| blob | ab7808742f29985dd0d77cb4b05340a0c8d75cb3 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=79:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS object implementation.
43 */
44 #include <stdlib.h>
45 #include <string.h>
87 #if JS_HAS_GENERATORS
89 #endif
91 #if JS_HAS_XML_SUPPORT
93 #endif
95 #if JS_HAS_XDR
97 #endif
111 Class js_ObjectClass = {
112 js_Object_str,
118 EnumerateStub,
119 ResolveStub,
120 ConvertStub
121 };
125 {
128 }
130 #if JS_HAS_OBJ_PROTO_PROP
132 static JSBool
135 static JSBool
139 {js_proto_str, 0, JSPROP_PERMANENT|JSPROP_SHARED, Jsvalify(obj_getProto), Jsvalify(obj_setProto)},
141 };
143 static JSBool
145 {
146 /* Let CheckAccess get the slot's value, based on the access mode. */
147 uintN attrs;
150 }
152 static JSBool
154 {
155 /* ECMAScript 5 8.6.2 forbids changing [[Prototype]] if not [[Extensible]]. */
159 }
166 /*
167 * Innerize pobj here to avoid sticking unwanted properties on the
168 * outer object. This ensures that any with statements only grant
169 * access to the inner object.
170 */
174 }
176 uintN attrs;
182 }
186 #define object_props NULL
190 static JSHashNumber
192 {
194 }
198 {
201 JSHashNumber hash;
203 jsatomid sharpid;
205 JSBool ok;
207 jsid id;
225 }
252 }
254 /* Mark the getter, then set val to setter. */
259 }
265 }
270 }
271 }
281 }
283 }
287 }
289 JSHashEntry *
292 {
296 JSHashNumber hash;
298 jsatomid sharpid;
305 /* Set to null in case we return an early error. */
315 }
318 }
320 /* From this point the control must flow either through out: or bad:. */
323 /*
324 * Although MarkSharpObjects tries to avoid invoking getters,
325 * it ends up doing so anyway under some circumstances; for
326 * example, if a wrapped object has getters, the wrapper will
327 * prevent MarkSharpObjects from recognizing them as such.
328 * This could lead to js_LeaveSharpObject being called while
329 * MarkSharpObjects is still working.
330 *
331 * Increment map->depth while we call MarkSharpObjects, to
332 * ensure that such a call doesn't free the hash table we're
333 * still using.
334 */
344 }
350 /*
351 * It's possible that the value of a property has changed from the
352 * first time the object's properties are traversed (when the property
353 * ids are entered into the hash table) to the second (when they are
354 * converted to strings), i.e., the JSObject::getProperty() call is not
355 * idempotent.
356 */
362 }
365 }
366 }
378 }
379 }
381 out:
390 }
392 }
393 }
395 }
401 bad:
402 /* Clean up the sharpObjectMap table on outermost error. */
408 }
410 }
412 void
414 {
425 }
431 }
432 }
433 }
435 static intN
437 {
440 }
442 void
444 {
448 /*
449 * During recursive calls to MarkSharpObjects a non-native object or
450 * object with a custom getProperty method can potentially return an
451 * unrooted value or even cut from the object graph an argument of one of
452 * MarkSharpObjects recursive invocations. So we must protect map->table
453 * entries against GC.
454 *
455 * We can not simply use JSTempValueRooter to mark the obj argument of
456 * MarkSharpObjects during recursion as we have to protect *all* entries
457 * in JSSharpObjectMap including those that contains otherwise unreachable
458 * objects just allocated through custom getProperty. Otherwise newer
459 * allocations can re-use the address of an object stored in the hashtable
460 * confusing js_EnterSharpObject. So to address the problem we simply
461 * mark all objects from map->table.
462 *
463 * An alternative "proper" solution is to use JSTempValueRooter in
464 * MarkSharpObjects with code to remove during finalization entries
465 * with otherwise unreachable objects. But this is way too complex
466 * to justify spending efforts.
467 */
469 }
471 #if JS_HAS_TOSOURCE
472 static JSBool
474 {
475 JSBool ok;
495 /* If outermost, we need parentheses to be an expression, not a block. */
505 }
507 /*
508 * We didn't enter -- obj is already "sharp", meaning we've visited it
509 * already in our depth first search, and therefore chars contains a
510 * string of the form "#n#".
511 */
513 #if JS_HAS_SHARP_VARS
515 #else
520 #endif
522 }
527 /* If outermost, allocate 4 + 1 for "({})" and the terminator. */
535 /* js_EnterSharpObject returned a string of the form "#n=" in chars. */
543 }
545 /*
546 * No need for parentheses around the whole shebang, because #n=
547 * unambiguously begins an object initializer, and never a block
548 * statement.
549 */
551 }
552 }
558 /*
559 * We have four local roots for cooked and raw value GC safety. Hoist the
560 * "localroot + 2" out of the loop using the val local, which refers to
561 * the raw (unconverted, "uncooked") values.
562 */
566 /* Get strings for id and value and GC-root them via vp. */
573 /*
574 * Convert id to a value and then to a string. Decide early whether we
575 * prefer get/set or old getter/setter syntax.
576 */
581 }
594 valcnt++;
595 }
600 valcnt++;
601 }
602 }
609 }
610 }
612 /*
613 * If id is a string that's not an identifier, or if it's a negative
614 * integer, then it must be quoted.
615 */
618 ? !idIsLexicalIdentifier
624 }
626 }
632 }
635 /*
636 * Censor an accessor descriptor getter or setter part if it's
637 * undefined.
638 */
642 /* Convert val[j] to its canonical source form. */
647 }
653 }
656 /*
657 * If val[j] is a non-sharp object, and we're not serializing an
658 * accessor (ECMA syntax can't accommodate sharpened accessors),
659 * consider sharpening it.
660 */
663 #if JS_HAS_SHARP_VARS
669 }
677 }
679 }
680 }
681 #endif
683 /*
684 * Remove '(function ' from the beginning of valstr and ')' from the
685 * end so that we can put "get" in front of the function definition.
686 */
693 vchars++;
695 }
697 /* Try to jump "function" keyword. */
701 /*
702 * Jump over the function's name: it can't be encoded as part
703 * of an ECMA getter or setter.
704 */
710 vchars++;
715 }
716 }
718 #define SAFE_ADD(n) \
719 JS_BEGIN_MACRO \
720 size_t n_ = (n); \
721 curlen += n_; \
722 if (curlen < n_) \
723 goto overflow; \
724 JS_END_MACRO
734 /* Account for the trailing null. */
736 #undef SAFE_ADD
741 /* Allocate 1 + 1 at end for closing brace and terminating 0. */
746 }
751 }
762 }
765 /* Extraneous space after id here will be extracted later */
771 }
777 }
778 }
785 error:
792 }
798 }
799 make_string:
805 }
808 out:
811 overflow:
816 }
821 JSString *
823 {
846 }
848 }
850 /* ES5 15.2.4.2. Note steps 1 and 2 are errata. */
851 static JSBool
853 {
856 /* Step 1. */
860 }
862 /* Step 2. */
866 }
868 /* Step 3. */
873 /* Steps 4-5. */
879 }
881 static JSBool
883 {
894 }
896 static JSBool
898 {
904 }
906 /*
907 * Check if CSP allows new Function() or eval() to run in the current
908 * principals.
909 */
910 JSBool
912 {
913 // CSP is static per document, so if our check said yes before, that
914 // answer is still valid.
920 // if there are callbacks, make sure that the CSP callback is installed and
921 // that it permits eval().
925 // update the cache in the global object for the result of the security check
927 }
929 }
931 /*
932 * Check whether principals subsumes scopeobj's principals, and return true
933 * if so (or if scopeobj has no principals, for backward compatibility with
934 * the JS API, which does not require principals), and false otherwise.
935 */
936 JSBool
939 {
948 JSAutoByteString callerstr;
954 }
955 }
957 }
959 static bool
961 {
968 /* XXX This is an awful gross hack. */
973 js_eval_str);
975 }
977 }
980 }
985 {
986 uint32 flags;
987 #ifdef DEBUG
989 #endif
994 principals &&
998 }
1006 }
1008 }
1010 #ifndef EVAL_CACHE_CHAIN_LIMIT
1011 # define EVAL_CACHE_CHAIN_LIMIT 4
1012 #endif
1016 {
1022 uint32 h;
1029 }
1034 {
1035 /*
1036 * Cache local eval scripts indexed by source qualified by scope.
