1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 * JS object implementation.
11 #include "vm/JSObject-inl.h"
13 #include "mozilla/MemoryReporting.h"
14 #include "mozilla/Try.h"
20 #include "jsfriendapi.h"
24 #include "builtin/BigInt.h"
25 #include "builtin/MapObject.h"
26 #include "builtin/Object.h"
27 #include "builtin/String.h"
28 #include "builtin/Symbol.h"
29 #include "builtin/WeakSetObject.h"
30 #include "gc/AllocKind.h"
32 #include "js/CharacterEncoding.h"
33 #include "js/friend/DumpFunctions.h" // js::DumpObject
34 #include "js/friend/ErrorMessages.h" // JSErrNum, js::GetErrorMessage, JSMSG_*
35 #include "js/friend/WindowProxy.h" // js::IsWindow, js::ToWindowProxyIfWindow
36 #include "js/MemoryMetrics.h"
37 #include "js/PropertyDescriptor.h" // JS::FromPropertyDescriptor
38 #include "js/PropertySpec.h" // JSPropertySpec
40 #include "js/Result.h"
41 #include "js/UbiNode.h"
42 #include "js/Wrapper.h"
43 #include "proxy/DeadObjectProxy.h"
44 #include "util/Memory.h"
45 #include "util/Text.h"
46 #include "util/WindowsWrapper.h"
47 #include "vm/ArgumentsObject.h"
48 #include "vm/BytecodeUtil.h"
49 #include "vm/Compartment.h"
50 #include "vm/DateObject.h"
51 #include "vm/Interpreter.h"
52 #include "vm/Iteration.h"
53 #include "vm/JSAtomUtils.h" // Atomize
54 #include "vm/JSContext.h"
55 #include "vm/JSFunction.h"
56 #include "vm/JSScript.h"
57 #include "vm/ProxyObject.h"
58 #include "vm/RegExpObject.h"
60 #include "vm/TypedArrayObject.h"
61 #include "vm/Watchtower.h"
62 #include "vm/WrapperObject.h"
63 #ifdef ENABLE_RECORD_TUPLE
64 # include "builtin/RecordObject.h"
65 # include "builtin/TupleObject.h"
66 # include "vm/RecordType.h"
67 # include "vm/TupleType.h"
69 #include "wasm/WasmGcObject.h"
71 #include "gc/StableCellHasher-inl.h"
72 #include "vm/BooleanObject-inl.h"
73 #include "vm/EnvironmentObject-inl.h"
74 #include "vm/Interpreter-inl.h"
75 #include "vm/JSAtomUtils-inl.h" // AtomToId, PrimitiveValueToId, IndexToId
76 #include "vm/JSContext-inl.h"
77 #include "vm/NativeObject-inl.h"
78 #include "vm/NumberObject-inl.h"
79 #include "vm/ObjectFlags-inl.h"
80 #include "vm/Realm-inl.h"
81 #include "vm/StringObject-inl.h"
82 #include "vm/TypedArrayObject-inl.h"
88 void js::ReportNotObject(JSContext
* cx
, JSErrNum err
, int spindex
,
90 MOZ_ASSERT(!v
.isObject());
91 ReportValueError(cx
, err
, spindex
, v
, nullptr);
94 void js::ReportNotObject(JSContext
* cx
, JSErrNum err
, HandleValue v
) {
95 ReportNotObject(cx
, err
, JSDVG_SEARCH_STACK
, v
);
98 void js::ReportNotObject(JSContext
* cx
, const Value
& v
) {
99 RootedValue
value(cx
, v
);
100 ReportNotObject(cx
, JSMSG_OBJECT_REQUIRED
, value
);
103 void js::ReportNotObjectArg(JSContext
* cx
, const char* nth
, const char* fun
,
105 MOZ_ASSERT(!v
.isObject());
108 if (const char* chars
= ValueToSourceForError(cx
, v
, bytes
)) {
109 JS_ReportErrorNumberLatin1(cx
, GetErrorMessage
, nullptr,
110 JSMSG_OBJECT_REQUIRED_ARG
, nth
, fun
, chars
);
114 JS_PUBLIC_API
const char* JS::InformalValueTypeName(const Value
& v
) {
116 case ValueType::Double
:
117 case ValueType::Int32
:
119 case ValueType::Boolean
:
121 case ValueType::Undefined
:
123 case ValueType::Null
:
125 case ValueType::String
:
127 case ValueType::Symbol
:
129 case ValueType::BigInt
:
131 case ValueType::Object
:
132 #ifdef ENABLE_RECORD_TUPLE
133 case ValueType::ExtendedPrimitive
:
135 return v
.getObjectPayload().getClass()->name
;
136 case ValueType::Magic
:
138 case ValueType::PrivateGCThing
:
142 MOZ_CRASH("unexpected type");
145 // ES6 draft rev37 6.2.4.4 FromPropertyDescriptor
146 JS_PUBLIC_API
bool JS::FromPropertyDescriptor(
147 JSContext
* cx
, Handle
<Maybe
<PropertyDescriptor
>> desc_
,
148 MutableHandleValue vp
) {
154 if (desc_
.isNothing()) {
159 Rooted
<PropertyDescriptor
> desc(cx
, *desc_
);
160 return FromPropertyDescriptorToObject(cx
, desc
, vp
);
163 bool js::FromPropertyDescriptorToObject(JSContext
* cx
,
164 Handle
<PropertyDescriptor
> desc
,
165 MutableHandleValue vp
) {
167 RootedObject
obj(cx
, NewPlainObject(cx
));
172 const JSAtomState
& names
= cx
->names();
175 if (desc
.hasValue()) {
176 if (!DefineDataProperty(cx
, obj
, names
.value
, desc
.value())) {
183 if (desc
.hasWritable()) {
184 v
.setBoolean(desc
.writable());
185 if (!DefineDataProperty(cx
, obj
, names
.writable
, v
)) {
191 if (desc
.hasGetter()) {
192 if (JSObject
* get
= desc
.getter()) {
197 if (!DefineDataProperty(cx
, obj
, names
.get
, v
)) {
203 if (desc
.hasSetter()) {
204 if (JSObject
* set
= desc
.setter()) {
209 if (!DefineDataProperty(cx
, obj
, names
.set
, v
)) {
215 if (desc
.hasEnumerable()) {
216 v
.setBoolean(desc
.enumerable());
217 if (!DefineDataProperty(cx
, obj
, names
.enumerable
, v
)) {
223 if (desc
.hasConfigurable()) {
224 v
.setBoolean(desc
.configurable());
225 if (!DefineDataProperty(cx
, obj
, names
.configurable
, v
)) {
234 bool js::GetFirstArgumentAsObject(JSContext
* cx
, const CallArgs
& args
,
236 MutableHandleObject objp
) {
237 if (!args
.requireAtLeast(cx
, method
, 1)) {
241 HandleValue v
= args
[0];
244 DecompileValueGenerator(cx
, JSDVG_SEARCH_STACK
, v
, nullptr);
248 JS_ReportErrorNumberUTF8(cx
, GetErrorMessage
, nullptr,
249 JSMSG_UNEXPECTED_TYPE
, bytes
.get(),
254 objp
.set(&v
.toObject());
258 static bool GetPropertyIfPresent(JSContext
* cx
, HandleObject obj
, HandleId id
,
259 MutableHandleValue vp
, bool* foundp
) {
260 if (!HasProperty(cx
, obj
, id
, foundp
)) {
268 return GetProperty(cx
, obj
, obj
, id
, vp
);
271 bool js::Throw(JSContext
* cx
, HandleId id
, unsigned errorNumber
,
272 const char* details
) {
273 MOZ_ASSERT(js_ErrorFormatString
[errorNumber
].argCount
== (details
? 2 : 1));
274 MOZ_ASSERT_IF(details
, JS::StringIsASCII(details
));
277 IdToPrintableUTF8(cx
, id
, IdToPrintableBehavior::IdIsPropertyKey
);
283 JS_ReportErrorNumberUTF8(cx
, GetErrorMessage
, nullptr, errorNumber
,
284 bytes
.get(), details
);
286 JS_ReportErrorNumberUTF8(cx
, GetErrorMessage
, nullptr, errorNumber
,
293 /*** PropertyDescriptor operations and DefineProperties *********************/
295 static Result
<> CheckCallable(JSContext
* cx
, JSObject
* obj
,
296 const char* fieldName
) {
297 if (obj
&& !obj
->isCallable()) {
298 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
299 JSMSG_BAD_GET_SET_FIELD
, fieldName
);
300 return cx
->alreadyReportedError();
305 // 6.2.5.5 ToPropertyDescriptor(Obj)
306 bool js::ToPropertyDescriptor(JSContext
* cx
, HandleValue descval
,
308 MutableHandle
<PropertyDescriptor
> desc_
) {
311 RequireObject(cx
, JSMSG_OBJECT_REQUIRED_PROP_DESC
, descval
));
317 Rooted
<PropertyDescriptor
> desc(cx
, PropertyDescriptor::Empty());
323 id
= NameToId(cx
->names().enumerable
);
324 bool hasEnumerable
= false;
325 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasEnumerable
)) {
329 desc
.setEnumerable(ToBoolean(v
));
333 id
= NameToId(cx
->names().configurable
);
334 bool hasConfigurable
= false;
335 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasConfigurable
)) {
338 if (hasConfigurable
) {
339 desc
.setConfigurable(ToBoolean(v
));
343 id
= NameToId(cx
->names().value
);
344 bool hasValue
= false;
345 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasValue
)) {
353 id
= NameToId(cx
->names().writable
);
354 bool hasWritable
= false;
355 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasWritable
)) {
359 desc
.setWritable(ToBoolean(v
));
363 id
= NameToId(cx
->names().get
);
365 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasGet
)) {
368 RootedObject
getter(cx
);
371 if (checkAccessors
) {
372 JS_TRY_OR_RETURN_FALSE(cx
, CheckCallable(cx
, &v
.toObject(), "getter"));
374 getter
= &v
.toObject();
375 } else if (v
.isUndefined()) {
378 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
379 JSMSG_BAD_GET_SET_FIELD
, "getter");
385 id
= NameToId(cx
->names().set
);
387 if (!GetPropertyIfPresent(cx
, obj
, id
, &v
, &hasSet
)) {
390 RootedObject
setter(cx
);
393 if (checkAccessors
) {
394 JS_TRY_OR_RETURN_FALSE(cx
, CheckCallable(cx
, &v
.toObject(), "setter"));
396 setter
= &v
.toObject();
397 } else if (v
.isUndefined()) {
400 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
401 JSMSG_BAD_GET_SET_FIELD
, "setter");
407 if (hasGet
|| hasSet
) {
408 if (hasValue
|| hasWritable
) {
409 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
410 JSMSG_INVALID_DESCRIPTOR
);
414 // We delay setGetter/setSetter after the previous check,
415 // because otherwise we would assert.
417 desc
.setGetter(getter
);
420 desc
.setSetter(setter
);
429 Result
<> js::CheckPropertyDescriptorAccessors(JSContext
* cx
,
430 Handle
<PropertyDescriptor
> desc
) {
431 if (desc
.hasGetter()) {
432 MOZ_TRY(CheckCallable(cx
, desc
.getter(), "getter"));
435 if (desc
.hasSetter()) {
436 MOZ_TRY(CheckCallable(cx
, desc
.setter(), "setter"));
442 // 6.2.5.6 CompletePropertyDescriptor(Desc)
443 void js::CompletePropertyDescriptor(MutableHandle
<PropertyDescriptor
> desc
) {
448 // Let like be the Record { [[Value]]: undefined, [[Writable]]: false,
449 // [[Get]]: undefined, [[Set]]: undefined,
450 // [[Enumerable]]: false, [[Configurable]]: false }.
453 if (desc
.isGenericDescriptor() || desc
.isDataDescriptor()) {
455 if (!desc
.hasValue()) {
456 desc
.setValue(UndefinedHandleValue
);
459 if (!desc
.hasWritable()) {
460 desc
.setWritable(false);
464 if (!desc
.hasGetter()) {
465 desc
.setGetter(nullptr);
468 if (!desc
.hasSetter()) {
469 desc
.setSetter(nullptr);
474 if (!desc
.hasEnumerable()) {
475 desc
.setEnumerable(false);
479 if (!desc
.hasConfigurable()) {
480 desc
.setConfigurable(false);
483 desc
.assertComplete();
486 bool js::ReadPropertyDescriptors(
487 JSContext
* cx
, HandleObject props
, bool checkAccessors
,
488 MutableHandleIdVector ids
, MutableHandle
<PropertyDescriptorVector
> descs
) {
489 if (!GetPropertyKeys(cx
, props
, JSITER_OWNONLY
| JSITER_SYMBOLS
, ids
)) {
494 for (size_t i
= 0, len
= ids
.length(); i
< len
; i
++) {
496 Rooted
<PropertyDescriptor
> desc(cx
);
498 if (!GetProperty(cx
, props
, props
, id
, &v
) ||
499 !ToPropertyDescriptor(cx
, v
, checkAccessors
, &desc
) ||
500 !descs
.append(desc
)) {
507 /*** Seal and freeze ********************************************************/
509 /* ES6 draft rev 29 (6 Dec 2014) 7.3.13. */
510 bool js::SetIntegrityLevel(JSContext
* cx
, HandleObject obj
,
511 IntegrityLevel level
) {
514 // Steps 3-5. (Steps 1-2 are redundant assertions.)
515 if (!PreventExtensions(cx
, obj
)) {
519 // Steps 6-9, loosely interpreted.
520 if (obj
->is
<NativeObject
>() && !obj
->is
<TypedArrayObject
>() &&
521 !obj
->is
<MappedArgumentsObject
>()) {
522 Handle
<NativeObject
*> nobj
= obj
.as
<NativeObject
>();
524 // Use a fast path to seal/freeze properties. This has the benefit of
525 // creating shared property maps if possible, whereas the slower/generic
526 // implementation below ends up converting non-empty objects to dictionary
528 if (nobj
->shape()->propMapLength() > 0) {
529 if (!NativeObject::freezeOrSealProperties(cx
, nobj
, level
)) {
534 // Ordinarily ArraySetLength handles this, but we're going behind its back
535 // right now, so we must do this manually.
536 if (level
== IntegrityLevel::Frozen
&& obj
->is
<ArrayObject
>()) {
537 obj
->as
<ArrayObject
>().setNonWritableLength(cx
);
541 RootedIdVector
keys(cx
);
542 if (!GetPropertyKeys(
543 cx
, obj
, JSITER_HIDDEN
| JSITER_OWNONLY
| JSITER_SYMBOLS
, &keys
)) {
548 Rooted
<PropertyDescriptor
> desc(cx
, PropertyDescriptor::Empty());
550 // 8.a/9.a. The two different loops are merged here.
551 for (size_t i
= 0; i
< keys
.length(); i
++) {
554 if (level
== IntegrityLevel::Sealed
) {
556 desc
.setConfigurable(false);
559 Rooted
<Maybe
<PropertyDescriptor
>> currentDesc(cx
);
560 if (!GetOwnPropertyDescriptor(cx
, obj
, id
, ¤tDesc
)) {
565 if (currentDesc
.isNothing()) {
570 desc
= PropertyDescriptor::Empty();
571 if (currentDesc
->isAccessorDescriptor()) {
572 desc
.setConfigurable(false);
574 desc
.setConfigurable(false);
575 desc
.setWritable(false);
579 // 8.a.i-ii. / 9.a.iii.3-4
580 if (!DefineProperty(cx
, obj
, id
, desc
)) {
586 // Finally, freeze or seal the dense elements.
