| blob | 2956e95345edda0e5c89eb6136a4fe13e6fc18aa |
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set sw=4 ts=8 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS bytecode descriptors, disassemblers, and decompilers.
43 */
44 #ifdef HAVE_MEMORY_H
45 #include <memory.h>
46 #endif
47 #include <stdarg.h>
48 #include <stdio.h>
49 #include <stdlib.h>
50 #include <string.h>
84 /*
85 * Index limit must stay within 32 bits.
86 */
89 /* Verify JSOP_XXX_LENGTH constant definitions. */
90 #define OPDEF(op,val,name,token,length,nuses,ndefs,prec,format) \
91 JS_STATIC_ASSERT(op##_LENGTH == length);
93 #undef OPDEF
99 #define OPDEF(op,val,name,token,length,nuses,ndefs,prec,format) \
100 {length,nuses,ndefs,prec,format},
102 #undef OPDEF
103 };
107 /*
108 * Each element of the array is either a source literal associated with JS
109 * bytecode or null.
110 */
112 #define OPDEF(op,val,name,token,length,nuses,ndefs,prec,format) \
113 token,
115 #undef OPDEF
116 };
118 #if defined(DEBUG) || defined(JS_JIT_SPEW)
119 /*
120 * Array of JS bytecode names used by DEBUG-only js_Disassemble and by
121 * JIT debug spew.
122 */
124 #define OPDEF(op,val,name,token,length,nuses,ndefs,prec,format) \
125 name,
127 #undef OPDEF
128 };
129 #endif
131 /************************************************************************/
133 static ptrdiff_t
135 {
136 uint32 type;
142 }
144 uintN
147 {
148 JSOp op;
154 /*
155 * We need to detect index base prefix. It presents when resetbase
156 * follows the bytecode.
157 */
166 }
167 }
169 }
171 uintN
173 {
174 JSOp op;
186 do_table:
187 /* Structure: default-jump case-low case-high case1-jump ... */
201 do_lookup:
202 /* Structure: default-jump case-count (case1-value case1-jump) ... */
206 }
207 }
209 uintN
211 {
226 /* stack: fun, this, [argc arguments] */
231 }
232 }
234 uintN
236 {
242 }
244 #ifdef DEBUG
248 {
250 uintN len;
263 }
265 }
267 JSBool
269 {
271 }
275 {
283 sprop;
291 }
301 }
309 }
316 }
317 }
320 }
325 {
326 JSOp op;
329 uint32 type;
331 uintN index;
333 jsval v;
335 jsint i;
345 }
358 }
377 else
380 }
390 /* FALL THROUGH */
398 {
416 }
419 }
423 {
425 jsatomid npairs;
445 npairs--;
446 }
449 }
469 }
492 print_int:
502 }
503 }
506 }
510 /************************************************************************/
512 /*
513 * Sprintf, but with unlimited and automatically allocated buffering.
514 */
523 #define INIT_SPRINTER(cx, sp, ap, off) \
524 ((sp)->context = cx, (sp)->pool = ap, (sp)->base = NULL, (sp)->size = 0, \
525 (sp)->offset = off)
527 #define OFF2STR(sp,off) ((sp)->base + (off))
528 #define STR2OFF(sp,str) ((str) - (sp)->base)
529 #define RETRACT(sp,str) ((sp)->offset = STR2OFF(sp, str))
531 static JSBool
533 {
545 }
549 }
553 }
555 static ptrdiff_t
557 {
561 /* Allocate space for s, including the '\0' at the end. */
568 }
570 /* Advance offset and copy s into sp's buffer. */
577 }
579 static ptrdiff_t
581 {
583 }
585 static ptrdiff_t
587 {
606 }
609 static ptrdiff_t
611 {
622 }
626 }
639 };
641 #define DONT_ESCAPE 0x10000
645 {
653 /* Sample off first for later return value pointer computation. */
660 /* Loop control variables: z points at end of string sentinel. */
663 /* Move t forward from s past un-quote-worthy characters. */
670 }
673 /* Allocate space for s, including the '\0' at the end. */
677 /* Advance sp->offset and copy s into sp's buffer. */
687 /* Use js_EscapeMap, \u, or \x only if necessary. */
689 ok = dontEscape
694 }
697 }
699 /* Sprint the closing quote and return the quoted string. */
703 /*
704 * If we haven't Sprint'd anything yet, Sprint an empty string so that
705 * the OFF2STR below gives a valid result.
706 */
710 }
712 JSString *
714 {
716 Sprinter sprinter;
726 }
728 /************************************************************************/
742 };
744 JSPrinter *
747 {
769 }
770 }
772 }
774 void
776 {
779 }
781 JSString *
783 {
796 }
798 /*
799 * NB: Indexed by SRC_DECL_* defines from jsemit.h.
800 */
805 {
810 }
812 }
814 int
816 {
826 /* If pretty-printing, expand magic tab into a run of jp->indent spaces. */
828 format++;
832 }
833 }
835 /* Suppress newlines (must be once per format, at the end) if not pretty. */
842 }
845 }
847 /* Allocate temp space, convert format, and put. */
852 }
857 }
866 }
868 JSBool
870 {
872 }
874 /************************************************************************/
886 /*
887 * Find the depth of the operand stack when the interpreter reaches the given
888 * pc in script. pcstack must have space for least script->depth elements. On
889 * return it will contain pointers to opcodes that populated the interpreter's
890 * current operand stack.
891 *
892 * This function cannot raise an exception or error. However, due to a risk of
893 * potential bugs when modeling the stack, the function returns -1 if it
894 * detects an inconsistency in the model. Such an inconsistency triggers an
895 * assert in a debug build.
896 */
897 static intN
901 #define FAILED_EXPRESSION_DECOMPILER ((char *) 1)
903 /*
904 * Decompile a part of expression up to the given pc. The function returns
905 * NULL on out-of-memory, or the FAILED_EXPRESSION_DECOMPILER sentinel when
906 * the decompiler fails due to a bug and/or unimplemented feature, or the
907 * decompiled string on success.
