pub struct Value {
pub asBits_: u64,
}
[SMDOC] JS::Value type
JS::Value is the interface for a single JavaScript Engine value. A few general notes on JS::Value:
- JS::Value has setX() and isX() members for X in { Int32, Double, String, Symbol, BigInt, Boolean, Undefined, Null, Object, Magic }. JS::Value also contains toX() for each of the non-singleton types.
- Magic is a singleton type whose payload contains either a JSWhyMagic "reason" for the magic value or a uint32_t value. By providing JSWhyMagic values when creating and checking for magic values, it is possible to assert, at runtime, that only magic values with the expected reason flow through a particular value. For example, if cx->exception has a magic value, the reason must be JS_GENERATOR_CLOSING.
- The JS::Value operations are preferred. The JSVAL_* operations remain for compatibility; they may be removed at some point. These operations mostly provide similar functionality, but there are a few key differences. One is that JS::Value gives null a separate type. Also, to help prevent mistakenly boxing a nullable JSObject* as an object, Value::setObject takes a JSObject&. (Conversely, Value::toObject returns a JSObject&.) A convenience member Value::setObjectOrNull is provided.
- Note that JS::Value is 8 bytes on both 32-bit and 64-bit architectures. Thus, on 32-bit platforms, user code should avoid copying jsval/JS::Value as much as possible, preferring to pass by const Value&.
Spectre mitigations
To mitigate Spectre attacks, we do the following:
- On 64-bit platforms, when unboxing a Value, we XOR the bits with the expected type tag (instead of masking the payload bits). This guarantees that toString, toObject and toSymbol will return an invalid pointer (because some high bits will be set) when called on a Value with a different type tag.
- On 32-bit platforms, when unboxing an object/string/symbol Value, we use a conditional move (not speculated) to zero the payload register if the type doesn't match.
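The 64-bit XOR unboxing described above, compared with mask-based unboxing, as an added example that is not SpiderMonkey or mozjs code. The tag shift, the tag numbers and the sample address are assumptions chosen for illustration, not the engine's constants.

```rust
// Simplified 64-bit boxing: type tag in the high bits, 47-bit payload below.
// TAG_SHIFT and the tag numbers are assumptions for this example.
const TAG_SHIFT: u32 = 47;
const PAYLOAD_MASK: u64 = (1u64 << TAG_SHIFT) - 1;
const TAG_STRING: u64 = 0x1FFF6;
const TAG_OBJECT: u64 = 0x1FFFC;

fn box_ptr(tag: u64, ptr: u64) -> u64 {
    assert_eq!(ptr & !PAYLOAD_MASK, 0, "pointer must fit in the payload");
    (tag << TAG_SHIFT) | ptr
}

// Masking drops the tag, so the payload comes back whatever the tag was.
// If the preceding type check is mispredicted, this is still a usable pointer.
fn unbox_by_mask(bits: u64) -> u64 {
    bits & PAYLOAD_MASK
}

// XOR with the expected tag: a matching tag cancels to zero, any other tag
// leaves (actual ^ expected) in the high bits of the result.
fn unbox_by_xor(bits: u64, expected_tag: u64) -> u64 {
    bits ^ (expected_tag << TAG_SHIFT)
}

// True when bits above the payload are set, i.e. not an address we boxed.
fn has_high_bits(addr: u64) -> bool {
    (addr & !PAYLOAD_MASK) != 0
}

fn main() {
    let ptr = 0x7f12_3456_7890u64; // constructed sample address
    let s = box_ptr(TAG_STRING, ptr);

    // Correct type: both strategies recover the pointer.
    println!("mask, as string: {:#018x}", unbox_by_mask(s));
    println!("xor,  as string: {:#018x}", unbox_by_xor(s, TAG_STRING));

    // Wrong type (string Value read as an object): masking still yields the
    // pointer, XOR yields an address with high bits set.
    let confused = unbox_by_xor(s, TAG_OBJECT);
    println!("mask, as object: {:#018x}", unbox_by_mask(s));
    println!("xor,  as object: {:#018x} high_bits={}", confused, has_high_bits(confused));
}
```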
Fields
asBits_: u64