/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
* vim: set ts=8 sts=2 et sw=2 tw=80:
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* JS::Value implementation. */
#ifndef js_Value_h
#define js_Value_h
#include "mozilla/Attributes.h"
#include "mozilla/Casting.h"
#include "mozilla/FloatingPoint.h"
#include "mozilla/Likely.h"
#include "mozilla/Maybe.h"
#include <limits> /* for std::numeric_limits */
#include <type_traits>
#include "jstypes.h"
#include "js/HeapAPI.h"
#include "js/RootingAPI.h"
#include "js/TypeDecls.h"
namespace JS {
class JS_PUBLIC_API Value;
}
// [SMDOC] JS::Value Boxing Formats
//
// JS::Value is a 64-bit value, on all architectures. It is conceptually a
// discriminated union of all the types of values that can be represented in SM:
// - Object Pointers
// - 64 bit IEEE 754 floats
// - 32-bit integer values
// - and quite a few more (see JSValueType)
//
// The ECMAScript standard specifies that ECMAScript numbers are IEEE 64-bit
// floating-point values. A JS::Value can represent any JavaScript number
// value directly, without referring to additional storage, or represent an
// object, string, or other ECMAScript value, and remember which type it is.
//
// This may seem surprising: how can a 64-bit type hold all the 64-bit IEEE
// values, and still distinguish them from objects, strings, and so on,
// which have 64-bit addresses ?
//
// This is possible for two reasons:
//
// - First, ECMAScript implementations aren't required to distinguish all
// the values the IEEE 64-bit format can represent.
//
// The IEEE 754 format for floating point numbers specifies that every
// floating-point value whose 11-bit exponent field is all ones, and whose
// 52-bit fraction field is non-zero, has the value NaN. EMCAScript requires
// only one NaN value. This means we can use one IEEE NaN to represent
// ECMAScript's NaN, and use all the other 2^52-2 NaN bitstrings to
// represent the other ECMAScript values.
//
// - Second, on the 64 bit architectures we suppport, only the
// lower 48 bits of an address are currently significant. The upper sixteen
// bits are required to be the sign-extension of bit 48. Furthermore, user
// code always runs in "positive addresses": those in which bit 48 is zero. So
// we only actually need 47 bits to store all possible object or string
// addresses, even on 64-bit platforms.
//
// Our memory initialization system ensures that all pointers we will store in
// objects use only 47 bits. See js::gc::MapAlignedPagesRandom.
//
// The introduction of 5-level page tables, supporting 57-bit virtual
// addresses, is a potential complication. For now, large addresses are
// opt-in, and we simply don't use them.
//
// With a 52-bit fraction field, and 47 bits needed for the 'payload', we
// have up to five bits left to store a 'tag' value, to indicate which
// branch of our discriminated union is live. (In practice, one of those
// bits is used up to simplify NaN representation; see micro-optimization 5
// below.)
//
// Thus, we define JS::Value representations in terms of the IEEE 64-bit
// floating-point format:
//
// - Any bitstring that IEEE calls a number or an infinity represents that
// ECMAScript number.
//
// - Any bitstring that IEEE calls a NaN represents either an ECMAScript NaN
// or a non-number ECMAScript value, as determined by a tag field stored
// towards the most significant end of the fraction field (exactly where
// depends on the address size). If the tag field indicates that this
// JS::Value is an object, the fraction field's least significant end
// holds the address of a JSObject; if a string, the address of a
// JSString; and so on.
//
// To enforce this invariant, anywhere that may provide a numerical value
// which may have a non-canonical NaN value (NaN, but not the one we've chosen
// for ECMAScript) we must convert that to the canonical NaN. See
// JS::CanonicalizeNaN.
//
// We have two boxing modes defined: NUNBOX32 and PUNBOX64.The first is
// "NaN unboxed boxing" (or Nunboxing), as non-Number payload are stored
// unaltered in the lower bits. The second is "Packed NaN boxing" (or
// punboxing), which is 'logically like nunboxing, but with all the unused bits
// sucked out' [1], as we rely on unused bits of the payload to pack the
// payload in the lower bits using Nunboxing.
//
// - In NUNBOX32 the tag is stored in the least-significant bits of the high
// word of the NaN. Since it's used on 32-bit systems, this has the nice
// property that boxed values are simply stored in the low-word of the 8-byte
// NaN.
//
// - In PUNBOX64, since we need to store more pointer bits (47, see above), the
// tag is stored in the 5 most significant bits of the fraction adjacent to
// the exponent.
//
// Tag values are carefully ordered to support a set of micro-optimizations. In
// particular:
//
// 1. Object is the highest tag, to simplify isPrimitive checks. (See
// ValueUpperExclPrimitiveTag)
// 2. Numbers (Double and Int32) are the lowest tags, to simplify isNumber
// checks. (See ValueUpperInclNumberTag)
// 3. Non-GC tags are ordered before GC-tags, to simplify isGCThing checks. (See
// ValueLowerInclGCThingTag)
// 4. The tags for Object and Null differ by a single flipped bit, to simplify
// toObjectOrNull. (See ValueObjectOrNullBit)
// 5. In PUNBOX64, the most significant bit of every non-Double tag is always
// set. This is to simplify isDouble checks. Note that the highest bitstring
// that corresponds to a non-NaN double is -Infinity:
// 0xfff0_0000_0000_0000
// But the canonical hardware NaN (produced by, for example, 0/0) is:
// 0x?ff8_0000_0000_0000
// on all platforms with JIT support*. (The most significant bit is the sign
// bit; it is 1 on x86, but 0 on ARM.) The most significant bit of the
// fraction field is set, which corresponds to the most significant of the 5
// tag bits. Because we only use tags that have the high bit set, any Value
// represented by a bitstring less than or equal to 0xfff8_..._0000 is a
// Double. (If we wanted to use all five bits, we could define 0x10 as
// JSVAL_TYPE_NAN, and mask off the most significant bit of the tag for
// IsDouble checks. This is not yet necessary, because we still have room
// left to allocate new tags.)
//
// * But see JS_NONCANONICAL_HARDWARE_NAN below.
//
// [1]:
// https://wingolog.org/archives/2011/05/18/value-representation-in-javascript-implementations#969f63bbe4eb912778c9da85feb0f5763e7a7862
/* JS::Value can store a full int32_t. */
#define JSVAL_INT_BITS 32
#define JSVAL_INT_MIN ((int32_t)0x80000000)
#define JSVAL_INT_MAX ((int32_t)0x7fffffff)
#if defined(JS_NUNBOX32)
# define JSVAL_TAG_SHIFT 32
#elif defined(JS_PUNBOX64)
# define JSVAL_TAG_SHIFT 47
#endif
// Use enums so that printing a JS::Value in the debugger shows nice
// symbolic type tags.
enum JSValueType : uint8_t {
JSVAL_TYPE_DOUBLE = 0x00,
JSVAL_TYPE_INT32 = 0x01,
JSVAL_TYPE_BOOLEAN = 0x02,
JSVAL_TYPE_UNDEFINED = 0x03,
JSVAL_TYPE_NULL = 0x04,
JSVAL_TYPE_MAGIC = 0x05,
JSVAL_TYPE_STRING = 0x06,
JSVAL_TYPE_SYMBOL = 0x07,
JSVAL_TYPE_PRIVATE_GCTHING = 0x08,
JSVAL_TYPE_BIGINT = 0x09,
#ifdef ENABLE_RECORD_TUPLE
JSVAL_TYPE_EXTENDED_PRIMITIVE = 0x0b,
#endif
JSVAL_TYPE_OBJECT = 0x0c,
// This type never appears in a Value; it's only an out-of-band value.
