Disable FieldPRE when a type check bailout from a hoisted instruction triggers a rejit

Author: rajatd

lib/Backend/BailOut.cpp

@@ -1212,7 +1212,7 @@ BailOutRecord::BailOutFromLoopBodyHelper(Js::JavascriptCallStackLayout * layout,
 
 void BailOutRecord::UpdatePolymorphicFieldAccess(Js::JavascriptFunction * function, BailOutRecord const * bailOutRecord)
 {
-    Js::FunctionBody * executeFunction = bailOutRecord->type == Shared ? ((SharedBailOutRecord*)bailOutRecord)->functionBody : function->GetFunctionBody();
+    Js::FunctionBody * executeFunction = bailOutRecord->IsShared() ? ((SharedBailOutRecord*)bailOutRecord)->functionBody : function->GetFunctionBody();
     Js::DynamicProfileInfo *dynamicProfileInfo = nullptr;
     if (executeFunction->HasDynamicProfileInfo())
     {
@@ -1708,11 +1708,10 @@ void BailOutRecord::ScheduleFunctionCodeGen(Js::ScriptFunction * function, Js::S
 
     Assert(bailOutKind != IR::BailOutInvalid);
 
-    if ((executeFunction->HasDynamicProfileInfo() && callsCount == 0) ||
+    Js::DynamicProfileInfo * profileInfo = executeFunction->HasDynamicProfileInfo() ? executeFunction->GetAnyDynamicProfileInfo() : nullptr;
+    if ((profileInfo && callsCount == 0) ||
         PHASE_FORCE(Js::ReJITPhase, executeFunction))
     {
-        Js::DynamicProfileInfo * profileInfo = executeFunction->GetAnyDynamicProfileInfo();
-
         if ((bailOutKind & (IR::BailOutOnResultConditions | IR::BailOutOnDivSrcConditions)) || bailOutKind == IR::BailOutIntOnly || bailOutKind == IR::BailOnIntMin || bailOutKind == IR::BailOnDivResultNotInt)
         {
             // Note WRT BailOnIntMin: it wouldn't make sense to re-jit without changing anything here, as interpreter will not change the (int) type,
@@ -2155,7 +2154,6 @@ void BailOutRecord::ScheduleFunctionCodeGen(Js::ScriptFunction * function, Js::S
 
     if (!reThunk && rejitReason != RejitReason::None)
     {
-        Js::DynamicProfileInfo * profileInfo = executeFunction->GetAnyDynamicProfileInfo();
         // REVIEW: Temporary fix for RS1.  Disable Rejiting if it looks like it is not fixing the problem.
         //         For RS2, turn the rejitCount check into an assert and let's fix all these issues.
         if (profileInfo->GetRejitCount() >= 100 ||
@@ -2223,6 +2221,14 @@ void BailOutRecord::ScheduleFunctionCodeGen(Js::ScriptFunction * function, Js::S
     }
     else if (rejitReason != RejitReason::None)
     {
+        if (bailOutRecord->IsForLoopTop() && IR::IsTypeCheckBailOutKind(bailOutRecord->bailOutKind))
+        {
+            // Disable FieldPRE if we're triggering a type check rejit due to a bailout at the loop top.
+            // Most likely this was caused by a CheckFixedFld that was hoisted from a branch block where 
+            // only certain types flowed, to the loop top, where more types (different or non-equivalent)
+            // were flowing in.
+            profileInfo->DisableFieldPRE();
+        }
 #ifdef REJIT_STATS
         executeFunction->GetScriptContext()->LogRejit(executeFunction, rejitReason);
 #endif

lib/Backend/BailOut.h

@@ -27,8 +27,8 @@ class BailOutInfo
     BailOutInfo(uint32 bailOutOffset, Func* bailOutFunc) :
         bailOutOffset(bailOutOffset), bailOutFunc(bailOutFunc),
         byteCodeUpwardExposedUsed(nullptr), polymorphicCacheIndex((uint)-1), startCallCount(0), startCallInfo(nullptr), bailOutInstr(nullptr),
-        totalOutParamCount(0), argOutSyms(nullptr), bailOutRecord(nullptr), wasCloned(false), isInvertedBranch(false), sharedBailOutKind(true), outParamInlinedArgSlot(nullptr),
-        liveVarSyms(nullptr), liveLosslessInt32Syms(nullptr), liveFloat64Syms(nullptr),
+        totalOutParamCount(0), argOutSyms(nullptr), bailOutRecord(nullptr), wasCloned(false), isInvertedBranch(false), sharedBailOutKind(true), isLoopTopBailOutInfo(false),
+        outParamInlinedArgSlot(nullptr), liveVarSyms(nullptr), liveLosslessInt32Syms(nullptr), liveFloat64Syms(nullptr),
         branchConditionOpnd(nullptr),
         stackLiteralBailOutInfoCount(0), stackLiteralBailOutInfo(nullptr)
     {
@@ -70,6 +70,7 @@ class BailOutInfo
     bool wasCloned;
     bool isInvertedBranch;
     bool sharedBailOutKind;
+    bool isLoopTopBailOutInfo;
 
