| blob | 7941cbd54da6f10e077d579f9d40aeac9c6a2b11 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS function support.
43 */
44 #include <string.h>
76 #if JS_HAS_GENERATORS
78 #endif
80 #if JS_HAS_XDR
82 #endif
84 #ifdef JS_METHODJIT
86 #endif
100 {
102 }
104 JSBool
106 {
113 }
119 }
121 JSBool
123 {
130 Value v;
141 }
143 }
153 }
156 /*
157 * Per ECMA-262 Ed. 3, 10.1.8, last bulleted item, do not share
158 * storage between the formal parameter and arguments[k] for all
159 * fp->argc <= k && k < fp->fun->nargs. For example, in
160 *
161 * function f(x) { x = 42; return arguments[0]; }
162 * f();
163 *
164 * the call to f should return undefined, not 42. If fp->argsobj
165 * is null at this point, as it would be in the example, return
166 * undefined in *vp.
167 */
170 }
176 }
178 }
182 {
198 /* Can't fail from here on, so initialize everything in argsobj. */
200 ? &StrictArgumentsClass
211 }
213 struct STATIC_SKIP_INFERENCE PutArg
214 {
221 }
222 };
224 JSObject *
226 {
227 /*
228 * We must be in a function activation; the function must be lightweight
229 * or else fp must have a variable object.
230 */
236 /* Create an arguments object for fp only if it lacks one. */
240 /* Compute the arguments object's parent slot from fp's scope chain. */
246 /*
247 * Strict mode functions have arguments objects that copy the initial
248 * actual parameter values. It is the caller's responsibility to get the
249 * arguments object before any parameters are modified! (The emitter
250 * ensures this by synthesizing an arguments access at the start of any
251 * strict mode function that contains an assignment to a parameter, or
252 * that calls eval.) Non-strict mode arguments use the frame pointer to
253 * retrieve up-to-date parameter values.
254 */
257 else
262 }
264 void
266 {
274 }
276 }
278 #ifdef JS_TRACER
280 /*
281 * Traced versions of js_GetArgsObject and js_PutArgsObject.
282 */
283 JSObject * JS_FASTCALL
285 {
291 /*
292 * Strict mode callers must copy arguments into the created arguments
293 * object. The trace-JITting code is in TraceRecorder::newArguments.
294 */
298 }
301 }
305 /* FIXME change the return type to void. */
306 JSBool JS_FASTCALL
308 {
312 /*
313 * TraceRecorder::putActivationObjects builds a single, contiguous array of
314 * the arguments, regardless of whether #actuals > #formals so there is no
315 * need to worry about actual vs. formal arguments.
316 */
322 }
326 }
332 static JSBool
334 {
345 }
347 }
351 {
355 /*
356 * We do not attempt to reify Call and Block objects on demand for outer
357 * scopes. This could be done (see the "v8" patch in bug 494235) but it is
358 * fragile in the face of ongoing compile-time optimization. Instead, the
359 * _DBG* opcodes used by wrappers created here must cope with unresolved
360 * upvars and throw them as reference errors. Caveat debuggers!
361 */
387 /* NB: GC must not occur before wscript is homed in wfun->u.i.script. */
421 }
425 }
429 }
433 }
441 }
445 /* FIXME should copy JSOP_TRAP? */
452 /*
453 * Rewrite JSOP_{GET,CALL}FCSLOT as JSOP_{GET,CALL}UPVAR_DBG for the
454 * case where fun is an escaping flat closure. This works because the
455 * UPVAR and FCSLOT ops by design have the same format: an upvar index
456 * immediate operand.
457 */
465 }
467 }
469 /*
470 * Fill in the rest of wscript. This means if you add members to JSScript
471 * you must update this code. FIXME: factor into JSScript::clone method.
472 */
490 #ifdef CHECK_SCRIPT_OWNER
492 #endif
496 /* Deoptimize wfun from FUN_{FLAT,NULL}_CLOSURE to FUN_INTERPRETED. */
500 }
502 static JSBool
504 {
511 /*
512 * arg can exceed the number of arguments if a script changed the
513 * prototype to point to another Arguments object with a bigger argc.
