summaryrefslogtreecommitdiffstats
path: root/js/src/vm/ArgumentsObject.h
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--js/src/vm/ArgumentsObject.h566
1 files changed, 566 insertions, 0 deletions
diff --git a/js/src/vm/ArgumentsObject.h b/js/src/vm/ArgumentsObject.h
new file mode 100644
index 0000000000..93ad790f88
--- /dev/null
+++ b/js/src/vm/ArgumentsObject.h
@@ -0,0 +1,566 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ * vim: set ts=8 sts=2 et sw=2 tw=80:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef vm_ArgumentsObject_h
+#define vm_ArgumentsObject_h
+
+#include "mozilla/MemoryReporting.h"
+
+#include "gc/Barrier.h"
+#include "util/BitArray.h"
+#include "vm/NativeObject.h"
+
+namespace js {
+
+class AbstractFramePtr;
+class ArgumentsObject;
+class ScriptFrameIter;
+
+namespace jit {
+class JitFrameLayout;
+} // namespace jit
+
+// RareArgumentsData stores the deleted-elements bits for an arguments object.
+// Because |delete arguments[i]| is uncommon, we allocate this data the first
+// time an element is deleted.
+class RareArgumentsData {
+ // Pointer to an array of bits indicating, for every argument in
+ // [0, initialLength) whether the element has been deleted. See
+ // ArgumentsObject::isElementDeleted comment.
+ size_t deletedBits_[1];
+
+ RareArgumentsData() = default;
+ RareArgumentsData(const RareArgumentsData&) = delete;
+ void operator=(const RareArgumentsData&) = delete;
+
+ public:
+ static RareArgumentsData* create(JSContext* cx, ArgumentsObject* obj);
+ static size_t bytesRequired(size_t numActuals);
+
+ bool isElementDeleted(size_t len, size_t i) const {
+ MOZ_ASSERT(i < len);
+ return IsBitArrayElementSet(deletedBits_, len, i);
+ }
+ void markElementDeleted(size_t len, size_t i) {
+ MOZ_ASSERT(i < len);
+ SetBitArrayElement(deletedBits_, len, i);
+ }
+};
+
+// ArgumentsData stores the initial indexed arguments provided to a function
+// call. It is used to store arguments[i] -- up until the corresponding
+// property is modified, when the relevant value is flagged to memorialize the
+// modification.
+struct ArgumentsData {
+ /*
+ * numArgs = std::max(numFormalArgs, numActualArgs)
+ * The array 'args' has numArgs elements.
+ */
+ uint32_t numArgs;
+
+ RareArgumentsData* rareData;
+
+ /*
+ * This array holds either the current argument value or the magic
+ * forwarding value. The latter means that the function has both a
+ * CallObject and an ArgumentsObject AND the particular formal variable is
+ * aliased by the CallObject. In such cases, the CallObject holds the
+ * canonical value so any element access to the arguments object should load
+ * the value out of the CallObject (which is pointed to by MAYBE_CALL_SLOT).
+ */
+ GCPtr<Value> args[1];
+
+ /* For jit use: */
+ static ptrdiff_t offsetOfArgs() { return offsetof(ArgumentsData, args); }
+
+ /* Iterate args. */
+ GCPtr<Value>* begin() { return args; }
+ const GCPtr<Value>* begin() const { return args; }
+ GCPtr<Value>* end() { return args + numArgs; }
+ const GCPtr<Value>* end() const { return args + numArgs; }
+
+ static size_t bytesRequired(size_t numArgs) {
+ return offsetof(ArgumentsData, args) + numArgs * sizeof(Value);
+ }
+};
+
+// Maximum supported value of arguments.length. This bounds the
+// maximum number of arguments that can be supplied to a spread call
+// or Function.prototype.apply. This value also bounds the number of
+// elements parsed in an array initializer. NB: keep this in sync
+// with the copy in builtin/SelfHostingDefines.h.
