| blob | a31c2be87d1fa3af0051bec870600c653cbb518f |
1 /*
2 +----------------------------------------------------------------------+
3 | HipHop for PHP |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2010-present Facebook, Inc. (http://www.facebook.com) |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 */
28 #include <folly/Optional.h>
37 ) {
44 // This can happen when ptr is TBottom from a passthrough instruction with
45 // a src that isn't TBottom. The most common cause of this is something
46 // like "t5:Bottom = CheckType<Str> t2:Int". It means ptr isn't really a
47 // pointer, so return AEmpty to avoid unnecessarily pessimizing any
48 // optimizations.
51 }
57 }
61 }
63 // For phis, union all incoming values, taking care to not recurse infinitely
64 // in the presence of loops.
68 }
79 }
86 });
88 }
97 };
98 }
100 }
106 };
107 }
109 }
114 AProp {
117 }
118 };
119 }
121 }
126 }
128 // nullptr tvRef pointer, representing an instruction that doesn't use
129 // it.
131 }
133 }
144 }
148 }
150 };
155 }
157 // The result of ElemArray{,W,U} is either the address of an array element,
158 // or &immutable_null_base.
162 // Takes a PtrToGen as its first operand, so we can't easily grab an array
163 // base.
166 }
168 // These instructions can only get at tvRef when given it as a
169 // src. Otherwise they can only return pointers to properties or
170 // &immutable_null_base.
177 );
182 }
183 }();
185 }
187 // Like the Prop* instructions, but for array elements. These could also
188 // return pointers to collection elements but those don't exist in
189 // AliasClass yet.
196 );
201 }
202 }();
204 }
207 }
210 }();
215 /*
216 * None of the above worked, so try to make the smallest union we can based
217 * on the pointer type.
218 */
228 }
230 //////////////////////////////////////////////////////////////////////
237 }
238 }
240 }
242 // Return an AliasClass containing all locations pointed to by any MemToGen
243 // sources to an instruction.
246 }
248 // Return an AliasClass representing a range of the eval stack that contains
249 // everything below a logical depth.
253 }
255 //////////////////////////////////////////////////////////////////////
257 /*
258 * Helper functions for alias classes representing an ActRec on the stack
259 * (whether pre-live or live).
260 */
262 // Return an AliasClass representing an entire ActRec at base + offset.
265 base,
266 // The offset is the bottom of where the ActRec is stored, but AliasClass
267 // needs an offset to the highest cell.
270 };
271 }
273 // Return an AliasClass representing just the context field of an ActRec at base
274 // + offset.
277 }
279 // Return AliasClass representing just the func field of an ActRec at base +
280 // offset.
283 }
294 }();
298 }
300 //////////////////////////////////////////////////////////////////////
302 // Determine an AliasClass representing any locals in the instruction's frame
303 // which might be accessed via debug_backtrace().
314 }
318 }();
320 // Either there's no func or no frame-pointer. Either way, be conservative and
321 // assume anything can be read. This can happen in test code, for instance.
325 // The 86metadata variable can also exist in a VarEnv, but accessing that is
326 // considered a heap effect, so we can ignore it.
330 };
338 // First non param local contains reified generics
341 }
344 // There is no way to access the SSATmp for ObjectData of `this` here,
345 // so be very pessimistic
347 }
353 }
355 /////////////////////////////////////////////////////////////////////
357 /*
358 * Modify a GeneralEffects to take potential VM re-entry into account. This
359 * affects may-load, may-store, and kills information for the instruction. The
360 * GeneralEffects should already contain AHeapAny in both loads and stores if
361 * it affects those locations for reasons other than re-entry, but does not
362 * need to if it doesn't.
363 *
364 * For loads, we need to take into account any locals potentially accessed by
365 * debug_backtrace().
366 *
367 * For kills, locations on the eval stack below the re-entry depth should all
368 * be added.
