Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

10977 lines (8867 sloc) 402.21 kb
// Copyright 2012 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef V8_OBJECTS_H_
#define V8_OBJECTS_H_
#include <iosfwd>
#include "src/allocation.h"
#include "src/assert-scope.h"
#include "src/bailout-reason.h"
#include "src/base/bits.h"
#include "src/builtins.h"
#include "src/checks.h"
#include "src/elements-kind.h"
#include "src/field-index.h"
#include "src/flags.h"
#include "src/list.h"
#include "src/property-details.h"
#include "src/smart-pointers.h"
#include "src/unicode-inl.h"
#include "src/unicode-decoder.h"
#include "src/zone.h"
#include "src/arm/constants-arm.h" // NOLINT
#include "src/arm64/constants-arm64.h" // NOLINT
#include "src/mips/constants-mips.h" // NOLINT
#include "src/mips64/constants-mips64.h" // NOLINT
// Most object types in the V8 JavaScript are described in this file.
// Inheritance hierarchy:
// - Object
// - Smi (immediate small integer)
// - HeapObject (superclass for everything allocated in the heap)
// - JSReceiver (suitable for property access)
// - JSObject
// - JSArray
// - JSArrayBuffer
// - JSArrayBufferView
// - JSTypedArray
// - JSDataView
// - JSCollection
// - JSSet
// - JSMap
// - JSSetIterator
// - JSMapIterator
// - JSWeakCollection
// - JSWeakMap
// - JSWeakSet
// - JSRegExp
// - JSFunction
// - JSGeneratorObject
// - JSModule
// - GlobalObject
// - JSGlobalObject
// - JSBuiltinsObject
// - JSGlobalProxy
// - JSValue
// - JSDate
// - JSMessageObject
// - JSProxy
// - JSFunctionProxy
// - FixedArrayBase
// - ByteArray
// - FixedArray
// - DescriptorArray
// - HashTable
// - Dictionary
// - StringTable
// - CompilationCacheTable
// - CodeCacheHashTable
// - MapCache
// - OrderedHashTable
// - OrderedHashSet
// - OrderedHashMap
// - Context
// - TypeFeedbackVector
// - JSFunctionResultCache
// - ScopeInfo
// - TransitionArray
// - ScriptContextTable
// - FixedDoubleArray
// - ExternalArray
// - ExternalUint8ClampedArray
// - ExternalInt8Array
// - ExternalUint8Array
// - ExternalInt16Array
// - ExternalUint16Array
// - ExternalInt32Array
// - ExternalUint32Array
// - ExternalFloat32Array
// - Name
// - String
// - SeqString
// - SeqOneByteString
// - SeqTwoByteString
// - SlicedString
// - ConsString
// - ExternalString
// - ExternalOneByteString
// - ExternalTwoByteString
// - InternalizedString
// - SeqInternalizedString
// - SeqOneByteInternalizedString
// - SeqTwoByteInternalizedString
// - ConsInternalizedString
// - ExternalInternalizedString
// - ExternalOneByteInternalizedString
// - ExternalTwoByteInternalizedString
// - Symbol
// - HeapNumber
// - Cell
// - PropertyCell
// - Code
// - Map
// - Oddball
// - Foreign
// - SharedFunctionInfo
// - Struct
// - Box
// - DeclaredAccessorDescriptor
// - AccessorInfo
// - DeclaredAccessorInfo
// - ExecutableAccessorInfo
// - AccessorPair
// - AccessCheckInfo
// - InterceptorInfo
// - CallHandlerInfo
// - TemplateInfo
// - FunctionTemplateInfo
// - ObjectTemplateInfo
// - Script
// - SignatureInfo
// - TypeSwitchInfo
// - DebugInfo
// - BreakPointInfo
// - CodeCache
// - WeakCell
// Formats of Object*:
// Smi: [31 bit signed int] 0
// HeapObject: [32 bit direct pointer] (4 byte aligned) | 01
namespace v8 {
namespace internal {
enum KeyedAccessStoreMode {
enum ContextualMode {
enum MutableMode {
static const int kGrowICDelta = STORE_AND_GROW_NO_TRANSITION -
static inline KeyedAccessStoreMode GetGrowStoreMode(
KeyedAccessStoreMode store_mode) {
if (store_mode < STORE_AND_GROW_NO_TRANSITION) {
store_mode = static_cast<KeyedAccessStoreMode>(
static_cast<int>(store_mode) + kGrowICDelta);
return store_mode;
static inline bool IsTransitionStoreMode(KeyedAccessStoreMode store_mode) {
return store_mode > STANDARD_STORE &&
static inline KeyedAccessStoreMode GetNonTransitioningStoreMode(
KeyedAccessStoreMode store_mode) {
return store_mode;
if (store_mode >= STORE_AND_GROW_NO_TRANSITION) {
static inline bool IsGrowStoreMode(KeyedAccessStoreMode store_mode) {
return store_mode >= STORE_AND_GROW_NO_TRANSITION &&
enum IcCheckType { ELEMENT, PROPERTY };
// Setter that skips the write barrier if mode is SKIP_WRITE_BARRIER.
// Indicates whether a value can be loaded as a constant.
enum StoreMode {
// PropertyNormalizationMode is used to specify whether to keep
// inobject properties when normalizing properties of a JSObject.
enum PropertyNormalizationMode {
// Indicates how aggressively the prototype should be optimized. FAST_PROTOTYPE
// will give the fastest result by tailoring the map to the prototype, but that
// will cause polymorphism with other objects. REGULAR_PROTOTYPE is to be used
// (at least for now) when dynamically modifying the prototype chain of an
// object using __proto__ or Object.setPrototypeOf.
enum PrototypeOptimizationMode { REGULAR_PROTOTYPE, FAST_PROTOTYPE };
// Indicates whether transitions can be added to a source map or not.
enum TransitionFlag {
enum DebugExtraICState {
// Indicates whether the transition is simple: the target map of the transition
// either extends the current map with a new property, or it modifies the
// property that was added last to the current map.
enum SimpleTransitionFlag {
// Indicates whether we are only interested in the descriptors of a particular
// map, or in all descriptors in the descriptor array.
enum DescriptorFlag {
// The GC maintains a bit of information, the MarkingParity, which toggles
// from odd to even and back every time marking is completed. Incremental
// marking can visit an object twice during a marking phase, so algorithms that
// that piggy-back on marking can use the parity to ensure that they only
// perform an operation on an object once per marking phase: they record the
// MarkingParity when they visit an object, and only re-visit the object when it
// is marked again and the MarkingParity changes.
enum MarkingParity {
// ICs store extra state in a Code object. The default extra state is
// kNoExtraICState.
typedef int ExtraICState;
static const ExtraICState kNoExtraICState = 0;
// Instance size sentinel for objects of variable size.
const int kVariableSizeSentinel = 0;
// We may store the unsigned bit field as signed Smi value and do not
// use the sign bit.
const int kStubMajorKeyBits = 7;
const int kStubMinorKeyBits = kSmiValueSize - kStubMajorKeyBits - 1;
// All Maps have a field instance_type containing a InstanceType.
// It describes the type of the instances.
// As an example, a JavaScript object is a heap object and its map
// instance_type is JS_OBJECT_TYPE.
// The names of the string instance types are intended to systematically
// mirror their encoding in the instance_type field of the map. The default
// encoding is considered TWO_BYTE. It is not mentioned in the name. ONE_BYTE
// encoding is mentioned explicitly in the name. Likewise, the default
// representation is considered sequential. It is not mentioned in the
// name. The other representations (e.g. CONS, EXTERNAL) are explicitly
// mentioned. Finally, the string is either a STRING_TYPE (if it is a normal
// string) or a INTERNALIZED_STRING_TYPE (if it is a internalized string).
// NOTE: The following things are some that depend on the string types having
// instance_types that are less than those of all other types:
// HeapObject::Size, HeapObject::IterateBody, the typeof operator, and
// Object::IsString.
// NOTE: Everything following JS_VALUE_TYPE is considered a
// JSObject for GC purposes. The first four entries here have typeof
// 'object', whereas JS_FUNCTION_TYPE has typeof 'function'.
/* Note: the order of these external array */ \
/* types is relied upon in */ \
/* Object::IsExternalArray(). */ \
// Since string types are not consecutive, this macro is used to
// iterate over them.
V(STRING_TYPE, kVariableSizeSentinel, string, String) \
V(ONE_BYTE_STRING_TYPE, kVariableSizeSentinel, one_byte_string, \
OneByteString) \
V(CONS_STRING_TYPE, ConsString::kSize, cons_string, ConsString) \
V(CONS_ONE_BYTE_STRING_TYPE, ConsString::kSize, cons_one_byte_string, \
ConsOneByteString) \
V(SLICED_STRING_TYPE, SlicedString::kSize, sliced_string, SlicedString) \
V(SLICED_ONE_BYTE_STRING_TYPE, SlicedString::kSize, sliced_one_byte_string, \
SlicedOneByteString) \
V(EXTERNAL_STRING_TYPE, ExternalTwoByteString::kSize, external_string, \
ExternalString) \
V(EXTERNAL_ONE_BYTE_STRING_TYPE, ExternalOneByteString::kSize, \
external_one_byte_string, ExternalOneByteString) \
external_string_with_one_byte_data, ExternalStringWithOneByteData) \
V(SHORT_EXTERNAL_STRING_TYPE, ExternalTwoByteString::kShortSize, \
short_external_string, ShortExternalString) \
V(SHORT_EXTERNAL_ONE_BYTE_STRING_TYPE, ExternalOneByteString::kShortSize, \
short_external_one_byte_string, ShortExternalOneByteString) \
ExternalTwoByteString::kShortSize, \
short_external_string_with_one_byte_data, \
ShortExternalStringWithOneByteData) \
V(INTERNALIZED_STRING_TYPE, kVariableSizeSentinel, internalized_string, \
InternalizedString) \
one_byte_internalized_string, OneByteInternalizedString) \
external_internalized_string, ExternalInternalizedString) \
external_one_byte_internalized_string, ExternalOneByteInternalizedString) \
ExternalTwoByteString::kSize, \
external_internalized_string_with_one_byte_data, \
ExternalInternalizedStringWithOneByteData) \
ExternalTwoByteString::kShortSize, short_external_internalized_string, \
ShortExternalInternalizedString) \
ExternalOneByteString::kShortSize, \
short_external_one_byte_internalized_string, \
ShortExternalOneByteInternalizedString) \
ExternalTwoByteString::kShortSize, \
short_external_internalized_string_with_one_byte_data, \
// A struct is a simple object a set of object-valued fields. Including an
// object type in this causes the compiler to generate most of the boilerplate
// code for the class including allocation and garbage collection routines,
// casts and predicates. All you need to define is the class, methods and
// object verification routines. Easy, no?
// Note that for subtle reasons related to the ordering or numerical values of
// type tags, elements in this list have to be added to the INSTANCE_TYPE_LIST
// manually.
#define STRUCT_LIST(V) \
V(BOX, Box, box) \
DeclaredAccessorDescriptor, \
declared_accessor_descriptor) \
V(DECLARED_ACCESSOR_INFO, DeclaredAccessorInfo, declared_accessor_info) \
V(EXECUTABLE_ACCESSOR_INFO, ExecutableAccessorInfo, executable_accessor_info)\
V(ACCESSOR_PAIR, AccessorPair, accessor_pair) \
V(ACCESS_CHECK_INFO, AccessCheckInfo, access_check_info) \
V(INTERCEPTOR_INFO, InterceptorInfo, interceptor_info) \
V(CALL_HANDLER_INFO, CallHandlerInfo, call_handler_info) \
V(FUNCTION_TEMPLATE_INFO, FunctionTemplateInfo, function_template_info) \
V(OBJECT_TEMPLATE_INFO, ObjectTemplateInfo, object_template_info) \
V(SIGNATURE_INFO, SignatureInfo, signature_info) \
V(TYPE_SWITCH_INFO, TypeSwitchInfo, type_switch_info) \
V(SCRIPT, Script, script) \
V(ALLOCATION_SITE, AllocationSite, allocation_site) \
V(ALLOCATION_MEMENTO, AllocationMemento, allocation_memento) \
V(CODE_CACHE, CodeCache, code_cache) \
V(POLYMORPHIC_CODE_CACHE, PolymorphicCodeCache, polymorphic_code_cache) \
V(TYPE_FEEDBACK_INFO, TypeFeedbackInfo, type_feedback_info) \
V(ALIASED_ARGUMENTS_ENTRY, AliasedArgumentsEntry, aliased_arguments_entry) \
V(DEBUG_INFO, DebugInfo, debug_info) \
V(BREAK_POINT_INFO, BreakPointInfo, break_point_info)
// We use the full 8 bits of the instance_type field to encode heap object
// instance types. The high-order bit (bit 7) is set if the object is not a
// string, and cleared if it is a string.
const uint32_t kIsNotStringMask = 0x80;
const uint32_t kStringTag = 0x0;
const uint32_t kNotStringTag = 0x80;
// Bit 6 indicates that the object is an internalized string (if set) or not.
// Bit 7 has to be clear as well.
const uint32_t kIsNotInternalizedMask = 0x40;
const uint32_t kNotInternalizedTag = 0x40;
const uint32_t kInternalizedTag = 0x0;
// If bit 7 is clear then bit 2 indicates whether the string consists of
// two-byte characters or one-byte characters.
const uint32_t kStringEncodingMask = 0x4;
const uint32_t kTwoByteStringTag = 0x0;
const uint32_t kOneByteStringTag = 0x4;
// If bit 7 is clear, the low-order 2 bits indicate the representation
// of the string.
const uint32_t kStringRepresentationMask = 0x03;
enum StringRepresentationTag {
kSeqStringTag = 0x0,
kConsStringTag = 0x1,
kExternalStringTag = 0x2,
kSlicedStringTag = 0x3
const uint32_t kIsIndirectStringMask = 0x1;
const uint32_t kIsIndirectStringTag = 0x1;
STATIC_ASSERT((kSeqStringTag & kIsIndirectStringMask) == 0); // NOLINT
STATIC_ASSERT((kExternalStringTag & kIsIndirectStringMask) == 0); // NOLINT
STATIC_ASSERT((kConsStringTag &
kIsIndirectStringMask) == kIsIndirectStringTag); // NOLINT
STATIC_ASSERT((kSlicedStringTag &
kIsIndirectStringMask) == kIsIndirectStringTag); // NOLINT
// Use this mask to distinguish between cons and slice only after making
// sure that the string is one of the two (an indirect string).
const uint32_t kSlicedNotConsMask = kSlicedStringTag & ~kConsStringTag;
// If bit 7 is clear, then bit 3 indicates whether this two-byte
// string actually contains one byte data.
const uint32_t kOneByteDataHintMask = 0x08;
const uint32_t kOneByteDataHintTag = 0x08;
// If bit 7 is clear and string representation indicates an external string,
// then bit 4 indicates whether the data pointer is cached.
const uint32_t kShortExternalStringMask = 0x10;
const uint32_t kShortExternalStringTag = 0x10;
// A ConsString with an empty string as the right side is a candidate
// for being shortcut by the garbage collector. We don't allocate any
// non-flat internalized strings, so we do not shortcut them thereby
// avoiding turning internalized strings into strings. The bit-masks
// below contain the internalized bit as additional safety.
