Google Git
Sign in
webkit / WebKit / 0728b8a6689ce9c083789efe93de28df91426a6d / . / Source / JavaScriptCore / dfg / DFGSafeToExecute.h
blob: 9dc43522685b91c9e96a0733ed5f0ae77095071b [file] [log] [blame]
/*
* Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef DFGSafeToExecute_h
#define DFGSafeToExecute_h
#if ENABLE(DFG_JIT)
#include "DFGGraph.h"
namespace JSC { namespace DFG {
template<typename AbstractStateType>
class SafeToExecuteEdge {
public:
SafeToExecuteEdge(AbstractStateType& state)
: m_state(state)
, m_result(true)
{
}
void operator()(Node*, Edge edge)
{
switch (edge.useKind()) {
case UntypedUse:
case Int32Use:
case DoubleRepUse:
case DoubleRepRealUse:
case Int52RepUse:
case NumberUse:
case BooleanUse:
case CellUse:
case ObjectUse:
case FinalObjectUse:
case ObjectOrOtherUse:
case StringIdentUse:
case StringUse:
case StringObjectUse:
case StringOrStringObjectUse:
case NotStringVarUse:
case NotCellUse:
case OtherUse:
case MiscUse:
case MachineIntUse:
case DoubleRepMachineIntUse:
return;
case KnownInt32Use:
if (m_state.forNode(edge).m_type & ~SpecInt32)
m_result = false;
return;
case KnownCellUse:
if (m_state.forNode(edge).m_type & ~SpecCell)
m_result = false;
return;
case KnownStringUse:
if (m_state.forNode(edge).m_type & ~SpecString)
m_result = false;
return;
case LastUseKind:
RELEASE_ASSERT_NOT_REACHED();
break;
}
RELEASE_ASSERT_NOT_REACHED();
}
bool result() const { return m_result; }
private:
AbstractStateType& m_state;
bool m_result;
};
// Determines if it's safe to execute a node within the given abstract state. This may
// return false conservatively. If it returns true, then you can hoist the given node
// up to the given point and expect that it will not crash. This doesn't guarantee that
// the node will produce the result you wanted other than not crashing.
template<typename AbstractStateType>
bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node)
{
SafeToExecuteEdge<AbstractStateType> safeToExecuteEdge(state);
DFG_NODE_DO_TO_CHILDREN(graph, node, safeToExecuteEdge);
if (!safeToExecuteEdge.result())
return false;
switch (node->op()) {
case JSConstant:
case DoubleConstant:
case Int52Constant:
case WeakJSConstant:
case Identity:
case ToThis:
case CreateThis:
case GetCallee:
case GetLocal:
case SetLocal:
case MovHint:
case ZombieHint:
case GetArgument:
case Phantom:
case HardPhantom:
case Upsilon:
case Phi:
case Flush:
case PhantomLocal:
case GetLocalUnlinked:
case SetArgument:
case BitAnd:
case BitOr:
case BitXor:
case BitLShift:
case BitRShift:
case BitURShift:
case ValueToInt32:
case UInt32ToNumber:
case DoubleAsInt32:
case ArithAdd:
case ArithSub:
case ArithNegate:
case ArithMul:
case ArithIMul:
case ArithDiv:
case ArithMod:
case ArithAbs:
case ArithMin:
case ArithMax:
case ArithSqrt:
case ArithFRound:
case ArithSin:
case ArithCos:
case ValueAdd:
case GetById:
case GetByIdFlush:
case PutById:
case PutByIdFlush:
case PutByIdDirect:
case CheckStructure:
case CheckExecutable:
case GetButterfly:
case CheckArray:
case Arrayify:
case ArrayifyToStructure:
case GetScope:
case GetMyScope:
case SkipTopScope:
case SkipScope:
case GetClosureRegisters:
case GetClosureVar:
case PutClosureVar:
case GetGlobalVar:
case PutGlobalVar:
case VariableWatchpoint:
case VarInjectionWatchpoint:
case CheckFunction:
case AllocationProfileWatchpoint:
case RegExpExec:
case RegExpTest:
case CompareLess:
case CompareLessEq:
case CompareGreater:
case CompareGreaterEq:
case CompareEq:
case CompareEqConstant:
case CompareStrictEq:
case Call:
case Construct:
case NewObject:
case NewArray:
case NewArrayWithSize:
case NewArrayBuffer:
case NewRegexp:
case Breakpoint:
case ProfileWillCall:
case ProfileDidCall:
case CheckHasInstance:
case InstanceOf:
case IsUndefined:
case IsBoolean:
case IsNumber:
case IsString:
case IsObject:
case IsFunction:
case TypeOf:
case LogicalNot:
case ToPrimitive:
case ToString:
case NewStringObject:
case MakeRope:
case In:
case CreateActivation:
case TearOffActivation:
case CreateArguments:
case PhantomArguments:
case TearOffArguments:
case GetMyArgumentsLength:
case GetMyArgumentByVal:
case GetMyArgumentsLengthSafe:
case GetMyArgumentByValSafe:
case CheckArgumentsNotCreated:
case NewFunctionNoCheck:
case NewFunction:
case NewFunctionExpression:
case Jump:
case Branch:
case Switch:
case Return:
case Throw:
case ThrowReferenceError:
case CountExecution:
case ForceOSRExit:
case CheckWatchdogTimer:
case StringFromCharCode:
case NewTypedArray:
case Unreachable:
case ExtractOSREntryLocal:
case CheckTierUpInLoop:
case CheckTierUpAtReturn:
case CheckTierUpAndOSREnter:
case LoopHint:
case StoreBarrier:
case StoreBarrierWithNullCheck:
case InvalidationPoint:
case NotifyWrite:
case FunctionReentryWatchpoint:
case TypedArrayWatchpoint:
case CheckInBounds:
case ConstantStoragePointer:
case Check:
case MultiGetByOffset:
case MultiPutByOffset:
case ValueRep:
case DoubleRep:
case Int52Rep:
case BooleanToNumber:
case FiatInt52:
case GetGetter:
case GetSetter:
return true;
case GetByVal:
case GetIndexedPropertyStorage:
case GetArrayLength:
case ArrayPush:
case ArrayPop:
case StringCharAt:
case StringCharCodeAt:
return node->arrayMode().alreadyChecked(graph, node, state.forNode(node->child1()));
case GetTypedArrayByteOffset:
return !(state.forNode(node->child1()).m_type & ~(SpecTypedArrayView));
case PutByValDirect:
case PutByVal:
case PutByValAlias:
return node->arrayMode().modeForPut().alreadyChecked(
graph, node, state.forNode(graph.varArgChild(node, 0)));
case PutStructure:
case PhantomPutStructure:
case AllocatePropertyStorage:
case ReallocatePropertyStorage:
return state.forNode(node->child1()).m_structure.isSubsetOf(
StructureSet(node->transition()->previous));
case GetByOffset:
case GetGetterSetterByOffset:
case PutByOffset: {
StructureAbstractValue& value = state.forNode(node->child1()).m_structure;
if (value.isTop())
return false;
PropertyOffset offset = graph.m_storageAccessData[node->storageAccessDataIndex()].offset;
for (unsigned i = value.size(); i--;) {
if (!value[i]->isValidOffset(offset))
return false;
}
return true;
}
case LastNodeType:
RELEASE_ASSERT_NOT_REACHED();
return false;
}
RELEASE_ASSERT_NOT_REACHED();
return false;
}
} } // namespace JSC::DFG
#endif // ENABLE(DFG_JIT)
#endif // DFGSafeToExecute_h