/**
* Trace back to the guard that provided the type of val, if
* any. Constrain it so its type will not be relaxed beyond the given
* DataTypeCategory. Always returns val, for convenience.
*/
SSATmp* TraceBuilder::constrainValue(SSATmp* const val, DataTypeCategory cat) {
if (!val) {
FTRACE(1, "constrainValue(nullptr, {}), bailing\n", cat);
return nullptr;
}
FTRACE(1, "constrainValue({}, {})\n", *val->inst(), cat);
// If cat is DataTypeGeneric, there's nothing to do.
if (cat == DataTypeGeneric) return val;
auto inst = val->inst();
if (inst->op() == LdLoc || inst->op() == LdLocAddr) {
// We've hit a LdLoc(Addr). If the source of the value is non-null and not
// a FramePtr, it's a real value that was killed by a Call. The value won't
// be live but it's ok to use it to track down the guard.
auto source = inst->extra<LdLocData>()->valSrc;
if (!source) {
// val was newly created in this trace. Nothing to constrain.
FTRACE(2, " - valSrc is null, bailing\n");
return val;
}
// If valSrc is a FramePtr, it represents the frame the value was
// originally loaded from. Look for the guard for this local.
if (source->isA(Type::FramePtr)) {
constrainLocal(inst->extra<LocalId>()->locId, source, cat,
"constrainValue");
return val;
}
// Otherwise, keep chasing down the source of val.
constrainValue(source, cat);
} else if (inst->op() == LdStack) {
constrainStack(inst->src(0), inst->extra<StackOffset>()->offset, cat);
} else if (inst->op() == CheckType) {
// Constrain this CheckType and keep going on its source value, in case
// there are more guards to constrain.
constrainGuard(inst, cat);
constrainValue(inst->src(0), cat);
} else if (inst->op() == StRef || inst->op() == StRefNT) {
// TODO(t2598894): This can be tightened up. As a conservative
// approximation, pass the constraint through to the source of the value.
constrainValue(inst->src(1), cat);
} else if (inst->isPassthrough()) {
constrainValue(inst->getPassthroughValue(), cat);
} else {
// Any instructions not special cased above produce a new value, so
// there's no guard for us to constrain.
FTRACE(2, " - value is new in this trace, bailing\n");
}
return val;
}
void TraceBuilder::constrainLocal(uint32_t locId, SSATmp* valSrc,
DataTypeCategory cat,
const std::string& why) {
FTRACE(1, "constrainLocal({}, {}, {}, {})\n",
locId, valSrc ? valSrc->inst()->toString() : "null", cat, why);
if (!valSrc) return;
if (!valSrc->isA(Type::FramePtr)) {
constrainValue(valSrc, cat);
return;
}
// When valSrc is a FramePtr, that means we loaded the value the local had
// coming into the trace. Trace through the FramePtr chain, looking for a
// guard for this local id. If we find it, constrain the guard. If we don't
// find it, there wasn't a guard for this local so there's nothing to
// constrain.
for (auto fpInst = valSrc->inst();
fpInst->op() != DefFP && fpInst->op() != DefInlineFP;
fpInst = fpInst->src(0)->inst()) {
FTRACE(2, " - fp = {}\n", *fpInst);
assert(fpInst->dst()->isA(Type::FramePtr));
auto instLoc = [fpInst]{ return fpInst->extra<LocalId>()->locId; };
switch (fpInst->op()) {
case GuardLoc:
case CheckLoc:
if (instLoc() != locId) break;
FTRACE(2, " - found guard to constrain\n");
constrainGuard(fpInst, cat);
return;
case AssertLoc:
if (instLoc() != locId) break;
// If the refined the type of the local satisfies the constraint we're
// trying to apply, we can stop here. This can happen if we assert a
// more general type than what we already know. Otherwise we need to
// keep tracing back to the guard.
