| blob | e0b286db1145bf0247ec1175467fb5f24ab334f4 |
1 /*
2 +----------------------------------------------------------------------+
3 | HipHop for PHP |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2010-present Facebook, Inc. (http://www.facebook.com) |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 */
28 #include <folly/Optional.h>
37 ) {
44 // This can happen when ptr is TBottom from a passthrough instruction with
45 // a src that isn't TBottom. The most common cause of this is something
46 // like "t5:Bottom = CheckType<Str> t2:Int". It means ptr isn't really a
47 // pointer, so return AEmpty to avoid unnecessarily pessimizing any
48 // optimizations.
51 }
57 }
61 }
63 // For phis, union all incoming values, taking care to not recurse infinitely
64 // in the presence of loops.
68 }
79 }
86 });
88 }
97 };
98 }
100 }
106 };
107 }
109 }
114 AProp {
117 }
118 };
119 }
121 }
126 }
128 // nullptr tvRef pointer, representing an instruction that doesn't use
129 // it.
131 }
133 }
144 }
148 }
150 };
155 }
157 // The result of ElemArray{,W,U} is either the address of an array element,
158 // or &immutable_null_base.
162 // Takes a PtrToGen as its first operand, so we can't easily grab an array
163 // base.
166 }
168 // These instructions can only get at tvRef when given it as a
169 // src. Otherwise they can only return pointers to properties or
170 // &immutable_null_base.
177 );
182 }
183 }();
185 }
187 // Like the Prop* instructions, but for array elements. These could also
188 // return pointers to collection elements but those don't exist in
189 // AliasClass yet.
196 );
201 }
202 }();
204 }
207 }
210 }();
215 /*
216 * None of the above worked, so try to make the smallest union we can based
217 * on the pointer type.
218 */
228 }
230 //////////////////////////////////////////////////////////////////////
237 }
238 }
240 }
242 // Return an AliasClass containing all locations pointed to by any MemToGen
243 // sources to an instruction.
246 }
248 // Return an AliasClass representing a range of the eval stack that contains
249 // everything below a logical depth.
253 }
255 //////////////////////////////////////////////////////////////////////
257 /*
258 * Helper functions for alias classes representing an ActRec on the stack
259 * (whether pre-live or live).
260 */
262 // Return an AliasClass representing an entire ActRec at base + offset.
265 base,
266 // The offset is the bottom of where the ActRec is stored, but AliasClass
267 // needs an offset to the highest cell.
270 };
271 }
273 // Return an AliasClass representing just the context field of an ActRec at base
274 // + offset.
277 }
279 // Return AliasClass representing just the func field of an ActRec at base +
280 // offset.
283 }
294 }();
298 }
300 //////////////////////////////////////////////////////////////////////
302 // Determine an AliasClass representing any locals in the instruction's frame
303 // which might be accessed via debug_backtrace().
314 }
318 }();
320 // Either there's no func or no frame-pointer. Either way, be conservative and
321 // assume anything can be read. This can happen in test code, for instance.
325 // The 86metadata variable can also exist in a VarEnv, but accessing that is
326 // considered a heap effect, so we can ignore it.
330 };
338 // First non param local contains reified generics
341 }
344 // There is no way to access the SSATmp for ObjectData of `this` here,
345 // so be very pessimistic
347 }
353 }
355 /////////////////////////////////////////////////////////////////////
357 /*
358 * Modify a GeneralEffects to take potential VM re-entry into account. This
359 * affects may-load, may-store, and kills information for the instruction. The
360 * GeneralEffects should already contain AHeapAny in both loads and stores if
361 * it affects those locations for reasons other than re-entry, but does not
362 * need to if it doesn't.
363 *
364 * For loads, we need to take into account any locals potentially accessed by
365 * debug_backtrace().
366 *
367 * For kills, locations on the eval stack below the re-entry depth should all
368 * be added.
369 *
370 * Important note: because of the `kills' set modifications, an instruction may
371 * not report that it can re-enter if it actually can't. The reason this can
372 * go wrong is that if the instruction was in an inlined function, if we've
373 * removed the DefInlineFP its spOff will not be meaningful (unless it's a
374 * DecRef instruction, which we explicitly adjust in dce.cpp). In this case
375 * the `kills' set will refer to the wrong stack locations. In general this
376 * means instructions that can re-enter must have catch traces---but a few
377 * other instructions are exceptions, either since they are not allowed in
378 * inlined functions or because they take the (possibly-inlined) FramePtr as a
379 * source.
