| blob | f93329ee4546da51e23289501d3b79aaf4e4c56b |
1 //* -*- Mode: c++; c-basic-offset: 4; tab-width: 40; indent-tabs-mode: nil -*- */
2 /* vim: set ts=40 sw=4 et tw=99: */
3 /* ***** BEGIN LICENSE BLOCK *****
4 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
5 *
6 * The contents of this file are subject to the Mozilla Public License Version
7 * 1.1 (the "License"); you may not use this file except in compliance with
8 * the License. You may obtain a copy of the License at
9 * http://www.mozilla.org/MPL/
10 *
11 * Software distributed under the License is distributed on an "AS IS" basis,
12 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
13 * for the specific language governing rights and limitations under the
14 * License.
15 *
16 * The Original Code is the Mozilla SpiderMonkey bytecode type inference
17 *
18 * The Initial Developer of the Original Code is
19 * Mozilla Foundation
20 * Portions created by the Initial Developer are Copyright (C) 2010
21 * the Initial Developer. All Rights Reserved.
22 *
23 * Contributor(s):
24 * Brian Hackett <bhackett@mozilla.com>
25 *
26 * Alternatively, the contents of this file may be used under the terms of
27 * either of the GNU General Public License Version 2 or later (the "GPL"),
28 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
29 * in which case the provisions of the GPL or the LGPL are applicable instead
30 * of those above. If you wish to allow use of your version of this file only
31 * under the terms of either the GPL or the LGPL, and not to allow others to
32 * use your version of this file under the terms of the MPL, indicate your
33 * decision by deleting the provisions above and replace them with the notice
34 * and other provisions required by the GPL or the LGPL. If you do not delete
35 * the provisions above, a recipient may use your version of this file under
36 * the terms of any one of the MPL, the GPL or the LGPL.
37 *
38 * ***** END LICENSE BLOCK ***** */
40 /* Definitions related to javascript type inference. */
42 #ifndef jsinfer_h___
43 #define jsinfer_h___
56 }
61 /* Type set entry for either a JSObject with singleton type or a non-singleton TypeObject. */
65 };
67 /*
68 * Information about a single concrete type. We pack this into a single word,
69 * where small values are particular primitive or other singleton types, and
70 * larger values are either specific JS objects or type objects.
71 */
72 class Type
73 {
83 }
88 }
93 }
97 }
101 }
103 /* Accessors for types that are either JSObject or TypeObject. */
108 }
112 /* Accessors for JSObject types */
116 }
120 /* Accessors for TypeObject types */
124 }
144 }
149 };
151 /* Get the type of a jsval, or zero for an unknown special value. */
154 /*
155 * Type inference memory management overview.
156 *
157 * Inference constructs a global web of constraints relating the contents of
158 * type sets particular to various scripts and type objects within a
159 * compartment. This data can consume a significant amount of memory, and to
160 * avoid this building up we try to clear it with some regularity. On each GC
161 * which occurs while we are not actively working with inference or other
162 * analysis information, we clear out all generated constraints, all type sets
163 * describing stack types within scripts, and (normally) all data describing
164 * type objects for particular JS objects (see the lazy type objects overview
165 * below). JIT code depends on this data and is cleared as well.
166 *
167 * All this data is allocated into compartment->pool. Some type inference data
168 * lives across GCs: type sets for scripts and non-singleton type objects, and
169 * propeties for such type objects. This data is also allocated into
170 * compartment->pool, but everything still live is copied to a new arena on GC.
171 */
173 /*
174 * A constraint which listens to additions to a type set and propagates those
175 * changes to other type sets.
176 */
177 class TypeConstraint
178 {
180 #ifdef DEBUG
183 #else
185 #endif
187 /* Next constraint listening to the same type set. */
192 {
193 #ifdef DEBUG
195 #endif
196 }
198 /* Register a new type for the set this constraint is listening to. */
201 /*
202 * For constraints attached to an object property's type set, mark the
203 * property as having been configured or received an own property.
