// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef V8_OBJECTS_MAP_H_
#define V8_OBJECTS_MAP_H_
#include "src/objects.h"
#include "src/objects/code.h"
#include "src/globals.h"
// Has to be the last include (doesn't have include guards):
#include "src/objects/object-macros.h"
namespace v8 {
namespace internal {
#define VISITOR_ID_LIST(V) \
V(AllocationSite) \
V(BigInt) \
V(ByteArray) \
V(BytecodeArray) \
V(Cell) \
V(Code) \
V(CodeDataContainer) \
V(ConsString) \
V(DataHandler) \
V(DataObject) \
V(EphemeronHashTable) \
V(FeedbackCell) \
V(FeedbackVector) \
V(FixedArray) \
V(FixedDoubleArray) \
V(FixedFloat64Array) \
V(FixedTypedArrayBase) \
V(FreeSpace) \
V(JSApiObject) \
V(JSArrayBuffer) \
V(JSFunction) \
V(JSObject) \
V(JSObjectFast) \
V(JSWeakCollection) \
V(Map) \
V(NativeContext) \
V(Oddball) \
V(PreParsedScopeData) \
V(PropertyArray) \
V(PropertyCell) \
V(PrototypeInfo) \
V(SeqOneByteString) \
V(SeqTwoByteString) \
V(SharedFunctionInfo) \
V(ShortcutCandidate) \
V(SlicedString) \
V(SmallOrderedHashMap) \
V(SmallOrderedHashSet) \
V(Struct) \
V(Symbol) \
V(ThinString) \
V(TransitionArray) \
V(UncompiledDataWithoutPreParsedScope) \
V(UncompiledDataWithPreParsedScope) \
V(WasmInstanceObject) \
V(WeakArray)
// For data objects, JS objects and structs along with generic visitor which
// can visit object of any size we provide visitors specialized by
// object size in words.
// Ids of specialized visitors are declared in a linear order (without
// holes) starting from the id of visitor specialized for 2 words objects
// (base visitor id) and ending with the id of generic visitor.
// Method GetVisitorIdForSize depends on this ordering to calculate visitor
// id of specialized visitor from given instance size, base visitor id and
// generic visitor's id.
enum VisitorId {
#define VISITOR_ID_ENUM_DECL(id) kVisit##id,
VISITOR_ID_LIST(VISITOR_ID_ENUM_DECL)
#undef VISITOR_ID_ENUM_DECL
kVisitorIdCount
};
typedef std::vector<Handle<Map>> MapHandles;
// All heap objects have a Map that describes their structure.
// A Map contains information about:
// - Size information about the object
// - How to iterate over an object (for garbage collection)
//
// Map layout:
// +---------------+---------------------------------------------+
// | _ Type _ | _ Description _ |
// +---------------+---------------------------------------------+
// | TaggedPointer | map - Always a pointer to the MetaMap root |
// +---------------+---------------------------------------------+
// | Int | The first int field |
// `---+----------+---------------------------------------------+
// | Byte | [instance_size] |
// +----------+---------------------------------------------+
// | Byte | If Map for a primitive type: |
// | | native context index for constructor fn |
// | | If Map for an Object type: |
// | | inobject properties start offset in words |
// +----------+---------------------------------------------+
// | Byte | [used_or_unused_instance_size_in_words] |
// | | For JSObject in fast mode this byte encodes |
// | | the size of the object that includes only |
// | | the used property fields or the slack size |
// | | in properties backing store. |
// +----------+---------------------------------------------+
// | Byte | [visitor_id] |
// +----+----------+---------------------------------------------+
// | Int | The second int field |
// `---+----------+---------------------------------------------+
// | Short | [instance_type] |
// +----------+---------------------------------------------+
// | Byte | [bit_field] |
// | | - has_non_instance_prototype (bit 0) |
// | | - is_callable (bit 1) |
// | | - has_named_interceptor (bit 2) |
// | | - has_indexed_interceptor (bit 3) |
// | | - is_undetectable (bit 4) |
// | | - is_access_check_needed (bit 5) |
// | | - is_constructor (bit 6) |
// | | - has_prototype_slot (bit 7) |
// +----------+---------------------------------------------+
// | Byte | [bit_field2] |
// | | - is_extensible (bit 0) |
// | | - is_prototype_map (bit 1) |
// | | - is_in_retained_map_list (bit 2) |
// | | - elements_kind (bits 3..7) |
// +----+----------+---------------------------------------------+
// | Int | [bit_field3] |
// | | - enum_length (bit 0..9) |
// | | - number_of_own_descriptors (bit 10..19) |
// | | - is_dictionary_map (bit 20) |
// | | - owns_descriptors (bit 21) |
// | | - has_hidden_prototype (bit 22) |
// | | - is_deprecated (bit 23) |
// | | - is_unstable (bit 24) |
// | | - is_migration_target (bit 25) |
// | | - is_immutable_proto (bit 26) |
// | | - new_target_is_base (bit 27) |
// | | - may_have_interesting_symbols (bit 28) |
// | | - construction_counter (bit 29..31) |
// | | |
// +*************************************************************+
// | Int | On systems with 64bit pointer types, there |
// | | is an unused 32bits after bit_field3 |
// +*************************************************************+
// | TaggedPointer | [prototype] |
// +---------------+---------------------------------------------+
// | TaggedPointer | [constructor_or_backpointer] |
// +---------------+---------------------------------------------+
// | TaggedPointer | If Map is a prototype map: |
// | | [prototype_info] |
// | | Else: |
// | | [raw_transitions] |
// +---------------+---------------------------------------------+
// | TaggedPointer | [instance_descriptors] |
// +*************************************************************+
// ! TaggedPointer ! [layout_descriptors] !