369 *
370 * Important note: because of the `kills' set modifications, an instruction may
371 * not report that it can re-enter if it actually can't. The reason this can
372 * go wrong is that if the instruction was in an inlined function, if we've
373 * removed the DefInlineFP its spOff will not be meaningful (unless it's a
374 * DecRef instruction, which we explicitly adjust in dce.cpp). In this case
375 * the `kills' set will refer to the wrong stack locations. In general this
376 * means instructions that can re-enter must have catch traces---but a few
377 * other instructions are exceptions, either since they are not allowed in
378 * inlined functions or because they take the (possibly-inlined) FramePtr as a
379 * source.
380 */
385 ReleaseVVAndSkip,
386 LIterInit,
387 LIterInitK,
388 LIterNext,
389 LIterNextK,
390 IterFree,
391 GenericRetDecRefs,
392 MemoSetStaticCache,
393 MemoSetLSBCache,
394 MemoSetInstanceCache,
395 MemoSetStaticValue,
396 MemoSetLSBValue,
397 MemoSetInstanceValue);
399 may_reenter_is_ok,
401 inst
402 );
404 /*
405 * We want to union `killed_stack' into whatever else the instruction already
406 * said it must kill, but if we end up with an unrepresentable AliasClass we
407 * can't return a set that's too big (the `kills' set is unlike the other
408 * AliasClasses in GeneralEffects in that means it kills /everything/ in the
409 * set, since it's must-information).
410 *
411 * If we can't represent the union, just take the stack, in part because we
412 * have some debugging asserts about this right now---but also nothing
413 * actually uses may_reenter with a non-AEmpty kills at the time of this
414 * writing anyway.
415 */
422 );
425 }();
431 new_kills
432 };
433 }
435 //////////////////////////////////////////////////////////////////////
439 }
442 AliasClass stores,
443 AliasClass kill) {
445 }
448 AliasClass stores,
449 AliasClass move) {
452 }
454 //////////////////////////////////////////////////////////////////////
456 /*
457 * Helper for iterator instructions. They all affect some locals, but are
458 * otherwise the same.
459 *
460 * N.B. Currently the memory for frame iterator slots is not part of the
461 * AliasClass lattice, since we never really manipulate them from the TC yet,
462 * so we don't report the effect these instructions have on it.
463 */
466 AliasClass locals) {
472 inst,
476 AMIStateAny
477 )
478 );
479 }
481 /*
482 * Construct effects for InterpOne, using the information in its extra data.
483 *
484 * We always consider an InterpOne as potentially doing anything to the heap,
485 * potentially re-entering, potentially raising warnings in the current frame,
486 * potentially reading any locals, and potentially reading/writing any stack
487 * location that isn't below the bottom of the stack.
488 *
489 * The extra data for the InterpOne comes with some additional information
490 * about which local(s) it may modify, which is all we try to be more precise
491 * about right now.
492 */
502 }
503 }
513 }
514 }
525 }
528 }
530 ////////////////////////////////////////////////////////////////////////////////
532 /*
533 * Construct effects for member instructions that take &tvRef as their last
534 * argument.
535 *
536 * These instructions never load tvRef, but they might store to it.
537 */
558 }
563 }
566 }
568 //////////////////////////////////////////////////////////////////////
579 }
581 }();
586 AMIStatePropS
587 );
588 }
590 //////////////////////////////////////////////////////////////////////
595 //////////////////////////////////////////////////////////////////////
596 // Region exits
598 // These exits don't leave the current php function, and could head to code
599 // that could read or write anything as far as we know (including frame
600 // locals).
603 AUnknown,
605 };
608 AUnknown,
610 };
613 AUnknown,
615 };
618 AUnknown,
622 };
625 AUnknown,
629 };
631 //////////////////////////////////////////////////////////////////////
632 // Unusual instructions
634 /*
635 * The ReturnHook sets up the ActRec so the unwinder knows everything is
636 * already released (i.e. it calls ar->setLocalsDecRefd()).
