search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Backed out changeset 2450366cf7ca (bug 1891629) for causing win msix mochitest failures
[gecko.git] / js / src / vm / JSObject.cpp
blob8bc8bc0d52130693d398d67e8adaeef14c4a7c1b
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 /*
8 * JS object implementation.
9 */
10
11 #include "vm/JSObject-inl.h"
12
13 #include "mozilla/MemoryReporting.h"
14 #include "mozilla/Try.h"
15
16 #include <string.h>
17
18 #include "jsapi.h"
19 #include "jsexn.h"
20 #include "jsfriendapi.h"
21 #include "jsnum.h"
22 #include "jstypes.h"
23
24 #include "builtin/BigInt.h"
25 #include "builtin/MapObject.h"
26 #include "builtin/Object.h"
27 #include "builtin/String.h"
28 #include "builtin/Symbol.h"
29 #include "builtin/WeakSetObject.h"
30 #include "gc/AllocKind.h"
31 #include "gc/GC.h"
32 #include "js/CharacterEncoding.h"
33 #include "js/friend/DumpFunctions.h" // js::DumpObject
34 #include "js/friend/ErrorMessages.h" // JSErrNum, js::GetErrorMessage, JSMSG_*
35 #include "js/friend/WindowProxy.h" // js::IsWindow, js::ToWindowProxyIfWindow
36 #include "js/MemoryMetrics.h"
37 #include "js/Prefs.h" // JS::Prefs
38 #include "js/Printer.h" // js::GenericPrinter, js::Fprinter
39 #include "js/PropertyDescriptor.h" // JS::FromPropertyDescriptor
40 #include "js/PropertySpec.h" // JSPropertySpec
41 #include "js/Proxy.h"
42 #include "js/Result.h"
43 #include "js/UbiNode.h"
44 #include "js/Wrapper.h"
45 #include "proxy/DeadObjectProxy.h"
46 #include "util/Memory.h"
47 #include "util/Text.h"
48 #include "util/WindowsWrapper.h"
49 #include "vm/ArgumentsObject.h"
50 #include "vm/ArrayBufferObject.h"
51 #include "vm/ArrayBufferViewObject.h"
52 #include "vm/BytecodeUtil.h"
53 #include "vm/Compartment.h"
54 #include "vm/DateObject.h"
55 #include "vm/Interpreter.h"
56 #include "vm/Iteration.h"
57 #include "vm/JSAtomUtils.h" // Atomize
58 #include "vm/JSContext.h"
59 #include "vm/JSFunction.h"
60 #include "vm/JSONPrinter.h" // js::JSONPrinter
61 #include "vm/JSScript.h"
62 #include "vm/PromiseObject.h"
63 #include "vm/ProxyObject.h"
64 #include "vm/RegExpObject.h"
65 #include "vm/Shape.h"
66 #include "vm/TypedArrayObject.h"
67 #include "vm/Watchtower.h"
68 #include "vm/WrapperObject.h"
69 #ifdef ENABLE_RECORD_TUPLE
70 # include "builtin/RecordObject.h"
71 # include "builtin/TupleObject.h"
72 # include "vm/RecordType.h"
73 # include "vm/TupleType.h"
74 #endif
75
76 #include "gc/StableCellHasher-inl.h"
77 #include "vm/BooleanObject-inl.h"
78 #include "vm/EnvironmentObject-inl.h"
79 #include "vm/Interpreter-inl.h"
80 #include "vm/JSAtomUtils-inl.h" // AtomToId, PrimitiveValueToId, IndexToId
81 #include "vm/JSContext-inl.h"
82 #include "vm/NativeObject-inl.h"
83 #include "vm/NumberObject-inl.h"
84 #include "vm/ObjectFlags-inl.h"
85 #include "vm/Realm-inl.h"
86 #include "vm/StringObject-inl.h"
87 #include "vm/TypedArrayObject-inl.h"
88 #include "wasm/WasmGcObject-inl.h"
89
90 using namespace js;
91
92 using mozilla::Maybe;
93
94 void js::ReportNotObject(JSContext* cx, JSErrNum err, int spindex,
95 HandleValue v) {
96 MOZ_ASSERT(!v.isObject());
97 ReportValueError(cx, err, spindex, v, nullptr);
98 }
99
100 void js::ReportNotObject(JSContext* cx, JSErrNum err, HandleValue v) {
101 ReportNotObject(cx, err, JSDVG_SEARCH_STACK, v);
102 }
103
104 void js::ReportNotObject(JSContext* cx, const Value& v) {
105 RootedValue value(cx, v);
106 ReportNotObject(cx, JSMSG_OBJECT_REQUIRED, value);
107 }
108
109 void js::ReportNotObjectArg(JSContext* cx, const char* nth, const char* fun,
110 HandleValue v) {
111 MOZ_ASSERT(!v.isObject());
112
113 UniqueChars bytes;
114 if (const char* chars = ValueToSourceForError(cx, v, bytes)) {
115 JS_ReportErrorNumberLatin1(cx, GetErrorMessage, nullptr,
116 JSMSG_OBJECT_REQUIRED_ARG, nth, fun, chars);
117 }
118 }
119
120 JS_PUBLIC_API const char* JS::InformalValueTypeName(const Value& v) {
121 switch (v.type()) {
122 case ValueType::Double:
123 case ValueType::Int32:
124 return "number";
125 case ValueType::Boolean:
126 return "boolean";
127 case ValueType::Undefined:
128 return "undefined";
129 case ValueType::Null:
130 return "null";
131 case ValueType::String:
132 return "string";
133 case ValueType::Symbol:
134 return "symbol";
135 case ValueType::BigInt:
136 return "bigint";
137 case ValueType::Object:
138 #ifdef ENABLE_RECORD_TUPLE
139 case ValueType::ExtendedPrimitive:
140 #endif
141 return v.getObjectPayload().getClass()->name;
142 case ValueType::Magic:
143 return "magic";
144 case ValueType::PrivateGCThing:
145 break;
146 }
147
148 MOZ_CRASH("unexpected type");
149 }
150
151 // ES6 draft rev37 6.2.4.4 FromPropertyDescriptor
152 JS_PUBLIC_API bool JS::FromPropertyDescriptor(
153 JSContext* cx, Handle<Maybe<PropertyDescriptor>> desc_,
154 MutableHandleValue vp) {
155 AssertHeapIsIdle();
156 CHECK_THREAD(cx);
157 cx->check(desc_);
158
159 // Step 1.
160 if (desc_.isNothing()) {
161 vp.setUndefined();
162 return true;
163 }
164
165 Rooted<PropertyDescriptor> desc(cx, *desc_);
166 return FromPropertyDescriptorToObject(cx, desc, vp);
167 }
168
169 bool js::FromPropertyDescriptorToObject(JSContext* cx,
170 Handle<PropertyDescriptor> desc,
171 MutableHandleValue vp) {
172 // Step 2-3.
173 RootedObject obj(cx, NewPlainObject(cx));
174 if (!obj) {
175 return false;
176 }
177
178 const JSAtomState& names = cx->names();
179
180 // Step 4.
181 if (desc.hasValue()) {
182 if (!DefineDataProperty(cx, obj, names.value, desc.value())) {
183 return false;
184 }
185 }
186
187 // Step 5.
188 RootedValue v(cx);
189 if (desc.hasWritable()) {
190 v.setBoolean(desc.writable());
191 if (!DefineDataProperty(cx, obj, names.writable, v)) {
192 return false;
193 }
194 }
195
196 // Step 6.
197 if (desc.hasGetter()) {
198 if (JSObject* get = desc.getter()) {
199 v.setObject(*get);
200 } else {
201 v.setUndefined();
202 }
203 if (!DefineDataProperty(cx, obj, names.get, v)) {
204 return false;
205 }
206 }
207
208 // Step 7.
209 if (desc.hasSetter()) {
210 if (JSObject* set = desc.setter()) {
211 v.setObject(*set);
212 } else {
213 v.setUndefined();
214 }
215 if (!DefineDataProperty(cx, obj, names.set, v)) {
216 return false;
217 }
218 }
219
220 // Step 8.
221 if (desc.hasEnumerable()) {
222 v.setBoolean(desc.enumerable());
223 if (!DefineDataProperty(cx, obj, names.enumerable, v)) {
224 return false;
225 }
226 }
227
228 // Step 9.
229 if (desc.hasConfigurable()) {
230 v.setBoolean(desc.configurable());
231 if (!DefineDataProperty(cx, obj, names.configurable, v)) {
232 return false;
233 }
234 }
235
236 vp.setObject(*obj);
237 return true;
238 }
239
240 bool js::GetFirstArgumentAsObject(JSContext* cx, const CallArgs& args,
241 const char* method,
242 MutableHandleObject objp) {
243 if (!args.requireAtLeast(cx, method, 1)) {
244 return false;
245 }
246
247 HandleValue v = args[0];
248 if (!v.isObject()) {
249 UniqueChars bytes =
250 DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, v, nullptr);
251 if (!bytes) {
252 return false;
253 }
254 JS_ReportErrorNumberUTF8(cx, GetErrorMessage, nullptr,
255 JSMSG_UNEXPECTED_TYPE, bytes.get(),
256 "not an object");
257 return false;
258 }
259
260 objp.set(&v.toObject());
261 return true;
262 }
263
264 static bool GetPropertyIfPresent(JSContext* cx, HandleObject obj, HandleId id,
265 MutableHandleValue vp, bool* foundp) {
266 if (!HasProperty(cx, obj, id, foundp)) {
267 return false;
268 }
269 if (!*foundp) {
270 vp.setUndefined();
271 return true;
272 }
273
274 return GetProperty(cx, obj, obj, id, vp);
275 }
276
277 bool js::Throw(JSContext* cx, HandleId id, unsigned errorNumber,
278 const char* details) {
279 MOZ_ASSERT(js_ErrorFormatString[errorNumber].argCount == (details ? 2 : 1));
280 MOZ_ASSERT_IF(details, JS::StringIsASCII(details));
281
282 UniqueChars bytes =
283 IdToPrintableUTF8(cx, id, IdToPrintableBehavior::IdIsPropertyKey);
284 if (!bytes) {
285 return false;
286 }
287
288 if (details) {
289 JS_ReportErrorNumberUTF8(cx, GetErrorMessage, nullptr, errorNumber,
290 bytes.get(), details);
291 } else {
292 JS_ReportErrorNumberUTF8(cx, GetErrorMessage, nullptr, errorNumber,
293 bytes.get());
294 }
295
296 return false;
297 }
298
299 /*** PropertyDescriptor operations and DefineProperties *********************/
300
301 static Result<> CheckCallable(JSContext* cx, JSObject* obj,
302 const char* fieldName) {
303 if (obj && !obj->isCallable()) {
304 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
305 JSMSG_BAD_GET_SET_FIELD, fieldName);
306 return cx->alreadyReportedError();
307 }
308 return Ok();
309 }
310
311 // 6.2.5.5 ToPropertyDescriptor(Obj)
312 bool js::ToPropertyDescriptor(JSContext* cx, HandleValue descval,
313 bool checkAccessors,
314 MutableHandle<PropertyDescriptor> desc_) {
315 // Step 1.
316 RootedObject obj(cx,
317 RequireObject(cx, JSMSG_OBJECT_REQUIRED_PROP_DESC, descval));
318 if (!obj) {
319 return false;
320 }
321
322 // Step 2.
323 Rooted<PropertyDescriptor> desc(cx, PropertyDescriptor::Empty());
324
325 RootedId id(cx);
326 RootedValue v(cx);
327
328 // Steps 3-4.
329 id = NameToId(cx->names().enumerable);
330 bool hasEnumerable = false;
331 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasEnumerable)) {
332 return false;
333 }
334 if (hasEnumerable) {
335 desc.setEnumerable(ToBoolean(v));
336 }
337
338 // Steps 5-6.
339 id = NameToId(cx->names().configurable);
340 bool hasConfigurable = false;
341 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasConfigurable)) {
342 return false;
343 }
344 if (hasConfigurable) {
345 desc.setConfigurable(ToBoolean(v));
346 }
347
348 // Steps 7-8.
349 id = NameToId(cx->names().value);
350 bool hasValue = false;
351 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasValue)) {
352 return false;
353 }
354 if (hasValue) {
355 desc.setValue(v);
356 }
357
358 // Steps 9-10.
359 id = NameToId(cx->names().writable);
360 bool hasWritable = false;
361 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasWritable)) {
362 return false;
363 }
364 if (hasWritable) {
365 desc.setWritable(ToBoolean(v));
366 }
367
368 // Steps 11-12.
369 id = NameToId(cx->names().get);
370 bool hasGet = false;
371 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasGet)) {
372 return false;
373 }
374 RootedObject getter(cx);
375 if (hasGet) {
376 if (v.isObject()) {
377 if (checkAccessors) {
378 JS_TRY_OR_RETURN_FALSE(cx, CheckCallable(cx, &v.toObject(), "getter"));
379 }
380 getter = &v.toObject();
381 } else if (v.isUndefined()) {
382 getter = nullptr;
383 } else {
384 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
385 JSMSG_BAD_GET_SET_FIELD, "getter");
386 return false;
387 }
388 }
389
390 // Steps 13-14.
391 id = NameToId(cx->names().set);
392 bool hasSet = false;
393 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasSet)) {
394 return false;
395 }
396 RootedObject setter(cx);
397 if (hasSet) {
398 if (v.isObject()) {
399 if (checkAccessors) {
400 JS_TRY_OR_RETURN_FALSE(cx, CheckCallable(cx, &v.toObject(), "setter"));
401 }
402 setter = &v.toObject();
403 } else if (v.isUndefined()) {
404 setter = nullptr;
405 } else {
406 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
407 JSMSG_BAD_GET_SET_FIELD, "setter");
408 return false;
409 }
410 }
411
412 // Step 15.
413 if (hasGet || hasSet) {
414 if (hasValue || hasWritable) {
415 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
416 JSMSG_INVALID_DESCRIPTOR);
417 return false;
418 }
419
420 // We delay setGetter/setSetter after the previous check,
421 // because otherwise we would assert.
422 if (hasGet) {
423 desc.setGetter(getter);
424 }
425 if (hasSet) {
426 desc.setSetter(setter);
427 }
428 }
429
430 desc.assertValid();
431 desc_.set(desc);
432 return true;
433 }
434
435 Result<> js::CheckPropertyDescriptorAccessors(JSContext* cx,
436 Handle<PropertyDescriptor> desc) {
437 if (desc.hasGetter()) {
438 MOZ_TRY(CheckCallable(cx, desc.getter(), "getter"));
439 }
440
441 if (desc.hasSetter()) {
442 MOZ_TRY(CheckCallable(cx, desc.setter(), "setter"));
443 }
444
445 return Ok();
446 }
447
448 // 6.2.5.6 CompletePropertyDescriptor(Desc)
449 void js::CompletePropertyDescriptor(MutableHandle<PropertyDescriptor> desc) {
450 // Step 1.
451 desc.assertValid();
452
453 // Step 2.
454 // Let like be the Record { [[Value]]: undefined, [[Writable]]: false,
455 // [[Get]]: undefined, [[Set]]: undefined,
456 // [[Enumerable]]: false, [[Configurable]]: false }.
457
458 // Step 3.
459 if (desc.isGenericDescriptor() || desc.isDataDescriptor()) {
460 // Step 3.a.
461 if (!desc.hasValue()) {
462 desc.setValue(UndefinedHandleValue);
463 }
464 // Step 3.b.
465 if (!desc.hasWritable()) {
466 desc.setWritable(false);
467 }
468 } else {
469 // Step 4.a.
470 if (!desc.hasGetter()) {
471 desc.setGetter(nullptr);
472 }
473 // Step 4.b.
474 if (!desc.hasSetter()) {
475 desc.setSetter(nullptr);
476 }
477 }
478
479 // Step 5.
480 if (!desc.hasEnumerable()) {
481 desc.setEnumerable(false);
482 }
483
484 // Step 6.
485 if (!desc.hasConfigurable()) {
486 desc.setConfigurable(false);
487 }
488
489 desc.assertComplete();
490 }
491
492 bool js::ReadPropertyDescriptors(
493 JSContext* cx, HandleObject props, bool checkAccessors,
494 MutableHandleIdVector ids, MutableHandle<PropertyDescriptorVector> descs) {
495 if (!GetPropertyKeys(cx, props, JSITER_OWNONLY | JSITER_SYMBOLS, ids)) {
496 return false;
497 }
498
499 RootedId id(cx);
500 for (size_t i = 0, len = ids.length(); i < len; i++) {
501 id = ids[i];
502 Rooted<PropertyDescriptor> desc(cx);
503 RootedValue v(cx);
504 if (!GetProperty(cx, props, props, id, &v) ||
505 !ToPropertyDescriptor(cx, v, checkAccessors, &desc) ||
506 !descs.append(desc)) {
507 return false;
508 }
509 }
510 return true;
511 }
512
513 /*** Seal and freeze ********************************************************/
514
515 /* ES6 draft rev 29 (6 Dec 2014) 7.3.13. */
516 bool js::SetIntegrityLevel(JSContext* cx, HandleObject obj,
517 IntegrityLevel level) {
518 cx->check(obj);
519
520 // Steps 3-5. (Steps 1-2 are redundant assertions.)
