| blob | d8321079b72e9d11fb5a6fc6968b353f0696d76c |
1 /*
2 +----------------------------------------------------------------------+
3 | HipHop for PHP |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2010-2014 Facebook, Inc. (http://www.facebook.com) |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 */
18 #include <algorithm>
19 #include <utility>
47 // These are used a lot in this file.
51 // A Point is an id representing a program point, determined by IdMap.
54 /*
55 * IdMap stores a linear position id for program points before (even numbers)
56 * and after (odd numbers) each instruction. The distinction is necessary so we
57 * can insert sink points after the last instruction of a block.
58 */
62 {
69 }
70 }
71 }
87 };
89 /*
90 * IncSet holds a set of ids of IncRef instructions, representing a pending
91 * reference in a Value (defined below). We have to use a set of ids instead of
92 * just a single id because it's possible for the same pending reference to
93 * come from different instructions in different control flow paths.
94 */
102 }
104 }
106 /*
107 * Value represents what we know about the current state of a php value with a
108 * refcount. It holds lower bounds on the real refcount and optimized refcount
109 * of an object. As the analysis pass progresses, it uses this information to
110 * ensure that any optimizations will not affect what observers of the refcount
111 * see.
112 */
117 {}
123 }
125 /*
126 * Merge other's state with this state.
127 *
128 * Precondition:
129 * If realCounts do not match, the lesser value must be fromLoad. The idea
130 * is that fromLoad allows us to make more aggressive assumptions, so we
131 * shouldn't have both a higher count and fromLoad.
132 *
133 * For an example of where this is OK, consider:
134 *
135 * B0:
136 * t1 = LdLoc<0>
137 * IncRef t1
138 * DecRef t2
139 * JmpNZ B2
140 * B1:
141 * IncRef t1
142 * SpillStack t1
143 * TakeStack t1
144 * DecRef t1
145 * B2:
146 * ...
147 *
148 * The count of t1 at B2 will be 1 if coming from B0, and 0 if coming from
149 * B1, due to the SpillStack. However, the TakeStack marks t1 as fromLoad,
150 * which lets us know that there's at least one surviving reference, so we
151 * can move forward assuming the max of the two.
152 *
153 * Postconditions:
154 * 1. realCount becomes the max of the incoming value;
155 * 2. fromLoad is set if either incoming value has it;
156 * 3. pendingIncs is truncated to the size of the smaller of the two, then
157 * the sets at each index are merged. The two can differ when a value's
158 * count is observed in one branch of a conditional but not the other, and
159 * it's safe because any differences are resolved in mergeStates().
160 */
167 };
172 showFailure);
182 }
183 }
184 }
190 }
197 }
201 }
203 /* realCount is the number of live references currently owned by the
204 * jit. Since it represents references with lifetimes we can reliably track,
205 * it's also used as a lower bound of the refcount of the object. */
208 /* fromLoad represents whether or not the value came from a load
209 * instruction. This optimization is based on the idea of producing and
210 * consuming references, and most of our load instructions sometimes produce
211 * a reference and sometimes don't. Rather than splitting up all the loads
212 * into two flavors, we allow consumption of a value from a load even if
213 * there appear to be no live references. */
219 /* pendingIncs contains ids of IncRef instructions that have yet to be placed
220 * before an observer. The size of pendingIncs represents the delta between
221 * the real count and the optimized count. */
223 };
231 }
236 incs,
238 }
240 /*
241 * Frame represents a call frame and is used to track references to the current
242 * $this pointer.
243 */
248 {}
250 /* The canonical form of $this. For the outermost frame of the trace, this
251 * will be nullptr if we haven't loaded $this yet, or a LdThis if we
252 * have. For inlined frames, this will be the canonical SSATmp* for the $this
253 * pointer given to the SpillFrame. */
256 /* Latest live temp holding $this. This is updated whenever we see a new
257 * LdThis in a frame, and it's set to nullptr after any instructions that
258 * kill all live temps (calls, mostly). */
263 }
264 };
269 }
274 }
277 }
279 }
281 /*
282 * FrameStack contains a Frame struct for all live and pre-live frames.
