| blob | 6c6d82f1b86a4f41e147662321c3fa52061cec50 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* JS::Value implementation. */
9 #ifndef js_Value_h
10 #define js_Value_h
19 #include <type_traits>
29 }
31 // [SMDOC] JS::Value Boxing Formats
32 //
33 // JS::Value is a 64-bit value, on all architectures. It is conceptually a
34 // discriminated union of all the types of values that can be represented in SM:
35 // - Object Pointers
36 // - 64 bit IEEE 754 floats
37 // - 32-bit integer values
38 // - and quite a few more (see JSValueType)
39 //
40 // The ECMAScript standard specifies that ECMAScript numbers are IEEE 64-bit
41 // floating-point values. A JS::Value can represent any JavaScript number
42 // value directly, without referring to additional storage, or represent an
43 // object, string, or other ECMAScript value, and remember which type it is.
44 //
45 // This may seem surprising: how can a 64-bit type hold all the 64-bit IEEE
46 // values, and still distinguish them from objects, strings, and so on,
47 // which have 64-bit addresses ?
48 //
49 // This is possible for two reasons:
50 //
51 // - First, ECMAScript implementations aren't required to distinguish all
52 // the values the IEEE 64-bit format can represent.
53 //
54 // The IEEE 754 format for floating point numbers specifies that every
55 // floating-point value whose 11-bit exponent field is all ones, and whose
56 // 52-bit fraction field is non-zero, has the value NaN. EMCAScript requires
57 // only one NaN value. This means we can use one IEEE NaN to represent
58 // ECMAScript's NaN, and use all the other 2^52-2 NaN bitstrings to
59 // represent the other ECMAScript values.
60 //
61 // - Second, on the 64 bit architectures we suppport, only the
62 // lower 48 bits of an address are currently significant. The upper sixteen
63 // bits are required to be the sign-extension of bit 48. Furthermore, user
64 // code always runs in "positive addresses": those in which bit 48 is zero. So
65 // we only actually need 47 bits to store all possible object or string
66 // addresses, even on 64-bit platforms.
67 //
68 // Our memory initialization system ensures that all pointers we will store in
69 // objects use only 47 bits. See js::gc::MapAlignedPagesRandom.
70 //
71 // The introduction of 5-level page tables, supporting 57-bit virtual
72 // addresses, is a potential complication. For now, large addresses are
73 // opt-in, and we simply don't use them.
74 //
75 // With a 52-bit fraction field, and 47 bits needed for the 'payload', we
76 // have up to five bits left to store a 'tag' value, to indicate which
77 // branch of our discriminated union is live. (In practice, one of those
78 // bits is used up to simplify NaN representation; see micro-optimization 5
79 // below.)
80 //
81 // Thus, we define JS::Value representations in terms of the IEEE 64-bit
82 // floating-point format:
83 //
84 // - Any bitstring that IEEE calls a number or an infinity represents that
85 // ECMAScript number.
86 //
87 // - Any bitstring that IEEE calls a NaN represents either an ECMAScript NaN
88 // or a non-number ECMAScript value, as determined by a tag field stored
89 // towards the most significant end of the fraction field (exactly where
90 // depends on the address size). If the tag field indicates that this
91 // JS::Value is an object, the fraction field's least significant end
92 // holds the address of a JSObject; if a string, the address of a
93 // JSString; and so on.
94 //
95 // To enforce this invariant, anywhere that may provide a numerical value
96 // which may have a non-canonical NaN value (NaN, but not the one we've chosen
97 // for ECMAScript) we must convert that to the canonical NaN. See
98 // JS::CanonicalizeNaN.
99 //
100 // We have two boxing modes defined: NUNBOX32 and PUNBOX64.The first is
101 // "NaN unboxed boxing" (or Nunboxing), as non-Number payload are stored
102 // unaltered in the lower bits. The second is "Packed NaN boxing" (or
103 // punboxing), which is 'logically like nunboxing, but with all the unused bits
104 // sucked out' [1], as we rely on unused bits of the payload to pack the
105 // payload in the lower bits using Nunboxing.
