search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1842773 - Part 32: Allow constructing growable SharedArrayBuffers. r=sfink
[gecko.git] / js / src / vm / JSObject.cpp
blob48cce6056a7cb0e5f1005bba8697860cdbf603a0
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 /*
8 * JS object implementation.
9 */
10
11 #include "vm/JSObject-inl.h"
12
13 #include "mozilla/MemoryReporting.h"
14 #include "mozilla/Try.h"
15
16 #include <string.h>
17
18 #include "jsapi.h"
19 #include "jsexn.h"
20 #include "jsfriendapi.h"
21 #include "jsnum.h"
22 #include "jstypes.h"
23
24 #include "builtin/BigInt.h"
25 #include "builtin/MapObject.h"
26 #include "builtin/Object.h"
27 #include "builtin/String.h"
28 #include "builtin/Symbol.h"
29 #include "builtin/WeakSetObject.h"
30 #include "gc/AllocKind.h"
31 #include "gc/GC.h"
32 #include "js/CharacterEncoding.h"
33 #include "js/friend/DumpFunctions.h" // js::DumpObject
34 #include "js/friend/ErrorMessages.h" // JSErrNum, js::GetErrorMessage, JSMSG_*
35 #include "js/friend/WindowProxy.h" // js::IsWindow, js::ToWindowProxyIfWindow
36 #include "js/MemoryMetrics.h"
37 #include "js/PropertyDescriptor.h" // JS::FromPropertyDescriptor
38 #include "js/PropertySpec.h" // JSPropertySpec
39 #include "js/Proxy.h"
40 #include "js/Result.h"
41 #include "js/UbiNode.h"
42 #include "js/Wrapper.h"
43 #include "proxy/DeadObjectProxy.h"
44 #include "util/Memory.h"
45 #include "util/Text.h"
46 #include "util/WindowsWrapper.h"
47 #include "vm/ArgumentsObject.h"
48 #include "vm/BytecodeUtil.h"
49 #include "vm/Compartment.h"
50 #include "vm/DateObject.h"
51 #include "vm/Interpreter.h"
52 #include "vm/Iteration.h"
53 #include "vm/JSAtomUtils.h" // Atomize
54 #include "vm/JSContext.h"
55 #include "vm/JSFunction.h"
56 #include "vm/JSScript.h"
57 #include "vm/ProxyObject.h"
58 #include "vm/RegExpObject.h"
59 #include "vm/Shape.h"
60 #include "vm/TypedArrayObject.h"
61 #include "vm/Watchtower.h"
62 #include "vm/WrapperObject.h"
63 #ifdef ENABLE_RECORD_TUPLE
64 # include "builtin/RecordObject.h"
65 # include "builtin/TupleObject.h"
66 # include "vm/RecordType.h"
67 # include "vm/TupleType.h"
68 #endif
69 #include "wasm/WasmGcObject.h"
70
71 #include "gc/StableCellHasher-inl.h"
72 #include "vm/BooleanObject-inl.h"
73 #include "vm/EnvironmentObject-inl.h"
74 #include "vm/Interpreter-inl.h"
75 #include "vm/JSAtomUtils-inl.h" // AtomToId, PrimitiveValueToId, IndexToId
76 #include "vm/JSContext-inl.h"
77 #include "vm/NativeObject-inl.h"
78 #include "vm/NumberObject-inl.h"
79 #include "vm/ObjectFlags-inl.h"
80 #include "vm/Realm-inl.h"
81 #include "vm/StringObject-inl.h"
82 #include "vm/TypedArrayObject-inl.h"
83
84 using namespace js;
85
86 using mozilla::Maybe;
87
88 void js::ReportNotObject(JSContext* cx, JSErrNum err, int spindex,
89 HandleValue v) {
90 MOZ_ASSERT(!v.isObject());
91 ReportValueError(cx, err, spindex, v, nullptr);
92 }
93
94 void js::ReportNotObject(JSContext* cx, JSErrNum err, HandleValue v) {
95 ReportNotObject(cx, err, JSDVG_SEARCH_STACK, v);
96 }
97
98 void js::ReportNotObject(JSContext* cx, const Value& v) {
99 RootedValue value(cx, v);
100 ReportNotObject(cx, JSMSG_OBJECT_REQUIRED, value);
101 }
102
103 void js::ReportNotObjectArg(JSContext* cx, const char* nth, const char* fun,
104 HandleValue v) {
105 MOZ_ASSERT(!v.isObject());
106
107 UniqueChars bytes;
108 if (const char* chars = ValueToSourceForError(cx, v, bytes)) {
109 JS_ReportErrorNumberLatin1(cx, GetErrorMessage, nullptr,
110 JSMSG_OBJECT_REQUIRED_ARG, nth, fun, chars);
111 }
112 }
113
114 JS_PUBLIC_API const char* JS::InformalValueTypeName(const Value& v) {
115 switch (v.type()) {
116 case ValueType::Double:
117 case ValueType::Int32:
118 return "number";
119 case ValueType::Boolean:
120 return "boolean";
121 case ValueType::Undefined:
122 return "undefined";
123 case ValueType::Null:
124 return "null";
125 case ValueType::String:
126 return "string";
127 case ValueType::Symbol:
128 return "symbol";
129 case ValueType::BigInt:
130 return "bigint";
131 case ValueType::Object:
132 #ifdef ENABLE_RECORD_TUPLE
133 case ValueType::ExtendedPrimitive:
134 #endif
135 return v.getObjectPayload().getClass()->name;
136 case ValueType::Magic:
137 return "magic";
138 case ValueType::PrivateGCThing:
139 break;
140 }
141
142 MOZ_CRASH("unexpected type");
143 }
144
145 // ES6 draft rev37 6.2.4.4 FromPropertyDescriptor
146 JS_PUBLIC_API bool JS::FromPropertyDescriptor(
147 JSContext* cx, Handle<Maybe<PropertyDescriptor>> desc_,
148 MutableHandleValue vp) {
149 AssertHeapIsIdle();
150 CHECK_THREAD(cx);
151 cx->check(desc_);
152
153 // Step 1.
154 if (desc_.isNothing()) {
155 vp.setUndefined();
156 return true;
157 }
158
159 Rooted<PropertyDescriptor> desc(cx, *desc_);
160 return FromPropertyDescriptorToObject(cx, desc, vp);
161 }
162
163 bool js::FromPropertyDescriptorToObject(JSContext* cx,
164 Handle<PropertyDescriptor> desc,
165 MutableHandleValue vp) {
166 // Step 2-3.
167 RootedObject obj(cx, NewPlainObject(cx));
168 if (!obj) {
169 return false;
170 }
171
172 const JSAtomState& names = cx->names();
173
174 // Step 4.
175 if (desc.hasValue()) {
176 if (!DefineDataProperty(cx, obj, names.value, desc.value())) {
177 return false;
178 }
179 }
180
181 // Step 5.
182 RootedValue v(cx);
183 if (desc.hasWritable()) {
184 v.setBoolean(desc.writable());
185 if (!DefineDataProperty(cx, obj, names.writable, v)) {
186 return false;
187 }
188 }
189
190 // Step 6.
191 if (desc.hasGetter()) {
192 if (JSObject* get = desc.getter()) {
193 v.setObject(*get);
194 } else {
195 v.setUndefined();
196 }
197 if (!DefineDataProperty(cx, obj, names.get, v)) {
198 return false;
199 }
200 }
201
202 // Step 7.
203 if (desc.hasSetter()) {
204 if (JSObject* set = desc.setter()) {
205 v.setObject(*set);
206 } else {
207 v.setUndefined();
208 }
209 if (!DefineDataProperty(cx, obj, names.set, v)) {
210 return false;
211 }
212 }
213
214 // Step 8.
215 if (desc.hasEnumerable()) {
216 v.setBoolean(desc.enumerable());
217 if (!DefineDataProperty(cx, obj, names.enumerable, v)) {
218 return false;
219 }
220 }
221
222 // Step 9.
223 if (desc.hasConfigurable()) {
224 v.setBoolean(desc.configurable());
225 if (!DefineDataProperty(cx, obj, names.configurable, v)) {
226 return false;
227 }
228 }
229
230 vp.setObject(*obj);
231 return true;
232 }
233
234 bool js::GetFirstArgumentAsObject(JSContext* cx, const CallArgs& args,
235 const char* method,
236 MutableHandleObject objp) {
237 if (!args.requireAtLeast(cx, method, 1)) {
238 return false;
239 }
240
241 HandleValue v = args[0];
242 if (!v.isObject()) {
243 UniqueChars bytes =
244 DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, v, nullptr);
245 if (!bytes) {
246 return false;
247 }
248 JS_ReportErrorNumberUTF8(cx, GetErrorMessage, nullptr,
249 JSMSG_UNEXPECTED_TYPE, bytes.get(),
250 "not an object");
251 return false;
252 }
253
254 objp.set(&v.toObject());
255 return true;
256 }
257
258 static bool GetPropertyIfPresent(JSContext* cx, HandleObject obj, HandleId id,
259 MutableHandleValue vp, bool* foundp) {
260 if (!HasProperty(cx, obj, id, foundp)) {
261 return false;
262 }
263 if (!*foundp) {
264 vp.setUndefined();
265 return true;
266 }
267
268 return GetProperty(cx, obj, obj, id, vp);
269 }
270
271 bool js::Throw(JSContext* cx, HandleId id, unsigned errorNumber,
272 const char* details) {
273 MOZ_ASSERT(js_ErrorFormatString[errorNumber].argCount == (details ? 2 : 1));
274 MOZ_ASSERT_IF(details, JS::StringIsASCII(details));
275
276 UniqueChars bytes =
277 IdToPrintableUTF8(cx, id, IdToPrintableBehavior::IdIsPropertyKey);
278 if (!bytes) {
279 return false;
280 }
281
282 if (details) {
283 JS_ReportErrorNumberUTF8(cx, GetErrorMessage, nullptr, errorNumber,
284 bytes.get(), details);
285 } else {
286 JS_ReportErrorNumberUTF8(cx, GetErrorMessage, nullptr, errorNumber,
287 bytes.get());
288 }
289
290 return false;
291 }
292
293 /*** PropertyDescriptor operations and DefineProperties *********************/
294
295 static Result<> CheckCallable(JSContext* cx, JSObject* obj,
296 const char* fieldName) {
297 if (obj && !obj->isCallable()) {
298 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
299 JSMSG_BAD_GET_SET_FIELD, fieldName);
300 return cx->alreadyReportedError();
301 }
302 return Ok();
303 }
304
305 // 6.2.5.5 ToPropertyDescriptor(Obj)
306 bool js::ToPropertyDescriptor(JSContext* cx, HandleValue descval,
307 bool checkAccessors,
308 MutableHandle<PropertyDescriptor> desc_) {
309 // Step 1.
310 RootedObject obj(cx,
311 RequireObject(cx, JSMSG_OBJECT_REQUIRED_PROP_DESC, descval));
312 if (!obj) {
313 return false;
314 }
315
316 // Step 2.
317 Rooted<PropertyDescriptor> desc(cx, PropertyDescriptor::Empty());
318
319 RootedId id(cx);
320 RootedValue v(cx);
321
322 // Steps 3-4.
323 id = NameToId(cx->names().enumerable);
324 bool hasEnumerable = false;
325 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasEnumerable)) {
326 return false;
327 }
328 if (hasEnumerable) {
329 desc.setEnumerable(ToBoolean(v));
330 }
331
332 // Steps 5-6.
333 id = NameToId(cx->names().configurable);
334 bool hasConfigurable = false;
335 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasConfigurable)) {
336 return false;
337 }
338 if (hasConfigurable) {
339 desc.setConfigurable(ToBoolean(v));
340 }
341
342 // Steps 7-8.
343 id = NameToId(cx->names().value);
344 bool hasValue = false;
345 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasValue)) {
346 return false;
347 }
348 if (hasValue) {
349 desc.setValue(v);
350 }
351
352 // Steps 9-10.
353 id = NameToId(cx->names().writable);
354 bool hasWritable = false;
355 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasWritable)) {
356 return false;
357 }
358 if (hasWritable) {
359 desc.setWritable(ToBoolean(v));
360 }
361
362 // Steps 11-12.
363 id = NameToId(cx->names().get);
364 bool hasGet = false;
365 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasGet)) {
366 return false;
367 }
368 RootedObject getter(cx);
369 if (hasGet) {
370 if (v.isObject()) {
371 if (checkAccessors) {
372 JS_TRY_OR_RETURN_FALSE(cx, CheckCallable(cx, &v.toObject(), "getter"));
373 }
374 getter = &v.toObject();
375 } else if (v.isUndefined()) {
376 getter = nullptr;
377 } else {
378 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
379 JSMSG_BAD_GET_SET_FIELD, "getter");
380 return false;
381 }
382 }
383
384 // Steps 13-14.
385 id = NameToId(cx->names().set);
386 bool hasSet = false;
387 if (!GetPropertyIfPresent(cx, obj, id, &v, &hasSet)) {
388 return false;
389 }
390 RootedObject setter(cx);
391 if (hasSet) {
392 if (v.isObject()) {
393 if (checkAccessors) {
394 JS_TRY_OR_RETURN_FALSE(cx, CheckCallable(cx, &v.toObject(), "setter"));
395 }
396 setter = &v.toObject();
397 } else if (v.isUndefined()) {
398 setter = nullptr;
399 } else {
400 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
401 JSMSG_BAD_GET_SET_FIELD, "setter");
402 return false;
403 }
404 }
405
406 // Step 15.
407 if (hasGet || hasSet) {
408 if (hasValue || hasWritable) {
409 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
410 JSMSG_INVALID_DESCRIPTOR);
411 return false;
412 }
413
414 // We delay setGetter/setSetter after the previous check,
415 // because otherwise we would assert.
416 if (hasGet) {
417 desc.setGetter(getter);
418 }
419 if (hasSet) {
420 desc.setSetter(setter);
421 }
422 }
423
424 desc.assertValid();
425 desc_.set(desc);
426 return true;
427 }
428
429 Result<> js::CheckPropertyDescriptorAccessors(JSContext* cx,
430 Handle<PropertyDescriptor> desc) {
431 if (desc.hasGetter()) {
432 MOZ_TRY(CheckCallable(cx, desc.getter(), "getter"));
433 }
434
435 if (desc.hasSetter()) {
436 MOZ_TRY(CheckCallable(cx, desc.setter(), "setter"));
437 }
438
439 return Ok();
440 }
441
442 // 6.2.5.6 CompletePropertyDescriptor(Desc)
443 void js::CompletePropertyDescriptor(MutableHandle<PropertyDescriptor> desc) {
444 // Step 1.
445 desc.assertValid();
446
447 // Step 2.
448 // Let like be the Record { [[Value]]: undefined, [[Writable]]: false,
449 // [[Get]]: undefined, [[Set]]: undefined,
450 // [[Enumerable]]: false, [[Configurable]]: false }.
451
452 // Step 3.
453 if (desc.isGenericDescriptor() || desc.isDataDescriptor()) {
454 // Step 3.a.
455 if (!desc.hasValue()) {
456 desc.setValue(UndefinedHandleValue);
457 }
458 // Step 3.b.
459 if (!desc.hasWritable()) {
460 desc.setWritable(false);
461 }
462 } else {
463 // Step 4.a.
464 if (!desc.hasGetter()) {
465 desc.setGetter(nullptr);
466 }
467 // Step 4.b.
468 if (!desc.hasSetter()) {
469 desc.setSetter(nullptr);
470 }
471 }
472
473 // Step 5.
474 if (!desc.hasEnumerable()) {
475 desc.setEnumerable(false);
476 }
477
478 // Step 6.
479 if (!desc.hasConfigurable()) {
480 desc.setConfigurable(false);
481 }
482
483 desc.assertComplete();
484 }
485
486 bool js::ReadPropertyDescriptors(
487 JSContext* cx, HandleObject props, bool checkAccessors,
488 MutableHandleIdVector ids, MutableHandle<PropertyDescriptorVector> descs) {
489 if (!GetPropertyKeys(cx, props, JSITER_OWNONLY | JSITER_SYMBOLS, ids)) {
490 return false;
491 }
492
493 RootedId id(cx);
494 for (size_t i = 0, len = ids.length(); i < len; i++) {
495 id = ids[i];
496 Rooted<PropertyDescriptor> desc(cx);
497 RootedValue v(cx);
498 if (!GetProperty(cx, props, props, id, &v) ||
499 !ToPropertyDescriptor(cx, v, checkAccessors, &desc) ||
500 !descs.append(desc)) {
501 return false;
502 }
503 }
504 return true;
505 }
506
507 /*** Seal and freeze ********************************************************/
508
509 /* ES6 draft rev 29 (6 Dec 2014) 7.3.13. */
510 bool js::SetIntegrityLevel(JSContext* cx, HandleObject obj,
511 IntegrityLevel level) {
512 cx->check(obj);
513
514 // Steps 3-5. (Steps 1-2 are redundant assertions.)
515 if (!PreventExtensions(cx, obj)) {
516 return false;
517 }
518
519 // Steps 6-9, loosely interpreted.
520 if (obj->is<NativeObject>() && !obj->is<TypedArrayObject>() &&
521 !obj->is<MappedArgumentsObject>()) {
522 Handle<NativeObject*> nobj = obj.as<NativeObject>();
523
524 // Use a fast path to seal/freeze properties. This has the benefit of
525 // creating shared property maps if possible, whereas the slower/generic
526 // implementation below ends up converting non-empty objects to dictionary
527 // mode.
