| blob | 45ba4a1376f54f6deee49b395cf0fcd4061602cb |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef js_Proxy_h
8 #define js_Proxy_h
22 #include "js/TypeDecls.h" // for HandleObject, HandleId, HandleValue, MutableHandleIdVector, MutableHandleValue, MutableHand...
31 /*
32 * [SMDOC] Proxy Objects
33 *
34 * A proxy is a JSObject with highly customizable behavior. ES6 specifies a
35 * single kind of proxy, but the customization mechanisms we use to implement
36 * ES6 Proxy objects are also useful wherever an object with weird behavior is
37 * wanted. Proxies are used to implement:
38 *
39 * - the scope objects used by the Debugger's frame.eval() method
40 * (see js::GetDebugEnvironment)
41 *
42 * - the khuey hack, whereby a whole compartment can be blown away
43 * even if other compartments hold references to objects in it
44 * (see js::NukeCrossCompartmentWrappers)
45 *
46 * - XPConnect security wrappers, which protect chrome from malicious content
47 * (js/xpconnect/wrappers)
48 *
49 * - DOM objects with special property behavior, like named getters
50 * (dom/bindings/Codegen.py generates these proxies from WebIDL)
51 *
52 * ### Proxies and internal methods
53 *
54 * ES2019 specifies 13 internal methods. The runtime semantics of just about
55 * everything a script can do to an object is specified in terms of these
56 * internal methods. For example:
57 *
58 * JS code ES6 internal method that gets called
59 * --------------------------- --------------------------------
60 * obj.prop obj.[[Get]](obj, "prop")
61 * "prop" in obj obj.[[HasProperty]]("prop")
62 * new obj() obj.[[Construct]](<empty argument List>)
63 *
64 * With regard to the implementation of these internal methods, there are three
65 * very different kinds of object in SpiderMonkey.
66 *
67 * 1. Native objects cover most objects and contain both internal slots and
68 * properties. JSClassOps and ObjectOps may be used to override certain
69 * default behaviors.
70 *
71 * 2. Proxy objects are composed of internal slots and a ProxyHandler. The
72 * handler contains C++ methods that can implement these standard (and
73 * non-standard) internal methods. JSClassOps and ObjectOps for the base
74 * ProxyObject invoke the handler methods as appropriate.
75 *
76 * 3. Objects with custom layouts like TypedObjects. These rely on JSClassOps
77 * and ObjectOps to implement internal methods.
78 *
79 * Native objects with custom JSClassOps / ObjectOps are used when the object
80 * behaves very similar to a normal object such as the ArrayObject and it's
81 * length property. Most usages wrapping a C++ or other type should prefer
82 * using a Proxy. Using the proxy approach makes it much easier to create an
83 * ECMAScript and JIT compatible object, particularly if using an appropriate
84 * base class.
85 *
86 * Just about anything you do to a proxy will end up going through a C++
87 * virtual method call. Possibly several. There's no reason the JITs and ICs
88 * can't specialize for particular proxies, based on the handler; but currently
89 * we don't do much of this, so the virtual method overhead typically is
90 * actually incurred.
91 *
92 * ### The proxy handler hierarchy
93 *
94 * A major use case for proxies is to forward each internal method call to
95 * another object, known as its target. The target can be an arbitrary JS
96 * object. Not every proxy has the notion of a target, however.
97 *
98 * To minimize code duplication, a set of abstract proxy handler classes is
99 * provided, from which other handlers may inherit. These abstract classes are
100 * organized in the following hierarchy:
101 *
102 * BaseProxyHandler
103 * |
104 * ForwardingProxyHandler // has a target and forwards internal methods
105 * |
106 * Wrapper // can be unwrapped to reveal target
107 * | // (see js::CheckedUnwrap)
108 * |
109 * CrossCompartmentWrapper // target is in another compartment;
110 * // implements membrane between compartments
111 *
112 * Example: Some DOM objects (including all the arraylike DOM objects) are
113 * implemented as proxies. Since these objects don't need to forward operations
114 * to any underlying JS object, BaseDOMProxyHandler directly subclasses
115 * BaseProxyHandler.