204 */
207 /*
208 * For constraints attached to the JSID_EMPTY type set on an object, mark a
209 * change in one of the object's dynamic property flags. If force is set,
210 * recompilation is always triggered.
211 */
213 };
215 /* Flags and other state stored in TypeSet::flags */
226 /* Mask/shift for the number of objects in objectSet */
229 TYPE_FLAG_OBJECT_COUNT_LIMIT =
232 /* Whether the contents of this type set are totally unknown. */
235 /* Mask of normal type flags on a type set. */
238 /* Flags for type sets which are on object properties. */
240 /*
241 * Whether there are subset constraints propagating the possible types
242 * for this property inherited from the object's prototypes. Reset on GC.
243 */
246 /* Whether this property has ever been directly written. */
249 /*
250 * Whether the property has ever been deleted or reconfigured to behave
251 * differently from a normal native property (e.g. made non-writable or
252 * given a scripted getter or setter).
253 */
256 /*
257 * Whether the property is definitely in a particular inline slot on all
258 * objects from which it has not been deleted or reconfigured. Implies
259 * OWN_PROPERTY and unlike OWN/CONFIGURED property, this cannot change.
260 */
263 /* If the property is definite, mask and shift storing the slot. */
266 };
269 /* Flags and other state stored in TypeObject::flags */
271 /* Objects with this type are functions. */
274 /* If set, newScript information should not be installed on this object. */
277 /*
278 * If set, type constraints covering the correctness of the newScript
279 * definite properties need to be regenerated before compiling any jitcode
280 * which depends on this information.
281 */
284 /*
285 * Whether we have ensured all type sets in the compartment contain
286 * ANYOBJECT instead of this object.
287 */
290 /* Mask/shift for the number of properties in propertySet */
293 OBJECT_FLAG_PROPERTY_COUNT_LIMIT =
296 /*
297 * Some objects are not dense arrays, or are dense arrays whose length
298 * property does not fit in an int32_t.
299 */
302 /* Whether any objects this represents are not packed arrays. */
305 /* Whether any objects this represents are not typed arrays. */
308 /* Whether any represented script is considered uninlineable. */
311 /* Whether any objects have an equality hook. */
314 /* Whether any objects have been iterated over. */
317 /* Outer function which has been marked reentrant. */
320 /* For a global object, whether flags were set on the RegExpStatics. */
323 /* Flags which indicate dynamic properties of represented objects. */
326 /*
327 * Whether all properties of this object are considered unknown.
328 * If set, all flags in DYNAMIC_MASK will also be set.
329 */
332 /* Mask for objects created with unknown properties. */
333 OBJECT_FLAG_UNKNOWN_MASK =
334 OBJECT_FLAG_DYNAMIC_MASK
335 | OBJECT_FLAG_UNKNOWN_PROPERTIES
336 | OBJECT_FLAG_SETS_MARKED_UNKNOWN
337 };
340 /* Information about the set of types associated with an lvalue. */
341 class TypeSet
342 {
343 /* Flags for this type set. */
344 TypeFlags flags;
346 /* Possible objects this type set can represent. */
351 /* Chain of constraints which propagate changes out from this type set. */
356 {}
363 /* Whether this set contains a specific type. */
375 }
379 }
384 }
386 /*
387 * Add a type to this set, calling any constraint handlers if this is a new
388 * possible type.
389 */
392 /* Mark this type set as representing an own property or configured property. */
395 /*
396 * Iterate through the objects in this set. getObjectCount overapproximates
397 * in the hash case (see SET_ARRAY_SIZE in jsinferinlines.h), and getObject
398 * may return NULL.
399 */
409 }
413 }
419 FILTER_ALL_PRIMITIVES,
420 FILTER_NULL_VOID,
421 FILTER_VOID
422 };
424 /* Add specific kinds of constraints to this set. */
443 /*
444 * Make an type set with the specified debugging name, not embedded in
445 * another structure.