528 if (nobj->shape()->propMapLength() > 0) {
529 if (!NativeObject::freezeOrSealProperties(cx, nobj, level)) {
530 return false;
531 }
532 }
533
534 // Ordinarily ArraySetLength handles this, but we're going behind its back
535 // right now, so we must do this manually.
536 if (level == IntegrityLevel::Frozen && obj->is<ArrayObject>()) {
537 obj->as<ArrayObject>().setNonWritableLength(cx);
538 }
539 } else {
540 // Steps 6-7.
541 RootedIdVector keys(cx);
542 if (!GetPropertyKeys(
543 cx, obj, JSITER_HIDDEN | JSITER_OWNONLY | JSITER_SYMBOLS, &keys)) {
544 return false;
545 }
546
547 RootedId id(cx);
548 Rooted<PropertyDescriptor> desc(cx, PropertyDescriptor::Empty());
549
550 // 8.a/9.a. The two different loops are merged here.
551 for (size_t i = 0; i < keys.length(); i++) {
552 id = keys[i];
553
554 if (level == IntegrityLevel::Sealed) {
555 // 8.a.i.
556 desc.setConfigurable(false);
557 } else {
558 // 9.a.i-ii.
559 Rooted<Maybe<PropertyDescriptor>> currentDesc(cx);
560 if (!GetOwnPropertyDescriptor(cx, obj, id, &currentDesc)) {
561 return false;
562 }
563
564 // 9.a.iii.
565 if (currentDesc.isNothing()) {
566 continue;
567 }
568
569 // 9.a.iii.1-2
570 desc = PropertyDescriptor::Empty();
571 if (currentDesc->isAccessorDescriptor()) {
572 desc.setConfigurable(false);
573 } else {
574 desc.setConfigurable(false);
575 desc.setWritable(false);
576 }
577 }
578
579 // 8.a.i-ii. / 9.a.iii.3-4
580 if (!DefineProperty(cx, obj, id, desc)) {
581 return false;
582 }
583 }
584 }
585
586 // Finally, freeze or seal the dense elements.
587 if (obj->is<NativeObject>()) {
588 if (!ObjectElements::FreezeOrSeal(cx, obj.as<NativeObject>(), level)) {
589 return false;
590 }
591 }
592
593 return true;
594 }
595
596 static bool ResolveLazyProperties(JSContext* cx, Handle<NativeObject*> obj) {
597 const JSClass* clasp = obj->getClass();
598 if (JSEnumerateOp enumerate = clasp->getEnumerate()) {
599 if (!enumerate(cx, obj)) {
600 return false;
601 }
602 }
603 if (clasp->getNewEnumerate() && clasp->getResolve()) {
604 RootedIdVector properties(cx);
605 if (!clasp->getNewEnumerate()(cx, obj, &properties,
606 /* enumerableOnly = */ false)) {
607 return false;
608 }
609
610 RootedId id(cx);
611 for (size_t i = 0; i < properties.length(); i++) {
612 id = properties[i];
613 bool found;
614 if (!HasOwnProperty(cx, obj, id, &found)) {
615 return false;
616 }
617 }
618 }
619 return true;
620 }
621
622 // ES6 draft rev33 (12 Feb 2015) 7.3.15
623 bool js::TestIntegrityLevel(JSContext* cx, HandleObject obj,
624 IntegrityLevel level, bool* result) {
625 // Steps 3-6. (Steps 1-2 are redundant assertions.)
626 bool status;
627 if (!IsExtensible(cx, obj, &status)) {
628 return false;
629 }
630 if (status) {
631 *result = false;
632 return true;
633 }
634
635 // Fast path for native objects.
636 if (obj->is<NativeObject>()) {
637 Handle<NativeObject*> nobj = obj.as<NativeObject>();
638
639 // Force lazy properties to be resolved.
640 if (!ResolveLazyProperties(cx, nobj)) {
641 return false;
642 }
643
644 // Typed array elements are configurable, writable properties, so if any
645 // elements are present, the typed array can neither be sealed nor frozen.
646 if (nobj->is<TypedArrayObject>() &&
647 nobj->as<TypedArrayObject>().length().valueOr(0) > 0) {
648 *result = false;
649 return true;
650 }
651
652 bool hasDenseElements = false;
653 for (size_t i = 0; i < nobj->getDenseInitializedLength(); i++) {
654 if (nobj->containsDenseElement(i)) {
655 hasDenseElements = true;
656 break;
657 }
658 }
659
660 if (hasDenseElements) {
661 // Unless the sealed flag is set, dense elements are configurable.
662 if (!nobj->denseElementsAreSealed()) {
663 *result = false;
664 return true;
665 }
666
667 // Unless the frozen flag is set, dense elements are writable.
668 if (level == IntegrityLevel::Frozen && !nobj->denseElementsAreFrozen()) {
669 *result = false;
670 return true;
671 }
672 }
673
674 // Steps 7-9.
675 for (ShapePropertyIter<NoGC> iter(nobj->shape()); !iter.done(); iter++) {
676 // Steps 9.c.i-ii.
677 if (iter->configurable() ||
678 (level == IntegrityLevel::Frozen && iter->isDataDescriptor() &&
679 iter->writable())) {
680 // Private fields on objects don't participate in the frozen state, and
681 // so should be elided from checking for frozen state.
682 if (iter->key().isPrivateName()) {
683 continue;
684 }
685
686 *result = false;
687 return true;
688 }
689 }
690 } else {
691 // Steps 7-8.
692 RootedIdVector props(cx);
693 if (!GetPropertyKeys(
694 cx, obj, JSITER_HIDDEN | JSITER_OWNONLY | JSITER_SYMBOLS, &props)) {
695 return false;
696 }
697
698 // Step 9.
699 RootedId id(cx);
700 Rooted<Maybe<PropertyDescriptor>> desc(cx);
701 for (size_t i = 0, len = props.length(); i < len; i++) {
702 id = props[i];
703
704 // Steps 9.a-b.
705 if (!GetOwnPropertyDescriptor(cx, obj, id, &desc)) {
706 return false;
707 }
708
709 // Step 9.c.
710 if (desc.isNothing()) {
711 continue;
712 }
713
714 // Steps 9.c.i-ii.
715 if (desc->configurable() ||
716 (level == IntegrityLevel::Frozen && desc->isDataDescriptor() &&
717 desc->writable())) {
718 // Since we don't request JSITER_PRIVATE in GetPropertyKeys above, we
719 // should never see a private name here.
720 MOZ_ASSERT(!id.isPrivateName());
721 *result = false;
722 return true;
723 }
724 }
725 }
726
727 // Step 10.
728 *result = true;
729 return true;
730 }
731
732 /* * */
733
734 static MOZ_ALWAYS_INLINE NativeObject* NewObject(
735 JSContext* cx, const JSClass* clasp, Handle<TaggedProto> proto,
736 gc::AllocKind kind, NewObjectKind newKind, ObjectFlags objFlags) {
737 MOZ_ASSERT(clasp->isNativeObject());
738
739 // Some classes have specialized allocation functions and shouldn't end up
740 // here.
741 MOZ_ASSERT(clasp != &ArrayObject::class_);
742 MOZ_ASSERT(clasp != &PlainObject::class_);
743 MOZ_ASSERT(!clasp->isJSFunction());
744
745 // Computing nfixed based on the AllocKind isn't right for objects which can
746 // store fixed data inline (TypedArrays and ArrayBuffers) so for simplicity
747 // and performance reasons we don't support such objects here.
748 MOZ_ASSERT(!ClassCanHaveFixedData(clasp));
749 size_t nfixed = GetGCKindSlots(kind);
750
751 if (CanChangeToBackgroundAllocKind(kind, clasp)) {
752 kind = ForegroundToBackgroundAllocKind(kind);
753 }
754
755 Rooted<SharedShape*> shape(
756 cx, SharedShape::getInitialShape(cx, clasp, cx->realm(), proto, nfixed,
757 objFlags));
758 if (!shape) {
759 return nullptr;
760 }
761
762 gc::Heap heap = GetInitialHeap(newKind, clasp);
763 NativeObject* obj = NativeObject::create(cx, kind, heap, shape);
764 if (!obj) {
765 return nullptr;
766 }
767
768 probes::CreateObject(cx, obj);
769 return obj;
770 }
771
772 NativeObject* js::NewObjectWithGivenTaggedProto(
773 JSContext* cx, const JSClass* clasp, Handle<TaggedProto> proto,
774 gc::AllocKind allocKind, NewObjectKind newKind, ObjectFlags objFlags) {
775 return NewObject(cx, clasp, proto, allocKind, newKind, objFlags);
776 }
777
778 NativeObject* js::NewObjectWithClassProto(JSContext* cx, const JSClass* clasp,
779 HandleObject protoArg,
780 gc::AllocKind allocKind,
781 NewObjectKind newKind,
782 ObjectFlags objFlags) {
783 if (protoArg) {
784 return NewObjectWithGivenTaggedProto(cx, clasp, AsTaggedProto(protoArg),
785 allocKind, newKind, objFlags);
786 }
787
788 // Find the appropriate proto for clasp. Built-in classes have a cached
789 // proto on cx->global(); all others get %ObjectPrototype%.
790 JSProtoKey protoKey = JSCLASS_CACHED_PROTO_KEY(clasp);
791 if (protoKey == JSProto_Null) {
792 protoKey = JSProto_Object;
793 }
794
795 JSObject* proto = GlobalObject::getOrCreatePrototype(cx, protoKey);
796 if (!proto) {
797 return nullptr;
798 }
799
800 Rooted<TaggedProto> taggedProto(cx, TaggedProto(proto));
801 return NewObject(cx, clasp, taggedProto, allocKind, newKind, objFlags);
802 }
803
804 bool js::GetPrototypeFromConstructor(JSContext* cx, HandleObject newTarget,
805 JSProtoKey intrinsicDefaultProto,
806 MutableHandleObject proto) {
807 RootedValue protov(cx);
808 if (!GetProperty(cx, newTarget, newTarget, cx->names().prototype, &protov)) {
809 return false;
810 }
811 if (protov.isObject()) {
812 proto.set(&protov.toObject());
813 } else if (newTarget->is<JSFunction>() &&
814 newTarget->as<JSFunction>().realm() == cx->realm()) {
815 // Steps 4.a-b fetch the builtin prototype of the current realm, which we
816 // represent as nullptr.
817 proto.set(nullptr);
818 } else if (intrinsicDefaultProto == JSProto_Null) {
819 // Bug 1317416. The caller did not pass a reasonable JSProtoKey, so let the
820 // caller select a prototype object. Most likely they will choose one from
821 // the wrong realm.
822 proto.set(nullptr);
823 } else {
824 // Step 4.a: Let realm be ? GetFunctionRealm(constructor);
825 Realm* realm = JS::GetFunctionRealm(cx, newTarget);
826 if (!realm) {
827 return false;
828 }
829
830 // Step 4.b: Set proto to realm's intrinsic object named
831 // intrinsicDefaultProto.
832 {
833 Maybe<AutoRealm> ar;
834 if (cx->realm() != realm) {
835 ar.emplace(cx, realm->maybeGlobal());
836 }
837 proto.set(GlobalObject::getOrCreatePrototype(cx, intrinsicDefaultProto));
838 }
839 if (!proto) {
840 return false;
841 }
842 if (!cx->compartment()->wrap(cx, proto)) {
843 return false;
844 }
845 }
846 return true;
847 }
848
849 /* static */
850 bool JSObject::nonNativeSetProperty(JSContext* cx, HandleObject obj,
851 HandleId id, HandleValue v,
852 HandleValue receiver,
853 ObjectOpResult& result) {
854 return obj->getOpsSetProperty()(cx, obj, id, v, receiver, result);
855 }
856
857 /* static */
858 bool JSObject::nonNativeSetElement(JSContext* cx, HandleObject obj,
859 uint32_t index, HandleValue v,
860 HandleValue receiver,
861 ObjectOpResult& result) {
862 RootedId id(cx);
863 if (!IndexToId(cx, index, &id)) {
864 return false;
865 }
866 return nonNativeSetProperty(cx, obj, id, v, receiver, result);
867 }
868
869 static bool CopyPropertyFrom(JSContext* cx, HandleId id, HandleObject target,
870 HandleObject obj) {
871 // |target| must not be a CCW because we need to enter its realm below and
872 // CCWs are not associated with a single realm.
873 MOZ_ASSERT(!IsCrossCompartmentWrapper(target));
874
875 // |obj| and |cx| are generally not same-compartment with |target| here.
876 cx->check(obj, id);
877 Rooted<mozilla::Maybe<PropertyDescriptor>> desc(cx);
878
879 if (!GetOwnPropertyDescriptor(cx, obj, id, &desc)) {
880 return false;
881 }
882 MOZ_ASSERT(desc.isSome());
883
884 JSAutoRealm ar(cx, target);
885 cx->markId(id);
886 RootedId wrappedId(cx, id);
887 if (!cx->compartment()->wrap(cx, &desc)) {
888 return false;
889 }
890
891 Rooted<PropertyDescriptor> desc_(cx, *desc);
892 return DefineProperty(cx, target, wrappedId, desc_);
893 }
894
895 JS_PUBLIC_API bool JS_CopyOwnPropertiesAndPrivateFields(JSContext* cx,
896 HandleObject target,
897 HandleObject obj) {
898 // Both |obj| and |target| must not be CCWs because we need to enter their
899 // realms below and CCWs are not associated with a single realm.
900 MOZ_ASSERT(!IsCrossCompartmentWrapper(obj));
901 MOZ_ASSERT(!IsCrossCompartmentWrapper(target));
902
903 JSAutoRealm ar(cx, obj);
904
905 RootedIdVector props(cx);
906 if (!GetPropertyKeys(
907 cx, obj,
908 JSITER_PRIVATE | JSITER_OWNONLY | JSITER_HIDDEN | JSITER_SYMBOLS,
909 &props)) {
910 return false;
911 }
912
913 for (size_t i = 0; i < props.length(); ++i) {
914 if (!CopyPropertyFrom(cx, props[i], target, obj)) {
915 return false;
916 }
917 }
918
919 return true;
920 }
921
922 static bool InitializePropertiesFromCompatibleNativeObject(
923 JSContext* cx, Handle<NativeObject*> dst, Handle<NativeObject*> src) {
924 cx->check(src, dst);
925 MOZ_ASSERT(src->getClass() == dst->getClass());
926 MOZ_ASSERT(dst->shape()->objectFlags().isEmpty());
927 MOZ_ASSERT(src->numFixedSlots() == dst->numFixedSlots());
928 MOZ_ASSERT(!src->inDictionaryMode());
929 MOZ_ASSERT(!dst->inDictionaryMode());
930
931 if (!dst->ensureElements(cx, src->getDenseInitializedLength())) {
932 return false;
933 }
934
935 uint32_t initialized = src->getDenseInitializedLength();
936 for (uint32_t i = 0; i < initialized; ++i) {
937 dst->setDenseInitializedLength(i + 1);
938 dst->initDenseElement(i, src->getDenseElement(i));
939 }
940
941 // If there are no properties to copy, we're done.
942 if (!src->sharedShape()->propMap()) {
943 return true;
944 }
945
946 Rooted<SharedShape*> shape(cx);
947 if (src->staticPrototype() == dst->staticPrototype()) {
948 shape = src->sharedShape();
949 } else {
950 // We need to generate a new shape for dst that has dst's proto but all
951 // the property information from src. Note that we asserted above that
952 // dst's object flags are empty.
953 SharedShape* srcShape = src->sharedShape();
954 ObjectFlags objFlags;
955 objFlags = CopyPropMapObjectFlags(objFlags, srcShape->objectFlags());
956 Rooted<SharedPropMap*> map(cx, srcShape->propMap());
957 uint32_t mapLength = srcShape->propMapLength();
958 shape = SharedShape::getPropMapShape(cx, dst->shape()->base(),
959 dst->numFixedSlots(), map, mapLength,
960 objFlags);
961 if (!shape) {
962 return false;
963 }
964 }
965
966 uint32_t oldSpan = dst->sharedShape()->slotSpan();
967 uint32_t newSpan = shape->slotSpan();
968 if (!dst->setShapeAndAddNewSlots(cx, shape, oldSpan, newSpan)) {
969 return false;
970 }
971 for (size_t i = JSCLASS_RESERVED_SLOTS(src->getClass()); i < newSpan; i++) {
972 dst->setSlot(i, src->getSlot(i));
973 }
974
975 return true;
976 }
977
978 JS_PUBLIC_API bool JS_InitializePropertiesFromCompatibleNativeObject(
979 JSContext* cx, HandleObject dst, HandleObject src) {
980 return InitializePropertiesFromCompatibleNativeObject(
981 cx, dst.as<NativeObject>(), src.as<NativeObject>());
982 }
983
984 bool js::ObjectMayBeSwapped(const JSObject* obj) {
985 const JSClass* clasp = obj->getClass();
986
987 // We want to optimize Window/globals and Gecko doesn't require transplanting
988 // them (only the WindowProxy around them). A Window may be a DOMClass, so we
989 // explicitly check if this is a global.
990 if (clasp->isGlobal()) {
991 return false;
992 }
993
994 // WindowProxy, Wrapper, DeadProxyObject, DOMProxy, and DOMClass (non-global)
995 // types may be swapped. It is hard to detect DOMProxy from shell, so target
996 // proxies in general.