1037 *
1038 * An eval cache entry should never be considered a hit unless its
1039 * strictness matches that of the new eval code. The existing code takes
1040 * care of this, because hits are qualified by the function from which
1041 * eval was called, whose strictness doesn't change. (We don't cache evals
1042 * in eval code, so the calling function corresponds to the calling script,
1043 * and its strictness never varies.) Scripts produced by calls to eval from
1044 * global code aren't cached.
1045 *
1046 * FIXME bug 620141: Qualify hits by calling script rather than function.
1047 * Then we wouldn't need the unintuitive !isEvalFrame() hack in EvalKernel
1048 * to avoid caching nested evals in functions (thus potentially mismatching
1049 * on strict mode), and we could cache evals in global code if desired.
1050 */
1065 /*
1066 * Get the prior (cache-filling) eval's saved caller function.
1067 * See Compiler::compileScript in jsparse.cpp.
1068 */
1072 /*
1073 * Get the source string passed for safekeeping in the
1074 * atom map by the prior eval to Compiler::compileScript.
1075 */
1079 /*
1080 * Source matches, qualify by comparing scopeobj to the
1081 * COMPILE_N_GO-memoized parent of the first literal
1082 * function or regexp object if any. If none, then this
1083 * script has no compiled-in dependencies on the prior
1084 * eval's scopeobj.
1085 */
1096 }
1097 }
1105 }
1106 }
1107 }
1108 }
1114 }
1116 }
1118 /* ES5 15.1.2.1. */
1119 static JSBool
1121 {
1122 /*
1123 * NB: This method handles only indirect eval: direct eval is handled by
1124 * JSOP_EVAL.
1125 */
1129 /* FIXME Bug 602994: This really should be perfectly cromulent. */
1131 /* Eval code needs to inherit principals from the caller. */
1135 }
1138 }
1142 bool
1145 {
1146 /*
1147 * FIXME Bug 602994: Calls with no scripted caller should be permitted and
1148 * should be implemented as indirect calls.
1149 */
1153 /*
1154 * We once supported a second argument to eval to use as the scope chain
1155 * when evaluating the code string. Warn when such uses are seen so that
1156 * authors will know that support for eval(s, o) has been removed.
1157 */
1161 "Support for eval(code, scopeObject) has been removed. "
1166 }
1168 /*
1169 * CSP check: Is eval() allowed at all?
1170 * Report errors via CSP is done in the script security mgr.
1171 */
1175 }
1177 /* ES5 15.1.2.1 step 1. */
1181 }
1185 }
1188 /* ES5 15.1.2.1 steps 2-8. */
1193 /*
1194 * Per ES5, indirect eval runs in the global scope. (eval is specified this
1195 * way so that the compiler can make assumptions about what bindings may or
1196 * may not exist in the current frame if it doesn't see 'eval'.)
1197 */
1198 uintN staticLevel;
1202 #ifdef DEBUG
1206 #endif
1208 /* Pretend that we're top level. */
1213 }
1215 /* Ensure we compile this eval with the right object in the scope chain. */
1225 /*
1226 * If the eval string starts with '(' and ends with ')', it may be JSON.
1227 * Try the JSON parser first because it's much faster. If the eval string
1228 * isn't JSON, JSON parsing will probably fail quickly, so little time
1229 * will be lost.
1230 */
1234 /* Run JSON-parser on string inside ( and ). */
1239 }
1240 }
1242 /*
1243 * Direct calls to eval are supposed to see the caller's |this|. If we
1244 * haven't wrapped that yet, do so now, before we make a copy of it for
1245 * the eval code to use.
1246 */
1255 /*
1256 * Although the eval cache keeps a script alive from the perspective of
1257 * the JS engine, from a jsdbgapi user's perspective each eval()
1258 * creates and destroys a script. This hides implementation details and
1259 * allows jsdbgapi clients to avoid calling JS_GetScriptObject after a
1260 * script has been returned to the eval cache, which is invalid since
1261 * script->u.object aliases script->u.nextToGC.
1262 */
1266 }
1267 }
1269 /*
1270 * We can't have a callerFrame (down in js::Execute's terms) if we're in
1271 * global code (or if we're an indirect eval).
1272 */
1275 uintN lineno;
1285 }
1289 /*
1290 * Belt-and-braces: check that the lesser of eval's principals and the
1291 * caller's principals has access to scopeobj.
1292 */
1302 #ifdef CHECK_SCRIPT_OWNER
1304 #endif
1307 }
1311 {
1313 }
1315 }
1317 #if JS_HAS_OBJ_WATCHPOINT
1319 static JSBool
1322 {
1327 JSResolvingKey key;
1329 uint32 generation;
1331 JSBool ok;
1337 /* Skip over any obj_watch_* frames between us and the real subject. */
1340 /*
1341 * Only call the watch handler if the watcher is allowed to watch
1342 * the currently executing script.
1343 */
1348 /* Silently don't call the watch handler. */
1350 }
1351 }
1352 }
1354 /* Avoid recursion on (obj, id) already being watched on cx. */
1370 }
1372 static JSBool
1374 {
1378 }
1384 /* Compute the unique int/atom symbol id needed by js_LookupProperty. */
1385 jsid propid;
1393 Value tmp;
1394 uintN attrs;
1405 }
1407 static JSBool
1409 {
1414 jsid id;
1420 }
1422 }
1426 /*
1427 * Prototype and property query methods, to complement the 'in' and
1428 * 'instanceof' operators.
1429 */
1431 /* Proposed ECMA 15.2.4.5. */
1432 static JSBool
1434 {
1439 }
1441 JSBool
1444 {
1445 jsid id;
1460 }
1465 }
1467 JSBool
1470 {
1486 }
1490 /*
1491 * The combination of JSPROP_SHARED and JSPROP_PERMANENT in a
1492 * delegated property makes that property appear to be direct in
1493 * all delegating instances of the same native class. This hack
1494 * avoids bloating every function instance with its own 'length'
1495 * (AKA 'arity') property. But it must not extend across class
1496 * boundaries, to avoid making hasOwnProperty lie (bug 320854).
1497 *
1498 * It's not really a hack, of course: a permanent property can't
1499 * be deleted, and JSPROP_SHARED means "don't allocate a slot in
1500 * any instance, prototype or delegating". Without a slot, and
1501 * without the ability to remove and recreate (with differences)
1502 * the property, there is no way to tell whether it is directly
1503 * owned, or indirectly delegated.
1504 */
1508 }
1511 }
1513 }
1515 /* ES5 15.2.4.6. */
1516 static JSBool
1518 {
1519 /* Step 1. */
1523 }
1525 /* Step 2. */
1530 /* Step 3. */
1533 }
1535 /* ES5 15.2.4.7. */
1536 static JSBool
1538 {
1539 /* Step 1. */
1540 jsid id;
1544 /* Step 2. */
1549 /* Steps 3-5. */
1551 }
1553 JSBool
1555 {
1564 }
1566 /*
1567 * XXX ECMA spec error compatible: return false unless hasOwnProperty.
1568 * The ECMA spec really should be fixed so propertyIsEnumerable and the
1569 * for..in loop agree on whether prototype properties are enumerable,
1570 * obviously by fixing this method (not by breaking the for..in loop!).
1571 *
1572 * We check here for shared permanent prototype properties, which should
1573 * be treated as if they are local to obj. They are an implementation
1574 * technique used to satisfy ECMA requirements; users should not be able
1575 * to distinguish a shared permanent proto-property from a local one.
1576 */
1578 uintN attrs;
1587 }
1591 }
1594 }
1596 #if OLD_GETTER_SETTER_METHODS
1605 {
1612 JSMSG_BAD_GETTER_OR_SETTER,
1613 js_getter_str);
1615 }
1618 jsid id;
1623 /*
1624 * Getters and setters are just like watchpoints from an access
1625 * control point of view.
1626 */
1627 Value junk;
1628 uintN attrs;
1634 }
1638 {
1645 JSMSG_BAD_GETTER_OR_SETTER,
1646 js_setter_str);
1648 }
1651 jsid id;
1656 /*
1657 * Getters and setters are just like watchpoints from an access
1658 * control point of view.