446 */
449 /*
450 * Methods for JIT compilation. If a script is currently being compiled
451 * (see AutoEnterCompilation) these will add constraints ensuring that if
452 * the return value change in the future due to new type information, the
453 * currently compiled script will be marked for recompilation.
454 */
456 /* Completely freeze the contents of this type set. */
459 /* Get any type tag which all values in this set must have. */
464 /* Whether the type set or a particular object has any of a set of flags. */
468 /*
469 * Watch for a generic object state change on a type object. This currently
470 * includes reallocations of slot pointers for global objects, and changes
471 * to newScript data on types.
472 */
475 /*
476 * For type sets on a property, return true if the property has any 'own'
477 * values assigned. If configurable is set, return 'true' if the property
478 * has additionally been reconfigured as non-configurable, non-enumerable
479 * or non-writable (this only applies to properties that have changed after
480 * having been created, not to e.g. properties non-writable on creation).
481 */
484 /* Get whether this type set is non-empty. */
487 /* Get whether this type set is known to be a subset of other. */
490 /*
491 * Get the typed array type of all objects in this set. Returns
492 * TypedArray::TYPE_MAX if the set contains different array types.
493 */
496 /* Get the single value which can appear in this type set, otherwise NULL. */
499 /* Whether all objects in this set are parented to a particular global. */
504 /*
505 * Whether a location with this TypeSet needs a write barrier (i.e., whether
506 * it can hold GC things). The type set is frozen if no barrier is needed.
507 */
510 /* The type set is frozen if no barrier is needed. */
516 }
518 };
520 /*
521 * Handler which persists information about dynamic types pushed within a
522 * script which can affect its behavior and are not covered by JOF_TYPESET ops,
523 * such as integer operations which overflow to a double. These persist across
524 * GCs, and are used to re-seed script types when they are reanalyzed.
525 */
526 struct TypeResult
527 {
529 Type type;
534 {}
535 };
537 /*
538 * Type barriers overview.
539 *
540 * Type barriers are a technique for using dynamic type information to improve
541 * the inferred types within scripts. At certain opcodes --- those with the
542 * JOF_TYPESET format --- we will construct a type set storing the set of types
543 * which we have observed to be pushed at that opcode, and will only use those
544 * observed types when doing propagation downstream from the bytecode. For
545 * example, in the following script:
546 *
547 * function foo(x) {
548 * return x.f + 10;
549 * }
550 *
551 * Suppose we know the type of 'x' and that the type of its 'f' property is
552 * either an int or float. To account for all possible behaviors statically,
553 * we would mark the result of the 'x.f' access as an int or float, as well
554 * as the result of the addition and the return value of foo (and everywhere
555 * the result of 'foo' is used). When dealing with polymorphic code, this is
556 * undesirable behavior --- the type imprecision surrounding the polymorphism
557 * will tend to leak to many places in the program.
558 *
559 * Instead, we will keep track of the types that have been dynamically observed
560 * to have been produced by the 'x.f', and only use those observed types
561 * downstream from the access. If the 'x.f' has only ever produced integers,
562 * we will treat its result as an integer and mark the result of foo as an
563 * integer.
564 *
565 * The set of observed types will be a subset of the set of possible types,
566 * and if the two sets are different, a type barriers will be added at the
567 * bytecode which checks the dynamic result every time the bytecode executes
568 * and makes sure it is in the set of observed types. If it is not, that
569 * observed set is updated, and the new type information is automatically
570 * propagated along the already-generated type constraints to the places
571 * where the result of the bytecode is used.
572 *
573 * Observing new types at a bytecode removes type barriers at the bytecode
574 * (this removal happens lazily, see ScriptAnalysis::pruneTypeBarriers), and if
575 * all type barriers at a bytecode are removed --- the set of observed types
576 * grows to match the set of possible types --- then the result of the bytecode
577 * no longer needs to be dynamically checked (unless the set of possible types
578 * grows, triggering the generation of new type barriers).