521 if (!PreventExtensions(cx, obj)) {
522 return false;
523 }
524
525 // Steps 6-9, loosely interpreted.
526 if (obj->is<NativeObject>() && !obj->is<TypedArrayObject>() &&
527 !obj->is<MappedArgumentsObject>()) {
528 Handle<NativeObject*> nobj = obj.as<NativeObject>();
529
530 // Use a fast path to seal/freeze properties. This has the benefit of
531 // creating shared property maps if possible, whereas the slower/generic
532 // implementation below ends up converting non-empty objects to dictionary
533 // mode.
534 if (nobj->shape()->propMapLength() > 0) {
535 if (!NativeObject::freezeOrSealProperties(cx, nobj, level)) {
536 return false;
537 }
538 }
539
540 // Ordinarily ArraySetLength handles this, but we're going behind its back
541 // right now, so we must do this manually.
542 if (level == IntegrityLevel::Frozen && obj->is<ArrayObject>()) {
543 obj->as<ArrayObject>().setNonWritableLength(cx);
544 }
545 } else {
546 // Steps 6-7.
547 RootedIdVector keys(cx);
548 if (!GetPropertyKeys(
549 cx, obj, JSITER_HIDDEN | JSITER_OWNONLY | JSITER_SYMBOLS, &keys)) {
550 return false;
551 }
552
553 RootedId id(cx);
554 Rooted<PropertyDescriptor> desc(cx, PropertyDescriptor::Empty());
555
556 // 8.a/9.a. The two different loops are merged here.
557 for (size_t i = 0; i < keys.length(); i++) {
558 id = keys[i];
559
560 if (level == IntegrityLevel::Sealed) {
561 // 8.a.i.
562 desc.setConfigurable(false);
563 } else {
564 // 9.a.i-ii.
565 Rooted<Maybe<PropertyDescriptor>> currentDesc(cx);
566 if (!GetOwnPropertyDescriptor(cx, obj, id, &currentDesc)) {
567 return false;
568 }
569
570 // 9.a.iii.
571 if (currentDesc.isNothing()) {
572 continue;
573 }
574
575 // 9.a.iii.1-2
576 desc = PropertyDescriptor::Empty();
577 if (currentDesc->isAccessorDescriptor()) {
578 desc.setConfigurable(false);
579 } else {
580 desc.setConfigurable(false);
581 desc.setWritable(false);
582 }
583 }
584
585 // 8.a.i-ii. / 9.a.iii.3-4
586 if (!DefineProperty(cx, obj, id, desc)) {
587 return false;
588 }
589 }
590 }
591
592 // Finally, freeze or seal the dense elements.
593 if (obj->is<NativeObject>()) {
594 if (!ObjectElements::FreezeOrSeal(cx, obj.as<NativeObject>(), level)) {
595 return false;
596 }
597 }
598
599 return true;
600 }
601
602 static bool ResolveLazyProperties(JSContext* cx, Handle<NativeObject*> obj) {
603 const JSClass* clasp = obj->getClass();
604 if (JSEnumerateOp enumerate = clasp->getEnumerate()) {
605 if (!enumerate(cx, obj)) {
606 return false;
607 }
608 }
609 if (clasp->getNewEnumerate() && clasp->getResolve()) {
610 RootedIdVector properties(cx);
611 if (!clasp->getNewEnumerate()(cx, obj, &properties,
612 /* enumerableOnly = */ false)) {
613 return false;
614 }
615
616 RootedId id(cx);
617 for (size_t i = 0; i < properties.length(); i++) {
618 id = properties[i];
619 bool found;
620 if (!HasOwnProperty(cx, obj, id, &found)) {
621 return false;
622 }
623 }
624 }
625 return true;
626 }
627
628 // ES6 draft rev33 (12 Feb 2015) 7.3.15
629 bool js::TestIntegrityLevel(JSContext* cx, HandleObject obj,
630 IntegrityLevel level, bool* result) {
631 // Steps 3-6. (Steps 1-2 are redundant assertions.)
632 bool status;
633 if (!IsExtensible(cx, obj, &status)) {
634 return false;
635 }
636 if (status) {
637 *result = false;
638 return true;
639 }
640
641 // Fast path for native objects.
642 if (obj->is<NativeObject>()) {
643 Handle<NativeObject*> nobj = obj.as<NativeObject>();
644
645 // Force lazy properties to be resolved.
646 if (!ResolveLazyProperties(cx, nobj)) {
647 return false;
648 }
649
650 // Typed array elements are configurable, writable properties, so if any
651 // elements are present, the typed array can neither be sealed nor frozen.
652 if (nobj->is<TypedArrayObject>() &&
653 nobj->as<TypedArrayObject>().length().valueOr(0) > 0) {
654 *result = false;
655 return true;
656 }
657
658 bool hasDenseElements = false;
659 for (size_t i = 0; i < nobj->getDenseInitializedLength(); i++) {
660 if (nobj->containsDenseElement(i)) {
661 hasDenseElements = true;
662 break;
663 }
664 }
665
666 if (hasDenseElements) {
667 // Unless the sealed flag is set, dense elements are configurable.
668 if (!nobj->denseElementsAreSealed()) {
669 *result = false;
670 return true;
671 }
672
673 // Unless the frozen flag is set, dense elements are writable.
674 if (level == IntegrityLevel::Frozen && !nobj->denseElementsAreFrozen()) {
675 *result = false;
676 return true;
677 }
678 }
679
680 // Steps 7-9.
681 for (ShapePropertyIter<NoGC> iter(nobj->shape()); !iter.done(); iter++) {
682 // Steps 9.c.i-ii.
683 if (iter->configurable() ||
684 (level == IntegrityLevel::Frozen && iter->isDataDescriptor() &&
685 iter->writable())) {
686 // Private fields on objects don't participate in the frozen state, and
687 // so should be elided from checking for frozen state.
688 if (iter->key().isPrivateName()) {
689 continue;
690 }
691
692 *result = false;
693 return true;
694 }
695 }
696 } else {
697 // Steps 7-8.
698 RootedIdVector props(cx);
699 if (!GetPropertyKeys(
700 cx, obj, JSITER_HIDDEN | JSITER_OWNONLY | JSITER_SYMBOLS, &props)) {
701 return false;
702 }
703
704 // Step 9.
705 RootedId id(cx);
706 Rooted<Maybe<PropertyDescriptor>> desc(cx);
707 for (size_t i = 0, len = props.length(); i < len; i++) {
708 id = props[i];
709
710 // Steps 9.a-b.
711 if (!GetOwnPropertyDescriptor(cx, obj, id, &desc)) {
712 return false;
713 }
714
715 // Step 9.c.
716 if (desc.isNothing()) {
717 continue;
718 }
719
720 // Steps 9.c.i-ii.
721 if (desc->configurable() ||
722 (level == IntegrityLevel::Frozen && desc->isDataDescriptor() &&
723 desc->writable())) {
724 // Since we don't request JSITER_PRIVATE in GetPropertyKeys above, we
725 // should never see a private name here.
726 MOZ_ASSERT(!id.isPrivateName());
727 *result = false;
728 return true;
729 }
730 }
731 }
732
733 // Step 10.
734 *result = true;
735 return true;
736 }
737
738 /* * */
739
740 static MOZ_ALWAYS_INLINE NativeObject* NewObject(
741 JSContext* cx, const JSClass* clasp, Handle<TaggedProto> proto,
742 gc::AllocKind kind, NewObjectKind newKind, ObjectFlags objFlags) {
743 MOZ_ASSERT(clasp->isNativeObject());
744
745 // Some classes have specialized allocation functions and shouldn't end up
746 // here.
747 MOZ_ASSERT(clasp != &ArrayObject::class_);
748 MOZ_ASSERT(clasp != &PlainObject::class_);
749 MOZ_ASSERT(!clasp->isJSFunction());
750
751 // Computing nfixed based on the AllocKind isn't right for objects which can
752 // store fixed data inline (TypedArrays and ArrayBuffers) so for simplicity
753 // and performance reasons we don't support such objects here.
754 MOZ_ASSERT(!ClassCanHaveFixedData(clasp));
755 size_t nfixed = GetGCKindSlots(kind);
756
757 if (CanChangeToBackgroundAllocKind(kind, clasp)) {
758 kind = ForegroundToBackgroundAllocKind(kind);
759 }
760
761 Rooted<SharedShape*> shape(
762 cx, SharedShape::getInitialShape(cx, clasp, cx->realm(), proto, nfixed,
763 objFlags));
764 if (!shape) {
765 return nullptr;
766 }
767
768 gc::Heap heap = GetInitialHeap(newKind, clasp);
769 NativeObject* obj = NativeObject::create(cx, kind, heap, shape);
770 if (!obj) {
771 return nullptr;
772 }
773
774 probes::CreateObject(cx, obj);
775 return obj;
776 }
777
778 NativeObject* js::NewObjectWithGivenTaggedProto(
779 JSContext* cx, const JSClass* clasp, Handle<TaggedProto> proto,
780 gc::AllocKind allocKind, NewObjectKind newKind, ObjectFlags objFlags) {
781 return NewObject(cx, clasp, proto, allocKind, newKind, objFlags);
782 }
783
784 NativeObject* js::NewObjectWithClassProto(JSContext* cx, const JSClass* clasp,
785 HandleObject protoArg,
786 gc::AllocKind allocKind,
787 NewObjectKind newKind,
788 ObjectFlags objFlags) {
789 if (protoArg) {
790 return NewObjectWithGivenTaggedProto(cx, clasp, AsTaggedProto(protoArg),
791 allocKind, newKind, objFlags);
792 }
793
794 // Find the appropriate proto for clasp. Built-in classes have a cached
795 // proto on cx->global(); all others get %ObjectPrototype%.
796 JSProtoKey protoKey = JSCLASS_CACHED_PROTO_KEY(clasp);
797 if (protoKey == JSProto_Null) {
798 protoKey = JSProto_Object;
799 }
800
801 JSObject* proto = GlobalObject::getOrCreatePrototype(cx, protoKey);
802 if (!proto) {
803 return nullptr;
804 }
805
806 Rooted<TaggedProto> taggedProto(cx, TaggedProto(proto));
807 return NewObject(cx, clasp, taggedProto, allocKind, newKind, objFlags);
808 }
809
810 bool js::GetPrototypeFromConstructor(JSContext* cx, HandleObject newTarget,
811 JSProtoKey intrinsicDefaultProto,
812 MutableHandleObject proto) {
813 RootedValue protov(cx);
814 if (!GetProperty(cx, newTarget, newTarget, cx->names().prototype, &protov)) {
815 return false;
816 }
817 if (protov.isObject()) {
818 proto.set(&protov.toObject());
819 } else if (newTarget->is<JSFunction>() &&
820 newTarget->as<JSFunction>().realm() == cx->realm()) {
821 // Steps 4.a-b fetch the builtin prototype of the current realm, which we
822 // represent as nullptr.
823 proto.set(nullptr);
824 } else if (intrinsicDefaultProto == JSProto_Null) {
825 // Bug 1317416. The caller did not pass a reasonable JSProtoKey, so let the
826 // caller select a prototype object. Most likely they will choose one from
827 // the wrong realm.
828 proto.set(nullptr);
829 } else {
830 // Step 4.a: Let realm be ? GetFunctionRealm(constructor);
831 Realm* realm = JS::GetFunctionRealm(cx, newTarget);
832 if (!realm) {
833 return false;
834 }
835
836 // Step 4.b: Set proto to realm's intrinsic object named
837 // intrinsicDefaultProto.
838 {
839 Maybe<AutoRealm> ar;
840 if (cx->realm() != realm) {
841 ar.emplace(cx, realm->maybeGlobal());
842 }
843 proto.set(GlobalObject::getOrCreatePrototype(cx, intrinsicDefaultProto));
844 }
845 if (!proto) {
846 return false;
847 }
848 if (!cx->compartment()->wrap(cx, proto)) {
849 return false;
850 }
851 }
852 return true;
853 }
854
855 /* static */
856 bool JSObject::nonNativeSetProperty(JSContext* cx, HandleObject obj,
857 HandleId id, HandleValue v,
858 HandleValue receiver,
859 ObjectOpResult& result) {
860 return obj->getOpsSetProperty()(cx, obj, id, v, receiver, result);
861 }
862
863 /* static */
864 bool JSObject::nonNativeSetElement(JSContext* cx, HandleObject obj,
865 uint32_t index, HandleValue v,
866 HandleValue receiver,
867 ObjectOpResult& result) {
868 RootedId id(cx);
869 if (!IndexToId(cx, index, &id)) {
870 return false;
871 }
872 return nonNativeSetProperty(cx, obj, id, v, receiver, result);
873 }
874
875 static bool CopyPropertyFrom(JSContext* cx, HandleId id, HandleObject target,
876 HandleObject obj) {
877 // |target| must not be a CCW because we need to enter its realm below and
878 // CCWs are not associated with a single realm.
879 MOZ_ASSERT(!IsCrossCompartmentWrapper(target));
880
881 // |obj| and |cx| are generally not same-compartment with |target| here.
882 cx->check(obj, id);
883 Rooted<mozilla::Maybe<PropertyDescriptor>> desc(cx);
884
885 if (!GetOwnPropertyDescriptor(cx, obj, id, &desc)) {
886 return false;
887 }
888 MOZ_ASSERT(desc.isSome());
889
890 JSAutoRealm ar(cx, target);
891 cx->markId(id);
892 RootedId wrappedId(cx, id);
893 if (!cx->compartment()->wrap(cx, &desc)) {
894 return false;
895 }
896
897 Rooted<PropertyDescriptor> desc_(cx, *desc);
898 return DefineProperty(cx, target, wrappedId, desc_);
899 }
900
901 JS_PUBLIC_API bool JS_CopyOwnPropertiesAndPrivateFields(JSContext* cx,
902 HandleObject target,
903 HandleObject obj) {
904 // Both |obj| and |target| must not be CCWs because we need to enter their
905 // realms below and CCWs are not associated with a single realm.
906 MOZ_ASSERT(!IsCrossCompartmentWrapper(obj));
907 MOZ_ASSERT(!IsCrossCompartmentWrapper(target));
908
909 JSAutoRealm ar(cx, obj);
910
911 RootedIdVector props(cx);
912 if (!GetPropertyKeys(
913 cx, obj,
914 JSITER_PRIVATE | JSITER_OWNONLY | JSITER_HIDDEN | JSITER_SYMBOLS,
915 &props)) {
916 return false;
917 }
918
919 for (size_t i = 0; i < props.length(); ++i) {
920 if (!CopyPropertyFrom(cx, props[i], target, obj)) {
921 return false;
922 }
923 }
924
925 return true;
926 }
927
928 static bool InitializePropertiesFromCompatibleNativeObject(
929 JSContext* cx, Handle<NativeObject*> dst, Handle<NativeObject*> src) {
930 cx->check(src, dst);
931 MOZ_ASSERT(src->getClass() == dst->getClass());
932 MOZ_ASSERT(dst->shape()->objectFlags().isEmpty());
933 MOZ_ASSERT(src->numFixedSlots() == dst->numFixedSlots());
934 MOZ_ASSERT(!src->inDictionaryMode());
935 MOZ_ASSERT(!dst->inDictionaryMode());
936
937 if (!dst->ensureElements(cx, src->getDenseInitializedLength())) {
938 return false;
939 }
940
941 uint32_t initialized = src->getDenseInitializedLength();
942 for (uint32_t i = 0; i < initialized; ++i) {
943 dst->setDenseInitializedLength(i + 1);
944 dst->initDenseElement(i, src->getDenseElement(i));
945 }
946
947 // If there are no properties to copy, we're done.
948 if (!src->sharedShape()->propMap()) {
949 return true;
950 }
951
952 Rooted<SharedShape*> shape(cx);
953 if (src->staticPrototype() == dst->staticPrototype()) {
954 shape = src->sharedShape();
955 } else {
956 // We need to generate a new shape for dst that has dst's proto but all
957 // the property information from src. Note that we asserted above that
958 // dst's object flags are empty.
959 SharedShape* srcShape = src->sharedShape();
960 ObjectFlags objFlags;
961 objFlags = CopyPropMapObjectFlags(objFlags, srcShape->objectFlags());
962 Rooted<SharedPropMap*> map(cx, srcShape->propMap());
963 uint32_t mapLength = srcShape->propMapLength();
964 shape = SharedShape::getPropMapShape(cx, dst->shape()->base(),
965 dst->numFixedSlots(), map, mapLength,
966 objFlags);
967 if (!shape) {
968 return false;
969 }
970 }
971
972 uint32_t oldSpan = dst->sharedShape()->slotSpan();
973 uint32_t newSpan = shape->slotSpan();
974 if (!dst->setShapeAndAddNewSlots(cx, shape, oldSpan, newSpan)) {
975 return false;
976 }
977 for (size_t i = JSCLASS_RESERVED_SLOTS(src->getClass()); i < newSpan; i++) {
978 dst->setSlot(i, src->getSlot(i));
979 }
980
981 return true;
982 }
983
984 JS_PUBLIC_API bool JS_InitializePropertiesFromCompatibleNativeObject(
985 JSContext* cx, HandleObject dst, HandleObject src) {
986 return InitializePropertiesFromCompatibleNativeObject(
987 cx, dst.as<NativeObject>(), src.as<NativeObject>());
988 }
989
990 bool js::ObjectMayBeSwapped(const JSObject* obj) {
991 const JSClass* clasp = obj->getClass();
992
993 // We want to optimize Window/globals and Gecko doesn't require transplanting
994 // them (only the WindowProxy around them). A Window may be a DOMClass, so we
995 // explicitly check if this is a global.
