// ----------------------------------------------------------------------
// Forward propogation
// ----------------------------------------------------------------------
// Return machine state after performing given instruction on entry machine state.
// Propogates stack shapes and args/locals points-to
private MachineState ForwardInstruction(InstructionContext context, int index, MachineState state, BoolRef changed)
{
var instruction = context.Block.Body[index];
switch (instruction.Flavor)
{
case InstructionFlavor.Unsupported:
throw new InvalidOperationException("unsupported opcode");
case InstructionFlavor.Misc:
{
var misci = (MiscInstruction)instruction;
switch (misci.Op)
{
case MiscOp.Nop:
case MiscOp.Break:
return state;
case MiscOp.Dup:
return state.Push(state.Peek(0));
case MiscOp.Pop:
return state.Pop(1);
case MiscOp.Ldnull:
return state.PushType(global.NullRef, BottomPT);
case MiscOp.Ckfinite:
state.PeekExpectedType(0, global.DoubleRef, changed);
// Assume the instruction can "peek" at top of stack, thus no need for pop/push.
return state;
case MiscOp.Throw:
state.PeekReferenceType(0);
return state.DiscardStack();
case MiscOp.Rethrow:
return state.DiscardStack();
case MiscOp.LdindRef:
{
var elemType = state.PeekPointerToReferenceType(0);
return state.PopPushType(1, elemType, BottomPT);
}
case MiscOp.StindRef:
{
var expElemType = state.PeekPointerToReferenceType(1);
state.PeekExpectedType(0, expElemType, changed);
return state.Pop(2);
}
case MiscOp.LdelemRef:
{
state.PeekIndexType(0);
// WARNING: Type may not be final
var elemType = state.PeekArrayOfReferenceType(1);
return state.PopPushType(2, elemType, BottomPT);
}
case MiscOp.StelemRef:
state.PeekReferenceType(0);
state.PeekIndexType(1);
state.PeekArrayOfReferenceType(2);
// Since the value type and array element type may be independently generalized,
// it is pointless to check that the first is assignable to the second.
// Instead this check is done at runtime.
return state.Pop(3);
case MiscOp.Ldlen:
state.PeekArrayOfAnyType(0);
return state.PopPushType(1, global.IntNativeRef, BottomPT);
case MiscOp.Ret:
{
if (state.Depth != 0)
throw new InvalidOperationException("stack should be empty");
return state; // empty
}
case MiscOp.RetVal:
{
state.PeekExpectedType(0, method.Result.Type, changed);
var newState = state.Pop(1);
if (newState.Depth != 0)
throw new InvalidOperationException("stack should be empty");
return newState; // empty
}
case MiscOp.Endfilter:
{
state.PeekExpectedType(0, global.Int32Ref, changed);
var newState = state.Pop(1);
if (newState.Depth != 0)
throw new InvalidOperationException("stack should be empty");
return newState; // empty
}
case MiscOp.Endfinally:
{
// Control could transfer to an outer finally/fault block, or to the target
// of a leave instruction. However these transitions are delt with separately.
return state.DiscardStack();
}
default:
throw new ArgumentOutOfRangeException();
}
}
case InstructionFlavor.Branch:
{
var bri = (BranchInstruction)instruction;
switch (bri.Op)
{
case BranchOp.Br:
UnifyBeforeState(state, bri.Target, changed);
return state;
case BranchOp.Brtrue:
{
// WARNING: Type may not be final
// NOTE: May capture skolemized types
bri.Type = state.PeekIntegerOrObjectOrPointerType(0, false);
var newState = state.Pop(1);
UnifyBeforeState(newState, bri.Target, changed);
return newState;
}
case BranchOp.Brfalse:
{
// WARNING: Type may not be final
// NOTE: May capture skolemized types
bri.Type = state.PeekIntegerOrObjectOrPointerType(0, true);
var newState = state.Pop(1);
UnifyBeforeState(newState, bri.Target, changed);
return newState;
}
case BranchOp.Breq:
case BranchOp.Brne:
{
// WARNING: Type may not be final
// NOTE: May capture skolemized types
bri.Type = state.Peek2ComparableTypes(0, true);
var newState = state.Pop(2);
UnifyBeforeState(newState, bri.Target, changed);
return newState;
}
case BranchOp.Leave:
{
// Control could transfer via finally blocks instead of directly to the leave target.
// Propogate only that the stack must be empty at target. Remaining machine state
// is dealt with separately.
