| blob | 9069ce4037c0cfad761ad823ba0d9dabe747ff08 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sts=4 et sw=4 tw=99:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Definitions related to javascript type inference. */
9 #ifndef jsinfer_h
10 #define jsinfer_h
32 class TaggedProto
33 {
44 }
46 /* Skip nullptr and LazyProto. */
48 }
52 }
56 }
64 };
68 {
70 };
73 {
76 };
79 {
82 };
85 class TaggedProtoOperations
86 {
89 }
98 };
102 {
106 }
107 };
111 {
115 }
116 };
120 /*
121 * Execution Mode Overview
122 *
123 * JavaScript code can execute either sequentially or in parallel, such as in
124 * PJS. Functions which behave identically in either execution mode can take a
125 * ThreadSafeContext, and functions which have similar but not identical
126 * behavior between execution modes can be templated on the mode. Such
127 * functions use a context parameter type from ExecutionModeTraits below
128 * indicating whether they are only permitted constrained operations (such as
129 * thread safety, and side effects limited to being thread-local), or whether
130 * they can have arbitrary side effects.
131 */
134 /* Normal JavaScript execution. */
135 SequentialExecution,
137 /*
138 * JavaScript code to be executed in parallel worker threads in PJS in a
139 * fork join fashion.
140 */
141 ParallelExecution,
143 /*
144 * Modes after this point are internal and are not counted in
145 * NumExecutionModes below.
146 */
148 /*
149 * MIR analysis performed when invoking 'new' on a script, to determine
150 * definite properties. Used by the optimizing JIT.
151 */
152 DefinitePropertiesAnalysis,
154 /*
155 * MIR analysis performed when executing a script which uses its arguments,
156 * when it is not known whether a lazy arguments value can be used.
157 */
158 ArgumentsUsageAnalysis
159 };
163 {
175 }
176 }
178 /*
179 * Not as part of the enum so we don't get warnings about unhandled enum
180 * values.
181 */
185 struct ExecutionModeTraits
186 {
187 };
190 {
195 };
198 {
203 };
209 }
217 /*
218 * Information about a single concrete type. We pack this into a single word,
219 * where small values are particular primitive or other singleton types, and
220 * larger values are either specific JS objects or type objects.
221 */
222 class Type
223 {
233 }
238 }
243 }
247 }
251 }
255 }
259 }
261 /* Accessors for types that are either JSObject or TypeObject. */
266 }
270 }
274 /* Accessors for JSObject types */
278 }
283 /* Accessors for TypeObject types */
287 }
309 }
316 };
318 /* Get the type of a jsval, or zero for an unknown special value. */
321 /*
322 * Get the type of a possibly optimized out or uninitialized let value. This
323 * generally only happens on unconditional type monitors on bailing out of
324 * Ion, such as for argument and local types.
325 */
328 /*
329 * Type inference memory management overview.
330 *
331 * Type information about the values observed within scripts and about the
332 * contents of the heap is accumulated as the program executes. Compilation
333 * accumulates constraints relating type information on the heap with the
334 * compilations that should be invalidated when those types change. Type
335 * information and constraints are allocated in the zone's typeLifoAlloc,
336 * and on GC all data referring to live things is copied into a new allocator.
337 * Thus, type set and constraints only hold weak references.
338 */
340 /*
341 * A constraint which listens to additions to a type set and propagates those
342 * changes to other type sets.
343 */
344 class TypeConstraint
345 {
347 /* Next constraint listening to the same type set. */
352 {}
354 /* Debugging name for this kind of constraint. */
357 /* Register a new type for the set this constraint is listening to. */
360 /*
361 * For constraints attached to an object property's type set, mark the
362 * property as having changed somehow.
363 */
366 /*
367 * For constraints attached to the JSID_EMPTY type set on an object,
368 * indicate a change in one of the object's dynamic property flags or other
369 * state.
370 */
373 /*
374 * If the data this constraint refers to is still live, copy it into the
375 * zone's new allocator. Type constraints only hold weak references.