JSVAL_TYPE_UNKNOWN = 0x20
};
namespace JS {
enum class ValueType : uint8_t {
Double = JSVAL_TYPE_DOUBLE,
Int32 = JSVAL_TYPE_INT32,
Boolean = JSVAL_TYPE_BOOLEAN,
Undefined = JSVAL_TYPE_UNDEFINED,
Null = JSVAL_TYPE_NULL,
Magic = JSVAL_TYPE_MAGIC,
String = JSVAL_TYPE_STRING,
Symbol = JSVAL_TYPE_SYMBOL,
PrivateGCThing = JSVAL_TYPE_PRIVATE_GCTHING,
BigInt = JSVAL_TYPE_BIGINT,
#ifdef ENABLE_RECORD_TUPLE
ExtendedPrimitive = JSVAL_TYPE_EXTENDED_PRIMITIVE,
#endif
Object = JSVAL_TYPE_OBJECT,
};
} // namespace JS
static_assert(sizeof(JSValueType) == 1,
"compiler typed enum support is apparently buggy");
#if defined(JS_NUNBOX32)
enum JSValueTag : uint32_t {
JSVAL_TAG_CLEAR = 0xFFFFFF80,
JSVAL_TAG_INT32 = JSVAL_TAG_CLEAR | JSVAL_TYPE_INT32,
JSVAL_TAG_UNDEFINED = JSVAL_TAG_CLEAR | JSVAL_TYPE_UNDEFINED,
JSVAL_TAG_NULL = JSVAL_TAG_CLEAR | JSVAL_TYPE_NULL,
JSVAL_TAG_BOOLEAN = JSVAL_TAG_CLEAR | JSVAL_TYPE_BOOLEAN,
JSVAL_TAG_MAGIC = JSVAL_TAG_CLEAR | JSVAL_TYPE_MAGIC,
JSVAL_TAG_STRING = JSVAL_TAG_CLEAR | JSVAL_TYPE_STRING,
JSVAL_TAG_SYMBOL = JSVAL_TAG_CLEAR | JSVAL_TYPE_SYMBOL,
JSVAL_TAG_PRIVATE_GCTHING = JSVAL_TAG_CLEAR | JSVAL_TYPE_PRIVATE_GCTHING,
JSVAL_TAG_BIGINT = JSVAL_TAG_CLEAR | JSVAL_TYPE_BIGINT,
# ifdef ENABLE_RECORD_TUPLE
JSVAL_TAG_EXTENDED_PRIMITIVE =
JSVAL_TAG_CLEAR | JSVAL_TYPE_EXTENDED_PRIMITIVE,
# endif
JSVAL_TAG_OBJECT = JSVAL_TAG_CLEAR | JSVAL_TYPE_OBJECT
};
static_assert(sizeof(JSValueTag) == sizeof(uint32_t),
"compiler typed enum support is apparently buggy");
#elif defined(JS_PUNBOX64)
enum JSValueTag : uint32_t {
JSVAL_TAG_MAX_DOUBLE = 0x1FFF0,
JSVAL_TAG_INT32 = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_INT32,
JSVAL_TAG_UNDEFINED = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_UNDEFINED,
JSVAL_TAG_NULL = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_NULL,
JSVAL_TAG_BOOLEAN = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_BOOLEAN,
JSVAL_TAG_MAGIC = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_MAGIC,
JSVAL_TAG_STRING = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_STRING,
JSVAL_TAG_SYMBOL = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_SYMBOL,
JSVAL_TAG_PRIVATE_GCTHING = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_PRIVATE_GCTHING,
JSVAL_TAG_BIGINT = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_BIGINT,
# ifdef ENABLE_RECORD_TUPLE
JSVAL_TAG_EXTENDED_PRIMITIVE =
JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_EXTENDED_PRIMITIVE,
# endif
JSVAL_TAG_OBJECT = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_OBJECT
};
static_assert(sizeof(JSValueTag) == sizeof(uint32_t),
"compiler typed enum support is apparently buggy");
enum JSValueShiftedTag : uint64_t {
// See Bug 584653 for why we include 0xFFFFFFFF.
JSVAL_SHIFTED_TAG_MAX_DOUBLE =
((uint64_t(JSVAL_TAG_MAX_DOUBLE) << JSVAL_TAG_SHIFT) | 0xFFFFFFFF),
JSVAL_SHIFTED_TAG_INT32 = (uint64_t(JSVAL_TAG_INT32) << JSVAL_TAG_SHIFT),
JSVAL_SHIFTED_TAG_UNDEFINED =
(uint64_t(JSVAL_TAG_UNDEFINED) << JSVAL_TAG_SHIFT),
JSVAL_SHIFTED_TAG_NULL = (uint64_t(JSVAL_TAG_NULL) << JSVAL_TAG_SHIFT),
JSVAL_SHIFTED_TAG_BOOLEAN = (uint64_t(JSVAL_TAG_BOOLEAN) << JSVAL_TAG_SHIFT),
JSVAL_SHIFTED_TAG_MAGIC = (uint64_t(JSVAL_TAG_MAGIC) << JSVAL_TAG_SHIFT),
JSVAL_SHIFTED_TAG_STRING = (uint64_t(JSVAL_TAG_STRING) << JSVAL_TAG_SHIFT),
JSVAL_SHIFTED_TAG_SYMBOL = (uint64_t(JSVAL_TAG_SYMBOL) << JSVAL_TAG_SHIFT),
JSVAL_SHIFTED_TAG_PRIVATE_GCTHING =
(uint64_t(JSVAL_TAG_PRIVATE_GCTHING) << JSVAL_TAG_SHIFT),
JSVAL_SHIFTED_TAG_BIGINT = (uint64_t(JSVAL_TAG_BIGINT) << JSVAL_TAG_SHIFT),
# ifdef ENABLE_RECORD_TUPLE
JSVAL_SHIFTED_TAG_EXTENDED_PRIMITIVE =
(uint64_t(JSVAL_TYPE_EXTENDED_PRIMITIVE) << JSVAL_TAG_SHIFT),
# endif
JSVAL_SHIFTED_TAG_OBJECT = (uint64_t(JSVAL_TAG_OBJECT) << JSVAL_TAG_SHIFT)
};
static_assert(sizeof(JSValueShiftedTag) == sizeof(uint64_t),
"compiler typed enum support is apparently buggy");
#endif
namespace JS {
namespace detail {
#if defined(JS_NUNBOX32)
constexpr JSValueTag ValueTypeToTag(JSValueType type) {
return static_cast<JSValueTag>(JSVAL_TAG_CLEAR |
std::underlying_type_t<JSValueType>(type));
}
constexpr bool ValueIsDouble(uint64_t bits) {
return uint32_t(bits >> JSVAL_TAG_SHIFT) <= uint32_t(JSVAL_TAG_CLEAR);
}
constexpr JSValueTag ValueUpperExclPrimitiveTag = JSVAL_TAG_OBJECT;
constexpr JSValueTag ValueUpperInclNumberTag = JSVAL_TAG_INT32;
constexpr JSValueTag ValueLowerInclGCThingTag = JSVAL_TAG_STRING;
#elif defined(JS_PUNBOX64)
constexpr JSValueTag ValueTypeToTag(JSValueType type) {
return static_cast<JSValueTag>(JSVAL_TAG_MAX_DOUBLE |
std::underlying_type_t<JSValueType>(type));
}
constexpr bool ValueIsDouble(uint64_t bits) {
return bits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE;
}
constexpr uint64_t ValueTagMask = 0xFFFF'8000'0000'0000;
// This should only be used in toGCThing. See the 'Spectre mitigations' comment.