997 return clasp->isProxyObject() || clasp->isDOMClass();
998 }
999
1000 bool NativeObject::prepareForSwap(JSContext* cx,
1001 MutableHandleValueVector slotValuesOut) {
1002 MOZ_ASSERT(slotValuesOut.empty());
1003
1004 for (size_t i = 0; i < slotSpan(); i++) {
1005 if (!slotValuesOut.append(getSlot(i))) {
1006 return false;
1007 }
1008 }
1009
1010 if (hasDynamicSlots()) {
1011 ObjectSlots* slotsHeader = getSlotsHeader();
1012 size_t size = ObjectSlots::allocSize(slotsHeader->capacity());
1013 RemoveCellMemory(this, size, MemoryUse::ObjectSlots);
1014 if (!cx->nursery().isInside(slotsHeader)) {
1015 if (!isTenured()) {
1016 cx->nursery().removeMallocedBuffer(slotsHeader, size);
1017 }
1018 js_free(slotsHeader);
1019 }
1020 setEmptyDynamicSlots(0);
1021 }
1022
1023 if (hasDynamicElements()) {
1024 ObjectElements* elements = getElementsHeader();
1025 void* allocatedElements = getUnshiftedElementsHeader();
1026 size_t count = elements->numAllocatedElements();
1027 size_t size = count * sizeof(HeapSlot);
1028
1029 if (isTenured()) {
1030 RemoveCellMemory(this, size, MemoryUse::ObjectElements);
1031 } else if (cx->nursery().isInside(allocatedElements)) {
1032 // Move nursery allocated elements in case they end up in a tenured
1033 // object.
1034 ObjectElements* newElements =
1035 reinterpret_cast<ObjectElements*>(js_pod_malloc<HeapSlot>(count));
1036 if (!newElements) {
1037 return false;
1038 }
1039
1040 memmove(newElements, elements, size);
1041 elements_ = newElements->elements();
1042 } else {
1043 cx->nursery().removeMallocedBuffer(allocatedElements, size);
1044 }
1045 MOZ_ASSERT(hasDynamicElements());
1046 }
1047
1048 return true;
1049 }
1050
1051 /* static */
1052 bool NativeObject::fixupAfterSwap(JSContext* cx, Handle<NativeObject*> obj,
1053 gc::AllocKind kind,
1054 HandleValueVector slotValues) {
1055 // This object has just been swapped with some other object, and its shape
1056 // no longer reflects its allocated size. Correct this information and
1057 // fill the slots in with the specified values.
1058 MOZ_ASSERT_IF(!obj->inDictionaryMode(),
1059 obj->slotSpan() == slotValues.length());
1060
1061 // Make sure the shape's numFixedSlots() is correct.
1062 size_t nfixed = gc::GetGCKindSlots(kind);
1063 if (nfixed != obj->shape()->numFixedSlots()) {
1064 if (!NativeObject::changeNumFixedSlotsAfterSwap(cx, obj, nfixed)) {
1065 return false;
1066 }
1067 MOZ_ASSERT(obj->shape()->numFixedSlots() == nfixed);
1068 }
1069
1070 uint32_t oldDictionarySlotSpan =
1071 obj->inDictionaryMode() ? slotValues.length() : 0;
1072
1073 MOZ_ASSERT(!obj->hasUniqueId());
1074 size_t ndynamic =
1075 calculateDynamicSlots(nfixed, slotValues.length(), obj->getClass());
1076 size_t currentSlots = obj->getSlotsHeader()->capacity();
1077 MOZ_ASSERT(ndynamic >= currentSlots);
1078 if (ndynamic > currentSlots) {
1079 if (!obj->growSlots(cx, currentSlots, ndynamic)) {
1080 return false;
1081 }
1082 }
1083
1084 if (obj->inDictionaryMode()) {
1085 obj->setDictionaryModeSlotSpan(oldDictionarySlotSpan);
1086 }
1087
1088 for (size_t i = 0, len = slotValues.length(); i < len; i++) {
1089 obj->initSlotUnchecked(i, slotValues[i]);
1090 }
1091
1092 if (obj->hasDynamicElements()) {
1093 ObjectElements* elements = obj->getElementsHeader();
1094 void* allocatedElements = obj->getUnshiftedElementsHeader();
1095 MOZ_ASSERT(!cx->nursery().isInside(allocatedElements));
1096 size_t size = elements->numAllocatedElements() * sizeof(HeapSlot);
1097 if (obj->isTenured()) {
1098 AddCellMemory(obj, size, MemoryUse::ObjectElements);
1099 } else if (!cx->nursery().registerMallocedBuffer(allocatedElements, size)) {
1100 return false;
1101 }
1102 }
1103
1104 return true;
1105 }
1106
1107 [[nodiscard]] bool ProxyObject::prepareForSwap(
1108 JSContext* cx, MutableHandleValueVector valuesOut) {
1109 MOZ_ASSERT(valuesOut.empty());
1110
1111 // Remove the GCPtr<Value>s we're about to swap from the store buffer, to
1112 // ensure we don't trace bogus values.
1113 gc::StoreBuffer& sb = cx->runtime()->gc.storeBuffer();
1114
1115 // Reserve space for the expando, private slot and the reserved slots.
1116 if (!valuesOut.reserve(2 + numReservedSlots())) {
1117 return false;
1118 }
1119
1120 js::detail::ProxyValueArray* valArray = data.values();
1121 sb.unputValue(&valArray->expandoSlot);
1122 sb.unputValue(&valArray->privateSlot);
1123 valuesOut.infallibleAppend(valArray->expandoSlot);
1124 valuesOut.infallibleAppend(valArray->privateSlot);
1125
1126 for (size_t i = 0; i < numReservedSlots(); i++) {
1127 sb.unputValue(&valArray->reservedSlots.slots[i]);
1128 valuesOut.infallibleAppend(valArray->reservedSlots.slots[i]);
1129 }
1130
1131 if (isTenured() && !usingInlineValueArray()) {
1132 size_t count = detail::ProxyValueArray::allocCount(numReservedSlots());
1133 RemoveCellMemory(this, count * sizeof(Value),
1134 MemoryUse::ProxyExternalValueArray);
1135 js_free(valArray);
1136 data.reservedSlots = nullptr;
1137 }
1138
1139 return true;
1140 }
1141
1142 bool ProxyObject::fixupAfterSwap(JSContext* cx,
1143 const HandleValueVector values) {
1144 MOZ_ASSERT(getClass()->isProxyObject());
1145
1146 size_t nreserved = numReservedSlots();
1147
1148 // |values| contains the expando slot, private slot and the reserved slots.
1149 MOZ_ASSERT(values.length() == 2 + nreserved);
1150
1151 // Allocate the external value array in malloc memory, even for nursery
1152 // proxies.
1153 size_t count = detail::ProxyValueArray::allocCount(nreserved);
1154 auto* allocation = js_pod_malloc<JS::Value>(count);
1155 if (!allocation) {
1156 return false;
1157 }
1158
1159 size_t size = count * sizeof(Value);
1160 if (isTenured()) {
1161 AddCellMemory(&asTenured(), size, MemoryUse::ProxyExternalValueArray);
1162 } else if (!cx->nursery().registerMallocedBuffer(allocation, size)) {
1163 js_free(allocation);
1164 return false;
1165 }
1166
1167 auto* valArray = reinterpret_cast<js::detail::ProxyValueArray*>(allocation);
1168
1169 valArray->expandoSlot = values[0];
1170 valArray->privateSlot = values[1];
1171
1172 for (size_t i = 0; i < nreserved; i++) {
1173 valArray->reservedSlots.slots[i] = values[i + 2];
1174 }
1175
1176 data.reservedSlots = &valArray->reservedSlots;
1177 MOZ_ASSERT(!usingInlineValueArray());
1178 return true;
1179 }
1180
1181 static gc::AllocKind SwappableObjectAllocKind(JSObject* obj) {
1182 MOZ_ASSERT(ObjectMayBeSwapped(obj));
1183
1184 if (obj->isTenured()) {
1185 return obj->asTenured().getAllocKind();
1186 }
1187
1188 if (obj->is<NativeObject>()) {
1189 return obj->as<NativeObject>().allocKindForTenure();
1190 }
1191
1192 return obj->as<ProxyObject>().allocKindForTenure();
1193 }
1194
1195 /* Use this method with extreme caution. It trades the guts of two objects. */
1196 void JSObject::swap(JSContext* cx, HandleObject a, HandleObject b,
1197 AutoEnterOOMUnsafeRegion& oomUnsafe) {
1198 // Ensure swap doesn't cause a finalizer to be run at the wrong time.
1199 MOZ_ASSERT(a->isBackgroundFinalized() == b->isBackgroundFinalized());
1200
1201 MOZ_ASSERT(a->compartment() == b->compartment());
1202
1203 // You must have entered the objects' compartment before calling this.
1204 MOZ_ASSERT(cx->compartment() == a->compartment());
1205
1206 // Only certain types of objects are allowed to be swapped. This allows the
1207 // JITs to better optimize objects that can never swap and rules out most
1208 // builtin objects that have special behaviour.
1209 MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(a));
1210 MOZ_RELEASE_ASSERT(js::ObjectMayBeSwapped(b));
1211
1212 if (!Watchtower::watchObjectSwap(cx, a, b)) {
1213 oomUnsafe.crash("watchObjectSwap");
1214 }
1215
1216 // Ensure we update any embedded nursery pointers in either object.
1217 gc::StoreBuffer& storeBuffer = cx->runtime()->gc.storeBuffer();
1218 if (a->isTenured()) {
1219 storeBuffer.putWholeCell(a);
1220 }
1221 if (b->isTenured()) {
1222 storeBuffer.putWholeCell(b);
1223 }
1224 if (a->isTenured() || b->isTenured()) {
1225 if (a->zone()->wasGCStarted()) {
1226 storeBuffer.setMayHavePointersToDeadCells();
1227 }
1228 }
1229
1230 unsigned r = NotifyGCPreSwap(a, b);
1231
1232 ProxyObject* pa = a->is<ProxyObject>() ? &a->as<ProxyObject>() : nullptr;
1233 ProxyObject* pb = b->is<ProxyObject>() ? &b->as<ProxyObject>() : nullptr;
1234 bool aIsProxyWithInlineValues = pa && pa->usingInlineValueArray();
1235 bool bIsProxyWithInlineValues = pb && pb->usingInlineValueArray();
1236
1237 bool aIsUsedAsPrototype = a->isUsedAsPrototype();
1238 bool bIsUsedAsPrototype = b->isUsedAsPrototype();
1239
1240 // Swap element associations.
1241 Zone* zone = a->zone();
1242
1243 // Record any associated unique IDs and prepare for swap.
1244 //
1245 // Note that unique IDs are NOT swapped but remain associated with the
1246 // original address.
1247 uint64_t aid = 0;
1248 uint64_t bid = 0;
1249 (void)gc::MaybeGetUniqueId(a, &aid);
1250 (void)gc::MaybeGetUniqueId(b, &bid);
1251 NativeObject* na = a->is<NativeObject>() ? &a->as<NativeObject>() : nullptr;
1252 NativeObject* nb = b->is<NativeObject>() ? &b->as<NativeObject>() : nullptr;
1253 if ((aid || bid) && (na || nb)) {
1254 // We can't remove unique IDs from native objects when they are swapped with
1255 // objects without an ID. Instead ensure they both have IDs so we always
1256 // have something to overwrite the old ID with.
1257 if (!gc::GetOrCreateUniqueId(a, &aid) ||
1258 !gc::GetOrCreateUniqueId(b, &bid)) {
1259 oomUnsafe.crash("Failed to create unique ID during swap");
1260 }
1261
1262 // IDs stored in NativeObjects could shadow those stored in the zone
1263 // table. Remove any zone table IDs first.
1264 if (pa && aid) {
1265 gc::RemoveUniqueId(a);
1266 }
1267 if (pb && bid) {
1268 gc::RemoveUniqueId(b);
1269 }
1270 }
1271
1272 gc::AllocKind ka = SwappableObjectAllocKind(a);
1273 gc::AllocKind kb = SwappableObjectAllocKind(b);
1274
1275 size_t sa = gc::Arena::thingSize(ka);
1276 size_t sb = gc::Arena::thingSize(kb);
1277 if (sa == sb && a->isTenured() == b->isTenured()) {
1278 // When both objects are the same size and in the same heap, just do a plain
1279 // swap of their contents.
1280
1281 // Swap slot associations.
1282 zone->swapCellMemory(a, b, MemoryUse::ObjectSlots);
1283
1284 size_t size = sa;
1285 char tmp[sizeof(JSObject_Slots16)];
1286 MOZ_ASSERT(size <= sizeof(tmp));
1287
1288 js_memcpy(tmp, a, size);
1289 js_memcpy(a, b, size);
1290 js_memcpy(b, tmp, size);
1291
1292 zone->swapCellMemory(a, b, MemoryUse::ObjectElements);
1293 zone->swapCellMemory(a, b, MemoryUse::ProxyExternalValueArray);
1294
1295 if (aIsProxyWithInlineValues) {
1296 b->as<ProxyObject>().setInlineValueArray();
1297 }
1298 if (bIsProxyWithInlineValues) {
1299 a->as<ProxyObject>().setInlineValueArray();
1300 }
1301 } else {
1302 // Avoid GC in here to avoid confusing the tracing code with our
1303 // intermediate state.
1304 gc::AutoSuppressGC suppress(cx);
1305
1306 // When the objects have different sizes, they will have different numbers
1307 // of fixed slots before and after the swap, so the slots for native objects
1308 // will need to be rearranged. Remember the original values from the
1309 // objects.
1310 RootedValueVector avals(cx);
1311 RootedValueVector bvals(cx);
1312 if (na && !na->prepareForSwap(cx, &avals)) {
1313 oomUnsafe.crash("NativeObject::prepareForSwap");
1314 }
1315 if (nb && !nb->prepareForSwap(cx, &bvals)) {
1316 oomUnsafe.crash("NativeObject::prepareForSwap");
1317 }
1318
1319 // Do the same for proxy value arrays.
1320 if (pa && !pa->prepareForSwap(cx, &avals)) {
1321 oomUnsafe.crash("ProxyObject::prepareForSwap");
1322 }
1323 if (pb && !pb->prepareForSwap(cx, &bvals)) {
1324 oomUnsafe.crash("ProxyObject::prepareForSwap");
1325 }
1326
1327 // Swap the main fields of the objects, whether they are native objects or
1328 // proxies.
1329 char tmp[sizeof(JSObject_Slots0)];
1330 js_memcpy(&tmp, a, sizeof tmp);
1331 js_memcpy(a, b, sizeof tmp);
1332 js_memcpy(b, &tmp, sizeof tmp);
1333
1334 if (na &&
1335 !NativeObject::fixupAfterSwap(cx, b.as<NativeObject>(), kb, avals)) {
1336 oomUnsafe.crash("NativeObject::fixupAfterSwap");
1337 }
1338 if (nb &&
1339 !NativeObject::fixupAfterSwap(cx, a.as<NativeObject>(), ka, bvals)) {
1340 oomUnsafe.crash("NativeObject::fixupAfterSwap");
1341 }
1342
1343 if (pa && !b->as<ProxyObject>().fixupAfterSwap(cx, avals)) {
1344 oomUnsafe.crash("ProxyObject::fixupAfterSwap");
1345 }
1346 if (pb && !a->as<ProxyObject>().fixupAfterSwap(cx, bvals)) {
1347 oomUnsafe.crash("ProxyObject::fixupAfterSwap");
1348 }
1349 }
1350
1351 // Restore original unique IDs.
1352 if ((aid || bid) && (na || nb)) {
1353 if ((aid && !gc::SetOrUpdateUniqueId(cx, a, aid)) ||
1354 (bid && !gc::SetOrUpdateUniqueId(cx, b, bid))) {
1355 oomUnsafe.crash("Failed to set unique ID after swap");
1356 }
1357 }
1358 MOZ_ASSERT_IF(aid, gc::GetUniqueIdInfallible(a) == aid);
1359 MOZ_ASSERT_IF(bid, gc::GetUniqueIdInfallible(b) == bid);
1360
1361 // Preserve the IsUsedAsPrototype flag on the objects.
1362 if (aIsUsedAsPrototype) {
1363 if (!JSObject::setIsUsedAsPrototype(cx, a)) {
1364 oomUnsafe.crash("setIsUsedAsPrototype");
1365 }
1366 }
1367 if (bIsUsedAsPrototype) {
1368 if (!JSObject::setIsUsedAsPrototype(cx, b)) {
1369 oomUnsafe.crash("setIsUsedAsPrototype");
1370 }
1371 }
1372
1373 /*
1374 * We need a write barrier here. If |a| was marked and |b| was not, then
1375 * after the swap, |b|'s guts would never be marked. The write barrier
1376 * solves this.
1377 *
1378 * Normally write barriers happen before the write. However, that's not
1379 * necessary here because nothing is being destroyed. We're just swapping.
1380 */
1381 PreWriteBarrier(zone, a.get(), [](JSTracer* trc, JSObject* obj) {
1382 obj->traceChildren(trc);
1383 });
1384 PreWriteBarrier(zone, b.get(), [](JSTracer* trc, JSObject* obj) {
1385 obj->traceChildren(trc);
1386 });
1387
1388 NotifyGCPostSwap(a, b, r);
1389 }
1390
1391 static NativeObject* DefineConstructorAndPrototype(
1392 JSContext* cx, HandleObject obj, Handle<JSAtom*> atom,
1393 HandleObject protoProto, const JSClass* clasp, Native constructor,
1394 unsigned nargs, const JSPropertySpec* ps, const JSFunctionSpec* fs,
1395 const JSPropertySpec* static_ps, const JSFunctionSpec* static_fs,
1396 NativeObject** ctorp) {
1397 // Create the prototype object.