908 */
913 /*
914 * Get a stacked offset from ss->sprinter.base, or if the stacked value |off|
915 * is negative, fetch the generating pc from printer->pcstack[-2 - off] and
916 * decompile the code that generated the missing value. This is used when
917 * reporting errors, where the model stack will lack |pcdepth| non-negative
918 * offsets (see DecompileExpression and DecompileCode).
919 *
920 * If the stacked offset is -1, return 0 to index the NUL padding at the start
921 * of ss->sprinter.base. If this happens, it means there is a decompiler bug
922 * to fix, but it won't violate memory safety.
923 */
924 static ptrdiff_t
926 {
950 }
954 }
955 }
957 }
961 {
964 /*
965 * Must call GetOff before using ss->sprinter.base, since it may be null
966 * until bootstrapped by GetOff.
967 */
970 }
972 /*
973 * Gap between stacked strings to allow for insertion of parens and commas
974 * when auto-parenthesizing expressions and decompiling array initialisers
975 * (see the JSOP_NEWARRAY case in Decompile).
976 */
977 #define PAREN_SLOP (2 + 1)
979 /*
980 * These pseudo-ops help js_DecompileValueGenerator decompile JSOP_SETNAME,
981 * JSOP_SETPROP, and JSOP_SETELEM, respectively. They are never stored in
982 * bytecode, so they don't preempt valid opcodes.
983 */
984 #define JSOP_GETPROP2 JSOP_LIMIT
985 #define JSOP_GETELEM2 JSOP_LIMIT + 1
988 static void
990 {
993 }
995 static JSBool
997 {
998 uintN top;
1003 /* ss->top points to the next free slot; be paranoid about overflow. */
1009 }
1011 /* The opcodes stack must contain real bytecodes that index js_CodeSpec. */
1019 }
1021 static ptrdiff_t
1023 {
1024 uintN top;
1028 /* ss->top points to the next free slot; be paranoid about underflow. */
1042 }
1044 }
1048 {
1053 }
1055 static ptrdiff_t
1057 {
1059 }
1063 {
1065 }
1068 jsval key;
1074 static JSBool
1076 {
1086 }
1088 static ptrdiff_t
1090 {
1091 jsdouble d;
1101 /* Don't use Infinity and NaN, they're mutable. */
1115 }
1121 }
1123 }
1128 static JSBool
1132 {
1137 uintN i;
1138 jsval key;
1144 /* JSOP_CONDSWITCH doesn't pop, unlike JSOP_{LOOKUP,TABLE}SWITCH. */
1159 }
1171 /*
1172 * key encodes the JSOP_CASE bytecode's offset from switchtop.
1173 * The next case expression follows immediately, unless we are
1174 * at the last case.
1175 */
1182 }
1185 /* Balance the stack as if this JSOP_CASE matched. */
1188 /*
1189 * key comes from an atom, not the decompiler, so we need to
1190 * quote it if it's a string literal. But if table[i].label
1191 * is non-null, key was constant-propagated and label is the
1192 * name of the const we should show as the case label. We set
1193 * key to undefined so this identifier is escaped, if required
1194 * by non-ASCII characters, but not quoted, by QuoteString.
1195 */
1201 JSOp junk;
1209 }
1217 }
1221 }
1230 }
1234 }
1239 /* Re-balance as if last JSOP_CASE or JSOP_DEFAULT mismatched. */
1242 }
1243 }
1249 }
1252 /* By the end of a JSOP_CONDSWITCH, the discriminant has been popped. */
1256 }
1258 #define LOCAL_ASSERT_CUSTOM(expr, BAD_EXIT) \
1259 JS_BEGIN_MACRO \
1260 JS_ASSERT(expr); \
1261 if (!(expr)) { BAD_EXIT; } \
1262 JS_END_MACRO
1264 #define LOCAL_ASSERT_RV(expr, rv) \
1265 LOCAL_ASSERT_CUSTOM(expr, return (rv))
1269 {
1275 #if !JS_HAS_DESTRUCTURING
1277 #endif
1279 }
1283 {
1300 /*
1301 * We must be called from js_DecompileValueGenerator (via Decompile) when
1302 * dereferencing a local that's undefined or null. Search script->objects
1303 * for the block containing this local by its stack index, i.
1304 *
1305 * In case of destructuring's use of JSOP_GETLOCAL, however, there may be
1306 * no such local. This could mean no blocks (no script objects at all, or
1307 * none of the script's object literals are blocks), or the stack slot i is
1308 * not in a block. In either case, return GetStr(ss, i).
1309 */
1323 }
1324 }
1330 }
1340 #undef LOCAL_ASSERT
1341 }
1343 static JSBool
1345 {
1346 uintN slot;
1350 /* The slot refers to a variable with name stored in jp->localNames. */
1353 }
1355 /* We have a local which index is relative to the stack base. */
1360 }
1362 #define LOAD_ATOM(PCOFF) \
1363 GET_ATOM_FROM_BYTECODE(jp->script, pc, PCOFF, atom)
1365 #if JS_HAS_DESTRUCTURING
1367 #define LOCAL_ASSERT(expr) LOCAL_ASSERT_RV(expr, NULL)
1368 #define LOAD_OP_DATA(pc) (oplen = (cs = &js_CodeSpec[op=(JSOp)*pc])->length)
1376 {
1379 JSOp op;
1381 uintN oplen;
1382 jsint i;
1416 /* FALL THROUGH */
1431 }
1444 }
1448 /*
1449 * We may need to auto-parenthesize the left-most value decompiled
1450 * here, so add back PAREN_SLOP temporarily. Then decompile until the
1451 * opcode that would reduce the stack depth to (ss->top-1), which we
1452 * pass to Decompile encoded as -(ss->top-1) - 1 or just -ss->top for
1453 * the nb parameter.
1454 */
1468 /* lval is from JSOP_BINDNAME, so just print xval. */
1471 /* xval is from JSOP_SETCALL or JSOP_BINDXMLNAME, print lval. */
1479 }
1481 }
1489 }
1491 /*
1492 * Starting with a SRC_DESTRUCT-annotated JSOP_DUP, decompile a destructuring
1493 * left-hand side object or array initialiser, including nested destructuring
1494 * initialisers. On successful return, the decompilation will be pushed on ss
1495 * and the return value will point to the POP or GROUP bytecode following the
1496 * destructuring expression.
