| blob | 17a5edecab4591caca6b7c5c261807b15ef44d19 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sts=4 et sw=4 tw=99:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Definitions related to javascript type inference. */
9 #ifndef jsinfer_h
10 #define jsinfer_h
31 class TaggedProto
32 {
43 }
45 /* Skip nullptr and LazyProto. */
47 }
51 }
55 }
63 };
67 {
69 };
72 {
75 };
78 {
81 };
84 class TaggedProtoOperations
85 {
88 }
97 };
101 {
105 }
106 };
110 {
114 }
115 };
119 /*
120 * Execution Mode Overview
121 *
122 * JavaScript code can execute either sequentially or in parallel, such as in
123 * PJS. Functions which behave identically in either execution mode can take a
124 * ThreadSafeContext, and functions which have similar but not identical
125 * behavior between execution modes can be templated on the mode. Such
126 * functions use a context parameter type from ExecutionModeTraits below
127 * indicating whether they are only permitted constrained operations (such as
128 * thread safety, and side effects limited to being thread-local), or whether
129 * they can have arbitrary side effects.
130 */
133 /* Normal JavaScript execution. */
134 SequentialExecution,
136 /*
137 * JavaScript code to be executed in parallel worker threads in PJS in a
138 * fork join fashion.
139 */
140 ParallelExecution,
142 /*
143 * Modes after this point are internal and are not counted in
144 * NumExecutionModes below.
145 */
147 /*
148 * MIR analysis performed when invoking 'new' on a script, to determine
149 * definite properties. Used by the optimizing JIT.
150 */
151 DefinitePropertiesAnalysis,
153 /*
154 * MIR analysis performed when executing a script which uses its arguments,
155 * when it is not known whether a lazy arguments value can be used.
156 */
157 ArgumentsUsageAnalysis
158 };
162 {
174 }
175 }
177 /*
178 * Not as part of the enum so we don't get warnings about unhandled enum
179 * values.
180 */
184 struct ExecutionModeTraits
185 {
186 };
189 {
194 };
197 {
202 };
208 }
216 /*
217 * Information about a single concrete type. We pack this into a single word,
218 * where small values are particular primitive or other singleton types, and
219 * larger values are either specific JS objects or type objects.
220 */
221 class Type
222 {
232 }
237 }
242 }
246 }
250 }
254 }
258 }
260 /* Accessors for types that are either JSObject or TypeObject. */
265 }
269 }
273 /* Accessors for JSObject types */
277 }
282 /* Accessors for TypeObject types */
286 }
308 }
315 };
317 /* Get the type of a jsval, or zero for an unknown special value. */
320 /*
321 * Get the type of a possibly optimized out value. This generally only
322 * happens on unconditional type monitors on bailing out of Ion, such as
323 * for argument and local types.
324 */
327 /*
328 * Type inference memory management overview.
329 *
330 * Type information about the values observed within scripts and about the
331 * contents of the heap is accumulated as the program executes. Compilation
332 * accumulates constraints relating type information on the heap with the
333 * compilations that should be invalidated when those types change. Type
334 * information and constraints are allocated in the zone's typeLifoAlloc,
335 * and on GC all data referring to live things is copied into a new allocator.
336 * Thus, type set and constraints only hold weak references.
337 */
339 /*
340 * A constraint which listens to additions to a type set and propagates those
341 * changes to other type sets.
342 */
343 class TypeConstraint
344 {
346 /* Next constraint listening to the same type set. */
351 {}
353 /* Debugging name for this kind of constraint. */
356 /* Register a new type for the set this constraint is listening to. */
359 /*
360 * For constraints attached to an object property's type set, mark the
361 * property as having changed somehow.
362 */
365 /*
366 * For constraints attached to the JSID_EMPTY type set on an object,
367 * indicate a change in one of the object's dynamic property flags or other
368 * state.
369 */
372 /*
373 * If the data this constraint refers to is still live, copy it into the
374 * zone's new allocator. Type constraints only hold weak references.
