blob: e12d4c62a1cb78000eaf2ed1d7af155756459a2e [file] [log] [blame]
/*
* Copyright (C) 2014-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "DFGDoesGC.h"
#if ENABLE(DFG_JIT)
#include "DFGClobberize.h"
#include "DFGGraph.h"
#include "DFGNode.h"
namespace JSC { namespace DFG {
bool doesGC(Graph& graph, Node* node)
{
if (clobbersHeap(graph, node))
return true;
// Now consider nodes that don't clobber the world but that still may GC. This includes all
// nodes. By default, we should assume every node can GC and return true. This includes the
// world-clobbering nodes. We should only return false if we have proven that the node cannot
// GC. Typical examples of how a node can GC is if the code emitted for the node does any of the
// following:
// 1. Allocates any objects.
// 2. Resolves a rope string, which allocates a string.
// 3. Produces a string (which allocates the string) except when we can prove that
// the string will always be one of the pre-allocated SmallStrings.
// 4. Triggers a structure transition (which can allocate a new structure)
// unless it is a known transition between previously allocated structures
// such as between Array types.
// 5. Calls to a JS function, which can execute arbitrary code including allocating objects.
// 6. Calls operations that uses DeferGC, because it may GC in its destructor.
switch (node->op()) {
case JSConstant:
case DoubleConstant:
case Int52Constant:
case LazyJSConstant:
case Identity:
case IdentityWithProfile:
case GetCallee:
case SetCallee:
case GetArgumentCountIncludingThis:
case SetArgumentCountIncludingThis:
case GetRestLength:
case GetLocal:
case SetLocal:
case MovHint:
case InitializeEntrypointArguments:
case ExitOK:
case Phantom:
case Upsilon:
case Phi:
case Flush:
case PhantomLocal:
case SetArgumentDefinitely:
case SetArgumentMaybe:
case ArithBitNot:
case ArithBitAnd:
case ArithBitOr:
case ArithBitXor:
case ArithBitLShift:
case ArithBitRShift:
case BitURShift:
case ValueToInt32:
case UInt32ToNumber:
case DoubleAsInt32:
case ArithAdd:
case ArithClz32:
case ArithSub:
case ArithNegate:
case ArithMul:
case ArithIMul:
case ArithDiv:
case ArithMod:
case ArithAbs:
case ArithMin:
case ArithMax:
case ArithPow:
case ArithSqrt:
case ArithRandom:
case ArithRound:
case ArithFloor:
case ArithCeil:
case ArithTrunc:
case ArithFRound:
case ArithUnary:
case CheckStructure:
case CheckStructureOrEmpty:
case CheckStructureImmediate:
case GetExecutable:
case GetButterfly:
case CheckJSCast:
case CheckNotJSCast:
case CheckArray:
case CheckArrayOrEmpty:
case CheckDetached:
case GetScope:
case SkipScope:
case GetGlobalObject:
case GetGlobalThis:
case GetClosureVar:
case PutClosureVar:
case GetInternalField:
case PutInternalField:
case GetRegExpObjectLastIndex:
case SetRegExpObjectLastIndex:
case RecordRegExpCachedResult:
case GetGlobalVar:
case GetGlobalLexicalVariable:
case PutGlobalVariable:
case CheckIsConstant:
case CheckNotEmpty:
case AssertNotEmpty:
case CheckIdent:
case CompareBelow:
case CompareBelowEq:
case CompareEqPtr:
case ProfileControlFlow:
case OverridesHasInstance:
case IsEmpty:
case TypeOfIsUndefined:
case TypeOfIsObject:
case TypeOfIsFunction:
case IsUndefinedOrNull:
case IsBoolean:
case IsNumber:
case IsBigInt:
case NumberIsInteger:
case IsObject:
case IsCallable:
case IsConstructor:
case IsCellWithType:
case IsTypedArrayView:
case TypeOf:
case ToBoolean:
case LogicalNot:
case Jump:
case Branch:
case EntrySwitch:
case CountExecution:
case SuperSamplerBegin:
case SuperSamplerEnd:
case CPUIntrinsic:
case NormalizeMapKey: // HeapBigInt => BigInt32 conversion does not involve GC.
