| blob | c65ed732cd6b310d9823080c70404ee09f66a634 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
15 #include <algorithm>
41 #ifdef ENABLE_RECORD_TUPLE
45 #endif
62 /* ES5 15.12.3 Quote.
63 * Requires that the destination has enough space allocated for src after
64 * escaping (that is, `2 + 6 * (srcEnd - srcBegin)` characters).
65 */
70 // Maps characters < 256 to the value that must follow the '\\' in the quoted
71 // string. Entries with 'u' are handled as \\u00xy, and entries with 0 are not
72 // escaped in any way. Characters >= 256 are all assumed to be unescaped.
74 // clang-format off
85 // clang-format on
86 };
88 /* Step 1. */
94 };
96 /* Step 2. */
100 // Handle the Latin-1 cases.
104 // Directly copy non-escaped code points.
108 }
110 // Escape the rest, elaborating Unicode escapes when needed.
122 }
125 }
127 // Non-ASCII non-surrogates are directly copied.
131 }
133 // So too for complete surrogate pairs.
139 }
141 // But lone surrogates are Unicode-escaped.
149 }
151 /* Steps 3-4. */
154 }
169 }
175 }
179 }
181 // We resize the backing buffer to the maximum size we could possibly need,
182 // write the escaped string into it, and shrink it back to the size we ended
183 // up needing.
192 }
196 }
206 }
211 }
231 }
235 RootedObject replacer;
240 };
250 }
257 }
258 }
264 }
265 }
266 }
267 }
270 }
282 }
283 };
290 }
291 };
295 /*
296 * ES5 15.12.3 Str, steps 2-4, extracted to enable preprocessing of property
297 * values when stringifying objects in JO.
298 */
302 // We don't want to do any preprocessing here if scx->maybeSafely,
303 // since the stuff we do here can have side-effects.
306 }
310 // Step 2. Modified by BigInt spec 6.1 to check for a toJSON method on the
311 // BigInt prototype when the value is a BigInt, and to pass the BigInt
312 // primitive value as receiver.
318 }
322 }
328 }
333 }
334 }
335 }
337 /* Step 3. */
346 }
347 }
353 }
354 }
356 /* Step 4. */
360 ESClass cls;
363 }
369 }
375 }
382 }
383 }
384 }
387 }
389 /*
390 * Determines whether a value which has passed by ES5 150.2.3 Str steps 1-4's
391 * gauntlet will result in Str returning |undefined|. This function is used to
392 * properly omit properties resulting in such values when stringifying objects,
393 * while properly stringifying such properties as null when they're encountered
394 * in arrays.
395 */
399 }
411 JSMSG_JSON_CYCLIC_VALUE);
413 }
414 }
417 }
423 }
424 }
428 HandleObject obj_;
430 };
432 #ifdef ENABLE_RECORD_TUPLE
435 #endif
436 /* ES5 15.12.3 JO. */
438 /*
439 * This method implements the JO algorithm in ES5 15.12.3, but:
440 *
441 * * The algorithm is somewhat reformulated to allow the final string to
442 * be streamed into a single buffer, rather than be created and copied
443 * into place incrementally as the ES5 algorithm specifies it. This
444 * requires moving portions of the Str call in 8a into this algorithm
445 * (and in JA as well).
446 */
448 #ifdef ENABLE_RECORD_TUPLE
456 }
457 #endif
460 /* Steps 1-2, 11. */
464 }
468 }
470 /* Steps 5-7. */
474 // NOTE: We can't assert |IsArray(scx->replacer)| because the replacer
475 // might have been a revocable proxy to an array. Such a proxy
476 // satisfies |IsArray|, but any side effect of JSON.stringify
477 // could revoke the proxy so that |!IsArray(scx->replacer)|. See
478 // bug 1196497.