 #if DBG
     bool wasCopied;
@@ -201,9 +202,13 @@ class BailOutRecord
     {
         Normal = 0,
         Branch = 1,
-        Shared = 2
+        Shared = 2,
+        SharedForLoopTop = 3
     };
     BailoutRecordType GetType() { return type; }
+    void SetType(BailoutRecordType type) { this->type = type; }
+    bool IsShared() const { return type == Shared || type == SharedForLoopTop; }
+    bool IsForLoopTop() const { return type == SharedForLoopTop; }
 protected:
     struct BailOutReturnValue
     {

lib/Backend/FlowGraph.cpp

@@ -3345,6 +3345,19 @@ BasicBlock::IsLandingPad()
     return nextBlock && nextBlock->loop && nextBlock->isLoopHeader && nextBlock->loop->landingPad == this;
 }
 
+BailOutInfo *
+BasicBlock::CreateLoopTopBailOutInfo(GlobOpt * globOpt)
+{
+    IR::Instr * firstInstr = this->GetFirstInstr();
+    BailOutInfo* bailOutInfo = JitAnew(globOpt->func->m_alloc, BailOutInfo, firstInstr->GetByteCodeOffset(), firstInstr->m_func);
+    bailOutInfo->isLoopTopBailOutInfo = true;
+    globOpt->FillBailOutInfo(this, bailOutInfo);
+#if ENABLE_DEBUG_CONFIG_OPTIONS
+    bailOutInfo->bailOutOpcode = Js::OpCode::LoopBodyStart;
+#endif
+    return bailOutInfo;
+}
+
 IR::Instr *
 FlowGraph::RemoveInstr(IR::Instr *instr, GlobOpt * globOpt)
 {
@@ -4539,13 +4552,7 @@ BasicBlock::MergePredBlocksValueMaps(GlobOpt* globOpt)
         {
             // Capture bail out info in case we have optimization that needs it
             Assert(this->loop->bailOutInfo == nullptr);
-            IR::Instr * firstInstr = this->GetFirstInstr();
-            this->loop->bailOutInfo = JitAnew(globOpt->func->m_alloc, BailOutInfo,
-                firstInstr->GetByteCodeOffset(), firstInstr->m_func);
-            globOpt->FillBailOutInfo(this, this->loop->bailOutInfo);
-#if ENABLE_DEBUG_CONFIG_OPTIONS
-            this->loop->bailOutInfo->bailOutOpcode = Js::OpCode::LoopBodyStart;
-#endif
+            this->loop->bailOutInfo = this->CreateLoopTopBailOutInfo(globOpt);
         }
 
         // If loop pre-pass, don't insert convert from type-spec to var

lib/Backend/FlowGraph.h

@@ -346,6 +346,7 @@ class BasicBlock
     }
 
     bool IsLandingPad();
+    BailOutInfo * CreateLoopTopBailOutInfo(GlobOpt * globOpt);
 
     // GlobOpt Stuff
 public:

lib/Backend/GlobOptFields.cpp

@@ -117,6 +117,11 @@ GlobOpt::DoFieldPRE(Loop *loop) const
         return true;
     }
 
+    if (this->func->HasProfileInfo() && this->func->GetReadOnlyProfileInfo()->IsFieldPREDisabled())
+    {
+        return false;
+    }
+
     return DoFieldOpts(loop);
 }
 

lib/Backend/JITTimeProfileInfo.cpp

@@ -147,6 +147,7 @@ JITTimeProfileInfo::InitializeJITProfileData(
     data->flags |= profileInfo->IsPowIntIntTypeSpecDisabled() ? Flags_disablePowIntIntTypeSpec : 0;
     data->flags |= profileInfo->IsTagCheckDisabled() ? Flags_disableTagCheck : 0;
     data->flags |= profileInfo->IsOptimizeTryFinallyDisabled() ? Flags_disableOptimizeTryFinally : 0;
+    data->flags |= profileInfo->IsFieldPREDisabled() ? Flags_disableFieldPRE : 0;
 }
 
 const Js::LdLenInfo *
@@ -509,6 +510,12 @@ JITTimeProfileInfo::IsOptimizeTryFinallyDisabled() const
     return TestFlag(Flags_disableOptimizeTryFinally);
 }
 
