| blob | d2d5550364d217bb1f2d72c28b1d67a77a4a7a9d |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS function support.
43 */
44 #include <string.h>
76 #if JS_HAS_GENERATORS
78 #endif
80 #if JS_HAS_XDR
82 #endif
84 #ifdef JS_METHODJIT
86 #endif
100 {
102 }
104 JSBool
106 {
113 }
119 }
121 JSBool
123 {
130 Value v;
141 }
143 }
153 }
156 /*
157 * Per ECMA-262 Ed. 3, 10.1.8, last bulleted item, do not share
158 * storage between the formal parameter and arguments[k] for all
159 * fp->argc <= k && k < fp->fun->nargs. For example, in
160 *
161 * function f(x) { x = 42; return arguments[0]; }
162 * f();
163 *
164 * the call to f should return undefined, not 42. If fp->argsobj
165 * is null at this point, as it would be in the example, return
166 * undefined in *vp.
167 */
170 }
176 }
178 }
182 {
198 /* Can't fail from here on, so initialize everything in argsobj. */
200 ? &StrictArgumentsClass
211 }
213 struct STATIC_SKIP_INFERENCE PutArg
214 {
221 }
222 };
224 JSObject *
226 {
227 /*
228 * We must be in a function activation; the function must be lightweight
229 * or else fp must have a variable object.
230 */
236 /* Create an arguments object for fp only if it lacks one. */
240 /* Compute the arguments object's parent slot from fp's scope chain. */
246 /*
247 * Strict mode functions have arguments objects that copy the initial
248 * actual parameter values. It is the caller's responsibility to get the
249 * arguments object before any parameters are modified! (The emitter
250 * ensures this by synthesizing an arguments access at the start of any
251 * strict mode function that contains an assignment to a parameter, or
252 * that calls eval.) Non-strict mode arguments use the frame pointer to
253 * retrieve up-to-date parameter values.
254 */
257 else
262 }
264 void
266 {
274 }
276 }
278 #ifdef JS_TRACER
280 /*
281 * Traced versions of js_GetArgsObject and js_PutArgsObject.
282 */
283 JSObject * JS_FASTCALL
285 {
291 /*
292 * Strict mode callers must copy arguments into the created arguments
293 * object. The trace-JITting code is in TraceRecorder::newArguments.
294 */
298 }
301 }
305 /* FIXME change the return type to void. */
306 JSBool JS_FASTCALL
308 {
312 /*
313 * TraceRecorder::putActivationObjects builds a single, contiguous array of
314 * the arguments, regardless of whether #actuals > #formals so there is no
315 * need to worry about actual vs. formal arguments.
316 */
322 }
326 }
332 static JSBool
334 {
345 }
347 }
351 {
355 /*
356 * We do not attempt to reify Call and Block objects on demand for outer
357 * scopes. This could be done (see the "v8" patch in bug 494235) but it is
358 * fragile in the face of ongoing compile-time optimization. Instead, the
359 * _DBG* opcodes used by wrappers created here must cope with unresolved
360 * upvars and throw them as reference errors. Caveat debuggers!
361 */
387 /* NB: GC must not occur before wscript is homed in wfun->u.i.script. */
420 }
424 }
428 }
432 }
440 }
444 /* FIXME should copy JSOP_TRAP? */
451 /*
452 * Rewrite JSOP_{GET,CALL}FCSLOT as JSOP_{GET,CALL}UPVAR_DBG for the
453 * case where fun is an escaping flat closure. This works because the
454 * UPVAR and FCSLOT ops by design have the same format: an upvar index
455 * immediate operand.
456 */
464 }
466 }
468 /*
469 * Fill in the rest of wscript. This means if you add members to JSScript
470 * you must update this code. FIXME: factor into JSScript::clone method.
471 */
489 #ifdef CHECK_SCRIPT_OWNER
491 #endif
495 /* Deoptimize wfun from FUN_{FLAT,NULL}_CLOSURE to FUN_INTERPRETED. */
499 }
501 static JSBool
503 {
510 /*
511 * arg can exceed the number of arguments if a script changed the
512 * prototype to point to another Arguments object with a bigger argc.