// ! ! Field is only present if compile-time flag !
// ! ! FLAG_unbox_double_fields is enabled !
// ! ! (basically on 64 bit architectures) !
// +*************************************************************+
// | TaggedPointer | [dependent_code] |
// +---------------+---------------------------------------------+
class Map : public HeapObject {
public:
// Instance size.
// Size in bytes or kVariableSizeSentinel if instances do not have
// a fixed size.
DECL_INT_ACCESSORS(instance_size)
// Size in words or kVariableSizeSentinel if instances do not have
// a fixed size.
DECL_INT_ACCESSORS(instance_size_in_words)
// [inobject_properties_start_or_constructor_function_index]:
// Provides access to the inobject properties start offset in words in case of
// JSObject maps, or the constructor function index in case of primitive maps.
DECL_INT_ACCESSORS(inobject_properties_start_or_constructor_function_index)
// Get/set the in-object property area start offset in words in the object.
inline int GetInObjectPropertiesStartInWords() const;
inline void SetInObjectPropertiesStartInWords(int value);
// Count of properties allocated in the object (JSObject only).
inline int GetInObjectProperties() const;
// Index of the constructor function in the native context (primitives only),
// or the special sentinel value to indicate that there is no object wrapper
// for the primitive (i.e. in case of null or undefined).
static const int kNoConstructorFunctionIndex = 0;
inline int GetConstructorFunctionIndex() const;
inline void SetConstructorFunctionIndex(int value);
static MaybeHandle<JSFunction> GetConstructorFunction(
Handle<Map> map, Handle<Context> native_context);
// Retrieve interceptors.
inline InterceptorInfo* GetNamedInterceptor();
inline InterceptorInfo* GetIndexedInterceptor();
// Instance type.
DECL_PRIMITIVE_ACCESSORS(instance_type, InstanceType)
// Returns the size of the used in-object area including object header
// (only used for JSObject in fast mode, for the other kinds of objects it
// is equal to the instance size).
inline int UsedInstanceSize() const;
// Tells how many unused property fields (in-object or out-of object) are
// available in the instance (only used for JSObject in fast mode).
inline int UnusedPropertyFields() const;
// Tells how many unused in-object property words are present.
inline int UnusedInObjectProperties() const;
// Updates the counters tracking unused fields in the object.
inline void SetInObjectUnusedPropertyFields(int unused_property_fields);
// Updates the counters tracking unused fields in the property array.
inline void SetOutOfObjectUnusedPropertyFields(int unused_property_fields);
inline void CopyUnusedPropertyFields(Map* map);
inline void CopyUnusedPropertyFieldsAdjustedForInstanceSize(Map* map);
inline void AccountAddedPropertyField();
inline void AccountAddedOutOfObjectPropertyField(
int unused_in_property_array);
//
// Bit field.
//
DECL_PRIMITIVE_ACCESSORS(bit_field, byte)
// Bit positions for |bit_field|.
#define MAP_BIT_FIELD_FIELDS(V, _) \
V(HasNonInstancePrototypeBit, bool, 1, _) \
V(IsCallableBit, bool, 1, _) \
V(HasNamedInterceptorBit, bool, 1, _) \
V(HasIndexedInterceptorBit, bool, 1, _) \
V(IsUndetectableBit, bool, 1, _) \
V(IsAccessCheckNeededBit, bool, 1, _) \
V(IsConstructorBit, bool, 1, _) \
V(HasPrototypeSlotBit, bool, 1, _)
DEFINE_BIT_FIELDS(MAP_BIT_FIELD_FIELDS)
#undef MAP_BIT_FIELD_FIELDS
//
// Bit field 2.
//
DECL_PRIMITIVE_ACCESSORS(bit_field2, byte)
// Bit positions for |bit_field2|.
#define MAP_BIT_FIELD2_FIELDS(V, _) \
V(IsExtensibleBit, bool, 1, _) \
V(IsPrototypeMapBit, bool, 1, _) \
V(IsInRetainedMapListBit, bool, 1, _) \
V(ElementsKindBits, ElementsKind, 5, _)
DEFINE_BIT_FIELDS(MAP_BIT_FIELD2_FIELDS)
#undef MAP_BIT_FIELD2_FIELDS
//
// Bit field 3.
//
DECL_PRIMITIVE_ACCESSORS(bit_field3, uint32_t)
// Bit positions for |bit_field3|.