106 //
107 // - In NUNBOX32 the tag is stored in the least-significant bits of the high
108 // word of the NaN. Since it's used on 32-bit systems, this has the nice
109 // property that boxed values are simply stored in the low-word of the 8-byte
110 // NaN.
111 //
112 // - In PUNBOX64, since we need to store more pointer bits (47, see above), the
113 // tag is stored in the 5 most significant bits of the fraction adjacent to
114 // the exponent.
115 //
116 // Tag values are carefully ordered to support a set of micro-optimizations. In
117 // particular:
118 //
119 // 1. Object is the highest tag, to simplify isPrimitive checks. (See
120 // ValueUpperExclPrimitiveTag)
121 // 2. Numbers (Double and Int32) are the lowest tags, to simplify isNumber
122 // checks. (See ValueUpperInclNumberTag)
123 // 3. Non-GC tags are ordered before GC-tags, to simplify isGCThing checks. (See
124 // ValueLowerInclGCThingTag)
125 // 4. The tags for Object and Null differ by a single flipped bit, to simplify
126 // toObjectOrNull. (See ValueObjectOrNullBit)
127 // 5. In PUNBOX64, the most significant bit of every non-Double tag is always
128 // set. This is to simplify isDouble checks. Note that the highest bitstring
129 // that corresponds to a non-NaN double is -Infinity:
130 // 0xfff0_0000_0000_0000
131 // But the canonical hardware NaN (produced by, for example, 0/0) is:
132 // 0x?ff8_0000_0000_0000
133 // on all platforms with JIT support*. (The most significant bit is the sign
134 // bit; it is 1 on x86, but 0 on ARM.) The most significant bit of the
135 // fraction field is set, which corresponds to the most significant of the 5
136 // tag bits. Because we only use tags that have the high bit set, any Value
137 // represented by a bitstring less than or equal to 0xfff8_..._0000 is a
138 // Double. (If we wanted to use all five bits, we could define 0x10 as
139 // JSVAL_TYPE_NAN, and mask off the most significant bit of the tag for
140 // IsDouble checks. This is not yet necessary, because we still have room
141 // left to allocate new tags.)
142 //
143 // * But see JS_NONCANONICAL_HARDWARE_NAN below.
144 //
145 // [1]:
146 // https://wingolog.org/archives/2011/05/18/value-representation-in-javascript-implementations#969f63bbe4eb912778c9da85feb0f5763e7a7862
148 /* JS::Value can store a full int32_t. */
149 #define JSVAL_INT_BITS 32
150 #define JSVAL_INT_MIN ((int32_t)0x80000000)
151 #define JSVAL_INT_MAX ((int32_t)0x7fffffff)
153 #if defined(JS_NUNBOX32)
154 # define JSVAL_TAG_SHIFT 32
155 #elif defined(JS_PUNBOX64)
156 # define JSVAL_TAG_SHIFT 47
157 #endif
159 // Use enums so that printing a JS::Value in the debugger shows nice
160 // symbolic type tags.
173 #ifdef ENABLE_RECORD_TUPLE
175 #endif
178 // This type never appears in a Value; it's only an out-of-band value.
180 };
194 #ifdef ENABLE_RECORD_TUPLE
196 #endif
198 };
204 #if defined(JS_NUNBOX32)
217 # ifdef ENABLE_RECORD_TUPLE
218 JSVAL_TAG_EXTENDED_PRIMITIVE =
220 # endif
222 };
227 #elif defined(JS_PUNBOX64)
240 # ifdef ENABLE_RECORD_TUPLE
241 JSVAL_TAG_EXTENDED_PRIMITIVE =
243 # endif
245 };
251 // See Bug 584653 for why we include 0xFFFFFFFF.