1497 *
1498 * At any point, if pc is equal to endpc and would otherwise advance, we stop
1499 * immediately and return endpc.
1500 */
1503 {
1509 uintN oplen;
1511 jsdouble d;
1516 JSBool hole;
1521 /*
1522 * Set head so we can rewrite '[' to '{' as needed. Back up PAREN_SLOP
1523 * chars so the destructuring decompilation accumulates contiguously in
1524 * ss->sprinter starting with "[".
1525 */
1538 #if JS_HAS_DESTRUCTURING_SHORTHAND
1540 #endif
1550 /* Handle the optimized number-pushing opcodes. */
1564 do_getelem:
1572 /* Distinguish object from array by opcode or source note. */
1578 /* Sanity check for the gnarly control flow above. */
1581 /* Fill in any holes (holes at the end don't matter). */
1585 }
1586 }
1596 do_destructure_atom:
1599 #if JS_HAS_DESTRUCTURING_SHORTHAND
1601 #endif
1605 }
1612 }
1618 /*
1619 * Decompile the left-hand side expression whose bytecode starts at pc
1620 * and continues for a bounded number of bytecodes or stack operations
1621 * (and which in any event stops before endpc).
1622 */
1627 #if JS_HAS_DESTRUCTURING_SHORTHAND
1636 /* Early check to rule out odd "name: lval" length. */
1641 /*
1642 * Even "name: lval" string length: check for "x: x" and the
1643 * like, and apply the shorthand if we can.
1644 */
1652 }
1653 }
1654 }
1655 #endif
1660 /*
1661 * We should stop if JSOP_DUP is either without notes or its note is
1662 * not SRC_CONTINUE. The former happens when JSOP_DUP duplicates the
1663 * last destructuring reference implementing an op= assignment like in
1664 * '([t] = z).y += x'. In the latter case the note is SRC_DESTRUCT and
1665 * means another destructuring initialiser abuts this one like in
1666 * '[a] = [b] = c'.
1667 */
1674 }
1680 }
1682 out:
1687 }
1692 {
1693 JSOp op;
1697 JSBool hole;
1722 }
1736 }
1737 }
1745 }
1747 #undef LOCAL_ASSERT
1748 #undef LOAD_OP_DATA
1752 static JSBool
1754 {
1760 /* Allocate the parallel (to avoid padding) offset and opcode stacks. */
1767 }
1775 }
1777 /*
1778 * If nb is non-negative, decompile nb bytecodes starting at pc. Otherwise
1779 * the decompiler starts at pc and continues until it reaches an opcode for
1780 * which decompiling would result in the stack depth equaling -(nb + 1).
1781 *
1782 * The nextop parameter is either JSOP_NOP or the "next" opcode in order of
1783 * abstract interpretation (not necessarily physically next in a bytecode
1784 * vector). So nextop is JSOP_POP for the last operand in a comma expression,
1785 * or JSOP_AND for the right operand of &&.
1786 */
1789 {
1798 uintN nuses;
1805 JSBool ok;
1806 #if JS_HAS_XML_SUPPORT
1808 #else
1809 #define inXML JS_FALSE
1810 #endif
1811 jsval val;
1826 /* Argument and variables decompilation uses the following to share code. */
1829 /*
1830 * Local macros
1831 */
1832 #define LOCAL_ASSERT(expr) LOCAL_ASSERT_RV(expr, NULL)
1833 #define DECOMPILE_CODE(pc,nb) if (!Decompile(ss, pc, nb, JSOP_NOP)) return NULL
1834 #define NEXT_OP(pc) (((pc) + (len) == endpc) ? nextop : pc[len])
1835 #define TOP_STR() GetStr(ss, ss->top - 1)
1836 #define POP_STR() PopStr(ss, op)
1837 #define POP_STR_PREC(prec) PopStrPrec(ss, prec)
1839 /*
1840 * Pop a condition expression for if/while. JSOP_IFEQ's precedence forces
1841 * extra parens around assignment, which avoids a strict-mode warning.
1842 */
1843 #define POP_COND_STR() \
1844 PopStr(ss, (js_CodeSpec[ss->opcodes[ss->top - 1]].format & JOF_SET) \
1845 ? JSOP_IFEQ \
1846 : JSOP_NOP)
1848 /*
1849 * Callers know that ATOM_IS_STRING(atom), and we leave it to the optimizer to
1850 * common ATOM_TO_STRING(atom) here and near the call sites.
1851 */
1852 #define ATOM_IS_IDENTIFIER(atom) js_IsIdentifier(ATOM_TO_STRING(atom))
1853 #define ATOM_IS_KEYWORD(atom) \
1854 (js_CheckKeyword(ATOM_TO_STRING(atom)->chars(), \
1855 ATOM_TO_STRING(atom)->length()) != TOK_EOF)
1857 /*
1858 * Given an atom already fetched from jp->script's atom map, quote/escape its
1859 * string appropriately into rval, and select fmt from the quoted and unquoted
1860 * alternatives.
1861 */
1862 #define GET_QUOTE_AND_FMT(qfmt, ufmt, rval) \
1863 JS_BEGIN_MACRO \
1864 jschar quote_; \
1865 if (!ATOM_IS_IDENTIFIER(atom)) { \
1867 fmt = qfmt; \
1868 } else { \
1869 quote_ = 0; \
1870 fmt = ufmt; \
1871 } \
1872 rval = QuoteString(&ss->sprinter, ATOM_TO_STRING(atom), quote_); \
1873 if (!rval) \
1874 return NULL; \
1875 JS_END_MACRO
1877 #define LOAD_OBJECT(PCOFF) \
1878 GET_OBJECT_FROM_BYTECODE(jp->script, pc, PCOFF, obj)
1880 #define LOAD_FUNCTION(PCOFF) \
1881 GET_FUNCTION_FROM_BYTECODE(jp->script, pc, PCOFF, fun)
1883 #define LOAD_REGEXP(PCOFF) \
1884 GET_REGEXP_FROM_BYTECODE(jp->script, pc, PCOFF, obj)
1886 #define GET_SOURCE_NOTE_ATOM(sn, atom) \
1887 JS_BEGIN_MACRO \
1888 jsatomid atomIndex_ = (jsatomid) js_GetSrcNoteOffset((sn), 0); \
1889 \
1890 LOCAL_ASSERT(atomIndex_ < jp->script->atomMap.length); \
1891 (atom) = jp->script->atomMap.vector[atomIndex_]; \
1892 JS_END_MACRO
1894 /*
1895 * Get atom from jp->script's atom map, quote/escape its string appropriately
1896 * into rval, and select fmt from the quoted and unquoted alternatives.