380 */
385 ReleaseVVAndSkip,
386 LIterInit,
387 LIterInitK,
388 LIterNext,
389 LIterNextK,
390 IterFree,
391 GenericRetDecRefs,
392 MemoSetStaticCache,
393 MemoSetLSBCache,
394 MemoSetInstanceCache,
395 MemoSetStaticValue,
396 MemoSetLSBValue,
397 MemoSetInstanceValue);
399 may_reenter_is_ok,
401 inst
402 );
404 /*
405 * We want to union `killed_stack' into whatever else the instruction already
406 * said it must kill, but if we end up with an unrepresentable AliasClass we
407 * can't return a set that's too big (the `kills' set is unlike the other
408 * AliasClasses in GeneralEffects in that means it kills /everything/ in the
409 * set, since it's must-information).
410 *
411 * If we can't represent the union, just take the stack, in part because we
412 * have some debugging asserts about this right now---but also nothing
413 * actually uses may_reenter with a non-AEmpty kills at the time of this
414 * writing anyway.
415 */
422 );
425 }();
431 new_kills
432 };
433 }
435 //////////////////////////////////////////////////////////////////////
439 }
442 AliasClass stores,
443 AliasClass kill) {
445 }
448 AliasClass stores,
449 AliasClass move) {
452 }
454 //////////////////////////////////////////////////////////////////////
456 /*
457 * Helper for iterator instructions. They all affect some locals, but are
458 * otherwise the same.
459 *
460 * N.B. Currently the memory for frame iterator slots is not part of the
461 * AliasClass lattice, since we never really manipulate them from the TC yet,
462 * so we don't report the effect these instructions have on it.
463 */
466 AliasClass locals) {
472 inst,
476 AMIStateAny
477 )
478 );
479 }
481 /*
482 * Construct effects for InterpOne, using the information in its extra data.
483 *
484 * We always consider an InterpOne as potentially doing anything to the heap,
485 * potentially re-entering, potentially raising warnings in the current frame,
486 * potentially reading any locals, and potentially reading/writing any stack
487 * location that isn't below the bottom of the stack.
488 *
489 * The extra data for the InterpOne comes with some additional information
490 * about which local(s) it may modify, which is all we try to be more precise
491 * about right now.
492 */
502 }
503 }
513 }
514 }
525 }
528 }
530 ////////////////////////////////////////////////////////////////////////////////
532 /*
533 * Construct effects for member instructions that take &tvRef as their last
534 * argument.
535 *
536 * These instructions never load tvRef, but they might store to it.
537 */
558 }
563 }
566 }
568 //////////////////////////////////////////////////////////////////////
579 }
581 }();
586 AMIStatePropS
587 );
588 }
590 //////////////////////////////////////////////////////////////////////
595 //////////////////////////////////////////////////////////////////////
596 // Region exits
598 // These exits don't leave the current php function, and could head to code
599 // that could read or write anything as far as we know (including frame
600 // locals).
603 AUnknown,
605 };
608 AUnknown,
610 };
613 AUnknown,
615 };
618 AUnknown,
622 };
625 AUnknown,
629 };
631 //////////////////////////////////////////////////////////////////////
632 // Unusual instructions
634 /*
635 * The ReturnHook sets up the ActRec so the unwinder knows everything is
636 * already released (i.e. it calls ar->setLocalsDecRefd()).
637 *
638 * The eval stack is also dead at this point (the return value is passed to
639 * ReturnHook as src(1), and the ReturnHook may not access the stack).
640 */
642 // Note, this instruction can re-enter, but doesn't need the may_reenter()
643 // treatmeant because of the special kill semantics for locals and stack.
647 );
649 // The suspend hooks can load anything (re-entering the VM), but can't write
650 // to frame locals.
656 // TODO: may-load here probably doesn't need to include AFrameAny normally.
660 /*
661 * If we're returning from a function, it's ReturnEffects. The RetCtrl
662 * opcode also suspends resumables, which we model as having any possible
663 * effects.
664 */
667 // Suspending can go anywhere, and doesn't even kill locals.
669 }
672 };
679 // Suspending can go anywhere, and doesn't even kill locals.
683 /*
684 * The may-store information here is AUnknown: even though we know it
685 * doesn't really "store" to the frame locals, the values that used to be
686 * there are no longer available because they are DecRef'd, which we are
687 * required to report as may-store information to make it visible to
688 * reference count optimizations. It's conceptually the same as if it was
689 * storing an Uninit over each of the locals, but the stores of uninits
690 * would be dead so we're not actually doing that.
691 */
699 );
701 AUnknown,
703 };
704 }
706 /*
707 * DefInlineFP has some special treatment here.
