/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
 * vim: set ts=8 sts=4 et sw=4 tw=99:
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef vm_ArgumentsObject_h
#define vm_ArgumentsObject_h

#include "mozilla/MemoryReporting.h"

#include "gc/Barrier.h"
#include "vm/NativeObject.h"

namespace js {

class AbstractFramePtr;
class ScriptFrameIter;

namespace jit {
class JitFrameLayout;
} // namespace jit

// RareArgumentsData stores the deleted-elements bits for an arguments object.
// Because |delete arguments[i]| is uncommon, we allocate this data the first
// time an element is deleted.
class RareArgumentsData
{
    // Pointer to an array of bits indicating, for every argument in
    // [0, initialLength) whether the element has been deleted. See
    // ArgumentsObject::isElementDeleted comment.
    size_t deletedBits_[1];

    RareArgumentsData() = default;
    RareArgumentsData(const RareArgumentsData&) = delete;
    void operator=(const RareArgumentsData&) = delete;

  public:
    static RareArgumentsData* create(JSContext* cx, ArgumentsObject* obj);
    static size_t bytesRequired(size_t numActuals);

    bool isAnyElementDeleted(size_t len) const {
        return IsAnyBitArrayElementSet(deletedBits_, len);
    }
    bool isElementDeleted(size_t len, size_t i) const {
        MOZ_ASSERT(i < len);
        return IsBitArrayElementSet(deletedBits_, len, i);
    }
    void markElementDeleted(size_t len, size_t i) {
        MOZ_ASSERT(i < len);
        SetBitArrayElement(deletedBits_, len, i);
    }
};

/*
 * ArgumentsData stores the initial indexed arguments provided to the
 * corresponding and that function itself.  It is used to store arguments[i]
 * and arguments.callee -- up until the corresponding property is modified,
 * when the relevant value is flagged to memorialize the modification.
 */
struct ArgumentsData
{
    /*
     * numArgs = Max(numFormalArgs, numActualArgs)
     * The array 'args' has numArgs elements.
     */
    uint32_t    numArgs;

    RareArgumentsData* rareData;

    /*
     * This array holds either the current argument value or the magic
     * forwarding value. The latter means that the function has both a
     * CallObject and an ArgumentsObject AND the particular formal variable is
     * aliased by the CallObject. In such cases, the CallObject holds the
     * canonical value so any element access to the arguments object should load
     * the value out of the CallObject (which is pointed to by MAYBE_CALL_SLOT).
     */
    GCPtrValue args[1];

    /* For jit use: */
    static ptrdiff_t offsetOfArgs() { return offsetof(ArgumentsData, args); }

    /* Iterate args. */
    GCPtrValue* begin() { return args; }
    const GCPtrValue* begin() const { return args; }
    GCPtrValue* end() { return args + numArgs; }
    const GCPtrValue* end() const { return args + numArgs; }

    static size_t bytesRequired(size_t numArgs) {
        return offsetof(ArgumentsData, args) + numArgs * sizeof(Value);
    }
};

// Maximum supported value of arguments.length. This bounds the maximum
// number of arguments that can be supplied to Function.prototype.apply.
// This value also bounds the number of elements parsed in an array
// initializer.
// NB: keep this in sync with the copy in builtin/SelfHostingDefines.h.
static const unsigned ARGS_LENGTH_MAX = 500 * 1000;

