| blob | 80aea48b42d92eb871c299b915154b0e22e03cb0 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef vm_Stack_h
8 #define vm_Stack_h
13 #include <algorithm>
14 #include <type_traits>
42 }
47 // [SMDOC] VM stack layout
48 //
49 // A JSRuntime's stack consists of a linked list of activations. Every
50 // activation contains a number of scripted frames that are either running in
51 // the interpreter (InterpreterActivation) or JIT code (JitActivation). The
52 // frames inside a single activation are contiguous: whenever C++ calls back
53 // into JS, a new activation is pushed.
54 //
55 // Every activation is tied to a single JSContext and JS::Compartment. This
56 // means we can reconstruct a given context's stack by skipping activations
57 // belonging to other contexts. This happens whenever an embedding enters the JS
58 // engine on cx1 and then, from a native called by the JS engine, reenters the
59 // VM on cx2.
61 // Interpreter frames (InterpreterFrame)
62 //
63 // Each interpreter script activation (global or function code) is given a
64 // fixed-size header (js::InterpreterFrame). The frame contains bookkeeping
65 // information about the activation and links to the previous frame.
66 //
67 // The values after an InterpreterFrame in memory are its locals followed by its
68 // expression stack. InterpreterFrame::argv_ points to the frame's arguments.
69 // Missing formal arguments are padded with |undefined|, so the number of
70 // arguments is always >= the number of formals.
71 //
72 // The top of an activation's current frame's expression stack is pointed to by
73 // the activation's "current regs", which contains the stack pointer 'sp'. In
74 // the interpreter, sp is adjusted as individual values are pushed and popped
75 // from the stack and the InterpreterRegs struct (pointed to by the
76 // InterpreterActivation) is a local var of js::Interpret.
82 /*****************************************************************************/
91 /**
92 * Pointer to a live JS or WASM stack frame.
93 */
105 };
113 }
118 }
123 }
129 }
133 }
139 }
146 }
149 }
156 }
159 }
165 }
171 }
174 }
252 };
257 };
261 /*****************************************************************************/
269 /* Function prologue state */
270 HAS_INITIAL_ENV =
274 /* Lazy frame initialization */
277 /* Debugger state */
280 /*
281 * See comment above 'isDebuggee' in Realm.h for explanation of
282 * invariants of debuggee compartments, scripts, and frames.
283 */
286 /* Used in tracking calls and profiling (see vm/GeckoProfiler.cpp) */
289 /*
290 * If set, we entered one of the JITs and ScriptFrameIter should skip
291 * this frame.
292 */
295 /*
296 * If set, this frame has been on the stack when
297 * |js::SavedStacks::saveCurrentStack| was called, and so there is a
298 * |js::SavedFrame| object cached for this frame.
299 */
301 };
310 /*
311 * Previous frame and its pc and sp. Always nullptr for
312 * InterpreterActivation's entry frame, always non-nullptr for inline
313 * frames.
314 */
319 /*
320 * For an eval-in-frame DEBUGGER_EVAL frame, the frame in whose scope
321 * we're evaluating code. Iteration treats this as our previous frame.
322 */
323 AbstractFramePtr evalInFramePrev_;
331 }
333 /*
334 * The utilities are private since they are not able to assert that only
335 * unaliased vars/formals are accessed. Normal code should prefer the
336 * InterpreterFrame::unaliased* members (or InterpreterRegs::stackDepth for
337 * the usual "depth is at least" assertions).
338 */
347 /*
348 * Frame initialization, called by InterpreterStack operations after acquiring
349 * the raw memory for the frame:
350 */
352 /* Used for Invoke and Interpret. */
357 /* Used for eval, module or global frames. */
362 /*
363 * Frame prologue/epilogue
364 *
365 * Every stack frame must have 'prologue' called before executing the
366 * first op and 'epilogue' called after executing the last op and before
367 * popping the frame (whether the exit is exceptional or not).
368 *
369 * For inline JS calls/returns, it is easy to call the prologue/epilogue
370 * exactly once. When calling JS from C++, Invoke/Execute push the stack
371 * frame but do *not* call the prologue/epilogue. That means Interpret
372 * must call the prologue/epilogue for the entry frame. This scheme
373 * simplifies jit compilation.