376 */
378 };
380 /* Flags and other state stored in TypeSet::flags */
392 /* Mask containing all primitives */
395 TYPE_FLAG_SYMBOL,
397 /* Mask/shift for the number of objects in objectSet */
401 TYPE_FLAG_DOMOBJECT_COUNT_LIMIT =
404 /* Whether the contents of this type set are totally unknown. */
407 /* Mask of normal type flags on a type set. */
410 /* Additional flags for HeapTypeSet sets. */
412 /*
413 * Whether the property has ever been deleted or reconfigured to behave
414 * differently from a plain data property, other than making the property
415 * non-writable.
416 */
419 /* Whether the property has ever been made non-writable. */
422 /* Whether the property might not be constant. */
425 /*
426 * Whether the property is definitely in a particular slot on all objects
427 * from which it has not been deleted or reconfigured. For singletons
428 * this may be a fixed or dynamic slot, and for other objects this will be
429 * a fixed slot.
430 *
431 * If the property is definite, mask and shift storing the slot + 1.
432 * Otherwise these bits are clear.
433 */
436 };
439 /* Flags and other state stored in TypeObject::flags */
441 /* Whether this type object is associated with some allocation site. */
444 /*
445 * If set, the object's prototype might be in the nursery and can't be
446 * used during Ion compilation (which may be occurring off thread).
447 */
450 /*
451 * Whether we have ensured all type sets in the compartment contain
452 * ANYOBJECT instead of this object.
453 */
456 /* Mask/shift for the number of properties in propertySet */
459 OBJECT_FLAG_PROPERTY_COUNT_LIMIT =
462 /* Whether any objects this represents may have sparse indexes. */
465 /* Whether any objects this represents may not have packed dense elements. */
468 /*
469 * Whether any objects this represents may be arrays whose length does not
470 * fit in an int32.
471 */
474 /* Whether any objects have been iterated over. */
477 /* For a global object, whether flags were set on the RegExpStatics. */
480 /*
481 * For the function on a run-once script, whether the function has actually
482 * run multiple times.
483 */
486 /*
487 * For a global object, whether any array buffers in this compartment with
488 * typed object views have been neutered.
489 */
492 /*
493 * Whether objects with this type should be allocated directly in the
494 * tenured heap.
495 */
498 /* Whether objects with this type might have copy on write elements. */
501 /*
502 * Whether all properties of this object are considered unknown.
503 * If set, all other flags in DYNAMIC_MASK will also be set.
504 */
507 /* Flags which indicate dynamic properties of represented objects. */
510 /* Mask for objects created with unknown properties. */
511 OBJECT_FLAG_UNKNOWN_MASK =
512 OBJECT_FLAG_DYNAMIC_MASK
515 // Mask/shift for the kind of addendum attached to this type object.
519 // Mask/shift for this type object's generation. If out of sync with the
520 // TypeZone's generation, this TypeObject hasn't been swept yet.
523 };
530 /*
531 * Information about the set of types associated with an lvalue. There are
532 * three kinds of type sets:
533 *
534 * - StackTypeSet are associated with TypeScripts, for arguments and values
535 * observed at property reads. These are implicitly frozen on compilation
536 * and do not have constraints attached to them.
537 *
538 * - HeapTypeSet are associated with the properties of TypeObjects. These
539 * may have constraints added to them to trigger invalidation of compiled
540 * code.
541 *
542 * - TemporaryTypeSet are created during compilation and do not outlive
543 * that compilation.
544 */
545 class TypeSet
546 {
548 /* Flags for this type set. */
549 TypeFlags flags;
551 /* Possible objects this type set can represent. */
558 {}
562 /* Whether this set contains a specific type. */
573 }
577 }
580 }
583 }
588 }
590 /* Join two type sets into a new set. The result should not be modified further. */
592 /* Return the intersection of the 2 TypeSets. The result should not be modified further */
593 static TemporaryTypeSet* intersectSets(TemporaryTypeSet* a, TemporaryTypeSet* b, LifoAlloc* alloc);
595 /* Add a type to this set using the specified allocator. */
598 /* Get a list of all types in this set. */
602 /*
603 * Iterate through the objects in this set. getObjectCount overapproximates
604 * in the hash case (see SET_ARRAY_SIZE in jsinferinlines.h), and getObject
605 * may return nullptr.
