search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bumping manifests a=b2g-bump
[gecko.git] / dom / base / ScriptSettings.cpp
blob9d87051ca26bfaec7c7dd0a91a3f97d5fae38ca7
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 // vim: ft=cpp tw=78 sw=2 et ts=2
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "mozilla/dom/ScriptSettings.h"
8 #include "mozilla/ThreadLocal.h"
9 #include "mozilla/Assertions.h"
10
11 #include "jsapi.h"
12 #include "xpcprivate.h" // For AutoCxPusher guts
13 #include "xpcpublic.h"
14 #include "nsIGlobalObject.h"
15 #include "nsIScriptGlobalObject.h"
16 #include "nsIScriptContext.h"
17 #include "nsContentUtils.h"
18 #include "nsGlobalWindow.h"
19 #include "nsPIDOMWindow.h"
20 #include "nsTArray.h"
21 #include "nsJSUtils.h"
22 #include "nsDOMJSUtils.h"
23 #include "WorkerPrivate.h"
24
25 namespace mozilla {
26 namespace dom {
27
28 static mozilla::ThreadLocal<ScriptSettingsStackEntry*> sScriptSettingsTLS;
29
30 class ScriptSettingsStack {
31 public:
32 static ScriptSettingsStackEntry* Top() {
33 return sScriptSettingsTLS.get();
34 }
35
36 static void Push(ScriptSettingsStackEntry *aEntry) {
37 MOZ_ASSERT(!aEntry->mOlder);
38 // Whenever JSAPI use is disabled, the next stack entry pushed must
39 // always be a candidate entry point.
40 MOZ_ASSERT_IF(!Top() || Top()->NoJSAPI(), aEntry->mIsCandidateEntryPoint);
41
42 aEntry->mOlder = Top();
43 sScriptSettingsTLS.set(aEntry);
44 }
45
46 static void Pop(ScriptSettingsStackEntry *aEntry) {
47 MOZ_ASSERT(aEntry == Top());
48 sScriptSettingsTLS.set(aEntry->mOlder);
49 }
50
51 static nsIGlobalObject* IncumbentGlobal() {
52 ScriptSettingsStackEntry *entry = Top();
53 return entry ? entry->mGlobalObject : nullptr;
54 }
55
56 static ScriptSettingsStackEntry* EntryPoint() {
57 ScriptSettingsStackEntry *entry = Top();
58 if (!entry) {
59 return nullptr;
60 }
61 while (entry) {
62 if (entry->mIsCandidateEntryPoint)
63 return entry;
64 entry = entry->mOlder;
65 }
66 MOZ_CRASH("Non-empty stack should always have an entry point");
67 }
68
69 static nsIGlobalObject* EntryGlobal() {
70 ScriptSettingsStackEntry *entry = EntryPoint();
71 return entry ? entry->mGlobalObject : nullptr;
72 }
73 };
74
75 void
76 InitScriptSettings()
77 {
78 if (!sScriptSettingsTLS.initialized()) {
79 bool success = sScriptSettingsTLS.init();
80 if (!success) {
81 MOZ_CRASH();
82 }
83 }
84
85 sScriptSettingsTLS.set(nullptr);
86 }
87
88 void DestroyScriptSettings()
89 {
90 MOZ_ASSERT(sScriptSettingsTLS.get() == nullptr);
91 }
92
93 ScriptSettingsStackEntry::ScriptSettingsStackEntry(nsIGlobalObject *aGlobal,
94 bool aCandidate)
95 : mGlobalObject(aGlobal)
96 , mIsCandidateEntryPoint(aCandidate)
97 , mOlder(nullptr)
98 {
99 MOZ_ASSERT(mGlobalObject);
100 MOZ_ASSERT(mGlobalObject->GetGlobalJSObject(),
101 "Must have an actual JS global for the duration on the stack");
102 MOZ_ASSERT(JS_IsGlobalObject(mGlobalObject->GetGlobalJSObject()),
103 "No outer windows allowed");
104
105 ScriptSettingsStack::Push(this);
106 }
107
108 // This constructor is only for use by AutoNoJSAPI.
109 ScriptSettingsStackEntry::ScriptSettingsStackEntry()
110 : mGlobalObject(nullptr)
111 , mIsCandidateEntryPoint(true)
112 , mOlder(nullptr)
113 {
114 ScriptSettingsStack::Push(this);
115 }
116
117 ScriptSettingsStackEntry::~ScriptSettingsStackEntry()
118 {
119 // We must have an actual JS global for the entire time this is on the stack.