374 *
375 * An important corner case is what happens when an error occurs (OOM,
376 * over-recursed) after pushing the stack frame but before 'prologue' is
377 * called or completes fully. To simplify usage, 'epilogue' does not assume
378 * 'prologue' has completed and handles all the intermediate state details.
379 */
388 /*
389 * Initialize locals of newly-pushed frame to undefined.
390 */
393 /*
394 * Stack frame type
395 *
396 * A stack frame may have one of four types, which determines which
397 * members of the frame may be accessed and other invariants:
398 *
399 * global frame: execution of global code
400 * function frame: execution of function code
401 * module frame: execution of a module
402 * eval frame: execution of eval code
403 */
413 /*
414 * Previous frame
415 *
416 * A frame's 'prev' frame is either null or the previous frame pointed to
417 * by cx->regs->fp when this frame was pushed. Often, given two prev-linked
418 * frames, the next-frame is a function or eval that was called by the
419 * prev-frame, but not always: the prev-frame may have called a native that
420 * reentered the VM through JS_CallFunctionValue on the same context
421 * (without calling JS_SaveFrameChain) which pushed the next-frame. Thus,
422 * 'prev' has little semantic meaning and basically just tells the VM what
423 * to set cx->regs->fp to when this frame is popped.
424 */
431 }
433 /*
434 * (Unaliased) locals and arguments
435 *
436 * Only non-eval function frames have arguments. The arguments pushed by
437 * the caller are the 'actual' arguments. The declared arguments of the
438 * callee are the 'formal' arguments. When the caller passes less actual
439 * arguments, missing formal arguments are padded with |undefined|.
440 *
441 * When a local/formal variable is aliased (accessed by nested closures,
442 * environment operations, or 'arguments'), the canonical location for
443 * that value is the slot of an environment object. Aliased locals don't
444 * have stack slots assigned to them. These functions assert that
445 * accesses to stack values are unaliased.
446 */
461 }
465 }
467 /* Watch out, this exposes a pointer to the unaliased formal arg array. */
471 }
473 /*
474 * Arguments object
475 *
476 * If a non-eval function has script->needsArgsObj, an arguments object is
477 * created in the prologue and stored in the local variable for the
478 * 'arguments' binding (script->argumentsLocal). Since this local is
479 * mutable, the arguments object can be overwritten and we can "lose" the
480 * arguments object. Thus, InterpreterFrame keeps an explicit argsObj_ field
481 * so that the original arguments object is always available.
482 */
489 /*
490 * Environment chain
491 *
492 * In theory, the environment chain would contain an object for every
493 * lexical scope. However, only objects that are required for dynamic
494 * lookup are actually created.
495 *
496 * Given that an InterpreterFrame corresponds roughly to a ES Execution
497 * Context (ES 10.3), GetVariablesObject corresponds to the
498 * VariableEnvironment component of a Exection Context. Intuitively, the
499 * variables object is where new bindings (variables and functions) are
500 * stored. One might expect that this is either the Call object or
501 * envChain.globalObj for function or global code, respectively, however
502 * the JSAPI allows calls of Execute to specify a variables object on the
503 * environment chain other than the call/global object. This allows
504 * embeddings to run multiple scripts under the same global, each time
505 * using a new variables object to collect and discard the script's global
506 * variables.
507 */
525 // Push a VarEnvironmentObject for function frames of functions that have
526 // parameter expressions with closed over var bindings.
529 /*
530 * For lexical envs with aliased locals, these interfaces push and pop
531 * entries on the environment chain. The "freshen" operation replaces the
532 * current lexical env with a fresh copy of it, to implement semantics
533 * providing distinct bindings per iteration of a for(;;) loop whose head
534 * has a lexical declaration. The "recreate" operation replaces the
535 * current lexical env with a copy of it containing uninitialized
536 * bindings, to implement semantics providing distinct bindings per
537 * iteration of a for-in/of loop.
538 */
546 /*
547 * Script
548 *
549 * All frames have an associated JSScript which holds the bytecode being
550 * executed for the frame.