514 */
520 else
522 }
530 /*
531 * If this function or one in it needs upvars that reach above it
532 * in the scope chain, it must not be a null closure (it could be a
533 * flat closure, or an unoptimized closure -- the latter itself not
534 * necessarily heavyweight). Rather than wrap here, we simply throw
535 * to reduce code size and tell debugger users the truth instead of
536 * passing off a fibbing wrapper.
537 */
540 JSMSG_OPTIMIZED_CLOSURE_LEAK);
542 }
544 }
545 }
547 }
549 static JSBool
551 {
552 #ifdef JS_TRACER
553 // To be able to set a property here on trace, we would have to make
554 // sure any updates also get written back to the trace native stack.
555 // For simplicity, we just leave trace, since this is presumably not
556 // a common operation.
558 #endif
572 }
573 }
577 }
579 /*
580 * For simplicity we use delete/define to replace the property with one
581 * backed by the default Object getter and setter. Note that we rely on
582 * args_delProperty to clear the corresponding reserved slot so the GC can
583 * collect its value. Note also that we must define the property instead
584 * of setting it in case the user has changed the prototype to an object
585 * that has a setter for this id.
586 */
590 }
592 static JSBool
595 {
616 }
624 }
626 static JSBool
628 {
631 /*
632 * Trigger reflection in args_resolve using a series of js_LookupProperty
633 * calls.
634 */
647 }
649 }
651 static JSBool
653 {
660 /*
661 * arg can exceed the number of arguments if a script changed the
662 * prototype to point to another Arguments object with a bigger argc.
663 */
669 }
674 }
676 }
678 static JSBool
681 {
690 }
693 }
695 /*
696 * For simplicity we use delete/set to replace the property with one
697 * backed by the default Object getter and setter. Note that we rely on
698 * args_delProperty to clear the corresponding reserved slot so the GC can
699 * collect its value.
700 */
704 }
706 static JSBool
708 {
730 }
735 }
743 }
745 static JSBool
747 {
750 /*
751 * Trigger reflection in strictargs_resolve using a series of
752 * js_LookupProperty calls.
753 */
757 // length
761 // callee
765 // caller
772 }
775 }
777 static void
779 {
781 }
783 /*
784 * If a generator's arguments or call object escapes, and the generator frame
785 * is not executing, the generator object needs to be marked because it is not
786 * otherwise reachable. An executing generator is rooted by its invocation. To
787 * distinguish the two cases (which imply different access paths to the
788 * generator object), we use the JSFRAME_FLOATING_GENERATOR flag, which is only
789 * set on the JSStackFrame kept in the generator object's JSGenerator.
790 */
793 {
794 #if JS_HAS_GENERATORS
799 }
800 #endif
801 }
803 static void
805 {
810 }
818 }
820 /*
821 * The Arguments classes aren't initialized via js_InitClass, because arguments
822 * objects have the initial value of Object.prototype as their [[Prototype]].
823 * However, Object.prototype.toString.call(arguments) === "[object Arguments]"
824 * per ES5 (although not ES3), so the class name is "Arguments" rather than
825 * "Object".
826 *
827 * The JSClass functions below collaborate to lazily reflect and synchronize
828 * actual argument values, argument count, and callee function object stored
829 * in a JSStackFrame with their corresponding property values in the frame's
830 * arguments object.
831 */
832 Class js_ArgumentsClass = {
838 args_delProperty,
841 args_enumerate,
843 ConvertStub,
852 };
856 /*
857 * Strict mode arguments is significantly less magical than non-strict mode
858 * arguments, so it is represented by a different class while sharing some
859 * functionality.
860 */
861 Class StrictArgumentsClass = {
867 args_delProperty,
870 strictargs_enumerate,
872 ConvertStub,
881 };
883 }
885 /*
886 * A Declarative Environment object stores its active JSStackFrame pointer in
887 * its private slot, just as Call and Arguments objects do.
888 */
889 Class js_DeclEnvClass = {
890 js_Object_str,
896 EnumerateStub,
897 ResolveStub,
898 ConvertStub
899 };
901 static JSBool
903 {
912 /*
913 * Any escaping null or flat closure that reaches above itself or
914 * contains nested functions that reach above it must be wrapped.