120 MOZ_ASSERT_IF(mGlobalObject, mGlobalObject->GetGlobalJSObject());
121
122 ScriptSettingsStack::Pop(this);
123 }
124
125 // If the entry or incumbent global ends up being something that the subject
126 // principal doesn't subsume, we don't want to use it. This never happens on
127 // the web, but can happen with asymmetric privilege relationships (i.e.
128 // nsExpandedPrincipal and System Principal).
129 //
130 // The most correct thing to use instead would be the topmost global on the
131 // callstack whose principal is subsumed by the subject principal. But that's
132 // hard to compute, so we just substitute the global of the current
133 // compartment. In practice, this is fine.
134 //
135 // Note that in particular things like:
136 //
137 // |SpecialPowers.wrap(crossOriginWindow).eval(open())|
138 //
139 // trigger this case. Although both the entry global and the current global
140 // have normal principals, the use of Gecko-specific System-Principaled JS
141 // puts the code from two different origins on the callstack at once, which
142 // doesn't happen normally on the web.
143 static nsIGlobalObject*
144 ClampToSubject(nsIGlobalObject* aGlobalOrNull)
145 {
146 if (!aGlobalOrNull || !NS_IsMainThread()) {
147 return aGlobalOrNull;
148 }
149
150 nsIPrincipal* globalPrin = aGlobalOrNull->PrincipalOrNull();
151 NS_ENSURE_TRUE(globalPrin, GetCurrentGlobal());
152 if (!nsContentUtils::SubjectPrincipal()->SubsumesConsideringDomain(globalPrin)) {
153 return GetCurrentGlobal();
154 }
155
156 return aGlobalOrNull;
157 }
158
159 nsIGlobalObject*
160 GetEntryGlobal()
161 {
162 return ClampToSubject(ScriptSettingsStack::EntryGlobal());
163 }
164
165 nsIDocument*
166 GetEntryDocument()
167 {
168 nsCOMPtr<nsPIDOMWindow> entryWin = do_QueryInterface(GetEntryGlobal());
169 return entryWin ? entryWin->GetExtantDoc() : nullptr;
170 }
171
172 nsIGlobalObject*
173 GetIncumbentGlobal()
174 {
175 // We need the current JSContext in order to check the JS for
176 // scripted frames that may have appeared since anyone last
177 // manipulated the stack. If it's null, that means that there
178 // must be no entry global on the stack, and therefore no incumbent
179 // global either.
180 JSContext *cx = nsContentUtils::GetCurrentJSContextForThread();
181 if (!cx) {
182 MOZ_ASSERT(ScriptSettingsStack::EntryGlobal() == nullptr);
183 return nullptr;
184 }
185
186 // See what the JS engine has to say. If we've got a scripted caller
187 // override in place, the JS engine will lie to us and pretend that
188 // there's nothing on the JS stack, which will cause us to check the
189 // incumbent script stack below.
190 if (JSObject *global = JS::GetScriptedCallerGlobal(cx)) {
191 return ClampToSubject(xpc::GetNativeForGlobal(global));
192 }
193
194 // Ok, nothing from the JS engine. Let's use whatever's on the
195 // explicit stack.
196 return ClampToSubject(ScriptSettingsStack::IncumbentGlobal());
197 }
198
199 nsIGlobalObject*
200 GetCurrentGlobal()
201 {
202 JSContext *cx = nsContentUtils::GetCurrentJSContextForThread();
203 if (!cx) {
204 return nullptr;
205 }
206
207 JSObject *global = JS::CurrentGlobalOrNull(cx);
208 if (!global) {
209 return nullptr;
210 }
211
212 return xpc::GetNativeForGlobal(global);
213 }
214
215 nsIPrincipal*
216 GetWebIDLCallerPrincipal()
217 {
218 MOZ_ASSERT(NS_IsMainThread());
219 ScriptSettingsStackEntry *entry = ScriptSettingsStack::EntryPoint();
220
221 // If we have an entry point that is not NoJSAPI, we know it must be an
222 // AutoEntryScript.