// See, and
const uint32_t kShortcutTypeMask =
kIsNotStringMask |
kIsNotInternalizedMask |
const uint32_t kShortcutTypeTag = kConsStringTag | kNotInternalizedTag;
static inline bool IsShortcutCandidate(int type) {
return ((type & kShortcutTypeMask) == kShortcutTypeTag);
enum InstanceType {
// String types.
kTwoByteStringTag | kSeqStringTag | kInternalizedTag,
kOneByteStringTag | kSeqStringTag | kInternalizedTag,
kTwoByteStringTag | kExternalStringTag | kInternalizedTag,
kOneByteStringTag | kExternalStringTag | kInternalizedTag,
kShortExternalStringTag |
kShortExternalStringTag | kInternalizedTag,
CONS_STRING_TYPE = kTwoByteStringTag | kConsStringTag | kNotInternalizedTag,
kOneByteStringTag | kConsStringTag | kNotInternalizedTag,
kTwoByteStringTag | kSlicedStringTag | kNotInternalizedTag,
kOneByteStringTag | kSlicedStringTag | kNotInternalizedTag,
// Non-string names
// Objects allocated in their own spaces (never in new space).
// "Data", objects that cannot contain non-map-word pointers to heap
// objects.
// Structs.
// All the following types are subtypes of JSReceiver, which corresponds to
// objects in the JS sense. The first and the last type in this range are
// the two forms of function. This organization enables using the same
// compares for checking the JS_RECEIVER/SPEC_OBJECT range and the
// Pseudo-types
// Boundaries for testing for an external array.
// Boundaries for testing for a fixed typed array.
// Boundary for promotion to old data space/old pointer space.
// Boundary for objects represented as JSReceiver (i.e. JSObject or JSProxy).
// Note that there is no range for JSObject or JSProxy, since their subtypes
// are not continuous in this enum! The enum ranges instead reflect the
// external class names, where proxies are treated as either ordinary objects,
// or functions.
// Boundaries for testing the types represented as JSObject
// Boundaries for testing the types represented as JSProxy
// Boundaries for testing whether the type is a JavaScript object.
// Boundaries for testing the types for which typeof is "object".
// Note that the types for which typeof is "function" are not continuous.
// Define this so that we can put assertions on discrete checks.
const int kExternalArrayTypeCount =
STATIC_ASSERT(JS_OBJECT_TYPE == Internals::kJSObjectType);
STATIC_ASSERT(FIRST_NONSTRING_TYPE == Internals::kFirstNonstringType);
STATIC_ASSERT(ODDBALL_TYPE == Internals::kOddballType);
STATIC_ASSERT(FOREIGN_TYPE == Internals::kForeignType);
enum FixedArraySubInstanceType {
enum CompareResult {
LESS = -1,
EQUAL = 0,
inline bool name() const; \
inline void set_##name(bool value); \
#define DECL_ACCESSORS(name, type) \
inline type* name() const; \
inline void set_##name(type* value, \
WriteBarrierMode mode = UPDATE_WRITE_BARRIER); \
#define DECLARE_CAST(type) \
INLINE(static type* cast(Object* object)); \
INLINE(static const type* cast(const Object* object));
class AccessorPair;
class AllocationSite;
class AllocationSiteCreationContext;
class AllocationSiteUsageContext;
class DictionaryElementsAccessor;
class ElementsAccessor;
class FixedArrayBase;
class GlobalObject;
class LayoutDescriptor;
class LookupIterator;
class ObjectVisitor;
class StringStream;
class TypeFeedbackVector;
class WeakCell;
// We cannot just say "class HeapType;" if it is created from a template... =8-?
template<class> class TypeImpl;
struct HeapTypeConfig;
typedef TypeImpl<HeapTypeConfig> HeapType;
// A template-ized version of the IsXXX functions.
template <class C> inline bool Is(Object* obj);
#define DECLARE_VERIFIER(Name) void Name##Verify();
#define DECLARE_PRINTER(Name) void Name##Print(std::ostream& os); // NOLINT
V(Smi) \
V(HeapObject) \
V(HeapNumber) \
V(MutableHeapNumber) \
V(Name) \
V(UniqueName) \
V(String) \
V(SeqString) \
V(ExternalString) \
V(ConsString) \
V(SlicedString) \
V(ExternalTwoByteString) \
V(ExternalOneByteString) \
V(SeqTwoByteString) \
V(SeqOneByteString) \
V(InternalizedString) \
V(Symbol) \
V(ExternalArray) \
V(ExternalInt8Array) \
V(ExternalUint8Array) \
V(ExternalInt16Array) \
V(ExternalUint16Array) \
V(ExternalInt32Array) \
V(ExternalUint32Array) \
V(ExternalFloat32Array) \
V(ExternalFloat64Array) \
V(ExternalUint8ClampedArray) \
V(FixedTypedArrayBase) \
V(FixedUint8Array) \
V(FixedInt8Array) \
V(FixedUint16Array) \
V(FixedInt16Array) \
V(FixedUint32Array) \
V(FixedInt32Array) \
V(FixedFloat32Array) \
V(FixedFloat64Array) \
V(FixedUint8ClampedArray) \
V(ByteArray) \
V(FreeSpace) \
V(JSReceiver) \
V(JSObject) \
V(JSContextExtensionObject) \
V(JSGeneratorObject) \
V(JSModule) \
V(LayoutDescriptor) \
V(Map) \
V(DescriptorArray) \
V(TransitionArray) \
V(TypeFeedbackVector) \
V(DeoptimizationInputData) \
V(DeoptimizationOutputData) \
V(DependentCode) \
V(FixedArray) \
V(FixedDoubleArray) \
V(ConstantPoolArray) \
V(Context) \
V(ScriptContextTable) \
V(NativeContext) \
V(ScopeInfo) \
V(JSFunction) \
V(Code) \
V(Oddball) \
V(SharedFunctionInfo) \
V(JSValue) \
V(JSDate) \
V(JSMessageObject) \
V(StringWrapper) \
V(Foreign) \
V(Boolean) \
V(JSArray) \
V(JSArrayBuffer) \
V(JSArrayBufferView) \
V(JSTypedArray) \
V(JSDataView) \
V(JSProxy) \
V(JSFunctionProxy) \
V(JSSet) \
V(JSMap) \
V(JSSetIterator) \
V(JSMapIterator) \
V(JSWeakCollection) \
V(JSWeakMap) \
V(JSWeakSet) \
V(JSRegExp) \
V(HashTable) \
V(Dictionary) \
V(StringTable) \
V(JSFunctionResultCache) \
V(NormalizedMapCache) \
V(CompilationCacheTable) \
V(CodeCacheHashTable) \
V(PolymorphicCodeCacheHashTable) \
V(MapCache) \
V(Primitive) \
V(GlobalObject) \
V(JSGlobalObject) \
V(JSBuiltinsObject) \
V(JSGlobalProxy) \
V(UndetectableObject) \
V(AccessCheckNeeded) \
V(Cell) \
V(PropertyCell) \
V(WeakCell) \
V(ObjectHashTable) \
V(WeakHashTable) \
// Object is the abstract superclass for all classes in the
// object hierarchy.
// Object does not use any virtual functions to avoid the
// allocation of the C++ vtable.
// Since both Smi and HeapObject are subclasses of Object no
// data members can be present in Object.
class Object {
// Type testing.
bool IsObject() const { return true; }
#define IS_TYPE_FUNCTION_DECL(type_) INLINE(bool Is##type_() const);
// A non-keyed store is of the form a.x = foo or a["x"] = foo whereas
// a keyed store is of the form a[expression] = foo.
enum StoreFromKeyed {
INLINE(bool IsFixedArrayBase() const);
INLINE(bool IsExternal() const);
INLINE(bool IsAccessorInfo() const);
INLINE(bool IsStruct() const);
INLINE(bool Is##Name() const);
INLINE(bool IsSpecObject()) const;
INLINE(bool IsSpecFunction()) const;
INLINE(bool IsTemplateInfo()) const;
INLINE(bool IsNameDictionary() const);
INLINE(bool IsSeededNumberDictionary() const);
INLINE(bool IsUnseededNumberDictionary() const);
INLINE(bool IsOrderedHashSet() const);
INLINE(bool IsOrderedHashMap() const);
bool IsCallable() const;
// Oddball testing.
INLINE(bool IsUndefined() const);
INLINE(bool IsNull() const);
INLINE(bool IsTheHole() const);
INLINE(bool IsException() const);
INLINE(bool IsUninitialized() const);
INLINE(bool IsTrue() const);
INLINE(bool IsFalse() const);
INLINE(bool IsArgumentsMarker() const);
// Filler objects (fillers and free space objects).
INLINE(bool IsFiller() const);
// Extract the number.
inline double Number();
INLINE(bool IsNaN() const);
INLINE(bool IsMinusZero() const);
bool ToInt32(int32_t* value);
bool ToUint32(uint32_t* value);
inline Representation OptimalRepresentation() {
if (!FLAG_track_fields) return Representation::Tagged();
if (IsSmi()) {
return Representation::Smi();
} else if (FLAG_track_double_fields && IsHeapNumber()) {
return Representation::Double();
} else if (FLAG_track_computed_fields && IsUninitialized()) {
return Representation::None();
} else if (FLAG_track_heap_object_fields) {
return Representation::HeapObject();
} else {
return Representation::Tagged();
inline bool FitsRepresentation(Representation representation) {
if (FLAG_track_fields && representation.IsNone()) {
return false;
} else if (FLAG_track_fields && representation.IsSmi()) {
return IsSmi();
} else if (FLAG_track_double_fields && representation.IsDouble()) {
return IsMutableHeapNumber() || IsNumber();
} else if (FLAG_track_heap_object_fields && representation.IsHeapObject()) {
return IsHeapObject();
return true;
Handle<HeapType> OptimalType(Isolate* isolate, Representation representation);
inline static Handle<Object> NewStorageFor(Isolate* isolate,
Handle<Object> object,
Representation representation);
inline static Handle<Object> WrapForRead(Isolate* isolate,
Handle<Object> object,
Representation representation);
// Returns true if the object is of the correct type to be used as a
// implementation of a JSObject's elements.
inline bool HasValidElements();
inline bool HasSpecificClassOf(String* name);
bool BooleanValue(); // ECMA-262 9.2.
// Convert to a JSObject if needed.
// native_context is used when creating wrapper object.
static inline MaybeHandle<JSReceiver> ToObject(Isolate* isolate,
Handle<Object> object);
static MaybeHandle<JSReceiver> ToObject(Isolate* isolate,
Handle<Object> object,
Handle<Context> context);
// Converts this to a Smi if possible.
static MUST_USE_RESULT inline MaybeHandle<Smi> ToSmi(Isolate* isolate,
Handle<Object> object);
MUST_USE_RESULT static MaybeHandle<Object> GetProperty(LookupIterator* it);
// Implementation of [[Put]], ECMA-262 5th edition, section 8.12.5.
MUST_USE_RESULT static MaybeHandle<Object> SetProperty(
Handle<Object> object, Handle<Name> key, Handle<Object> value,
StrictMode strict_mode,
StoreFromKeyed store_mode = MAY_BE_STORE_FROM_KEYED);
MUST_USE_RESULT static MaybeHandle<Object> SetProperty(
LookupIterator* it, Handle<Object> value, StrictMode strict_mode,
StoreFromKeyed store_mode,
StorePropertyMode data_store_mode = NORMAL_PROPERTY);
MUST_USE_RESULT static MaybeHandle<Object> WriteToReadOnlyProperty(
LookupIterator* it, Handle<Object> value, StrictMode strict_mode);
MUST_USE_RESULT static MaybeHandle<Object> WriteToReadOnlyElement(
Isolate* isolate, Handle<Object> receiver, uint32_t index,
Handle<Object> value, StrictMode strict_mode);
MUST_USE_RESULT static MaybeHandle<Object> SetDataProperty(
LookupIterator* it, Handle<Object> value);
MUST_USE_RESULT static MaybeHandle<Object> AddDataProperty(
LookupIterator* it, Handle<Object> value, PropertyAttributes attributes,
StrictMode strict_mode, StoreFromKeyed store_mode);
MUST_USE_RESULT static inline MaybeHandle<Object> GetPropertyOrElement(
Handle<Object> object,
Handle<Name> key);
MUST_USE_RESULT static inline MaybeHandle<Object> GetProperty(
Isolate* isolate,
Handle<Object> object,
const char* key);
MUST_USE_RESULT static inline MaybeHandle<Object> GetProperty(
Handle<Object> object,
Handle<Name> key);
MUST_USE_RESULT static MaybeHandle<Object> GetPropertyWithAccessor(
Handle<Object> receiver,
Handle<Name> name,
Handle<JSObject> holder,
Handle<Object> structure);
MUST_USE_RESULT static MaybeHandle<Object> SetPropertyWithAccessor(
Handle<Object> receiver, Handle<Name> name, Handle<Object> value,
Handle<JSObject> holder, Handle<Object> structure,
StrictMode strict_mode);
MUST_USE_RESULT static MaybeHandle<Object> GetPropertyWithDefinedGetter(
Handle<Object> receiver,
Handle<JSReceiver> getter);
MUST_USE_RESULT static MaybeHandle<Object> SetPropertyWithDefinedSetter(
Handle<Object> receiver,
Handle<JSReceiver> setter,
Handle<Object> value);
MUST_USE_RESULT static inline MaybeHandle<Object> GetElement(
Isolate* isolate,
Handle<Object> object,
uint32_t index);
MUST_USE_RESULT static MaybeHandle<Object> GetElementWithReceiver(
Isolate* isolate,
Handle<Object> object,
Handle<Object> receiver,
uint32_t index);
MUST_USE_RESULT static MaybeHandle<Object> SetElementWithReceiver(
Isolate* isolate, Handle<Object> object, Handle<Object> receiver,
uint32_t index, Handle<Object> value, StrictMode strict_mode);
static inline Handle<Object> GetPrototypeSkipHiddenPrototypes(
Isolate* isolate, Handle<Object> receiver);
// Returns the permanent hash code associated with this object. May return
// undefined if not yet created.