606 */
614 /* The Class of an object in this set. */
618 // Note: the cast is required to work around an MSVC issue.
620 }
625 }
627 /* Whether any values in this set might have the specified type. */
630 /* Whether all objects have JSCLASS_IS_DOMJSCLASS set. */
633 /*
634 * Get whether this type set is known to be a subset of other.
635 * This variant doesn't freeze constraints. That variant is called knownSubset
636 */
639 /*
640 * Get whether the objects in this TypeSet are a subset of the objects
641 * in other.
642 */
645 /* Whether this TypeSet contains exactly the same types as other. */
648 }
650 /* Forward all types in this set to the specified constraint. */
653 // Clone a type set into an arbitrary allocator.
657 // Create a new TemporaryTypeSet where undefined and/or null has been filtered out.
659 // Create a new TemporaryTypeSet where the type has been set to object.
663 // Trigger a read barrier on all the contents of a type set.
669 }
673 };
675 // If there is an OOM while sweeping types, the type information is deoptimized
676 // so that it stays correct (i.e. overapproximates the possible types in the
677 // zone), but constraints might not have been triggered on the deoptimization
678 // or even copied over completely. In this case, destroy all JIT code and new
679 // script information in the zone, the only things whose correctness depends on
680 // the type constraints.
681 class AutoClearTypeInferenceStateOnOOM
682 {
689 {}
695 }
696 };
698 /* Superclass common to stack and heap type sets. */
700 {
702 /* Chain of constraints which propagate changes out from this type set. */
707 /*
708 * Add a type to this set, calling any constraint handlers if this is a new
709 * possible type.
710 */
713 /* Add a new constraint to this set. */
717 };
720 {
722 };
725 {
729 /* Mark this type set as representing a non-data property. */
733 /* Mark this type set as representing a non-writable property. */
736 // Mark this type set as being non-constant.
738 };
742 CompilerConstraintList*
746 {
754 }
756 /*
757 * Constraints for JIT compilation.
758 *
759 * Methods for JIT compilation. These must be used when a script is
760 * currently being compiled (see AutoEnterCompilation) and will add
761 * constraints ensuring that if the return value change in the future due
762 * to new type information, the script's jitcode will be discarded.
763 */
765 /* Get any type tag which all values in this set must have. */
770 /* Whether this value may be an object. */
773 /*
774 * Whether this typeset represents a potentially sentineled object value:
775 * the value may be an object or null or undefined.
776 * Returns false if the value cannot ever be an object.
777 */
784 }
786 /* Whether the type set contains objects with any of a set of flags. */
789 /* Get the class shared by all objects in this set, or nullptr. */
792 /* Result returned from forAllClasses */
798 // and true for others, or set contains an unknown or non-object
799 // type
800 };
802 /* Apply func to the members of the set and return an appropriate result.
803 * The iteration may end early if the result becomes known early.
804 */
807 /* Get the prototype shared by all objects in this set, or nullptr. */
810 /* Get the typed array type of all objects in this set, or Scalar::MaxTypedArrayViewType. */
813 /* Get the shared typed array type of all objects in this set, or Scalar::MaxTypedArrayViewType. */
816 /* Whether clasp->isCallable() is true for one or more objects in this set. */
819 /* Whether clasp->emulatesUndefined() is true for one or more objects in this set. */
822 /* Get the single value which can appear in this type set, otherwise nullptr. */
825 /* Whether any objects in the type set needs a barrier on id. */
828 /*
829 * Whether this set contains all types in other, except (possibly) the
830 * specified type.
831 */
835 /* All types in the set should use eager double conversion. */
836 AlwaysConvertToDoubles,
838 /* Some types in the set should use eager double conversion. */
839 MaybeConvertToDoubles,
841 /* No types should use eager double conversion. */
842 DontConvertToDoubles,
844 /* Some types should use eager double conversion, others cannot. */
845 AmbiguousDoubleConversion
846 };
848 /*
849 * Whether known double optimizations are possible for element accesses on
850 * objects in this type set.
