| blob | 3785cbed493d0940c86f2ccf983854f8823ea1e7 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef vm_JSObject_h
8 #define vm_JSObject_h
35 /****************************************************************************/
42 /*
43 * The NewObjectKind allows an allocation site to specify the lifetime
44 * requirements that must be fixed at allocation time.
45 */
47 /* This is the default. Most objects are generic. */
48 GenericObject,
50 /*
51 * Objects which will not benefit from being allocated in the nursery
52 * (e.g. because they are known to have a long lifetime) may be allocated
53 * with this kind to place them immediately into the tenured generation.
54 */
55 TenuredObject
56 };
58 // Forward declarations, required for later friend declarations.
66 /*
67 * [SMDOC] JSObject layout
68 *
69 * A JavaScript object.
70 *
71 * This is the base class for all objects exposed to JS script (as well as some
72 * objects that are only accessed indirectly). Subclasses add additional fields
73 * and execution semantics. The runtime class of an arbitrary JSObject is
74 * identified by JSObject::getClass().
75 *
76 * All objects have a non-null Shape, stored in the cell header, which describes
77 * the current layout and set of property keys of the object.
78 *
79 * Each Shape has a pointer to a BaseShape. The BaseShape contains the object's
80 * prototype object, its class, and its realm.
81 *
82 * NOTE: Some operations can change the contents of an object (including class)
83 * in-place so avoid assuming an object with same pointer has same class
84 * as before.
85 * - JSObject::swap()
86 */
87 class JSObject
90 // The Shape is stored in the cell header.
93 // Like shape(), but uses getAtomic to read the header word.
96 #ifndef JS_64BIT
97 // Ensure fixed slots have 8-byte alignment on 32-bit platforms.
99 #endif
117 }
120 }
123 }
126 }
129 }
132 }
135 }
138 }
141 }
147 // Note: use Cell::Zone() instead of zone() because zone() relies on the
148 // shape we still have to initialize.
151 }
155 }
161 }
165 }
167 // Change this object's shape for a prototype mutation.
168 //
169 // Note: the caller must ensure the object has a mutable proto, is extensible,
170 // etc.
174 // An object is marked IsUsedAsPrototype if it is (or was) another object's
175 // prototype. Optimization heuristics will make use of this flag.
176 //
177 // This flag is only relevant for static prototypes. Proxy traps can return
178 // objects without this flag set.
179 //
180 // NOTE: it's important to call setIsUsedAsPrototype *after* initializing the
181 // object's properties, because that avoids unnecessary shadowing checks and
182 // reshaping.
183 //
184 // See: ReshapeForProtoMutation, ReshapeForShadowedProp
187 }
190 }
194 }
197 }
201 }
204 }
206 // A "qualified" varobj is the object on which "qualified" variable
207 // declarations (i.e., those defined with "var") are kept.
208 //
209 // Conceptually, when a var binding is defined, it is defined on the
210 // innermost qualified varobj on the scope chain.
211 //
212 // Function scopes (CallObjects) are qualified varobjs, and there can be
213 // no other qualified varobj that is more inner for var bindings in that
214 // function. As such, all references to local var bindings in a function
215 // may be statically bound to the function scope. This is subject to
216 // further optimization. Unaliased bindings inside functions reside
217 // entirely on the frame, not in CallObjects.
218 //
219 // Global scopes are also qualified varobjs. It is possible to statically
220 // know, for a given script, that are no more inner qualified varobjs, so
221 // free variable references can be statically bound to the global.
222 //
223 // Finally, there are non-syntactic qualified varobjs used by embedders
224 // (e.g., Gecko and XPConnect), as they often wish to run scripts under a
225 // scope that captures var bindings.
229 }
231 // An "unqualified" varobj is the object on which "unqualified"
232 // assignments (i.e., bareword assignments for which the LHS does not
233 // exist on the scope chain) are kept.
236 // Once the "invalidated teleporting" flag is set for an object, it is never
237 // cleared and it may cause the JITs to insert additional guards when
238 // accessing properties on this object. While the flag remains clear, the
239 // shape teleporting optimization can be used to avoid those extra checks.
240 //
241 // The flag is set on the object if either:
242 //
243 // * Its own proto was mutated or it was on the proto chain of an object that
244 // had its proto mutated.
245 //
246 // * It was on the proto chain of an object that started shadowing a property
247 // on this object.
248 //
249 // See:
250 // - ReshapeForProtoMutation
251 // - ReshapeForShadowedProp
252 // - ProtoChainSupportsTeleporting
257 "teleporting as a concept is only applicable to static "
260 }
262 /*
263 * Whether there may be "interesting symbol" properties on this object. An
264 * interesting symbol is a symbol for which symbol->isInterestingSymbol()
265 * returns true.