Object* GetHash();
// Returns the permanent hash code associated with this object depending on
// the actual object type. May create and store a hash code if needed and none
// exists.
static Handle<Smi> GetOrCreateHash(Isolate* isolate, Handle<Object> object);
// Checks whether this object has the same value as the given one. This
// function is implemented according to ES5, section 9.12 and can be used
// to implement the Harmony "egal" function.
bool SameValue(Object* other);
// Checks whether this object has the same value as the given one.
// +0 and -0 are treated equal. Everything else is the same as SameValue.
// This function is implemented according to ES6, section 7.2.4 and is used
// by ES6 Map and Set.
bool SameValueZero(Object* other);
// Tries to convert an object to an array index. Returns true and sets
// the output parameter if it succeeds.
inline bool ToArrayIndex(uint32_t* index);
// Returns true if this is a JSValue containing a string and the index is
// < the length of the string. Used to implement [] on strings.
inline bool IsStringObjectWithCharacterAt(uint32_t index);
// Verify a pointer is a valid object pointer.
static void VerifyPointer(Object* p);
inline void VerifyApiCallResultType();
// Prints this object without details.
void ShortPrint(FILE* out = stdout);
// Prints this object without details to a message accumulator.
void ShortPrint(StringStream* accumulator);
// Layout description.
static const int kHeaderSize = 0; // Object does not take up any space.
// For our gdb macros, we should perhaps change these in the future.
void Print();
// Prints this object with details.
void Print(std::ostream& os); // NOLINT
friend class LookupIterator;
friend class PrototypeIterator;
// Return the map of the root of object's prototype chain.
Map* GetRootMap(Isolate* isolate);
struct Brief {
explicit Brief(const Object* const v) : value(v) {}
const Object* value;
std::ostream& operator<<(std::ostream& os, const Brief& v);
// Smi represents integer Numbers that can be stored in 31 bits.
// Smis are immediate which means they are NOT allocated in the heap.
// The this pointer has the following format: [31 bit signed int] 0
// For long smis it has the following format:
// [32 bit signed int] [31 bits zero padding] 0
// Smi stands for small integer.
class Smi: public Object {
// Returns the integer value.
inline int value() const;
// Convert a value to a Smi object.
static inline Smi* FromInt(int value);
static inline Smi* FromIntptr(intptr_t value);
// Returns whether value can be represented in a Smi.
static inline bool IsValid(intptr_t value);
// Dispatched behavior.
void SmiPrint(std::ostream& os) const; // NOLINT
static const int kMinValue =
(static_cast<unsigned int>(-1)) << (kSmiValueSize - 1);
static const int kMaxValue = -(kMinValue + 1);
// Heap objects typically have a map pointer in their first word. However,
// during GC other data (e.g. mark bits, forwarding addresses) is sometimes
// encoded in the first word. The class MapWord is an abstraction of the
// value in a heap object's first word.
class MapWord BASE_EMBEDDED {
// Normal state: the map word contains a map pointer.
// Create a map word from a map pointer.
static inline MapWord FromMap(const Map* map);
// View this map word as a map pointer.
inline Map* ToMap();
// Scavenge collection: the map word of live objects in the from space
// contains a forwarding address (a heap object pointer in the to space).
// True if this map word is a forwarding address for a scavenge
// collection. Only valid during a scavenge collection (specifically,
// when all map words are heap object pointers, i.e. not during a full GC).
inline bool IsForwardingAddress();
// Create a map word from a forwarding address.
static inline MapWord FromForwardingAddress(HeapObject* object);
// View this map word as a forwarding address.
inline HeapObject* ToForwardingAddress();
static inline MapWord FromRawValue(uintptr_t value) {
return MapWord(value);
inline uintptr_t ToRawValue() {
return value_;
// HeapObject calls the private constructor and directly reads the value.
friend class HeapObject;
explicit MapWord(uintptr_t value) : value_(value) {}
uintptr_t value_;
// HeapObject is the superclass for all classes describing heap allocated
// objects.
class HeapObject: public Object {
// [map]: Contains a map which contains the object's reflective
// information.
inline Map* map() const;
inline void set_map(Map* value);
// The no-write-barrier version. This is OK if the object is white and in
// new space, or if the value is an immortal immutable object, like the maps
// of primitive (non-JS) objects like strings, heap numbers etc.
inline void set_map_no_write_barrier(Map* value);
// Get the map using acquire load.
inline Map* synchronized_map();
inline MapWord synchronized_map_word() const;
// Set the map using release store
inline void synchronized_set_map(Map* value);
inline void synchronized_set_map_no_write_barrier(Map* value);
inline void synchronized_set_map_word(MapWord map_word);
// During garbage collection, the map word of a heap object does not
// necessarily contain a map pointer.
inline MapWord map_word() const;
inline void set_map_word(MapWord map_word);
// The Heap the object was allocated in. Used also to access Isolate.
inline Heap* GetHeap() const;
// Convenience method to get current isolate.
inline Isolate* GetIsolate() const;
// Converts an address to a HeapObject pointer.
static inline HeapObject* FromAddress(Address address);
// Returns the address of this HeapObject.
inline Address address();
// Iterates over pointers contained in the object (including the Map)
void Iterate(ObjectVisitor* v);
// Iterates over all pointers contained in the object except the
// first map pointer. The object type is given in the first
// parameter. This function does not access the map pointer in the
// object, and so is safe to call while the map pointer is modified.
void IterateBody(InstanceType type, int object_size, ObjectVisitor* v);
// Returns the heap object's size in bytes
inline int Size();
// Returns true if this heap object may contain raw values, i.e., values that
// look like pointers to heap objects.
inline bool MayContainRawValues();
// Given a heap object's map pointer, returns the heap size in bytes
// Useful when the map pointer field is used for other purposes.
// GC internal.
inline int SizeFromMap(Map* map);
// Returns the field at offset in obj, as a read/write Object* reference.
// Does no checking, and is safe to use during GC, while maps are invalid.
// Does not invoke write barrier, so should only be assigned to
// during marking GC.
static inline Object** RawField(HeapObject* obj, int offset);
// Adds the |code| object related to |name| to the code cache of this map. If
// this map is a dictionary map that is shared, the map copied and installed
// onto the object.
static void UpdateMapCodeCache(Handle<HeapObject> object,
Handle<Name> name,
Handle<Code> code);
// Return the write barrier mode for this. Callers of this function
// must be able to present a reference to an DisallowHeapAllocation
// object as a sign that they are not going to use this function
// from code that allocates and thus invalidates the returned write
// barrier mode.
inline WriteBarrierMode GetWriteBarrierMode(
const DisallowHeapAllocation& promise);
// Dispatched behavior.
void HeapObjectShortPrint(std::ostream& os); // NOLINT
void PrintHeader(std::ostream& os, const char* id); // NOLINT
inline void VerifyObjectField(int offset);
inline void VerifySmiField(int offset);
// Verify a pointer is a valid HeapObject pointer that points to object
// areas in the heap.
static void VerifyHeapPointer(Object* p);
// Layout description.
// First field in a heap object is map.
static const int kMapOffset = Object::kHeaderSize;
static const int kHeaderSize = kMapOffset + kPointerSize;
STATIC_ASSERT(kMapOffset == Internals::kHeapObjectMapOffset);
// helpers for calling an ObjectVisitor to iterate over pointers in the
// half-open range [start, end) specified as integer offsets
inline void IteratePointers(ObjectVisitor* v, int start, int end);
// as above, for the single element at "offset"
inline void IteratePointer(ObjectVisitor* v, int offset);
// as above, for the next code link of a code object.
inline void IterateNextCodeLink(ObjectVisitor* v, int offset);
// This class describes a body of an object of a fixed size
// in which all pointer fields are located in the [start_offset, end_offset)
// interval.
template<int start_offset, int end_offset, int size>
class FixedBodyDescriptor {
static const int kStartOffset = start_offset;
static const int kEndOffset = end_offset;
static const int kSize = size;
static inline void IterateBody(HeapObject* obj, ObjectVisitor* v);
template<typename StaticVisitor>
static inline void IterateBody(HeapObject* obj) {
StaticVisitor::VisitPointers(HeapObject::RawField(obj, start_offset),
HeapObject::RawField(obj, end_offset));
// This class describes a body of an object of a variable size
// in which all pointer fields are located in the [start_offset, object_size)
// interval.
template<int start_offset>
class FlexibleBodyDescriptor {
static const int kStartOffset = start_offset;
static inline void IterateBody(HeapObject* obj,
int object_size,
ObjectVisitor* v);
template<typename StaticVisitor>
static inline void IterateBody(HeapObject* obj, int object_size) {
StaticVisitor::VisitPointers(HeapObject::RawField(obj, start_offset),
HeapObject::RawField(obj, object_size));
// The HeapNumber class describes heap allocated numbers that cannot be
// represented in a Smi (small integer)
class HeapNumber: public HeapObject {
// [value]: number value.
inline double value() const;
inline void set_value(double value);
// Dispatched behavior.
bool HeapNumberBooleanValue();
void HeapNumberPrint(std::ostream& os); // NOLINT
inline int get_exponent();
inline int get_sign();
// Layout description.
static const int kValueOffset = HeapObject::kHeaderSize;
// IEEE doubles are two 32 bit words. The first is just mantissa, the second
// is a mixture of sign, exponent and mantissa. The offsets of two 32 bit
// words within double numbers are endian dependent and they are set
// accordingly.
static const int kMantissaOffset = kValueOffset;
static const int kExponentOffset = kValueOffset + 4;
#elif defined(V8_TARGET_BIG_ENDIAN)
static const int kMantissaOffset = kValueOffset + 4;
static const int kExponentOffset = kValueOffset;
#error Unknown byte ordering
static const int kSize = kValueOffset + kDoubleSize;
static const uint32_t kSignMask = 0x80000000u;
static const uint32_t kExponentMask = 0x7ff00000u;
static const uint32_t kMantissaMask = 0xfffffu;
static const int kMantissaBits = 52;
static const int kExponentBits = 11;
static const int kExponentBias = 1023;
static const int kExponentShift = 20;
static const int kInfinityOrNanExponent =
(kExponentMask >> kExponentShift) - kExponentBias;
static const int kMantissaBitsInTopWord = 20;
static const int kNonMantissaBitsInTopWord = 12;
enum EnsureElementsMode {
// Indicates whether a property should be set or (re)defined. Setting of a
// property causes attributes to remain unchanged, writability to be checked
// and callbacks to be called. Defining of a property causes attributes to
// be updated and callbacks to be overridden.
enum SetPropertyMode {
// Indicator for one component of an AccessorPair.
enum AccessorComponent {
// JSReceiver includes types on which properties can be defined, i.e.,
// JSObject and JSProxy.
class JSReceiver: public HeapObject {
enum DeleteMode {
MUST_USE_RESULT static MaybeHandle<Object> SetElement(
Handle<JSReceiver> object,
uint32_t index,
Handle<Object> value,
PropertyAttributes attributes,
StrictMode strict_mode);
// Implementation of [[HasProperty]], ECMA-262 5th edition, section 8.12.6.
MUST_USE_RESULT static inline Maybe<bool> HasProperty(
Handle<JSReceiver> object, Handle<Name> name);
MUST_USE_RESULT static inline Maybe<bool> HasOwnProperty(Handle<JSReceiver>,
Handle<Name> name);
MUST_USE_RESULT static inline Maybe<bool> HasElement(
Handle<JSReceiver> object, uint32_t index);
MUST_USE_RESULT static inline Maybe<bool> HasOwnElement(
Handle<JSReceiver> object, uint32_t index);
// Implementation of [[Delete]], ECMA-262 5th edition, section 8.12.7.
MUST_USE_RESULT static MaybeHandle<Object> DeleteProperty(
Handle<JSReceiver> object,
Handle<Name> name,
DeleteMode mode = NORMAL_DELETION);
MUST_USE_RESULT static MaybeHandle<Object> DeleteElement(
Handle<JSReceiver> object,
uint32_t index,
DeleteMode mode = NORMAL_DELETION);
// Tests for the fast common case for property enumeration.
bool IsSimpleEnum();
// Returns the class name ([[Class]] property in the specification).
String* class_name();
// Returns the constructor name (the name (possibly, inferred name) of the
// function that was used to instantiate the object).
String* constructor_name();
MUST_USE_RESULT static inline Maybe<PropertyAttributes> GetPropertyAttributes(
Handle<JSReceiver> object, Handle<Name> name);
MUST_USE_RESULT static Maybe<PropertyAttributes> GetPropertyAttributes(
LookupIterator* it);
MUST_USE_RESULT static Maybe<PropertyAttributes> GetOwnPropertyAttributes(
Handle<JSReceiver> object, Handle<Name> name);
MUST_USE_RESULT static inline Maybe<PropertyAttributes> GetElementAttribute(
Handle<JSReceiver> object, uint32_t index);
MUST_USE_RESULT static inline Maybe<PropertyAttributes>
GetOwnElementAttribute(Handle<JSReceiver> object, uint32_t index);
// Retrieves a permanent object identity hash code. The undefined value might
// be returned in case no hash was created yet.
inline Object* GetIdentityHash();
// Retrieves a permanent object identity hash code. May create and store a
// hash code if needed and none exists.
inline static Handle<Smi> GetOrCreateIdentityHash(
Handle<JSReceiver> object);
enum KeyCollectionType { OWN_ONLY, INCLUDE_PROTOS };
// Computes the enumerable keys for a JSObject. Used for implementing
// "for (n in object) { }".
MUST_USE_RESULT static MaybeHandle<FixedArray> GetKeys(
Handle<JSReceiver> object,
KeyCollectionType type);
// Forward declaration for JSObject::GetOrCreateHiddenPropertiesHashTable.
class ObjectHashTable;
// Forward declaration for JSObject::Copy.
class AllocationSite;
// The JSObject describes real heap allocated JavaScript objects with
// properties.
// Note that the map of JSObject changes during execution to enable inline
// caching.
class JSObject: public JSReceiver {
// [properties]: Backing storage for properties.
// properties is a FixedArray in the fast case and a Dictionary in the
// slow case.
DECL_ACCESSORS(properties, FixedArray) // Get and set fast properties.
inline void initialize_properties();
inline bool HasFastProperties();
inline NameDictionary* property_dictionary(); // Gets slow properties.
// [elements]: The elements (properties with names that are integers).
// Elements can be in two general modes: fast and slow. Each mode
// corrensponds to a set of object representations of elements that
// have something in common.
// In the fast mode elements is a FixedArray and so each element can
// be quickly accessed. This fact is used in the generated code. The
// elements array can have one of three maps in this mode:
// fixed_array_map, sloppy_arguments_elements_map or
// fixed_cow_array_map (for copy-on-write arrays). In the latter case
// the elements array may be shared by a few objects and so before
// writing to any element the array must be copied. Use
// EnsureWritableFastElements in this case.
// In the slow mode the elements is either a NumberDictionary, an
// ExternalArray, or a FixedArray parameter map for a (sloppy)
// arguments object.