637 *
638 * The eval stack is also dead at this point (the return value is passed to
639 * ReturnHook as src(1), and the ReturnHook may not access the stack).
640 */
642 // Note, this instruction can re-enter, but doesn't need the may_reenter()
643 // treatmeant because of the special kill semantics for locals and stack.
647 );
649 // The suspend hooks can load anything (re-entering the VM), but can't write
650 // to frame locals.
656 // TODO: may-load here probably doesn't need to include AFrameAny normally.
660 /*
661 * If we're returning from a function, it's ReturnEffects. The RetCtrl
662 * opcode also suspends resumables, which we model as having any possible
663 * effects.
664 */
667 // Suspending can go anywhere, and doesn't even kill locals.
669 }
672 };
679 // Suspending can go anywhere, and doesn't even kill locals.
683 /*
684 * The may-store information here is AUnknown: even though we know it
685 * doesn't really "store" to the frame locals, the values that used to be
686 * there are no longer available because they are DecRef'd, which we are
687 * required to report as may-store information to make it visible to
688 * reference count optimizations. It's conceptually the same as if it was
689 * storing an Uninit over each of the locals, but the stores of uninits
690 * would be dead so we're not actually doing that.
691 */
699 );
701 AUnknown,
703 };
704 }
706 /*
707 * DefInlineFP has some special treatment here.
708 *
709 * It's logically `publishing' a pointer to a pre-live ActRec, making it
710 * live. It doesn't actually load from this ActRec, but after it's done this
711 * the set of things that can load from it is large enough that the easiest
712 * way to model this is to consider it as a load on behalf of `publishing'
713 * the ActRec. Once it's published, it's a live activation record, and
714 * doesn't get written to as if it were a stack slot anymore (we've
715 * effectively converted AStack locations into a frame until the
716 * InlineReturn).
717 *
718 * Note: We may push the publishing of the inline frame below the start of
719 * the inline function so that we can avoid spilling the inline frame in the
720 * common case. Because of this we cannot add the stack positions within the
721 * inline function to the kill set here as they may be live having been stored
722 * on the main trace.
723 *
724 * TODO(#3634984): Additionally, DefInlineFP is marking may-load on all the
725 * locals of the outer frame. This is probably not necessary anymore, but we
726 * added it originally because a store sinking prototype needed to know it
727 * can't push StLocs past a DefInlineFP, because of reserved registers.
728 * Right now it's just here because we need to think about and test it before
729 * removing that set.
730 */
741 /*
742 * Notice that the stack positions and frame locals described here are
743 * exactly the set of alias locations that are about to be overlapping
744 * inside the inlined frame. Likewise, ClsRefSlots from the caller and the
745 * callee are about to be jumbled.
746 */
748 }
750 /*
751 * BeginInlining is similar to DefInlineFP, however, it must always be the
752 * first instruction in the inlined call and has no effect serving only as
753 * a marker to memory effects that the stack cells within the inlined call
754 * are now dead.
755 *
756 * Unlike DefInlineFP it does not load the SpillFrame, which we hope to push
757 * off the main trace or elide entirely.
758 */
760 /*
761 * SP relative offset of the first non-frame cell within the inlined call.
762 */
765 AEmpty,
766 AEmpty,
767 /*
768 * This prevents stack slots from the caller from being sunk into the
769 * callee. Note that some of these stack slots overlap with the frame
770 * locals of the callee-- those slots are inacessible in the inlined
771 * call as frame and stack locations may not alias.
772 */
774 );
775 }
780 }
788 }
793 // This instruction doesn't actually load but SpillFrame cannot be pushed
794 // past it
796 }
802 AUnknown,
804 };
809 // NB: on the failure path, these C++ helpers do a fixup and read frame
810 // locals before they throw. They can also invoke the user error handler and
811 // go do whatever they want to non-frame locations.
812 //
813 // TODO(#5372569): if we combine dv inits into the same regions we could
814 // possibly avoid storing KindOfUninits if we modify this.
