| blob | be6869dac9c46542c809bc4aaf5a4f7d5053c3dd |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* JS::Value implementation. */
9 #ifndef js_Value_h
10 #define js_Value_h
19 #include <type_traits>
29 }
31 // [SMDOC] JS::Value Boxing Formats
32 //
33 // JS::Value is a 64-bit value, on all architectures. It is conceptually a
34 // discriminated union of all the types of values that can be represented in SM:
35 // - Object Pointers
36 // - 64 bit IEEE 754 floats
37 // - 32-bit integer values
38 // - and quite a few more (see JSValueType)
39 //
40 // The ECMAScript standard specifies that ECMAScript numbers are IEEE 64-bit
41 // floating-point values. A JS::Value can represent any JavaScript number
42 // value directly, without referring to additional storage, or represent an
43 // object, string, or other ECMAScript value, and remember which type it is.
44 //
45 // This may seem surprising: how can a 64-bit type hold all the 64-bit IEEE
46 // values, and still distinguish them from objects, strings, and so on,
47 // which have 64-bit addresses ?
48 //
49 // This is possible for two reasons:
50 //
51 // - First, ECMAScript implementations aren't required to distinguish all
52 // the values the IEEE 64-bit format can represent.
53 //
54 // The IEEE 754 format for floating point numbers specifies that every
55 // floating-point value whose 11-bit exponent field is all ones, and whose
56 // 52-bit fraction field is non-zero, has the value NaN. EMCAScript requires
57 // only one NaN value. This means we can use one IEEE NaN to represent
58 // ECMAScript's NaN, and use all the other 2^52-2 NaN bitstrings to
59 // represent the other ECMAScript values.
60 //
61 // - Second, on the 64 bit architectures we suppport, only the
62 // lower 48 bits of an address are currently significant. The upper sixteen
63 // bits are required to be the sign-extension of bit 48. Furthermore, user
64 // code always runs in "positive addresses": those in which bit 48 is zero. So
65 // we only actually need 47 bits to store all possible object or string
66 // addresses, even on 64-bit platforms.
67 //
68 // Our memory initialization system ensures that all pointers we will store in
69 // objects use only 47 bits. See js::gc::MapAlignedPagesRandom.
70 //
71 // The introduction of 5-level page tables, supporting 57-bit virtual
72 // addresses, is a potential complication. For now, large addresses are
73 // opt-in, and we simply don't use them.
74 //
75 // With a 52-bit fraction field, and 47 bits needed for the 'payload', we
76 // have up to five bits left to store a 'tag' value, to indicate which
77 // branch of our discriminated union is live. (In practice, one of those
78 // bits is used up to simplify NaN representation; see micro-optimization 5
79 // below.)
80 //
81 // Thus, we define JS::Value representations in terms of the IEEE 64-bit
82 // floating-point format:
83 //
84 // - Any bitstring that IEEE calls a number or an infinity represents that
85 // ECMAScript number.
86 //
87 // - Any bitstring that IEEE calls a NaN represents either an ECMAScript NaN
88 // or a non-number ECMAScript value, as determined by a tag field stored
89 // towards the most significant end of the fraction field (exactly where
90 // depends on the address size). If the tag field indicates that this
91 // JS::Value is an object, the fraction field's least significant end
92 // holds the address of a JSObject; if a string, the address of a
93 // JSString; and so on.
94 //
95 // To enforce this invariant, anywhere that may provide a numerical value
96 // which may have a non-canonical NaN value (NaN, but not the one we've chosen
97 // for ECMAScript) we must convert that to the canonical NaN. See
98 // JS::CanonicalizeNaN.
99 //
100 // We have two boxing modes defined: NUNBOX32 and PUNBOX64.The first is
101 // "NaN unboxed boxing" (or Nunboxing), as non-Number payload are stored
102 // unaltered in the lower bits. The second is "Packed NaN boxing" (or
103 // punboxing), which is 'logically like nunboxing, but with all the unused bits
104 // sucked out' [1], as we rely on unused bits of the payload to pack the
105 // payload in the lower bits using Nunboxing.
106 //
107 // - In NUNBOX32 the tag is stored in the least-significant bits of the high
108 // word of the NaN. Since it's used on 32-bit systems, this has the nice
109 // property that boxed values are simply stored in the low-word of the 8-byte
110 // NaN.
111 //
112 // - In PUNBOX64, since we need to store more pointer bits (47, see above), the
113 // tag is stored in the 5 most significant bits of the fraction adjacent to
114 // the exponent.