915 * We can wrap only when this Call or Declarative Environment obj
916 * still has an active stack frame associated with it.
917 */
928 }
931 JSMSG_OPTIMIZED_CLOSURE_LEAK);
933 }
934 }
936 }
938 static JSBool
940 {
942 }
946 /*
947 * Construct a call object for the given bindings. The callee is the function
948 * on behalf of which the call object is being created.
949 */
950 JSObject *
952 {
961 /* Init immediately to avoid GC seeing a half-init'ed object. */
965 /* This must come after callobj->lastProp has been set. */
969 #ifdef DEBUG
975 }
976 }
977 #endif
981 }
987 {
995 }
997 JSObject *
999 {
1000 /* Create a call object for fp only if it lacks one. */
1005 #ifdef DEBUG
1006 /* A call object should be a frame's outermost scope chain element. */
1012 #endif
1014 /*
1015 * Create the call object, using the frame's enclosing scope as its
1016 * parent, and link the call to its stack frame. For a named function
1017 * expression Call's parent points to an environment object holding
1018 * function's name.
1019 */
1027 /* Root envobj before js_DefineNativeProperty (-> JSClass.addProperty). */
1035 }
1036 }
1046 /*
1047 * Push callobj on the top of the scope chain, and make it the
1048 * variables object.
1049 */
1052 }
1054 JSObject * JS_FASTCALL
1055 js_CreateCallObjectOnTrace(JSContext *cx, JSFunction *fun, JSObject *callee, JSObject *scopeChain)
1056 {
1061 }
1063 JS_DEFINE_CALLINFO_4(extern, OBJECT, js_CreateCallObjectOnTrace, CONTEXT, FUNCTION, OBJECT, OBJECT,
1068 {
1073 }
1075 void
1077 {
1080 /*
1081 * Strict mode eval frames have Call objects to put. Normal eval frames
1082 * never put a Call object.
1083 */
1086 /* Get the arguments object to snapshot fp's actual argument values. */
1091 }
1100 /* This could be optimized as below, but keep it simple for now. */
1118 #ifdef JS_METHODJIT
1120 #endif
1121 ) {
1124 /*
1125 * For each arg & var that is closed over, copy it from the stack
1126 * into the call object.
1127 */
1132 }
1138 }
1139 }
1140 }
1142 /* Clear private pointers to fp, which is about to go away (js_Invoke). */
1149 }
1150 }
1154 }
1156 JSBool JS_FASTCALL
1159 {
1168 }
1175 static JSBool
1177 {
1186 }
1188 }
1190 static JSBool
1192 {
1197 }
1199 JSBool
1201 {
1207 else
1210 }
1212 JSBool
1214 {
1221 else
1227 }
1229 JSBool
1231 {
1237 }
1239 JSBool
1241 {
1250 }
1252 JSBool
1254 {
1260 else
1264 }
1266 JSBool
1268 {
1273 }
1275 JSBool
1277 {
1283 /*
1284 * As documented in TraceRecorder::attemptTreeCall(), when recording an
1285 * inner tree call, the recorder assumes the inner tree does not mutate
1286 * any tracked upvars. The abort here is a pessimistic precaution against
1287 * bug 620662, where an inner tree setting a closed stack variable in an
1288 * outer tree is illegal, and runtime would fall off trace.
1289 */
1290 #ifdef JS_TRACER
1295 }
1296 #endif
1301 else
1307 }
1311 #if JS_TRACER
1312 JSBool JS_FASTCALL
1314 {
1317 }
1321 JSBool JS_FASTCALL
1323 {
1326 }
1329 #endif
1331 static JSBool
1334 {
1342 #ifdef DEBUG
1346 }
1347 #endif
1349 /*
1350 * Resolve arguments so that we never store a particular Call object's
1351 * arguments object reference in a Call prototype's |arguments| slot.
1352 *
1353 * Include JSPROP_ENUMERATE for consistency with all other Call object
1354 * properties; see js::Bindings::add and js::Interpret's JSOP_DEFFUN
1355 * rebinding-Call-property logic.
