1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
|
/*
* Copyright (C) 2011 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef DFGAbstractState_h
#define DFGAbstractState_h
#include <wtf/Platform.h>
#if ENABLE(DFG_JIT)
#include "DFGAbstractValue.h"
#include "DFGGraph.h"
#include "DFGNode.h"
#include <wtf/Vector.h>
namespace JSC {
class CodeBlock;
namespace DFG {
struct BasicBlock;
// This implements the notion of an abstract state for flow-sensitive intraprocedural
// control flow analysis (CFA), with a focus on the elimination of redundant type checks.
// It also implements most of the mechanisms of abstract interpretation that such an
// analysis would use. This class should be used in two idioms:
//
// 1) Performing the CFA. In this case, AbstractState should be run over all basic
// blocks repeatedly until convergence is reached. Convergence is defined by
// endBasicBlock(AbstractState::MergeToSuccessors) returning false for all blocks.
//
// 2) Rematerializing the results of a previously executed CFA. In this case,
// AbstractState should be run over whatever basic block you're interested in up
// to the point of the node at which you'd like to interrogate the known type
// of all other nodes. At this point it's safe to discard the AbstractState entirely,
// call reset(), or to run it to the end of the basic block and call
// endBasicBlock(AbstractState::DontMerge). The latter option is safest because
// it performs some useful integrity checks.
//
// After the CFA is run, the inter-block state is saved at the heads and tails of all
// basic blocks. This allows the intra-block state to be rematerialized by just
// executing the CFA for that block. If you need to know inter-block state only, then
// you only need to examine the BasicBlock::m_valuesAtHead or m_valuesAtTail fields.
//
// Running this analysis involves the following, modulo the inter-block state
// merging and convergence fixpoint:
//
// AbstractState state(codeBlock, graph);
// state.beginBasicBlock(basicBlock);
// bool endReached = true;
// for (NodeIndex idx = basicBlock.begin; idx < basicBlock.end; ++idx) {
// if (!state.execute(idx))
// break;
// }
// bool result = state.endBasicBlock(<either Merge or DontMerge>);
class AbstractState {
public:
enum MergeMode {
// Don't merge the state in AbstractState with basic blocks.
DontMerge,
// Merge the state in AbstractState with the tail of the basic
// block being analyzed.
MergeToTail,
// Merge the state in AbstractState with the tail of the basic
// block, and with the heads of successor blocks.
MergeToSuccessors
};
enum BranchDirection {
// This is not a branch and so there is no branch direction, or
// the branch direction has yet to be set.
InvalidBranchDirection,
// The branch takes the true case.
TakeTrue,
// The branch takes the false case.
TakeFalse,
// For all we know, the branch could go either direction, so we
// have to assume the worst.
TakeBoth
};
static const char* branchDirectionToString(BranchDirection branchDirection)
{
switch (branchDirection) {
case InvalidBranchDirection:
return "Invalid";
case TakeTrue:
return "TakeTrue";
case TakeFalse:
return "TakeFalse";
case TakeBoth:
return "TakeBoth";
}
}
AbstractState(Graph&);
~AbstractState();
AbstractValue& forNode(NodeIndex nodeIndex)
{
return m_nodes[nodeIndex];
}
AbstractValue& forNode(Edge nodeUse)
{
return forNode(nodeUse.index());
}
Operands<AbstractValue>& variables()
{
return m_variables;
}
// Call this before beginning CFA to initialize the abstract values of
// arguments, and to indicate which blocks should be listed for CFA
// execution.
static void initialize(Graph&);
// Start abstractly executing the given basic block. Initializes the
// notion of abstract state to what we believe it to be at the head
// of the basic block, according to the basic block's data structures.
// This method also sets cfaShouldRevisit to false.
void beginBasicBlock(BasicBlock*);
// Finish abstractly executing a basic block. If MergeToTail or
// MergeToSuccessors is passed, then this merges everything we have
// learned about how the state changes during this block's execution into
// the block's data structures. There are three return modes, depending
// on the value of mergeMode:
//
// DontMerge:
// Always returns false.
//
// MergeToTail:
// Returns true if the state of the block at the tail was changed.
// This means that you must call mergeToSuccessors(), and if that
// returns true, then you must revisit (at least) the successor
// blocks. False will always be returned if the block is terminal
// (i.e. ends in Throw or Return, or has a ForceOSRExit inside it).