DECL_ACCESSORS(elements, FixedArrayBase)
inline void initialize_elements();
static void ResetElements(Handle<JSObject> object);
static inline void SetMapAndElements(Handle<JSObject> object,
Handle<Map> map,
Handle<FixedArrayBase> elements);
inline ElementsKind GetElementsKind();
inline ElementsAccessor* GetElementsAccessor();
// Returns true if an object has elements of FAST_SMI_ELEMENTS ElementsKind.
inline bool HasFastSmiElements();
// Returns true if an object has elements of FAST_ELEMENTS ElementsKind.
inline bool HasFastObjectElements();
// Returns true if an object has elements of FAST_ELEMENTS or
inline bool HasFastSmiOrObjectElements();
// Returns true if an object has any of the fast elements kinds.
inline bool HasFastElements();
// Returns true if an object has elements of FAST_DOUBLE_ELEMENTS
// ElementsKind.
inline bool HasFastDoubleElements();
// Returns true if an object has elements of FAST_HOLEY_*_ELEMENTS
// ElementsKind.
inline bool HasFastHoleyElements();
inline bool HasSloppyArgumentsElements();
inline bool HasDictionaryElements();
inline bool HasExternalUint8ClampedElements();
inline bool HasExternalArrayElements();
inline bool HasExternalInt8Elements();
inline bool HasExternalUint8Elements();
inline bool HasExternalInt16Elements();
inline bool HasExternalUint16Elements();
inline bool HasExternalInt32Elements();
inline bool HasExternalUint32Elements();
inline bool HasExternalFloat32Elements();
inline bool HasExternalFloat64Elements();
inline bool HasFixedTypedArrayElements();
inline bool HasFixedUint8ClampedElements();
inline bool HasFixedArrayElements();
inline bool HasFixedInt8Elements();
inline bool HasFixedUint8Elements();
inline bool HasFixedInt16Elements();
inline bool HasFixedUint16Elements();
inline bool HasFixedInt32Elements();
inline bool HasFixedUint32Elements();
inline bool HasFixedFloat32Elements();
inline bool HasFixedFloat64Elements();
bool HasFastArgumentsElements();
bool HasDictionaryArgumentsElements();
inline SeededNumberDictionary* element_dictionary(); // Gets slow elements.
// Requires: HasFastElements().
static Handle<FixedArray> EnsureWritableFastElements(
Handle<JSObject> object);
// Collects elements starting at index 0.
// Undefined values are placed after non-undefined values.
// Returns the number of non-undefined values.
static Handle<Object> PrepareElementsForSort(Handle<JSObject> object,
uint32_t limit);
// As PrepareElementsForSort, but only on objects where elements is
// a dictionary, and it will stay a dictionary. Collates undefined and
// unexisting elements below limit from position zero of the elements.
static Handle<Object> PrepareSlowElementsForSort(Handle<JSObject> object,
uint32_t limit);
MUST_USE_RESULT static MaybeHandle<Object> SetPropertyWithInterceptor(
LookupIterator* it, Handle<Object> value);
// SetLocalPropertyIgnoreAttributes converts callbacks to fields. We need to
// grant an exemption to ExecutableAccessor callbacks in some cases.
enum ExecutableAccessorInfoHandling {
MUST_USE_RESULT static MaybeHandle<Object> SetOwnPropertyIgnoreAttributes(
Handle<JSObject> object,
Handle<Name> key,
Handle<Object> value,
PropertyAttributes attributes,
ExecutableAccessorInfoHandling handling = DEFAULT_HANDLING);
static void AddProperty(Handle<JSObject> object, Handle<Name> key,
Handle<Object> value, PropertyAttributes attributes);
// Extend the receiver with a single fast property appeared first in the
// passed map. This also extends the property backing store if necessary.
static void AllocateStorageForMap(Handle<JSObject> object, Handle<Map> map);
// Migrates the given object to a map whose field representations are the
// lowest upper bound of all known representations for that field.
static void MigrateInstance(Handle<JSObject> instance);
// Migrates the given object only if the target map is already available,
// or returns false if such a map is not yet available.
static bool TryMigrateInstance(Handle<JSObject> instance);
// Sets the property value in a normalized object given (key, value, details).
// Handles the special representation of JS global objects.
static void SetNormalizedProperty(Handle<JSObject> object,
Handle<Name> key,
Handle<Object> value,
PropertyDetails details);
static void OptimizeAsPrototype(Handle<JSObject> object,
PrototypeOptimizationMode mode);
static void ReoptimizeIfPrototype(Handle<JSObject> object);
// Retrieve interceptors.
InterceptorInfo* GetNamedInterceptor();
InterceptorInfo* GetIndexedInterceptor();
// Used from JSReceiver.
MUST_USE_RESULT static Maybe<PropertyAttributes>
GetPropertyAttributesWithInterceptor(Handle<JSObject> holder,
Handle<Object> receiver,
Handle<Name> name);
MUST_USE_RESULT static Maybe<PropertyAttributes>
GetPropertyAttributesWithFailedAccessCheck(LookupIterator* it);
MUST_USE_RESULT static Maybe<PropertyAttributes>
GetElementAttributeWithReceiver(Handle<JSObject> object,
Handle<JSReceiver> receiver,
uint32_t index, bool check_prototype);
// Retrieves an AccessorPair property from the given object. Might return
// undefined if the property doesn't exist or is of a different kind.
MUST_USE_RESULT static MaybeHandle<Object> GetAccessor(
Handle<JSObject> object,
Handle<Name> name,
AccessorComponent component);
// Defines an AccessorPair property on the given object.
// TODO(mstarzinger): Rename to SetAccessor().
static MaybeHandle<Object> DefineAccessor(Handle<JSObject> object,
Handle<Name> name,
Handle<Object> getter,
Handle<Object> setter,
PropertyAttributes attributes);
// Defines an AccessorInfo property on the given object.
MUST_USE_RESULT static MaybeHandle<Object> SetAccessor(
Handle<JSObject> object,
Handle<AccessorInfo> info);
MUST_USE_RESULT static MaybeHandle<Object> GetPropertyWithInterceptor(
Handle<JSObject> object,
Handle<Object> receiver,
Handle<Name> name);
// Accessors for hidden properties object.
// Hidden properties are not own properties of the object itself.
// Instead they are stored in an auxiliary structure kept as an own
// property with a special name Heap::hidden_string(). But if the
// receiver is a JSGlobalProxy then the auxiliary object is a property
// of its prototype, and if it's a detached proxy, then you can't have
// hidden properties.
// Sets a hidden property on this object. Returns this object if successful,
// undefined if called on a detached proxy.
static Handle<Object> SetHiddenProperty(Handle<JSObject> object,
Handle<Name> key,
Handle<Object> value);
// Gets the value of a hidden property with the given key. Returns the hole
// if the property doesn't exist (or if called on a detached proxy),
// otherwise returns the value set for the key.
Object* GetHiddenProperty(Handle<Name> key);
// Deletes a hidden property. Deleting a non-existing property is
// considered successful.
static void DeleteHiddenProperty(Handle<JSObject> object,
Handle<Name> key);
// Returns true if the object has a property with the hidden string as name.
static bool HasHiddenProperties(Handle<JSObject> object);
static void SetIdentityHash(Handle<JSObject> object, Handle<Smi> hash);
static inline void ValidateElements(Handle<JSObject> object);
// Makes sure that this object can contain HeapObject as elements.
static inline void EnsureCanContainHeapObjectElements(Handle<JSObject> obj);
// Makes sure that this object can contain the specified elements.
static inline void EnsureCanContainElements(
Handle<JSObject> object,
Object** elements,
uint32_t count,
EnsureElementsMode mode);
static inline void EnsureCanContainElements(
Handle<JSObject> object,
Handle<FixedArrayBase> elements,
uint32_t length,
EnsureElementsMode mode);
static void EnsureCanContainElements(
Handle<JSObject> object,
Arguments* arguments,
uint32_t first_arg,
uint32_t arg_count,
EnsureElementsMode mode);
// Would we convert a fast elements array to dictionary mode given
// an access at key?
bool WouldConvertToSlowElements(Handle<Object> key);
// Do we want to keep the elements in fast case when increasing the
// capacity?
bool ShouldConvertToSlowElements(int new_capacity);
// Returns true if the backing storage for the slow-case elements of
// this object takes up nearly as much space as a fast-case backing
// storage would. In that case the JSObject should have fast
// elements.
bool ShouldConvertToFastElements();
// Returns true if the elements of JSObject contains only values that can be
// represented in a FixedDoubleArray and has at least one value that can only
// be represented as a double and not a Smi.
bool ShouldConvertToFastDoubleElements(bool* has_smi_only_elements);
// Computes the new capacity when expanding the elements of a JSObject.
static int NewElementsCapacity(int old_capacity) {
// (old_capacity + 50%) + 16
return old_capacity + (old_capacity >> 1) + 16;
// These methods do not perform access checks!
MUST_USE_RESULT static MaybeHandle<AccessorPair> GetOwnElementAccessorPair(
Handle<JSObject> object, uint32_t index);
MUST_USE_RESULT static MaybeHandle<Object> SetFastElement(
Handle<JSObject> object,
uint32_t index,
Handle<Object> value,
StrictMode strict_mode,
bool check_prototype);
MUST_USE_RESULT static MaybeHandle<Object> SetOwnElement(
Handle<JSObject> object,
uint32_t index,
Handle<Object> value,
StrictMode strict_mode);
// Empty handle is returned if the element cannot be set to the given value.
MUST_USE_RESULT static MaybeHandle<Object> SetElement(
Handle<JSObject> object,
uint32_t index,
Handle<Object> value,
PropertyAttributes attributes,
StrictMode strict_mode,
bool check_prototype = true,
SetPropertyMode set_mode = SET_PROPERTY);
// Returns the index'th element.
// The undefined object if index is out of bounds.
MUST_USE_RESULT static MaybeHandle<Object> GetElementWithInterceptor(
Handle<JSObject> object,
Handle<Object> receiver,
uint32_t index);
enum SetFastElementsCapacitySmiMode {
// Replace the elements' backing store with fast elements of the given
// capacity. Update the length for JSArrays. Returns the new backing
// store.
static Handle<FixedArray> SetFastElementsCapacityAndLength(
Handle<JSObject> object,
int capacity,
int length,
SetFastElementsCapacitySmiMode smi_mode);
static void SetFastDoubleElementsCapacityAndLength(
Handle<JSObject> object,
int capacity,
int length);
// Lookup interceptors are used for handling properties controlled by host
// objects.
inline bool HasNamedInterceptor();
inline bool HasIndexedInterceptor();
// Computes the enumerable keys from interceptors. Used for debug mirrors and
// by JSReceiver::GetKeys.
MUST_USE_RESULT static MaybeHandle<JSObject> GetKeysForNamedInterceptor(
Handle<JSObject> object,
Handle<JSReceiver> receiver);
MUST_USE_RESULT static MaybeHandle<JSObject> GetKeysForIndexedInterceptor(
Handle<JSObject> object,
Handle<JSReceiver> receiver);
// Support functions for v8 api (needed for correct interceptor behavior).
MUST_USE_RESULT static Maybe<bool> HasRealNamedProperty(
Handle<JSObject> object, Handle<Name> key);
MUST_USE_RESULT static Maybe<bool> HasRealElementProperty(
Handle<JSObject> object, uint32_t index);
MUST_USE_RESULT static Maybe<bool> HasRealNamedCallbackProperty(
Handle<JSObject> object, Handle<Name> key);
// Get the header size for a JSObject. Used to compute the index of
// internal fields as well as the number of internal fields.
inline int GetHeaderSize();
inline int GetInternalFieldCount();
inline int GetInternalFieldOffset(int index);
inline Object* GetInternalField(int index);
inline void SetInternalField(int index, Object* value);
inline void SetInternalField(int index, Smi* value);
// Returns the number of properties on this object filtering out properties
// with the specified attributes (ignoring interceptors).
int NumberOfOwnProperties(PropertyAttributes filter = NONE);
// Fill in details for properties into storage starting at the specified
// index.
void GetOwnPropertyNames(
FixedArray* storage, int index, PropertyAttributes filter = NONE);
// Returns the number of properties on this object filtering out properties
// with the specified attributes (ignoring interceptors).
int NumberOfOwnElements(PropertyAttributes filter);
// Returns the number of enumerable elements (ignoring interceptors).
int NumberOfEnumElements();
// Returns the number of elements on this object filtering out elements
// with the specified attributes (ignoring interceptors).
int GetOwnElementKeys(FixedArray* storage, PropertyAttributes filter);
// Count and fill in the enumerable elements into storage.
// (storage->length() == NumberOfEnumElements()).
// If storage is NULL, will count the elements without adding
// them to any storage.
// Returns the number of enumerable elements.
int GetEnumElementKeys(FixedArray* storage);
// Returns a new map with all transitions dropped from the object's current
// map and the ElementsKind set.
static Handle<Map> GetElementsTransitionMap(Handle<JSObject> object,
ElementsKind to_kind);
static void TransitionElementsKind(Handle<JSObject> object,
ElementsKind to_kind);
static void MigrateToMap(Handle<JSObject> object, Handle<Map> new_map);
// Convert the object to use the canonical dictionary
// representation. If the object is expected to have additional properties
// added this number can be indicated to have the backing store allocated to
// an initial capacity for holding these properties.
static void NormalizeProperties(Handle<JSObject> object,
PropertyNormalizationMode mode,
int expected_additional_properties,
const char* reason);
// Convert and update the elements backing store to be a
// SeededNumberDictionary dictionary. Returns the backing after conversion.
static Handle<SeededNumberDictionary> NormalizeElements(
Handle<JSObject> object);
// Transform slow named properties to fast variants.
static void MigrateSlowToFast(Handle<JSObject> object,
int unused_property_fields, const char* reason);
inline bool IsUnboxedDoubleField(FieldIndex index);
// Access fast-case object properties at index.
static Handle<Object> FastPropertyAt(Handle<JSObject> object,
Representation representation,
FieldIndex index);
inline Object* RawFastPropertyAt(FieldIndex index);
inline double RawFastDoublePropertyAt(FieldIndex index);
inline void FastPropertyAtPut(FieldIndex index, Object* value);
inline void RawFastPropertyAtPut(FieldIndex index, Object* value);
inline void RawFastDoublePropertyAtPut(FieldIndex index, double value);
void WriteToField(int descriptor, Object* value);
// Access to in object properties.
inline int GetInObjectPropertyOffset(int index);
inline Object* InObjectPropertyAt(int index);
inline Object* InObjectPropertyAtPut(int index,
Object* value,
WriteBarrierMode mode
// Set the object's prototype (only JSReceiver and null are allowed values).