851 */
853 };
855 bool
858 bool
862 /* Is this a reasonable PC to be doing inlining on? */
865 /* Type information about a property. */
866 struct Property
867 {
868 /* Identifier for this property, JSID_VOID for the aggregate integer index property. */
869 HeapId id;
871 /* Possible types for this property, including types inherited from prototypes. */
872 HeapTypeSet types;
876 {}
880 {}
884 };
886 // New script properties analyses overview.
887 //
888 // When constructing objects using 'new' on a script, we attempt to determine
889 // the properties which that object will eventually have. This is done via two
890 // analyses. One of these, the definite properties analysis, is static, and the
891 // other, the acquired properties analysis, is dynamic. As objects are
892 // constructed using 'new' on some script to create objects of type T, our
893 // analysis strategy is as follows:
894 //
895 // - When the first objects are created, no analysis is immediately performed.
896 // Instead, all objects of type T are accumulated in an array.
897 //
898 // - After a certain number of such objects have been created, the definite
899 // properties analysis is performed. This analyzes the body of the
900 // constructor script and any other functions it calls to look for properties
901 // which will definitely be added by the constructor in a particular order,
902 // creating an object with shape S.
903 //
904 // - The properties in S are compared with the greatest common prefix P of the
905 // shapes of the objects that have been created. If P has more properties
906 // than S, the acquired properties analysis is performed.
907 //
908 // - The acquired properties analysis marks all properties in P as definite
909 // in T, and creates a new type object IT for objects which are partially
910 // initialized. Objects of type IT are initially created with shape S, and if
911 // they are later given shape P, their type can be changed to T.
912 //
913 // For objects which are rarely created, the definite properties analysis can
914 // be triggered after only one or a few objects have been allocated, when code
915 // being Ion compiled might access them. In this case type information in the
916 // constructor might not be good enough for the definite properties analysis to
917 // compute useful information, but the acquired properties analysis will still
918 // be able to identify definite properties in this case.
919 //
920 // This layered approach is designed to maximize performance on easily
921 // analyzable code, while still allowing us to determine definite properties
922 // robustly when code consistently adds the same properties to objects, but in
923 // complex ways which can't be understood statically.
924 class TypeNewScript
925 {
929 SETPROP,
930 SETPROP_FRAME,
931 DONE
936 {}
937 };
940 // Scripted function which this information was computed for.
941 // If instances of the associated type object are created without calling
942 // 'new' on this function, the new script information is cleared.
943 RelocatablePtrFunction fun;
945 // If fewer than PRELIMINARY_OBJECT_COUNT instances of the type are
946 // created, this array holds pointers to each of those objects. When the
947 // threshold has been reached, the definite and acquired properties
948 // analyses are performed and this array is cleared. The pointers in this
949 // array are weak.
953 // After the new script properties analyses have been performed, a template
954 // object to use for newly constructed objects. The shape of this object
955 // reflects all definite properties the object will have, and the
956 // allocation kind to use. Note that this is actually a PlainObject, but is
957 // JSObject here to avoid cyclic include dependencies.
958 RelocatablePtrPlainObject templateObject_;
960 // Order in which definite properties become initialized. We need this in
961 // case the definite properties are invalidated (such as by adding a setter
962 // to an object on the prototype chain) while an object is in the middle of
963 // being initialized, so we can walk the stack and fixup any objects which
964 // look for in-progress objects which were prematurely set with an incorrect
965 // shape. Property assignments in inner frames are preceded by a series of
966 // SETPROP_FRAME entries specifying the stack down to the frame containing
967 // the write.
970 // If there are additional properties found by the acquired properties
971 // analysis which were not found by the definite properties analysis, this
972 // shape contains all such additional properties (plus the definite
973 // properties). When an object of this type acquires this shape, it is
974 // fully initialized and its type can be changed to initializedType.
975 RelocatablePtrShape initializedShape_;
977 // Type object with definite properties set for all properties found by
978 // both the definite and acquired properties analyses.