252 JSVAL_SHIFTED_TAG_MAX_DOUBLE =
255 JSVAL_SHIFTED_TAG_UNDEFINED =
262 JSVAL_SHIFTED_TAG_PRIVATE_GCTHING =
265 # ifdef ENABLE_RECORD_TUPLE
266 JSVAL_SHIFTED_TAG_EXTENDED_PRIMITIVE =
268 # endif
270 };
275 #endif
280 #if defined(JS_NUNBOX32)
285 }
289 }
295 #elif defined(JS_PUNBOX64)
300 }
304 }
308 // This should only be used in toGCThing. See the 'Spectre mitigations' comment.
311 // Mask used to combine an unbox operation with getting the chunk base.
317 }
318 # define JSVAL_TYPE_TO_SHIFTED_TAG(type) \
319 (JS::detail::ValueTypeToShiftedTag(type))
329 // JSVAL_TYPE_OBJECT and JSVAL_TYPE_NULL differ by one bit. We can use this to
330 // implement toObjectOrNull more efficiently.
337 // All 64-bit platforms that we support actually have a 48-bit address space
338 // for user-mode pointers, with the top 16 bits all set to zero.
340 }
347 #define JSVAL_TYPE_TO_TAG(type) (JS::detail::ValueTypeToTag(type))
350 /** a hole in a native object's elements */
351 JS_ELEMENTS_HOLE,
353 /** there is not a pending iterator value */
354 JS_NO_ITER_VALUE,
356 /** exception value thrown when closing a generator */
357 JS_GENERATOR_CLOSING,
359 /** used in debug builds to catch tracing errors */
360 JS_ARG_POISON,
362 /** an empty subnode in the AST serializer */
363 JS_SERIALIZE_NO_NODE,
365 /** magic value passed to natives to indicate construction */
366 JS_IS_CONSTRUCTING,
368 /** see class js::HashableValue */
369 JS_HASH_KEY_EMPTY,
371 /** error while running Ion code */
372 JS_ION_ERROR,
374 /** missing recover instruction result */
375 JS_ION_BAILOUT,
377 /** optimized out slot */
378 JS_OPTIMIZED_OUT,
380 /** uninitialized lexical bindings that produce ReferenceError on touch. */
381 JS_UNINITIALIZED_LEXICAL,
383 /** arguments object can't be created because environment is dead. */
384 JS_MISSING_ARGUMENTS,
386 /** exception value thrown when interrupting irregexp */
387 JS_INTERRUPT_REGEXP,
389 /** for local use */
390 JS_GENERIC_MAGIC,
392 /**
393 * When an error object is created without the error cause argument, we set
394 * the error's cause slot to this magic value.
395 */
396 JS_ERROR_WITHOUT_CAUSE,
398 JS_WHY_MAGIC_COUNT
399 };
406 #ifdef ENABLE_RECORD_TUPLE
407 // Re-defined in vm/RecordTupleBoxShared.h. We cannot include that
408 // file because it circularly includes this one.
413 #endif
420 // IEEE-754 bit pattern for double-precision positive infinity.
425 // This is a quiet NaN on IEEE-754[2008] compatible platforms, including X86,
426 // ARM, SPARC, RISC-V and modern MIPS.
427 //
428 // Note: The default sign bit for a hardware synthesized NaN differs between X86
429 // and ARM. Both values are considered compatible values on both
430 // platforms.
434 #if defined(__sparc__)
435 // Some architectures (not to name names) generate NaNs with bit patterns that
436 // are incompatible with JS::Value's bit pattern restrictions. Instead we must
437 // canonicalize all hardware values before storing in JS::Value.
438 # define JS_NONCANONICAL_HARDWARE_NAN
439 #endif
441 #if defined(__mips__) && !defined(__mips_nan_2008)
442 // These builds may run on hardware that has differing polarity of the signaling
443 // NaN bit. While the kernel may handle the trap for us, it is a performance
444 // issue so instead we compute the NaN to use on startup. The runtime value must
445 // still meet `ValueIsDouble` requirements which are checked on startup.