708 *
709 * It's logically `publishing' a pointer to a pre-live ActRec, making it
710 * live. It doesn't actually load from this ActRec, but after it's done this
711 * the set of things that can load from it is large enough that the easiest
712 * way to model this is to consider it as a load on behalf of `publishing'
713 * the ActRec. Once it's published, it's a live activation record, and
714 * doesn't get written to as if it were a stack slot anymore (we've
715 * effectively converted AStack locations into a frame until the
716 * InlineReturn).
717 *
718 * Note: We may push the publishing of the inline frame below the start of
719 * the inline function so that we can avoid spilling the inline frame in the
720 * common case. Because of this we cannot add the stack positions within the
721 * inline function to the kill set here as they may be live having been stored
722 * on the main trace.
723 *
724 * TODO(#3634984): Additionally, DefInlineFP is marking may-load on all the
725 * locals of the outer frame. This is probably not necessary anymore, but we
726 * added it originally because a store sinking prototype needed to know it
727 * can't push StLocs past a DefInlineFP, because of reserved registers.
728 * Right now it's just here because we need to think about and test it before
729 * removing that set.
730 */
740 /*
741 * Notice that the stack positions and frame locals described here are
742 * exactly the set of alias locations that are about to be overlapping
743 * inside the inlined frame. Likewise, ClsRefSlots from the caller and the
744 * callee are about to be jumbled.
745 */
747 }
749 /*
750 * BeginInlining is similar to DefInlineFP, however, it must always be the
751 * first instruction in the inlined call and has no effect serving only as
752 * a marker to memory effects that the stack cells within the inlined call
753 * are now dead.
754 *
755 * Unlike DefInlineFP it does not load the SpillFrame, which we hope to push
756 * off the main trace or elide entirely.
757 */
759 /*
760 * SP relative offset of the first non-frame cell within the inlined call.
761 */
764 AEmpty,
765 AEmpty,
766 /*
767 * This prevents stack slots from the caller from being sunk into the
768 * callee. Note that some of these stack slots overlap with the frame
769 * locals of the callee-- those slots are inacessible in the inlined
770 * call as frame and stack locations may not alias.
771 */
773 );
774 }
779 }
787 }
792 // This instruction doesn't actually load but SpillFrame cannot be pushed
793 // past it
795 }
801 AUnknown,
803 };
808 // NB: on the failure path, these C++ helpers do a fixup and read frame
809 // locals before they throw. They can also invoke the user error handler and
810 // go do whatever they want to non-frame locations.
811 //
812 // TODO(#5372569): if we combine dv inits into the same regions we could
813 // possibly avoid storing KindOfUninits if we modify this.
818 // VerifyParamFail might coerce the parameter to the desired type rather than
819 // throwing.
826 }
833 }
834 // However the following ones can't read locals from our frame on the way
835 // out, except as a side effect of raising a warning.
852 {
855 // Kills. Everything on the stack below the incoming parameters.
857 // Stack. The act-rec, incoming parameters, and everything below.
862 ),
863 // Locals.
865 // Callee.
867 };
868 }
871 {
874 // Kills. Everything on the stack below the sent value.
876 // Stack. The value being sent, and everything below.
878 // Locals.
880 // Callee. Stored inside the generator object, not used by ContEnter.
881 AEmpty
882 };
883 }
886 {
889 // Kills. Everything on the stack below the incoming parameters.
891 // Stack. The act-rec, incoming parameters, and everything below.
896 ),
897 // Locals.
899 // Callee.
901 };
902 }
905 {
913 }
914 }
915 }
917 }();
925 AMIStateAny
926 );
927 }
928 }
930 // Resumable suspension takes everything from the frame and moves it into the
931 // heap.
943 return nlocals
946 }();
952 }();
955 AHeapAny,
956 frame | clsrefs
957 );
958 }
960 // AGWH construction updates the AsyncGenerator object.
965 {
969 AliasIdSet {
971 }
972 };
974 }
977 {
981 AliasIdSet {
983 }
984 };
986 }
988 // This re-enters to call extension-defined instance constructors.
992 // Closures don't ever throw or reenter on construction
1004 //////////////////////////////////////////////////////////////////////
1005 // Iterator instructions
1011 inst,
1014 );
1017 inst,
1020 );
1025 {
1029 }
1032 {
1036 }
1041 //////////////////////////////////////////////////////////////////////
1042 // Instructions that explicitly manipulate locals
1048 nullptr
1049 };
1052 {
1058 }
1060 }
1067 // Note: LdLocPseudoMain is both a guard and a load, so it must not be a
1068 // PureLoad.
1071 AEmpty
1072 );
1075 // This can store to globals or locals, but we don't have globals supported
1076 // in AliasClass yet.