if (typeFitsConstraint(fpInst->typeParam(), cat)) return;
break;
case FreeActRec:
always_assert(0 && "Attempt to read a local after freeing its frame");
default:
not_reached();
}
}
FTRACE(2, " - no guard to constrain\n");
}
void TraceBuilder::constrainStack(SSATmp* sp, int32_t idx,
DataTypeCategory cat) {
FTRACE(1, "constrainStack({}, {}, {})\n", *sp->inst(), idx, cat);
assert(sp->isA(Type::StkPtr));
// We've hit a LdStack. Use getStackValue to find the instruction that gave
// us the type of the stack element. If it's a GuardStk or CheckStk, it's our
// target. If it's anything else, the value is new so there's no guard to
// relax.
auto typeSrc = getStackValue(sp, idx).typeSrc;
FTRACE(1, " - typeSrc = {}\n", *typeSrc);
if (typeSrc->op() == GuardStk || typeSrc->op() == CheckStk) {
constrainGuard(typeSrc, cat);
}
}
bool IRBuilder::constrainStack(SSATmp* sp, int32_t idx,
TypeConstraint tc) {
if (!shouldConstrainGuards()) return false;
FTRACE(1, "constrainStack({}, {}, {})\n", *sp->inst(), idx, tc);
assert(sp->isA(Type::StkPtr));
// We've hit a LdStack. If getStackValue gives us a value, recurse on
// that. Otherwise, look at the instruction that gave us the type of the
// stack element. If it's a GuardStk or CheckStk, it's our target. If it's
// anything else, the value is new so there's no guard to relax.
auto stackInfo = getStackValue(sp, idx);
if (stackInfo.value) {
FTRACE(1, " - value = {}\n", *stackInfo.value->inst());
return constrainValue(stackInfo.value, tc);
} else {
auto typeSrc = stackInfo.typeSrc;
FTRACE(1, " - typeSrc = {}\n", *typeSrc);
return typeSrc->is(GuardStk, CheckStk) && constrainGuard(typeSrc, tc);
}
}
bool IRBuilder::constrainLocal(uint32_t locId, SSATmp* typeSrc,
TypeConstraint tc,
const std::string& why) {
if (!shouldConstrainGuards()) return false;
always_assert(IMPLIES(tc.innerCat > DataTypeGeneric,
tc.category >= DataTypeCountness));
ITRACE(1, "constrainLocal({}, {}, {}, {})\n",
locId, typeSrc ? typeSrc->inst()->toString() : "null", tc, why);
Indent _i;
if (!typeSrc) return false;
if (!typeSrc->isA(Type::FramePtr)) {
return constrainValue(typeSrc, tc);
}
// When typeSrc is a FramePtr, that means we loaded the value the local had
// coming into the trace. Trace through the FramePtr chain, looking for a
// guard for this local id. If we find it, constrain the guard. If we don't
// find it, there wasn't a guard for this local so there's nothing to
// constrain.
auto guard = guardForLocal(locId, typeSrc);
while (guard) {
if (guard->is(AssertLoc)) {
// If the refined type of the local satisfies the constraint we're
// trying to apply, we can stop here. This can happen if we assert a
// more general type than what we already know. Otherwise we need to
// keep tracing back to the guard.
if (typeFitsConstraint(guard->typeParam(), tc)) return false;
guard = guardForLocal(locId, guard->src(0));
} else {
assert(guard->is(GuardLoc, CheckLoc));
ITRACE(2, "found guard to constrain\n");
return constrainGuard(guard, tc);
}
}
ITRACE(2, "no guard to constrain\n");
return false;
}
void TraceBuilder::constrainLocal(uint32_t locId, SSATmp* valSrc,
TypeConstraint tc,
const std::string& why) {
if (!shouldConstrainGuards()) return;
FTRACE(1, "constrainLocal({}, {}, {}, {})\n",
locId, valSrc ? valSrc->inst()->toString() : "null", tc, why);
if (!valSrc) return;
if (!valSrc->isA(Type::FramePtr)) {
constrainValue(valSrc, tc);
return;
}
// When valSrc is a FramePtr, that means we loaded the value the local had
// coming into the trace. Trace through the FramePtr chain, looking for a
// guard for this local id. If we find it, constrain the guard. If we don't
// find it, there wasn't a guard for this local so there's nothing to
// constrain.