223 if (!entry || entry->NoJSAPI()) {
224 return nullptr;
225 }
226 AutoEntryScript* aes = static_cast<AutoEntryScript*>(entry);
227
228 // We can't yet rely on the Script Settings Stack to properly determine the
229 // entry script, because there are still lots of places in the tree where we
230 // don't yet use an AutoEntryScript (bug 951991 tracks this work). In the
231 // mean time though, we can make some observations to hack around the
232 // problem:
233 //
234 // (1) All calls into JS-implemented WebIDL go through CallSetup, which goes
235 // through AutoEntryScript.
236 // (2) The top candidate entry point in the Script Settings Stack is the
237 // entry point if and only if no other JSContexts have been pushed on
238 // top of the push made by that entry's AutoEntryScript.
239 //
240 // Because of (1), all of the cases where we might return a non-null
241 // WebIDL Caller are guaranteed to have put an entry on the Script Settings
242 // Stack, so we can restrict our search to that. Moreover, (2) gives us a
243 // criterion to determine whether an entry in the Script Setting Stack means
244 // that we should return a non-null WebIDL Caller.
245 //
246 // Once we fix bug 951991, this can all be simplified.
247 if (!aes->CxPusherIsStackTop()) {
248 return nullptr;
249 }
250
251 return aes->mWebIDLCallerPrincipal;
252 }
253
254 static JSContext*
255 FindJSContext(nsIGlobalObject* aGlobalObject)
256 {
257 MOZ_ASSERT(NS_IsMainThread());
258 JSContext *cx = nullptr;
259 nsCOMPtr<nsIScriptGlobalObject> sgo = do_QueryInterface(aGlobalObject);
260 if (sgo && sgo->GetScriptContext()) {
261 cx = sgo->GetScriptContext()->GetNativeContext();
262 }
263 if (!cx) {
264 cx = nsContentUtils::GetSafeJSContext();
265 }
266 return cx;
267 }
268
269 AutoJSAPI::AutoJSAPI()
270 : mCx(nullptr)
271 {
272 }
273
274 void
275 AutoJSAPI::InitInternal(JSObject* aGlobal, JSContext* aCx, bool aIsMainThread)
276 {
277 MOZ_ASSERT(aCx);
278 mCx = aCx;
279 if (aIsMainThread) {
280 // This Rooted<> is necessary only as long as AutoCxPusher::AutoCxPusher
281 // can GC, which is only possible because XPCJSContextStack::Push calls
282 // nsIPrincipal.Equals. Once that is removed, the Rooted<> will no longer
283 // be necessary.
284 JS::Rooted<JSObject*> global(JS_GetRuntime(aCx), aGlobal);
285 mCxPusher.emplace(mCx);
286 mAutoNullableCompartment.emplace(mCx, global);
287 } else {
288 mAutoNullableCompartment.emplace(mCx, aGlobal);
289 }
290 }
291
292 AutoJSAPI::AutoJSAPI(nsIGlobalObject* aGlobalObject,
293 bool aIsMainThread,
294 JSContext* aCx)
295 {
296 MOZ_ASSERT(aGlobalObject);
297 MOZ_ASSERT(aGlobalObject->GetGlobalJSObject(), "Must have a JS global");
298 MOZ_ASSERT(aCx);
299 MOZ_ASSERT_IF(aIsMainThread, NS_IsMainThread());
300
301 InitInternal(aGlobalObject->GetGlobalJSObject(), aCx, aIsMainThread);
302 }
303
304 void
305 AutoJSAPI::Init()
306 {
307 MOZ_ASSERT(!mCx, "An AutoJSAPI should only be initialised once");
308
309 InitInternal(/* aGlobal */ nullptr,
310 nsContentUtils::GetDefaultJSContextForThread(),
311 NS_IsMainThread());
312 }
313
314 bool
315 AutoJSAPI::Init(nsIGlobalObject* aGlobalObject, JSContext* aCx)
316 {
317 MOZ_ASSERT(!mCx, "An AutoJSAPI should only be initialised once");
318 MOZ_ASSERT(aCx);
319
320 if (NS_WARN_IF(!aGlobalObject)) {
321 return false;
322 }
323
324 JSObject* global = aGlobalObject->GetGlobalJSObject();
325 if (NS_WARN_IF(!global)) {
326 return false;
327 }
328
329 InitInternal(global, aCx, NS_IsMainThread());