587 if (obj
->is
<NativeObject
>()) {
588 if (!ObjectElements::FreezeOrSeal(cx
, obj
.as
<NativeObject
>(), level
)) {
596 static bool ResolveLazyProperties(JSContext
* cx
, Handle
<NativeObject
*> obj
) {
597 const JSClass
* clasp
= obj
->getClass();
598 if (JSEnumerateOp enumerate
= clasp
->getEnumerate()) {
599 if (!enumerate(cx
, obj
)) {
603 if (clasp
->getNewEnumerate() && clasp
->getResolve()) {
604 RootedIdVector
properties(cx
);
605 if (!clasp
->getNewEnumerate()(cx
, obj
, &properties
,
606 /* enumerableOnly = */ false)) {
611 for (size_t i
= 0; i
< properties
.length(); i
++) {
614 if (!HasOwnProperty(cx
, obj
, id
, &found
)) {
622 // ES6 draft rev33 (12 Feb 2015) 7.3.15
623 bool js::TestIntegrityLevel(JSContext
* cx
, HandleObject obj
,
624 IntegrityLevel level
, bool* result
) {
625 // Steps 3-6. (Steps 1-2 are redundant assertions.)
627 if (!IsExtensible(cx
, obj
, &status
)) {
635 // Fast path for native objects.
636 if (obj
->is
<NativeObject
>()) {
637 Handle
<NativeObject
*> nobj
= obj
.as
<NativeObject
>();
639 // Force lazy properties to be resolved.
640 if (!ResolveLazyProperties(cx
, nobj
)) {
644 // Typed array elements are configurable, writable properties, so if any
645 // elements are present, the typed array can neither be sealed nor frozen.
646 if (nobj
->is
<TypedArrayObject
>() &&
647 nobj
->as
<TypedArrayObject
>().length().valueOr(0) > 0) {
652 bool hasDenseElements
= false;
653 for (size_t i
= 0; i
< nobj
->getDenseInitializedLength(); i
++) {
654 if (nobj
->containsDenseElement(i
)) {
655 hasDenseElements
= true;
660 if (hasDenseElements
) {
661 // Unless the sealed flag is set, dense elements are configurable.
662 if (!nobj
->denseElementsAreSealed()) {
667 // Unless the frozen flag is set, dense elements are writable.
668 if (level
== IntegrityLevel::Frozen
&& !nobj
->denseElementsAreFrozen()) {
675 for (ShapePropertyIter
<NoGC
> iter(nobj
->shape()); !iter
.done(); iter
++) {
677 if (iter
->configurable() ||
678 (level
== IntegrityLevel::Frozen
&& iter
->isDataDescriptor() &&
680 // Private fields on objects don't participate in the frozen state, and
681 // so should be elided from checking for frozen state.
682 if (iter
->key().isPrivateName()) {
692 RootedIdVector
props(cx
);
693 if (!GetPropertyKeys(
694 cx
, obj
, JSITER_HIDDEN
| JSITER_OWNONLY
| JSITER_SYMBOLS
, &props
)) {
700 Rooted
<Maybe
<PropertyDescriptor
>> desc(cx
);
701 for (size_t i
= 0, len
= props
.length(); i
< len
; i
++) {
705 if (!GetOwnPropertyDescriptor(cx
, obj
, id
, &desc
)) {
710 if (desc
.isNothing()) {
715 if (desc
->configurable() ||
716 (level
== IntegrityLevel::Frozen
&& desc
->isDataDescriptor() &&
718 // Since we don't request JSITER_PRIVATE in GetPropertyKeys above, we
719 // should never see a private name here.
720 MOZ_ASSERT(!id
.isPrivateName());
734 static MOZ_ALWAYS_INLINE NativeObject
* NewObject(
735 JSContext
* cx
, const JSClass
* clasp
, Handle
<TaggedProto
> proto
,
736 gc::AllocKind kind
, NewObjectKind newKind
, ObjectFlags objFlags
) {
737 MOZ_ASSERT(clasp
->isNativeObject());
739 // Some classes have specialized allocation functions and shouldn't end up
741 MOZ_ASSERT(clasp
!= &ArrayObject::class_
);
742 MOZ_ASSERT(clasp
!= &PlainObject::class_
);
743 MOZ_ASSERT(!clasp
->isJSFunction());
745 // Computing nfixed based on the AllocKind isn't right for objects which can
746 // store fixed data inline (TypedArrays and ArrayBuffers) so for simplicity
747 // and performance reasons we don't support such objects here.
748 MOZ_ASSERT(!ClassCanHaveFixedData(clasp
));
749 size_t nfixed
= GetGCKindSlots(kind
);
751 if (CanChangeToBackgroundAllocKind(kind
, clasp
)) {
752 kind
= ForegroundToBackgroundAllocKind(kind
);
755 Rooted
<SharedShape
*> shape(
756 cx
, SharedShape::getInitialShape(cx
, clasp
, cx
->realm(), proto
, nfixed
,
762 gc::Heap heap
= GetInitialHeap(newKind
, clasp
);
763 NativeObject
* obj
= NativeObject::create(cx
, kind
, heap
, shape
);
768 probes::CreateObject(cx
, obj
);
772 NativeObject
* js::NewObjectWithGivenTaggedProto(
773 JSContext
* cx
, const JSClass
* clasp
, Handle
<TaggedProto
> proto
,
774 gc::AllocKind allocKind
, NewObjectKind newKind
, ObjectFlags objFlags
) {
775 return NewObject(cx
, clasp
, proto
, allocKind
, newKind
, objFlags
);
778 NativeObject
* js::NewObjectWithClassProto(JSContext
* cx
, const JSClass
* clasp
,
779 HandleObject protoArg
,
780 gc::AllocKind allocKind
,
781 NewObjectKind newKind
,
782 ObjectFlags objFlags
) {
784 return NewObjectWithGivenTaggedProto(cx
, clasp
, AsTaggedProto(protoArg
),
785 allocKind
, newKind
, objFlags
);
788 // Find the appropriate proto for clasp. Built-in classes have a cached
789 // proto on cx->global(); all others get %ObjectPrototype%.
790 JSProtoKey protoKey
= JSCLASS_CACHED_PROTO_KEY(clasp
);
791 if (protoKey
== JSProto_Null
) {
792 protoKey
= JSProto_Object
;
795 JSObject
* proto
= GlobalObject::getOrCreatePrototype(cx
, protoKey
);
800 Rooted
<TaggedProto
> taggedProto(cx
, TaggedProto(proto
));
801 return NewObject(cx
, clasp
, taggedProto
, allocKind
, newKind
, objFlags
);
804 bool js::GetPrototypeFromConstructor(JSContext
* cx
, HandleObject newTarget
,
805 JSProtoKey intrinsicDefaultProto
,
806 MutableHandleObject proto
) {
807 RootedValue
protov(cx
);
808 if (!GetProperty(cx
, newTarget
, newTarget
, cx
->names().prototype
, &protov
)) {
811 if (protov
.isObject()) {
812 proto
.set(&protov
.toObject());
813 } else if (newTarget
->is
<JSFunction
>() &&
814 newTarget
->as
<JSFunction
>().realm() == cx
->realm()) {
815 // Steps 4.a-b fetch the builtin prototype of the current realm, which we
816 // represent as nullptr.
818 } else if (intrinsicDefaultProto
== JSProto_Null
) {
819 // Bug 1317416. The caller did not pass a reasonable JSProtoKey, so let the
820 // caller select a prototype object. Most likely they will choose one from
824 // Step 4.a: Let realm be ? GetFunctionRealm(constructor);
825 Realm
* realm
= JS::GetFunctionRealm(cx
, newTarget
);
830 // Step 4.b: Set proto to realm's intrinsic object named
831 // intrinsicDefaultProto.
834 if (cx
->realm() != realm
) {
835 ar
.emplace(cx
, realm
->maybeGlobal());
837 proto
.set(GlobalObject::getOrCreatePrototype(cx
, intrinsicDefaultProto
));
842 if (!cx
->compartment()->wrap(cx
, proto
)) {
850 bool JSObject::nonNativeSetProperty(JSContext
* cx
, HandleObject obj
,
851 HandleId id
, HandleValue v
,
852 HandleValue receiver
,
853 ObjectOpResult
& result
) {
854 return obj
->getOpsSetProperty()(cx
, obj
, id
, v
, receiver
, result
);
858 bool JSObject::nonNativeSetElement(JSContext
* cx
, HandleObject obj
,
859 uint32_t index
, HandleValue v
,
860 HandleValue receiver
,
861 ObjectOpResult
& result
) {
863 if (!IndexToId(cx
, index
, &id
)) {
866 return nonNativeSetProperty(cx
, obj
, id
, v
, receiver
, result
);
869 static bool CopyPropertyFrom(JSContext
* cx
, HandleId id
, HandleObject target
,
871 // |target| must not be a CCW because we need to enter its realm below and
872 // CCWs are not associated with a single realm.
873 MOZ_ASSERT(!IsCrossCompartmentWrapper(target
));
875 // |obj| and |cx| are generally not same-compartment with |target| here.
877 Rooted
<mozilla::Maybe
<PropertyDescriptor
>> desc(cx
);
879 if (!GetOwnPropertyDescriptor(cx
, obj
, id
, &desc
)) {
882 MOZ_ASSERT(desc
.isSome());
884 JSAutoRealm
ar(cx
, target
);
886 RootedId
wrappedId(cx
, id
);
887 if (!cx
->compartment()->wrap(cx
, &desc
)) {
891 Rooted
<PropertyDescriptor
> desc_(cx
, *desc
);
892 return DefineProperty(cx
, target
, wrappedId
, desc_
);
895 JS_PUBLIC_API
bool JS_CopyOwnPropertiesAndPrivateFields(JSContext
* cx
,
898 // Both |obj| and |target| must not be CCWs because we need to enter their
899 // realms below and CCWs are not associated with a single realm.
900 MOZ_ASSERT(!IsCrossCompartmentWrapper(obj
));
901 MOZ_ASSERT(!IsCrossCompartmentWrapper(target
));
903 JSAutoRealm
ar(cx
, obj
);
905 RootedIdVector
props(cx
);
906 if (!GetPropertyKeys(
908 JSITER_PRIVATE
| JSITER_OWNONLY
| JSITER_HIDDEN
| JSITER_SYMBOLS
,
913 for (size_t i
= 0; i
< props
.length(); ++i
) {
914 if (!CopyPropertyFrom(cx
, props
[i
], target
, obj
)) {
922 static bool InitializePropertiesFromCompatibleNativeObject(
923 JSContext
* cx
, Handle
<NativeObject
*> dst
, Handle
<NativeObject
*> src
) {
925 MOZ_ASSERT(src
->getClass() == dst
->getClass());
926 MOZ_ASSERT(dst
->shape()->objectFlags().isEmpty());
927 MOZ_ASSERT(src
->numFixedSlots() == dst
->numFixedSlots());
928 MOZ_ASSERT(!src
->inDictionaryMode());
929 MOZ_ASSERT(!dst
->inDictionaryMode());
931 if (!dst
->ensureElements(cx
, src
->getDenseInitializedLength())) {
935 uint32_t initialized
= src
->getDenseInitializedLength();
936 for (uint32_t i
= 0; i
< initialized
; ++i
) {
937 dst
->setDenseInitializedLength(i
+ 1);
938 dst
->initDenseElement(i
, src
->getDenseElement(i
));
941 // If there are no properties to copy, we're done.
942 if (!src
->sharedShape()->propMap()) {
946 Rooted
<SharedShape
*> shape(cx
);
947 if (src
->staticPrototype() == dst
->staticPrototype()) {
948 shape
= src
->sharedShape();
950 // We need to generate a new shape for dst that has dst's proto but all
951 // the property information from src. Note that we asserted above that
952 // dst's object flags are empty.
953 SharedShape
* srcShape
= src
->sharedShape();
954 ObjectFlags objFlags
;
955 objFlags
= CopyPropMapObjectFlags(objFlags
, srcShape
->objectFlags());
956 Rooted
<SharedPropMap
*> map(cx
, srcShape
->propMap());
957 uint32_t mapLength
= srcShape
->propMapLength();
958 shape
= SharedShape::getPropMapShape(cx
, dst
->shape()->base(),
959 dst
->numFixedSlots(), map
, mapLength
,
966 uint32_t oldSpan
= dst
->sharedShape()->slotSpan();
967 uint32_t newSpan
= shape
->slotSpan();
968 if (!dst
->setShapeAndAddNewSlots(cx
, shape
, oldSpan
, newSpan
)) {
971 for (size_t i
= JSCLASS_RESERVED_SLOTS(src
->getClass()); i
< newSpan
; i
++) {
972 dst
->setSlot(i
, src
->getSlot(i
));
978 JS_PUBLIC_API
bool JS_InitializePropertiesFromCompatibleNativeObject(
979 JSContext
* cx
, HandleObject dst
, HandleObject src
) {
980 return InitializePropertiesFromCompatibleNativeObject(
981 cx
, dst
.as
<NativeObject
>(), src
.as
<NativeObject
>());
984 bool js::ObjectMayBeSwapped(const JSObject
* obj
) {
985 const JSClass
* clasp
= obj
->getClass();
987 // We want to optimize Window/globals and Gecko doesn't require transplanting
988 // them (only the WindowProxy around them). A Window may be a DOMClass, so we
989 // explicitly check if this is a global.
990 if (clasp
->isGlobal()) {
994 // WindowProxy, Wrapper, DeadProxyObject, DOMProxy, and DOMClass (non-global)
995 // types may be swapped. It is hard to detect DOMProxy from shell, so target
996 // proxies in general.
997 return clasp
->isProxyObject() || clasp
->isDOMClass();
1000 bool NativeObject::prepareForSwap(JSContext
* cx
,
1001 MutableHandleValueVector slotValuesOut
) {
1002 MOZ_ASSERT(slotValuesOut
.empty());
1004 for (size_t i
= 0; i
< slotSpan(); i
++) {
1005 if (!slotValuesOut
.append(getSlot(i
))) {
1010 if (hasDynamicSlots()) {
1011 ObjectSlots
* slotsHeader
= getSlotsHeader();
1012 size_t size
= ObjectSlots::allocSize(slotsHeader
->capacity());
1013 RemoveCellMemory(this, size
, MemoryUse::ObjectSlots
);
1014 if (!cx
->nursery().isInside(slotsHeader
)) {
1016 cx
->nursery().removeMallocedBuffer(slotsHeader
, size
);
1018 js_free(slotsHeader
);
1020 setEmptyDynamicSlots(0);
1023 if (hasDynamicElements()) {
1024 ObjectElements
* elements
= getElementsHeader();
1025 void* allocatedElements
= getUnshiftedElementsHeader();
1026 size_t count
= elements
->numAllocatedElements();
1027 size_t size
= count
* sizeof(HeapSlot
);
1030 RemoveCellMemory(this, size
, MemoryUse::ObjectElements
);
1031 } else if (cx
->nursery().isInside(allocatedElements
)) {
1032 // Move nursery allocated elements in case they end up in a tenured
1034 ObjectElements
* newElements
=
1035 reinterpret_cast<ObjectElements
*>(js_pod_malloc
<HeapSlot
>(count
));
1040 memmove(newElements
, elements
, size
);
1041 elements_
= newElements
->elements();
1043 cx
->nursery().removeMallocedBuffer(allocatedElements
, size
);
1045 MOZ_ASSERT(hasDynamicElements());
1052 bool NativeObject::fixupAfterSwap(JSContext
* cx
, Handle
<NativeObject
*> obj
,
1054 HandleValueVector slotValues
) {
1055 // This object has just been swapped with some other object, and its shape
1056 // no longer reflects its allocated size. Correct this information and
1057 // fill the slots in with the specified values.