375 */
377 };
379 /* Flags and other state stored in TypeSet::flags */
391 /* Mask containing all primitives */
394 TYPE_FLAG_SYMBOL,
396 /* Mask/shift for the number of objects in objectSet */
399 TYPE_FLAG_OBJECT_COUNT_LIMIT =
402 /* Whether the contents of this type set are totally unknown. */
405 /* Mask of normal type flags on a type set. */
408 /* Additional flags for HeapTypeSet sets. */
410 /*
411 * Whether the property has ever been deleted or reconfigured to behave
412 * differently from a plain data property, other than making the property
413 * non-writable.
414 */
417 /* Whether the property has ever been made non-writable. */
420 /* Whether the property might not be constant. */
423 /*
424 * Whether the property is definitely in a particular slot on all objects
425 * from which it has not been deleted or reconfigured. For singletons
426 * this may be a fixed or dynamic slot, and for other objects this will be
427 * a fixed slot.
428 *
429 * If the property is definite, mask and shift storing the slot + 1.
430 * Otherwise these bits are clear.
431 */
434 };
437 /* Flags and other state stored in TypeObject::flags */
439 /* Whether this type object is associated with some allocation site. */
442 /*
443 * If set, the object's prototype might be in the nursery and can't be
444 * used during Ion compilation (which may be occurring off thread).
445 */
448 /*
449 * Whether we have ensured all type sets in the compartment contain
450 * ANYOBJECT instead of this object.
451 */
454 /* Mask/shift for the number of properties in propertySet */
457 OBJECT_FLAG_PROPERTY_COUNT_LIMIT =
460 /* Whether any objects this represents may have sparse indexes. */
463 /* Whether any objects this represents may not have packed dense elements. */
466 /*
467 * Whether any objects this represents may be arrays whose length does not
468 * fit in an int32.
469 */
472 /* Whether any objects have been iterated over. */
475 /* For a global object, whether flags were set on the RegExpStatics. */
478 /*
479 * For the function on a run-once script, whether the function has actually
480 * run multiple times.
481 */
484 /*
485 * Whether objects with this type should be allocated directly in the
486 * tenured heap.
487 */
490 /* Whether objects with this type might have copy on write elements. */
493 /*
494 * Whether all properties of this object are considered unknown.
495 * If set, all other flags in DYNAMIC_MASK will also be set.
496 */
499 /* Flags which indicate dynamic properties of represented objects. */
502 /* Mask for objects created with unknown properties. */
503 OBJECT_FLAG_UNKNOWN_MASK =
504 OBJECT_FLAG_DYNAMIC_MASK
505 | OBJECT_FLAG_SETS_MARKED_UNKNOWN
506 };
513 /*
514 * Information about the set of types associated with an lvalue. There are
515 * three kinds of type sets:
516 *
517 * - StackTypeSet are associated with TypeScripts, for arguments and values
518 * observed at property reads. These are implicitly frozen on compilation
519 * and do not have constraints attached to them.
520 *
521 * - HeapTypeSet are associated with the properties of TypeObjects. These
522 * may have constraints added to them to trigger invalidation of compiled
523 * code.
524 *
525 * - TemporaryTypeSet are created during compilation and do not outlive
526 * that compilation.
527 */
528 class TypeSet
529 {
531 /* Flags for this type set. */
532 TypeFlags flags;
534 /* Possible objects this type set can represent. */
541 {}
545 /* Whether this set contains a specific type. */
556 }
560 }
563 }
566 }
571 }
573 /* Join two type sets into a new set. The result should not be modified further. */
576 /* Add a type to this set using the specified allocator. */
579 /* Get a list of all types in this set. */
583 /*
584 * Iterate through the objects in this set. getObjectCount overapproximates
585 * in the hash case (see SET_ARRAY_SIZE in jsinferinlines.h), and getObject
586 * may return nullptr.
587 */
595 /* The Class of an object in this set. */
599 // Note: the cast is required to work around an MSVC issue.
601 }
606 }
608 /* Whether any values in this set might have the specified type. */
611 /*
612 * Get whether this type set is known to be a subset of other.