auto guard = guardForLocal(locId, valSrc);
while (guard) {
if (guard->is(AssertLoc)) {
// If the refined the type of the local satisfies the constraint we're
// trying to apply, we can stop here. This can happen if we assert a
// more general type than what we already know. Otherwise we need to
// keep tracing back to the guard.
if (typeFitsConstraint(guard->typeParam(), tc.category)) return;
guard = guardForLocal(locId, guard->src(0));
} else {
assert(guard->is(GuardLoc, AssertLoc));
FTRACE(2, " - found guard to constrain\n");
constrainGuard(guard, tc);
return;
}
}
FTRACE(2, " - no guard to constrain\n");
}
/**
* Trace back to the guard that provided the type of val, if
* any. Constrain it so its type will not be relaxed beyond the given
* DataTypeCategory. Returns true iff one or more guard instructions
* were constrained.
*/
bool IRBuilder::constrainValue(SSATmp* const val,
TypeConstraint tc) {
if (!shouldConstrainGuards()) return false;
if (!val) {
FTRACE(1, "constrainValue(nullptr, {}), bailing\n", tc);
return false;
}
FTRACE(1, "constrainValue({}, {})\n", *val->inst(), tc);
auto inst = val->inst();
if (inst->is(LdLoc, LdLocAddr)) {
// We've hit a LdLoc(Addr). If the source of the value is non-null and not
// a FramePtr, it's a real value that was killed by a Call. The value won't
// be live but it's ok to use it to track down the guard.
auto source = inst->extra<LocalData>()->typeSrc;
if (!source) {
// val was newly created in this trace. Nothing to constrain.
FTRACE(2, " - typeSrc is null, bailing\n");
return false;
}
// If valSrc is a FramePtr, it represents the frame the value was
// originally loaded from. Look for the guard for this local.
if (source->isA(Type::FramePtr)) {
return constrainLocal(inst->extra<LocalId>()->locId, source, tc,
"constrainValue");
}
// Otherwise, keep chasing down the source of val.
return constrainValue(source, tc);
} else if (inst->is(LdStack, LdStackAddr)) {
return constrainStack(inst->src(0), inst->extra<StackOffset>()->offset,
tc);
} else if (inst->is(CheckType, AssertType)) {
// If the dest type of the instruction fits the constraint we want, we can
// stop here without constraining any further. Otherwise, continue through
// to the source.
auto changed = false;
if (inst->is(CheckType)) changed = constrainGuard(inst, tc) || changed;
auto dstType = inst->typeParam();
if (!typeFitsConstraint(dstType, tc.category)) {
changed = constrainValue(inst->src(0), tc) || changed;
}
return changed;
} else if (inst->is(StRef)) {
// StRef requires that src(0) is boxed so we're relying on callers to
// appropriately constrain the values they pass to it. Any innerCat in tc
// should be applied to the value being stored.
tc.category = tc.innerCat;
tc.innerCat = DataTypeGeneric;
tc.assertedType = Type::Gen;
return constrainValue(inst->src(1), tc);
} else if (inst->is(Box, BoxPtr, Unbox, UnboxPtr)) {
// All Box/Unbox opcodes are similar to StRef/LdRef in some situations and
// Mov in others (determined at runtime), so we need to constrain both
// outer and inner.
auto maxCat = std::max(tc.category, tc.innerCat);
tc.category = maxCat;
tc.innerCat = maxCat;
tc.assertedType = Type::Gen;
return constrainValue(inst->src(0), tc);
} else if (inst->is(LdRef)) {
// Like StRef, we're relying on the caller to have appropriately
// constrained the outer type of the box. Constrain the inner type of the
// box with tc.
tc.innerCat = tc.category;
tc.category = DataTypeGeneric;
tc.assertedType = Type::Gen;
return constrainValue(inst->src(0), tc);
} else if (inst->isPassthrough()) {
return constrainValue(inst->getPassthroughValue(), tc);
} else {
// Any instructions not special cased above produce a new value, so
// there's no guard for us to constrain.