447 // In particular, we expect one of the following values on MIPS:
448 // - 0x7FF7FFFFFFFFFFFF Legacy
449 // - 0x7FF8000000000000 IEEE-754[2008]
450 # define JS_RUNTIME_CANONICAL_NAN
451 #endif
453 #if defined(JS_RUNTIME_CANONICAL_NAN)
455 #else
459 #endif
462 // Return a quiet NaN that is compatible with JS::Value restrictions.
464 #if !defined(JS_RUNTIME_CANONICAL_NAN)
467 #endif
470 }
472 // Return the infinity the engine uses
475 }
477 // Convert an arbitrary double to one compatible with JS::Value representation
478 // by replacing any NaN value with a canonical one.
482 }
484 }
486 /**
487 * [SMDOC] JS::Value type
488 *
489 * JS::Value is the interface for a single JavaScript Engine value. A few
490 * general notes on JS::Value:
491 *
492 * - JS::Value has setX() and isX() members for X in
493 *
494 * { Int32, Double, String, Symbol, BigInt, Boolean, Undefined, Null,
495 * Object, Magic }
496 *
497 * JS::Value also contains toX() for each of the non-singleton types.
498 *
499 * - Magic is a singleton type whose payload contains either a JSWhyMagic
500 * "reason" for the magic value or a uint32_t value. By providing JSWhyMagic
501 * values when creating and checking for magic values, it is possible to
502 * assert, at runtime, that only magic values with the expected reason flow
503 * through a particular value. For example, if cx->exception has a magic
504 * value, the reason must be JS_GENERATOR_CLOSING.
505 *
506 * - The JS::Value operations are preferred. The JSVAL_* operations remain for
507 * compatibility; they may be removed at some point. These operations mostly
508 * provide similar functionality. But there are a few key differences. One
509 * is that JS::Value gives null a separate type.
510 * Also, to help prevent mistakenly boxing a nullable JSObject* as an object,
511 * Value::setObject takes a JSObject&. (Conversely, Value::toObject returns a
512 * JSObject&.) A convenience member Value::setObjectOrNull is provided.
513 *
514 * - Note that JS::Value is 8 bytes on 32 and 64-bit architectures. Thus, on
515 * 32-bit user code should avoid copying jsval/JS::Value as much as possible,
516 * preferring to pass by const Value&.
517 *
518 * Spectre mitigations
519 * ===================
520 * To mitigate Spectre attacks, we do the following:
521 *
522 * - On 64-bit platforms, when unboxing a Value, we XOR the bits with the
523 * expected type tag (instead of masking the payload bits). This guarantees
524 * that toString, toObject, toSymbol will return an invalid pointer (because
525 * some high bits will be set) when called on a Value with a different type
526 * tag.
527 *
528 * - On 32-bit platforms,when unboxing an object/string/symbol Value, we use a
529 * conditional move (not speculated) to zero the payload register if the type
530 * doesn't match.
531 */
543 #if defined(JS_NONCANONICAL_HARDWARE_NAN)
545 #endif
547 }
552 "32-bit Value's tag_ must have size 4 to complement the "
555 "32-bit Value's JSWhyMagic payload field must not inflate "
559 #if defined(JS_NUNBOX32)
561 #elif defined(JS_PUNBOX64)
563 #endif
566 PayloadType payload) {
568 }
571 PayloadType payload) {
573 }
579 }
583 /**
584 * Returns false if creating a NumberValue containing the given type would
585 * be lossy, true otherwise.