579 *
580 * Barriers are only relevant for accesses on properties whose types inference
581 * actually tracks (see propertySet comment under TypeObject). Accesses on
582 * other properties may be able to produce additional unobserved types even
583 * without a barrier present, and can only be compiled to jitcode with special
584 * knowledge of the property in question (e.g. for lengths of arrays, or
585 * elements of typed arrays).
586 */
588 /*
589 * Barrier introduced at some bytecode. These are added when, during inference,
590 * we block a type from being propagated as would normally be done for a subset
591 * constraint. The propagation is technically possible, but we suspect it will
592 * not happen dynamically and this type needs to be watched for. These are only
593 * added at reads of properties and at scripted call sites.
594 */
595 struct TypeBarrier
596 {
597 /* Next barrier on the same bytecode. */
600 /* Target type set into which propagation was blocked. */
603 /*
604 * Type which was not added to the target. If target ends up containing the
605 * type somehow, this barrier can be removed.
606 */
607 Type type;
609 /*
610 * If specified, this barrier can be removed if object has a non-undefined
611 * value in property id.
612 */
614 jsid singletonId;
619 {}
620 };
622 /* Type information about a property. */
623 struct Property
624 {
625 /* Identifier for this property, JSID_VOID for the aggregate integer index property. */
626 HeapId id;
628 /* Possible types for this property, including types inherited from prototypes. */
629 TypeSet types;
636 };
638 /*
639 * Information attached to a TypeObject if it is always constructed using 'new'
640 * on a particular script. This is used to manage state related to the definite
641 * properties on the type object: these definite properties depend on type
642 * information which could change as the script executes (e.g. a scripted
643 * setter is added to a prototype object), and we need to ensure both that the
644 * appropriate type constraints are in place when necessary, and that we can
645 * remove the definite property information and repair the JS stack if the
646 * constraints are violated.
647 */
648 struct TypeNewScript
649 {
650 HeapPtrFunction fun;
652 /* Allocation kind to use for newly constructed objects. */
655 /*
656 * Shape to use for newly constructed objects. Reflects all definite
657 * properties the object will have.
658 */
659 HeapPtrShape shape;
661 /*
662 * Order in which properties become initialized. We need this in case a
663 * scripted setter is added to one of the object's prototypes while it is
664 * in the middle of being initialized, so we can walk the stack and fixup
665 * any objects which look for in-progress objects which were prematurely
666 * set with their final shape. Initialization can traverse stack frames,
667 * in which case FRAME_PUSH/FRAME_POP are used.
668 */
671 SETPROP,
672 FRAME_PUSH,
673 FRAME_POP,
674 DONE
679 {}
680 };
685 };
687 /*
688 * Lazy type objects overview.
689 *
690 * Type objects which represent at most one JS object are constructed lazily.
691 * These include types for native functions, standard classes, scripted
692 * functions defined at the top level of global/eval scripts, and in some
693 * other cases. Typical web workloads often create many windows (and many
694 * copies of standard natives) and many scripts, with comparatively few
695 * non-singleton types.
696 *
697 * We can recover the type information for the object from examining it,
698 * so don't normally track the possible types of its properties as it is
699 * updated. Property type sets for the object are only constructed when an
700 * analyzed script attaches constraints to it: the script is querying that
701 * property off the object or another which delegates to it, and the analysis
702 * information is sensitive to changes in the property's type. Future changes
703 * to the property (whether those uncovered by analysis or those occurring
704 * in the VM) will treat these properties like those of any other type object.
705 *
706 * When a GC occurs, we wipe out all analysis information for all the
707 * compartment's scripts, so can destroy all properties on singleton type
708 * objects at the same time. If there is no reference on the stack to the
709 * type object itself, the type object is also destroyed, and the JS object
710 * reverts to having a lazy type.
711 */
713 /* Type information about an object accessed by a script. */
715 {
716 /* Prototype shared by objects using this type. */
717 HeapPtrObject proto;
719 /*
720 * Whether there is a singleton JS object with this type. That JS object
721 * must appear in type sets instead of this; we include the back reference
722 * here to allow reverting the JS object to a lazy type.