1398 Rooted<NativeObject*> proto(
1399 cx, GlobalObject::createBlankPrototypeInheriting(cx, clasp, protoProto));
1400 if (!proto) {
1401 return nullptr;
1402 }
1403
1404 Rooted<NativeObject*> ctor(cx);
1405 if (!constructor) {
1406 ctor = proto;
1407 } else {
1408 ctor = NewNativeConstructor(cx, constructor, nargs, atom);
1409 if (!ctor) {
1410 return nullptr;
1411 }
1412
1413 if (!LinkConstructorAndPrototype(cx, ctor, proto)) {
1414 return nullptr;
1415 }
1416 }
1417
1418 if (!DefinePropertiesAndFunctions(cx, proto, ps, fs) ||
1419 (ctor != proto &&
1420 !DefinePropertiesAndFunctions(cx, ctor, static_ps, static_fs))) {
1421 return nullptr;
1422 }
1423
1424 RootedId id(cx, AtomToId(atom));
1425 RootedValue value(cx, ObjectValue(*ctor));
1426 if (!DefineDataProperty(cx, obj, id, value, 0)) {
1427 return nullptr;
1428 }
1429
1430 if (ctorp) {
1431 *ctorp = ctor;
1432 }
1433 return proto;
1434 }
1435
1436 NativeObject* js::InitClass(JSContext* cx, HandleObject obj,
1437 const JSClass* protoClass, HandleObject protoProto_,
1438 const char* name, Native constructor,
1439 unsigned nargs, const JSPropertySpec* ps,
1440 const JSFunctionSpec* fs,
1441 const JSPropertySpec* static_ps,
1442 const JSFunctionSpec* static_fs,
1443 NativeObject** ctorp) {
1444 Rooted<JSAtom*> atom(cx, Atomize(cx, name, strlen(name)));
1445 if (!atom) {
1446 return nullptr;
1447 }
1448
1449 /*
1450 * All instances of the class will inherit properties from the prototype
1451 * object we are about to create (in DefineConstructorAndPrototype), which
1452 * in turn will inherit from protoProto.
1453 *
1454 * If protoProto is nullptr, default to Object.prototype.
1455 * If protoClass is nullptr, default to PlainObject.
1456 */
1457 RootedObject protoProto(cx, protoProto_);
1458 if (!protoProto) {
1459 protoProto = &cx->global()->getObjectPrototype();
1460 }
1461 if (!protoClass) {
1462 protoClass = &PlainObject::class_;
1463 }
1464
1465 return DefineConstructorAndPrototype(cx, obj, atom, protoProto, protoClass,
1466 constructor, nargs, ps, fs, static_ps,
1467 static_fs, ctorp);
1468 }
1469
1470 /**
1471 * Returns the original Object.prototype from the embedding-provided incumbent
1472 * global.
1473 *
1474 * Really, we want the incumbent global itself so we can pass it to other
1475 * embedding hooks which need it. Specifically, the enqueue promise hook
1476 * takes an incumbent global so it can set that on the PromiseCallbackJob
1477 * it creates.
1478 *
1479 * The reason for not just returning the global itself is that we'd need to
1480 * wrap it into the current compartment, and later unwrap it. Unwrapping
1481 * globals is tricky, though: we might accidentally unwrap through an inner
1482 * to its outer window and end up with the wrong global. Plain objects don't
1483 * have this problem, so we use the global's Object.prototype. The code using
1484 * it - e.g. EnqueuePromiseReactionJob - can then unwrap the object and get
1485 * its global without fear of unwrapping too far.
1486 */
1487 bool js::GetObjectFromIncumbentGlobal(JSContext* cx, MutableHandleObject obj) {
1488 Rooted<GlobalObject*> globalObj(cx, cx->runtime()->getIncumbentGlobal(cx));
1489 if (!globalObj) {
1490 obj.set(nullptr);
1491 return true;
1492 }
1493
1494 obj.set(&globalObj->getObjectPrototype());
1495
1496 // The object might be from a different compartment, so wrap it.
1497 if (obj && !cx->compartment()->wrap(cx, obj)) {
1498 return false;
1499 }
1500
1501 return true;
1502 }
1503
1504 static bool IsStandardPrototype(JSObject* obj, JSProtoKey key) {
1505 return obj->nonCCWGlobal().maybeGetPrototype(key) == obj;
1506 }
1507
1508 JSProtoKey JS::IdentifyStandardInstance(JSObject* obj) {
1509 // Note: The prototype shares its JSClass with instances.
1510 MOZ_ASSERT(!obj->is<CrossCompartmentWrapperObject>());
1511 JSProtoKey key = StandardProtoKeyOrNull(obj);
1512 if (key != JSProto_Null && !IsStandardPrototype(obj, key)) {
1513 return key;
1514 }
1515 return JSProto_Null;
1516 }
1517
1518 JSProtoKey JS::IdentifyStandardPrototype(JSObject* obj) {
1519 // Note: The prototype shares its JSClass with instances.
1520 MOZ_ASSERT(!obj->is<CrossCompartmentWrapperObject>());
1521 JSProtoKey key = StandardProtoKeyOrNull(obj);
1522 if (key != JSProto_Null && IsStandardPrototype(obj, key)) {
1523 return key;
1524 }
1525 return JSProto_Null;
1526 }
1527
1528 JSProtoKey JS::IdentifyStandardInstanceOrPrototype(JSObject* obj) {
1529 return StandardProtoKeyOrNull(obj);
1530 }
1531
1532 JSProtoKey JS::IdentifyStandardConstructor(JSObject* obj) {
1533 // Note that isNativeConstructor does not imply that we are a standard
1534 // constructor, but the converse is true (at least until we start having
1535 // self-hosted constructors for standard classes). This lets us avoid a costly
1536 // loop for many functions (which, depending on the call site, may be the
1537 // common case).
1538 if (!obj->is<JSFunction>() ||
1539 !(obj->as<JSFunction>().flags().isNativeConstructor())) {
1540 return JSProto_Null;
1541 }
1542
1543 static_assert(JSProto_Null == 0,
1544 "Loop below can start at 1 to skip JSProto_Null");
1545
1546 GlobalObject& global = obj->as<JSFunction>().global();
1547 for (size_t k = 1; k < JSProto_LIMIT; ++k) {
1548 JSProtoKey key = static_cast<JSProtoKey>(k);
1549 if (global.maybeGetConstructor(key) == obj) {
1550 return key;
1551 }
1552 }
1553
1554 return JSProto_Null;
1555 }
1556
1557 bool js::LookupProperty(JSContext* cx, HandleObject obj, js::HandleId id,
1558 MutableHandleObject objp, PropertyResult* propp) {
1559 if (LookupPropertyOp op = obj->getOpsLookupProperty()) {
1560 return op(cx, obj, id, objp, propp);
1561 }
1562 return NativeLookupPropertyInline<CanGC>(cx, obj.as<NativeObject>(), id, objp,
1563 propp);
1564 }
1565
1566 bool js::LookupName(JSContext* cx, Handle<PropertyName*> name,
1567 HandleObject envChain, MutableHandleObject objp,
1568 MutableHandleObject pobjp, PropertyResult* propp) {
1569 RootedId id(cx, NameToId(name));
1570
1571 for (RootedObject env(cx, envChain); env; env = env->enclosingEnvironment()) {
1572 if (!LookupProperty(cx, env, id, pobjp, propp)) {
1573 return false;
1574 }
1575 if (propp->isFound()) {
1576 objp.set(env);
1577 return true;
1578 }
1579 }
1580
1581 objp.set(nullptr);
1582 pobjp.set(nullptr);
1583 propp->setNotFound();
1584 return true;
1585 }
1586
1587 bool js::LookupNameNoGC(JSContext* cx, PropertyName* name, JSObject* envChain,
1588 JSObject** objp, NativeObject** pobjp,
1589 PropertyResult* propp) {
1590 AutoAssertNoPendingException nogc(cx);
1591
1592 MOZ_ASSERT(!*objp && !*pobjp && propp->isNotFound());
1593
1594 for (JSObject* env = envChain; env; env = env->enclosingEnvironment()) {
1595 if (env->getOpsLookupProperty()) {
1596 return false;
1597 }
1598 if (!NativeLookupPropertyInline<NoGC>(cx, &env->as<NativeObject>(),
1599 NameToId(name), pobjp, propp)) {
1600 return false;
1601 }
1602 if (propp->isFound()) {
1603 *objp = env;
1604 return true;
1605 }
1606 }
1607
1608 return true;
1609 }
1610
1611 bool js::LookupNameWithGlobalDefault(JSContext* cx, Handle<PropertyName*> name,
1612 HandleObject envChain,
1613 MutableHandleObject objp) {
1614 RootedId id(cx, NameToId(name));
1615
1616 RootedObject pobj(cx);
1617 PropertyResult prop;
1618
1619 RootedObject env(cx, envChain);
1620 for (; !env->is<GlobalObject>(); env = env->enclosingEnvironment()) {
1621 if (!LookupProperty(cx, env, id, &pobj, &prop)) {
1622 return false;
1623 }
1624 if (prop.isFound()) {
1625 break;
1626 }
1627 }
1628
1629 objp.set(env);
1630 return true;
1631 }
1632
1633 bool js::LookupNameUnqualified(JSContext* cx, Handle<PropertyName*> name,
1634 HandleObject envChain,
1635 MutableHandleObject objp) {
1636 RootedId id(cx, NameToId(name));
1637
1638 RootedObject pobj(cx);
1639 PropertyResult prop;
1640
1641 RootedObject env(cx, envChain);
1642 for (; !env->isUnqualifiedVarObj(); env = env->enclosingEnvironment()) {
1643 if (!LookupProperty(cx, env, id, &pobj, &prop)) {
1644 return false;
1645 }
1646 if (prop.isFound()) {
1647 break;
1648 }
1649 }
1650
1651 // See note above RuntimeLexicalErrorObject.
1652 if (pobj == env) {
1653 bool isTDZ = false;
1654 if (prop.isFound() && name != cx->names().dot_this_) {
1655 // Treat Debugger environments specially for TDZ checks, as they
1656 // look like non-native environments but in fact wrap native
1657 // environments.
1658 if (env->is<DebugEnvironmentProxy>()) {
1659 RootedValue v(cx);
1660 Rooted<DebugEnvironmentProxy*> envProxy(
1661 cx, &env->as<DebugEnvironmentProxy>());
1662 if (!DebugEnvironmentProxy::getMaybeSentinelValue(cx, envProxy, id,
1663 &v)) {
1664 return false;
1665 }
1666 isTDZ = IsUninitializedLexical(v);
1667 } else {
1668 isTDZ = IsUninitializedLexicalSlot(env, prop);
1669 }
1670 }
1671
1672 if (isTDZ) {
1673 env = RuntimeLexicalErrorObject::create(cx, env,
1674 JSMSG_UNINITIALIZED_LEXICAL);
1675 if (!env) {
1676 return false;
1677 }
1678 } else if (env->is<LexicalEnvironmentObject>() &&
1679 !prop.propertyInfo().writable()) {
1680 // Assigning to a named lambda callee name is a no-op in sloppy mode.
1681 if (!(env->is<BlockLexicalEnvironmentObject>() &&
1682 env->as<BlockLexicalEnvironmentObject>().scope().kind() ==
1683 ScopeKind::NamedLambda)) {
1684 MOZ_ASSERT(name != cx->names().dot_this_);
1685 env =
1686 RuntimeLexicalErrorObject::create(cx, env, JSMSG_BAD_CONST_ASSIGN);
1687 if (!env) {
1688 return false;
1689 }
1690 }
1691 }
1692 }
1693
1694 objp.set(env);
1695 return true;
1696 }
1697
1698 bool js::HasOwnProperty(JSContext* cx, HandleObject obj, HandleId id,
1699 bool* result) {
1700 if (obj->is<ProxyObject>()) {
1701 return Proxy::hasOwn(cx, obj, id, result);
1702 }
1703
1704 if (GetOwnPropertyOp op = obj->getOpsGetOwnPropertyDescriptor()) {
1705 Rooted<mozilla::Maybe<PropertyDescriptor>> desc(cx);
1706 if (!op(cx, obj, id, &desc)) {
1707 return false;
1708 }
1709 *result = desc.isSome();
1710 return true;
1711 }
1712
1713 PropertyResult prop;
1714 if (!NativeLookupOwnProperty<CanGC>(cx, obj.as<NativeObject>(), id, &prop)) {
1715 return false;
1716 }
1717 *result = prop.isFound();
1718 return true;
1719 }
1720
1721 bool js::LookupPropertyPure(JSContext* cx, JSObject* obj, jsid id,
1722 NativeObject** objp, PropertyResult* propp) {
1723 if (obj->getOpsLookupProperty()) {
1724 return false;
1725 }
1726 return NativeLookupPropertyInline<NoGC, LookupResolveMode::CheckMayResolve>(
1727 cx, &obj->as<NativeObject>(), id, objp, propp);
1728 }
1729
1730 bool js::LookupOwnPropertyPure(JSContext* cx, JSObject* obj, jsid id,
1731 PropertyResult* propp) {
1732 if (obj->getOpsLookupProperty()) {
1733 return false;
1734 }
1735 return NativeLookupOwnPropertyInline<NoGC,
1736 LookupResolveMode::CheckMayResolve>(
1737 cx, &obj->as<NativeObject>(), id, propp);
1738 }
1739
1740 static inline bool NativeGetPureInline(NativeObject* pobj, jsid id,
1741 PropertyResult prop, Value* vp,
1742 JSContext* cx) {
1743 if (prop.isDenseElement()) {
1744 *vp = pobj->getDenseElement(prop.denseElementIndex());
1745 return true;
1746 }
1747 if (prop.isTypedArrayElement()) {
1748 size_t idx = prop.typedArrayElementIndex();
1749 return pobj->as<TypedArrayObject>().getElement<NoGC>(cx, idx, vp);
1750 }
1751
1752 // Fail if we have a custom getter.
1753 PropertyInfo propInfo = prop.propertyInfo();
1754 if (!propInfo.isDataProperty()) {
1755 return false;
1756 }
1757
1758 *vp = pobj->getSlot(propInfo.slot());
1759 MOZ_ASSERT(!vp->isMagic());
1760 return true;
1761 }
1762
1763 bool js::GetPropertyPure(JSContext* cx, JSObject* obj, jsid id, Value* vp) {
1764 NativeObject* pobj;
1765 PropertyResult prop;
1766 if (!LookupPropertyPure(cx, obj, id, &pobj, &prop)) {
1767 return false;
1768 }
1769
1770 if (prop.isNotFound()) {
1771 vp->setUndefined();
1772 return true;
1773 }
1774
1775 return NativeGetPureInline(pobj, id, prop, vp, cx);
1776 }
1777
1778 bool js::GetOwnPropertyPure(JSContext* cx, JSObject* obj, jsid id, Value* vp,
1779 bool* found) {
1780 PropertyResult prop;
1781 if (!LookupOwnPropertyPure(cx, obj, id, &prop)) {
1782 return false;
1783 }
1784
1785 if (prop.isNotFound()) {
1786 *found = false;
1787 vp->setUndefined();
1788 return true;
1789 }
1790
1791 *found = true;
1792 return obj->is<NativeObject>() &&
1793 NativeGetPureInline(&obj->as<NativeObject>(), id, prop, vp, cx);
1794 }
1795
1796 static inline bool NativeGetGetterPureInline(NativeObject* holder,
1797 PropertyResult prop,
1798 JSFunction** fp) {
1799 MOZ_ASSERT(prop.isNativeProperty());
1800
1801 PropertyInfo propInfo = prop.propertyInfo();
1802 if (holder->hasGetter(propInfo)) {
1803 JSObject* getter = holder->getGetter(propInfo);
1804 if (getter->is<JSFunction>()) {
1805 *fp = &getter->as<JSFunction>();
1806 return true;
1807 }
1808 }
1809
1810 *fp = nullptr;
1811 return true;
1812 }
1813
1814 bool js::GetGetterPure(JSContext* cx, JSObject* obj, jsid id, JSFunction** fp) {
1815 /* Just like GetPropertyPure, but get getter function, without invoking
1816 * it. */
1817 NativeObject* pobj;
1818 PropertyResult prop;
1819 if (!LookupPropertyPure(cx, obj, id, &pobj, &prop)) {
1820 return false;
1821 }
1822
1823 if (prop.isNotFound()) {
1824 *fp = nullptr;
1825 return true;
1826 }
1827
1828 return prop.isNativeProperty() && NativeGetGetterPureInline(pobj, prop, fp);
1829 }
1830
1831 bool js::GetOwnGetterPure(JSContext* cx, JSObject* obj, jsid id,
1832 JSFunction** fp) {
1833 JS::AutoCheckCannotGC nogc;
1834 PropertyResult prop;
1835 if (!LookupOwnPropertyPure(cx, obj, id, &prop)) {
1836 return false;
1837 }
1838
1839 if (prop.isNotFound()) {
1840 *fp = nullptr;
1841 return true;
1842 }
1843
1844 return prop.isNativeProperty() &&
1845 NativeGetGetterPureInline(&obj->as<NativeObject>(), prop, fp);
1846 }
1847
1848 bool js::GetOwnNativeGetterPure(JSContext* cx, JSObject* obj, jsid id,
1849 JSNative* native) {
1850 JS::AutoCheckCannotGC nogc;
1851 *native = nullptr;
1852 PropertyResult prop;
1853 if (!LookupOwnPropertyPure(cx, obj, id, &prop)) {
1854 return false;
1855 }
1856
1857 if (!prop.isNativeProperty()) {
1858 return true;
1859 }
1860
1861 PropertyInfo propInfo = prop.propertyInfo();
1862
1863 NativeObject* nobj = &obj->as<NativeObject>();
1864 if (!nobj->hasGetter(propInfo)) {
1865 return true;
1866 }
1867
1868 JSObject* getterObj = nobj->getGetter(propInfo);
1869 if (!getterObj->is<JSFunction>()) {
1870 return true;
1871 }
1872
1873 JSFunction* getter = &getterObj->as<JSFunction>();
1874 if (!getter->isNativeFun()) {
1875 return true;
1876 }
1877
1878 *native = getter->native();
1879 return true;
1880 }
1881
1882 bool js::HasOwnDataPropertyPure(JSContext* cx, JSObject* obj, jsid id,
1883 bool* result) {
1884 PropertyResult prop;
1885 if (!LookupOwnPropertyPure(cx, obj, id, &prop)) {
1886 return false;
1887 }
1888
1889 *result = prop.isNativeProperty() && prop.propertyInfo().isDataProperty();
1890 return true;
1891 }
1892
1893 bool js::GetPrototypeIfOrdinary(JSContext* cx, HandleObject obj,
1894 bool* isOrdinary, MutableHandleObject protop) {
1895 if (obj->is<js::ProxyObject>()) {
1896 return js::Proxy::getPrototypeIfOrdinary(cx, obj, isOrdinary, protop);
1897 }
1898
1899 *isOrdinary = true;
1900 protop.set(obj->staticPrototype());
1901 return true;
1902 }
1903
1904 /*** ES6 standard internal methods ******************************************/
1905
1906 bool js::SetPrototype(JSContext* cx, HandleObject obj, HandleObject proto,
1907 JS::ObjectOpResult& result) {
1908 // The proxy trap subsystem fully handles prototype-setting for proxies
1909 // with dynamic [[Prototype]]s.