979 RelocatablePtrTypeObject initializedType_;
986 }
997 }
1000 }
1004 }
1008 }
1012 }
1017 #ifdef JSGC_COMPACTING
1019 #endif
1028 };
1030 /*
1031 * Lazy type objects overview.
1032 *
1033 * Type objects which represent at most one JS object are constructed lazily.
1034 * These include types for native functions, standard classes, scripted
1035 * functions defined at the top level of global/eval scripts, and in some
1036 * other cases. Typical web workloads often create many windows (and many
1037 * copies of standard natives) and many scripts, with comparatively few
1038 * non-singleton types.
1039 *
1040 * We can recover the type information for the object from examining it,
1041 * so don't normally track the possible types of its properties as it is
1042 * updated. Property type sets for the object are only constructed when an
1043 * analyzed script attaches constraints to it: the script is querying that
1044 * property off the object or another which delegates to it, and the analysis
1045 * information is sensitive to changes in the property's type. Future changes
1046 * to the property (whether those uncovered by analysis or those occurring
1047 * in the VM) will treat these properties like those of any other type object.
1048 */
1050 /* Type information about an object accessed by a script. */
1052 {
1054 /* Class shared by object using this type. */
1057 /* Prototype shared by objects using this type. */
1058 HeapPtrObject proto_;
1060 /*
1061 * Whether there is a singleton JS object with this type. That JS object
1062 * must appear in type sets instead of this; we include the back reference
1063 * here to allow reverting the JS object to a lazy type.
1064 */
1065 HeapPtrObject singleton_;
1071 }
1076 }
1080 }
1084 }
1086 // For use during marking, don't call otherwise.
1093 }
1097 }
1099 /*
1100 * Value held by singleton if this is a standin type for a singleton JS
1101 * object whose type has not been constructed yet.
1102 */
1107 /* Flags for this object. */
1108 TypeObjectFlags flags_;
1111 Addendum_NewScript,
1112 Addendum_TypeDescr
1113 };
1115 // If non-null, holds additional information about this object, whose
1116 // format is indicated by the object's addendum kind.
1124 }
1130 }
1137 }
1142 }
1147 }
1152 }
1156 }
1159 // Note: there is no need to sweep when accessing the type descriptor
1160 // of an object, as it is strongly held and immutable.
1164 }
1169 }
1173 }
1176 /*
1177 * Properties of this object. This may contain JSID_VOID, representing the
1178 * types of all integer indexes of the object, and/or JSID_EMPTY, holding
1179 * constraints listening to changes to the object's state.
1180 *
1181 * The type sets in the properties of a type object describe the possible
1182 * values that can be read out of that property in actual JS objects.
1183 * In native objects, property types account for plain data properties
1184 * (those with a slot and no getter or setter hook) and dense elements.
1185 * In typed objects, property types account for object and value properties
1186 * and elements in the object.
1187 *
1188 * For accesses on these properties, the correspondence is as follows:
1189 *
1190 * 1. If the type has unknownProperties(), the possible properties and
1191 * value types for associated JSObjects are unknown.
1192 *
1193 * 2. Otherwise, for any JSObject obj with TypeObject type, and any jsid id
1194 * which is a property in obj, before obj->getProperty(id) the property
1195 * in type for id must reflect the result of the getProperty.
1196 *
1197 * There are several exceptions to this:
1198 *
1199 * 1. For properties of global JS objects which are undefined at the point
1200 * where the property was (lazily) generated, the property type set will
1201 * remain empty, and the 'undefined' type will only be added after a
1202 * subsequent assignment or deletion. After these properties have been
1203 * assigned a defined value, the only way they can become undefined
1204 * again is after such an assign or deletion.
1205 *
1206 * 2. Array lengths are special cased by the compiler and VM and are not
1207 * reflected in property types.
1208 *
1209 * 3. In typed objects, the initial values of properties (null pointers and
1210 * undefined values) are not reflected in the property types. These
1211 * values are always possible when reading the property.
1212 *
1213 * We establish these by using write barriers on calls to setProperty and
1214 * defineProperty which are on native properties, and on any jitcode which
1215 * might update the property with a new type.