723 */
724 HeapPtrObject singleton;
726 /*
727 * Value held by singleton if this is a standin type for a singleton JS
728 * object whose type has not been constructed yet.
729 */
733 /* Flags for this object. */
734 TypeObjectFlags flags;
736 /*
737 * Estimate of the contribution of this object to the type sets it appears in.
738 * This is the sum of the sizes of those sets at the point when the object
739 * was added.
740 *
741 * When the contribution exceeds the CONTRIBUTION_LIMIT, any type sets the
742 * object is added to are instead marked as unknown. If we get to this point
743 * we are probably not adding types which will let us do meaningful optimization
744 * later, and we want to ensure in such cases that our time/space complexity
745 * is linear, not worst-case cubic as it would otherwise be.
746 */
750 /*
751 * If non-NULL, objects of this type have always been constructed using
752 * 'new' on the specified script, which adds some number of properties to
753 * the object in a definite order before the object escapes.
754 */
757 /*
758 * Properties of this object. This may contain JSID_VOID, representing the
759 * types of all integer indexes of the object, and/or JSID_EMPTY, holding
760 * constraints listening to changes to the object's state.
761 *
762 * The type sets in the properties of a type object describe the possible
763 * values that can be read out of that property in actual JS objects.
764 * Properties only account for native properties (those with a slot and no
765 * specialized getter hook) and the elements of dense arrays. For accesses
766 * on such properties, the correspondence is as follows:
767 *
768 * 1. If the type has unknownProperties(), the possible properties and
769 * value types for associated JSObjects are unknown.
770 *
771 * 2. Otherwise, for any JSObject obj with TypeObject type, and any jsid id
772 * which is a property in obj, before obj->getProperty(id) the property
773 * in type for id must reflect the result of the getProperty.
774 *
775 * There is an exception for properties of singleton JS objects which
776 * are undefined at the point where the property was (lazily) generated.
777 * In such cases the property type set will remain empty, and the
778 * 'undefined' type will only be added after a subsequent assignment or
779 * deletion. After these properties have been assigned a defined value,
780 * the only way they can become undefined again is after such an assign
781 * or deletion.
782 *
783 * We establish these by using write barriers on calls to setProperty and
784 * defineProperty which are on native properties, and by using the inference
785 * analysis to determine the side effects of code which is JIT-compiled.
786 */
789 /* If this is an interpreted function, the function object. */
790 HeapPtrFunction interpretedFunction;
792 #if JS_BITS_PER_WORD == 32
794 #endif
803 }
807 }
813 }
815 /*
816 * Get or create a property of this object. Only call this for properties which
817 * a script accesses explicitly. 'assign' indicates whether this is for an
818 * assignment, and the own types of the property will be used instead of
819 * aggregate types.
820 */
823 /* Get a property only if it already exists. */
829 /* Set flags on this object which are implied by the specified key. */
832 /*
833 * Get the global object which all objects of this type are parented to,
834 * or NULL if there is none known.
835 */
838 /* Helpers */
864 /*
865 * Type objects don't have explicit finalizers. Memory owned by a type
866 * object pending deletion is released when weak references are sweeped
867 * from all the compartment's type objects.
868 */
883 }
884 };
886 /*
887 * Entries for the per-compartment set of type objects which are the default
888 * 'new' or the lazy types of some prototype.
889 */
890 struct TypeObjectEntry
891 {
896 };
899 /* Whether to use a new type object when calling 'new' at script/pc. */
900 bool
903 /* Whether to use a new type object for an initializer opcode at script/pc. */
904 bool
907 /*
908 * Whether Array.prototype, or an object on its proto chain, has an
909 * indexed property.
910 */
911 bool
914 /*
915 * Type information about a callsite. this is separated from the bytecode
916 * information itself so we can handle higher order functions not called
917 * directly via a bytecode.