1058 MOZ_ASSERT_IF(!obj
->inDictionaryMode(),
1059 obj
->slotSpan() == slotValues
.length());
1061 // Make sure the shape's numFixedSlots() is correct.
1062 size_t nfixed
= gc::GetGCKindSlots(kind
);
1063 if (nfixed
!= obj
->shape()->numFixedSlots()) {
1064 if (!NativeObject::changeNumFixedSlotsAfterSwap(cx
, obj
, nfixed
)) {
1067 MOZ_ASSERT(obj
->shape()->numFixedSlots() == nfixed
);
1070 uint32_t oldDictionarySlotSpan
=
1071 obj
->inDictionaryMode() ? slotValues
.length() : 0;
1073 MOZ_ASSERT(!obj
->hasUniqueId());
1075 calculateDynamicSlots(nfixed
, slotValues
.length(), obj
->getClass());
1076 size_t currentSlots
= obj
->getSlotsHeader()->capacity();
1077 MOZ_ASSERT(ndynamic
>= currentSlots
);
1078 if (ndynamic
> currentSlots
) {
1079 if (!obj
->growSlots(cx
, currentSlots
, ndynamic
)) {
1084 if (obj
->inDictionaryMode()) {
1085 obj
->setDictionaryModeSlotSpan(oldDictionarySlotSpan
);
1088 for (size_t i
= 0, len
= slotValues
.length(); i
< len
; i
++) {
1089 obj
->initSlotUnchecked(i
, slotValues
[i
]);
1092 if (obj
->hasDynamicElements()) {
1093 ObjectElements
* elements
= obj
->getElementsHeader();
1094 void* allocatedElements
= obj
->getUnshiftedElementsHeader();
1095 MOZ_ASSERT(!cx
->nursery().isInside(allocatedElements
));
1096 size_t size
= elements
->numAllocatedElements() * sizeof(HeapSlot
);
1097 if (obj
->isTenured()) {
1098 AddCellMemory(obj
, size
, MemoryUse::ObjectElements
);
1099 } else if (!cx
->nursery().registerMallocedBuffer(allocatedElements
, size
)) {
1107 [[nodiscard
]] bool ProxyObject::prepareForSwap(
1108 JSContext
* cx
, MutableHandleValueVector valuesOut
) {
1109 MOZ_ASSERT(valuesOut
.empty());
1111 // Remove the GCPtr<Value>s we're about to swap from the store buffer, to
1112 // ensure we don't trace bogus values.
1113 gc::StoreBuffer
& sb
= cx
->runtime()->gc
.storeBuffer();
1115 // Reserve space for the expando, private slot and the reserved slots.
1116 if (!valuesOut
.reserve(2 + numReservedSlots())) {
1120 js::detail::ProxyValueArray
* valArray
= data
.values();
1121 sb
.unputValue(&valArray
->expandoSlot
);
1122 sb
.unputValue(&valArray
->privateSlot
);
1123 valuesOut
.infallibleAppend(valArray
->expandoSlot
);
1124 valuesOut
.infallibleAppend(valArray
->privateSlot
);
1126 for (size_t i
= 0; i
< numReservedSlots(); i
++) {
1127 sb
.unputValue(&valArray
->reservedSlots
.slots
[i
]);
1128 valuesOut
.infallibleAppend(valArray
->reservedSlots
.slots
[i
]);
1131 if (isTenured() && !usingInlineValueArray()) {
1132 size_t count
= detail::ProxyValueArray::allocCount(numReservedSlots());
1133 RemoveCellMemory(this, count
* sizeof(Value
),
1134 MemoryUse::ProxyExternalValueArray
);
1136 data
.reservedSlots
= nullptr;
1142 bool ProxyObject::fixupAfterSwap(JSContext
* cx
,
1143 const HandleValueVector values
) {
1144 MOZ_ASSERT(getClass()->isProxyObject());
1146 size_t nreserved
= numReservedSlots();
1148 // |values| contains the expando slot, private slot and the reserved slots.
1149 MOZ_ASSERT(values
.length() == 2 + nreserved
);
1151 // Allocate the external value array in malloc memory, even for nursery
1153 size_t count
= detail::ProxyValueArray::allocCount(nreserved
);
1154 auto* allocation
= js_pod_malloc
<JS::Value
>(count
);
1159 size_t size
= count
* sizeof(Value
);
1161 AddCellMemory(&asTenured(), size
, MemoryUse::ProxyExternalValueArray
);
1162 } else if (!cx
->nursery().registerMallocedBuffer(allocation
, size
)) {
1163 js_free(allocation
);
1167 auto* valArray
= reinterpret_cast<js::detail::ProxyValueArray
*>(allocation
);
1169 valArray
->expandoSlot
= values
[0];
1170 valArray
->privateSlot
= values
[1];
1172 for (size_t i
= 0; i
< nreserved
; i
++) {
1173 valArray
->reservedSlots
.slots
[i
] = values
[i
+ 2];
1176 data
.reservedSlots
= &valArray
->reservedSlots
;
1177 MOZ_ASSERT(!usingInlineValueArray());
1181 static gc::AllocKind
SwappableObjectAllocKind(JSObject
* obj
) {
1182 MOZ_ASSERT(ObjectMayBeSwapped(obj
));
1184 if (obj
->isTenured()) {
1185 return obj
->asTenured().getAllocKind();
1188 if (obj
->is
<NativeObject
>()) {
1189 return obj
->as
<NativeObject
>().allocKindForTenure();
1192 return obj
->as
<ProxyObject
>().allocKindForTenure();
1195 /* Use this method with extreme caution. It trades the guts of two objects. */
1196 void JSObject::swap(JSContext
* cx
, HandleObject a
, HandleObject b
,
1197 AutoEnterOOMUnsafeRegion
& oomUnsafe
) {
1198 // Ensure swap doesn't cause a finalizer to be run at the wrong time.
1199 MOZ_ASSERT(a
->isBackgroundFinalized() == b
->isBackgroundFinalized());
1201 MOZ_ASSERT(a
->compartment() == b
->compartment());
1203 // You must have entered the objects' compartment before calling this.
1204 MOZ_ASSERT(cx
->compartment() == a
->compartment());
1206 // Only certain types of objects are allowed to be swapped. This allows the
1207 // JITs to better optimize objects that can never swap and rules out most
1208 // builtin objects that have special behaviour.
1209 MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(a
));
1210 MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(b
));
1212 if (!Watchtower::watchObjectSwap(cx
, a
, b
)) {
1213 oomUnsafe
.crash("watchObjectSwap");
1216 // Ensure we update any embedded nursery pointers in either object.
1217 gc::StoreBuffer
& storeBuffer
= cx
->runtime()->gc
.storeBuffer();
1218 if (a
->isTenured()) {
1219 storeBuffer
.putWholeCell(a
);
1221 if (b
->isTenured()) {
1222 storeBuffer
.putWholeCell(b
);
1224 if (a
->isTenured() || b
->isTenured()) {
1225 if (a
->zone()->wasGCStarted()) {
1226 storeBuffer
.setMayHavePointersToDeadCells();
1230 unsigned r
= NotifyGCPreSwap(a
, b
);
1232 ProxyObject
* pa
= a
->is
<ProxyObject
>() ? &a
->as
<ProxyObject
>() : nullptr;
1233 ProxyObject
* pb
= b
->is
<ProxyObject
>() ? &b
->as
<ProxyObject
>() : nullptr;
1234 bool aIsProxyWithInlineValues
= pa
&& pa
->usingInlineValueArray();
1235 bool bIsProxyWithInlineValues
= pb
&& pb
->usingInlineValueArray();
1237 bool aIsUsedAsPrototype
= a
->isUsedAsPrototype();
1238 bool bIsUsedAsPrototype
= b
->isUsedAsPrototype();
1240 // Swap element associations.
1241 Zone
* zone
= a
->zone();
1243 // Record any associated unique IDs and prepare for swap.
1245 // Note that unique IDs are NOT swapped but remain associated with the
1246 // original address.
1249 (void)gc::MaybeGetUniqueId(a
, &aid
);
1250 (void)gc::MaybeGetUniqueId(b
, &bid
);
1251 NativeObject
* na
= a
->is
<NativeObject
>() ? &a
->as
<NativeObject
>() : nullptr;
1252 NativeObject
* nb
= b
->is
<NativeObject
>() ? &b
->as
<NativeObject
>() : nullptr;
1253 if ((aid
|| bid
) && (na
|| nb
)) {
1254 // We can't remove unique IDs from native objects when they are swapped with
1255 // objects without an ID. Instead ensure they both have IDs so we always
1256 // have something to overwrite the old ID with.
1257 if (!gc::GetOrCreateUniqueId(a
, &aid
) ||
1258 !gc::GetOrCreateUniqueId(b
, &bid
)) {
1259 oomUnsafe
.crash("Failed to create unique ID during swap");
1262 // IDs stored in NativeObjects could shadow those stored in the zone
1263 // table. Remove any zone table IDs first.
1265 gc::RemoveUniqueId(a
);
1268 gc::RemoveUniqueId(b
);
1272 gc::AllocKind ka
= SwappableObjectAllocKind(a
);
1273 gc::AllocKind kb
= SwappableObjectAllocKind(b
);
1275 size_t sa
= gc::Arena::thingSize(ka
);
1276 size_t sb
= gc::Arena::thingSize(kb
);
1277 if (sa
== sb
&& a
->isTenured() == b
->isTenured()) {
1278 // When both objects are the same size and in the same heap, just do a plain
1279 // swap of their contents.
1281 // Swap slot associations.
1282 zone
->swapCellMemory(a
, b
, MemoryUse::ObjectSlots
);
1285 char tmp
[sizeof(JSObject_Slots16
)];
1286 MOZ_ASSERT(size
<= sizeof(tmp
));
1288 js_memcpy(tmp
, a
, size
);
1289 js_memcpy(a
, b
, size
);
1290 js_memcpy(b
, tmp
, size
);
1292 zone
->swapCellMemory(a
, b
, MemoryUse::ObjectElements
);
1293 zone
->swapCellMemory(a
, b
, MemoryUse::ProxyExternalValueArray
);
1295 if (aIsProxyWithInlineValues
) {
1296 b
->as
<ProxyObject
>().setInlineValueArray();
1298 if (bIsProxyWithInlineValues
) {
1299 a
->as
<ProxyObject
>().setInlineValueArray();
1302 // Avoid GC in here to avoid confusing the tracing code with our
1303 // intermediate state.
1304 gc::AutoSuppressGC
suppress(cx
);
1306 // When the objects have different sizes, they will have different numbers
1307 // of fixed slots before and after the swap, so the slots for native objects
1308 // will need to be rearranged. Remember the original values from the
1310 RootedValueVector
avals(cx
);
1311 RootedValueVector
bvals(cx
);
1312 if (na
&& !na
->prepareForSwap(cx
, &avals
)) {
1313 oomUnsafe
.crash("NativeObject::prepareForSwap");
1315 if (nb
&& !nb
->prepareForSwap(cx
, &bvals
)) {
1316 oomUnsafe
.crash("NativeObject::prepareForSwap");
1319 // Do the same for proxy value arrays.
1320 if (pa
&& !pa
->prepareForSwap(cx
, &avals
)) {
1321 oomUnsafe
.crash("ProxyObject::prepareForSwap");
1323 if (pb
&& !pb
->prepareForSwap(cx
, &bvals
)) {
1324 oomUnsafe
.crash("ProxyObject::prepareForSwap");
1327 // Swap the main fields of the objects, whether they are native objects or
1329 char tmp
[sizeof(JSObject_Slots0
)];
1330 js_memcpy(&tmp
, a
, sizeof tmp
);
1331 js_memcpy(a
, b
, sizeof tmp
);
1332 js_memcpy(b
, &tmp
, sizeof tmp
);
1335 !NativeObject::fixupAfterSwap(cx
, b
.as
<NativeObject
>(), kb
, avals
)) {
1336 oomUnsafe
.crash("NativeObject::fixupAfterSwap");
1339 !NativeObject::fixupAfterSwap(cx
, a
.as
<NativeObject
>(), ka
, bvals
)) {
1340 oomUnsafe
.crash("NativeObject::fixupAfterSwap");
1343 if (pa
&& !b
->as
<ProxyObject
>().fixupAfterSwap(cx
, avals
)) {
1344 oomUnsafe
.crash("ProxyObject::fixupAfterSwap");
1346 if (pb
&& !a
->as
<ProxyObject
>().fixupAfterSwap(cx
, bvals
)) {
1347 oomUnsafe
.crash("ProxyObject::fixupAfterSwap");
1351 // Restore original unique IDs.
1352 if ((aid
|| bid
) && (na
|| nb
)) {
1353 if ((aid
&& !gc::SetOrUpdateUniqueId(cx
, a
, aid
)) ||
1354 (bid
&& !gc::SetOrUpdateUniqueId(cx
, b
, bid
))) {
1355 oomUnsafe
.crash("Failed to set unique ID after swap");
1358 MOZ_ASSERT_IF(aid
, gc::GetUniqueIdInfallible(a
) == aid
);
1359 MOZ_ASSERT_IF(bid
, gc::GetUniqueIdInfallible(b
) == bid
);
1361 // Preserve the IsUsedAsPrototype flag on the objects.
1362 if (aIsUsedAsPrototype
) {
1363 if (!JSObject::setIsUsedAsPrototype(cx
, a
)) {
1364 oomUnsafe
.crash("setIsUsedAsPrototype");
1367 if (bIsUsedAsPrototype
) {
1368 if (!JSObject::setIsUsedAsPrototype(cx
, b
)) {
1369 oomUnsafe
.crash("setIsUsedAsPrototype");
1374 * We need a write barrier here. If |a| was marked and |b| was not, then
1375 * after the swap, |b|'s guts would never be marked. The write barrier
1378 * Normally write barriers happen before the write. However, that's not
1379 * necessary here because nothing is being destroyed. We're just swapping.
1381 PreWriteBarrier(zone
, a
.get(), [](JSTracer
* trc
, JSObject
* obj
) {
1382 obj
->traceChildren(trc
);
1384 PreWriteBarrier(zone
, b
.get(), [](JSTracer
* trc
, JSObject
* obj
) {
1385 obj
->traceChildren(trc
);
1388 NotifyGCPostSwap(a
, b
, r
);
1391 static NativeObject
* DefineConstructorAndPrototype(
1392 JSContext
* cx
, HandleObject obj
, Handle
<JSAtom
*> atom
,
1393 HandleObject protoProto
, const JSClass
* clasp
, Native constructor
,
1394 unsigned nargs
, const JSPropertySpec
* ps
, const JSFunctionSpec
* fs
,
1395 const JSPropertySpec
* static_ps
, const JSFunctionSpec
* static_fs
,
1396 NativeObject
** ctorp
) {
1397 // Create the prototype object.