1659 */
1660 Value junk;
1661 uintN attrs;
1667 }
1669 static JSBool
1671 {
1672 jsid id;
1688 }
1689 }
1691 }
1693 static JSBool
1695 {
1696 jsid id;
1712 }
1713 }
1715 }
1718 JSBool
1720 {
1724 }
1734 }
1737 uintN attrs;
1740 }
1742 extern JSBool
1746 {
1747 /* We have our own property, so start creating the descriptor. */
1760 }
1768 }
1769 }
1777 }
1779 JSBool
1781 {
1792 }
1807 }
1811 }
1817 attrs,
1821 vp);
1822 }
1824 static bool
1825 GetFirstArgumentAsObject(JSContext *cx, uintN argc, Value *vp, const char *method, JSObject **objp)
1826 {
1831 }
1842 }
1846 }
1848 static JSBool
1850 {
1858 }
1860 static JSBool
1862 {
1885 }
1886 }
1895 }
1897 static bool
1899 {
1905 }
1907 /*
1908 * We must go through the method read barrier in case id is 'get' or 'set'.
1909 * There is no obvious way to defer cloning a joined function object whose
1910 * identity will be used by DefinePropertyOnObject, e.g., or reflected via
1911 * js_GetOwnPropertyDescriptor, as the getter or setter callable object.
1912 */
1914 }
1929 {
1930 }
1932 bool
1934 {
1938 /* 8.10.5 step 1 */
1942 }
1945 /* Make a copy of the descriptor. We might need it later. */
1948 /* Start with the proper defaults. */
1953 /* 8.10.5 step 3 */
1956 #endif
1963 }
1965 /* 8.10.5 step 4 */
1972 }
1974 /* 8.10.5 step 5 */
1980 }
1982 /* 8.10.6 step 6 */
1989 }
1991 /* 8.10.7 step 7 */
1997 js_getter_str);
1999 }
2003 }
2005 /* 8.10.7 step 8 */
2011 js_setter_str);
2013 }
2017 }
2019 /* 8.10.7 step 9 */
2023 }
2026 }
2028 static JSBool
2030 {
2032 jsid idstr;
2040 }
2044 }
2046 static JSBool
2048 {
2057 }
2059 }
2063 }
2065 static JSBool
2068 {
2069 /* 8.12.9 step 1. */
2078 /*
2079 * If we find a shared permanent property in a different object obj2 from
2080 * obj, then if the property is shared permanent (an old hack to optimize
2081 * per-object properties into one prototype property), ignore that lookup
2082 * result (null current).
2083 *
2084 * FIXME: bug 575997 (see also bug 607863).
2085 */
2087 /* See same assertion with comment further below. */
2093 }
2095 /* 8.12.9 steps 2-4. */
2106 }
2110 /*
2111 * Getters and setters are just like watchpoints from an access
2112 * control point of view.
2113 */
2114 Value dummy;
2115 uintN dummyAttrs;
2122 }
2124 /* 8.12.9 steps 5-6 (note 5 is merely a special case of 6). */
2127 /*
2128 * In the special case of shared permanent properties, the "own" property
2129 * can be found on a different object. In that case the returned property
2130 * might not be native, except: the shared permanent property optimization
2131 * is not applied if the objects have different classes (bug 320854), as
2132 * must be enforced by js_HasOwnProperty for the Shape cast below to be
2133 * safe.
2134 */
2144 JSBool same;
2149 }
2152 JSBool same;
2157 }
2159 /*
2160 * Determine the current value of the property once, if the current
2161 * value might actually need to be used or preserved later. NB: we
2162 * guard on whether the current property is a data descriptor to
2163 * avoid calling a getter; we won't need the value if it's not a
2164 * data descriptor.
2165 */
2167 /*
2168 * We must rule out a non-configurable js::PropertyOp-guarded
2169 * property becoming a writable unguarded data property, since
2170 * such a property can have its value changed to one the getter
2171 * and setter preclude.
2172 *
2173 * A desc lacking writable but with value is a data descriptor
2174 * and we must reject it as if it had writable: true if current
2175 * is writable.
2176 */
2181 {
2183 }
2187 }
2193 JSBool same;
2198 /*
2199 * Insist that a non-configurable js::PropertyOp data
2200 * property is frozen at exactly the last-got value.
2201 *
2202 * Duplicate the first part of the big conjunction that
2203 * we tested above, rather than add a local bool flag.
2204 * Likewise, don't try to keep shape->writable() in a
2205 * flag we veto from true to false for non-configurable
2206 * PropertyOp-based data properties and test before the
2207 * SameValue check later on in order to re-use that "if
2208 * (!SameValue) Reject" logic.
2209 *
2210 * This function is large and complex enough that it
2211 * seems best to repeat a small bit of code and return
2212 * Reject(...) ASAP, instead of being clever.
2213 */
2216 {
2218 }
2220 }
2221 }
2225 /* The only fields in desc will be handled below. */
2227 }
2228 }
2235 /* The conditions imposed by step 5 or step 6 apply. */
2240 /* 8.12.9 step 7. */
2242 /*
2243 * Since [[Configurable]] defaults to false, we don't need to check
2244 * whether it was specified. We can't do likewise for [[Enumerable]]
2245 * because its putative value is used in a comparison -- a comparison
2246 * whose result must always be false per spec if the [[Enumerable]]
2247 * field is not present. Perfectly pellucid logic, eh?
2248 */
2253 }
2254 }
2259 /* 8.12.9 step 8, no validation required */
2261 /* 8.12.9 step 9. */
2265 /* 8.12.9 step 10. */
2271 JSBool same;
2276 }
2277 }
2281 /* 8.12.9 step 11. */
2285 JSBool same;
2290 }
2293 JSBool same;
2298 }
2299 }
2300 }
2302 /* 8.12.9 step 12. */
2303 uintN attrs;
2304 PropertyOp getter;
2305 StrictPropertyOp setter;
2321 }
2339 /*
2340 * Getters and setters are just like watchpoints from an access
2341 * control point of view.
2342 */
2343 Value dummy;
2349 /* 8.12.9 step 12. */
2365 ? PropertyStub
2367 }
2372 ? StrictPropertyStub
2374 }
2375 }
2379 /*
2380 * Since "data" properties implemented using native C functions may rely on
2381 * side effects during setting, we must make them aware that they have been
2382 * "assigned"; deleting the property before redefining it does the trick.
2383 * See bug 539766, where we ran into problems when we redefined
2384 * arguments.length without making the property aware that its value had
2385 * been changed (which would have happened if we had deleted it before
2386 * redefining it or we had invoked its setter to change its value).
2387 */
2392 }
2395 }
2397 static JSBool
2400 {
2401 /*
2402 * We probably should optimize dense array property definitions where
2403 * the descriptor describes a traditional array property (enumerable,
2404 * configurable, writable, numeric index or length without altering its
2405 * attributes). Such definitions are probably unlikely, so we don't bother
2406 * for now.
2407 */
2414 /*
2415 * Our optimization of storage of the length property of arrays makes
2416 * it very difficult to properly implement defining the property. For
2417 * now simply throw an exception (NB: not merely Reject) on any attempt
2418 * to define the "length" property, rather than attempting to implement
2419 * some difficult-for-authors-to-grasp subset of that functionality.
2420 */
2423 }
2425 uint32 index;
2427 /*
2428 // Disabled until we support defining "length":
2429 if (index >= oldLen && lengthPropertyNotWritable())
2430 return ThrowTypeError(cx, JSMSG_CANT_APPEND_TO_ARRAY);
2431 */
2440 }
2444 }
2447 }
2449 static JSBool
2452 {
2460 }
2463 }
2465 JSBool
2468 {
2479 }
2481 /* ES5 15.2.3.6: Object.defineProperty(O, P, Attributes) */
2482 static JSBool
2484 {
2485 /* 15.2.3.6 steps 1 and 5. */
2491 /* 15.2.3.6 step 2. */
2496 /* 15.2.3.6 step 3. */
2499 /* 15.2.3.6 step 4 */
2500 JSBool junk;
2502 }
2504 static bool
2506 {
2521 }
2522 }
2528 }
2531 }
2533 extern JSBool
2535 {
2537 }
2539 /* ES5 15.2.3.7: Object.defineProperties(O, Properties) */
2540 static JSBool
2542 {
2543 /* 15.2.3.6 steps 1 and 5. */
2553 }
2561 }
2563 /* ES5 15.2.3.5: Object.create(O [, Properties]) */
2564 static JSBool
2566 {
2571 }
2582 }
2584 /*
2585 * Use the callee's global as the parent of the new object to avoid dynamic
2586 * scoping (i.e., using the caller's global).