996 if (clasp->isGlobal()) {
997 return false;
998 }
999
1000 // WindowProxy, Wrapper, DeadProxyObject, DOMProxy, and DOMClass (non-global)
1001 // types may be swapped. It is hard to detect DOMProxy from shell, so target
1002 // proxies in general.
1003 return clasp->isProxyObject() || clasp->isDOMClass();
1004 }
1005
1006 bool NativeObject::prepareForSwap(JSContext* cx,
1007 MutableHandleValueVector slotValuesOut) {
1008 MOZ_ASSERT(slotValuesOut.empty());
1009
1010 for (size_t i = 0; i < slotSpan(); i++) {
1011 if (!slotValuesOut.append(getSlot(i))) {
1012 return false;
1013 }
1014 }
1015
1016 if (hasDynamicSlots()) {
1017 ObjectSlots* slotsHeader = getSlotsHeader();
1018 size_t size = ObjectSlots::allocSize(slotsHeader->capacity());
1019 RemoveCellMemory(this, size, MemoryUse::ObjectSlots);
1020 if (!cx->nursery().isInside(slotsHeader)) {
1021 if (!isTenured()) {
1022 cx->nursery().removeMallocedBuffer(slotsHeader, size);
1023 }
1024 js_free(slotsHeader);
1025 }
1026 setEmptyDynamicSlots(0);
1027 }
1028
1029 if (hasDynamicElements()) {
1030 ObjectElements* elements = getElementsHeader();
1031 void* allocatedElements = getUnshiftedElementsHeader();
1032 size_t count = elements->numAllocatedElements();
1033 size_t size = count * sizeof(HeapSlot);
1034
1035 if (isTenured()) {
1036 RemoveCellMemory(this, size, MemoryUse::ObjectElements);
1037 } else if (cx->nursery().isInside(allocatedElements)) {
1038 // Move nursery allocated elements in case they end up in a tenured
1039 // object.
1040 ObjectElements* newElements =
1041 reinterpret_cast<ObjectElements*>(js_pod_malloc<HeapSlot>(count));
1042 if (!newElements) {
1043 return false;
1044 }
1045
1046 memmove(newElements, elements, size);
1047 elements_ = newElements->elements();
1048 } else {
1049 cx->nursery().removeMallocedBuffer(allocatedElements, size);
1050 }
1051 MOZ_ASSERT(hasDynamicElements());
1052 }
1053
1054 return true;
1055 }
1056
1057 /* static */
1058 bool NativeObject::fixupAfterSwap(JSContext* cx, Handle<NativeObject*> obj,
1059 gc::AllocKind kind,
1060 HandleValueVector slotValues) {
1061 // This object has just been swapped with some other object, and its shape
1062 // no longer reflects its allocated size. Correct this information and
1063 // fill the slots in with the specified values.
1064 MOZ_ASSERT_IF(!obj->inDictionaryMode(),
1065 obj->slotSpan() == slotValues.length());
1066
1067 // Make sure the shape's numFixedSlots() is correct.
1068 size_t nfixed = gc::GetGCKindSlots(kind);
1069 if (nfixed != obj->shape()->numFixedSlots()) {
1070 if (!NativeObject::changeNumFixedSlotsAfterSwap(cx, obj, nfixed)) {
1071 return false;
1072 }
1073 MOZ_ASSERT(obj->shape()->numFixedSlots() == nfixed);
1074 }
1075
1076 uint32_t oldDictionarySlotSpan =
1077 obj->inDictionaryMode() ? slotValues.length() : 0;
1078
1079 MOZ_ASSERT(!obj->hasUniqueId());
1080 size_t ndynamic =
1081 calculateDynamicSlots(nfixed, slotValues.length(), obj->getClass());
1082 size_t currentSlots = obj->getSlotsHeader()->capacity();
1083 MOZ_ASSERT(ndynamic >= currentSlots);
1084 if (ndynamic > currentSlots) {
1085 if (!obj->growSlots(cx, currentSlots, ndynamic)) {
1086 return false;
1087 }
1088 }
1089
1090 if (obj->inDictionaryMode()) {
1091 obj->setDictionaryModeSlotSpan(oldDictionarySlotSpan);
1092 }
1093
1094 for (size_t i = 0, len = slotValues.length(); i < len; i++) {
1095 obj->initSlotUnchecked(i, slotValues[i]);
1096 }
1097
1098 if (obj->hasDynamicElements()) {
1099 ObjectElements* elements = obj->getElementsHeader();
1100 void* allocatedElements = obj->getUnshiftedElementsHeader();
1101 MOZ_ASSERT(!cx->nursery().isInside(allocatedElements));
1102 size_t size = elements->numAllocatedElements() * sizeof(HeapSlot);
1103 if (obj->isTenured()) {
1104 AddCellMemory(obj, size, MemoryUse::ObjectElements);
1105 } else if (!cx->nursery().registerMallocedBuffer(allocatedElements, size)) {
1106 return false;
1107 }
1108 }
1109
1110 return true;
1111 }
1112
1113 [[nodiscard]] bool ProxyObject::prepareForSwap(
1114 JSContext* cx, MutableHandleValueVector valuesOut) {
1115 MOZ_ASSERT(valuesOut.empty());
1116
1117 // Remove the GCPtr<Value>s we're about to swap from the store buffer, to
1118 // ensure we don't trace bogus values.
1119 gc::StoreBuffer& sb = cx->runtime()->gc.storeBuffer();
1120
1121 // Reserve space for the expando, private slot and the reserved slots.
1122 if (!valuesOut.reserve(2 + numReservedSlots())) {
1123 return false;
1124 }
1125
1126 js::detail::ProxyValueArray* valArray = data.values();
1127 sb.unputValue(&valArray->expandoSlot);
1128 sb.unputValue(&valArray->privateSlot);
1129 valuesOut.infallibleAppend(valArray->expandoSlot);
1130 valuesOut.infallibleAppend(valArray->privateSlot);
1131
1132 for (size_t i = 0; i < numReservedSlots(); i++) {
1133 sb.unputValue(&valArray->reservedSlots.slots[i]);
1134 valuesOut.infallibleAppend(valArray->reservedSlots.slots[i]);
1135 }
1136
1137 if (isTenured() && !usingInlineValueArray()) {
1138 size_t count = detail::ProxyValueArray::allocCount(numReservedSlots());
1139 RemoveCellMemory(this, count * sizeof(Value),
1140 MemoryUse::ProxyExternalValueArray);
1141 js_free(valArray);
1142 data.reservedSlots = nullptr;
1143 }
1144
1145 return true;
1146 }
1147
1148 bool ProxyObject::fixupAfterSwap(JSContext* cx,
1149 const HandleValueVector values) {
1150 MOZ_ASSERT(getClass()->isProxyObject());
1151
1152 size_t nreserved = numReservedSlots();
1153
1154 // |values| contains the expando slot, private slot and the reserved slots.
1155 MOZ_ASSERT(values.length() == 2 + nreserved);
1156
1157 // Allocate the external value array in malloc memory, even for nursery
1158 // proxies.
1159 size_t count = detail::ProxyValueArray::allocCount(nreserved);
1160 auto* allocation = js_pod_malloc<JS::Value>(count);
1161 if (!allocation) {
1162 return false;
1163 }
1164
1165 size_t size = count * sizeof(Value);
1166 if (isTenured()) {
1167 AddCellMemory(&asTenured(), size, MemoryUse::ProxyExternalValueArray);
1168 } else if (!cx->nursery().registerMallocedBuffer(allocation, size)) {
1169 js_free(allocation);
1170 return false;
1171 }
1172
1173 auto* valArray = reinterpret_cast<js::detail::ProxyValueArray*>(allocation);
1174
1175 valArray->expandoSlot = values[0];
1176 valArray->privateSlot = values[1];
1177
1178 for (size_t i = 0; i < nreserved; i++) {
1179 valArray->reservedSlots.slots[i] = values[i + 2];
1180 }
1181
1182 data.reservedSlots = &valArray->reservedSlots;
1183 MOZ_ASSERT(!usingInlineValueArray());
1184 return true;
1185 }
1186
1187 static gc::AllocKind SwappableObjectAllocKind(JSObject* obj) {
1188 MOZ_ASSERT(ObjectMayBeSwapped(obj));
1189
1190 if (obj->isTenured()) {
1191 return obj->asTenured().getAllocKind();
1192 }
1193
1194 if (obj->is<NativeObject>()) {
1195 return obj->as<NativeObject>().allocKindForTenure();
1196 }
1197
1198 return obj->as<ProxyObject>().allocKindForTenure();
1199 }
1200
1201 /* Use this method with extreme caution. It trades the guts of two objects. */
1202 void JSObject::swap(JSContext* cx, HandleObject a, HandleObject b,
1203 AutoEnterOOMUnsafeRegion& oomUnsafe) {
1204 // Ensure swap doesn't cause a finalizer to be run at the wrong time.
1205 MOZ_ASSERT(a->isBackgroundFinalized() == b->isBackgroundFinalized());
1206
1207 MOZ_ASSERT(a->compartment() == b->compartment());
1208
1209 // You must have entered the objects' compartment before calling this.
1210 MOZ_ASSERT(cx->compartment() == a->compartment());
1211
1212 // Only certain types of objects are allowed to be swapped. This allows the
1213 // JITs to better optimize objects that can never swap and rules out most
1214 // builtin objects that have special behaviour.
1215 MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(a));
1216 MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(b));
1217
1218 if (!Watchtower::watchObjectSwap(cx, a, b)) {
1219 oomUnsafe.crash("watchObjectSwap");
1220 }
1221
1222 // Ensure we update any embedded nursery pointers in either object.
1223 gc::StoreBuffer& storeBuffer = cx->runtime()->gc.storeBuffer();
1224 if (a->isTenured()) {
1225 storeBuffer.putWholeCell(a);
1226 }
1227 if (b->isTenured()) {
1228 storeBuffer.putWholeCell(b);
1229 }
1230 if (a->isTenured() || b->isTenured()) {
1231 if (a->zone()->wasGCStarted()) {
1232 storeBuffer.setMayHavePointersToDeadCells();
1233 }
1234 }
1235
1236 unsigned r = NotifyGCPreSwap(a, b);
1237
1238 ProxyObject* pa = a->is<ProxyObject>() ? &a->as<ProxyObject>() : nullptr;
1239 ProxyObject* pb = b->is<ProxyObject>() ? &b->as<ProxyObject>() : nullptr;
1240 bool aIsProxyWithInlineValues = pa && pa->usingInlineValueArray();
1241 bool bIsProxyWithInlineValues = pb && pb->usingInlineValueArray();
1242
1243 bool aIsUsedAsPrototype = a->isUsedAsPrototype();
1244 bool bIsUsedAsPrototype = b->isUsedAsPrototype();
1245
1246 // Swap element associations.
1247 Zone* zone = a->zone();
1248
1249 // Record any associated unique IDs and prepare for swap.
1250 //
1251 // Note that unique IDs are NOT swapped but remain associated with the
1252 // original address.
1253 uint64_t aid = 0;
1254 uint64_t bid = 0;
1255 (void)gc::MaybeGetUniqueId(a, &aid);
1256 (void)gc::MaybeGetUniqueId(b, &bid);
1257 NativeObject* na = a->is<NativeObject>() ? &a->as<NativeObject>() : nullptr;
1258 NativeObject* nb = b->is<NativeObject>() ? &b->as<NativeObject>() : nullptr;
1259 if ((aid || bid) && (na || nb)) {
1260 // We can't remove unique IDs from native objects when they are swapped with
1261 // objects without an ID. Instead ensure they both have IDs so we always
1262 // have something to overwrite the old ID with.
1263 if (!gc::GetOrCreateUniqueId(a, &aid) ||
1264 !gc::GetOrCreateUniqueId(b, &bid)) {
1265 oomUnsafe.crash("Failed to create unique ID during swap");
1266 }
1267
1268 // IDs stored in NativeObjects could shadow those stored in the zone
1269 // table. Remove any zone table IDs first.
1270 if (pa && aid) {
1271 gc::RemoveUniqueId(a);
1272 }
1273 if (pb && bid) {
1274 gc::RemoveUniqueId(b);
1275 }
1276 }
1277
1278 gc::AllocKind ka = SwappableObjectAllocKind(a);
1279 gc::AllocKind kb = SwappableObjectAllocKind(b);
1280
1281 size_t sa = gc::Arena::thingSize(ka);
1282 size_t sb = gc::Arena::thingSize(kb);
1283 if (sa == sb && a->isTenured() == b->isTenured()) {
1284 // When both objects are the same size and in the same heap, just do a plain
1285 // swap of their contents.
1286
1287 // Swap slot associations.
1288 zone->swapCellMemory(a, b, MemoryUse::ObjectSlots);
1289
1290 size_t size = sa;
1291 char tmp[sizeof(JSObject_Slots16)];
1292 MOZ_ASSERT(size <= sizeof(tmp));
1293
1294 js_memcpy(tmp, a, size);
1295 js_memcpy(a, b, size);
1296 js_memcpy(b, tmp, size);
1297
1298 zone->swapCellMemory(a, b, MemoryUse::ObjectElements);
1299 zone->swapCellMemory(a, b, MemoryUse::ProxyExternalValueArray);
1300
1301 if (aIsProxyWithInlineValues) {
1302 b->as<ProxyObject>().setInlineValueArray();
1303 }
1304 if (bIsProxyWithInlineValues) {
1305 a->as<ProxyObject>().setInlineValueArray();
1306 }
1307 } else {
1308 // Avoid GC in here to avoid confusing the tracing code with our
1309 // intermediate state.
1310 gc::AutoSuppressGC suppress(cx);
1311
1312 // When the objects have different sizes, they will have different numbers
1313 // of fixed slots before and after the swap, so the slots for native objects
1314 // will need to be rearranged. Remember the original values from the
1315 // objects.
1316 RootedValueVector avals(cx);
1317 RootedValueVector bvals(cx);
1318 if (na && !na->prepareForSwap(cx, &avals)) {
1319 oomUnsafe.crash("NativeObject::prepareForSwap");
1320 }
1321 if (nb && !nb->prepareForSwap(cx, &bvals)) {
1322 oomUnsafe.crash("NativeObject::prepareForSwap");
1323 }
1324
1325 // Do the same for proxy value arrays.
1326 if (pa && !pa->prepareForSwap(cx, &avals)) {
1327 oomUnsafe.crash("ProxyObject::prepareForSwap");
1328 }
1329 if (pb && !pb->prepareForSwap(cx, &bvals)) {
1330 oomUnsafe.crash("ProxyObject::prepareForSwap");
1331 }
1332
1333 // Swap the main fields of the objects, whether they are native objects or
1334 // proxies.
1335 char tmp[sizeof(JSObject_Slots0)];
1336 js_memcpy(&tmp, a, sizeof tmp);
1337 js_memcpy(a, b, sizeof tmp);
1338 js_memcpy(b, &tmp, sizeof tmp);
1339
1340 if (na &&
1341 !NativeObject::fixupAfterSwap(cx, b.as<NativeObject>(), kb, avals)) {
1342 oomUnsafe.crash("NativeObject::fixupAfterSwap");
1343 }
1344 if (nb &&
1345 !NativeObject::fixupAfterSwap(cx, a.as<NativeObject>(), ka, bvals)) {
1346 oomUnsafe.crash("NativeObject::fixupAfterSwap");
1347 }
1348
1349 if (pa && !b->as<ProxyObject>().fixupAfterSwap(cx, avals)) {
1350 oomUnsafe.crash("ProxyObject::fixupAfterSwap");
1351 }
1352 if (pb && !a->as<ProxyObject>().fixupAfterSwap(cx, bvals)) {
1353 oomUnsafe.crash("ProxyObject::fixupAfterSwap");
1354 }
1355 }
1356
1357 // Restore original unique IDs.
1358 if ((aid || bid) && (na || nb)) {
1359 if ((aid && !gc::SetOrUpdateUniqueId(cx, a, aid)) ||
1360 (bid && !gc::SetOrUpdateUniqueId(cx, b, bid))) {
1361 oomUnsafe.crash("Failed to set unique ID after swap");
1362 }
1363 }
1364 MOZ_ASSERT_IF(aid, gc::GetUniqueIdInfallible(a) == aid);
1365 MOZ_ASSERT_IF(bid, gc::GetUniqueIdInfallible(b) == bid);
1366
1367 // Preserve the IsUsedAsPrototype flag on the objects.
1368 if (aIsUsedAsPrototype) {
1369 if (!JSObject::setIsUsedAsPrototype(cx, a)) {
1370 oomUnsafe.crash("setIsUsedAsPrototype");
1371 }
1372 }
1373 if (bIsUsedAsPrototype) {
1374 if (!JSObject::setIsUsedAsPrototype(cx, b)) {
1375 oomUnsafe.crash("setIsUsedAsPrototype");
1376 }
1377 }
1378
1379 /*
1380 * We need a write barrier here. If |a| was marked and |b| was not, then
1381 * after the swap, |b|'s guts would never be marked. The write barrier
1382 * solves this.