MUST_USE_RESULT static MaybeHandle<Object> SetPrototype(
Handle<JSObject> object, Handle<Object> value, bool from_javascript);
// Initializes the body after properties slot, properties slot is
// initialized by set_properties. Fill the pre-allocated fields with
// pre_allocated_value and the rest with filler_value.
// Note: this call does not update write barrier, the caller is responsible
// to ensure that |filler_value| can be collected without WB here.
inline void InitializeBody(Map* map,
Object* pre_allocated_value,
Object* filler_value);
// Check whether this object references another object
bool ReferencesObject(Object* obj);
// Disalow further properties to be added to the object.
MUST_USE_RESULT static MaybeHandle<Object> PreventExtensions(
Handle<JSObject> object);
// ES5 Object.freeze
MUST_USE_RESULT static MaybeHandle<Object> Freeze(Handle<JSObject> object);
// Called the first time an object is observed with ES7 Object.observe.
static void SetObserved(Handle<JSObject> object);
// Copy object.
enum DeepCopyHints { kNoHints = 0, kObjectIsShallow = 1 };
static Handle<JSObject> Copy(Handle<JSObject> object);
MUST_USE_RESULT static MaybeHandle<JSObject> DeepCopy(
Handle<JSObject> object,
AllocationSiteUsageContext* site_context,
DeepCopyHints hints = kNoHints);
MUST_USE_RESULT static MaybeHandle<JSObject> DeepWalk(
Handle<JSObject> object,
AllocationSiteCreationContext* site_context);
static Handle<Object> GetDataProperty(Handle<JSObject> object,
Handle<Name> key);
static Handle<Object> GetDataProperty(LookupIterator* it);
// Dispatched behavior.
void JSObjectShortPrint(StringStream* accumulator);
void PrintProperties(std::ostream& os); // NOLINT
void PrintElements(std::ostream& os); // NOLINT
void PrintTransitions(std::ostream& os); // NOLINT
static void PrintElementsTransition(
FILE* file, Handle<JSObject> object,
ElementsKind from_kind, Handle<FixedArrayBase> from_elements,
ElementsKind to_kind, Handle<FixedArrayBase> to_elements);
void PrintInstanceMigration(FILE* file, Map* original_map, Map* new_map);
#ifdef DEBUG
// Structure for collecting spill information about JSObjects.
class SpillInformation {
void Clear();
void Print();
int number_of_objects_;
int number_of_objects_with_fast_properties_;
int number_of_objects_with_fast_elements_;
int number_of_fast_used_fields_;
int number_of_fast_unused_fields_;
int number_of_slow_used_properties_;
int number_of_slow_unused_properties_;
int number_of_fast_used_elements_;
int number_of_fast_unused_elements_;
int number_of_slow_used_elements_;
int number_of_slow_unused_elements_;
void IncrementSpillStatistics(SpillInformation* info);
// If a GC was caused while constructing this object, the elements pointer
// may point to a one pointer filler map. The object won't be rooted, but
// our heap verification code could stumble across it.
bool ElementsAreSafeToExamine();
Object* SlowReverseLookup(Object* value);
// Maximal number of elements (numbered 0 .. kMaxElementCount - 1).
// Also maximal value of JSArray's length property.
static const uint32_t kMaxElementCount = 0xffffffffu;
// Constants for heuristics controlling conversion of fast elements
// to slow elements.
// Maximal gap that can be introduced by adding an element beyond
// the current elements length.
static const uint32_t kMaxGap = 1024;
// Maximal length of fast elements array that won't be checked for
// being dense enough on expansion.
static const int kMaxUncheckedFastElementsLength = 5000;
// Same as above but for old arrays. This limit is more strict. We
// don't want to be wasteful with long lived objects.
static const int kMaxUncheckedOldFastElementsLength = 500;
// Note that Page::kMaxRegularHeapObjectSize puts a limit on
// permissible values (see the DCHECK in
static const int kInitialMaxFastElementArray = 100000;
// This constant applies only to the initial map of "$Object" aka
// "global.Object" and not to arbitrary other JSObject maps.
static const int kInitialGlobalObjectUnusedPropertiesCount = 4;
static const int kMaxInstanceSize = 255 * kPointerSize;
// When extending the backing storage for property values, we increase
// its size by more than the 1 entry necessary, so sequentially adding fields
// to the same object requires fewer allocations and copies.
static const int kFieldsAdded = 3;
// Layout description.
static const int kPropertiesOffset = HeapObject::kHeaderSize;
static const int kElementsOffset = kPropertiesOffset + kPointerSize;
static const int kHeaderSize = kElementsOffset + kPointerSize;
STATIC_ASSERT(kHeaderSize == Internals::kJSObjectHeaderSize);
class BodyDescriptor : public FlexibleBodyDescriptor<kPropertiesOffset> {
static inline int SizeOf(Map* map, HeapObject* object);
Context* GetCreationContext();
// Enqueue change record for Object.observe. May cause GC.
MUST_USE_RESULT static MaybeHandle<Object> EnqueueChangeRecord(
Handle<JSObject> object, const char* type, Handle<Name> name,
Handle<Object> old_value);
friend class DictionaryElementsAccessor;
friend class JSReceiver;
friend class Object;
static void MigrateFastToFast(Handle<JSObject> object, Handle<Map> new_map);
static void MigrateFastToSlow(Handle<JSObject> object,
Handle<Map> new_map,
int expected_additional_properties);
static void UpdateAllocationSite(Handle<JSObject> object,
ElementsKind to_kind);
// Used from Object::GetProperty().
MUST_USE_RESULT static MaybeHandle<Object> GetPropertyWithFailedAccessCheck(
LookupIterator* it);
MUST_USE_RESULT static MaybeHandle<Object> GetElementWithCallback(
Handle<JSObject> object,
Handle<Object> receiver,
Handle<Object> structure,
uint32_t index,
Handle<Object> holder);
MUST_USE_RESULT static Maybe<PropertyAttributes>
GetElementAttributeWithInterceptor(Handle<JSObject> object,
Handle<JSReceiver> receiver,
uint32_t index, bool continue_search);
// Queries indexed interceptor on an object for property attributes.
// We determine property attributes as follows:
// - if interceptor has a query callback, then the property attributes are
// the result of query callback for index.
// - otherwise if interceptor has a getter callback and it returns
// non-empty value on index, then the property attributes is NONE
// (property is present, and it is enumerable, configurable, writable)
// - otherwise there are no property attributes that can be inferred for
// interceptor, and this function returns ABSENT.
MUST_USE_RESULT static Maybe<PropertyAttributes>
GetElementAttributeFromInterceptor(Handle<JSObject> object,
Handle<Object> receiver,
uint32_t index);
MUST_USE_RESULT static Maybe<PropertyAttributes>
GetElementAttributeWithoutInterceptor(Handle<JSObject> object,
Handle<JSReceiver> receiver,
uint32_t index,
bool continue_search);
MUST_USE_RESULT static MaybeHandle<Object> SetElementWithCallback(
Handle<Object> object, Handle<Object> structure, uint32_t index,
Handle<Object> value, Handle<JSObject> holder, StrictMode strict_mode);
MUST_USE_RESULT static MaybeHandle<Object> SetElementWithInterceptor(
Handle<JSObject> object,
uint32_t index,
Handle<Object> value,
PropertyAttributes attributes,
StrictMode strict_mode,
bool check_prototype,
SetPropertyMode set_mode);
MUST_USE_RESULT static MaybeHandle<Object> SetElementWithoutInterceptor(
Handle<JSObject> object,
uint32_t index,
Handle<Object> value,
PropertyAttributes attributes,
StrictMode strict_mode,
bool check_prototype,
SetPropertyMode set_mode);
static MaybeHandle<Object> SetElementWithCallbackSetterInPrototypes(
Handle<JSObject> object,
uint32_t index,
Handle<Object> value,
bool* found,
StrictMode strict_mode);
MUST_USE_RESULT static MaybeHandle<Object> SetDictionaryElement(
Handle<JSObject> object,
uint32_t index,
Handle<Object> value,
PropertyAttributes attributes,
StrictMode strict_mode,
bool check_prototype,
SetPropertyMode set_mode = SET_PROPERTY);
MUST_USE_RESULT static MaybeHandle<Object> SetFastDoubleElement(
Handle<JSObject> object,
uint32_t index,
Handle<Object> value,
StrictMode strict_mode,
bool check_prototype = true);
MUST_USE_RESULT static MaybeHandle<Object> SetPropertyWithFailedAccessCheck(
LookupIterator* it, Handle<Object> value, StrictMode strict_mode);
// Add a property to a slow-case object.
static void AddSlowProperty(Handle<JSObject> object,
Handle<Name> name,
Handle<Object> value,
PropertyAttributes attributes);
MUST_USE_RESULT static MaybeHandle<Object> DeleteProperty(
Handle<JSObject> object,
Handle<Name> name,
DeleteMode mode);
MUST_USE_RESULT static MaybeHandle<Object> DeletePropertyWithInterceptor(
Handle<JSObject> holder, Handle<JSObject> receiver, Handle<Name> name);
// Deletes the named property in a normalized object.
static Handle<Object> DeleteNormalizedProperty(Handle<JSObject> object,
Handle<Name> name,
DeleteMode mode);
MUST_USE_RESULT static MaybeHandle<Object> DeleteElement(
Handle<JSObject> object,
uint32_t index,
DeleteMode mode);
MUST_USE_RESULT static MaybeHandle<Object> DeleteElementWithInterceptor(
Handle<JSObject> object,
uint32_t index);
bool ReferencesObjectFromElements(FixedArray* elements,
ElementsKind kind,
Object* object);
// Returns true if most of the elements backing storage is used.
bool HasDenseElements();
// Gets the current elements capacity and the number of used elements.
void GetElementsCapacityAndUsage(int* capacity, int* used);
static bool CanSetCallback(Handle<JSObject> object, Handle<Name> name);
static void SetElementCallback(Handle<JSObject> object,
uint32_t index,
Handle<Object> structure,
PropertyAttributes attributes);
static void SetPropertyCallback(Handle<JSObject> object,
Handle<Name> name,
Handle<Object> structure,
PropertyAttributes attributes);
static void DefineElementAccessor(Handle<JSObject> object,
uint32_t index,
Handle<Object> getter,
Handle<Object> setter,
PropertyAttributes attributes);
// Return the hash table backing store or the inline stored identity hash,
// whatever is found.
MUST_USE_RESULT Object* GetHiddenPropertiesHashTable();
// Return the hash table backing store for hidden properties. If there is no
// backing store, allocate one.
static Handle<ObjectHashTable> GetOrCreateHiddenPropertiesHashtable(
Handle<JSObject> object);
// Set the hidden property backing store to either a hash table or
// the inline-stored identity hash.
static Handle<Object> SetHiddenPropertiesHashTable(
Handle<JSObject> object,
Handle<Object> value);
MUST_USE_RESULT Object* GetIdentityHash();
static Handle<Smi> GetOrCreateIdentityHash(Handle<JSObject> object);
// Common superclass for FixedArrays that allow implementations to share
// common accessors and some code paths.
class FixedArrayBase: public HeapObject {
// [length]: length of the array.
inline int length() const;
inline void set_length(int value);
// Get and set the length using acquire loads and release stores.
inline int synchronized_length() const;
inline void synchronized_set_length(int value);
// Layout description.
// Length is smi tagged when it is stored.
static const int kLengthOffset = HeapObject::kHeaderSize;
static const int kHeaderSize = kLengthOffset + kPointerSize;
class FixedDoubleArray;
class IncrementalMarking;
// FixedArray describes fixed-sized arrays with element type Object*.
class FixedArray: public FixedArrayBase {
// Setter and getter for elements.
inline Object* get(int index) const;
static inline Handle<Object> get(Handle<FixedArray> array, int index);
// Setter that uses write barrier.
inline void set(int index, Object* value);
inline bool is_the_hole(int index);
// Setter that doesn't need write barrier.
inline void set(int index, Smi* value);
// Setter with explicit barrier mode.
inline void set(int index, Object* value, WriteBarrierMode mode);
// Setters for frequently used oddballs located in old space.
inline void set_undefined(int index);
inline void set_null(int index);
inline void set_the_hole(int index);
inline Object** GetFirstElementAddress();
inline bool ContainsOnlySmisOrHoles();
// Gives access to raw memory which stores the array's data.
inline Object** data_start();
inline void FillWithHoles(int from, int to);
// Shrink length and insert filler objects.
void Shrink(int length);
// Copy operation.
static Handle<FixedArray> CopySize(Handle<FixedArray> array,
int new_length,
PretenureFlag pretenure = NOT_TENURED);
// Add the elements of a JSArray to this FixedArray.
MUST_USE_RESULT static MaybeHandle<FixedArray> AddKeysFromArrayLike(
Handle<FixedArray> content,
Handle<JSObject> array);
// Computes the union of keys and return the result.
// Used for implementing "for (n in object) { }"
MUST_USE_RESULT static MaybeHandle<FixedArray> UnionOfKeys(
Handle<FixedArray> first,
Handle<FixedArray> second);
// Copy a sub array from the receiver to dest.
void CopyTo(int pos, FixedArray* dest, int dest_pos, int len);
// Garbage collection support.
static int SizeFor(int length) { return kHeaderSize + length * kPointerSize; }
// Code Generation support.
static int OffsetOfElementAt(int index) { return SizeFor(index); }
// Garbage collection support.
Object** RawFieldOfElementAt(int index) {
return HeapObject::RawField(this, OffsetOfElementAt(index));
// Maximal allowed size, in bytes, of a single FixedArray.
// Prevents overflowing size computations, as well as extreme memory
// consumption.
static const int kMaxSize = 128 * MB * kPointerSize;
// Maximally allowed length of a FixedArray.
static const int kMaxLength = (kMaxSize - kHeaderSize) / kPointerSize;
// Dispatched behavior.