513 */
519 else
521 }
529 /*
530 * If this function or one in it needs upvars that reach above it
531 * in the scope chain, it must not be a null closure (it could be a
532 * flat closure, or an unoptimized closure -- the latter itself not
533 * necessarily heavyweight). Rather than wrap here, we simply throw
534 * to reduce code size and tell debugger users the truth instead of
535 * passing off a fibbing wrapper.
536 */
539 JSMSG_OPTIMIZED_CLOSURE_LEAK);
541 }
543 }
544 }
546 }
548 static JSBool
550 {
551 #ifdef JS_TRACER
552 // To be able to set a property here on trace, we would have to make
553 // sure any updates also get written back to the trace native stack.
554 // For simplicity, we just leave trace, since this is presumably not
555 // a common operation.
559 }
560 #endif
574 }
575 }
579 }
581 /*
582 * For simplicity we use delete/set to replace the property with one
583 * backed by the default Object getter and setter. Note that we rely on
584 * args_delProperty to clear the corresponding reserved slot so the GC can
585 * collect its value.
586 */
590 }
592 static JSBool
595 {
616 }
624 }
626 static JSBool
628 {
631 /*
632 * Trigger reflection in args_resolve using a series of js_LookupProperty
633 * calls.
634 */
647 }
649 }
651 static JSBool
653 {
660 /*
661 * arg can exceed the number of arguments if a script changed the
662 * prototype to point to another Arguments object with a bigger argc.
663 */
669 }
674 }
676 }
678 static JSBool
680 {
689 }
692 }
694 /*
695 * For simplicity we use delete/set to replace the property with one
696 * backed by the default Object getter and setter. Note that we rely on
697 * args_delProperty to clear the corresponding reserved slot so the GC can
698 * collect its value.
699 */
703 }
705 static JSBool
707 {
729 }
733 }
741 }
743 static JSBool
745 {
748 /*
749 * Trigger reflection in strictargs_resolve using a series of
750 * js_LookupProperty calls.
751 */
755 // length
759 // callee
763 // caller
770 }
773 }
775 static void
777 {
779 }
781 /*
782 * If a generator's arguments or call object escapes, and the generator frame
783 * is not executing, the generator object needs to be marked because it is not
784 * otherwise reachable. An executing generator is rooted by its invocation. To
785 * distinguish the two cases (which imply different access paths to the
786 * generator object), we use the JSFRAME_FLOATING_GENERATOR flag, which is only
787 * set on the JSStackFrame kept in the generator object's JSGenerator.
788 */
791 {
792 #if JS_HAS_GENERATORS
797 }
798 #endif
799 }
801 static void
803 {
808 }
816 }
818 /*
819 * The Arguments classes aren't initialized via js_InitClass, because arguments
820 * objects have the initial value of Object.prototype as their [[Prototype]].
821 * However, Object.prototype.toString.call(arguments) === "[object Arguments]"
822 * per ES5 (although not ES3), so the class name is "Arguments" rather than
823 * "Object".
824 *
825 * The JSClass functions below collaborate to lazily reflect and synchronize
826 * actual argument values, argument count, and callee function object stored
827 * in a JSStackFrame with their corresponding property values in the frame's
828 * arguments object.
829 */
830 Class js_ArgumentsClass = {
836 args_delProperty,
839 args_enumerate,
841 ConvertStub,
850 };
854 /*
855 * Strict mode arguments is significantly less magical than non-strict mode
856 * arguments, so it is represented by a different class while sharing some
857 * functionality.
858 */
859 Class StrictArgumentsClass = {
865 args_delProperty,
868 strictargs_enumerate,
870 ConvertStub,
879 };
881 }
883 /*
884 * A Declarative Environment object stores its active JSStackFrame pointer in
885 * its private slot, just as Call and Arguments objects do.
886 */
887 Class js_DeclEnvClass = {
888 js_Object_str,
894 EnumerateStub,
895 ResolveStub,
896 ConvertStub
897 };
899 static JSBool
901 {
910 /*
911 * Any escaping null or flat closure that reaches above itself or
912 * contains nested functions that reach above it must be wrapped.