1910 if (obj->hasDynamicPrototype()) {
1911 MOZ_ASSERT(obj->is<ProxyObject>());
1912 return Proxy::setPrototype(cx, obj, proto, result);
1913 }
1914
1915 /*
1916 * ES6 9.1.2 step 3-4 if |obj.[[Prototype]]| has SameValue as |proto| return
1917 * true. Since the values in question are objects, we can just compare
1918 * pointers.
1919 */
1920 if (proto == obj->staticPrototype()) {
1921 return result.succeed();
1922 }
1923
1924 /* Disallow mutation of immutable [[Prototype]]s. */
1925 if (obj->staticPrototypeIsImmutable()) {
1926 return result.fail(JSMSG_CANT_SET_PROTO);
1927 }
1928
1929 /*
1930 * Disallow mutating the [[Prototype]] on WebAssembly GC objects.
1931 */
1932 if (obj->is<WasmGcObject>()) {
1933 return result.fail(JSMSG_CANT_SET_PROTO);
1934 }
1935
1936 /* ES6 9.1.2 step 5 forbids changing [[Prototype]] if not [[Extensible]]. */
1937 bool extensible;
1938 if (!IsExtensible(cx, obj, &extensible)) {
1939 return false;
1940 }
1941 if (!extensible) {
1942 return result.fail(JSMSG_CANT_SET_PROTO);
1943 }
1944
1945 /*
1946 * ES6 9.1.2 step 6 forbids generating cyclical prototype chains. But we
1947 * have to do this comparison on the observable WindowProxy, not on the
1948 * possibly-Window object we're setting the proto on.
1949 */
1950 RootedObject objMaybeWindowProxy(cx, ToWindowProxyIfWindow(obj));
1951 RootedObject obj2(cx, proto);
1952 while (obj2) {
1953 MOZ_ASSERT(!IsWindow(obj2));
1954 if (obj2 == objMaybeWindowProxy) {
1955 return result.fail(JSMSG_CANT_SET_PROTO_CYCLE);
1956 }
1957
1958 bool isOrdinary;
1959 if (!GetPrototypeIfOrdinary(cx, obj2, &isOrdinary, &obj2)) {
1960 return false;
1961 }
1962 if (!isOrdinary) {
1963 break;
1964 }
1965 }
1966
1967 Rooted<TaggedProto> taggedProto(cx, TaggedProto(proto));
1968 if (!JSObject::setProtoUnchecked(cx, obj, taggedProto)) {
1969 return false;
1970 }
1971
1972 return result.succeed();
1973 }
1974
1975 bool js::SetPrototype(JSContext* cx, HandleObject obj, HandleObject proto) {
1976 ObjectOpResult result;
1977 return SetPrototype(cx, obj, proto, result) && result.checkStrict(cx, obj);
1978 }
1979
1980 bool js::PreventExtensions(JSContext* cx, HandleObject obj,
1981 ObjectOpResult& result) {
1982 if (obj->is<ProxyObject>()) {
1983 return js::Proxy::preventExtensions(cx, obj, result);
1984 }
1985
1986 if (obj->is<WasmGcObject>()) {
1987 return result.failCantPreventExtensions();
1988 }
1989
1990 if (!obj->nonProxyIsExtensible()) {
1991 // If the following assertion fails, there's somewhere else a missing
1992 // call to shrinkCapacityToInitializedLength() which needs to be found
1993 // and fixed.
1994 MOZ_ASSERT_IF(obj->is<NativeObject>(),
1995 obj->as<NativeObject>().getDenseInitializedLength() ==
1996 obj->as<NativeObject>().getDenseCapacity());
1997
1998 return result.succeed();
1999 }
2000
2001 if (obj->is<NativeObject>()) {
2002 // Force lazy properties to be resolved.
2003 Handle<NativeObject*> nobj = obj.as<NativeObject>();
2004 if (!ResolveLazyProperties(cx, nobj)) {
2005 return false;
2006 }
2007
2008 // Prepare the elements. We have to do this before we mark the object
2009 // non-extensible; that's fine because these changes are not observable.
2010 ObjectElements::PrepareForPreventExtensions(cx, nobj);
2011 }
2012
2013 // Finally, set the NotExtensible flag on the Shape and ObjectElements.
2014 if (!JSObject::setFlag(cx, obj, ObjectFlag::NotExtensible)) {
2015 return false;
2016 }
2017 if (obj->is<NativeObject>()) {
2018 ObjectElements::PreventExtensions(&obj->as<NativeObject>());
2019 }
2020
2021 return result.succeed();
2022 }
2023
2024 bool js::PreventExtensions(JSContext* cx, HandleObject obj) {
2025 ObjectOpResult result;
2026 return PreventExtensions(cx, obj, result) && result.checkStrict(cx, obj);
2027 }
2028
2029 bool js::GetOwnPropertyDescriptor(
2030 JSContext* cx, HandleObject obj, HandleId id,
2031 MutableHandle<Maybe<PropertyDescriptor>> desc) {
2032 if (GetOwnPropertyOp op = obj->getOpsGetOwnPropertyDescriptor()) {
2033 bool ok = op(cx, obj, id, desc);
2034 if (ok && desc.isSome()) {
2035 desc->assertComplete();
2036 }
2037 return ok;
2038 }
2039
2040 return NativeGetOwnPropertyDescriptor(cx, obj.as<NativeObject>(), id, desc);
2041 }
2042
2043 bool js::DefineProperty(JSContext* cx, HandleObject obj, HandleId id,
2044 Handle<PropertyDescriptor> desc) {
2045 ObjectOpResult result;
2046 return DefineProperty(cx, obj, id, desc, result) &&
2047 result.checkStrict(cx, obj, id);
2048 }
2049
2050 bool js::DefineProperty(JSContext* cx, HandleObject obj, HandleId id,
2051 Handle<PropertyDescriptor> desc,
2052 ObjectOpResult& result) {
2053 desc.assertValid();
2054 if (DefinePropertyOp op = obj->getOpsDefineProperty()) {
2055 return op(cx, obj, id, desc, result);
2056 }
2057 return NativeDefineProperty(cx, obj.as<NativeObject>(), id, desc, result);
2058 }
2059
2060 bool js::DefineAccessorProperty(JSContext* cx, HandleObject obj, HandleId id,
2061 HandleObject getter, HandleObject setter,
2062 unsigned attrs, ObjectOpResult& result) {
2063 Rooted<PropertyDescriptor> desc(
2064 cx, PropertyDescriptor::Accessor(
2065 getter ? mozilla::Some(getter) : mozilla::Nothing(),
2066 setter ? mozilla::Some(setter) : mozilla::Nothing(), attrs));
2067
2068 if (DefinePropertyOp op = obj->getOpsDefineProperty()) {
2069 return op(cx, obj, id, desc, result);
2070 }
2071 return NativeDefineProperty(cx, obj.as<NativeObject>(), id, desc, result);
2072 }
2073
2074 bool js::DefineDataProperty(JSContext* cx, HandleObject obj, HandleId id,
2075 HandleValue value, unsigned attrs,
2076 ObjectOpResult& result) {
2077 Rooted<PropertyDescriptor> desc(cx, PropertyDescriptor::Data(value, attrs));
2078 if (DefinePropertyOp op = obj->getOpsDefineProperty()) {
2079 return op(cx, obj, id, desc, result);
2080 }
2081 return NativeDefineProperty(cx, obj.as<NativeObject>(), id, desc, result);
2082 }
2083
2084 bool js::DefineAccessorProperty(JSContext* cx, HandleObject obj, HandleId id,
2085 HandleObject getter, HandleObject setter,
2086 unsigned attrs) {
2087 ObjectOpResult result;
2088 if (!DefineAccessorProperty(cx, obj, id, getter, setter, attrs, result)) {
2089 return false;
2090 }
2091 if (!result) {
2092 result.reportError(cx, obj, id);
2093 return false;
2094 }
2095 return true;
2096 }
2097
2098 bool js::DefineDataProperty(JSContext* cx, HandleObject obj, HandleId id,
2099 HandleValue value, unsigned attrs) {
2100 ObjectOpResult result;
2101 if (!DefineDataProperty(cx, obj, id, value, attrs, result)) {
2102 return false;
2103 }
2104 if (!result) {
2105 result.reportError(cx, obj, id);
2106 return false;
2107 }
2108 return true;
2109 }
2110
2111 bool js::DefineDataProperty(JSContext* cx, HandleObject obj, PropertyName* name,
2112 HandleValue value, unsigned attrs) {
2113 RootedId id(cx, NameToId(name));
2114 return DefineDataProperty(cx, obj, id, value, attrs);
2115 }
2116
2117 bool js::DefineDataElement(JSContext* cx, HandleObject obj, uint32_t index,
2118 HandleValue value, unsigned attrs) {
2119 RootedId id(cx);
2120 if (!IndexToId(cx, index, &id)) {
2121 return false;
2122 }
2123 return DefineDataProperty(cx, obj, id, value, attrs);
2124 }
2125
2126 /*** SpiderMonkey nonstandard internal methods ******************************/
2127
2128 // Mark an object as having an immutable prototype
2129 //
2130 // NOTE: This does not correspond to the SetImmutablePrototype ECMAScript
2131 // method.
2132 bool js::SetImmutablePrototype(JSContext* cx, HandleObject obj,
2133 bool* succeeded) {
2134 if (obj->hasDynamicPrototype()) {
2135 return Proxy::setImmutablePrototype(cx, obj, succeeded);
2136 }
2137
2138 if (!JSObject::setFlag(cx, obj, ObjectFlag::ImmutablePrototype)) {
2139 return false;
2140 }
2141 *succeeded = true;
2142 return true;
2143 }
2144
2145 bool js::GetPropertyDescriptor(
2146 JSContext* cx, HandleObject obj, HandleId id,
2147 MutableHandle<mozilla::Maybe<PropertyDescriptor>> desc,
2148 MutableHandleObject holder) {
2149 RootedObject pobj(cx);
2150 for (pobj = obj; pobj;) {
2151 if (!GetOwnPropertyDescriptor(cx, pobj, id, desc)) {
2152 return false;
2153 }
2154
2155 if (desc.isSome()) {
2156 holder.set(pobj);
2157 return true;
2158 }
2159
2160 if (!GetPrototype(cx, pobj, &pobj)) {
2161 return false;
2162 }
2163 }
2164
2165 MOZ_ASSERT(desc.isNothing());
2166 holder.set(nullptr);
2167 return true;
2168 }
2169
2170 /* * */
2171
2172 extern bool PropertySpecNameToId(JSContext* cx, JSPropertySpec::Name name,
2173 MutableHandleId id);
2174
2175 // If a property or method is part of an experimental feature that can be
2176 // disabled at run-time by a preference, we keep it in the JSFunctionSpec /
2177 // JSPropertySpec list, but omit the definition if the preference is off.
2178 JS_PUBLIC_API bool js::ShouldIgnorePropertyDefinition(JSContext* cx,
2179 JSProtoKey key, jsid id) {
2180 if (!cx->realm()->creationOptions().getToSourceEnabled() &&
2181 (id == NameToId(cx->names().toSource) ||
2182 id == NameToId(cx->names().uneval))) {
2183 return true;
2184 }
2185
2186 if (key == JSProto_FinalizationRegistry &&
2187 cx->realm()->creationOptions().getWeakRefsEnabled() ==
2188 JS::WeakRefSpecifier::EnabledWithoutCleanupSome &&
2189 id == NameToId(cx->names().cleanupSome)) {
2190 return true;
2191 }
2192
2193 // It's gently surprising that this is JSProto_Function, but the trick
2194 // to realize is that this is a -constructor function-, not a function
2195 // on the prototype; and the proto of the constructor is JSProto_Function.
2196 if (key == JSProto_Function &&
2197 !cx->realm()->creationOptions().getArrayGroupingEnabled() &&
2198 (id == NameToId(cx->names().groupBy))) {
2199 return true;
2200 }
2201
2202 #ifdef NIGHTLY_BUILD
2203 if (key == JSProto_Set &&
2204 !cx->realm()->creationOptions().getNewSetMethodsEnabled() &&
2205 (id == NameToId(cx->names().union_) ||
2206 id == NameToId(cx->names().difference) ||
2207 id == NameToId(cx->names().intersection) ||
2208 id == NameToId(cx->names().isSubsetOf) ||
2209 id == NameToId(cx->names().isSupersetOf) ||
2210 id == NameToId(cx->names().isDisjointFrom) ||
2211 id == NameToId(cx->names().symmetricDifference))) {
2212 return true;
2213 }
2214 #endif
2215
2216 #ifdef NIGHTLY_BUILD
2217 if (key == JSProto_ArrayBuffer &&
2218 !cx->realm()->creationOptions().getArrayBufferTransferEnabled() &&
2219 (id == NameToId(cx->names().transfer) ||
2220 id == NameToId(cx->names().transferToFixedLength) ||
2221 id == NameToId(cx->names().detached))) {
2222 return true;
2223 }
2224
2225 if (key == JSProto_ArrayBuffer &&
2226 !cx->realm()->creationOptions().getArrayBufferResizableEnabled() &&
2227 (id == NameToId(cx->names().maxByteLength) ||
2228 id == NameToId(cx->names().resizable) ||
2229 id == NameToId(cx->names().resize))) {
2230 return true;
2231 }
2232
2233 if (key == JSProto_SharedArrayBuffer &&
2234 !cx->realm()->creationOptions().getSharedArrayBufferGrowableEnabled() &&
2235 (id == NameToId(cx->names().maxByteLength) ||
2236 id == NameToId(cx->names().growable) ||
2237 id == NameToId(cx->names().grow))) {
2238 return true;
2239 }
2240 #endif
2241
2242 return false;
2243 }
2244
2245 static bool DefineFunctionFromSpec(JSContext* cx, HandleObject obj,
2246 const JSFunctionSpec* fs) {
2247 RootedId id(cx);
2248 if (!PropertySpecNameToId(cx, fs->name, &id)) {
2249 return false;
2250 }
2251
2252 if (ShouldIgnorePropertyDefinition(cx, StandardProtoKeyOrNull(obj), id)) {
2253 return true;
2254 }
2255
2256 JSFunction* fun = NewFunctionFromSpec(cx, fs, id);
2257 if (!fun) {
2258 return false;
2259 }
2260
2261 RootedValue funVal(cx, ObjectValue(*fun));
2262 return DefineDataProperty(cx, obj, id, funVal, fs->flags & ~JSFUN_FLAGS_MASK);
2263 }
2264
2265 bool js::DefineFunctions(JSContext* cx, HandleObject obj,
2266 const JSFunctionSpec* fs) {
2267 for (; fs->name; fs++) {
2268 if (!DefineFunctionFromSpec(cx, obj, fs)) {
2269 return false;
2270 }
2271 }
2272 return true;
2273 }
2274
2275 /*** ToPrimitive ************************************************************/
2276
2277 /*
2278 * Gets |obj[id]|. If that value's not callable, returns true and stores an
2279 * object value in *vp. If it's callable, calls it with no arguments and |obj|
2280 * as |this|, returning the result in *vp.
2281 *
2282 * This is a mini-abstraction for ES6 draft rev 36 (2015 Mar 17),
2283 * 7.1.1, second algorithm (OrdinaryToPrimitive), steps 5.a-c.
2284 */
2285 static bool MaybeCallMethod(JSContext* cx, HandleObject obj, HandleId id,
2286 MutableHandleValue vp) {
2287 if (!GetProperty(cx, obj, obj, id, vp)) {
2288 return false;
2289 }
2290 if (!IsCallable(vp)) {
2291 vp.setObject(*obj);
2292 return true;
2293 }
2294
2295 return js::Call(cx, vp, obj, vp);
2296 }
2297
2298 static bool ReportCantConvert(JSContext* cx, unsigned errorNumber,
2299 HandleObject obj, JSType hint) {
2300 const JSClass* clasp = obj->getClass();
2301
2302 // Avoid recursive death when decompiling in ReportValueError.