#ifdef DEBUG
// Checks if two FixedArrays have identical contents.
bool IsEqualTo(FixedArray* other);
// Swap two elements in a pair of arrays. If this array and the
// numbers array are the same object, the elements are only swapped
// once.
void SwapPairs(FixedArray* numbers, int i, int j);
// Sort prefix of this array and the numbers array as pairs wrt. the
// numbers. If the numbers array and the this array are the same
// object, the prefix of this array is sorted.
void SortPairs(FixedArray* numbers, uint32_t len);
class BodyDescriptor : public FlexibleBodyDescriptor<kHeaderSize> {
static inline int SizeOf(Map* map, HeapObject* object) {
return SizeFor(reinterpret_cast<FixedArray*>(object)->length());
// Set operation on FixedArray without using write barriers. Can
// only be used for storing old space objects or smis.
static inline void NoWriteBarrierSet(FixedArray* array,
int index,
Object* value);
// Set operation on FixedArray without incremental write barrier. Can
// only be used if the object is guaranteed to be white (whiteness witness
// is present).
static inline void NoIncrementalWriteBarrierSet(FixedArray* array,
int index,
Object* value);
STATIC_ASSERT(kHeaderSize == Internals::kFixedArrayHeaderSize);
// FixedDoubleArray describes fixed-sized arrays with element type double.
class FixedDoubleArray: public FixedArrayBase {
// Setter and getter for elements.
inline double get_scalar(int index);
inline int64_t get_representation(int index);
static inline Handle<Object> get(Handle<FixedDoubleArray> array, int index);
inline void set(int index, double value);
inline void set_the_hole(int index);
// Checking for the hole.
inline bool is_the_hole(int index);
// Garbage collection support.
inline static int SizeFor(int length) {
return kHeaderSize + length * kDoubleSize;
// Gives access to raw memory which stores the array's data.
inline double* data_start();
inline void FillWithHoles(int from, int to);
// Code Generation support.
static int OffsetOfElementAt(int index) { return SizeFor(index); }
inline static bool is_the_hole_nan(double value);
inline static double hole_nan_as_double();
inline static double canonical_not_the_hole_nan_as_double();
// Maximal allowed size, in bytes, of a single FixedDoubleArray.
// Prevents overflowing size computations, as well as extreme memory
// consumption.
static const int kMaxSize = 512 * MB;
// Maximally allowed length of a FixedArray.
static const int kMaxLength = (kMaxSize - kHeaderSize) / kDoubleSize;
// Dispatched behavior.
// ConstantPoolArray describes a fixed-sized array containing constant pool
// entries.
// A ConstantPoolArray can be structured in two different ways depending upon
// whether it is extended or small. The is_extended_layout() method can be used
// to discover which layout the constant pool has.
// The format of a small constant pool is:
// [kSmallLayout1Offset] : Small section layout bitmap 1
// [kSmallLayout2Offset] : Small section layout bitmap 2
// [first_index(INT64, SMALL_SECTION)] : 64 bit entries
// ... : ...
// [first_index(CODE_PTR, SMALL_SECTION)] : code pointer entries
// ... : ...
// [first_index(HEAP_PTR, SMALL_SECTION)] : heap pointer entries
// ... : ...
// [first_index(INT32, SMALL_SECTION)] : 32 bit entries
// ... : ...
// If the constant pool has an extended layout, the extended section constant
// pool also contains an extended section, which has the following format at
// location get_extended_section_header_offset():
// [kExtendedInt64CountOffset] : count of extended 64 bit entries
// [kExtendedCodePtrCountOffset] : count of extended code pointers
// [kExtendedHeapPtrCountOffset] : count of extended heap pointers
// [kExtendedInt32CountOffset] : count of extended 32 bit entries
// [first_index(INT64, EXTENDED_SECTION)] : 64 bit entries
// ... : ...
// [first_index(CODE_PTR, EXTENDED_SECTION)]: code pointer entries
// ... : ...
// [first_index(HEAP_PTR, EXTENDED_SECTION)]: heap pointer entries
// ... : ...
// [first_index(INT32, EXTENDED_SECTION)] : 32 bit entries
// ... : ...
class ConstantPoolArray: public HeapObject {
enum WeakObjectState {
enum Type {
INT64 = 0,
// Number of types stored by the ConstantPoolArrays.
enum LayoutSection {
class NumberOfEntries BASE_EMBEDDED {
inline NumberOfEntries() {
for (int i = 0; i < NUMBER_OF_TYPES; i++) {
element_counts_[i] = 0;
inline NumberOfEntries(int int64_count, int code_ptr_count,
int heap_ptr_count, int int32_count) {
element_counts_[INT64] = int64_count;
element_counts_[CODE_PTR] = code_ptr_count;
element_counts_[HEAP_PTR] = heap_ptr_count;
element_counts_[INT32] = int32_count;
inline NumberOfEntries(ConstantPoolArray* array, LayoutSection section) {
element_counts_[INT64] = array->number_of_entries(INT64, section);
element_counts_[CODE_PTR] = array->number_of_entries(CODE_PTR, section);
element_counts_[HEAP_PTR] = array->number_of_entries(HEAP_PTR, section);
element_counts_[INT32] = array->number_of_entries(INT32, section);
inline void increment(Type type);
inline int equals(const NumberOfEntries& other) const;
inline bool is_empty() const;
inline int count_of(Type type) const;
inline int base_of(Type type) const;
inline int total_count() const;
inline int are_in_range(int min, int max) const;
int element_counts_[NUMBER_OF_TYPES];
class Iterator BASE_EMBEDDED {
inline Iterator(ConstantPoolArray* array, Type type)
: array_(array),
next_index_(array->first_index(type, SMALL_SECTION)) {
inline Iterator(ConstantPoolArray* array, Type type, LayoutSection section)
: array_(array),
next_index_(array->first_index(type, section)) {
inline int next_index();
inline bool is_finished();
inline void update_section();
ConstantPoolArray* array_;
const Type type_;
const LayoutSection final_section_;
LayoutSection current_section_;
int next_index_;
// Getters for the first index, the last index and the count of entries of
// a given type for a given layout section.
inline int first_index(Type type, LayoutSection layout_section);
inline int last_index(Type type, LayoutSection layout_section);
inline int number_of_entries(Type type, LayoutSection layout_section);
// Returns the type of the entry at the given index.
inline Type get_type(int index);
inline bool offset_is_type(int offset, Type type);
// Setter and getter for pool elements.
inline Address get_code_ptr_entry(int index);
inline Object* get_heap_ptr_entry(int index);
inline int64_t get_int64_entry(int index);
inline int32_t get_int32_entry(int index);
inline double get_int64_entry_as_double(int index);
inline void set(int index, Address value);
inline void set(int index, Object* value);
inline void set(int index, int64_t value);
inline void set(int index, double value);
inline void set(int index, int32_t value);
// Setters which take a raw offset rather than an index (for code generation).
inline void set_at_offset(int offset, int32_t value);
inline void set_at_offset(int offset, int64_t value);
inline void set_at_offset(int offset, double value);
inline void set_at_offset(int offset, Address value);
inline void set_at_offset(int offset, Object* value);
// Setter and getter for weak objects state
inline void set_weak_object_state(WeakObjectState state);
inline WeakObjectState get_weak_object_state();
// Returns true if the constant pool has an extended layout, false if it has
// only the small layout.
inline bool is_extended_layout();
// Returns the last LayoutSection in this constant pool array.
inline LayoutSection final_section();
// Set up initial state for a small layout constant pool array.
inline void Init(const NumberOfEntries& small);
// Set up initial state for an extended layout constant pool array.
inline void InitExtended(const NumberOfEntries& small,
const NumberOfEntries& extended);
// Clears the pointer entries with GC safe values.
void ClearPtrEntries(Isolate* isolate);
// returns the total number of entries in the constant pool array.
inline int length();
// Garbage collection support.
inline int size();
inline static int MaxInt64Offset(int number_of_int64) {
return kFirstEntryOffset + (number_of_int64 * kInt64Size);
inline static int SizeFor(const NumberOfEntries& small) {
int size = kFirstEntryOffset +
(small.count_of(INT64) * kInt64Size) +
(small.count_of(CODE_PTR) * kPointerSize) +
(small.count_of(HEAP_PTR) * kPointerSize) +
(small.count_of(INT32) * kInt32Size);
return RoundUp(size, kPointerSize);
inline static int SizeForExtended(const NumberOfEntries& small,
const NumberOfEntries& extended) {
int size = SizeFor(small);
size = RoundUp(size, kInt64Size); // Align extended header to 64 bits.
size += kExtendedFirstOffset +
(extended.count_of(INT64) * kInt64Size) +
(extended.count_of(CODE_PTR) * kPointerSize) +
(extended.count_of(HEAP_PTR) * kPointerSize) +
(extended.count_of(INT32) * kInt32Size);
return RoundUp(size, kPointerSize);
inline static int entry_size(Type type) {
switch (type) {
case INT32:
return kInt32Size;
case INT64:
return kInt64Size;
case CODE_PTR:
case HEAP_PTR:
return kPointerSize;
return 0;
// Code Generation support.
inline int OffsetOfElementAt(int index) {
int offset;
LayoutSection section;
if (is_extended_layout() && index >= first_extended_section_index()) {
offset = get_extended_section_header_offset() + kExtendedFirstOffset;
} else {
section = SMALL_SECTION;
offset = kFirstEntryOffset;
// Add offsets for the preceding type sections.
DCHECK(index <= last_index(LAST_TYPE, section));
for (Type type = FIRST_TYPE; index > last_index(type, section);
type = next_type(type)) {
offset += entry_size(type) * number_of_entries(type, section);
// Add offset for the index in it's type.
Type type = get_type(index);
offset += entry_size(type) * (index - first_index(type, section));
return offset;
// Garbage collection support.
Object** RawFieldOfElementAt(int index) {
return HeapObject::RawField(this, OffsetOfElementAt(index));
// Small Layout description.
static const int kSmallLayout1Offset = HeapObject::kHeaderSize;
static const int kSmallLayout2Offset = kSmallLayout1Offset + kInt32Size;
static const int kHeaderSize = kSmallLayout2Offset + kInt32Size;
static const int kFirstEntryOffset = ROUND_UP(kHeaderSize, kInt64Size);
static const int kSmallLayoutCountBits = 10;
static const int kMaxSmallEntriesPerType = (1 << kSmallLayoutCountBits) - 1;
// Fields in kSmallLayout1Offset.
class Int64CountField: public BitField<int, 1, kSmallLayoutCountBits> {};
class CodePtrCountField: public BitField<int, 11, kSmallLayoutCountBits> {};
class HeapPtrCountField: public BitField<int, 21, kSmallLayoutCountBits> {};
class IsExtendedField: public BitField<bool, 31, 1> {};
// Fields in kSmallLayout2Offset.
class Int32CountField: public BitField<int, 1, kSmallLayoutCountBits> {};
class TotalCountField: public BitField<int, 11, 12> {};
class WeakObjectStateField: public BitField<WeakObjectState, 23, 2> {};
// Extended layout description, which starts at
// get_extended_section_header_offset().
static const int kExtendedInt64CountOffset = 0;
static const int kExtendedCodePtrCountOffset =
kExtendedInt64CountOffset + kInt32Size;
static const int kExtendedHeapPtrCountOffset =
kExtendedCodePtrCountOffset + kInt32Size;
static const int kExtendedInt32CountOffset =
kExtendedHeapPtrCountOffset + kInt32Size;
static const int kExtendedFirstOffset =
kExtendedInt32CountOffset + kInt32Size;
// Dispatched behavior.
void ConstantPoolIterateBody(ObjectVisitor* v);
inline int first_extended_section_index();
inline int get_extended_section_header_offset();
inline static Type next_type(Type type) {
int type_int = static_cast<int>(type);
return static_cast<Type>(++type_int);
// DescriptorArrays are fixed arrays used to hold instance descriptors.
// The format of the these objects is:
// [0]: Number of descriptors
// [1]: Either Smi(0) if uninitialized, or a pointer to small fixed array:
// [0]: pointer to fixed array with enum cache
// [1]: either Smi(0) or pointer to fixed array with indices
// [2]: first key
// [2 + number of descriptors * kDescriptorSize]: start of slack
class DescriptorArray: public FixedArray {
// Returns true for both shared empty_descriptor_array and for smis, which the
// map uses to encode additional bit fields when the descriptor array is not
// yet used.
inline bool IsEmpty();
// Returns the number of descriptors in the array.
int number_of_descriptors() {
DCHECK(length() >= kFirstIndex || IsEmpty());
int len = length();
return len == 0 ? 0 : Smi::cast(get(kDescriptorLengthIndex))->value();
int number_of_descriptors_storage() {
int len = length();
return len == 0 ? 0 : (len - kFirstIndex) / kDescriptorSize;
int NumberOfSlackDescriptors() {
return number_of_descriptors_storage() - number_of_descriptors();
inline void SetNumberOfDescriptors(int number_of_descriptors);
inline int number_of_entries() { return number_of_descriptors(); }
bool HasEnumCache() {
return !IsEmpty() && !get(kEnumCacheIndex)->IsSmi();
void CopyEnumCacheFrom(DescriptorArray* array) {
set(kEnumCacheIndex, array->get(kEnumCacheIndex));
FixedArray* GetEnumCache() {
FixedArray* bridge = FixedArray::cast(get(kEnumCacheIndex));
return FixedArray::cast(bridge->get(kEnumCacheBridgeCacheIndex));
bool HasEnumIndicesCache() {
if (IsEmpty()) return false;
Object* object = get(kEnumCacheIndex);
if (object->IsSmi()) return false;
FixedArray* bridge = FixedArray::cast(object);
return !bridge->get(kEnumCacheBridgeIndicesCacheIndex)->IsSmi();
FixedArray* GetEnumIndicesCache() {
FixedArray* bridge = FixedArray::cast(get(kEnumCacheIndex));
return FixedArray::cast(bridge->get(kEnumCacheBridgeIndicesCacheIndex));
Object** GetEnumCacheSlot() {
return HeapObject::RawField(reinterpret_cast<HeapObject*>(this),
void ClearEnumCache();
// Initialize or change the enum cache,
// using the supplied storage for the small "bridge".
void SetEnumCache(FixedArray* bridge_storage,
FixedArray* new_cache,
Object* new_index_cache);
bool CanHoldValue(int descriptor, Object* value);
// Accessors for fetching instance descriptor at descriptor number.
inline Name* GetKey(int descriptor_number);
inline Object** GetKeySlot(int descriptor_number);
inline Object* GetValue(int descriptor_number);
inline void SetValue(int descriptor_number, Object* value);
inline Object** GetValueSlot(int descriptor_number);
static inline int GetValueOffset(int descriptor_number);
inline Object** GetDescriptorStartSlot(int descriptor_number);
inline Object** GetDescriptorEndSlot(int descriptor_number);
inline PropertyDetails GetDetails(int descriptor_number);
inline PropertyType GetType(int descriptor_number);
inline int GetFieldIndex(int descriptor_number);
inline HeapType* GetFieldType(int descriptor_number);
inline Object* GetConstant(int descriptor_number);
inline Object* GetCallbacksObject(int descriptor_number);
inline AccessorDescriptor* GetCallbacks(int descriptor_number);
inline Name* GetSortedKey(int descriptor_number);
inline int GetSortedKeyIndex(int descriptor_number);
inline void SetSortedKey(int pointer, int descriptor_number);
inline void SetRepresentation(int descriptor_number,
Representation representation);
// Accessor for complete descriptor.
inline void Get(int descriptor_number, Descriptor* desc);
inline void Set(int descriptor_number, Descriptor* desc);
void Replace(int descriptor_number, Descriptor* descriptor);
// Append automatically sets the enumeration index. This should only be used
// to add descriptors in bulk at the end, followed by sorting the descriptor
// array.
inline void Append(Descriptor* desc);
static Handle<DescriptorArray> CopyUpTo(Handle<DescriptorArray> desc,
int enumeration_index,
int slack = 0);
static Handle<DescriptorArray> CopyUpToAddAttributes(
Handle<DescriptorArray> desc,
int enumeration_index,
PropertyAttributes attributes,
int slack = 0);
// Sort the instance descriptors by the hash codes of their keys.
void Sort();
// Search the instance descriptors for given name.