1398 Rooted
<NativeObject
*> proto(
1399 cx
, GlobalObject::createBlankPrototypeInheriting(cx
, clasp
, protoProto
));
1404 Rooted
<NativeObject
*> ctor(cx
);
1408 ctor
= NewNativeConstructor(cx
, constructor
, nargs
, atom
);
1413 if (!LinkConstructorAndPrototype(cx
, ctor
, proto
)) {
1418 if (!DefinePropertiesAndFunctions(cx
, proto
, ps
, fs
) ||
1420 !DefinePropertiesAndFunctions(cx
, ctor
, static_ps
, static_fs
))) {
1424 RootedId
id(cx
, AtomToId(atom
));
1425 RootedValue
value(cx
, ObjectValue(*ctor
));
1426 if (!DefineDataProperty(cx
, obj
, id
, value
, 0)) {
1436 NativeObject
* js::InitClass(JSContext
* cx
, HandleObject obj
,
1437 const JSClass
* protoClass
, HandleObject protoProto_
,
1438 const char* name
, Native constructor
,
1439 unsigned nargs
, const JSPropertySpec
* ps
,
1440 const JSFunctionSpec
* fs
,
1441 const JSPropertySpec
* static_ps
,
1442 const JSFunctionSpec
* static_fs
,
1443 NativeObject
** ctorp
) {
1444 Rooted
<JSAtom
*> atom(cx
, Atomize(cx
, name
, strlen(name
)));
1450 * All instances of the class will inherit properties from the prototype
1451 * object we are about to create (in DefineConstructorAndPrototype), which
1452 * in turn will inherit from protoProto.
1454 * If protoProto is nullptr, default to Object.prototype.
1455 * If protoClass is nullptr, default to PlainObject.
1457 RootedObject
protoProto(cx
, protoProto_
);
1459 protoProto
= &cx
->global()->getObjectPrototype();
1462 protoClass
= &PlainObject::class_
;
1465 return DefineConstructorAndPrototype(cx
, obj
, atom
, protoProto
, protoClass
,
1466 constructor
, nargs
, ps
, fs
, static_ps
,
1471 * Returns the original Object.prototype from the embedding-provided incumbent
1474 * Really, we want the incumbent global itself so we can pass it to other
1475 * embedding hooks which need it. Specifically, the enqueue promise hook
1476 * takes an incumbent global so it can set that on the PromiseCallbackJob
1479 * The reason for not just returning the global itself is that we'd need to
1480 * wrap it into the current compartment, and later unwrap it. Unwrapping
1481 * globals is tricky, though: we might accidentally unwrap through an inner
1482 * to its outer window and end up with the wrong global. Plain objects don't
1483 * have this problem, so we use the global's Object.prototype. The code using
1484 * it - e.g. EnqueuePromiseReactionJob - can then unwrap the object and get
1485 * its global without fear of unwrapping too far.
1487 bool js::GetObjectFromIncumbentGlobal(JSContext
* cx
, MutableHandleObject obj
) {
1488 Rooted
<GlobalObject
*> globalObj(cx
, cx
->runtime()->getIncumbentGlobal(cx
));
1494 obj
.set(&globalObj
->getObjectPrototype());
1496 // The object might be from a different compartment, so wrap it.
1497 if (obj
&& !cx
->compartment()->wrap(cx
, obj
)) {
1504 static bool IsStandardPrototype(JSObject
* obj
, JSProtoKey key
) {
1505 return obj
->nonCCWGlobal().maybeGetPrototype(key
) == obj
;
1508 JSProtoKey
JS::IdentifyStandardInstance(JSObject
* obj
) {
1509 // Note: The prototype shares its JSClass with instances.
1510 MOZ_ASSERT(!obj
->is
<CrossCompartmentWrapperObject
>());
1511 JSProtoKey key
= StandardProtoKeyOrNull(obj
);
1512 if (key
!= JSProto_Null
&& !IsStandardPrototype(obj
, key
)) {
1515 return JSProto_Null
;
1518 JSProtoKey
JS::IdentifyStandardPrototype(JSObject
* obj
) {
1519 // Note: The prototype shares its JSClass with instances.
1520 MOZ_ASSERT(!obj
->is
<CrossCompartmentWrapperObject
>());
1521 JSProtoKey key
= StandardProtoKeyOrNull(obj
);
1522 if (key
!= JSProto_Null
&& IsStandardPrototype(obj
, key
)) {
1525 return JSProto_Null
;
1528 JSProtoKey
JS::IdentifyStandardInstanceOrPrototype(JSObject
* obj
) {
1529 return StandardProtoKeyOrNull(obj
);
1532 JSProtoKey
JS::IdentifyStandardConstructor(JSObject
* obj
) {
1533 // Note that isNativeConstructor does not imply that we are a standard
1534 // constructor, but the converse is true (at least until we start having
1535 // self-hosted constructors for standard classes). This lets us avoid a costly
1536 // loop for many functions (which, depending on the call site, may be the
1538 if (!obj
->is
<JSFunction
>() ||
1539 !(obj
->as
<JSFunction
>().flags().isNativeConstructor())) {
1540 return JSProto_Null
;
1543 static_assert(JSProto_Null
== 0,
1544 "Loop below can start at 1 to skip JSProto_Null");
1546 GlobalObject
& global
= obj
->as
<JSFunction
>().global();
1547 for (size_t k
= 1; k
< JSProto_LIMIT
; ++k
) {
1548 JSProtoKey key
= static_cast<JSProtoKey
>(k
);
1549 if (global
.maybeGetConstructor(key
) == obj
) {
1554 return JSProto_Null
;
1557 bool js::LookupProperty(JSContext
* cx
, HandleObject obj
, js::HandleId id
,
1558 MutableHandleObject objp
, PropertyResult
* propp
) {
1559 if (LookupPropertyOp op
= obj
->getOpsLookupProperty()) {
1560 return op(cx
, obj
, id
, objp
, propp
);
1562 return NativeLookupPropertyInline
<CanGC
>(cx
, obj
.as
<NativeObject
>(), id
, objp
,
1566 bool js::LookupName(JSContext
* cx
, Handle
<PropertyName
*> name
,
1567 HandleObject envChain
, MutableHandleObject objp
,
1568 MutableHandleObject pobjp
, PropertyResult
* propp
) {
1569 RootedId
id(cx
, NameToId(name
));
1571 for (RootedObject
env(cx
, envChain
); env
; env
= env
->enclosingEnvironment()) {
1572 if (!LookupProperty(cx
, env
, id
, pobjp
, propp
)) {
1575 if (propp
->isFound()) {
1583 propp
->setNotFound();
1587 bool js::LookupNameNoGC(JSContext
* cx
, PropertyName
* name
, JSObject
* envChain
,
1588 JSObject
** objp
, NativeObject
** pobjp
,
1589 PropertyResult
* propp
) {
1590 AutoAssertNoPendingException
nogc(cx
);
1592 MOZ_ASSERT(!*objp
&& !*pobjp
&& propp
->isNotFound());
1594 for (JSObject
* env
= envChain
; env
; env
= env
->enclosingEnvironment()) {
1595 if (env
->getOpsLookupProperty()) {
1598 if (!NativeLookupPropertyInline
<NoGC
>(cx
, &env
->as
<NativeObject
>(),
1599 NameToId(name
), pobjp
, propp
)) {
1602 if (propp
->isFound()) {
1611 bool js::LookupNameWithGlobalDefault(JSContext
* cx
, Handle
<PropertyName
*> name
,
1612 HandleObject envChain
,
1613 MutableHandleObject objp
) {
1614 RootedId
id(cx
, NameToId(name
));
1616 RootedObject
pobj(cx
);
1617 PropertyResult prop
;
1619 RootedObject
env(cx
, envChain
);
1620 for (; !env
->is
<GlobalObject
>(); env
= env
->enclosingEnvironment()) {
1621 if (!LookupProperty(cx
, env
, id
, &pobj
, &prop
)) {
1624 if (prop
.isFound()) {
1633 bool js::LookupNameUnqualified(JSContext
* cx
, Handle
<PropertyName
*> name
,
1634 HandleObject envChain
,
1635 MutableHandleObject objp
) {
1636 RootedId
id(cx
, NameToId(name
));
1638 RootedObject
pobj(cx
);
1639 PropertyResult prop
;
1641 RootedObject
env(cx
, envChain
);
1642 for (; !env
->isUnqualifiedVarObj(); env
= env
->enclosingEnvironment()) {
1643 if (!LookupProperty(cx
, env
, id
, &pobj
, &prop
)) {
1646 if (prop
.isFound()) {
1651 // See note above RuntimeLexicalErrorObject.
1654 if (prop
.isFound() && name
!= cx
->names().dot_this_
) {
1655 // Treat Debugger environments specially for TDZ checks, as they
1656 // look like non-native environments but in fact wrap native
1658 if (env
->is
<DebugEnvironmentProxy
>()) {
1660 Rooted
<DebugEnvironmentProxy
*> envProxy(
1661 cx
, &env
->as
<DebugEnvironmentProxy
>());
1662 if (!DebugEnvironmentProxy::getMaybeSentinelValue(cx
, envProxy
, id
,
1666 isTDZ
= IsUninitializedLexical(v
);
1668 isTDZ
= IsUninitializedLexicalSlot(env
, prop
);
1673 env
= RuntimeLexicalErrorObject::create(cx
, env
,
1674 JSMSG_UNINITIALIZED_LEXICAL
);
1678 } else if (env
->is
<LexicalEnvironmentObject
>() &&
1679 !prop
.propertyInfo().writable()) {
1680 // Assigning to a named lambda callee name is a no-op in sloppy mode.
1681 if (!(env
->is
<BlockLexicalEnvironmentObject
>() &&
1682 env
->as
<BlockLexicalEnvironmentObject
>().scope().kind() ==
1683 ScopeKind::NamedLambda
)) {
1684 MOZ_ASSERT(name
!= cx
->names().dot_this_
);
1686 RuntimeLexicalErrorObject::create(cx
, env
, JSMSG_BAD_CONST_ASSIGN
);
1698 bool js::HasOwnProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
1700 if (obj
->is
<ProxyObject
>()) {
1701 return Proxy::hasOwn(cx
, obj
, id
, result
);
1704 if (GetOwnPropertyOp op
= obj
->getOpsGetOwnPropertyDescriptor()) {
1705 Rooted
<mozilla::Maybe
<PropertyDescriptor
>> desc(cx
);
1706 if (!op(cx
, obj
, id
, &desc
)) {
1709 *result
= desc
.isSome();
1713 PropertyResult prop
;
1714 if (!NativeLookupOwnProperty
<CanGC
>(cx
, obj
.as
<NativeObject
>(), id
, &prop
)) {
1717 *result
= prop
.isFound();
1721 bool js::LookupPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1722 NativeObject
** objp
, PropertyResult
* propp
) {
1723 if (obj
->getOpsLookupProperty()) {
1726 return NativeLookupPropertyInline
<NoGC
, LookupResolveMode::CheckMayResolve
>(
1727 cx
, &obj
->as
<NativeObject
>(), id
, objp
, propp
);
1730 bool js::LookupOwnPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1731 PropertyResult
* propp
) {
1732 if (obj
->getOpsLookupProperty()) {
1735 return NativeLookupOwnPropertyInline
<NoGC
,
1736 LookupResolveMode::CheckMayResolve
>(
1737 cx
, &obj
->as
<NativeObject
>(), id
, propp
);
1740 static inline bool NativeGetPureInline(NativeObject
* pobj
, jsid id
,
1741 PropertyResult prop
, Value
* vp
,
1743 if (prop
.isDenseElement()) {
1744 *vp
= pobj
->getDenseElement(prop
.denseElementIndex());
1747 if (prop
.isTypedArrayElement()) {
1748 size_t idx
= prop
.typedArrayElementIndex();
1749 return pobj
->as
<TypedArrayObject
>().getElement
<NoGC
>(cx
, idx
, vp
);
1752 // Fail if we have a custom getter.
1753 PropertyInfo propInfo
= prop
.propertyInfo();
1754 if (!propInfo
.isDataProperty()) {
1758 *vp
= pobj
->getSlot(propInfo
.slot());
1759 MOZ_ASSERT(!vp
->isMagic());
1763 bool js::GetPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
, Value
* vp
) {
1765 PropertyResult prop
;
1766 if (!LookupPropertyPure(cx
, obj
, id
, &pobj
, &prop
)) {
1770 if (prop
.isNotFound()) {
1775 return NativeGetPureInline(pobj
, id
, prop
, vp
, cx
);
1778 bool js::GetOwnPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
, Value
* vp
,
1780 PropertyResult prop
;
1781 if (!LookupOwnPropertyPure(cx
, obj
, id
, &prop
)) {
1785 if (prop
.isNotFound()) {
1792 return obj
->is
<NativeObject
>() &&
1793 NativeGetPureInline(&obj
->as
<NativeObject
>(), id
, prop
, vp
, cx
);
1796 static inline bool NativeGetGetterPureInline(NativeObject
* holder
,
1797 PropertyResult prop
,
1799 MOZ_ASSERT(prop
.isNativeProperty());
1801 PropertyInfo propInfo
= prop
.propertyInfo();
1802 if (holder
->hasGetter(propInfo
)) {
1803 JSObject
* getter
= holder
->getGetter(propInfo
);
1804 if (getter
->is
<JSFunction
>()) {
1805 *fp
= &getter
->as
<JSFunction
>();
1814 bool js::GetGetterPure(JSContext
* cx
, JSObject
* obj
, jsid id
, JSFunction
** fp
) {
1815 /* Just like GetPropertyPure, but get getter function, without invoking
1818 PropertyResult prop
;
1819 if (!LookupPropertyPure(cx
, obj
, id
, &pobj
, &prop
)) {
1823 if (prop
.isNotFound()) {
1828 return prop
.isNativeProperty() && NativeGetGetterPureInline(pobj
, prop
, fp
);
1831 bool js::GetOwnGetterPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1833 JS::AutoCheckCannotGC nogc
;
1834 PropertyResult prop
;
1835 if (!LookupOwnPropertyPure(cx
, obj
, id
, &prop
)) {
1839 if (prop
.isNotFound()) {
1844 return prop
.isNativeProperty() &&
1845 NativeGetGetterPureInline(&obj
->as
<NativeObject
>(), prop
, fp
);
1848 bool js::GetOwnNativeGetterPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1850 JS::AutoCheckCannotGC nogc
;
1852 PropertyResult prop
;
1853 if (!LookupOwnPropertyPure(cx
, obj
, id
, &prop
)) {
1857 if (!prop
.isNativeProperty()) {
1861 PropertyInfo propInfo
= prop
.propertyInfo();
1863 NativeObject
* nobj
= &obj
->as
<NativeObject
>();
1864 if (!nobj
->hasGetter(propInfo
)) {
1868 JSObject
* getterObj
= nobj
->getGetter(propInfo
);
1869 if (!getterObj
->is
<JSFunction
>()) {
1873 JSFunction
* getter
= &getterObj
->as
<JSFunction
>();
1874 if (!getter
->isNativeFun()) {
1878 *native
= getter
->native();
1882 bool js::HasOwnDataPropertyPure(JSContext
* cx
, JSObject
* obj
, jsid id
,
1884 PropertyResult prop
;
1885 if (!LookupOwnPropertyPure(cx
, obj
, id
, &prop
)) {
1889 *result
= prop
.isNativeProperty() && prop
.propertyInfo().isDataProperty();
1893 bool js::GetPrototypeIfOrdinary(JSContext
* cx
, HandleObject obj
,
1894 bool* isOrdinary
, MutableHandleObject protop
) {
1895 if (obj
->is
<js::ProxyObject
>()) {
1896 return js::Proxy::getPrototypeIfOrdinary(cx
, obj
, isOrdinary
, protop
);
1900 protop
.set(obj
->staticPrototype());
1904 /*** ES6 standard internal methods ******************************************/
1906 bool js::SetPrototype(JSContext
* cx
, HandleObject obj
, HandleObject proto
,
1907 JS::ObjectOpResult
& result
) {
1908 // The proxy trap subsystem fully handles prototype-setting for proxies
1909 // with dynamic [[Prototype]]s.