266 */
271 /* GC support. */
284 }
287 }
292 }
295 }
299 }
301 /* Return the allocKind we would use if we were to tenure this object. */
309 }
315 // We can only use addSizeOfExcludingThis on tenured objects: it assumes it
316 // can apply mallocSizeOf to bits and pieces of the object, whereas objects
317 // in the nursery may have those bits and pieces allocated in the nursery
318 // along with them, and are not each their own malloc blocks.
321 #ifdef DEBUG
324 #else
327 #endif
329 /*
330 * We permit proxies to dynamically compute their prototype if desired.
331 * (Not all proxies will so desire: in particular, most DOM proxies can
332 * track their prototype with a single, nullable JSObject*.) If a proxy
333 * so desires, we store (JSObject*)0x1 in the proto field of the object's
334 * group.
335 *
336 * We offer three ways to get an object's prototype:
337 *
338 * 1. obj->staticPrototype() returns the prototype, but it asserts if obj
339 * is a proxy, and the proxy has opted to dynamically compute its
340 * prototype using a getPrototype() handler.
341 * 2. obj->taggedProto() returns a TaggedProto, which can be tested to
342 * check if the proto is an object, nullptr, or lazily computed.
343 * 3. js::GetPrototype(cx, obj, &proto) computes the proto of an object.
344 * If obj is a proxy with dynamically-computed prototype, this code may
345 * perform arbitrary behavior (allocation, GC, run JS) while computing
346 * the proto.
347 */
356 }
358 // Normal objects and a subset of proxies have an uninteresting, static
359 // (albeit perhaps mutable) [[Prototype]]. For such objects the
360 // [[Prototype]] is just a value returned when needed for accesses, or
361 // modified in response to requests. These objects store the
362 // [[Prototype]] directly within |obj->group()|.
365 // The remaining proxies have a [[Prototype]] requiring dynamic computation
366 // for every access, going through the proxy handler {get,set}Prototype and
367 // setImmutablePrototype methods. (Wrappers particularly use this to keep
368 // the wrapper/wrappee [[Prototype]]s consistent.)
373 }
375 // True iff this object's [[Prototype]] is immutable. Must be called only
376 // on objects with a static [[Prototype]]!
379 /*
380 * Environment chains.
381 *
382 * The environment chain of an object is the link in the search path when
383 * a script does a name lookup on an environment object. For JS internal
384 * environment objects --- Call, LexicalEnvironment, and WithEnvironment
385 * --- the chain is stored in the first fixed slot of the object. For
386 * other environment objects, the chain goes directly to the global.
387 *
388 * In code which is not marked hasNonSyntacticScope, environment chains
389 * can contain only syntactic environment objects (see
390 * IsSyntacticEnvironment) with a global object at the root as the
391 * environment of the outermost non-function script. In
392 * hasNonSyntacticScope code, the environment of the outermost
393 * non-function script might not be a global object, and can have a mix of
394 * other objects above it before the global object is reached.
395 */
397 /*
398 * Get the enclosing environment of an object. When called on a
399 * non-EnvironmentObject, this will just be the global (the name
400 * "enclosing environment" still applies in this situation because
401 * non-EnvironmentObjects can be on the environment chain).
402 */
405 // Cross-compartment wrappers are not associated with a single realm/global,
406 // so these methods assert the object is not a CCW.
412 }
415 // Returns the object's realm even if the object is a CCW (be careful, in
416 // this case the realm is not very meaningful because wrappers are shared by
417 // all realms in the compartment).
420 /*
421 * ES5 meta-object properties and operations.
422 */
425 // Indicates whether a non-proxy is extensible. Don't call on proxies!
426 // This method really shouldn't exist -- but there are a few internal
427 // places that want it (JITs and the like), and it'd be a pain to mark them
428 // all as friends.
433 /*
434 * Back to generic stuff.
435 */
458 /*
459 * In addition to the generic object interface provided by JSObject,
460 * specific types of objects may provide additional operations. To access,
461 * these addition operations, callers should use the pattern:
462 *
463 * if (obj.is<XObject>()) {
464 * XObject& x = obj.as<XObject>();
465 * x.foo();
466 * }
467 *
468 * These XObject classes form a hierarchy. For example, for a cloned block
469 * object, the following predicates are true: is<ClonedBlockObject>,
470 * is<NestedScopeObject> and is<ScopeObject>. Each of these has a
471 * respective class that derives and adds operations.
472 *
473 * A class XObject is defined in a vm/XObject{.h, .cpp, -inl.h} file
474 * triplet (along with any class YObject that derives XObject).
475 *
476 * Note that X represents a low-level representation and does not query the
477 * [[Class]] property of object defined by the spec: use |JS::GetBuiltinClass|
478 * for this.