INLINE(int Search(Name* name, int number_of_own_descriptors));
// As the above, but uses DescriptorLookupCache and updates it when
// necessary.
INLINE(int SearchWithCache(Name* name, Map* map));
// Allocates a DescriptorArray, but returns the singleton
// empty descriptor array object if number_of_descriptors is 0.
static Handle<DescriptorArray> Allocate(Isolate* isolate,
int number_of_descriptors,
int slack = 0);
// Constant for denoting key was not found.
static const int kNotFound = -1;
static const int kDescriptorLengthIndex = 0;
static const int kEnumCacheIndex = 1;
static const int kFirstIndex = 2;
// The length of the "bridge" to the enum cache.
static const int kEnumCacheBridgeLength = 2;
static const int kEnumCacheBridgeCacheIndex = 0;
static const int kEnumCacheBridgeIndicesCacheIndex = 1;
// Layout description.
static const int kDescriptorLengthOffset = FixedArray::kHeaderSize;
static const int kEnumCacheOffset = kDescriptorLengthOffset + kPointerSize;
static const int kFirstOffset = kEnumCacheOffset + kPointerSize;
// Layout description for the bridge array.
static const int kEnumCacheBridgeCacheOffset = FixedArray::kHeaderSize;
// Layout of descriptor.
static const int kDescriptorKey = 0;
static const int kDescriptorDetails = 1;
static const int kDescriptorValue = 2;
static const int kDescriptorSize = 3;
// For our gdb macros, we should perhaps change these in the future.
void Print();
// Print all the descriptors.
void PrintDescriptors(std::ostream& os); // NOLINT
#ifdef DEBUG
// Is the descriptor array sorted and without duplicates?
bool IsSortedNoDuplicates(int valid_descriptors = -1);
// Is the descriptor array consistent with the back pointers in targets?
bool IsConsistentWithBackPointers(Map* current_map);
// Are two DescriptorArrays equal?
bool IsEqualTo(DescriptorArray* other);
// Returns the fixed array length required to hold number_of_descriptors
// descriptors.
static int LengthFor(int number_of_descriptors) {
return ToKeyIndex(number_of_descriptors);
// WhitenessWitness is used to prove that a descriptor array is white
// (unmarked), so incremental write barriers can be skipped because the
// marking invariant cannot be broken and slots pointing into evacuation
// candidates will be discovered when the object is scanned. A witness is
// always stack-allocated right after creating an array. By allocating a
// witness, incremental marking is globally disabled. The witness is then
// passed along wherever needed to statically prove that the array is known to
// be white.
class WhitenessWitness {
inline explicit WhitenessWitness(DescriptorArray* array);
inline ~WhitenessWitness();
IncrementalMarking* marking_;
// An entry in a DescriptorArray, represented as an (array, index) pair.
class Entry {
inline explicit Entry(DescriptorArray* descs, int index) :
descs_(descs), index_(index) { }
inline PropertyType type() { return descs_->GetType(index_); }
inline Object* GetCallbackObject() { return descs_->GetValue(index_); }
DescriptorArray* descs_;
int index_;
// Conversion from descriptor number to array indices.
static int ToKeyIndex(int descriptor_number) {
return kFirstIndex +
(descriptor_number * kDescriptorSize) +
static int ToDetailsIndex(int descriptor_number) {
return kFirstIndex +
(descriptor_number * kDescriptorSize) +
static int ToValueIndex(int descriptor_number) {
return kFirstIndex +
(descriptor_number * kDescriptorSize) +
// Transfer a complete descriptor from the src descriptor array to this
// descriptor array.
void CopyFrom(int index, DescriptorArray* src, const WhitenessWitness&);
inline void Set(int descriptor_number,
Descriptor* desc,
const WhitenessWitness&);
// Swap first and second descriptor.
inline void SwapSortedKeys(int first, int second);
template <SearchMode search_mode, typename T>
inline int Search(T* array, Name* name, int valid_entries = 0,
int* out_insertion_index = NULL);
// HashTable is a subclass of FixedArray that implements a hash table
// that uses open addressing and quadratic probing.
// In order for the quadratic probing to work, elements that have not
// yet been used and elements that have been deleted are
// distinguished. Probing continues when deleted elements are
// encountered and stops when unused elements are encountered.
// - Elements with key == undefined have not been used yet.
// - Elements with key == the_hole have been deleted.
// The hash table class is parameterized with a Shape and a Key.
// Shape must be a class with the following interface:
// class ExampleShape {
// public:
// // Tells whether key matches other.
// static bool IsMatch(Key key, Object* other);
// // Returns the hash value for key.
// static uint32_t Hash(Key key);
// // Returns the hash value for object.
// static uint32_t HashForObject(Key key, Object* object);
// // Convert key to an object.
// static inline Handle<Object> AsHandle(Isolate* isolate, Key key);
// // The prefix size indicates number of elements in the beginning
// // of the backing storage.
// static const int kPrefixSize = ..;
// // The Element size indicates number of elements per entry.
// static const int kEntrySize = ..;
// };
// The prefix size indicates an amount of memory in the
// beginning of the backing storage that can be used for non-element
// information by subclasses.
template<typename Key>
class BaseShape {
static const bool UsesSeed = false;
static uint32_t Hash(Key key) { return 0; }
static uint32_t SeededHash(Key key, uint32_t seed) {
return Hash(key);
static uint32_t HashForObject(Key key, Object* object) { return 0; }
static uint32_t SeededHashForObject(Key key, uint32_t seed, Object* object) {
return HashForObject(key, object);
template<typename Derived, typename Shape, typename Key>
class HashTable: public FixedArray {
// Wrapper methods
inline uint32_t Hash(Key key) {
if (Shape::UsesSeed) {
return Shape::SeededHash(key, GetHeap()->HashSeed());
} else {
return Shape::Hash(key);
inline uint32_t HashForObject(Key key, Object* object) {
if (Shape::UsesSeed) {
return Shape::SeededHashForObject(key, GetHeap()->HashSeed(), object);
} else {
return Shape::HashForObject(key, object);
// Returns the number of elements in the hash table.
int NumberOfElements() {
return Smi::cast(get(kNumberOfElementsIndex))->value();
// Returns the number of deleted elements in the hash table.
int NumberOfDeletedElements() {
return Smi::cast(get(kNumberOfDeletedElementsIndex))->value();
// Returns the capacity of the hash table.
int Capacity() {
return Smi::cast(get(kCapacityIndex))->value();
// ElementAdded should be called whenever an element is added to a
// hash table.
void ElementAdded() { SetNumberOfElements(NumberOfElements() + 1); }
// ElementRemoved should be called whenever an element is removed from
// a hash table.
void ElementRemoved() {
SetNumberOfElements(NumberOfElements() - 1);
SetNumberOfDeletedElements(NumberOfDeletedElements() + 1);
void ElementsRemoved(int n) {
SetNumberOfElements(NumberOfElements() - n);
SetNumberOfDeletedElements(NumberOfDeletedElements() + n);
// Returns a new HashTable object.
MUST_USE_RESULT static Handle<Derived> New(
Isolate* isolate,
int at_least_space_for,
MinimumCapacity capacity_option = USE_DEFAULT_MINIMUM_CAPACITY,
PretenureFlag pretenure = NOT_TENURED);
// Computes the required capacity for a table holding the given
// number of elements. May be more than HashTable::kMaxCapacity.
static int ComputeCapacity(int at_least_space_for);
// Returns the key at entry.
Object* KeyAt(int entry) { return get(EntryToIndex(entry)); }
// Tells whether k is a real key. The hole and undefined are not allowed
// as keys and can be used to indicate missing or deleted elements.
bool IsKey(Object* k) {
return !k->IsTheHole() && !k->IsUndefined();
// Garbage collection support.
void IteratePrefix(ObjectVisitor* visitor);
void IterateElements(ObjectVisitor* visitor);
// Compute the probe offset (quadratic probing).
INLINE(static uint32_t GetProbeOffset(uint32_t n)) {
return (n + n * n) >> 1;
static const int kNumberOfElementsIndex = 0;
static const int kNumberOfDeletedElementsIndex = 1;
static const int kCapacityIndex = 2;
static const int kPrefixStartIndex = 3;
static const int kElementsStartIndex =
kPrefixStartIndex + Shape::kPrefixSize;
static const int kEntrySize = Shape::kEntrySize;
static const int kElementsStartOffset =
kHeaderSize + kElementsStartIndex * kPointerSize;
static const int kCapacityOffset =
kHeaderSize + kCapacityIndex * kPointerSize;
// Constant used for denoting a absent entry.
static const int kNotFound = -1;
// Maximal capacity of HashTable. Based on maximal length of underlying
// FixedArray. Staying below kMaxCapacity also ensures that EntryToIndex
// cannot overflow.
static const int kMaxCapacity =
(FixedArray::kMaxLength - kElementsStartOffset) / kEntrySize;
// Find entry for key otherwise return kNotFound.
inline int FindEntry(Key key);
int FindEntry(Isolate* isolate, Key key);
// Rehashes the table in-place.
void Rehash(Key key);
friend class ObjectHashTable;
// Find the entry at which to insert element with the given key that
// has the given hash value.
uint32_t FindInsertionEntry(uint32_t hash);
// Returns the index for an entry (of the key)
static inline int EntryToIndex(int entry) {
return (entry * kEntrySize) + kElementsStartIndex;
// Update the number of elements in the hash table.
void SetNumberOfElements(int nof) {
set(kNumberOfElementsIndex, Smi::FromInt(nof));
// Update the number of deleted elements in the hash table.
void SetNumberOfDeletedElements(int nod) {
set(kNumberOfDeletedElementsIndex, Smi::FromInt(nod));
// Sets the capacity of the hash table.
void SetCapacity(int capacity) {
// To scale a computed hash code to fit within the hash table, we
// use bit-wise AND with a mask, so the capacity must be positive
// and non-zero.
DCHECK(capacity > 0);
DCHECK(capacity <= kMaxCapacity);
set(kCapacityIndex, Smi::FromInt(capacity));
// Returns probe entry.
static uint32_t GetProbe(uint32_t hash, uint32_t number, uint32_t size) {
return (hash + GetProbeOffset(number)) & (size - 1);
inline static uint32_t FirstProbe(uint32_t hash, uint32_t size) {
return hash & (size - 1);
inline static uint32_t NextProbe(
uint32_t last, uint32_t number, uint32_t size) {
return (last + number) & (size - 1);
// Attempt to shrink hash table after removal of key.
MUST_USE_RESULT static Handle<Derived> Shrink(Handle<Derived> table, Key key);
// Ensure enough space for n additional elements.
MUST_USE_RESULT static Handle<Derived> EnsureCapacity(
Handle<Derived> table,
int n,
Key key,
PretenureFlag pretenure = NOT_TENURED);
// Returns _expected_ if one of entries given by the first _probe_ probes is
// equal to _expected_. Otherwise, returns the entry given by the probe
// number _probe_.
uint32_t EntryForProbe(Key key, Object* k, int probe, uint32_t expected);
void Swap(uint32_t entry1, uint32_t entry2, WriteBarrierMode mode);
// Rehashes this hash-table into the new table.
void Rehash(Handle<Derived> new_table, Key key);
// HashTableKey is an abstract superclass for virtual key behavior.
class HashTableKey {
// Returns whether the other object matches this key.
virtual bool IsMatch(Object* other) = 0;
// Returns the hash value for this key.
virtual uint32_t Hash() = 0;
// Returns the hash value for object.
virtual uint32_t HashForObject(Object* key) = 0;
// Returns the key object for storing into the hash table.
MUST_USE_RESULT virtual Handle<Object> AsHandle(Isolate* isolate) = 0;
// Required.
virtual ~HashTableKey() {}
class StringTableShape : public BaseShape<HashTableKey*> {
static inline bool IsMatch(HashTableKey* key, Object* value) {
return key->IsMatch(value);
static inline uint32_t Hash(HashTableKey* key) {
return key->Hash();
static inline uint32_t HashForObject(HashTableKey* key, Object* object) {
return key->HashForObject(object);
static inline Handle<Object> AsHandle(Isolate* isolate, HashTableKey* key);
static const int kPrefixSize = 0;
static const int kEntrySize = 1;
class SeqOneByteString;
// StringTable.
// No special elements in the prefix and the element size is 1
// because only the string itself (the key) needs to be stored.
class StringTable: public HashTable<StringTable,
HashTableKey*> {
// Find string in the string table. If it is not there yet, it is
// added. The return value is the string found.
static Handle<String> LookupString(Isolate* isolate, Handle<String> key);
static Handle<String> LookupKey(Isolate* isolate, HashTableKey* key);
// Tries to internalize given string and returns string handle on success
// or an empty handle otherwise.
MUST_USE_RESULT static MaybeHandle<String> InternalizeStringIfExists(
Isolate* isolate,
Handle<String> string);
// Looks up a string that is equal to the given string and returns
// string handle if it is found, or an empty handle otherwise.
MUST_USE_RESULT static MaybeHandle<String> LookupStringIfExists(
Isolate* isolate,
Handle<String> str);
MUST_USE_RESULT static MaybeHandle<String> LookupTwoCharsStringIfExists(
Isolate* isolate,
uint16_t c1,
uint16_t c2);
static void EnsureCapacityForDeserialization(Isolate* isolate, int expected);
template <bool seq_one_byte>
friend class JsonParser;
template <typename Derived, typename Shape, typename Key>
class Dictionary: public HashTable<Derived, Shape, Key> {
typedef HashTable<Derived, Shape, Key> DerivedHashTable;
// Returns the value at entry.
Object* ValueAt(int entry) {
return this->get(DerivedHashTable::EntryToIndex(entry) + 1);
// Set the value for entry.
void ValueAtPut(int entry, Object* value) {
this->set(DerivedHashTable::EntryToIndex(entry) + 1, value);
// Returns the property details for the property at entry.
PropertyDetails DetailsAt(int entry) {
DCHECK(entry >= 0); // Not found is -1, which is not caught by get().
return PropertyDetails(
Smi::cast(this->get(DerivedHashTable::EntryToIndex(entry) + 2)));
// Set the details for entry.
void DetailsAtPut(int entry, PropertyDetails value) {
this->set(DerivedHashTable::EntryToIndex(entry) + 2, value.AsSmi());
// Sorting support
void CopyValuesTo(FixedArray* elements);
// Delete a property from the dictionary.
static Handle<Object> DeleteProperty(
Handle<Derived> dictionary,
int entry,
JSObject::DeleteMode mode);
// Attempt to shrink the dictionary after deletion of key.