115 //
116 // Tag values are carefully ordered to support a set of micro-optimizations. In
117 // particular:
118 //
119 // 1. Object is the highest tag, to simplify isPrimitive checks. (See
120 // ValueUpperExclPrimitiveTag)
121 // 2. Numbers (Double and Int32) are the lowest tags, to simplify isNumber
122 // checks. (See ValueUpperInclNumberTag)
123 // 3. Non-GC tags are ordered before GC-tags, to simplify isGCThing checks. (See
124 // ValueLowerInclGCThingTag)
125 // 4. The tags for Object and Null differ by a single flipped bit, to simplify
126 // toObjectOrNull. (See ValueObjectOrNullBit)
127 // 5. In PUNBOX64, the most significant bit of every non-Double tag is always
128 // set. This is to simplify isDouble checks. Note that the highest bitstring
129 // that corresponds to a non-NaN double is -Infinity:
130 // 0xfff0_0000_0000_0000
131 // But the canonical hardware NaN (produced by, for example, 0/0) is:
132 // 0x?ff8_0000_0000_0000
133 // on all platforms with JIT support*. (The most significant bit is the sign
134 // bit; it is 1 on x86, but 0 on ARM.) The most significant bit of the
135 // fraction field is set, which corresponds to the most significant of the 5
136 // tag bits. Because we only use tags that have the high bit set, any Value
137 // represented by a bitstring less than or equal to 0xfff8_..._0000 is a
138 // Double. (If we wanted to use all five bits, we could define 0x10 as
139 // JSVAL_TYPE_NAN, and mask off the most significant bit of the tag for
140 // IsDouble checks. This is not yet necessary, because we still have room
141 // left to allocate new tags.)
142 //
143 // * But see JS_NONCANONICAL_HARDWARE_NAN below.
144 //
145 // [1]:
146 // https://wingolog.org/archives/2011/05/18/value-representation-in-javascript-implementations#969f63bbe4eb912778c9da85feb0f5763e7a7862
148 /* JS::Value can store a full int32_t. */
149 #define JSVAL_INT_BITS 32
150 #define JSVAL_INT_MIN ((int32_t)0x80000000)
151 #define JSVAL_INT_MAX ((int32_t)0x7fffffff)
153 #if defined(JS_NUNBOX32)
154 # define JSVAL_TAG_SHIFT 32
155 #elif defined(JS_PUNBOX64)
156 # define JSVAL_TAG_SHIFT 47
157 #endif
159 // Use enums so that printing a JS::Value in the debugger shows nice
160 // symbolic type tags.
173 #ifdef ENABLE_RECORD_TUPLE
175 #endif
178 // This type never appears in a Value; it's only an out-of-band value.
180 };
194 #ifdef ENABLE_RECORD_TUPLE
196 #endif
198 };
204 #if defined(JS_NUNBOX32)
217 # ifdef ENABLE_RECORD_TUPLE
218 JSVAL_TAG_EXTENDED_PRIMITIVE =
220 # endif
222 };
227 #elif defined(JS_PUNBOX64)
240 # ifdef ENABLE_RECORD_TUPLE
241 JSVAL_TAG_EXTENDED_PRIMITIVE =
243 # endif
245 };
251 // See Bug 584653 for why we include 0xFFFFFFFF.
252 JSVAL_SHIFTED_TAG_MAX_DOUBLE =
255 JSVAL_SHIFTED_TAG_UNDEFINED =
262 JSVAL_SHIFTED_TAG_PRIVATE_GCTHING =
265 # ifdef ENABLE_RECORD_TUPLE
266 JSVAL_SHIFTED_TAG_EXTENDED_PRIMITIVE =
268 # endif
270 };
275 #endif
280 #if defined(JS_NUNBOX32)
285 }
289 }
295 #elif defined(JS_PUNBOX64)
300 }
304 }
308 // This should only be used in toGCThing. See the 'Spectre mitigations' comment.
311 // Mask used to combine an unbox operation with getting the chunk base.
317 }
318 # define JSVAL_TYPE_TO_SHIFTED_TAG(type) \
319 (JS::detail::ValueTypeToShiftedTag(type))
329 // JSVAL_TYPE_OBJECT and JSVAL_TYPE_NULL differ by one bit. We can use this to
330 // implement toObjectOrNull more efficiently.
337 // All 64-bit platforms that we support actually have a 48-bit address space
338 // for user-mode pointers, with the top 16 bits all set to zero.