116 *
117 * Gecko's security wrappers are examples of cross-compartment wrappers.
118 *
119 * ### Proxy prototype chains
120 *
121 * While most ECMAScript internal methods are handled by simply calling the
122 * handler method, the [[GetPrototypeOf]] / [[SetPrototypeOf]] behaviors may
123 * follow one of two models:
124 *
125 * 1. A concrete prototype object (or null) is passed to object construction
126 * and ordinary prototype read and write applies. The prototype-related
127 * handler hooks are never called in this case. The [[Prototype]] slot is
128 * used to store the current prototype value.
129 *
130 * 2. TaggedProto::LazyProto is passed to NewProxyObject (or the
131 * ProxyOptions::lazyProto flag is set). Each read or write of the
132 * prototype will invoke the handler. This dynamic prototype behavior may
133 * be useful for wrapper-like objects. If this mode is used the
134 * getPrototype handler at a minimum must be implemented.
135 *
136 * NOTE: In this mode the [[Prototype]] internal slot is unavailable and
137 * must be simulated if needed. This is non-standard, but an
138 * appropriate handler can hide this implementation detail.
139 *
140 * One subtlety here is that ECMAScript has a notion of "ordinary" prototypes.
141 * An object that doesn't override [[GetPrototypeOf]] is considered to have an
142 * ordinary prototype. The getPrototypeIfOrdinary handler must be implemented
143 * by you or your base class. Typically model 1 will be considered "ordinary"
144 * and model 2 will not.
145 */
147 /*
148 * BaseProxyHandler is the most generic kind of proxy handler. It does not make
149 * any assumptions about the target. Consequently, it does not provide any
150 * default implementation for most methods. As a convenience, a few high-level
151 * methods, like get() and set(), are given default implementations that work by
152 * calling the low-level methods, like getOwnPropertyDescriptor().
153 *
154 * Important: If you add a method here, you should probably also add a
155 * Proxy::foo entry point with an AutoEnterPolicy. If you don't, you need an
156 * explicit override for the method in SecurityWrapper. See bug 945826 comment
157 * 0.
158 */
160 /*
161 * Sometimes it's desirable to designate groups of proxy handlers as
162 * "similar". For this, we use the notion of a "family": A consumer-provided
163 * opaque pointer that designates the larger group to which this proxy
164 * belongs.
165 *
166 * If it will never be important to differentiate this proxy from others as
167 * part of a distinct group, nullptr may be used instead.
168 */
171 /*
172 * Proxy handlers can use mHasPrototype to request the following special
173 * treatment from the JS engine:
174 *
175 * - When mHasPrototype is true, the engine never calls these methods:
176 * has, set, enumerate, iterate. Instead, for these operations,
177 * it calls the "own" methods like getOwnPropertyDescriptor, hasOwn,
178 * defineProperty, getOwnEnumerablePropertyKeys, etc.,
179 * and consults the prototype chain if needed.
180 *
181 * - When mHasPrototype is true, the engine calls handler->get() only if
182 * handler->hasOwn() says an own property exists on the proxy. If not,
183 * it consults the prototype chain.
184 *
185 * This is useful because it frees the ProxyHandler from having to implement
186 * any behavior having to do with the prototype chain.
187 */
190 /*
191 * All proxies indicate whether they have any sort of interesting security
192 * policy that might prevent the caller from doing something it wants to
193 * the object. In the case of wrappers, this distinction is used to
194 * determine whether the caller may strip off the wrapper if it so desires.
195 */
214 /*
215 * Called on creation of a proxy to determine whether its finalize
216 * method can be finalized on the background thread.
217 */
219 }
222 /*
223 * Nursery allocation is allowed if and only if it is safe to not
224 * run |finalize| when the ProxyObject dies.
225 */
227 }
229 /* Policy enforcement methods.