+static const unsigned ARGS_LENGTH_MAX = 500 * 1000;
+
+// Maximum number of arguments supported in jitcode. This bounds the
+// maximum number of arguments that can be supplied to a spread call
+// or Function.prototype.apply without entering the VM. We limit the
+// number of parameters we can handle to a number that does not risk
+// us allocating too much stack, notably on Windows where there is a
+// 4K guard page that has to be touched to extend the stack. The value
+// "3000" is the size of the guard page minus an arbitrary, but large,
+// safety margin. See bug 1351278.
+static const uint32_t JIT_ARGS_LENGTH_MAX = 3000 / sizeof(JS::Value);
+
+static_assert(JIT_ARGS_LENGTH_MAX <= ARGS_LENGTH_MAX,
+ "maximum jit arguments should be <= maximum arguments");
+
+/*
+ * [SMDOC] ArgumentsObject
+ *
+ * ArgumentsObject instances represent |arguments| objects created to store
+ * function arguments when a function is called. It's expensive to create such
+ * objects if they're never used, so they're only created when they are
+ * potentially used.
+ *
+ * Arguments objects are complicated because, for non-strict mode code, they
+ * must alias any named arguments which were provided to the function. Gnarly
+ * example:
+ *
+ * function f(a, b, c, d)
+ * {
+ * arguments[0] = "seta";
+ * assertEq(a, "seta");
+ * b = "setb";
+ * assertEq(arguments[1], "setb");
+ * c = "setc";
+ * assertEq(arguments[2], undefined);
+ * arguments[3] = "setd";
+ * assertEq(d, undefined);
+ * }
+ * f("arga", "argb");
+ *
+ * ES5's strict mode behaves more sanely, and named arguments don't alias
+ * elements of an arguments object.
+ *
+ * ArgumentsObject instances use the following reserved slots:
+ *
+ * INITIAL_LENGTH_SLOT
+ * Stores the initial value of arguments.length, plus a bit indicating
+ * whether arguments.length and/or arguments[@@iterator] have been
+ * modified. Use initialLength(), hasOverriddenLength(), and
+ * hasOverriddenIterator() to access these values. If arguments.length has
+ * been modified, then the current value of arguments.length is stored in
+ * another slot associated with a new property.
+ * DATA_SLOT
+ * Stores an ArgumentsData*, described above.
+ * MAYBE_CALL_SLOT
+ * Stores the CallObject, if the callee has aliased bindings. See
+ * the ArgumentsData::args comment.
+ * CALLEE_SLOT
+ * Stores the initial arguments.callee. This value can be overridden on
+ * mapped arguments objects, see hasOverriddenCallee.
+ */
+class ArgumentsObject : public NativeObject {
+ public:
+ static const uint32_t INITIAL_LENGTH_SLOT = 0;
+ static const uint32_t DATA_SLOT = 1;
+ static const uint32_t MAYBE_CALL_SLOT = 2;
+ static const uint32_t CALLEE_SLOT = 3;
+
+ static const uint32_t LENGTH_OVERRIDDEN_BIT = 0x1;
+ static const uint32_t ITERATOR_OVERRIDDEN_BIT = 0x2;
+ static const uint32_t ELEMENT_OVERRIDDEN_BIT = 0x4;
+ static const uint32_t CALLEE_OVERRIDDEN_BIT = 0x8;
+ static const uint32_t FORWARDED_ARGUMENTS_BIT = 0x10;
+ static const uint32_t PACKED_BITS_COUNT = 5;
+ static const uint32_t PACKED_BITS_MASK = (1 << PACKED_BITS_COUNT) - 1;
+
+ static_assert(ARGS_LENGTH_MAX <= (UINT32_MAX >> PACKED_BITS_COUNT),
+ "Max arguments length must fit in available bits");
+
+// Our ability to inline functions that use |arguments| is limited by
+// the number of registers available to represent Value operands to
+// CreateInlinedArgumentsObject.