283 */
285 /* Push a possibly empty Frame representing a pre-live ActRec. We don't yet
286 * know if the call with be inlined or not. */
289 }
291 /* Push a new frame representing a newly defined FramePtr for an inlined
292 * call. */
298 }
300 /* Pop an inlined frame to represent an InlineReturn, forgetting what we know
301 * about its $this pointer. */
311 }
313 /* Pop a non-inlined frame. This is only called if a trace includes a RetC in
314 * the outermost function. */
318 }
322 }
326 }
328 /* Map from the instruction defining the frame to a Frame object. */
331 /* Similar to live, but for frames that have been popped. We keep track of
332 * these because we often refer to a LdThis from an inlined function after
333 * it's returned. */
336 /* Frames that have been pushed but not activated. */
338 };
342 /*
343 * State holds all the information we care about during the analysis pass, and
344 * is used to propagate and merge state across control flow edges.
345 */
347 /* values maps from live SSATmps to the currently known state about the
348 * value. */
351 /* canon keeps track of values that have been through passthrough
352 * instructions, like CheckType and AssertType. */
353 CanonMap canon;
355 /* frames keeps track of live $this pointers in call frames. */
356 FrameStack frames;
357 };
367 }
371 Indent _i;
375 }
376 }
380 Indent _i;
383 }
384 }
388 Indent _i;
392 }
393 }
396 }
402 {}
407 {}
410 State state;
411 };
415 /*
416 * One SinkPoint exists for each optimizable IncRef in each control flow path
417 * dominated by it.
418 */
424 {}
426 /* The position of the sink point, from IdMap. */
427 Point id;
429 /* In some very rare situations we may know that we want to insert a
430 * SinkPoint for a value without having a live SSATmp for that value. This
431 * means it's not safe to sink the IncRef to that point, but if the
432 * instruction immediately after the SinkPoint is a DecRef of the same value,
433 * it's safe to eliminate both instructions. */
436 /* The current version of the value, if it has been through a passthrough
437 * instruction. Keeping track of this allows us to sink an IncRef of a Cell
438 * past a CheckType and turn it into a cheaper IncRef. */
440 };
445 // Maps values to SinkPoints for their IncRefs
448 // Maps ids of DecRef instructions to the incoming lower bound of the object's
449 // refcount. Only DecRefs that cannot go to zero are in this map, so there
450 // will be no entries with a value of less than 2.
452 };
454 /*
455 * We often want to insert sink points on control flow edges. idForEdge returns
456 * the appropriate id to use for the given edge, assuming it is not a critical
457 * edge.
458 */
467 };
471 };
474 // from has two outgoing edges. Use the beginning of to.
480 // from has one outgoing edges. Use the end of from.
489 }
490 }
491 }
496 /*
497 * SinkPointAnalyzer is responsible for inspecting a trace and determining two
498 * things: the latest safe point to sink each IncRef to, and which DecRefs
499 * cannot take their src to 0.
500 */
511 {}
521 Indent _i;
530 }
535 }
541 // This block is terminal. Ensure that all live references have been
542 // accounted for.
544 Indent _i;
556 };
558 // Terminal block. Everything must be resolved.
562 showFailure);
563 }
564 }
566 // Propagate current state to the next block, if one exists. If we have a
567 // taken branch, that information will be propagated in processInst().
571 Indent _i;
574 }
578 }
581 }
588 {}
591 Value value;
592 };
594 Value value;
596 };
602 Indent _i;
604 Indent __i;
606 }
607 };
611 /*
612 * Short circuit the easy, common case: one incoming state. (This
613 * is just to save JIT time.)
614 *
615 * Except if it's a DefLabel---there could still be unconsumed
616 * references that need to be forwarded through the DefLabel (for
617 * example in the case of a control flow diamond where one side
618 * was optimized away because the branch turned into a Nop).
619 */
622 }
625 State retState;
629 // If the current block begins with a DefLabel, we start by taking
630 // unconsumed references for each dest of the label that produces a
631 // reference.