230 *
231 * enter() allows the policy to specify whether the caller may perform |act|
232 * on the proxy's |id| property. In the case when |act| is CALL, |id| is
233 * generally JS::PropertyKey::isVoid. The |mayThrow| parameter indicates
234 * whether a handler that wants to throw custom exceptions when denying
235 * should do so or not.
236 *
237 * The |act| parameter to enter() specifies the action being performed.
238 * If |bp| is false, the method suggests that the caller throw (though it
239 * may still decide to squelch the error).
240 *
241 * We make these OR-able so that assertEnteredPolicy can pass a union of them.
242 * For example, get{,Own}PropertyDescriptor is invoked by calls to ::get()
243 * ::set(), in addition to being invoked on its own, so there are several
244 * valid Actions that could have been entered.
245 */
254 };
259 /* Standard internal methods. */
272 /*
273 * These methods are standard, but the engine does not normally call them.
274 * They're opt-in. See "Proxy prototype chains" above.
275 *
276 * getPrototype() crashes if called. setPrototype() throws a TypeError.
277 */
284 /* Non-standard but conceptual kin to {g,s}etPrototype, so these live here. */
296 /*
297 * These standard internal methods are implemented, as a convenience, so
298 * that ProxyHandler subclasses don't have to provide every single method.
299 *
300 * The base-class implementations work by calling getOwnPropertyDescriptor()
301 * and going up the [[Prototype]] chain if necessary. The algorithm for this
302 * follows what is defined for Ordinary Objects in the ES spec.
303 * They do not follow any standard. When in doubt, override them.
304 */
314 // Use the ProxyExpando object for private fields, rather than taking the
315 // normal get/set/defineField paths.
318 // For some exotic objects (WindowProxy, Location), we want to be able to
319 // throw rather than allow private fields on these objects.
320 //
321 // As a simplfying assumption, if throwOnPrivateFields returns true,
322 // we should also return true to useProxyExpandoObjectForPrivateFields.
325 /*
326 * [[Call]] and [[Construct]] are standard internal methods but according
327 * to the spec, they are not present on every object.
328 *
329 * SpiderMonkey never calls a proxy's call()/construct() internal method
330 * unless isCallable()/isConstructor() returns true for that proxy.
331 *
332 * BaseProxyHandler::isCallable()/isConstructor() always return false, and
333 * BaseProxyHandler::call()/construct() crash if called. So if you're
334 * creating a kind of that is never callable, you don't have to override
335 * anything, but otherwise you probably want to override all four.
336 */
342 /* SpiderMonkey extensions. */
367 // Allow proxies, wrappers in particular, to specify callability at runtime.
368 // Note: These do not take const JSObject*, but they do in spirit.
369 // We are not prepared to do this, as there's little const correctness
370 // in the external APIs that handle proxies.
379 };
385 }
389 // Proxy slot layout
390 // -----------------
391 //
392 // Every proxy has a ProxyValueArray that contains the following Values:
393 //
394 // - The expando slot. This is used to hold private fields should they be
395 // stamped into a non-forwarding proxy type.
396 // - The private slot.
397 // - The reserved slots. The number of slots is determined by the proxy's Class.
398 //
399 // Proxy objects store a pointer to the reserved slots (ProxyReservedSlots*).
400 // The ProxyValueArray and the private slot can be accessed using
401 // ProxyValueArray::fromReservedSlots or ProxyDataLayout::values.
402 //
403 // Storing a pointer to ProxyReservedSlots instead of ProxyValueArray has a
404 // number of advantages. In particular, it means JS::GetReservedSlot and
405 // JS::SetReservedSlot can be used with both proxies and native objects. This
406 // works because the ProxyReservedSlots* pointer is stored where native objects
407 // store their dynamic slots pointer.
