/* * Copyright 2023 WebAssembly Community Group participants * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include "ir/subtype-exprs.h" #include "ir/subtypes.h" #include "ir/type-updating.h" #include "ir/utils.h" #include "pass.h" #include "support/unique_deferring_queue.h" #include "wasm-traversal.h" #include "wasm-type.h" #include "wasm.h" // Compute and use the minimal subtype relation required to maintain module // validity and behavior. This minimal relation will be a subset of the original // subtype relation. Start by walking the IR and collecting pairs of types that // need to be in the subtype relation for each expression to validate. For // example, a local.set requires that the type of its operand be a subtype of // the local's type. Casts do not generate subtypings at this point because it // is not necessary for the cast target to be a subtype of the cast source for // the cast to validate. // // From that initial subtype relation, we then start finding new subtypings that // are required by the subtypings we have found already. These transitively // required subtypings come from two sources. // // The first source is type definitions. Consider these type definitions: // // (type $A (sub (struct (ref $X)))) // (type $B (sub $A (struct (ref $Y)))) // // If we have determined that $B must remain a subtype of $A, then we know that // $Y must remain a subtype of $X as well, since the type definitions would not // be valid otherwise. Similarly, knowing that $X must remain a subtype of $Y // may transitively require other subtypings as well based on their type // definitions. // // The second source of transitive subtyping requirements is casts. Although // casting from one type to another does not necessarily require that those // types are related, we do need to make sure that we do not change the // behavior of casts by removing subtype relationships they might observe. For // example, consider this module: // // (module // ;; original subtyping: $bot <: $mid <: $top // (type $top (sub (struct))) // (type $mid (sub $top (struct))) // (type $bot (sub $mid (struct))) // // (func $f // (local $top (ref $top)) // (local $mid (ref $mid)) // // ;; Requires $bot <: $top // (local.set $top (struct.new $bot)) // // ;; Cast $top to $mid // (local.set $mid (ref.cast (ref $mid) (local.get $top))) // ) // ) // // The only subtype relation directly required by the IR for this module is $bot // <: $top. However, if we optimized the module so that $bot <: $top was the // only subtype relation, we would change the behavior of the cast. In the // original module, a value of type (ref $bot) is cast to (ref $mid). The cast // succeeds because in the original module, $bot <: $mid. If we optimize so that // we have $bot <: $top and no other subtypings, though, the cast will fail // because the value of type (ref $bot) no longer inhabits (ref $mid). To // prevent the cast's behavior from changing, we need to ensure that $bot <: // $mid. // // The set of subtyping requirements generated by a cast from $src to $dest is // that for every known remaining subtype $v of $src, if $v <: $dest in the // original module, then $v <: $dest in the optimized module. In other words, // for every type $v of values we know can flow into the cast, if the cast would // have succeeded for values of type $v before, then we know the cast must // continue to succeed for values of type $v. These requirements arising from // casts can also generate transitive requirements because we learn about new // types of values that can flow into casts as we learn about new subtypes of // cast sources. // // Starting with the initial subtype relation determined by walking the IR, // repeatedly search for new subtypings by analyzing type definitions and casts // in lock step until we reach a fixed point. This is the minimal subtype // relation that preserves module validity and behavior that can be found // without a more precise analysis of types that might flow into each cast. namespace wasm { namespace { struct Unsubtyping : WalkerPass< ControlFlowWalker>> { // The new set of supertype relations. std::unordered_map supertypes; // Map from cast source types to their destinations. std::unordered_map> castTypes; // The set of subtypes that need to have their type definitions analyzed to // transitively find other subtype relations they depend on. We add to it // every time we find a new subtype relationship we need to keep. UniqueDeferredQueue work; void run(Module* wasm) override { if (!wasm->features.hasGC()) { return; } analyzePublicTypes(*wasm); walkModule(wasm); analyzeTransitiveDependencies(); optimizeTypes(*wasm); // Cast types may be refinable if their source and target types are no // longer related. TODO: Experiment with running this only after checking // whether it is necessary. ReFinalize().run(getPassRunner(), wasm); } // Note that sub must remain a subtype of super. void noteSubtype(HeapType sub, HeapType super) { if (sub == super || sub.isBottom() || super.isBottom()) { return; } auto [it, inserted] = supertypes.insert({sub, super}); if (inserted) { work.push(sub); // TODO: Incrementally check all subtypes (inclusive) of sub against super // and all its supertypes if we have already analyzed casts. return; } // We already had a recorded supertype. The new supertype might be deeper, // shallower, or identical to the old supertype. auto oldSuper = it->second; if (super == oldSuper) { return; } // There are two different supertypes, but each type can only have a single // direct subtype so the supertype chain cannot fork and one of the // supertypes must be a supertype of the other. Recursively record that // relationship as well. if (HeapType::isSubType(super, oldSuper)) { // sub <: super <: oldSuper it->second = super; work.push(sub); // TODO: Incrementally check all subtypes (inclusive) of sub against super // if we have already analyzed casts. noteSubtype(super, oldSuper); } else { // sub <: oldSuper <: super noteSubtype(oldSuper, super); } } void noteSubtype(Type sub, Type super) { if (sub.isTuple()) { assert(super.isTuple() && sub.size() == super.size()); for (size_t i = 0, size = sub.size(); i < size; ++i) { noteSubtype(sub[i], super[i]); } return; } if (!sub.isRef() || !super.isRef()) { return; } noteSubtype(sub.getHeapType(), super.getHeapType()); } // Note a subtyping where one or both sides are expressions. void noteSubtype(Expression* sub, Type super) { noteSubtype(sub->type, super); } void noteSubtype(Type sub, Expression* super) { noteSubtype(sub, super->type); } void noteSubtype(Expression* sub, Expression* super) { noteSubtype(sub->type, super->type); } void noteNonFlowSubtype(Expression* sub, Type super) { // This expression's type must be a subtype of |super|, but the value does // not flow anywhere - this is a static constraint. As the value does not // flow, it cannot reach anywhere else, which means we need this in order to // validate but it does not interact with casts. Given that, if super is a // basic type then we can simply ignore this: we only remove subtyping // between user types, so subtyping wrt basic types is unchanged, and so // this constraint will never be a problem. // // This is sort of a hack because in general to be precise we should not // just consider basic types here - in general, we should note for each // constraint whether it is a flow-based one or not, and only take the // flow-based ones into account when looking at the impact of casts. // However, in practice this is enough as the only non-trivial case of // |noteNonFlowSubtype| is for RefEq, which uses a basic type (eqref). Other // cases of non-flow subtyping end up trivial, e.g., the target of a // CallRef is compared to itself (and we ignore constraints of A :> A). // However, if we change how |noteNonFlowSubtype| is used in // SubtypingDiscoverer then we may need to generalize this. if (super.isRef() && super.getHeapType().isBasic()) { return; } // Otherwise, we must take this into account. noteSubtype(sub, super); } void noteCast(HeapType src, HeapType dest) { if (src == dest || dest.isBottom()) { return; } assert(HeapType::isSubType(dest, src)); castTypes[src].insert(dest); } void noteCast(Type src, Type dest) { assert(!src.isTuple() && !dest.isTuple()); if (src == Type::unreachable) { return; } assert(src.isRef() && dest.isRef()); noteCast(src.getHeapType(), dest.getHeapType()); } // Note a cast where one or both sides are expressions. void noteCast(Expression* src, Type dest) { noteCast(src->type, dest); } void noteCast(Expression* src, Expression* dest) { noteCast(src->type, dest->type); } void analyzePublicTypes(Module& wasm) { // We cannot change supertypes for anything public. for (auto type : ModuleUtils::getPublicHeapTypes(wasm)) { if (auto super = type.getDeclaredSuperType()) { noteSubtype(type, *super); } } } void analyzeTransitiveDependencies() { // While we have found new subtypings and have not reached a fixed point... while (!work.empty()) { // Subtype relationships that we are keeping might depend on other subtype // relationships that we are not yet planning to keep. Transitively find // all the relationships we need to keep all our type definitions valid. while (!work.empty()) { auto type = work.pop(); auto super = supertypes.at(type); if (super.isBasic()) { continue; } switch (type.getKind()) { case HeapTypeKind::Func: { auto sig = type.getSignature(); auto superSig = super.getSignature(); noteSubtype(superSig.params, sig.params); noteSubtype(sig.results, superSig.results); break; } case HeapTypeKind::Struct: { const auto& fields = type.getStruct().fields; const auto& superFields = super.getStruct().fields; for (size_t i = 0, size = superFields.size(); i < size; ++i) { noteSubtype(fields[i].type, superFields[i].type); } break; } case HeapTypeKind::Array: { auto elem = type.getArray().element; noteSubtype(elem.type, super.getArray().element.type); break; } case HeapTypeKind::Cont: WASM_UNREACHABLE("TODO: cont"); case HeapTypeKind::Basic: WASM_UNREACHABLE("unexpected kind"); } } // Analyze all casts at once. // TODO: This is expensive. Analyze casts incrementally after we // initially analyze them. analyzeCasts(); } } void analyzeCasts() { // For each cast (src, dest) pair, any type that remains a subtype of src // (meaning its values can inhabit locations typed src) and that was // originally a subtype of dest (meaning its values would have passed the // cast) should remain a subtype of dest so that its values continue to pass // the cast. // // For every type, walk up its new supertype chain to find cast sources and // compare against their associated cast destinations. for (auto it = supertypes.begin(); it != supertypes.end(); ++it) { auto type = it->first; for (auto srcIt = it; srcIt != supertypes.end(); srcIt = supertypes.find(srcIt->second)) { auto src = srcIt->second; auto destsIt = castTypes.find(src); if (destsIt == castTypes.end()) { continue; } for (auto dest : destsIt->second) { if (HeapType::isSubType(type, dest)) { noteSubtype(type, dest); } } } } } void optimizeTypes(Module& wasm) { struct Rewriter : GlobalTypeRewriter { Unsubtyping& parent; Rewriter(Unsubtyping& parent, Module& wasm) : GlobalTypeRewriter(wasm), parent(parent) {} std::optional getDeclaredSuperType(HeapType type) override { if (auto it = parent.supertypes.find(type); it != parent.supertypes.end() && !it->second.isBasic()) { return it->second; } return std::nullopt; } }; Rewriter(*this, wasm).update(); } void doWalkModule(Module* wasm) { // Visit the functions in parallel, filling in `supertypes` and `castTypes` // on separate instances which will later be merged. ModuleUtils::ParallelFunctionAnalysis analysis( *wasm, [&](Function* func, Unsubtyping& unsubtyping) { if (!func->imported()) { unsubtyping.walkFunctionInModule(func, wasm); } }); // Collect the results from the functions. for (auto& [_, unsubtyping] : analysis.map) { for (auto [sub, super] : unsubtyping.supertypes) { noteSubtype(sub, super); } for (auto& [src, dests] : unsubtyping.castTypes) { for (auto dest : dests) { noteCast(src, dest); } } } // Collect constraints from top-level items. for (auto& global : wasm->globals) { visitGlobal(global.get()); } for (auto& seg : wasm->elementSegments) { visitElementSegment(seg.get()); } // Visit the rest of the code that is not in functions. walkModuleCode(wasm); } }; } // anonymous namespace Pass* createUnsubtypingPass() { return new Unsubtyping(); } } // namespace wasm