/*
 * ArgumentsObject instances represent |arguments| objects created to store
 * function arguments when a function is called.  It's expensive to create such
 * objects if they're never used, so they're only created when they are
 * potentially used.
 *
 * Arguments objects are complicated because, for non-strict mode code, they
 * must alias any named arguments which were provided to the function.  Gnarly
 * example:
 *
 *   function f(a, b, c, d)
 *   {
 *     arguments[0] = "seta";
 *     assertEq(a, "seta");
 *     b = "setb";
 *     assertEq(arguments[1], "setb");
 *     c = "setc";
 *     assertEq(arguments[2], undefined);
 *     arguments[3] = "setd";
 *     assertEq(d, undefined);
 *   }
 *   f("arga", "argb");
 *
 * ES5's strict mode behaves more sanely, and named arguments don't alias
 * elements of an arguments object.
 *
 * ArgumentsObject instances use the following reserved slots:
 *
 *   INITIAL_LENGTH_SLOT
 *     Stores the initial value of arguments.length, plus a bit indicating
 *     whether arguments.length and/or arguments[@@iterator] have been
 *     modified.  Use initialLength(), hasOverriddenLength(), and
 *     hasOverriddenIterator() to access these values.  If arguments.length has
 *     been modified, then the current value of arguments.length is stored in
 *     another slot associated with a new property.
 *   DATA_SLOT
 *     Stores an ArgumentsData*, described above.
 *   MAYBE_CALL_SLOT
 *     Stores the CallObject, if the callee has aliased bindings. See
 *     the ArgumentsData::args comment.
 *   CALLEE_SLOT
 *     Stores the initial arguments.callee. This value can be overridden on
 *     mapped arguments objects, see hasOverriddenCallee.
 */
class ArgumentsObject : public NativeObject
{
  protected:
    static const uint32_t INITIAL_LENGTH_SLOT = 0;
    static const uint32_t DATA_SLOT = 1;
    static const uint32_t MAYBE_CALL_SLOT = 2;
    static const uint32_t CALLEE_SLOT = 3;

  public:
    static const uint32_t LENGTH_OVERRIDDEN_BIT = 0x1;
    static const uint32_t ITERATOR_OVERRIDDEN_BIT = 0x2;
    static const uint32_t ELEMENT_OVERRIDDEN_BIT = 0x4;
    static const uint32_t CALLEE_OVERRIDDEN_BIT = 0x8;
    static const uint32_t PACKED_BITS_COUNT = 4;

    static_assert(ARGS_LENGTH_MAX <= (UINT32_MAX >> PACKED_BITS_COUNT),
                  "Max arguments length must fit in available bits");

  protected:
    template <typename CopyArgs>
    static ArgumentsObject* create(JSContext* cx, HandleFunction callee, unsigned numActuals,
                                   CopyArgs& copy);

    ArgumentsData* data() const {
        return reinterpret_cast<ArgumentsData*>(getFixedSlot(DATA_SLOT).toPrivate());
    }

    RareArgumentsData* maybeRareData() const {
        return data()->rareData;
    }

    MOZ_MUST_USE bool createRareData(JSContext* cx);

    RareArgumentsData* getOrCreateRareData(JSContext* cx) {
        if (!data()->rareData && !createRareData(cx))
            return nullptr;
        return data()->rareData;
    }

    static bool obj_delProperty(JSContext* cx, HandleObject obj, HandleId id,
                                ObjectOpResult& result);

  public:
    static const uint32_t RESERVED_SLOTS = 4;
    static const gc::AllocKind FINALIZE_KIND = gc::AllocKind::OBJECT4_BACKGROUND;

    /* Create an arguments object for a frame that is expecting them. */
    static ArgumentsObject* createExpected(JSContext* cx, AbstractFramePtr frame);

    /*
     * Purposefully disconnect the returned arguments object from the frame
     * by always creating a new copy that does not alias formal parameters.
     * This allows function-local analysis to determine that formals are
     * not aliased and generally simplifies arguments objects.
     */
    static ArgumentsObject* createUnexpected(JSContext* cx, ScriptFrameIter& iter);
    static ArgumentsObject* createUnexpected(JSContext* cx, AbstractFramePtr frame);
    static ArgumentsObject* createForIon(JSContext* cx, jit::JitFrameLayout* frame,
                                         HandleObject scopeChain);

    /*
     * Allocate ArgumentsData and fill reserved slots after allocating an
     * ArgumentsObject in Ion code.
     */
    static ArgumentsObject* finishForIon(JSContext* cx, jit::JitFrameLayout* frame,
                                         JSObject* scopeChain, ArgumentsObject* obj);

    static ArgumentsObject* createTemplateObject(JSContext* cx, bool mapped);

    /*
     * Return the initial length of the arguments.  This may differ from the
     * current value of arguments.length!
     */
    uint32_t initialLength() const {
        uint32_t argc = uint32_t(getFixedSlot(INITIAL_LENGTH_SLOT).toInt32()) >> PACKED_BITS_COUNT;
        MOZ_ASSERT(argc <= ARGS_LENGTH_MAX);
        return argc;
    }