613 * This variant doesn't freeze constraints. That variant is called knownSubset
614 */
617 /*
618 * Get whether the objects in this TypeSet are a subset of the objects
619 * in other.
620 */
623 /* Forward all types in this set to the specified constraint. */
626 // Clone a type set into an arbitrary allocator.
630 // Create a new TemporaryTypeSet where undefined and/or null has been filtered out.
633 // Create a new TemporaryTypeSet where the type has been set to object.
636 // Trigger a read barrier on all the contents of a type set.
642 }
646 };
648 /* Superclass common to stack and heap type sets. */
650 {
652 /* Chain of constraints which propagate changes out from this type set. */
657 /*
658 * Add a type to this set, calling any constraint handlers if this is a new
659 * possible type.
660 */
663 /* Add a new constraint to this set. */
667 };
670 {
672 };
675 {
679 /* Mark this type set as representing a non-data property. */
683 /* Mark this type set as representing a non-writable property. */
686 // Mark this type set as being non-constant.
688 };
692 CompilerConstraintList*
696 {
704 }
706 /*
707 * Constraints for JIT compilation.
708 *
709 * Methods for JIT compilation. These must be used when a script is
710 * currently being compiled (see AutoEnterCompilation) and will add
711 * constraints ensuring that if the return value change in the future due
712 * to new type information, the script's jitcode will be discarded.
713 */
715 /* Get any type tag which all values in this set must have. */
720 /* Whether this value may be an object. */
723 /*
724 * Whether this typeset represents a potentially sentineled object value:
725 * the value may be an object or null or undefined.
726 * Returns false if the value cannot ever be an object.
727 */
734 }
736 /* Whether the type set contains objects with any of a set of flags. */
739 /* Get the class shared by all objects in this set, or nullptr. */
742 /* Result returned from forAllClasses */
748 // and true for others, or set contains an unknown or non-object
749 // type
750 };
752 /* Apply func to the members of the set and return an appropriate result.
753 * The iteration may end early if the result becomes known early.
754 */
757 /* Get the prototype shared by all objects in this set, or nullptr. */
760 /* Get the typed array type of all objects in this set, or TypedArrayObject::TYPE_MAX. */
763 /* Whether all objects have JSCLASS_IS_DOMJSCLASS set. */
766 /* Whether clasp->isCallable() is true for one or more objects in this set. */
769 /* Whether clasp->emulatesUndefined() is true for one or more objects in this set. */
772 /* Get the single value which can appear in this type set, otherwise nullptr. */
775 /* Whether any objects in the type set needs a barrier on id. */
778 /* Whether any objects in the type set might treat id as a constant property. */
782 /*
783 * Whether this set contains all types in other, except (possibly) the
784 * specified type.
785 */
789 /* All types in the set should use eager double conversion. */
790 AlwaysConvertToDoubles,
792 /* Some types in the set should use eager double conversion. */
793 MaybeConvertToDoubles,
795 /* No types should use eager double conversion. */
796 DontConvertToDoubles,
798 /* Some types should use eager double conversion, others cannot. */
799 AmbiguousDoubleConversion
800 };
802 /*
803 * Whether known double optimizations are possible for element accesses on
804 * objects in this type set.
805 */
807 };
809 bool
812 bool
816 /* Is this a reasonable PC to be doing inlining on? */
819 /* Type information about a property. */
820 struct Property
821 {
822 /* Identifier for this property, JSID_VOID for the aggregate integer index property. */
823 HeapId id;
825 /* Possible types for this property, including types inherited from prototypes. */
826 HeapTypeSet types;
830 {}
834 {}
838 };
840 /*
841 * Information attached to a TypeObject if it is always constructed using 'new'
842 * on a particular script. This is used to manage state related to the definite
843 * properties on the type object: these definite properties depend on type
844 * information which could change as the script executes (e.g. a scripted
845 * setter is added to a prototype object), and we need to ensure both that the
846 * appropriate type constraints are in place when necessary, and that we can
847 * remove the definite property information and repair the JS stack if the
848 * constraints are violated.