485 }
487 }
489 /* My kingdom for not-quite-initialized-from-the-start references. */
492 /* Steps 8-10, 13. */
498 }
500 /*
501 * Steps 8a-8b. Note that the call to Str is broken up into 1) getting
502 * the property; 2) processing for toJSON, calling the replacer, and
503 * handling boxed Number/String/Boolean objects; 3) filtering out
504 * values which process to |undefined|, and 4) stringifying all values
505 * which pass the filter.
506 */
509 #ifdef DEBUG
511 PropertyResult prop;
515 }
518 }
521 #ifdef ENABLE_RECORD_TUPLE
525 #endif
526 {
530 }
531 }
534 }
537 }
539 /* Output a comma unless this is the first member to write. */
542 }
547 }
552 }
558 }
559 }
563 }
566 }
568 // For JSON.stringify and JSON.parse with a reviver function, we need to know
569 // the length of an object for which JS::IsArray returned true. This must be
570 // either an ArrayObject or a proxy wrapping one.
572 HandleObject obj,
577 }
578 #ifdef ENABLE_RECORD_TUPLE
582 }
583 #endif
590 }
592 // A scripted proxy wrapping an array can return a length value larger than
593 // UINT32_MAX. Stringification will likely report an OOM in this case. Match
594 // other JS engines and report an early error in this case, although
595 // technically this is observable, for example when stringifying with a
596 // replacer function.
600 }
604 }
606 /* ES5 15.12.3 JA. */
608 /*
609 * This method implements the JA algorithm in ES5 15.12.3, but:
610 *
611 * * The algorithm is somewhat reformulated to allow the final string to
612 * be streamed into a single buffer, rather than be created and copied
613 * into place incrementally as the ES5 algorithm specifies it. This
614 * requires moving portions of the Str call in 8a into this algorithm
615 * (and in JO as well).
616 */
618 /* Steps 1-2, 11. */
622 }
626 }
628 /* Step 6. */
632 }
634 /* Steps 7-10. */
636 /* Steps 4, 10b(i). */
639 }
641 /* Steps 7-10. */
646 }
648 /*
649 * Steps 8a-8c. Again note how the call to the spec's Str method
650 * is broken up into getting the property, running it past toJSON
651 * and the replacer and maybe unboxing, and interpreting some
652 * values as |null| in separate steps.
653 */
654 #ifdef DEBUG
656 /*
657 * Trying to do a JS_AlreadyHasOwnElement runs the risk of
658 * hitting OOM on jsid creation. Let's just assert sanity for
659 * small enough indices.
660 */
667 "the array must either be small enough to remain "
668 "fully dense (and otherwise un-indexed), *or* "
669 "all its initially-dense elements were sparsified "
673 }
674 }
675 #endif
678 }
681 }
685 }
689 }
690 }
692 /* Steps 3, 4, 10b(i). */
696 }
699 }
700 }
701 }
703 /* Step 10(b)(iii). */
706 }
707 }
710 }
713 /* Step 11 must be handled by the caller. */
716 /*
717 * This method implements the Str algorithm in ES5 15.12.3, but:
718 *
719 * * We move property retrieval (step 1) into callers to stream the
720 * stringification process and avoid constantly copying strings.
721 * * We move the preprocessing in steps 2-4 into a helper function to
722 * allow both JO and JA to use this method. While JA could use it
723 * without this move, JO must omit any |undefined|-valued property per
724 * so it can't stream out a value using the Str method exactly as
725 * defined by ES5.
726 * * We move step 11 into callers, again to ease streaming.
727 */
729 /* Step 8. */
732 }
734 /* Step 5. */
737 }
739 /* Steps 6-7. */
742 }
744 /* Step 9. */
749 "input JS::ToJSONMaybeSafely must not include "
752 }
753 }
756 }
758 /* Step 10 in the BigInt proposal. */
761 JSMSG_BIGINT_NOT_SERIALIZABLE);
763 }
768 }
770 /* Step 10. */
776 "input to JS::ToJSONMaybeSafely must not include reachable "
782 #ifdef ENABLE_RECORD_TUPLE
786 }
789 }
791 }
792 #endif
797 }
800 }
805 }
808 // Arrays will look up all keys [0..length) so disallow anything that could
809 // find those keys anywhere but in the dense elements.