340 }
347 #define JSVAL_TYPE_TO_TAG(type) (JS::detail::ValueTypeToTag(type))
350 /** a hole in a native object's elements */
351 JS_ELEMENTS_HOLE,
353 /** there is not a pending iterator value */
354 JS_NO_ITER_VALUE,
356 /** exception value thrown when closing a generator */
357 JS_GENERATOR_CLOSING,
359 /** used in debug builds to catch tracing errors */
360 JS_ARG_POISON,
362 /** an empty subnode in the AST serializer */
363 JS_SERIALIZE_NO_NODE,
365 /** magic value passed to natives to indicate construction */
366 JS_IS_CONSTRUCTING,
368 /** see class js::HashableValue */
369 JS_HASH_KEY_EMPTY,
371 /** error while running Ion code */
372 JS_ION_ERROR,
374 /** missing recover instruction result */
375 JS_ION_BAILOUT,
377 /** optimized out slot */
378 JS_OPTIMIZED_OUT,
380 /** uninitialized lexical bindings that produce ReferenceError on touch. */
381 JS_UNINITIALIZED_LEXICAL,
383 /** arguments object can't be created because environment is dead. */
384 JS_MISSING_ARGUMENTS,
386 /** for local use */
387 JS_GENERIC_MAGIC,
389 /**
390 * When an error object is created without the error cause argument, we set
391 * the error's cause slot to this magic value.
392 */
393 JS_ERROR_WITHOUT_CAUSE,
395 JS_WHY_MAGIC_COUNT
396 };
400 #ifdef ENABLE_RECORD_TUPLE
401 // Re-defined in vm/RecordTupleBoxShared.h. We cannot include that
402 // file because it circularly includes this one.
407 #endif
414 // IEEE-754 bit pattern for double-precision positive infinity.
419 // This is a quiet NaN on IEEE-754[2008] compatible platforms, including X86,
420 // ARM, SPARC, RISC-V and modern MIPS.
421 //
422 // Note: The default sign bit for a hardware synthesized NaN differs between X86
423 // and ARM. Both values are considered compatible values on both
424 // platforms.
428 #if defined(__sparc__)
429 // Some architectures (not to name names) generate NaNs with bit patterns that
430 // are incompatible with JS::Value's bit pattern restrictions. Instead we must
431 // canonicalize all hardware values before storing in JS::Value.
432 # define JS_NONCANONICAL_HARDWARE_NAN
433 #endif
435 #if defined(__mips__) && !defined(__mips_nan_2008)
436 // These builds may run on hardware that has differing polarity of the signaling
437 // NaN bit. While the kernel may handle the trap for us, it is a performance
438 // issue so instead we compute the NaN to use on startup. The runtime value must
439 // still meet `ValueIsDouble` requirements which are checked on startup.
441 // In particular, we expect one of the following values on MIPS:
442 // - 0x7FF7FFFFFFFFFFFF Legacy
443 // - 0x7FF8000000000000 IEEE-754[2008]
444 # define JS_RUNTIME_CANONICAL_NAN
445 #endif
447 #if defined(JS_RUNTIME_CANONICAL_NAN)
449 #else
453 #endif
456 // Return a quiet NaN that is compatible with JS::Value restrictions.
458 #if !defined(JS_RUNTIME_CANONICAL_NAN)
461 #endif
464 }
466 // Return the infinity the engine uses
469 }
471 // Convert an arbitrary double to one compatible with JS::Value representation
472 // by replacing any NaN value with a canonical one.
476 }
478 }
480 /**
481 * [SMDOC] JS::Value type
482 *
483 * JS::Value is the interface for a single JavaScript Engine value. A few
484 * general notes on JS::Value:
485 *
486 * - JS::Value has setX() and isX() members for X in
487 *
488 * { Int32, Double, String, Symbol, BigInt, Boolean, Undefined, Null,
489 * Object, Magic }
490 *
491 * JS::Value also contains toX() for each of the non-singleton types.
492 *
493 * - Magic is a singleton type whose payload contains either a JSWhyMagic
494 * "reason" for the magic value or a uint32_t value. By providing JSWhyMagic
495 * values when creating and checking for magic values, it is possible to
496 * assert, at runtime, that only magic values with the expected reason flow
497 * through a particular value. For example, if cx->exception has a magic
498 * value, the reason must be JS_GENERATOR_CLOSING.
499 *
500 * - The JS::Value operations are preferred. The JSVAL_* operations remain for
501 * compatibility; they may be removed at some point. These operations mostly
502 * provide similar functionality. But there are a few key differences. One
503 * is that JS::Value gives null a separate type.
504 * Also, to help prevent mistakenly boxing a nullable JSObject* as an object,
505 * Value::setObject takes a JSObject&. (Conversely, Value::toObject returns a
506 * JSObject&.) A convenience member Value::setObjectOrNull is provided.
