1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 * JS object implementation.
11 #include "vm/JSObject-inl.h"
13 #include "mozilla/MemoryReporting.h"
14 #include "mozilla/Try.h"
20 #include "jsfriendapi.h"
24 #include "builtin/BigInt.h"
25 #include "builtin/MapObject.h"
26 #include "builtin/Object.h"
27 #include "builtin/String.h"
28 #include "builtin/Symbol.h"
29 #include "builtin/WeakSetObject.h"
30 #include "gc/AllocKind.h"
32 #include "js/CharacterEncoding.h"
33 #include "js/friend/DumpFunctions.h" // js::DumpObject
34 #include "js/friend/ErrorMessages.h" // JSErrNum, js::GetErrorMessage, JSMSG_*
35 #include "js/friend/WindowProxy.h" // js::IsWindow, js::ToWindowProxyIfWindow
36 #include "js/MemoryMetrics.h"
37 #include "js/Prefs.h" // JS::Prefs
38 #include "js/Printer.h" // js::GenericPrinter, js::Fprinter
39 #include "js/PropertyDescriptor.h" // JS::FromPropertyDescriptor
40 #include "js/PropertySpec.h" // JSPropertySpec
42 #include "js/Result.h"
43 #include "js/UbiNode.h"
44 #include "js/Wrapper.h"
45 #include "proxy/DeadObjectProxy.h"
46 #include "util/Memory.h"
47 #include "util/Text.h"
48 #include "util/WindowsWrapper.h"
49 #include "vm/ArgumentsObject.h"
50 #include "vm/ArrayBufferObject.h"
51 #include "vm/ArrayBufferViewObject.h"
52 #include "vm/BytecodeUtil.h"
53 #include "vm/Compartment.h"
54 #include "vm/DateObject.h"
55 #include "vm/Interpreter.h"
56 #include "vm/Iteration.h"
57 #include "vm/JSAtomUtils.h" // Atomize
58 #include "vm/JSContext.h"
59 #include "vm/JSFunction.h"
60 #include "vm/JSONPrinter.h" // js::JSONPrinter
61 #include "vm/JSScript.h"
62 #include "vm/PromiseObject.h"
63 #include "vm/ProxyObject.h"
64 #include "vm/RegExpObject.h"
66 #include "vm/TypedArrayObject.h"
67 #include "vm/Watchtower.h"
68 #include "vm/WrapperObject.h"
69 #ifdef ENABLE_RECORD_TUPLE
70 # include "builtin/RecordObject.h"
71 # include "builtin/TupleObject.h"
72 # include "vm/RecordType.h"
73 # include "vm/TupleType.h"
76 #include "gc/StableCellHasher-inl.h"
77 #include "vm/BooleanObject-inl.h"
78 #include "vm/EnvironmentObject-inl.h"
79 #include "vm/Interpreter-inl.h"
80 #include "vm/JSAtomUtils-inl.h" // AtomToId, PrimitiveValueToId, IndexToId
81 #include "vm/JSContext-inl.h"
82 #include "vm/NativeObject-inl.h"
83 #include "vm/NumberObject-inl.h"
84 #include "vm/ObjectFlags-inl.h"
85 #include "vm/Realm-inl.h"
86 #include "vm/StringObject-inl.h"
87 #include "vm/TypedArrayObject-inl.h"
88 #include "wasm/WasmGcObject-inl.h"
94 void js::ReportNotObject(JSContext
* cx
, JSErrNum err
, int spindex
,
96 MOZ_ASSERT(!v
.isObject());
97 ReportValueError(cx
, err
, spindex
, v
, nullptr);
100 void js::ReportNotObject(JSContext
* cx
, JSErrNum err
, HandleValue v
) {
101 ReportNotObject(cx
, err
, JSDVG_SEARCH_STACK
, v
);
104 void js::ReportNotObject(JSContext
* cx
, const Value
& v
) {
105 RootedValue
value(cx
, v
);
106 ReportNotObject(cx
, JSMSG_OBJECT_REQUIRED
, value
);
109 void js::ReportNotObjectArg(JSContext
* cx
, const char* nth
, const char* fun
,
111 MOZ_ASSERT(!v
.isObject());
114 if (const char* chars
= ValueToSourceForError(cx
, v
, bytes
)) {
115 JS_ReportErrorNumberLatin1(cx
, GetErrorMessage
, nullptr,
116 JSMSG_OBJECT_REQUIRED_ARG
, nth
, fun
, chars
);
120 JS_PUBLIC_API
const char* JS::InformalValueTypeName(const Value
& v
) {
122 case ValueType::Double
:
123 case ValueType::Int32
:
125 case ValueType::Boolean
:
127 case ValueType::Undefined
:
129 case ValueType::Null
:
131 case ValueType::String
:
133 case ValueType::Symbol
:
135 case ValueType::BigInt
:
137 case ValueType::Object
:
138 #ifdef ENABLE_RECORD_TUPLE
139 case ValueType::ExtendedPrimitive
:
141 return v
.getObjectPayload().getClass()->name
;
142 case ValueType::Magic
:
144 case ValueType::PrivateGCThing
:
148 MOZ_CRASH("unexpected type");
151 // ES6 draft rev37 6.2.4.4 FromPropertyDescriptor
152 JS_PUBLIC_API
bool JS::FromPropertyDescriptor(
153 JSContext
* cx
, Handle
<Maybe
<PropertyDescriptor
>> desc_
,
154 MutableHandleValue vp
) {
160 if (desc_
.isNothing()) {
165 Rooted
<PropertyDescriptor
> desc(cx
, *desc_
);
166 return FromPropertyDescriptorToObject(cx
, desc
, vp
);
169 bool js::FromPropertyDescriptorToObject(JSContext
* cx
,
170 Handle
<PropertyDescriptor
> desc
,
171 MutableHandleValue vp
) {
173 RootedObject
obj(cx
, NewPlainObject(cx
));
178 const JSAtomState
& names
= cx
->names();
181 if (desc
.hasValue()) {
182 if (!DefineDataProperty(cx
, obj
, names
.value
, desc
.value())) {
189 if (desc
.hasWritable()) {
190 v
.setBoolean(desc
.writable());
191 if (!DefineDataProperty(cx
, obj
, names
.writable
, v
)) {
197 if (desc
.hasGetter()) {
198 if (JSObject
* get
= desc
.getter()) {
203 if (!DefineDataProperty(cx
, obj
, names
.get
, v
)) {
209 if (desc
.hasSetter()) {
210 if (JSObject
* set
= desc
.setter()) {
215 if (!DefineDataProperty(cx
, obj
, names
.set
, v
)) {
221 if (desc
.hasEnumerable()) {
222 v
.setBoolean(desc
.enumerable());
223 if (!DefineDataProperty(cx
, obj
, names
.enumerable
, v
)) {
229 if (desc
.hasConfigurable()) {
230 v
.setBoolean(desc
.configurable());
231 if (!DefineDataProperty(cx
, obj
, names
.configurable
, v
)) {
240 bool js::GetFirstArgumentAsObject(JSContext
* cx
, const CallArgs
& args
,
242 MutableHandleObject objp
) {
243 if (!args
.requireAtLeast(cx
, method
, 1)) {
247 HandleValue v
= args
[0];
250 DecompileValueGenerator(cx
, JSDVG_SEARCH_STACK
, v
, nullptr);
254 JS_ReportErrorNumberUTF8(cx
, GetErrorMessage
, nullptr,
255 JSMSG_UNEXPECTED_TYPE
, bytes
.get(),
260 objp
.set(&v
.toObject());
264 static bool GetPropertyIfPresent(JSContext
* cx
, HandleObject obj
, HandleId id
,
265 MutableHandleValue vp
, bool* foundp
) {
266 if (!HasProperty(cx
, obj
, id
, foundp
)) {
274 return GetProperty(cx
, obj
, obj
, id
, vp
);
277 bool js::Throw(JSContext
* cx
, HandleId id
, unsigned errorNumber
,
278 const char* details
) {
279 MOZ_ASSERT(js_ErrorFormatString
[errorNumber
].argCount
== (details
? 2 : 1));
280 MOZ_ASSERT_IF(details
, JS::StringIsASCII(details
));
283 IdToPrintableUTF8(cx
, id
, IdToPrintableBehavior::IdIsPropertyKey
);
289 JS_ReportErrorNumberUTF8(cx
, GetErrorMessage
, nullptr, errorNumber
,
290 bytes
.get(), details
);
292 JS_ReportErrorNumberUTF8(cx
, GetErrorMessage
, nullptr, errorNumber
,
299 /*** PropertyDescriptor operations and DefineProperties *********************/
301 static Result
<> CheckCallable(JSContext
* cx
, JSObject
* obj
,
302 const char* fieldName
) {
303 if (obj
&& !obj
->isCallable()) {
304 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
305 JSMSG_BAD_GET_SET_FIELD
, fieldName
);
306 return cx
->alreadyReportedError();
311 // 6.2.5.5 ToPropertyDescriptor(Obj)
312 bool js::ToPropertyDescriptor(JSContext
* cx
, HandleValue descval
,
314 MutableHandle
<PropertyDescriptor
> desc_
) {
317 RequireObject(cx
, JSMSG_OBJECT_REQUIRED_PROP_DESC
, descval
));
323 Rooted
<PropertyDescriptor
> desc(cx
, PropertyDescriptor::Empty());
329 id
= NameToId(cx
->names().enumerable
);
330 bool hasEnumerable
= false;
331 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasEnumerable
)) {
335 desc
.setEnumerable(ToBoolean(v
));
339 id
= NameToId(cx
->names().configurable
);
340 bool hasConfigurable
= false;
341 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasConfigurable
)) {
344 if (hasConfigurable
) {
345 desc
.setConfigurable(ToBoolean(v
));
349 id
= NameToId(cx
->names().value
);
350 bool hasValue
= false;
351 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasValue
)) {
359 id
= NameToId(cx
->names().writable
);
360 bool hasWritable
= false;
361 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasWritable
)) {
365 desc
.setWritable(ToBoolean(v
));
369 id
= NameToId(cx
->names().get
);
371 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasGet
)) {
374 RootedObject
getter(cx
);
377 if (checkAccessors
) {
378 JS_TRY_OR_RETURN_FALSE(cx
, CheckCallable(cx
, &v
.toObject(), "getter"));
380 getter
= &v
.toObject();
381 } else if (v
.isUndefined()) {
384 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
385 JSMSG_BAD_GET_SET_FIELD
, "getter");
391 id
= NameToId(cx
->names().set
);
393 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasSet
)) {
396 RootedObject
setter(cx
);
399 if (checkAccessors
) {
400 JS_TRY_OR_RETURN_FALSE(cx
, CheckCallable(cx
, &v
.toObject(), "setter"));
402 setter
= &v
.toObject();
403 } else if (v
.isUndefined()) {
406 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
407 JSMSG_BAD_GET_SET_FIELD
, "setter");
413 if (hasGet
|| hasSet
) {
414 if (hasValue
|| hasWritable
) {
415 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
416 JSMSG_INVALID_DESCRIPTOR
);
420 // We delay setGetter/setSetter after the previous check,
421 // because otherwise we would assert.
423 desc
.setGetter(getter
);
426 desc
.setSetter(setter
);
435 Result
<> js::CheckPropertyDescriptorAccessors(JSContext
* cx
,
436 Handle
<PropertyDescriptor
> desc
) {
437 if (desc
.hasGetter()) {
438 MOZ_TRY(CheckCallable(cx
, desc
.getter(), "getter"));
441 if (desc
.hasSetter()) {
442 MOZ_TRY(CheckCallable(cx
, desc
.setter(), "setter"));
448 // 6.2.5.6 CompletePropertyDescriptor(Desc)
449 void js::CompletePropertyDescriptor(MutableHandle
<PropertyDescriptor
> desc
) {
454 // Let like be the Record { [[Value]]: undefined, [[Writable]]: false,
455 // [[Get]]: undefined, [[Set]]: undefined,
456 // [[Enumerable]]: false, [[Configurable]]: false }.
459 if (desc
.isGenericDescriptor() || desc
.isDataDescriptor()) {
461 if (!desc
.hasValue()) {
462 desc
.setValue(UndefinedHandleValue
);
465 if (!desc
.hasWritable()) {
466 desc
.setWritable(false);
470 if (!desc
.hasGetter()) {
471 desc
.setGetter(nullptr);
474 if (!desc
.hasSetter()) {
475 desc
.setSetter(nullptr);
480 if (!desc
.hasEnumerable()) {
481 desc
.setEnumerable(false);
485 if (!desc
.hasConfigurable()) {
486 desc
.setConfigurable(false);
489 desc
.assertComplete();
492 bool js::ReadPropertyDescriptors(
493 JSContext
* cx
, HandleObject props
, bool checkAccessors
,
494 MutableHandleIdVector ids
, MutableHandle
<PropertyDescriptorVector
> descs
) {
495 if (!GetPropertyKeys(cx
, props
, JSITER_OWNONLY
| JSITER_SYMBOLS
, ids
)) {
500 for (size_t i
= 0, len
= ids
.length(); i
< len
; i
++) {
502 Rooted
<PropertyDescriptor
> desc(cx
);
504 if (!GetProperty(cx
, props
, props
, id
, &v
) ||
505 !ToPropertyDescriptor(cx
, v
, checkAccessors
, &desc
) ||
506 !descs
.append(desc
)) {
513 /*** Seal and freeze ********************************************************/
515 /* ES6 draft rev 29 (6 Dec 2014) 7.3.13. */
516 bool js::SetIntegrityLevel(JSContext
* cx
, HandleObject obj
,
517 IntegrityLevel level
) {
520 // Steps 3-5. (Steps 1-2 are redundant assertions.)
521 if (!PreventExtensions(cx
, obj
)) {
525 // Steps 6-9, loosely interpreted.
526 if (obj
->is
<NativeObject
>() && !obj
->is
<TypedArrayObject
>() &&
527 !obj
->is
<MappedArgumentsObject
>()) {
528 Handle
<NativeObject
*> nobj
= obj
.as
<NativeObject
>();
530 // Use a fast path to seal/freeze properties. This has the benefit of
531 // creating shared property maps if possible, whereas the slower/generic
532 // implementation below ends up converting non-empty objects to dictionary
534 if (nobj
->shape()->propMapLength() > 0) {
535 if (!NativeObject::freezeOrSealProperties(cx
, nobj
, level
)) {
540 // Ordinarily ArraySetLength handles this, but we're going behind its back
541 // right now, so we must do this manually.
542 if (level
== IntegrityLevel::Frozen
&& obj
->is
<ArrayObject
>()) {
543 obj
->as
<ArrayObject
>().setNonWritableLength(cx
);
547 RootedIdVector
keys(cx
);
548 if (!GetPropertyKeys(
549 cx
, obj
, JSITER_HIDDEN
| JSITER_OWNONLY
| JSITER_SYMBOLS
, &keys
)) {
554 Rooted
<PropertyDescriptor
> desc(cx
, PropertyDescriptor::Empty());
556 // 8.a/9.a. The two different loops are merged here.