2587 */
2594 /* 15.2.3.5 step 4. */
2599 }
2614 }
2615 }
2621 }
2622 }
2624 /* 5. Return obj. */
2626 }
2628 static JSBool
2630 {
2654 }
2655 }
2663 }
2665 static JSBool
2667 {
2674 }
2676 static JSBool
2678 {
2689 }
2691 bool
2693 {
2704 }
2706 /* preventExtensions must slowify dense arrays, so we can assign to holes without checks. */
2712 uintN attrs;
2716 /* Make all attributes permanent; if freezing, make data attributes read-only. */
2717 uintN new_attrs;
2720 else
2723 /* If we already have the attributes we need, skip the setAttributes call. */
2730 }
2733 }
2735 static JSBool
2737 {
2745 }
2747 static JSBool
2749 {
2770 /* The property must be non-configurable and either read-only or an accessor. */
2774 }
2776 /* It really was sealed, so return true. */
2779 }
2781 static JSBool
2783 {
2791 }
2793 static JSBool
2795 {
2800 /* Assume not sealed until proven otherwise. */
2813 uintN attrs;
2819 }
2821 /* It really was sealed, so return true. */
2824 }
2826 #if JS_HAS_OBJ_WATCHPOINT
2829 #endif
2835 #if JS_HAS_TOSOURCE
2837 #endif
2841 #if JS_HAS_OBJ_WATCHPOINT
2844 #endif
2848 #if OLD_GETTER_SETTER_METHODS
2853 #endif
2854 JS_FS_END
2855 };
2871 JS_FS_END
2872 };
2874 JSBool
2876 {
2879 /* Trigger logic below to construct a blank object. */
2882 /* If argv[0] is null or undefined, obj comes back null. */
2885 }
2887 /* Make an object whether this was called with 'new' or not. */
2893 }
2896 }
2898 JSObject*
2900 {
2908 }
2910 Value protov;
2911 if (!callee->getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.classPrototypeAtom), &protov))
2921 }
2923 JSObject *
2925 {
2927 return NewNonFunction<WithProto::Class>(cx, &js_ObjectClass, proto, callee->getParent(), kind);
2928 }
2930 JSObject *
2932 {
2933 Value protov;
2938 }
2941 }
2943 #ifdef JS_TRACER
2948 {
2959 }
2961 JSObject* FASTCALL
2963 {
2966 }
2972 JSObject* FASTCALL
2974 {
2978 }
2981 }
2986 JSObject* FASTCALL
2988 {
2995 }
2999 JSObject * FASTCALL
3001 {
3002 #ifdef DEBUG
3010 #endif
3018 /*
3019 * GetInterpretedFunctionPrototype found that ctor.prototype is
3020 * primitive. Use Object.prototype for proto, per ES5 13.2.2 step 7.
3021 */
3024 }
3028 }
3029 JS_DEFINE_CALLINFO_3(extern, CONSTRUCTOR_RETRY, js_CreateThisFromTrace, CONTEXT, OBJECT, UINTN, 0,
3034 # define js_Object_trcinfo NULL
3038 /*
3039 * Given pc pointing after a property accessing bytecode, return true if the
3040 * access is "object-detecting" in the sense used by web scripts, e.g., when
3041 * checking whether document.all is defined.
3042 */
3043 JS_REQUIRES_STACK JSBool
3045 {
3048 JSOp op;
3056 /* General case: a branch or equality op follows the access. */
3063 /*
3064 * Special case #1: handle (document.all == null). Don't sweat
3065 * about JS1.2's revision of the equality operators here.
3066 */
3070 }
3075 /*
3076 * Special case #2: handle (document.all == undefined). Don't
3077 * worry about someone redefining undefined, which was added by
3078 * Edition 3, so is read/write for backward compatibility.
3079 */
3086 }
3090 /*
3091 * At this point, anything but an extended atom index prefix means
3092 * we're not detecting.
3093 */
3097 }
3098 }
3099 }
3101 /*
3102 * Infer lookup flags from the currently executing bytecode. This does
3103 * not attempt to infer JSRESOLVE_WITH, because the current bytecode
3104 * does not indicate whether we are in a with statement. Return defaultFlags
3105 * if a currently executing bytecode cannot be determined.
3106 */
3107 uintN
3109 {
3110 #ifdef JS_TRACER
3113 #endif
3119 uint32 format;
3136 }
3140 }
3142 /*
3143 * ObjectOps and Class for with-statement stack objects.
3144 */
3145 static JSBool
3148 {
3149 /* Fixes bug 463997 */
3156 }
3158 static JSBool
3160 {
3162 }
3164 static JSBool
3166 {
3168 }
3170 static JSBool
3172 {
3174 }
3176 static JSBool
3178 {
3180 }
3182 static JSBool
3184 {
3186 }
3188 static JSBool
3191 {
3193 }
3195 static JSType
3197 {
3199 }
3203 {
3205 }
3207 Class js_WithClass = {
3214 EnumerateStub,
3215 ResolveStub,
3216 ConvertStub,
3225 JS_NULL_CLASS_EXT,
3226 {
3227 with_LookupProperty,
3229 with_GetProperty,
3230 with_SetProperty,
3231 with_GetAttributes,
3232 with_SetAttributes,
3233 with_DeleteProperty,
3234 with_Enumerate,
3235 with_TypeOf,
3238 with_ThisObject,
3240 }
3241 };
3243 JS_REQUIRES_STACK JSObject *
3245 {
3267 }
3269 JSObject *
3271 {
3272 /*
3273 * Null obj's proto slot so that Object.prototype.* does not pollute block
3274 * scopes and to give the block object its own scope.
3275 */
3283 }
3285 JSObject *
3287 {
3299 /* The caller sets parent on its own. */
3310 }
3312 JS_REQUIRES_STACK JSBool
3314 {
3320 /* Block objects should have all reserved slots allocated early. */
3324 /* The block and its locals must be on the current stack for GC safety. */
3329 /* See comments in CheckDestructuring from jsparse.cpp. */
3336 }
3338 /* We must clear the private slot even with errors. */
3342 }
3344 static JSBool
3346 {
3347 /*
3348 * Block objects are never exposed to script, and the engine handles them
3349 * with care. So unlike other getters, this one can assert (rather than
3350 * check) certain invariants about obj.
3351 */
3363 }
3365 /* Values are in slots immediately following the class-reserved ones. */
3368 }
3370 static JSBool
3372 {
3384 }
3386 /*
3387 * The value in *vp will be written back to the slot in obj that was
3388 * allocated when this let binding was defined.
3389 */
3391 }
3395 {
3398 /* Use JSPROP_ENUMERATE to aid the disassembler. */
3409 }
3411 static size_t
3413 {
3417 }
3419 bool
3421 {
3422 // If we're not native, then we cannot copy properties.
3431 }
3448 }
3450 }
3452 static bool
3454 {
3466 }
3473 }
3475 }
3477 JSObject *
3479 {
3480 /*
3481 * We can only clone native objects and proxies. Dense arrays are slowified if
3482 * we try to clone them.
3483 */
3490 JSMSG_CANT_CLONE_OBJECT);
3492 }
3493 }
3502 JSMSG_CANT_CLONE_OBJECT);
3504 }
3512 }
3514 }
3516 static void
3518 {
3522 /*
3523 * Regexp guts are more complicated -- we would need to migrate the
3524 * refcounted JIT code blob for them across compartments instead of just
3525 * swapping guts.
3526 */
3532 /* Trade the guts of the objects. */
3535 /*
3536 * If the objects are the same size, then we make no assumptions about
3537 * whether they have dynamically allocated slots and instead just copy
3538 * them over wholesale.
3539 */
3547 /* Fixup pointers for inline slots on the objects. */
3553 /*
3554 * If the objects are of differing sizes, then we only copy over the
3555 * JSObject portion (things like class, etc.) and leave it to
3556 * JSObject::clone to copy over the dynamic slots for us.
3557 */
3559 JSFunction tmp;
3564 JSObject tmp;
3568 }
3572 }
3573 }
3575 /*
3576 * Use this method with extreme caution. It trades the guts of two objects and updates
3577 * scope ownership. This operation is not thread-safe, just as fast array to slow array
3578 * transitions are inherently not thread-safe. Don't perform a swap operation on objects
3579 * shared across threads or, or bad things will happen. You have been warned.
3580 */
3581 bool
3583 {
3584 /*
3585 * If we are swapping objects with a different number of builtin slots, force
3586 * both to not use their inline slots.