507 *
508 * - Note that JS::Value is 8 bytes on 32 and 64-bit architectures. Thus, on
509 * 32-bit user code should avoid copying jsval/JS::Value as much as possible,
510 * preferring to pass by const Value&.
511 *
512 * Spectre mitigations
513 * ===================
514 * To mitigate Spectre attacks, we do the following:
515 *
516 * - On 64-bit platforms, when unboxing a Value, we XOR the bits with the
517 * expected type tag (instead of masking the payload bits). This guarantees
518 * that toString, toObject, toSymbol will return an invalid pointer (because
519 * some high bits will be set) when called on a Value with a different type
520 * tag.
521 *
522 * - On 32-bit platforms,when unboxing an object/string/symbol Value, we use a
523 * conditional move (not speculated) to zero the payload register if the type
524 * doesn't match.
525 */
537 #if defined(JS_NONCANONICAL_HARDWARE_NAN)
539 #endif
541 }
546 "32-bit Value's tag_ must have size 4 to complement the "
549 "32-bit Value's JSWhyMagic payload field must not inflate "
553 #if defined(JS_NUNBOX32)
555 #elif defined(JS_PUNBOX64)
557 #endif
560 PayloadType payload) {
562 }
565 PayloadType payload) {
567 }
573 }
577 /**
578 * Returns false if creating a NumberValue containing the given type would
579 * be lossy, true otherwise.
580 */
584 }
586 /*** Mutators ***/
591 }
596 }
601 }
606 }
612 }
618 }
624 }
628 #ifdef ENABLE_RECORD_TUPLE
630 #endif
633 }
635 #ifdef ENABLE_RECORD_TUPLE
639 asBits_ =
642 }
643 #endif
648 }
656 }
661 }
668 }
675 }
678 }
685 }
688 }
703 }
704 }
713 }
714 }
715 }
716 }
723 }
724 }
730 }
739 #if defined(JS_NUNBOX32)
742 #elif defined(JS_PUNBOX64)
743 // Note: the 'Spectre mitigations' comment at the top of this class
744 // explains why we use XOR here.
747 #endif
748 }
751 /*** JIT-only interfaces to interact with and create raw Values ***/
752 #if defined(JS_NUNBOX32)
756 #elif defined(JS_PUNBOX64)
759 }
760 #endif
762 /*** Value type queries ***/
764 /*
765 * N.B. GCC, in some but not all cases, chooses to emit signed comparison
766 * of JSValueTag even though its underlying type has been forced to be
767 * uint32_t. Thus, all comparisons should explicitly cast operands to
768 * uint32_t.
769 */
772 #if defined(JS_NUNBOX32)
774 #elif defined(JS_PUNBOX64)
776 #endif
777 }
780 #if defined(JS_NUNBOX32)
782 #elif defined(JS_PUNBOX64)
784 #endif
785 }
793 }
798 #if defined(JS_NUNBOX32)
801 #elif defined(JS_PUNBOX64)
803 #endif
804 }
813 #if defined(JS_NUNBOX32)
815 #elif defined(JS_PUNBOX64)
818 #endif
819 }
821 #ifdef ENABLE_RECORD_TUPLE
824 }
825 #endif
829 }
832 #if defined(JS_NUNBOX32)
834 #elif defined(JS_PUNBOX64)
836 #endif
837 }
844 #if defined(JS_NUNBOX32)
845 /* gcc sometimes generates signed < without explicit casts. */
847 #elif defined(JS_PUNBOX64)
849 #endif
850 }
856 }
860 }
867 }
870 }
872 // Like isMagic, but without the release assertion.
876 }
879 }
893 }
894 #ifdef ENABLE_RECORD_TUPLE
897 }
898 #endif
900 }
905 }
910 }
912 /*** Comparison ***/
920 /*** Extract the value's typed payload ***/
925 }
930 }
935 }
940 }
945 }
950 }
954 #if defined(JS_PUNBOX64)
956 #endif
958 }
962 #if defined(JS_NUNBOX32)
964 #elif defined(JS_PUNBOX64)
965 // Note: the 'Spectre mitigations' comment at the top of this class
966 // explains why we use XOR here and in other to* methods.
971 #endif
972 }
974 #ifdef ENABLE_RECORD_TUPLE
977 # if defined(JS_PUNBOX64)
979 # endif
981 }
982 #endif
985 #ifdef ENABLE_RECORD_TUPLE
987 #else
989 #endif
990 }
994 #if defined(JS_NUNBOX32)
996 #elif defined(JS_PUNBOX64)
1000 #endif
1001 }
1007 #if defined(JS_NUNBOX32)
1009 #elif defined(JS_PUNBOX64)
1011 #endif
1012 }
1020 }
1025 }
1030 }
1032 /*
1033 * Private API
1034 *
1035 * Private setters/getters allow the caller to read/write arbitrary
1036 * word-size pointers or uint32s. After storing to a value with
1037 * setPrivateX, it is the caller's responsibility to only read using
1038 * toPrivateX. Private values are given a type which ensures they
1039 * aren't marked by the GC.