849 */
850 struct TypeNewScript
851 {
852 HeapPtrFunction fun;
854 /*
855 * Template object to use for newly constructed objects. Reflects all
856 * definite properties the object will have and the allocation kind to use
857 * for the object. The allocation kind --- and template object itself ---
858 * is subject to change if objects allocated with this type are given
859 * dynamic slots later on due to new properties being added after the
860 * constructor function finishes.
861 */
862 HeapPtrObject templateObject;
864 /*
865 * Order in which properties become initialized. We need this in case a
866 * scripted setter is added to one of the object's prototypes while it is
867 * in the middle of being initialized, so we can walk the stack and fixup
868 * any objects which look for in-progress objects which were prematurely
869 * set with their final shape. Property assignments in inner frames are
870 * preceded by a series of SETPROP_FRAME entries specifying the stack down
871 * to the frame containing the write.
872 */
875 SETPROP,
876 SETPROP_FRAME,
877 DONE
882 {}
883 };
888 };
890 /*
891 * Lazy type objects overview.
892 *
893 * Type objects which represent at most one JS object are constructed lazily.
894 * These include types for native functions, standard classes, scripted
895 * functions defined at the top level of global/eval scripts, and in some
896 * other cases. Typical web workloads often create many windows (and many
897 * copies of standard natives) and many scripts, with comparatively few
898 * non-singleton types.
899 *
900 * We can recover the type information for the object from examining it,
901 * so don't normally track the possible types of its properties as it is
902 * updated. Property type sets for the object are only constructed when an
903 * analyzed script attaches constraints to it: the script is querying that
904 * property off the object or another which delegates to it, and the analysis
905 * information is sensitive to changes in the property's type. Future changes
906 * to the property (whether those uncovered by analysis or those occurring
907 * in the VM) will treat these properties like those of any other type object.
908 */
910 /* Type information about an object accessed by a script. */
912 {
914 /* Class shared by object using this type. */
917 /* Prototype shared by objects using this type. */
918 HeapPtrObject proto_;
920 /*
921 * Whether there is a singleton JS object with this type. That JS object
922 * must appear in type sets instead of this; we include the back reference
923 * here to allow reverting the JS object to a lazy type.
924 */
925 HeapPtrObject singleton_;
931 }
936 }
940 }
944 }
946 // For use during marking, don't call otherwise.
953 }
957 }
959 /*
960 * Value held by singleton if this is a standin type for a singleton JS
961 * object whose type has not been constructed yet.
962 */
967 /* Flags for this object. */
968 TypeObjectFlags flags_;
970 /*
971 * If specified, holds information about properties which are definitely
972 * added to objects of this type after being constructed by a particular
973 * script.
974 */
975 HeapPtrTypeNewScript newScript_;
981 }
985 }
989 }
993 }
998 /*
999 * Properties of this object. This may contain JSID_VOID, representing the
1000 * types of all integer indexes of the object, and/or JSID_EMPTY, holding
1001 * constraints listening to changes to the object's state.
1002 *
1003 * The type sets in the properties of a type object describe the possible
1004 * values that can be read out of that property in actual JS objects.
1005 * Properties only account for native properties (those with a slot and no
1006 * specialized getter hook) and the elements of dense arrays. For accesses
1007 * on such properties, the correspondence is as follows:
1008 *
1009 * 1. If the type has unknownProperties(), the possible properties and
1010 * value types for associated JSObjects are unknown.
1011 *
1012 * 2. Otherwise, for any JSObject obj with TypeObject type, and any jsid id
1013 * which is a property in obj, before obj->getProperty(id) the property
1014 * in type for id must reflect the result of the getProperty.
1015 *
1016 * There is an exception for properties of global JS objects which
1017 * are undefined at the point where the property was (lazily) generated.
1018 * In such cases the property type set will remain empty, and the
1019 * 'undefined' type will only be added after a subsequent assignment or
1020 * deletion. After these properties have been assigned a defined value,
1021 * the only way they can become undefined again is after such an assign
1022 * or deletion.