3587 */
3592 }
3596 }
3597 }
3602 }
3606 {
3613 }
3614 {
3621 }
3626 }
3628 #if JS_HAS_XDR
3630 #define NO_PARENT_INDEX ((uint32)-1)
3632 uint32
3634 {
3644 }
3647 }
3649 JSBool
3651 {
3653 uint32 parentId;
3656 uint32 depthAndCount;
3660 #ifdef __GNUC__
3662 #endif
3673 }
3676 #endif
3678 /* First, XDR the parent atomid. */
3688 /*
3689 * If there's a parent id, then get the parent out of our script's
3690 * object array. We know that we XDR block object in outer-to-inner
3691 * order, which means that getting the parent now will work.
3692 */
3695 else
3698 }
3710 /*
3711 * XDR the block object's properties. We know that there are 'count'
3712 * properties to XDR, stored as id/shortid pairs.
3713 */
3716 uint16 shortid;
3718 /* XDR the real id, then the shortid. */
3724 }
3732 }
3734 /*
3735 * XDR the block object's properties. We know that there are 'count'
3736 * properties to XDR, stored as id/shortid pairs.
3737 */
3749 /* XDR the real id, then the shortid. */
3752 }
3753 }
3755 }
3757 #endif
3759 Class js_BlockClass = {
3766 EnumerateStub,
3767 ResolveStub,
3768 ConvertStub
3769 };
3771 JSObject *
3773 {
3779 /* ECMA (15.1.2.1) says 'eval' is a property of the global object. */
3785 }
3787 static bool
3790 {
3794 /*
3795 * Initializing an actual standard class on a global object. If the
3796 * property is not yet present, force it into a new one bound to a
3797 * reserved slot. Otherwise, go through the normal property path.
3798 */
3815 }
3816 }
3820 }
3824 JSObject *
3830 {
3831 /*
3832 * Create a prototype object for this class.
3833 *
3834 * FIXME: lazy standard (built-in) class initialization and even older
3835 * eager boostrapping code rely on all of these properties:
3836 *
3837 * 1. NewObject attempting to compute a default prototype object when
3838 * passed null for proto; and
3839 *
3840 * 2. NewObject tolerating no default prototype (null proto slot value)
3841 * due to this js_InitClass call coming from js_InitFunctionClass on an
3842 * otherwise-uninitialized global.
3843 *
3844 * 3. NewObject allocating a JSFunction-sized GC-thing when clasp is
3845 * &js_FunctionClass, not a JSObject-sized (smaller) GC-thing.
3846 *
3847 * The JS_NewObjectForGivenProto and JS_NewObject APIs also allow clasp to
3848 * be &js_FunctionClass (we could break compatibility easily). But fixing
3849 * (3) is not enough without addressing the bootstrapping dependency on (1)
3850 * and (2).
3851 */
3858 /* After this point, control must exit via label bad or out. */
3864 /*
3865 * Lacking a constructor, name the prototype (e.g., Math) unless this
3866 * class (a) is anonymous, i.e. for internal use only; (b) the class
3867 * of obj (the global object) is has a reserved slot indexed by key;
3868 * and (c) key is not the null key.
3869 */
3876 }
3888 /*
3889 * Remember the class this function is a constructor for so that
3890 * we know to create an object of this class when we call the
3891 * constructor.
3892 */
3895 /*
3896 * Optionally construct the prototype object, before the class has
3897 * been fully initialized. Allow the ctor to replace proto with a
3898 * different object, as is done for operator new -- and as at least
3899 * XML support requires.
3900 */
3903 Value rval;
3907 }
3910 }
3912 /* Connect constructor and prototype by named properties. */
3916 }
3918 /* Bootstrap Function.prototype (see also JS_InitStandardClasses). */
3921 }
3923 /* Add properties and methods to the prototype and the constructor. */
3929 }
3931 /*
3932 * Pre-brand the prototype and constructor if they have built-in methods.
3933 * This avoids extra shape guard branch exits in the tracejitted code.
3934 */
3940 /*
3941 * Make sure proto's emptyShape is available to be shared by objects of
3942 * this class. JSObject::emptyShape is a one-slot cache. If we omit this,
3943 * some other class could snap it up. (The risk is particularly great for
3944 * Object.prototype.)
3945 *
3946 * All callers of JSObject::initSharingEmptyShape depend on this.
3947 *
3948 * FIXME: bug 592296 -- js_InitArrayClass should pass &js_SlowArrayClass
3949 * and make the Array.prototype slow from the start.
3950 */
3962 }
3964 /* If this is a standard class, cache its prototype. */
3970 bad:
3972 Value rval;
3974 }
3976 }
3978 }
3980 JSObject *
3985 {
3990 /*
3991 * All instances of the class will inherit properties from the prototype
3992 * object we are about to create (in DefineConstructorAndPrototype), which
3993 * in turn will inherit from protoProto.
3994 *
3995 * When initializing a standard class (other than Object), if protoProto is
3996 * null, default to the Object prototype object. The engine's internal uses
3997 * of js_InitClass depend on this nicety. Note that in
3998 * js_InitFunctionAndObjectClasses, we specially hack the resolving table
3999 * and then depend on js_GetClassPrototype here leaving protoProto NULL and
4000 * returning true.
4001 */
4007 }
4009 return DefineConstructorAndPrototype(cx, obj, key, atom, protoProto, clasp, constructor, nargs,
4011 }
4013 bool
4015 {
4024 }
4032 /* Copy over anything from the inline buffer. */
4036 }
4038 bool
4040 {
4041 /*
4042 * When an object with CAPACITY_DOUBLING_MAX or fewer slots needs to
4043 * grow, double its capacity, to add N elements in amortized O(N) time.
4044 *
4045 * Above this limit, grow by 12.5% each time. Speed is still amortized
4046 * O(N), with a higher constant factor, and we waste less space.
4047 */
4064 /* Don't let nslots get close to wrapping around uint32. */
4068 }
4070 /* If nothing was allocated yet, treat it as initial allocation. */
4074 Value *tmpslots = (Value*) cx->realloc(slots, oldcap * sizeof(Value), actualCapacity * sizeof(Value));
4080 /* Initialize the additional slots we added. */
4083 }
4085 void
4087 {
4093 /* We won't shrink the slots any more. Clear excess holes. */
4096 }
4111 /* Clear any excess holes if we tried to shrink below SLOT_CAPACITY_MIN. */
4113 }
4114 }
4116 bool
4118 {
4124 }
4128 {
4131 }
4133 #define JS_PROTO(name,code,init) extern JSObject *init(JSContext *, JSObject *);
4135 #undef JS_PROTO
4138 #define JS_PROTO(name,code,init) init,
4140 #undef JS_PROTO
4141 };
4145 bool
4147 {
4154 }
4156 /*
4157 * Regenerate property cache shape ids for all of the scopes along the
4158 * old prototype chain to invalidate their property cache entries, in
4159 * case any entries were filled by looking up through obj.
4160 */
4165 }
4172 }
4174 }
4176 }
4178 JSBool
4181 {
4183 JSResolvingKey rkey;
4185 uint32 generation;
4186 JSObjectOp init;
4187 Value v;
4193 }
4199 }
4206 /* Already caching key in obj -- suppress recursion. */
4209 }
4222 }
4223 }
4228 }
4230 JSBool
4231 js_SetClassObject(JSContext *cx, JSObject *obj, JSProtoKey key, JSObject *cobj, JSObject *proto)
4232 {
4239 }
4241 JSBool
4244 {
4247 jsid id;
4251 /*
4252 * Find the global object. Use cx->fp() directly to avoid falling off
4253 * trace; all JIT-elided stack frames have the same global object as
4254 * cx->fp().
4255 */
4261 /* Find the topmost object in the scope chain. */
4271 }
4272 }
4286 }
4293 }
4299 }
4307 }
4308 }
4311 }
4313 JSObject *
4316 {
4321 /* Protect constructor in case a crazy getter for .prototype uproots it. */
4330 }
4332 /*
4333 * If proto is NULL, set it to Constructor.prototype, just like JSOP_NEW
4334 * does, likewise for the new object's parent.
4335 */
4340 Value rval;
4344 }
4347 }
4355 Value rval;
4362 /*
4363 * If the instance's class differs from what was requested, throw a type
4364 * error. If the given class has both the JSCLASS_HAS_PRIVATE and the
4365 * JSCLASS_CONSTRUCT_PROTOTYPE flags, and the instance does not have its
4366 * private data set at this point, then the constructor was replaced and
4367 * we should throw a type error.
