# Spidermonkey Internals
###### tags: `browser exploitation`
## Value's memory layout
```javascript=
// Trick for finding the address of a JSObject: set a breakpoint on the
// native behind Math.atan2 (js::math_atan2 in js/src/jsmath.cpp), then call
// it with the object of interest. Natives have the signature
//   bool fn(JSContext* cx, unsigned argc, JS::Value* vp)
// so the third argument vp points to an array of JS::Values:
//   vp[0] = callee, vp[1] = this, vp[2] = first argument, ...
// In gdb: `b js::math_atan2`, run the snippet, then `x/4gx vp` and read
// vp[2]; its low 47 bits (the payload) are the JSObject* of `a`.
Address = Math.atan2
a = [1,2,3,4]
Address(a)
```
- A JS::Value is a single 64-bit word (NaN-boxing on 64-bit builds), laid out as follows:
- Doubles are stored as their raw 8-byte IEEE-754 bit pattern. Every other type keeps a 17-bit tag in the top bits and a JSVAL_TAG_SHIFT-bit (47-bit) payload in the low bits. All tags sit above the largest bit pattern a valid double can have, so the two never collide (the engine canonicalises NaN to keep it that way).
```
JS::Value  == (JSValueTag << JSVAL_TAG_SHIFT) | payload
JSValueTag == JSVAL_TAG_CLEAR | JSValueType        (JSVAL_TAG_CLEAR = 0x1fff0)
For example:
int a = 0x1337
--------------------------------------------------
JSVAL_TYPE_INT32 = 0x01
JSVAL_TAG_INT32  = 0x1fff0 | 0x01 = 0x1fff1
payload          = 0x1337
JSVAL_TAG_SHIFT  = 47
JS::Value == (0x1fff1 << 47) | 0x1337 = 0xfff8800000001337
--------------------------------------------------
0xfff8800000001337 is how the JS::Value of 'a' is laid out in memory.
An object pointer uses JSVAL_TAG_OBJECT = 0x1fffc, so it shows up as 0xfffe... | pointer.
```
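As an added example (not code from the original notes, and not engine code), here is a BigInt model of the encoding above, so the tag and payload arithmetic can be checked exactly. It assumes the 64-bit layout with JSVAL_TAG_SHIFT = 47 and the tag constants from js/public/Value.h; the function names (boxInt32, boxDouble, boxObject, unbox, hex) and the object address used at the end are invented for illustration.

```javascript
// Added example: BigInt model of SpiderMonkey's 64-bit JS::Value encoding.
// Tag values follow js/public/Value.h; the helpers below are invented names.
const JSVAL_TAG_SHIFT = 47n;
const JSVAL_TAG_CLEAR = 0x1FFF0n;                        // also JSVAL_TAG_MAX_DOUBLE
const JSVAL_PAYLOAD_MASK = (1n << JSVAL_TAG_SHIFT) - 1n; // low 47 bits
const JSVAL_TYPE_INT32 = 0x01n;
const JSVAL_TYPE_STRING = 0x06n;
const JSVAL_TYPE_OBJECT = 0x0Cn;
const shiftedTag = (type) => (JSVAL_TAG_CLEAR | type) << JSVAL_TAG_SHIFT;

const view = new DataView(new ArrayBuffer(8));
function doubleToBits(d) {
  // SpiderMonkey canonicalises NaN so its tag bits stay <= JSVAL_TAG_CLEAR;
  // any other NaN bit pattern would be misread as a tagged value.
  if (Number.isNaN(d)) return 0x7FF8000000000000n;
  view.setFloat64(0, d);
  return view.getBigUint64(0);
}
function bitsToDouble(bits) {
  view.setBigUint64(0, bits);
  return view.getFloat64(0);
}

function boxInt32(n) {
  if (!Number.isInteger(n) || n < -0x80000000 || n > 0x7FFFFFFF) throw new RangeError("not an int32");
  // payload = the low 32 bits of the two's-complement integer
  return shiftedTag(JSVAL_TYPE_INT32) | (BigInt(n) & 0xFFFFFFFFn);
}
function boxDouble(d) {
  return doubleToBits(d); // doubles are stored as their raw IEEE-754 bits
}
function boxObject(addr) {
  if (addr < 0n || addr > JSVAL_PAYLOAD_MASK) throw new RangeError("pointer does not fit in 47 bits");
  return shiftedTag(JSVAL_TYPE_OBJECT) | addr;
}

// Decode a raw 64-bit word the way the engine does: if the top 17 bits are
// <= JSVAL_TAG_CLEAR it is a double, otherwise the low nibble of the tag is
// the JSValueType and the low 47 bits are the payload.
function unbox(v) {
  const tag = v >> JSVAL_TAG_SHIFT;
  if (tag <= JSVAL_TAG_CLEAR) return { type: "double", value: bitsToDouble(v) };
  const payload = v & JSVAL_PAYLOAD_MASK;
  switch (tag & 0xFn) {
    case JSVAL_TYPE_INT32:  return { type: "int32", value: Number(BigInt.asIntN(32, payload)) };
    case JSVAL_TYPE_STRING: return { type: "string", value: payload }; // JSString*
    case JSVAL_TYPE_OBJECT: return { type: "object", value: payload }; // JSObject*
    default:                return { type: "other", tagType: tag & 0xFn, value: payload };
  }
}

const hex = (v) => "0x" + v.toString(16).padStart(16, "0");

// The worked example from the notes: int 0x1337 -> 0xfff8800000001337.
console.log(hex(boxInt32(0x1337)), unbox(0xfff8800000001337n));
// A made-up object address gets the 0xfffe... prefix seen in a debugger.
console.log(hex(boxObject(0x7f1234567890n)));
```

Run it with a recent Node.js (BigInt and DataView.getBigUint64 are needed). The boundary case worth noting is the NaN check in doubleToBits: a non-canonical NaN such as 0xfff8800000001337 is exactly what the int32 0x1337 looks like, which is why the engine never lets an arbitrary NaN pattern into a Value.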
## Objects and Shapes
In JavaScript, an object (think of a dictionary) has properties and values:
- a = {x:5} ==> x = property, 5 = value

SpiderMonkey stores the two separately for performance. The property side (its name, attributes, and the index of the slot that holds the value) is described by a **Shape**; the object itself only keeps a pointer to its current Shape plus an array of slots containing the values. Shapes are linked in a chain (a tree of transitions, one per property added), so every object that gains the same properties in the same order shares the same Shapes instead of carrying its own property table.
### Named properties
```javascript=
// Example code
var a = {}          // starts out with the empty Shape and no slots
a.x = "hello"       // transition: empty -> x, value stored in slot 0
a.y = 0x1234        // transition: x -> y, value stored in slot 1
// a second object that adds x then y reuses exactly this Shape chain
```
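To make the sharing concrete, here is a toy model of the Shape chain, added as an illustration of the paragraph and snippet above; it is not SpiderMonkey's own code. Class and method names (Shape, ToyObject, addProperty, lookup, demo) are invented, and it omits fixed vs. dynamic slots, property attributes and dictionary-mode objects.

```javascript
// Added example: toy model of SpiderMonkey's shape tree. Names are invented.
class Shape {
  constructor(parent, name, slot) {
    this.parent = parent;        // previous Shape in the chain (null for the empty Shape)
    this.name = name;            // property this Shape adds
    this.slot = slot;            // index in the object's slots array holding the value
    this.children = new Map();   // transition table: name -> child Shape
  }
  get slotCount() { return this.parent === null ? 0 : this.slot + 1; }
  // Follow the transition for `name`, creating it once; later objects reuse it.
  addProperty(name) {
    let child = this.children.get(name);
    if (!child) {
      child = new Shape(this, name, this.slotCount);
      this.children.set(name, child);
    }
    return child;
  }
  // Walk the chain back to the root looking for `name`; -1 if absent.
  lookup(name) {
    for (let s = this; s.parent !== null; s = s.parent) if (s.name === name) return s.slot;
    return -1;
  }
  keys() {
    const out = [];
    for (let s = this; s.parent !== null; s = s.parent) out.unshift(s.name);
    return out;
  }
}
const EMPTY_SHAPE = new Shape(null, null, -1);

// An object is just (pointer to last Shape, slots with the values).
class ToyObject {
  constructor() { this.shape = EMPTY_SHAPE; this.slots = []; }
  set(name, value) {
    let slot = this.shape.lookup(name);
    if (slot === -1) {                       // new property: take a transition
      this.shape = this.shape.addProperty(name);
      slot = this.shape.slot;
    }
    this.slots[slot] = value;                // existing property: only the slot changes
    return this;
  }
  get(name) {
    const slot = this.shape.lookup(name);
    return slot === -1 ? undefined : this.slots[slot];
  }
}

function demo() {
  const a = new ToyObject().set("x", "hello").set("y", 0x1234);
  const b = new ToyObject().set("x", "world").set("y", 0x5678);
  const c = new ToyObject().set("y", 1).set("x", 2);   // same names, different order
  const shapeBefore = a.shape;
  a.set("x", "again");                                  // overwrite: slot reused, no transition
  return {
    aSharesWithB: a.shape === b.shape,
    aSharesWithC: a.shape === c.shape,
    reassignKeepsShape: a.shape === shapeBefore,
    aKeys: a.shape.keys(),
    aSlots: a.slots,
    cSlots: c.slots,
  };
}

console.log(demo());
```

The thing to take away for exploitation work is the split itself: corrupting an object's Shape pointer changes what the engine believes about the property layout, while the slots array (the values) is what actually gets read and written, and the two are not checked against each other on every access.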

### Arrays
```javascript=
var a = []      // dense elements live in a separate buffer preceded by an ObjectElements header
a.push(0x1)     // header: flags, initializedLength, capacity, length (uint32 each), then the JS::Values
a.push(0x2)     // elements are JS::Values, so 0x1 is stored as 0xfff8800000000001
```

### ArrayBuffer