638 Indent _i;
646 Indent _i;
654 });
666 }
667 });
670 }
671 }
673 // Now, we build a map from values to their merged incoming state and which
674 // blocks provide information about the value.
678 // Task #5216936: add support for merging states with
679 // different FrameStacks, and get rid of the TRACE_PUNT below.
683 }
686 }
699 }
701 // Register this block as an incoming provider of the value.
703 }
704 }
706 // Now, for each incoming value, insert it into the resulting state. If
707 // there is a difference in a value's state between incoming branches,
708 // resolve it by inserting sink points on the appropriate incoming edges.
712 // If the value wasn't provided by every incoming branch, we're hosed
713 // unless it was just fromLoad in some branches.
718 "While merging incoming states for B{}, value {} not provided by"
719 " all preds but has nontrivial state `{}' from B{}."
724 );
725 }
726 }
742 }
743 }
745 // Only put the merged state in the result if it provides useful
746 // information.
750 }
751 }
754 Indent _i;
757 }
759 /* If control flow after something like a CheckType rejoins, we need to make
760 * sure we only reference values that dominate the join. In the example
761 * below, t4 is not defined in B3 and therefore cannot be used in B4:
762 *
763 * B1:
764 * t4:Obj = CheckType<Obj> t3:Cell -> B3
765 * fallthrough to B2
766 *
767 * B2:
768 * IncRef t4:Obj
769 * Jmp B4
770 *
771 * B3:
772 * IncRef t3:Cell
773 * Jmp B4
774 *
775 * B2's incoming state will have a mapping from t3 -> t4, and B3 will have no
776 * mapping for t3. We need to look at all the incoming mappings and pick the
777 * most specific value defined in all incoming paths (t3 in this case).
778 */
780 CanonMap retMap;
784 };
786 // First, build a map from canonical values to the values they map to and
787 // how many incoming branches have the mapped value available.
795 }
796 }
797 }
801 // Build a list of versions of this value that exist in all incoming
802 // branches.
807 }
808 }
811 // None of the derived values exist, so use trueRoot. This is
812 // equivalent to not having an entry in the map.
815 // Only one derived value exists in all incoming branches, so use that
816 // value.
819 }
821 // We found more than one value coming in from all branches, so find the
822 // most derived one. This is the one temp that doesn't appear as an
823 // ancestor of any of the others.
826 // trueRoot shouldn't be in the set
830 // For each ancestor of val, if it's not yet in ancestors, add it and
831 // continue. If it is in ancestors we've already visited it and all of
832 // its ancestors, so do nothing more.
839 }
840 }
841 }
843 // There should now be exactly one value in tmps that isn't
844 // ancestors. This is the value to use in the merge map. The sets are
845 // sorted, so walk them in parallel to find the discrepancy.
854 }
855 }
857 }
860 }
865 Indent _i;
871 // If an instruction's branch is ever taken, none of its sources will be
872 // consumed. This means we should propagate state across this edge before
873 // consuming any values and modifying the current state.
876 Indent _i;
881 // Since we can't insert sink points after the branch but before the
882 // instruction consumes its sources, we have to insert them before the
883 // whole instruction. This happens after we've already propagated the
884 // state to taken, so we keep a pointer to the propagated state so we can
885 // update it when needed.
889 }
894 // We only consider an IncRef optimizable if it's not an IncRefCtx/TakeRef
895 // and the value doesn't have an optimized count of 0. This prevents any
896 // subsequent instructions from taking in a source with count 0.
903 // Even if the IncRef isn't optimizable, it still needs to be tracked
904 // as a live reference.
906 }
908 }
910 // TakeStack is used to indicate that we've logically popped a value off
911 // the stack, in place of a LdStack.
915 }
917 // Completely resolve the deficit for any sources to Jmp. This isn't a
918 // perfect solution but it's vastly simpler than other options and
919 // probably good enough for our purposes.
922 }
924 // Make sure it's not a RetCtrl from Ret{C,V}
927 // The EndCatch in Function{Suspend,Return}Hook's catch block is
928 // special: it happens after locals and $this have been
929 // decreffed, so we don't want to do the normal cleanup
935 // When leaving a trace, we need to account for all live references in
936 // locals and $this pointers.