#define MAP_BIT_FIELD3_FIELDS(V, _) \
V(EnumLengthBits, int, kDescriptorIndexBitCount, _) \
V(NumberOfOwnDescriptorsBits, int, kDescriptorIndexBitCount, _) \
V(IsDictionaryMapBit, bool, 1, _) \
V(OwnsDescriptorsBit, bool, 1, _) \
V(HasHiddenPrototypeBit, bool, 1, _) \
V(IsDeprecatedBit, bool, 1, _) \
V(IsUnstableBit, bool, 1, _) \
V(IsMigrationTargetBit, bool, 1, _) \
V(IsImmutablePrototypeBit, bool, 1, _) \
V(NewTargetIsBaseBit, bool, 1, _) \
V(MayHaveInterestingSymbolsBit, bool, 1, _) \
V(ConstructionCounterBits, int, 3, _)
DEFINE_BIT_FIELDS(MAP_BIT_FIELD3_FIELDS)
#undef MAP_BIT_FIELD3_FIELDS
STATIC_ASSERT(NumberOfOwnDescriptorsBits::kMax >= kMaxNumberOfDescriptors);
static const int kSlackTrackingCounterStart = 7;
static const int kSlackTrackingCounterEnd = 1;
static const int kNoSlackTracking = 0;
STATIC_ASSERT(kSlackTrackingCounterStart <= ConstructionCounterBits::kMax);
// Inobject slack tracking is the way to reclaim unused inobject space.
//
// The instance size is initially determined by adding some slack to
// expected_nof_properties (to allow for a few extra properties added
// after the constructor). There is no guarantee that the extra space
// will not be wasted.
//
// Here is the algorithm to reclaim the unused inobject space:
// - Detect the first constructor call for this JSFunction.
// When it happens enter the "in progress" state: initialize construction
// counter in the initial_map.
// - While the tracking is in progress initialize unused properties of a new
// object with one_pointer_filler_map instead of undefined_value (the "used"
// part is initialized with undefined_value as usual). This way they can
// be resized quickly and safely.
// - Once enough objects have been created compute the 'slack'
// (traverse the map transition tree starting from the
// initial_map and find the lowest value of unused_property_fields).
// - Traverse the transition tree again and decrease the instance size
// of every map. Existing objects will resize automatically (they are
// filled with one_pointer_filler_map). All further allocations will
// use the adjusted instance size.
// - SharedFunctionInfo's expected_nof_properties left unmodified since
// allocations made using different closures could actually create different
// kind of objects (see prototype inheritance pattern).
//
// Important: inobject slack tracking is not attempted during the snapshot
// creation.
static const int kGenerousAllocationCount =
kSlackTrackingCounterStart - kSlackTrackingCounterEnd + 1;
// Starts the tracking by initializing object constructions countdown counter.
void StartInobjectSlackTracking();
// True if the object constructions countdown counter is a range
// [kSlackTrackingCounterEnd, kSlackTrackingCounterStart].
inline bool IsInobjectSlackTrackingInProgress() const;
// Does the tracking step.
inline void InobjectSlackTrackingStep(Isolate* isolate);
// Computes inobject slack for the transition tree starting at this initial
// map.
int ComputeMinObjectSlack(Isolate* isolate);
inline int InstanceSizeFromSlack(int slack) const;
// Completes inobject slack tracking for the transition tree starting at this
// initial map.
void CompleteInobjectSlackTracking(Isolate* isolate);
// Tells whether the object in the prototype property will be used
// for instances created from this function. If the prototype
// property is set to a value that is not a JSObject, the prototype
// property will not be used to create instances of the function.
// See ECMA-262, 13.2.2.
DECL_BOOLEAN_ACCESSORS(has_non_instance_prototype)
// Tells whether the instance has a [[Construct]] internal method.
// This property is implemented according to ES6, section 7.2.4.
DECL_BOOLEAN_ACCESSORS(is_constructor)
// Tells whether the instance with this map may have properties for
// interesting symbols on it.
// An "interesting symbol" is one for which Name::IsInterestingSymbol()
// returns true, i.e. a well-known symbol like @@toStringTag.
DECL_BOOLEAN_ACCESSORS(may_have_interesting_symbols)
DECL_BOOLEAN_ACCESSORS(has_prototype_slot)
// Tells whether the instance with this map has a hidden prototype.
DECL_BOOLEAN_ACCESSORS(has_hidden_prototype)
// Records and queries whether the instance has a named interceptor.
DECL_BOOLEAN_ACCESSORS(has_named_interceptor)
// Records and queries whether the instance has an indexed interceptor.
DECL_BOOLEAN_ACCESSORS(has_indexed_interceptor)
// Tells whether the instance is undetectable.
// An undetectable object is a special class of JSObject: 'typeof' operator
// returns undefined, ToBoolean returns false. Otherwise it behaves like
// a normal JS object. It is useful for implementing undetectable
// document.all in Firefox & Safari.
// See https://bugzilla.mozilla.org/show_bug.cgi?id=248549.
DECL_BOOLEAN_ACCESSORS(is_undetectable)
// Tells whether the instance has a [[Call]] internal method.
// This property is implemented according to ES6, section 7.2.3.
DECL_BOOLEAN_ACCESSORS(is_callable)
DECL_BOOLEAN_ACCESSORS(new_target_is_base)
DECL_BOOLEAN_ACCESSORS(is_extensible)
DECL_BOOLEAN_ACCESSORS(is_prototype_map)
inline bool is_abandoned_prototype_map() const;
// Whether the instance has been added to the retained map list by
// Heap::AddRetainedMap.