1356 */
1363 }
1366 }
1368 /* Control flow reaches here only if id was not resolved. */
1370 }
1372 static void
1374 {
1377 /*
1378 * FIXME: Hide copies of stack values rooted by fp from the Cycle
1379 * Collector, which currently lacks a non-stub Unlink implementation
1380 * for JS objects (including Call objects), so is unable to collect
1381 * cycles involving Call objects whose frames are active without this
1382 * hiding hack.
1383 */
1389 }
1392 }
1396 JSCLASS_HAS_PRIVATE |
1403 JS_EnumerateStub,
1414 };
1416 bool
1418 {
1422 }
1426 /*
1427 * See the equivalent condition in ArgGetter for the 'callee' id case, but
1428 * note that here we do not want to throw, since this escape can happen via
1429 * a foo.caller reference alone, without any debugger or indirect eval. And
1430 * alas, it seems foo.caller is still used on the Web.
1431 */
1438 }
1443 /*
1444 * Check for an escape attempt by a joined function object, which must go
1445 * through the frame's |this| object's method read barrier for the method
1446 * atom by which it was uniquely associated with a property.
1447 */
1457 /*
1458 * While a non-native object is responsible for handling its
1459 * entire prototype chain, notable non-natives including dense
1460 * and typed arrays have native prototypes, so keep going.
1461 */
1468 /*
1469 * Two cases follow: the method barrier was not crossed
1470 * yet, so we cross it here; the method barrier *was*
1471 * crossed but after the call, in which case we fetch
1472 * and validate the cloned (unjoined) funobj from the
1473 * method property's slot.
1474 *
1475 * In either case we must allow for the method property
1476 * to have been replaced, or its value overwritten.
1477 */
1483 }
1496 }
1497 }
1498 }
1502 }
1508 /*
1509 * At this point, we couldn't find an already-existing clone (or
1510 * force to exist a fresh clone) created via thisp's method read
1511 * barrier, so we must clone fun and store it in fp's callee to
1512 * avoid re-cloning upon repeated foo.caller access.
1513 *
1514 * This must mean the code in js_DeleteProperty could not find this
1515 * stack frame on the stack when the method was deleted. We've lost
1516 * track of the method, so we associate it with the first barriered
1517 * object found starting from thisp on the prototype chain.
1518 */
1526 }
1527 }
1530 }
1532 /* Generic function tinyids. */
1539 };
1541 static JSBool
1543 {
1549 /*
1550 * Loop because getter and setter can be delegated from another class,
1551 * but loop only for FUN_LENGTH because we must pretend that f.length
1552 * is in each function instance f, per ECMA-262, instead of only in the
1553 * Function.prototype object (we use JSPROP_PERMANENT with JSPROP_SHARED
1554 * to make it appear so).
1555 *
1556 * This code couples tightly to the attributes for lazyFunctionDataProps[]
1557 * and poisonPillProps[] initializers below, and to js_SetProperty and
1558 * js_HasOwnProperty.
1559 *
1560 * It's important to allow delegating objects, even though they inherit
1561 * this getter (fun_getProperty), to override arguments, arity, caller,
1562 * and name. If we didn't return early for slot != FUN_LENGTH, we would
1563 * clobber *vp with the native property value, instead of letting script
1564 * override that value in delegating objects.
1565 *
1566 * Note how that clobbering is what simulates JSPROP_READONLY for all of
1567 * the non-standard properties when the directly addressed object (obj)
1568 * is a function object (i.e., when this loop does not iterate).
1569 */
1578 }
1580 /* Find fun's top-most activation record. */
1586 }
1590 /* Warn if strict about f.arguments or equivalent unqualified uses. */
1594 JSMSG_DEPRECATED_USAGE,
1595 js_arguments_str)) {
1597 }
1603 }
1624 /* Censor the caller if it is from another compartment. */
1631 JSMSG_CALLER_IS_STRICT);
1633 }
1634 }
1635 }
1639 /* XXX fun[0] and fun.arguments[0] are equivalent. */
1643 }
1646 }
1649 uint16 atomOffset;
1650 int8 tinyid;
1651 uint8 attrs;
1652 };
1655 uint16 atomOffset;
1656 int8 tinyid;
1657 };
1659 /* NB: no sentinels at ends -- use JS_ARRAY_LENGTH to bound loops. */
1664 };
1666 /* Properties censored into [[ThrowTypeError]] in strict mode. */
1670 };
1672 static JSBool
1674 {
1677 jsid id;
1684 }
1695 }
1702 }
1705 }
1709 {
1710 #ifdef DEBUG
1714 #endif
1716 /*
1717 * Assert that fun is not a compiler-created function object, which
1718 * must never leak to script or embedding code and then be mutated.