    /* True iff arguments.length has been assigned or its attributes changed. */
    bool hasOverriddenLength() const {
        const Value& v = getFixedSlot(INITIAL_LENGTH_SLOT);
        return v.toInt32() & LENGTH_OVERRIDDEN_BIT;
    }

    void markLengthOverridden() {
        uint32_t v = getFixedSlot(INITIAL_LENGTH_SLOT).toInt32() | LENGTH_OVERRIDDEN_BIT;
        setFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(v));
    }

    /* True iff arguments[@@iterator] has been assigned or its attributes
     * changed. */
    bool hasOverriddenIterator() const {
        const Value& v = getFixedSlot(INITIAL_LENGTH_SLOT);
        return v.toInt32() & ITERATOR_OVERRIDDEN_BIT;
    }

    void markIteratorOverridden() {
        uint32_t v = getFixedSlot(INITIAL_LENGTH_SLOT).toInt32() | ITERATOR_OVERRIDDEN_BIT;
        setFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(v));
    }

    /* True iff any element has been assigned or its attributes
     * changed. */
    bool hasOverriddenElement() const {
        const Value& v = getFixedSlot(INITIAL_LENGTH_SLOT);
        return v.toInt32() & ELEMENT_OVERRIDDEN_BIT;
    }

    void markElementOverridden() {
        uint32_t v = getFixedSlot(INITIAL_LENGTH_SLOT).toInt32() | ELEMENT_OVERRIDDEN_BIT;
        setFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(v));
    }

    /*
     * Because the arguments object is a real object, its elements may be
     * deleted. This is implemented by setting a 'deleted' flag for the arg
     * which is read by argument object resolve and getter/setter hooks.
     *
     * NB: an element, once deleted, stays deleted. Thus:
     *
     *   function f(x) { delete arguments[0]; arguments[0] = 42; return x }
     *   assertEq(f(1), 1);
     *
     * This works because, once a property is deleted from an arguments object,
     * it gets regular properties with regular getters/setters that don't alias
     * ArgumentsData::slots.
     */
    bool isElementDeleted(uint32_t i) const {
        MOZ_ASSERT(i < data()->numArgs);
        if (i >= initialLength())
            return false;
        return maybeRareData() && maybeRareData()->isElementDeleted(initialLength(), i);
    }

    bool isAnyElementDeleted() const {
        return maybeRareData() && maybeRareData()->isAnyElementDeleted(initialLength());
    }

    bool markElementDeleted(JSContext* cx, uint32_t i);

    /*
     * An ArgumentsObject serves two roles:
     *  - a real object, accessed through regular object operations, e.g..,
     *    GetElement corresponding to 'arguments[i]';
     *  - a VM-internal data structure, storing the value of arguments (formal
     *    and actual) that are accessed directly by the VM when a reading the
     *    value of a formal parameter.
     * There are two ways to access the ArgumentsData::args corresponding to
     * these two use cases:
     *  - object access should use elements(i) which will take care of
     *    forwarding when the value is the magic forwarding value;
     *  - VM argument access should use arg(i) which will assert that the
     *    value is not the magic forwarding value (since, if such forwarding was
     *    needed, the frontend should have emitted JSOP_GETALIASEDVAR).
     */
    const Value& element(uint32_t i) const;

    inline void setElement(JSContext* cx, uint32_t i, const Value& v);

    const Value& arg(unsigned i) const {
        MOZ_ASSERT(i < data()->numArgs);
        const Value& v = data()->args[i];
        MOZ_ASSERT(!v.isMagic());
        return v;
    }

    void setArg(unsigned i, const Value& v) {
        MOZ_ASSERT(i < data()->numArgs);
        GCPtrValue& lhs = data()->args[i];
        MOZ_ASSERT(!lhs.isMagic());
        lhs = v;
    }

    /*
     * Attempt to speedily and efficiently access the i-th element of this
     * arguments object.  Return true if the element was speedily returned.
     * Return false if the element must be looked up more slowly using
     * getProperty or some similar method. The second overload copies the
     * elements [start, start + count) into the locations starting at 'vp'.
     *
     * NB: Returning false does not indicate error!
     */
    bool maybeGetElement(uint32_t i, MutableHandleValue vp) {
        if (i >= initialLength() || isElementDeleted(i))
            return false;
        vp.set(element(i));
        return true;
    }

    inline bool maybeGetElements(uint32_t start, uint32_t count, js::Value* vp);