557 for (size_t i
= 0; i
< keys
.length(); i
++) {
560 if (level
== IntegrityLevel::Sealed
) {
562 desc
.setConfigurable(false);
565 Rooted
<Maybe
<PropertyDescriptor
>> currentDesc(cx
);
566 if (!GetOwnPropertyDescriptor(cx
, obj
, id
, ¤tDesc
)) {
571 if (currentDesc
.isNothing()) {
576 desc
= PropertyDescriptor::Empty();
577 if (currentDesc
->isAccessorDescriptor()) {
578 desc
.setConfigurable(false);
580 desc
.setConfigurable(false);
581 desc
.setWritable(false);
585 // 8.a.i-ii. / 9.a.iii.3-4
586 if (!DefineProperty(cx
, obj
, id
, desc
)) {
592 // Finally, freeze or seal the dense elements.
593 if (obj
->is
<NativeObject
>()) {
594 if (!ObjectElements::FreezeOrSeal(cx
, obj
.as
<NativeObject
>(), level
)) {
602 static bool ResolveLazyProperties(JSContext
* cx
, Handle
<NativeObject
*> obj
) {
603 const JSClass
* clasp
= obj
->getClass();
604 if (JSEnumerateOp enumerate
= clasp
->getEnumerate()) {
605 if (!enumerate(cx
, obj
)) {
609 if (clasp
->getNewEnumerate() && clasp
->getResolve()) {
610 RootedIdVector
properties(cx
);
611 if (!clasp
->getNewEnumerate()(cx
, obj
, &properties
,
612 /* enumerableOnly = */ false)) {
617 for (size_t i
= 0; i
< properties
.length(); i
++) {
620 if (!HasOwnProperty(cx
, obj
, id
, &found
)) {
628 // ES6 draft rev33 (12 Feb 2015) 7.3.15
629 bool js::TestIntegrityLevel(JSContext
* cx
, HandleObject obj
,
630 IntegrityLevel level
, bool* result
) {
631 // Steps 3-6. (Steps 1-2 are redundant assertions.)
633 if (!IsExtensible(cx
, obj
, &status
)) {
641 // Fast path for native objects.
642 if (obj
->is
<NativeObject
>()) {
643 Handle
<NativeObject
*> nobj
= obj
.as
<NativeObject
>();
645 // Force lazy properties to be resolved.
646 if (!ResolveLazyProperties(cx
, nobj
)) {
650 // Typed array elements are configurable, writable properties, so if any
651 // elements are present, the typed array can neither be sealed nor frozen.
652 if (nobj
->is
<TypedArrayObject
>() &&
653 nobj
->as
<TypedArrayObject
>().length().valueOr(0) > 0) {
658 bool hasDenseElements
= false;
659 for (size_t i
= 0; i
< nobj
->getDenseInitializedLength(); i
++) {
660 if (nobj
->containsDenseElement(i
)) {
661 hasDenseElements
= true;
666 if (hasDenseElements
) {
667 // Unless the sealed flag is set, dense elements are configurable.
668 if (!nobj
->denseElementsAreSealed()) {
673 // Unless the frozen flag is set, dense elements are writable.
674 if (level
== IntegrityLevel::Frozen
&& !nobj
->denseElementsAreFrozen()) {
681 for (ShapePropertyIter
<NoGC
> iter(nobj
->shape()); !iter
.done(); iter
++) {
683 if (iter
->configurable() ||
684 (level
== IntegrityLevel::Frozen
&& iter
->isDataDescriptor() &&
686 // Private fields on objects don't participate in the frozen state, and
687 // so should be elided from checking for frozen state.
688 if (iter
->key().isPrivateName()) {
698 RootedIdVector
props(cx
);
699 if (!GetPropertyKeys(
700 cx
, obj
, JSITER_HIDDEN
| JSITER_OWNONLY
| JSITER_SYMBOLS
, &props
)) {
706 Rooted
<Maybe
<PropertyDescriptor
>> desc(cx
);
707 for (size_t i
= 0, len
= props
.length(); i
< len
; i
++) {
711 if (!GetOwnPropertyDescriptor(cx
, obj
, id
, &desc
)) {
716 if (desc
.isNothing()) {
721 if (desc
->configurable() ||
722 (level
== IntegrityLevel::Frozen
&& desc
->isDataDescriptor() &&
724 // Since we don't request JSITER_PRIVATE in GetPropertyKeys above, we
725 // should never see a private name here.
726 MOZ_ASSERT(!id
.isPrivateName());
740 static MOZ_ALWAYS_INLINE NativeObject
* NewObject(
741 JSContext
* cx
, const JSClass
* clasp
, Handle
<TaggedProto
> proto
,
742 gc::AllocKind kind
, NewObjectKind newKind
, ObjectFlags objFlags
) {
743 MOZ_ASSERT(clasp
->isNativeObject());
745 // Some classes have specialized allocation functions and shouldn't end up
747 MOZ_ASSERT(clasp
!= &ArrayObject::class_
);
748 MOZ_ASSERT(clasp
!= &PlainObject::class_
);
749 MOZ_ASSERT(!clasp
->isJSFunction());
751 // Computing nfixed based on the AllocKind isn't right for objects which can
752 // store fixed data inline (TypedArrays and ArrayBuffers) so for simplicity
753 // and performance reasons we don't support such objects here.
754 MOZ_ASSERT(!ClassCanHaveFixedData(clasp
));
755 size_t nfixed
= GetGCKindSlots(kind
);
757 if (CanChangeToBackgroundAllocKind(kind
, clasp
)) {
758 kind
= ForegroundToBackgroundAllocKind(kind
);
761 Rooted
<SharedShape
*> shape(
762 cx
, SharedShape::getInitialShape(cx
, clasp
, cx
->realm(), proto
, nfixed
,
768 gc::Heap heap
= GetInitialHeap(newKind
, clasp
);
769 NativeObject
* obj
= NativeObject::create(cx
, kind
, heap
, shape
);
774 probes::CreateObject(cx
, obj
);
778 NativeObject
* js::NewObjectWithGivenTaggedProto(
779 JSContext
* cx
, const JSClass
* clasp
, Handle
<TaggedProto
> proto
,
780 gc::AllocKind allocKind
, NewObjectKind newKind
, ObjectFlags objFlags
) {
781 return NewObject(cx
, clasp
, proto
, allocKind
, newKind
, objFlags
);
784 NativeObject
* js::NewObjectWithClassProto(JSContext
* cx
, const JSClass
* clasp
,
785 HandleObject protoArg
,
786 gc::AllocKind allocKind
,
787 NewObjectKind newKind
,
788 ObjectFlags objFlags
) {
790 return NewObjectWithGivenTaggedProto(cx
, clasp
, AsTaggedProto(protoArg
),
791 allocKind
, newKind
, objFlags
);
794 // Find the appropriate proto for clasp. Built-in classes have a cached
795 // proto on cx->global(); all others get %ObjectPrototype%.
796 JSProtoKey protoKey
= JSCLASS_CACHED_PROTO_KEY(clasp
);
797 if (protoKey
== JSProto_Null
) {
798 protoKey
= JSProto_Object
;
801 JSObject
* proto
= GlobalObject::getOrCreatePrototype(cx
, protoKey
);
806 Rooted
<TaggedProto
> taggedProto(cx
, TaggedProto(proto
));
807 return NewObject(cx
, clasp
, taggedProto
, allocKind
, newKind
, objFlags
);
810 bool js::GetPrototypeFromConstructor(JSContext
* cx
, HandleObject newTarget
,
811 JSProtoKey intrinsicDefaultProto
,
812 MutableHandleObject proto
) {
813 RootedValue
protov(cx
);
814 if (!GetProperty(cx
, newTarget
, newTarget
, cx
->names().prototype
, &protov
)) {
817 if (protov
.isObject()) {
818 proto
.set(&protov
.toObject());
819 } else if (newTarget
->is
<JSFunction
>() &&
820 newTarget
->as
<JSFunction
>().realm() == cx
->realm()) {
821 // Steps 4.a-b fetch the builtin prototype of the current realm, which we
822 // represent as nullptr.
824 } else if (intrinsicDefaultProto
== JSProto_Null
) {
825 // Bug 1317416. The caller did not pass a reasonable JSProtoKey, so let the
826 // caller select a prototype object. Most likely they will choose one from
830 // Step 4.a: Let realm be ? GetFunctionRealm(constructor);
831 Realm
* realm
= JS::GetFunctionRealm(cx
, newTarget
);
836 // Step 4.b: Set proto to realm's intrinsic object named
837 // intrinsicDefaultProto.
840 if (cx
->realm() != realm
) {
841 ar
.emplace(cx
, realm
->maybeGlobal());
843 proto
.set(GlobalObject::getOrCreatePrototype(cx
, intrinsicDefaultProto
));
848 if (!cx
->compartment()->wrap(cx
, proto
)) {
856 bool JSObject::nonNativeSetProperty(JSContext
* cx
, HandleObject obj
,
857 HandleId id
, HandleValue v
,
858 HandleValue receiver
,
859 ObjectOpResult
& result
) {
860 return obj
->getOpsSetProperty()(cx
, obj
, id
, v
, receiver
, result
);
864 bool JSObject::nonNativeSetElement(JSContext
* cx
, HandleObject obj
,
865 uint32_t index
, HandleValue v
,
866 HandleValue receiver
,
867 ObjectOpResult
& result
) {
869 if (!IndexToId(cx
, index
, &id
)) {
872 return nonNativeSetProperty(cx
, obj
, id
, v
, receiver
, result
);
875 static bool CopyPropertyFrom(JSContext
* cx
, HandleId id
, HandleObject target
,
877 // |target| must not be a CCW because we need to enter its realm below and
878 // CCWs are not associated with a single realm.
879 MOZ_ASSERT(!IsCrossCompartmentWrapper(target
));
881 // |obj| and |cx| are generally not same-compartment with |target| here.
883 Rooted
<mozilla::Maybe
<PropertyDescriptor
>> desc(cx
);
885 if (!GetOwnPropertyDescriptor(cx
, obj
, id
, &desc
)) {
888 MOZ_ASSERT(desc
.isSome());
890 JSAutoRealm
ar(cx
, target
);
892 RootedId
wrappedId(cx
, id
);
893 if (!cx
->compartment()->wrap(cx
, &desc
)) {
897 Rooted
<PropertyDescriptor
> desc_(cx
, *desc
);
898 return DefineProperty(cx
, target
, wrappedId
, desc_
);
901 JS_PUBLIC_API
bool JS_CopyOwnPropertiesAndPrivateFields(JSContext
* cx
,
904 // Both |obj| and |target| must not be CCWs because we need to enter their
905 // realms below and CCWs are not associated with a single realm.
906 MOZ_ASSERT(!IsCrossCompartmentWrapper(obj
));
907 MOZ_ASSERT(!IsCrossCompartmentWrapper(target
));
909 JSAutoRealm
ar(cx
, obj
);
911 RootedIdVector
props(cx
);
912 if (!GetPropertyKeys(
914 JSITER_PRIVATE
| JSITER_OWNONLY
| JSITER_HIDDEN
| JSITER_SYMBOLS
,
919 for (size_t i
= 0; i
< props
.length(); ++i
) {
920 if (!CopyPropertyFrom(cx
, props
[i
], target
, obj
)) {
928 static bool InitializePropertiesFromCompatibleNativeObject(
929 JSContext
* cx
, Handle
<NativeObject
*> dst
, Handle
<NativeObject
*> src
) {
931 MOZ_ASSERT(src
->getClass() == dst
->getClass());
932 MOZ_ASSERT(dst
->shape()->objectFlags().isEmpty());
933 MOZ_ASSERT(src
->numFixedSlots() == dst
->numFixedSlots());
934 MOZ_ASSERT(!src
->inDictionaryMode());
935 MOZ_ASSERT(!dst
->inDictionaryMode());
937 if (!dst
->ensureElements(cx
, src
->getDenseInitializedLength())) {
941 uint32_t initialized
= src
->getDenseInitializedLength();
942 for (uint32_t i
= 0; i
< initialized
; ++i
) {
943 dst
->setDenseInitializedLength(i
+ 1);
944 dst
->initDenseElement(i
, src
->getDenseElement(i
));
947 // If there are no properties to copy, we're done.
948 if (!src
->sharedShape()->propMap()) {
952 Rooted
<SharedShape
*> shape(cx
);
953 if (src
->staticPrototype() == dst
->staticPrototype()) {
954 shape
= src
->sharedShape();
956 // We need to generate a new shape for dst that has dst's proto but all
957 // the property information from src. Note that we asserted above that
958 // dst's object flags are empty.
959 SharedShape
* srcShape
= src
->sharedShape();
960 ObjectFlags objFlags
;
961 objFlags
= CopyPropMapObjectFlags(objFlags
, srcShape
->objectFlags());
962 Rooted
<SharedPropMap
*> map(cx
, srcShape
->propMap());
963 uint32_t mapLength
= srcShape
->propMapLength();
964 shape
= SharedShape::getPropMapShape(cx
, dst
->shape()->base(),
965 dst
->numFixedSlots(), map
, mapLength
,
972 uint32_t oldSpan
= dst
->sharedShape()->slotSpan();
973 uint32_t newSpan
= shape
->slotSpan();
974 if (!dst
->setShapeAndAddNewSlots(cx
, shape
, oldSpan
, newSpan
)) {
977 for (size_t i
= JSCLASS_RESERVED_SLOTS(src
->getClass()); i
< newSpan
; i
++) {
978 dst
->setSlot(i
, src
->getSlot(i
));
984 JS_PUBLIC_API
bool JS_InitializePropertiesFromCompatibleNativeObject(
985 JSContext
* cx
, HandleObject dst
, HandleObject src
) {
986 return InitializePropertiesFromCompatibleNativeObject(
987 cx
, dst
.as
<NativeObject
>(), src
.as
<NativeObject
>());
990 bool js::ObjectMayBeSwapped(const JSObject
* obj
) {
991 const JSClass
* clasp
= obj
->getClass();
993 // We want to optimize Window/globals and Gecko doesn't require transplanting
994 // them (only the WindowProxy around them). A Window may be a DOMClass, so we
995 // explicitly check if this is a global.
996 if (clasp
->isGlobal()) {
1000 // WindowProxy, Wrapper, DeadProxyObject, DOMProxy, and DOMClass (non-global)
1001 // types may be swapped. It is hard to detect DOMProxy from shell, so target
1002 // proxies in general.
