summaryrefslogtreecommitdiffstats
path: root/js/src/jit/EffectiveAddressAnalysis.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'js/src/jit/EffectiveAddressAnalysis.cpp')
-rw-r--r--js/src/jit/EffectiveAddressAnalysis.cpp277
1 file changed, 277 insertions, 0 deletions
diff --git a/js/src/jit/EffectiveAddressAnalysis.cpp b/js/src/jit/EffectiveAddressAnalysis.cpp
new file mode 100644
index 000000000..a17da8747
--- /dev/null
+++ b/js/src/jit/EffectiveAddressAnalysis.cpp
@@ -0,0 +1,277 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "jit/EffectiveAddressAnalysis.h"
+#include "jit/IonAnalysis.h"
+#include "jit/MIR.h"
+#include "jit/MIRGraph.h"
+
+using namespace js;
+using namespace jit;
+
// Try to fold a left-shift (an array-index scaling) together with a chain of
// truncated int32 adds into a single MEffectiveAddress node
// (base + index*scale + displacement), or, failing to find a base, to bypass
// a bitwise mask that the shift already makes redundant.
static void
AnalyzeLsh(TempAllocator& alloc, MLsh* lsh)
{
    // Only int32-specialized shifts correspond to machine address arithmetic.
    if (lsh->specialization() != MIRType::Int32)
        return;

    if (lsh->isRecoveredOnBailout())
        return;

    MDefinition* index = lsh->lhs();
    MOZ_ASSERT(index->type() == MIRType::Int32);

    // The shift amount must be a constant that an addressing-mode scale can
    // encode (shift {0,1,2,3} -> scale {1,2,4,8}).
    MConstant* shiftValue = lsh->rhs()->maybeConstantValue();
    if (!shiftValue)
        return;

    if (shiftValue->type() != MIRType::Int32 || !IsShiftInScaleRange(shiftValue->toInt32()))
        return;

    Scale scale = ShiftToScale(shiftValue->toInt32());

    // Walk down the chain of single-use truncated int32 adds consuming the
    // shift, folding constant operands into `displacement` and allowing at
    // most one non-constant operand, which becomes the `base`.
    int32_t displacement = 0;
    MInstruction* last = lsh;
    MDefinition* base = nullptr;
    while (true) {
        if (!last->hasOneUse())
            break;

        MUseIterator use = last->usesBegin();
        if (!use->consumer()->isDefinition() || !use->consumer()->toDefinition()->isAdd())
            break;

        MAdd* add = use->consumer()->toDefinition()->toAdd();
        if (add->specialization() != MIRType::Int32 || !add->isTruncated())
            break;

        // The add's operand that is not `last`.
        MDefinition* other = add->getOperand(1 - add->indexOf(*use));

        if (MConstant* otherConst = other->maybeConstantValue()) {
            displacement += otherConst->toInt32();
        } else {
            // Only one non-constant term can serve as the base register.
            if (base)
                break;
            base = other;
        }

        last = add;
        // Bail out entirely (not just stop) if the chain ends in a node that
        // is only recovered on bailout: it produces no real machine code.
        if (last->isRecoveredOnBailout())
            return;
    }

    if (!base) {
        // No base pointer found. Instead, see if the shifted value feeds a
        // BitAnd whose mask only clears bits the shift already guarantees to
        // be zero, making the mask a no-op that can be bypassed.
        uint32_t elemSize = 1 << ScaleToShift(scale);
        if (displacement % elemSize != 0)
            return;

        if (!last->hasOneUse())
            return;

        MUseIterator use = last->usesBegin();
        if (!use->consumer()->isDefinition() || !use->consumer()->toDefinition()->isBitAnd())
            return;

        MBitAnd* bitAnd = use->consumer()->toDefinition()->toBitAnd();
        if (bitAnd->isRecoveredOnBailout())
            return;

        MDefinition* other = bitAnd->getOperand(1 - bitAnd->indexOf(*use));
        MConstant* otherConst = other->maybeConstantValue();
        if (!otherConst || otherConst->type() != MIRType::Int32)
            return;