1897 */
1898 #define GET_ATOM_QUOTE_AND_FMT(qfmt, ufmt, rval) \
1899 JS_BEGIN_MACRO \
1900 LOAD_ATOM(0); \
1901 GET_QUOTE_AND_FMT(qfmt, ufmt, rval); \
1902 JS_END_MACRO
1904 /*
1905 * Per spec, new x(y).z means (new x(y))).z. For example new (x(y).z) must
1906 * decompile with the constructor parenthesized, but new x.z should not. The
1907 * normal rules give x(y).z and x.z identical precedence: both are produced by
1908 * JSOP_GETPROP.
1909 *
1910 * Therefore, we need to know in case JSOP_NEW whether the constructor
1911 * expression contains any unparenthesized function calls. So when building a
1912 * MemberExpression or CallExpression, we set ss->opcodes[n] to JSOP_CALL if
1913 * this is true. x(y).z gets JSOP_CALL, not JSOP_GETPROP.
1914 */
1915 #define PROPAGATE_CALLNESS() \
1916 JS_BEGIN_MACRO \
1917 if (ss->opcodes[ss->top - 1] == JSOP_CALL || \
1918 ss->opcodes[ss->top - 1] == JSOP_EVAL || \
1919 ss->opcodes[ss->top - 1] == JSOP_APPLY) { \
1920 saveop = JSOP_CALL; \
1921 } \
1922 JS_END_MACRO
1935 #if JS_HAS_XML_SUPPORT
1937 #endif
1940 /*
1941 * Move saveop to lastop so prefixed bytecodes can take special action
1942 * while sharing maximal code. Set op and saveop to the new bytecode,
1943 * use op in POP_STR to trigger automatic parenthesization, but push
1944 * saveop at the bottom of the loop if this op pushes. Thus op may be
1945 * set to nop or otherwise mutated to suppress auto-parens.
1946 */
1951 /*
1952 * The decompiler uses js_GetIndexFromBytecode to get atoms and
1953 * objects and ignores these suffix/prefix bytecodes, thus
1954 * simplifying code that must process JSOP_GETTER/JSOP_SETTER
1955 * prefixes.
1956 */
1962 }
1967 /*
1968 * Here it is possible that nuses > ss->top when the op has a hidden
1969 * source note. But when nb < 0 we assume that the caller knows that
1970 * Decompile would never meet such opcodes.
1971 */
1977 }
1979 /*
1980 * Save source literal associated with JS now before the following
1981 * rewrite changes op. See bug 380197.
1982 */
1989 /*
1990 * Rewrite non-get ops to their "get" format if the error is in
1991 * the bytecode at pc, so we don't decompile more than the error
1992 * expression.
1993 */
2001 /*
2002 * JOF_NAME does not imply JOF_ATOM, so we must check for
2003 * the QARG and QVAR format types, and translate those to
2004 * JSOP_GETARG or JSOP_GETLOCAL appropriately, instead of
2005 * to JSOP_NAME.
2006 */
2009 ? JSOP_GETARG
2011 ? JSOP_GETLOCAL
2019 /*
2020 * We must replace the faulting pc's bytecode with a
2021 * corresponding JSOP_GET* code. For JSOP_SET{PROP,ELEM},
2022 * we must use the "2nd" form of JSOP_GET{PROP,ELEM}, to
2023 * throw away the assignment op's right-hand operand and
2024 * decompile it as if it were a GET of its left-hand
2025 * operand.
2026 */
2029 ? JSOP_GETPROP2
2033 ? JSOP_GETELEM2
2036 /*
2037 * Unknown mode (including mode 0) means that op is
2038 * uncategorized for our purposes, so we must write
2039 * per-op special case code here.
2040 */
2050 /*
2051 * NB: JSOP_GETTHISPROP can't fail due to |this|
2052 * being null or undefined at runtime (beware that
2053 * this may change for ES4). Therefore any error
2054 * resulting from this op must be due to the value
2055 * of the property accessed via |this|, so do not
2056 * rewrite op to JSOP_THIS.
2057 *
2058 * The next two cases should not change op if
2059 * js_DecompileValueGenerator was called from the
2060 * the property getter. They should rewrite only
2061 * if the base object in the arg/var/local is null
2062 * or undefined. FIXME: bug 431569.
2063 */
2073 }
2074 }
2075 }
2076 }
2088 }
2089 }
2094 }
2101 /*
2102 * Avoid over-parenthesizing y in x op= y based on its
2103 * expansion: x = x op y (replace y by z = w to see the
2104 * problem).
2105 */
2109 /* Print only the right operand of the assignment-op. */
2118 /* In XML, just concatenate the two operands. */
2123 }
2138 }
2142 /*
2143 * Check for a do-while loop, a for-loop with an empty
2144 * initializer part, a labeled statement, a function
2145 * definition, or try/finally.
2146 */
2168 do_forloop:
2171 /* Skip the JSOP_NOP or JSOP_POP bytecode. */
2174 /* Get the cond, next, and loop-closing tail offsets. */
2179 /*
2180 * If this loop has a condition, then pc points at a goto
2181 * targeting the condition.
2182 */
2187 }
2190 /* Print the keyword and the possibly empty init-part. */
2194 /* Decompile the loop condition. */
2197 }
2199 /* Need a semicolon whether or not there was a cond. */
2203 /*
2204 * Decompile the loop updater. It may end in a JSOP_POP
2205 * that we skip; or in a JSOP_POPN that we do not skip,
2206 * followed by a JSOP_NOP (skipped as if it's a POP).