DECL_BOOLEAN_ACCESSORS(is_in_retained_map_list)
DECL_PRIMITIVE_ACCESSORS(elements_kind, ElementsKind)
// Tells whether the instance has fast elements that are only Smis.
inline bool has_fast_smi_elements() const;
// Tells whether the instance has fast elements.
inline bool has_fast_object_elements() const;
inline bool has_fast_smi_or_object_elements() const;
inline bool has_fast_double_elements() const;
inline bool has_fast_elements() const;
inline bool has_sloppy_arguments_elements() const;
inline bool has_fast_sloppy_arguments_elements() const;
inline bool has_fast_string_wrapper_elements() const;
inline bool has_fixed_typed_array_elements() const;
inline bool has_dictionary_elements() const;
static bool IsValidElementsTransition(ElementsKind from_kind,
ElementsKind to_kind);
// Returns true if the current map doesn't have DICTIONARY_ELEMENTS but if a
// map with DICTIONARY_ELEMENTS was found in the prototype chain.
bool DictionaryElementsInPrototypeChainOnly(Isolate* isolate);
inline Map* ElementsTransitionMap();
inline FixedArrayBase* GetInitialElements() const;
// [raw_transitions]: Provides access to the transitions storage field.
// Don't call set_raw_transitions() directly to overwrite transitions, use
// the TransitionArray::ReplaceTransitions() wrapper instead!
DECL_ACCESSORS(raw_transitions, MaybeObject)
// [prototype_info]: Per-prototype metadata. Aliased with transitions
// (which prototype maps don't have).
DECL_ACCESSORS(prototype_info, Object)
// PrototypeInfo is created lazily using this helper (which installs it on
// the given prototype's map).
static Handle<PrototypeInfo> GetOrCreatePrototypeInfo(
Handle<JSObject> prototype, Isolate* isolate);
static Handle<PrototypeInfo> GetOrCreatePrototypeInfo(
Handle<Map> prototype_map, Isolate* isolate);
inline bool should_be_fast_prototype_map() const;
static void SetShouldBeFastPrototypeMap(Handle<Map> map, bool value,
Isolate* isolate);
// [prototype chain validity cell]: Associated with a prototype object,
// stored in that object's map, indicates that prototype chains through this
// object are currently valid. The cell will be invalidated and replaced when
// the prototype chain changes. When there's nothing to guard (for example,
// when direct prototype is null or Proxy) this function returns Smi with
// |kPrototypeChainValid| sentinel value.
static Handle<Object> GetOrCreatePrototypeChainValidityCell(Handle<Map> map,
Isolate* isolate);
static const int kPrototypeChainValid = 0;
static const int kPrototypeChainInvalid = 1;
static bool IsPrototypeChainInvalidated(Map* map);
// Return the map of the root of object's prototype chain.
Map* GetPrototypeChainRootMap(Isolate* isolate) const;
Map* FindRootMap(Isolate* isolate) const;
Map* FindFieldOwner(Isolate* isolate, int descriptor) const;
inline int GetInObjectPropertyOffset(int index) const;
int NumberOfFields() const;
bool HasOutOfObjectProperties() const;
// Returns true if transition to the given map requires special
// synchronization with the concurrent marker.
bool TransitionRequiresSynchronizationWithGC(Map* target) const;
// Returns true if transition to the given map removes a tagged in-object
// field.
bool TransitionRemovesTaggedField(Map* target) const;
// Returns true if transition to the given map replaces a tagged in-object
// field with an untagged in-object field.
bool TransitionChangesTaggedFieldToUntaggedField(Map* target) const;
// TODO(ishell): candidate with JSObject::MigrateToMap().
bool InstancesNeedRewriting(Map* target) const;
bool InstancesNeedRewriting(Map* target, int target_number_of_fields,
int target_inobject, int target_unused,
int* old_number_of_fields) const;
// TODO(ishell): moveit!
static Handle<Map> GeneralizeAllFields(Isolate* isolate, Handle<Map> map);
V8_WARN_UNUSED_RESULT static Handle<FieldType> GeneralizeFieldType(
Representation rep1, Handle<FieldType> type1, Representation rep2,
Handle<FieldType> type2, Isolate* isolate);
static void GeneralizeField(Isolate* isolate, Handle<Map> map,
int modify_index, PropertyConstness new_constness,
Representation new_representation,
Handle<FieldType> new_field_type);
// Returns true if |descriptor|'th property is a field that may be generalized
// by just updating current map.
static inline bool IsInplaceGeneralizableField(PropertyConstness constness,
Representation representation,
FieldType* field_type);
// Generalizes constness, representation and field_type if objects with given
// instance type can have fast elements that can be transitioned by stubs or
// optimized code to more general elements kind.
// This generalization is necessary in order to ensure that elements kind
// transitions performed by stubs / optimized code don't silently transition
// PropertyConstness::kMutable fields back to VariableMode::kConst state or
// fields with HeapObject representation and "Any" type back to "Class" type.
static inline void GeneralizeIfCanHaveTransitionableFastElementsKind(
Isolate* isolate, InstanceType instance_type,
PropertyConstness* constness, Representation* representation,
Handle<FieldType>* field_type);
static Handle<Map> ReconfigureProperty(Isolate* isolate, Handle<Map> map,
int modify_index,
PropertyKind new_kind,
PropertyAttributes new_attributes,
Representation new_representation,
Handle<FieldType> new_field_type);
static Handle<Map> ReconfigureElementsKind(Isolate* isolate, Handle<Map> map,
ElementsKind new_elements_kind);
static Handle<Map> PrepareForDataProperty(Isolate* isolate,
Handle<Map> old_map,
int descriptor_number,
PropertyConstness constness,
Handle<Object> value);
static Handle<Map> Normalize(Isolate* isolate, Handle<Map> map,
PropertyNormalizationMode mode,
const char* reason);
// Tells whether the map is used for JSObjects in dictionary mode (ie
// normalized objects, ie objects for which HasFastProperties returns false).