819 // VerifyParamFail might coerce the parameter to the desired type rather than
820 // throwing.
825 }
830 }
831 // However the following ones can't read locals from our frame on the way
832 // out, except as a side effect of raising a warning.
837 // In PHP 7 VerifyRetFail can coerce the return type in weak files-- even in
838 // a strict file we may still coerce int to float. This is not true of HH
839 // files.
848 }
859 {
862 // Kills. Everything on the stack below the incoming parameters.
864 // Stack. The act-rec, incoming parameters, and everything below.
869 ),
870 // Locals.
872 // Callee.
874 };
875 }
878 {
881 // Kills. Everything on the stack below the sent value.
883 // Stack. The value being sent, and everything below.
885 // Locals.
887 // Callee. Stored inside the generator object, not used by ContEnter.
888 AEmpty
889 };
890 }
893 {
896 // Kills. Everything on the stack below the incoming parameters.
898 // Stack. The act-rec, incoming parameters, and everything below.
903 ),
904 // Locals.
906 // Callee.
908 };
909 }
912 {
920 }
921 }
922 }
924 }();
927 AEmpty,
928 AMIStateAny
929 );
930 }
932 // Resumable suspension takes everything from the frame and moves it into the
933 // heap.
944 return nlocals
947 }();
953 }();
956 AHeapAny,
957 frame | clsrefs
958 );
959 }
961 // AGWH construction updates the AsyncGenerator object.
966 {
970 AliasIdSet {
972 }
973 };
975 }
978 {
982 AliasIdSet {
984 }
985 };
987 }
989 // This re-enters to call extension-defined instance constructors.
993 // Closures don't ever throw or reenter on construction
1005 //////////////////////////////////////////////////////////////////////
1006 // Iterator instructions
1012 inst,
1015 );
1018 inst,
1021 );
1026 {
1030 }
1033 {
1037 }
1042 //////////////////////////////////////////////////////////////////////
1043 // Instructions that explicitly manipulate locals
1049 };
1052 {
1058 }
1060 }
1067 // Note: LdLocPseudoMain is both a guard and a load, so it must not be a
1068 // PureLoad.
1071 AEmpty
1072 );
1075 // This can store to globals or locals, but we don't have globals supported
1076 // in AliasClass yet.
1079 //////////////////////////////////////////////////////////////////////
1080 // Instructions that manipulate class-ref slots
1085 };
1090 };
1096 };
1102 };
1108 );
1114 );
1116 //////////////////////////////////////////////////////////////////////
1117 // Pointer-based loads and stores
1124 // TODO(#5962341): These take non-constant offset arguments, and are
1125 // currently only used for collections and class property inits, so we aren't
1126 // hooked up yet.
1130 ? AHeapAny
1133 };
1137 ? AHeapAny
1138 : AUnknown
1139 };
1154 {
1157 }
1170 AEmpty
1171 );
1174 AEmpty,
1176 );
1180 AHeapAny,
1182 );
1186 AHeapAny,
1188 );
1194 //////////////////////////////////////////////////////////////////////
1195 // Object/Ref loads/stores
1208 // Writes to memo slots, but these are not modeled.
1211 // Loads $obj->trace, stores $obj->file and $obj->line.
1215 //////////////////////////////////////////////////////////////////////
1216 // Array loads and stores
1222 };
1230 };
1231 }
1234 {
1240 };
1242 }
1245 {
1246 // NewKeysetArray is reading elements from the stack, but writes to a
1247 // completely new array, so we can treat the store set as empty.
1253 };
1255 }
1260 {
1261 // NewStructArray is reading elements from the stack, but writes to a
1262 // completely new array, so we can treat the store set as empty.
1268 };
1270 }
1273 {
1279 };
1281 }
1285 // Only reads the memo value (which isn't modeled here).
1291 // Writes to the memo value (which isn't modeled), but can re-enter to run
1292 // a destructor.