1023 *
1024 * There is another exception for array lengths, which are special cased
1025 * by the compiler and VM and are not reflected in property types.
1026 *
1027 * We establish these by using write barriers on calls to setProperty and
1028 * defineProperty which are on native properties, and on any jitcode which
1029 * might update the property with a new type.
1030 */
1034 /* If this is an interpreted function, the function object. */
1035 HeapPtrFunction interpretedFunction;
1037 #if JS_BITS_PER_WORD == 32
1039 #endif
1046 }
1050 }
1056 }
1060 }
1064 }
1069 // Only types associated with particular allocation sites or 'new'
1070 // scripts can be marked as needing pretenuring. Other types can be
1071 // used for different purposes across the compartment and can't use
1072 // this bit reliably.
1076 }
1081 }
1083 /*
1084 * Get or create a property of this object. Only call this for properties which
1085 * a script accesses explicitly.
1086 */
1089 /* Get a property only if it already exists. */
1095 /* Helpers */
1120 /*
1121 * Type objects don't have explicit finalizers. Memory owned by a type
1122 * object pending deletion is released when weak references are sweeped
1123 * from all the compartment's type objects.
1124 */
1131 }
1135 }
1143 }
1144 };
1146 /*
1147 * Entries for the per-compartment set of type objects which are 'new' types to
1148 * use for some prototype and constructed with an optional script. This also
1149 * includes entries for the set of lazy type objects in the compartment, which
1150 * use a null script (though there are only a few of these per compartment).
1151 */
1152 struct TypeObjectWithNewScriptEntry
1153 {
1154 ReadBarrieredTypeObject object;
1156 // Note: This pointer is only used for equality and does not need a read barrier.
1161 {}
1165 TaggedProto hashProto;
1166 TaggedProto matchProto;
1171 {}
1173 #ifdef JSGC_GENERATIONAL
1174 /*
1175 * For use by generational post barriers only. Look up an entry whose
1176 * proto has been moved, but was hashed with the original value.
1177 */
1178 Lookup(const Class* clasp, TaggedProto hashProto, TaggedProto matchProto, JSFunction* newFunction)
1180 {}
1181 #endif
1183 };
1187 static void rekey(TypeObjectWithNewScriptEntry& k, const TypeObjectWithNewScriptEntry& newKey) { k = newKey; }
1188 };
1190 TypeObjectWithNewScriptEntry,
1193 /* Whether to use a new type object when calling 'new' at script/pc. */
1194 bool
1197 bool
1200 /*
1201 * Whether Array.prototype, or an object on its proto chain, has an
1202 * indexed property.
1203 */
1204 bool
1207 /* Whether obj or any of its prototypes have an indexed property. */
1208 bool
1209 TypeCanHaveExtraIndexedProperties(CompilerConstraintList* constraints, TemporaryTypeSet* types);
1211 /* Persistent type information for a script, retained across GCs. */
1212 class TypeScript
1213 {
1216 // Variable-size array
1220 /* Array of type type sets for variables and JOF_TYPESET ops. */
1222 // Ensure typeArray_ is the last data member of TypeScript.
1226 }
1229 // Ensure typeArray_ is the last data member of TypeScript.
1233 }
1240 /* Get the type set for values observed at an opcode. */
1247 /* Get a type object for an allocation site in this script. */
1249 JSProtoKey kind);
1251 /*
1252 * Monitor a bytecode pushing any value. This must be called for any opcode
1253 * which is JOF_TYPESET, and where either the script has not been analyzed
1254 * by type inference or where the pc has type barriers. For simplicity, we
1255 * always monitor JOF_TYPESET opcodes in the interpreter and stub calls,
1256 * and only look at barriers when generating JIT code for the script.
1257 */
1262 /* Monitor an assignment at a SETELEM on a non-integer identifier. */
1265 /* Add a type for a variable in a script. */
1272 /*
1273 * Freeze all the stack type sets in a script, for a compilation. Returns
1274 * copies of the type sets which will be checked against the actual ones
1275 * under FinishCompilation, to detect any type changes.