FTRACE(2, " - value is new in this trace, bailing\n");
return false;
}
// TODO(t2598894): Should be able to do something with LdMem<T> here
}
/**
* Trace back to the guard that provided the type of val, if
* any. Constrain it so its type will not be relaxed beyond the given
* DataTypeCategory. Returns true iff one or more guard instructions
* were constrained.
*/
bool TraceBuilder::constrainValue(SSATmp* const val,
TypeConstraint tc) {
if (!shouldConstrainGuards()) return false;
if (!val) {
FTRACE(1, "constrainValue(nullptr, {}), bailing\n", tc);
return false;
}
FTRACE(1, "constrainValue({}, {})\n", *val->inst(), tc);
auto inst = val->inst();
if (inst->is(LdLoc, LdLocAddr)) {
// We've hit a LdLoc(Addr). If the source of the value is non-null and not
// a FramePtr, it's a real value that was killed by a Call. The value won't
// be live but it's ok to use it to track down the guard.
auto source = inst->extra<LocalData>()->valSrc;
if (!source) {
// val was newly created in this trace. Nothing to constrain.
FTRACE(2, " - valSrc is null, bailing\n");
return false;
}
// If valSrc is a FramePtr, it represents the frame the value was
// originally loaded from. Look for the guard for this local.
if (source->isA(Type::FramePtr)) {
return constrainLocal(inst->extra<LocalId>()->locId, source, tc,
"constrainValue");
}
// Otherwise, keep chasing down the source of val.
return constrainValue(source, tc);
} else if (inst->is(LdStack, LdStackAddr)) {
return constrainStack(inst->src(0), inst->extra<StackOffset>()->offset,
tc);
} else if (inst->is(CheckType, AssertType)) {
// If the dest type of the instruction fits the constraint we want, we can
// stop here without constraining any further. Otherwise, continue through
// to the source.
auto changed = false;
if (inst->is(CheckType)) changed = constrainGuard(inst, tc) || changed;
auto dstType = inst->typeParam();
if (!typeFitsConstraint(dstType, tc.category)) {
changed = constrainValue(inst->src(0), tc) || changed;
}
return changed;
} else if (inst->is(StRef, StRefNT, Box, BoxPtr)) {
// If our caller cares about the inner type, propagate that through.
// Otherwise we're done.
if (tc.innerCat) {
auto src = inst->src(inst->is(StRef, StRefNT) ? 1 : 0);
tc.innerCat.reset();
return constrainValue(src, tc);
}
return false;
} else if (inst->is(LdRef, Unbox, UnboxPtr)) {
// Pass through to the source of the box, remembering that we care about
// the inner type of the box.
assert(!tc.innerCat);
tc.innerCat = tc.category;
return constrainValue(inst->src(0), tc);
} else if (inst->isPassthrough()) {
return constrainValue(inst->getPassthroughValue(), tc);
} else {
// Any instructions not special cased above produce a new value, so
// there's no guard for us to constrain.
FTRACE(2, " - value is new in this trace, bailing\n");
return false;
}
// TODO(t2598894): Should be able to do something with LdMem<T> here
}
/**
* Trace back to the guard that provided the type of val, if
* any. Constrain it so its type will not be relaxed beyond the given
* DataTypeCategory. Returns true iff one or more guard instructions
* were constrained.