1910 if (obj
->hasDynamicPrototype()) {
1911 MOZ_ASSERT(obj
->is
<ProxyObject
>());
1912 return Proxy::setPrototype(cx
, obj
, proto
, result
);
1916 * ES6 9.1.2 step 3-4 if |obj.[[Prototype]]| has SameValue as |proto| return
1917 * true. Since the values in question are objects, we can just compare
1920 if (proto
== obj
->staticPrototype()) {
1921 return result
.succeed();
1924 /* Disallow mutation of immutable [[Prototype]]s. */
1925 if (obj
->staticPrototypeIsImmutable()) {
1926 return result
.fail(JSMSG_CANT_SET_PROTO
);
1930 * Disallow mutating the [[Prototype]] on WebAssembly GC objects.
1932 if (obj
->is
<WasmGcObject
>()) {
1933 return result
.fail(JSMSG_CANT_SET_PROTO
);
1936 /* ES6 9.1.2 step 5 forbids changing [[Prototype]] if not [[Extensible]]. */
1938 if (!IsExtensible(cx
, obj
, &extensible
)) {
1942 return result
.fail(JSMSG_CANT_SET_PROTO
);
1946 * ES6 9.1.2 step 6 forbids generating cyclical prototype chains. But we
1947 * have to do this comparison on the observable WindowProxy, not on the
1948 * possibly-Window object we're setting the proto on.
1950 RootedObject
objMaybeWindowProxy(cx
, ToWindowProxyIfWindow(obj
));
1951 RootedObject
obj2(cx
, proto
);
1953 MOZ_ASSERT(!IsWindow(obj2
));
1954 if (obj2
== objMaybeWindowProxy
) {
1955 return result
.fail(JSMSG_CANT_SET_PROTO_CYCLE
);
1959 if (!GetPrototypeIfOrdinary(cx
, obj2
, &isOrdinary
, &obj2
)) {
1967 Rooted
<TaggedProto
> taggedProto(cx
, TaggedProto(proto
));
1968 if (!JSObject::setProtoUnchecked(cx
, obj
, taggedProto
)) {
1972 return result
.succeed();
1975 bool js::SetPrototype(JSContext
* cx
, HandleObject obj
, HandleObject proto
) {
1976 ObjectOpResult result
;
1977 return SetPrototype(cx
, obj
, proto
, result
) && result
.checkStrict(cx
, obj
);
1980 bool js::PreventExtensions(JSContext
* cx
, HandleObject obj
,
1981 ObjectOpResult
& result
) {
1982 if (obj
->is
<ProxyObject
>()) {
1983 return js::Proxy::preventExtensions(cx
, obj
, result
);
1986 if (obj
->is
<WasmGcObject
>()) {
1987 return result
.failCantPreventExtensions();
1990 if (!obj
->nonProxyIsExtensible()) {
1991 // If the following assertion fails, there's somewhere else a missing
1992 // call to shrinkCapacityToInitializedLength() which needs to be found
1994 MOZ_ASSERT_IF(obj
->is
<NativeObject
>(),
1995 obj
->as
<NativeObject
>().getDenseInitializedLength() ==
1996 obj
->as
<NativeObject
>().getDenseCapacity());
1998 return result
.succeed();
2001 if (obj
->is
<NativeObject
>()) {
2002 // Force lazy properties to be resolved.
2003 Handle
<NativeObject
*> nobj
= obj
.as
<NativeObject
>();
2004 if (!ResolveLazyProperties(cx
, nobj
)) {
2008 // Prepare the elements. We have to do this before we mark the object
2009 // non-extensible; that's fine because these changes are not observable.
2010 ObjectElements::PrepareForPreventExtensions(cx
, nobj
);
2013 // Finally, set the NotExtensible flag on the Shape and ObjectElements.
2014 if (!JSObject::setFlag(cx
, obj
, ObjectFlag::NotExtensible
)) {
2017 if (obj
->is
<NativeObject
>()) {
2018 ObjectElements::PreventExtensions(&obj
->as
<NativeObject
>());
2021 return result
.succeed();
2024 bool js::PreventExtensions(JSContext
* cx
, HandleObject obj
) {
2025 ObjectOpResult result
;
2026 return PreventExtensions(cx
, obj
, result
) && result
.checkStrict(cx
, obj
);
2029 bool js::GetOwnPropertyDescriptor(
2030 JSContext
* cx
, HandleObject obj
, HandleId id
,
2031 MutableHandle
<Maybe
<PropertyDescriptor
>> desc
) {
2032 if (GetOwnPropertyOp op
= obj
->getOpsGetOwnPropertyDescriptor()) {
2033 bool ok
= op(cx
, obj
, id
, desc
);
2034 if (ok
&& desc
.isSome()) {
2035 desc
->assertComplete();
2040 return NativeGetOwnPropertyDescriptor(cx
, obj
.as
<NativeObject
>(), id
, desc
);
2043 bool js::DefineProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2044 Handle
<PropertyDescriptor
> desc
) {
2045 ObjectOpResult result
;
2046 return DefineProperty(cx
, obj
, id
, desc
, result
) &&
2047 result
.checkStrict(cx
, obj
, id
);
2050 bool js::DefineProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2051 Handle
<PropertyDescriptor
> desc
,
2052 ObjectOpResult
& result
) {
2054 if (DefinePropertyOp op
= obj
->getOpsDefineProperty()) {
2055 return op(cx
, obj
, id
, desc
, result
);
2057 return NativeDefineProperty(cx
, obj
.as
<NativeObject
>(), id
, desc
, result
);
2060 bool js::DefineAccessorProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2061 HandleObject getter
, HandleObject setter
,
2062 unsigned attrs
, ObjectOpResult
& result
) {
2063 Rooted
<PropertyDescriptor
> desc(
2064 cx
, PropertyDescriptor::Accessor(
2065 getter
? mozilla::Some(getter
) : mozilla::Nothing(),
2066 setter
? mozilla::Some(setter
) : mozilla::Nothing(), attrs
));
2068 if (DefinePropertyOp op
= obj
->getOpsDefineProperty()) {
2069 return op(cx
, obj
, id
, desc
, result
);
2071 return NativeDefineProperty(cx
, obj
.as
<NativeObject
>(), id
, desc
, result
);
2074 bool js::DefineDataProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2075 HandleValue value
, unsigned attrs
,
2076 ObjectOpResult
& result
) {
2077 Rooted
<PropertyDescriptor
> desc(cx
, PropertyDescriptor::Data(value
, attrs
));
2078 if (DefinePropertyOp op
= obj
->getOpsDefineProperty()) {
2079 return op(cx
, obj
, id
, desc
, result
);
2081 return NativeDefineProperty(cx
, obj
.as
<NativeObject
>(), id
, desc
, result
);
2084 bool js::DefineAccessorProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2085 HandleObject getter
, HandleObject setter
,
2087 ObjectOpResult result
;
2088 if (!DefineAccessorProperty(cx
, obj
, id
, getter
, setter
, attrs
, result
)) {
2092 result
.reportError(cx
, obj
, id
);
2098 bool js::DefineDataProperty(JSContext
* cx
, HandleObject obj
, HandleId id
,
2099 HandleValue value
, unsigned attrs
) {
2100 ObjectOpResult result
;
2101 if (!DefineDataProperty(cx
, obj
, id
, value
, attrs
, result
)) {
2105 result
.reportError(cx
, obj
, id
);
2111 bool js::DefineDataProperty(JSContext
* cx
, HandleObject obj
, PropertyName
* name
,
2112 HandleValue value
, unsigned attrs
) {
2113 RootedId
id(cx
, NameToId(name
));
2114 return DefineDataProperty(cx
, obj
, id
, value
, attrs
);
2117 bool js::DefineDataElement(JSContext
* cx
, HandleObject obj
, uint32_t index
,
2118 HandleValue value
, unsigned attrs
) {
2120 if (!IndexToId(cx
, index
, &id
)) {
2123 return DefineDataProperty(cx
, obj
, id
, value
, attrs
);
2126 /*** SpiderMonkey nonstandard internal methods ******************************/
2128 // Mark an object as having an immutable prototype
2130 // NOTE: This does not correspond to the SetImmutablePrototype ECMAScript
2132 bool js::SetImmutablePrototype(JSContext
* cx
, HandleObject obj
,
2134 if (obj
->hasDynamicPrototype()) {
2135 return Proxy::setImmutablePrototype(cx
, obj
, succeeded
);
2138 if (!JSObject::setFlag(cx
, obj
, ObjectFlag::ImmutablePrototype
)) {
2145 bool js::GetPropertyDescriptor(
2146 JSContext
* cx
, HandleObject obj
, HandleId id
,
2147 MutableHandle
<mozilla::Maybe
<PropertyDescriptor
>> desc
,
2148 MutableHandleObject holder
) {
2149 RootedObject
pobj(cx
);
2150 for (pobj
= obj
; pobj
;) {
2151 if (!GetOwnPropertyDescriptor(cx
, pobj
, id
, desc
)) {
2155 if (desc
.isSome()) {
2160 if (!GetPrototype(cx
, pobj
, &pobj
)) {
2165 MOZ_ASSERT(desc
.isNothing());
2166 holder
.set(nullptr);
2172 extern bool PropertySpecNameToId(JSContext
* cx
, JSPropertySpec::Name name
,
2173 MutableHandleId id
);
2175 // If a property or method is part of an experimental feature that can be
2176 // disabled at run-time by a preference, we keep it in the JSFunctionSpec /
2177 // JSPropertySpec list, but omit the definition if the preference is off.
2178 JS_PUBLIC_API
bool js::ShouldIgnorePropertyDefinition(JSContext
* cx
,
2179 JSProtoKey key
, jsid id
) {
2180 if (!cx
->realm()->creationOptions().getToSourceEnabled() &&
2181 (id
== NameToId(cx
->names().toSource
) ||
2182 id
== NameToId(cx
->names().uneval
))) {
2186 if (key
== JSProto_FinalizationRegistry
&&
2187 cx
->realm()->creationOptions().getWeakRefsEnabled() ==
2188 JS::WeakRefSpecifier::EnabledWithoutCleanupSome
&&
2189 id
== NameToId(cx
->names().cleanupSome
)) {
2193 // It's gently surprising that this is JSProto_Function, but the trick
2194 // to realize is that this is a -constructor function-, not a function
2195 // on the prototype; and the proto of the constructor is JSProto_Function.
2196 if (key
== JSProto_Function
&&
2197 !cx
->realm()->creationOptions().getArrayGroupingEnabled() &&
2198 (id
== NameToId(cx
->names().groupBy
))) {
2202 #ifdef NIGHTLY_BUILD
2203 if (key
== JSProto_Set
&&
2204 !cx
->realm()->creationOptions().getNewSetMethodsEnabled() &&
2205 (id
== NameToId(cx
->names().union_
) ||
2206 id
== NameToId(cx
->names().difference
) ||
2207 id
== NameToId(cx
->names().intersection
) ||
2208 id
== NameToId(cx
->names().isSubsetOf
) ||
2209 id
== NameToId(cx
->names().isSupersetOf
) ||
2210 id
== NameToId(cx
->names().isDisjointFrom
) ||
2211 id
== NameToId(cx
->names().symmetricDifference
))) {
2216 #ifdef NIGHTLY_BUILD
2217 if (key
== JSProto_ArrayBuffer
&&
2218 !cx
->realm()->creationOptions().getArrayBufferTransferEnabled() &&
2219 (id
== NameToId(cx
->names().transfer
) ||
2220 id
== NameToId(cx
->names().transferToFixedLength
) ||
2221 id
== NameToId(cx
->names().detached
))) {
2225 if (key
== JSProto_ArrayBuffer
&&
2226 !cx
->realm()->creationOptions().getArrayBufferResizableEnabled() &&
2227 (id
== NameToId(cx
->names().maxByteLength
) ||
2228 id
== NameToId(cx
->names().resizable
) ||
2229 id
== NameToId(cx
->names().resize
))) {
2233 if (key
== JSProto_SharedArrayBuffer
&&
2234 !cx
->realm()->creationOptions().getSharedArrayBufferGrowableEnabled() &&
2235 (id
== NameToId(cx
->names().maxByteLength
) ||
2236 id
== NameToId(cx
->names().growable
) ||
2237 id
== NameToId(cx
->names().grow
))) {
2245 static bool DefineFunctionFromSpec(JSContext
* cx
, HandleObject obj
,
2246 const JSFunctionSpec
* fs
) {
2248 if (!PropertySpecNameToId(cx
, fs
->name
, &id
)) {
2252 if (ShouldIgnorePropertyDefinition(cx
, StandardProtoKeyOrNull(obj
), id
)) {
2256 JSFunction
* fun
= NewFunctionFromSpec(cx
, fs
, id
);
2261 RootedValue
funVal(cx
, ObjectValue(*fun
));
2262 return DefineDataProperty(cx
, obj
, id
, funVal
, fs
->flags
& ~JSFUN_FLAGS_MASK
);
2265 bool js::DefineFunctions(JSContext
* cx
, HandleObject obj
,
2266 const JSFunctionSpec
* fs
) {
2267 for (; fs
->name
; fs
++) {
2268 if (!DefineFunctionFromSpec(cx
, obj
, fs
)) {
2275 /*** ToPrimitive ************************************************************/
2278 * Gets |obj[id]|. If that value's not callable, returns true and stores an
2279 * object value in *vp. If it's callable, calls it with no arguments and |obj|
2280 * as |this|, returning the result in *vp.
2282 * This is a mini-abstraction for ES6 draft rev 36 (2015 Mar 17),
2283 * 7.1.1, second algorithm (OrdinaryToPrimitive), steps 5.a-c.
2285 static bool MaybeCallMethod(JSContext
* cx
, HandleObject obj
, HandleId id
,
2286 MutableHandleValue vp
) {
2287 if (!GetProperty(cx
, obj
, obj
, id
, vp
)) {
2290 if (!IsCallable(vp
)) {
2295 return js::Call(cx
, vp
, obj
, vp
);
2298 static bool ReportCantConvert(JSContext
* cx
, unsigned errorNumber
,
2299 HandleObject obj
, JSType hint
) {
2300 const JSClass
* clasp
= obj
->getClass();
2302 // Avoid recursive death when decompiling in ReportValueError.
2303 RootedString
str(cx
);
2304 if (hint
== JSTYPE_STRING
) {
2305 str
= JS_AtomizeString(cx
, clasp
->name
);
2313 RootedValue
val(cx
, ObjectValue(*obj
));
2314 ReportValueError(cx
, errorNumber
, JSDVG_SEARCH_STACK
, val
, str
,
2315 hint
== JSTYPE_UNDEFINED
? "primitive type"
2316 : hint
== JSTYPE_STRING
? "string"
2321 bool JS::OrdinaryToPrimitive(JSContext
* cx
, HandleObject obj
, JSType hint
,
2322 MutableHandleValue vp
) {
2323 MOZ_ASSERT(hint
== JSTYPE_NUMBER
|| hint
== JSTYPE_STRING
||
2324 hint
== JSTYPE_UNDEFINED
);
2326 Rooted
<jsid
> id(cx
);
2328 const JSClass
* clasp
= obj
->getClass();
2329 if (hint
== JSTYPE_STRING
) {
2330 id
= NameToId(cx
->names().toString
);
2332 bool calledToString
= false;
2333 if (clasp
== &StringObject::class_
) {
2334 // Optimize (new String(...)).toString().
