Improve escape analysis

[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a
  constant
* Handling of JSStoreProperty: invalidate all information,
  as the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n

Committed: https://crrev.com/5b5821142bafd94733ae4c817260a74e13fa1090
Cr-Commit-Position: refs/heads/master@{#32656}

[sigurds, 2015-12-04 12:59:35]

Patchset #1 (id:1) has been deleted

[sigurds, 2015-12-04 13:01:44]

Patchset #1 (id:20001) has been deleted

[sigurds, 2015-12-04 13:17:37]

Description was changed from

==========
Fix deopt.


Fix a ton


Make phi escaping uses for alloc/finishregion


Fix --always-opt conseq and add unit test


Fix bug with loads.


Fix more old compilers.


Make old compilers happy


More comments


Comments.


Move stuff


Add unit tests


Add deopt support in back-end


Implement escape deopt on IR level

BUG=
==========

to

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixed bugs triggered
by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant.
* Handling of JSStoreProperty: invalidate all information, as
  the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

[sigurds, 2015-12-04 13:17:37]

sigurds@chromium.org changed reviewers:
+ mstarzinger@chromium.org

[sigurds, 2015-12-04 13:18:46]

Patchset #1 (id:40001) has been deleted

[sigurds, 2015-12-04 13:19:07]

Description was changed from

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixed bugs triggered
by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant.
* Handling of JSStoreProperty: invalidate all information, as
  the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

to

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant.
* Handling of JSStoreProperty: invalidate all information, as
  the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

[sigurds, 2015-12-04 13:19:20]

Description was changed from

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant.
* Handling of JSStoreProperty: invalidate all information, as
  the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

to

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant.
* Handling of JSStoreProperty: invalidate all information,
  as the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

[sigurds, 2015-12-04 13:20:43]

Description was changed from

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant.
* Handling of JSStoreProperty: invalidate all information,
  as the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

to

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant
* Handling of JSStoreProperty: invalidate all information,
  as the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

[sigurds, 2015-12-04 13:22:13]

Please take a look

[Michael Starzinger, 2015-12-04 13:39:39]

https://codereview.chromium.org/1499143002/diff/60001/src/compiler/escape-ana...
File src/compiler/escape-analysis.cc (right):

https://codereview.chromium.org/1499143002/diff/60001/src/compiler/escape-ana...
src/compiler/escape-analysis.cc:692: case IrOpcode::kJSStoreProperty:
I don't think special handling the JSStore operators here is the right approach.
Conceptually there is not much difference between a {JSStoreNamed} with the
receiver being an {Allocate} node and for example a {JSCallFunction} taking the
{Allocate} as an argument. I think the only scalable approach is treat all value
(i.e. non-effect) uses of the {Allocate} in the default case, because virtually
all JS-level operators behave like calls and need to be treated as escaping
uses.

https://codereview.chromium.org/1499143002/diff/60001/src/compiler/escape-ana...
src/compiler/escape-analysis.cc:988: // DebugPrintObject(object, from->id());
nit: Looks like leftover debug code, let's drop it.

[sigurds, 2015-12-07 10:16:08]

PTAL :)

https://codereview.chromium.org/1499143002/diff/60001/src/compiler/escape-ana...
File src/compiler/escape-analysis.cc (right):

https://codereview.chromium.org/1499143002/diff/60001/src/compiler/escape-ana...
src/compiler/escape-analysis.cc:692: case IrOpcode::kJSStoreProperty:
On 2015/12/04 13:39:39, Michael Starzinger wrote:
> I don't think special handling the JSStore operators here is the right
approach.
> Conceptually there is not much difference between a {JSStoreNamed} with the
> receiver being an {Allocate} node and for example a {JSCallFunction} taking
the
> {Allocate} as an argument. I think the only scalable approach is treat all
value
> (i.e. non-effect) uses of the {Allocate} in the default case, because
virtually
> all JS-level operators behave like calls and need to be treated as escaping
> uses.

Yes, the updated CL adresses the issue.

https://codereview.chromium.org/1499143002/diff/60001/src/compiler/escape-ana...
src/compiler/escape-analysis.cc:988: // DebugPrintObject(object, from->id());
On 2015/12/04 13:39:39, Michael Starzinger wrote:
> nit: Looks like leftover debug code, let's drop it.

Done.

[Michael Starzinger, 2015-12-07 13:03:04]

LGTM.

[sigurds, 2015-12-07 13:05:00]

The CQ bit was checked by sigurds@chromium.org

[commit-bot: I haz the power, 2015-12-07 13:05:11]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1499143002/100001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1499143002/100001

[commit-bot: I haz the power, 2015-12-07 13:28:58]

Description was changed from

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant
* Handling of JSStoreProperty: invalidate all information,
  as the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

to

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant
* Handling of JSStoreProperty: invalidate all information,
  as the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

[commit-bot: I haz the power, 2015-12-07 13:28:58]

Committed patchset #3 (id:100001)

[commit-bot: I haz the power, 2015-12-07 13:29:13]

Description was changed from

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a 
  constant
* Handling of JSStoreProperty: invalidate all information,
  as the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
==========

to

==========
[turbofan] Improve escape analysis

This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a
  constant
* Handling of JSStoreProperty: invalidate all information,
  as the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n

Committed: https://crrev.com/5b5821142bafd94733ae4c817260a74e13fa1090
Cr-Commit-Position: refs/heads/master@{#32656}
==========

[commit-bot: I haz the power, 2015-12-07 13:29:14]

Patchset 3 (id:??) landed as
https://crrev.com/5b5821142bafd94733ae4c817260a74e13fa1090
Cr-Commit-Position: refs/heads/master@{#32656}