constexpr uint64_t ValueGCThingPayloadMask = 0x0000'7FFF'FFFF'FFFF;
// Mask used to combine an unbox operation with getting the chunk base.
constexpr uint64_t ValueGCThingPayloadChunkMask =
ValueGCThingPayloadMask & ~js::gc::ChunkMask;
constexpr uint64_t ValueTypeToShiftedTag(JSValueType type) {
return static_cast<uint64_t>(ValueTypeToTag(type)) << JSVAL_TAG_SHIFT;
}
# define JSVAL_TYPE_TO_SHIFTED_TAG(type) \
(JS::detail::ValueTypeToShiftedTag(type))
constexpr JSValueTag ValueUpperExclPrimitiveTag = JSVAL_TAG_OBJECT;
constexpr JSValueTag ValueUpperInclNumberTag = JSVAL_TAG_INT32;
constexpr JSValueTag ValueLowerInclGCThingTag = JSVAL_TAG_STRING;
constexpr uint64_t ValueUpperExclShiftedPrimitiveTag = JSVAL_SHIFTED_TAG_OBJECT;
constexpr uint64_t ValueUpperExclShiftedNumberTag = JSVAL_SHIFTED_TAG_BOOLEAN;
constexpr uint64_t ValueLowerInclShiftedGCThingTag = JSVAL_SHIFTED_TAG_STRING;
// JSVAL_TYPE_OBJECT and JSVAL_TYPE_NULL differ by one bit. We can use this to
// implement toObjectOrNull more efficiently.
constexpr uint64_t ValueObjectOrNullBit = 0x8ULL << JSVAL_TAG_SHIFT;
static_assert(
(JSVAL_SHIFTED_TAG_NULL ^ JSVAL_SHIFTED_TAG_OBJECT) == ValueObjectOrNullBit,
"ValueObjectOrNullBit must be consistent with object and null tags");
constexpr uint64_t IsValidUserModePointer(uint64_t bits) {
// All 64-bit platforms that we support actually have a 48-bit address space
// for user-mode pointers, with the top 16 bits all set to zero.
return (bits & 0xFFFF'0000'0000'0000) == 0;
}
#endif /* JS_PUNBOX64 */
} // namespace detail
} // namespace JS
#define JSVAL_TYPE_TO_TAG(type) (JS::detail::ValueTypeToTag(type))
enum JSWhyMagic {
/** a hole in a native object's elements */
JS_ELEMENTS_HOLE,
/** there is not a pending iterator value */
JS_NO_ITER_VALUE,
/** exception value thrown when closing a generator */
JS_GENERATOR_CLOSING,
/** used in debug builds to catch tracing errors */
JS_ARG_POISON,
/** an empty subnode in the AST serializer */
JS_SERIALIZE_NO_NODE,
/** magic value passed to natives to indicate construction */
JS_IS_CONSTRUCTING,
/** see class js::HashableValue */
JS_HASH_KEY_EMPTY,
/** error while running Ion code */
JS_ION_ERROR,
/** missing recover instruction result */
JS_ION_BAILOUT,
/** optimized out slot */
JS_OPTIMIZED_OUT,
/** uninitialized lexical bindings that produce ReferenceError on touch. */
JS_UNINITIALIZED_LEXICAL,
/** arguments object can't be created because environment is dead. */
JS_MISSING_ARGUMENTS,
/** for local use */
JS_GENERIC_MAGIC,
/**
* When an error object is created without the error cause argument, we set
* the error's cause slot to this magic value.
*/
JS_ERROR_WITHOUT_CAUSE,
JS_WHY_MAGIC_COUNT
};
namespace js {
static inline JS::Value PoisonedObjectValue(uintptr_t poison);
#ifdef ENABLE_RECORD_TUPLE
// Re-defined in vm/RecordTupleBoxShared.h. We cannot include that
// file because it circularly includes this one.
bool IsExtendedPrimitive(const JSObject& obj);
namespace gc {
bool MaybeForwardedIsExtendedPrimitive(const JSObject& obj);
} // namespace gc
#endif
} // namespace js
namespace JS {
namespace detail {
// IEEE-754 bit pattern for double-precision positive infinity.
constexpr int InfinitySignBit = 0;
constexpr uint64_t InfinityBits =
mozilla::InfinityBits<double, detail::InfinitySignBit>::value;
// This is a quiet NaN on IEEE-754[2008] compatible platforms, including X86,
// ARM, SPARC, RISC-V and modern MIPS.
//
// Note: The default sign bit for a hardware synthesized NaN differs between X86
// and ARM. Both values are considered compatible values on both
// platforms.
constexpr int CanonicalizedNaNSignBit = 0;
constexpr uint64_t CanonicalizedNaNSignificand = 0x8000000000000;
#if defined(__sparc__)
// Some architectures (not to name names) generate NaNs with bit patterns that
// are incompatible with JS::Value's bit pattern restrictions. Instead we must
// canonicalize all hardware values before storing in JS::Value.
# define JS_NONCANONICAL_HARDWARE_NAN
#endif
#if defined(__mips__) && !defined(__mips_nan_2008)
// These builds may run on hardware that has differing polarity of the signaling
// NaN bit. While the kernel may handle the trap for us, it is a performance
// issue so instead we compute the NaN to use on startup. The runtime value must
// still meet `ValueIsDouble` requirements which are checked on startup.
// In particular, we expect one of the following values on MIPS:
// - 0x7FF7FFFFFFFFFFFF Legacy
// - 0x7FF8000000000000 IEEE-754[2008]
# define JS_RUNTIME_CANONICAL_NAN
#endif
#if defined(JS_RUNTIME_CANONICAL_NAN)
extern uint64_t CanonicalizedNaNBits;
#else
constexpr uint64_t CanonicalizedNaNBits =
mozilla::SpecificNaNBits<double, detail::CanonicalizedNaNSignBit,
detail::CanonicalizedNaNSignificand>::value;
#endif
} // namespace detail
// Return a quiet NaN that is compatible with JS::Value restrictions.
static MOZ_ALWAYS_INLINE double GenericNaN() {
#if !defined(JS_RUNTIME_CANONICAL_NAN)
static_assert(detail::ValueIsDouble(detail::CanonicalizedNaNBits),
"Canonical NaN must be compatible with JS::Value");
#endif
return mozilla::BitwiseCast<double>(detail::CanonicalizedNaNBits);
}
// Convert an arbitrary double to one compatible with JS::Value representation
// by replacing any NaN value with a canonical one.
static MOZ_ALWAYS_INLINE double CanonicalizeNaN(double d) {
if (MOZ_UNLIKELY(std::isnan(d))) {
return GenericNaN();
}
return d;
}
/**
* [SMDOC] JS::Value type
*
* JS::Value is the interface for a single JavaScript Engine value. A few
* general notes on JS::Value:
*
* - JS::Value has setX() and isX() members for X in
*
* { Int32, Double, String, Symbol, BigInt, Boolean, Undefined, Null,
* Object, Magic }
*
* JS::Value also contains toX() for each of the non-singleton types.