950 // This only happens during a RetC, and it happens instead of a normal
951 // DecRef on $this.
955 // All other instructions take the generic path.
958 }
961 }
963 /* jit::canonical() traces through passthrough instructions to get the root
964 * of a value. Since we're tracking the state of inlined frames in the trace,
965 * there are often cases where the root value for a LdThis is really a value
966 * up in some enclosing frame. */
977 }
979 }
981 /*
982 * Consumes all local values, including those in callers if we're inlined.
983 */
986 Indent _i;
990 }
991 );
992 }
994 /*
995 * Consumes all locals in the current frame, not including inline callers.
996 */
999 Indent _i;
1003 }
1004 }
1005 }
1015 // Record DecRefs that won't go to 0
1019 }
1024 // When spilling an Object to a pre-live ActRec, we can reliably track
1025 // the reference in the frame. This allows us to optimize away many
1026 // refcounting operations on $this in inlined calls.
1030 Indent _i;
1036 }
1039 }
1058 }
1060 // InterpOne can push and pop ActRecs.
1070 // This isn't optimal, but InterpOne of FCallBuiltin is rare enough
1071 // that it doesn't matter.
1073 }
1076 // InterpOneCF's normal path leaves the trace, so consume all live
1077 // references.
1080 }
1081 }
1085 Indent _i;
1090 Call,
1091 CallArray,
1092 ContEnter)) {
1096 // If the StkPtr being consumed points to a pre-live ActRec, observe
1097 // its $this pointer since many of our helper functions decref it.
1104 }
1105 }
1106 }
1115 }
1116 }
1118 // Many instructions have complicated effects on the state of the
1119 // locals. Get this information from FrameState.
1121 Indent _i;
1123 }
1125 /*
1126 * Process a normal call to a prelive frame. Consume $this, if any, and pop
1127 * the prelive frame.
1128 */
1130 // If we have no prelive frames the FPush* was in a different trace.
1135 }
1141 }
1143 /*
1144 * Call, CallArray, and ContEnter destroy all live values. They also might
1145 * throw and we can't attach catch traces to them. Resolve the opt delta for
1146 * any live $this pointers and forget the "current" this pointer so we don't
1147 * reuse it after the call.
1148 */
1156 }
1157 });
1158 }
1160 /*
1161 * Consume the $this pointer for a Frame, if it has one. If currentThis is
1162 * nullptr but mainThis exists we use an "erase-only" sink point, which means
1163 * it's not safe to actually sink the IncRef but it's safe to erase the
1164 * IncRef/DecRef pair (usually because the value has been smashed by a Call).
1165 */
1171 }
1172 }
1174 /*
1175 * When we leave a trace, we have to account for all the references we're
1176 * tracking in pre-live frames and inlined frames.
1177 */
1181 });
1182 }
1184 /* When an instruction consumes a reference to a value, two things in our
1185 * tracked state must be updated. We first ensure that the behavior of DecRef
1186 * and COW will not be affected by the difference between the real count and
1187 * the optimized count. This is done by inserting as many IncRef sink points
1188 * as needed before the instruction. Second, the real count of the value is
1189 * decremented to reflect the consumption of the reference. If there is no
1190 * reference to consume, this is either a bug in this analysis pass or the
1191 * incoming IR, so abort with a (hopefully) helpful error. */
1199 }
1206 Indent _i;
1214 // Note that we're treating consumers and observers the same here, which is
1215 // necessary until we have better alias analysis.
1220 }
1222 /* DecRef and COW both care about the same thing: is _count == 1 coming into
1223 * the operation? */
1226 };
1227 /* When deciding if something is a user-visible reference, we need to know if
1228 * _count >= 2. */
1231 };
1238 }
1239 }
1245 // If the current instruction has a taken branch, we need to tell the
1246 // propagated state that we used one of the pending IncRefs.
1250 }
1251 }
1263 };
1268 };
1270 // This is ok as long as the value came from a load (see the Value struct
1271 // for why).
1273 showFailure);
1278 };
1280 }
1281 }
1285 }
1289 }
1292 // If any locals are RefDatas, the behavior of get_defined_vars can
1293 // depend on whether or not the count is >= 2.