1003 return clasp
->isProxyObject() || clasp
->isDOMClass();
1006 bool NativeObject::prepareForSwap(JSContext
* cx
,
1007 MutableHandleValueVector slotValuesOut
) {
1008 MOZ_ASSERT(slotValuesOut
.empty());
1010 for (size_t i
= 0; i
< slotSpan(); i
++) {
1011 if (!slotValuesOut
.append(getSlot(i
))) {
1016 if (hasDynamicSlots()) {
1017 ObjectSlots
* slotsHeader
= getSlotsHeader();
1018 size_t size
= ObjectSlots::allocSize(slotsHeader
->capacity());
1019 RemoveCellMemory(this, size
, MemoryUse::ObjectSlots
);
1020 if (!cx
->nursery().isInside(slotsHeader
)) {
1022 cx
->nursery().removeMallocedBuffer(slotsHeader
, size
);
1024 js_free(slotsHeader
);
1026 setEmptyDynamicSlots(0);
1029 if (hasDynamicElements()) {
1030 ObjectElements
* elements
= getElementsHeader();
1031 void* allocatedElements
= getUnshiftedElementsHeader();
1032 size_t count
= elements
->numAllocatedElements();
1033 size_t size
= count
* sizeof(HeapSlot
);
1036 RemoveCellMemory(this, size
, MemoryUse::ObjectElements
);
1037 } else if (cx
->nursery().isInside(allocatedElements
)) {
1038 // Move nursery allocated elements in case they end up in a tenured
1040 ObjectElements
* newElements
=
1041 reinterpret_cast<ObjectElements
*>(js_pod_malloc
<HeapSlot
>(count
));
1046 memmove(newElements
, elements
, size
);
1047 elements_
= newElements
->elements();
1049 cx
->nursery().removeMallocedBuffer(allocatedElements
, size
);
1051 MOZ_ASSERT(hasDynamicElements());
1058 bool NativeObject::fixupAfterSwap(JSContext
* cx
, Handle
<NativeObject
*> obj
,
1060 HandleValueVector slotValues
) {
1061 // This object has just been swapped with some other object, and its shape
1062 // no longer reflects its allocated size. Correct this information and
1063 // fill the slots in with the specified values.
1064 MOZ_ASSERT_IF(!obj
->inDictionaryMode(),
1065 obj
->slotSpan() == slotValues
.length());
1067 // Make sure the shape's numFixedSlots() is correct.
1068 size_t nfixed
= gc::GetGCKindSlots(kind
);
1069 if (nfixed
!= obj
->shape()->numFixedSlots()) {
1070 if (!NativeObject::changeNumFixedSlotsAfterSwap(cx
, obj
, nfixed
)) {
1073 MOZ_ASSERT(obj
->shape()->numFixedSlots() == nfixed
);
1076 uint32_t oldDictionarySlotSpan
=
1077 obj
->inDictionaryMode() ? slotValues
.length() : 0;
1079 MOZ_ASSERT(!obj
->hasUniqueId());
1081 calculateDynamicSlots(nfixed
, slotValues
.length(), obj
->getClass());
1082 size_t currentSlots
= obj
->getSlotsHeader()->capacity();
1083 MOZ_ASSERT(ndynamic
>= currentSlots
);
1084 if (ndynamic
> currentSlots
) {
1085 if (!obj
->growSlots(cx
, currentSlots
, ndynamic
)) {
1090 if (obj
->inDictionaryMode()) {
1091 obj
->setDictionaryModeSlotSpan(oldDictionarySlotSpan
);
1094 for (size_t i
= 0, len
= slotValues
.length(); i
< len
; i
++) {
1095 obj
->initSlotUnchecked(i
, slotValues
[i
]);
1098 if (obj
->hasDynamicElements()) {
1099 ObjectElements
* elements
= obj
->getElementsHeader();
1100 void* allocatedElements
= obj
->getUnshiftedElementsHeader();
1101 MOZ_ASSERT(!cx
->nursery().isInside(allocatedElements
));
1102 size_t size
= elements
->numAllocatedElements() * sizeof(HeapSlot
);
1103 if (obj
->isTenured()) {
1104 AddCellMemory(obj
, size
, MemoryUse::ObjectElements
);
1105 } else if (!cx
->nursery().registerMallocedBuffer(allocatedElements
, size
)) {
1113 [[nodiscard
]] bool ProxyObject::prepareForSwap(
1114 JSContext
* cx
, MutableHandleValueVector valuesOut
) {
1115 MOZ_ASSERT(valuesOut
.empty());
1117 // Remove the GCPtr<Value>s we're about to swap from the store buffer, to
1118 // ensure we don't trace bogus values.
1119 gc::StoreBuffer
& sb
= cx
->runtime()->gc
.storeBuffer();
1121 // Reserve space for the expando, private slot and the reserved slots.
1122 if (!valuesOut
.reserve(2 + numReservedSlots())) {
1126 js::detail::ProxyValueArray
* valArray
= data
.values();
1127 sb
.unputValue(&valArray
->expandoSlot
);
1128 sb
.unputValue(&valArray
->privateSlot
);
1129 valuesOut
.infallibleAppend(valArray
->expandoSlot
);
1130 valuesOut
.infallibleAppend(valArray
->privateSlot
);
1132 for (size_t i
= 0; i
< numReservedSlots(); i
++) {
1133 sb
.unputValue(&valArray
->reservedSlots
.slots
[i
]);
1134 valuesOut
.infallibleAppend(valArray
->reservedSlots
.slots
[i
]);
1137 if (isTenured() && !usingInlineValueArray()) {
1138 size_t count
= detail::ProxyValueArray::allocCount(numReservedSlots());
1139 RemoveCellMemory(this, count
* sizeof(Value
),
1140 MemoryUse::ProxyExternalValueArray
);
1142 data
.reservedSlots
= nullptr;
1148 bool ProxyObject::fixupAfterSwap(JSContext
* cx
,
1149 const HandleValueVector values
) {
1150 MOZ_ASSERT(getClass()->isProxyObject());
1152 size_t nreserved
= numReservedSlots();
1154 // |values| contains the expando slot, private slot and the reserved slots.
1155 MOZ_ASSERT(values
.length() == 2 + nreserved
);
1157 // Allocate the external value array in malloc memory, even for nursery
1159 size_t count
= detail::ProxyValueArray::allocCount(nreserved
);
1160 auto* allocation
= js_pod_malloc
<JS::Value
>(count
);
1165 size_t size
= count
* sizeof(Value
);
1167 AddCellMemory(&asTenured(), size
, MemoryUse::ProxyExternalValueArray
);
1168 } else if (!cx
->nursery().registerMallocedBuffer(allocation
, size
)) {
1169 js_free(allocation
);
1173 auto* valArray
= reinterpret_cast<js::detail::ProxyValueArray
*>(allocation
);
1175 valArray
->expandoSlot
= values
[0];
1176 valArray
->privateSlot
= values
[1];
1178 for (size_t i
= 0; i
< nreserved
; i
++) {
1179 valArray
->reservedSlots
.slots
[i
] = values
[i
+ 2];
1182 data
.reservedSlots
= &valArray
->reservedSlots
;
1183 MOZ_ASSERT(!usingInlineValueArray());
1187 static gc::AllocKind
SwappableObjectAllocKind(JSObject
* obj
) {
1188 MOZ_ASSERT(ObjectMayBeSwapped(obj
));
1190 if (obj
->isTenured()) {
1191 return obj
->asTenured().getAllocKind();
1194 if (obj
->is
<NativeObject
>()) {
1195 return obj
->as
<NativeObject
>().allocKindForTenure();
1198 return obj
->as
<ProxyObject
>().allocKindForTenure();
1201 /* Use this method with extreme caution. It trades the guts of two objects. */
1202 void JSObject::swap(JSContext
* cx
, HandleObject a
, HandleObject b
,
1203 AutoEnterOOMUnsafeRegion
& oomUnsafe
) {
1204 // Ensure swap doesn't cause a finalizer to be run at the wrong time.
1205 MOZ_ASSERT(a
->isBackgroundFinalized() == b
->isBackgroundFinalized());
1207 MOZ_ASSERT(a
->compartment() == b
->compartment());
1209 // You must have entered the objects' compartment before calling this.
1210 MOZ_ASSERT(cx
->compartment() == a
->compartment());
1212 // Only certain types of objects are allowed to be swapped. This allows the
1213 // JITs to better optimize objects that can never swap and rules out most
1214 // builtin objects that have special behaviour.
1215 MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(a
));
1216 MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(b
));
1218 if (!Watchtower::watchObjectSwap(cx
, a
, b
)) {
1219 oomUnsafe
.crash("watchObjectSwap");
1222 // Ensure we update any embedded nursery pointers in either object.
1223 gc::StoreBuffer
& storeBuffer
= cx
->runtime()->gc
.storeBuffer();
1224 if (a
->isTenured()) {
1225 storeBuffer
.putWholeCell(a
);
1227 if (b
->isTenured()) {
1228 storeBuffer
.putWholeCell(b
);
1230 if (a
->isTenured() || b
->isTenured()) {
1231 if (a
->zone()->wasGCStarted()) {
1232 storeBuffer
.setMayHavePointersToDeadCells();
1236 unsigned r
= NotifyGCPreSwap(a
, b
);
1238 ProxyObject
* pa
= a
->is
<ProxyObject
>() ? &a
->as
<ProxyObject
>() : nullptr;
1239 ProxyObject
* pb
= b
->is
<ProxyObject
>() ? &b
->as
<ProxyObject
>() : nullptr;
1240 bool aIsProxyWithInlineValues
= pa
&& pa
->usingInlineValueArray();
1241 bool bIsProxyWithInlineValues
= pb
&& pb
->usingInlineValueArray();
1243 bool aIsUsedAsPrototype
= a
->isUsedAsPrototype();
1244 bool bIsUsedAsPrototype
= b
->isUsedAsPrototype();
1246 // Swap element associations.
1247 Zone
* zone
= a
->zone();
1249 // Record any associated unique IDs and prepare for swap.
1251 // Note that unique IDs are NOT swapped but remain associated with the
1252 // original address.
1255 (void)gc::MaybeGetUniqueId(a
, &aid
);
1256 (void)gc::MaybeGetUniqueId(b
, &bid
);
1257 NativeObject
* na
= a
->is
<NativeObject
>() ? &a
->as
<NativeObject
>() : nullptr;
1258 NativeObject
* nb
= b
->is
<NativeObject
>() ? &b
->as
<NativeObject
>() : nullptr;
1259 if ((aid
|| bid
) && (na
|| nb
)) {
1260 // We can't remove unique IDs from native objects when they are swapped with
1261 // objects without an ID. Instead ensure they both have IDs so we always
1262 // have something to overwrite the old ID with.
1263 if (!gc::GetOrCreateUniqueId(a
, &aid
) ||
1264 !gc::GetOrCreateUniqueId(b
, &bid
)) {
1265 oomUnsafe
.crash("Failed to create unique ID during swap");
1268 // IDs stored in NativeObjects could shadow those stored in the zone
1269 // table. Remove any zone table IDs first.
1271 gc::RemoveUniqueId(a
);
1274 gc::RemoveUniqueId(b
);
1278 gc::AllocKind ka
= SwappableObjectAllocKind(a
);
1279 gc::AllocKind kb
= SwappableObjectAllocKind(b
);
1281 size_t sa
= gc::Arena::thingSize(ka
);
1282 size_t sb
= gc::Arena::thingSize(kb
);
1283 if (sa
== sb
&& a
->isTenured() == b
->isTenured()) {
1284 // When both objects are the same size and in the same heap, just do a plain
1285 // swap of their contents.
1287 // Swap slot associations.
1288 zone
->swapCellMemory(a
, b
, MemoryUse::ObjectSlots
);
1291 char tmp
[sizeof(JSObject_Slots16
)];
1292 MOZ_ASSERT(size
<= sizeof(tmp
));
1294 js_memcpy(tmp
, a
, size
);
1295 js_memcpy(a
, b
, size
);
1296 js_memcpy(b
, tmp
, size
);
1298 zone
->swapCellMemory(a
, b
, MemoryUse::ObjectElements
);
1299 zone
->swapCellMemory(a
, b
, MemoryUse::ProxyExternalValueArray
);
1301 if (aIsProxyWithInlineValues
) {
1302 b
->as
<ProxyObject
>().setInlineValueArray();
1304 if (bIsProxyWithInlineValues
) {
1305 a
->as
<ProxyObject
>().setInlineValueArray();
1308 // Avoid GC in here to avoid confusing the tracing code with our
1309 // intermediate state.
1310 gc::AutoSuppressGC
suppress(cx
);
1312 // When the objects have different sizes, they will have different numbers
1313 // of fixed slots before and after the swap, so the slots for native objects
1314 // will need to be rearranged. Remember the original values from the
1316 RootedValueVector
avals(cx
);
1317 RootedValueVector
bvals(cx
);
1318 if (na
&& !na
->prepareForSwap(cx
, &avals
)) {
1319 oomUnsafe
.crash("NativeObject::prepareForSwap");
1321 if (nb
&& !nb
->prepareForSwap(cx
, &bvals
)) {
1322 oomUnsafe
.crash("NativeObject::prepareForSwap");
1325 // Do the same for proxy value arrays.
1326 if (pa
&& !pa
->prepareForSwap(cx
, &avals
)) {
1327 oomUnsafe
.crash("ProxyObject::prepareForSwap");
1329 if (pb
&& !pb
->prepareForSwap(cx
, &bvals
)) {
1330 oomUnsafe
.crash("ProxyObject::prepareForSwap");
1333 // Swap the main fields of the objects, whether they are native objects or
1335 char tmp
[sizeof(JSObject_Slots0
)];
1336 js_memcpy(&tmp
, a
, sizeof tmp
);
1337 js_memcpy(a
, b
, sizeof tmp
);
1338 js_memcpy(b
, &tmp
, sizeof tmp
);
1341 !NativeObject::fixupAfterSwap(cx
, b
.as
<NativeObject
>(), kb
, avals
)) {
1342 oomUnsafe
.crash("NativeObject::fixupAfterSwap");
1345 !NativeObject::fixupAfterSwap(cx
, a
.as
<NativeObject
>(), ka
, bvals
)) {
1346 oomUnsafe
.crash("NativeObject::fixupAfterSwap");
1349 if (pa
&& !b
->as
<ProxyObject
>().fixupAfterSwap(cx
, avals
)) {
1350 oomUnsafe
.crash("ProxyObject::fixupAfterSwap");
1352 if (pb
&& !a
->as
<ProxyObject
>().fixupAfterSwap(cx
, bvals
)) {
1353 oomUnsafe
.crash("ProxyObject::fixupAfterSwap");
1357 // Restore original unique IDs.
1358 if ((aid
|| bid
) && (na
|| nb
)) {
1359 if ((aid
&& !gc::SetOrUpdateUniqueId(cx
, a
, aid
)) ||
1360 (bid
&& !gc::SetOrUpdateUniqueId(cx
, b
, bid
))) {
1361 oomUnsafe
.crash("Failed to set unique ID after swap");
1364 MOZ_ASSERT_IF(aid
, gc::GetUniqueIdInfallible(a
) == aid
);
1365 MOZ_ASSERT_IF(bid
, gc::GetUniqueIdInfallible(b
) == bid
);
1367 // Preserve the IsUsedAsPrototype flag on the objects.
1368 if (aIsUsedAsPrototype
) {
1369 if (!JSObject::setIsUsedAsPrototype(cx
, a
)) {
1370 oomUnsafe
.crash("setIsUsedAsPrototype");
1373 if (bIsUsedAsPrototype
) {
1374 if (!JSObject::setIsUsedAsPrototype(cx
, b
)) {
1375 oomUnsafe
.crash("setIsUsedAsPrototype");
1380 * We need a write barrier here. If |a| was marked and |b| was not, then
1381 * after the swap, |b|'s guts would never be marked. The write barrier
1384 * Normally write barriers happen before the write. However, that's not
1385 * necessary here because nothing is being destroyed. We're just swapping.