1719 * Also assert that obj is not bound, per the ES5 15.3.4.5 ref above.
1720 */
1724 /*
1725 * Make the prototype object an instance of Object with the same parent
1726 * as the function object itself.
1727 */
1736 /*
1737 * ECMA (15.3.5.2) says that a user-defined function's .prototype property
1738 * is non-configurable, non-enumerable, and (initially) writable. Hence
1739 * JSPROP_PERMANENT below. By contrast, the built-in constructors, such as
1740 * Object (15.2.3.1) and Function (15.3.3.1), have non-writable
1741 * .prototype properties. Those are eagerly defined, with attributes
1742 * JSPROP_PERMANENT | JSPROP_READONLY, in js_InitClass.
1743 */
1747 }
1749 static JSBool
1752 {
1759 /*
1760 * Native or "built-in" functions do not have a .prototype property per
1761 * ECMA-262 (all editions). Built-in constructor functions, e.g. Object
1762 * and Function to name two conspicuous examples, do have a .prototype
1763 * property, but it is created eagerly by js_InitClass (jsobj.cpp).
1764 *
1765 * ES5 15.3.4: the non-native function object named Function.prototype
1766 * must not have a .prototype property.
1767 *
1768 * ES5 15.3.4.5: bound functions don't have a prototype property. The
1769 * isNative() test covers this case because bound functions are native
1770 * functions by definition/construction.
1771 */
1779 }
1787 }
1790 }
1803 }
1806 }
1807 }
1815 PropertyOp getter;
1816 StrictPropertyOp setter;
1827 }
1834 }
1837 }
1838 }
1841 }
1843 #if JS_HAS_XDR
1845 /* XXX store parent and proto, if defined */
1846 JSBool
1848 {
1852 plus for fun->u.i.skipmin, fun->u.i.wrapper,
1853 and 14 bits reserved for future use */
1860 JSAutoByteString funNameBytes;
1863 name);
1864 }
1866 }
1868 JSAutoByteString funNameBytes;
1872 }
1882 }
1899 }
1906 #ifdef CHECK_SCRIPT_OWNER
1908 #endif
1911 }
1914 }
1918 #define js_XDRFunctionObject NULL
1922 /*
1923 * [[HasInstance]] internal method for Function objects: fetch the .prototype
1924 * property of its 'this' parameter, and walks the prototype chain of v (only
1925 * if v is an object) returning true if .prototype is found.
1926 */
1927 static JSBool
1929 {
1934 }
1937 Value pval;
1942 /*
1943 * Throw a runtime error if instanceof is called on a function that
1944 * has a non-object as its .prototype value.
1945 */
1948 }
1952 }
1954 static void
1956 {
1957 /* A newborn function object may have a not yet initialized private slot. */
1963 /* obj is a cloned function object, trace the clone-parent, fun. */
1966 /* The function could be a flat closure with upvar copies in the clone. */
1970 }
1972 }
1979 }
1981 static void
1983 {
1984 /* Ignore newborn function objects. */
1989 /* Cloned function objects may be flat closures with upvars to free. */
1994 }
1996 /*
1997 * Null-check fun->script() because the parser sets interpreted very early.
1998 */
2001 }
2003 /*
2004 * Reserve two slots in all function objects for XPConnect. Note that this
2005 * does not bloat every instance, only those on which reserved slots are set,
2006 * and those on which ad-hoc properties are defined.
