| blob | b15810471e782b0b63164ec2028b829742219197 |
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 // vim: ft=cpp tw=78 sw=2 et ts=2
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Utilities for managing the script settings object stack defined in webapps */
9 #ifndef mozilla_dom_ScriptSettings_h
10 #define mozilla_dom_ScriptSettings_h
29 // For internal use only - use AutoJSAPI instead.
32 /**
33 * Fundamental cx pushing class. All other cx pushing classes are implemented
34 * in terms of this class.
35 */
36 class MOZ_STACK_CLASS AutoCxPusher
37 {
44 // Returns true if this AutoCxPusher performed the push that is currently at
45 // the top of the cx stack.
52 #ifdef DEBUG
55 #endif
56 };
60 /*
61 * System-wide setup/teardown routines. Init and Destroy should be invoked
62 * once each, at startup and shutdown (respectively).
63 */
68 /*
69 * Static helpers in ScriptSettings which track the number of listeners
70 * of Javascript RunToCompletion events. These should be used by the code in
71 * nsDocShell::SetRecordProfileTimelineMarkers to indicate to script
72 * settings that script run-to-completion needs to be monitored.
73 * SHOULD BE CALLED ONLY BY MAIN THREAD.
74 */
78 // To implement a web-compatible browser, it is often necessary to obtain the
79 // global object that is "associated" with the currently-running code. This
80 // process is made more complicated by the fact that, historically, different
81 // algorithms have operated with different definitions of the "associated"
82 // global.
83 //
84 // HTML5 formalizes this into two concepts: the "incumbent global" and the
85 // "entry global". The incumbent global corresponds to the global of the
86 // current script being executed, whereas the entry global corresponds to the
87 // global of the script where the current JS execution began.
88 //
89 // There is also a potentially-distinct third global that is determined by the
90 // current compartment. This roughly corresponds with the notion of Realms in
91 // ECMAScript.
92 //
93 // Suppose some event triggers an event listener in window |A|, which invokes a
94 // scripted function in window |B|, which invokes the |window.location.href|
95 // setter in window |C|. The entry global would be |A|, the incumbent global
96 // would be |B|, and the current compartment would be that of |C|.
97 //
98 // In general, it's best to use to use the most-closely-associated global
99 // unless the spec says to do otherwise. In 95% of the cases, the global of
100 // the current compartment (GetCurrentGlobal()) is the right thing. For
101 // example, WebIDL constructors (new C.XMLHttpRequest()) are initialized with
102 // the global of the current compartment (i.e. |C|).
103 //
104 // The incumbent global is very similar, but differs in a few edge cases. For
105 // example, if window |B| does |C.location.href = "..."|, the incumbent global
106 // used for the navigation algorithm is B, because no script from |C| was ever run.
107 //
108 // The entry global is used for various things like computing base URIs, mostly
109 // for historical reasons.
110 //
111 // Note that all of these functions return bonafide global objects. This means
112 // that, for Windows, they always return the inner.
114 // Returns the global associated with the top-most Candidate Entry Point on
115 // the Script Settings Stack. See the HTML spec. This may be null.
118 // If the entry global is a window, returns its extant document. Otherwise,
119 // returns null.
122 // Returns the global associated with the top-most entry of the the Script
123 // Settings Stack. See the HTML spec. This may be null.
126 // Returns the global associated with the current compartment. This may be null.
129 // JS-implemented WebIDL presents an interesting situation with respect to the
130 // subject principal. A regular C++-implemented API can simply examine the
131 // compartment of the most-recently-executed script, and use that to infer the
132 // responsible party. However, JS-implemented APIs are run with system
133 // principal, and thus clobber the subject principal of the script that
134 // invoked the API. So we have to do some extra work to keep track of this
135 // information.
136 //
137 // We therefore implement the following behavior:
138 // * Each Script Settings Object has an optional WebIDL Caller Principal field.
139 // This defaults to null.
140 // * When we push an Entry Point in preparation to run a JS-implemented WebIDL
141 // callback, we grab the subject principal at the time of invocation, and
142 // store that as the WebIDL Caller Principal.
143 // * When non-null, callers can query this principal from script via an API on
144 // Components.utils.
147 // This may be used by callers that know that their incumbent global is non-
148 // null (i.e. they know there have been no System Caller pushes since the
149 // inner-most script execution).
151 {
153 }
171 // This constructor is only for use by AutoNoJSAPI.
176 };
178 /*
179 * For any interaction with JSAPI, an AutoJSAPI (or one of its subclasses)
180 * must be on the stack.
181 *
182 * This base class should be instantiated as-is when the caller wants to use
183 * JSAPI but doesn't expect to run script. The caller must then call one of its
184 * Init functions before being able to access the JSContext through cx().
185 * Its current duties are as-follows (see individual Init comments for details):
186 *
187 * * Grabbing an appropriate JSContext, and, on the main thread, pushing it onto
188 * the JSContext stack.
189 * * Entering an initial (possibly null) compartment, to ensure that the
190 * previously entered compartment for that JSContext is not used by mistake.
191 *
192 * Additionally, the following duties are planned, but not yet implemented:
193 *
194 * * De-poisoning the JSRuntime to allow manipulation of JSAPI. We can't
195 * actually implement this poisoning until all the JSContext pushing in the
196 * system goes through AutoJSAPI (see bug 951991). For now, this de-poisoning
197 * effectively corresponds to having a non-null cx on the stack.