913 * We can wrap only when this Call or Declarative Environment obj
914 * still has an active stack frame associated with it.
915 */
926 }
929 JSMSG_OPTIMIZED_CLOSURE_LEAK);
931 }
932 }
934 }
936 static JSBool
938 {
940 }
944 /*
945 * Construct a call object for the given bindings. The callee is the function
946 * on behalf of which the call object is being created.
947 */
948 JSObject *
950 {
959 /* Init immediately to avoid GC seeing a half-init'ed object. */
963 /* This must come after callobj->lastProp has been set. */
967 #ifdef DEBUG
973 }
974 }
975 #endif
979 }
985 {
993 }
995 JSObject *
997 {
998 /* Create a call object for fp only if it lacks one. */
1003 #ifdef DEBUG
1004 /* A call object should be a frame's outermost scope chain element. */
1010 #endif
1012 /*
1013 * Create the call object, using the frame's enclosing scope as its
1014 * parent, and link the call to its stack frame. For a named function
1015 * expression Call's parent points to an environment object holding
1016 * function's name.
1017 */
1025 /* Root envobj before js_DefineNativeProperty (-> JSClass.addProperty). */
1033 }
1034 }
1044 /*
1045 * Push callobj on the top of the scope chain, and make it the
1046 * variables object.
1047 */
1050 }
1052 JSObject * JS_FASTCALL
1053 js_CreateCallObjectOnTrace(JSContext *cx, JSFunction *fun, JSObject *callee, JSObject *scopeChain)
1054 {
1059 }
1061 JS_DEFINE_CALLINFO_4(extern, OBJECT, js_CreateCallObjectOnTrace, CONTEXT, FUNCTION, OBJECT, OBJECT,
1066 {
1071 }
1073 void
1075 {
1078 /*
1079 * Strict mode eval frames have Call objects to put. Normal eval frames
1080 * never put a Call object.
1081 */
1084 /* Get the arguments object to snapshot fp's actual argument values. */
1089 }
1098 /* This could be optimized as below, but keep it simple for now. */
1116 #ifdef JS_METHODJIT
1118 #endif
1119 ) {
1122 /*
1123 * For each arg & var that is closed over, copy it from the stack
1124 * into the call object.
1125 */
1130 }
1136 }
1137 }
1138 }
1140 /* Clear private pointers to fp, which is about to go away (js_Invoke). */
1147 }
1148 }
1152 }
1154 JSBool JS_FASTCALL
1157 {
1166 }
1173 static JSBool
1175 {
1184 }
1186 }
1188 static JSBool
1190 {
1195 }
1197 JSBool
1199 {
1205 else
1208 }
1210 JSBool
1212 {
1219 else
1225 }
1227 JSBool
1229 {
1235 }
1237 JSBool
1239 {
1248 }
1250 JSBool
1252 {
1258 else
1262 }
1264 JSBool
1266 {
1271 }
1273 JSBool
1275 {
1281 /*
1282 * As documented in TraceRecorder::attemptTreeCall(), when recording an
1283 * inner tree call, the recorder assumes the inner tree does not mutate
1284 * any tracked upvars. The abort here is a pessimistic precaution against
1285 * bug 620662, where an inner tree setting a closed stack variable in an
1286 * outer tree is illegal, and runtime would fall off trace.
1287 */
1288 #ifdef JS_TRACER
1292 #endif
1297 else
1303 }
1307 #if JS_TRACER
1308 JSBool JS_FASTCALL
1310 {
1313 }
1317 JSBool JS_FASTCALL
1319 {
1322 }
1325 #endif
1327 static JSBool
1330 {
1338 #ifdef DEBUG
1342 }
1343 #endif
1345 /*
1346 * Resolve arguments so that we never store a particular Call object's
1347 * arguments object reference in a Call prototype's |arguments| slot.
1348 *
1349 * Include JSPROP_ENUMERATE for consistency with all other Call object
1350 * properties; see js::Bindings::add and js::Interpret's JSOP_DEFFUN
1351 * rebinding-Call-property logic.