2007 */
2009 js_Function_str,
2017 fun_enumerate,
2019 ConvertStub,
2020 fun_finalize,
2025 js_XDRFunctionObject,
2026 fun_hasInstance,
2028 };
2030 JSString *
2032 {
2037 JSMSG_INCOMPATIBLE_PROTO,
2041 }
2051 }
2061 }
2063 static JSBool
2065 {
2082 }
2084 #if JS_HAS_TOSOURCE
2085 static JSBool
2087 {
2100 }
2101 #endif
2103 JSBool
2105 {
2114 JSMSG_INCOMPATIBLE_PROTO,
2117 }
2118 }
2120 }
2123 Value thisv;
2129 argc--;
2130 argv++;
2131 }
2133 /* Allocate stack space for fval, obj, and the args. */
2134 InvokeArgsGuard args;
2138 /* Push fval, thisv, and the args. */
2146 }
2148 /* ES5 15.3.4.3 */
2149 JSBool
2151 {
2152 /* Step 1. */
2159 JSMSG_INCOMPATIBLE_PROTO,
2162 }
2163 }
2165 }
2167 /* Step 2. */
2171 /* N.B. Changes need to be propagated to stubs::SplatApplyArgs. */
2173 /* Step 3. */
2177 }
2179 /*
2180 * Steps 4-5 (note erratum removing steps originally numbered 5 and 7 in
2181 * original version of ES5).
2182 */
2184 jsuint length;
2190 /* Step 6. */
2193 InvokeArgsGuard args;
2197 /* Push fval, obj, and aobj's elements as args. */
2201 /* Steps 7-8. */
2205 /* Step 9. */
2210 }
2214 JSBool
2217 }
2222 {
2229 /* FIXME? Burn memory on an empty scope whose shape covers the args slots. */
2242 }
2244 }
2248 {
2252 /* Bound functions abuse |parent| to store their target function. */
2254 }
2258 {
2263 }
2267 {
2275 }
2279 /* ES5 15.3.4.5.1 and 15.3.4.5.2. */
2280 JSBool
2282 {
2291 /* 15.3.4.5.1 step 1, 15.3.4.5.2 step 3. */
2292 uintN argslen;
2298 }
2300 /* 15.3.4.5.1 step 3, 15.3.4.5.2 step 1. */
2303 /* 15.3.4.5.1 step 2. */
2306 InvokeArgsGuard args;
2310 /* 15.3.4.5.1, 15.3.4.5.2 step 4. */
2314 /* 15.3.4.5.1, 15.3.4.5.2 step 5. */
2325 }
2327 }
2329 /* ES5 15.3.4.5. */
2330 static JSBool
2332 {
2333 /* Step 1. */
2336 /* Step 2. */
2342 JSMSG_INCOMPATIBLE_PROTO,
2344 }
2345 }
2347 }
2351 /* Step 3. */
2357 }
2359 /* Steps 15-16. */
2365 }
2367 /* Step 4-6, 10-11. */
2370 /* NB: Bound functions abuse |parent| to store their target. */
2377 /* Steps 7-9. */
2382 /* Steps 17, 19-21 are handled by fun_resolve. */
2383 /* Step 18 is the default for new functions. */
2385 /* Step 22. */
2388 }
2391 #if JS_HAS_TOSOURCE
2393 #endif
2398 JS_FS_END
2399 };
2401 static JSBool
2403 {
2408 /* N.B. overwriting callee with return value */
2412 /*
2413 * NB: (new Function) is not lexically closed by its caller, it's just an
2414 * anonymous function in the top-level scope that its constructor inhabits.
2415 * Thus 'var x = 42; f = new Function("return x"); print(f())' prints 42,
2416 * and so would a call to f from another top-level's script or function.
2417 *
2418 * In older versions, before call objects, a new Function was adopted by
2419 * its running context's globalObject, which might be different from the
2420 * top-level reachable from scopeChain (in HTML frames, e.g.).
2421 */
2427 /*
2428 * Function is static and not called directly by other functions in this
2429 * file, therefore it is callable only as a native function by js_Invoke.
2430 * Find the scripted caller, possibly skipping other native frames such as
2431 * are built for Function.prototype.call or .apply activations that invoke
2432 * Function indirectly from a script.
2433 */
2435 uintN lineno;
2446 }
2448 /* Belt-and-braces: check that the caller has access to parent. */
2452 }
2454 /*
2455 * CSP check: whether new Function() is allowed at all.