        // The mask is redundant iff every bit it clears is among the low
        // `ScaleToShift(scale)` bits the shift already zeroes.
        uint32_t bitsClearedByShift = elemSize - 1;
        uint32_t bitsClearedByMask = ~uint32_t(otherConst->toInt32());
        if ((bitsClearedByShift & bitsClearedByMask) != bitsClearedByMask)
            return;

        bitAnd->replaceAllUsesWith(last);
        return;
    }

    if (base->isRecoveredOnBailout())
        return;

    // Replace the entire add chain with one effective-address computation,
    // inserted right after the end of the chain.
    MEffectiveAddress* eaddr = MEffectiveAddress::New(alloc, base, index, scale, displacement);
    last->replaceAllUsesWith(eaddr);
    last->block()->insertAfter(last, eaddr);
}
+
// Transform:
//
//   [AddI]
//   addl       $9, %esi
//   [LoadUnboxedScalar]
//   movsd      0x0(%rbx,%rsi,8), %xmm4
//
// into:
//
//   [LoadUnboxedScalar]
//   movsd      0x48(%rbx,%rsi,8), %xmm4
//
// This is possible when the AddI is only used by the LoadUnboxedScalar opcode.
static void
AnalyzeLoadUnboxedScalar(TempAllocator& alloc, MLoadUnboxedScalar* load)
{
    if (load->isRecoveredOnBailout())
        return;

    // Operand 1 is the index; only an (index + constant) shape is foldable.
    if (!load->getOperand(1)->isAdd())
        return;

    JitSpew(JitSpew_EAA, "analyze: %s%u", load->opName(), load->id());

    MAdd* add = load->getOperand(1)->toAdd();

    // The add must be a fully truncated int32 computation so dropping it
    // cannot change observable overflow behavior.
    if (add->specialization() != MIRType::Int32 || !add->hasUses() ||
        add->truncateKind() != MDefinition::TruncateKind::Truncate)
    {
        return;
    }

    // Split the add into its constant part and the remaining index node.
    MDefinition* lhs = add->lhs();
    MDefinition* rhs = add->rhs();
    MDefinition* constant = nullptr;
    MDefinition* node = nullptr;

    if (lhs->isConstant()) {
        constant = lhs;
        node = rhs;
    } else if (rhs->isConstant()) {
        constant = rhs;
        node = lhs;
    } else
        return;

    MOZ_ASSERT(constant->type() == MIRType::Int32);

    // The folded byte offset is (constant * element size) added to the load's
    // existing offset adjustment; reject the fold on any overflow.
    size_t storageSize = Scalar::byteSize(load->storageType());
    int32_t c1 = load->offsetAdjustment();
    int32_t c2 = 0;
    if (!SafeMul(constant->maybeConstantValue()->toInt32(), storageSize, &c2))
        return;

    int32_t offset = 0;
    if (!SafeAdd(c1, c2, &offset))
        return;

    JitSpew(JitSpew_EAA, "set offset: %d + %d = %d on: %s%u", c1, c2, offset,
            load->opName(), load->id());
    // Rewrite the load to index directly off `node` with the folded offset.
    load->setOffsetAdjustment(offset);
    load->replaceOperand(1, node);

    // If the add is now dead apart from resume points, mark it recovered on
    // bailout so it is rematerialized only when deoptimizing.
    if (!add->hasLiveDefUses() && DeadIfUnused(add) && add->canRecoverOnBailout()) {
        JitSpew(JitSpew_EAA, "mark as recovered on bailout: %s%u",
                add->opName(), add->id());
        add->setRecoveredOnBailoutUnchecked();
    }
}
+
// Try to fold the signed displacement `o` into the constant offset of an
// asm.js/wasm heap access `ins`. On success, updates the instruction's offset
// and returns true; returns false if the addition wraps or the resulting
// offset would not fit below the guard-region limit.
template<typename AsmJSMemoryAccess>
bool
EffectiveAddressAnalysis::tryAddDisplacement(AsmJSMemoryAccess* ins, int32_t o)
{
#ifdef WASM_HUGE_MEMORY
    // Compute the new offset. Check for overflow: adding a negative `o` must
    // decrease the offset and adding a positive one must increase it.
    uint32_t oldOffset = ins->offset();
    uint32_t newOffset = oldOffset + o;
    if (o < 0 ? (newOffset >= oldOffset) : (newOffset < oldOffset))
        return false;

    // The offset must ultimately be written into the offset immediate of a
    // load or store instruction, so don't allow folding if the offset is
    // bigger than the guard limit.
    if (newOffset >= wasm::OffsetGuardLimit)
        return false;

