| blob | 2a5bcbcd735f34fb95e4c65c1d544a82ce2aa181 |
1 /*
2 +----------------------------------------------------------------------+
3 | HipHop for PHP |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2010-2014 Facebook, Inc. (http://www.facebook.com) |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 */
18 #include <vector>
19 #include <algorithm>
20 #include <string>
21 #include <utility>
23 #include <folly/Optional.h>
24 #include <folly/Format.h>
35 //////////////////////////////////////////////////////////////////////
39 //////////////////////////////////////////////////////////////////////
41 /*
42 * Note: the couldBe comparisons here with sempty() are asking "can this string
43 * be a non-reference counted empty string". What actually matters is whether
44 * it can be an empty string at all. Currently, all reference counted strings
45 * are TStr, which has no values and may also be non-reference
46 * counted---emptiness isn't separately tracked like it is for arrays, so if
47 * anything happened that could make it reference counted this check will
48 * return true.
49 *
50 * This means this code is fine for now, but if we implement #3837503
51 * (non-static strings with values in the type system) it will need to change.
52 */
58 }
64 }
71 //////////////////////////////////////////////////////////////////////
73 /*
74 * Tag indicating what sort of thing contains the current base.
75 *
76 * The base is always the unboxed version of the type, and its
77 * location could be inside of a Ref. So, for example, a base with
78 * BaseLoc::Frame could be located inside of a Ref that is pointed
79 * to by the Frame. (We may want to distinguish these two cases at
80 * some point if we start trying to track real information about
81 * Refs, but not yet.)
82 */
84 /*
85 * Base is in a number of possible places after an Elem op. It
86 * cannot possibly be in an object property (although it certainly
87 * may alias one). See miElem for details. Not all post-elem ops
88 * use this location (see LocalArrChain).
89 *
90 * If it is definitely in an array, the locTy in the Base will be
91 * a subtype of TArr.
92 */
93 PostElem,
95 /*
96 * Base is in possible locations after a Prop op. This means it
97 * possibly lives in a property on an object, but possibly not
98 * (e.g. it could be a null in tvScratch). See miProp for
99 * details.
100 *
101 * If it is definitely known to be a property in an object, the
102 * locTy in the Base will be a subtype of TObj.
103 */
104 PostProp,
106 /*
107 * Known to be a static property on an object. This is only
108 * possible as an initial base.
109 */
110 StaticObjProp,
112 /*
113 * The base is inside of a local that contains a specialized array
114 * type, and the arrayChain is non-empty.
115 *
116 * When the location is set to this, the chain will continue as
117 * long as we keep staying inside specialized array types. If it
118 * moves to something like a ?Arr type, we must leave the chain
119 * when the base moves.
120 */
121 LocalArrChain,
123 /*
124 * Known to be contained in the current frame as a local, as the
125 * frame $this, by the evaluation stack, or inside $GLOBALS. Only
126 * possible as initial bases.
127 */
128 Frame,
129 FrameThis,
130 EvalStack,
131 Global,
133 /*
134 * If we've execute an operation that's known to fatal, we use
135 * this BaseLoc.
136 */
137 Fataled,
138 };
141 Type type;
142 BaseLoc loc;
144 /*
145 * We also need to track effects of intermediate dims on the type
146 * of the base. So we have a type, name, and possibly associated
147 * local for the base's container.
148 *
149 * For StaticObjProp, locName this is the name of the property if
150 * known, or nullptr, and locTy is the type of the class
151 * containing the static property.
152 *
153 * Similarly, if loc is PostProp, locName is the name of the
154 * property if it was known, and locTy gives as much information
155 * about the object type it is in. (If we actually *know* it is
156 * in an object, locTy will be a subtype of TObj.)
157 */
158 Type locTy;
159 SString locName;
161 };
175 }
177 }();
181 locStr,
185 }
189 }
199 {}
201 /*
202 * Return the current MElem. Only valid after the first base has
203 * been processed.
204 */
208 }
210 /*
211 * Return the current MemberCode. Only valid after the first base
212 * has been processed.
213 */
219 /*
220 * The current base. Updated as we move through the vector
221 * instruction.
222 */
223 Base base;
225 /*
226 * Chains of operations on array elements will all affect the type
227 * of something further back in the member instruction. Currently
228 * this is just used for locals. This vector tracks the base,key
229 * type pair that was used at each stage. See resolveArrayChain.