1352 */
1359 }
1362 }
1364 /* Control flow reaches here only if id was not resolved. */
1366 }
1368 static void
1370 {
1373 /*
1374 * FIXME: Hide copies of stack values rooted by fp from the Cycle
1375 * Collector, which currently lacks a non-stub Unlink implementation
1376 * for JS objects (including Call objects), so is unable to collect
1377 * cycles involving Call objects whose frames are active without this
1378 * hiding hack.
1379 */
1385 }
1388 }
1392 JSCLASS_HAS_PRIVATE |
1399 JS_EnumerateStub,
1410 };
1412 bool
1414 {
1418 }
1422 /*
1423 * See the equivalent condition in ArgGetter for the 'callee' id case, but
1424 * note that here we do not want to throw, since this escape can happen via
1425 * a foo.caller reference alone, without any debugger or indirect eval. And
1426 * alas, it seems foo.caller is still used on the Web.
1427 */
1434 }
1439 /*
1440 * Check for an escape attempt by a joined function object, which must go
1441 * through the frame's |this| object's method read barrier for the method
1442 * atom by which it was uniquely associated with a property.
1443 */
1453 /*
1454 * While a non-native object is responsible for handling its
1455 * entire prototype chain, notable non-natives including dense
1456 * and typed arrays have native prototypes, so keep going.
1457 */
1464 /*
1465 * Two cases follow: the method barrier was not crossed
1466 * yet, so we cross it here; the method barrier *was*
1467 * crossed but after the call, in which case we fetch
1468 * and validate the cloned (unjoined) funobj from the
1469 * method property's slot.
1470 *
1471 * In either case we must allow for the method property
1472 * to have been replaced, or its value overwritten.
1473 */
1479 }
1492 }
1493 }
1494 }
1498 }
1504 /*
1505 * At this point, we couldn't find an already-existing clone (or
1506 * force to exist a fresh clone) created via thisp's method read
1507 * barrier, so we must clone fun and store it in fp's callee to
1508 * avoid re-cloning upon repeated foo.caller access.
1509 *
1510 * This must mean the code in js_DeleteProperty could not find this
1511 * stack frame on the stack when the method was deleted. We've lost
1512 * track of the method, so we associate it with the first barriered
1513 * object found starting from thisp on the prototype chain.
1514 */
1522 }
1523 }
1526 }
1528 /* Generic function tinyids. */
1535 };
1537 static JSBool
1539 {
1545 /*
1546 * Loop because getter and setter can be delegated from another class,
1547 * but loop only for FUN_LENGTH because we must pretend that f.length
1548 * is in each function instance f, per ECMA-262, instead of only in the
1549 * Function.prototype object (we use JSPROP_PERMANENT with JSPROP_SHARED
1550 * to make it appear so).
1551 *
1552 * This code couples tightly to the attributes for lazyFunctionDataProps[]
1553 * and poisonPillProps[] initializers below, and to js_SetProperty and
1554 * js_HasOwnProperty.
1555 *
1556 * It's important to allow delegating objects, even though they inherit
1557 * this getter (fun_getProperty), to override arguments, arity, caller,
1558 * and name. If we didn't return early for slot != FUN_LENGTH, we would
1559 * clobber *vp with the native property value, instead of letting script
1560 * override that value in delegating objects.
1561 *
1562 * Note how that clobbering is what simulates JSPROP_READONLY for all of
1563 * the non-standard properties when the directly addressed object (obj)
1564 * is a function object (i.e., when this loop does not iterate).