1040 */
1043 #if defined(JS_PUNBOX64)
1045 #endif
1048 }
1052 #if defined(JS_PUNBOX64)
1054 #endif
1056 }
1061 }
1065 /*
1066 * Private GC Thing API
1067 *
1068 * Non-JSObject, JSString, and JS::Symbol cells may be put into the 64-bit
1069 * payload as private GC things. Such Values are considered isGCThing(), and
1070 * as such, automatically marked. Their traceKind() is gotten via their
1071 * cells.
1072 */
1076 "Private GC thing Values must not be strings. Make a "
1079 "Private GC thing Values must not be symbols. Make a "
1082 "Private GC thing Values must not be BigInts. Make a "
1085 "Private GC thing Values must not be objects. Make an "
1089 #if defined(JS_PUNBOX64)
1090 // VisualStudio cannot contain parenthesized C++ style cast and shift
1091 // inside decltype in template parameter:
1092 // AssertionConditionType<decltype((uintptr_t(x) >> 1))>
1093 // It throws syntax error.
1095 #endif
1096 asBits_ =
1098 }
1104 "Value size must leave three tag bits, be a binary power, and "
1108 #ifdef DEBUG
1111 #endif
1114 }
1115 }
1117 /************************************************************************/
1120 Value v;
1123 }
1130 Value v;
1133 }
1137 }
1141 }
1145 }
1148 Value v;
1151 }
1154 Value v;
1157 }
1160 Value v;
1163 }
1166 Value v;
1169 }
1172 Value v;
1175 }
1178 Value v;
1181 }
1184 Value v;
1187 }
1190 Value v;
1193 }
1195 #ifdef ENABLE_RECORD_TUPLE
1197 Value v;
1200 }
1201 #endif
1204 Value v;
1207 }
1210 Value v;
1213 }
1218 }
1222 Value v;
1225 }
1228 Value v;
1231 }
1234 Value v;
1237 }
1241 }
1244 Value v;
1247 }
1250 Value v;
1253 }
1256 #if defined(JS_NUNBOX32)
1259 #elif defined(JS_PUNBOX64)
1262 #endif
1263 }
1267 /************************************************************************/
1278 // This should only be called as part of root marking since that's the only
1279 // time we should trace unbarriered GC thing pointers. This will assert if
1280 // called at other times.
1282 }
1285 }
1288 }
1289 };
1299 }
1303 }
1308 }
1309 }
1310 };
1315 /**
1316 * A class designed for CRTP use in implementing the non-mutating parts of the
1317 * Value interface in Value-like classes. Wrapper must be a class inheriting
1318 * ValueOperations<Wrapper> with a visible get() method returning a const
1319 * reference to the Value abstracted by Wrapper.
1320 */
1325 }
1341 #ifdef ENABLE_RECORD_TUPLE
1343 #endif
1364 #ifdef ENABLE_RECORD_TUPLE
1367 }
1368 #endif
1379 }
1384 };
1386 /**
1387 * A class designed for CRTP use in implementing all the mutating parts of the
1388 * Value interface in Value-like classes. Wrapper must be a class inheriting
1389 * MutableWrappedPtrOperations<Wrapper> with visible get() methods returning
1390 * const and non-const references to the Value abstracted by Wrapper.
1391 */
1397 // Call Wrapper::set to trigger any barriers.
1399 }
1413 }
1419 #ifdef ENABLE_RECORD_TUPLE
1422 }
1423 #endif
1428 }
1429 };
1431 /*
1432 * Augment the generic Heap<T> interface when T = Value with
1433 * type-querying, value-extracting, and mutating operations.
1434 */
1442 // If the Value is a GC pointer type, call |f| with the pointer cast to that
1443 // type and return the result wrapped in a Maybe, otherwise return None().
1451 }
1452 #ifdef ENABLE_RECORD_TUPLE
1454 #endif
1459 }
1464 }
1469 }
1473 }
1483 }
1484 }
1487 }
1489 // If the Value is a GC pointer type, call |f| with the pointer cast to that
1490 // type. Return whether this happened.
1497 })
1499 }
1505 }
1509 #ifdef DEBUG
1515 }
1516 }
1520 }
1523 #endif
1525 /************************************************************************/