UnifyBeforeState
(new MachineState(methEnv, method.ValueParameters.Count, method.Locals.Count),
bri.Target,
changed);
return state.DiscardStack();
}
case BranchOp.BrLt:
case BranchOp.BrLe:
case BranchOp.BrGt:
case BranchOp.BrGe:
{
// WARNING: Type may not be final
// NOTE: May capture skolemized types
bri.Type = state.Peek2ComparableTypes(0, false);
var newState = state.Pop(2);
UnifyBeforeState(newState, bri.Target, changed);
return newState;
}
default:
throw new ArgumentOutOfRangeException();
}
}
case InstructionFlavor.Switch:
{
var switchi = (SwitchInstruction)instruction;
state.PeekExpectedType(0, global.Int32Ref, changed);
var newState = state.Pop(1);
for (var i = 0; i < switchi.CaseTargets.Count; i++)
UnifyBeforeState(newState, switchi.CaseTargets[i], changed);
return newState;
}
case InstructionFlavor.Compare:
{
var cmpi = (CompareInstruction)instruction;
// WARNING: Capured type may not be final
// NOTE: May capture skolemized types
switch (cmpi.Op)
{
case CompareOp.Ceq:
case CompareOp.CnePseudo:
cmpi.Type = state.Peek2ComparableTypes(0, true);
return state.PopPushType(2, global.Int32Ref, BottomPT);
case CompareOp.Clt:
case CompareOp.Cgt:
case CompareOp.CgePseudo:
case CompareOp.ClePseudo:
cmpi.Type = state.Peek2ComparableTypes(0, false);
return state.PopPushType(2, global.Int32Ref, BottomPT);
case CompareOp.CtruePseudo:
case CompareOp.CfalsePseudo:
cmpi.Type = state.PeekIntegerOrObjectOrPointerType(0, true);
return state.PopPushType(1, global.Int32Ref, BottomPT);
default:
throw new ArgumentOutOfRangeException();
}
}
case InstructionFlavor.ArgLocal:
{
var argi = (ArgLocalInstruction)instruction;
var type = method.ArgLocalType(argi.ArgLocal, argi.Index);
switch (argi.Op)
{
case ArgLocalOp.Ld:
return state.PushType(type, state.ArgLocalPointsTo(argi.ArgLocal, argi.Index));
case ArgLocalOp.Lda:
return state.PushType(methEnv.Global.ManagedPointerTypeConstructorRef.ApplyTo(type), ArgLocalPT(argi.ArgLocal, argi.Index));
case ArgLocalOp.St:
{
state.PeekExpectedType(0, type, changed);
var pointsTo = state.PeekPointsTo(0);
if (!pointsTo.IsBottom)
{
if (!(type.Style(methEnv) is ManagedPointerTypeStyle))
throw new InvalidOperationException
("stack indicates pointer, but parameter or local type does not");
if (pointsTo.PointsOutsideOfHeap)
throw new InvalidOperationException("arguments cannot point outside of the heap");
}
return state.PopAddArgLocalPointsTo(1, argi.ArgLocal, argi.Index, pointsTo);
}
default:
throw new ArgumentOutOfRangeException();
}
}
case InstructionFlavor.Field:
{
var fieldi = (FieldInstruction)instruction;
var fieldEnv = fieldi.Field.Enter(methEnv);
var fieldType = fieldEnv.SubstituteType(fieldEnv.Field.FieldType);
switch (fieldi.Op)
{
case FieldOp.Ldfld:
if (fieldi.IsStatic)
return state.PushType(fieldType, BottomPT);
else
{
fieldi.IsViaPointer = state.PeekDereferencableExpectedType
(0, fieldi.Field.DefiningType, true, changed);
return state.PopPushType(1, fieldType, BottomPT);
}
case FieldOp.Ldflda:
if (fieldi.IsStatic)
return state.PushType(methEnv.Global.ManagedPointerTypeConstructorRef.ApplyTo(fieldType), HeapPT);
else
{
// Underlying type cannot be a struct, otherwise would have a pointer into
// the stack
fieldi.IsViaPointer = state.PeekDereferencableExpectedType
(0, fieldi.Field.DefiningType, false, changed);
return state.PopPushType
(1, methEnv.Global.ManagedPointerTypeConstructorRef.ApplyTo(fieldType), HeapPT);
}
case FieldOp.Stfld:
if (fieldi.IsStatic)
{
state.PeekExpectedType(0, fieldType, changed);
return state.Pop(1);
}
else
{
state.PeekExpectedType(0, fieldType, changed);
fieldi.IsViaPointer = state.PeekDereferencableExpectedType
(1, fieldi.Field.DefiningType, false, changed);
return state.Pop(2);
}
case FieldOp.Ldtoken:
return state.PushType(global.RuntimeFieldHandleRef, BottomPT);
default:
throw new ArgumentOutOfRangeException();
}
}
case InstructionFlavor.Method:
{
var methi = (MethodInstruction)instruction;
var sig = (CST.MethodSignature)methi.Method.ExternalSignature;
switch (methi.Op)
{
case MethodOp.Call:
{
for (var i = sig.Parameters.Count - 1; i >= 1; i--)
