WebKit · webkit-commit-queue · May 20, 2023 · May 20, 2023
@@ -0,0 +1,16 @@
+//@requireOptions("--thresholdForFTLOptimizeSoon=0", "--validateAbstractInterpreterState=1")
+function foo() {
+    let a = Object;
+    let b = Object;
+    let c = Array.prototype;
+    for (let i = 0; i < 10; i++) {
+        for (let j = 0; j < 100; j++) {
+            let xs = [0, 1];
+            for (let x in xs) { }
+        }
+    }
+}
+
+for (let i = 0; i < 100; i++) {
+    foo();
+}
@@ -4614,6 +4614,7 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
             }
         }
         m_state.setNonCellTypeForTupleNode(node, 0, SpecInt32Only);
+        clearForNode(node);
         break;
     }
 

@@ -501,7 +501,7 @@ class ArgumentsEliminationPhase : public Phase {
     // object's payload. Conservatively this means that the stack region doesn't get stored to.
     void eliminateCandidatesThatInterfere()
     {
-        performLivenessAnalysis(m_graph);
+        performGraphPackingAndLivenessAnalysis(m_graph);
         m_graph.initializeNodeOwners();
         CombinedLiveness combinedLiveness(m_graph);
 

@@ -55,7 +55,7 @@ class CFAPhase : public Phase {
     {
         ASSERT(m_graph.m_form == ThreadedCPS || m_graph.m_form == SSA);
         ASSERT(m_graph.m_unificationState == GloballyUnified);
-        ASSERT(m_graph.m_refCountState == EverythingIsLive);
+        ASSERT(m_graph.m_refCountState == EverythingIsLive || Options::validateAbstractInterpreterState() && m_graph.m_refCountState == ExactRefCount);
 
         m_count = 0;
 

@@ -106,7 +106,14 @@ class FlowMap {
     ALWAYS_INLINE const T& at(unsigned nodeIndex, NodeFlowProjection::Kind kind) const { return const_cast<FlowMap*>(this)->at(nodeIndex, kind); }
     ALWAYS_INLINE const T& at(Node* node, NodeFlowProjection::Kind kind) const { return const_cast<FlowMap*>(this)->at(node, kind); }
     ALWAYS_INLINE const T& at(NodeFlowProjection projection) const { return const_cast<FlowMap*>(this)->at(projection); }
-
+
+    ALWAYS_INLINE void clear()
+    {
+        m_map.clear();
+        m_shadowMap.clear();
+        resize();
+    }
+
 private:
     Graph& m_graph;
     Vector<T, 0, UnsafeVectorOverflow> m_map;

@@ -685,6 +685,11 @@ void Graph::packNodeIndices()
     m_nodes.packIndices();
 }
 
+void Graph::clearAbstractValues()
+{
+    m_abstractValuesCache->clear();
+}
+
 void Graph::dethread()
 {
     if (m_form == LoadStore || m_form == SSA)

@@ -237,6 +237,7 @@ class Graph final : public virtual Scannable {
     unsigned maxNodeCount() const { return m_nodes.size(); }
     Node* nodeAt(unsigned index) const { return m_nodes[index]; }
     void packNodeIndices();
+    void clearAbstractValues();
 
     void dethread();
 

@@ -88,7 +88,6 @@ class InPlaceAbstractState {
 
     ALWAYS_INLINE void clearForNode(NodeFlowProjection node)
     {
-        ASSERT(!node->isTuple());
         AbstractValue& value = m_abstractValues.at(node);
         value.clear();
         value.m_effectEpoch = m_effectEpoch;

@@ -185,10 +185,12 @@ class LivenessAnalysisPhase : public Phase {
 
 } // anonymous namespace
 
-bool performLivenessAnalysis(Graph& graph)
+bool performGraphPackingAndLivenessAnalysis(Graph& graph)
 {
     graph.packNodeIndices();
-
+#ifndef NDEBUG
+    graph.clearAbstractValues();
+#endif
     return runPhase<LivenessAnalysisPhase>(graph);
 }
 

@@ -34,7 +34,7 @@ class Graph;
 
 // Computes BasicBlock::ssa->liveAtHead/liveAtTail.
 