812 }
814 // Non-Arrays will only look at own properties, but still disallow any
815 // indexed properties other than in the dense elements because they would
816 // require sorting.
819 }
820 }
822 // Only used for internal environment objects that should never be passed to
823 // JSON.stringify.
826 #ifdef ENABLE_RECORD_TUPLE
829 }
830 #endif
833 }
835 #define FOR_EACH_STRINGIFY_BAIL_REASON(MACRO) \
836 MACRO(NO_REASON) \
837 MACRO(INELIGIBLE_OBJECT) \
838 MACRO(DEEP_RECURSION) \
839 MACRO(NON_DATA_PROPERTY) \
840 MACRO(TOO_MANY_PROPERTIES) \
841 MACRO(BIGINT) \
842 MACRO(API) \
843 MACRO(HAVE_REPLACER) \
844 MACRO(HAVE_SPACE) \
845 MACRO(PRIMITIVE) \
846 MACRO(HAVE_TOJSON) \
847 MACRO(IMPURE_LOOKUP) \
848 MACRO(INTERRUPT)
851 #define DECLARE_ENUM(name) name,
853 #undef DECLARE_ENUM
854 };
858 #define ENUM_NAME(name) \
859 case BailReason::name: \
860 return #name;
862 #undef ENUM_NAME
865 }
866 }
868 // Iterator over all the dense elements of an object. Used
869 // for both Arrays and non-Arrays.
871 HeapSlotArray elements;
874 // Arrays can have a length less than getDenseInitializedLength(), in which
875 // case the remaining Array elements are treated as UndefinedValue.
886 }
891 // For Arrays, steps 6-8 of
892 // https://262.ecma-international.org/13.0/#sec-serializejsonarray. For
893 // non-Arrays, step 6a of
894 // https://262.ecma-international.org/13.0/#sec-serializejsonobject
895 // following the order from
896 // https://262.ecma-international.org/13.0/#sec-ordinaryownpropertykeys
900 // Consider specializing the iterator for Arrays vs non-Arrays to avoid this
901 // branch.
903 }
906 };
908 // An iterator over the non-element properties of a Shape, returned in forward
909 // (creation) order. Note that it is fallible, so after iteration is complete
910 // isOverflowed() should be called to verify that the results are actually
911 // complete.
914 // Pointer to the current PropMap with length and an index within it.
919 // Stack of PropMaps to iterate through, oldest properties on top. The current
920 // map (map_, above) is never on this stack.
932 }
935 mapLength_ =
938 // Dictionary maps can have "holes" for removed properties, so keep
939 // going until we find a non-hole slot.
940 i_++;
943 }
944 }
945 }
949 // Set map_ to the PropMap containing the first property (the deepest map in
950 // the previous() chain). Push pointers to all other PropMaps onto stack_.
953 // No properties.
956 }
959 // Overflowed.
962 }
964 }
966 // Set mapLength_ to the number of properties in map_ (including dictionary
967 // holes, if any.)
971 }
978 i_++;
980 }
985 }
989 // Fake pointer struct to make operator-> work.
990 // See https://stackoverflow.com/a/52856349.
992 PropertyInfoWithKey val_;
994 };
996 };
998 // Iterator over EnumerableOwnPropertyNames
999 // https://262.ecma-international.org/13.0/#sec-enumerableownpropertynames
1000 // that fails if it encounters any accessor properties, as they are not handled
1001 // by JSON FastStr, or if it sees too many properties on one object.
1003 ShapePropertyForwardIterNoGC shapeIter;
1008 // Skip over any non-enumerable or Symbol properties, and permanently fail
1009 // if any enumerable non-data properties are encountered.