1216 */
1220 /* If this is an interpreted function, the function object. */
1221 HeapPtrFunction interpretedFunction;
1223 #if JS_BITS_PER_WORD == 32
1225 #endif
1232 }
1236 }
1242 }
1246 }
1250 }
1256 }
1260 }
1265 }
1267 /*
1268 * Get or create a property of this object. Only call this for properties which
1269 * a script accesses explicitly.
1270 */
1273 /* Get a property only if it already exists. */
1279 /* Helpers */
1301 #ifdef DEBUG
1303 #endif
1307 }
1314 }
1316 #ifdef JSGC_COMPACTING
1318 #endif
1328 }
1332 }
1336 }
1340 }
1348 }
1349 };
1351 /*
1352 * Entries for the per-compartment set of type objects which are the default
1353 * types to use for some prototype. An optional associated object is used which
1354 * allows multiple type objects to be created with the same prototype. The
1355 * associated object may be a function (for types constructed with 'new') or a
1356 * type descriptor (for typed objects). These entries are also used for the set
1357 * of lazy type objects in the compartment, which use a null associated object
1358 * (though there are only a few of these per compartment).
1359 */
1360 struct NewTypeObjectEntry
1361 {
1362 ReadBarrieredTypeObject object;
1364 // Note: This pointer is only used for equality and does not need a read barrier.
1369 {}
1373 TaggedProto hashProto;
1374 TaggedProto matchProto;
1379 {}
1381 /*
1382 * For use by generational post barriers only. Look up an entry whose
1383 * proto has been moved, but was hashed with the original value.
1384 */
1385 Lookup(const Class* clasp, TaggedProto hashProto, TaggedProto matchProto, JSObject* associated)
1387 {}
1389 };
1394 };
1397 /* Whether to use a new type object when calling 'new' at script/pc. */
1398 bool
1401 bool
1404 /*
1405 * Whether Array.prototype, or an object on its proto chain, has an
1406 * indexed property.
1407 */
1408 bool
1411 /* Whether obj or any of its prototypes have an indexed property. */
1412 bool
1413 TypeCanHaveExtraIndexedProperties(CompilerConstraintList* constraints, TemporaryTypeSet* types);
1415 /* Persistent type information for a script, retained across GCs. */
1416 class TypeScript
1417 {
1420 // Variable-size array
1424 /* Array of type sets for variables and JOF_TYPESET ops. */
1426 // Ensure typeArray_ is the last data member of TypeScript.
1430 }
1433 // Ensure typeArray_ is the last data member of TypeScript.
1437 }
1444 /* Get the type set for values observed at an opcode. */
1451 /* Get a type object for an allocation site in this script. */
1453 JSProtoKey kind);
1455 /*
1456 * Monitor a bytecode pushing any value. This must be called for any opcode
1457 * which is JOF_TYPESET, and where either the script has not been analyzed
1458 * by type inference or where the pc has type barriers. For simplicity, we
1459 * always monitor JOF_TYPESET opcodes in the interpreter and stub calls,
1460 * and only look at barriers when generating JIT code for the script.
1461 */
1466 /* Monitor an assignment at a SETELEM on a non-integer identifier. */
1469 /* Add a type for a variable in a script. */
1476 /*
1477 * Freeze all the stack type sets in a script, for a compilation. Returns
1478 * copies of the type sets which will be checked against the actual ones
1479 * under FinishCompilation, to detect any type changes.
1480 */
1492 }
1494 #ifdef DEBUG
1496 #endif
1497 };
1499 void
1502 ArrayObject*
1505 ArrayObject*
1510 // Allocate a CompilerOutput for a finished compilation and generate the type
1511 // constraints for the compilation. Returns whether the type constraints
1512 // still hold.
1513 bool
1517 // Update the actual types in any scripts queried by constraints with any
1518 // speculative types added during the definite properties analysis.
1519 void
1524 ReadBarrieredTypeObject,
1525 ArrayTableKey,
1530 typedef HashMap<ObjectTableKey,ObjectTableEntry,ObjectTableKey,SystemAllocPolicy> ObjectTypeTable;
1534 ReadBarrieredTypeObject,
1535 AllocationSiteKey,
1540 // Type set entry for either a JSObject with singleton type or a non-singleton TypeObject.