// A map can never be used for both dictionary mode and fast mode JSObjects.
// False by default and for HeapObjects that are not JSObjects.
DECL_BOOLEAN_ACCESSORS(is_dictionary_map)
// Tells whether the instance needs security checks when accessing its
// properties.
DECL_BOOLEAN_ACCESSORS(is_access_check_needed)
// [prototype]: implicit prototype object.
DECL_ACCESSORS(prototype, Object)
// TODO(jkummerow): make set_prototype private.
static void SetPrototype(Isolate* isolate, Handle<Map> map,
Handle<Object> prototype,
bool enable_prototype_setup_mode = true);
// [constructor]: points back to the function or FunctionTemplateInfo
// responsible for this map.
// The field overlaps with the back pointer. All maps in a transition tree
// have the same constructor, so maps with back pointers can walk the
// back pointer chain until they find the map holding their constructor.
// Returns null_value if there's neither a constructor function nor a
// FunctionTemplateInfo available.
DECL_ACCESSORS(constructor_or_backpointer, Object)
inline Object* GetConstructor() const;
inline FunctionTemplateInfo* GetFunctionTemplateInfo() const;
inline void SetConstructor(Object* constructor,
WriteBarrierMode mode = UPDATE_WRITE_BARRIER);
// [back pointer]: points back to the parent map from which a transition
// leads to this map. The field overlaps with the constructor (see above).
inline Object* GetBackPointer() const;
inline void SetBackPointer(Object* value,
WriteBarrierMode mode = UPDATE_WRITE_BARRIER);
// [instance descriptors]: describes the object.
DECL_ACCESSORS(instance_descriptors, DescriptorArray)
// [layout descriptor]: describes the object layout.
DECL_ACCESSORS(layout_descriptor, LayoutDescriptor)
// |layout descriptor| accessor which can be used from GC.
inline LayoutDescriptor* layout_descriptor_gc_safe() const;
inline bool HasFastPointerLayout() const;
// |layout descriptor| accessor that is safe to call even when
// FLAG_unbox_double_fields is disabled (in this case Map does not contain
// |layout_descriptor| field at all).
inline LayoutDescriptor* GetLayoutDescriptor() const;
inline void UpdateDescriptors(DescriptorArray* descriptors,
LayoutDescriptor* layout_descriptor);
inline void InitializeDescriptors(DescriptorArray* descriptors,
LayoutDescriptor* layout_descriptor);
// [dependent code]: list of optimized codes that weakly embed this map.
DECL_ACCESSORS(dependent_code, DependentCode)
// [prototype_validity_cell]: Cell containing the validity bit for prototype
// chains or Smi(0) if uninitialized.
// The meaning of this validity cell is different for prototype maps and
// non-prototype maps.
// For prototype maps the validity bit "guards" modifications of prototype
// chains going through this object. When a prototype object changes, both its
// own validity cell and those of all "downstream" prototypes are invalidated;
// handlers for a given receiver embed the currently valid cell for that
// receiver's prototype during their creation and check it on execution.
// For non-prototype maps which are used as transitioning store handlers this
// field contains the validity cell which guards modifications of this map's
// prototype.
DECL_ACCESSORS(prototype_validity_cell, Object)
// Returns true if prototype validity cell value represents "valid" prototype
// chain state.
inline bool IsPrototypeValidityCellValid() const;
inline PropertyDetails GetLastDescriptorDetails() const;
inline int LastAdded() const;
inline int NumberOfOwnDescriptors() const;
inline void SetNumberOfOwnDescriptors(int number);
inline Cell* RetrieveDescriptorsPointer();
// Checks whether all properties are stored either in the map or on the object
// (inobject, properties, or elements backing store), requiring no special
// checks.
bool OnlyHasSimpleProperties() const;
inline int EnumLength() const;
inline void SetEnumLength(int length);
DECL_BOOLEAN_ACCESSORS(owns_descriptors)
inline void mark_unstable();
inline bool is_stable() const;
DECL_BOOLEAN_ACCESSORS(is_migration_target)
DECL_BOOLEAN_ACCESSORS(is_immutable_proto)
// This counter is used for in-object slack tracking.
// The in-object slack tracking is considered enabled when the counter is
// non zero. The counter only has a valid count for initial maps. For
// transitioned maps only kNoSlackTracking has a meaning, namely that inobject
// slack tracking already finished for the transition tree. Any other value
// indicates that either inobject slack tracking is still in progress, or that
// the map isn't part of the transition tree anymore.