2335 StringObject
* nobj
= &obj
->as
<StringObject
>();
2336 if (HasNativeMethodPure(nobj
, cx
->names().toString
, str_toString
, cx
)) {
2337 vp
.setString(nobj
->unbox());
2340 } else if (clasp
== &PlainObject::class_
) {
2342 if (GetPropertyPure(cx
, obj
, id
, vp
.address()) &&
2343 IsFunctionObject(vp
, &fun
)) {
2344 // Common case: we have a toString function. Try to short-circuit if
2345 // it's Object.prototype.toString and there's no @@toStringTag.
2346 if (fun
->maybeNative() == obj_toString
&&
2347 !MaybeHasInterestingSymbolProperty(
2348 cx
, obj
, cx
->wellKnownSymbols().toStringTag
)) {
2349 vp
.setString(cx
->names().object_Object_
);
2352 if (!js::Call(cx
, vp
, obj
, vp
)) {
2355 calledToString
= true;
2359 if (!calledToString
) {
2360 if (!MaybeCallMethod(cx
, obj
, id
, vp
)) {
2364 if (vp
.isPrimitive()) {
2368 id
= NameToId(cx
->names().valueOf
);
2369 if (!MaybeCallMethod(cx
, obj
, id
, vp
)) {
2372 if (vp
.isPrimitive()) {
2376 id
= NameToId(cx
->names().valueOf
);
2378 if (clasp
== &StringObject::class_
) {
2379 // Optimize new String(...).valueOf().
2380 StringObject
* nobj
= &obj
->as
<StringObject
>();
2381 if (HasNativeMethodPure(nobj
, cx
->names().valueOf
, str_toString
, cx
)) {
2382 vp
.setString(nobj
->unbox());
2385 } else if (clasp
== &NumberObject::class_
) {
2386 // Optimize new Number(...).valueOf().
2387 NumberObject
* nobj
= &obj
->as
<NumberObject
>();
2388 if (HasNativeMethodPure(nobj
, cx
->names().valueOf
, num_valueOf
, cx
)) {
2389 vp
.setNumber(nobj
->unbox());
2394 if (!MaybeCallMethod(cx
, obj
, id
, vp
)) {
2397 if (vp
.isPrimitive()) {
2401 id
= NameToId(cx
->names().toString
);
2402 if (!MaybeCallMethod(cx
, obj
, id
, vp
)) {
2405 if (vp
.isPrimitive()) {
2410 return ReportCantConvert(cx
, JSMSG_CANT_CONVERT_TO
, obj
, hint
);
2413 bool js::ToPrimitiveSlow(JSContext
* cx
, JSType preferredType
,
2414 MutableHandleValue vp
) {
2415 // Step numbers refer to the first algorithm listed in ES6 draft rev 36
2416 // (2015 Mar 17) 7.1.1 ToPrimitive.
2417 MOZ_ASSERT(preferredType
== JSTYPE_UNDEFINED
||
2418 preferredType
== JSTYPE_STRING
|| preferredType
== JSTYPE_NUMBER
);
2419 RootedObject
obj(cx
, &vp
.toObject());
2422 RootedValue
method(cx
);
2423 if (!GetInterestingSymbolProperty(cx
, obj
, cx
->wellKnownSymbols().toPrimitive
,
2429 if (!method
.isNullOrUndefined()) {
2430 // Step 6 of GetMethod. js::Call() below would do this check and throw a
2431 // TypeError anyway, but this produces a better error message.
2432 if (!IsCallable(method
)) {
2433 return ReportCantConvert(cx
, JSMSG_TOPRIMITIVE_NOT_CALLABLE
, obj
,
2437 // Steps 1-3, 6.a-b.
2440 StringValue(preferredType
== JSTYPE_STRING
? cx
->names().string
2441 : preferredType
== JSTYPE_NUMBER
? cx
->names().number
2442 : cx
->names().default_
));
2444 if (!js::Call(cx
, method
, vp
, arg0
, vp
)) {
2449 if (vp
.isObject()) {
2450 return ReportCantConvert(cx
, JSMSG_TOPRIMITIVE_RETURNED_OBJECT
, obj
,
2456 return OrdinaryToPrimitive(cx
, obj
, preferredType
, vp
);
2459 /* ES6 draft rev 28 (2014 Oct 14) 7.1.14 */
2460 bool js::ToPropertyKeySlow(JSContext
* cx
, HandleValue argument
,
2461 MutableHandleId result
) {
2462 MOZ_ASSERT(argument
.isObject());
2465 RootedValue
key(cx
, argument
);
2466 if (!ToPrimitiveSlow(cx
, JSTYPE_STRING
, &key
)) {
2471 return PrimitiveValueToId
<CanGC
>(cx
, key
, result
);
2476 bool js::IsPrototypeOf(JSContext
* cx
, HandleObject protoObj
, JSObject
* obj
,
2478 RootedObject
obj2(cx
, obj
);
2480 // The [[Prototype]] chain might be cyclic.
2481 if (!CheckForInterrupt(cx
)) {
2484 if (!GetPrototype(cx
, obj2
, &obj2
)) {
2491 if (obj2
== protoObj
) {
2498 JSObject
* js::PrimitiveToObject(JSContext
* cx
, const Value
& v
) {
2499 MOZ_ASSERT(v
.isPrimitive());
2502 case ValueType::String
: {
2503 Rooted
<JSString
*> str(cx
, v
.toString());
2504 return StringObject::create(cx
, str
);
2506 case ValueType::Double
:
2507 case ValueType::Int32
:
2508 return NumberObject::create(cx
, v
.toNumber());
2509 case ValueType::Boolean
:
2510 return BooleanObject::create(cx
, v
.toBoolean());
2511 case ValueType::Symbol
: {
2512 RootedSymbol
symbol(cx
, v
.toSymbol());
2513 return SymbolObject::create(cx
, symbol
);
2515 case ValueType::BigInt
: {
2516 RootedBigInt
bigInt(cx
, v
.toBigInt());
2517 return BigIntObject::create(cx
, bigInt
);
2519 #ifdef ENABLE_RECORD_TUPLE
2520 case ValueType::ExtendedPrimitive
: {
2521 JSObject
& obj
= v
.toExtendedPrimitive();
2523 if (obj
.is
<RecordType
>()) {
2524 Rooted
<RecordType
*> rec(cx
, &obj
.as
<RecordType
>());
2525 return RecordObject::create(cx
, rec
);
2527 if (obj
.is
<TupleType
>()) {
2528 Rooted
<TupleType
*> tuple(cx
, &obj
.as
<TupleType
>());
2529 return TupleObject::create(cx
, tuple
);
2532 MOZ_CRASH("Unexpected ExtendedPrimitive type.");
2535 case ValueType::Undefined
:
2536 case ValueType::Null
:
2537 case ValueType::Magic
:
2538 case ValueType::PrivateGCThing
:
2539 case ValueType::Object
:
2543 MOZ_CRASH("unexpected type");
2546 // Like PrimitiveToObject, but returns the JSProtoKey of the prototype that
2547 // would be used without actually creating the object.
2548 JSProtoKey
js::PrimitiveToProtoKey(JSContext
* cx
, const Value
& v
) {
2549 MOZ_ASSERT(v
.isPrimitive());
2552 case ValueType::String
:
2553 return JSProto_String
;
2554 case ValueType::Double
:
2555 case ValueType::Int32
:
2556 return JSProto_Number
;
2557 case ValueType::Boolean
:
2558 return JSProto_Boolean
;
2559 case ValueType::Symbol
:
2560 return JSProto_Symbol
;
2561 case ValueType::BigInt
:
2562 return JSProto_BigInt
;
2563 #ifdef ENABLE_RECORD_TUPLE
2564 case ValueType::ExtendedPrimitive
:
2565 if (v
.toExtendedPrimitive().is
<TupleType
>()) {
2566 return JSProto_Tuple
;
2568 if (v
.toExtendedPrimitive().is
<RecordType
>()) {
2569 return JSProto_Null
;
2571 MOZ_CRASH("Unsupported ExtendedPrimitive");
2573 case ValueType::Undefined
:
2574 case ValueType::Null
:
2575 case ValueType::Magic
:
2576 case ValueType::PrivateGCThing
:
2577 case ValueType::Object
:
2581 MOZ_CRASH("unexpected type");
2585 * Invokes the ES5 ToObject algorithm on vp, returning the result. If vp might
2586 * already be an object, use ToObject. reportScanStack controls how null and
2587 * undefined errors are reported.
2589 * Callers must handle the already-object case.
2591 JSObject
* js::ToObjectSlow(JSContext
* cx
, JS::HandleValue val
,
2592 bool reportScanStack
) {
2593 MOZ_ASSERT(!val
.isMagic());
2594 MOZ_ASSERT(!val
.isObject());
2596 if (val
.isNullOrUndefined()) {
2597 ReportIsNullOrUndefinedForPropertyAccess(
2598 cx
, val
, reportScanStack
? JSDVG_SEARCH_STACK
: JSDVG_IGNORE_STACK
);
2602 return PrimitiveToObject(cx
, val
);
2605 JSObject
* js::ToObjectSlowForPropertyAccess(JSContext
* cx
, JS::HandleValue val
,
2606 int valIndex
, HandleId key
) {
2607 MOZ_ASSERT(!val
.isMagic());
2608 MOZ_ASSERT(!val
.isObject());
2610 if (val
.isNullOrUndefined()) {
2611 ReportIsNullOrUndefinedForPropertyAccess(cx
, val
, valIndex
, key
);
2615 return PrimitiveToObject(cx
, val
);
2618 JSObject
* js::ToObjectSlowForPropertyAccess(JSContext
* cx
, JS::HandleValue val
,
2620 Handle
<PropertyName
*> key
) {
2621 MOZ_ASSERT(!val
.isMagic());
2622 MOZ_ASSERT(!val
.isObject());
2624 if (val
.isNullOrUndefined()) {
2625 RootedId
keyId(cx
, NameToId(key
));
2626 ReportIsNullOrUndefinedForPropertyAccess(cx
, val
, valIndex
, keyId
);
2630 return PrimitiveToObject(cx
, val
);
2633 JSObject
* js::ToObjectSlowForPropertyAccess(JSContext
* cx
, JS::HandleValue val
,
2635 HandleValue keyValue
) {
2636 MOZ_ASSERT(!val
.isMagic());
2637 MOZ_ASSERT(!val
.isObject());
2639 if (val
.isNullOrUndefined()) {
2641 if (keyValue
.isPrimitive()) {
2642 if (!PrimitiveValueToId
<CanGC
>(cx
, keyValue
, &key
)) {
2645 ReportIsNullOrUndefinedForPropertyAccess(cx
, val
, valIndex
, key
);
2647 ReportIsNullOrUndefinedForPropertyAccess(cx
, val
, valIndex
);
2652 return PrimitiveToObject(cx
, val
);
2655 JSObject
* js::GetThisObject(JSObject
* obj
) {
2656 // Use the WindowProxy if the global is a Window, as Window must never be
2657 // exposed to script.
2658 if (obj
->is
<GlobalObject
>()) {
2659 return ToWindowProxyIfWindow(obj
);
2662 // We should not expose any environments except NSVOs to script. The NSVO is
2663 // pretending to be the global object in this case.
2664 MOZ_ASSERT(obj
->is
<NonSyntacticVariablesObject
>() ||
2665 !obj
->is
<EnvironmentObject
>());
2670 JSObject
* js::GetThisObjectOfLexical(JSObject
* env
) {
2671 return env
->as
<ExtensibleLexicalEnvironmentObject
>().thisObject();
2674 JSObject
* js::GetThisObjectOfWith(JSObject
* env
) {
2675 MOZ_ASSERT(env
->is
<WithEnvironmentObject
>());
2676 return GetThisObject(env
->as
<WithEnvironmentObject
>().withThis());
2679 class GetObjectSlotNameFunctor
: public JS::TracingContext::Functor
{
2683 explicit GetObjectSlotNameFunctor(JSObject
* ctx
) : obj(ctx
) {}
2684 virtual void operator()(JS::TracingContext
* trc
, char* buf
,
2685 size_t bufsize
) override
;
2688 void GetObjectSlotNameFunctor::operator()(JS::TracingContext
* tcx
, char* buf
,
2690 MOZ_ASSERT(tcx
->index() != JS::TracingContext::InvalidIndex
);
2692 uint32_t slot
= uint32_t(tcx
->index());
2694 Maybe
<PropertyKey
> key
;
2695 if (obj
->is
<NativeObject
>()) {
2696 NativeShape
* shape
= obj
->as
<NativeObject
>().shape();
2697 for (ShapePropertyIter
<NoGC
> iter(shape
); !iter
.done(); iter
++) {
2698 if (iter
->hasSlot() && iter
->slot() == slot
) {
2699 key
.emplace(iter
->key());
2705 if (key
.isNothing()) {
2707 const char* slotname
= nullptr;
2708 const char* pattern
= nullptr;
2709 if (obj
->is
<GlobalObject
>()) {
2710 pattern
= "CLASS_OBJECT(%s)";
2714 #define TEST_SLOT_MATCHES_PROTOTYPE(name, clasp) \
2715 else if ((JSProto_##name) == slot) { \
2718 JS_FOR_EACH_PROTOTYPE(TEST_SLOT_MATCHES_PROTOTYPE
)
2719 #undef TEST_SLOT_MATCHES_PROTOTYPE
2722 if (obj
->is
<EnvironmentObject
>()) {
2723 if (slot
== EnvironmentObject::enclosingEnvironmentSlot()) {
2724 slotname
= "enclosing_environment";
2725 } else if (obj
->is
<CallObject
>()) {
2726 if (slot
== CallObject::calleeSlot()) {
2727 slotname
= "callee_slot";
2729 } else if (obj
->is
<WithEnvironmentObject
>()) {
2730 if (slot
== WithEnvironmentObject::objectSlot()) {
2731 slotname
= "with_object";
2732 } else if (slot
== WithEnvironmentObject::thisSlot()) {
2733 slotname
= "with_this";
2740 snprintf(buf
, bufsize
, pattern
, slotname
);
2742 snprintf(buf
, bufsize
, "**UNKNOWN SLOT %" PRIu32
"**", slot
);
2747 snprintf(buf
, bufsize
, "%" PRId32
, key
->toInt());
2748 } else if (key
->isAtom()) {
2749 PutEscapedString(buf
, bufsize
, key
->toAtom(), 0);
2750 } else if (key
->isSymbol()) {
2751 snprintf(buf
, bufsize
, "**SYMBOL KEY**");
2753 snprintf(buf
, bufsize
, "**FINALIZED ATOM KEY**");
2758 /*** Debugging routines *****************************************************/
2760 #if defined(DEBUG) || defined(JS_JITSPEW)
2763 * Routines to print out values during debugging. These are FRIEND_API to help
2764 * the debugger find them and to support temporarily hacking js::Dump* calls
2768 static void dumpValue(const Value
& v
, js::GenericPrinter
& out
) {
2770 case ValueType::Null
:
2773 case ValueType::Undefined
:
2774 out
.put("undefined");
2776 case ValueType::Int32
:
2777 out
.printf("%d", v
.toInt32());
2779 case ValueType::Double
:
2780 out
.printf("%g", v
.toDouble());
2782 case ValueType::String
:
2783 v
.toString()->dumpNoNewline(out
);
2785 case ValueType::Symbol
:
2786 v
.toSymbol()->dump(out
);
2788 case ValueType::BigInt
:
2789 v
.toBigInt()->dump(out
);
2791 case ValueType::Object
:
2792 if (v
.toObject().is
<JSFunction
>()) {
2793 JSFunction
* fun
= &v
.toObject().as
<JSFunction
>();
2794 if (fun
->maybePartialDisplayAtom()) {
2795 out
.put("<function ");
2796 EscapedStringPrinter(out
, fun
->maybePartialDisplayAtom(), 0);
2798 out
.put("<unnamed function");
2800 if (fun
->hasBaseScript()) {
2801 BaseScript
* script
= fun
->baseScript();
2802 out
.printf(" (%s:%u)", script
->filename() ? script
->filename() : "",
2805 out
.printf(" at %p>", (void*)fun
);
2807 JSObject
* obj
= &v
.toObject();
2808 const JSClass
* clasp
= obj
->getClass();
2809 out
.printf("<%s%s at %p>", clasp
->name
,
2810 (clasp
== &PlainObject::class_
) ? "" : " object",
2814 # ifdef ENABLE_RECORD_TUPLE
2815 case ValueType::ExtendedPrimitive
: {
2816 JSObject
* obj
= &v
.toExtendedPrimitive();
2817 out
.printf("<%s at %p>", obj
->getClass()->name
, (void*)obj
);
2821 case ValueType::Boolean
:
2822 if (v
.toBoolean()) {
2828 case ValueType::Magic
:
2830 switch (v
.whyMagic()) {
2831 case JS_ELEMENTS_HOLE
:
2832 out
.put(" elements hole");
2834 case JS_NO_ITER_VALUE
:
2835 out
.put(" no iter value");
2837 case JS_GENERATOR_CLOSING
:
2838 out
.put(" generator closing");
2840 case JS_OPTIMIZED_OUT
:
2841 out
.put(" optimized out");
2849 case ValueType::PrivateGCThing
:
2850 out
.printf("<PrivateGCThing %p>", v
.toGCThing());
2857 // We don't want jsfriendapi.h to depend on GenericPrinter,
2858 // so these functions are declared directly in the cpp.