1013 }
1018 }
1022 }
1023 }
1025 }
1034 }
1036 // Non-Arrays with no enumerable properties can just be skipped.
1040 }
1042 }
1050 shapeIter++;
1053 }
1054 };
1056 // Steps from https://262.ecma-international.org/13.0/#sec-serializejsonproperty
1058 /* Step 8. */
1061 }
1063 /* Step 5. */
1066 }
1068 /* Steps 6-7. */
1071 }
1073 /* Step 9. */
1078 }
1079 }
1082 }
1084 // Unrepresentable values.
1088 }
1090 /* Step 10. */
1092 }
1094 // https://262.ecma-international.org/13.0/#sec-serializejsonproperty step 8b
1095 // where K is an integer index.
1097 Int32ToCStringBuf cbuf;
1102 }
1108 }
1110 // Similar to PreprocessValue: replace the value with a simpler one to
1111 // stringify, but also detect whether the value is compatible with the fast
1112 // path. If not, bail out by setting *whySlow and returning true.
1117 // Steps are from
1118 // https://262.ecma-international.org/13.0/#sec-serializejsonproperty
1120 // Disallow BigInts to avoid caring about BigInt.prototype.toJSON.
1124 }
1128 }
1133 }
1135 // Step 2: lookup a .toJSON property (and bail if found).
1137 PropertyResult toJSON;
1142 // Looking up this property would require a side effect.
1145 }
1149 }
1151 // Step 4: convert primitive wrapper objects to primitives. Disallowed for
1152 // fast path.
1157 // Primitive wrapper objects can invoke arbitrary code when being coerced to
1158 // their primitive values (eg via @@toStringTag).
1161 }
1164 // Steps 11,12: Callable objects are treated as undefined.
1167 }
1172 }
1175 }
1177 // FastStr maintains an explicit stack to handle nested objects. For each
1178 // object, first the dense elements are iterated, then the named properties
1179 // (included sparse indexes, which will cause FastStr to bail out.)
1180 //
1181 // The iterators for each of those parts are not merged into a single common
1182 // iterator because the interface is different for the two parts, and they are
1183 // handled separately in the FastStr code.
1189 // Given an object, a FastStackEntry starts with the dense elements. The
1190 // caller is expected to inspect the variant to use it differently based on
1191 // which iterator is active.
1197 // Called by Vector when moving data around.
1201 // Move assignment, called when updating the `top` entry.
1206 }
1208 // Advance from dense elements to the named properties.
1211 }
1212 };
1219 /*
1220 * FastStr is an optimistic fast path for the Str algorithm in ES5 15.12.3
1221 * that applies in limited situations. It falls back to Str() if:
1222 *
1223 * * Any externally visible code attempts to run: getter, enumerate
1224 * hook, toJSON property.
1225 * * Sparse index found (this would require accumulating props and sorting.)
1226 * * Max stack depth is reached. (This will also detect self-referential
1227 * input.)
1228 *
1229 * Algorithm:
1230 *
1231 * stack = []
1232 * top = iter(obj)
1233 * wroteMember = false
1234 * OUTER: while true:
1235 * if !wroteMember:
1236 * emit("[" or "{")
1237 * while !top.done():
1238 * key, value = top.next()
1239 * if top is a non-Array and value is skippable:
1240 * continue
1241 * if wroteMember:
1242 * emit(",")
1243 * wroteMember = true
1244 * if value is object:
1245 * emit(key + ":") if top is iterating a non-Array
1246 * stack.push(top)
1247 * top <- value
1248 * wroteMember = false
1249 * continue OUTER
1250 * else:
1251 * emit(value) or emit(key + ":" + value)
1252 * emit("]" or "}")
1253 * if stack is empty: done!