2303 RootedString str(cx);
2304 if (hint == JSTYPE_STRING) {
2305 str = JS_AtomizeString(cx, clasp->name);
2306 if (!str) {
2307 return false;
2308 }
2309 } else {
2310 str = nullptr;
2311 }
2312
2313 RootedValue val(cx, ObjectValue(*obj));
2314 ReportValueError(cx, errorNumber, JSDVG_SEARCH_STACK, val, str,
2315 hint == JSTYPE_UNDEFINED ? "primitive type"
2316 : hint == JSTYPE_STRING ? "string"
2317 : "number");
2318 return false;
2319 }
2320
2321 bool JS::OrdinaryToPrimitive(JSContext* cx, HandleObject obj, JSType hint,
2322 MutableHandleValue vp) {
2323 MOZ_ASSERT(hint == JSTYPE_NUMBER || hint == JSTYPE_STRING ||
2324 hint == JSTYPE_UNDEFINED);
2325
2326 Rooted<jsid> id(cx);
2327
2328 const JSClass* clasp = obj->getClass();
2329 if (hint == JSTYPE_STRING) {
2330 id = NameToId(cx->names().toString);
2331
2332 bool calledToString = false;
2333 if (clasp == &StringObject::class_) {
2334 // Optimize (new String(...)).toString().
2335 StringObject* nobj = &obj->as<StringObject>();
2336 if (HasNativeMethodPure(nobj, cx->names().toString, str_toString, cx)) {
2337 vp.setString(nobj->unbox());
2338 return true;
2339 }
2340 } else if (clasp == &PlainObject::class_) {
2341 JSFunction* fun;
2342 if (GetPropertyPure(cx, obj, id, vp.address()) &&
2343 IsFunctionObject(vp, &fun)) {
2344 // Common case: we have a toString function. Try to short-circuit if
2345 // it's Object.prototype.toString and there's no @@toStringTag.
2346 if (fun->maybeNative() == obj_toString &&
2347 !MaybeHasInterestingSymbolProperty(
2348 cx, obj, cx->wellKnownSymbols().toStringTag)) {
2349 vp.setString(cx->names().object_Object_);
2350 return true;
2351 }
2352 if (!js::Call(cx, vp, obj, vp)) {
2353 return false;
2354 }
2355 calledToString = true;
2356 }
2357 }
2358
2359 if (!calledToString) {
2360 if (!MaybeCallMethod(cx, obj, id, vp)) {
2361 return false;
2362 }
2363 }
2364 if (vp.isPrimitive()) {
2365 return true;
2366 }
2367
2368 id = NameToId(cx->names().valueOf);
2369 if (!MaybeCallMethod(cx, obj, id, vp)) {
2370 return false;
2371 }
2372 if (vp.isPrimitive()) {
2373 return true;
2374 }
2375 } else {
2376 id = NameToId(cx->names().valueOf);
2377
2378 if (clasp == &StringObject::class_) {
2379 // Optimize new String(...).valueOf().
2380 StringObject* nobj = &obj->as<StringObject>();
2381 if (HasNativeMethodPure(nobj, cx->names().valueOf, str_toString, cx)) {
2382 vp.setString(nobj->unbox());
2383 return true;
2384 }
2385 } else if (clasp == &NumberObject::class_) {
2386 // Optimize new Number(...).valueOf().
2387 NumberObject* nobj = &obj->as<NumberObject>();
2388 if (HasNativeMethodPure(nobj, cx->names().valueOf, num_valueOf, cx)) {
2389 vp.setNumber(nobj->unbox());
2390 return true;
2391 }
2392 }
2393
2394 if (!MaybeCallMethod(cx, obj, id, vp)) {
2395 return false;
2396 }
2397 if (vp.isPrimitive()) {
2398 return true;
2399 }
2400
2401 id = NameToId(cx->names().toString);
2402 if (!MaybeCallMethod(cx, obj, id, vp)) {
2403 return false;
2404 }
2405 if (vp.isPrimitive()) {
2406 return true;
2407 }
2408 }
2409
2410 return ReportCantConvert(cx, JSMSG_CANT_CONVERT_TO, obj, hint);
2411 }
2412
2413 bool js::ToPrimitiveSlow(JSContext* cx, JSType preferredType,
2414 MutableHandleValue vp) {
2415 // Step numbers refer to the first algorithm listed in ES6 draft rev 36
2416 // (2015 Mar 17) 7.1.1 ToPrimitive.
2417 MOZ_ASSERT(preferredType == JSTYPE_UNDEFINED ||
2418 preferredType == JSTYPE_STRING || preferredType == JSTYPE_NUMBER);
2419 RootedObject obj(cx, &vp.toObject());
2420
2421 // Steps 4-5.
2422 RootedValue method(cx);
2423 if (!GetInterestingSymbolProperty(cx, obj, cx->wellKnownSymbols().toPrimitive,
2424 &method)) {
2425 return false;
2426 }
2427
2428 // Step 6.
2429 if (!method.isNullOrUndefined()) {
2430 // Step 6 of GetMethod. js::Call() below would do this check and throw a
2431 // TypeError anyway, but this produces a better error message.
2432 if (!IsCallable(method)) {
2433 return ReportCantConvert(cx, JSMSG_TOPRIMITIVE_NOT_CALLABLE, obj,
2434 preferredType);
2435 }
2436
2437 // Steps 1-3, 6.a-b.
2438 RootedValue arg0(
2439 cx,
2440 StringValue(preferredType == JSTYPE_STRING ? cx->names().string
2441 : preferredType == JSTYPE_NUMBER ? cx->names().number
2442 : cx->names().default_));
2443
2444 if (!js::Call(cx, method, vp, arg0, vp)) {
2445 return false;
2446 }
2447
2448 // Steps 6.c-d.
2449 if (vp.isObject()) {
2450 return ReportCantConvert(cx, JSMSG_TOPRIMITIVE_RETURNED_OBJECT, obj,
2451 preferredType);
2452 }
2453 return true;
2454 }
2455
2456 return OrdinaryToPrimitive(cx, obj, preferredType, vp);
2457 }
2458
2459 /* ES6 draft rev 28 (2014 Oct 14) 7.1.14 */
2460 bool js::ToPropertyKeySlow(JSContext* cx, HandleValue argument,
2461 MutableHandleId result) {
2462 MOZ_ASSERT(argument.isObject());
2463
2464 // Steps 1-2.
2465 RootedValue key(cx, argument);
2466 if (!ToPrimitiveSlow(cx, JSTYPE_STRING, &key)) {
2467 return false;
2468 }
2469
2470 // Steps 3-4.
2471 return PrimitiveValueToId<CanGC>(cx, key, result);
2472 }
2473
2474 /* * */
2475
2476 bool js::IsPrototypeOf(JSContext* cx, HandleObject protoObj, JSObject* obj,
2477 bool* result) {
2478 RootedObject obj2(cx, obj);
2479 for (;;) {
2480 // The [[Prototype]] chain might be cyclic.
2481 if (!CheckForInterrupt(cx)) {
2482 return false;
2483 }
2484 if (!GetPrototype(cx, obj2, &obj2)) {
2485 return false;
2486 }
2487 if (!obj2) {
2488 *result = false;
2489 return true;
2490 }
2491 if (obj2 == protoObj) {
2492 *result = true;
2493 return true;
2494 }
2495 }
2496 }
2497
2498 JSObject* js::PrimitiveToObject(JSContext* cx, const Value& v) {
2499 MOZ_ASSERT(v.isPrimitive());
2500
2501 switch (v.type()) {
2502 case ValueType::String: {
2503 Rooted<JSString*> str(cx, v.toString());
2504 return StringObject::create(cx, str);
2505 }
2506 case ValueType::Double:
2507 case ValueType::Int32:
2508 return NumberObject::create(cx, v.toNumber());
2509 case ValueType::Boolean:
2510 return BooleanObject::create(cx, v.toBoolean());
2511 case ValueType::Symbol: {
2512 RootedSymbol symbol(cx, v.toSymbol());
2513 return SymbolObject::create(cx, symbol);
2514 }
2515 case ValueType::BigInt: {
2516 RootedBigInt bigInt(cx, v.toBigInt());
2517 return BigIntObject::create(cx, bigInt);
2518 }
2519 #ifdef ENABLE_RECORD_TUPLE
2520 case ValueType::ExtendedPrimitive: {
2521 JSObject& obj = v.toExtendedPrimitive();
2522
2523 if (obj.is<RecordType>()) {
2524 Rooted<RecordType*> rec(cx, &obj.as<RecordType>());
2525 return RecordObject::create(cx, rec);
2526 }
2527 if (obj.is<TupleType>()) {
2528 Rooted<TupleType*> tuple(cx, &obj.as<TupleType>());
2529 return TupleObject::create(cx, tuple);
2530 }
2531
2532 MOZ_CRASH("Unexpected ExtendedPrimitive type.");
2533 }
2534 #endif
2535 case ValueType::Undefined:
2536 case ValueType::Null:
2537 case ValueType::Magic:
2538 case ValueType::PrivateGCThing:
2539 case ValueType::Object:
2540 break;
2541 }
2542
2543 MOZ_CRASH("unexpected type");
2544 }
2545
2546 // Like PrimitiveToObject, but returns the JSProtoKey of the prototype that
2547 // would be used without actually creating the object.
2548 JSProtoKey js::PrimitiveToProtoKey(JSContext* cx, const Value& v) {
2549 MOZ_ASSERT(v.isPrimitive());
2550
2551 switch (v.type()) {
2552 case ValueType::String:
2553 return JSProto_String;
2554 case ValueType::Double:
2555 case ValueType::Int32:
2556 return JSProto_Number;
2557 case ValueType::Boolean:
2558 return JSProto_Boolean;
2559 case ValueType::Symbol:
2560 return JSProto_Symbol;
2561 case ValueType::BigInt:
2562 return JSProto_BigInt;
2563 #ifdef ENABLE_RECORD_TUPLE
2564 case ValueType::ExtendedPrimitive:
2565 if (v.toExtendedPrimitive().is<TupleType>()) {
2566 return JSProto_Tuple;
2567 }
2568 if (v.toExtendedPrimitive().is<RecordType>()) {
2569 return JSProto_Null;
2570 }
2571 MOZ_CRASH("Unsupported ExtendedPrimitive");
2572 #endif
2573 case ValueType::Undefined:
2574 case ValueType::Null:
2575 case ValueType::Magic:
2576 case ValueType::PrivateGCThing:
2577 case ValueType::Object:
2578 break;
2579 }
2580
2581 MOZ_CRASH("unexpected type");
2582 }
2583
2584 /*
2585 * Invokes the ES5 ToObject algorithm on vp, returning the result. If vp might
2586 * already be an object, use ToObject. reportScanStack controls how null and
2587 * undefined errors are reported.
2588 *
2589 * Callers must handle the already-object case.
2590 */
2591 JSObject* js::ToObjectSlow(JSContext* cx, JS::HandleValue val,
2592 bool reportScanStack) {
2593 MOZ_ASSERT(!val.isMagic());
2594 MOZ_ASSERT(!val.isObject());
2595
2596 if (val.isNullOrUndefined()) {
2597 ReportIsNullOrUndefinedForPropertyAccess(
2598 cx, val, reportScanStack ? JSDVG_SEARCH_STACK : JSDVG_IGNORE_STACK);
2599 return nullptr;
2600 }
2601
2602 return PrimitiveToObject(cx, val);
2603 }
2604
2605 JSObject* js::ToObjectSlowForPropertyAccess(JSContext* cx, JS::HandleValue val,
2606 int valIndex, HandleId key) {
2607 MOZ_ASSERT(!val.isMagic());
2608 MOZ_ASSERT(!val.isObject());
2609
2610 if (val.isNullOrUndefined()) {
2611 ReportIsNullOrUndefinedForPropertyAccess(cx, val, valIndex, key);
2612 return nullptr;
2613 }
2614
2615 return PrimitiveToObject(cx, val);
2616 }
2617
2618 JSObject* js::ToObjectSlowForPropertyAccess(JSContext* cx, JS::HandleValue val,
2619 int valIndex,
2620 Handle<PropertyName*> key) {
2621 MOZ_ASSERT(!val.isMagic());
2622 MOZ_ASSERT(!val.isObject());
2623
2624 if (val.isNullOrUndefined()) {
2625 RootedId keyId(cx, NameToId(key));
2626 ReportIsNullOrUndefinedForPropertyAccess(cx, val, valIndex, keyId);
2627 return nullptr;
2628 }
2629
2630 return PrimitiveToObject(cx, val);
2631 }
2632
2633 JSObject* js::ToObjectSlowForPropertyAccess(JSContext* cx, JS::HandleValue val,
2634 int valIndex,
2635 HandleValue keyValue) {
2636 MOZ_ASSERT(!val.isMagic());
2637 MOZ_ASSERT(!val.isObject());
2638
2639 if (val.isNullOrUndefined()) {
2640 RootedId key(cx);
2641 if (keyValue.isPrimitive()) {
2642 if (!PrimitiveValueToId<CanGC>(cx, keyValue, &key)) {
2643 return nullptr;
2644 }
2645 ReportIsNullOrUndefinedForPropertyAccess(cx, val, valIndex, key);
2646 } else {
2647 ReportIsNullOrUndefinedForPropertyAccess(cx, val, valIndex);
2648 }
2649 return nullptr;
2650 }
2651
2652 return PrimitiveToObject(cx, val);
2653 }
2654
2655 JSObject* js::GetThisObject(JSObject* obj) {
2656 // Use the WindowProxy if the global is a Window, as Window must never be
2657 // exposed to script.
2658 if (obj->is<GlobalObject>()) {
2659 return ToWindowProxyIfWindow(obj);
2660 }
2661
2662 // We should not expose any environments except NSVOs to script. The NSVO is
2663 // pretending to be the global object in this case.
2664 MOZ_ASSERT(obj->is<NonSyntacticVariablesObject>() ||
2665 !obj->is<EnvironmentObject>());
2666
2667 return obj;
2668 }
2669
2670 JSObject* js::GetThisObjectOfLexical(JSObject* env) {
2671 return env->as<ExtensibleLexicalEnvironmentObject>().thisObject();
2672 }
2673
2674 JSObject* js::GetThisObjectOfWith(JSObject* env) {
2675 MOZ_ASSERT(env->is<WithEnvironmentObject>());
2676 return GetThisObject(env->as<WithEnvironmentObject>().withThis());
2677 }
2678
2679 class GetObjectSlotNameFunctor : public JS::TracingContext::Functor {
2680 JSObject* obj;
2681
2682 public:
2683 explicit GetObjectSlotNameFunctor(JSObject* ctx) : obj(ctx) {}
2684 virtual void operator()(JS::TracingContext* trc, char* buf,
2685 size_t bufsize) override;
2686 };
2687
2688 void GetObjectSlotNameFunctor::operator()(JS::TracingContext* tcx, char* buf,
2689 size_t bufsize) {
2690 MOZ_ASSERT(tcx->index() != JS::TracingContext::InvalidIndex);
2691
2692 uint32_t slot = uint32_t(tcx->index());
2693
2694 Maybe<PropertyKey> key;
2695 if (obj->is<NativeObject>()) {
2696 NativeShape* shape = obj->as<NativeObject>().shape();
2697 for (ShapePropertyIter<NoGC> iter(shape); !iter.done(); iter++) {
2698 if (iter->hasSlot() && iter->slot() == slot) {
2699 key.emplace(iter->key());
2700 break;
2701 }
2702 }
2703 }
2704
2705 if (key.isNothing()) {
2706 do {
2707 const char* slotname = nullptr;
2708 const char* pattern = nullptr;
2709 if (obj->is<GlobalObject>()) {
2710 pattern = "CLASS_OBJECT(%s)";
2711 if (false) {
2712 ;
2713 }
2714 #define TEST_SLOT_MATCHES_PROTOTYPE(name, clasp) \
2715 else if ((JSProto_##name) == slot) { \
2716 slotname = #name; \
2717 }
2718 JS_FOR_EACH_PROTOTYPE(TEST_SLOT_MATCHES_PROTOTYPE)
2719 #undef TEST_SLOT_MATCHES_PROTOTYPE
2720 } else {
2721 pattern = "%s";
2722 if (obj->is<EnvironmentObject>()) {
2723 if (slot == EnvironmentObject::enclosingEnvironmentSlot()) {
2724 slotname = "enclosing_environment";
2725 } else if (obj->is<CallObject>()) {
2726 if (slot == CallObject::calleeSlot()) {
2727 slotname = "callee_slot";
2728 }
2729 } else if (obj->is<WithEnvironmentObject>()) {
2730 if (slot == WithEnvironmentObject::objectSlot()) {
2731 slotname = "with_object";
2732 } else if (slot == WithEnvironmentObject::thisSlot()) {
2733 slotname = "with_this";
2734 }
2735 }
2736 }
2737 }
2738
2739 if (slotname) {
2740 snprintf(buf, bufsize, pattern, slotname);
2741 } else {
2742 snprintf(buf, bufsize, "**UNKNOWN SLOT %" PRIu32 "**", slot);
2743 }
2744 } while (false);
2745 } else {
2746 if (key->isInt()) {
2747 snprintf(buf, bufsize, "%" PRId32, key->toInt());
2748 } else if (key->isAtom()) {
2749 PutEscapedString(buf, bufsize, key->toAtom(), 0);
2750 } else if (key->isSymbol()) {
2751 snprintf(buf, bufsize, "**SYMBOL KEY**");
2752 } else {
2753 snprintf(buf, bufsize, "**FINALIZED ATOM KEY**");
2754 }
2755 }
2756 }
2757
2758 /*** Debugging routines *****************************************************/
2759
2760 #if defined(DEBUG) || defined(JS_JITSPEW)
2761
2762 /*
2763 * Routines to print out values during debugging. These are FRIEND_API to help
2764 * the debugger find them and to support temporarily hacking js::Dump* calls
2765 * into other code.