586 */
590 }
592 /*** Mutators ***/
597 }
602 }
607 }
612 }
618 }
624 }
630 }
634 #ifdef ENABLE_RECORD_TUPLE
636 #endif
639 }
641 #ifdef ENABLE_RECORD_TUPLE
645 asBits_ =
648 }
649 #endif
653 #ifdef DEBUG
655 #endif
658 }
661 #ifdef DEBUG
663 #endif
667 }
675 }
680 }
687 }
694 }
697 }
704 }
707 }
722 }
723 }
732 }
733 }
734 }
735 }
742 }
743 }
749 }
758 #if defined(JS_NUNBOX32)
761 #elif defined(JS_PUNBOX64)
762 // Note: the 'Spectre mitigations' comment at the top of this class
763 // explains why we use XOR here.
766 #endif
767 }
770 /*** JIT-only interfaces to interact with and create raw Values ***/
771 #if defined(JS_NUNBOX32)
775 #elif defined(JS_PUNBOX64)
778 }
779 #endif
781 /*** Value type queries ***/
783 /*
784 * N.B. GCC, in some but not all cases, chooses to emit signed comparison
785 * of JSValueTag even though its underlying type has been forced to be
786 * uint32_t. Thus, all comparisons should explicitly cast operands to
787 * uint32_t.
788 */
791 #if defined(JS_NUNBOX32)
793 #elif defined(JS_PUNBOX64)
795 #endif
796 }
799 #if defined(JS_NUNBOX32)
801 #elif defined(JS_PUNBOX64)
803 #endif
804 }
812 }
817 #if defined(JS_NUNBOX32)
820 #elif defined(JS_PUNBOX64)
822 #endif
823 }
832 #if defined(JS_NUNBOX32)
834 #elif defined(JS_PUNBOX64)
837 #endif
838 }
840 #ifdef ENABLE_RECORD_TUPLE
843 }
844 #endif
848 }
851 #if defined(JS_NUNBOX32)
853 #elif defined(JS_PUNBOX64)
855 #endif
856 }
863 #if defined(JS_NUNBOX32)
864 /* gcc sometimes generates signed < without explicit casts. */
866 #elif defined(JS_PUNBOX64)
868 #endif
869 }
875 }
879 }
886 }
889 }
891 // Like isMagic, but without the release assertion.
895 }
898 }
912 }
913 #ifdef ENABLE_RECORD_TUPLE
916 }
917 #endif
919 }
924 }
929 }
931 /*** Comparison ***/
939 /*** Extract the value's typed payload ***/
944 }
949 }
954 }
959 }
964 }
969 }
973 #if defined(JS_PUNBOX64)
975 #endif
977 }
981 #if defined(JS_NUNBOX32)
983 #elif defined(JS_PUNBOX64)
984 // Note: the 'Spectre mitigations' comment at the top of this class
985 // explains why we use XOR here and in other to* methods.
990 #endif
991 }
993 #ifdef ENABLE_RECORD_TUPLE
996 # if defined(JS_PUNBOX64)
998 # endif
1000 }
1001 #endif
1004 #ifdef ENABLE_RECORD_TUPLE
1006 #else
1008 #endif
1009 }
1013 #if defined(JS_NUNBOX32)
1015 #elif defined(JS_PUNBOX64)
1019 #endif
1020 }
1026 #if defined(JS_NUNBOX32)
1028 #elif defined(JS_PUNBOX64)
1030 #endif
1031 }
1039 }
1044 }
1049 }
1051 /*
1052 * Private API
1053 *
1054 * Private setters/getters allow the caller to read/write arbitrary
1055 * word-size pointers or uint32s. After storing to a value with
1056 * setPrivateX, it is the caller's responsibility to only read using
1057 * toPrivateX. Private values are given a type which ensures they
1058 * aren't marked by the GC.
1059 */
1062 #if defined(JS_PUNBOX64)
1064 #endif
1067 }
1071 #if defined(JS_PUNBOX64)
1073 #endif
1075 }
1079 }
1084 }
1088 /*
1089 * Private GC Thing API
1090 *
1091 * Non-JSObject, JSString, and JS::Symbol cells may be put into the 64-bit
1092 * payload as private GC things. Such Values are considered isGCThing(), and
1093 * as such, automatically marked. Their traceKind() is gotten via their
1094 * cells.