1383 *
1384 * Normally write barriers happen before the write. However, that's not
1385 * necessary here because nothing is being destroyed. We're just swapping.
1386 */
1387 PreWriteBarrier(zone, a.get(), [](JSTracer* trc, JSObject* obj) {
1388 obj->traceChildren(trc);
1389 });
1390 PreWriteBarrier(zone, b.get(), [](JSTracer* trc, JSObject* obj) {
1391 obj->traceChildren(trc);
1392 });
1393
1394 NotifyGCPostSwap(a, b, r);
1395 }
1396
1397 static NativeObject* DefineConstructorAndPrototype(
1398 JSContext* cx, HandleObject obj, Handle<JSAtom*> atom,
1399 HandleObject protoProto, const JSClass* clasp, Native constructor,
1400 unsigned nargs, const JSPropertySpec* ps, const JSFunctionSpec* fs,
1401 const JSPropertySpec* static_ps, const JSFunctionSpec* static_fs,
1402 NativeObject** ctorp) {
1403 // Create the prototype object.
1404 Rooted<NativeObject*> proto(
1405 cx, GlobalObject::createBlankPrototypeInheriting(cx, clasp, protoProto));
1406 if (!proto) {
1407 return nullptr;
1408 }
1409
1410 Rooted<NativeObject*> ctor(cx);
1411 if (!constructor) {
1412 ctor = proto;
1413 } else {
1414 ctor = NewNativeConstructor(cx, constructor, nargs, atom);
1415 if (!ctor) {
1416 return nullptr;
1417 }
1418
1419 if (!LinkConstructorAndPrototype(cx, ctor, proto)) {
1420 return nullptr;
1421 }
1422 }
1423
1424 if (!DefinePropertiesAndFunctions(cx, proto, ps, fs) ||
1425 (ctor != proto &&
1426 !DefinePropertiesAndFunctions(cx, ctor, static_ps, static_fs))) {
1427 return nullptr;
1428 }
1429
1430 RootedId id(cx, AtomToId(atom));
1431 RootedValue value(cx, ObjectValue(*ctor));
1432 if (!DefineDataProperty(cx, obj, id, value, 0)) {
1433 return nullptr;
1434 }
1435
1436 if (ctorp) {
1437 *ctorp = ctor;
1438 }
1439 return proto;
1440 }
1441
1442 NativeObject* js::InitClass(JSContext* cx, HandleObject obj,
1443 const JSClass* protoClass, HandleObject protoProto_,
1444 const char* name, Native constructor,
1445 unsigned nargs, const JSPropertySpec* ps,
1446 const JSFunctionSpec* fs,
1447 const JSPropertySpec* static_ps,
1448 const JSFunctionSpec* static_fs,
1449 NativeObject** ctorp) {
1450 Rooted<JSAtom*> atom(cx, Atomize(cx, name, strlen(name)));
1451 if (!atom) {
1452 return nullptr;
1453 }
1454
1455 /*
1456 * All instances of the class will inherit properties from the prototype
1457 * object we are about to create (in DefineConstructorAndPrototype), which
1458 * in turn will inherit from protoProto.
1459 *
1460 * If protoProto is nullptr, default to Object.prototype.
1461 * If protoClass is nullptr, default to PlainObject.
1462 */
1463 RootedObject protoProto(cx, protoProto_);
1464 if (!protoProto) {
1465 protoProto = &cx->global()->getObjectPrototype();
1466 }
1467 if (!protoClass) {
1468 protoClass = &PlainObject::class_;
1469 }
1470
1471 return DefineConstructorAndPrototype(cx, obj, atom, protoProto, protoClass,
1472 constructor, nargs, ps, fs, static_ps,
1473 static_fs, ctorp);
1474 }
1475
1476 /**
1477 * Returns the original Object.prototype from the embedding-provided incumbent
1478 * global.
1479 *
1480 * Really, we want the incumbent global itself so we can pass it to other
1481 * embedding hooks which need it. Specifically, the enqueue promise hook
1482 * takes an incumbent global so it can set that on the PromiseCallbackJob
1483 * it creates.
1484 *
1485 * The reason for not just returning the global itself is that we'd need to
1486 * wrap it into the current compartment, and later unwrap it. Unwrapping
1487 * globals is tricky, though: we might accidentally unwrap through an inner
1488 * to its outer window and end up with the wrong global. Plain objects don't
1489 * have this problem, so we use the global's Object.prototype. The code using
1490 * it - e.g. EnqueuePromiseReactionJob - can then unwrap the object and get
1491 * its global without fear of unwrapping too far.
1492 */
1493 bool js::GetObjectFromIncumbentGlobal(JSContext* cx, MutableHandleObject obj) {
1494 Rooted<GlobalObject*> globalObj(cx, cx->runtime()->getIncumbentGlobal(cx));
1495 if (!globalObj) {
1496 obj.set(nullptr);
1497 return true;
1498 }
1499
1500 obj.set(&globalObj->getObjectPrototype());
1501
1502 // The object might be from a different compartment, so wrap it.
1503 if (obj && !cx->compartment()->wrap(cx, obj)) {
1504 return false;
1505 }
1506
1507 return true;
1508 }
1509
1510 static bool IsStandardPrototype(JSObject* obj, JSProtoKey key) {
1511 return obj->nonCCWGlobal().maybeGetPrototype(key) == obj;
1512 }
1513
1514 JSProtoKey JS::IdentifyStandardInstance(JSObject* obj) {
1515 // Note: The prototype shares its JSClass with instances.
1516 MOZ_ASSERT(!obj->is<CrossCompartmentWrapperObject>());
1517 JSProtoKey key = StandardProtoKeyOrNull(obj);
1518 if (key != JSProto_Null && !IsStandardPrototype(obj, key)) {
1519 return key;
1520 }
1521 return JSProto_Null;
1522 }
1523
1524 JSProtoKey JS::IdentifyStandardPrototype(JSObject* obj) {
1525 // Note: The prototype shares its JSClass with instances.
1526 MOZ_ASSERT(!obj->is<CrossCompartmentWrapperObject>());
1527 JSProtoKey key = StandardProtoKeyOrNull(obj);
1528 if (key != JSProto_Null && IsStandardPrototype(obj, key)) {
1529 return key;
1530 }
1531 return JSProto_Null;
1532 }
1533
1534 JSProtoKey JS::IdentifyStandardInstanceOrPrototype(JSObject* obj) {
1535 return StandardProtoKeyOrNull(obj);
1536 }
1537
1538 JSProtoKey JS::IdentifyStandardConstructor(JSObject* obj) {
1539 // Note that isNativeConstructor does not imply that we are a standard
1540 // constructor, but the converse is true (at least until we start having
1541 // self-hosted constructors for standard classes). This lets us avoid a costly
1542 // loop for many functions (which, depending on the call site, may be the
1543 // common case).
1544 if (!obj->is<JSFunction>() ||
1545 !(obj->as<JSFunction>().flags().isNativeConstructor())) {
1546 return JSProto_Null;
1547 }
1548
1549 static_assert(JSProto_Null == 0,
1550 "Loop below can start at 1 to skip JSProto_Null");
1551
1552 GlobalObject& global = obj->as<JSFunction>().global();
1553 for (size_t k = 1; k < JSProto_LIMIT; ++k) {
1554 JSProtoKey key = static_cast<JSProtoKey>(k);
1555 if (global.maybeGetConstructor(key) == obj) {
1556 return key;
1557 }
1558 }
1559
1560 return JSProto_Null;
1561 }
1562
1563 bool js::LookupProperty(JSContext* cx, HandleObject obj, js::HandleId id,
1564 MutableHandleObject objp, PropertyResult* propp) {
1565 if (LookupPropertyOp op = obj->getOpsLookupProperty()) {
1566 return op(cx, obj, id, objp, propp);
1567 }
1568 return NativeLookupPropertyInline<CanGC>(cx, obj.as<NativeObject>(), id, objp,
1569 propp);
1570 }
1571
1572 bool js::LookupName(JSContext* cx, Handle<PropertyName*> name,
1573 HandleObject envChain, MutableHandleObject objp,
1574 MutableHandleObject pobjp, PropertyResult* propp) {
1575 RootedId id(cx, NameToId(name));
1576
1577 for (RootedObject env(cx, envChain); env; env = env->enclosingEnvironment()) {
1578 if (!LookupProperty(cx, env, id, pobjp, propp)) {
1579 return false;
1580 }
1581 if (propp->isFound()) {
1582 objp.set(env);
1583 return true;
1584 }
1585 }
1586
1587 objp.set(nullptr);
1588 pobjp.set(nullptr);
1589 propp->setNotFound();
1590 return true;
1591 }
1592
1593 bool js::LookupNameNoGC(JSContext* cx, PropertyName* name, JSObject* envChain,
1594 JSObject** objp, NativeObject** pobjp,
1595 PropertyResult* propp) {
1596 AutoAssertNoPendingException nogc(cx);
1597
1598 MOZ_ASSERT(!*objp && !*pobjp && propp->isNotFound());
1599
1600 for (JSObject* env = envChain; env; env = env->enclosingEnvironment()) {
1601 if (env->getOpsLookupProperty()) {
1602 return false;
1603 }
1604 if (!NativeLookupPropertyInline<NoGC>(cx, &env->as<NativeObject>(),
1605 NameToId(name), pobjp, propp)) {
1606 return false;
1607 }
1608 if (propp->isFound()) {
1609 *objp = env;
1610 return true;
1611 }
1612 }
1613
1614 return true;
1615 }
1616
1617 bool js::LookupNameWithGlobalDefault(JSContext* cx, Handle<PropertyName*> name,
1618 HandleObject envChain,
1619 MutableHandleObject objp) {
1620 RootedId id(cx, NameToId(name));
1621
1622 RootedObject pobj(cx);
1623 PropertyResult prop;
1624
1625 RootedObject env(cx, envChain);
1626 for (; !env->is<GlobalObject>(); env = env->enclosingEnvironment()) {
1627 if (!LookupProperty(cx, env, id, &pobj, &prop)) {
1628 return false;
1629 }
1630 if (prop.isFound()) {
1631 break;
1632 }
1633 }
1634
1635 objp.set(env);
1636 return true;
1637 }
1638
1639 bool js::LookupNameUnqualified(JSContext* cx, Handle<PropertyName*> name,
1640 HandleObject envChain,
1641 MutableHandleObject objp) {
1642 RootedId id(cx, NameToId(name));
1643
1644 RootedObject pobj(cx);
1645 PropertyResult prop;
1646
1647 RootedObject env(cx, envChain);
1648 for (; !env->isUnqualifiedVarObj(); env = env->enclosingEnvironment()) {
1649 if (!LookupProperty(cx, env, id, &pobj, &prop)) {
1650 return false;
1651 }
1652 if (prop.isFound()) {
1653 break;
1654 }
1655 }
1656
1657 // See note above RuntimeLexicalErrorObject.
1658 if (pobj == env) {
1659 bool isTDZ = false;
1660 if (prop.isFound() && name != cx->names().dot_this_) {
1661 // Treat Debugger environments specially for TDZ checks, as they
1662 // look like non-native environments but in fact wrap native
1663 // environments.
1664 if (env->is<DebugEnvironmentProxy>()) {
1665 RootedValue v(cx);
1666 Rooted<DebugEnvironmentProxy*> envProxy(
1667 cx, &env->as<DebugEnvironmentProxy>());
1668 if (!DebugEnvironmentProxy::getMaybeSentinelValue(cx, envProxy, id,
1669 &v)) {
1670 return false;
1671 }
1672 isTDZ = IsUninitializedLexical(v);
1673 } else {
1674 isTDZ = IsUninitializedLexicalSlot(env, prop);
1675 }
1676 }
1677
1678 if (isTDZ) {
1679 env = RuntimeLexicalErrorObject::create(cx, env,
1680 JSMSG_UNINITIALIZED_LEXICAL);
1681 if (!env) {
1682 return false;
1683 }
1684 } else if (env->is<LexicalEnvironmentObject>() &&
1685 !prop.propertyInfo().writable()) {
1686 // Assigning to a named lambda callee name is a no-op in sloppy mode.
1687 if (!(env->is<BlockLexicalEnvironmentObject>() &&
1688 env->as<BlockLexicalEnvironmentObject>().scope().kind() ==
1689 ScopeKind::NamedLambda)) {
1690 MOZ_ASSERT(name != cx->names().dot_this_);
1691 env =
1692 RuntimeLexicalErrorObject::create(cx, env, JSMSG_BAD_CONST_ASSIGN);
1693 if (!env) {
1694 return false;
1695 }
1696 }
1697 }
1698 }
1699
1700 objp.set(env);
1701 return true;
1702 }
1703
1704 bool js::HasOwnProperty(JSContext* cx, HandleObject obj, HandleId id,
1705 bool* result) {
1706 if (obj->is<ProxyObject>()) {
1707 return Proxy::hasOwn(cx, obj, id, result);
1708 }
1709
1710 if (GetOwnPropertyOp op = obj->getOpsGetOwnPropertyDescriptor()) {
1711 Rooted<mozilla::Maybe<PropertyDescriptor>> desc(cx);
1712 if (!op(cx, obj, id, &desc)) {
1713 return false;
1714 }
1715 *result = desc.isSome();
1716 return true;
1717 }
1718
1719 PropertyResult prop;
1720 if (!NativeLookupOwnProperty<CanGC>(cx, obj.as<NativeObject>(), id, &prop)) {
1721 return false;
1722 }
1723 *result = prop.isFound();
1724 return true;
1725 }
1726
1727 bool js::LookupPropertyPure(JSContext* cx, JSObject* obj, jsid id,
1728 NativeObject** objp, PropertyResult* propp) {
1729 if (obj->getOpsLookupProperty()) {
1730 return false;
1731 }
1732 return NativeLookupPropertyInline<NoGC, LookupResolveMode::CheckMayResolve>(
1733 cx, &obj->as<NativeObject>(), id, objp, propp);
1734 }
1735
1736 bool js::LookupOwnPropertyPure(JSContext* cx, JSObject* obj, jsid id,
1737 PropertyResult* propp) {
1738 if (obj->getOpsLookupProperty()) {
1739 return false;
1740 }
1741 return NativeLookupOwnPropertyInline<NoGC,
1742 LookupResolveMode::CheckMayResolve>(
1743 cx, &obj->as<NativeObject>(), id, propp);
1744 }
1745
1746 static inline bool NativeGetPureInline(NativeObject* pobj, jsid id,
1747 PropertyResult prop, Value* vp,
1748 JSContext* cx) {
1749 if (prop.isDenseElement()) {
1750 *vp = pobj->getDenseElement(prop.denseElementIndex());
1751 return true;
1752 }
1753 if (prop.isTypedArrayElement()) {
1754 size_t idx = prop.typedArrayElementIndex();
1755 return pobj->as<TypedArrayObject>().getElement<NoGC>(cx, idx, vp);
1756 }
1757
1758 // Fail if we have a custom getter.