    /*
     * Measures things hanging off this ArgumentsObject that are counted by the
     * |miscSize| argument in JSObject::sizeOfExcludingThis().
     */
    size_t sizeOfMisc(mozilla::MallocSizeOf mallocSizeOf) const {
        if (!data()) // Template arguments objects have no data.
            return 0;
        return mallocSizeOf(data()) + mallocSizeOf(maybeRareData());
    }
    size_t sizeOfData() const {
        return ArgumentsData::bytesRequired(data()->numArgs) +
               (maybeRareData() ? RareArgumentsData::bytesRequired(initialLength()) : 0);
    }

    static void finalize(FreeOp* fop, JSObject* obj);
    static void trace(JSTracer* trc, JSObject* obj);
    static size_t objectMovedDuringMinorGC(JSTracer* trc, JSObject* dst, JSObject* src);

    /* For jit use: */
    static size_t getDataSlotOffset() {
        return getFixedSlotOffset(DATA_SLOT);
    }
    static size_t getInitialLengthSlotOffset() {
        return getFixedSlotOffset(INITIAL_LENGTH_SLOT);
    }

    static Value MagicEnvSlotValue(uint32_t slot) {
        // When forwarding slots to a backing CallObject, the slot numbers are
        // stored as uint32 magic values. This raises an ambiguity if we have
        // also copied JS_OPTIMIZED_OUT magic from a JIT frame or
        // JS_UNINITIALIZED_LEXICAL magic on the CallObject. To distinguish
        // normal magic values (those with a JSWhyMagic) and uint32 magic
        // values, we add the maximum JSWhyMagic value to the slot
        // number. This is safe as ARGS_LENGTH_MAX is well below UINT32_MAX.
        JS_STATIC_ASSERT(UINT32_MAX - JS_WHY_MAGIC_COUNT > ARGS_LENGTH_MAX);
        return JS::MagicValueUint32(slot + JS_WHY_MAGIC_COUNT);
    }
    static uint32_t SlotFromMagicScopeSlotValue(const Value& v) {
        JS_STATIC_ASSERT(UINT32_MAX - JS_WHY_MAGIC_COUNT > ARGS_LENGTH_MAX);
        return v.magicUint32() - JS_WHY_MAGIC_COUNT;
    }
    static bool IsMagicScopeSlotValue(const Value& v) {
        return v.isMagic() && v.magicUint32() > JS_WHY_MAGIC_COUNT;
    }

    static void MaybeForwardToCallObject(AbstractFramePtr frame, ArgumentsObject* obj,
                                         ArgumentsData* data);
    static void MaybeForwardToCallObject(jit::JitFrameLayout* frame, HandleObject callObj,
                                         ArgumentsObject* obj, ArgumentsData* data);
};

class MappedArgumentsObject : public ArgumentsObject
{
    static const ClassOps classOps_;

  public:
    static const Class class_;

    JSFunction& callee() const {
        return getFixedSlot(CALLEE_SLOT).toObject().as<JSFunction>();
    }

    bool hasOverriddenCallee() const {
        const Value& v = getFixedSlot(INITIAL_LENGTH_SLOT);
        return v.toInt32() & CALLEE_OVERRIDDEN_BIT;
    }

    void markCalleeOverridden() {
        uint32_t v = getFixedSlot(INITIAL_LENGTH_SLOT).toInt32() | CALLEE_OVERRIDDEN_BIT;
        setFixedSlot(INITIAL_LENGTH_SLOT, Int32Value(v));
    }

  private:
    static bool obj_enumerate(JSContext* cx, HandleObject obj);
    static bool obj_resolve(JSContext* cx, HandleObject obj, HandleId id, bool* resolvedp);
};

class UnmappedArgumentsObject : public ArgumentsObject
{
    static const ClassOps classOps_;

  public:
    static const Class class_;

  private:
    static bool obj_enumerate(JSContext* cx, HandleObject obj);
    static bool obj_resolve(JSContext* cx, HandleObject obj, HandleId id, bool* resolvedp);
};

} // namespace js

template<>
inline bool
JSObject::is<js::ArgumentsObject>() const
{
    return is<js::MappedArgumentsObject>() || is<js::UnmappedArgumentsObject>();
}

#endif /* vm_ArgumentsObject_h */