1079 //////////////////////////////////////////////////////////////////////
1080 // Instructions that manipulate class-ref slots
1085 };
1090 };
1096 nullptr
1097 };
1103 nullptr
1104 };
1110 );
1116 );
1118 //////////////////////////////////////////////////////////////////////
1119 // Pointer-based loads and stores
1126 // TODO(#5962341): These take non-constant offset arguments, and are
1127 // currently only used for collections and class property inits, so we aren't
1128 // hooked up yet.
1132 ? AHeapAny
1136 };
1140 ? AHeapAny
1141 : AUnknown
1142 };
1157 {
1160 }
1173 AEmpty
1174 );
1177 AEmpty,
1179 );
1183 AHeapAny,
1185 );
1189 AHeapAny,
1191 );
1197 //////////////////////////////////////////////////////////////////////
1198 // Object/Ref loads/stores
1211 // Writes to memo slots, but these are not modeled.
1214 // Loads $obj->trace, stores $obj->file and $obj->line.
1218 //////////////////////////////////////////////////////////////////////
1219 // Array loads and stores
1226 };
1234 };
1235 }
1238 {
1244 };
1246 }
1249 {
1250 // NewKeysetArray is reading elements from the stack, but writes to a
1251 // completely new array, so we can treat the store set as empty.
1257 };
1259 }
1264 {
1265 // NewStructArray is reading elements from the stack, but writes to a
1266 // completely new array, so we can treat the store set as empty.
1272 };
1274 }
1277 {
1283 };
1285 }
1289 // Only reads the memo value (which isn't modeled here).
1295 // Writes to the memo value (which isn't modeled), but can re-enter to run
1296 // a destructor.
1303 // Reads some (non-zero) set of locals for keys, and reads/writes from the
1304 // memo cache (which isn't modeled). The set can re-enter to run a
1305 // destructor.
1311 AliasIdSet{
1315 }
1316 }
1317 };
1318 }
1325 };
1326 }();
1331 }
1333 }
1337 // Reads some set of locals for keys, and reads/writes from the memo cache
1338 // (which isn't modeled). The set can re-enter to run a destructor.
1341 // Unlike MemoGet/SetStaticCache, we can have an empty key range here.
1347 AliasIdSet{
1351 }
1352 }
1353 };
1354 }
1361 };
1362 }();
1366 }
1377 };
1378 }
1382 };
1383 }
1385 }
1395 }
1401 AEmpty);
1402 }
1404 }
1461 AEmpty);
1466 //////////////////////////////////////////////////////////////////////
1467 // Member instructions
1472 /*
1473 * Various minstr opcodes that take a PtrToGen in src 0, which may or may not
1474 * point to a frame local or the evaluation stack. Some may read or write to
1475 * that pointer while some only read. They can all re-enter the VM and access
1476 * arbitrary heap locations.
1477 */
1487 AHeapAny,
1488 AMIStatePropS
1489 );
1500 /*
1501 * SetRange behaves like a simpler version of SetElem.
1502 */
1508 AMIStatePropS
1509 );
1523 // Right now we generally can't limit any of these better than general
1524 // re-entry rules, since they can raise warnings and re-enter.
1528 AMIStatePropS
1529 );
1534 /*
1535 * Intermediate minstr operations. In addition to a base pointer like the
1536 * operations above, these may take a pointer to MInstrState::tvRef, which
1537 * they may store to (but not read from).
1538 */
1547 /*
1548 * Collection accessors can read from their inner array buffer, but stores
1549 * COW and behave as if they only affect collection memory locations. We
1550 * don't track those, so it's returning AEmpty for now.
1551 */
1563 AProp {
1566 },
1567 AEmpty
1568 );
1572 AEmpty
1573 );
1575 //////////////////////////////////////////////////////////////////////
1576 // Instructions that allocate new objects, without reading any other memory
1577 // at all, so any effects they have on some types of memory locations we
1578 // track are isolated from anything else we care about.
1601 // AllocObj re-enters to call constructors, but if it weren't for that we
1602 // could ignore its loads and stores since it's a new object.
1605 // Similar to AllocObj but also stores the reification
1608 //////////////////////////////////////////////////////////////////////
1609 // Instructions that explicitly manipulate the stack.
1614 };
1620 nullptr
1621 };
1624 // Technically these writes affect the caller's stack, but there is no way
1625 // to actually observe them from within the callee. They can also only
1626 // occur once on any exit path from a function.
1630 {
1637 };
1638 }
1643 AEmpty
1644 );
1649 };
1653 };
1658 AEmpty
1659 );
1662 // Unreachable code kills every memory location.