1387 PreWriteBarrier(zone
, a
.get(), [](JSTracer
* trc
, JSObject
* obj
) {
1388 obj
->traceChildren(trc
);
1390 PreWriteBarrier(zone
, b
.get(), [](JSTracer
* trc
, JSObject
* obj
) {
1391 obj
->traceChildren(trc
);
1394 NotifyGCPostSwap(a
, b
, r
);
1397 static NativeObject
* DefineConstructorAndPrototype(
1398 JSContext
* cx
, HandleObject obj
, Handle
<JSAtom
*> atom
,
1399 HandleObject protoProto
, const JSClass
* clasp
, Native constructor
,
1400 unsigned nargs
, const JSPropertySpec
* ps
, const JSFunctionSpec
* fs
,
1401 const JSPropertySpec
* static_ps
, const JSFunctionSpec
* static_fs
,
1402 NativeObject
** ctorp
) {
1403 // Create the prototype object.
1404 Rooted
<NativeObject
*> proto(
1405 cx
, GlobalObject::createBlankPrototypeInheriting(cx
, clasp
, protoProto
));
1410 Rooted
<NativeObject
*> ctor(cx
);
1414 ctor
= NewNativeConstructor(cx
, constructor
, nargs
, atom
);
1419 if (!LinkConstructorAndPrototype(cx
, ctor
, proto
)) {
1424 if (!DefinePropertiesAndFunctions(cx
, proto
, ps
, fs
) ||
1426 !DefinePropertiesAndFunctions(cx
, ctor
, static_ps
, static_fs
))) {
1430 RootedId
id(cx
, AtomToId(atom
));
1431 RootedValue
value(cx
, ObjectValue(*ctor
));
1432 if (!DefineDataProperty(cx
, obj
, id
, value
, 0)) {
1442 NativeObject
* js::InitClass(JSContext
* cx
, HandleObject obj
,
1443 const JSClass
* protoClass
, HandleObject protoProto_
,
1444 const char* name
, Native constructor
,
1445 unsigned nargs
, const JSPropertySpec
* ps
,
1446 const JSFunctionSpec
* fs
,
1447 const JSPropertySpec
* static_ps
,
1448 const JSFunctionSpec
* static_fs
,
1449 NativeObject
** ctorp
) {
1450 Rooted
<JSAtom
*> atom(cx
, Atomize(cx
, name
, strlen(name
)));
1456 * All instances of the class will inherit properties from the prototype
1457 * object we are about to create (in DefineConstructorAndPrototype), which
1458 * in turn will inherit from protoProto.
1460 * If protoProto is nullptr, default to Object.prototype.
1461 * If protoClass is nullptr, default to PlainObject.
1463 RootedObject
protoProto(cx
, protoProto_
);
1465 protoProto
= &cx
->global()->getObjectPrototype();
1468 protoClass
= &PlainObject::class_
;
1471 return DefineConstructorAndPrototype(cx
, obj
, atom
, protoProto
, protoClass
,
1472 constructor
, nargs
, ps
, fs
, static_ps
,
1477 * Returns the original Object.prototype from the embedding-provided incumbent
1480 * Really, we want the incumbent global itself so we can pass it to other
1481 * embedding hooks which need it. Specifically, the enqueue promise hook
1482 * takes an incumbent global so it can set that on the PromiseCallbackJob
1485 * The reason for not just returning the global itself is that we'd need to
1486 * wrap it into the current compartment, and later unwrap it. Unwrapping
1487 * globals is tricky, though: we might accidentally unwrap through an inner
1488 * to its outer window and end up with the wrong global. Plain objects don't
1489 * have this problem, so we use the global's Object.prototype. The code using
1490 * it - e.g. EnqueuePromiseReactionJob - can then unwrap the object and get
1491 * its global without fear of unwrapping too far.
1493 bool js::GetObjectFromIncumbentGlobal(JSContext
* cx
, MutableHandleObject obj
) {
1494 Rooted
<GlobalObject
*> globalObj(cx
, cx
->runtime()->getIncumbentGlobal(cx
));
1500 obj
.set(&globalObj
->getObjectPrototype());
1502 // The object might be from a different compartment, so wrap it.
1503 if (obj
&& !cx
->compartment()->wrap(cx
, obj
)) {
1510 static bool IsStandardPrototype(JSObject
* obj
, JSProtoKey key
) {
1511 return obj
->nonCCWGlobal().maybeGetPrototype(key
) == obj
;
1514 JSProtoKey
JS::IdentifyStandardInstance(JSObject
* obj
) {
1515 // Note: The prototype shares its JSClass with instances.
1516 MOZ_ASSERT(!obj
->is
<CrossCompartmentWrapperObject
>());
1517 JSProtoKey key
= StandardProtoKeyOrNull(obj
);
1518 if (key
!= JSProto_Null
&& !IsStandardPrototype(obj
, key
)) {
1521 return JSProto_Null
;
1524 JSProtoKey
JS::IdentifyStandardPrototype(JSObject
* obj
) {
1525 // Note: The prototype shares its JSClass with instances.
1526 MOZ_ASSERT(!obj
->is
<CrossCompartmentWrapperObject
>());
1527 JSProtoKey key
= StandardProtoKeyOrNull(obj
);
1528 if (key
!= JSProto_Null
&& IsStandardPrototype(obj
, key
)) {
1531 return JSProto_Null
;
1534 JSProtoKey
JS::IdentifyStandardInstanceOrPrototype(JSObject
* obj
) {
1535 return StandardProtoKeyOrNull(obj
);
1538 JSProtoKey
JS::IdentifyStandardConstructor(JSObject
* obj
) {
1539 // Note that isNativeConstructor does not imply that we are a standard
1540 // constructor, but the converse is true (at least until we start having
1541 // self-hosted constructors for standard classes). This lets us avoid a costly
1542 // loop for many functions (which, depending on the call site, may be the
1544 if (!obj
->is
<JSFunction
>() ||
1545 !(obj
->as
<JSFunction
>().flags().isNativeConstructor())) {
1546 return JSProto_Null
;
1549 static_assert(JSProto_Null
== 0,
1550 "Loop below can start at 1 to skip JSProto_Null");
1552 GlobalObject
& global
= obj
->as
<JSFunction
>().global();
1553 for (size_t k
= 1; k
< JSProto_LIMIT
; ++k
) {
1554 JSProtoKey key
= static_cast<JSProtoKey
>(k
);
1555 if (global
.maybeGetConstructor(key
) == obj
) {
1560 return JSProto_Null
;
1563 bool js::LookupProperty(JSContext
* cx
, HandleObject obj
, js::HandleId id
,
1564 MutableHandleObject objp
, PropertyResult
* propp
) {
1565 if (LookupPropertyOp op
= obj
->getOpsLookupProperty()) {
1566 return op(cx
, obj
, id
, objp
, propp
);
1568 return NativeLookupPropertyInline
<CanGC
>(cx
, obj
.as
<NativeObject
>(), id
, objp
,
1572 bool js::LookupName(JSContext
* cx
, Handle
<PropertyName
*> name
,
1573 HandleObject envChain
, MutableHandleObject objp
,
1574 MutableHandleObject pobjp
, PropertyResult
* propp
) {
1575 RootedId
id(cx
, NameToId(name
));
1577 for (RootedObject
env(cx
, envChain
); env
; env
= env
->enclosingEnvironment()) {
1578 if (!LookupProperty(cx
, env
, id
, pobjp
, propp
)) {
1581 if (propp
->isFound()) {
1589 propp
->setNotFound();
1593 bool js::LookupNameNoGC(JSContext
* cx
, PropertyName
* name
, JSObject
* envChain
,
1594 JSObject
** objp
, NativeObject
** pobjp
,
1595 PropertyResult
* propp
) {
1596 AutoAssertNoPendingException
nogc(cx
);
1598 MOZ_ASSERT(!*objp
&& !*pobjp
&& propp
->isNotFound());
1600 for (JSObject
* env
= envChain
; env
; env
= env
->enclosingEnvironment()) {
1601 if (env
->getOpsLookupProperty()) {
1604 if (!NativeLookupPropertyInline
<NoGC
>(cx
, &env
->as
<NativeObject
>(),
1605 NameToId(name
), pobjp
, propp
)) {
1608 if (propp
->isFound()) {
1617 bool js::LookupNameWithGlobalDefault(JSContext
* cx
, Handle
<PropertyName
*> name
,
1618 HandleObject envChain
,
1619 MutableHandleObject objp
) {
1620 RootedId
id(cx
, NameToId(name
));
1622 RootedObject
pobj(cx
);
1623 PropertyResult prop
;
1625 RootedObject
env(cx
, envChain
);
1626 for (; !env
->is
<GlobalObject
>(); env
= env
->enclosingEnvironment()) {
1627 if (!LookupProperty(cx
, env
, id
, &pobj
, &prop
)) {
1630 if (prop
.isFound()) {
1639 bool js::LookupNameUnqualified(JSContext
* cx
, Handle
<PropertyName
*> name
,
1640 HandleObject envChain
,
1641 MutableHandleObject objp
) {
1642 RootedId
id(cx
, NameToId(name
));
1644 RootedObject
pobj(cx
);
1645 PropertyResult prop
;
1647 RootedObject
env(cx
, envChain
);
1648 for (; !env
->isUnqualifiedVarObj(); env
= env
->enclosingEnvironment()) {
1649 if (!LookupProperty(cx
, env
, id
, &pobj
, &prop
)) {
1652 if (prop
.isFound()) {
1657 // See note above RuntimeLexicalErrorObject.
1660 if (prop
.isFound() && name
!= cx
->names().dot_this_
) {
1661 // Treat Debugger environments specially for TDZ checks, as they
1662 // look like non-native environments but in fact wrap native
1664 if (env
->is
<DebugEnvironmentProxy
>()) {
1666 Rooted
<DebugEnvironmentProxy
*> envProxy(
1667 cx
, &env
->as
<DebugEnvironmentProxy
>());
1668 if (!DebugEnvironmentProxy::getMaybeSentinelValue(cx
, envProxy
, id
,
1672 isTDZ
= IsUninitializedLexical(v
);
1674 isTDZ
= IsUninitializedLexicalSlot(env
, prop
);
1679 env
= RuntimeLexicalErrorObject::create(cx
, env
,
1680 JSMSG_UNINITIALIZED_LEXICAL
);
1684 } else if (env
->is
<LexicalEnvironmentObject
>() &&
1685 !prop
.propertyInfo().writable()) {
1686 // Assigning to a named lambda callee name is a no-op in sloppy mode.
1687 if (!(env
->is
<BlockLexicalEnvironmentObject
>() &&
1688 env
->as
<BlockLexicalEnvironmentObject
>().scope().kind() ==
1689 ScopeKind::NamedLambda
)) {
1690 MOZ_ASSERT(name
!= cx
->names().dot_this_
);
1692 RuntimeLexicalErrorObject::create(cx
, env
, JSMSG_BAD_CONST_ASSIGN
);
1704 bool js::HasOwnProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
1706 if (obj
->is
<ProxyObject
>()) {
1707 return Proxy::hasOwn(cx
, obj
, id
, result
);
1710 if (GetOwnPropertyOp op
= obj
->getOpsGetOwnPropertyDescriptor()) {
1711 Rooted
<mozilla::Maybe
<PropertyDescriptor
>> desc(cx
);
1712 if (!op(cx
, obj
, id
, &desc
)) {
1715 *result
= desc
.isSome();
1719 PropertyResult prop
;
1720 if (!NativeLookupOwnProperty
<CanGC
>(cx
, obj
.as
<NativeObject
>(), id
, &prop
)) {
1723 *result
= prop
.isFound();
1727 bool js::LookupPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1728 NativeObject
** objp
, PropertyResult
* propp
) {
1729 if (obj
->getOpsLookupProperty()) {
1732 return NativeLookupPropertyInline
<NoGC
, LookupResolveMode::CheckMayResolve
>(
1733 cx
, &obj
->as
<NativeObject
>(), id
, objp
, propp
);
1736 bool js::LookupOwnPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1737 PropertyResult
* propp
) {
1738 if (obj
->getOpsLookupProperty()) {
1741 return NativeLookupOwnPropertyInline
<NoGC
,
1742 LookupResolveMode::CheckMayResolve
>(
1743 cx
, &obj
->as
<NativeObject
>(), id
, propp
);
1746 static inline bool NativeGetPureInline(NativeObject
* pobj
, jsid id
,
1747 PropertyResult prop
, Value
* vp
,
1749 if (prop
.isDenseElement()) {
1750 *vp
= pobj
->getDenseElement(prop
.denseElementIndex());
1753 if (prop
.isTypedArrayElement()) {
1754 size_t idx
= prop
.typedArrayElementIndex();
1755 return pobj
->as
<TypedArrayObject
>().getElement
<NoGC
>(cx
, idx
, vp
);
1758 // Fail if we have a custom getter.
1759 PropertyInfo propInfo
= prop
.propertyInfo();
1760 if (!propInfo
.isDataProperty()) {
1764 *vp
= pobj
->getSlot(propInfo
.slot());
1765 MOZ_ASSERT(!vp
->isMagic());
1769 bool js::GetPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
, Value
* vp
) {
1771 PropertyResult prop
;
1772 if (!LookupPropertyPure(cx
, obj
, id
, &pobj
, &prop
)) {
1776 if (prop
.isNotFound()) {
1781 return NativeGetPureInline(pobj
, id
, prop
, vp
, cx
);
1784 bool js::GetOwnPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
, Value
* vp
,
1786 PropertyResult prop
;
1787 if (!LookupOwnPropertyPure(cx
, obj
, id
, &prop
)) {
1791 if (prop
.isNotFound()) {
1798 return obj
->is
<NativeObject
>() &&
1799 NativeGetPureInline(&obj
->as
<NativeObject
>(), id
, prop
, vp
, cx
);
1802 static inline bool NativeGetGetterPureInline(NativeObject
* holder
,
1803 PropertyResult prop
,
1805 MOZ_ASSERT(prop
.isNativeProperty());
1807 PropertyInfo propInfo
= prop
.propertyInfo();
1808 if (holder
->hasGetter(propInfo
)) {
1809 JSObject
* getter
= holder
->getGetter(propInfo
);
1810 if (getter
->is
<JSFunction
>()) {
1811 *fp
= &getter
->as
<JSFunction
>();
1820 bool js::GetGetterPure(JSContext
* cx
, JSObject
* obj
, jsid id
, JSFunction
** fp
) {
1821 /* Just like GetPropertyPure, but get getter function, without invoking
1824 PropertyResult prop
;
1825 if (!LookupPropertyPure(cx
, obj
, id
, &pobj
, &prop
)) {
1829 if (prop
.isNotFound()) {
1834 return prop
.isNativeProperty() && NativeGetGetterPureInline(pobj
, prop
, fp
);
1837 bool js::GetOwnGetterPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1839 JS::AutoCheckCannotGC nogc
;
1840 PropertyResult prop
;
1841 if (!LookupOwnPropertyPure(cx
, obj
, id
, &prop
)) {
1845 if (prop
.isNotFound()) {
1850 return prop
.isNativeProperty() &&
1851 NativeGetGetterPureInline(&obj
->as
<NativeObject
>(), prop
, fp
);
1854 bool js::GetOwnNativeGetterPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1856 JS::AutoCheckCannotGC nogc
;
1858 PropertyResult prop
;
1859 if (!LookupOwnPropertyPure(cx
, obj
, id
, &prop
)) {
1863 if (!prop
.isNativeProperty()) {
1867 PropertyInfo propInfo
= prop
.propertyInfo();
1869 NativeObject
* nobj
= &obj
->as
<NativeObject
>();
1870 if (!nobj
->hasGetter(propInfo
)) {
1874 JSObject
* getterObj
= nobj
->getGetter(propInfo
);
1875 if (!getterObj
->is
<JSFunction
>()) {
1879 JSFunction
* getter
= &getterObj
->as
<JSFunction
>();
1880 if (!getter
->isNativeFun()) {
1884 *native
= getter
->native();
1888 bool js::HasOwnDataPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1890 PropertyResult prop
;
1891 if (!LookupOwnPropertyPure(cx
, obj
, id
, &prop
)) {
1895 *result
= prop
.isNativeProperty() && prop
.propertyInfo().isDataProperty();
1899 bool js::GetPrototypeIfOrdinary(JSContext
* cx
, HandleObject obj
,
1900 bool* isOrdinary
, MutableHandleObject protop
) {
1901 if (obj
->is
<js::ProxyObject
>()) {
1902 return js::Proxy::getPrototypeIfOrdinary(cx
, obj
, isOrdinary
, protop
);
1906 protop
.set(obj
->staticPrototype());
1910 /*** ES6 standard internal methods ******************************************/
1912 bool js::SetPrototype(JSContext
* cx
, HandleObject obj
, HandleObject proto
,
1913 JS::ObjectOpResult
& result
) {
1914 // The proxy trap subsystem fully handles prototype-setting for proxies
1915 // with dynamic [[Prototype]]s.