4368 */
4372 JSCLASS_CONSTRUCT_PROTOTYPE)) &&
4377 }
4379 }
4381 bool
4383 {
4387 /*
4388 * If this object is in dictionary mode and it has a property table, try to
4389 * pull a free slot from the property table's slot-number freelist.
4390 */
4394 #ifdef DEBUG
4398 #endif
4406 }
4407 }
4412 /* JSObject::growSlots or JSObject::freeSlot should set the free slots to void. */
4416 }
4418 bool
4420 {
4428 /* Can't afford to check the whole freelist, but let's check the head. */
4431 /*
4432 * Freeing a slot other than the last one mapped by this object's
4433 * shape (and not a reserved slot; see bug 595230): push the slot onto
4434 * the dictionary property table's freelist. We want to let the last
4435 * slot be freed by shrinking the dslots vector; see js_TraceObject.
4436 */
4442 }
4443 }
4446 }
4448 /* JSBOXEDWORD_INT_MAX as a string */
4451 /*
4452 * Convert string indexes that convert to int jsvals as ints to save memory.
4453 * Care must be taken to use this macro every time a property name is used, or
4454 * else double-sets, incorrect property cache misses, or other mistakes could
4455 * occur.
4456 */
4457 jsid
4459 {
4491 cp++;
4492 }
4493 }
4495 /*
4496 * Non-integer indexes can't be represented as integers. Also, distinguish
4497 * index "-0" from "0", because JSBOXEDWORD_INT cannot.
4498 */
4505 {
4507 }
4511 {
4513 }
4514 }
4517 }
4519 static JSBool
4521 {
4528 }
4535 /*
4536 * All scope chains end in a global object, so this will change
4537 * the global shape. jstracer.cpp assumes that the global shape
4538 * never changes on trace, so we must deep-bail here.
4539 */
4541 }
4543 }
4545 }
4547 }
4549 void
4551 {
4555 /*
4556 * We must purge the scope chain only for Call objects as they are the only
4557 * kind of cacheable non-global object that can gain properties after outer
4558 * properties with the same names have been cached or traced. Call objects
4559 * may gain such properties via eval introducing new vars; see bug 490364.
4560 */
4565 }
4566 }
4567 }
4573 {
4576 /*
4577 * Purge the property cache of now-shadowed id in obj's scope chain. Do
4578 * this optimistically (assuming no failure below) before locking obj, so
4579 * we can lock the shadowed scope.
4580 */
4586 /* Convert string indices to integers if appropriate. */
4589 }
4595 {
4599 /*
4600 * Check for freezing an object with shape-memoized methods here, on a
4601 * shape-by-shape basis. Note that getter may be a pun of the method's
4602 * joined function object value, to indicate "no getter change". In this
4603 * case we must null getter to get the desired PropertyStub behavior.
4604 */
4616 }
4617 }
4620 }
4622 JSBool
4625 {
4628 }
4630 /*
4631 * Backward compatibility requires allowing addProperty hooks to mutate the
4632 * nominal initial value of a slotful property, while GC safety wants that
4633 * value to be stored before the call-out through the hook. Optimize to do
4634 * both while saving cycles for classes that stub their addProperty hook.
4635 */
4638 {
4647 }
4648 }
4650 }
4652 JSBool
4657 {
4661 /* Convert string indices to integers if appropriate. */
4664 /*
4665 * If defining a getter or setter, we must check for its counterpart and
4666 * update the attributes and property ops. A getter or setter is really
4667 * only half of a property.
4668 */
4674 /*
4675 * If JS_THREADSAFE and id is found, js_LookupProperty returns with
4676 * shape non-null and pobj locked. If pobj == obj, the property is
4677 * already in obj and obj has its own (mutable) scope. So if we are
4678 * defining a getter whose setter was already defined, or vice versa,
4679 * finish the job via obj->changeProperty, and refresh the property
4680 * cache line for (obj, id) to map shape.
4681 */
4689 ? getter
4692 ? setter
4700 }
4701 }
4703 /*
4704 * Purge the property cache of any properties named by id that are about
4705 * to be shadowed in obj's scope chain unless it is known a priori that it
4706 * is not possible. We do this before locking obj to avoid nesting locks.
4707 */
4711 /*
4712 * Check whether a readonly property or setter is being defined on a known
4713 * prototype object. See the comment in jscntxt.h before protoHazardShape's
4714 * member declaration.
4715 */
4719 /* Use the object's class getter and setter by default. */
4726 }
4728 /* Get obj's own scope if it has one, or create a new one for obj. */
4732 /*
4733 * Make a local copy of value, in case a method barrier needs to update the
4734 * value to define, and just so addProperty can mutate its inout parameter.
4735 */
4740 /* Add a new property, or replace an existing one of the same id. */
4751 }
4752 }
4760 {
4761 /*
4762 * Redefining an existing shape-memoized method object without
4763 * changing the property's value, perhaps to change attributes.
4764 * Clone now via the method read barrier.
4765 *
4766 * But first, assert that our caller is not trying to preserve
4767 * the joined function object value as the getter object for
4768 * the redefined property. The joined function object cannot
4769 * yet have leaked, so only an internal code path could attempt
4770 * such a thing. Any such path would be a bug to fix.
4771 */
4776 }
4779 }
4787 /*
4788 * If shape is a joined method, the above call to putProperty suffices
4789 * to update the object's shape id if need be (because the shape's hash
4790 * identity includes the method value).
4791 *
4792 * But if scope->branded(), the object's shape id may not have changed
4793 * and we may be overwriting a cached function-valued property (note
4794 * how methodWriteBarrier checks previous vs. would-be current value).
4795 * See bug 560998.
4796 */
4798 #ifdef DEBUG
4800 #endif
4803 }
4804 }
4806 /* Store valueCopy before calling addProperty, in case the latter GC's. */
4810 /* XXXbe called with lock held */
4814 }
4821 }
4822 }
4827 #ifdef JS_TRACER
4829 #endif
4831 }
4833 #define SCOPE_DEPTH_ACCUM(bs,val) \
4834 JS_SCOPE_DEPTH_METERING(JS_BASIC_STATS_ACCUM(bs, val))
4836 /*
4837 * Call obj's resolve hook. obj is a native object and the caller holds its
4838 * scope lock.
4839 *
4840 * cx, start, id, and flags are the parameters initially passed to the ongoing
4841 * lookup; objp and propp are its out parameters. obj is an object along
4842 * start's prototype chain.
4843 *
4844 * There are four possible outcomes:
4845 *
4846 * - On failure, report an error or exception, unlock obj, and return false.
4847 *
4848 * - If we are alrady resolving a property of *curobjp, set *recursedp = true,
4849 * unlock obj, and return true.
4850 *
4851 * - If the resolve hook finds or defines the sought property, set *objp and
4852 * *propp appropriately, set *recursedp = false, and return true with *objp's
4853 * lock held.
4854 *
4855 * - Otherwise no property was resolved. Set *propp = NULL and *recursedp = false
4856 * and return true.
4857 */
4858 static JSBool
4861 {
4865 /*
4866 * Avoid recursion on (obj, id) already being resolved on cx.
4867 *
4868 * Once we have successfully added an entry for (obj, key) to
4869 * cx->resolvingTable, control must go through cleanup: before
4870 * returning. But note that JS_DHASH_ADD may find an existing
4871 * entry, in which case we bail to suppress runaway recursion.
4872 */
4878 /* Already resolving id in obj -- suppress recursion. */
4881 }
4887 JSBool ok;
4895 {
4896 /* Protect id and all atoms from a GC nested in resolve. */
4899 }
4904 /* Resolved: lookup id again for backward compatibility. */
4906 /* Whoops, newresolve handed back a foreign obj2. */
4912 /*
4913 * Require that obj2 not be empty now, as we do for old-style
4914 * resolve. If it doesn't, then id was not truly resolved, and
4915 * we'll find it in the proto chain, or miss it if obj2's proto
4916 * is not on obj's proto chain. That last case is a "too bad!"
4917 * case.
4918 */
4921 }
4925 }
4926 }
4928 /*
4929 * Old resolve always requires id re-lookup if obj is not empty after
4930 * resolve returns.