*/
bool IRBuilder::constrainValue(SSATmp* const val, TypeConstraint tc) {
if (!shouldConstrainGuards()) return false;
always_assert(IMPLIES(tc.innerCat > DataTypeGeneric,
tc.category >= DataTypeCountness));
if (!val) {
ITRACE(1, "constrainValue(nullptr, {}), bailing\n", tc);
return false;
}
ITRACE(1, "constrainValue({}, {})\n", *val->inst(), tc);
Indent _i;
auto inst = val->inst();
if (inst->is(LdLoc, LdLocAddr)) {
// We've hit a LdLoc(Addr). If the source of the value is non-null and not
// a FramePtr, it's a real value that was killed by a Call. The value won't
// be live but it's ok to use it to track down the guard.
auto source = inst->extra<LocalData>()->typeSrc;
if (!source) {
// val was newly created in this trace. Nothing to constrain.
ITRACE(2, "typeSrc is null, bailing\n");
return false;
}
// If typeSrc is a FramePtr, it represents the frame the value was
// originally loaded from. Look for the guard for this local.
if (source->isA(Type::FramePtr)) {
return constrainLocal(inst->extra<LocalId>()->locId, source, tc,
"constrainValue");
}
// Otherwise, keep chasing down the source of val.
return constrainValue(source, tc);
} else if (inst->is(LdStack, LdStackAddr)) {
return constrainStack(inst->src(0), inst->extra<StackOffset>()->offset,
tc);
} else if (inst->is(AssertType)) {
// Sometimes code in HhbcTranslator asks for a value with DataTypeSpecific
// but can tolerate a less specific value. If that happens, there's nothing
// to constrain.
if (!typeFitsConstraint(val->type(), tc)) return false;
// If the immutable typeParam fits the constraint, we're done.
auto const typeParam = inst->typeParam();
if (typeFitsConstraint(typeParam, tc)) return false;
auto const newTc = relaxConstraint(tc, typeParam, inst->src(0)->type());
ITRACE(1, "tracing through {}, orig tc: {}, new tc: {}\n",
*inst, tc, newTc);
return constrainValue(inst->src(0), newTc);
} else if (inst->is(CheckType)) {
// Sometimes code in HhbcTranslator asks for a value with DataTypeSpecific
// but can tolerate a less specific value. If that happens, there's nothing
// to constrain.
if (!typeFitsConstraint(val->type(), tc)) return false;
bool changed = false;
auto const typeParam = inst->typeParam();
auto const srcType = inst->src(0)->type();
// Constrain the guard on the CheckType, but first relax the constraint
// based on what's known about srcType.
auto const guardTc = relaxConstraint(tc, srcType, typeParam);
changed = constrainGuard(inst, guardTc) || changed;
// Relax typeParam with its current constraint. This is used below to
// recursively relax the constraint on the source, if needed.
auto constraint = m_guardConstraints[inst];
constraint.category = std::max(constraint.category, guardTc.category);
constraint.innerCat = std::max(constraint.innerCat, guardTc.innerCat);
auto const knownType = refineType(relaxType(typeParam, constraint),
constraint.assertedType);
if (!typeFitsConstraint(knownType, tc)) {
auto const newTc = relaxConstraint(tc, knownType, srcType);
ITRACE(1, "tracing through {}, orig tc: {}, new tc: {}\n",
*inst, tc, newTc);
changed = constrainValue(inst->src(0), newTc) || changed;
}
return changed;
} else if (inst->is(StRef)) {
// StRef requires that src(0) is boxed so we're relying on callers to
// appropriately constrain the values they pass to it. Any innerCat in tc
// should be applied to the value being stored.
tc.category = tc.innerCat;
tc.innerCat = DataTypeGeneric;
tc.assertedType = Type::Gen;
return constrainValue(inst->src(1), tc);
} else if (inst->is(Box, BoxPtr, Unbox, UnboxPtr)) {
// All Box/Unbox opcodes are similar to StRef/LdRef in some situations and
// Mov in others (determined at runtime), so we need to constrain both
// outer and inner.
auto maxCat = std::max(tc.category, tc.innerCat);
tc.category = maxCat;
tc.innerCat = maxCat;
tc.assertedType = Type::Gen;
return constrainValue(inst->src(0), tc);
} else if (inst->is(LdRef)) {
// Constrain the inner type of the box with tc, using DataTypeCountness for
// the outer constraint to preserve the fact that it's a box.
tc.innerCat = tc.category;
tc.category = DataTypeCountness;
tc.assertedType = Type::Gen;
return constrainValue(inst->src(0), tc);
} else if (inst->isPassthrough()) {
return constrainValue(inst->getPassthroughValue(), tc);
} else {
// Any instructions not special cased above produce a new value, so
// there's no guard for us to constrain.