*
* - Magic is a singleton type whose payload contains either a JSWhyMagic
* "reason" for the magic value or a uint32_t value. By providing JSWhyMagic
* values when creating and checking for magic values, it is possible to
* assert, at runtime, that only magic values with the expected reason flow
* through a particular value. For example, if cx->exception has a magic
* value, the reason must be JS_GENERATOR_CLOSING.
*
* - The JS::Value operations are preferred. The JSVAL_* operations remain for
* compatibility; they may be removed at some point. These operations mostly
* provide similar functionality. But there are a few key differences. One
* is that JS::Value gives null a separate type.
* Also, to help prevent mistakenly boxing a nullable JSObject* as an object,
* Value::setObject takes a JSObject&. (Conversely, Value::toObject returns a
* JSObject&.) A convenience member Value::setObjectOrNull is provided.
*
* - Note that JS::Value is 8 bytes on 32 and 64-bit architectures. Thus, on
* 32-bit user code should avoid copying jsval/JS::Value as much as possible,
* preferring to pass by const Value&.
*
* Spectre mitigations
* ===================
* To mitigate Spectre attacks, we do the following:
*
* - On 64-bit platforms, when unboxing a Value, we XOR the bits with the
* expected type tag (instead of masking the payload bits). This guarantees
* that toString, toObject, toSymbol will return an invalid pointer (because
* some high bits will be set) when called on a Value with a different type
* tag.
*
* - On 32-bit platforms,when unboxing an object/string/symbol Value, we use a
* conditional move (not speculated) to zero the payload register if the type
* doesn't match.
*/
class alignas(8) Value {
private:
uint64_t asBits_;
public:
constexpr Value() : asBits_(bitsFromTagAndPayload(JSVAL_TAG_UNDEFINED, 0)) {}
private:
explicit constexpr Value(uint64_t asBits) : asBits_(asBits) {}
static uint64_t bitsFromDouble(double d) {
#if defined(JS_NONCANONICAL_HARDWARE_NAN)
d = CanonicalizeNaN(d);
#endif
return mozilla::BitwiseCast<uint64_t>(d);
}
static_assert(sizeof(JSValueType) == 1,
"type bits must fit in a single byte");
static_assert(sizeof(JSValueTag) == 4,
"32-bit Value's tag_ must have size 4 to complement the "
"payload union's size 4");
static_assert(sizeof(JSWhyMagic) <= 4,
"32-bit Value's JSWhyMagic payload field must not inflate "
"the payload beyond 4 bytes");
public:
#if defined(JS_NUNBOX32)
using PayloadType = uint32_t;
#elif defined(JS_PUNBOX64)
using PayloadType = uint64_t;
#endif
static constexpr uint64_t bitsFromTagAndPayload(JSValueTag tag,
PayloadType payload) {
return (uint64_t(tag) << JSVAL_TAG_SHIFT) | payload;
}
static constexpr Value fromTagAndPayload(JSValueTag tag,
PayloadType payload) {
return fromRawBits(bitsFromTagAndPayload(tag, payload));
}
static constexpr Value fromRawBits(uint64_t asBits) { return Value(asBits); }
static constexpr Value fromInt32(int32_t i) {
return fromTagAndPayload(JSVAL_TAG_INT32, uint32_t(i));
}
static Value fromDouble(double d) { return fromRawBits(bitsFromDouble(d)); }
/**
* Returns false if creating a NumberValue containing the given type would
* be lossy, true otherwise.
*/
template <typename T>
static bool isNumberRepresentable(const T t) {
return T(double(t)) == t;
}
/*** Mutators ***/
void setNull() {
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_NULL, 0);
MOZ_ASSERT(isNull());
}
void setUndefined() {
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_UNDEFINED, 0);
MOZ_ASSERT(isUndefined());
}
void setInt32(int32_t i) {
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_INT32, uint32_t(i));
MOZ_ASSERT(toInt32() == i);
}
void setDouble(double d) {
asBits_ = bitsFromDouble(d);
MOZ_ASSERT(isDouble());
}
void setString(JSString* str) {
MOZ_ASSERT(js::gc::IsCellPointerValid(str));
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_STRING, PayloadType(str));
MOZ_ASSERT(toString() == str);
}
void setSymbol(JS::Symbol* sym) {
MOZ_ASSERT(js::gc::IsCellPointerValid(sym));
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_SYMBOL, PayloadType(sym));
MOZ_ASSERT(toSymbol() == sym);
}
void setBigInt(JS::BigInt* bi) {
MOZ_ASSERT(js::gc::IsCellPointerValid(bi));
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_BIGINT, PayloadType(bi));
MOZ_ASSERT(toBigInt() == bi);
}
void setObject(JSObject& obj) {
MOZ_ASSERT(js::gc::IsCellPointerValid(&obj));
#ifdef ENABLE_RECORD_TUPLE
MOZ_ASSERT(!js::gc::MaybeForwardedIsExtendedPrimitive(obj));
#endif
setObjectNoCheck(&obj);
MOZ_ASSERT(&toObject() == &obj);
}
#ifdef ENABLE_RECORD_TUPLE
void setExtendedPrimitive(JSObject& obj) {
MOZ_ASSERT(js::gc::IsCellPointerValid(&obj));
MOZ_ASSERT(js::gc::MaybeForwardedIsExtendedPrimitive(obj));
asBits_ =
bitsFromTagAndPayload(JSVAL_TAG_EXTENDED_PRIMITIVE, PayloadType(&obj));
MOZ_ASSERT(&toExtendedPrimitive() == &obj);
}
#endif
private:
void setObjectNoCheck(JSObject* obj) {
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_OBJECT, PayloadType(obj));
}
friend inline Value js::PoisonedObjectValue(uintptr_t poison);
public:
void setBoolean(bool b) {
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_BOOLEAN, uint32_t(b));
MOZ_ASSERT(toBoolean() == b);
}
void setMagic(JSWhyMagic why) {
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_MAGIC, uint32_t(why));
MOZ_ASSERT(whyMagic() == why);
}
void setMagicUint32(uint32_t payload) {
MOZ_ASSERT(payload >= JS_WHY_MAGIC_COUNT,
"This should only be used for non-standard magic values");
asBits_ = bitsFromTagAndPayload(JSVAL_TAG_MAGIC, payload);
MOZ_ASSERT(magicUint32() == payload);
}
void setNumber(float f) {
int32_t i;
if (mozilla::NumberIsInt32(f, &i)) {
setInt32(i);
return;
}
setDouble(double(f));
}
void setNumber(double d) {
int32_t i;
if (mozilla::NumberIsInt32(d, &i)) {
setInt32(i);
return;
}
setDouble(d);
}
template <typename T>
void setNumber(const T t) {
static_assert(std::is_integral<T>::value, "must be integral type");
MOZ_ASSERT(isNumberRepresentable(t), "value creation would be lossy");
if constexpr (std::numeric_limits<T>::is_signed) {
if constexpr (sizeof(t) <= sizeof(int32_t)) {
setInt32(int32_t(t));
} else {
if (JSVAL_INT_MIN <= t && t <= JSVAL_INT_MAX) {
setInt32(int32_t(t));
} else {
setDouble(double(t));
}
}
} else {
if constexpr (sizeof(t) <= sizeof(uint16_t)) {
setInt32(int32_t(t));
} else {
if (t <= JSVAL_INT_MAX) {
setInt32(int32_t(t));
} else {
setDouble(double(t));
}
}
}
}
void setObjectOrNull(JSObject* arg) {
if (arg) {
setObject(*arg);
} else {
setNull();
}
}
void swap(Value& rhs) {
uint64_t tmp = rhs.asBits_;
rhs.asBits_ = asBits_;
asBits_ = tmp;
}
private:
JSValueTag toTag() const { return JSValueTag(asBits_ >> JSVAL_TAG_SHIFT); }
template <typename T, JSValueTag Tag>
T* unboxGCPointer() const {
MOZ_ASSERT((asBits_ & js::gc::CellAlignMask) == 0,
"GC pointer is not aligned. Is this memory corruption?");
#if defined(JS_NUNBOX32)
uintptr_t payload = uint32_t(asBits_);
return reinterpret_cast<T*>(payload);
#elif defined(JS_PUNBOX64)
// Note: the 'Spectre mitigations' comment at the top of this class
// explains why we use XOR here.
