在文中中，大家来剖析JavaScript在运行内存中的基础结构，另外了解一下在其中牵涉到的butterfly（蝶式）结构。

我们可以根据运行内存中的 *** Object结构来掌握JavaScriptCore內部完成。以前saelo早已在phrack的一篇文章中探讨过这些方面內容，但希望能运用上一篇文章中详细介绍的程序调试技术性来剖析这种知识要点。在上一篇文章中，大家迅速过去了一遍[1, 2, 3, 4]数组的运行内存结构，找到这种标值，但大家还发觉这种标值的上位统统被设定为0xffff，这儿大家来了解一下怎么会出現这类状况。

0x01 *** Value源码

JavaScript中有一个十分关键的类，能够用于解决各种各样标值： *** Value类。我们可以在 *** C *** Value.h源代码中见到类界定，依据类界定，此类应当能够解决多种类型值，如Integer、Double或是Boolean。

//[...]

bool isInt32() const;

bool isUInt32() const;

bool isDouble() const;

bool isTrue() const;

bool isFalse() const;

int32_t asInt32() const;

uint32_t asUInt32() const;

int64_t asAnyInt() const;

uint32_t asUInt32AsAnyInt() const;

int32_t asInt32AsAnyInt() const;

double asDouble() const;

bool asBoolean() const;

double asNumber() const;

//[...]

这一类中包括一个c语言编译器电源开关，对于32位及64位构架能够应用不一样的完成。但如今绝大多数全是64位构架，因而大家关键关心这些方面完成。编码中也有一大段注解，表述了什么叫 *** Value。认真阅读注解，后边大家将数次回望在其中內容。

//[...]

#elif USE( *** VALUE64)

/*

* On 64-bit platforms USE( *** VALUE64) should be defined, and we use a NaN-encoded

* form for immediates.

*

* The encoding makes use of unused NaN space in the IEEE754 representation. Any value

* with the top 13 bits set represents a QNaN (with the sign bit set). QNaN values

* can encode a 51-bit payload. Hardware produced and C-library payloads typically

* have a payload of zero. We assume that non-zero payloads are available to encode

* pointer and integer values. Since any 64-bit bit pattern where the top 15 bits are

* all set represents a NaN with a non-zero payload, we can use this space in the NaN

* ranges to encode other values (however there are also other ranges of NaN space that

* could have been selected).

*

* This range of NaN space is represented by 64-bit numbers begining with the 16-bit

* hex patterns 0xFFFE and 0xFFFF - we rely on the fact that no valid double-precision

* numbers will fall in these ranges.

*

* The top 16-bits denote the type of the encoded *** Value:

*

* Pointer{ 0000:PPPP:PPPP:PPPP

* / 0001:****:****:****

* Double{ ...

* FFFE:****:****:****

* Integer{ FFFF:0000:IIII:IIII

* *

* The scheme we have implemented encodes double precision values by performing a

* 64-bit integer addition of the value 2^48 to the number. After this manipulation

* no encoded double-precision value will begin with the pattern 0x0000 or 0xFFFF.

* Values must be decoded by reversing this operation before subsequent floating point

* operations may be peformed.

*

* 32-bit signed integers are marked with the 16-bit tag 0xFFFF.

*

* The tag 0x0000 denotes a pointer, or another form of tagged immediate. Boolean,

* null and undefined values are represented by specific, invalid pointer values:

*

* False: 0x06

* True: 0x07