2207 * We cope with the difference between these two cases
2208 * by checking for stack imbalance and popping if there
2209 * is an rval.
2210 */
2219 }
2221 /* Do the loop body. */
2229 /* Set len so pc skips over the entire loop. */
2261 do_function:
2287 }
2291 #if JS_HAS_DESTRUCTURING
2300 }
2301 #endif
2302 /* FALL THROUGH */
2319 /*
2320 * We push push the pair of exception/restsub cookies to
2321 * simulate the effects [gosub] or control transfer during
2322 * exception capturing on the stack.
2323 */
2340 /*
2341 * JSOP_GOSUB and GOSUBX have no effect on the decompiler's
2342 * string stack because the next op in bytecode order finds
2343 * the stack balanced by a JSOP_RETSUB executed elsewhere.
2344 */
2349 {
2352 /*
2353 * The compiler models operand stack depth and fixes the stack
2354 * pointer on entry to a catch clause based on its depth model.
2355 * The decompiler must match the code generator's model, which
2356 * is why JSOP_FINALLY pushes a cookie that JSOP_RETSUB pops.
2357 */
2366 #if JS_HAS_DESTRUCTURING
2379 }
2380 }
2384 /*
2385 * If this is an empty group assignment, we have no stack
2386 * budget into which we can push our result string. Adjust
2387 * ss->sprinter.offset so that our consumer can find the
2388 * empty group assignment decompilation.
2389 */
2393 /*
2394 * Kill newtop before the end_groupassignment: label by
2395 * retracting/popping early. Control will either jump
2396 * to do_forloop: or do_letheadbody: or else break from
2397 * our case JSOP_POPN: after the switch (*pc2) below.
2398 */
2402 }
2404 end_groupassignment:
2407 /*
2408 * Thread directly to the next opcode if we can, to handle
2409 * the special cases of a group assignment in the first or
2410 * last part of a for(;;) loop head, or in a let block or
2411 * expression head.
2412 *
2413 * NB: todo at this point indexes space in ss->sprinter
2414 * that is liable to be overwritten. The code below knows
2415 * exactly how long rval lives, or else copies it down via
2416 * SprintCString.
2417 */
2428 }
2432 /*
2433 * This must be an empty destructuring
2434 * in the head of a let whose body block
2435 * is also empty.
2436 */
2443 }
2450 }
2452 /*
2453 * An unnannotated NOP following a POPN must be the
2454 * third part of for(;;) loop head. If the POPN's
2455 * immediate operand is 0, then we may have no slot
2456 * on the sprint-stack in which to push our result
2457 * string. In this case the result can be recovered
2458 * at ss->sprinter.base + ss->sprinter.offset.
2459 */
2464 }
2465 }
2467 /*
2468 * If control flow reaches this point with todo still -2,
2469 * just print rval as an expression statement.
2470 */
2474 }
2475 #endif
2479 }
2481 }
2484 /* The catch decompiler handles this op itself. */
2489 /*
2490 * By default, do not automatically parenthesize when popping
2491 * a stacked expression decompilation. We auto-parenthesize
2492 * only when JSOP_POP is annotated with SRC_PCDELTA, meaning
2493 * comma operator.
2494 */
2496 /* FALL THROUGH */
2502 /* Force parens around 'in' expression at 'for' front. */
2510 /* Comma operator: use JSOP_POP for correct precedence. */
2513 /* Pop and save to avoid blowing stack depth budget. */
2518 /*
2519 * The offset tells distance to the end of the right-hand
2520 * operand of the comma operator.
2521 */
2529 }
2531 /* Pop Decompile result and print comma expression. */
2538 /* Hide this pop, it's from a goto in a with or for/in. */
2543 /* This pop is at the end of the let block/expr head. */
2545 #if JS_HAS_DESTRUCTURING
2546 do_letheadbody:
2547 #endif
2563 /* Set saveop to reflect what we will push. */
2568 }
2576 }
2580 /* Turn off parens around a yield statement. */
2586 /*
2587 * Don't emit decompiler-pushed strings that are not
2588 * handled by other opcodes. They are pushed onto the
2589 * stack to help model the interpreter stack and should
2590 * not appear in the decompiler's output.
2591 */
2599 rval);
2603 }
2606 }
2630 {
2642 }
2645 #define LOCAL_ASSERT_OUT(expr) LOCAL_ASSERT_CUSTOM(expr, ok = JS_FALSE; \
2646 goto enterblock_out)
2653 }
2662 }
2663 }
2667 #if JS_HAS_BLOCK_SCOPE
2679 #endif
2693 }
2698 /*
2699 * This is a dup to save the exception for later.
2700 * It is emitted only when the catch head contains
2701 * an exception guard.
2702 */
2710 }
2711 }
2712 }
2714 #if JS_HAS_DESTRUCTURING
2720 }
2726 #endif
2735 }
2736 #if JS_HAS_DESTRUCTURING
2737 }
2738 #endif
2740 /*
2741 * Pop the exception_cookie (or its dup in the case of a
2742 * guarded catch head) off the stack now.
2743 */
2759 }
2767 }
2771 #undef LOCAL_ASSERT_OUT
2772 enterblock_out:
2777 }
2782 {
2795 /*
2796 * This JSOP_LEAVEBLOCK must be for a catch block. If sn's
2797 * offset does not equal the model stack depth, there must
2798 * be a copy of the exception value on the stack due to a
2799 * catch guard (see above, the JSOP_ENTERBLOCK + SRC_CATCH
2800 * case code).
2801 */
2808 }
2809 }
2819 }
2827 {
2831 }
2841 #ifdef DEBUG
2842 /*
2843 * We must be in an eval called from jp->fun, where
2844 * jp->script is the eval-compiled script.
2845 *
2846 * However, it's possible that a js_Invoke already
2847 * pushed a frame trying to call js_Construct on an
2848 * object that's not a constructor, causing us to be
2849 * called with an intervening frame on the stack.
2850 */
2860 }
2861 #endif
2864 }
2867 }
2875 }
2879 #if JS_HAS_DESTRUCTURING
2881 /*
2882 * Distinguish a js_DecompileValueGenerator call that
2883 * targets op alone, from decompilation of a full group
2884 * assignment sequence, triggered by SRC_GROUPASSIGN
2885 * annotating the first JSOP_GETLOCAL in the sequence.
