpecDoubleReal);
809             break;
810         }
811         case DeleteByVal:
812         case DeleteById:
813         case LogicalNot:
814         case CompareLess:
815         case CompareLessEq:
816         case CompareGreater:
817         case CompareGreaterEq:
818         case CompareEq:
819         case CompareStrictEq:
820         case CompareEqPtr:
821         case OverridesHasInstance:
822         case InstanceOf:
823         case InstanceOfCustom:
824         case IsEmpty:
825         case IsUndefined:
826         case IsBoolean:
827         case IsNumber:
828         case IsObject:
829         case IsObjectOrNull:
830         case IsFunction:
831         case IsCellWithType:
832         case IsTypedArrayView: {
833             setPrediction(SpecBoolean);
834             break;
835         }
836
837         case TypeOf: {
838             setPrediction(SpecStringIdent);
839             break;
840         }
841         case GetButterfly:
842         case GetIndexedPropertyStorage:
843         case AllocatePropertyStorage:
844         case ReallocatePropertyStorage: {
845             setPrediction(SpecOther);
846             break;
847         }
848
849         case CheckSubClass:
850             break;
851
852         case CallObjectConstructor: {
853             setPrediction(SpecObject);
854             break;
855         }
856         case SkipScope:
857         case GetGlobalObject: {
858             setPrediction(SpecObjectOther);
859             break;
860         }
861
862         case ResolveScope: {
863             setPrediction(SpecObjectOther);
864             break;
865         }
866             
867         case CreateThis:
868         case NewObject: {
869             setPrediction(SpecFinalObject);
870             break;
871         }
872             
873         case ArraySlice:
874         case NewArrayWithSpread:
875         case NewArray:
876         case NewArrayWithSize:
877         case CreateRest:
878         case NewArrayBuffer: {
879             setPrediction(SpecArray);
880             break;
881         }
882
883         case Spread:
884             setPrediction(SpecCellOther);
885             break;
886             
887         case NewTypedArray: {
888             setPrediction(speculationFromTypedArrayType(m_currentNode->typedArrayType()));
889             break;
890         }
891             
892         case NewRegexp: {
893             setPrediction(SpecRegExpObject);
894             break;
895         }
896             
897         case CreateActivation: {
898             setPrediction(SpecObjectOther);
899             break;
900         }
901         
902         case StringFromCharCode: {
903             setPrediction(SpecString);
904             m_currentNode->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt);
905             break;
906         }
907         case StringCharAt:
908         case CallStringConstructor:
909         case ToString:
910         case NumberToStringWithRadix:
911         case MakeRope:
912         case StrCat: {
913             setPrediction(SpecString);
914             break;
915         }
916         case NewStringObject: {
917             setPrediction(SpecStringObject);
918             break;
919         }
920             
921         case CreateDirectArguments: {
922             setPrediction(SpecDirectArguments);
923             break;
924         }
925             
926         case CreateScopedArguments: {
927             setPrediction(SpecScopedArguments);
928             break;
929         }
930             
931         case CreateClonedArguments: {
932             setPrediction(SpecObjectOther);
933             break;
934         }
935             
936         case FiatInt52: {
937             RELEASE_ASSERT(enableInt52());
938             setPrediction(SpecAnyInt);
939             break;
940         }
941
942         case GetScope:
943             setPrediction(SpecObjectOther);
944             break;
945
946         case In:
947             setPrediction(SpecBoolean);
948             break;
949
950         case HasOwnProperty:
951             setPrediction(SpecBoolean);
952             break;
953
954         case GetEnumerableLength: {
955             setPrediction(SpecInt32Only);
956             break;
957         }
958         case HasGenericProperty:
959         case HasStructureProperty:
960         case HasIndexedProperty: {
961             setPrediction(SpecBoolean);
962             break;
963         }
964         case GetPropertyEnumerator: {
965             setPrediction(SpecCell);
966             break;
967         }
968         case GetEnumeratorStructurePname: {
969             setPrediction(SpecCell | SpecOther);
970             break;
971         }
972         case GetEnumeratorGenericPname: {
973             setPrediction(SpecCell | SpecOther);
974             break;
975         }
976         case ToIndexString: {
977             setPrediction(SpecString);
978             break;
979         }
980         case ParseInt: {
981             // We expect this node to almost always produce an int32. However,
982             // it's possible it produces NaN or integers out of int32 range. We
983             // rely on the heap prediction since the parseInt() call profiled
984             // its result.