230 */
233 /*
234 * Current index in mcodes vector (or 0 if we still haven't done
235 * the base).
236 */
239 /*
240 * One above next stack slot to read, going forward in the mvec
241 * (deeper to higher on stack).
242 */
244 };
246 //////////////////////////////////////////////////////////////////////
248 /*
249 * A note about bases.
250 *
251 * Generally type inference needs to know two kinds of things about
252 * the base to handle effects on tracked locations:
253 *
254 * - Could the base be a location we're tracking deeper structure
255 * on, so the next operation actually affects something inside
256 * of it. For example, could the base be an object with the
257 * same type as $this, or an array in a local variable.
258 *
259 * - Could the base be something (regardless of type) that is
260 * inside one of the things we're tracking. I.e., the base
261 * might be whatever (an array or a bool or something), but
262 * living inside a property inside an object with the same type
263 * as $this, or living inside of an array in the local frame.
264 *
265 * The first cases apply because final operations are going to
266 * directly affect the type of these elements. The second case is
267 * because vector operations may change the base at each step if it
268 * is a defining instruction.
269 *
270 * Note that both of these cases can apply to the same base in some
271 * cases: you might have an object property on $this that could be
272 * an object of the type of $this.
273 *
274 * The functions below with names "couldBeIn*" detect the second
275 * case. The effects on the tracked location in the second case are
276 * handled in the functions with names "handleIn*{Prop,Elem,..}".
277 * The effects for the first case are generally handled in the
278 * miFinal op functions.
279 *
280 * Control flow insensitive vs. control flow sensitive types:
281 *
282 * Things are also slightly complicated by the fact that we are
283 * analyzing some control flow insensitve types along side precisely
284 * tracked types. For effects on locals, we perform the type
285 * effects of each operation on base.type, and then allow moveBase()
286 * to make the updates to the local when we know what its final type
287 * will be.
288 *
289 * This approach doesn't do as well for possible properties in $this
290 * or self::, because we may see situations where the base could be
291 * one of these properties but we're not sure---perhaps because it
292 * came off a property with the same name on an object with an
293 * unknown type (i.e. base.type is InitCell but couldBeInThis is
294 * true). In these situations, we can get away with just merging
295 * Obj=stdClass into the thisProp (because it 'could' promote)
296 * instead of merging the whole InitCell, which possibly lets us
297 * leave the type at ?Obj in some cases.
298 *
299 * This is why there's two fairly different mechanisms for handling
300 * the effects of defining ops on base types.
301 */
303 //////////////////////////////////////////////////////////////////////
309 }
315 }
319 }
328 }
330 }
336 }
340 }
342 //////////////////////////////////////////////////////////////////////
345 // NullSafe (Q) props do not promote an emptyish base to stdClass instance.
348 }
356 }
358 }
362 });
363 }
366 // NullSafe (Q) props do not promote an emptyish base to stdClass instance.
369 }
378 }
380 }
383 }
386 // NullSafe (Q) props do not promote an emptyish base to stdClass instance.
389 }
401 }
402 }
411 }
413 }
417 });
418 }
427 }
429 }
431 }
433 }
444 // Might be possible to only merge a TArrE, but for now this is ok.
446 }
447 }
449 // Currently NewElem and Elem InFoo effects don't need to do
450 // anything different from each other.
463 }
464 }
472 /*
473 * We need to ensure that the type could become non-static, but since we're
474 * never going to see anything specialized from lookup_public_static the
475 * first time we're running with collect.publicStatics, we can't do much
476 * right now since we don't have a type for the union of all counted types.
477 *
478 * Merging InitCell is correct, but very conservative, for now.
479 */
482 }
484 //////////////////////////////////////////////////////////////////////
486 // MInstrs can throw in between each op, so the states of locals
487 // need to be propagated across factored exit edges.
491 }
492 }
494 //////////////////////////////////////////////////////////////////////
504 );
505 }
507 // Run backwards through an array chain doing array_set operations
508 // to produce the array type that incorporates the effects of any
509 // intermediate defining dims.
514 }
516 }
532 }
537 // Note: these miThrows probably can be left out if base is
538 // folly::none (i.e. we're on the last dim).
545 }
552 }
554 /*
555 * We have a chain in progress, but it's not done. But we still
556 * need to throw any type effects on the local across factored
557 * edges.