2886 */
2894 }
2896 /* Null sn to prevent bogus VarPrefix'ing below. */
2898 }
2899 #endif
2911 }
2922 }
2932 }
2944 /* Turn on parens around comma-expression here. */
2948 rval,
2954 }
2955 /* FALL THROUGH */
2961 else
2966 #if JS_HAS_GENERATORS
2968 #if JS_HAS_GENERATOR_EXPRS
2970 #endif
2971 {
2972 /* Turn off most parens. */
2984 }
2986 #if JS_HAS_GENERATOR_EXPRS
2988 /* FALL THROUGH */
2989 #endif
2992 {
2996 /* Turn off most parens. */
2999 /* Pop the expression being pushed or yielded. */
3002 /*
3003 * Skip the for loop head stacked by JSOP_FORLOCAL until we hit
3004 * a block local slot (note empty destructuring patterns result
3005 * in unit-count blocks).
3006 */
3012 }
3015 /*
3016 * Here, forpos must index the space before the left-most |for|
3017 * in the single string of accumulated |for| heads and optional
3018 * final |if (condition)|.
3019 */
3023 /*
3024 * Now move pos downward over the block's local slots. Even an
3025 * empty destructuring pattern has one (dummy) local.
3026 */
3031 }
3033 #if JS_HAS_GENERATOR_EXPRS
3035 /*
3036 * Generator expression: decompile just rval followed by
3037 * the string starting at forpos. Leave the result string
3038 * in ss->offsets[0] so it can be recovered by our caller
3039 * (the JSOP_ANONFUNOBJ with SRC_GENEXP case). Bump the
3040 * top of stack to balance yield, which is an expression
3041 * (so has neutral stack balance).
3042 */
3052 }
3055 /*
3056 * Array comprehension: retract the sprinter to the beginning
3057 * of the array initialiser and decompile "[<rval> for ...]".
3058 */
3076 }
3094 JSITER_FOREACH;
3115 /*
3116 * The loop back-edge carries +1 stack balance, for the
3117 * flag processed by JSOP_IFNE. We do not decompile the
3118 * JSOP_IFNE, and instead push the left-hand side of 'in'
3119 * after the loop edge in this stack slot (the JSOP_FOR*
3120 * opcodes' decompilers do this pushing).
3121 */
3138 }
3140 /*
3141 * Do not AddParentSlop here, as we will push the
3142 * top-most offset again, which will add paren slop
3143 * for us. We must push to balance the stack budget
3144 * when nesting for heads in a comprehension.
3145 */
3151 }
3156 /*
3157 * As above, rval or an extension of it must remain
3158 * stacked during loop body decompilation.
3159 */
3168 }
3218 }
3224 {
3227 if_again:
3244 rval);
3246 }
3261 /*
3262 * If the second offset for sn is non-zero, it tells
3263 * the distance from the goto around the else, to the
3264 * ifeq for the if inside the else that forms an "if
3265 * else if" chain. Thus cond spans the condition of
3266 * the second if, so we simply decompile it and start
3267 * over at label if_again.
3268 */
3277 }
3282 }
3287 }
3301 }
3316 }
3318 }
3329 do_logical_connective:
3330 /* Top of stack is the first clause in a disjunction (||). */
3340 }
3352 }
3357 }
3377 }
3379 do_forvarslot:
3403 }
3414 }
3423 /*
3424 * The stack has the object under the (top) index expression.
3425 * The "rval" property id is underneath those two on the stack.
3426 * The for loop body net and gross lengths can now be adjusted
3427 * to account for the length of the indexing expression that
3428 * came after JSOP_FORELEM and before JSOP_ENUMELEM.
3429 */
3443 ? dot_format
3446 }
3460 }
3461 /* FALL THROUGH */
3464 #if JS_HAS_DESTRUCTURING
3480 // Skip POP so the SRC_FOR_IN code can pop for itself.
3486 }
3488 }
3489 #endif
3506 do_setname:
3514 do_setlval:
3518 lval,
3520 ? js_getter_str
3522 ? js_setter_str
3524 rval);
3529 }
3537 }
3541 {
3556 }
3564 }
3566 /*
3567 * The only way that our next op could be a JSOP_ADD is
3568 * if we are about to concatenate at least one non-string
3569 * literal. Deal with that here in order to avoid extra
3570 * parentheses (because JSOP_ADD is left-associative).
3571 */
3577 out:
3583 }
3601 /* Skip the JSOP_PUSHOBJ-created empty string. */
3605 /*
3606 * Special case: new (x(y)(z)) must be parenthesized like so.
3607 * Same for new (x(y).z) -- contrast with new x(y).z.
3608 * See PROPAGATE_CALLNESS.
3609 */
3617 ? JSOP_NAME
3634 }
3644 }
3645 }
3658 }
3667 do_delete_lval:
3692 #if JS_HAS_XML_SUPPORT
3700 #endif
3708 rval);
3722 do_incatom:
3727 do_inclval:
3736 /*
3737 * Force precedence below the numeric literal opcodes, so that
3738 * 42..foo or 10000..toString(16), e.g., decompile with parens
3739 * around the left-hand side of dot.
3740 */
3757 ? predot_format
3764 }
3778 do_atominc:
3783 do_lvalinc:
3792 /*
3793 * Force precedence below the numeric literal opcodes, so that
3794 * 42..foo or 10000..toString(16), e.g., decompile with parens
3795 * around the left-hand side of dot.
3796 */
3812 ? postdot_format
3819 }
3830 /* FALL THROUGH */
3837 do_getprop:
3839 do_getprop_lval:
3852 /* Get the name of the argument or variable. */
3855 do_getarg_prop:
3863 /* Get the name of the property. */
3886 /*
3887 * Force precedence below the numeric literal opcodes, so that
3888 * 42..foo or 10000..toString(16), e.g., decompile with parens
3889 * around the left-hand side of dot.