    // Everything checks out. This is the new offset.
    ins->setOffset(newOffset);
    return true;
#else
    // Without huge-memory guard pages, folding a displacement into the access
    // is not safe, so never fold.
    return false;
#endif
}
+
// Fold constant address components of an asm.js heap load/store into the
// instruction's offset immediate, and remove bounds checks that the minimum
// heap length already guarantees to pass.
template<typename AsmJSMemoryAccess>
void
EffectiveAddressAnalysis::analyzeAsmJSHeapAccess(AsmJSMemoryAccess* ins)
{
    MDefinition* base = ins->base();

    if (base->isConstant()) {
        // Look for heap[i] where i is a constant offset, and fold the offset.
        // By doing the folding now, we simplify the task of codegen; the offset
        // is always the address mode immediate. This also allows it to avoid
        // a situation where the sum of a constant pointer value and a non-zero
        // offset doesn't actually fit into the address mode immediate.
        int32_t imm = base->toConstant()->toInt32();
        if (imm != 0 && tryAddDisplacement(ins, imm)) {
            MInstruction* zero = MConstant::New(graph_.alloc(), Int32Value(0));
            ins->block()->insertBefore(ins, zero);
            ins->replaceBase(zero);
        }

        // If the index is within the minimum heap length, we can optimize
        // away the bounds check.  `end >= imm` rejects wraparound of the
        // signed end-of-access computation.
        if (imm >= 0) {
            int32_t end = (uint32_t)imm + ins->byteSize();
            if (end >= imm && (uint32_t)end <= mir_->minWasmHeapLength())
                ins->removeBoundsCheck();
        }
    } else if (base->isAdd()) {
        // Look for heap[a+i] where i is a constant offset, and fold the offset.
        // Alignment masks have already been moved out of the way by the
        // Alignment Mask Analysis pass.
        MDefinition* op0 = base->toAdd()->getOperand(0);
        MDefinition* op1 = base->toAdd()->getOperand(1);
        // Canonicalize so any constant ends up in op1.
        if (op0->isConstant())
            mozilla::Swap(op0, op1);
        if (op1->isConstant()) {
            int32_t imm = op1->toConstant()->toInt32();
            if (tryAddDisplacement(ins, imm))
                ins->replaceBase(op0);
        }
    }
}
+
+// This analysis converts patterns of the form:
+// truncate(x + (y << {0,1,2,3}))
+// truncate(x + (y << {0,1,2,3}) + imm32)
+// into a single lea instruction, and patterns of the form:
+// asmload(x + imm32)
+// asmload(x << {0,1,2,3})
+// asmload((x << {0,1,2,3}) + imm32)
+// asmload((x << {0,1,2,3}) & mask) (where mask is redundant with shift)
+// asmload(((x << {0,1,2,3}) + imm32) & mask) (where mask is redundant with shift + imm32)
+// into a single asmload instruction (and for asmstore too).
+//
+// Additionally, we should consider the general forms:
+// truncate(x + y + imm32)
+// truncate((y << {0,1,2,3}) + imm32)
+bool
+EffectiveAddressAnalysis::analyze()
+{
+ for (ReversePostorderIterator block(graph_.rpoBegin()); block != graph_.rpoEnd(); block++) {
+ for (MInstructionIterator i = block->begin(); i != block->end(); i++) {
+ if (!graph_.alloc().ensureBallast())
+ return false;
+
+ // Note that we don't check for MAsmJSCompareExchangeHeap
+ // or MAsmJSAtomicBinopHeap, because the backend and the OOB
+ // mechanism don't support non-zero offsets for them yet
+ // (TODO bug 1254935).
+ if (i->isLsh())
+ AnalyzeLsh(graph_.alloc(), i->toLsh());
+ else if (i->isLoadUnboxedScalar())
+ AnalyzeLoadUnboxedScalar(graph_.alloc(), i->toLoadUnboxedScalar());
+ else if (i->isAsmJSLoadHeap())
+ analyzeAsmJSHeapAccess(i->toAsmJSLoadHeap());
+ else if (i->isAsmJSStoreHeap())
+ analyzeAsmJSHeapAccess(i->toAsmJSStoreHeap());
+ }
+ }
+ return true;
+}