state.PeekExpectedType(sig.Parameters.Count - 1 - i, sig.Parameters[i], changed);
if (methi.Constrained != null)
{
if (!methi.IsVirtual || methi.Method.IsStatic)
throw new InvalidOperationException
("constrained only valid on virtual calls to instance methods");
var thisType = sig.Parameters[0];
var constrainedPtr = methEnv.Global.ManagedPointerTypeConstructorRef.ApplyTo(methi.Constrained);
var constrainedBox = methEnv.Global.BoxTypeConstructorRef.ApplyTo(methi.Constrained);
var cs = methi.Constrained.Style(methEnv);
if (cs is ValueTypeStyle)
{
if (thisType.Style(methEnv) is ManagedPointerTypeStyle)
{
// We pass the argument pointer as is
if (!methi.Constrained.IsAssignableTo(methEnv, thisType.Arguments[0]))
throw new InvalidOperationException
("constrained type is not assignable to method's first argument type");
}
else
{
// *Case 1* Morally we deref the argument pointer and box the contents,
// but since no supertype of a value type may mutate the underlying value,
// we don't need to take a copy of the value when boxing, so in practice
// this is a no-op
if (!constrainedBox.IsAssignableTo(methEnv, thisType))
throw new InvalidOperationException
("constrained type is not assignable to method's first argument type");
}
}
else if (cs is ReferenceTypeStyle)
{
// *Case 2* We dereference the pointer and pass the object reference
if (!methi.Constrained.IsAssignableTo(methEnv, thisType))
throw new InvalidOperationException
("constrained type is not assignable to method's first argument type");
}
else if (cs is ParameterTypeStyle)
{
// Since we are calling an instance method, we know the first argument cannot be
// a "naked" type parameter, but is either a class or an interface.
// We must decide between cases 1 and 2 above at runtime, but checking as
// per case 1 is sufficient now.
// NOTE: As for box/classcast/isinst below, if the parameter is
// instantiated to a reference type then the type box type is considered
// equivalent to the underyling reference type.
if (!constrainedBox.IsAssignableTo(methEnv, thisType))
throw new InvalidOperationException
("constrained type is not assignable to method's first argument type");
}
else
throw new InvalidOperationException
("constrained must be value, reference or parameter type");
state.PeekExpectedType(sig.Parameters.Count - 1, constrainedPtr, changed);
}
else if (sig.Parameters.Count > 0)
state.PeekExpectedType(sig.Parameters.Count - 1, sig.Parameters[0], changed);
if (sig.Result == null)
return state.Pop(sig.Parameters.Count);
else
return state.PopPushType(sig.Parameters.Count, sig.Result, BottomPT);
}
case MethodOp.Ldftn:
{
// NOTE: Verified CLR allows only the two "blessed" sequences:
// dup; ldvirtftn; newobj <delegate ctor>
// ldftn; newobj <delegate ctor>
// It is thus possible to check the delegate will capture an instance which
// implements the loaded method. However, we don't check that here.
if (methi.IsVirtual)
{
if (methi.Method.IsStatic)
throw new InvalidOperationException("cannot ldvirtftn of a static method");
var objectType = default(TypeRef);
if (sig.Parameters[0].Style(methEnv) is ManagedPointerTypeStyle)
// Object should be a box
objectType = methEnv.Global.BoxTypeConstructorRef.ApplyTo(sig.Parameters[0].Arguments[0]);
else
// Object should match parameter
objectType = sig.Parameters[0];
state.PeekExpectedType(0, objectType, changed);
return state.PopPushType(1, sig.WithoutThis().ToCodePointer(methEnv.Global), BottomPT);
}
else
{
if (methi.Method.IsStatic)
return state.PushType(sig.ToCodePointer(methEnv.Global), BottomPT);
else
return state.PushType(sig.WithoutThis().ToCodePointer(methEnv.Global), BottomPT);
}
}
case MethodOp.Newobj:
{
if (methi.Method.IsStatic || sig.Result != null)
throw new InvalidOperationException("not a constructor");
for (var i = sig.Parameters.Count - 1; i >= 1; i--)
state.PeekExpectedType(sig.Parameters.Count - 1 - i, sig.Parameters[i], changed);
// First argument to constructor is created by runtime. If definining type is
// a value type, first argument will be a pointer, but result left on stack
// will be the value itself.