constexpr uint64_t shiftedTag = uint64_t(Tag) << JSVAL_TAG_SHIFT;
return reinterpret_cast<T*>(uintptr_t(asBits_ ^ shiftedTag));
#endif
}
public:
/*** JIT-only interfaces to interact with and create raw Values ***/
#if defined(JS_NUNBOX32)
PayloadType toNunboxPayload() const { return uint32_t(asBits_); }
JSValueTag toNunboxTag() const { return toTag(); }
#elif defined(JS_PUNBOX64)
const void* bitsAsPunboxPointer() const {
return reinterpret_cast<void*>(asBits_);
}
#endif
/*** Value type queries ***/
/*
* N.B. GCC, in some but not all cases, chooses to emit signed comparison
* of JSValueTag even though its underlying type has been forced to be
* uint32_t. Thus, all comparisons should explicitly cast operands to
* uint32_t.
*/
bool isUndefined() const {
#if defined(JS_NUNBOX32)
return toTag() == JSVAL_TAG_UNDEFINED;
#elif defined(JS_PUNBOX64)
return asBits_ == JSVAL_SHIFTED_TAG_UNDEFINED;
#endif
}
bool isNull() const {
#if defined(JS_NUNBOX32)
return toTag() == JSVAL_TAG_NULL;
#elif defined(JS_PUNBOX64)
return asBits_ == JSVAL_SHIFTED_TAG_NULL;
#endif
}
bool isNullOrUndefined() const { return isNull() || isUndefined(); }
bool isInt32() const { return toTag() == JSVAL_TAG_INT32; }
bool isInt32(int32_t i32) const {
return asBits_ == bitsFromTagAndPayload(JSVAL_TAG_INT32, uint32_t(i32));
}
bool isDouble() const { return detail::ValueIsDouble(asBits_); }
bool isNumber() const {
#if defined(JS_NUNBOX32)
MOZ_ASSERT(toTag() != JSVAL_TAG_CLEAR);
return uint32_t(toTag()) <= uint32_t(detail::ValueUpperInclNumberTag);
#elif defined(JS_PUNBOX64)
return asBits_ < detail::ValueUpperExclShiftedNumberTag;
#endif
}
bool isString() const { return toTag() == JSVAL_TAG_STRING; }
bool isSymbol() const { return toTag() == JSVAL_TAG_SYMBOL; }
bool isBigInt() const { return toTag() == JSVAL_TAG_BIGINT; }
bool isObject() const {
#if defined(JS_NUNBOX32)
return toTag() == JSVAL_TAG_OBJECT;
#elif defined(JS_PUNBOX64)
MOZ_ASSERT((asBits_ >> JSVAL_TAG_SHIFT) <= JSVAL_TAG_OBJECT);
return asBits_ >= JSVAL_SHIFTED_TAG_OBJECT;
#endif
}
#ifdef ENABLE_RECORD_TUPLE
bool isExtendedPrimitive() const {
return toTag() == JSVAL_TAG_EXTENDED_PRIMITIVE;
}
#endif
bool hasObjectPayload() const {
return isObject() || IF_RECORD_TUPLE(isExtendedPrimitive(), false);
}
bool isPrimitive() const {
#if defined(JS_NUNBOX32)
return uint32_t(toTag()) < uint32_t(detail::ValueUpperExclPrimitiveTag);
#elif defined(JS_PUNBOX64)
return asBits_ < detail::ValueUpperExclShiftedPrimitiveTag;
#endif
}
bool isObjectOrNull() const { return isObject() || isNull(); }
bool isNumeric() const { return isNumber() || isBigInt(); }
bool isGCThing() const {
#if defined(JS_NUNBOX32)
/* gcc sometimes generates signed < without explicit casts. */
return uint32_t(toTag()) >= uint32_t(detail::ValueLowerInclGCThingTag);
#elif defined(JS_PUNBOX64)
return asBits_ >= detail::ValueLowerInclShiftedGCThingTag;
#endif
}
bool isBoolean() const { return toTag() == JSVAL_TAG_BOOLEAN; }
bool isTrue() const {
return asBits_ == bitsFromTagAndPayload(JSVAL_TAG_BOOLEAN, uint32_t(true));
}
bool isFalse() const {
return asBits_ == bitsFromTagAndPayload(JSVAL_TAG_BOOLEAN, uint32_t(false));
}
bool isMagic() const { return toTag() == JSVAL_TAG_MAGIC; }
bool isMagic(JSWhyMagic why) const {
if (!isMagic()) {
return false;
}
MOZ_RELEASE_ASSERT(whyMagic() == why);
return true;
}
JS::TraceKind traceKind() const {
MOZ_ASSERT(isGCThing());
static_assert((JSVAL_TAG_STRING & 0x03) == size_t(JS::TraceKind::String),
"Value type tags must correspond with JS::TraceKinds.");
static_assert((JSVAL_TAG_SYMBOL & 0x03) == size_t(JS::TraceKind::Symbol),
"Value type tags must correspond with JS::TraceKinds.");
static_assert((JSVAL_TAG_OBJECT & 0x03) == size_t(JS::TraceKind::Object),
"Value type tags must correspond with JS::TraceKinds.");
static_assert((JSVAL_TAG_BIGINT & 0x03) == size_t(JS::TraceKind::BigInt),
"Value type tags must correspond with JS::TraceKinds.");
if (MOZ_UNLIKELY(isPrivateGCThing())) {
return JS::GCThingTraceKind(toGCThing());
}
#ifdef ENABLE_RECORD_TUPLE
if (isExtendedPrimitive()) {
return JS::TraceKind::Object;
}
#endif
return JS::TraceKind(toTag() & 0x03);
}
JSWhyMagic whyMagic() const {
MOZ_ASSERT(magicUint32() < JS_WHY_MAGIC_COUNT);
return static_cast<JSWhyMagic>(magicUint32());
}
uint32_t magicUint32() const {
MOZ_ASSERT(isMagic());
return uint32_t(asBits_);
}
/*** Comparison ***/
bool operator==(const Value& rhs) const { return asBits_ == rhs.asBits_; }
bool operator!=(const Value& rhs) const { return asBits_ != rhs.asBits_; }
friend inline bool SameType(const Value& lhs, const Value& rhs);
/*** Extract the value's typed payload ***/
int32_t toInt32() const {
MOZ_ASSERT(isInt32());
return int32_t(asBits_);
}
double toDouble() const {
MOZ_ASSERT(isDouble());
return mozilla::BitwiseCast<double>(asBits_);
}
double toNumber() const {
MOZ_ASSERT(isNumber());
return isDouble() ? toDouble() : double(toInt32());
}
JSString* toString() const {
MOZ_ASSERT(isString());
return unboxGCPointer<JSString, JSVAL_TAG_STRING>();
}
JS::Symbol* toSymbol() const {
MOZ_ASSERT(isSymbol());
return unboxGCPointer<JS::Symbol, JSVAL_TAG_SYMBOL>();
}
JS::BigInt* toBigInt() const {
MOZ_ASSERT(isBigInt());
return unboxGCPointer<JS::BigInt, JSVAL_TAG_BIGINT>();
}
JSObject& toObject() const {
MOZ_ASSERT(isObject());
#if defined(JS_PUNBOX64)
MOZ_ASSERT((asBits_ & detail::ValueGCThingPayloadMask) != 0);
#endif
return *unboxGCPointer<JSObject, JSVAL_TAG_OBJECT>();
}
JSObject* toObjectOrNull() const {
MOZ_ASSERT(isObjectOrNull());
#if defined(JS_NUNBOX32)
return reinterpret_cast<JSObject*>(uintptr_t(asBits_));
#elif defined(JS_PUNBOX64)
// Note: the 'Spectre mitigations' comment at the top of this class
// explains why we use XOR here and in other to* methods.