1095 */
1099 "Private GC thing Values must not be strings. Make a "
1102 "Private GC thing Values must not be symbols. Make a "
1105 "Private GC thing Values must not be BigInts. Make a "
1108 "Private GC thing Values must not be objects. Make an "
1112 #if defined(JS_PUNBOX64)
1113 // VisualStudio cannot contain parenthesized C++ style cast and shift
1114 // inside decltype in template parameter:
1115 // AssertionConditionType<decltype((uintptr_t(x) >> 1))>
1116 // It throws syntax error.
1118 #endif
1119 asBits_ =
1121 }
1125 #if defined(DEBUG) || defined(JS_JITSPEW)
1132 #endif
1136 "Value size must leave three tag bits, be a binary power, and "
1140 #ifdef DEBUG
1143 #endif
1146 }
1147 }
1149 /************************************************************************/
1152 Value v;
1155 }
1162 Value v;
1165 }
1169 }
1173 }
1177 }
1180 Value v;
1183 }
1186 Value v;
1189 }
1192 Value v;
1195 }
1198 Value v;
1201 }
1204 Value v;
1207 }
1210 Value v;
1213 }
1216 Value v;
1219 }
1222 Value v;
1225 }
1227 #ifdef ENABLE_RECORD_TUPLE
1229 Value v;
1232 }
1233 #endif
1236 Value v;
1239 }
1242 Value v;
1245 }
1250 }
1254 Value v;
1257 }
1260 Value v;
1263 }
1266 Value v;
1269 }
1273 }
1276 Value v;
1279 }
1282 Value v;
1285 }
1288 #if defined(JS_NUNBOX32)
1291 #elif defined(JS_PUNBOX64)
1294 #endif
1295 }
1299 /************************************************************************/
1310 // This should only be called as part of root marking since that's the only
1311 // time we should trace unbarriered GC thing pointers. This will assert if
1312 // called at other times.
1314 }
1317 }
1320 }
1321 };
1331 }
1335 }
1339 }
1344 }
1345 }
1346 };
1351 /**
1352 * A class designed for CRTP use in implementing the non-mutating parts of the
1353 * Value interface in Value-like classes. Wrapper must be a class inheriting
1354 * ValueOperations<Wrapper> with a visible get() method returning a const
1355 * reference to the Value abstracted by Wrapper.
1356 */
1361 }
1377 #ifdef ENABLE_RECORD_TUPLE
1379 #endif
1400 #ifdef ENABLE_RECORD_TUPLE
1403 }
1404 #endif
1415 }
1420 };
1422 /**
1423 * A class designed for CRTP use in implementing all the mutating parts of the
1424 * Value interface in Value-like classes. Wrapper must be a class inheriting
1425 * MutableWrappedPtrOperations<Wrapper> with visible get() methods returning
1426 * const and non-const references to the Value abstracted by Wrapper.
1427 */
1433 // Call Wrapper::set to trigger any barriers.
1435 }
1449 }
1455 #ifdef ENABLE_RECORD_TUPLE
1458 }
1459 #endif
1464 }
1465 };
1467 /*
1468 * Augment the generic Heap<T> interface when T = Value with
1469 * type-querying, value-extracting, and mutating operations.
1470 */
1478 // If the Value is a GC pointer type, call |f| with the pointer cast to that
1479 // type and return the result wrapped in a Maybe, otherwise return None().
1487 }
1488 #ifdef ENABLE_RECORD_TUPLE
1490 #endif
1495 }
1500 }
1505 }
1509 }
1519 }
1520 }
1523 }
1525 // If the Value is a GC pointer type, call |f| with the pointer cast to that
1526 // type. Return whether this happened.
1533 })
1535 }
1541 }
1545 #ifdef DEBUG
1551 }
1552 }
1556 }
1559 #endif
1561 /************************************************************************/