1565 */
1574 }
1576 /* Find fun's top-most activation record. */
1582 }
1586 /* Warn if strict about f.arguments or equivalent unqualified uses. */
1590 JSMSG_DEPRECATED_USAGE,
1591 js_arguments_str)) {
1593 }
1599 }
1620 /* Censor the caller if it is from another compartment. */
1627 JSMSG_CALLER_IS_STRICT);
1629 }
1630 }
1631 }
1635 /* XXX fun[0] and fun.arguments[0] are equivalent. */
1639 }
1642 }
1645 uint16 atomOffset;
1646 int8 tinyid;
1647 uint8 attrs;
1648 };
1651 uint16 atomOffset;
1652 int8 tinyid;
1653 };
1655 /* NB: no sentinels at ends -- use JS_ARRAY_LENGTH to bound loops. */
1660 };
1662 /* Properties censored into [[ThrowTypeError]] in strict mode. */
1666 };
1668 static JSBool
1670 {
1673 jsid id;
1680 }
1691 }
1698 }
1701 }
1703 static JSBool
1706 {
1713 /*
1714 * Native or "built-in" functions do not have a .prototype property per
1715 * ECMA-262 (all editions). Built-in constructor functions, e.g. Object
1716 * and Function to name two conspicuous examples, do have a .prototype
1717 * property, but it is created eagerly by js_InitClass (jsobj.cpp).
1718 *
1719 * ES5 15.3.4: the non-native function object named Function.prototype
1720 * must not have a .prototype property.
1721 *
1722 * ES5 15.3.4.5: bound functions don't have a prototype property. The
1723 * isNative() test covers this case because bound functions are native
1724 * functions by definition/construction.
1725 */
1729 /*
1730 * Assert that fun is not a compiler-created function object, which
1731 * must never leak to script or embedding code and then be mutated.
1732 * Also assert that obj is not bound, per the ES5 15.3.4.5 ref above.
1733 */
1737 /*
1738 * Make the prototype object an instance of Object with the same parent
1739 * as the function object itself.
1740 */
1749 /*
1750 * ECMA (15.3.5.2) says that constructor.prototype is DontDelete for
1751 * user-defined functions, but DontEnum | ReadOnly | DontDelete for
1752 * native "system" constructors such as Object or Function. So lazily
1753 * set the former here in fun_resolve, but eagerly define the latter
1754 * in js_InitClass, with the right attributes.
1755 */
1761 }
1769 }
1772 }
1785 }
1788 }
1789 }
1808 }
1815 }
1818 }
1819 }
1822 }
1824 #if JS_HAS_XDR
1826 /* XXX store parent and proto, if defined */
1827 JSBool
1829 {
1833 plus for fun->u.i.skipmin, fun->u.i.wrapper,
1834 and 14 bits reserved for future use */
1841 JSAutoByteString funNameBytes;
1844 name);
1845 }
1847 }
1849 JSAutoByteString funNameBytes;
1853 }
1863 }
1880 }
1887 #ifdef CHECK_SCRIPT_OWNER
1889 #endif
1892 }
1895 }
1899 #define js_XDRFunctionObject NULL
1903 /*
1904 * [[HasInstance]] internal method for Function objects: fetch the .prototype
1905 * property of its 'this' parameter, and walks the prototype chain of v (only
1906 * if v is an object) returning true if .prototype is found.
1907 */
1908 static JSBool
1910 {
1915 }
1918 Value pval;
1923 /*
1924 * Throw a runtime error if instanceof is called on a function that
1925 * has a non-object as its .prototype value.
1926 */
1929 }
1933 }
1935 static void
1937 {
1938 /* A newborn function object may have a not yet initialized private slot. */
1944 /* obj is a cloned function object, trace the clone-parent, fun. */
1947 /* The function could be a flat closure with upvar copies in the clone. */
1951 }
1953 }
1960 }
1962 static void
1964 {
1965 /* Ignore newborn function objects. */
1970 /* Cloned function objects may be flat closures with upvars to free. */
1975 }
1977 /*
1978 * Null-check fun->script() because the parser sets interpreted very early.
1979 */
1982 }
1984 /*
1985 * Reserve two slots in all function objects for XPConnect. Note that this
1986 * does not bloat every instance, only those on which reserved slots are set,
1987 * and those on which ad-hoc properties are defined.