479 */
484 }
490 }
496 }
498 /*
499 * True if either this or CheckedUnwrap(this) is an object of class T.
500 * (Only two objects are checked, regardless of how many wrappers there
501 * are.)
502 *
503 * /!\ Note: This can be true at one point, but false later for the same
504 * object, thanks to js::NukeCrossCompartmentWrapper and friends.
505 */
509 /*
510 * Unwrap and downcast to class T.
511 *
512 * Precondition: `this->canUnwrapAs<T>()`. Note that it's not enough to
513 * have checked this at some point in the past; if there's any doubt as to
514 * whether js::Nuke* could have been called in the meantime, check again.
515 */
519 /*
520 * Tries to unwrap and downcast to class T. Returns nullptr if (and only if) a
521 * wrapper with a security policy is involved. Crashes in all builds if the
522 * (possibly unwrapped) object is not of class T (for example, because it's a
523 * dead wrapper).
524 */
528 /*
529 * Tries to unwrap and downcast to an object with class |clasp|. Returns
530 * nullptr if (and only if) a wrapper with a security policy is involved.
531 * Crashes in all builds if the (possibly unwrapped) object doesn't have class
532 * |clasp| (for example, because it's a dead wrapper).
533 */
536 /*
537 * Tries to unwrap and downcast to class T. Returns nullptr if a wrapper with
538 * a security policy is involved or if the object does not have class T.
539 */
543 #if defined(DEBUG) || defined(JS_JITSPEW)
546 #endif
548 // Maximum size in bytes of a JSObject.
549 #ifdef JS_64BIT
552 #else
555 #endif
558 // JIT Accessors.
559 //
560 // To help avoid writing Spectre-unsafe code, we only allow MacroAssembler
561 // to call the method below.
571 // For the allocator only, to be used with placement new.
574 };
579 }
589 }
600 }
609 }
612 }
621 }
623 // Since the caller just called canUnwrapAs<T>(), which does a
624 // CheckedUnwrap, this does not need to repeat the security check.
629 }
638 }
643 }
647 }
650 }
655 }
660 }
664 }
667 }
676 }
680 }
682 /*
683 * The only sensible way to compare JSObject with == is by identity. We use
684 * const& instead of * as a syntactic way to assert non-null. This leads to an
685 * abundance of address-of operators to identity. Hence this overload.
686 */
690 }
695 }
697 // Size of the various GC thing allocation sizes used for objects.
700 };
704 };
708 };
710 // Only used for extended functions which are required to have exactly seven
711 // fixed slots due to JIT assumptions.
714 };
718 };
722 };
726 };
728 /* static */
732 #define EXPAND_OJBECT_SIZE(_1, _2, _3, sizedType, _4, _5, _6) sizeof(sizedType),
735 }
739 // Returns true if object may possibly use JSObject::swap. The JITs may better
740 // optimize objects that can never swap (and thus change their type).
741 //
742 // If ObjectMayBeSwapped is false, it is safe to guard on pointer identity to
743 // test immutable features of the object. For example, the target of a
744 // JSFunction will not change. Note: the object can still be moved by GC.
750 /* ES6 draft rev 36 (2015 March 17) 7.1.1 ToPrimitive(vp[, preferredType]) */
756 }
758 }
761 MutableHandleValue vp) {
764 }
766 }
768 /*
769 * toString support. (This isn't called GetClassName because there's a macro in
770 * <windows.h> with that name.)
771 */
773 HandleObject obj);
775 /*
776 * Prepare a |this| object to be returned to script. This includes replacing
777 * Windows with their corresponding WindowProxy.
778 *
779 * Helpers are also provided to first extract the |this| from specific
780 * types of environment.
781 */
792 // ES6 9.1.15 GetPrototypeFromConstructor.
795 JSProtoKey intrinsicDefaultProto,
798 // https://tc39.github.io/ecma262/#sec-getprototypefromconstructor
799 //
800 // Determine which [[Prototype]] to use when creating a new object using a
801 // builtin constructor.
802 //
803 // This sets `proto` to `nullptr` to mean "the builtin prototype object for
804 // this type in the current realm", the common case.
805 //
806 // We could set it to `cx->global()->getOrCreatePrototype(protoKey)`, but
807 // nullptr gets a fast path in e.g. js::NewObjectWithClassProtoCommon.
808 //
809 // intrinsicDefaultProto can be JSProto_Null if there's no appropriate
810 // JSProtoKey enum; but we then select the wrong prototype object in a
811 // multi-realm corner case (see bug 1515167).
815 // We can skip the "prototype" lookup in the two common cases:
816 // 1. Builtin constructor called without `new`, as in `obj = Object();`.