558 */
561 }
562 }
564 //////////////////////////////////////////////////////////////////////
566 /*
567 * The following handleBase{Elem,Prop}* functions are used to implement the
568 * 'normal' portion of the effects on base types, which are mostly what are
569 * done by intermediate dims. (Contrast with the handleInXXX{Elem,Prop}
570 * functions, which handle the effects on the type of the thing that's
571 * /containing/ the base.)
572 *
573 * The contract with these functions is that they should handle all the effects
574 * on the base type /except/ for the case of the base being a subtype of
575 * TArr---the caller is responsible for that. The reason for this is that for
576 * tracking effects on specialized array types (e.g. LocalArrChain), the final
577 * ops generally need to do completely different things to the array, so this
578 * allows reuse of this shared part of the type transitions. The
579 * miIntermediate routines must handle subtypes of TArr outside of calls to
580 * this as well.
581 */
586 // We're conservative with unsets on array types for now.
588 }
591 }
592 }
595 // NullSafe (Q) props do not promote an emptyish base to stdClass instance.
598 }
604 }
608 }
609 }
614 // When the base is actually a subtype of array, we handle it in the callers
615 // of these functions.
621 }
622 // Intermediate ElemD operations on strings fatal, unless the
623 // string is empty, which promotes to array. So for any string
624 // here we can assume it promoted to an empty array.
628 }
631 }
633 /*
634 * If the base still couldBe some kind of array (but isn't a subtype of TArr,
635 * which would be handled outside this routine), we need to give up on any
636 * information better than TArr here (or track the effects, but we're not
637 * doing that yet).
638 */
641 }
642 }
646 // Technically we don't need to do TStr case.
647 }
649 //////////////////////////////////////////////////////////////////////
667 }
669 }
671 // Returns nullptr if it's an unknown key or not a string.
675 }
683 }
685 }
687 //////////////////////////////////////////////////////////////////////
688 // base ops
697 TBottom,
699 locBase };
700 }
702 // We're changing the local to define it, but we don't need to do
703 // an miThrow yet---the promotions (to array or stdClass) on
704 // previously uninitialized locals happen before raising warnings
705 // that could throw, so we can wait until the first moveBase.
709 TBottom,
711 locBase };
712 }
722 }
723 }
727 }
729 }
739 {
743 }
745 {
748 }
756 // The first moveBase() on these unknown local bases will cause
757 // a env.loseNonRefLocalTypes.
765 {
769 }
771 {
775 }
779 }
781 }
783 //////////////////////////////////////////////////////////////////////
784 // intermediate ops
792 /*
793 * MIA_unset Props doesn't promote "emptyish" things to stdClass,
794 * or affect arrays, however it can define a property on an object
795 * base. This means we don't need any couldBeInFoo logic, but if
796 * the base could actually be $this, and a declared property could
797 * be Uninit, we need to merge InitNull.
798 *
799 * We're trying to handle this case correctly as far as the type
800 * inference here is concerned, but the runtime doesn't actually
801 * behave this way right now for declared properties. Note that
802 * it never hurts to merge more types than a thisProp could
803 * actually be, so this is fine.
804 *
805 * See TODO(#3602740): unset with intermediate dims on previously
806 * declared properties doesn't define them to null.
807 */
813 }
817 });
818 }
819 }
826 }
835 thisTy,
836 name });
839 }
841 }
843 // We know for sure we're going to be in an object property.
848 name });
850 }
852 /*
853 * Otherwise, intermediate props with define can promote a null, false, or ""
854 * to stdClass. Those cases, and others, if it's not MIA_define, will set
855 * the base to a null value in tvScratch. The base may also legitimately be
856 * an object and our next base is in an object property.
857 *
858 * If we know for sure we're promoting to stdClass, we can put the locType
859 * pointing at that. Otherwise we conservatively treat all these cases as
860 * "possibly" being inside of an object property with "PostProp" with locType
861 * TTop.
862 */
869 }
876 /*
877 * Elem dims with MIA_unset can change a base from a static array
878 * into a reference counted array. It never promotes emptyish
879 * types, however.
880 *
881 * We only need to handle this for self props, because we don't
882 * track static-ness on this props. The similar effect on local
883 * bases is handled in miBase.
884 */
889 }
903 TBottom,
907 }
908 }
915 }
919 }
921 /*
922 * Other cases could leave the base as anything (if nothing else,
923 * via ArrayAccess on an object).