1988 */
1990 js_Function_str,
1998 fun_enumerate,
2000 ConvertStub,
2001 fun_finalize,
2006 js_XDRFunctionObject,
2007 fun_hasInstance,
2009 };
2011 JSString *
2013 {
2018 JSMSG_INCOMPATIBLE_PROTO,
2022 }
2028 }
2030 static JSBool
2032 {
2049 }
2051 #if JS_HAS_TOSOURCE
2052 static JSBool
2054 {
2067 }
2068 #endif
2070 JSBool
2072 {
2086 JSMSG_INCOMPATIBLE_PROTO,
2089 }
2090 }
2092 }
2095 Value thisv;
2101 argc--;
2102 argv++;
2103 }
2105 /* Allocate stack space for fval, obj, and the args. */
2106 InvokeArgsGuard args;
2110 /* Push fval, thisv, and the args. */
2118 }
2120 /* ES5 15.3.4.3 */
2121 JSBool
2123 {
2128 /* Step 1. */
2135 JSMSG_INCOMPATIBLE_PROTO,
2138 }
2139 }
2141 }
2143 /* Step 2. */
2147 /* N.B. Changes need to be propagated to stubs::SplatApplyArgs. */
2149 /* Step 3. */
2153 }
2155 /*
2156 * Steps 4-5 (note erratum removing steps originally numbered 5 and 7 in
2157 * original version of ES5).
2158 */
2160 jsuint length;
2166 /* Step 6. */
2169 InvokeArgsGuard args;
2173 /* Push fval, obj, and aobj's elements as args. */
2177 /* Steps 7-8. */
2181 /* Step 9. */
2186 }
2188 static JSBool
2194 {
2201 /* FIXME? Burn memory on an empty scope whose shape covers the args slots. */
2214 }
2216 }
2220 {
2224 /* Bound functions abuse |parent| to store their target function. */
2226 }
2230 {
2235 }
2239 {
2247 }
2249 /* ES5 15.3.4.5.1 and 15.3.4.5.2. */
2250 static JSBool
2252 {
2261 /* 15.3.4.5.1 step 1, 15.3.4.5.2 step 3. */
2262 uintN argslen;
2268 }
2270 /* 15.3.4.5.1 step 3, 15.3.4.5.2 step 1. */
2273 /* 15.3.4.5.1 step 2. */
2276 InvokeArgsGuard args;
2280 /* 15.3.4.5.1, 15.3.4.5.2 step 4. */
2284 /* 15.3.4.5.1, 15.3.4.5.2 step 5. */
2295 }
2297 /* ES5 15.3.4.5. */
2298 static JSBool
2300 {
2301 /* Step 1. */
2306 /* Step 2. */
2312 JSMSG_INCOMPATIBLE_PROTO,
2314 }
2315 }
2317 }
2319 /* Step 3. */
2325 }
2327 /* Steps 15-16. */
2333 }
2335 /* Step 4-6, 10-11. */
2338 /* NB: Bound functions abuse |parent| to store their target. */
2345 /* Steps 7-9. */
2350 /* Steps 17, 19-21 are handled by fun_resolve. */
2351 /* Step 18 is the default for new functions. */
2353 /* Step 22. */
2356 }
2359 #if JS_HAS_TOSOURCE
2361 #endif
2366 JS_FS_END
2367 };
2369 static JSBool
2371 {
2376 /* N.B. overwriting callee with return value */
2380 /*
2381 * NB: (new Function) is not lexically closed by its caller, it's just an
2382 * anonymous function in the top-level scope that its constructor inhabits.
2383 * Thus 'var x = 42; f = new Function("return x"); print(f())' prints 42,
2384 * and so would a call to f from another top-level's script or function.
2385 *
2386 * In older versions, before call objects, a new Function was adopted by
2387 * its running context's globalObject, which might be different from the
2388 * top-level reachable from scopeChain (in HTML frames, e.g.).
2389 */
2395 /*
2396 * Function is static and not called directly by other functions in this
2397 * file, therefore it is callable only as a native function by js_Invoke.
2398 * Find the scripted caller, possibly skipping other native frames such as
2399 * are built for Function.prototype.call or .apply activations that invoke
2400 * Function indirectly from a script.