//
// MergeToSuccessors:
// Returns true if the state of the block at the tail was changed,
// and, if the state at the heads of successors was changed.
// A true return means that you must revisit (at least) the successor
// blocks. This also sets cfaShouldRevisit to true for basic blocks
// that must be visited next.
//
// If you'd like to know what direction the branch at the end of the
// basic block is thought to have taken, you can pass a non-0 pointer
// for BranchDirection.
bool endBasicBlock(MergeMode, BranchDirection* = 0);
// Reset the AbstractState. This throws away any results, and at this point
// you can safely call beginBasicBlock() on any basic block.
void reset();
// Abstractly executes the given node. The new abstract state is stored into an
// abstract register file stored in *this. Loads of local variables (that span
// basic blocks) interrogate the basic block's notion of the state at the head.
// Stores to local variables are handled in endBasicBlock(). This returns true
// if execution should continue past this node. Notably, it will return true
// for block terminals, so long as those terminals are not Return or variants
// of Throw.
bool execute(unsigned);
// Is the execution state still valid? This will be false if execute() has
// returned false previously.
bool isValid() const { return m_isValid; }
// Merge the abstract state stored at the first block's tail into the second
// block's head. Returns true if the second block's state changed. If so,
// that block must be abstractly interpreted again. This also sets
// to->cfaShouldRevisit to true, if it returns true, or if to has not been
// visited yet.
bool merge(BasicBlock* from, BasicBlock* to);
// Merge the abstract state stored at the block's tail into all of its
// successors. Returns true if any of the successors' states changed. Note
// that this is automatically called in endBasicBlock() if MergeMode is
// MergeToSuccessors.
bool mergeToSuccessors(Graph&, BasicBlock*, BranchDirection);
void dump(FILE* out);
private:
void clobberWorld(const CodeOrigin&, unsigned indexInBlock);
void clobberStructures(unsigned indexInBlock);
bool mergeStateAtTail(AbstractValue& destination, AbstractValue& inVariable, NodeIndex);
static bool mergeVariableBetweenBlocks(AbstractValue& destination, AbstractValue& source, NodeIndex destinationNodeIndex, NodeIndex sourceNodeIndex);
void speculateInt32Unary(Node& node, bool forceCanExit = false)
{
AbstractValue& childValue = forNode(node.child1());
node.setCanExit(forceCanExit || !isInt32Prediction(childValue.m_type));
childValue.filter(PredictInt32);
}
void speculateNumberUnary(Node& node)
{
AbstractValue& childValue = forNode(node.child1());
node.setCanExit(!isNumberPrediction(childValue.m_type));
childValue.filter(PredictNumber);
}
void speculateBooleanUnary(Node& node)
{
AbstractValue& childValue = forNode(node.child1());
node.setCanExit(!isBooleanPrediction(childValue.m_type));
childValue.filter(PredictBoolean);
}
void speculateInt32Binary(Node& node, bool forceCanExit = false)
{
AbstractValue& childValue1 = forNode(node.child1());
AbstractValue& childValue2 = forNode(node.child2());
node.setCanExit(
forceCanExit
|| !isInt32Prediction(childValue1.m_type)
|| !isInt32Prediction(childValue2.m_type));
childValue1.filter(PredictInt32);
childValue2.filter(PredictInt32);
}
void speculateNumberBinary(Node& node)
{
AbstractValue& childValue1 = forNode(node.child1());
AbstractValue& childValue2 = forNode(node.child2());
node.setCanExit(
!isNumberPrediction(childValue1.m_type)
|| !isNumberPrediction(childValue2.m_type));
childValue1.filter(PredictNumber);
childValue2.filter(PredictNumber);
}
CodeBlock* m_codeBlock;
Graph& m_graph;
Vector<AbstractValue, 64> m_nodes;
Operands<AbstractValue> m_variables;
BasicBlock* m_block;
bool m_haveStructures;
bool m_foundConstants;
bool m_isValid;
BranchDirection m_branchDirection; // This is only set for blocks that end in Branch and that execute to completion (i.e. m_isValid == true).
};
} } // namespace JSC::DFG
#endif // ENABLE(DFG_JIT)
#endif // DFGAbstractState_h
|