1759 PropertyInfo propInfo = prop.propertyInfo();
1760 if (!propInfo.isDataProperty()) {
1761 return false;
1762 }
1763
1764 *vp = pobj->getSlot(propInfo.slot());
1765 MOZ_ASSERT(!vp->isMagic());
1766 return true;
1767 }
1768
1769 bool js::GetPropertyPure(JSContext* cx, JSObject* obj, jsid id, Value* vp) {
1770 NativeObject* pobj;
1771 PropertyResult prop;
1772 if (!LookupPropertyPure(cx, obj, id, &pobj, &prop)) {
1773 return false;
1774 }
1775
1776 if (prop.isNotFound()) {
1777 vp->setUndefined();
1778 return true;
1779 }
1780
1781 return NativeGetPureInline(pobj, id, prop, vp, cx);
1782 }
1783
1784 bool js::GetOwnPropertyPure(JSContext* cx, JSObject* obj, jsid id, Value* vp,
1785 bool* found) {
1786 PropertyResult prop;
1787 if (!LookupOwnPropertyPure(cx, obj, id, &prop)) {
1788 return false;
1789 }
1790
1791 if (prop.isNotFound()) {
1792 *found = false;
1793 vp->setUndefined();
1794 return true;
1795 }
1796
1797 *found = true;
1798 return obj->is<NativeObject>() &&
1799 NativeGetPureInline(&obj->as<NativeObject>(), id, prop, vp, cx);
1800 }
1801
1802 static inline bool NativeGetGetterPureInline(NativeObject* holder,
1803 PropertyResult prop,
1804 JSFunction** fp) {
1805 MOZ_ASSERT(prop.isNativeProperty());
1806
1807 PropertyInfo propInfo = prop.propertyInfo();
1808 if (holder->hasGetter(propInfo)) {
1809 JSObject* getter = holder->getGetter(propInfo);
1810 if (getter->is<JSFunction>()) {
1811 *fp = &getter->as<JSFunction>();
1812 return true;
1813 }
1814 }
1815
1816 *fp = nullptr;
1817 return true;
1818 }
1819
1820 bool js::GetGetterPure(JSContext* cx, JSObject* obj, jsid id, JSFunction** fp) {
1821 /* Just like GetPropertyPure, but get getter function, without invoking
1822 * it. */
1823 NativeObject* pobj;
1824 PropertyResult prop;
1825 if (!LookupPropertyPure(cx, obj, id, &pobj, &prop)) {
1826 return false;
1827 }
1828
1829 if (prop.isNotFound()) {
1830 *fp = nullptr;
1831 return true;
1832 }
1833
1834 return prop.isNativeProperty() && NativeGetGetterPureInline(pobj, prop, fp);
1835 }
1836
1837 bool js::GetOwnGetterPure(JSContext* cx, JSObject* obj, jsid id,
1838 JSFunction** fp) {
1839 JS::AutoCheckCannotGC nogc;
1840 PropertyResult prop;
1841 if (!LookupOwnPropertyPure(cx, obj, id, &prop)) {
1842 return false;
1843 }
1844
1845 if (prop.isNotFound()) {
1846 *fp = nullptr;
1847 return true;
1848 }
1849
1850 return prop.isNativeProperty() &&
1851 NativeGetGetterPureInline(&obj->as<NativeObject>(), prop, fp);
1852 }
1853
1854 bool js::GetOwnNativeGetterPure(JSContext* cx, JSObject* obj, jsid id,
1855 JSNative* native) {
1856 JS::AutoCheckCannotGC nogc;
1857 *native = nullptr;
1858 PropertyResult prop;
1859 if (!LookupOwnPropertyPure(cx, obj, id, &prop)) {
1860 return false;
1861 }
1862
1863 if (!prop.isNativeProperty()) {
1864 return true;
1865 }
1866
1867 PropertyInfo propInfo = prop.propertyInfo();
1868
1869 NativeObject* nobj = &obj->as<NativeObject>();
1870 if (!nobj->hasGetter(propInfo)) {
1871 return true;
1872 }
1873
1874 JSObject* getterObj = nobj->getGetter(propInfo);
1875 if (!getterObj->is<JSFunction>()) {
1876 return true;
1877 }
1878
1879 JSFunction* getter = &getterObj->as<JSFunction>();
1880 if (!getter->isNativeFun()) {
1881 return true;
1882 }
1883
1884 *native = getter->native();
1885 return true;
1886 }
1887
1888 bool js::HasOwnDataPropertyPure(JSContext* cx, JSObject* obj, jsid id,
1889 bool* result) {
1890 PropertyResult prop;
1891 if (!LookupOwnPropertyPure(cx, obj, id, &prop)) {
1892 return false;
1893 }
1894
1895 *result = prop.isNativeProperty() && prop.propertyInfo().isDataProperty();
1896 return true;
1897 }
1898
1899 bool js::GetPrototypeIfOrdinary(JSContext* cx, HandleObject obj,
1900 bool* isOrdinary, MutableHandleObject protop) {
1901 if (obj->is<js::ProxyObject>()) {
1902 return js::Proxy::getPrototypeIfOrdinary(cx, obj, isOrdinary, protop);
1903 }
1904
1905 *isOrdinary = true;
1906 protop.set(obj->staticPrototype());
1907 return true;
1908 }
1909
1910 /*** ES6 standard internal methods ******************************************/
1911
1912 bool js::SetPrototype(JSContext* cx, HandleObject obj, HandleObject proto,
1913 JS::ObjectOpResult& result) {
1914 // The proxy trap subsystem fully handles prototype-setting for proxies
1915 // with dynamic [[Prototype]]s.
1916 if (obj->hasDynamicPrototype()) {
1917 MOZ_ASSERT(obj->is<ProxyObject>());
1918 return Proxy::setPrototype(cx, obj, proto, result);
1919 }
1920
1921 /*
1922 * ES6 9.1.2 step 3-4 if |obj.[[Prototype]]| has SameValue as |proto| return
1923 * true. Since the values in question are objects, we can just compare
1924 * pointers.
1925 */
1926 if (proto == obj->staticPrototype()) {
1927 return result.succeed();
1928 }
1929
1930 /* Disallow mutation of immutable [[Prototype]]s. */
1931 if (obj->staticPrototypeIsImmutable()) {
1932 return result.fail(JSMSG_CANT_SET_PROTO);
1933 }
1934
1935 /*
1936 * Disallow mutating the [[Prototype]] on WebAssembly GC objects.
1937 */
1938 if (obj->is<WasmGcObject>()) {
1939 return result.fail(JSMSG_CANT_SET_PROTO);
1940 }
1941
1942 /* ES6 9.1.2 step 5 forbids changing [[Prototype]] if not [[Extensible]]. */
1943 bool extensible;
1944 if (!IsExtensible(cx, obj, &extensible)) {
1945 return false;
1946 }
1947 if (!extensible) {
1948 return result.fail(JSMSG_CANT_SET_PROTO);
1949 }
1950
1951 /*
1952 * ES6 9.1.2 step 6 forbids generating cyclical prototype chains. But we
1953 * have to do this comparison on the observable WindowProxy, not on the
1954 * possibly-Window object we're setting the proto on.
1955 */
1956 RootedObject objMaybeWindowProxy(cx, ToWindowProxyIfWindow(obj));
1957 RootedObject obj2(cx, proto);
1958 while (obj2) {
1959 MOZ_ASSERT(!IsWindow(obj2));
1960 if (obj2 == objMaybeWindowProxy) {
1961 return result.fail(JSMSG_CANT_SET_PROTO_CYCLE);
1962 }
1963
1964 bool isOrdinary;
1965 if (!GetPrototypeIfOrdinary(cx, obj2, &isOrdinary, &obj2)) {
1966 return false;
1967 }
1968 if (!isOrdinary) {
1969 break;
1970 }
1971 }
1972
1973 Rooted<TaggedProto> taggedProto(cx, TaggedProto(proto));
1974 if (!JSObject::setProtoUnchecked(cx, obj, taggedProto)) {
1975 return false;
1976 }
1977
1978 return result.succeed();
1979 }
1980
1981 bool js::SetPrototype(JSContext* cx, HandleObject obj, HandleObject proto) {
1982 ObjectOpResult result;
1983 return SetPrototype(cx, obj, proto, result) && result.checkStrict(cx, obj);
1984 }
1985
1986 bool js::PreventExtensions(JSContext* cx, HandleObject obj,
1987 ObjectOpResult& result) {
1988 if (obj->is<ProxyObject>()) {
1989 return js::Proxy::preventExtensions(cx, obj, result);
1990 }
1991
1992 if (obj->is<WasmGcObject>()) {
1993 return result.failCantPreventExtensions();
1994 }
1995
1996 if (!obj->nonProxyIsExtensible()) {
1997 // If the following assertion fails, there's somewhere else a missing
1998 // call to shrinkCapacityToInitializedLength() which needs to be found
1999 // and fixed.
2000 MOZ_ASSERT_IF(obj->is<NativeObject>(),
2001 obj->as<NativeObject>().getDenseInitializedLength() ==
2002 obj->as<NativeObject>().getDenseCapacity());
2003
2004 return result.succeed();
2005 }
2006
2007 if (obj->is<NativeObject>()) {
2008 // Force lazy properties to be resolved.
2009 Handle<NativeObject*> nobj = obj.as<NativeObject>();
2010 if (!ResolveLazyProperties(cx, nobj)) {
2011 return false;
2012 }
2013
2014 // Prepare the elements. We have to do this before we mark the object
2015 // non-extensible; that's fine because these changes are not observable.
2016 ObjectElements::PrepareForPreventExtensions(cx, nobj);
2017 }
2018
2019 // Finally, set the NotExtensible flag on the Shape and ObjectElements.
2020 if (!JSObject::setFlag(cx, obj, ObjectFlag::NotExtensible)) {
2021 return false;
2022 }
2023 if (obj->is<NativeObject>()) {
2024 ObjectElements::PreventExtensions(&obj->as<NativeObject>());
2025 }
2026
2027 return result.succeed();
2028 }
2029
2030 bool js::PreventExtensions(JSContext* cx, HandleObject obj) {
2031 ObjectOpResult result;
2032 return PreventExtensions(cx, obj, result) && result.checkStrict(cx, obj);
2033 }
2034
2035 bool js::GetOwnPropertyDescriptor(
2036 JSContext* cx, HandleObject obj, HandleId id,
2037 MutableHandle<Maybe<PropertyDescriptor>> desc) {
2038 if (GetOwnPropertyOp op = obj->getOpsGetOwnPropertyDescriptor()) {
2039 bool ok = op(cx, obj, id, desc);
2040 if (ok && desc.isSome()) {
2041 desc->assertComplete();
2042 }
2043 return ok;
2044 }
2045
2046 return NativeGetOwnPropertyDescriptor(cx, obj.as<NativeObject>(), id, desc);
2047 }
2048
2049 bool js::DefineProperty(JSContext* cx, HandleObject obj, HandleId id,
2050 Handle<PropertyDescriptor> desc) {
2051 ObjectOpResult result;
2052 return DefineProperty(cx, obj, id, desc, result) &&
2053 result.checkStrict(cx, obj, id);
2054 }
2055
2056 bool js::DefineProperty(JSContext* cx, HandleObject obj, HandleId id,
2057 Handle<PropertyDescriptor> desc,
2058 ObjectOpResult& result) {
2059 desc.assertValid();
2060 if (DefinePropertyOp op = obj->getOpsDefineProperty()) {
2061 return op(cx, obj, id, desc, result);
2062 }
2063 return NativeDefineProperty(cx, obj.as<NativeObject>(), id, desc, result);
2064 }
2065
2066 bool js::DefineAccessorProperty(JSContext* cx, HandleObject obj, HandleId id,
2067 HandleObject getter, HandleObject setter,
2068 unsigned attrs, ObjectOpResult& result) {
2069 Rooted<PropertyDescriptor> desc(
2070 cx, PropertyDescriptor::Accessor(
2071 getter ? mozilla::Some(getter) : mozilla::Nothing(),
2072 setter ? mozilla::Some(setter) : mozilla::Nothing(), attrs));
2073
2074 if (DefinePropertyOp op = obj->getOpsDefineProperty()) {
2075 return op(cx, obj, id, desc, result);
2076 }
2077 return NativeDefineProperty(cx, obj.as<NativeObject>(), id, desc, result);
2078 }
2079
2080 bool js::DefineDataProperty(JSContext* cx, HandleObject obj, HandleId id,
2081 HandleValue value, unsigned attrs,
2082 ObjectOpResult& result) {
2083 Rooted<PropertyDescriptor> desc(cx, PropertyDescriptor::Data(value, attrs));
2084 if (DefinePropertyOp op = obj->getOpsDefineProperty()) {
2085 return op(cx, obj, id, desc, result);
2086 }
2087 return NativeDefineProperty(cx, obj.as<NativeObject>(), id, desc, result);
2088 }
2089
2090 bool js::DefineAccessorProperty(JSContext* cx, HandleObject obj, HandleId id,
2091 HandleObject getter, HandleObject setter,
2092 unsigned attrs) {
2093 ObjectOpResult result;
2094 if (!DefineAccessorProperty(cx, obj, id, getter, setter, attrs, result)) {
2095 return false;
2096 }
2097 if (!result) {
2098 result.reportError(cx, obj, id);
2099 return false;
2100 }
2101 return true;
2102 }
2103
2104 bool js::DefineDataProperty(JSContext* cx, HandleObject obj, HandleId id,
2105 HandleValue value, unsigned attrs) {
2106 ObjectOpResult result;
2107 if (!DefineDataProperty(cx, obj, id, value, attrs, result)) {
2108 return false;
2109 }
2110 if (!result) {
2111 result.reportError(cx, obj, id);
2112 return false;
2113 }
2114 return true;
2115 }
2116
2117 bool js::DefineDataProperty(JSContext* cx, HandleObject obj, PropertyName* name,
2118 HandleValue value, unsigned attrs) {
2119 RootedId id(cx, NameToId(name));
2120 return DefineDataProperty(cx, obj, id, value, attrs);
2121 }
2122
2123 bool js::DefineDataElement(JSContext* cx, HandleObject obj, uint32_t index,
2124 HandleValue value, unsigned attrs) {
2125 RootedId id(cx);
2126 if (!IndexToId(cx, index, &id)) {
2127 return false;
2128 }
2129 return DefineDataProperty(cx, obj, id, value, attrs);
2130 }
2131
2132 /*** SpiderMonkey nonstandard internal methods ******************************/
2133
2134 // Mark an object as having an immutable prototype
2135 //
2136 // NOTE: This does not correspond to the SetImmutablePrototype ECMAScript
2137 // method.
2138 bool js::SetImmutablePrototype(JSContext* cx, HandleObject obj,
2139 bool* succeeded) {
2140 if (obj->hasDynamicPrototype()) {
2141 return Proxy::setImmutablePrototype(cx, obj, succeeded);
2142 }
2143
2144 if (!JSObject::setFlag(cx, obj, ObjectFlag::ImmutablePrototype)) {
2145 return false;
2146 }
2147 *succeeded = true;
2148 return true;
2149 }
2150
2151 bool js::GetPropertyDescriptor(
2152 JSContext* cx, HandleObject obj, HandleId id,
2153 MutableHandle<mozilla::Maybe<PropertyDescriptor>> desc,
2154 MutableHandleObject holder) {
2155 RootedObject pobj(cx);
2156 for (pobj = obj; pobj;) {
2157 if (!GetOwnPropertyDescriptor(cx, pobj, id, desc)) {
2158 return false;
2159 }
2160
2161 if (desc.isSome()) {
2162 holder.set(pobj);
2163 return true;
2164 }
2165
2166 if (!GetPrototype(cx, pobj, &pobj)) {
2167 return false;
2168 }
2169 }
2170
2171 MOZ_ASSERT(desc.isNothing());
2172 holder.set(nullptr);
2173 return true;
2174 }
2175
2176 /* * */
2177
2178 extern bool PropertySpecNameToId(JSContext* cx, JSPropertySpec::Name name,
2179 MutableHandleId id);
2180
2181 // If a property or method is part of an experimental feature that can be
2182 // disabled at run-time by a preference, we keep it in the JSFunctionSpec /
2183 // JSPropertySpec list, but omit the definition if the preference is off.
2184 JS_PUBLIC_API bool js::ShouldIgnorePropertyDefinition(JSContext* cx,
2185 JSProtoKey key, jsid id) {
2186 if (!cx->realm()->creationOptions().getToSourceEnabled() &&
2187 (id == NameToId(cx->names().toSource) ||
2188 id == NameToId(cx->names().uneval))) {
2189 return true;
2190 }
2191
2192 if (key == JSProto_FinalizationRegistry &&
2193 JS::GetWeakRefsEnabled() ==
2194 JS::WeakRefSpecifier::EnabledWithoutCleanupSome &&
2195 id == NameToId(cx->names().cleanupSome)) {
2196 return true;
2197 }
2198
2199 // It's gently surprising that this is JSProto_Function, but the trick
2200 // to realize is that this is a -constructor function-, not a function
2201 // on the prototype; and the proto of the constructor is JSProto_Function.
2202 if (key == JSProto_Function && !JS::Prefs::array_grouping() &&
2203 (id == NameToId(cx->names().groupBy))) {
2204 return true;
2205 }
2206
2207 #ifdef NIGHTLY_BUILD
2208 if (key == JSProto_Set && !JS::Prefs::experimental_new_set_methods() &&
2209 (id == NameToId(cx->names().union_) ||
2210 id == NameToId(cx->names().difference) ||
2211 id == NameToId(cx->names().intersection) ||
2212 id == NameToId(cx->names().isSubsetOf) ||
2213 id == NameToId(cx->names().isSupersetOf) ||
2214 id == NameToId(cx->names().isDisjointFrom) ||
2215 id == NameToId(cx->names().symmetricDifference))) {
2216 return true;
2217 }
2218
2219 if (key == JSProto_ArrayBuffer && !JS::Prefs::arraybuffer_transfer() &&
2220 (id == NameToId(cx->names().transfer) ||
2221 id == NameToId(cx->names().transferToFixedLength) ||
2222 id == NameToId(cx->names().detached))) {
2223 return true;
2224 }
2225
2226 if (key == JSProto_ArrayBuffer &&
2227 !JS::Prefs::experimental_arraybuffer_resizable() &&
2228 (id == NameToId(cx->names().maxByteLength) ||
2229 id == NameToId(cx->names().resizable) ||
2230 id == NameToId(cx->names().resize))) {
2231 return true;
2232 }
2233
2234 if (key == JSProto_SharedArrayBuffer &&
2235 !JS::Prefs::experimental_sharedarraybuffer_growable() &&
2236 (id == NameToId(cx->names().maxByteLength) ||
2237 id == NameToId(cx->names().growable) ||
2238 id == NameToId(cx->names().grow))) {
2239 return true;
2240 }
2241
2242 if (key == JSProto_Uint8Array &&
2243 !JS::Prefs::experimental_uint8array_base64() &&
2244 (id == NameToId(cx->names().setFromBase64) ||
2245 id == NameToId(cx->names().setFromHex) ||
2246 id == NameToId(cx->names().toBase64) ||
2247 id == NameToId(cx->names().toHex))) {
2248 return true;
2249 }
2250
2251 // It's gently surprising that this is JSProto_Function, but the trick
2252 // to realize is that this is a -constructor function-, not a function
2253 // on the prototype; and the proto of the constructor is JSProto_Function.