551 */
555 /* Return the previous frame's pc. */
559 }
561 /* Return the previous frame's sp. */
565 }
567 /*
568 * Return the 'this' argument passed to a non-eval function frame. This is
569 * not necessarily the frame's this-binding, for instance non-strict
570 * functions will box primitive 'this' values and thisArgument() will
571 * return the original, unboxed Value.
572 */
576 }
578 /*
579 * Callee
580 *
581 * Only function frames have a true callee. An eval frame in a function has
582 * the same callee as its containing function frame. An async module has to
583 * create a wrapper callee to allow passing the script to generators for
584 * pausing and resuming.
585 */
590 }
595 }
597 /*
598 * New Target
599 *
600 * Only non-arrow function frames have a meaningful newTarget.
601 */
609 }
611 }
613 /* Profiler flags */
617 }
623 /* Return value */
630 }
632 }
639 }
641 // Copy values from this frame into a private Array, owned by the
642 // GeneratorObject, for suspending.
646 // Copy values from the Array into this stack frame, for resuming.
654 }
656 /*
657 * Other flags
658 */
665 /*
666 * These two queries should not be used in general: the presence/absence of
667 * the call/args object is determined by the static(ish) properties of the
668 * JSFunction/JSScript. These queries should only be performed when probing
669 * a stack frame that may be in the middle of the prologue (during which
670 * time the call/args object are created).
671 */
677 }
682 }
684 /*
685 * Debugger eval frames.
686 *
687 * - If evalInFramePrev_ is non-null, frame was created for an "eval in
688 * frame" call, which can push a successor to any live frame; so its
689 * logical "prev" frame is not necessarily the previous frame in memory.
690 * Iteration should treat evalInFramePrev_ as this frame's previous frame.
691 *
692 * - Don't bother to JIT it, because it's probably short-lived.
693 *
694 * - It is required to have a environment chain object outside the
695 * js::EnvironmentObject hierarchy: either a global object, or a
696 * DebugEnvironmentProxy.
697 */
700 }
722 // Entered Baseline/Ion from the interpreter.
726 };
728 /*****************************************************************************/
744 }
749 }
755 // This code is called when resuming from async and generator code.
756 // In the case of modules, we don't have arguments, so we can't use
757 // numActualArgs, which asserts 'hasArgs'.
762 }
767 }
773 }
777 }
782 };
784 /*****************************************************************************/
790 LifoAlloc allocator_;
792 // Number of interpreter frames on the stack, for over-recursion checks.
800 HandleScript script,
801 MaybeConstruct constructing,
805 frameCount_--;
807 }
814 // For execution of eval, module or global code.
816 HandleObject envChain,
817 AbstractFramePtr evalInFrame);
819 // Called to invoke a function.
821 MaybeConstruct constructing);
823 // The interpreter can push light-weight, "inline" frames without entering a
824 // new InterpreterActivation or recursively calling Interpret.
827 MaybeConstruct constructing);
838 }
839 };
843 /*****************************************************************************/
845 /** Base class for all function call args. */
848 /** Base class for all function construction args. */
850 // Only js::Construct (or internal methods that call the qualified CallArgs
851 // versions) should do these things!
856 };
860 /** Function call/construct args of statically-unknown count. */
862 class GenericArgsBase
865 RootedValueVector v_;
873 JSMSG_TOO_MANY_ARGUMENTS);
875 }
877 // callee, this, arguments[, new.target iff constructing]
882 }
888 }
890 }
891 };
893 /** Function call/construct args of statically-known count. */
895 class FixedArgsBase
897 // Add +1 here to avoid noisy warning on gcc when N=0 (0 <= unsigned).
908 }
909 }
910 };
914 /** Function call args of statically-unknown count. */
920 };
922 /** Function call args of statically-unknown count. */
923 class InvokeArgsMaybeIgnoresReturnValue
933 }
936 }
937 };
939 /** Function call args of statically-known count. */
946 };
948 /** Function construct args of statically-unknown count. */
954 };
956 /** Function call args of statically-known count. */
963 };
971 }
975 }
978 }
980 #ifdef ENABLE_PORTABLE_BASELINE_INTERP
992 DEFAULT_SIZE);
993 }
995 };
1008 }
1012 }
1013 };