1671 };
1673 }
1675 //////////////////////////////////////////////////////////////////////
1676 // Instructions that never read or write memory locations tracked by this
1677 // module.
1818 AProp {
1821 },
1824 };
1826 //////////////////////////////////////////////////////////////////////
1827 // Instructions that technically do some things w/ memory, but not in any way
1828 // we currently care about. They however don't return IrrelevantEffects
1829 // because we assume (in refcount-opts) that IrrelevantEffects instructions
1830 // can't even inspect Countable reference count fields, and several of these
1831 // can. All GeneralEffects instructions are assumed to possibly do so.
1975 // Some that touch memory we might care about later, but currently don't:
1988 //////////////////////////////////////////////////////////////////////
1989 // Instructions that can re-enter the VM and touch most heap things. They
1990 // also may generally write to the eval stack below an offset (see
1991 // alias-class.h above AStack for more).
1994 {
1996 // It could decref the inner ref.
2000 // TKeyset can't re-enter, but it will decref any contained
2001 // strings. Without this, an incref of a string contained in
2002 // a Keyset could be sunk past the decref of the Keyset.
2004 }
2005 // Need to add affected to the `store' set. See comments about
2006 // `GeneralEffects' in memory-effects.h.
2011 // Could re-enter to run a destructor. Keysets are exempt because they
2012 // can only contain strings or integers.
2014 }
2016 }
2026 {
2027 AliasClass effects =
2030 }
2033 {
2034 AliasClass effects =
2037 }
2212 // debug_backtrace() traverses stack and WaitHandles on the heap.
2217 // This instruction doesn't touch memory we track, except that it may
2218 // re-enter to construct php Exception objects. During this re-entry anything
2219 // can happen (e.g. a surprise flag check could cause a php signal handler to
2220 // run arbitrary code).
2224 //////////////////////////////////////////////////////////////////////
2225 // The following instructions are used for debugging memory optimizations.
2226 // We can't ignore them, because they can prevent future optimizations;
2227 // eg t1 = LdStk<N>; DbgTrashStk<N>; StStk<N> t1
2228 // If we ignore the DbgTrashStk it looks like the StStk is redundant
2234 };
2239 };
2244 };
2248 //////////////////////////////////////////////////////////////////////
2250 }
2253 }
2255 //////////////////////////////////////////////////////////////////////
2260 };
2265 "frame offset is above base frame"
2266 );
2267 };
2272 "Non obj pointer in memory effects"
2273 );
2274 };
2281 };
2284 me,
2291 // Locations may-moved always should also count as may-loads.
2295 // Any instruction that can raise an error can run a user error handler
2296 // and have arbitrary effects on the heap.
2299 /*
2300 * They also ought to kill /something/ on the stack, because of
2301 * possible re-entry. It's not incorrect to leave things out of the
2302 * kills set, but this assertion is here because we shouldn't do it on
2303 * purpose, so this is here until we have a reason not to assert it.
2304 *
2305 * The mayRaiseError instructions should all be going through
2306 * may_reenter right now, which will kill the stack below the re-entry
2307 * depth---unless the marker for `inst' doesn't have an fp set.
2308 */
2311 }
2312 },
2333 );
2336 }
2338 //////////////////////////////////////////////////////////////////////
2340 }
2345 // These instructions have special handling because they occur as functions
2346 // suspend or return. Their ability to reenter is handled in
2347 // memory_effects_impl, and comments in that function explain why.
2349 ReturnHook,
2350 SuspendHookAwaitEF,
2351 SuspendHookAwaitEG,
2352 SuspendHookAwaitR,
2353 SuspendHookCreateCont,
2354 SuspendHookYield
2355 );
2362 "Instruction {} has effects {}, but has been marked as MayRaiseError "
2364 inst,
2366 );
2368 };
2370 // Calls are implicitly MayRaise, all other instructions must use the
2371 // GeneralEffects or UnknownEffects class of memory effects
2373 inner,
2385 );
2386 }();
2389 }
2393 }
2395 //////////////////////////////////////////////////////////////////////
2400 me,
2407 };
2408 },
2411 },
2414 },
2420 };
2421 },
2424 },
2430 };
2431 },
2437 };
2438 },
2445 };
2446 },
2449 },
2452 );
2453 }
2455 //////////////////////////////////////////////////////////////////////
2460 effects,
2467 );
2468 },
2471 },
2477 );
2478 },
2484 );
2485 },
2492 );
2493 },
2499 );
2500 },
2506 );
2507 }
2509 //////////////////////////////////////////////////////////////////////
2516 };
2517 }
2519 //////////////////////////////////////////////////////////////////////
2521 }}