uint64_t ptrBits =
(asBits_ ^ JSVAL_SHIFTED_TAG_OBJECT) & ~detail::ValueObjectOrNullBit;
MOZ_ASSERT((ptrBits & 0x7) == 0);
return reinterpret_cast<JSObject*>(ptrBits);
#endif
}
#ifdef ENABLE_RECORD_TUPLE
JSObject& toExtendedPrimitive() const {
MOZ_ASSERT(isExtendedPrimitive());
# if defined(JS_PUNBOX64)
MOZ_ASSERT((asBits_ & detail::ValueGCThingPayloadMask) != 0);
# endif
return *unboxGCPointer<JSObject, JSVAL_TAG_EXTENDED_PRIMITIVE>();
}
#endif
JSObject& getObjectPayload() const {
#ifdef ENABLE_RECORD_TUPLE
return isExtendedPrimitive() ? toExtendedPrimitive() : toObject();
#else
return toObject();
#endif
}
js::gc::Cell* toGCThing() const {
MOZ_ASSERT(isGCThing());
#if defined(JS_NUNBOX32)
return reinterpret_cast<js::gc::Cell*>(uintptr_t(asBits_));
#elif defined(JS_PUNBOX64)
uint64_t ptrBits = asBits_ & detail::ValueGCThingPayloadMask;
MOZ_ASSERT((ptrBits & 0x7) == 0);
return reinterpret_cast<js::gc::Cell*>(ptrBits);
#endif
}
GCCellPtr toGCCellPtr() const { return GCCellPtr(toGCThing(), traceKind()); }
bool toBoolean() const {
MOZ_ASSERT(isBoolean());
#if defined(JS_NUNBOX32)
return bool(toNunboxPayload());
#elif defined(JS_PUNBOX64)
return bool(asBits_ & 0x1);
#endif
}
constexpr uint64_t asRawBits() const { return asBits_; }
JSValueType extractNonDoubleType() const {
uint32_t type = toTag() & 0xF;
MOZ_ASSERT(type > JSVAL_TYPE_DOUBLE);
return JSValueType(type);
}
JS::ValueType type() const {
if (isDouble()) {
return JS::ValueType::Double;
}
JSValueType type = extractNonDoubleType();
MOZ_ASSERT(type <= JSVAL_TYPE_OBJECT);
return JS::ValueType(type);
}
/*
* Private API
*
* Private setters/getters allow the caller to read/write arbitrary
* word-size pointers or uint32s. After storing to a value with
* setPrivateX, it is the caller's responsibility to only read using
* toPrivateX. Private values are given a type which ensures they
* aren't marked by the GC.
*/
void setPrivate(void* ptr) {
#if defined(JS_PUNBOX64)
MOZ_ASSERT(detail::IsValidUserModePointer(uintptr_t(ptr)));
#endif
asBits_ = uintptr_t(ptr);
MOZ_ASSERT(isDouble());
}
void* toPrivate() const {
MOZ_ASSERT(isDouble());
#if defined(JS_PUNBOX64)
MOZ_ASSERT(detail::IsValidUserModePointer(asBits_));
#endif
return reinterpret_cast<void*>(uintptr_t(asBits_));
}
void setPrivateUint32(uint32_t ui) {
MOZ_ASSERT(uint32_t(int32_t(ui)) == ui);
setInt32(int32_t(ui));
}
uint32_t toPrivateUint32() const { return uint32_t(toInt32()); }
/*
* Private GC Thing API
*
* Non-JSObject, JSString, and JS::Symbol cells may be put into the 64-bit
* payload as private GC things. Such Values are considered isGCThing(), and
* as such, automatically marked. Their traceKind() is gotten via their
* cells.
*/
void setPrivateGCThing(js::gc::Cell* cell) {
MOZ_ASSERT(JS::GCThingTraceKind(cell) != JS::TraceKind::String,
"Private GC thing Values must not be strings. Make a "
"StringValue instead.");
MOZ_ASSERT(JS::GCThingTraceKind(cell) != JS::TraceKind::Symbol,
"Private GC thing Values must not be symbols. Make a "
"SymbolValue instead.");
MOZ_ASSERT(JS::GCThingTraceKind(cell) != JS::TraceKind::BigInt,
"Private GC thing Values must not be BigInts. Make a "
"BigIntValue instead.");
MOZ_ASSERT(JS::GCThingTraceKind(cell) != JS::TraceKind::Object,
"Private GC thing Values must not be objects. Make an "
"ObjectValue instead.");
MOZ_ASSERT(js::gc::IsCellPointerValid(cell));
#if defined(JS_PUNBOX64)
// VisualStudio cannot contain parenthesized C++ style cast and shift
// inside decltype in template parameter:
// AssertionConditionType<decltype((uintptr_t(x) >> 1))>
// It throws syntax error.