330 return true;
331 }
332
333 bool
334 AutoJSAPI::Init(nsIGlobalObject* aGlobalObject)
335 {
336 return Init(aGlobalObject, nsContentUtils::GetDefaultJSContextForThread());
337 }
338
339 bool
340 AutoJSAPI::InitWithLegacyErrorReporting(nsIGlobalObject* aGlobalObject)
341 {
342 MOZ_ASSERT(NS_IsMainThread());
343
344 return Init(aGlobalObject, FindJSContext(aGlobalObject));
345 }
346
347 bool
348 AutoJSAPI::Init(nsPIDOMWindow* aWindow, JSContext* aCx)
349 {
350 return Init(static_cast<nsGlobalWindow*>(aWindow), aCx);
351 }
352
353 bool
354 AutoJSAPI::Init(nsPIDOMWindow* aWindow)
355 {
356 return Init(static_cast<nsGlobalWindow*>(aWindow));
357 }
358
359 bool
360 AutoJSAPI::Init(nsGlobalWindow* aWindow, JSContext* aCx)
361 {
362 return Init(static_cast<nsIGlobalObject*>(aWindow), aCx);
363 }
364
365 bool
366 AutoJSAPI::Init(nsGlobalWindow* aWindow)
367 {
368 return Init(static_cast<nsIGlobalObject*>(aWindow));
369 }
370
371 bool
372 AutoJSAPI::InitWithLegacyErrorReporting(nsPIDOMWindow* aWindow)
373 {
374 return InitWithLegacyErrorReporting(static_cast<nsGlobalWindow*>(aWindow));
375 }
376
377 bool
378 AutoJSAPI::InitWithLegacyErrorReporting(nsGlobalWindow* aWindow)
379 {
380 return InitWithLegacyErrorReporting(static_cast<nsIGlobalObject*>(aWindow));
381 }
382
383 AutoEntryScript::AutoEntryScript(nsIGlobalObject* aGlobalObject,
384 bool aIsMainThread,
385 JSContext* aCx)
386 : AutoJSAPI(aGlobalObject, aIsMainThread,
387 aCx ? aCx : FindJSContext(aGlobalObject))
388 , ScriptSettingsStackEntry(aGlobalObject, /* aCandidate = */ true)
389 , mWebIDLCallerPrincipal(nullptr)
390 {
391 MOZ_ASSERT(aGlobalObject);
392 MOZ_ASSERT_IF(!aCx, aIsMainThread); // cx is mandatory off-main-thread.
393 MOZ_ASSERT_IF(aCx && aIsMainThread, aCx == FindJSContext(aGlobalObject));
394 }
395
396 AutoEntryScript::~AutoEntryScript()
397 {
398 // GC when we pop a script entry point. This is a useful heuristic that helps
399 // us out on certain (flawed) benchmarks like sunspider, because it lets us
400 // avoid GCing during the timing loop.
401 JS_MaybeGC(cx());
402 }
403
404 AutoIncumbentScript::AutoIncumbentScript(nsIGlobalObject* aGlobalObject)
405 : ScriptSettingsStackEntry(aGlobalObject, /* aCandidate = */ false)
406 , mCallerOverride(nsContentUtils::GetCurrentJSContextForThread())
407 {
408 }
409
410 AutoNoJSAPI::AutoNoJSAPI(bool aIsMainThread)
411 : ScriptSettingsStackEntry()
412 {
413 MOZ_ASSERT_IF(nsContentUtils::GetCurrentJSContextForThread(),
414 !JS_IsExceptionPending(nsContentUtils::GetCurrentJSContextForThread()));
415 if (aIsMainThread) {
416 mCxPusher.emplace(static_cast<JSContext*>(nullptr),
417 /* aAllowNull = */ true);
418 }
419 }
420
421 danger::AutoCxPusher::AutoCxPusher(JSContext* cx, bool allowNull)
422 {
423 MOZ_ASSERT_IF(!allowNull, cx);
424
425 // Hold a strong ref to the nsIScriptContext, if any. This ensures that we
426 // only destroy the mContext of an nsJSContext when it is not on the cx stack
427 // (and therefore not in use). See nsJSContext::DestroyJSContext().
428 if (cx)
429 mScx = GetScriptContextFromJSContext(cx);
430
431 XPCJSContextStack *stack = XPCJSRuntime::Get()->GetJSContextStack();
432 if (!stack->Push(cx)) {
433 MOZ_CRASH();
434 }
435 mStackDepthAfterPush = stack->Count();
436
437 #ifdef DEBUG
438 mPushedContext = cx;
439 mCompartmentDepthOnEntry = cx ? js::GetEnterCompartmentDepth(cx) : 0;
440 #endif
441
442 // Enter a request and a compartment for the duration that the cx is on the
443 // stack if non-null.