2254 if (key == JSProto_Function && !JS::Prefs::experimental_uint8array_base64() &&
2255 (id == NameToId(cx->names().fromBase64) ||
2256 id == NameToId(cx->names().fromHex))) {
2257 return true;
2258 }
2259 #endif
2260
2261 #ifdef ENABLE_JSON_PARSE_WITH_SOURCE
2262 if (key == JSProto_JSON &&
2263 !JS::Prefs::experimental_json_parse_with_source() &&
2264 (id == NameToId(cx->names().isRawJSON) ||
2265 id == NameToId(cx->names().rawJSON))) {
2266 return true;
2267 }
2268 #endif
2269
2270 return false;
2271 }
2272
2273 static bool DefineFunctionFromSpec(JSContext* cx, HandleObject obj,
2274 const JSFunctionSpec* fs) {
2275 RootedId id(cx);
2276 if (!PropertySpecNameToId(cx, fs->name, &id)) {
2277 return false;
2278 }
2279
2280 if (ShouldIgnorePropertyDefinition(cx, StandardProtoKeyOrNull(obj), id)) {
2281 return true;
2282 }
2283
2284 JSFunction* fun = NewFunctionFromSpec(cx, fs, id);
2285 if (!fun) {
2286 return false;
2287 }
2288
2289 RootedValue funVal(cx, ObjectValue(*fun));
2290 return DefineDataProperty(cx, obj, id, funVal, fs->flags & ~JSFUN_FLAGS_MASK);
2291 }
2292
2293 bool js::DefineFunctions(JSContext* cx, HandleObject obj,
2294 const JSFunctionSpec* fs) {
2295 for (; fs->name; fs++) {
2296 if (!DefineFunctionFromSpec(cx, obj, fs)) {
2297 return false;
2298 }
2299 }
2300 return true;
2301 }
2302
2303 /*** ToPrimitive ************************************************************/
2304
2305 /*
2306 * Gets |obj[id]|. If that value's not callable, returns true and stores an
2307 * object value in *vp. If it's callable, calls it with no arguments and |obj|
2308 * as |this|, returning the result in *vp.
2309 *
2310 * This is a mini-abstraction for ES6 draft rev 36 (2015 Mar 17),
2311 * 7.1.1, second algorithm (OrdinaryToPrimitive), steps 5.a-c.
2312 */
2313 static bool MaybeCallMethod(JSContext* cx, HandleObject obj, HandleId id,
2314 MutableHandleValue vp) {
2315 if (!GetProperty(cx, obj, obj, id, vp)) {
2316 return false;
2317 }
2318 if (!IsCallable(vp)) {
2319 vp.setObject(*obj);
2320 return true;
2321 }
2322
2323 return js::Call(cx, vp, obj, vp);
2324 }
2325
2326 static bool ReportCantConvert(JSContext* cx, unsigned errorNumber,
2327 HandleObject obj, JSType hint) {
2328 const JSClass* clasp = obj->getClass();
2329
2330 // Avoid recursive death when decompiling in ReportValueError.
2331 RootedString str(cx);
2332 if (hint == JSTYPE_STRING) {
2333 str = JS_AtomizeString(cx, clasp->name);
2334 if (!str) {
2335 return false;
2336 }
2337 } else {
2338 str = nullptr;
2339 }
2340
2341 RootedValue val(cx, ObjectValue(*obj));
2342 ReportValueError(cx, errorNumber, JSDVG_SEARCH_STACK, val, str,
2343 hint == JSTYPE_UNDEFINED ? "primitive type"
2344 : hint == JSTYPE_STRING ? "string"
2345 : "number");
2346 return false;
2347 }
2348
2349 bool JS::OrdinaryToPrimitive(JSContext* cx, HandleObject obj, JSType hint,
2350 MutableHandleValue vp) {
2351 MOZ_ASSERT(hint == JSTYPE_NUMBER || hint == JSTYPE_STRING ||
2352 hint == JSTYPE_UNDEFINED);
2353
2354 Rooted<jsid> id(cx);
2355
2356 const JSClass* clasp = obj->getClass();
2357 if (hint == JSTYPE_STRING) {
2358 id = NameToId(cx->names().toString);
2359
2360 bool calledToString = false;
2361 if (clasp == &StringObject::class_) {
2362 // Optimize (new String(...)).toString().
2363 StringObject* nobj = &obj->as<StringObject>();
2364 if (HasNativeMethodPure(nobj, cx->names().toString, str_toString, cx)) {
2365 vp.setString(nobj->unbox());
2366 return true;
2367 }
2368 } else if (clasp == &PlainObject::class_) {
2369 JSFunction* fun;
2370 if (GetPropertyPure(cx, obj, id, vp.address()) &&
2371 IsFunctionObject(vp, &fun)) {
2372 // Common case: we have a toString function. Try to short-circuit if
2373 // it's Object.prototype.toString and there's no @@toStringTag.
2374 if (fun->maybeNative() == obj_toString &&
2375 !MaybeHasInterestingSymbolProperty(
2376 cx, obj, cx->wellKnownSymbols().toStringTag)) {
2377 vp.setString(cx->names().object_Object_);
2378 return true;
2379 }
2380 if (!js::Call(cx, vp, obj, vp)) {
2381 return false;
2382 }
2383 calledToString = true;
2384 }
2385 }
2386
2387 if (!calledToString) {
2388 if (!MaybeCallMethod(cx, obj, id, vp)) {
2389 return false;
2390 }
2391 }
2392 if (vp.isPrimitive()) {
2393 return true;
2394 }
2395
2396 id = NameToId(cx->names().valueOf);
2397 if (!MaybeCallMethod(cx, obj, id, vp)) {
2398 return false;
2399 }
2400 if (vp.isPrimitive()) {
2401 return true;
2402 }
2403 } else {
2404 id = NameToId(cx->names().valueOf);
2405
2406 if (clasp == &StringObject::class_) {
2407 // Optimize new String(...).valueOf().
2408 StringObject* nobj = &obj->as<StringObject>();
2409 if (HasNativeMethodPure(nobj, cx->names().valueOf, str_toString, cx)) {
2410 vp.setString(nobj->unbox());
2411 return true;
2412 }
2413 } else if (clasp == &NumberObject::class_) {
2414 // Optimize new Number(...).valueOf().
2415 NumberObject* nobj = &obj->as<NumberObject>();
2416 if (HasNativeMethodPure(nobj, cx->names().valueOf, num_valueOf, cx)) {
2417 vp.setNumber(nobj->unbox());
2418 return true;
2419 }
2420 }
2421
2422 if (!MaybeCallMethod(cx, obj, id, vp)) {
2423 return false;
2424 }
2425 if (vp.isPrimitive()) {
2426 return true;
2427 }
2428
2429 id = NameToId(cx->names().toString);
2430 if (!MaybeCallMethod(cx, obj, id, vp)) {
2431 return false;
2432 }
2433 if (vp.isPrimitive()) {
2434 return true;
2435 }
2436 }
2437
2438 return ReportCantConvert(cx, JSMSG_CANT_CONVERT_TO, obj, hint);
2439 }
2440
2441 bool js::ToPrimitiveSlow(JSContext* cx, JSType preferredType,
2442 MutableHandleValue vp) {
2443 // Step numbers refer to the first algorithm listed in ES6 draft rev 36
2444 // (2015 Mar 17) 7.1.1 ToPrimitive.
2445 MOZ_ASSERT(preferredType == JSTYPE_UNDEFINED ||
2446 preferredType == JSTYPE_STRING || preferredType == JSTYPE_NUMBER);
2447 RootedObject obj(cx, &vp.toObject());
2448
2449 // Steps 4-5.
2450 RootedValue method(cx);
2451 if (!GetInterestingSymbolProperty(cx, obj, cx->wellKnownSymbols().toPrimitive,
2452 &method)) {
2453 return false;
2454 }
2455
2456 // Step 6.
2457 if (!method.isNullOrUndefined()) {
2458 // Step 6 of GetMethod. js::Call() below would do this check and throw a
2459 // TypeError anyway, but this produces a better error message.
2460 if (!IsCallable(method)) {
2461 return ReportCantConvert(cx, JSMSG_TOPRIMITIVE_NOT_CALLABLE, obj,
2462 preferredType);
2463 }
2464
2465 // Steps 1-3, 6.a-b.
2466 RootedValue arg0(
2467 cx,
2468 StringValue(preferredType == JSTYPE_STRING ? cx->names().string
2469 : preferredType == JSTYPE_NUMBER ? cx->names().number
2470 : cx->names().default_));
2471
2472 if (!js::Call(cx, method, vp, arg0, vp)) {
2473 return false;
2474 }
2475
2476 // Steps 6.c-d.
2477 if (vp.isObject()) {
2478 return ReportCantConvert(cx, JSMSG_TOPRIMITIVE_RETURNED_OBJECT, obj,
2479 preferredType);
2480 }
2481 return true;
2482 }
2483
2484 return OrdinaryToPrimitive(cx, obj, preferredType, vp);
2485 }
2486
2487 /* ES6 draft rev 28 (2014 Oct 14) 7.1.14 */
2488 bool js::ToPropertyKeySlow(JSContext* cx, HandleValue argument,
2489 MutableHandleId result) {
2490 MOZ_ASSERT(argument.isObject());
2491
2492 // Steps 1-2.
2493 RootedValue key(cx, argument);
2494 if (!ToPrimitiveSlow(cx, JSTYPE_STRING, &key)) {
2495 return false;
2496 }
2497
2498 // Steps 3-4.
2499 return PrimitiveValueToId<CanGC>(cx, key, result);
2500 }
2501
2502 /* * */
2503
2504 bool js::IsPrototypeOf(JSContext* cx, HandleObject protoObj, JSObject* obj,
2505 bool* result) {
2506 RootedObject obj2(cx, obj);
2507 for (;;) {
2508 // The [[Prototype]] chain might be cyclic.
2509 if (!CheckForInterrupt(cx)) {
2510 return false;
2511 }
2512 if (!GetPrototype(cx, obj2, &obj2)) {
2513 return false;
2514 }
2515 if (!obj2) {
2516 *result = false;
2517 return true;
2518 }
2519 if (obj2 == protoObj) {
2520 *result = true;
2521 return true;
2522 }
2523 }
2524 }
2525
2526 JSObject* js::PrimitiveToObject(JSContext* cx, const Value& v) {
2527 MOZ_ASSERT(v.isPrimitive());
2528
2529 switch (v.type()) {
2530 case ValueType::String: {
2531 Rooted<JSString*> str(cx, v.toString());
2532 return StringObject::create(cx, str);
2533 }
2534 case ValueType::Double:
2535 case ValueType::Int32:
2536 return NumberObject::create(cx, v.toNumber());
2537 case ValueType::Boolean:
2538 return BooleanObject::create(cx, v.toBoolean());
2539 case ValueType::Symbol: {
2540 RootedSymbol symbol(cx, v.toSymbol());
2541 return SymbolObject::create(cx, symbol);
2542 }
2543 case ValueType::BigInt: {
2544 RootedBigInt bigInt(cx, v.toBigInt());
2545 return BigIntObject::create(cx, bigInt);
2546 }
2547 #ifdef ENABLE_RECORD_TUPLE
2548 case ValueType::ExtendedPrimitive: {
2549 JSObject& obj = v.toExtendedPrimitive();
2550
2551 if (obj.is<RecordType>()) {
2552 Rooted<RecordType*> rec(cx, &obj.as<RecordType>());
2553 return RecordObject::create(cx, rec);
2554 }
2555 if (obj.is<TupleType>()) {
2556 Rooted<TupleType*> tuple(cx, &obj.as<TupleType>());
2557 return TupleObject::create(cx, tuple);
2558 }
2559
2560 MOZ_CRASH("Unexpected ExtendedPrimitive type.");
2561 }
2562 #endif
2563 case ValueType::Undefined:
2564 case ValueType::Null:
2565 case ValueType::Magic:
2566 case ValueType::PrivateGCThing:
2567 case ValueType::Object:
2568 break;
2569 }
2570
2571 MOZ_CRASH("unexpected type");
2572 }
2573
2574 // Like PrimitiveToObject, but returns the JSProtoKey of the prototype that
2575 // would be used without actually creating the object.
2576 JSProtoKey js::PrimitiveToProtoKey(JSContext* cx, const Value& v) {
2577 MOZ_ASSERT(v.isPrimitive());
2578
2579 switch (v.type()) {
2580 case ValueType::String:
2581 return JSProto_String;
2582 case ValueType::Double:
2583 case ValueType::Int32:
2584 return JSProto_Number;
2585 case ValueType::Boolean:
2586 return JSProto_Boolean;
2587 case ValueType::Symbol:
2588 return JSProto_Symbol;
2589 case ValueType::BigInt:
2590 return JSProto_BigInt;
2591 #ifdef ENABLE_RECORD_TUPLE
2592 case ValueType::ExtendedPrimitive:
2593 if (v.toExtendedPrimitive().is<TupleType>()) {
2594 return JSProto_Tuple;
2595 }
2596 if (v.toExtendedPrimitive().is<RecordType>()) {
2597 return JSProto_Null;
2598 }
2599 MOZ_CRASH("Unsupported ExtendedPrimitive");
2600 #endif
2601 case ValueType::Undefined:
2602 case ValueType::Null:
2603 case ValueType::Magic:
2604 case ValueType::PrivateGCThing:
2605 case ValueType::Object:
2606 break;
2607 }
2608
2609 MOZ_CRASH("unexpected type");
2610 }
2611
2612 /*
2613 * Invokes the ES5 ToObject algorithm on vp, returning the result. If vp might
2614 * already be an object, use ToObject. reportScanStack controls how null and
2615 * undefined errors are reported.
2616 *
2617 * Callers must handle the already-object case.
2618 */
2619 JSObject* js::ToObjectSlow(JSContext* cx, JS::HandleValue val,
2620 bool reportScanStack) {
2621 MOZ_ASSERT(!val.isMagic());
2622 MOZ_ASSERT(!val.isObject());
2623
2624 if (val.isNullOrUndefined()) {
2625 ReportIsNullOrUndefinedForPropertyAccess(
2626 cx, val, reportScanStack ? JSDVG_SEARCH_STACK : JSDVG_IGNORE_STACK);
2627 return nullptr;
2628 }
2629
2630 return PrimitiveToObject(cx, val);
2631 }
2632
2633 JSObject* js::ToObjectSlowForPropertyAccess(JSContext* cx, JS::HandleValue val,
2634 int valIndex, HandleId key) {
2635 MOZ_ASSERT(!val.isMagic());
2636 MOZ_ASSERT(!val.isObject());
2637
2638 if (val.isNullOrUndefined()) {
2639 ReportIsNullOrUndefinedForPropertyAccess(cx, val, valIndex, key);
2640 return nullptr;
2641 }
2642
2643 return PrimitiveToObject(cx, val);
2644 }
2645
2646 JSObject* js::ToObjectSlowForPropertyAccess(JSContext* cx, JS::HandleValue val,
2647 int valIndex,
2648 Handle<PropertyName*> key) {
2649 MOZ_ASSERT(!val.isMagic());
2650 MOZ_ASSERT(!val.isObject());
2651
2652 if (val.isNullOrUndefined()) {
2653 RootedId keyId(cx, NameToId(key));
2654 ReportIsNullOrUndefinedForPropertyAccess(cx, val, valIndex, keyId);
2655 return nullptr;
2656 }
2657
2658 return PrimitiveToObject(cx, val);
2659 }
2660
2661 JSObject* js::ToObjectSlowForPropertyAccess(JSContext* cx, JS::HandleValue val,
2662 int valIndex,
2663 HandleValue keyValue) {
2664 MOZ_ASSERT(!val.isMagic());
2665 MOZ_ASSERT(!val.isObject());
2666
2667 if (val.isNullOrUndefined()) {
2668 RootedId key(cx);
2669 if (keyValue.isPrimitive()) {
2670 if (!PrimitiveValueToId<CanGC>(cx, keyValue, &key)) {
2671 return nullptr;
2672 }
2673 ReportIsNullOrUndefinedForPropertyAccess(cx, val, valIndex, key);
2674 } else {
2675 ReportIsNullOrUndefinedForPropertyAccess(cx, val, valIndex);
2676 }
2677 return nullptr;
2678 }
2679
2680 return PrimitiveToObject(cx, val);
2681 }
2682
2683 JSObject* js::GetThisObject(JSObject* obj) {
2684 // Use the WindowProxy if the global is a Window, as Window must never be
2685 // exposed to script.
2686 if (obj->is<GlobalObject>()) {
2687 return ToWindowProxyIfWindow(obj);
2688 }
2689
2690 // We should not expose any environments except NSVOs to script. The NSVO is
2691 // pretending to be the global object in this case.