return state.PopPushType(sig.Parameters.Count - 1, methi.Method.DefiningType, BottomPT);
}
case MethodOp.Ldtoken:
return state.PushType(global.RuntimeMethodHandleRef, BottomPT);
default:
throw new ArgumentOutOfRangeException();
}
}
case InstructionFlavor.Type:
{
var typei = (TypeInstruction)instruction;
switch (typei.Op)
{
case TypeOp.Ldobj:
state.PeekReadPointerType(0, typei.Type);
return state.PopPushType(1, typei.Type, BottomPT);
case TypeOp.Stobj:
state.PeekExpectedType(0, typei.Type, changed);
state.PeekWritePointerType(1, typei.Type);
return state.Pop(2);
case TypeOp.Cpobj:
state.PeekReadPointerType(0, typei.Type);
state.PeekWritePointerType(1, typei.Type);
return state.Pop(2);
case TypeOp.Newarr:
state.PeekIndexType(0);
return state.PopPushType(1, methEnv.Global.ArrayTypeConstructorRef.ApplyTo(typei.Type), BottomPT);
case TypeOp.Initobj:
state.PeekWritePointerType(0, typei.Type);
return state.Pop(1);
case TypeOp.Castclass:
case TypeOp.Isinst:
case TypeOp.Box:
{
var resultType = default(TypeRef);
var s = typei.Type.Style(methEnv);
if (s is NullableTypeStyle)
resultType = methEnv.Global.BoxTypeConstructorRef.ApplyTo(typei.Type.Arguments[0]);
else if (s is ValueTypeStyle)
resultType = methEnv.Global.BoxTypeConstructorRef.ApplyTo(typei.Type);
else if (s is ReferenceTypeStyle)
resultType = typei.Type;
else if (s is ParameterTypeStyle)
// NOTE: As for constrained call above, if type parameter is instantitated to
// a ref type, then this box type is considered equivalent to the
// underlying reference type.
resultType = methEnv.Global.BoxTypeConstructorRef.ApplyTo(typei.Type);
else
throw new InvalidOperationException
("can only box/cast to reference, value or parameter type");
if (typei.Op == TypeOp.Box)
state.PeekExpectedType(0, typei.Type, changed);
else
state.PeekReferenceType(0);
return state.PopPushType(1, resultType, BottomPT);
}
case TypeOp.Unbox:
if (!(typei.Type.Style(methEnv) is ValueTypeStyle))
// Parameter types are not allowed
throw new InvalidOperationException("type must be a value type");
state.PeekBoxedType(0, typei.Type, changed);
return state.PopPushType(1, methEnv.Global.ManagedPointerTypeConstructorRef.ApplyTo(typei.Type), HeapPT);
case TypeOp.UnboxAny:
{
var s = typei.Type.Style(methEnv);
if (s is ValueTypeStyle)
state.PeekBoxedType(0, typei.Type, changed);
else if (!(s is ReferenceTypeStyle) && !(s is ParameterTypeStyle))
throw new InvalidOperationException("type must be value, reference or parameter type");
return state.PopPushType(1, typei.Type, BottomPT);
}
case TypeOp.Ldtoken:
return state.PushType(global.RuntimeTypeHandleRef, BottomPT);
case TypeOp.Ldelem:
state.PeekIndexType(0);
state.PeekReadArrayType(1, typei.Type, false);
return state.PopPushType(2, typei.Type, BottomPT);
case TypeOp.Stelem:
state.PeekExpectedType(0, typei.Type, changed);
state.PeekIndexType(1);
state.PeekWriteArrayType(2, typei.Type);
return state.Pop(3);
default:
throw new ArgumentOutOfRangeException();
}
}
case InstructionFlavor.LdElemAddr:
{
var ldelemai = (LdElemAddrInstruction)instruction;
state.PeekIndexType(0);
// WARNING: May prematurely fail for non-readonly loads
state.PeekReadArrayType(1, ldelemai.Type, !ldelemai.IsReadonly);
return state.PopPushType(2, methEnv.Global.ManagedPointerTypeConstructorRef.ApplyTo(ldelemai.Type), HeapPT);
}
case InstructionFlavor.LdInt32:
return state.PushType(global.Int32Ref, BottomPT);
case InstructionFlavor.LdInt64:
return state.PushType(global.Int64Ref, BottomPT);
case InstructionFlavor.LdSingle:
return state.PushType(global.DoubleRef, BottomPT);
case InstructionFlavor.LdDouble:
return state.PushType(global.DoubleRef, BottomPT);
case InstructionFlavor.LdString:
return state.PushType(global.StringRef, BottomPT);
case InstructionFlavor.Arith:
{
var arithi = (ArithInstruction)instruction;
switch (arithi.Op)
{
case ArithOp.Add:
case ArithOp.Sub:
case ArithOp.Mul:
case ArithOp.Div:
case ArithOp.Rem:
// NOTE: May capture skolemized types
arithi.Type = state.Peek2NumberTypes(0, true);
return state.PopPushType(2, arithi.Type, BottomPT);
case ArithOp.Neg:
// NOTE: May capture skolemized types
arithi.Type = state.PeekNumberType(0, true);
// Changing underlying value, so pop/push explicitly
return state.PopPushType(1, arithi.Type, BottomPT);
case ArithOp.BitAnd:
case ArithOp.BitOr:
case ArithOp.BitXor:
// NOTE: May capture skolemized types
arithi.Type = state.Peek2NumberTypes(0, false);
return state.PopPushType(2, arithi.Type, BottomPT);
case ArithOp.BitNot:
// NOTE: May capture skolemized types
arithi.Type = state.PeekNumberType(0, false);
// Changing underlying value, so pop/push explicitly
return state.PopPushType(1, arithi.Type, BottomPT);
case ArithOp.Shl:
case ArithOp.Shr:
state.PeekExpectedType(0, global.Int32Ref, changed);
// NOTE: May capture skolemized types
arithi.Type = state.PeekNumberType(1, false);
// Changing underlying value, so pop/push explicitly
return state.PopPushType(2, arithi.Type, BottomPT);
default:
throw new ArgumentOutOfRangeException();
}
}
case InstructionFlavor.Conv:
{
var convi = (ConvInstruction)instruction;
var mustBeInteger = (!convi.WithOverflow && convi.IsSourceUnsigned &&
convi.TargetNumberFlavor == NumberFlavor.Double);
// NOTE: May capture skolemized types
convi.SourceType = state.PeekNumberType(0, !mustBeInteger);
return state.PopPushType(1, TypeRef.NumberFrom(methEnv.Global, convi.TargetNumberFlavor), BottomPT);
}
case InstructionFlavor.Try:
{
var tryi = (TryInstruction)instruction;
// Isolation:
// - There is no way for the current stack shape to influence or be influenced by
// inference of the try, since the current stack shape must be empty.
// - There is no way for the try to influence the result stack shape, since it must be
// empty.
// - However pointers in arguments and locals may propogate into and out of try body
// via exceptional transitions. The latter are delt with separately.
if (state.Depth != 0)
throw new InvalidOperationException("stack should be empty");
var newState = ForwardBlock
(new TryBodyInstructionContext(context, index, tryi.Body), state, changed);
for (var j = 0; j < tryi.Handlers.Count; j++)
{
var h = tryi.Handlers[j];
var handlerContext = new TryHandlerInstructionContext(context, index, h.Body, j);
var initHandlerState = new MachineState
(methEnv, method.ValueParameters.Count, method.Locals.Count);
switch (h.Flavor)
{
case HandlerFlavor.Catch:
{
var catchh = (CatchTryInstructionHandler)h;
ForwardBlock(handlerContext, initHandlerState.PushType(catchh.Type, BottomPT), changed);
break;
}
case HandlerFlavor.Filter:
throw new NotSupportedException("filter handler blocks");
case HandlerFlavor.Fault:
case HandlerFlavor.Finally:
ForwardBlock(handlerContext, initHandlerState, changed);
break;
default:
throw new ArgumentOutOfRangeException();
}
}
return newState;
}
case InstructionFlavor.IfThenElsePseudo:
case InstructionFlavor.ShortCircuitingPseudo:
case InstructionFlavor.StructuralSwitchPseudo:
case InstructionFlavor.LoopPseudo:
case InstructionFlavor.WhileDoPseudo:
case InstructionFlavor.DoWhilePseudo:
case InstructionFlavor.LoopControlPseudo:
throw new InvalidOperationException("no machine state inference for psuedo-instructions");
default:
throw new ArgumentOutOfRangeException();
}
}