1299 // Reads some (non-zero) set of locals for keys, and reads/writes from the
1300 // memo cache (which isn't modeled). The set can re-enter to run a
1301 // destructor.
1307 AliasIdSet{
1311 }
1312 }
1313 };
1314 }
1321 };
1322 }();
1327 }
1329 }
1333 // Reads some set of locals for keys, and reads/writes from the memo cache
1334 // (which isn't modeled). The set can re-enter to run a destructor.
1337 // Unlike MemoGet/SetStaticCache, we can have an empty key range here.
1343 AliasIdSet{
1347 }
1348 }
1349 };
1350 }
1357 };
1358 }();
1362 }
1373 };
1374 }
1378 };
1379 }
1381 }
1391 }
1397 AEmpty);
1398 }
1400 }
1457 AEmpty);
1462 //////////////////////////////////////////////////////////////////////
1463 // Member instructions
1468 /*
1469 * Various minstr opcodes that take a PtrToGen in src 0, which may or may not
1470 * point to a frame local or the evaluation stack. Some may read or write to
1471 * that pointer while some only read. They can all re-enter the VM and access
1472 * arbitrary heap locations.
1473 */
1483 AHeapAny,
1484 AMIStatePropS
1485 );
1497 /*
1498 * SetRange behaves like a simpler version of SetElem.
1499 */
1505 AMIStatePropS
1506 );
1520 // Right now we generally can't limit any of these better than general
1521 // re-entry rules, since they can raise warnings and re-enter.
1525 AMIStatePropS
1526 );
1531 /*
1532 * Intermediate minstr operations. In addition to a base pointer like the
1533 * operations above, these may take a pointer to MInstrState::tvRef, which
1534 * they may store to (but not read from).
1535 */
1544 /*
1545 * Collection accessors can read from their inner array buffer, but stores
1546 * COW and behave as if they only affect collection memory locations. We
1547 * don't track those, so it's returning AEmpty for now.
1548 */
1560 AProp {
1563 },
1564 AEmpty
1565 );
1569 AEmpty
1570 );
1572 //////////////////////////////////////////////////////////////////////
1573 // Instructions that allocate new objects, without reading any other memory
1574 // at all, so any effects they have on some types of memory locations we
1575 // track are isolated from anything else we care about.
1598 // AllocObj re-enters to call constructors, but if it weren't for that we
1599 // could ignore its loads and stores since it's a new object.
1602 // Similar to AllocObj but also stores the reification
1605 //////////////////////////////////////////////////////////////////////
1606 // Instructions that explicitly manipulate the stack.
1611 };
1617 };
1620 // Technically these writes affect the caller's stack, but there is no way
1621 // to actually observe them from within the callee. They can also only
1622 // occur once on any exit path from a function.
1626 {
1633 };
1634 }
1639 AEmpty
1640 );
1642 // The following may re-enter, and also deal with a stack slot.
1644 {
1647 };
1649 }
1652 {
1656 }
1658 }
1663 };
1667 };
1672 AEmpty
1673 );
1678 AEmpty
1679 );
1682 // Unreachable code kills every memory location.
1691 };
1693 }
1695 //////////////////////////////////////////////////////////////////////
1696 // Instructions that never read or write memory locations tracked by this
1697 // module.
1838 AProp {
1841 },
1843 };
1845 //////////////////////////////////////////////////////////////////////
1846 // Instructions that technically do some things w/ memory, but not in any way
1847 // we currently care about. They however don't return IrrelevantEffects
1848 // because we assume (in refcount-opts) that IrrelevantEffects instructions
1849 // can't even inspect Countable reference count fields, and several of these
1850 // can. All GeneralEffects instructions are assumed to possibly do so.
1993 // Some that touch memory we might care about later, but currently don't:
2006 //////////////////////////////////////////////////////////////////////
2007 // Instructions that can re-enter the VM and touch most heap things. They
2008 // also may generally write to the eval stack below an offset (see
2009 // alias-class.h above AStack for more).