924 *
925 * The resulting BaseLoc is either inside an array, is the global
926 * init_null_variant, or inside tvScratch. We represent this with
927 * the PostElem base location with locType TTop.
928 */
930 }
936 }
950 TBottom,
954 }
959 }
962 }
968 }
970 //////////////////////////////////////////////////////////////////////
971 // final prop ops
980 }
981 }
983 }
991 }
992 }
994 }
1008 }
1009 }
1011 }
1030 }
1032 });
1035 }
1039 }
1042 }
1060 }
1061 }
1067 }
1068 }
1071 }
1085 }
1086 }
1088 }
1103 }
1104 }
1106 }
1112 /*
1113 * Unset does define intermediate dims but with slightly different
1114 * rules than sets. It only applies to object properties.
1115 *
1116 * Note that this can't affect self props, because static
1117 * properties can never be unset. It also can't change anything
1118 * about an inner array type.
1119 */
1127 }
1128 }
1129 }
1131 //////////////////////////////////////////////////////////////////////
1132 // Final elem ops
1134 // This is a helper for final defining Elem operations that need to
1135 // handle array chains and frame effects, but don't yet do anything
1136 // better than supplying a single type.
1141 }
1146 }
1147 }
1148 }
1158 }
1169 }
1180 // Note: we must handle the string-related cases before doing the
1181 // general handleBaseElemD, since operates on strings as if this
1182 // was an intermediate ElemD.
1188 // Note here that a string type stays a string (with a changed character,
1189 // and loss of staticness), unless it was the empty string, where it
1190 // becomes an array. Do it conservatively for now:
1192 }
1195 }
1196 }
1198 /*
1199 * In some unusual cases with illegal keys, SetM pushes null
1200 * instead of the right hand side.
1201 *
1202 * There are also some special cases for SetM for different base types:
1203 * 1. If the base is a string, SetM pushes a new string with the
1204 * value of the first character of the right hand side converted
1205 * to a string (or something like that).
1206 * 2. If the base is a primitive type, SetM pushes null.
1207 * 3. If the base is an object, and it does not implement ArrayAccess,
1208 * it is still ok to push the right hand side, because it is a
1209 * fatal.
1210 *
1211 * We push the right hand side on the stack only if the base is an
1212 * array, object or emptyish.
1213 */
1224 }
1231 }
1232 }
1234 // ArrayAccess on $this will always push the rhs, even if things
1235 // were weird.
1239 }
1251 }
1262 }
1274 }
1282 // We don't handle inner-array types with unset yet.
1286 }
1287 }
1289 //////////////////////////////////////////////////////////////////////
1290 // Final new elem ops
1292 // This is a helper for final defining Elem operations that need to
1293 // handle array chains and frame effects, but don't yet do anything
1294 // better than supplying a single type.
1299 }
1304 }
1305 }
1315 }
1329 }
1335 }
1337 // ArrayAccess on $this will always push the rhs.
1340 // TODO(#3343813): we should push the type of the rhs when we can;
1341 // SetM for a new elem still has some weird cases where it pushes
1342 // null instead to handle. (E.g. if the base is a number.)
1344 }
1355 }
1365 }
1376 }
1378 //////////////////////////////////////////////////////////////////////
1381 // Same thing for now for props and elems, regardless of the base.
1382 // MW would be a fatal.
1386 }
1390 // Elem case (MW would be a fatal):
1394 }
1399 // MW is a fatal.
1403 }
1405 }
1411 }
1417 }
1423 }
1429 }
1435 }
1440 // The MW case is a fatal.
1442 }
1451 }
1461 }
1463 //////////////////////////////////////////////////////////////////////
1476 }
1479 // If the final operation was either a define, a NewElem, or an
1480 // unset, there may be pending effects in local array chains or on
1481 // local types, so we need to move the base one last time. The
1482 // other cases should have no effects here.
1484 }
1486 //////////////////////////////////////////////////////////////////////
1488 }
1490 #define MII(m, ...) \
1491 void minstr(ISS& env, const bc::m##M& op) { \
1492 miImpl(env, op, getMInstrInfo(Op::m##M), op.mvec); \
1493 }
1494 MINSTRS
1495 #undef MII
1497 //////////////////////////////////////////////////////////////////////
1499 }}