1276 */
1289 }
1291 #ifdef DEBUG
1293 #endif
1294 };
1296 void
1299 JSObject*
1302 JSObject*
1307 // Allocate a CompilerOutput for a finished compilation and generate the type
1308 // constraints for the compilation. Returns whether the type constraints
1309 // still hold.
1310 bool
1314 // Update the actual types in any scripts queried by constraints with any
1315 // speculative types added during the definite properties analysis.
1316 void
1321 ReadBarrieredTypeObject,
1322 ArrayTableKey,
1327 typedef HashMap<ObjectTableKey,ObjectTableEntry,ObjectTableKey,SystemAllocPolicy> ObjectTypeTable;
1331 ReadBarrieredTypeObject,
1332 AllocationSiteKey,
1337 // Type set entry for either a JSObject with singleton type or a non-singleton TypeObject.
1338 struct TypeObjectKey
1339 {
1346 }
1350 }
1354 }
1357 }
1380 };
1382 // Representation of a heap type property which may or may not be instantiated.
1383 // Heap properties for singleton types are instantiated lazily as they are used
1384 // by the compiler, but this is only done on the main thread. If we are
1385 // compiling off thread and use a property which has not yet been instantiated,
1386 // it will be treated as empty and non-configured and will be instantiated when
1387 // rejoining to the main thread. If it is in fact not empty, the compilation
1388 // will fail; to avoid this, we try to instantiate singleton property types
1389 // during generation of baseline caches.
1390 class HeapTypeSetKey
1391 {
1394 // Object and property being accessed.
1396 jsid id_;
1398 // If instantiated, the underlying heap type set.
1404 {}
1421 };
1423 /*
1424 * Information about the result of the compilation of a script. This structure
1425 * stored in the TypeCompartment is indexed by the RecompileInfo. This
1426 * indirection enables the invalidation of all constraints related to the same
1427 * compilation.
1428 */
1429 class CompilerOutput
1430 {
1431 // If this compilation has not been invalidated, the associated script and
1432 // kind of compilation being performed.
1436 // Whether this compilation is about to be invalidated.
1439 // During sweeping, the list of compiler outputs is compacted and invalidated
1440 // outputs are removed. This gives the new index for a valid compiler output.
1449 {}
1454 {}
1463 }
1466 }
1470 }
1473 }
1479 }
1482 }
1486 }
1487 };
1489 class RecompileInfo
1490 {
1496 {}
1500 }
1504 };
1506 /* Type information for a compartment. */
1507 struct TypeCompartment
1508 {
1509 /* Constraint solving worklist structures. */
1511 /* Number of scripts in this compartment. */
1514 /* Table for referencing types of objects keyed to an allocation site. */
1517 /* Tables for determining types of singleton/JSON objects. */
1537 /* Prints results of this compartment if spew is enabled or force is set. */
1540 /*
1541 * Make a function or non-function object associated with an optional
1542 * script. The 'key' parameter here may be an array, typed array, function
1543 * or JSProto_Object to indicate a type whose class is unknown (not just
1544 * js_ObjectClass).
1545 */
1549 /* Get or make an object for an allocation site, and add to the allocation site table. */
1552 /* Mark any type set containing obj as having a generic object type. */
1563 };
1567 struct TypeZone
1568 {
1571 /* Pool for type information in this zone. */
1575 /*
1576 * All Ion compilations that have occured in this zone, for indexing via
1577 * RecompileInfo. This includes both valid and invalid compilations, though
1578 * invalidated compilations are swept on GC.
1579 */
1582 /* Pending recompilations to perform before execution of JIT code can resume. */
1593 /* Mark a script as needing recompilation once inference has finished. */
1598 };
1603 SPEW_COUNT
1604 };
1606 #ifdef DEBUG
1616 /* Check that the type property for id in obj contains value. */
1619 #else
1628 #endif
1630 /* Print a warning, dump state and abort the program. */