4931 */
4938 }
4940 cleanup:
4944 }
4947 }
4952 {
4953 /* We should not get string indices which aren't already integers here. */
4956 /* Search scopes starting with obj and following the prototype link. */
4966 }
4968 /* Try obj's class resolve hook if id was not found in obj's scope. */
4976 /* Recalculate protoIndex in case it was resolved on some other object. */
4979 protoIndex++;
4982 }
4983 }
4991 #ifdef DEBUG
4992 /*
4993 * Non-native objects must have either non-native lookup results,
4994 * or else native results from the non-native's prototype chain.
4995 *
4996 * See JSStackFrame::getValidCalleeObject, where we depend on this
4997 * fact to force a prototype-delegated joined method accessed via
4998 * arguments.callee through the delegating |this| object's method
4999 * read barrier.
5000 */
5004 }
5005 #endif
5007 }
5010 }
5015 }
5020 {
5021 /* Convert string indices to integers if appropriate. */
5025 }
5027 int
5030 {
5031 /* Convert string indices to integers if appropriate. */
5035 }
5037 PropertyCacheEntry *
5040 {
5049 /* Scan entries on the scope chain that we can cache across. */
5054 parent
5058 protoIndex =
5065 #ifdef DEBUG
5071 /*
5072 * A block instance on the scope chain is immutable and it
5073 * shares its shapes with its compile-time prototype.
5074 */
5079 /* Call and DeclEnvClass objects have no prototypes. */
5082 }
5085 }
5086 #endif
5087 /*
5088 * We must check if pobj is native as a global object can have
5089 * non-native prototype.
5090 */
5095 }
5098 }
5103 }
5106 }
5114 }
5116 /*
5117 * We conservatively assume that a resolve hook could mutate the scope
5118 * chain during JSObject::lookupProperty. So we read parent here again.
5119 */
5124 }
5126 }
5128 out:
5134 }
5136 /*
5137 * On return, if |*pobjp| is a native object, then |*propp| is a |Shape *|.
5138 * Otherwise, its type and meaning depends on the host object's implementation.
5139 */
5143 {
5145 }
5147 JSObject *
5149 {
5150 /*
5151 * This function should not be called for a global object or from the
5152 * trace and should have a valid cache entry for native scopeChain.
5153 */
5159 /*
5160 * Loop over cacheable objects on the scope chain until we find a
5161 * property. We also stop when we reach the global object skipping any
5162 * farther checks or lookups. For details see the JSOP_BINDNAME case of
5163 * js_Interpret.
5164 *
5165 * The test order here matters because js_IsCacheableNonGlobalScope
5166 * must not be passed a global object (i.e. one with null parent).
5167 */
5170 scopeIndex++) {
5182 }
5184 #ifdef DEBUG
5186 #endif
5191 }
5197 }
5199 /* Loop until we find a property or reach the global object. */
5208 /*
5209 * We conservatively assume that a resolve hook could mutate the scope
5210 * chain during JSObject::lookupProperty. So we must check if parent is
5211 * not null here even if it wasn't before the lookup.
5212 */
5219 }
5221 static JS_ALWAYS_INLINE JSBool
5224 {
5227 uint32 slot;
5228 int32 sample;
5238 }
5245 }
5248 {
5253 }
5261 }
5264 }
5266 JSBool
5269 {
5271 }
5273 JSBool
5274 js_NativeSet(JSContext *cx, JSObject *obj, const Shape *shape, bool added, bool strict, Value *vp)
5275 {
5278 uint32 slot;
5279 int32 sample;
5287 /* If shape has a stub setter, keep obj locked and just store *vp. */
5292 /* FIXME: This should pass *shape, not slot, but see bug 630354. */
5295 }
5298 }
5300 /*
5301 * Allow API consumers to create shared properties with stub setters.
5302 * Such properties effectively function as data descriptors which are
5303 * not writable, so attempting to set such a property should do nothing
5304 * or throw if we're in strict mode.
5305 */
5308 }
5311 {
5318 }
5327 }
5329 }
5332 }
5338 {
5348 /* Convert string indices to integers if appropriate. */
5352 /* This call site is hot -- use the always-inlined variant of js_LookupPropertyWithFlags(). */
5368 /*
5369 * Give a strict warning if foo.bar is evaluated by a script for an
5370 * object foo with no property named 'bar'.
5371 */
5374 JSOp op;
5375 uintN flags;
5381 }
5389 }
5391 /*
5392 * XXX do not warn about missing __iterator__ as the function
5393 * may be called from JS_GetMethodById. See bug 355145.
5394 */
5398 /* Do not warn about tests like (obj[prop] == undefined). */
5406 }
5409 }
5411 /* Ok, bad undefined property reference: whine about it. */
5416 }
5417 }
5419 }
5425 }
5433 }
5435 /* This call site is hot -- use the always-inlined variant of js_NativeGet(). */
5440 }
5442 bool
5446 {
5449 }
5451 static JS_ALWAYS_INLINE JSBool
5454 {
5457 return js_GetPropertyHelperWithShapeInline(cx, obj, receiver, id, getHow, vp, &shape, &holder);
5458 }
5460 JSBool
5462 {
5464 }
5466 JSBool
5468 {
5469 /* This call site is hot -- use the always-inlined variant of js_GetPropertyHelper(). */
5471 }
5473 JSBool
5475 {
5484 }
5487 }
5489 JSBool
5491 {
5496 #if JS_HAS_XML_SUPPORT
5498 #endif
5500 }
5502 #if JS_HAS_XML_SUPPORT
5505 #endif
5507 }
5511 {
5516 /* If neither cx nor the code is strict, then no check is needed. */
5520 }
5529 }
5531 bool
5533 {
5537 }
5539 bool
5541 {
5545 }
5547 bool
5549 {
5553 }
5555 JSBool
5558 {
5564 intN shortid;
5566 PropertyOp getter;
5567 StrictPropertyOp setter;
5575 /* Convert string indices to integers if appropriate. */
5598 }
5599 }
5602 }
5604 /* We should never add properties to lexical blocks. */
5611 }
5612 }
5615 /*
5616 * Now either shape is null, meaning id was not found in obj or one of its
5617 * prototypes; or shape is non-null, meaning id was found directly in pobj.
5618 */
5627 /* ES5 8.12.4 [[Put]] step 2. */
5637 /* Error in strict mode code, warn with strict option, otherwise do nothing. */
5643 }
5644 }
5648 /*
5649 * We found id in a prototype object: prepare to share or shadow.
5650 */
5659 }
5661 /*
5662 * Preserve attrs except JSPROP_SHARED, getter, and setter when
5663 * shadowing any property that has no slot (is shared). We must
5664 * clear the shared attribute for the shadowing shape so that the
5665 * property in obj that it defines has a slot to retain the value
5666 * being set, in case the setter simply cannot operate on instances
5667 * of obj's class by storing the value in some class-specific
5668 * location.
5669 *
5670 * A subset of slotless shared properties is the set of properties
5671 * with shortids, which must be preserved too. An old API requires
5672 * that the property's getter and setter receive the shortid, not
5673 * id, when they are called on the shadowing property that we are
5674 * about to create in obj.
5675 */
5681 }
5686 /* Restore attrs to the ECMA default for new properties. */
5688 }
5690 /*
5691 * Forget we found the proto-property now that we've copied any
5692 * needed member values.
5693 */
5695 }
5701 /*
5702 * JSOP_SETMETHOD is assigning to an existing own property. If it
5703 * is an identical method property, do nothing. Otherwise downgrade
5704 * to ordinary assignment. Either way, do not fill the property
5705 * cache, as the interpreter has no fast path for these unusual
5706 * cases.
5707 */
5721 }
5722 }
5724 }
5725 }
5730 /* Error in strict mode code, warn with strict option, otherwise do nothing. */
5736 }
5738 /*
5739 * Purge the property cache of now-shadowed id in obj's scope chain.
5740 * Do this early, before locking obj to avoid nesting locks.
5741 */
5744 /* Find or make a property descriptor with the right heritage. */
5748 /*
5749 * Check for Object class here to avoid defining a method on a class
5750 * with magic resolve, addProperty, getProperty, etc. hooks.
5751 */
5761 }
5762 }
5772 /*
5773 * Initialize the new property value (passed to setter) to undefined.
5774 * Note that we store before calling addProperty, to match the order
5775 * in js_DefineNativeProperty.
5776 */
5780 /* XXXbe called with obj locked */
5784 }
5786 }
5793 #ifdef JS_TRACER
5796 #endif
5797 }
5799 JSBool
5801 {
5803 }
5805 JSBool
5807 {
5814 }
5821 }
5823 JSBool
5825 {
5829 }
5831 JSBool
5833 {
5842 }
5844 JSBool
5846 {
5853 /* Convert string indices to integers if appropriate. */
5859 /*
5860 * If the property was found in a native prototype, check whether it's
5861 * shared and permanent. Such a property stands for direct properties
5862 * in all delegating objects, matching ECMA semantics without bloating
5863 * each delegating object.