2456 * Report errors via CSP is done in the script security manager.
2457 * js_CheckContentSecurityPolicy is defined in jsobj.cpp
2458 */
2462 }
2472 /*
2473 * Collect the function-argument arguments into one string, separated
2474 * by commas, then make a tokenstream from that string, and scan it to
2475 * get the arguments. We need to throw the full scanner at the
2476 * problem, because the argument string can legitimately contain
2477 * comments and linefeeds. XXX It might be better to concatenate
2478 * everything up into a function definition and pass it to the
2479 * compiler, but doing it this way is less of a delta from the old
2480 * code. See ECMA 15.3.2.1.
2481 */
2485 /* Collect the lengths for all the function-argument arguments. */
2491 /*
2492 * Check for overflow. The < test works because the maximum
2493 * JSString length fits in 2 fewer bits than size_t has.
2494 */
2500 }
2501 }
2503 /* Add 1 for each joining comma and check for overflow (two ways). */
2510 }
2512 /*
2513 * Allocate a string to hold the concatenated arguments, including room
2514 * for a terminating 0. Mark cx->tempPool for later release, to free
2515 * collected_args and its tokenstream in one swoop.
2516 */
2524 }
2527 /*
2528 * Concatenate the arguments into the new string, separated by commas.
2529 */
2537 }
2541 /* Add separating comma or terminating 0. */
2543 }
2545 /* Initialize a tokenstream that reads from the given string. */
2550 }
2552 /* The argument string may be empty or contain no tokens. */
2556 /*
2557 * Check that it's a name. This also implicitly guards against
2558 * TOK_ERROR, which was already reported.
2559 */
2563 /*
2564 * Get the atom corresponding to the name from the token
2565 * stream; we're assured at this point that it's a valid
2566 * identifier.
2567 */
2570 /* Check for a duplicate parameter name. */
2572 JSAutoByteString name;
2576 }
2582 }
2583 }
2585 uint16 dummy;
2589 }
2591 /*
2592 * Get the next token. Stop on end of stream. Otherwise
2593 * insist on a comma, get another name, and iterate.
2594 */
2601 }
2602 }
2605 after_args:
2607 /*
2608 * Report "malformed formal parameter" iff no illegal char or
2609 * similar scanner error was already reported.
2610 */
2612 JSMSG_BAD_FORMAL);
2613 }
2618 }
2628 }
2637 }
2643 {
2645 }
2649 {
2650 #ifdef DEBUG
2655 #endif
2663 }
2669 }
2671 }
2673 static JSBool
2675 {
2677 JSMSG_THROW_TYPE_ERROR);
2679 }
2681 JSObject *
2683 {
2694 JSScript *script = JSScript::NewScript(cx, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, JSVERSION_DEFAULT);
2700 #ifdef CHECK_SCRIPT_OWNER
2702 #endif
2706 /* ES5 13.2.3: Construct the unique [[ThrowTypeError]] function object. */
2715 }
2718 }
2720 JSFunction *
2723 {
2733 }
2737 /* Initialize all function members. */
2749 #ifdef JS_TRACER
2754 #else
2756 #endif
2760 }
2762 }
2765 /* Set private to self to indicate non-cloned fully initialized function. */
2768 }
2770 JSObject * JS_FASTCALL
2773 {
2779 /*
2780 * The cloned function object does not need the extra JSFunction members
2781 * beyond JSObject as it points to fun via the private slot.
2782 */
2788 /*
2789 * Across compartments we have to deep copy JSFunction and clone the
2790 * script (for interpreted functions).
2791 */
2810 #ifdef CHECK_SCRIPT_OWNER
2812 #endif
2814 }
2815 }
2817 }
2819 #ifdef JS_TRACER
2820 JS_DEFINE_CALLINFO_4(extern, OBJECT, js_CloneFunctionObject, CONTEXT, FUNCTION, OBJECT, OBJECT, 0,
2822 #endif
2824 /*
2825 * Create a new flat closure, but don't initialize the imported upvar
2826 * values. The tracer calls this function and then initializes the upvar
2827 * slots on trace.