2692 MOZ_ASSERT(obj->is<NonSyntacticVariablesObject>() ||
2693 !obj->is<EnvironmentObject>());
2694
2695 return obj;
2696 }
2697
2698 JSObject* js::GetThisObjectOfLexical(JSObject* env) {
2699 return env->as<ExtensibleLexicalEnvironmentObject>().thisObject();
2700 }
2701
2702 JSObject* js::GetThisObjectOfWith(JSObject* env) {
2703 MOZ_ASSERT(env->is<WithEnvironmentObject>());
2704 return GetThisObject(env->as<WithEnvironmentObject>().withThis());
2705 }
2706
2707 class GetObjectSlotNameFunctor : public JS::TracingContext::Functor {
2708 JSObject* obj;
2709
2710 public:
2711 explicit GetObjectSlotNameFunctor(JSObject* ctx) : obj(ctx) {}
2712 virtual void operator()(JS::TracingContext* trc, char* buf,
2713 size_t bufsize) override;
2714 };
2715
2716 void GetObjectSlotNameFunctor::operator()(JS::TracingContext* tcx, char* buf,
2717 size_t bufsize) {
2718 MOZ_ASSERT(tcx->index() != JS::TracingContext::InvalidIndex);
2719
2720 uint32_t slot = uint32_t(tcx->index());
2721
2722 Maybe<PropertyKey> key;
2723 if (obj->is<NativeObject>()) {
2724 NativeShape* shape = obj->as<NativeObject>().shape();
2725 for (ShapePropertyIter<NoGC> iter(shape); !iter.done(); iter++) {
2726 if (iter->hasSlot() && iter->slot() == slot) {
2727 key.emplace(iter->key());
2728 break;
2729 }
2730 }
2731 }
2732
2733 if (key.isNothing()) {
2734 do {
2735 const char* slotname = nullptr;
2736 const char* pattern = nullptr;
2737 if (obj->is<GlobalObject>()) {
2738 pattern = "CLASS_OBJECT(%s)";
2739 if (false) {
2740 ;
2741 }
2742 #define TEST_SLOT_MATCHES_PROTOTYPE(name, clasp) \
2743 else if ((JSProto_##name) == slot) { \
2744 slotname = #name; \
2745 }
2746 JS_FOR_EACH_PROTOTYPE(TEST_SLOT_MATCHES_PROTOTYPE)
2747 #undef TEST_SLOT_MATCHES_PROTOTYPE
2748 } else {
2749 pattern = "%s";
2750 if (obj->is<EnvironmentObject>()) {
2751 if (slot == EnvironmentObject::enclosingEnvironmentSlot()) {
2752 slotname = "enclosing_environment";
2753 } else if (obj->is<CallObject>()) {
2754 if (slot == CallObject::calleeSlot()) {
2755 slotname = "callee_slot";
2756 }
2757 } else if (obj->is<WithEnvironmentObject>()) {
2758 if (slot == WithEnvironmentObject::objectSlot()) {
2759 slotname = "with_object";
2760 } else if (slot == WithEnvironmentObject::thisSlot()) {
2761 slotname = "with_this";
2762 }
2763 }
2764 }
2765 }
2766
2767 if (slotname) {
2768 snprintf(buf, bufsize, pattern, slotname);
2769 } else {
2770 snprintf(buf, bufsize, "**UNKNOWN SLOT %" PRIu32 "**", slot);
2771 }
2772 } while (false);
2773 } else {
2774 if (key->isInt()) {
2775 snprintf(buf, bufsize, "%" PRId32, key->toInt());
2776 } else if (key->isAtom()) {
2777 PutEscapedString(buf, bufsize, key->toAtom(), 0);
2778 } else if (key->isSymbol()) {
2779 snprintf(buf, bufsize, "**SYMBOL KEY**");
2780 } else {
2781 snprintf(buf, bufsize, "**FINALIZED ATOM KEY**");
2782 }
2783 }
2784 }
2785
2786 /*** Debugging routines *****************************************************/
2787
2788 #if defined(DEBUG) || defined(JS_JITSPEW)
2789
2790 /*
2791 * Routines to print out values during debugging. These are JS_PUBLIC_API to
2792 * help the debugger find them and to support temporarily hacking js::Dump*
2793 * calls into other code.
2794 */
2795
2796 namespace js {
2797
2798 // We don't want jsfriendapi.h to depend on GenericPrinter,
2799 // so these functions are declared directly in the cpp.
2800
2801 JS_PUBLIC_API void DumpValue(const JS::Value& val, js::GenericPrinter& out);
2802
2803 JS_PUBLIC_API void DumpId(jsid id, js::GenericPrinter& out);
2804
2805 JS_PUBLIC_API void DumpInterpreterFrame(JSContext* cx, js::GenericPrinter& out,
2806 InterpreterFrame* start = nullptr);
2807
2808 } // namespace js
2809
2810 JS_PUBLIC_API void js::DumpValue(const Value& val, js::GenericPrinter& out) {
2811 val.dump(out);
2812 }
2813
2814 JS_PUBLIC_API void js::DumpId(jsid id, js::GenericPrinter& out) {
2815 out.printf("jsid %p = ", (void*)id.asRawBits());
2816 id.dump(out);
2817 }
2818
2819 bool JSObject::hasSameRealmAs(JSContext* cx) const {
2820 return nonCCWRealm() == cx->realm();
2821 }
2822
2823 bool JSObject::uninlinedIsProxyObject() const { return is<ProxyObject>(); }
2824
2825 bool JSObject::uninlinedNonProxyIsExtensible() const {
2826 return nonProxyIsExtensible();
2827 }
2828
2829 void JSObject::dump() const {
2830 js::Fprinter out(stderr);
2831 dump(out);
2832 }
2833
2834 void JSObject::dump(js::GenericPrinter& out) const {
2835 js::JSONPrinter json(out);
2836 dump(json);
2837 out.put("\n");
2838 }
2839
2840 void JSObject::dump(js::JSONPrinter& json) const {
2841 json.beginObject();
2842 dumpFields(json);
2843 json.endObject();
2844 }
2845
2846 # define FOR_EACH_CLASS(M) \
2847 M(ArrayBufferViewObject) \
2848 M(ArrayBufferObject) \
2849 M(JSFunction) \
2850 M(PromiseObject) \
2851 M(RegExpObject)
2852
2853 static void DumpOwnFields(const JSObject* obj, js::JSONPrinter& json) {
2854 # define CALL(CLASS) \
2855 if (obj->is<CLASS>()) { \
2856 obj->as<CLASS>().dumpOwnFields(json); \
2857 return; \
2858 }
2859 FOR_EACH_CLASS(CALL)
2860 # undef CALL
2861 }
2862
2863 static void DumpOwnStringContent(const JSObject* obj, js::GenericPrinter& out) {
2864 # define CALL(CLASS) \
2865 if (obj->is<CLASS>()) { \
2866 out.put(" "); \
2867 obj->as<CLASS>().dumpOwnStringContent(out); \
2868 return; \
2869 }
2870 FOR_EACH_CLASS(CALL)
2871 # undef CALL
2872 }
2873
2874 # undef FOR_EACH_CLASS
2875
2876 void JSObject::dumpFields(js::JSONPrinter& json) const {
2877 json.formatProperty("address", "(JSObject*)0x%p", this);
2878
2879 if (IsCrossCompartmentWrapper(this)) {
2880 json.formatProperty("compartment", "(JS::Compartment*)0x%p", compartment());
2881 } else {
2882 JSObject* globalObj = &nonCCWGlobal();
2883 js::GenericPrinter& out = json.beginStringProperty("nonCCWGlobal");
2884 globalObj->dumpStringContent(out);
2885 json.endStringProperty();
2886 }
2887
2888 const JSClass* clasp = getClass();
2889 json.formatProperty("clasp", "<%s @ (JSClass*)0x%p>", clasp->name, clasp);
2890
2891 js::GenericPrinter& out = json.beginStringProperty("shape");
2892 shape()->dumpStringContent(out);
2893 json.endStringProperty();
2894
2895 json.beginObjectProperty("shape.base");
2896 shape()->base()->dumpFields(json);
2897 json.endObject();
2898
2899 if (IsProxy(this)) {
2900 const js::BaseProxyHandler* handler = GetProxyHandler(this);
2901 if (IsDeadProxyObject(this)) {
2902 json.formatProperty("handler", "(js::DeadObjectProxy*)0x%p", handler);
2903 } else if (IsCrossCompartmentWrapper(this)) {
2904 json.formatProperty("handler", "(js::CrossCompartmentWrapper*)0x%p",
2905 handler);
2906 } else {
2907 json.formatProperty("handler", "(js::BaseProxyHandler*)0x%p", handler);
2908 }
2909
2910 Value priv = GetProxyPrivate(this);
2911 if (!priv.isUndefined()) {
2912 js::GenericPrinter& out = json.beginStringProperty("private");
2913 priv.dumpStringContent(out);
2914 json.endStringProperty();
2915 }
2916
2917 Value expando = GetProxyExpando(this);
2918 if (!expando.isNull()) {
2919 js::GenericPrinter& out = json.beginStringProperty("expando");
2920 expando.dumpStringContent(out);
2921 json.endStringProperty();
2922 }
2923
2924 if (is<DebugEnvironmentProxy>()) {
2925 json.boolProperty("isQualifiedVarObj", isQualifiedVarObj());
2926 json.boolProperty("isUnqualifiedVarObj", isUnqualifiedVarObj());
2927 }
2928 }
2929
2930 DumpOwnFields(this, json);
2931
2932 if (is<NativeObject>()) {
2933 const auto* nobj = &as<NativeObject>();
2934
2935 js::GenericPrinter& out = json.beginStringProperty("elementsHeader");
2936 nobj->getElementsHeader()->dumpStringContent(out);
2937 json.endStringProperty();
2938
2939 uint32_t reserved = JSCLASS_RESERVED_SLOTS(clasp);
2940 if (reserved) {
2941 char name[256];
2942 json.beginObjectProperty("reservedSlots");
2943 for (uint32_t i = 0; i < reserved; i++) {
2944 SprintfLiteral(name, "%u", i);
2945 js::GenericPrinter& out = json.beginStringProperty(name);
2946 nobj->getSlot(i).dumpStringContent(out);
2947 json.endStringProperty();
2948 }
2949 json.endObject();
2950 }
2951
2952 json.beginObjectProperty("properties");
2953 if (PropMap* map = nobj->shape()->propMap()) {
2954 Vector<PropMap*, 8, SystemAllocPolicy> maps;
2955 while (true) {
2956 if (!maps.append(map)) {
2957 json.property("error", "*oom in JSObject::dumpFields*");
2958 break;
2959 }
2960 if (!map->hasPrevious()) {
2961 break;
2962 }
2963 map = map->asLinked()->previous();
2964 }
2965
2966 for (size_t i = maps.length(); i > 0; i--) {
2967 size_t index = i - 1;
2968 PropMap* map = maps[index];
2969 uint32_t len = (index == 0) ? shape()->asNative().propMapLength()
2970 : PropMap::Capacity;
2971 for (uint32_t j = 0; j < len; j++) {
2972 if (!map->hasKey(j)) {
2973 MOZ_ASSERT(map->isDictionary());
2974 continue;
2975 }
2976
2977 JS::UniqueChars propChars = map->getPropertyNameAt(j);
2978 if (!propChars) {
2979 json.property("error", "*oom in PropMap::getPropertyNameAt*");
2980 continue;
2981 }
2982
2983 js::GenericPrinter& out = json.beginStringProperty(propChars.get());
2984
2985 PropertyInfoWithKey prop = map->getPropertyInfoWithKey(j);
2986 if (prop.isDataProperty()) {
2987 nobj->getSlot(prop.slot()).dumpStringContent(out);
2988 out.put(" ");
2989 } else if (prop.isAccessorProperty()) {
2990 out.printf("getter=0x%p, setter=0x%p", nobj->getGetter(prop),
2991 nobj->getSetter(prop));
2992 out.put(" ");
2993 }
2994
2995 out.put("(");
2996 map->dumpDescriptorStringContentAt(out, j);
2997 out.put(")");
2998
2999 json.endStringProperty();
3000 }
3001 }
3002 }
3003 json.endObject();
3004
3005 uint32_t slots = nobj->getDenseInitializedLength();
3006 if (slots) {
3007 char name[64];
3008 json.beginObjectProperty("elements");
3009 for (uint32_t i = 0; i < slots; i++) {
3010 SprintfLiteral(name, "%u", i);
3011 js::GenericPrinter& out = json.beginStringProperty(name);
3012 nobj->getDenseElement(i).dumpStringContent(out);
3013 json.endStringProperty();
3014 }
3015 json.endObject();
3016 }
3017 }
3018 }
3019
3020 void JSObject::dumpStringContent(js::GenericPrinter& out) const {
3021 out.printf("<%s", getClass()->name);
3022
3023 DumpOwnStringContent(this, out);
3024
3025 out.printf(" @ (JSObject*)0x%p>", this);
3026 }
3027
3028 static void MaybeDumpScope(Scope* scope, js::GenericPrinter& out) {
3029 if (scope) {
3030 out.printf(" scope: %s\n", ScopeKindString(scope->kind()));
3031 for (BindingIter bi(scope); bi; bi++) {
3032 out.put(" ");
3033 StringValue(bi.name()).dump(out);
3034 }
3035 }
3036 }
3037
3038 static void MaybeDumpValue(const char* name, const Value& v,
3039 js::GenericPrinter& out) {
3040 if (!v.isNull()) {
3041 out.printf(" %s: ", name);
3042 v.dump(out);
3043 }
3044 }
3045
3046 JS_PUBLIC_API void js::DumpInterpreterFrame(JSContext* cx,
3047 js::GenericPrinter& out,
3048 InterpreterFrame* start) {
3049 /* This should only called during live debugging. */
3050 ScriptFrameIter i(cx);
3051 if (!start) {
3052 if (i.done()) {
3053 out.printf("no stack for cx = %p\n", (void*)cx);
3054 return;
3055 }
3056 } else {
3057 while (!i.done() && !i.isJSJit() && i.interpFrame() != start) {
3058 ++i;
3059 }
3060
3061 if (i.done()) {
3062 out.printf("fp = %p not found in cx = %p\n", (void*)start, (void*)cx);
3063 return;
3064 }
3065 }
3066
3067 for (; !i.done(); ++i) {
3068 if (i.isJSJit()) {
3069 out.put("JIT frame\n");
3070 } else {
3071 out.printf("InterpreterFrame at %p\n", (void*)i.interpFrame());
3072 }
3073
3074 if (i.isFunctionFrame()) {
3075 out.put("callee fun: ");
3076 RootedValue v(cx);
3077 JSObject* fun = i.callee(cx);
3078 v.setObject(*fun);
3079 v.get().dump(out);
3080 } else {
3081 out.put("global or eval frame, no callee\n");
3082 }
3083
3084 out.printf("file %s line %u\n", i.script()->filename(),
3085 i.script()->lineno());
3086
3087 if (jsbytecode* pc = i.pc()) {
3088 out.printf(" pc = %p\n", pc);
3089 out.printf(" current op: %s\n", CodeName(JSOp(*pc)));
3090 MaybeDumpScope(i.script()->lookupScope(pc), out);
3091 }
3092 if (i.isFunctionFrame()) {
3093 MaybeDumpValue("this", i.thisArgument(cx), out);
3094 }
3095 if (!i.isJSJit()) {
3096 out.put(" rval: ");
3097 i.interpFrame()->returnValue().get().dump(out);
3098 }
3099
3100 out.put(" flags:");
3101 if (i.isConstructing()) {
3102 out.put(" constructing");
3103 }
3104 if (!i.isJSJit() && i.interpFrame()->isDebuggerEvalFrame()) {
3105 out.put(" debugger eval");
3106 }
3107 if (i.isEvalFrame()) {
3108 out.put(" eval");
3109 }
3110 out.putChar('\n');
3111
3112 out.printf(" envChain: (JSObject*) %p\n", (void*)i.environmentChain(cx));
3113
3114 out.putChar('\n');
3115 }
3116 }
3117
3118 #endif /* defined(DEBUG) || defined(JS_JITSPEW) */
3119
3120 JS_PUBLIC_API void js::DumpBacktrace(JSContext* cx, FILE* fp) {
3121 Fprinter out(fp);
3122 js::DumpBacktrace(cx, out);
3123 }
3124
3125 JS_PUBLIC_API void js::DumpBacktrace(JSContext* cx, js::GenericPrinter& out) {
3126 size_t depth = 0;
3127 for (AllFramesIter i(cx); !i.done(); ++i, ++depth) {
3128 const char* filename;
3129 unsigned line;
3130 if (i.hasScript()) {
3131 filename = JS_GetScriptFilename(i.script());
3132 line = PCToLineNumber(i.script(), i.pc());
3133 } else {
3134 filename = i.filename();
3135 line = i.computeLine();
3136 }
3137 char frameType = i.isInterp() ? 'i'
3138 : i.isBaseline() ? 'b'
3139 : i.isIon() ? 'I'
3140 : i.isWasm() ? 'W'
3141 : '?';
3142
3143 out.printf("#%zu %14p %c %s:%u", depth, i.rawFramePtr(), frameType,
3144 filename, line);
3145
3146 if (i.hasScript()) {
3147 out.printf(" (%p @ %zu)\n", i.script(), i.script()->pcToOffset(i.pc()));
3148 } else {
3149 out.printf(" (%p)\n", i.pc());
3150 }
3151 }
3152 }
3153
3154 JS_PUBLIC_API void js::DumpBacktrace(JSContext* cx) {
3155 DumpBacktrace(cx, stdout);
3156 }
3157
3158 /* * */
3159
3160 bool JSObject::isBackgroundFinalized() const {
3161 if (isTenured()) {
3162 return js::gc::IsBackgroundFinalized(asTenured().getAllocKind());
3163 }
3164
3165 js::Nursery& nursery = runtimeFromMainThread()->gc.nursery();
3166 return js::gc::IsBackgroundFinalized(allocKindForTenure(nursery));
3167 }
3168
3169 js::gc::AllocKind JSObject::allocKindForTenure(
3170 const js::Nursery& nursery) const {
3171 using namespace js::gc;
3172
3173 MOZ_ASSERT(IsInsideNursery(this));
3174
3175 if (is<NativeObject>()) {
3176 if (canHaveFixedElements()) {
3177 const NativeObject& nobj = as<NativeObject>();
3178 MOZ_ASSERT(nobj.numFixedSlots() == 0);
3179
3180 /* Use minimal size object if we are just going to copy the pointer. */
3181 if (!nursery.isInside(nobj.getUnshiftedElementsHeader())) {
3182 return gc::AllocKind::OBJECT0_BACKGROUND;
3183 }
3184
3185 size_t nelements = nobj.getDenseCapacity();
3186 return ForegroundToBackgroundAllocKind(GetGCArrayKind(nelements));
3187 }
3188
3189 if (is<JSFunction>()) {
3190 return as<JSFunction>().getAllocKind();
3191 }
3192
3193 if (is<FixedLengthTypedArrayObject>()) {
3194 return as<FixedLengthTypedArrayObject>().allocKindForTenure();
3195 }
3196
3197 return as<NativeObject>().allocKindForTenure();
3198 }
3199
3200 // Handle all non-native objects.