case GetMapBucketHead:
case GetMapBucketNext:
case LoadKeyFromMapBucket:
case LoadValueFromMapBucket:
case ExtractValueFromWeakMapGet:
case WeakMapGet:
case WeakSetAdd:
case WeakMapSet:
case Unreachable:
case ExtractOSREntryLocal:
case ExtractCatchLocal:
case ClearCatchLocals:
case LoopHint:
case StoreBarrier:
case FencedStoreBarrier:
case InvalidationPoint:
case NotifyWrite:
case AssertInBounds:
case CheckInBounds:
case CheckInBoundsInt52:
case ConstantStoragePointer:
case Check:
case CheckVarargs:
case CheckTypeInfoFlags:
case MultiGetByOffset:
case MultiDeleteByOffset:
case ValueRep:
case DoubleRep:
case Int52Rep:
case GetGetter:
case GetSetter:
case GetArrayLength:
case GetTypedArrayLengthAsInt52:
case GetVectorLength:
case StringCharCodeAt:
case StringCodePointAt:
case GetTypedArrayByteOffset:
case GetTypedArrayByteOffsetAsInt52:
case GetPrototypeOf:
case PutStructure:
case GetByOffset:
case GetGetterSetterByOffset:
case FiatInt52:
case BooleanToNumber:
case CheckBadValue:
case BottomValue:
case PhantomNewObject:
case PhantomNewFunction:
case PhantomNewGeneratorFunction:
case PhantomNewAsyncFunction:
case PhantomNewAsyncGeneratorFunction:
case PhantomNewInternalFieldObject:
case PhantomCreateActivation:
case PhantomDirectArguments:
case PhantomCreateRest:
case PhantomNewArrayWithSpread:
case PhantomNewArrayBuffer:
case PhantomSpread:
case PhantomClonedArguments:
case PhantomNewRegexp:
case GetMyArgumentByVal:
case GetMyArgumentByValOutOfBounds:
case ForwardVarargs:
case PutHint:
case KillStack:
case GetStack:
case GetFromArguments:
case GetArgument:
case LogShadowChickenPrologue:
case LogShadowChickenTail:
case NukeStructureAndSetButterfly:
case AtomicsAdd:
case AtomicsAnd:
case AtomicsCompareExchange:
case AtomicsExchange:
case AtomicsLoad:
case AtomicsOr:
case AtomicsStore:
case AtomicsSub:
case AtomicsXor:
case AtomicsIsLockFree:
case MatchStructure:
case FilterCallLinkStatus:
case FilterGetByStatus:
case FilterPutByStatus:
case FilterInByStatus:
case FilterDeleteByStatus:
case FilterCheckPrivateBrandStatus:
case FilterSetPrivateBrandStatus:
case DateGetInt32OrNaN:
case DateGetTime:
case DataViewGetInt:
case DataViewGetFloat:
case DataViewSet:
case PutByOffset:
return false;
#if ASSERT_ENABLED
case ArrayPush:
case ArrayPop:
case PushWithScope:
case CreateActivation:
case CreateDirectArguments:
case CreateScopedArguments:
case CreateClonedArguments:
case CreateArgumentsButterfly:
case Call:
case CallEval:
case CallForwardVarargs:
case CallObjectConstructor:
case CallVarargs:
case CheckTierUpAndOSREnter:
case CheckTierUpAtReturn:
case CheckTierUpInLoop:
case Construct:
case ConstructForwardVarargs:
case ConstructVarargs:
case DefineDataProperty:
case DefineAccessorProperty:
case DeleteById:
case DeleteByVal:
case DirectCall:
case DirectConstruct:
case DirectTailCall:
case DirectTailCallInlinedCaller:
case ForceOSRExit:
case FunctionToString:
case GetById:
case GetByIdDirect:
case GetByIdDirectFlush:
case GetByIdFlush:
case GetByIdWithThis:
case GetByValWithThis:
case GetDynamicVar:
case GetMapBucket:
case HasIndexedProperty:
case HasOwnProperty:
case InById:
case InByVal:
case HasPrivateName:
case HasPrivateBrand:
case InstanceOf:
case InstanceOfCustom:
case VarargsLength:
case LoadVarargs:
case NumberToStringWithRadix:
case NumberToStringWithValidRadixConstant:
case ProfileType:
case PutById:
case PutByIdDirect:
case PutByIdFlush:
case PutByIdWithThis:
case PutByValWithThis:
case PutDynamicVar:
case PutGetterById:
case PutGetterByVal:
case PutGetterSetterById:
case PutSetterById:
case PutSetterByVal:
case PutPrivateName:
case PutPrivateNameById:
case GetPrivateName:
case GetPrivateNameById:
case SetPrivateBrand:
case CheckPrivateBrand:
case PutStack:
case PutToArguments:
case RegExpExec:
case RegExpExecNonGlobalOrSticky:
case RegExpMatchFast:
case RegExpMatchFastGlobal:
case RegExpTest:
case RegExpTestInline:
case ResolveScope:
case ResolveScopeForHoistingFuncDeclInEval:
case Return:
case StringCharAt:
case TailCall:
case TailCallForwardVarargs:
case TailCallForwardVarargsInlinedCaller:
case TailCallInlinedCaller:
case TailCallVarargs:
case TailCallVarargsInlinedCaller:
case Throw:
case ToNumber:
case ToNumeric:
case ToObject:
case ToPrimitive:
case ToPropertyKey:
case ToThis:
case TryGetById:
case CreateThis:
case CreatePromise:
case CreateGenerator:
case CreateAsyncGenerator:
case ObjectAssign:
case ObjectCreate:
case ObjectKeys:
case ObjectGetOwnPropertyNames:
case AllocatePropertyStorage:
case ReallocatePropertyStorage:
case Arrayify:
case ArrayifyToStructure:
case NewObject:
case NewGenerator:
case NewAsyncGenerator:
case NewArray:
case NewArrayWithSpread:
case NewInternalFieldObject:
case Spread:
case NewArrayWithSize:
case NewArrayBuffer:
case NewRegexp:
case NewStringObject:
case NewSymbol:
case MakeRope:
case NewFunction:
case NewGeneratorFunction:
case NewAsyncGeneratorFunction:
case NewAsyncFunction:
case NewTypedArray:
case ThrowStaticError:
case GetPropertyEnumerator:
case EnumeratorInByVal:
case EnumeratorHasOwnProperty:
case EnumeratorNextUpdatePropertyName:
case EnumeratorNextUpdateIndexAndMode:
case MaterializeNewObject:
case MaterializeNewInternalFieldObject:
case MaterializeCreateActivation:
case SetFunctionName:
case StrCat:
case StringReplace:
case StringReplaceRegExp:
case StringSlice:
case StringValueOf:
case CreateRest:
case ToLowerCase:
case CallDOMGetter:
case CallDOM:
case ArraySlice:
case ArrayIndexOf:
case ParseInt: // We might resolve a rope even though we don't clobber anything.
case SetAdd:
case MapSet:
case ValueBitAnd:
case ValueBitOr:
case ValueBitXor:
case ValueBitLShift:
case ValueBitRShift:
case ValueAdd:
case ValueSub:
case ValueMul:
case ValueDiv:
case ValueMod:
case ValuePow:
case ValueBitNot:
case ValueNegate:
#else // not ASSERT_ENABLED
// See comment at the top for why the default for all nodes should be to
// return true.
default:
#endif // not ASSERT_ENABLED
return true;
case CallNumberConstructor:
switch (node->child1().useKind()) {
case BigInt32Use:
return false;
default:
break;
}
return true;
case CallStringConstructor:
case ToString:
switch (node->child1().useKind()) {
case StringObjectUse:
case StringOrStringObjectUse:
return false;
default:
break;
}
return true;
case CheckTraps:
// FIXME: https://bugs.webkit.org/show_bug.cgi?id=194323
ASSERT(Options::usePollingTraps());
return true;
case CompareEq:
case CompareLess:
case CompareLessEq:
case CompareGreater:
case CompareGreaterEq:
// FIXME: Add AnyBigIntUse and HeapBigIntUse specific optimizations in DFG / FTL code generation and ensure it does not perform GC.