985             setPrediction(m_currentNode->getHeapPrediction());
986             break;
987         }
988
989         case GetLocal:
990         case SetLocal:
991         case UInt32ToNumber:
992         case ValueAdd:
993         case ArithAdd:
994         case ArithSub:
995         case ArithNegate:
996         case ArithMin:
997         case ArithMax:
998         case ArithMul:
999         case ArithDiv:
1000         case ArithMod:
1001         case ArithAbs:
1002         case GetByVal:
1003         case ToThis:
1004         case ToPrimitive: 
1005         case AtomicsAdd:
1006         case AtomicsAnd:
1007         case AtomicsCompareExchange:
1008         case AtomicsExchange:
1009         case AtomicsLoad:
1010         case AtomicsOr:
1011         case AtomicsStore:
1012         case AtomicsSub:
1013         case AtomicsXor: {
1014             m_dependentNodes.append(m_currentNode);
1015             break;
1016         }
1017             
1018         case AtomicsIsLockFree: {
1019             setPrediction(SpecBoolean);
1020             break;
1021         }
1022
1023         case PutByValAlias:
1024         case DoubleAsInt32:
1025         case GetLocalUnlinked:
1026         case CheckArray:
1027         case CheckTypeInfoFlags:
1028         case Arrayify:
1029         case ArrayifyToStructure:
1030         case CheckTierUpInLoop:
1031         case CheckTierUpAtReturn:
1032         case CheckTierUpAndOSREnter:
1033         case InvalidationPoint:
1034         case CheckInBounds:
1035         case ValueToInt32:
1036         case DoubleRep:
1037         case ValueRep:
1038         case Int52Rep:
1039         case Int52Constant:
1040         case Identity:
1041         case BooleanToNumber:
1042         case PhantomNewObject:
1043         case PhantomNewFunction:
1044         case PhantomNewGeneratorFunction:
1045         case PhantomNewAsyncFunction:
1046         case PhantomCreateActivation:
1047         case PhantomDirectArguments:
1048         case PhantomCreateRest:
1049         case PhantomSpread:
1050         case PhantomNewArrayWithSpread:
1051         case PhantomClonedArguments:
1052         case GetMyArgumentByVal:
1053         case GetMyArgumentByValOutOfBounds:
1054         case PutHint:
1055         case CheckStructureImmediate:
1056         case MaterializeNewObject:
1057         case MaterializeCreateActivation:
1058         case PutStack:
1059         case KillStack:
1060         case StoreBarrier:
1061         case FencedStoreBarrier:
1062         case GetStack:
1063         case GetRegExpObjectLastIndex:
1064         case SetRegExpObjectLastIndex:
1065         case RecordRegExpCachedResult:
1066         case LazyJSConstant:
1067         case CallDOM: {
1068             // This node should never be visible at this stage of compilation. It is
1069             // inserted by fixup(), which follows this phase.
1070             DFG_CRASH(m_graph, m_currentNode, "Unexpected node during prediction propagation");
1071             break;
1072         }
1073         
1074         case Phi:
1075             // Phis should not be visible here since we're iterating the all-but-Phi's
1076             // part of basic blocks.
1077             RELEASE_ASSERT_NOT_REACHED();
1078             break;
1079             
1080         case Upsilon:
1081             // These don't get inserted until we go into SSA.
1082             RELEASE_ASSERT_NOT_REACHED();
1083             break;
1084
1085 #ifndef NDEBUG
1086         // These get ignored because they don't return anything.
1087         case PutByValDirect:
1088         case PutByValWithThis:
1089         case PutByIdWithThis:
1090         case PutByVal:
1091         case PutClosureVar:
1092         case PutToArguments:
1093         case Return:
1094         case TailCall:
1095         case DirectTailCall:
1096         case TailCallVarargs:
1097         case TailCallForwardVarargs:
1098         case Throw:
1099         case PutById:
1100         case PutByIdFlush:
1101         case PutByIdDirect:
1102         case PutByOffset:
1103         case MultiPutByOffset:
1104         case PutGetterById:
1105         case PutSetterById:
1106         case PutGetterSetterById:
1107         case PutGetterByVal:
1108         case PutSetterByVal:
1109         case DefineDataProperty:
1110         case DefineAccessorProperty:
1111         case DFG::Jump:
1112         case Branch:
1113         case Switch:
1114         case ProfileType:
1115         case ProfileControlFlow:
1116         case ThrowStaticError:
1117         case ForceOSRExit:
1118         case SetArgument:
1119         case SetFunctionName:
1120         case CheckStructure:
1121         case CheckCell:
1122         case CheckNotEmpty:
1123         case CheckStringIdent:
1124         case CheckBadCell:
1125         case PutStructure:
1126         case Phantom:
1127         case Check:
1128         case PutGlobalVariable:
1129         case CheckTraps:
1130         case LogShadowChickenPrologue:
1131         case LogShadowChickenTail:
1132         case Unreachable:
1133         case LoopHint:
1134         case NotifyWrite:
1135         case ConstantStoragePointer:
1136         case MovHint:
1137         case ZombieHint:
1138         case ExitOK:
1139         case LoadVarargs:
1140         case ForwardVarargs:
1141         case PutDynamicVar:
1142         case NukeStructureAndSetButterfly:
1143             break;
1144             
1145         // This gets ignored because it only pretends to produce a value.
1146         case BottomValue:
1147             break;
1148             
1149         // This gets ignored because it already has a prediction.
1150         case ExtractOSREntryLocal:
1151             break;
1152             
1153         // These gets ignored because it doesn't do anything.
1154         case CountExecution:
1155         case PhantomLocal:
1156         case Flush:
1157             break;
1158             
1159         case LastNodeType:
1160             RELEASE_ASSERT_NOT_REACHED();
1161             break;
1162 #else
1163         default:
1164             break;
1165 #endif
1166         }
1167     }
1168
1169     SpeculatedType resultOfToPrimitive(SpeculatedType type)
1170     {
1171         if (type & SpecObject) {
1172             // We try to be optimistic here about StringObjects since it's unlikely that
1173             // someone overrides the valueOf or toString methods.
1174             if (type & SpecStringObject && m_graph.canOptimizeStringObjectAccess(m_currentNode->origin.semantic))
1175                 return mergeSpeculations(type & ~SpecObject, SpecString);
1176
1177             return mergeSpeculations(type & ~SpecObject, SpecPrimitive);
1178         }
1179
1180         return type;
1181     }
1182
1183     Vector<Node*> m_dependentNodes;
1184     Node* m_currentNode;
1185     bool m_changed;
1186     PredictionPass m_pass; // We use different logic for considering predictions depending on how far along we are in propagation.
1187 };
1188
1189 } // Anonymous namespace.
1190     
1191 bool performPredictionPropagation(Graph& graph)
1192 {
1193     return runPhase<PredictionPropagationPhase>(graph);
1194 }
1195
1196 } } // namespace JSC::DFG
1197
1198 #endif // ENABLE(DFG_JIT)
1199