3201
3202 // Proxies that are CrossCompartmentWrappers may be nursery allocated.
3203 if (is<ProxyObject>()) {
3204 return as<ProxyObject>().allocKindForTenure();
3205 }
3206
3207 // WasmStructObjects have a variable-length tail which contains the first
3208 // few data fields, so make sure we copy it all over to the new object.
3209 if (is<WasmStructObject>()) {
3210 // Figure out the size of this object, from the object's TypeDef.
3211 const wasm::TypeDef* typeDef = &as<WasmStructObject>().typeDef();
3212 return WasmStructObject::allocKindForTypeDef(typeDef);
3213 }
3214
3215 // WasmArrayObjects sometimes have a variable-length tail which contains the
3216 // data for small arrays. Make sure we copy it all over to the new object.
3217 MOZ_ASSERT(is<WasmArrayObject>());
3218 gc::AllocKind allocKind = as<WasmArrayObject>().allocKind();
3219 return allocKind;
3220 }
3221
3222 void JSObject::addSizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf,
3223 JS::ClassInfo* info,
3224 JS::RuntimeSizes* runtimeSizes) {
3225 if (is<NativeObject>() && as<NativeObject>().hasDynamicSlots()) {
3226 info->objectsMallocHeapSlots +=
3227 mallocSizeOf(as<NativeObject>().getSlotsHeader());
3228 }
3229
3230 if (is<NativeObject>() && as<NativeObject>().hasDynamicElements()) {
3231 void* allocatedElements = as<NativeObject>().getUnshiftedElementsHeader();
3232 info->objectsMallocHeapElementsNormal += mallocSizeOf(allocatedElements);
3233 }
3234
3235 // Other things may be measured in the future if DMD indicates it is
3236 // worthwhile.
3237 if (is<JSFunction>() || is<PlainObject>() || is<ArrayObject>() ||
3238 is<CallObject>() || is<RegExpObject>() || is<ProxyObject>()) {
3239 // Do nothing. But this function is hot, and we win by getting the
3240 // common cases out of the way early. Some stats on the most common
3241 // classes, as measured during a vanilla browser session:
3242 // - (53.7%, 53.7%): Function
3243 // - (18.0%, 71.7%): Object
3244 // - (16.9%, 88.6%): Array
3245 // - ( 3.9%, 92.5%): Call
3246 // - ( 2.8%, 95.3%): RegExp
3247 // - ( 1.0%, 96.4%): Proxy
3248
3249 // Note that any JSClass that is special cased below likely needs to
3250 // specify the JSCLASS_DELAY_METADATA_BUILDER flag, or else we will
3251 // probably crash if the object metadata callback attempts to get the
3252 // size of the new object (which Debugger code does) before private
3253 // slots are initialized.
3254 } else if (is<ArgumentsObject>()) {
3255 info->objectsMallocHeapMisc +=
3256 as<ArgumentsObject>().sizeOfMisc(mallocSizeOf);
3257 } else if (is<MapObject>()) {
3258 info->objectsMallocHeapMisc += as<MapObject>().sizeOfData(mallocSizeOf);
3259 } else if (is<SetObject>()) {
3260 info->objectsMallocHeapMisc += as<SetObject>().sizeOfData(mallocSizeOf);
3261 } else if (is<PropertyIteratorObject>()) {
3262 info->objectsMallocHeapMisc +=
3263 as<PropertyIteratorObject>().sizeOfMisc(mallocSizeOf);
3264 } else if (is<ArrayBufferObject>()) {
3265 ArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf, info,
3266 runtimeSizes);
3267 } else if (is<SharedArrayBufferObject>()) {
3268 SharedArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf, info,
3269 runtimeSizes);
3270 } else if (is<GlobalObject>()) {
3271 as<GlobalObject>().addSizeOfData(mallocSizeOf, info);
3272 } else if (is<WeakCollectionObject>()) {
3273 info->objectsMallocHeapMisc +=
3274 as<WeakCollectionObject>().sizeOfExcludingThis(mallocSizeOf);
3275 }
3276 #ifdef JS_HAS_CTYPES
3277 else {
3278 // This must be the last case.
3279 info->objectsMallocHeapMisc += ctypes::SizeOfDataIfCDataObject(
3280 mallocSizeOf, const_cast<JSObject*>(this));
3281 }
3282 #endif
3283 }
3284
3285 size_t JSObject::sizeOfIncludingThisInNursery() const {
3286 // This function doesn't concern itself yet with typed objects (bug 1133593).
3287
3288 MOZ_ASSERT(!isTenured());
3289
3290 const Nursery& nursery = runtimeFromMainThread()->gc.nursery();
3291 size_t size = gc::Arena::thingSize(allocKindForTenure(nursery));
3292
3293 if (is<NativeObject>()) {
3294 const NativeObject& native = as<NativeObject>();
3295
3296 size += native.numDynamicSlots() * sizeof(Value);
3297
3298 if (native.hasDynamicElements()) {
3299 js::ObjectElements& elements = *native.getElementsHeader();
3300 size += (elements.capacity + elements.numShiftedElements()) *
3301 sizeof(HeapSlot);
3302 }
3303
3304 if (is<ArgumentsObject>()) {
3305 size += as<ArgumentsObject>().sizeOfData();
3306 }
3307 }
3308
3309 return size;
3310 }
3311
3312 JS::ubi::Node::Size JS::ubi::Concrete<JSObject>::size(
3313 mozilla::MallocSizeOf mallocSizeOf) const {
3314 JSObject& obj = get();
3315
3316 if (!obj.isTenured()) {
3317 return obj.sizeOfIncludingThisInNursery();
3318 }
3319
3320 JS::ClassInfo info;
3321 obj.addSizeOfExcludingThis(mallocSizeOf, &info, nullptr);
3322 return obj.tenuredSizeOfThis() + info.sizeOfAllThings();
3323 }
3324
3325 const char16_t JS::ubi::Concrete<JSObject>::concreteTypeName[] = u"JSObject";
3326
3327 void JSObject::traceChildren(JSTracer* trc) {
3328 TraceCellHeaderEdge(trc, this, "shape");
3329
3330 Shape* objShape = shape();
3331 if (objShape->isNative()) {
3332 NativeObject* nobj = &as<NativeObject>();
3333
3334 {
3335 GetObjectSlotNameFunctor func(nobj);
3336 JS::AutoTracingDetails ctx(trc, func);
3337 JS::AutoTracingIndex index(trc);
3338 // Tracing can mutate the target but cannot change the slot count,
3339 // but the compiler has no way of knowing this.
3340 const uint32_t nslots = nobj->slotSpan();
3341 for (uint32_t i = 0; i < nslots; ++i) {
3342 TraceEdge(trc, &nobj->getSlotRef(i), "object slot");
3343 ++index;
3344 }
3345 MOZ_ASSERT(nslots == nobj->slotSpan());
3346 }
3347
3348 TraceRange(trc, nobj->getDenseInitializedLength(),
3349 static_cast<HeapSlot*>(nobj->getDenseElements()),
3350 "objectElements");
3351 }
3352
3353 // Call the trace hook at the end so that during a moving GC the trace hook
3354 // will see updated fields and slots.
3355 const JSClass* clasp = objShape->getObjectClass();
3356 if (clasp->hasTrace()) {
3357 clasp->doTrace(trc, this);
3358 }
3359 }
3360
3361 // ES 2016 7.3.20.
3362 [[nodiscard]] JSObject* js::SpeciesConstructor(
3363 JSContext* cx, HandleObject obj, HandleObject defaultCtor,
3364 bool (*isDefaultSpecies)(JSContext*, JSFunction*)) {
3365 // Step 1 (implicit).
3366
3367 // Fast-path for steps 2 - 8. Applies if all of the following conditions
3368 // are met:
3369 // - obj.constructor can be retrieved without side-effects.
3370 // - obj.constructor[[@@species]] can be retrieved without side-effects.
3371 // - obj.constructor[[@@species]] is the builtin's original @@species
3372 // getter.
3373 RootedValue ctor(cx);
3374 bool ctorGetSucceeded = GetPropertyPure(
3375 cx, obj, NameToId(cx->names().constructor), ctor.address());
3376 if (ctorGetSucceeded && ctor.isObject() && &ctor.toObject() == defaultCtor) {
3377 jsid speciesId = PropertyKey::Symbol(cx->wellKnownSymbols().species);
3378 JSFunction* getter;
3379 if (GetGetterPure(cx, defaultCtor, speciesId, &getter) && getter &&
3380 isDefaultSpecies(cx, getter)) {
3381 return defaultCtor;
3382 }
3383 }
3384
3385 // Step 2.
3386 if (!ctorGetSucceeded &&
3387 !GetProperty(cx, obj, obj, cx->names().constructor, &ctor)) {
3388 return nullptr;
3389 }
3390
3391 // Step 3.
3392 if (ctor.isUndefined()) {
3393 return defaultCtor;
3394 }
3395
3396 // Step 4.
3397 if (!ctor.isObject()) {
3398 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
3399 JSMSG_OBJECT_REQUIRED,
3400 "object's 'constructor' property");
3401 return nullptr;
3402 }
3403
3404 // Step 5.
3405 RootedObject ctorObj(cx, &ctor.toObject());
3406 RootedValue s(cx);
3407 RootedId speciesId(cx, PropertyKey::Symbol(cx->wellKnownSymbols().species));
3408 if (!GetProperty(cx, ctorObj, ctor, speciesId, &s)) {
3409 return nullptr;
3410 }
3411
3412 // Step 6.
3413 if (s.isNullOrUndefined()) {
3414 return defaultCtor;
3415 }
3416
3417 // Step 7.
3418 if (IsConstructor(s)) {
3419 return &s.toObject();
3420 }
3421
3422 // Step 8.
3423 JS_ReportErrorNumberASCII(
3424 cx, GetErrorMessage, nullptr, JSMSG_NOT_CONSTRUCTOR,
3425 "[Symbol.species] property of object's constructor");
3426 return nullptr;
3427 }
3428
3429 [[nodiscard]] JSObject* js::SpeciesConstructor(
3430 JSContext* cx, HandleObject obj, JSProtoKey ctorKey,
3431 bool (*isDefaultSpecies)(JSContext*, JSFunction*)) {
3432 RootedObject defaultCtor(cx,
3433 GlobalObject::getOrCreateConstructor(cx, ctorKey));
3434 if (!defaultCtor) {
3435 return nullptr;
3436 }
3437 return SpeciesConstructor(cx, obj, defaultCtor, isDefaultSpecies);
3438 }
3439
3440 bool js::Unbox(JSContext* cx, HandleObject obj, MutableHandleValue vp) {
3441 if (MOZ_UNLIKELY(obj->is<ProxyObject>())) {
3442 return Proxy::boxedValue_unbox(cx, obj, vp);
3443 }
3444
3445 if (obj->is<BooleanObject>()) {
3446 vp.setBoolean(obj->as<BooleanObject>().unbox());
3447 } else if (obj->is<NumberObject>()) {
3448 vp.setNumber(obj->as<NumberObject>().unbox());
3449 } else if (obj->is<StringObject>()) {
3450 vp.setString(obj->as<StringObject>().unbox());
3451 } else if (obj->is<DateObject>()) {
3452 vp.set(obj->as<DateObject>().UTCTime());
3453 } else if (obj->is<SymbolObject>()) {
3454 vp.setSymbol(obj->as<SymbolObject>().unbox());
3455 } else if (obj->is<BigIntObject>()) {
3456 vp.setBigInt(obj->as<BigIntObject>().unbox());
3457 #ifdef ENABLE_RECORD_TUPLE
3458 } else if (obj->is<RecordObject>()) {
3459 vp.setExtendedPrimitive(*obj->as<RecordObject>().unbox());
3460 } else if (obj->is<TupleObject>()) {
3461 vp.setExtendedPrimitive(obj->as<TupleObject>().unbox());
3462 #endif
3463 } else {
3464 vp.setUndefined();
3465 }
3466
3467 return true;
3468 }
3469
3470 #ifdef DEBUG
3471 void js::AssertJSClassInvariants(const JSClass* clasp) {
3472 MOZ_ASSERT(JS::StringIsASCII(clasp->name));
3473
3474 // Native objects shouldn't use the property operation hooks in ObjectOps.
3475 // Doing so could violate JIT invariants.
3476 //
3477 // Environment objects unfortunately use these hooks, but environment objects
3478 // are not exposed directly to script so they're generally less of an issue.
3479 if (clasp->isNativeObject() && clasp != &WithEnvironmentObject::class_ &&
3480 clasp != &ModuleEnvironmentObject::class_ &&
3481 clasp != &RuntimeLexicalErrorObject::class_) {
3482 MOZ_ASSERT(!clasp->getOpsLookupProperty());
3483 MOZ_ASSERT_IF(clasp != &MappedArgumentsObject::class_,
3484 !clasp->getOpsDefineProperty());
3485 MOZ_ASSERT(!clasp->getOpsHasProperty());
3486 MOZ_ASSERT(!clasp->getOpsGetProperty());
3487 MOZ_ASSERT(!clasp->getOpsSetProperty());
3488 MOZ_ASSERT(!clasp->getOpsGetOwnPropertyDescriptor());
3489 MOZ_ASSERT(!clasp->getOpsDeleteProperty());
3490 }
3491 }
3492
3493 /* static */
3494 void JSObject::debugCheckNewObject(Shape* shape, js::gc::AllocKind allocKind,
3495 js::gc::Heap heap) {
3496 const JSClass* clasp = shape->getObjectClass();
3497
3498 if (!ClassCanHaveFixedData(clasp)) {
3499 NativeShape* nshape = &shape->asNative();
3500 if (clasp == &ArrayObject::class_) {
3501 // Arrays can store the ObjectElements header inline.
3502 MOZ_ASSERT(nshape->numFixedSlots() == 0);
3503 } else {
3504 MOZ_ASSERT(gc::GetGCKindSlots(allocKind) == nshape->numFixedSlots());
3505 }
3506 }
3507
3508 // Assert background finalization is used when possible.
3509 MOZ_ASSERT(!CanChangeToBackgroundAllocKind(allocKind, clasp));
3510
3511 // Classes with a finalizer must specify whether instances will be finalized
3512 // on the main thread or in the background, except proxies whose behaviour
3513 // depends on the target object.
3514 static const uint32_t FinalizeMask =
3515 JSCLASS_FOREGROUND_FINALIZE | JSCLASS_BACKGROUND_FINALIZE;
3516 uint32_t flags = clasp->flags;
3517 uint32_t finalizeFlags = flags & FinalizeMask;
3518 if (clasp->hasFinalize() && !clasp->isProxyObject()) {
3519 MOZ_ASSERT(finalizeFlags == JSCLASS_FOREGROUND_FINALIZE ||
3520 finalizeFlags == JSCLASS_BACKGROUND_FINALIZE);
3521 MOZ_ASSERT((finalizeFlags == JSCLASS_BACKGROUND_FINALIZE) ==
3522 IsBackgroundFinalized(allocKind));
3523 } else {
3524 MOZ_ASSERT(finalizeFlags == 0);
3525 }
3526
3527 MOZ_ASSERT_IF(clasp->hasFinalize(),
3528 heap == gc::Heap::Tenured ||
3529 CanNurseryAllocateFinalizedClass(clasp) ||
3530 clasp->isProxyObject());
3531
3532 MOZ_ASSERT(!shape->isDictionary());
3533 MOZ_ASSERT(!shape->realm()->hasObjectPendingMetadata());
3534
3535 // Non-native classes manage their own data and slots, so numFixedSlots is
3536 // always 0. Note that proxy classes can have reserved slots but they're not
3537 // included in numFixedSlots.
3538 if (!clasp->isNativeObject()) {
3539 MOZ_ASSERT_IF(!clasp->isProxyObject(), JSCLASS_RESERVED_SLOTS(clasp) == 0);
3540 }
3541 }
3542 #endif