3890 */
3897 ? js_getter_str
3899 ? js_setter_str
3902 rval);
3908 /* FALL THROUGH */
3922 ? dot_format
3925 }
3946 ? js_getter_str
3948 ? js_setter_str
3951 rval);
3969 #if JS_HAS_DESTRUCTURING
3973 }
3974 #else
3976 #endif
3984 do_name:
3986 #if JS_HAS_XML_SUPPORT
3987 do_qname:
3988 #endif
4013 do_sprint_int:
4036 #if JS_HAS_GENERATOR_EXPRS
4042 SprintStack ss2;
4047 /*
4048 * All allocation when decompiling is LIFO, using malloc
4049 * or, more commonly, arena-allocating from cx->tempPool.
4050 * Therefore after InitSprintStack succeeds, we must
4051 * release to mark before returning.
4052 */
4060 }
4065 }
4068 /*
4069 * Recursively decompile this generator function as an
4070 * un-parenthesized generator expression. The ss->inGenExp
4071 * special case of JSOP_YIELD shares array comprehension
4072 * decompilation code that leaves the result as the single
4073 * string pushed on ss2.
4074 */
4089 }
4091 /*
4092 * Advance over this op and its global |this| push, and
4093 * arrange to advance over the call to this lambda.
4094 */
4102 /*
4103 * Arrange to parenthesize this genexp unless:
4104 *
4105 * 1. It is the complete expression consumed by a control
4106 * flow bytecode such as JSOP_TABLESWITCH whose syntax
4107 * always parenthesizes the controlling expression.
4108 * 2. It is the sole argument to a function call.
4109 *
4110 * But if this genexp runs up against endpc, parenthesize
4111 * regardless. (This can happen if we are called from
4112 * DecompileExpression or recursively from case
4113 * JSOP_{NOP,AND,OR}.)
4114 *
4115 * There's no special case for |if (genexp)| because the
4116 * compiler optimizes that to |if (true)|.
4117 */
4132 ? JSOP_POP
4135 /*
4136 * Stack this result as if it's a name and not an
4137 * anonymous function, so it doesn't get decompiled as
4138 * a generator function in a getter or setter context.
4139 * The precedence level is the same for JSOP_NAME and
4140 * JSOP_LAMBDA.
4141 */
4145 }
4147 /*
4148 * Alas, we have to malloc a copy of the result left on
4149 * the top of ss2 because both ss and ss2 arena-allocate
4150 * from cx's tempPool.
4151 */
4159 }
4161 /* FALL THROUGH */
4164 {
4165 /*
4166 * Always parenthesize expression closures. We can't force
4167 * saveop to a low-precedence op to arrange for auto-magic
4168 * parenthesization without confusing getter/setter code
4169 * that checks for JSOP_LAMBDA.
4170 */
4175 js_DecompileFunction);
4178 }
4179 sprint_string:
4195 do_regexp:
4203 {
4239 }
4243 j++;
4244 }
4246 }
4256 }
4257 }
4261 JS_FALSE);
4262 }
4268 }
4272 {
4299 }
4306 }
4309 JS_FALSE);
4315 }
4318 {
4320 jsint ncases;
4328 /*
4329 * Count the cases using offsets from switch to first case,
4330 * and case to case, stored in srcnote immediates.
4331 */
4339 /* End of cases, but count default as a case. */
4345 }
4346 }
4348 /*
4349 * Allocate table and rescan the cases using their srcnotes,
4350 * stashing each case's delta from switch top in table[i].key,
4351 * and the distance to its statements in table[i].offset.
4352 */
4370 }
4371 }
4373 /*
4374 * Find offset of default code by fetching the default offset
4375 * from the end of table. JSOP_CONDSWITCH always has a default
4376 * case at the end.
4377 */
4383 JS_TRUE);
4389 }
4393 {
4400 }
4430 }
4452 }
4453 }
4469 {
4474 #if JS_HAS_SHARP_VARS
4486 }
4487 }
4496 }
4498 }
4501 {
4502 JSBool inArray;
4508 /* Skip any #n= prefix to find the opening bracket. */
4515 rval,
4519 }
4521 {
4522 JSBool isFirst;
4528 /* Turn off most parens. */
4532 /* Turn off all parens for xval and lval, which we control. */
4541 }
4544 lval,
4545 maybeComma,
4546 rval);
4559 /* fall through */
4561 do_initprop:
4573 lval,
4574 maybeComma,
4577 xval,
4583 }
4585 }
4587 #if JS_HAS_SHARP_VARS
4600 #if JS_HAS_DEBUGGER_KEYWORD
4607 #if JS_HAS_XML_SUPPORT
4627 }
4637 }
4670 /* This gets reset by all XML tag expressions. */
4679 else
4684 /* Leave the name stacked and push a dummy string. */
4689 /* Pop the r.h.s., the dummy string, and the name. */
4699 /* If we're an attribute value, we shouldn't quote this. */
4713 /* These ops indicate the end of XML expressions. */
4741 DONT_ESCAPE))
4750 DONT_ESCAPE))
4779 }
4780 }
4783 /* -2 means "don't push", -1 means reported error. */
4789 }
4795 }
4798 }
4800 /*
4801 * Undefine local macros.
4802 */
4803 #undef inXML
4804 #undef DECOMPILE_CODE
4805 #undef NEXT_OP
4806 #undef TOP_STR
4807 #undef POP_STR
4808 #undef POP_STR_PREC
4809 #undef LOCAL_ASSERT
4810 #undef ATOM_IS_IDENTIFIER
4811 #undef GET_QUOTE_AND_FMT
4812 #undef GET_ATOM_QUOTE_AND_FMT
4815 }
4817 static JSBool
4819 uintN pcdepth)
4820 {
4822 SprintStack ss;
4825 JSBool ok;
4833 /* Initialize a sprinter for use with the offset stack. */
4840 /*
4841 * If we are called from js_DecompileValueGenerator with a portion of
4842 * script's bytecode that starts with a non-zero model stack depth given
4843 * by pcdepth, attempt to initialize the missing string offsets in ss to
4844 * |spindex| negative indexes from fp->sp for the activation fp in which
4845 * the error arose.
4846 *
4847 * See js_DecompileValueGenerator for how its |spindex| parameter is used,
4848 * and see also GetOff, which makes use of the ss.offsets[i] < -1 that are
4849 * potentially stored below.