2766 */
2767
2768 static void dumpValue(const Value& v, js::GenericPrinter& out) {
2769 switch (v.type()) {
2770 case ValueType::Null:
2771 out.put("null");
2772 break;
2773 case ValueType::Undefined:
2774 out.put("undefined");
2775 break;
2776 case ValueType::Int32:
2777 out.printf("%d", v.toInt32());
2778 break;
2779 case ValueType::Double:
2780 out.printf("%g", v.toDouble());
2781 break;
2782 case ValueType::String:
2783 v.toString()->dumpNoNewline(out);
2784 break;
2785 case ValueType::Symbol:
2786 v.toSymbol()->dump(out);
2787 break;
2788 case ValueType::BigInt:
2789 v.toBigInt()->dump(out);
2790 break;
2791 case ValueType::Object:
2792 if (v.toObject().is<JSFunction>()) {
2793 JSFunction* fun = &v.toObject().as<JSFunction>();
2794 if (fun->maybePartialDisplayAtom()) {
2795 out.put("<function ");
2796 EscapedStringPrinter(out, fun->maybePartialDisplayAtom(), 0);
2797 } else {
2798 out.put("<unnamed function");
2799 }
2800 if (fun->hasBaseScript()) {
2801 BaseScript* script = fun->baseScript();
2802 out.printf(" (%s:%u)", script->filename() ? script->filename() : "",
2803 script->lineno());
2804 }
2805 out.printf(" at %p>", (void*)fun);
2806 } else {
2807 JSObject* obj = &v.toObject();
2808 const JSClass* clasp = obj->getClass();
2809 out.printf("<%s%s at %p>", clasp->name,
2810 (clasp == &PlainObject::class_) ? "" : " object",
2811 (void*)obj);
2812 }
2813 break;
2814 # ifdef ENABLE_RECORD_TUPLE
2815 case ValueType::ExtendedPrimitive: {
2816 JSObject* obj = &v.toExtendedPrimitive();
2817 out.printf("<%s at %p>", obj->getClass()->name, (void*)obj);
2818 break;
2819 }
2820 # endif
2821 case ValueType::Boolean:
2822 if (v.toBoolean()) {
2823 out.put("true");
2824 } else {
2825 out.put("false");
2826 }
2827 break;
2828 case ValueType::Magic:
2829 out.put("<magic");
2830 switch (v.whyMagic()) {
2831 case JS_ELEMENTS_HOLE:
2832 out.put(" elements hole");
2833 break;
2834 case JS_NO_ITER_VALUE:
2835 out.put(" no iter value");
2836 break;
2837 case JS_GENERATOR_CLOSING:
2838 out.put(" generator closing");
2839 break;
2840 case JS_OPTIMIZED_OUT:
2841 out.put(" optimized out");
2842 break;
2843 default:
2844 out.put(" ?!");
2845 break;
2846 }
2847 out.putChar('>');
2848 break;
2849 case ValueType::PrivateGCThing:
2850 out.printf("<PrivateGCThing %p>", v.toGCThing());
2851 break;
2852 }
2853 }
2854
2855 namespace js {
2856
2857 // We don't want jsfriendapi.h to depend on GenericPrinter,
2858 // so these functions are declared directly in the cpp.
2859
2860 JS_PUBLIC_API void DumpValue(const JS::Value& val, js::GenericPrinter& out);
2861
2862 JS_PUBLIC_API void DumpId(jsid id, js::GenericPrinter& out);
2863
2864 JS_PUBLIC_API void DumpInterpreterFrame(JSContext* cx, js::GenericPrinter& out,
2865 InterpreterFrame* start = nullptr);
2866
2867 } // namespace js
2868
2869 JS_PUBLIC_API void js::DumpValue(const Value& val, js::GenericPrinter& out) {
2870 dumpValue(val, out);
2871 out.putChar('\n');
2872 }
2873
2874 JS_PUBLIC_API void js::DumpId(jsid id, js::GenericPrinter& out) {
2875 out.printf("jsid %p = ", (void*)id.asRawBits());
2876 dumpValue(IdToValue(id), out);
2877 out.putChar('\n');
2878 }
2879
2880 static void DumpProperty(const NativeObject* obj, PropMap* map, uint32_t index,
2881 js::GenericPrinter& out) {
2882 PropertyInfoWithKey prop = map->getPropertyInfoWithKey(index);
2883 jsid id = prop.key();
2884 if (id.isAtom()) {
2885 id.toAtom()->dumpCharsNoNewline(out);
2886 } else if (id.isInt()) {
2887 out.printf("%d", id.toInt());
2888 } else if (id.isSymbol()) {
2889 id.toSymbol()->dump(out);
2890 } else {
2891 out.printf("id %p", reinterpret_cast<void*>(id.asRawBits()));
2892 }
2893
2894 if (prop.isDataProperty()) {
2895 out.printf(": ");
2896 dumpValue(obj->getSlot(prop.slot()), out);
2897 } else if (prop.isAccessorProperty()) {
2898 out.printf(": getter %p setter %p", obj->getGetter(prop),
2899 obj->getSetter(prop));
2900 }
2901
2902 out.printf(" (map %p/%u", map, index);
2903
2904 if (prop.enumerable()) {
2905 out.put(" enumerable");
2906 }
2907 if (prop.configurable()) {
2908 out.put(" configurable");
2909 }
2910 if (prop.isDataDescriptor() && prop.writable()) {
2911 out.put(" writable");
2912 }
2913
2914 if (prop.isCustomDataProperty()) {
2915 out.printf(" <custom-data-prop>");
2916 }
2917
2918 if (prop.hasSlot()) {
2919 out.printf(" slot %u", prop.slot());
2920 }
2921
2922 out.printf(")\n");
2923 }
2924
2925 bool JSObject::hasSameRealmAs(JSContext* cx) const {
2926 return nonCCWRealm() == cx->realm();
2927 }
2928
2929 bool JSObject::uninlinedIsProxyObject() const { return is<ProxyObject>(); }
2930
2931 bool JSObject::uninlinedNonProxyIsExtensible() const {
2932 return nonProxyIsExtensible();
2933 }
2934
2935 void JSObject::dump(js::GenericPrinter& out) const {
2936 const JSObject* obj = this;
2937 out.printf("object %p\n", obj);
2938
2939 if (IsCrossCompartmentWrapper(this)) {
2940 out.printf(" compartment %p\n", compartment());
2941 } else {
2942 JSObject* globalObj = &nonCCWGlobal();
2943 out.printf(" global %p [%s]\n", globalObj, globalObj->getClass()->name);
2944 }
2945
2946 const JSClass* clasp = obj->getClass();
2947 out.printf(" class %p %s\n", clasp, clasp->name);
2948
2949 if (IsProxy(obj)) {
2950 auto* handler = GetProxyHandler(obj);
2951 out.printf(" handler %p", handler);
2952 if (IsDeadProxyObject(obj)) {
2953 out.printf(" (DeadObjectProxy)");
2954 } else if (IsCrossCompartmentWrapper(obj)) {
2955 out.printf(" (CCW)");
2956 }
2957 out.putChar('\n');
2958
2959 Value priv = GetProxyPrivate(obj);
2960 if (!priv.isUndefined()) {
2961 out.printf(" private ");
2962 dumpValue(priv, out);
2963 out.putChar('\n');
2964 }
2965
2966 Value expando = GetProxyExpando(obj);
2967 if (!expando.isNull()) {
2968 out.printf(" expando ");
2969 dumpValue(expando, out);
2970 out.putChar('\n');
2971 }
2972 }
2973
2974 const Shape* shape = obj->shape();
2975 out.printf(" shape %p\n", shape);
2976
2977 out.put(" flags:");
2978 if (obj->isUsedAsPrototype()) {
2979 out.put(" used_as_prototype");
2980 }
2981 if (!obj->is<ProxyObject>() && !obj->nonProxyIsExtensible()) {
2982 out.put(" not_extensible");
2983 }
2984 if (obj->maybeHasInterestingSymbolProperty()) {
2985 out.put(" maybe_has_interesting_symbol");
2986 }
2987 if (obj->isQualifiedVarObj()) {
2988 out.put(" varobj");
2989 }
2990 if (obj->isUnqualifiedVarObj()) {
2991 out.put(" unqualified_varobj");
2992 }
2993 if (obj->hasInvalidatedTeleporting()) {
2994 out.put(" invalidated_teleporting");
2995 }
2996 if (obj->hasStaticPrototype() && obj->staticPrototypeIsImmutable()) {
2997 out.put(" immutable_prototype");
2998 }
2999
3000 const NativeObject* nobj =
3001 obj->is<NativeObject>() ? &obj->as<NativeObject>() : nullptr;
3002 if (nobj) {
3003 if (nobj->inDictionaryMode()) {
3004 out.put(" inDictionaryMode");
3005 }
3006 if (nobj->hadGetterSetterChange()) {
3007 out.put(" had_getter_setter_change");
3008 }
3009 if (nobj->isIndexed()) {
3010 out.put(" indexed");
3011 }
3012 if (nobj->hasEnumerableProperty()) {
3013 out.put(" has_enumerable");
3014 }
3015 if (nobj->is<PlainObject>() &&
3016 nobj->as<PlainObject>().hasNonWritableOrAccessorPropExclProto()) {
3017 out.put(" has_non_writable_or_accessor_prop_excl_proto");
3018 }
3019 if (!nobj->denseElementsArePacked()) {
3020 out.put(" non_packed_elements");
3021 }
3022 if (nobj->getElementsHeader()->isNotExtensible()) {
3023 out.put(" not_extensible");
3024 }
3025 if (nobj->getElementsHeader()->isSealed()) {
3026 out.put(" sealed_elements");
3027 }
3028 if (nobj->getElementsHeader()->isFrozen()) {
3029 out.put(" frozen_elements");
3030 }
3031 if (nobj->getElementsHeader()->maybeInIteration()) {
3032 out.put(" elements_maybe_in_iteration");
3033 }
3034 } else {
3035 out.put(" not_native");
3036 }
3037 out.putChar('\n');
3038
3039 out.put(" proto ");
3040 TaggedProto proto = obj->taggedProto();
3041 if (proto.isDynamic()) {
3042 out.put("<dynamic>");
3043 } else {
3044 dumpValue(ObjectOrNullValue(proto.toObjectOrNull()), out);
3045 }
3046 out.putChar('\n');
3047
3048 if (nobj) {
3049 uint32_t reserved = JSCLASS_RESERVED_SLOTS(clasp);
3050 if (reserved) {
3051 out.printf(" reserved slots:\n");
3052 for (uint32_t i = 0; i < reserved; i++) {
3053 out.printf(" %3u ", i);
3054 out.put(": ");
3055 dumpValue(nobj->getSlot(i), out);
3056 out.putChar('\n');
3057 }
3058 }
3059
3060 out.put(" properties:\n");
3061
3062 if (PropMap* map = nobj->shape()->propMap()) {
3063 Vector<PropMap*, 8, SystemAllocPolicy> maps;
3064 while (true) {
3065 if (!maps.append(map)) {
3066 out.printf("(OOM while appending maps)\n");
3067 break;
3068 }
3069 if (!map->hasPrevious()) {
3070 break;
3071 }
3072 map = map->asLinked()->previous();
3073 }
3074
3075 for (size_t i = maps.length(); i > 0; i--) {
3076 size_t index = i - 1;
3077 uint32_t len =
3078 (index == 0) ? nobj->shape()->propMapLength() : PropMap::Capacity;
3079 for (uint32_t j = 0; j < len; j++) {
3080 PropMap* map = maps[index];
3081 if (!map->hasKey(j)) {
3082 MOZ_ASSERT(map->isDictionary());
3083 continue;
3084 }
3085 out.printf(" ");
3086 DumpProperty(nobj, map, j, out);
3087 }
3088 }
3089 }
3090
3091 uint32_t slots = nobj->getDenseInitializedLength();
3092 if (slots) {
3093 out.put(" elements:\n");
3094 for (uint32_t i = 0; i < slots; i++) {
3095 out.printf(" %3u: ", i);
3096 dumpValue(nobj->getDenseElement(i), out);
3097 out.putChar('\n');
3098 }
3099 }
3100 }
3101 }
3102
3103 // For debuggers.
3104 void JSObject::dump() const {
3105 Fprinter out(stderr);
3106 dump(out);
3107 }
3108
3109 static void MaybeDumpScope(Scope* scope, js::GenericPrinter& out) {
3110 if (scope) {
3111 out.printf(" scope: %s\n", ScopeKindString(scope->kind()));
3112 for (BindingIter bi(scope); bi; bi++) {
3113 out.put(" ");
3114 dumpValue(StringValue(bi.name()), out);
3115 out.putChar('\n');
3116 }
3117 }
3118 }
3119
3120 static void MaybeDumpValue(const char* name, const Value& v,
3121 js::GenericPrinter& out) {
3122 if (!v.isNull()) {
3123 out.printf(" %s: ", name);
3124 dumpValue(v, out);
3125 out.putChar('\n');
3126 }
3127 }
3128
3129 JS_PUBLIC_API void js::DumpInterpreterFrame(JSContext* cx,
3130 js::GenericPrinter& out,
3131 InterpreterFrame* start) {
3132 /* This should only called during live debugging. */
3133 ScriptFrameIter i(cx);
3134 if (!start) {
3135 if (i.done()) {
3136 out.printf("no stack for cx = %p\n", (void*)cx);
3137 return;
3138 }
3139 } else {
3140 while (!i.done() && !i.isJSJit() && i.interpFrame() != start) {
3141 ++i;
3142 }
3143
3144 if (i.done()) {
3145 out.printf("fp = %p not found in cx = %p\n", (void*)start, (void*)cx);
3146 return;
3147 }
3148 }
3149
3150 for (; !i.done(); ++i) {
3151 if (i.isJSJit()) {
3152 out.put("JIT frame\n");
3153 } else {
3154 out.printf("InterpreterFrame at %p\n", (void*)i.interpFrame());
3155 }
3156
3157 if (i.isFunctionFrame()) {
3158 out.put("callee fun: ");
3159 RootedValue v(cx);
3160 JSObject* fun = i.callee(cx);
3161 v.setObject(*fun);
3162 dumpValue(v, out);
3163 } else {
3164 out.put("global or eval frame, no callee");
3165 }
3166 out.putChar('\n');
3167
3168 out.printf("file %s line %u\n", i.script()->filename(),
3169 i.script()->lineno());
3170
3171 if (jsbytecode* pc = i.pc()) {
3172 out.printf(" pc = %p\n", pc);
3173 out.printf(" current op: %s\n", CodeName(JSOp(*pc)));
3174 MaybeDumpScope(i.script()->lookupScope(pc), out);
3175 }
3176 if (i.isFunctionFrame()) {
3177 MaybeDumpValue("this", i.thisArgument(cx), out);
3178 }
3179 if (!i.isJSJit()) {
3180 out.put(" rval: ");
3181 dumpValue(i.interpFrame()->returnValue(), out);
3182 out.putChar('\n');
3183 }
3184
3185 out.put(" flags:");
3186 if (i.isConstructing()) {
3187 out.put(" constructing");
3188 }
3189 if (!i.isJSJit() && i.interpFrame()->isDebuggerEvalFrame()) {
3190 out.put(" debugger eval");
3191 }
3192 if (i.isEvalFrame()) {
3193 out.put(" eval");
3194 }
3195 out.putChar('\n');
3196
3197 out.printf(" envChain: (JSObject*) %p\n", (void*)i.environmentChain(cx));
3198
3199 out.putChar('\n');
3200 }
3201 }
3202
3203 #endif /* defined(DEBUG) || defined(JS_JITSPEW) */
3204
3205 JS_PUBLIC_API void js::DumpBacktrace(JSContext* cx, FILE* fp) {
3206 Fprinter out(fp);
3207 js::DumpBacktrace(cx, out);
3208 }
3209
3210 JS_PUBLIC_API void js::DumpBacktrace(JSContext* cx, js::GenericPrinter& out) {
3211 size_t depth = 0;
3212 for (AllFramesIter i(cx); !i.done(); ++i, ++depth) {
3213 const char* filename;
3214 unsigned line;
3215 if (i.hasScript()) {
3216 filename = JS_GetScriptFilename(i.script());
3217 line = PCToLineNumber(i.script(), i.pc());
3218 } else {
3219 filename = i.filename();
3220 line = i.computeLine();
3221 }
3222 char frameType = i.isInterp() ? 'i'
3223 : i.isBaseline() ? 'b'
3224 : i.isIon() ? 'I'
3225 : i.isWasm() ? 'W'
3226 : '?';
3227
3228 out.printf("#%zu %14p %c %s:%u", depth, i.rawFramePtr(), frameType,
3229 filename, line);
3230
3231 if (i.hasScript()) {
3232 out.printf(" (%p @ %zu)\n", i.script(), i.script()->pcToOffset(i.pc()));
3233 } else {
3234 out.printf(" (%p)\n", i.pc());
3235 }
3236 }
3237 }
3238
3239 JS_PUBLIC_API void js::DumpBacktrace(JSContext* cx) {
3240 DumpBacktrace(cx, stdout);
3241 }
3242
3243 /* * */
3244
3245 bool JSObject::isBackgroundFinalized() const {
3246 if (isTenured()) {
3247 return js::gc::IsBackgroundFinalized(asTenured().getAllocKind());
3248 }
3249
3250 js::Nursery& nursery = runtimeFromMainThread()->gc.nursery();
3251 return js::gc::IsBackgroundFinalized(allocKindForTenure(nursery));
3252 }
3253
3254 js::gc::AllocKind JSObject::allocKindForTenure(
3255 const js::Nursery& nursery) const {
3256 using namespace js::gc;
3257
3258 MOZ_ASSERT(IsInsideNursery(this));
3259
3260 if (canHaveFixedElements()) {
3261 const NativeObject& nobj = as<NativeObject>();
3262 MOZ_ASSERT(nobj.numFixedSlots() == 0);
3263
3264 /* Use minimal size object if we are just going to copy the pointer. */
3265 if (!nursery.isInside(nobj.getUnshiftedElementsHeader())) {
3266 return gc::AllocKind::OBJECT0_BACKGROUND;
3267 }
3268
3269 size_t nelements = nobj.getDenseCapacity();
3270 return ForegroundToBackgroundAllocKind(GetGCArrayKind(nelements));
3271 }
3272
3273 if (is<JSFunction>()) {
3274 return as<JSFunction>().getAllocKind();
3275 }
3276
3277 // Fixed length typed arrays in the nursery may have a lazily allocated
3278 // buffer, make sure there is room for the array's fixed data when moving the
3279 // array.