1301 }
1302 );
1303 }
1308 }
1309 }
1311 /* Completely resolve the delta between realCount and optCount. */
1319 Indent _i;
1327 }
1328 }
1332 /* Remember that oldVal has been replace by newVal, either because of a
1333 * passthrough instruction or something from FrameState. */
1340 }
1344 // LdLoc's output is the new value of the local we loaded, and this has
1345 // already been tracked in setLocalValue().
1349 // If this function can't have a $this pointer everything after the
1350 // LdThis is unreachable. More importantly, we aren't going to decref
1351 // the non-existent $this pointer in RetC, so don't track a reference
1352 // to it.
1354 }
1361 // Nobody has tried to load $this in the current frame yet. Set it as
1362 // the main $this for the frame and indicate that we're tracking a
1363 // reference to it.
1366 }
1368 }
1376 }
1379 // If we're doing CheckType or AssertType from a counted type to an
1380 // uncounted type, we need to do something with the pending references
1381 // that won't be consumed now that the type is uncounted. Since we now
1382 // know that for its entire lifetime, the value has been an uncounted
1383 // type, we consume a live reference and drop all pending IncRefs on
1384 // the floor. This will result in any IncRefs of this value being sunk
1385 // to the CheckType's taken branch, and erased completely from the path
1386 // falling through the CheckType.
1397 // Going from notCounted to maybeCounted. This sounds silly, but it's
1398 // possible so we have to handle it "correctly". Treat it like a
1399 // load instruction.
1402 }
1403 }
1406 }
1408 // Define any values produced by the instruction.
1417 Indent _i;
1424 }
1425 }
1426 }
1428 ///// LocalStateHook overrides /////
1430 // TrackLoc is only used for the dests of labels, and those references are
1431 // handled in mergeStates.
1435 }
1437 // When a local's value is updated by StLoc(NT), the consumption of the old
1438 // value should've been visible to us, so we ignore that here.
1441 Indent _i;
1443 }
1448 Indent _i;
1453 }
1454 }
1461 // Similar to what we do when processing the CheckType directly, we
1462 // "consume" the value on behalf of the CheckType.
1468 }
1469 }
1473 Indent _i;
1475 }
1481 Indent _i;
1483 }
1490 }
1492 /* The IRUnit being processed and its blocks */
1496 /* Current block and current instruction */
1500 /* Map between linear ids and IRInstruction* */
1503 /* Current state of the world */
1504 State m_state;
1506 /* Sometimes present pointer to state propagated to m_inst's taken
1507 * branch. See consumeValue() for usage. */
1509 SavedStates m_savedStates;
1511 /* Analysis results to be returned to caller */
1512 SinkPointsMap m_ret;
1514 /* Used to track local state and other information about the trace */
1515 FrameState m_frameState;
1516 };
1518 ////////// Refcount validation pass //////////
1522 /*
1523 * Simulate the effect of block b on refcounts of SSATmps.
1524 */
1535 }
1536 }
1537 }
1538 }
1540 /*
1541 * Populate each block in BlockMap with a map of the refcount delta for each
1542 * SSATmp. Ideally, we want to maintain the map for every path through the
1543 * trace. However, to avoid the exponential cost, we use a linear-time
1544 * approximation here using an idea similar to Random Interpretation (Gulwani
1545 * and Necula, POPL 2003). The logic for phi-nodes in the approximiation
1546 * considers each predecessor equally likely, and uses the average as the
1547 * incoming ref-count for the phi-node.
1548 */
1560 }
1561 });
1563 }
1564 }
1568 /*
1569 * Validate that orig and opt have the same ref-count deltas for SSATmps in
1570 * each exit block.
1571 */
1576 }
1580 it2++) {
1585 // The optimization does some nontrivial state tracking to keep track
1586 // of $this pointers, so this is probably a false positive.