2860 JS_PUBLIC_API
void DumpValue(const JS::Value
& val
, js::GenericPrinter
& out
);
2862 JS_PUBLIC_API
void DumpId(jsid id
, js::GenericPrinter
& out
);
2864 JS_PUBLIC_API
void DumpInterpreterFrame(JSContext
* cx
, js::GenericPrinter
& out
,
2865 InterpreterFrame
* start
= nullptr);
2869 JS_PUBLIC_API
void js::DumpValue(const Value
& val
, js::GenericPrinter
& out
) {
2870 dumpValue(val
, out
);
2874 JS_PUBLIC_API
void js::DumpId(jsid id
, js::GenericPrinter
& out
) {
2875 out
.printf("jsid %p = ", (void*)id
.asRawBits());
2876 dumpValue(IdToValue(id
), out
);
2880 static void DumpProperty(const NativeObject
* obj
, PropMap
* map
, uint32_t index
,
2881 js::GenericPrinter
& out
) {
2882 PropertyInfoWithKey prop
= map
->getPropertyInfoWithKey(index
);
2883 jsid id
= prop
.key();
2885 id
.toAtom()->dumpCharsNoNewline(out
);
2886 } else if (id
.isInt()) {
2887 out
.printf("%d", id
.toInt());
2888 } else if (id
.isSymbol()) {
2889 id
.toSymbol()->dump(out
);
2891 out
.printf("id %p", reinterpret_cast<void*>(id
.asRawBits()));
2894 if (prop
.isDataProperty()) {
2896 dumpValue(obj
->getSlot(prop
.slot()), out
);
2897 } else if (prop
.isAccessorProperty()) {
2898 out
.printf(": getter %p setter %p", obj
->getGetter(prop
),
2899 obj
->getSetter(prop
));
2902 out
.printf(" (map %p/%u", map
, index
);
2904 if (prop
.enumerable()) {
2905 out
.put(" enumerable");
2907 if (prop
.configurable()) {
2908 out
.put(" configurable");
2910 if (prop
.isDataDescriptor() && prop
.writable()) {
2911 out
.put(" writable");
2914 if (prop
.isCustomDataProperty()) {
2915 out
.printf(" <custom-data-prop>");
2918 if (prop
.hasSlot()) {
2919 out
.printf(" slot %u", prop
.slot());
2925 bool JSObject::hasSameRealmAs(JSContext
* cx
) const {
2926 return nonCCWRealm() == cx
->realm();
2929 bool JSObject::uninlinedIsProxyObject() const { return is
<ProxyObject
>(); }
2931 bool JSObject::uninlinedNonProxyIsExtensible() const {
2932 return nonProxyIsExtensible();
2935 void JSObject::dump(js::GenericPrinter
& out
) const {
2936 const JSObject
* obj
= this;
2937 out
.printf("object %p\n", obj
);
2939 if (IsCrossCompartmentWrapper(this)) {
2940 out
.printf(" compartment %p\n", compartment());
2942 JSObject
* globalObj
= &nonCCWGlobal();
2943 out
.printf(" global %p [%s]\n", globalObj
, globalObj
->getClass()->name
);
2946 const JSClass
* clasp
= obj
->getClass();
2947 out
.printf(" class %p %s\n", clasp
, clasp
->name
);
2950 auto* handler
= GetProxyHandler(obj
);
2951 out
.printf(" handler %p", handler
);
2952 if (IsDeadProxyObject(obj
)) {
2953 out
.printf(" (DeadObjectProxy)");
2954 } else if (IsCrossCompartmentWrapper(obj
)) {
2955 out
.printf(" (CCW)");
2959 Value priv
= GetProxyPrivate(obj
);
2960 if (!priv
.isUndefined()) {
2961 out
.printf(" private ");
2962 dumpValue(priv
, out
);
2966 Value expando
= GetProxyExpando(obj
);
2967 if (!expando
.isNull()) {
2968 out
.printf(" expando ");
2969 dumpValue(expando
, out
);
2974 const Shape
* shape
= obj
->shape();
2975 out
.printf(" shape %p\n", shape
);
2978 if (obj
->isUsedAsPrototype()) {
2979 out
.put(" used_as_prototype");
2981 if (!obj
->is
<ProxyObject
>() && !obj
->nonProxyIsExtensible()) {
2982 out
.put(" not_extensible");
2984 if (obj
->maybeHasInterestingSymbolProperty()) {
2985 out
.put(" maybe_has_interesting_symbol");
2987 if (obj
->isQualifiedVarObj()) {
2990 if (obj
->isUnqualifiedVarObj()) {
2991 out
.put(" unqualified_varobj");
2993 if (obj
->hasInvalidatedTeleporting()) {
2994 out
.put(" invalidated_teleporting");
2996 if (obj
->hasStaticPrototype() && obj
->staticPrototypeIsImmutable()) {
2997 out
.put(" immutable_prototype");
3000 const NativeObject
* nobj
=
3001 obj
->is
<NativeObject
>() ? &obj
->as
<NativeObject
>() : nullptr;
3003 if (nobj
->inDictionaryMode()) {
3004 out
.put(" inDictionaryMode");
3006 if (nobj
->hadGetterSetterChange()) {
3007 out
.put(" had_getter_setter_change");
3009 if (nobj
->isIndexed()) {
3010 out
.put(" indexed");
3012 if (nobj
->hasEnumerableProperty()) {
3013 out
.put(" has_enumerable");
3015 if (nobj
->is
<PlainObject
>() &&
3016 nobj
->as
<PlainObject
>().hasNonWritableOrAccessorPropExclProto()) {
3017 out
.put(" has_non_writable_or_accessor_prop_excl_proto");
3019 if (!nobj
->denseElementsArePacked()) {
3020 out
.put(" non_packed_elements");
3022 if (nobj
->getElementsHeader()->isNotExtensible()) {
3023 out
.put(" not_extensible");
3025 if (nobj
->getElementsHeader()->isSealed()) {
3026 out
.put(" sealed_elements");
3028 if (nobj
->getElementsHeader()->isFrozen()) {
3029 out
.put(" frozen_elements");
3031 if (nobj
->getElementsHeader()->maybeInIteration()) {
3032 out
.put(" elements_maybe_in_iteration");
3035 out
.put(" not_native");
3040 TaggedProto proto
= obj
->taggedProto();
3041 if (proto
.isDynamic()) {
3042 out
.put("<dynamic>");
3044 dumpValue(ObjectOrNullValue(proto
.toObjectOrNull()), out
);
3049 uint32_t reserved
= JSCLASS_RESERVED_SLOTS(clasp
);
3051 out
.printf(" reserved slots:\n");
3052 for (uint32_t i
= 0; i
< reserved
; i
++) {
3053 out
.printf(" %3u ", i
);
3055 dumpValue(nobj
->getSlot(i
), out
);
3060 out
.put(" properties:\n");
3062 if (PropMap
* map
= nobj
->shape()->propMap()) {
3063 Vector
<PropMap
*, 8, SystemAllocPolicy
> maps
;
3065 if (!maps
.append(map
)) {
3066 out
.printf("(OOM while appending maps)\n");
3069 if (!map
->hasPrevious()) {
3072 map
= map
->asLinked()->previous();
3075 for (size_t i
= maps
.length(); i
> 0; i
--) {
3076 size_t index
= i
- 1;
3078 (index
== 0) ? nobj
->shape()->propMapLength() : PropMap::Capacity
;
3079 for (uint32_t j
= 0; j
< len
; j
++) {
3080 PropMap
* map
= maps
[index
];
3081 if (!map
->hasKey(j
)) {
3082 MOZ_ASSERT(map
->isDictionary());
3086 DumpProperty(nobj
, map
, j
, out
);
3091 uint32_t slots
= nobj
->getDenseInitializedLength();
3093 out
.put(" elements:\n");
3094 for (uint32_t i
= 0; i
< slots
; i
++) {
3095 out
.printf(" %3u: ", i
);
3096 dumpValue(nobj
->getDenseElement(i
), out
);
3104 void JSObject::dump() const {
3105 Fprinter
out(stderr
);
3109 static void MaybeDumpScope(Scope
* scope
, js::GenericPrinter
& out
) {
3111 out
.printf(" scope: %s\n", ScopeKindString(scope
->kind()));
3112 for (BindingIter
bi(scope
); bi
; bi
++) {
3114 dumpValue(StringValue(bi
.name()), out
);
3120 static void MaybeDumpValue(const char* name
, const Value
& v
,
3121 js::GenericPrinter
& out
) {
3123 out
.printf(" %s: ", name
);
3129 JS_PUBLIC_API
void js::DumpInterpreterFrame(JSContext
* cx
,
3130 js::GenericPrinter
& out
,
3131 InterpreterFrame
* start
) {
3132 /* This should only called during live debugging. */
3133 ScriptFrameIter
i(cx
);
3136 out
.printf("no stack for cx = %p\n", (void*)cx
);
3140 while (!i
.done() && !i
.isJSJit() && i
.interpFrame() != start
) {
3145 out
.printf("fp = %p not found in cx = %p\n", (void*)start
, (void*)cx
);
3150 for (; !i
.done(); ++i
) {
3152 out
.put("JIT frame\n");
3154 out
.printf("InterpreterFrame at %p\n", (void*)i
.interpFrame());
3157 if (i
.isFunctionFrame()) {
3158 out
.put("callee fun: ");
3160 JSObject
* fun
= i
.callee(cx
);
3164 out
.put("global or eval frame, no callee");
3168 out
.printf("file %s line %u\n", i
.script()->filename(),
3169 i
.script()->lineno());
3171 if (jsbytecode
* pc
= i
.pc()) {
3172 out
.printf(" pc = %p\n", pc
);
3173 out
.printf(" current op: %s\n", CodeName(JSOp(*pc
)));
3174 MaybeDumpScope(i
.script()->lookupScope(pc
), out
);
3176 if (i
.isFunctionFrame()) {
3177 MaybeDumpValue("this", i
.thisArgument(cx
), out
);
3181 dumpValue(i
.interpFrame()->returnValue(), out
);
3186 if (i
.isConstructing()) {
3187 out
.put(" constructing");
3189 if (!i
.isJSJit() && i
.interpFrame()->isDebuggerEvalFrame()) {
3190 out
.put(" debugger eval");
3192 if (i
.isEvalFrame()) {
3197 out
.printf(" envChain: (JSObject*) %p\n", (void*)i
.environmentChain(cx
));
3203 #endif /* defined(DEBUG) || defined(JS_JITSPEW) */
3205 JS_PUBLIC_API
void js::DumpBacktrace(JSContext
* cx
, FILE* fp
) {
3207 js::DumpBacktrace(cx
, out
);
3210 JS_PUBLIC_API
void js::DumpBacktrace(JSContext
* cx
, js::GenericPrinter
& out
) {
3212 for (AllFramesIter
i(cx
); !i
.done(); ++i
, ++depth
) {
3213 const char* filename
;
3215 if (i
.hasScript()) {
3216 filename
= JS_GetScriptFilename(i
.script());
3217 line
= PCToLineNumber(i
.script(), i
.pc());
3219 filename
= i
.filename();
3220 line
= i
.computeLine();
3222 char frameType
= i
.isInterp() ? 'i'
3223 : i
.isBaseline() ? 'b'
3228 out
.printf("#%zu %14p %c %s:%u", depth
, i
.rawFramePtr(), frameType
,
3231 if (i
.hasScript()) {
3232 out
.printf(" (%p @ %zu)\n", i
.script(), i
.script()->pcToOffset(i
.pc()));
3234 out
.printf(" (%p)\n", i
.pc());
3239 JS_PUBLIC_API
void js::DumpBacktrace(JSContext
* cx
) {
3240 DumpBacktrace(cx
, stdout
);
3245 bool JSObject::isBackgroundFinalized() const {
3247 return js::gc::IsBackgroundFinalized(asTenured().getAllocKind());
3250 js::Nursery
& nursery
= runtimeFromMainThread()->gc
.nursery();
3251 return js::gc::IsBackgroundFinalized(allocKindForTenure(nursery
));
3254 js::gc::AllocKind
JSObject::allocKindForTenure(
3255 const js::Nursery
& nursery
) const {
3256 using namespace js::gc
;
3258 MOZ_ASSERT(IsInsideNursery(this));
3260 if (canHaveFixedElements()) {
3261 const NativeObject
& nobj
= as
<NativeObject
>();
3262 MOZ_ASSERT(nobj
.numFixedSlots() == 0);
3264 /* Use minimal size object if we are just going to copy the pointer. */
3265 if (!nursery
.isInside(nobj
.getUnshiftedElementsHeader())) {
3266 return gc::AllocKind::OBJECT0_BACKGROUND
;
3269 size_t nelements
= nobj
.getDenseCapacity();
3270 return ForegroundToBackgroundAllocKind(GetGCArrayKind(nelements
));
3273 if (is
<JSFunction
>()) {
3274 return as
<JSFunction
>().getAllocKind();
3277 // Fixed length typed arrays in the nursery may have a lazily allocated
3278 // buffer, make sure there is room for the array's fixed data when moving the
3280 if (is
<FixedLengthTypedArrayObject
>() &&
3281 !as
<FixedLengthTypedArrayObject
>().hasBuffer()) {
3282 gc::AllocKind allocKind
;
3283 if (as
<FixedLengthTypedArrayObject
>().hasInlineElements()) {
3284 size_t nbytes
= as
<FixedLengthTypedArrayObject
>().byteLength();
3285 allocKind
= FixedLengthTypedArrayObject::AllocKindForLazyBuffer(nbytes
);
3287 allocKind
= GetGCObjectKind(getClass());
3289 return ForegroundToBackgroundAllocKind(allocKind
);
3292 // Proxies that are CrossCompartmentWrappers may be nursery allocated.