3280 if (is<FixedLengthTypedArrayObject>() &&
3281 !as<FixedLengthTypedArrayObject>().hasBuffer()) {
3282 gc::AllocKind allocKind;
3283 if (as<FixedLengthTypedArrayObject>().hasInlineElements()) {
3284 size_t nbytes = as<FixedLengthTypedArrayObject>().byteLength();
3285 allocKind = FixedLengthTypedArrayObject::AllocKindForLazyBuffer(nbytes);
3286 } else {
3287 allocKind = GetGCObjectKind(getClass());
3288 }
3289 return ForegroundToBackgroundAllocKind(allocKind);
3290 }
3291
3292 // Proxies that are CrossCompartmentWrappers may be nursery allocated.
3293 if (is<ProxyObject>()) {
3294 return as<ProxyObject>().allocKindForTenure();
3295 }
3296
3297 // WasmStructObjects have a variable-length tail which contains the first
3298 // few data fields, so make sure we copy it all over to the new object.
3299 if (is<WasmStructObject>()) {
3300 // Figure out the size of this object, from the object's TypeDef.
3301 const wasm::TypeDef* typeDef = &as<WasmStructObject>().typeDef();
3302 return WasmStructObject::allocKindForTypeDef(typeDef);
3303 }
3304
3305 if (is<WasmArrayObject>()) {
3306 return WasmArrayObject::allocKind();
3307 }
3308
3309 // All nursery allocatable non-native objects are handled above.
3310 return as<NativeObject>().allocKindForTenure();
3311 }
3312
3313 void JSObject::addSizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf,
3314 JS::ClassInfo* info,
3315 JS::RuntimeSizes* runtimeSizes) {
3316 if (is<NativeObject>() && as<NativeObject>().hasDynamicSlots()) {
3317 info->objectsMallocHeapSlots +=
3318 mallocSizeOf(as<NativeObject>().getSlotsHeader());
3319 }
3320
3321 if (is<NativeObject>() && as<NativeObject>().hasDynamicElements()) {
3322 void* allocatedElements = as<NativeObject>().getUnshiftedElementsHeader();
3323 info->objectsMallocHeapElementsNormal += mallocSizeOf(allocatedElements);
3324 }
3325
3326 // Other things may be measured in the future if DMD indicates it is
3327 // worthwhile.
3328 if (is<JSFunction>() || is<PlainObject>() || is<ArrayObject>() ||
3329 is<CallObject>() || is<RegExpObject>() || is<ProxyObject>()) {
3330 // Do nothing. But this function is hot, and we win by getting the
3331 // common cases out of the way early. Some stats on the most common
3332 // classes, as measured during a vanilla browser session:
3333 // - (53.7%, 53.7%): Function
3334 // - (18.0%, 71.7%): Object
3335 // - (16.9%, 88.6%): Array
3336 // - ( 3.9%, 92.5%): Call
3337 // - ( 2.8%, 95.3%): RegExp
3338 // - ( 1.0%, 96.4%): Proxy
3339
3340 // Note that any JSClass that is special cased below likely needs to
3341 // specify the JSCLASS_DELAY_METADATA_BUILDER flag, or else we will
3342 // probably crash if the object metadata callback attempts to get the
3343 // size of the new object (which Debugger code does) before private
3344 // slots are initialized.
3345 } else if (is<ArgumentsObject>()) {
3346 info->objectsMallocHeapMisc +=
3347 as<ArgumentsObject>().sizeOfMisc(mallocSizeOf);
3348 } else if (is<MapObject>()) {
3349 info->objectsMallocHeapMisc += as<MapObject>().sizeOfData(mallocSizeOf);
3350 } else if (is<SetObject>()) {
3351 info->objectsMallocHeapMisc += as<SetObject>().sizeOfData(mallocSizeOf);
3352 } else if (is<PropertyIteratorObject>()) {
3353 info->objectsMallocHeapMisc +=
3354 as<PropertyIteratorObject>().sizeOfMisc(mallocSizeOf);
3355 } else if (is<ArrayBufferObject>()) {
3356 ArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf, info,
3357 runtimeSizes);
3358 } else if (is<SharedArrayBufferObject>()) {
3359 SharedArrayBufferObject::addSizeOfExcludingThis(this, mallocSizeOf, info,
3360 runtimeSizes);
3361 } else if (is<GlobalObject>()) {
3362 as<GlobalObject>().addSizeOfData(mallocSizeOf, info);
3363 } else if (is<WeakCollectionObject>()) {
3364 info->objectsMallocHeapMisc +=
3365 as<WeakCollectionObject>().sizeOfExcludingThis(mallocSizeOf);
3366 }
3367 #ifdef JS_HAS_CTYPES
3368 else {
3369 // This must be the last case.
3370 info->objectsMallocHeapMisc += ctypes::SizeOfDataIfCDataObject(
3371 mallocSizeOf, const_cast<JSObject*>(this));
3372 }
3373 #endif
3374 }
3375
3376 size_t JSObject::sizeOfIncludingThisInNursery() const {
3377 // This function doesn't concern itself yet with typed objects (bug 1133593).
3378
3379 MOZ_ASSERT(!isTenured());
3380
3381 const Nursery& nursery = runtimeFromMainThread()->gc.nursery();
3382 size_t size = gc::Arena::thingSize(allocKindForTenure(nursery));
3383
3384 if (is<NativeObject>()) {
3385 const NativeObject& native = as<NativeObject>();
3386
3387 size += native.numDynamicSlots() * sizeof(Value);
3388
3389 if (native.hasDynamicElements()) {
3390 js::ObjectElements& elements = *native.getElementsHeader();
3391 size += (elements.capacity + elements.numShiftedElements()) *
3392 sizeof(HeapSlot);
3393 }
3394
3395 if (is<ArgumentsObject>()) {
3396 size += as<ArgumentsObject>().sizeOfData();
3397 }
3398 }
3399
3400 return size;
3401 }
3402
3403 JS::ubi::Node::Size JS::ubi::Concrete<JSObject>::size(
3404 mozilla::MallocSizeOf mallocSizeOf) const {
3405 JSObject& obj = get();
3406
3407 if (!obj.isTenured()) {
3408 return obj.sizeOfIncludingThisInNursery();
3409 }
3410
3411 JS::ClassInfo info;
3412 obj.addSizeOfExcludingThis(mallocSizeOf, &info, nullptr);
3413 return obj.tenuredSizeOfThis() + info.sizeOfAllThings();
3414 }
3415
3416 const char16_t JS::ubi::Concrete<JSObject>::concreteTypeName[] = u"JSObject";
3417
3418 void JSObject::traceChildren(JSTracer* trc) {
3419 TraceCellHeaderEdge(trc, this, "shape");
3420
3421 Shape* objShape = shape();
3422 if (objShape->isNative()) {
3423 NativeObject* nobj = &as<NativeObject>();
3424
3425 {
3426 GetObjectSlotNameFunctor func(nobj);
3427 JS::AutoTracingDetails ctx(trc, func);
3428 JS::AutoTracingIndex index(trc);
3429 // Tracing can mutate the target but cannot change the slot count,
3430 // but the compiler has no way of knowing this.
3431 const uint32_t nslots = nobj->slotSpan();
3432 for (uint32_t i = 0; i < nslots; ++i) {
3433 TraceEdge(trc, &nobj->getSlotRef(i), "object slot");
3434 ++index;
3435 }
3436 MOZ_ASSERT(nslots == nobj->slotSpan());
3437 }
3438
3439 TraceRange(trc, nobj->getDenseInitializedLength(),
3440 static_cast<HeapSlot*>(nobj->getDenseElements()),
3441 "objectElements");
3442 }
3443
3444 // Call the trace hook at the end so that during a moving GC the trace hook
3445 // will see updated fields and slots.
3446 const JSClass* clasp = objShape->getObjectClass();
3447 if (clasp->hasTrace()) {
3448 clasp->doTrace(trc, this);
3449 }
3450 }
3451
3452 // ES 2016 7.3.20.
3453 [[nodiscard]] JSObject* js::SpeciesConstructor(
3454 JSContext* cx, HandleObject obj, HandleObject defaultCtor,
3455 bool (*isDefaultSpecies)(JSContext*, JSFunction*)) {
3456 // Step 1 (implicit).
3457
3458 // Fast-path for steps 2 - 8. Applies if all of the following conditions
3459 // are met:
3460 // - obj.constructor can be retrieved without side-effects.
3461 // - obj.constructor[[@@species]] can be retrieved without side-effects.
3462 // - obj.constructor[[@@species]] is the builtin's original @@species
3463 // getter.
3464 RootedValue ctor(cx);
3465 bool ctorGetSucceeded = GetPropertyPure(
3466 cx, obj, NameToId(cx->names().constructor), ctor.address());
3467 if (ctorGetSucceeded && ctor.isObject() && &ctor.toObject() == defaultCtor) {
3468 jsid speciesId = PropertyKey::Symbol(cx->wellKnownSymbols().species);
3469 JSFunction* getter;
3470 if (GetGetterPure(cx, defaultCtor, speciesId, &getter) && getter &&
3471 isDefaultSpecies(cx, getter)) {
3472 return defaultCtor;
3473 }
3474 }
3475
3476 // Step 2.
3477 if (!ctorGetSucceeded &&
3478 !GetProperty(cx, obj, obj, cx->names().constructor, &ctor)) {
3479 return nullptr;
3480 }
3481
3482 // Step 3.
3483 if (ctor.isUndefined()) {
3484 return defaultCtor;
3485 }
3486
3487 // Step 4.
3488 if (!ctor.isObject()) {
3489 JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
3490 JSMSG_OBJECT_REQUIRED,
3491 "object's 'constructor' property");
3492 return nullptr;
3493 }
3494
3495 // Step 5.
3496 RootedObject ctorObj(cx, &ctor.toObject());
3497 RootedValue s(cx);
3498 RootedId speciesId(cx, PropertyKey::Symbol(cx->wellKnownSymbols().species));
3499 if (!GetProperty(cx, ctorObj, ctor, speciesId, &s)) {
3500 return nullptr;
3501 }
3502
3503 // Step 6.
3504 if (s.isNullOrUndefined()) {
3505 return defaultCtor;
3506 }
3507
3508 // Step 7.
3509 if (IsConstructor(s)) {
3510 return &s.toObject();
3511 }
3512
3513 // Step 8.
3514 JS_ReportErrorNumberASCII(
3515 cx, GetErrorMessage, nullptr, JSMSG_NOT_CONSTRUCTOR,
3516 "[Symbol.species] property of object's constructor");
3517 return nullptr;
3518 }
3519
3520 [[nodiscard]] JSObject* js::SpeciesConstructor(
3521 JSContext* cx, HandleObject obj, JSProtoKey ctorKey,
3522 bool (*isDefaultSpecies)(JSContext*, JSFunction*)) {
3523 RootedObject defaultCtor(cx,
3524 GlobalObject::getOrCreateConstructor(cx, ctorKey));
3525 if (!defaultCtor) {
3526 return nullptr;
3527 }
3528 return SpeciesConstructor(cx, obj, defaultCtor, isDefaultSpecies);
3529 }
3530
3531 bool js::Unbox(JSContext* cx, HandleObject obj, MutableHandleValue vp) {
3532 if (MOZ_UNLIKELY(obj->is<ProxyObject>())) {
3533 return Proxy::boxedValue_unbox(cx, obj, vp);
3534 }
3535
3536 if (obj->is<BooleanObject>()) {
3537 vp.setBoolean(obj->as<BooleanObject>().unbox());
3538 } else if (obj->is<NumberObject>()) {
3539 vp.setNumber(obj->as<NumberObject>().unbox());
3540 } else if (obj->is<StringObject>()) {
3541 vp.setString(obj->as<StringObject>().unbox());
3542 } else if (obj->is<DateObject>()) {
3543 vp.set(obj->as<DateObject>().UTCTime());
3544 } else if (obj->is<SymbolObject>()) {
3545 vp.setSymbol(obj->as<SymbolObject>().unbox());
3546 } else if (obj->is<BigIntObject>()) {
3547 vp.setBigInt(obj->as<BigIntObject>().unbox());
3548 #ifdef ENABLE_RECORD_TUPLE
3549 } else if (obj->is<RecordObject>()) {
3550 vp.setExtendedPrimitive(*obj->as<RecordObject>().unbox());
3551 } else if (obj->is<TupleObject>()) {
3552 vp.setExtendedPrimitive(obj->as<TupleObject>().unbox());
3553 #endif
3554 } else {
3555 vp.setUndefined();
3556 }
3557
3558 return true;
3559 }
3560
3561 #ifdef DEBUG
3562 void js::AssertJSClassInvariants(const JSClass* clasp) {
3563 MOZ_ASSERT(JS::StringIsASCII(clasp->name));
3564
3565 // Native objects shouldn't use the property operation hooks in ObjectOps.
3566 // Doing so could violate JIT invariants.
3567 //
3568 // Environment objects unfortunately use these hooks, but environment objects
3569 // are not exposed directly to script so they're generally less of an issue.
3570 if (clasp->isNativeObject() && clasp != &WithEnvironmentObject::class_ &&
3571 clasp != &ModuleEnvironmentObject::class_ &&
3572 clasp != &RuntimeLexicalErrorObject::class_) {
3573 MOZ_ASSERT(!clasp->getOpsLookupProperty());
3574 MOZ_ASSERT_IF(clasp != &MappedArgumentsObject::class_,
3575 !clasp->getOpsDefineProperty());
3576 MOZ_ASSERT(!clasp->getOpsHasProperty());
3577 MOZ_ASSERT(!clasp->getOpsGetProperty());
3578 MOZ_ASSERT(!clasp->getOpsSetProperty());
3579 MOZ_ASSERT(!clasp->getOpsGetOwnPropertyDescriptor());
3580 MOZ_ASSERT(!clasp->getOpsDeleteProperty());
3581 }
3582 }
3583
3584 /* static */
3585 void JSObject::debugCheckNewObject(Shape* shape, js::gc::AllocKind allocKind,
3586 js::gc::Heap heap) {
3587 const JSClass* clasp = shape->getObjectClass();
3588
3589 if (!ClassCanHaveFixedData(clasp)) {
3590 NativeShape* nshape = &shape->asNative();
3591 if (clasp == &ArrayObject::class_) {
3592 // Arrays can store the ObjectElements header inline.
3593 MOZ_ASSERT(nshape->numFixedSlots() == 0);
3594 } else {
3595 MOZ_ASSERT(gc::GetGCKindSlots(allocKind) == nshape->numFixedSlots());
3596 }
3597 }
3598
3599 // Assert background finalization is used when possible.
3600 MOZ_ASSERT(!CanChangeToBackgroundAllocKind(allocKind, clasp));
3601
3602 // Classes with a finalizer must specify whether instances will be finalized
3603 // on the main thread or in the background, except proxies whose behaviour
3604 // depends on the target object.
3605 static const uint32_t FinalizeMask =
3606 JSCLASS_FOREGROUND_FINALIZE | JSCLASS_BACKGROUND_FINALIZE;
3607 uint32_t flags = clasp->flags;
3608 uint32_t finalizeFlags = flags & FinalizeMask;
3609 if (clasp->hasFinalize() && !clasp->isProxyObject()) {
3610 MOZ_ASSERT(finalizeFlags == JSCLASS_FOREGROUND_FINALIZE ||
3611 finalizeFlags == JSCLASS_BACKGROUND_FINALIZE);
3612 MOZ_ASSERT((finalizeFlags == JSCLASS_BACKGROUND_FINALIZE) ==
3613 IsBackgroundFinalized(allocKind));
3614 } else {
3615 MOZ_ASSERT(finalizeFlags == 0);
3616 }
3617
3618 MOZ_ASSERT_IF(clasp->hasFinalize(),
3619 heap == gc::Heap::Tenured ||
3620 CanNurseryAllocateFinalizedClass(clasp) ||
3621 clasp->isProxyObject());
3622
3623 MOZ_ASSERT(!shape->isDictionary());
3624 MOZ_ASSERT(!shape->realm()->hasObjectPendingMetadata());
3625
3626 // Non-native classes manage their own data and slots, so numFixedSlots is
3627 // always 0. Note that proxy classes can have reserved slots but they're not
3628 // included in numFixedSlots.
3629 if (!clasp->isNativeObject()) {
3630 MOZ_ASSERT_IF(!clasp->isProxyObject(), JSCLASS_RESERVED_SLOTS(clasp) == 0);
3631 }
3632 }
3633 #endif