1916 if (obj
->hasDynamicPrototype()) {
1917 MOZ_ASSERT(obj
->is
<ProxyObject
>());
1918 return Proxy::setPrototype(cx
, obj
, proto
, result
);
1922 * ES6 9.1.2 step 3-4 if |obj.[[Prototype]]| has SameValue as |proto| return
1923 * true. Since the values in question are objects, we can just compare
1926 if (proto
== obj
->staticPrototype()) {
1927 return result
.succeed();
1930 /* Disallow mutation of immutable [[Prototype]]s. */
1931 if (obj
->staticPrototypeIsImmutable()) {
1932 return result
.fail(JSMSG_CANT_SET_PROTO
);
1936 * Disallow mutating the [[Prototype]] on WebAssembly GC objects.
1938 if (obj
->is
<WasmGcObject
>()) {
1939 return result
.fail(JSMSG_CANT_SET_PROTO
);
1942 /* ES6 9.1.2 step 5 forbids changing [[Prototype]] if not [[Extensible]]. */
1944 if (!IsExtensible(cx
, obj
, &extensible
)) {
1948 return result
.fail(JSMSG_CANT_SET_PROTO
);
1952 * ES6 9.1.2 step 6 forbids generating cyclical prototype chains. But we
1953 * have to do this comparison on the observable WindowProxy, not on the
1954 * possibly-Window object we're setting the proto on.
1956 RootedObject
objMaybeWindowProxy(cx
, ToWindowProxyIfWindow(obj
));
1957 RootedObject
obj2(cx
, proto
);
1959 MOZ_ASSERT(!IsWindow(obj2
));
1960 if (obj2
== objMaybeWindowProxy
) {
1961 return result
.fail(JSMSG_CANT_SET_PROTO_CYCLE
);
1965 if (!GetPrototypeIfOrdinary(cx
, obj2
, &isOrdinary
, &obj2
)) {
1973 Rooted
<TaggedProto
> taggedProto(cx
, TaggedProto(proto
));
1974 if (!JSObject::setProtoUnchecked(cx
, obj
, taggedProto
)) {
1978 return result
.succeed();
1981 bool js::SetPrototype(JSContext
* cx
, HandleObject obj
, HandleObject proto
) {
1982 ObjectOpResult result
;
1983 return SetPrototype(cx
, obj
, proto
, result
) && result
.checkStrict(cx
, obj
);
1986 bool js::PreventExtensions(JSContext
* cx
, HandleObject obj
,
1987 ObjectOpResult
& result
) {
1988 if (obj
->is
<ProxyObject
>()) {
1989 return js::Proxy::preventExtensions(cx
, obj
, result
);
1992 if (obj
->is
<WasmGcObject
>()) {
1993 return result
.failCantPreventExtensions();
1996 if (!obj
->nonProxyIsExtensible()) {
1997 // If the following assertion fails, there's somewhere else a missing
1998 // call to shrinkCapacityToInitializedLength() which needs to be found
2000 MOZ_ASSERT_IF(obj
->is
<NativeObject
>(),
2001 obj
->as
<NativeObject
>().getDenseInitializedLength() ==
2002 obj
->as
<NativeObject
>().getDenseCapacity());
2004 return result
.succeed();
2007 if (obj
->is
<NativeObject
>()) {
2008 // Force lazy properties to be resolved.
2009 Handle
<NativeObject
*> nobj
= obj
.as
<NativeObject
>();
2010 if (!ResolveLazyProperties(cx
, nobj
)) {
2014 // Prepare the elements. We have to do this before we mark the object
2015 // non-extensible; that's fine because these changes are not observable.
2016 ObjectElements::PrepareForPreventExtensions(cx
, nobj
);
2019 // Finally, set the NotExtensible flag on the Shape and ObjectElements.
2020 if (!JSObject::setFlag(cx
, obj
, ObjectFlag::NotExtensible
)) {
2023 if (obj
->is
<NativeObject
>()) {
2024 ObjectElements::PreventExtensions(&obj
->as
<NativeObject
>());
2027 return result
.succeed();
2030 bool js::PreventExtensions(JSContext
* cx
, HandleObject obj
) {
2031 ObjectOpResult result
;
2032 return PreventExtensions(cx
, obj
, result
) && result
.checkStrict(cx
, obj
);
2035 bool js::GetOwnPropertyDescriptor(
2036 JSContext
* cx
, HandleObject obj
, HandleId id
,
2037 MutableHandle
<Maybe
<PropertyDescriptor
>> desc
) {
2038 if (GetOwnPropertyOp op
= obj
->getOpsGetOwnPropertyDescriptor()) {
2039 bool ok
= op(cx
, obj
, id
, desc
);
2040 if (ok
&& desc
.isSome()) {
2041 desc
->assertComplete();
2046 return NativeGetOwnPropertyDescriptor(cx
, obj
.as
<NativeObject
>(), id
, desc
);
2049 bool js::DefineProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2050 Handle
<PropertyDescriptor
> desc
) {
2051 ObjectOpResult result
;
2052 return DefineProperty(cx
, obj
, id
, desc
, result
) &&
2053 result
.checkStrict(cx
, obj
, id
);
2056 bool js::DefineProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2057 Handle
<PropertyDescriptor
> desc
,
2058 ObjectOpResult
& result
) {
2060 if (DefinePropertyOp op
= obj
->getOpsDefineProperty()) {
2061 return op(cx
, obj
, id
, desc
, result
);
2063 return NativeDefineProperty(cx
, obj
.as
<NativeObject
>(), id
, desc
, result
);
2066 bool js::DefineAccessorProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2067 HandleObject getter
, HandleObject setter
,
2068 unsigned attrs
, ObjectOpResult
& result
) {
2069 Rooted
<PropertyDescriptor
> desc(
2070 cx
, PropertyDescriptor::Accessor(
2071 getter
? mozilla::Some(getter
) : mozilla::Nothing(),
2072 setter
? mozilla::Some(setter
) : mozilla::Nothing(), attrs
));
2074 if (DefinePropertyOp op
= obj
->getOpsDefineProperty()) {
2075 return op(cx
, obj
, id
, desc
, result
);
2077 return NativeDefineProperty(cx
, obj
.as
<NativeObject
>(), id
, desc
, result
);
2080 bool js::DefineDataProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2081 HandleValue value
, unsigned attrs
,
2082 ObjectOpResult
& result
) {
2083 Rooted
<PropertyDescriptor
> desc(cx
, PropertyDescriptor::Data(value
, attrs
));
2084 if (DefinePropertyOp op
= obj
->getOpsDefineProperty()) {
2085 return op(cx
, obj
, id
, desc
, result
);
2087 return NativeDefineProperty(cx
, obj
.as
<NativeObject
>(), id
, desc
, result
);
2090 bool js::DefineAccessorProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2091 HandleObject getter
, HandleObject setter
,
2093 ObjectOpResult result
;
2094 if (!DefineAccessorProperty(cx
, obj
, id
, getter
, setter
, attrs
, result
)) {
2098 result
.reportError(cx
, obj
, id
);
2104 bool js::DefineDataProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2105 HandleValue value
, unsigned attrs
) {
2106 ObjectOpResult result
;
2107 if (!DefineDataProperty(cx
, obj
, id
, value
, attrs
, result
)) {
2111 result
.reportError(cx
, obj
, id
);
2117 bool js::DefineDataProperty(JSContext
* cx
, HandleObject obj
, PropertyName
* name
,
2118 HandleValue value
, unsigned attrs
) {
2119 RootedId
id(cx
, NameToId(name
));
2120 return DefineDataProperty(cx
, obj
, id
, value
, attrs
);
2123 bool js::DefineDataElement(JSContext
* cx
, HandleObject obj
, uint32_t index
,
2124 HandleValue value
, unsigned attrs
) {
2126 if (!IndexToId(cx
, index
, &id
)) {
2129 return DefineDataProperty(cx
, obj
, id
, value
, attrs
);
2132 /*** SpiderMonkey nonstandard internal methods ******************************/
2134 // Mark an object as having an immutable prototype
2136 // NOTE: This does not correspond to the SetImmutablePrototype ECMAScript
2138 bool js::SetImmutablePrototype(JSContext
* cx
, HandleObject obj
,
2140 if (obj
->hasDynamicPrototype()) {
2141 return Proxy::setImmutablePrototype(cx
, obj
, succeeded
);
2144 if (!JSObject::setFlag(cx
, obj
, ObjectFlag::ImmutablePrototype
)) {
2151 bool js::GetPropertyDescriptor(
2152 JSContext
* cx
, HandleObject obj
, HandleId id
,
2153 MutableHandle
<mozilla::Maybe
<PropertyDescriptor
>> desc
,
2154 MutableHandleObject holder
) {
2155 RootedObject
pobj(cx
);
2156 for (pobj
= obj
; pobj
;) {
2157 if (!GetOwnPropertyDescriptor(cx
, pobj
, id
, desc
)) {
2161 if (desc
.isSome()) {
2166 if (!GetPrototype(cx
, pobj
, &pobj
)) {
2171 MOZ_ASSERT(desc
.isNothing());
2172 holder
.set(nullptr);
2178 extern bool PropertySpecNameToId(JSContext
* cx
, JSPropertySpec::Name name
,
2179 MutableHandleId id
);
2181 // If a property or method is part of an experimental feature that can be
2182 // disabled at run-time by a preference, we keep it in the JSFunctionSpec /
2183 // JSPropertySpec list, but omit the definition if the preference is off.
2184 JS_PUBLIC_API
bool js::ShouldIgnorePropertyDefinition(JSContext
* cx
,
2185 JSProtoKey key
, jsid id
) {
2186 if (!cx
->realm()->creationOptions().getToSourceEnabled() &&
2187 (id
== NameToId(cx
->names().toSource
) ||
2188 id
== NameToId(cx
->names().uneval
))) {
2192 if (key
== JSProto_FinalizationRegistry
&&
2193 JS::GetWeakRefsEnabled() ==
2194 JS::WeakRefSpecifier::EnabledWithoutCleanupSome
&&
2195 id
== NameToId(cx
->names().cleanupSome
)) {
2199 // It's gently surprising that this is JSProto_Function, but the trick
2200 // to realize is that this is a -constructor function-, not a function
2201 // on the prototype; and the proto of the constructor is JSProto_Function.
2202 if (key
== JSProto_Function
&& !JS::Prefs::array_grouping() &&
2203 (id
== NameToId(cx
->names().groupBy
))) {
2207 #ifdef NIGHTLY_BUILD
2208 if (key
== JSProto_Set
&& !JS::Prefs::experimental_new_set_methods() &&
2209 (id
== NameToId(cx
->names().union_
) ||
2210 id
== NameToId(cx
->names().difference
) ||
2211 id
== NameToId(cx
->names().intersection
) ||
2212 id
== NameToId(cx
->names().isSubsetOf
) ||
2213 id
== NameToId(cx
->names().isSupersetOf
) ||
2214 id
== NameToId(cx
->names().isDisjointFrom
) ||
2215 id
== NameToId(cx
->names().symmetricDifference
))) {
2219 if (key
== JSProto_ArrayBuffer
&& !JS::Prefs::arraybuffer_transfer() &&
2220 (id
== NameToId(cx
->names().transfer
) ||
2221 id
== NameToId(cx
->names().transferToFixedLength
) ||
2222 id
== NameToId(cx
->names().detached
))) {
2226 if (key
== JSProto_ArrayBuffer
&&
2227 !JS::Prefs::experimental_arraybuffer_resizable() &&
2228 (id
== NameToId(cx
->names().maxByteLength
) ||
2229 id
== NameToId(cx
->names().resizable
) ||
2230 id
== NameToId(cx
->names().resize
))) {
2234 if (key
== JSProto_SharedArrayBuffer
&&
2235 !JS::Prefs::experimental_sharedarraybuffer_growable() &&
2236 (id
== NameToId(cx
->names().maxByteLength
) ||
2237 id
== NameToId(cx
->names().growable
) ||
2238 id
== NameToId(cx
->names().grow
))) {
2242 if (key
== JSProto_Uint8Array
&&
2243 !JS::Prefs::experimental_uint8array_base64() &&
2244 (id
== NameToId(cx
->names().setFromBase64
) ||
2245 id
== NameToId(cx
->names().setFromHex
) ||
2246 id
== NameToId(cx
->names().toBase64
) ||
2247 id
== NameToId(cx
->names().toHex
))) {
2251 // It's gently surprising that this is JSProto_Function, but the trick
2252 // to realize is that this is a -constructor function-, not a function
2253 // on the prototype; and the proto of the constructor is JSProto_Function.
2254 if (key
== JSProto_Function
&& !JS::Prefs::experimental_uint8array_base64() &&
2255 (id
== NameToId(cx
->names().fromBase64
) ||
2256 id
== NameToId(cx
->names().fromHex
))) {
2261 #ifdef ENABLE_JSON_PARSE_WITH_SOURCE
2262 if (key
== JSProto_JSON
&&
2263 !JS::Prefs::experimental_json_parse_with_source() &&
2264 (id
== NameToId(cx
->names().isRawJSON
) ||
2265 id
== NameToId(cx
->names().rawJSON
))) {
2273 static bool DefineFunctionFromSpec(JSContext
* cx
, HandleObject obj
,
2274 const JSFunctionSpec
* fs
) {
2276 if (!PropertySpecNameToId(cx
, fs
->name
, &id
)) {
2280 if (ShouldIgnorePropertyDefinition(cx
, StandardProtoKeyOrNull(obj
), id
)) {
2284 JSFunction
* fun
= NewFunctionFromSpec(cx
, fs
, id
);
2289 RootedValue
funVal(cx
, ObjectValue(*fun
));
2290 return DefineDataProperty(cx
, obj
, id
, funVal
, fs
->flags
& ~JSFUN_FLAGS_MASK
);
2293 bool js::DefineFunctions(JSContext
* cx
, HandleObject obj
,
2294 const JSFunctionSpec
* fs
) {
2295 for (; fs
->name
; fs
++) {
2296 if (!DefineFunctionFromSpec(cx
, obj
, fs
)) {
2303 /*** ToPrimitive ************************************************************/
2306 * Gets |obj[id]|. If that value's not callable, returns true and stores an
2307 * object value in *vp. If it's callable, calls it with no arguments and |obj|
2308 * as |this|, returning the result in *vp.
