[turbofan] Bailout for call sites w/o feedback.

If a JSCallFunction node doesn't have any callee information, either from feedback taken on input nodes, i.e. on property loads, or from the CallIC, we insert a soft deoptimization exit instead. R=jarin@chromium.org BUG=v8:5267 Review-Url: https://codereview.chromium.org/2361773002 Cr-Commit-Position: refs/heads/master@{#39619}

[turbofan] Bailout for call sites w/o feedback.
If a JSCallFunction node doesn't have any callee information, either from feedback taken on input nodes, i.e. on property loads, or from the CallIC, we insert a soft deoptimization exit instead. R=jarin@chromium.org BUG=v8:5267 Review-Url: https://codereview.chromium.org/2361773002 Cr-Commit-Position: refs/heads/master@{#39619}
b63de989 · bmeurer · Commit bot · 7c498d97 · b63de989 · b63de989
Commit b63de989 authored Sep 22, 2016 by bmeurer Committed by Commit bot Sep 22, 2016
Showing with 32 additions and 9 deletions

js-call-reducer.cc src/compiler/js-call-reducer.cc +14 -0

js-call-reducer.h src/compiler/js-call-reducer.h +8 -4

pipeline.cc src/compiler/pipeline.cc +9 -5

deoptimize-reason.h src/deoptimize-reason.h +1 -0

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -281,6 +281,20 @@ Reduction JSCallReducer::ReduceJSCallFunction(Node* node) {
  // Extract feedback from the {node} using the CallICNexus.
  if (!p.feedback().IsValid()) return NoChange();
  CallICNexus nexus(p.feedback().vector(), p.feedback().slot());
+  if (nexus.IsUninitialized() && (flags() & kBailoutOnUninitialized)) {
+    Node* frame_state = NodeProperties::FindFrameStateBefore(node);
+    Node* deoptimize = graph()->NewNode(
+        common()->Deoptimize(
+            DeoptimizeKind::kSoft,
+            DeoptimizeReason::kInsufficientTypeFeedbackForCall),
+        frame_state, effect, control);
+    // TODO(bmeurer): This should be on the AdvancedReducer somehow.
+    NodeProperties::MergeControlToEnd(graph(), common(), deoptimize);
+    Revisit(graph()->end());
+    node->TrimInputCount(0);
+    NodeProperties::ChangeOp(node, common()->Dead());
+    return Changed(node);
+  }
  Handle<Object> feedback(nexus.GetFeedback(), isolate());
  if (feedback->IsAllocationSite()) {
    // Retrieve the Array function from the {node}.

--- a/src/compiler/js-call-reducer.h
+++ b/src/compiler/js-call-reducer.h
@@ -20,18 +20,22 @@ class SimplifiedOperatorBuilder;

 // Performs strength reduction on {JSCallConstruct} and {JSCallFunction} nodes,
 // which might allow inlining or other optimizations to be performed afterwards.
-class JSCallReducer final : public Reducer {
+class JSCallReducer final : public AdvancedReducer {
 public:
  // Flags that control the mode of operation.
  enum Flag {
    kNoFlags = 0u,
-    kDeoptimizationEnabled = 1u << 0,
+    kBailoutOnUninitialized = 1u << 0,
+    kDeoptimizationEnabled = 1u << 1
  };
  typedef base::Flags<Flag> Flags;

-  JSCallReducer(JSGraph* jsgraph, Flags flags,
+  JSCallReducer(Editor* editor, JSGraph* jsgraph, Flags flags,
                MaybeHandle<Context> native_context)
-      : jsgraph_(jsgraph), flags_(flags), native_context_(native_context) {}
+      : AdvancedReducer(editor),
+        jsgraph_(jsgraph),
+        flags_(flags),
+        native_context_(native_context) {}

  Reduction Reduce(Node* node) final;


--- a/src/compiler/pipeline.cc
+++ b/src/compiler/pipeline.cc
@@ -793,11 +793,15 @@ struct InliningPhase {
                                              data->common());
    CommonOperatorReducer common_reducer(&graph_reducer, data->graph(),
                                         data->common(), data->machine());
-    JSCallReducer call_reducer(data->jsgraph(),
-                               data->info()->is_deoptimization_enabled()
-                                   ? JSCallReducer::kDeoptimizationEnabled
-                                   : JSCallReducer::kNoFlags,
-                               data->native_context());
+    JSCallReducer::Flags call_reducer_flags = JSCallReducer::kNoFlags;
+    if (data->info()->is_bailout_on_uninitialized()) {
+      call_reducer_flags |= JSCallReducer::kBailoutOnUninitialized;
+    }
+    if (data->info()->is_deoptimization_enabled()) {
+      call_reducer_flags |= JSCallReducer::kDeoptimizationEnabled;
+    }
+    JSCallReducer call_reducer(&graph_reducer, data->jsgraph(),
+                               call_reducer_flags, data->native_context());
    JSContextSpecialization context_specialization(
        &graph_reducer, data->jsgraph(),
        data->info()->is_function_context_specializing()

--- a/src/deoptimize-reason.h
+++ b/src/deoptimize-reason.h
@@ -23,6 +23,7 @@ namespace internal {
  V(ForcedDeoptToRuntime, "Forced deopt to runtime")                          \
  V(Hole, "hole")                                                             \
  V(InstanceMigrationFailed, "instance migration failed")                     \
+  V(InsufficientTypeFeedbackForCall, "Insufficient type feedback for call")   \
  V(InsufficientTypeFeedbackForCallWithArguments,                             \
    "Insufficient type feedback for call with arguments")                     \
  V(FastPathFailed, "Falling off the fast path")                              \