MOZ_ASSERT((((uintptr_t)cell) >> JSVAL_TAG_SHIFT) == 0);
#endif
asBits_ =
bitsFromTagAndPayload(JSVAL_TAG_PRIVATE_GCTHING, PayloadType(cell));
}
bool isPrivateGCThing() const { return toTag() == JSVAL_TAG_PRIVATE_GCTHING; }
} JS_HAZ_GC_POINTER MOZ_NON_PARAM;
static_assert(sizeof(Value) == 8,
"Value size must leave three tag bits, be a binary power, and "
"is ubiquitously depended upon everywhere");
static MOZ_ALWAYS_INLINE void ExposeValueToActiveJS(const Value& v) {
#ifdef DEBUG
Value tmp = v;
MOZ_ASSERT(!js::gc::EdgeNeedsSweepUnbarrieredSlow(&tmp));
#endif
if (v.isGCThing()) {
js::gc::ExposeGCThingToActiveJS(v.toGCCellPtr());
}
}
/************************************************************************/
static inline MOZ_MAY_CALL_AFTER_MUST_RETURN Value NullValue() {
Value v;
v.setNull();
return v;
}
static constexpr Value UndefinedValue() { return Value(); }
static constexpr Value Int32Value(int32_t i32) { return Value::fromInt32(i32); }
static inline Value DoubleValue(double dbl) {
Value v;
v.setDouble(dbl);
return v;
}
static inline Value CanonicalizedDoubleValue(double d) {
return Value::fromDouble(CanonicalizeNaN(d));
}
static inline Value NaNValue() {
return Value::fromRawBits(detail::CanonicalizedNaNBits);
}
static inline Value InfinityValue() {
return Value::fromRawBits(detail::InfinityBits);
}
static inline Value Float32Value(float f) {
Value v;
v.setDouble(f);
return v;
}
static inline Value StringValue(JSString* str) {
Value v;
v.setString(str);
return v;
}
static inline Value SymbolValue(JS::Symbol* sym) {
Value v;
v.setSymbol(sym);
return v;
}
static inline Value BigIntValue(JS::BigInt* bi) {
Value v;
v.setBigInt(bi);
return v;
}
static inline Value BooleanValue(bool boo) {
Value v;
v.setBoolean(boo);
return v;
}
static inline Value TrueValue() {
Value v;
v.setBoolean(true);
return v;
}
static inline Value FalseValue() {
Value v;
v.setBoolean(false);
return v;
}
static inline Value ObjectValue(JSObject& obj) {
Value v;
v.setObject(obj);
return v;
}
#ifdef ENABLE_RECORD_TUPLE
static inline Value ExtendedPrimitiveValue(JSObject& obj) {
Value v;
v.setExtendedPrimitive(obj);
return v;
}
#endif
static inline Value MagicValue(JSWhyMagic why) {
Value v;
v.setMagic(why);
return v;
}
static inline Value MagicValueUint32(uint32_t payload) {
Value v;
v.setMagicUint32(payload);
return v;
}
static constexpr Value NumberValue(uint32_t i) {
return i <= JSVAL_INT_MAX ? Int32Value(int32_t(i))
: Value::fromDouble(double(i));
}
template <typename T>
static inline Value NumberValue(const T t) {
Value v;
v.setNumber(t);
return v;
}
static inline Value ObjectOrNullValue(JSObject* obj) {
Value v;
v.setObjectOrNull(obj);
return v;
}
static inline Value PrivateValue(void* ptr) {
Value v;
v.setPrivate(ptr);
return v;
}
static inline Value PrivateValue(uintptr_t ptr) {
return PrivateValue(reinterpret_cast<void*>(ptr));
}
static inline Value PrivateUint32Value(uint32_t ui) {
Value v;
v.setPrivateUint32(ui);
return v;
}
static inline Value PrivateGCThingValue(js::gc::Cell* cell) {
Value v;
v.setPrivateGCThing(cell);
return v;
}
inline bool SameType(const Value& lhs, const Value& rhs) {
#if defined(JS_NUNBOX32)
JSValueTag ltag = lhs.toTag(), rtag = rhs.toTag();
return ltag == rtag || (ltag < JSVAL_TAG_CLEAR && rtag < JSVAL_TAG_CLEAR);
#elif defined(JS_PUNBOX64)
return (lhs.isDouble() && rhs.isDouble()) ||
(((lhs.asBits_ ^ rhs.asBits_) & 0xFFFF800000000000ULL) == 0);
#endif
}
} // namespace JS
/************************************************************************/
namespace JS {
JS_PUBLIC_API void HeapValuePostWriteBarrier(Value* valuep, const Value& prev,
const Value& next);
JS_PUBLIC_API void HeapValueWriteBarriers(Value* valuep, const Value& prev,
const Value& next);
template <>
struct GCPolicy<JS::Value> {
static void trace(JSTracer* trc, Value* v, const char* name) {
// This should only be called as part of root marking since that's the only
// time we should trace unbarriered GC thing pointers. This will assert if
// called at other times.
TraceRoot(trc, v, name);
}
static bool isTenured(const Value& thing) {
return !thing.isGCThing() || !IsInsideNursery(thing.toGCThing());
}
static bool isValid(const Value& value) {
return !value.isGCThing() || js::gc::IsCellPointerValid(value.toGCThing());
}
};
} // namespace JS
namespace js {
template <>
struct BarrierMethods<JS::Value> {
static gc::Cell* asGCThingOrNull(const JS::Value& v) {
return v.isGCThing() ? v.toGCThing() : nullptr;
}
static void postWriteBarrier(JS::Value* v, const JS::Value& prev,
const JS::Value& next) {
JS::HeapValuePostWriteBarrier(v, prev, next);
}
static void exposeToJS(const JS::Value& v) { JS::ExposeValueToActiveJS(v); }
static void readBarrier(const JS::Value& v) {
if (v.isGCThing()) {
js::gc::IncrementalReadBarrier(v.toGCCellPtr());
}
}
};
template <class Wrapper>
class MutableValueOperations;
/**
* A class designed for CRTP use in implementing the non-mutating parts of the
* Value interface in Value-like classes. Wrapper must be a class inheriting
* ValueOperations<Wrapper> with a visible get() method returning a const
* reference to the Value abstracted by Wrapper.