+#if defined(JS_CODEGEN_X86)
+ static const uint32_t MaxInlinedArgs = 1;
+#else
+ static const uint32_t MaxInlinedArgs = 3;
+#endif
+
+ protected:
+ template <typename CopyArgs>
+ static ArgumentsObject* create(JSContext* cx, HandleFunction callee,
+ unsigned numActuals, CopyArgs& copy);
+
+ ArgumentsData* data() const {
+ return reinterpret_cast<ArgumentsData*>(
+ getFixedSlot(DATA_SLOT).toPrivate());
+ }
+
+ RareArgumentsData* maybeRareData() const { return data()->rareData; }
+
+ [[nodiscard]] bool createRareData(JSContext* cx);
+
+ RareArgumentsData* getOrCreateRareData(JSContext* cx) {
+ if (!data()->rareData && !createRareData(cx)) {
+ return nullptr;
+ }
+ return data()->rareData;
+ }
+
+ static bool obj_delProperty(JSContext* cx, HandleObject obj, HandleId id,
+ ObjectOpResult& result);
+
+ static bool obj_mayResolve(const JSAtomState& names, jsid id, JSObject*);
+
+ public:
+ static const uint32_t RESERVED_SLOTS = 4;
+ static const gc::AllocKind FINALIZE_KIND = gc::AllocKind::OBJECT4_BACKGROUND;
+
+ /* Create an arguments object for a frame that is expecting them. */
+ static ArgumentsObject* createExpected(JSContext* cx, AbstractFramePtr frame);
+
+ /*
+ * Purposefully disconnect the returned arguments object from the frame
+ * by always creating a new copy that does not alias formal parameters.
+ * This allows function-local analysis to determine that formals are
+ * not aliased and generally simplifies arguments objects.
+ */
+ static ArgumentsObject* createUnexpected(JSContext* cx,
+ ScriptFrameIter& iter);
+ static ArgumentsObject* createUnexpected(JSContext* cx,
+ AbstractFramePtr frame);
+
+ static ArgumentsObject* createForIon(JSContext* cx,
+ jit::JitFrameLayout* frame,
+ HandleObject scopeChain);
+ static ArgumentsObject* createForInlinedIon(JSContext* cx, Value* args,
+ HandleFunction callee,
+ HandleObject scopeChain,
+ uint32_t numActuals);
+ static ArgumentsObject* createFromValueArray(JSContext* cx,
+ HandleValueArray argsArray,
+ HandleFunction callee,
+ HandleObject scopeChain,
+ uint32_t numActuals);
+
+ private:
+ template <typename CopyArgs>
+ static ArgumentsObject* finishPure(JSContext* cx, ArgumentsObject* obj,
+ JSFunction* callee, JSObject* callObj,
+ unsigned numActuals, CopyArgs& copy);
+
+ public:
+ /*
+ * Allocate ArgumentsData and fill reserved slots after allocating an
+ * ArgumentsObject in Ion code.
+ */
+ static ArgumentsObject* finishForIonPure(JSContext* cx,
+ jit::JitFrameLayout* frame,
+ JSObject* scopeChain,
+ ArgumentsObject* obj);
+
+ /*
+ * Allocate ArgumentsData for inlined arguments and fill reserved slots after
+ * allocating an ArgumentsObject in Ion code.
+ */
+ static ArgumentsObject* finishInlineForIonPure(
+ JSContext* cx, JSObject* rawCallObj, JSFunction* rawCallee, Value* args,
+ uint32_t numActuals, ArgumentsObject* obj);
+
+ static ArgumentsObject* createTemplateObject(JSContext* cx, bool mapped);
+
+ /*
+ * Return the initial length of the arguments. This may differ from the
+ * current value of arguments.length!
+ */
+ uint32_t initialLength() const {
+ uint32_t argc = uint32_t(getFixedSlot(INITIAL_LENGTH_SLOT).toInt32()) >>
+ PACKED_BITS_COUNT;
+ MOZ_ASSERT(argc <= ARGS_LENGTH_MAX);
+ return argc;
+ }
+
+ // True iff arguments.length has been assigned or deleted.