ITRACE(2, "value is new in this trace, bailing\n");
return false;
}
// TODO(t2598894): Should be able to do something with LdMem<T> here
}
bool IRBuilder::constrainStack(SSATmp* sp, int32_t idx,
TypeConstraint tc) {
if (!shouldConstrainGuards()) return false;
always_assert(IMPLIES(tc.innerCat > DataTypeGeneric,
tc.category >= DataTypeCountness));
ITRACE(1, "constrainStack({}, {}, {})\n", *sp->inst(), idx, tc);
Indent _i;
assert(sp->isA(Type::StkPtr));
// We've hit a LdStack. If getStackValue gives us a value, recurse on
// that. Otherwise, look at the instruction that gave us the type of the
// stack element. If it's a GuardStk or CheckStk, it's our target. If it's
// anything else, the value is new so there's no guard to relax.
auto stackInfo = getStackValue(sp, idx);
// Sometimes code in HhbcTranslator asks for a value with DataTypeSpecific
// but can tolerate a less specific value. If that happens, there's nothing
// to constrain.
if (!typeFitsConstraint(stackInfo.knownType, tc)) return false;
IRInstruction* typeSrc = stackInfo.typeSrc;
if (stackInfo.value) {
ITRACE(1, "value = {}\n", *stackInfo.value->inst());
return constrainValue(stackInfo.value, tc);
} else if (typeSrc->is(AssertStk)) {
// If the immutable typeParam fits the constraint, we're done.
auto const typeParam = typeSrc->typeParam();
if (typeFitsConstraint(typeParam, tc)) return false;
auto const srcIdx = typeSrc->extra<StackOffset>()->offset;
auto const srcType = getStackValue(typeSrc->src(0), srcIdx).knownType;
auto const newTc = relaxConstraint(tc, typeParam, srcType);
ITRACE(1, "tracing through {}, orig tc: {}, new tc: {}\n",
*typeSrc, tc, newTc);
return constrainStack(typeSrc->src(0), srcIdx, newTc);
} else if (typeSrc->is(CheckStk)) {
auto changed = false;
auto const typeParam = typeSrc->typeParam();
auto const srcIdx = typeSrc->extra<StackOffset>()->offset;
auto const srcType = getStackValue(typeSrc->src(0), srcIdx).knownType;
// Constrain the guard on the CheckType, but first relax the constraint
// based on what's known about srcType.
auto const guardTc = relaxConstraint(tc, srcType, typeParam);
changed = constrainGuard(typeSrc, guardTc) || changed;
// Relax typeParam with its current constraint. This is used below to
// recursively relax the constraint on the source, if needed.
auto constraint = m_guardConstraints[typeSrc];
constraint.category = std::max(constraint.category, guardTc.category);
constraint.innerCat = std::max(constraint.innerCat, guardTc.innerCat);
auto const knownType = refineType(relaxType(typeParam, constraint),
constraint.assertedType);
if (!typeFitsConstraint(knownType, tc)) {
auto const newTc = relaxConstraint(tc, knownType, srcType);
ITRACE(1, "tracing through {}, orig tc: {}, new tc: {}\n",
*typeSrc, tc, newTc);
changed = constrainStack(typeSrc->src(0), srcIdx, newTc) || changed;
}
return changed;
} else {
ITRACE(1, "typeSrc = {}\n", *typeSrc);
return typeSrc->is(GuardStk) && constrainGuard(typeSrc, tc);
}
}