444 if (cx) {
445 mAutoRequest.emplace(cx);
446 }
447 }
448
449 danger::AutoCxPusher::~AutoCxPusher()
450 {
451 // Leave the request before popping.
452 mAutoRequest.reset();
453
454 // When we push a context, we may save the frame chain and pretend like we
455 // haven't entered any compartment. This gets restored on Pop(), but we can
456 // run into trouble if a Push/Pop are interleaved with a
457 // JSAutoEnterCompartment. Make sure the compartment depth right before we
458 // pop is the same as it was right after we pushed.
459 MOZ_ASSERT_IF(mPushedContext, mCompartmentDepthOnEntry ==
460 js::GetEnterCompartmentDepth(mPushedContext));
461 DebugOnly<JSContext*> stackTop;
462 MOZ_ASSERT(mPushedContext == nsXPConnect::XPConnect()->GetCurrentJSContext());
463 XPCJSRuntime::Get()->GetJSContextStack()->Pop();
464 mScx = nullptr;
465 }
466
467 bool
468 danger::AutoCxPusher::IsStackTop() const
469 {
470 uint32_t currentDepth = XPCJSRuntime::Get()->GetJSContextStack()->Count();
471 MOZ_ASSERT(currentDepth >= mStackDepthAfterPush);
472 return currentDepth == mStackDepthAfterPush;
473 }
474
475 } // namespace dom
476
477 AutoJSContext::AutoJSContext(MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM_IN_IMPL)
478 : mCx(nullptr)
479 {
480 Init(false MOZ_GUARD_OBJECT_NOTIFIER_PARAM_TO_PARENT);
481 }
482
483 AutoJSContext::AutoJSContext(bool aSafe MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL)
484 : mCx(nullptr)
485 {
486 Init(aSafe MOZ_GUARD_OBJECT_NOTIFIER_PARAM_TO_PARENT);
487 }
488
489 void
490 AutoJSContext::Init(bool aSafe MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL)
491 {
492 JS::AutoSuppressGCAnalysis nogc;
493 MOZ_ASSERT(!mCx, "mCx should not be initialized!");
494
495 MOZ_GUARD_OBJECT_NOTIFIER_INIT;
496
497 nsXPConnect *xpc = nsXPConnect::XPConnect();
498 if (!aSafe) {
499 mCx = xpc->GetCurrentJSContext();
500 }
501
502 if (!mCx) {
503 mJSAPI.Init();
504 mCx = mJSAPI.cx();
505 }
506 }
507
508 AutoJSContext::operator JSContext*() const
509 {
510 return mCx;
511 }
512
513 ThreadsafeAutoJSContext::ThreadsafeAutoJSContext(MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM_IN_IMPL)
514 {
515 MOZ_GUARD_OBJECT_NOTIFIER_INIT;
516
517 if (NS_IsMainThread()) {
518 mCx = nullptr;
519 mAutoJSContext.emplace();
520 } else {
521 mCx = mozilla::dom::workers::GetCurrentThreadJSContext();
522 mRequest.emplace(mCx);
523 }
524 }
525
526 ThreadsafeAutoJSContext::operator JSContext*() const
527 {
528 if (mCx) {
529 return mCx;
530 } else {
531 return *mAutoJSContext;
532 }
533 }
534
535 AutoSafeJSContext::AutoSafeJSContext(MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM_IN_IMPL)
536 : AutoJSContext(true MOZ_GUARD_OBJECT_NOTIFIER_PARAM_TO_PARENT)
537 , mAc(mCx, xpc::UnprivilegedJunkScope())
538 {
539 }
540
541 ThreadsafeAutoSafeJSContext::ThreadsafeAutoSafeJSContext(MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM_IN_IMPL)
542 {
543 MOZ_GUARD_OBJECT_NOTIFIER_INIT;
544
545 if (NS_IsMainThread()) {
546 mCx = nullptr;
547 mAutoSafeJSContext.emplace();
548 } else {
549 mCx = mozilla::dom::workers::GetCurrentThreadJSContext();
550 mRequest.emplace(mCx);
551 }
552 }
553
554 ThreadsafeAutoSafeJSContext::operator JSContext*() const
555 {
556 if (mCx) {
557 return mCx;
558 } else {
559 return *mAutoSafeJSContext;
560 }
561 }
562
563 } // namespace mozilla