DECL_INT_ACCESSORS(construction_counter)
DECL_BOOLEAN_ACCESSORS(is_deprecated)
inline bool CanBeDeprecated() const;
// Returns a non-deprecated version of the input. If the input was not
// deprecated, it is directly returned. Otherwise, the non-deprecated version
// is found by re-transitioning from the root of the transition tree using the
// descriptor array of the map. Returns MaybeHandle<Map>() if no updated map
// is found.
static MaybeHandle<Map> TryUpdate(Isolate* isolate,
Handle<Map> map) V8_WARN_UNUSED_RESULT;
// Returns a non-deprecated version of the input. This method may deprecate
// existing maps along the way if encodings conflict. Not for use while
// gathering type feedback. Use TryUpdate in those cases instead.
static Handle<Map> Update(Isolate* isolate, Handle<Map> map);
static inline Handle<Map> CopyInitialMap(Isolate* isolate, Handle<Map> map);
static Handle<Map> CopyInitialMap(Isolate* isolate, Handle<Map> map,
int instance_size, int in_object_properties,
int unused_property_fields);
static Handle<Map> CopyInitialMapNormalized(
Isolate* isolate, Handle<Map> map,
PropertyNormalizationMode mode = CLEAR_INOBJECT_PROPERTIES);
static Handle<Map> CopyDropDescriptors(Isolate* isolate, Handle<Map> map);
static Handle<Map> CopyInsertDescriptor(Isolate* isolate, Handle<Map> map,
Descriptor* descriptor,
TransitionFlag flag);
static MaybeObjectHandle WrapFieldType(Isolate* isolate,
Handle<FieldType> type);
static FieldType* UnwrapFieldType(MaybeObject* wrapped_type);
V8_WARN_UNUSED_RESULT static MaybeHandle<Map> CopyWithField(
Isolate* isolate, Handle<Map> map, Handle<Name> name,
Handle<FieldType> type, PropertyAttributes attributes,
PropertyConstness constness, Representation representation,
TransitionFlag flag);
V8_WARN_UNUSED_RESULT static MaybeHandle<Map> CopyWithConstant(
Isolate* isolate, Handle<Map> map, Handle<Name> name,
Handle<Object> constant, PropertyAttributes attributes,
TransitionFlag flag);
// Returns a new map with all transitions dropped from the given map and
// the ElementsKind set.
static Handle<Map> TransitionElementsTo(Isolate* isolate, Handle<Map> map,
ElementsKind to_kind);
static Handle<Map> AsElementsKind(Isolate* isolate, Handle<Map> map,
ElementsKind kind);
static Handle<Map> CopyAsElementsKind(Isolate* isolate, Handle<Map> map,
ElementsKind kind, TransitionFlag flag);
static Handle<Map> AsLanguageMode(Isolate* isolate, Handle<Map> initial_map,
Handle<SharedFunctionInfo> shared_info);
static Handle<Map> CopyForPreventExtensions(Isolate* isolate, Handle<Map> map,
PropertyAttributes attrs_to_add,
Handle<Symbol> transition_marker,
const char* reason);
static Handle<Map> FixProxy(Handle<Map> map, InstanceType type, int size);
// Maximal number of fast properties. Used to restrict the number of map
// transitions to avoid an explosion in the number of maps for objects used as
// dictionaries.
inline bool TooManyFastProperties(StoreFromKeyed store_mode) const;
static Handle<Map> TransitionToDataProperty(Isolate* isolate, Handle<Map> map,
Handle<Name> name,
Handle<Object> value,
PropertyAttributes attributes,
PropertyConstness constness,
StoreFromKeyed store_mode);
static Handle<Map> TransitionToAccessorProperty(
Isolate* isolate, Handle<Map> map, Handle<Name> name, int descriptor,
Handle<Object> getter, Handle<Object> setter,
PropertyAttributes attributes);
static Handle<Map> ReconfigureExistingProperty(Isolate* isolate,
Handle<Map> map,
int descriptor,
PropertyKind kind,
PropertyAttributes attributes);
inline void AppendDescriptor(Descriptor* desc);
// Returns a copy of the map, prepared for inserting into the transition
// tree (if the |map| owns descriptors then the new one will share
// descriptors with |map|).
static Handle<Map> CopyForTransition(Isolate* isolate, Handle<Map> map,
const char* reason);
// Returns a copy of the map, with all transitions dropped from the
// instance descriptors.
static Handle<Map> Copy(Isolate* isolate, Handle<Map> map,
const char* reason);
static Handle<Map> Create(Isolate* isolate, int inobject_properties);
// Returns the next free property index (only valid for FAST MODE).
int NextFreePropertyIndex() const;
// Returns the number of enumerable properties.
int NumberOfEnumerableProperties() const;
DECL_CAST(Map)
static inline int SlackForArraySize(int old_size, int size_limit);
static void EnsureDescriptorSlack(Isolate* isolate, Handle<Map> map,
int slack);
// Returns the map to be used for instances when the given {prototype} is
// passed to an Object.create call. Might transition the given {prototype}.
static Handle<Map> GetObjectCreateMap(Isolate* isolate,
Handle<HeapObject> prototype);
// Similar to {GetObjectCreateMap} but does not transition {prototype} and
// fails gracefully by returning an empty handle instead.
static MaybeHandle<Map> TryGetObjectCreateMap(Isolate* isolate,
Handle<HeapObject> prototype);
// Computes a hash value for this map, to be used in HashTables and such.
int Hash();
// Returns the transitioned map for this map with the most generic
// elements_kind that's found in |candidates|, or |nullptr| if no match is
// found at all.