4850 */
4856 }
4857 }
4859 /* Call recursive subroutine to do the hard work. */
4869 }
4876 }
4879 /* If the given code didn't empty the stack, do it now. */
4885 }
4887 out:
4888 /* Free all temporary stuff allocated under this call. */
4891 }
4893 JSBool
4895 {
4897 }
4899 JSString *
4902 JSDecompilerPtr decompiler)
4903 {
4912 else
4916 }
4920 JSBool
4922 {
4930 }
4934 }
4936 JSBool
4938 {
4940 uintN i;
4944 JSBool ok;
4950 /*
4951 * If pretty, conform to ECMA-262 Edition 3, 15.3.4.2, by decompiling a
4952 * FunctionDeclaration. Otherwise, check the JSFUN_LAMBDA flag and force
4953 * an expression by parenthesizing.
4954 */
4960 }
4979 #if JS_HAS_DESTRUCTURING
4980 SprintStack ss;
4982 #endif
4984 /* Print the parameters. */
4989 /* Skip trace hint if it appears here. */
4990 #if JS_HAS_GENERATORS
4992 #endif
4993 {
5000 }
5001 }
5003 #if JS_HAS_DESTRUCTURING
5007 #endif
5015 #if JS_HAS_DESTRUCTURING
5016 #define LOCAL_ASSERT(expr) LOCAL_ASSERT_RV(expr, JS_FALSE)
5029 }
5034 }
5042 }
5044 }
5046 #undef LOCAL_ASSERT
5047 #endif
5052 }
5053 }
5055 #if JS_HAS_DESTRUCTURING
5058 #endif
5064 /*
5065 * We have no syntax for strict function expressions;
5066 * at least give a hint.
5067 */
5070 }
5078 }
5079 }
5089 }
5090 }
5096 }
5101 {
5106 intN pcdepth;
5124 }
5129 /*
5130 * Prepare computing pcstack containing pointers to opcodes that
5131 * populated interpreter's stack with its current content.
5132 */
5148 /*
5149 * We search from fp->sp to base to find the most recently
5150 * calculated value matching v under assumption that it is
5151 * it that caused exception, see bug 328664.
5152 */
5159 }
5162 /*
5163 * The value may have come from beyond stackBase + pcdepth,
5164 * meaning that it came from a temporary slot that the
5165 * interpreter uses for GC roots or when JSOP_APPLY extended
5166 * the stack to fit the argument array elements. Only update pc
5167 * if beneath stackBase + pcdepth; otherwise blame existing
5168 * (current) PC.
5169 */
5172 }
5174 release_pcstack:
5178 }
5180 {
5186 }
5188 /*
5189 * FIXME: bug 489843. Stack reconstruction may have returned a pc
5190 * value *inside* an imacro; this would confuse the decompiler.
5191 */
5194 else
5200 }
5201 }
5205 do_fallback:
5210 }
5212 }
5217 {
5219 JSOp op;
5225 intN pcdepth;
5241 }
5245 /* None of these stack-writing ops generates novel values. */
5249 /* JSOP_PUSH is used to generate undefined for group assignment holes. */
5253 }
5255 /*
5256 * |this| could convert to a very long object initialiser, so cite it by
5257 * its keyword name instead.
5258 */
5262 }
5264 /*
5265 * JSOP_BINDNAME is special: it generates a value, the base object of a
5266 * reference. But if it is the generating op for a diagnostic produced by
5267 * js_DecompileValueGenerator, the name being bound is irrelevant. Just
5268 * fall back to the base object.
5269 */
5273 }
5275 /* NAME ops are self-contained, others require left or right context. */
5288 }
5300 }
5303 }
5308 }
5315 }
5322 }
5333 }
5335 }
5337 out:
5342 }
5346 }
5348 uintN
5350 {
5352 }
5354 #define LOCAL_ASSERT(expr) LOCAL_ASSERT_RV(expr, -1);
5356 static intN
5359 {
5366 /*
5367 * Fill the slots that the opcode defines withs its pc unless it just
5368 * reshuffles the stack. In the latter case we want to preserve the
5369 * opcode that generated the original value.
5370 */
5376 }
5381 /* Keep the switch value. */
5396 }
5405 }
5407 }
5410 }
5412 #ifdef JS_TRACER
5414 #undef LOCAL_ASSERT
5415 #define LOCAL_ASSERT(expr) LOCAL_ASSERT_CUSTOM(expr, goto failure);
5417 static intN
5421 {
5449 }
5453 }
5454 }
5461 success:
5466 failure:
5469 }
5471 #undef LOCAL_ASSERT
5472 #define LOCAL_ASSERT(expr) LOCAL_ASSERT_RV(expr, -1);
5474 static intN
5478 static intN
5482 {
5483 /*
5484 * Begin with a recursive call back to ReconstructPCStack to pick up
5485 * the state-of-the-world at the *start* of the imacro.
5486 */
5493 }
5496 #endif
5498 static intN
5501 {
5502 /*
5503 * Walk forward from script->main and compute the stack depth and stack of
5504 * operand-generating opcode PCs in pcstack.
5505 *
5506 * FIXME: Code to compute oplen copied from js_Disassemble1 and reduced.
5507 * FIXME: Optimize to use last empty-stack sequence point.
5508 */
5509 #ifdef JS_TRACER
5514 #endif
5527 /*
5528 * A (C ? T : E) expression requires skipping either T (if target is in
5529 * E) or both T and E (if target is after the whole expression) before
5530 * adjusting pcdepth based on the JSOP_IFEQ or JSOP_IFEQX at pc that
5531 * tests condition C. We know that the stack depth can't change from
5532 * what it was with C on top of stack.
5533 */
5548 }
5550 /*
5551 * Ok, target lies in E. Manually pop C off the model stack,
5552 * since we have moved beyond the IFEQ now.
5553 */
5556 }
5557 }
5559 /* Ignore early-exit code, which is annotated SRC_HIDDEN. */
5566 }
5570 #undef LOCAL_ASSERT
5571 }
5573 #undef LOCAL_ASSERT_RV