1254 * top <- stack.pop()
1255 * wroteMember = true
1256 *
1257 * except:
1258 *
1259 * * The `while !top.done()` loop is split into the dense element portion
1260 * and the slot portion. Each is iterated to completion before advancing
1261 * or finishing.
1262 *
1263 * * For Arrays, the named properties are not output, but they are still
1264 * scanned to bail if any numeric keys are found that could be indexes.
1265 */
1267 // FastStr will bail if an interrupt is requested in the middle of an
1268 // operation, so handle any interrupts now before starting. Note: this can GC,
1269 // but after this point nothing should be able to GC unless something fails,
1270 // so rooting is unnecessary.
1273 }
1279 }
1280 // Construct an iterator for the object,
1281 // https://262.ecma-international.org/13.0/#sec-serializejsonobject step 6:
1282 // EnumerableOwnPropertyNames or
1283 // https://262.ecma-international.org/13.0/#sec-serializejsonarray step 7-8.
1290 }
1296 }
1297 }
1303 // Interrupts can GC and we are working with unrooted pointers.
1308 }
1315 }
1318 }
1321 // Arrays convert unrepresentable values to "null".
1324 // Objects skip unrepresentable values.
1326 }
1327 }
1331 }
1337 }
1338 }
1344 }
1345 // Save the current iterator position on the stack and
1346 // switch to processing the nested value.
1352 }
1355 }
1356 }
1360 }
1367 }
1368 }
1374 // Interrupts can GC and we are working with unrooted pointers.
1379 }
1383 // A non-Array with indexed elements would need to sort the indexes
1384 // numerically, which this code does not support. These objects are
1385 // skipped when obj->isIndexed(), so no index properties should be found
1386 // here.
1393 }
1396 }
1398 // Undefined check in
1399 // https://262.ecma-international.org/13.0/#sec-serializejsonobject
1400 // step 8b, covering undefined, symbol
1402 }
1406 }
1412 }
1416 }
1421 }
1422 // Save the current iterator position on the stack and
1423 // switch to processing the nested value.
1429 }
1432 }
1433 }
1437 }
1440 }
1442 }
1446 }
1449 }
1454 }
1455 }
1457 /* ES6 24.3.2. */
1460 StringifyBehavior stringifyBehavior) {
1468 /**
1469 * This uses MOZ_ASSERT, since it's actually asserting something jsapi
1470 * consumers could get wrong, so needs a better error message.
1471 */
1477 /* Step 4. */
1483 }
1488 /* Step 4a(i): use replacer to transform values. */
1492 /* Step 4b(iii). */
1494 /* Step 4b(iii)(2-3). */
1498 }
1500 // Cap the initial size to a moderately small value. This avoids
1501 // ridiculous over-allocation if an array with bogusly-huge length
1502 // is passed in. If we end up having to add elements past this
1503 // size, the set will naturally resize to accommodate them.
1508 /* Step 4b(iii)(4). */
1511 /* Step 4b(iii)(5). */
1516 }
1518 /* Step 4b(iii)(5)(a-b). */
1521 }
1523 /* Step 4b(iii)(5)(c-g). */
1528 }
1530 ESClass cls;
1533 }
1537 }
1542 }
1545 }
1547 /* Step 4b(iii)(5)(g). */
1550 /* Step 4b(iii)(5)(g)(i). */
1553 }
1554 }
1555 }
1558 }
1559 }
1561 /* Step 5. */
1565 ESClass cls;
1568 }
1574 }
1580 }
1582 }
1583 }
1588 /* Step 6. */
1594 }
1596 /* Step 7. */
1600 }
1604 }
1606 /* Step 8. */
1608 }
1611 }
1616 // We can skip creating the initial wrapper object if no replacer
1617 // function is present.
1619 /* Step 9. */
1623 }
1625 /* Steps 10-11. */
1628 }
1629 }
1631 /* Step 12. */
1639 }
1641 // "Fast" stringify of primitives would create a wrapper object and thus
1642 // be slower than regular stringify.