Map* FindElementsKindTransitionedMap(Isolate* isolate,
MapHandles const& candidates);
inline static bool IsJSObject(InstanceType type);
inline bool CanTransition() const;
inline bool IsBooleanMap() const;
inline bool IsNullMap() const;
inline bool IsUndefinedMap() const;
inline bool IsNullOrUndefinedMap() const;
inline bool IsPrimitiveMap() const;
inline bool IsJSReceiverMap() const;
inline bool IsJSObjectMap() const;
inline bool IsJSPromiseMap() const;
inline bool IsJSArrayMap() const;
inline bool IsJSFunctionMap() const;
inline bool IsStringMap() const;
inline bool IsJSProxyMap() const;
inline bool IsModuleMap() const;
inline bool IsJSGlobalProxyMap() const;
inline bool IsJSGlobalObjectMap() const;
inline bool IsJSTypedArrayMap() const;
inline bool IsJSDataViewMap() const;
inline bool IsSpecialReceiverMap() const;
inline bool IsCustomElementsReceiverMap() const;
bool IsMapInArrayPrototypeChain(Isolate* isolate) const;
// Dispatched behavior.
DECL_PRINTER(Map)
DECL_VERIFIER(Map)
#ifdef VERIFY_HEAP
void DictionaryMapVerify(Isolate* isolate);
#endif
DECL_PRIMITIVE_ACCESSORS(visitor_id, VisitorId)
static Handle<Map> TransitionToPrototype(Isolate* isolate, Handle<Map> map,
Handle<Object> prototype);
static Handle<Map> TransitionToImmutableProto(Isolate* isolate,
Handle<Map> map);
static const int kMaxPreAllocatedPropertyFields = 255;
// Layout description.
#define MAP_FIELDS(V) \
/* Raw data fields. */ \
V(kInstanceSizeInWordsOffset, kUInt8Size) \
V(kInObjectPropertiesStartOrConstructorFunctionIndexOffset, kUInt8Size) \
V(kUsedOrUnusedInstanceSizeInWordsOffset, kUInt8Size) \
V(kVisitorIdOffset, kUInt8Size) \
V(kInstanceTypeOffset, kUInt16Size) \
V(kBitFieldOffset, kUInt8Size) \
V(kBitField2Offset, kUInt8Size) \
V(kBitField3Offset, kUInt32Size) \
V(k64BitArchPaddingOffset, kPointerSize == kUInt32Size ? 0 : kUInt32Size) \
/* Pointer fields. */ \
V(kPointerFieldsBeginOffset, 0) \
V(kPrototypeOffset, kPointerSize) \
V(kConstructorOrBackPointerOffset, kPointerSize) \
V(kTransitionsOrPrototypeInfoOffset, kPointerSize) \
V(kDescriptorsOffset, kPointerSize) \
V(kLayoutDescriptorOffset, FLAG_unbox_double_fields ? kPointerSize : 0) \
V(kDependentCodeOffset, kPointerSize) \
V(kPrototypeValidityCellOffset, kPointerSize) \
V(kPointerFieldsEndOffset, 0) \
/* Total size. */ \
V(kSize, 0)
DEFINE_FIELD_OFFSET_CONSTANTS(HeapObject::kHeaderSize, MAP_FIELDS)
#undef MAP_FIELDS
STATIC_ASSERT(kInstanceTypeOffset == Internals::kMapInstanceTypeOffset);
class BodyDescriptor;
// Compares this map to another to see if they describe equivalent objects.
// If |mode| is set to CLEAR_INOBJECT_PROPERTIES, |other| is treated as if
// it had exactly zero inobject properties.
// The "shared" flags of both this map and |other| are ignored.
bool EquivalentToForNormalization(const Map* other,
PropertyNormalizationMode mode) const;
// Returns true if given field is unboxed double.
inline bool IsUnboxedDoubleField(FieldIndex index) const;
void PrintMapDetails(std::ostream& os);
static inline Handle<Map> AddMissingTransitionsForTesting(
Isolate* isolate, Handle<Map> split_map,
Handle<DescriptorArray> descriptors,
Handle<LayoutDescriptor> full_layout_descriptor);
// Fires when the layout of an object with a leaf map changes.
// This includes adding transitions to the leaf map or changing
// the descriptor array.
inline void NotifyLeafMapLayoutChange(Isolate* isolate);
static VisitorId GetVisitorId(Map* map);
// Returns true if objects with given instance type are allowed to have
// fast transitionable elements kinds. This predicate is used to ensure
// that objects that can have transitionable fast elements kind will not
// get in-place generalizable fields because the elements kind transition
// performed by stubs or optimized code can't properly generalize such
// fields.
static inline bool CanHaveFastTransitionableElementsKind(
InstanceType instance_type);
inline bool CanHaveFastTransitionableElementsKind() const;
private:
// This byte encodes either the instance size without the in-object slack or
// the slack size in properties backing store.
// Let H be JSObject::kHeaderSize / kPointerSize.
// If value >= H then:
// - all field properties are stored in the object.
// - there is no property array.
// - value * kPointerSize is the actual object size without the slack.
// Otherwise:
// - there is no slack in the object.
// - the property array has value slack slots.
// Note that this encoding requires that H = JSObject::kFieldsAdded.