*/
template <class Wrapper>
class WrappedPtrOperations<JS::Value, Wrapper> {
const JS::Value& value() const {
return static_cast<const Wrapper*>(this)->get();
}
public:
bool isUndefined() const { return value().isUndefined(); }
bool isNull() const { return value().isNull(); }
bool isBoolean() const { return value().isBoolean(); }
bool isTrue() const { return value().isTrue(); }
bool isFalse() const { return value().isFalse(); }
bool isNumber() const { return value().isNumber(); }
bool isInt32() const { return value().isInt32(); }
bool isInt32(int32_t i32) const { return value().isInt32(i32); }
bool isDouble() const { return value().isDouble(); }
bool isString() const { return value().isString(); }
bool isSymbol() const { return value().isSymbol(); }
bool isBigInt() const { return value().isBigInt(); }
bool isObject() const { return value().isObject(); }
#ifdef ENABLE_RECORD_TUPLE
bool isExtendedPrimitive() const { return value().isExtendedPrimitive(); }
#endif
bool hasObjectPayload() const { return value().hasObjectPayload(); }
bool isMagic() const { return value().isMagic(); }
bool isMagic(JSWhyMagic why) const { return value().isMagic(why); }
bool isGCThing() const { return value().isGCThing(); }
bool isPrivateGCThing() const { return value().isPrivateGCThing(); }
bool isPrimitive() const { return value().isPrimitive(); }
bool isNullOrUndefined() const { return value().isNullOrUndefined(); }
bool isObjectOrNull() const { return value().isObjectOrNull(); }
bool isNumeric() const { return value().isNumeric(); }
bool toBoolean() const { return value().toBoolean(); }
double toNumber() const { return value().toNumber(); }
int32_t toInt32() const { return value().toInt32(); }
double toDouble() const { return value().toDouble(); }
JSString* toString() const { return value().toString(); }
JS::Symbol* toSymbol() const { return value().toSymbol(); }
JS::BigInt* toBigInt() const { return value().toBigInt(); }
JSObject& toObject() const { return value().toObject(); }
JSObject* toObjectOrNull() const { return value().toObjectOrNull(); }
#ifdef ENABLE_RECORD_TUPLE
JSObject& toExtendedPrimitive() const {
return value().toExtendedPrimitive();
}
#endif
JSObject& getObjectPayload() const { return value().getObjectPayload(); }
JS::GCCellPtr toGCCellPtr() const { return value().toGCCellPtr(); }
gc::Cell* toGCThing() const { return value().toGCThing(); }
JS::TraceKind traceKind() const { return value().traceKind(); }
void* toPrivate() const { return value().toPrivate(); }
uint32_t toPrivateUint32() const { return value().toPrivateUint32(); }
uint64_t asRawBits() const { return value().asRawBits(); }
JSValueType extractNonDoubleType() const {
return value().extractNonDoubleType();
}
JS::ValueType type() const { return value().type(); }
JSWhyMagic whyMagic() const { return value().whyMagic(); }
uint32_t magicUint32() const { return value().magicUint32(); }
};
/**
* A class designed for CRTP use in implementing all the mutating parts of the
* Value interface in Value-like classes. Wrapper must be a class inheriting
* MutableWrappedPtrOperations<Wrapper> with visible get() methods returning
* const and non-const references to the Value abstracted by Wrapper.
*/
template <class Wrapper>
class MutableWrappedPtrOperations<JS::Value, Wrapper>
: public WrappedPtrOperations<JS::Value, Wrapper> {
protected:
void set(const JS::Value& v) {
// Call Wrapper::set to trigger any barriers.
static_cast<Wrapper*>(this)->set(v);
}
public:
void setNull() { set(JS::NullValue()); }
void setUndefined() { set(JS::UndefinedValue()); }
void setInt32(int32_t i) { set(JS::Int32Value(i)); }
void setDouble(double d) { set(JS::DoubleValue(d)); }
void setNaN() { set(JS::NaNValue()); }
void setInfinity() { set(JS::InfinityValue()); }
void setBoolean(bool b) { set(JS::BooleanValue(b)); }
void setMagic(JSWhyMagic why) { set(JS::MagicValue(why)); }
template <typename T>
void setNumber(T t) {
set(JS::NumberValue(t));
}
void setString(JSString* str) { set(JS::StringValue(str)); }
void setSymbol(JS::Symbol* sym) { set(JS::SymbolValue(sym)); }
void setBigInt(JS::BigInt* bi) { set(JS::BigIntValue(bi)); }
void setObject(JSObject& obj) { set(JS::ObjectValue(obj)); }
void setObjectOrNull(JSObject* arg) { set(JS::ObjectOrNullValue(arg)); }
#ifdef ENABLE_RECORD_TUPLE
void setExtendedPrimitive(JSObject& obj) {
return set(JS::ExtendedPrimitiveValue(obj));
}
#endif
void setPrivate(void* ptr) { set(JS::PrivateValue(ptr)); }
void setPrivateUint32(uint32_t ui) { set(JS::PrivateUint32Value(ui)); }
void setPrivateGCThing(js::gc::Cell* cell) {
set(JS::PrivateGCThingValue(cell));
}
};
/*
* Augment the generic Heap<T> interface when T = Value with
* type-querying, value-extracting, and mutating operations.
*/
template <typename Wrapper>
class HeapOperations<JS::Value, Wrapper>
: public MutableWrappedPtrOperations<JS::Value, Wrapper> {};
MOZ_HAVE_NORETURN MOZ_COLD MOZ_NEVER_INLINE void ReportBadValueTypeAndCrash(
const JS::Value& val);
// If the Value is a GC pointer type, call |f| with the pointer cast to that
// type and return the result wrapped in a Maybe, otherwise return None().
template <typename F>
auto MapGCThingTyped(const JS::Value& val, F&& f) {
switch (val.type()) {
case JS::ValueType::String: {
JSString* str = val.toString();
MOZ_ASSERT(gc::IsCellPointerValid(str));
return mozilla::Some(f(str));
}
#ifdef ENABLE_RECORD_TUPLE
case JS::ValueType::ExtendedPrimitive:
#endif
case JS::ValueType::Object: {
JSObject* obj = &val.getObjectPayload();
MOZ_ASSERT(gc::IsCellPointerValid(obj));
return mozilla::Some(f(obj));
}
case JS::ValueType::Symbol: {
JS::Symbol* sym = val.toSymbol();
MOZ_ASSERT(gc::IsCellPointerValid(sym));
return mozilla::Some(f(sym));
}
case JS::ValueType::BigInt: {
JS::BigInt* bi = val.toBigInt();
MOZ_ASSERT(gc::IsCellPointerValid(bi));
return mozilla::Some(f(bi));
}
case JS::ValueType::PrivateGCThing: {
MOZ_ASSERT(gc::IsCellPointerValid(val.toGCThing()));
return mozilla::Some(MapGCThingTyped(val.toGCCellPtr(), std::move(f)));
}
case JS::ValueType::Double:
case JS::ValueType::Int32:
case JS::ValueType::Boolean:
case JS::ValueType::Undefined:
case JS::ValueType::Null:
case JS::ValueType::Magic: {
MOZ_ASSERT(!val.isGCThing());
using ReturnType = decltype(f(static_cast<JSObject*>(nullptr)));
return mozilla::Maybe<ReturnType>();
}
}
ReportBadValueTypeAndCrash(val);
}
// If the Value is a GC pointer type, call |f| with the pointer cast to that
// type. Return whether this happened.
template <typename F>
bool ApplyGCThingTyped(const JS::Value& val, F&& f) {
return MapGCThingTyped(val,
[&f](auto t) {
f(t);
return true;
})
.isSome();
}
static inline JS::Value PoisonedObjectValue(uintptr_t poison) {
JS::Value v;
v.setObjectNoCheck(reinterpret_cast<JSObject*>(poison));
return v;
}
} // namespace js
#ifdef DEBUG
namespace JS {
MOZ_ALWAYS_INLINE void AssertValueIsNotGray(const Value& value) {
if (value.isGCThing()) {
AssertCellIsNotGray(value.toGCThing());
}
}
MOZ_ALWAYS_INLINE void AssertValueIsNotGray(const Heap<Value>& value) {
AssertValueIsNotGray(value.unbarrieredGet());
}
} // namespace JS
#endif
/************************************************************************/
namespace JS {
extern JS_PUBLIC_DATA const HandleValue NullHandleValue;
extern JS_PUBLIC_DATA const HandleValue UndefinedHandleValue;
extern JS_PUBLIC_DATA const HandleValue TrueHandleValue;
extern JS_PUBLIC_DATA const HandleValue FalseHandleValue;
extern JS_PUBLIC_DATA const Handle<mozilla::Maybe<Value>> NothingHandleValue;
} // namespace JS
#endif /* js_Value_h */