1541 struct TypeObjectKey
1542 {
1549 }
1553 }
1557 }
1560 }
1582 };
1584 // Representation of a heap type property which may or may not be instantiated.
1585 // Heap properties for singleton types are instantiated lazily as they are used
1586 // by the compiler, but this is only done on the main thread. If we are
1587 // compiling off thread and use a property which has not yet been instantiated,
1588 // it will be treated as empty and non-configured and will be instantiated when
1589 // rejoining to the main thread. If it is in fact not empty, the compilation
1590 // will fail; to avoid this, we try to instantiate singleton property types
1591 // during generation of baseline caches.
1592 class HeapTypeSetKey
1593 {
1596 // Object and property being accessed.
1598 jsid id_;
1600 // If instantiated, the underlying heap type set.
1606 {}
1618 bool isOwnProperty(CompilerConstraintList* constraints, bool allowEmptyTypesForGlobal = false);
1624 };
1626 /*
1627 * Information about the result of the compilation of a script. This structure
1628 * stored in the TypeCompartment is indexed by the RecompileInfo. This
1629 * indirection enables the invalidation of all constraints related to the same
1630 * compilation.
1631 */
1632 class CompilerOutput
1633 {
1634 // If this compilation has not been invalidated, the associated script and
1635 // kind of compilation being performed.
1639 // Whether this compilation is about to be invalidated.
1642 // During sweeping, the list of compiler outputs is compacted and invalidated
1643 // outputs are removed. This gives the new index for a valid compiler output.
1652 {}
1657 {}
1666 }
1669 }
1673 }
1676 }
1682 }
1686 }
1687 };
1689 class RecompileInfo
1690 {
1691 // Index in the TypeZone's compilerOutputs or sweepCompilerOutputs arrays,
1692 // depending on the generation value.
1695 // If out of sync with the TypeZone's generation, this index is for the
1696 // zone's sweepCompilerOutputs rather than compilerOutputs.
1702 {}
1706 {}
1711 };
1715 /* Type information for a compartment. */
1716 struct TypeCompartment
1717 {
1718 /* Number of scripts in this compartment. */
1721 /* Table for referencing types of objects keyed to an allocation site. */
1724 /* Tables for determining types of singleton/JSON objects. */
1743 /* Prints results of this compartment if spew is enabled or force is set. */
1746 /*
1747 * Make a function or non-function object associated with an optional
1748 * script. The 'key' parameter here may be an array, typed array, function
1749 * or JSProto_Object to indicate a type whose class is unknown (not just
1750 * js_ObjectClass).
1751 */
1755 /* Get or make an object for an allocation site, and add to the allocation site table. */
1758 /* Mark any type set containing obj as having a generic object type. */
1769 };
1775 struct TypeZone
1776 {
1779 /* Pool for type information in this zone. */
1781 LifoAlloc typeLifoAlloc;
1783 // Current generation for sweeping.
1786 /*
1787 * All Ion compilations that have occured in this zone, for indexing via
1788 * RecompileInfo. This includes both valid and invalid compilations, though
1789 * invalidated compilations are swept on GC.
1790 */
1794 // During incremental sweeping, allocator holding the old type information
1795 // for the zone.
1796 LifoAlloc sweepTypeLifoAlloc;
1798 // During incremental sweeping, the old compiler outputs for use by
1799 // recompile indexes with a stale generation.
1802 // During incremental sweeping, whether to try to destroy all type
1803 // information attached to scripts.
1806 // The topmost AutoEnterAnalysis on the stack, if there is one.
1818 /* Mark a script as needing recompilation once inference has finished. */
1823 };
1828 SPEW_COUNT
1829 };
1831 #ifdef DEBUG
1841 /* Check that the type property for id in obj contains value. */
1844 #else
1853 #endif
1855 /* Print a warning, dump state and abort the program. */
1861 // JS::ubi::Nodes can point to js::LazyScripts; they're js::gc::Cell instances
1862 // with no associated compartment.
1866 }
1867 }