2401 */
2403 uintN lineno;
2414 }
2416 /* Belt-and-braces: check that the caller has access to parent. */
2420 }
2422 /*
2423 * CSP check: whether new Function() is allowed at all.
2424 * Report errors via CSP is done in the script security manager.
2425 * js_CheckContentSecurityPolicy is defined in jsobj.cpp
2426 */
2430 }
2440 /*
2441 * Collect the function-argument arguments into one string, separated
2442 * by commas, then make a tokenstream from that string, and scan it to
2443 * get the arguments. We need to throw the full scanner at the
2444 * problem, because the argument string can legitimately contain
2445 * comments and linefeeds. XXX It might be better to concatenate
2446 * everything up into a function definition and pass it to the
2447 * compiler, but doing it this way is less of a delta from the old
2448 * code. See ECMA 15.3.2.1.
2449 */
2453 /* Collect the lengths for all the function-argument arguments. */
2459 /*
2460 * Check for overflow. The < test works because the maximum
2461 * JSString length fits in 2 fewer bits than size_t has.
2462 */
2468 }
2469 }
2471 /* Add 1 for each joining comma and check for overflow (two ways). */
2478 }
2480 /*
2481 * Allocate a string to hold the concatenated arguments, including room
2482 * for a terminating 0. Mark cx->tempPool for later release, to free
2483 * collected_args and its tokenstream in one swoop.
2484 */
2492 }
2495 /*
2496 * Concatenate the arguments into the new string, separated by commas.
2497 */
2505 }
2509 /* Add separating comma or terminating 0. */
2511 }
2513 /* Initialize a tokenstream that reads from the given string. */
2518 }
2520 /* The argument string may be empty or contain no tokens. */
2524 /*
2525 * Check that it's a name. This also implicitly guards against
2526 * TOK_ERROR, which was already reported.
2527 */
2531 /*
2532 * Get the atom corresponding to the name from the token
2533 * stream; we're assured at this point that it's a valid
2534 * identifier.
2535 */
2538 /* Check for a duplicate parameter name. */
2540 JSAutoByteString name;
2544 }
2550 }
2551 }
2553 uint16 dummy;
2557 }
2559 /*
2560 * Get the next token. Stop on end of stream. Otherwise
2561 * insist on a comma, get another name, and iterate.
2562 */
2569 }
2570 }
2573 after_args:
2575 /*
2576 * Report "malformed formal parameter" iff no illegal char or
2577 * similar scanner error was already reported.
2578 */
2580 JSMSG_BAD_FORMAL);
2581 }
2586 }
2596 }
2605 }
2607 static JSBool
2609 {
2611 JSMSG_THROW_TYPE_ERROR);
2613 }
2615 JSObject *
2617 {
2635 #ifdef CHECK_SCRIPT_OWNER
2637 #endif
2641 /* ES5 13.2.3: Construct the unique [[ThrowTypeError]] function object. */
2650 }
2653 }
2655 JSFunction *
2658 {
2668 }
2672 /* Initialize all function members. */
2684 #ifdef JS_TRACER
2689 #else
2691 #endif
2695 }
2697 }
2700 /* Set private to self to indicate non-cloned fully initialized function. */
2703 }
2705 JSObject * JS_FASTCALL
2708 {
2714 /*
2715 * The cloned function object does not need the extra JSFunction members
2716 * beyond JSObject as it points to fun via the private slot.
2717 */
2723 /*
2724 * Across compartments we have to deep copy JSFunction and clone the
2725 * script (for interpreted functions).
2726 */
2745 #ifdef CHECK_SCRIPT_OWNER
2747 #endif
2749 }
2750 }
2752 }
2754 #ifdef JS_TRACER
2755 JS_DEFINE_CALLINFO_4(extern, OBJECT, js_CloneFunctionObject, CONTEXT, FUNCTION, OBJECT, OBJECT, 0,
2757 #endif
2759 /*
2760 * Create a new flat closure, but don't initialize the imported upvar
2761 * values. The tracer calls this function and then initializes the upvar
2762 * slots on trace.