1588 }
1595 }
1596 }
1597 }
1599 }
1611 });
1624 }
1631 }
1633 }
1641 });
1645 }
1648 }
1650 /* Using the information from SinkPointAnalyzer, sink IncRefs when and where
1651 * appropriate. This pass only removes and inserts IncRef instructions. */
1654 Indent _i;
1660 Indent _i;
1667 Indent _i;
1669 // Eval.HHIRRefcountOptsAlwaysSink allows us to stress test the sinking
1670 // logic.
1673 // There are no sink points for this IncRef. This can only happen if
1674 // the value started out as a maybeCounted type and was refined to a
1675 // notCounted type by an AssertType (if it was refined by a CheckType
1676 // there should be a sink point on the taken branch). In this case
1677 // we'll intentionally delete the IncRef down below without sinking any
1678 // copies anywhere.
1680 }
1682 // For each sink point of this IncRef, check if doing the sink would
1683 // allow us to optimize it. If we find no optimizable sink points, don't
1684 // bother sinking.
1688 // An "erase only" sink point means we've proven that it's safe to
1689 // sink the IncRef to this point but we don't have access to the
1690 // value, probably because the SSATmp was killed by a Call. For now
1691 // we refuse to optimize this case, but it's possible to use this
1692 // sink point as long as we've proven that doing so will eliminte the
1693 // Inc/Dec pair.
1697 }
1702 // If inst is a DecRef that won't go to zero of the same value as the
1703 // IncRef, we're good.
1707 }
1709 // If the current type of the value is more specific than the
1710 // original source of the IncRef, sink it to get a possibly cheaper
1711 // IncRef.
1714 }
1717 };
1721 }
1722 }
1728 }
1731 Indent __i;
1735 }
1751 }
1752 }
1753 }
1755 }
1757 /* If an IncRef of a value is followed immediately by a DecRef of the same
1758 * value that is guaranteed to not destroy the value, erase both
1759 * instructions. */
1773 // We can't erase an IncRef/DecRef pair but we can turn the DecRef into
1774 // the cheaper DecRefNZ.
1778 }
1783 }
1785 }
1787 /* After this pass completes, we don't need the TakeStack/TakeRef instructions
1788 * anymore. This pass converts them to Nop, and dce removes them. */
1794 }
1795 }
1796 }
1797 }
1799 }
1801 /* optimizeRefcounts attempts to remove IncRef/DecRef pairs when we can prove
1802 * that doing so won't alter the visible behavior of the program. It does so in
1803 * three phases:
1804 *
1805 * - Analysis: Each reachable instruction is inspected to determine its effect
1806 * on the refcount of its sources and dests. We keep track of two values for
1807 * each SSATmp: the real count and the optimized count. The real count is a
1808 * lower bound on the refcount of the object, assuming all IncRefs and
1809 * DecRefs are left as is. The optimized count is a lower bound with as many
1810 * IncRefs delayed as possible. When we get to an instruction that consumes a
1811 * reference to one of its sources, we ensure that the delta between
1812 * realCount and optCount won't cause a behavioral difference by logically
1813 * inserting as many IncRefs as needed. This phase doesn't modify the code;
1814 * it just records where the IncRefs may be sunk to.
1815 *
1816 * - IncRef sinking: Using the result of the previous phase, any IncRefs for
1817 * which sinking would enable optimizations are moved to their sink
1818 * points. Depending on the cfg being optimized, this may change the number
1819 * of IncRef instructions present in the trace. The number of IncRefs
1820 * executed in each control flow path will not be modified.
1821 *
1822 * - IncRef/DecRef removal: All of the hard work was done in the first two
1823 * passes, leaving a simple peephole optimization. When an IncRef has been
1824 * pushed down to right before the DecRef consuming its reference and that
1825 * DecRef is guaranteed to not destroy the object, we can delete both
1826 * instructions.
1827 *
1828 * SinkPointAnalyzer verifies that each produced reference is consumed exactly
1829 * once in all paths as it walks through the trace. After the optimization is
1830 * complete, a separate validation pass is run to ensure the net effect on the
1831 * refcount of each object has not changed.
1832 */
1839 }
1844 Indent _i;
1849 BlockMap before;
1852 }
1859 BlockMap after;
1864 }
1865 }
1868 }
1870 } }