+bool
+JITTimeProfileInfo::IsFieldPREDisabled() const
+{
+    return TestFlag(Flags_disableFieldPRE);
+}
+
 bool
 JITTimeProfileInfo::HasLdFldCallSiteInfo() const
 {

lib/Backend/JITTimeProfileInfo.h

@@ -67,6 +67,7 @@ class JITTimeProfileInfo
     bool IsPowIntIntTypeSpecDisabled() const;
     bool IsTagCheckDisabled() const;
     bool IsOptimizeTryFinallyDisabled() const;
+    bool IsFieldPREDisabled() const;
 
 private:
     enum ProfileDataFlags : int64
@@ -108,7 +109,8 @@ class JITTimeProfileInfo
         Flags_disableLoopImplicitCallInfo = 1ll << 33,
         Flags_disablePowIntIntTypeSpec = 1ll << 34,
         Flags_disableTagCheck = 1ll << 35,
-        Flags_disableOptimizeTryFinally = 1ll << 36
+        Flags_disableOptimizeTryFinally = 1ll << 36,
+        Flags_disableFieldPRE = 1ll << 37
     };
 
     Js::ProfileId GetProfiledArrayCallSiteCount() const;

lib/Backend/Lower.cpp

@@ -13495,7 +13495,7 @@ Lowerer::GenerateBailOut(IR::Instr * instr, IR::BranchInstr * branchInstr, IR::L
                 indexOpnd, IR::IntConstOpnd::New(bailOutInfo->polymorphicCacheIndex, TyUint32, this->m_func), instr, false);
         }
 
-        if (bailOutInfo->bailOutRecord->GetType() == BailOutRecord::BailoutRecordType::Shared)
+        if (bailOutInfo->bailOutRecord->IsShared())
         {
             IR::Opnd *functionBodyOpnd;
             if (this->m_func->IsOOPJIT())
@@ -13629,6 +13629,10 @@ Lowerer::GenerateBailOut(IR::Instr * instr, IR::BranchInstr * branchInstr, IR::L
         {
             bailOutRecord = NativeCodeDataNewZ(this->m_func->GetNativeCodeDataAllocator(),
                 SharedBailOutRecord, bailOutInfo->bailOutOffset, bailOutInfo->polymorphicCacheIndex, instr->GetBailOutKind(), bailOutInfo->bailOutFunc);
+            if (bailOutInfo->isLoopTopBailOutInfo)
+            {
+                bailOutRecord->SetType(BailOutRecord::BailoutRecordType::SharedForLoopTop);
+            }
         }
         else
         {

lib/Runtime/Language/DynamicProfileInfo.cpp

@@ -1735,6 +1735,7 @@ namespace Js
                 _u(" disableStackArgOpt : %s\n")
                 _u(" disableTagCheck : %s\n")
                 _u(" disableOptimizeTryFinally : %s\n"),
+                _u(" disableFieldPRE : %s\n"),
                 IsTrueOrFalse(this->bits.disableAggressiveIntTypeSpec),
                 IsTrueOrFalse(this->bits.disableAggressiveIntTypeSpec_jitLoopBody),
                 IsTrueOrFalse(this->bits.disableAggressiveMulIntTypeSpec),
@@ -1771,7 +1772,8 @@ namespace Js
                 IsTrueOrFalse(this->bits.disablePowIntIntTypeSpec),
                 IsTrueOrFalse(this->bits.disableStackArgOpt),
                 IsTrueOrFalse(this->bits.disableTagCheck),
-                IsTrueOrFalse(this->bits.disableOptimizeTryFinally));
+                IsTrueOrFalse(this->bits.disableOptimizeTryFinally),
+                IsTrueOrFalse(this->bits.disableFieldPRE));
         }
     }
 

lib/Runtime/Language/DynamicProfileInfo.h

@@ -568,6 +568,7 @@ namespace Js
             Field(bool) disableStackArgOpt : 1;
             Field(bool) disableTagCheck : 1;
             Field(bool) disableOptimizeTryFinally : 1;
+            Field(bool) disableFieldPRE : 1;
         };
         Field(Bits) bits;
 
@@ -868,6 +869,8 @@ namespace Js
         void DisableTagCheck() { this->bits.disableTagCheck = true; }
         bool IsOptimizeTryFinallyDisabled() const { return bits.disableOptimizeTryFinally; }
         void DisableOptimizeTryFinally() { this->bits.disableOptimizeTryFinally = true; }
+        bool IsFieldPREDisabled() const { return bits.disableFieldPRE; }
+        void DisableFieldPRE() { this->bits.disableFieldPRE = true; }
 
         static bool IsCallSiteNoInfo(Js::LocalFunctionId functionId) { return functionId == CallSiteNoInfo; }
         int IncRejitCount() { return this->rejitCount++; }