1644 }
1648 }
1650 // Fast stringify succeeded!
1653 }
1657 }
1658 }
1660 }
1661 }
1668 }
1670 // Slow, general path.
1676 }
1679 }
1683 }
1685 // For StringBehavior::Compare, when the fast path succeeded.
1690 }
1693 }
1694 // Put the JSON back into the StringBuffer for returning.
1697 }
1698 }
1701 }
1703 /* ES5 15.12.2 Walk. */
1709 }
1711 /* Step 1. */
1715 }
1717 /* Step 2. */
1724 }
1727 /* Step 2a(ii). */
1731 }
1733 /* Step 2a(i), 2a(iii-iv). */
1739 }
1743 }
1745 /* Step 2a(iii)(1). */
1748 }
1750 ObjectOpResult ignored;
1752 /* Step 2a(iii)(2). The spec deliberately ignores strict failure. */
1755 }
1757 /* Step 2a(iii)(3). The spec deliberately ignores strict failure. */
1765 }
1766 }
1767 }
1769 /* Step 2b(i). */
1773 }
1775 /* Step 2b(ii). */
1781 }
1783 /* Step 2b(ii)(1). */
1787 }
1789 ObjectOpResult ignored;
1791 /* Step 2b(ii)(2). The spec deliberately ignores strict failure. */
1794 }
1796 /* Step 2b(ii)(3). The spec deliberately ignores strict failure. */
1804 }
1805 }
1806 }
1807 }
1808 }
1810 /* Step 3. */
1814 }
1818 }
1824 }
1828 }
1832 }
1836 MutableHandleValue vp) {
1840 }
1846 /* 15.12.2 steps 2-3. */
1849 }
1851 /* 15.12.2 steps 4-5. */
1854 }
1856 }
1870 }
1872 /* ES5 15.12.2. */
1877 /* Step 1. */
1882 }
1887 }
1892 }
1896 /* Steps 2-5. */
1902 }
1904 #ifdef ENABLE_RECORD_TUPLE
1906 HandleValue reviver,
1907 MutableHandleValue immutableRes) {
1910 // Step 1
1915 // Step 1.a-1.b
1919 // Step 1.b.iii
1925 }
1928 // Step 1.b.iv
1930 // Step 1.b.iv.1
1933 // Step 1.b.iv.2
1936 }
1938 // Step 1.b.iv.3
1942 }
1945 // Step 1.b.iv.5
1948 }
1949 }
1951 // Step 1.b.v
1956 // Step 1.c.i - We only get the property keys rather than the
1957 // entries, but the difference is not observable from user code
1958 // because `obj` is a plan object not exposed externally
1962 }
1967 }
1971 // Step 1.c.iii.1
1974 // Step 1.c.iii.2
1977 }
1979 // Step 1.c.iii.3
1983 }
1986 // Step 1.c.iii.5
1988 // Step 1.c.iii.5.a-b
1990 }
1991 }
1993 // Step 1.c.iv
1995 }
1997 // Step 2.a
1999 }
2001 // Step 3
2005 // Step 3.a
2007 immutableRes)) {
2009 }
2011 // Step 3.b
2014 JSMSG_RECORD_TUPLE_NO_OBJECT);
2016 }
2017 }
2020 }
2026 /* Step 1. */
2031 }
2036 }
2041 }
2049 }
2053 }
2054 }
2058 }
2059 #endif
2061 /* ES6 24.3.2. */
2071 #ifdef DEBUG
2073 #else
2075 #endif
2080 }
2082 // XXX This can never happen to nsJSON.cpp, but the JSON object
2083 // needs to support returning undefined. So this is a little awkward
2084 // for the API, because we want to support streaming writers.
2089 }
2093 }
2096 }
2101 #ifdef ENABLE_RECORD_TUPLE
2103 #endif
2104 JS_FS_END};
2112 }