817 // 2. Builtin constructor called with `new`, as in `obj = new Object();`.
818 //
819 // Cases that can't take the fast path include `new MySubclassOfObject()`,
820 // `new otherGlobal.Object()`, and `Reflect.construct(Object, [], Date)`.
826 }
828 // We're calling this constructor from a derived class, retrieve the
829 // actual prototype from newTarget.
832 proto);
833 }
835 /* ES6 draft rev 32 (2015 Feb 2) 6.2.4.5 ToPropertyDescriptor(Obj) */
840 /*
841 * Throw a TypeError if desc.getter() or setter() is not
842 * callable. This performs exactly the checks omitted by ToPropertyDescriptor
843 * when checkAccessors is false.
844 */
850 /*
851 * Read property descriptors from props, as for Object.defineProperties. See
852 * ES5 15.2.3.7 steps 3-5.
853 */
858 /* Read the name using a dynamic lookup on the scopeChain. */
867 /*
868 * Like LookupName except returns the global object if 'name' is not found in
869 * any preceding scope.
870 *
871 * Additionally, pobjp and propp are not needed by callers so they are not
872 * returned.
873 */
876 HandleObject scopeChain,
877 MutableHandleObject objp);
879 /*
880 * Like LookupName except returns the unqualified var object if 'name' is not
881 * found in any preceding scope. Normally the unqualified var object is the
882 * global. If the value for the name in the looked-up scope is an
883 * uninitialized lexical, an UninitializedLexicalObject is returned.
884 *
885 * Additionally, pobjp is not needed by callers so it is not returned.
886 */
888 HandleObject scopeChain,
889 MutableHandleObject objp);
895 /*
896 * Family of Pure property lookup functions. The bool return does NOT have the
897 * standard SpiderMonkey semantics. The return value means "can this operation
898 * be performed and produce a valid result without any side effects?". If any of
899 * these return true, then the outparam can be inspected to determine the
900 * result.
901 */
924 /*
925 * Like JS::FromPropertyDescriptor, but ignore desc.object() and always set vp
926 * to an object on success.
927 *
928 * Use JS::FromPropertyDescriptor for getOwnPropertyDescriptor, since
929 * desc.object() is used to indicate whether a result was found or not. Use
930 * this instead for defineProperty: it would be senseless to define a "missing"
931 * property.
932 */
935 MutableHandleValue vp);
937 // obj is a JSObject*, but we root it immediately up front. We do it
938 // that way because we need a Rooted temporary in this method anyway.
942 /* Wrap boolean, number or string as Boolean, Number or String object. */
959 HandleValue vp,
961 HandleId key) {
964 }
966 }
971 }
973 }
978 }
980 }
982 /*
983 * Report a TypeError: "so-and-so is not an object".
984 * Using NotNullObject is usually less code.
985 */
991 }
994 }
996 /*
997 * Report a TypeError: "SOMETHING must be an object, got VALUE".
998 * Using NotNullObject is usually less code.
999 *
1000 * By default this function will attempt to report the expression which computed
1001 * the value which given as argument. This can be disabled by using
1002 * JSDVG_IGNORE_STACK.
1003 */
1005 HandleValue v);
1008 HandleValue v) {
1011 }
1014 }
1021 }
1024 }
1026 /*
1027 * Report a TypeError: "N-th argument of FUN must be an object, got VALUE".
1028 * Using NotNullObjectArg is usually less code.
1029 */
1031 HandleValue v);
1037 }
1040 }
1044 MutableHandleObject objp);
1046 /* Helper for throwing, always returns false. */
1050 /*
1051 * ES6 rev 29 (6 Dec 2014) 7.3.13. Mark obj as non-extensible, and adjust each
1052 * of obj's own properties' attributes appropriately: each property becomes
1053 * non-configurable, and if level == Frozen, data properties become
1054 * non-writable as well.
1055 */
1057 IntegrityLevel level);
1061 }
1063 /*
1064 * ES6 rev 29 (6 Dec 2014) 7.3.14. Code shared by Object.isSealed and
1065 * Object.isFrozen.
1066 */
1079 MutableHandleObject obj);
1081 #ifdef DEBUG
1085 }
1087 }
1088 #endif
1090 /*
1091 * A generic trace hook that calls the object's 'trace' method.
1092 *
1093 * If you are introducing a new JSObject subclass, MyObject, that needs a custom
1094 * JSClassOps::trace function, it's often helpful to write `trace` as a
1095 * non-static member function, since `this` will the correct type. In this case,
1096 * you can use `CallTraceMethod<MyObject>` as your JSClassOps::trace value.
1097 */
1101 }
1103 #ifdef JS_HAS_CTYPES
1112 #endif
1114 #ifdef DEBUG
1116 #endif