+ bool hasOverriddenLength() const {
+ const Value& v = getFixedSlot(INITIAL_LENGTH_SLOT);
+ return v.toInt32() & LENGTH_OVERRIDDEN_BIT;
+ }
+
+ void markLengthOverridden() {
+ uint32_t v =
+ getFixedSlot(INITIAL_LENGTH_SLOT).toInt32() | LENGTH_OVERRIDDEN_BIT;
+ setFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(v));
+ }
+
+ // Create the default "length" property and set LENGTH_OVERRIDDEN_BIT.
+ static bool reifyLength(JSContext* cx, Handle<ArgumentsObject*> obj);
+
+ // True iff arguments[@@iterator] has been assigned or deleted.
+ bool hasOverriddenIterator() const {
+ const Value& v = getFixedSlot(INITIAL_LENGTH_SLOT);
+ return v.toInt32() & ITERATOR_OVERRIDDEN_BIT;
+ }
+
+ void markIteratorOverridden() {
+ uint32_t v =
+ getFixedSlot(INITIAL_LENGTH_SLOT).toInt32() | ITERATOR_OVERRIDDEN_BIT;
+ setFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(v));
+ }
+
+ // Create the default @@iterator property and set ITERATOR_OVERRIDDEN_BIT.
+ static bool reifyIterator(JSContext* cx, Handle<ArgumentsObject*> obj);
+
+ /*
+ * Return the arguments iterator function.
+ */
+ static bool getArgumentsIterator(JSContext* cx, MutableHandleValue val);
+
+ // True iff any element has been assigned or deleted.
+ bool hasOverriddenElement() const {
+ const Value& v = getFixedSlot(INITIAL_LENGTH_SLOT);
+ return v.toInt32() & ELEMENT_OVERRIDDEN_BIT;
+ }
+
+ void markElementOverridden() {
+ uint32_t v =
+ getFixedSlot(INITIAL_LENGTH_SLOT).toInt32() | ELEMENT_OVERRIDDEN_BIT;
+ setFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(v));
+ }
+
+ private:
+ /*
+ * Because the arguments object is a real object, its elements may be
+ * deleted. This is implemented by setting a 'deleted' flag for the arg
+ * which is read by argument object resolve and getter/setter hooks.
+ *
+ * NB: an element, once deleted, stays deleted. Thus:
+ *
+ * function f(x) { delete arguments[0]; arguments[0] = 42; return x }
+ * assertEq(f(1), 1);
+ *
+ * This works because, once a property is deleted from an arguments object,
+ * it gets regular properties with regular getters/setters that don't alias
+ * ArgumentsData::args.
+ */
+ bool isElementDeleted(uint32_t i) const {
+ MOZ_ASSERT(i < data()->numArgs);
+ if (i >= initialLength()) {
+ return false;
+ }
+ bool result = maybeRareData() &&
+ maybeRareData()->isElementDeleted(initialLength(), i);
+ MOZ_ASSERT_IF(result, hasOverriddenElement());
+ return result;
+ }
+
+ protected:
+ bool markElementDeleted(JSContext* cx, uint32_t i);
+
+ public:
+ /*
+ * Return true iff the index is a valid element index for this arguments
+ * object.
+ *
+ * Returning true here doesn't imply that the element value can be read
+ * through |ArgumentsObject::element()|. For example unmapped arguments
+ * objects can have an element index property redefined without having marked
+ * the element as deleted. Instead use |maybeGetElement()| or manually check
+ * for |hasOverriddenElement()|.
+ */
+ bool isElement(uint32_t i) const {
+ return i < initialLength() && !isElementDeleted(i);
+ }
+
+ /*
+ * An ArgumentsObject serves two roles:
+ * - a real object, accessed through regular object operations, e.g..,
+ * GetElement corresponding to 'arguments[i]';
+ * - a VM-internal data structure, storing the value of arguments (formal
+ * and actual) that are accessed directly by the VM when a reading the
+ * value of a formal parameter.
+ * There are two ways to access the ArgumentsData::args corresponding to
+ * these two use cases:
+ * - object access should use elements(i) which will take care of
+ * forwarding when the value is the magic forwarding value;
+ * - VM argument access should use arg(i) which will assert that the
+ * value is not the magic forwarding value (since, if such forwarding was
+ * needed, the frontend should have emitted JSOp::GetAliasedVar).