MUST_USE_RESULT static inline Handle<Derived> Shrink(
Handle<Derived> dictionary,
Key key) {
return DerivedHashTable::Shrink(dictionary, key);
// Returns the number of elements in the dictionary filtering out properties
// with the specified attributes.
int NumberOfElementsFilterAttributes(PropertyAttributes filter);
// Returns the number of enumerable elements in the dictionary.
int NumberOfEnumElements();
// Returns true if the dictionary contains any elements that are non-writable,
// non-configurable, non-enumerable, or have getters/setters.
bool HasComplexElements();
enum SortMode { UNSORTED, SORTED };
// Copies keys to preallocated fixed array.
void CopyKeysTo(FixedArray* storage,
PropertyAttributes filter,
SortMode sort_mode);
// Fill in details for properties into storage.
void CopyKeysTo(FixedArray* storage,
int index,
PropertyAttributes filter,
SortMode sort_mode);
// Accessors for next enumeration index.
void SetNextEnumerationIndex(int index) {
DCHECK(index != 0);
this->set(kNextEnumerationIndexIndex, Smi::FromInt(index));
int NextEnumerationIndex() {
return Smi::cast(this->get(kNextEnumerationIndexIndex))->value();
// Creates a new dictionary.
MUST_USE_RESULT static Handle<Derived> New(
Isolate* isolate,
int at_least_space_for,
PretenureFlag pretenure = NOT_TENURED);
// Ensure enough space for n additional elements.
static Handle<Derived> EnsureCapacity(Handle<Derived> obj, int n, Key key);
void Print(std::ostream& os); // NOLINT
// Returns the key (slow).
Object* SlowReverseLookup(Object* value);
// Sets the entry to (key, value) pair.
inline void SetEntry(int entry,
Handle<Object> key,
Handle<Object> value);
inline void SetEntry(int entry,
Handle<Object> key,
Handle<Object> value,
PropertyDetails details);
MUST_USE_RESULT static Handle<Derived> Add(
Handle<Derived> dictionary,
Key key,
Handle<Object> value,
PropertyDetails details);
// Returns iteration indices array for the |dictionary|.
// Values are direct indices in the |HashTable| array.
static Handle<FixedArray> BuildIterationIndicesArray(
Handle<Derived> dictionary);
// Generic at put operation.
MUST_USE_RESULT static Handle<Derived> AtPut(
Handle<Derived> dictionary,
Key key,
Handle<Object> value);
// Add entry to dictionary.
static void AddEntry(
Handle<Derived> dictionary,
Key key,
Handle<Object> value,
PropertyDetails details,
uint32_t hash);
// Generate new enumeration indices to avoid enumeration index overflow.
// Returns iteration indices array for the |dictionary|.
static Handle<FixedArray> GenerateNewEnumerationIndices(
Handle<Derived> dictionary);
static const int kMaxNumberKeyIndex = DerivedHashTable::kPrefixStartIndex;
static const int kNextEnumerationIndexIndex = kMaxNumberKeyIndex + 1;
class NameDictionaryShape : public BaseShape<Handle<Name> > {
static inline bool IsMatch(Handle<Name> key, Object* other);
static inline uint32_t Hash(Handle<Name> key);
static inline uint32_t HashForObject(Handle<Name> key, Object* object);
static inline Handle<Object> AsHandle(Isolate* isolate, Handle<Name> key);
static const int kPrefixSize = 2;
static const int kEntrySize = 3;
static const bool kIsEnumerable = true;
class NameDictionary: public Dictionary<NameDictionary,
Handle<Name> > {
typedef Dictionary<
NameDictionary, NameDictionaryShape, Handle<Name> > DerivedDictionary;
// Copies enumerable keys to preallocated fixed array.
void CopyEnumKeysTo(FixedArray* storage);
inline static Handle<FixedArray> DoGenerateNewEnumerationIndices(
Handle<NameDictionary> dictionary);
// Find entry for key, otherwise return kNotFound. Optimized version of
// HashTable::FindEntry.
int FindEntry(Handle<Name> key);
class NumberDictionaryShape : public BaseShape<uint32_t> {
static inline bool IsMatch(uint32_t key, Object* other);
static inline Handle<Object> AsHandle(Isolate* isolate, uint32_t key);
static const int kEntrySize = 3;
static const bool kIsEnumerable = false;
class SeededNumberDictionaryShape : public NumberDictionaryShape {
static const bool UsesSeed = true;
static const int kPrefixSize = 2;
static inline uint32_t SeededHash(uint32_t key, uint32_t seed);
static inline uint32_t SeededHashForObject(uint32_t key,
uint32_t seed,
Object* object);
class UnseededNumberDictionaryShape : public NumberDictionaryShape {
static const int kPrefixSize = 0;
static inline uint32_t Hash(uint32_t key);
static inline uint32_t HashForObject(uint32_t key, Object* object);
class SeededNumberDictionary
: public Dictionary<SeededNumberDictionary,
uint32_t> {
// Type specific at put (default NONE attributes is used when adding).
MUST_USE_RESULT static Handle<SeededNumberDictionary> AtNumberPut(
Handle<SeededNumberDictionary> dictionary,
uint32_t key,
Handle<Object> value);
MUST_USE_RESULT static Handle<SeededNumberDictionary> AddNumberEntry(
Handle<SeededNumberDictionary> dictionary,
uint32_t key,
Handle<Object> value,
PropertyDetails details);
// Set an existing entry or add a new one if needed.
// Return the updated dictionary.
MUST_USE_RESULT static Handle<SeededNumberDictionary> Set(
Handle<SeededNumberDictionary> dictionary,
uint32_t key,
Handle<Object> value,
PropertyDetails details);
void UpdateMaxNumberKey(uint32_t key);
// If slow elements are required we will never go back to fast-case
// for the elements kept in this dictionary. We require slow
// elements if an element has been added at an index larger than
// kRequiresSlowElementsLimit or set_requires_slow_elements() has been called
// when defining a getter or setter with a number key.
inline bool requires_slow_elements();
inline void set_requires_slow_elements();
// Get the value of the max number key that has been added to this
// dictionary. max_number_key can only be called if
// requires_slow_elements returns false.
inline uint32_t max_number_key();
// Bit masks.
static const int kRequiresSlowElementsMask = 1;
static const int kRequiresSlowElementsTagSize = 1;
static const uint32_t kRequiresSlowElementsLimit = (1 << 29) - 1;
class UnseededNumberDictionary
: public Dictionary<UnseededNumberDictionary,
uint32_t> {
// Type specific at put (default NONE attributes is used when adding).
MUST_USE_RESULT static Handle<UnseededNumberDictionary> AtNumberPut(
Handle<UnseededNumberDictionary> dictionary,
uint32_t key,
Handle<Object> value);
MUST_USE_RESULT static Handle<UnseededNumberDictionary> AddNumberEntry(
Handle<UnseededNumberDictionary> dictionary,
uint32_t key,
Handle<Object> value);
// Set an existing entry or add a new one if needed.
// Return the updated dictionary.
MUST_USE_RESULT static Handle<UnseededNumberDictionary> Set(
Handle<UnseededNumberDictionary> dictionary,
uint32_t key,
Handle<Object> value);
class ObjectHashTableShape : public BaseShape<Handle<Object> > {
static inline bool IsMatch(Handle<Object> key, Object* other);
static inline uint32_t Hash(Handle<Object> key);
static inline uint32_t HashForObject(Handle<Object> key, Object* object);
static inline Handle<Object> AsHandle(Isolate* isolate, Handle<Object> key);
static const int kPrefixSize = 0;
static const int kEntrySize = 2;
// ObjectHashTable maps keys that are arbitrary objects to object values by
// using the identity hash of the key for hashing purposes.
class ObjectHashTable: public HashTable<ObjectHashTable,
Handle<Object> > {
typedef HashTable<
ObjectHashTable, ObjectHashTableShape, Handle<Object> > DerivedHashTable;
// Attempt to shrink hash table after removal of key.
MUST_USE_RESULT static inline Handle<ObjectHashTable> Shrink(
Handle<ObjectHashTable> table,
Handle<Object> key);
// Looks up the value associated with the given key. The hole value is
// returned in case the key is not present.
Object* Lookup(Handle<Object> key);
// Adds (or overwrites) the value associated with the given key.
static Handle<ObjectHashTable> Put(Handle<ObjectHashTable> table,
Handle<Object> key,
Handle<Object> value);
// Returns an ObjectHashTable (possibly |table|) where |key| has been removed.
static Handle<ObjectHashTable> Remove(Handle<ObjectHashTable> table,
Handle<Object> key,
bool* was_present);
friend class MarkCompactCollector;
void AddEntry(int entry, Object* key, Object* value);
void RemoveEntry(int entry);
// Returns the index to the value of an entry.
static inline int EntryToValueIndex(int entry) {
return EntryToIndex(entry) + 1;
// OrderedHashTable is a HashTable with Object keys that preserves
// insertion order. There are Map and Set interfaces (OrderedHashMap
// and OrderedHashTable, below). It is meant to be used by JSMap/JSSet.
// Only Object* keys are supported, with Object::SameValueZero() used as the
// equality operator and Object::GetHash() for the hash function.
// Based on the "Deterministic Hash Table" as described by Jason Orendorff at
// Originally attributed to Tyler Close.
// Memory layout:
// [0]: bucket count
// [1]: element count
// [2]: deleted element count
// [3..(3 + NumberOfBuckets() - 1)]: "hash table", where each item is an
// offset into the data table (see below) where the
// first item in this bucket is stored.
// [3 + NumberOfBuckets()..length]: "data table", an array of length
// Capacity() * kEntrySize, where the first entrysize
// items are handled by the derived class and the
// item at kChainOffset is another entry into the
// data table indicating the next entry in this hash
// bucket.
// When we transition the table to a new version we obsolete it and reuse parts
// of the memory to store information how to transition an iterator to the new
// table:
// Memory layout for obsolete table:
// [0]: bucket count
// [1]: Next newer table
// [2]: Number of removed holes or -1 when the table was cleared.
// [3..(3 + NumberOfRemovedHoles() - 1)]: The indexes of the removed holes.
// [3 + NumberOfRemovedHoles()..length]: Not used
template<class Derived, class Iterator, int entrysize>
class OrderedHashTable: public FixedArray {
// Returns an OrderedHashTable with a capacity of at least |capacity|.
static Handle<Derived> Allocate(
Isolate* isolate, int capacity, PretenureFlag pretenure = NOT_TENURED);
// Returns an OrderedHashTable (possibly |table|) with enough space
// to add at least one new element.
static Handle<Derived> EnsureGrowable(Handle<Derived> table);
// Returns an OrderedHashTable (possibly |table|) that's shrunken
// if possible.
static Handle<Derived> Shrink(Handle<Derived> table);
// Returns a new empty OrderedHashTable and records the clearing so that
// exisiting iterators can be updated.
static Handle<Derived> Clear(Handle<Derived> table);
// Returns an OrderedHashTable (possibly |table|) where |key| has been
// removed.
static Handle<Derived> Remove(Handle<Derived> table, Handle<Object> key,
bool* was_present);
// Returns kNotFound if the key isn't present.
int FindEntry(Handle<Object> key, int hash);
// Like the above, but doesn't require the caller to provide a hash.
int FindEntry(Handle<Object> key);
int NumberOfElements() {
return Smi::cast(get(kNumberOfElementsIndex))->value();
int NumberOfDeletedElements() {
return Smi::cast(get(kNumberOfDeletedElementsIndex))->value();
int UsedCapacity() { return NumberOfElements() + NumberOfDeletedElements(); }
int NumberOfBuckets() {
return Smi::cast(get(kNumberOfBucketsIndex))->value();
// Returns the index into the data table where the new entry
// should be placed. The table is assumed to have enough space
// for a new entry.
int AddEntry(int hash);
// Removes the entry, and puts the_hole in entrysize pointers
// (leaving the hash table chain intact).
void RemoveEntry(int entry);
// Returns an index into |this| for the given entry.
int EntryToIndex(int entry) {
return kHashTableStartIndex + NumberOfBuckets() + (entry * kEntrySize);
Object* KeyAt(int entry) { return get(EntryToIndex(entry)); }
bool IsObsolete() {
return !get(kNextTableIndex)->IsSmi();
// The next newer table. This is only valid if the table is obsolete.
Derived* NextTable() {
return Derived::cast(get(kNextTableIndex));
// When the table is obsolete we store the indexes of the removed holes.
int RemovedIndexAt(int index) {
return Smi::cast(get(kRemovedHolesIndex + index))->value();
static const int kNotFound = -1;
static const int kMinCapacity = 4;
static Handle<Derived> Rehash(Handle<Derived> table, int new_capacity);
void SetNumberOfBuckets(int num) {
set(kNumberOfBucketsIndex, Smi::FromInt(num));
void SetNumberOfElements(int num) {
set(kNumberOfElementsIndex, Smi::FromInt(num));
void SetNumberOfDeletedElements(int num) {
set(kNumberOfDeletedElementsIndex, Smi::FromInt(num));
int Capacity() {
return NumberOfBuckets() * kLoadFactor;
// Returns the next entry for the given entry.
int ChainAt(int entry) {
return Smi::cast(get(EntryToIndex(entry) + kChainOffset))->value();
int HashToBucket(int hash) {
return hash & (NumberOfBuckets() - 1);
int HashToEntry(int hash) {
int bucket = HashToBucket(hash);
return Smi::cast(get(kHashTableStartIndex + bucket))->value();
void SetNextTable(Derived* next_table) {
set(kNextTableIndex, next_table);
void SetRemovedIndexAt(int index, int removed_index) {
return set(kRemovedHolesIndex + index, Smi::FromInt(removed_index));
static const int kNumberOfBucketsIndex = 0;
static const int kNumberOfElementsIndex = kNumberOfBucketsIndex + 1;
static const int kNumberOfDeletedElementsIndex = kNumberOfElementsIndex + 1;
static const int kHashTableStartIndex = kNumberOfDeletedElementsIndex + 1;
static const int kNextTableIndex = kNumberOfElementsIndex;
static const int kRemovedHolesIndex = kHashTableStartIndex;
static const int kEntrySize = entrysize + 1;
static const int kChainOffset = entrysize;
static const int kLoadFactor = 2;
static const int kMaxCapacity =
(FixedArray::kMaxLength - kHashTableStartIndex)
/ (1 + (kEntrySize * kLoadFactor));
class JSSetIterator;
class OrderedHashSet: public OrderedHashTable<
OrderedHashSet, JSSetIterator, 1> {
bool Contains(Handle<Object> key);