2310 * This is a mini-abstraction for ES6 draft rev 36 (2015 Mar 17),
2311 * 7.1.1, second algorithm (OrdinaryToPrimitive), steps 5.a-c.
2313 static bool MaybeCallMethod(JSContext
* cx
, HandleObject obj
, HandleId id
,
2314 MutableHandleValue vp
) {
2315 if (!GetProperty(cx
, obj
, obj
, id
, vp
)) {
2318 if (!IsCallable(vp
)) {
2323 return js::Call(cx
, vp
, obj
, vp
);
2326 static bool ReportCantConvert(JSContext
* cx
, unsigned errorNumber
,
2327 HandleObject obj
, JSType hint
) {
2328 const JSClass
* clasp
= obj
->getClass();
2330 // Avoid recursive death when decompiling in ReportValueError.
2331 RootedString
str(cx
);
2332 if (hint
== JSTYPE_STRING
) {
2333 str
= JS_AtomizeString(cx
, clasp
->name
);
2341 RootedValue
val(cx
, ObjectValue(*obj
));
2342 ReportValueError(cx
, errorNumber
, JSDVG_SEARCH_STACK
, val
, str
,
2343 hint
== JSTYPE_UNDEFINED
? "primitive type"
2344 : hint
== JSTYPE_STRING
? "string"
2349 bool JS::OrdinaryToPrimitive(JSContext
* cx
, HandleObject obj
, JSType hint
,
2350 MutableHandleValue vp
) {
2351 MOZ_ASSERT(hint
== JSTYPE_NUMBER
|| hint
== JSTYPE_STRING
||
2352 hint
== JSTYPE_UNDEFINED
);
2354 Rooted
<jsid
> id(cx
);
2356 const JSClass
* clasp
= obj
->getClass();
2357 if (hint
== JSTYPE_STRING
) {
2358 id
= NameToId(cx
->names().toString
);
2360 bool calledToString
= false;
2361 if (clasp
== &StringObject::class_
) {
2362 // Optimize (new String(...)).toString().
2363 StringObject
* nobj
= &obj
->as
<StringObject
>();
2364 if (HasNativeMethodPure(nobj
, cx
->names().toString
, str_toString
, cx
)) {
2365 vp
.setString(nobj
->unbox());
2368 } else if (clasp
== &PlainObject::class_
) {
2370 if (GetPropertyPure(cx
, obj
, id
, vp
.address()) &&
2371 IsFunctionObject(vp
, &fun
)) {
2372 // Common case: we have a toString function. Try to short-circuit if
2373 // it's Object.prototype.toString and there's no @@toStringTag.
2374 if (fun
->maybeNative() == obj_toString
&&
2375 !MaybeHasInterestingSymbolProperty(
2376 cx
, obj
, cx
->wellKnownSymbols().toStringTag
)) {
2377 vp
.setString(cx
->names().object_Object_
);
2380 if (!js::Call(cx
, vp
, obj
, vp
)) {
2383 calledToString
= true;
2387 if (!calledToString
) {
2388 if (!MaybeCallMethod(cx
, obj
, id
, vp
)) {
2392 if (vp
.isPrimitive()) {
2396 id
= NameToId(cx
->names().valueOf
);
2397 if (!MaybeCallMethod(cx
, obj
, id
, vp
)) {
2400 if (vp
.isPrimitive()) {
2404 id
= NameToId(cx
->names().valueOf
);
2406 if (clasp
== &StringObject::class_
) {
2407 // Optimize new String(...).valueOf().
2408 StringObject
* nobj
= &obj
->as
<StringObject
>();
2409 if (HasNativeMethodPure(nobj
, cx
->names().valueOf
, str_toString
, cx
)) {
2410 vp
.setString(nobj
->unbox());
2413 } else if (clasp
== &NumberObject::class_
) {
2414 // Optimize new Number(...).valueOf().
2415 NumberObject
* nobj
= &obj
->as
<NumberObject
>();
2416 if (HasNativeMethodPure(nobj
, cx
->names().valueOf
, num_valueOf
, cx
)) {
2417 vp
.setNumber(nobj
->unbox());
2422 if (!MaybeCallMethod(cx
, obj
, id
, vp
)) {
2425 if (vp
.isPrimitive()) {
2429 id
= NameToId(cx
->names().toString
);
2430 if (!MaybeCallMethod(cx
, obj
, id
, vp
)) {
2433 if (vp
.isPrimitive()) {
2438 return ReportCantConvert(cx
, JSMSG_CANT_CONVERT_TO
, obj
, hint
);
2441 bool js::ToPrimitiveSlow(JSContext
* cx
, JSType preferredType
,
2442 MutableHandleValue vp
) {
2443 // Step numbers refer to the first algorithm listed in ES6 draft rev 36
2444 // (2015 Mar 17) 7.1.1 ToPrimitive.
2445 MOZ_ASSERT(preferredType
== JSTYPE_UNDEFINED
||
2446 preferredType
== JSTYPE_STRING
|| preferredType
== JSTYPE_NUMBER
);
2447 RootedObject
obj(cx
, &vp
.toObject());
2450 RootedValue
method(cx
);
2451 if (!GetInterestingSymbolProperty(cx
, obj
, cx
->wellKnownSymbols().toPrimitive
,
2457 if (!method
.isNullOrUndefined()) {
2458 // Step 6 of GetMethod. js::Call() below would do this check and throw a
2459 // TypeError anyway, but this produces a better error message.
2460 if (!IsCallable(method
)) {
2461 return ReportCantConvert(cx
, JSMSG_TOPRIMITIVE_NOT_CALLABLE
, obj
,
2465 // Steps 1-3, 6.a-b.
2468 StringValue(preferredType
== JSTYPE_STRING
? cx
->names().string
2469 : preferredType
== JSTYPE_NUMBER
? cx
->names().number
2470 : cx
->names().default_
));
2472 if (!js::Call(cx
, method
, vp
, arg0
, vp
)) {
2477 if (vp
.isObject()) {
2478 return ReportCantConvert(cx
, JSMSG_TOPRIMITIVE_RETURNED_OBJECT
, obj
,
2484 return OrdinaryToPrimitive(cx
, obj
, preferredType
, vp
);
2487 /* ES6 draft rev 28 (2014 Oct 14) 7.1.14 */
2488 bool js::ToPropertyKeySlow(JSContext
* cx
, HandleValue argument
,
2489 MutableHandleId result
) {
2490 MOZ_ASSERT(argument
.isObject());
2493 RootedValue
key(cx
, argument
);
2494 if (!ToPrimitiveSlow(cx
, JSTYPE_STRING
, &key
)) {
2499 return PrimitiveValueToId
<CanGC
>(cx
, key
, result
);
2504 bool js::IsPrototypeOf(JSContext
* cx
, HandleObject protoObj
, JSObject
* obj
,
2506 RootedObject
obj2(cx
, obj
);
2508 // The [[Prototype]] chain might be cyclic.
2509 if (!CheckForInterrupt(cx
)) {
2512 if (!GetPrototype(cx
, obj2
, &obj2
)) {
2519 if (obj2
== protoObj
) {
2526 JSObject
* js::PrimitiveToObject(JSContext
* cx
, const Value
& v
) {
2527 MOZ_ASSERT(v
.isPrimitive());
2530 case ValueType::String
: {
2531 Rooted
<JSString
*> str(cx
, v
.toString());
2532 return StringObject::create(cx
, str
);
2534 case ValueType::Double
:
2535 case ValueType::Int32
:
2536 return NumberObject::create(cx
, v
.toNumber());
2537 case ValueType::Boolean
:
2538 return BooleanObject::create(cx
, v
.toBoolean());
2539 case ValueType::Symbol
: {
2540 RootedSymbol
symbol(cx
, v
.toSymbol());
2541 return SymbolObject::create(cx
, symbol
);
2543 case ValueType::BigInt
: {
2544 RootedBigInt
bigInt(cx
, v
.toBigInt());
2545 return BigIntObject::create(cx
, bigInt
);
2547 #ifdef ENABLE_RECORD_TUPLE
2548 case ValueType::ExtendedPrimitive
: {
2549 JSObject
& obj
= v
.toExtendedPrimitive();
2551 if (obj
.is
<RecordType
>()) {
2552 Rooted
<RecordType
*> rec(cx
, &obj
.as
<RecordType
>());
2553 return RecordObject::create(cx
, rec
);
2555 if (obj
.is
<TupleType
>()) {
2556 Rooted
<TupleType
*> tuple(cx
, &obj
.as
<TupleType
>());
2557 return TupleObject::create(cx
, tuple
);
2560 MOZ_CRASH("Unexpected ExtendedPrimitive type.");
2563 case ValueType::Undefined
:
2564 case ValueType::Null
:
2565 case ValueType::Magic
:
2566 case ValueType::PrivateGCThing
:
2567 case ValueType::Object
:
2571 MOZ_CRASH("unexpected type");
2574 // Like PrimitiveToObject, but returns the JSProtoKey of the prototype that
2575 // would be used without actually creating the object.
2576 JSProtoKey
js::PrimitiveToProtoKey(JSContext
* cx
, const Value
& v
) {
2577 MOZ_ASSERT(v
.isPrimitive());
2580 case ValueType::String
:
2581 return JSProto_String
;
2582 case ValueType::Double
:
2583 case ValueType::Int32
:
2584 return JSProto_Number
;
2585 case ValueType::Boolean
:
2586 return JSProto_Boolean
;
2587 case ValueType::Symbol
:
2588 return JSProto_Symbol
;
2589 case ValueType::BigInt
:
2590 return JSProto_BigInt
;
2591 #ifdef ENABLE_RECORD_TUPLE
2592 case ValueType::ExtendedPrimitive
:
2593 if (v
.toExtendedPrimitive().is
<TupleType
>()) {
2594 return JSProto_Tuple
;
2596 if (v
.toExtendedPrimitive().is
<RecordType
>()) {
2597 return JSProto_Null
;
2599 MOZ_CRASH("Unsupported ExtendedPrimitive");
2601 case ValueType::Undefined
:
2602 case ValueType::Null
:
2603 case ValueType::Magic
:
2604 case ValueType::PrivateGCThing
:
2605 case ValueType::Object
:
2609 MOZ_CRASH("unexpected type");
2613 * Invokes the ES5 ToObject algorithm on vp, returning the result. If vp might
2614 * already be an object, use ToObject. reportScanStack controls how null and
2615 * undefined errors are reported.
2617 * Callers must handle the already-object case.
2619 JSObject
* js::ToObjectSlow(JSContext
* cx
, JS::HandleValue val
,
2620 bool reportScanStack
) {
2621 MOZ_ASSERT(!val
.isMagic());
2622 MOZ_ASSERT(!val
.isObject());
2624 if (val
.isNullOrUndefined()) {
2625 ReportIsNullOrUndefinedForPropertyAccess(
2626 cx
, val
, reportScanStack
? JSDVG_SEARCH_STACK
: JSDVG_IGNORE_STACK
);
2630 return PrimitiveToObject(cx
, val
);
2633 JSObject
* js::ToObjectSlowForPropertyAccess(JSContext
* cx
, JS::HandleValue val
,
2634 int valIndex
, HandleId key
) {
2635 MOZ_ASSERT(!val
.isMagic());
2636 MOZ_ASSERT(!val
.isObject());
2638 if (val
.isNullOrUndefined()) {
2639 ReportIsNullOrUndefinedForPropertyAccess(cx
, val
, valIndex
, key
);
2643 return PrimitiveToObject(cx
, val
);
2646 JSObject
* js::ToObjectSlowForPropertyAccess(JSContext
* cx
, JS::HandleValue val
,
2648 Handle
<PropertyName
*> key
) {
2649 MOZ_ASSERT(!val
.isMagic());
2650 MOZ_ASSERT(!val
.isObject());
2652 if (val
.isNullOrUndefined()) {
2653 RootedId
keyId(cx
, NameToId(key
));
2654 ReportIsNullOrUndefinedForPropertyAccess(cx
, val
, valIndex
, keyId
);
2658 return PrimitiveToObject(cx
, val
);
2661 JSObject
* js::ToObjectSlowForPropertyAccess(JSContext
* cx
, JS::HandleValue val
,
2663 HandleValue keyValue
) {
2664 MOZ_ASSERT(!val
.isMagic());
2665 MOZ_ASSERT(!val
.isObject());
2667 if (val
.isNullOrUndefined()) {
2669 if (keyValue
.isPrimitive()) {
2670 if (!PrimitiveValueToId
<CanGC
>(cx
, keyValue
, &key
)) {
2673 ReportIsNullOrUndefinedForPropertyAccess(cx
, val
, valIndex
, key
);
2675 ReportIsNullOrUndefinedForPropertyAccess(cx
, val
, valIndex
);
2680 return PrimitiveToObject(cx
, val
);
2683 JSObject
* js::GetThisObject(JSObject
* obj
) {
2684 // Use the WindowProxy if the global is a Window, as Window must never be
2685 // exposed to script.
2686 if (obj
->is
<GlobalObject
>()) {
2687 return ToWindowProxyIfWindow(obj
);
2690 // We should not expose any environments except NSVOs to script. The NSVO is
2691 // pretending to be the global object in this case.