2763 */
2764 JSObject * JS_FASTCALL
2766 {
2787 }
2792 JSObject *
2794 {
2795 /*
2796 * Flat closures cannot yet be partial, that is, all upvars must be copied,
2797 * or the closure won't be flattened. Therefore they do not need to search
2798 * enclosing scope objects via JSOP_NAME, etc.
2799 *
2800 * FIXME: bug 545759 proposes to enable partial flat closures. Fixing this
2801 * bug requires a GetScopeChainFast call here, along with JS_REQUIRES_STACK
2802 * annotations on this function's prototype and definition.
2803 */
2819 }
2821 JSObject *
2823 {
2829 }
2831 JSFunction *
2834 {
2835 PropertyOp gsop;
2839 /*
2840 * JSFUN_STUB_GSOPS is a request flag only, not stored in fun->flags or
2841 * the defined property's attributes. This allows us to encode another,
2842 * internal flag using the same bit, JSFUN_EXPR_CLOSURE -- see jsfun.h
2843 * for more on this.
2844 */
2849 }
2851 /*
2852 * Historically, all objects have had a parent member as intrinsic scope
2853 * chain link. We want to move away from this universal parent, but JS
2854 * requires that function objects have something like parent (ES3 and ES5
2855 * call it the [[Scope]] internal property), to bake a particular static
2856 * scope environment into each function object.
2857 *
2858 * All function objects thus have parent, including all native functions.
2859 * All native functions defined by the JS_DefineFunction* APIs are created
2860 * via the call below to js_NewFunction, which passes obj as the parent
2861 * parameter, and so binds fun's parent to obj using JSObject::setParent,
2862 * under js_NewFunction (in JSObject::init, called from NewObject -- see
2863 * jsobjinlines.h).
2864 *
2865 * But JSObject::setParent sets the DELEGATE object flag on its receiver,
2866 * to mark the object as a proto or parent of another object. Such objects
2867 * may intervene in property lookups and scope chain searches, so require
2868 * special handling when caching lookup and search results (since such
2869 * intervening objects can in general grow shadowing properties later).
2870 *
2871 * Thus using setParent prematurely flags certain objects, notably class
2872 * prototypes, so that defining native methods on them, where the method's
2873 * name (e.g., toString) is already bound on Object.prototype, triggers
2874 * shadowingShapeChange events and gratuitous shape regeneration.
2875 *
2876 * To fix this longstanding bug, we set check whether obj is already a
2877 * delegate, and if not, then if js_NewFunction flagged obj as a delegate,
2878 * we clear the flag.
2879 *
2880 * We thus rely on the fact that native functions (including indirect eval)
2881 * do not use the property cache or equivalent JIT techniques that require
2882 * this bit to be set on their parent-linked scope chain objects.
2883 *
2884 * Note: we keep API compatibility by setting parent to obj for all native
2885 * function objects, even if obj->getGlobal() would suffice. This should be
2886 * revisited when parent is narrowed to exist only for function objects and
2887 * possibly a few prehistoric scope objects (e.g. event targets).
2888 *
2889 * FIXME: bug 611190.
2890 */
2895 obj,
2906 }
2908 #if (JSV2F_CONSTRUCT & JSV2F_SEARCH_STACK)
2910 #endif
2912 JSFunction *
2914 {
2919 }
2921 }
2923 JSObject *
2925 {
2930 }
2933 }
2935 JSObject *
2937 {
2942 }
2946 }
2948 void
2950 {
2956 /*
2957 * We try to the print the code that produced vp if vp is a value in the
2958 * most recent interpreted stack frame. Note that additional values, not
2959 * directly produced by the script, may have been pushed onto the frame's
2960 * expression stack (e.g. by pushInvokeArgs) thereby incrementing sp past
2961 * the depth simulated by ReconstructPCStack.
2962 *
2963 * Conversely, values may have been popped from the stack in preparation
2964 * for a call (e.g., by SplatApplyArgs). Since we must pass an offset from
2965 * the top of the simulated stack to js_ReportValueError3, we do bounds
2966 * checking using the minimum of both the simulated and actual stack depth.
2967 */
2979 }
2985 }