-bool performLivenessAnalysis(Graph&);
+bool performGraphPackingAndLivenessAnalysis(Graph&);
 
 } } // namespace JSC::DFG
 

@@ -817,7 +817,7 @@ class ObjectAllocationSinkingPhase : public Phase {
         m_graph.computeRefCounts();
         m_graph.initializeNodeOwners();
         m_graph.ensureSSADominators();
-        performLivenessAnalysis(m_graph);
+        performGraphPackingAndLivenessAnalysis(m_graph);
         performOSRAvailabilityAnalysis(m_graph);
         m_combinedLiveness = CombinedLiveness(m_graph);
 

@@ -375,7 +375,7 @@ Plan::CompilationPath Plan::compileInThreadImpl()
 
         RUN_PHASE(performConstantHoisting);
         RUN_PHASE(performGlobalCSE);
-        RUN_PHASE(performLivenessAnalysis);
+        RUN_PHASE(performGraphPackingAndLivenessAnalysis);
         RUN_PHASE(performCFA);
         RUN_PHASE(performConstantFolding);
         RUN_PHASE(performCFGSimplification);
@@ -391,7 +391,7 @@ Plan::CompilationPath Plan::compileInThreadImpl()
         if (changed) {
             // State-at-tail and state-at-head will be invalid if we did strength reduction since
             // it might increase live ranges.
-            RUN_PHASE(performLivenessAnalysis);
+            RUN_PHASE(performGraphPackingAndLivenessAnalysis);
             RUN_PHASE(performCFA);
             RUN_PHASE(performConstantFolding);
             RUN_PHASE(performCFGSimplification);
@@ -402,7 +402,7 @@ Plan::CompilationPath Plan::compileInThreadImpl()
         // wrong with running LICM earlier, if we wanted to put other CFG transforms above this point.
         // Alternatively, we could run loop pre-header creation after SSA conversion - but if we did that
         // then we'd need to do some simple SSA fix-up.
-        RUN_PHASE(performLivenessAnalysis);
+        RUN_PHASE(performGraphPackingAndLivenessAnalysis);
         RUN_PHASE(performCFA);
         RUN_PHASE(performLICM);
 
@@ -413,7 +413,7 @@ Plan::CompilationPath Plan::compileInThreadImpl()
         // by IntegerRangeOptimization.
         //
         // Ideally, the dependencies should be explicit. See https://bugs.webkit.org/show_bug.cgi?id=157534.
-        RUN_PHASE(performLivenessAnalysis);
+        RUN_PHASE(performGraphPackingAndLivenessAnalysis);
         RUN_PHASE(performIntegerRangeOptimization);
 
         RUN_PHASE(performCleanUp);
@@ -424,14 +424,14 @@ Plan::CompilationPath Plan::compileInThreadImpl()
         // about code motion assumes that it's OK to insert GC points in random places.
         dfg.m_fixpointState = FixpointConverged;
 
-        RUN_PHASE(performLivenessAnalysis);
+        RUN_PHASE(performGraphPackingAndLivenessAnalysis);
         RUN_PHASE(performCFA);
         RUN_PHASE(performGlobalStoreBarrierInsertion);
         RUN_PHASE(performStoreBarrierClustering);
         RUN_PHASE(performCleanUp);
         RUN_PHASE(performDCE); // We rely on this to kill dead code that won't be recognized as dead by B3.
         RUN_PHASE(performStackLayout);
-        RUN_PHASE(performLivenessAnalysis);
+        RUN_PHASE(performGraphPackingAndLivenessAnalysis);
         RUN_PHASE(performOSRAvailabilityAnalysis);
 
         if (FTL::canCompile(dfg) == FTL::CannotCompile) {

@@ -41,6 +41,7 @@
 #include "CallFrameShuffler.h"
 #include "ClonedArguments.h"
 #include "DFGAbstractInterpreterInlines.h"
+#include "DFGCFAPhase.h"
 #include "DFGCapabilities.h"
 #include "DFGClobberize.h"
 #include "DFGDoesGC.h"
@@ -166,8 +167,9 @@ class LowerDFGToB3 {
         , m_state(state.graph)
         , m_interpreter(state.graph, m_state)
     {
-        if (Options::validateAbstractInterpreterState()) {
-            performLivenessAnalysis(m_graph);
+        if (UNLIKELY(Options::validateAbstractInterpreterState())) {
+            performGraphPackingAndLivenessAnalysis(m_graph);
+            performCFA(m_graph);
 
             // We only use node liveness here, not combined liveness, as we only track
             // AI state for live nodes.
@@ -615,7 +617,7 @@ class LowerDFGToB3 {
                 continue;
             if (node->op() == CheckInBoundsInt52)
                 continue;
-            if (node->op() == EnumeratorNextUpdateIndexAndMode) {
+            if (node->isTuple()) {
                 ASSERT(m_interpreter.hasClearedAbstractState(node));
                 continue;
             }
@@ -726,7 +728,7 @@ class LowerDFGToB3 {
         m_interpreter.startExecuting();
         m_interpreter.executeKnownEdgeTypes(m_node);
 
-        if (Options::validateAbstractInterpreterState())
+        if (UNLIKELY(Options::validateAbstractInterpreterState()))
             validateAIState(m_node);
 
         if constexpr (validateDFGDoesGC) {