DECL_INT_ACCESSORS(used_or_unused_instance_size_in_words)
// Returns the map that this (root) map transitions to if its elements_kind
// is changed to |elements_kind|, or |nullptr| if no such map is cached yet.
Map* LookupElementsTransitionMap(Isolate* isolate,
ElementsKind elements_kind);
// Tries to replay property transitions starting from this (root) map using
// the descriptor array of the |map|. The |root_map| is expected to have
// proper elements kind and therefore elements kinds transitions are not
// taken by this function. Returns |nullptr| if matching transition map is
// not found.
Map* TryReplayPropertyTransitions(Isolate* isolate, Map* map);
static void ConnectTransition(Isolate* isolate, Handle<Map> parent,
Handle<Map> child, Handle<Name> name,
SimpleTransitionFlag flag);
bool EquivalentToForTransition(const Map* other) const;
bool EquivalentToForElementsKindTransition(const Map* other) const;
static Handle<Map> RawCopy(Isolate* isolate, Handle<Map> map,
int instance_size, int inobject_properties);
static Handle<Map> ShareDescriptor(Isolate* isolate, Handle<Map> map,
Handle<DescriptorArray> descriptors,
Descriptor* descriptor);
static Handle<Map> AddMissingTransitions(
Isolate* isolate, Handle<Map> map, Handle<DescriptorArray> descriptors,
Handle<LayoutDescriptor> full_layout_descriptor);
static void InstallDescriptors(
Isolate* isolate, Handle<Map> parent_map, Handle<Map> child_map,
int new_descriptor, Handle<DescriptorArray> descriptors,
Handle<LayoutDescriptor> full_layout_descriptor);
static Handle<Map> CopyAddDescriptor(Isolate* isolate, Handle<Map> map,
Descriptor* descriptor,
TransitionFlag flag);
static Handle<Map> CopyReplaceDescriptors(
Isolate* isolate, Handle<Map> map, Handle<DescriptorArray> descriptors,
Handle<LayoutDescriptor> layout_descriptor, TransitionFlag flag,
MaybeHandle<Name> maybe_name, const char* reason,
SimpleTransitionFlag simple_flag);
static Handle<Map> CopyReplaceDescriptor(Isolate* isolate, Handle<Map> map,
Handle<DescriptorArray> descriptors,
Descriptor* descriptor, int index,
TransitionFlag flag);
static Handle<Map> CopyNormalized(Isolate* isolate, Handle<Map> map,
PropertyNormalizationMode mode);
// TODO(ishell): Move to MapUpdater.
static Handle<Map> CopyGeneralizeAllFields(Isolate* isolate, Handle<Map> map,
ElementsKind elements_kind,
int modify_index,
PropertyKind kind,
PropertyAttributes attributes,
const char* reason);
void DeprecateTransitionTree(Isolate* isolate);
void ReplaceDescriptors(Isolate* isolate, DescriptorArray* new_descriptors,
LayoutDescriptor* new_layout_descriptor);
// Update field type of the given descriptor to new representation and new
// type. The type must be prepared for storing in descriptor array:
// it must be either a simple type or a map wrapped in a weak cell.
void UpdateFieldType(Isolate* isolate, int descriptor_number,
Handle<Name> name, PropertyConstness new_constness,
Representation new_representation,
MaybeObjectHandle new_wrapped_type);
// TODO(ishell): Move to MapUpdater.
void PrintReconfiguration(Isolate* isolate, FILE* file, int modify_index,
PropertyKind kind, PropertyAttributes attributes);
// TODO(ishell): Move to MapUpdater.
void PrintGeneralization(
Isolate* isolate, FILE* file, const char* reason, int modify_index,
int split, int descriptors, bool constant_to_field,
Representation old_representation, Representation new_representation,
MaybeHandle<FieldType> old_field_type, MaybeHandle<Object> old_value,
MaybeHandle<FieldType> new_field_type, MaybeHandle<Object> new_value);
static const int kFastPropertiesSoftLimit = 12;
static const int kMaxFastProperties = 128;
friend class MapUpdater;
DISALLOW_IMPLICIT_CONSTRUCTORS(Map);
};
// The cache for maps used by normalized (dictionary mode) objects.
// Such maps do not have property descriptors, so a typical program
// needs very limited number of distinct normalized maps.
class NormalizedMapCache : public WeakFixedArray,
public NeverReadOnlySpaceObject {
public:
using NeverReadOnlySpaceObject::GetHeap;
using NeverReadOnlySpaceObject::GetIsolate;
static Handle<NormalizedMapCache> New(Isolate* isolate);
V8_WARN_UNUSED_RESULT MaybeHandle<Map> Get(Handle<Map> fast_map,
PropertyNormalizationMode mode);
void Set(Handle<Map> fast_map, Handle<Map> normalized_map);
DECL_CAST(NormalizedMapCache)
static inline bool IsNormalizedMapCache(const HeapObject* obj);
DECL_VERIFIER(NormalizedMapCache)
private:
static const int kEntries = 64;
static inline int GetIndex(Handle<Map> map);
// The following declarations hide base class methods.
Object* get(int index);
void set(int index, Object* value);
};
} // namespace internal
} // namespace v8
#include "src/objects/object-macros-undef.h"
#endif // V8_OBJECTS_MAP_H_