918 */
919 struct TypeCallsite
920 {
924 /* Whether this is a 'NEW' call. */
927 /* Types of each argument to the call. */
931 /* Types of the this variable. */
934 /* Type set receiving the return value of this call. */
939 };
941 /*
942 * Information attached to outer and inner function scripts nested in one
943 * another for tracking the reentrance state for outer functions. This state is
944 * used to generate fast accesses to the args and vars of the outer function.
945 *
946 * A function is non-reentrant if, at any point in time, only the most recent
947 * activation (i.e. call object) is live. An activation is live if either the
948 * activation is on the stack, or a transitive inner function parented to the
949 * activation is on the stack.
950 *
951 * Because inner functions can be (and, quite often, are) stored in object
952 * properties and it is difficult to build a fast and robust escape analysis
953 * to cope with such flow, we detect reentrance dynamically. For the outer
954 * function, we keep track of the call object for the most recent activation,
955 * and the number of frames for the function and its inner functions which are
956 * on the stack.
957 *
958 * If the outer function is called while frames associated with a previous
959 * activation are on the stack, the outer function is reentrant. If an inner
960 * function is called whose scope does not match the most recent activation,
961 * the outer function is reentrant.
962 *
963 * The situation gets trickier when there are several levels of nesting.
964 *
965 * function foo() {
966 * var a;
967 * function bar() {
968 * var b;
969 * function baz() { return a + b; }
970 * }
971 * }
972 *
973 * At calls to 'baz', we don't want to do the scope check for the activations
974 * of both 'foo' and 'bar', but rather 'bar' only. For this to work, a call to
975 * 'baz' which is a reentrant call on 'foo' must also be a reentrant call on
976 * 'bar'. When 'foo' is called, we clear the most recent call object for 'bar'.
977 */
978 struct TypeScriptNesting
979 {
980 /*
981 * If this is an inner function, the outer function. If non-NULL, this will
982 * be the immediate nested parent of the script (even if that parent has
983 * been marked reentrant). May be NULL even if the script has a nested
984 * parent, if NAME accesses cannot be tracked into the parent (either the
985 * script extends its scope with eval() etc., or the parent can make new
986 * scope chain objects with 'let' or 'with').
987 */
990 /* If this is an outer function, list of inner functions. */
993 /* Link for children list of parent. */
996 /* If this is an outer function, the most recent activation. */
999 /*
1000 * If this is an outer function, pointers to the most recent activation's
1001 * arguments and variables arrays. These could be referring either to stack
1002 * values in activeCall's frame (if it has not finished yet) or to the
1003 * internal slots of activeCall (if the frame has finished). Pointers to
1004 * these fields can be embedded directly in JIT code (though remember to
1005 * use 'addDependency == true' when calling resolveNameAccess).
1006 */
1010 /* Number of frames for this function on the stack. */
1015 };
1017 /* Construct nesting information for script wrt its parent. */
1020 /* Track nesting state when calling or finishing an outer/inner function. */
1024 /* Persistent type information for a script, retained across GCs. */
1025 class TypeScript
1026 {
1029 /* Analysis information for the script, cleared on each GC. */
1032 /*
1033 * Information about the scope in which a script executes. This information
1034 * is not set until the script has executed at least once and SetScope
1035 * called, before that 'global' will be poisoned per GLOBAL_MISSING_SCOPE.
1036 */
1039 /* Global object for the script, if compileAndGo. */
1044 /* Nesting state for outer or inner function scripts. */
1047 /* Dynamic types generated at points within this script. */
1054 /* Array of type type sets for variables and JOF_TYPESET ops. */
1066 /* Follows slot layout in jsanalyze.h, can get this/arg/local type sets. */
1069 #ifdef DEBUG
1070 /* Check that correct types were inferred for the values pushed by this bytecode. */
1071 static void CheckBytecode(JSContext *cx, JSScript *script, jsbytecode *pc, const js::Value *sp);
1072 #endif
1074 /* Get the default 'new' object for a given standard class, per the script's global. */
1077 /* Get a type object for an allocation site in this script. */
1078 static inline TypeObject *InitObject(JSContext *cx, JSScript *script, jsbytecode *pc, JSProtoKey kind);
1080 /*
1081 * Monitor a bytecode pushing a value which is not accounted for by the
1082 * inference type constraints, such as integer overflow.