+ */
+ const Value& element(uint32_t i) const;
+
+ inline void setElement(uint32_t i, const Value& v);
+
+ const Value& arg(unsigned i) const {
+ MOZ_ASSERT(i < data()->numArgs);
+ const Value& v = data()->args[i];
+ MOZ_ASSERT(!v.isMagic());
+ return v;
+ }
+
+ void setArg(unsigned i, const Value& v) {
+ MOZ_ASSERT(i < data()->numArgs);
+ GCPtr<Value>& lhs = data()->args[i];
+ MOZ_ASSERT(!lhs.isMagic());
+ lhs = v;
+ }
+
+ /*
+ * Test if an argument is forwarded, i.e. its actual value is stored in the
+ * CallObject and can't be directly read from |ArgumentsData::args|.
+ */
+ bool argIsForwarded(unsigned i) const {
+ MOZ_ASSERT(i < data()->numArgs);
+ const Value& v = data()->args[i];
+ MOZ_ASSERT_IF(IsMagicScopeSlotValue(v), anyArgIsForwarded());
+ return IsMagicScopeSlotValue(v);
+ }
+
+ bool anyArgIsForwarded() const {
+ const Value& v = getFixedSlot(INITIAL_LENGTH_SLOT);
+ return v.toInt32() & FORWARDED_ARGUMENTS_BIT;
+ }
+
+ void markArgumentForwarded() {
+ uint32_t v =
+ getFixedSlot(INITIAL_LENGTH_SLOT).toInt32() | FORWARDED_ARGUMENTS_BIT;
+ setFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(v));
+ }
+
+ /*
+ * Attempt to speedily and efficiently access the i-th element of this
+ * arguments object. Return true if the element was speedily returned.
+ * Return false if the element must be looked up more slowly using
+ * getProperty or some similar method. The second overload copies the
+ * elements [start, start + count) into the locations starting at 'vp'.
+ *
+ * NB: Returning false does not indicate error!
+ */
+ bool maybeGetElement(uint32_t i, MutableHandleValue vp) {
+ if (i >= initialLength() || hasOverriddenElement()) {
+ return false;
+ }
+ vp.set(element(i));
+ return true;
+ }
+
+ inline bool maybeGetElements(uint32_t start, uint32_t count, js::Value* vp);
+
+ /*
+ * Measures things hanging off this ArgumentsObject that are counted by the
+ * |miscSize| argument in JSObject::sizeOfExcludingThis().
+ */
+ size_t sizeOfMisc(mozilla::MallocSizeOf mallocSizeOf) const {
+ if (!data()) { // Template arguments objects have no data.
+ return 0;
+ }
+ return mallocSizeOf(data()) + mallocSizeOf(maybeRareData());
+ }
+ size_t sizeOfData() const {
+ return ArgumentsData::bytesRequired(data()->numArgs) +
+ (maybeRareData() ? RareArgumentsData::bytesRequired(initialLength())
+ : 0);
+ }
+
+ static void finalize(JS::GCContext* gcx, JSObject* obj);
+ static void trace(JSTracer* trc, JSObject* obj);
+ static size_t objectMoved(JSObject* dst, JSObject* src);
+
+ /* For jit use: */
+ static size_t getDataSlotOffset() { return getFixedSlotOffset(DATA_SLOT); }
+ static size_t getInitialLengthSlotOffset() {
+ return getFixedSlotOffset(INITIAL_LENGTH_SLOT);
+ }
+
+ static Value MagicEnvSlotValue(uint32_t slot) {
+ // When forwarding slots to a backing CallObject, the slot numbers are
+ // stored as uint32 magic values. This raises an ambiguity if we have
+ // also copied JS_OPTIMIZED_OUT magic from a JIT frame or
+ // JS_UNINITIALIZED_LEXICAL magic on the CallObject. To distinguish
+ // normal magic values (those with a JSWhyMagic) and uint32 magic
+ // values, we add the maximum JSWhyMagic value to the slot
+ // number. This is safe as ARGS_LENGTH_MAX is well below UINT32_MAX.