5864 */
5872 }
5873 }
5875 /*
5876 * If no property, or the property comes unshared or impermanent from
5877 * a prototype, call the class's delProperty hook, passing rval as the
5878 * result parameter.
5879 */
5881 }
5889 }
5898 /*
5899 * Delete is rare enough that we can take the hit of checking for an
5900 * active cloned method function object that must be homed to a callee
5901 * slot on the active stack frame before this delete completes, in case
5902 * someone saved the clone and checks it against foo.caller for a foo
5903 * called from the active method.
5904 *
5905 * We do not check suspended frames. They can't be reached via caller,
5906 * so the only way they could have the method's joined function object
5907 * as callee is through an API abusage. We break any such edge case.
5908 */
5920 {
5926 }
5928 }
5929 }
5930 }
5931 }
5932 }
5933 }
5936 }
5940 JSObject *
5942 {
5953 }
5955 bool
5957 {
5962 /* Optimize (new String(...)).toString(). */
5967 js_str_toString)) {
5970 }
5977 }
5979 /* Optimize (new String(...)).valueOf(). */
5984 js_str_toString)) ||
5988 js_num_valueOf))) {
5991 }
5999 }
6000 }
6002 /* Avoid recursive death when decompiling in js_ReportValueError. */
6010 }
6018 }
6021 }
6027 {
6028 /* If the class has a custom JSCLASS_NEW_ENUMERATE hook, call it. */
6034 }
6039 /* Tell InitNativeIterator to treat us like a native object. */
6043 }
6047 JSBool
6050 {
6051 JSBool writing;
6057 CheckAccessOp check;
6087 }
6093 }
6095 }
6102 else
6104 }
6105 }
6107 /*
6108 * If obj's class has a stub (null) checkAccess hook, use the per-runtime
6109 * checkObjectAccess callback, if configured.
6110 *
6111 * We don't want to require all classes to supply a checkAccess hook; we
6112 * need that hook only for certain classes used when precompiling scripts
6113 * and functions ("brutal sharing"). But for general safety of built-in
6114 * magic properties like __proto__, we route all access checks, even for
6115 * classes that stub out checkAccess, through the global checkObjectAccess
6116 * hook. This covers precompilation-based sharing and (possibly
6117 * unintended) runtime sharing across trust boundaries.
6118 */
6124 }
6126 }
6128 }
6130 JSType
6132 {
6133 /*
6134 * ECMA 262, 11.4.3 says that any native object that implements
6135 * [[Call]] should be of type "function". However, RegExp is of
6136 * type "object", not "function", for Web compatibility.
6137 */
6140 ? JSTYPE_FUNCTION
6142 }
6145 }
6147 bool
6149 {
6156 }
6158 }
6160 bool
6163 {
6164 Value v;
6172 }
6176 }
6178 /*
6179 * The first part of this function has been hand-expanded and optimized into
6180 * NewBuiltinClassInstance in jsobjinlines.h.
6181 */
6182 JSBool
6185 {
6199 }
6200 }
6201 }
6208 }
6209 }
6210 }
6213 }
6215 JSBool
6217 {
6218 /*
6219 * Use the given attributes for the prototype property of the constructor,
6220 * as user-defined constructors have a DontDelete prototype (which may be
6221 * reset), while native or "system" constructors have DontEnum | ReadOnly |
6222 * DontDelete.
6223 */
6227 }
6229 /*
6230 * ECMA says that Object.prototype.constructor, or f.prototype.constructor
6231 * for a user-defined function f, is DontEnum.
6232 */
6235 }
6237 JSObject *
6239 {
6250 }
6258 }
6260 JSBool
6262 {
6269 }
6271 JSBool
6273 {
6284 }
6287 }
6291 /* Callers must handle the already-object case . */
6292 JSObject *
6294 {
6302 }
6308 }
6310 }
6312 JSObject *
6314 {
6322 }
6324 JSBool
6326 {
6332 }
6334 JSBool
6337 {
6340 /*
6341 * Report failure only if an appropriate method was found, and calling it
6342 * returned failure. We propagate failure in this case to make exceptions
6343 * behave properly.
6344 */
6347 Value fval;
6356 }
6358 #if JS_HAS_XDR
6360 JSBool
6362 {
6367 JSProtoKey protoKey;
6386 }
6387 }
6391 }
6393 /*
6394 * XDR a flag word, which could be 0 for a class use, in which case no
6395 * name follows, only the id in xdr's class registry; 1 for a class def,
6396 * in which case the flag word is followed by the class name transferred
6397 * from or to atom; or a value greater than 1, an odd number that when
6398 * divided by two yields the JSProtoKey for class. In the last case, as
6399 * in the 0 classDef case, no name is transferred via atom.
6400 */
6411 /* NB: we know that JSProto_Null is 0 here, for backward compat. */
6426 }
6427 }
6428 }
6434 }
6436 }
6440 #ifdef JS_DUMP_SCOPE_METERS
6442 #include <stdio.h>
6446 static void
6448 {
6450 }
6452 void
6454 {
6459 {
6467 }
6472 }
6473 #endif
6475 #ifdef DEBUG
6476 void
6478 {
6493 }
6498 #define JS_PROTO(name,code,init) \
6499 if ((code) == slot) { slotname = js_##name##_str; goto found; }
6501 #undef JS_PROTO
6502 }
6503 found:
6506 else
6516 }
6517 }
6518 }
6519 #endif
6521 void
6523 {
6528 /*
6529 * Trim overlong dslots allocations from the GC, to avoid thrashing in
6530 * case of delete-happy code that settles down at a given population.
6531 * The !obj->nativeEmpty() guard above is due to the bug described by
6532 * the FIXME comment below.
6533 */
6537 }
6539 #ifdef JS_DUMP_SCOPE_METERS
6541 #endif
6548 /* No one runs while the GC is running, so we can use LOCKED_... here. */
6555 }
6559 }
6561 /*
6562 * NB: clasp->mark could mutate something (which would be a bug, but we are
6563 * defensive), so don't hoist this above calling clasp->mark.
6564 */
6570 }
6571 }
6573 void
6575 {
6576 /*
6577 * Clear obj of all obj's properties. FIXME: we do not clear reserved slots
6578 * lying below JSSLOT_FREE(clasp). JS_ClearScope does that.
6579 */
6581 /* Now that we're done using real properties, clear obj. */
6584 /* Clear slot values since obj->clear reset our shape to empty. */
6589 }
6590 }
6592 bool
6594 {
6598 }
6602 else
6605 }
6607 bool
6609 {
6620 }
6625 }
6627 JSObject *
6629 {
6634 }
6636 JSBool
6638 {
6641 JSREPORT_STRICT_MODE_ERROR,
6643 JSMSG_GETTER_ONLY);
6644 }
6648 {
6651 }
6653 #ifdef DEBUG
6655 /*
6656 * Routines to print out values during debugging. These are FRIEND_API to help
6657 * the debugger find them and to support temporarily hacking js_Dump* calls
6658 * into other code.
6659 */
6661 void
6663 {
6668 }
6680 else
6682 }
6684 }
6688 {
6692 }
6694 void
6696 {
6699 else
6701 }
6705 {
6712 }
6714 }
6718 {
6721 }
6723 void
6725 {
6744 }
6749 }
6761 else
6765 #ifdef DEBUG
6773 }
6774 #endif
6778 }
6779 }
6783 {
6786 }
6790 {
6794 }
6796 static void
6798 {
6816 else
6820 }
6824 {
6846 }
6850 }
6851 }
6864 }
6866 }
6875 }
6898 }
6900 }
6902 static void
6904 {
6909 }
6910 }
6912 static void
6914 {
6919 }
6920 }
6924 {
6925 /* This should only called during live debugging. */
6937 }
6948 }
6954 }
6960 }
6966 }
6969 }
6978 }
6979 }
6981 fprintf(stderr, " actuals: %p (%u) ", (void *) fp->actualArgs(), (unsigned) fp->numActualArgs());
6982 fprintf(stderr, " formals: %p (%u)\n", (void *) fp->formalArgs(), (unsigned) fp->numFormalArgs());
6983 }
6992 }
7015 }
7016 }