2692 MOZ_ASSERT(obj
->is
<NonSyntacticVariablesObject
>() ||
2693 !obj
->is
<EnvironmentObject
>());
2698 JSObject
* js::GetThisObjectOfLexical(JSObject
* env
) {
2699 return env
->as
<ExtensibleLexicalEnvironmentObject
>().thisObject();
2702 JSObject
* js::GetThisObjectOfWith(JSObject
* env
) {
2703 MOZ_ASSERT(env
->is
<WithEnvironmentObject
>());
2704 return GetThisObject(env
->as
<WithEnvironmentObject
>().withThis());
2707 class GetObjectSlotNameFunctor
: public JS::TracingContext::Functor
{
2711 explicit GetObjectSlotNameFunctor(JSObject
* ctx
) : obj(ctx
) {}
2712 virtual void operator()(JS::TracingContext
* trc
, char* buf
,
2713 size_t bufsize
) override
;
2716 void GetObjectSlotNameFunctor::operator()(JS::TracingContext
* tcx
, char* buf
,
2718 MOZ_ASSERT(tcx
->index() != JS::TracingContext::InvalidIndex
);
2720 uint32_t slot
= uint32_t(tcx
->index());
2722 Maybe
<PropertyKey
> key
;
2723 if (obj
->is
<NativeObject
>()) {
2724 NativeShape
* shape
= obj
->as
<NativeObject
>().shape();
2725 for (ShapePropertyIter
<NoGC
> iter(shape
); !iter
.done(); iter
++) {
2726 if (iter
->hasSlot() && iter
->slot() == slot
) {
2727 key
.emplace(iter
->key());
2733 if (key
.isNothing()) {
2735 const char* slotname
= nullptr;
2736 const char* pattern
= nullptr;
2737 if (obj
->is
<GlobalObject
>()) {
2738 pattern
= "CLASS_OBJECT(%s)";
2742 #define TEST_SLOT_MATCHES_PROTOTYPE(name, clasp) \
2743 else if ((JSProto_##name) == slot) { \
2746 JS_FOR_EACH_PROTOTYPE(TEST_SLOT_MATCHES_PROTOTYPE
)
2747 #undef TEST_SLOT_MATCHES_PROTOTYPE
2750 if (obj
->is
<EnvironmentObject
>()) {
2751 if (slot
== EnvironmentObject::enclosingEnvironmentSlot()) {
2752 slotname
= "enclosing_environment";
2753 } else if (obj
->is
<CallObject
>()) {
2754 if (slot
== CallObject::calleeSlot()) {
2755 slotname
= "callee_slot";
2757 } else if (obj
->is
<WithEnvironmentObject
>()) {
2758 if (slot
== WithEnvironmentObject::objectSlot()) {
2759 slotname
= "with_object";
2760 } else if (slot
== WithEnvironmentObject::thisSlot()) {
2761 slotname
= "with_this";
2768 snprintf(buf
, bufsize
, pattern
, slotname
);
2770 snprintf(buf
, bufsize
, "**UNKNOWN SLOT %" PRIu32
"**", slot
);
2775 snprintf(buf
, bufsize
, "%" PRId32
, key
->toInt());
2776 } else if (key
->isAtom()) {
2777 PutEscapedString(buf
, bufsize
, key
->toAtom(), 0);
2778 } else if (key
->isSymbol()) {
2779 snprintf(buf
, bufsize
, "**SYMBOL KEY**");
2781 snprintf(buf
, bufsize
, "**FINALIZED ATOM KEY**");
2786 /*** Debugging routines *****************************************************/
2788 #if defined(DEBUG) || defined(JS_JITSPEW)
2791 * Routines to print out values during debugging. These are JS_PUBLIC_API to
2792 * help the debugger find them and to support temporarily hacking js::Dump*
2793 * calls into other code.
2798 // We don't want jsfriendapi.h to depend on GenericPrinter,
2799 // so these functions are declared directly in the cpp.
2801 JS_PUBLIC_API
void DumpValue(const JS::Value
& val
, js::GenericPrinter
& out
);
2803 JS_PUBLIC_API
void DumpId(jsid id
, js::GenericPrinter
& out
);
2805 JS_PUBLIC_API
void DumpInterpreterFrame(JSContext
* cx
, js::GenericPrinter
& out
,
2806 InterpreterFrame
* start
= nullptr);
2810 JS_PUBLIC_API
void js::DumpValue(const Value
& val
, js::GenericPrinter
& out
) {
2814 JS_PUBLIC_API
void js::DumpId(jsid id
, js::GenericPrinter
& out
) {
2815 out
.printf("jsid %p = ", (void*)id
.asRawBits());
2819 bool JSObject::hasSameRealmAs(JSContext
* cx
) const {
2820 return nonCCWRealm() == cx
->realm();
2823 bool JSObject::uninlinedIsProxyObject() const { return is
<ProxyObject
>(); }
2825 bool JSObject::uninlinedNonProxyIsExtensible() const {
2826 return nonProxyIsExtensible();
2829 void JSObject::dump() const {
2830 js::Fprinter
out(stderr
);
2834 void JSObject::dump(js::GenericPrinter
& out
) const {
2835 js::JSONPrinter
json(out
);
2840 void JSObject::dump(js::JSONPrinter
& json
) const {
2846 # define FOR_EACH_CLASS(M) \
2847 M(ArrayBufferViewObject) \
2848 M(ArrayBufferObject) \
2853 static void DumpOwnFields(const JSObject
* obj
, js::JSONPrinter
& json
) {
2854 # define CALL(CLASS) \
2855 if (obj->is<CLASS>()) { \
2856 obj->as<CLASS>().dumpOwnFields(json); \
2859 FOR_EACH_CLASS(CALL
)
2863 static void DumpOwnStringContent(const JSObject
* obj
, js::GenericPrinter
& out
) {
2864 # define CALL(CLASS) \
2865 if (obj->is<CLASS>()) { \
2867 obj->as<CLASS>().dumpOwnStringContent(out); \
2870 FOR_EACH_CLASS(CALL
)
2874 # undef FOR_EACH_CLASS
2876 void JSObject::dumpFields(js::JSONPrinter
& json
) const {
2877 json
.formatProperty("address", "(JSObject*)0x%p", this);
2879 if (IsCrossCompartmentWrapper(this)) {
2880 json
.formatProperty("compartment", "(JS::Compartment*)0x%p", compartment());
2882 JSObject
* globalObj
= &nonCCWGlobal();
2883 js::GenericPrinter
& out
= json
.beginStringProperty("nonCCWGlobal");
2884 globalObj
->dumpStringContent(out
);
2885 json
.endStringProperty();
2888 const JSClass
* clasp
= getClass();
2889 json
.formatProperty("clasp", "<%s @ (JSClass*)0x%p>", clasp
->name
, clasp
);
2891 js::GenericPrinter
& out
= json
.beginStringProperty("shape");
2892 shape()->dumpStringContent(out
);
2893 json
.endStringProperty();
2895 json
.beginObjectProperty("shape.base");
2896 shape()->base()->dumpFields(json
);
2899 if (IsProxy(this)) {
2900 const js::BaseProxyHandler
* handler
= GetProxyHandler(this);
2901 if (IsDeadProxyObject(this)) {
2902 json
.formatProperty("handler", "(js::DeadObjectProxy*)0x%p", handler
);
2903 } else if (IsCrossCompartmentWrapper(this)) {
2904 json
.formatProperty("handler", "(js::CrossCompartmentWrapper*)0x%p",
2907 json
.formatProperty("handler", "(js::BaseProxyHandler*)0x%p", handler
);
2910 Value priv
= GetProxyPrivate(this);
2911 if (!priv
.isUndefined()) {
2912 js::GenericPrinter
& out
= json
.beginStringProperty("private");
2913 priv
.dumpStringContent(out
);
2914 json
.endStringProperty();
2917 Value expando
= GetProxyExpando(this);
2918 if (!expando
.isNull()) {
2919 js::GenericPrinter
& out
= json
.beginStringProperty("expando");
2920 expando
.dumpStringContent(out
);
2921 json
.endStringProperty();
2924 if (is
<DebugEnvironmentProxy
>()) {
2925 json
.boolProperty("isQualifiedVarObj", isQualifiedVarObj());
2926 json
.boolProperty("isUnqualifiedVarObj", isUnqualifiedVarObj());
2930 DumpOwnFields(this, json
);
2932 if (is
<NativeObject
>()) {
2933 const auto* nobj
= &as
<NativeObject
>();
2935 js::GenericPrinter
& out
= json
.beginStringProperty("elementsHeader");
2936 nobj
->getElementsHeader()->dumpStringContent(out
);
2937 json
.endStringProperty();
2939 uint32_t reserved
= JSCLASS_RESERVED_SLOTS(clasp
);
2942 json
.beginObjectProperty("reservedSlots");
2943 for (uint32_t i
= 0; i
< reserved
; i
++) {
2944 SprintfLiteral(name
, "%u", i
);
2945 js::GenericPrinter
& out
= json
.beginStringProperty(name
);
2946 nobj
->getSlot(i
).dumpStringContent(out
);
2947 json
.endStringProperty();
2952 json
.beginObjectProperty("properties");
2953 if (PropMap
* map
= nobj
->shape()->propMap()) {
2954 Vector
<PropMap
*, 8, SystemAllocPolicy
> maps
;
2956 if (!maps
.append(map
)) {
2957 json
.property("error", "*oom in JSObject::dumpFields*");
2960 if (!map
->hasPrevious()) {
2963 map
= map
->asLinked()->previous();
2966 for (size_t i
= maps
.length(); i
> 0; i
--) {
2967 size_t index
= i
- 1;
2968 PropMap
* map
= maps
[index
];
2969 uint32_t len
= (index
== 0) ? shape()->asNative().propMapLength()
2970 : PropMap::Capacity
;
2971 for (uint32_t j
= 0; j
< len
; j
++) {
2972 if (!map
->hasKey(j
)) {
2973 MOZ_ASSERT(map
->isDictionary());
2977 JS::UniqueChars propChars
= map
->getPropertyNameAt(j
);
2979 json
.property("error", "*oom in PropMap::getPropertyNameAt*");
2983 js::GenericPrinter
& out
= json
.beginStringProperty(propChars
.get());
2985 PropertyInfoWithKey prop
= map
->getPropertyInfoWithKey(j
);
2986 if (prop
.isDataProperty()) {
2987 nobj
->getSlot(prop
.slot()).dumpStringContent(out
);
2989 } else if (prop
.isAccessorProperty()) {
2990 out
.printf("getter=0x%p, setter=0x%p", nobj
->getGetter(prop
),
2991 nobj
->getSetter(prop
));
2996 map
->dumpDescriptorStringContentAt(out
, j
);
2999 json
.endStringProperty();
3005 uint32_t slots
= nobj
->getDenseInitializedLength();
3008 json
.beginObjectProperty("elements");
3009 for (uint32_t i
= 0; i
< slots
; i
++) {
3010 SprintfLiteral(name
, "%u", i
);
3011 js::GenericPrinter
& out
= json
.beginStringProperty(name
);
3012 nobj
->getDenseElement(i
).dumpStringContent(out
);
3013 json
.endStringProperty();
3020 void JSObject::dumpStringContent(js::GenericPrinter
& out
) const {
3021 out
.printf("<%s", getClass()->name
);
3023 DumpOwnStringContent(this, out
);
3025 out
.printf(" @ (JSObject*)0x%p>", this);
3028 static void MaybeDumpScope(Scope
* scope
, js::GenericPrinter
& out
) {
3030 out
.printf(" scope: %s\n", ScopeKindString(scope
->kind()));
3031 for (BindingIter
bi(scope
); bi
; bi
++) {
3033 StringValue(bi
.name()).dump(out
);
3038 static void MaybeDumpValue(const char* name
, const Value
& v
,
3039 js::GenericPrinter
& out
) {
3041 out
.printf(" %s: ", name
);
3046 JS_PUBLIC_API
void js::DumpInterpreterFrame(JSContext
* cx
,
3047 js::GenericPrinter
& out
,
3048 InterpreterFrame
* start
) {
3049 /* This should only called during live debugging. */
3050 ScriptFrameIter
i(cx
);
3053 out
.printf("no stack for cx = %p\n", (void*)cx
);
3057 while (!i
.done() && !i
.isJSJit() && i
.interpFrame() != start
) {
3062 out
.printf("fp = %p not found in cx = %p\n", (void*)start
, (void*)cx
);
3067 for (; !i
.done(); ++i
) {
3069 out
.put("JIT frame\n");
3071 out
.printf("InterpreterFrame at %p\n", (void*)i
.interpFrame());
3074 if (i
.isFunctionFrame()) {
3075 out
.put("callee fun: ");
3077 JSObject
* fun
= i
.callee(cx
);
3081 out
.put("global or eval frame, no callee\n");
3084 out
.printf("file %s line %u\n", i
.script()->filename(),
3085 i
.script()->lineno());
3087 if (jsbytecode
* pc
= i
.pc()) {
3088 out
.printf(" pc = %p\n", pc
);
3089 out
.printf(" current op: %s\n", CodeName(JSOp(*pc
)));
3090 MaybeDumpScope(i
.script()->lookupScope(pc
), out
);
3092 if (i
.isFunctionFrame()) {
3093 MaybeDumpValue("this", i
.thisArgument(cx
), out
);
3097 i
.interpFrame()->returnValue().get().dump(out
);
3101 if (i
.isConstructing()) {
3102 out
.put(" constructing");
3104 if (!i
.isJSJit() && i
.interpFrame()->isDebuggerEvalFrame()) {
3105 out
.put(" debugger eval");
3107 if (i
.isEvalFrame()) {
3112 out
.printf(" envChain: (JSObject*) %p\n", (void*)i
.environmentChain(cx
));
3118 #endif /* defined(DEBUG) || defined(JS_JITSPEW) */
3120 JS_PUBLIC_API
void js::DumpBacktrace(JSContext
* cx
, FILE* fp
) {
3122 js::DumpBacktrace(cx
, out
);
3125 JS_PUBLIC_API
void js::DumpBacktrace(JSContext
* cx
, js::GenericPrinter
& out
) {
3127 for (AllFramesIter
i(cx
); !i
.done(); ++i
, ++depth
) {
3128 const char* filename
;
3130 if (i
.hasScript()) {
3131 filename
= JS_GetScriptFilename(i
.script());
3132 line
= PCToLineNumber(i
.script(), i
.pc());
3134 filename
= i
.filename();
3135 line
= i
.computeLine();
3137 char frameType
= i
.isInterp() ? 'i'
3138 : i
.isBaseline() ? 'b'
3143 out
.printf("#%zu %14p %c %s:%u", depth
, i
.rawFramePtr(), frameType
,
3146 if (i
.hasScript()) {
3147 out
.printf(" (%p @ %zu)\n", i
.script(), i
.script()->pcToOffset(i
.pc()));
3149 out
.printf(" (%p)\n", i
.pc());
3154 JS_PUBLIC_API
void js::DumpBacktrace(JSContext
* cx
) {
3155 DumpBacktrace(cx
, stdout
);
3160 bool JSObject::isBackgroundFinalized() const {
3162 return js::gc::IsBackgroundFinalized(asTenured().getAllocKind());
3165 js::Nursery
& nursery
= runtimeFromMainThread()->gc
.nursery();
3166 return js::gc::IsBackgroundFinalized(allocKindForTenure(nursery
));
3169 js::gc::AllocKind
JSObject::allocKindForTenure(
3170 const js::Nursery
& nursery
) const {
3171 using namespace js::gc
;
3173 MOZ_ASSERT(IsInsideNursery(this));
3175 if (is
<NativeObject
>()) {
3176 if (canHaveFixedElements()) {
3177 const NativeObject
& nobj
= as
<NativeObject
>();
3178 MOZ_ASSERT(nobj
.numFixedSlots() == 0);
3180 /* Use minimal size object if we are just going to copy the pointer. */
3181 if (!nursery
.isInside(nobj
.getUnshiftedElementsHeader())) {
3182 return gc::AllocKind::OBJECT0_BACKGROUND
;
3185 size_t nelements
= nobj
.getDenseCapacity();
3186 return ForegroundToBackgroundAllocKind(GetGCArrayKind(nelements
));
3189 if (is
<JSFunction
>()) {
3190 return as
<JSFunction
>().getAllocKind();
3193 if (is
<FixedLengthTypedArrayObject
>()) {
3194 return as
<FixedLengthTypedArrayObject
>().allocKindForTenure();
3197 return as
<NativeObject
>().allocKindForTenure();
3200 // Handle all non-native objects.