+ static_assert(UINT32_MAX - JS_WHY_MAGIC_COUNT > ARGS_LENGTH_MAX);
+ return JS::MagicValueUint32(slot + JS_WHY_MAGIC_COUNT);
+ }
+ static uint32_t SlotFromMagicScopeSlotValue(const Value& v) {
+ static_assert(UINT32_MAX - JS_WHY_MAGIC_COUNT > ARGS_LENGTH_MAX);
+ return v.magicUint32() - JS_WHY_MAGIC_COUNT;
+ }
+ static bool IsMagicScopeSlotValue(const Value& v) {
+ return v.isMagic() && v.magicUint32() > JS_WHY_MAGIC_COUNT;
+ }
+
+ static void MaybeForwardToCallObject(AbstractFramePtr frame,
+ ArgumentsObject* obj,
+ ArgumentsData* data);
+ static void MaybeForwardToCallObject(JSFunction* callee, JSObject* callObj,
+ ArgumentsObject* obj,
+ ArgumentsData* data);
+};
+
+class MappedArgumentsObject : public ArgumentsObject {
+ static const JSClassOps classOps_;
+ static const ClassExtension classExt_;
+ static const ObjectOps objectOps_;
+
+ public:
+ static const JSClass class_;
+
+ JSFunction& callee() const {
+ return getFixedSlot(CALLEE_SLOT).toObject().as<JSFunction>();
+ }
+
+ bool hasOverriddenCallee() const {
+ const Value& v = getFixedSlot(INITIAL_LENGTH_SLOT);
+ return v.toInt32() & CALLEE_OVERRIDDEN_BIT;
+ }
+
+ void markCalleeOverridden() {
+ uint32_t v =
+ getFixedSlot(INITIAL_LENGTH_SLOT).toInt32() | CALLEE_OVERRIDDEN_BIT;
+ setFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(v));
+ }
+
+ static size_t getCalleeSlotOffset() {
+ return getFixedSlotOffset(CALLEE_SLOT);
+ }
+
+ // Create the default "callee" property and set CALLEE_OVERRIDDEN_BIT.
+ static bool reifyCallee(JSContext* cx, Handle<MappedArgumentsObject*> obj);
+
+ private:
+ static bool obj_enumerate(JSContext* cx, HandleObject obj);
+ static bool obj_resolve(JSContext* cx, HandleObject obj, HandleId id,
+ bool* resolvedp);
+ static bool obj_defineProperty(JSContext* cx, HandleObject obj, HandleId id,
+ Handle<JS::PropertyDescriptor> desc,
+ ObjectOpResult& result);
+};
+
+class UnmappedArgumentsObject : public ArgumentsObject {
+ static const JSClassOps classOps_;
+ static const ClassExtension classExt_;
+
+ public:
+ static const JSClass class_;
+
+ private:
+ static bool obj_enumerate(JSContext* cx, HandleObject obj);
+ static bool obj_resolve(JSContext* cx, HandleObject obj, HandleId id,
+ bool* resolvedp);
+};
+
+extern bool MappedArgGetter(JSContext* cx, HandleObject obj, HandleId id,
+ MutableHandleValue vp);
+
+extern bool MappedArgSetter(JSContext* cx, HandleObject obj, HandleId id,
+ HandleValue v, ObjectOpResult& result);
+
+extern bool UnmappedArgGetter(JSContext* cx, HandleObject obj, HandleId id,
+ MutableHandleValue vp);
+
+extern bool UnmappedArgSetter(JSContext* cx, HandleObject obj, HandleId id,
+ HandleValue v, ObjectOpResult& result);
+
+} // namespace js
+
+template <>
+inline bool JSObject::is<js::ArgumentsObject>() const {
+ return is<js::MappedArgumentsObject>() || is<js::UnmappedArgumentsObject>();
+}
+
+#endif /* vm_ArgumentsObject_h */