2828 */
2829 JSObject * JS_FASTCALL
2831 {
2852 }
2857 JSObject *
2859 {
2860 /*
2861 * Flat closures cannot yet be partial, that is, all upvars must be copied,
2862 * or the closure won't be flattened. Therefore they do not need to search
2863 * enclosing scope objects via JSOP_NAME, etc.
2864 *
2865 * FIXME: bug 545759 proposes to enable partial flat closures. Fixing this
2866 * bug requires a GetScopeChainFast call here, along with JS_REQUIRES_STACK
2867 * annotations on this function's prototype and definition.
2868 */
2884 }
2886 JSObject *
2888 {
2894 }
2896 JSFunction *
2899 {
2900 PropertyOp gop;
2901 StrictPropertyOp sop;
2905 /*
2906 * JSFUN_STUB_GSOPS is a request flag only, not stored in fun->flags or
2907 * the defined property's attributes. This allows us to encode another,
2908 * internal flag using the same bit, JSFUN_EXPR_CLOSURE -- see jsfun.h
2909 * for more on this.
2910 */
2917 }
2919 /*
2920 * Historically, all objects have had a parent member as intrinsic scope
2921 * chain link. We want to move away from this universal parent, but JS
2922 * requires that function objects have something like parent (ES3 and ES5
2923 * call it the [[Scope]] internal property), to bake a particular static
2924 * scope environment into each function object.
2925 *
2926 * All function objects thus have parent, including all native functions.
2927 * All native functions defined by the JS_DefineFunction* APIs are created
2928 * via the call below to js_NewFunction, which passes obj as the parent
2929 * parameter, and so binds fun's parent to obj using JSObject::setParent,
2930 * under js_NewFunction (in JSObject::init, called from NewObject -- see
2931 * jsobjinlines.h).
2932 *
2933 * But JSObject::setParent sets the DELEGATE object flag on its receiver,
2934 * to mark the object as a proto or parent of another object. Such objects
2935 * may intervene in property lookups and scope chain searches, so require
2936 * special handling when caching lookup and search results (since such
2937 * intervening objects can in general grow shadowing properties later).
2938 *
2939 * Thus using setParent prematurely flags certain objects, notably class
2940 * prototypes, so that defining native methods on them, where the method's
2941 * name (e.g., toString) is already bound on Object.prototype, triggers
2942 * shadowingShapeChange events and gratuitous shape regeneration.
2943 *
2944 * To fix this longstanding bug, we set check whether obj is already a
2945 * delegate, and if not, then if js_NewFunction flagged obj as a delegate,
2946 * we clear the flag.
2947 *
2948 * We thus rely on the fact that native functions (including indirect eval)
2949 * do not use the property cache or equivalent JIT techniques that require
2950 * this bit to be set on their parent-linked scope chain objects.
2951 *
2952 * Note: we keep API compatibility by setting parent to obj for all native
2953 * function objects, even if obj->getGlobal() would suffice. This should be
2954 * revisited when parent is narrowed to exist only for function objects and
2955 * possibly a few prehistoric scope objects (e.g. event targets).
2956 *
2957 * FIXME: bug 611190.
2958 */
2963 obj,
2974 }
2976 #if (JSV2F_CONSTRUCT & JSV2F_SEARCH_STACK)
2978 #endif
2980 JSFunction *
2982 {
2987 }
2989 }
2991 JSObject *
2993 {
2998 }
3001 }
3003 JSObject *
3005 {
3010 }
3014 }
3016 void
3018 {
3024 /*
3025 * We try to the print the code that produced vp if vp is a value in the
3026 * most recent interpreted stack frame. Note that additional values, not
3027 * directly produced by the script, may have been pushed onto the frame's
3028 * expression stack (e.g. by pushInvokeArgs) thereby incrementing sp past
3029 * the depth simulated by ReconstructPCStack.
3030 *
3031 * Conversely, values may have been popped from the stack in preparation
3032 * for a call (e.g., by SplatApplyArgs). Since we must pass an offset from
3033 * the top of the simulated stack to js_ReportValueError3, we do bounds
3034 * checking using the minimum of both the simulated and actual stack depth.
3035 */
3047 }
3053 }