3293 if (is
<ProxyObject
>()) {
3294 return as
<ProxyObject
>().allocKindForTenure();
3297 // WasmStructObjects have a variable-length tail which contains the first
3298 // few data fields, so make sure we copy it all over to the new object.
3299 if (is
<WasmStructObject
>()) {
3300 // Figure out the size of this object, from the object's TypeDef.
3301 const wasm::TypeDef
* typeDef
= &as
<WasmStructObject
>().typeDef();
3302 return WasmStructObject::allocKindForTypeDef(typeDef
);
3305 if (is
<WasmArrayObject
>()) {
3306 return WasmArrayObject::allocKind();
3309 // All nursery allocatable non-native objects are handled above.
3310 return as
<NativeObject
>().allocKindForTenure();
3313 void JSObject::addSizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf
,
3314 JS::ClassInfo
* info
,
3315 JS::RuntimeSizes
* runtimeSizes
) {
3316 if (is
<NativeObject
>() && as
<NativeObject
>().hasDynamicSlots()) {
3317 info
->objectsMallocHeapSlots
+=
3318 mallocSizeOf(as
<NativeObject
>().getSlotsHeader());
3321 if (is
<NativeObject
>() && as
<NativeObject
>().hasDynamicElements()) {
3322 void* allocatedElements
= as
<NativeObject
>().getUnshiftedElementsHeader();
3323 info
->objectsMallocHeapElementsNormal
+= mallocSizeOf(allocatedElements
);
3326 // Other things may be measured in the future if DMD indicates it is
3328 if (is
<JSFunction
>() || is
<PlainObject
>() || is
<ArrayObject
>() ||
3329 is
<CallObject
>() || is
<RegExpObject
>() || is
<ProxyObject
>()) {
3330 // Do nothing. But this function is hot, and we win by getting the
3331 // common cases out of the way early. Some stats on the most common
3332 // classes, as measured during a vanilla browser session:
3333 // - (53.7%, 53.7%): Function
3334 // - (18.0%, 71.7%): Object
3335 // - (16.9%, 88.6%): Array
3336 // - ( 3.9%, 92.5%): Call
3337 // - ( 2.8%, 95.3%): RegExp
3338 // - ( 1.0%, 96.4%): Proxy
3340 // Note that any JSClass that is special cased below likely needs to
3341 // specify the JSCLASS_DELAY_METADATA_BUILDER flag, or else we will
3342 // probably crash if the object metadata callback attempts to get the
3343 // size of the new object (which Debugger code does) before private
3344 // slots are initialized.
3345 } else if (is
<ArgumentsObject
>()) {
3346 info
->objectsMallocHeapMisc
+=
3347 as
<ArgumentsObject
>().sizeOfMisc(mallocSizeOf
);
3348 } else if (is
<MapObject
>()) {
3349 info
->objectsMallocHeapMisc
+= as
<MapObject
>().sizeOfData(mallocSizeOf
);
3350 } else if (is
<SetObject
>()) {
3351 info
->objectsMallocHeapMisc
+= as
<SetObject
>().sizeOfData(mallocSizeOf
);
3352 } else if (is
<PropertyIteratorObject
>()) {
3353 info
->objectsMallocHeapMisc
+=
3354 as
<PropertyIteratorObject
>().sizeOfMisc(mallocSizeOf
);
3355 } else if (is
<ArrayBufferObject
>()) {
3356 ArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf
, info
,
3358 } else if (is
<SharedArrayBufferObject
>()) {
3359 SharedArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf
, info
,
3361 } else if (is
<GlobalObject
>()) {
3362 as
<GlobalObject
>().addSizeOfData(mallocSizeOf
, info
);
3363 } else if (is
<WeakCollectionObject
>()) {
3364 info
->objectsMallocHeapMisc
+=
3365 as
<WeakCollectionObject
>().sizeOfExcludingThis(mallocSizeOf
);
3367 #ifdef JS_HAS_CTYPES
3369 // This must be the last case.
3370 info
->objectsMallocHeapMisc
+= ctypes::SizeOfDataIfCDataObject(
3371 mallocSizeOf
, const_cast<JSObject
*>(this));
3376 size_t JSObject::sizeOfIncludingThisInNursery() const {
3377 // This function doesn't concern itself yet with typed objects (bug 1133593).
3379 MOZ_ASSERT(!isTenured());
3381 const Nursery
& nursery
= runtimeFromMainThread()->gc
.nursery();
3382 size_t size
= gc::Arena::thingSize(allocKindForTenure(nursery
));
3384 if (is
<NativeObject
>()) {
3385 const NativeObject
& native
= as
<NativeObject
>();
3387 size
+= native
.numDynamicSlots() * sizeof(Value
);
3389 if (native
.hasDynamicElements()) {
3390 js::ObjectElements
& elements
= *native
.getElementsHeader();
3391 size
+= (elements
.capacity
+ elements
.numShiftedElements()) *
3395 if (is
<ArgumentsObject
>()) {
3396 size
+= as
<ArgumentsObject
>().sizeOfData();
3403 JS::ubi::Node::Size
JS::ubi::Concrete
<JSObject
>::size(
3404 mozilla::MallocSizeOf mallocSizeOf
) const {
3405 JSObject
& obj
= get();
3407 if (!obj
.isTenured()) {
3408 return obj
.sizeOfIncludingThisInNursery();
3412 obj
.addSizeOfExcludingThis(mallocSizeOf
, &info
, nullptr);
3413 return obj
.tenuredSizeOfThis() + info
.sizeOfAllThings();
3416 const char16_t
JS::ubi::Concrete
<JSObject
>::concreteTypeName
[] = u
"JSObject";
3418 void JSObject::traceChildren(JSTracer
* trc
) {
3419 TraceCellHeaderEdge(trc
, this, "shape");
3421 Shape
* objShape
= shape();
3422 if (objShape
->isNative()) {
3423 NativeObject
* nobj
= &as
<NativeObject
>();
3426 GetObjectSlotNameFunctor
func(nobj
);
3427 JS::AutoTracingDetails
ctx(trc
, func
);
3428 JS::AutoTracingIndex
index(trc
);
3429 // Tracing can mutate the target but cannot change the slot count,
3430 // but the compiler has no way of knowing this.
3431 const uint32_t nslots
= nobj
->slotSpan();
3432 for (uint32_t i
= 0; i
< nslots
; ++i
) {
3433 TraceEdge(trc
, &nobj
->getSlotRef(i
), "object slot");
3436 MOZ_ASSERT(nslots
== nobj
->slotSpan());
3439 TraceRange(trc
, nobj
->getDenseInitializedLength(),
3440 static_cast<HeapSlot
*>(nobj
->getDenseElements()),
3444 // Call the trace hook at the end so that during a moving GC the trace hook
3445 // will see updated fields and slots.
3446 const JSClass
* clasp
= objShape
->getObjectClass();
3447 if (clasp
->hasTrace()) {
3448 clasp
->doTrace(trc
, this);
3453 [[nodiscard
]] JSObject
* js::SpeciesConstructor(
3454 JSContext
* cx
, HandleObject obj
, HandleObject defaultCtor
,
3455 bool (*isDefaultSpecies
)(JSContext
*, JSFunction
*)) {
3456 // Step 1 (implicit).
3458 // Fast-path for steps 2 - 8. Applies if all of the following conditions
3460 // - obj.constructor can be retrieved without side-effects.
3461 // - obj.constructor[[@@species]] can be retrieved without side-effects.
3462 // - obj.constructor[[@@species]] is the builtin's original @@species
3464 RootedValue
ctor(cx
);
3465 bool ctorGetSucceeded
= GetPropertyPure(
3466 cx
, obj
, NameToId(cx
->names().constructor
), ctor
.address());
3467 if (ctorGetSucceeded
&& ctor
.isObject() && &ctor
.toObject() == defaultCtor
) {
3468 jsid speciesId
= PropertyKey::Symbol(cx
->wellKnownSymbols().species
);
3470 if (GetGetterPure(cx
, defaultCtor
, speciesId
, &getter
) && getter
&&
3471 isDefaultSpecies(cx
, getter
)) {
3477 if (!ctorGetSucceeded
&&
3478 !GetProperty(cx
, obj
, obj
, cx
->names().constructor
, &ctor
)) {
3483 if (ctor
.isUndefined()) {
3488 if (!ctor
.isObject()) {
3489 JS_ReportErrorNumberASCII(cx
, GetErrorMessage
, nullptr,
3490 JSMSG_OBJECT_REQUIRED
,
3491 "object's 'constructor' property");
3496 RootedObject
ctorObj(cx
, &ctor
.toObject());
3498 RootedId
speciesId(cx
, PropertyKey::Symbol(cx
->wellKnownSymbols().species
));
3499 if (!GetProperty(cx
, ctorObj
, ctor
, speciesId
, &s
)) {
3504 if (s
.isNullOrUndefined()) {
3509 if (IsConstructor(s
)) {
3510 return &s
.toObject();
3514 JS_ReportErrorNumberASCII(
3515 cx
, GetErrorMessage
, nullptr, JSMSG_NOT_CONSTRUCTOR
,
3516 "[Symbol.species] property of object's constructor");
3520 [[nodiscard
]] JSObject
* js::SpeciesConstructor(
3521 JSContext
* cx
, HandleObject obj
, JSProtoKey ctorKey
,
3522 bool (*isDefaultSpecies
)(JSContext
*, JSFunction
*)) {
3523 RootedObject
defaultCtor(cx
,
3524 GlobalObject::getOrCreateConstructor(cx
, ctorKey
));
3528 return SpeciesConstructor(cx
, obj
, defaultCtor
, isDefaultSpecies
);
3531 bool js::Unbox(JSContext
* cx
, HandleObject obj
, MutableHandleValue vp
) {
3532 if (MOZ_UNLIKELY(obj
->is
<ProxyObject
>())) {
3533 return Proxy::boxedValue_unbox(cx
, obj
, vp
);
3536 if (obj
->is
<BooleanObject
>()) {
3537 vp
.setBoolean(obj
->as
<BooleanObject
>().unbox());
3538 } else if (obj
->is
<NumberObject
>()) {
3539 vp
.setNumber(obj
->as
<NumberObject
>().unbox());
3540 } else if (obj
->is
<StringObject
>()) {
3541 vp
.setString(obj
->as
<StringObject
>().unbox());
3542 } else if (obj
->is
<DateObject
>()) {
3543 vp
.set(obj
->as
<DateObject
>().UTCTime());
3544 } else if (obj
->is
<SymbolObject
>()) {
3545 vp
.setSymbol(obj
->as
<SymbolObject
>().unbox());
3546 } else if (obj
->is
<BigIntObject
>()) {
3547 vp
.setBigInt(obj
->as
<BigIntObject
>().unbox());
3548 #ifdef ENABLE_RECORD_TUPLE
3549 } else if (obj
->is
<RecordObject
>()) {
3550 vp
.setExtendedPrimitive(*obj
->as
<RecordObject
>().unbox());
3551 } else if (obj
->is
<TupleObject
>()) {
3552 vp
.setExtendedPrimitive(obj
->as
<TupleObject
>().unbox());
3562 void js::AssertJSClassInvariants(const JSClass
* clasp
) {
3563 MOZ_ASSERT(JS::StringIsASCII(clasp
->name
));
3565 // Native objects shouldn't use the property operation hooks in ObjectOps.
3566 // Doing so could violate JIT invariants.
3568 // Environment objects unfortunately use these hooks, but environment objects
3569 // are not exposed directly to script so they're generally less of an issue.
3570 if (clasp
->isNativeObject() && clasp
!= &WithEnvironmentObject::class_
&&
3571 clasp
!= &ModuleEnvironmentObject::class_
&&
3572 clasp
!= &RuntimeLexicalErrorObject::class_
) {
3573 MOZ_ASSERT(!clasp
->getOpsLookupProperty());
3574 MOZ_ASSERT_IF(clasp
!= &MappedArgumentsObject::class_
,
3575 !clasp
->getOpsDefineProperty());
3576 MOZ_ASSERT(!clasp
->getOpsHasProperty());
3577 MOZ_ASSERT(!clasp
->getOpsGetProperty());
3578 MOZ_ASSERT(!clasp
->getOpsSetProperty());
3579 MOZ_ASSERT(!clasp
->getOpsGetOwnPropertyDescriptor());
3580 MOZ_ASSERT(!clasp
->getOpsDeleteProperty());
3585 void JSObject::debugCheckNewObject(Shape
* shape
, js::gc::AllocKind allocKind
,
3586 js::gc::Heap heap
) {
3587 const JSClass
* clasp
= shape
->getObjectClass();
3589 if (!ClassCanHaveFixedData(clasp
)) {
3590 NativeShape
* nshape
= &shape
->asNative();
3591 if (clasp
== &ArrayObject::class_
) {
3592 // Arrays can store the ObjectElements header inline.
3593 MOZ_ASSERT(nshape
->numFixedSlots() == 0);
3595 MOZ_ASSERT(gc::GetGCKindSlots(allocKind
) == nshape
->numFixedSlots());
3599 // Assert background finalization is used when possible.
3600 MOZ_ASSERT(!CanChangeToBackgroundAllocKind(allocKind
, clasp
));
3602 // Classes with a finalizer must specify whether instances will be finalized
3603 // on the main thread or in the background, except proxies whose behaviour
3604 // depends on the target object.
3605 static const uint32_t FinalizeMask
=
3606 JSCLASS_FOREGROUND_FINALIZE
| JSCLASS_BACKGROUND_FINALIZE
;
3607 uint32_t flags
= clasp
->flags
;
3608 uint32_t finalizeFlags
= flags
& FinalizeMask
;
3609 if (clasp
->hasFinalize() && !clasp
->isProxyObject()) {
3610 MOZ_ASSERT(finalizeFlags
== JSCLASS_FOREGROUND_FINALIZE
||
3611 finalizeFlags
== JSCLASS_BACKGROUND_FINALIZE
);
3612 MOZ_ASSERT((finalizeFlags
== JSCLASS_BACKGROUND_FINALIZE
) ==
3613 IsBackgroundFinalized(allocKind
));
3615 MOZ_ASSERT(finalizeFlags
== 0);
3618 MOZ_ASSERT_IF(clasp
->hasFinalize(),
3619 heap
== gc::Heap::Tenured
||
3620 CanNurseryAllocateFinalizedClass(clasp
) ||
3621 clasp
->isProxyObject());
3623 MOZ_ASSERT(!shape
->isDictionary());
3624 MOZ_ASSERT(!shape
->realm()->hasObjectPendingMetadata());
3626 // Non-native classes manage their own data and slots, so numFixedSlots is
3627 // always 0. Note that proxy classes can have reserved slots but they're not
3628 // included in numFixedSlots.
3629 if (!clasp
->isNativeObject()) {
3630 MOZ_ASSERT_IF(!clasp
->isProxyObject(), JSCLASS_RESERVED_SLOTS(clasp
) == 0);