416 }
421 }
422 }
426 };
431 ProxyReservedSlots reservedSlots;
437 }
443 }
446 }
451 }
454 }
458 };
460 /* static */
464 }
466 // All proxies share the same data layout. Following the object's shape and
467 // type, the proxy has a ProxyDataLayout structure with a pointer to an array
468 // of values and the proxy's handler. This is designed both so that proxies can
469 // be easily swapped with other objects (via RemapWrapper) and to mimic the
470 // layout of other objects (proxies and other objects have the same size) so
471 // that common code can access either type of object.
472 //
473 // See GetReservedOrProxyPrivateSlot below.
480 }
481 };
483 #ifdef JS_64BIT
485 #else
487 #endif
492 ProxyDataOffset);
493 }
499 }
509 // Trigger a barrier before writing the slot.
514 }
515 }
521 }
525 }
529 }
533 }
538 }
542 }
546 #ifdef DEBUG
549 }
550 #endif
553 }
556 #ifdef DEBUG
559 }
560 #endif
564 // Trigger a barrier before writing the slot.
569 }
570 }
574 }
578 /* protected constructor for subclass */
589 }
595 }
600 };
615 #ifdef JS_DEBUG
617 #endif
618 {
623 // We want to throw an exception if all of the following are true:
624 // * The policy disallowed access.
625 // * The policy set rv to false, indicating that we should throw.
626 // * The caller did not instruct us to ignore exceptions.
627 // * The policy did not throw itself.
630 }
631 }
638 }
641 // no-op constructor for subclass
643 #ifdef JS_DEBUG
646 #endif
647 {
648 }
653 #ifdef JS_DEBUG
657 Action enteredAction;
659 // NB: We explicitly don't track the entered action here, because sometimes
660 // set() methods do an implicit get() during their implementation, leading
661 // to spurious assertions.
664 Action act);
669 #else
671 }
673 #endif
676 // This operator needs to be deleted explicitly, otherwise Visual C++ will
677 // create it automatically when it is part of the export JS API. In that
678 // case, compile would fail because HandleId is not allowed to be assigned
679 // and consequently instantiation of assign operator of mozilla::Maybe
680 // would fail. See bug 1325351 comment 16. Copy constructor is removed at
681 // the same time for consistency.
684 };
686 #ifdef JS_DEBUG
693 }
694 };
695 #else
700 };
701 #endif
703 #ifdef JS_DEBUG
705 jsid id,
707 #else
710 #endif
721 // For now assert each Proxy Class has at least 1 reserved slot. This is
722 // not a hard requirement, but helps catch Classes that need an explicit
723 // JSCLASS_HAS_RESERVED_SLOTS since bug 1360523.
730 // ProxyValueArray must fit inline in the object, so assert the number of
731 // slots does not exceed MAX_FIXED_SLOTS.
735 // Proxies must not have the JSCLASS_SKIP_NURSERY_FINALIZE flag set: they
736 // always have finalizers, and whether they can be nursery allocated is
737 // controlled by the canNurseryAllocate() method on the proxy handler.
739 "Proxies must not use JSCLASS_SKIP_NURSERY_FINALIZE; use "
742 }
744 #define PROXY_CLASS_DEF_WITH_CLASS_SPEC(name, flags, classSpec) \
745 { \
746 name, \
747 JSClass::NON_NATIVE | JSCLASS_IS_PROXY | \
748 JSCLASS_DELAY_METADATA_BUILDER | js::CheckProxyFlags<flags>(), \
749 &js::ProxyClassOps, classSpec, &js::ProxyClassExtension, \
750 &js::ProxyObjectOps \
751 }
753 #define PROXY_CLASS_DEF(name, flags) \
754 PROXY_CLASS_DEF_WITH_CLASS_SPEC(name, flags, JS_NULL_CLASS_SPEC)
756 // Converts a proxy into a DeadObjectProxy that will throw exceptions on all
757 // access. This will run the proxy's finalizer to perform clean-up before the
758 // conversion happens.
761 // This is a variant of js::NukeNonCCWProxy() for CCWs. It should only be called
762 // on CCWs that have been removed from CCW tables.