// https://bugs.webkit.org/show_bug.cgi?id=210923
if (node->isBinaryUseKind(Int32Use)
#if USE(JSVALUE64)
|| node->isBinaryUseKind(Int52RepUse)
#endif
|| node->isBinaryUseKind(DoubleRepUse)
|| node->isBinaryUseKind(BigInt32Use)
|| node->isBinaryUseKind(StringIdentUse)
)
return false;
if (node->op() == CompareEq) {
if (node->isBinaryUseKind(BooleanUse)
|| node->isBinaryUseKind(SymbolUse)
|| node->isBinaryUseKind(ObjectUse)
|| node->isBinaryUseKind(ObjectUse, ObjectOrOtherUse) || node->isBinaryUseKind(ObjectOrOtherUse, ObjectUse))
return false;
}
return true;
case CompareStrictEq:
if (node->isBinaryUseKind(BooleanUse)
|| node->isBinaryUseKind(Int32Use)
#if USE(JSVALUE64)
|| node->isBinaryUseKind(Int52RepUse)
#endif
|| node->isBinaryUseKind(DoubleRepUse)
|| node->isBinaryUseKind(SymbolUse)
|| node->isBinaryUseKind(SymbolUse, UntypedUse)
|| node->isBinaryUseKind(UntypedUse, SymbolUse)
|| node->isBinaryUseKind(StringIdentUse)
|| node->isBinaryUseKind(ObjectUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, ObjectUse)
|| node->isBinaryUseKind(ObjectUse)
|| node->isBinaryUseKind(MiscUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, MiscUse)
|| node->isBinaryUseKind(StringIdentUse, NotStringVarUse) || node->isBinaryUseKind(NotStringVarUse, StringIdentUse)
|| node->isBinaryUseKind(NotDoubleUse, NeitherDoubleNorHeapBigIntNorStringUse) || node->isBinaryUseKind(NeitherDoubleNorHeapBigIntNorStringUse, NotDoubleUse))
return false;
return true;
case GetIndexedPropertyStorage:
case GetByVal:
case EnumeratorGetByVal:
if (node->arrayMode().type() == Array::String)
return true;
return false;
case EnumeratorNextExtractMode:
case EnumeratorNextExtractIndex:
return false;
case PutByValDirect:
case PutByVal:
case PutByValAlias:
if (!graph.m_plan.isFTL()) {
switch (node->arrayMode().modeForPut().type()) {
case Array::Int8Array:
case Array::Int16Array:
case Array::Int32Array:
case Array::Uint8Array:
case Array::Uint8ClampedArray:
case Array::Uint16Array:
case Array::Uint32Array:
return true;
default:
break;
}
}
return false;
case MapHash:
switch (node->child1().useKind()) {
case BooleanUse:
case Int32Use:
case SymbolUse:
case ObjectUse:
#if USE(BIGINT32)
case BigInt32Use:
#endif
case HeapBigIntUse:
return false;
default:
// We might resolve a rope.
return true;
}
case MultiPutByOffset:
return node->multiPutByOffsetData().reallocatesStorage();
case SameValue:
if (node->isBinaryUseKind(DoubleRepUse))
return false;
return true;
case StringFromCharCode:
// FIXME: Should we constant fold this case?
// https://bugs.webkit.org/show_bug.cgi?id=194308
if (node->child1()->isInt32Constant() && (node->child1()->asUInt32() <= maxSingleCharacterString))
return false;
return true;
case Switch:
switch (node->switchData()->kind) {
case SwitchCell:
ASSERT(graph.m_plan.isFTL());
FALLTHROUGH;
case SwitchImm:
return false;
case SwitchChar:
return true;
case SwitchString:
if (node->child1().useKind() == StringIdentUse)
return false;
ASSERT(node->child1().useKind() == StringUse || node->child1().useKind() == UntypedUse);
return true;
}
RELEASE_ASSERT_NOT_REACHED();
case Inc:
case Dec:
switch (node->child1().useKind()) {
case Int32Use:
case Int52RepUse:
case DoubleRepUse:
return false;
default:
return true;
}
case LastNodeType:
RELEASE_ASSERT_NOT_REACHED();
}
RELEASE_ASSERT_NOT_REACHED();
}
} } // namespace JSC::DFG
#endif // ENABLE(DFG_JIT)