3202 // Proxies that are CrossCompartmentWrappers may be nursery allocated.
3203 if (is
<ProxyObject
>()) {
3204 return as
<ProxyObject
>().allocKindForTenure();
3207 // WasmStructObjects have a variable-length tail which contains the first
3208 // few data fields, so make sure we copy it all over to the new object.
3209 if (is
<WasmStructObject
>()) {
3210 // Figure out the size of this object, from the object's TypeDef.
3211 const wasm::TypeDef
* typeDef
= &as
<WasmStructObject
>().typeDef();
3212 return WasmStructObject::allocKindForTypeDef(typeDef
);
3215 // WasmArrayObjects sometimes have a variable-length tail which contains the
3216 // data for small arrays. Make sure we copy it all over to the new object.
3217 MOZ_ASSERT(is
<WasmArrayObject
>());
3218 gc::AllocKind allocKind
= as
<WasmArrayObject
>().allocKind();
3222 void JSObject::addSizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf
,
3223 JS::ClassInfo
* info
,
3224 JS::RuntimeSizes
* runtimeSizes
) {
3225 if (is
<NativeObject
>() && as
<NativeObject
>().hasDynamicSlots()) {
3226 info
->objectsMallocHeapSlots
+=
3227 mallocSizeOf(as
<NativeObject
>().getSlotsHeader());
3230 if (is
<NativeObject
>() && as
<NativeObject
>().hasDynamicElements()) {
3231 void* allocatedElements
= as
<NativeObject
>().getUnshiftedElementsHeader();
3232 info
->objectsMallocHeapElementsNormal
+= mallocSizeOf(allocatedElements
);
3235 // Other things may be measured in the future if DMD indicates it is
3237 if (is
<JSFunction
>() || is
<PlainObject
>() || is
<ArrayObject
>() ||
3238 is
<CallObject
>() || is
<RegExpObject
>() || is
<ProxyObject
>()) {
3239 // Do nothing. But this function is hot, and we win by getting the
3240 // common cases out of the way early. Some stats on the most common
3241 // classes, as measured during a vanilla browser session:
3242 // - (53.7%, 53.7%): Function
3243 // - (18.0%, 71.7%): Object
3244 // - (16.9%, 88.6%): Array
3245 // - ( 3.9%, 92.5%): Call
3246 // - ( 2.8%, 95.3%): RegExp
3247 // - ( 1.0%, 96.4%): Proxy
3249 // Note that any JSClass that is special cased below likely needs to
3250 // specify the JSCLASS_DELAY_METADATA_BUILDER flag, or else we will
3251 // probably crash if the object metadata callback attempts to get the
3252 // size of the new object (which Debugger code does) before private
3253 // slots are initialized.
3254 } else if (is
<ArgumentsObject
>()) {
3255 info
->objectsMallocHeapMisc
+=
3256 as
<ArgumentsObject
>().sizeOfMisc(mallocSizeOf
);
3257 } else if (is
<MapObject
>()) {
3258 info
->objectsMallocHeapMisc
+= as
<MapObject
>().sizeOfData(mallocSizeOf
);
3259 } else if (is
<SetObject
>()) {
3260 info
->objectsMallocHeapMisc
+= as
<SetObject
>().sizeOfData(mallocSizeOf
);
3261 } else if (is
<PropertyIteratorObject
>()) {
3262 info
->objectsMallocHeapMisc
+=
3263 as
<PropertyIteratorObject
>().sizeOfMisc(mallocSizeOf
);
3264 } else if (is
<ArrayBufferObject
>()) {
3265 ArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf
, info
,
3267 } else if (is
<SharedArrayBufferObject
>()) {
3268 SharedArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf
, info
,
3270 } else if (is
<GlobalObject
>()) {
3271 as
<GlobalObject
>().addSizeOfData(mallocSizeOf
, info
);
3272 } else if (is
<WeakCollectionObject
>()) {
3273 info
->objectsMallocHeapMisc
+=
3274 as
<WeakCollectionObject
>().sizeOfExcludingThis(mallocSizeOf
);
3276 #ifdef JS_HAS_CTYPES
3278 // This must be the last case.
3279 info
->objectsMallocHeapMisc
+= ctypes::SizeOfDataIfCDataObject(
3280 mallocSizeOf
, const_cast<JSObject
*>(this));
3285 size_t JSObject::sizeOfIncludingThisInNursery() const {
3286 // This function doesn't concern itself yet with typed objects (bug 1133593).
3288 MOZ_ASSERT(!isTenured());
3290 const Nursery
& nursery
= runtimeFromMainThread()->gc
.nursery();
3291 size_t size
= gc::Arena::thingSize(allocKindForTenure(nursery
));
3293 if (is
<NativeObject
>()) {
3294 const NativeObject
& native
= as
<NativeObject
>();
3296 size
+= native
.numDynamicSlots() * sizeof(Value
);
3298 if (native
.hasDynamicElements()) {
3299 js::ObjectElements
& elements
= *native
.getElementsHeader();
3300 size
+= (elements
.capacity
+ elements
.numShiftedElements()) *
3304 if (is
<ArgumentsObject
>()) {
3305 size
+= as
<ArgumentsObject
>().sizeOfData();
3312 JS::ubi::Node::Size
JS::ubi::Concrete
<JSObject
>::size(
3313 mozilla::MallocSizeOf mallocSizeOf
) const {
3314 JSObject
& obj
= get();
3316 if (!obj
.isTenured()) {
3317 return obj
.sizeOfIncludingThisInNursery();
3321 obj
.addSizeOfExcludingThis(mallocSizeOf
, &info
, nullptr);
3322 return obj
.tenuredSizeOfThis() + info
.sizeOfAllThings();
3325 const char16_t
JS::ubi::Concrete
<JSObject
>::concreteTypeName
[] = u
"JSObject";
3327 void JSObject::traceChildren(JSTracer
* trc
) {
3328 TraceCellHeaderEdge(trc
, this, "shape");
3330 Shape
* objShape
= shape();
3331 if (objShape
->isNative()) {
3332 NativeObject
* nobj
= &as
<NativeObject
>();
3335 GetObjectSlotNameFunctor
func(nobj
);
3336 JS::AutoTracingDetails
ctx(trc
, func
);
3337 JS::AutoTracingIndex
index(trc
);
3338 // Tracing can mutate the target but cannot change the slot count,
3339 // but the compiler has no way of knowing this.
3340 const uint32_t nslots
= nobj
->slotSpan();
3341 for (uint32_t i
= 0; i
< nslots
; ++i
) {
3342 TraceEdge(trc
, &nobj
->getSlotRef(i
), "object slot");
3345 MOZ_ASSERT(nslots
== nobj
->slotSpan());
3348 TraceRange(trc
, nobj
->getDenseInitializedLength(),
3349 static_cast<HeapSlot
*>(nobj
->getDenseElements()),
3353 // Call the trace hook at the end so that during a moving GC the trace hook
3354 // will see updated fields and slots.
3355 const JSClass
* clasp
= objShape
->getObjectClass();
3356 if (clasp
->hasTrace()) {
3357 clasp
->doTrace(trc
, this);
3362 [[nodiscard
]] JSObject
* js::SpeciesConstructor(
3363 JSContext
* cx
, HandleObject obj
, HandleObject defaultCtor
,
3364 bool (*isDefaultSpecies
)(JSContext
*, JSFunction
*)) {
3365 // Step 1 (implicit).
3367 // Fast-path for steps 2 - 8. Applies if all of the following conditions
3369 // - obj.constructor can be retrieved without side-effects.
3370 // - obj.constructor[[@@species]] can be retrieved without side-effects.
3371 // - obj.constructor[[@@species]] is the builtin's original @@species
3373 RootedValue
ctor(cx
);
3374 bool ctorGetSucceeded
= GetPropertyPure(
3375 cx
, obj
, NameToId(cx
->names().constructor
), ctor
.address());
3376 if (ctorGetSucceeded
&& ctor
.isObject() && &ctor
.toObject() == defaultCtor
) {
3377 jsid speciesId
= PropertyKey::Symbol(cx
->wellKnownSymbols().species
);
3379 if (GetGetterPure(cx
, defaultCtor
, speciesId
, &getter
) && getter
&&
3380 isDefaultSpecies(cx
, getter
)) {
3386 if (!ctorGetSucceeded
&&
3387 !GetProperty(cx
, obj
, obj
, cx
->names().constructor
, &ctor
)) {
3392 if (ctor
.isUndefined()) {
3397 if (!ctor
.isObject()) {
3398 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
3399 JSMSG_OBJECT_REQUIRED
,
3400 "object's 'constructor' property");
3405 RootedObject
ctorObj(cx
, &ctor
.toObject());
3407 RootedId
speciesId(cx
, PropertyKey::Symbol(cx
->wellKnownSymbols().species
));
3408 if (!GetProperty(cx
, ctorObj
, ctor
, speciesId
, &s
)) {
3413 if (s
.isNullOrUndefined()) {
3418 if (IsConstructor(s
)) {
3419 return &s
.toObject();
3423 JS_ReportErrorNumberASCII(
3424 cx
, GetErrorMessage
, nullptr, JSMSG_NOT_CONSTRUCTOR
,
3425 "[Symbol.species] property of object's constructor");
3429 [[nodiscard
]] JSObject
* js::SpeciesConstructor(
3430 JSContext
* cx
, HandleObject obj
, JSProtoKey ctorKey
,
3431 bool (*isDefaultSpecies
)(JSContext
*, JSFunction
*)) {
3432 RootedObject
defaultCtor(cx
,
3433 GlobalObject::getOrCreateConstructor(cx
, ctorKey
));
3437 return SpeciesConstructor(cx
, obj
, defaultCtor
, isDefaultSpecies
);
3440 bool js::Unbox(JSContext
* cx
, HandleObject obj
, MutableHandleValue vp
) {
3441 if (MOZ_UNLIKELY(obj
->is
<ProxyObject
>())) {
3442 return Proxy::boxedValue_unbox(cx
, obj
, vp
);
3445 if (obj
->is
<BooleanObject
>()) {
3446 vp
.setBoolean(obj
->as
<BooleanObject
>().unbox());
3447 } else if (obj
->is
<NumberObject
>()) {
3448 vp
.setNumber(obj
->as
<NumberObject
>().unbox());
3449 } else if (obj
->is
<StringObject
>()) {
3450 vp
.setString(obj
->as
<StringObject
>().unbox());
3451 } else if (obj
->is
<DateObject
>()) {
3452 vp
.set(obj
->as
<DateObject
>().UTCTime());
3453 } else if (obj
->is
<SymbolObject
>()) {
3454 vp
.setSymbol(obj
->as
<SymbolObject
>().unbox());
3455 } else if (obj
->is
<BigIntObject
>()) {
3456 vp
.setBigInt(obj
->as
<BigIntObject
>().unbox());
3457 #ifdef ENABLE_RECORD_TUPLE
3458 } else if (obj
->is
<RecordObject
>()) {
3459 vp
.setExtendedPrimitive(*obj
->as
<RecordObject
>().unbox());
3460 } else if (obj
->is
<TupleObject
>()) {
3461 vp
.setExtendedPrimitive(obj
->as
<TupleObject
>().unbox());
3471 void js::AssertJSClassInvariants(const JSClass
* clasp
) {
3472 MOZ_ASSERT(JS::StringIsASCII(clasp
->name
));
3474 // Native objects shouldn't use the property operation hooks in ObjectOps.
3475 // Doing so could violate JIT invariants.
3477 // Environment objects unfortunately use these hooks, but environment objects
3478 // are not exposed directly to script so they're generally less of an issue.
3479 if (clasp
->isNativeObject() && clasp
!= &WithEnvironmentObject::class_
&&
3480 clasp
!= &ModuleEnvironmentObject::class_
&&
3481 clasp
!= &RuntimeLexicalErrorObject::class_
) {
3482 MOZ_ASSERT(!clasp
->getOpsLookupProperty());
3483 MOZ_ASSERT_IF(clasp
!= &MappedArgumentsObject::class_
,
3484 !clasp
->getOpsDefineProperty());
3485 MOZ_ASSERT(!clasp
->getOpsHasProperty());
3486 MOZ_ASSERT(!clasp
->getOpsGetProperty());
3487 MOZ_ASSERT(!clasp
->getOpsSetProperty());
3488 MOZ_ASSERT(!clasp
->getOpsGetOwnPropertyDescriptor());
3489 MOZ_ASSERT(!clasp
->getOpsDeleteProperty());
3494 void JSObject::debugCheckNewObject(Shape
* shape
, js::gc::AllocKind allocKind
,
3495 js::gc::Heap heap
) {
3496 const JSClass
* clasp
= shape
->getObjectClass();
3498 if (!ClassCanHaveFixedData(clasp
)) {
3499 NativeShape
* nshape
= &shape
->asNative();
3500 if (clasp
== &ArrayObject::class_
) {
3501 // Arrays can store the ObjectElements header inline.
3502 MOZ_ASSERT(nshape
->numFixedSlots() == 0);
3504 MOZ_ASSERT(gc::GetGCKindSlots(allocKind
) == nshape
->numFixedSlots());
3508 // Assert background finalization is used when possible.
3509 MOZ_ASSERT(!CanChangeToBackgroundAllocKind(allocKind
, clasp
));
3511 // Classes with a finalizer must specify whether instances will be finalized
3512 // on the main thread or in the background, except proxies whose behaviour
3513 // depends on the target object.
3514 static const uint32_t FinalizeMask
=
3515 JSCLASS_FOREGROUND_FINALIZE
| JSCLASS_BACKGROUND_FINALIZE
;
3516 uint32_t flags
= clasp
->flags
;
3517 uint32_t finalizeFlags
= flags
& FinalizeMask
;
3518 if (clasp
->hasFinalize() && !clasp
->isProxyObject()) {
3519 MOZ_ASSERT(finalizeFlags
== JSCLASS_FOREGROUND_FINALIZE
||
3520 finalizeFlags
== JSCLASS_BACKGROUND_FINALIZE
);
3521 MOZ_ASSERT((finalizeFlags
== JSCLASS_BACKGROUND_FINALIZE
) ==
3522 IsBackgroundFinalized(allocKind
));
3524 MOZ_ASSERT(finalizeFlags
== 0);
3527 MOZ_ASSERT_IF(clasp
->hasFinalize(),
3528 heap
== gc::Heap::Tenured
||
3529 CanNurseryAllocateFinalizedClass(clasp
) ||
3530 clasp
->isProxyObject());
3532 MOZ_ASSERT(!shape
->isDictionary());
3533 MOZ_ASSERT(!shape
->realm()->hasObjectPendingMetadata());
3535 // Non-native classes manage their own data and slots, so numFixedSlots is
3536 // always 0. Note that proxy classes can have reserved slots but they're not
3537 // included in numFixedSlots.
3538 if (!clasp
->isNativeObject()) {
3539 MOZ_ASSERT_IF(!clasp
->isProxyObject(), JSCLASS_RESERVED_SLOTS(clasp
) == 0);