2012 {
2014 // It could decref the inner ref.
2018 // TKeyset can't re-enter, but it will decref any contained
2019 // strings. Without this, an incref of a string contained in
2020 // a Keyset could be sunk past the decref of the Keyset.
2022 }
2023 // Need to add affected to the `store' set. See comments about
2024 // `GeneralEffects' in memory-effects.h.
2029 // Could re-enter to run a destructor. Keysets are exempt because they
2030 // can only contain strings or integers.
2032 }
2034 }
2044 {
2045 AliasClass effects =
2048 }
2051 {
2052 AliasClass effects =
2055 }
2059 {
2060 AliasClass effects =
2063 }
2242 // debug_backtrace() traverses stack and WaitHandles on the heap.
2247 // This instruction doesn't touch memory we track, except that it may
2248 // re-enter to construct php Exception objects. During this re-entry anything
2249 // can happen (e.g. a surprise flag check could cause a php signal handler to
2250 // run arbitrary code).
2254 //////////////////////////////////////////////////////////////////////
2255 // The following instructions are used for debugging memory optimizations.
2256 // We can't ignore them, because they can prevent future optimizations;
2257 // eg t1 = LdStk<N>; DbgTrashStk<N>; StStk<N> t1
2258 // If we ignore the DbgTrashStk it looks like the StStk is redundant
2264 };
2269 };
2274 };
2278 //////////////////////////////////////////////////////////////////////
2280 }
2283 }
2285 //////////////////////////////////////////////////////////////////////
2290 };
2295 "Non frame pointer in memory effects"
2296 );
2297 };
2302 "Non obj pointer in memory effects"
2303 );
2304 };
2311 };
2314 me,
2321 // Locations may-moved always should also count as may-loads.
2325 // Any instruction that can raise an error can run a user error handler
2326 // and have arbitrary effects on the heap.
2329 /*
2330 * They also ought to kill /something/ on the stack, because of
2331 * possible re-entry. It's not incorrect to leave things out of the
2332 * kills set, but this assertion is here because we shouldn't do it on
2333 * purpose, so this is here until we have a reason not to assert it.
2334 *
2335 * The mayRaiseError instructions should all be going through
2336 * may_reenter right now, which will kill the stack below the re-entry
2337 * depth---unless the marker for `inst' doesn't have an fp set.
2338 */
2341 }
2342 },
2363 );
2366 }
2368 //////////////////////////////////////////////////////////////////////
2370 }
2375 // These instructions have special handling because they occur as functions
2376 // suspend or return. Their ability to reenter is handled in
2377 // memory_effects_impl, and comments in that function explain why.
2379 ReturnHook,
2380 SuspendHookAwaitEF,
2381 SuspendHookAwaitEG,
2382 SuspendHookAwaitR,
2383 SuspendHookCreateCont,
2384 SuspendHookYield
2385 );
2392 "Instruction {} has effects {}, but has been marked as MayRaiseError "
2394 inst,
2396 );
2398 };
2400 // Calls are implicitly MayRaise, all other instructions must use the
2401 // GeneralEffects or UnknownEffects class of memory effects
2403 inner,
2415 );
2416 }();
2419 }
2423 }
2425 //////////////////////////////////////////////////////////////////////
2430 me,
2437 };
2438 },
2441 },
2444 },
2450 };
2451 },
2454 },
2460 };
2461 },
2467 };
2468 },
2475 };
2476 },
2479 },
2482 );
2483 }
2485 //////////////////////////////////////////////////////////////////////
2490 effects,
2497 );
2498 },
2501 },
2507 );
2508 },
2514 );
2515 },
2522 );
2523 },
2529 );
2530 },
2536 );
2537 }
2539 //////////////////////////////////////////////////////////////////////
2546 };
2547 }
2549 //////////////////////////////////////////////////////////////////////
2551 }}