1083 */
1093 /*
1094 * Monitor a bytecode pushing any value. This must be called for any opcode
1095 * which is JOF_TYPESET, and where either the script has not been analyzed
1096 * by type inference or where the pc has type barriers. For simplicity, we
1097 * always monitor JOF_TYPESET opcodes in the interpreter and stub calls,
1098 * and only look at barriers when generating JIT code for the script.
1099 */
1104 /* Monitor an assignment at a SETELEM on a non-integer identifier. */
1107 /* Add a type for a variable in a script. */
1111 static inline void SetLocal(JSContext *cx, JSScript *script, unsigned local, const js::Value &value);
1113 static inline void SetArgument(JSContext *cx, JSScript *script, unsigned arg, const js::Value &value);
1118 };
1121 typedef HashMap<ArrayTableKey,ReadBarriered<TypeObject>,ArrayTableKey,SystemAllocPolicy> ArrayTypeTable;
1125 typedef HashMap<ObjectTableKey,ObjectTableEntry,ObjectTableKey,SystemAllocPolicy> ObjectTypeTable;
1128 typedef HashMap<AllocationSiteKey,ReadBarriered<TypeObject>,AllocationSiteKey,SystemAllocPolicy> AllocationSiteTable;
1130 struct RecompileInfo
1131 {
1142 }
1143 };
1145 /* Type information for a compartment. */
1146 struct TypeCompartment
1147 {
1148 /* Constraint solving worklist structures. */
1150 /*
1151 * Worklist of types which need to be propagated to constraints. We use a
1152 * worklist to avoid blowing the native stack.
1153 */
1154 struct PendingWork
1155 {
1158 Type type;
1159 };
1164 /* Whether we are currently resolving the pending worklist. */
1167 /* Whether type inference is enabled in this compartment. */
1170 /*
1171 * Bit set if all current types must be marked as unknown, and all scripts
1172 * recompiled. Caused by OOM failure within inference operations.
1173 */
1176 /* Number of scripts in this compartment. */
1179 /* Pending recompilations to perform before execution of JIT code can resume. */
1182 /*
1183 * Number of recompilation events and inline frame expansions that have
1184 * occurred in this compartment. If these change, code should not count on
1185 * compiled code or the current stack being intact.
1186 */
1190 /*
1191 * Script currently being compiled. All constraints which look for type
1192 * changes inducing recompilation are keyed to this script. Note: script
1193 * compilation is not reentrant.
1194 */
1195 RecompileInfo compiledInfo;
1197 /* Table for referencing types of objects keyed to an allocation site. */
1200 /* Tables for determining types of singleton/JSON objects. */
1208 /* Logging fields */
1210 /* Counts of stack type sets with some number of possible operand types. */
1220 /* Add a type to register with a list of constraints. */
1224 /* Resolve pending type registrations, excluding delayed ones. */
1227 /* Prints results of this compartment if spew is enabled or force is set. */
1230 /*
1231 * Make a function or non-function object associated with an optional
1232 * script. The 'key' parameter here may be an array, typed array, function
1233 * or JSProto_Object to indicate a type whose class is unknown (not just
1234 * js_ObjectClass).
1235 */
1239 /* Make an object for an allocation site. */
1245 /* Mark all types as needing destruction once inference has 'finished'. */
1249 /* Mark a script as needing recompilation once inference has finished. */
1253 /* Monitor future effects on a bytecode. */
1257 /* Mark any type set containing obj as having a generic object type. */
1262 };
1267 SPEW_COUNT
1268 };
1270 #ifdef DEBUG
1280 /* Check that the type property for id in obj contains value. */
1283 #else
1292 #endif
1294 /* Print a warning, dump state and abort the program. */
1302 }