198 * * Reporting any exceptions left on the JSRuntime, unless the caller steals
199 * or silences them.
200 * * Entering a JSAutoRequest. At present, this is handled by the cx pushing
201 * on the main thread, and by other code on workers. Depending on the order
202 * in which various cleanup lands, this may never be necessary, because
203 * JSAutoRequests may go away.
204 *
205 * In situations where the consumer expects to run script, AutoEntryScript
206 * should be used, which does additional manipulation of the script settings
207 * stack. In bug 991758, we'll add hard invariants to SpiderMonkey, such that
208 * any attempt to run script without an AutoEntryScript on the stack will
209 * fail. This prevents system code from accidentally triggering script
210 * execution at inopportune moments via surreptitious getters and proxies.
211 */
214 // Trivial constructor. One of the Init functions must be called before
215 // accessing the JSContext through cx().
220 // This uses the SafeJSContext (or worker equivalent), and enters a null
221 // compartment, so that the consumer is forced to select a compartment to
222 // enter before manipulating objects.
225 // This uses the SafeJSContext (or worker equivalent), and enters the
226 // compartment of aGlobalObject.
227 // If aGlobalObject or its associated JS global are null then it returns
228 // false and use of cx() will cause an assertion.
231 // This is a helper that grabs the native global associated with aObject and
232 // invokes the above Init() with that.
235 // Unsurprisingly, this uses aCx and enters the compartment of aGlobalObject.
236 // If aGlobalObject or its associated JS global are null then it returns
237 // false and use of cx() will cause an assertion.
238 // If aCx is null it will cause an assertion.
241 // This may only be used on the main thread.
242 // This attempts to use the JSContext associated with aGlobalObject, otherwise
243 // it uses the SafeJSContext. It then enters the compartment of aGlobalObject.
244 // This means that existing error reporting mechanisms that use the JSContext
245 // to find the JSErrorReporter should still work as before.
246 // We should be able to remove this around bug 981198.
247 // If aGlobalObject or its associated JS global are null then it returns
248 // false and use of cx() will cause an assertion.
251 // Convenience functions to take an nsPIDOMWindow* or nsGlobalWindow*,
252 // when it is more easily available than an nsIGlobalObject.
266 }
270 // We're moving towards a world where the AutoJSAPI always handles
271 // exceptions that bubble up from the JS engine. In order to make this
272 // process incremental, we allow consumers to opt-in to the new behavior
273 // while keeping the old behavior as the default.
280 };
282 // Transfers ownership of the current exception from the JS engine to the
283 // caller. Callers must ensure that HasException() is true, and that cx()
284 // is in a non-null compartment.
285 //
286 // Note that this fails if and only if we OOM while wrapping the exception
287 // into the current compartment.
293 }
296 // Protected constructor, allowing subclasses to specify a particular cx to
297 // be used. This constructor initialises the AutoJSAPI, so Init must NOT be
298 // called on subclasses that use this.
299 // If aGlobalObject, its associated JS global or aCx are null this will cause
300 // an assertion, as will setting aIsMainThread incorrectly.
308 // Track state between the old and new error reporting modes.
317 };
319 /*
320 * A class that represents a new script entry point.
321 */
327 // Note: aCx is mandatory off-main-thread.
334 }
337 // It's safe to make this a weak pointer, since it's the subject principal
338 // when we go on the stack, so can't go away until after we're gone. In
339 // particular, this is only used from the CallSetup constructor, and only in
340 // the aIsJSImplementedWebIDL case. And in that case, the subject principal
341 // is the principal of the callee function that is part of the CallArgs just a
342 // bit up the stack, and which will outlive us. So we know the principal
343 // can't go away until then either.
350 };
352 /*
353 * A class that can be used to force a particular incumbent script on the stack.
354 */
360 };
362 /*
363 * A class to put the JS engine in an unusable state. The subject principal
364 * will become System, the information on the script settings stack is
365 * rendered inaccessible, and JSAPI may not be manipulated until the class is
366 * either popped or an AutoJSAPI instance is subsequently pushed.
367 *
368 * This class may not be instantiated if an exception is pending.
369 */
375 };
379 /**
380 * Use AutoJSContext when you need a JS context on the stack but don't have one
381 * passed as a parameter. AutoJSContext will take care of finding the most
382 * appropriate JS context and release it when leaving the stack.
383 */
392 // We need this Init() method because we can't use delegating constructor for
393 // the moment. It is a C++11 feature and we do not require C++11 to be
394 // supported to be able to compile Gecko.
399 MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
400 };
402 /**
403 * Use ThreadsafeAutoJSContext when you want an AutoJSContext but might be
404 * running on a worker thread.
405 */
415 MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
416 };
418 /**
419 * AutoSafeJSContext is similar to AutoJSContext but will only return the safe
420 * JS context. That means it will never call nsContentUtils::GetCurrentJSContext().
421 *
422 * Note - This is deprecated. Please use AutoJSAPI instead.
423 */
428 JSAutoCompartment mAc;
429 };
431 /**
432 * Like AutoSafeJSContext but can be used safely on worker threads.
433 */
443 MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
444 };