[torque] compute fixed-point when typing Torque IR

This is important for transient types, which might be invalidated in a loop syntactically below the vulnerable use. Bug: v8:7793 Change-Id: Ia97c03282eefbc44d54beb8edc61f5d44af2c947 Reviewed-on: https://chromium-review.googlesource.com/c/1331547Reviewed-by: Daniel Clifford <danno@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#57478}

[torque] compute fixed-point when typing Torque IR
This is important for transient types, which might be invalidated in a loop syntactically below the vulnerable use. Bug: v8:7793 Change-Id: Ia97c03282eefbc44d54beb8edc61f5d44af2c947 Reviewed-on: https://chromium-review.googlesource.com/c/1331547Reviewed-by: Daniel Clifford <danno@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#57478}
b50ad96b · Tobias Tebbi · Commit Bot · d75e327d · b50ad96b · b50ad96b
Commit b50ad96b authored Nov 12, 2018 by Tobias Tebbi Committed by Commit Bot Nov 13, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 4 deletions

cfg.cc src/torque/cfg.cc +8 -1

cfg.h src/torque/cfg.h +15 -3

No files found.
--- a/src/torque/cfg.cc
+++ b/src/torque/cfg.cc
@@ -20,13 +20,20 @@ void Block::SetInputTypes(const Stack<const Type*>& input_types) {

  DCHECK_EQ(input_types.Size(), input_types_->Size());
  Stack<const Type*> merged_types;
+  bool widened = false;
  auto c2_iterator = input_types.begin();
  for (const Type* c1 : *input_types_) {
    const Type* merged_type = TypeOracle::GetUnionType(c1, *c2_iterator++);
+    if (!merged_type->IsSubtypeOf(c1)) {
+      widened = true;
+    }
    merged_types.Push(merged_type);
  }
  if (merged_types.Size() == input_types_->Size()) {
-    input_types_ = merged_types;
+    if (widened) {
+      input_types_ = merged_types;
+      Retype();
+    }
    return;
  }


--- a/src/torque/cfg.h
+++ b/src/torque/cfg.h
@@ -19,11 +19,15 @@ namespace v8 {
 namespace internal {
 namespace torque {

+class ControlFlowGraph;
+
 class Block {
 public:
-  explicit Block(size_t id, base::Optional<Stack<const Type*>> input_types,
+  explicit Block(ControlFlowGraph* cfg, size_t id,
+                 base::Optional<Stack<const Type*>> input_types,
                 bool is_deferred)
-      : input_types_(std::move(input_types)),
+      : cfg_(cfg),
+        input_types_(std::move(input_types)),
        id_(id),
        is_deferred_(is_deferred) {}
  void Add(Instruction instruction) {
@@ -34,6 +38,12 @@ class Block {
  bool HasInputTypes() const { return input_types_ != base::nullopt; }
  const Stack<const Type*>& InputTypes() const { return *input_types_; }
  void SetInputTypes(const Stack<const Type*>& input_types);
+  void Retype() {
+    Stack<const Type*> current_stack = InputTypes();
+    for (const Instruction& instruction : instructions()) {
+      instruction.TypeInstruction(&current_stack, cfg_);
+    }
+  }

  const std::vector<Instruction>& instructions() const { return instructions_; }
  bool IsComplete() const {
@@ -43,6 +53,7 @@ class Block {
  bool IsDeferred() const { return is_deferred_; }

 private:
+  ControlFlowGraph* cfg_;
  std::vector<Instruction> instructions_;
  base::Optional<Stack<const Type*>> input_types_;
  const size_t id_;
@@ -58,7 +69,8 @@ class ControlFlowGraph {

  Block* NewBlock(base::Optional<Stack<const Type*>> input_types,
                  bool is_deferred) {
-    blocks_.emplace_back(next_block_id_++, std::move(input_types), is_deferred);
+    blocks_.emplace_back(this, next_block_id_++, std::move(input_types),
+                         is_deferred);
    return &blocks_.back();
  }
  void PlaceBlock(Block* block) { placed_blocks_.push_back(block); }