| blob | 15eb3d519236936c57eec764a816c8fca8782eb4 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=79:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS object implementation.
43 */
44 #include <stdlib.h>
45 #include <string.h>
87 #if JS_HAS_GENERATORS
89 #endif
91 #if JS_HAS_XML_SUPPORT
93 #endif
95 #if JS_HAS_XDR
97 #endif
111 Class js_ObjectClass = {
112 js_Object_str,
118 EnumerateStub,
119 ResolveStub,
120 ConvertStub
121 };
125 {
128 }
130 #if JS_HAS_OBJ_PROTO_PROP
132 static JSBool
135 static JSBool
139 {js_proto_str, 0, JSPROP_PERMANENT|JSPROP_SHARED, Jsvalify(obj_getProto), Jsvalify(obj_setProto)},
141 };
143 static JSBool
145 {
146 /* Let CheckAccess get the slot's value, based on the access mode. */
147 uintN attrs;
150 }
152 static JSBool
154 {
155 /* ECMAScript 5 8.6.2 forbids changing [[Prototype]] if not [[Extensible]]. */
159 }
166 /*
167 * Innerize pobj here to avoid sticking unwanted properties on the
168 * outer object. This ensures that any with statements only grant
169 * access to the inner object.
170 */
174 }
176 uintN attrs;
182 }
186 #define object_props NULL
190 static JSHashNumber
192 {
194 }
198 {
201 JSHashNumber hash;
203 jsatomid sharpid;
205 JSBool ok;
207 jsid id;
225 }
252 }
254 /* Mark the getter, then set val to setter. */
259 }
265 }
270 }
271 }
281 }
283 }
287 }
289 JSHashEntry *
292 {
296 JSHashNumber hash;
298 jsatomid sharpid;
305 /* Set to null in case we return an early error. */
315 }
318 }
320 /* From this point the control must flow either through out: or bad:. */
323 /*
324 * Although MarkSharpObjects tries to avoid invoking getters,
325 * it ends up doing so anyway under some circumstances; for
326 * example, if a wrapped object has getters, the wrapper will
327 * prevent MarkSharpObjects from recognizing them as such.
328 * This could lead to js_LeaveSharpObject being called while
329 * MarkSharpObjects is still working.
330 *
331 * Increment map->depth while we call MarkSharpObjects, to
332 * ensure that such a call doesn't free the hash table we're
333 * still using.
334 */
344 }
350 /*
351 * It's possible that the value of a property has changed from the
352 * first time the object's properties are traversed (when the property
353 * ids are entered into the hash table) to the second (when they are
354 * converted to strings), i.e., the JSObject::getProperty() call is not
355 * idempotent.
356 */
362 }
365 }
366 }
378 }
379 }
381 out:
390 }
392 }
393 }
395 }
401 bad:
402 /* Clean up the sharpObjectMap table on outermost error. */
408 }
410 }
412 void
414 {
425 }
431 }
432 }
433 }
435 static intN
437 {
440 }
442 void
444 {
448 /*
449 * During recursive calls to MarkSharpObjects a non-native object or
450 * object with a custom getProperty method can potentially return an
451 * unrooted value or even cut from the object graph an argument of one of
452 * MarkSharpObjects recursive invocations. So we must protect map->table
453 * entries against GC.
454 *
455 * We can not simply use JSTempValueRooter to mark the obj argument of
456 * MarkSharpObjects during recursion as we have to protect *all* entries
457 * in JSSharpObjectMap including those that contains otherwise unreachable
458 * objects just allocated through custom getProperty. Otherwise newer
459 * allocations can re-use the address of an object stored in the hashtable
460 * confusing js_EnterSharpObject. So to address the problem we simply
461 * mark all objects from map->table.
462 *
463 * An alternative "proper" solution is to use JSTempValueRooter in
464 * MarkSharpObjects with code to remove during finalization entries
465 * with otherwise unreachable objects. But this is way too complex
466 * to justify spending efforts.
467 */
469 }
471 #if JS_HAS_TOSOURCE
472 static JSBool
474 {
496 /* If outermost, we need parentheses to be an expression, not a block. */
502 }
504 /*
505 * We didn't enter -- obj is already "sharp", meaning we've visited it
506 * already in our depth first search, and therefore chars contains a
507 * string of the form "#n#".
508 */
510 #if JS_HAS_SHARP_VARS
512 #else
517 #endif
519 }
524 /* If outermost, allocate 4 + 1 for "({})" and the terminator. */
532 /* js_EnterSharpObject returned a string of the form "#n=" in chars. */
540 }
542 /*
543 * No need for parentheses around the whole shebang, because #n=
544 * unambiguously begins an object initializer, and never a block
545 * statement.
546 */
548 }
549 }
555 /*
556 * We have four local roots for cooked and raw value GC safety. Hoist the
557 * "localroot + 2" out of the loop using the val local, which refers to
558 * the raw (unconverted, "uncooked") values.
559 */
563 /* Get strings for id and value and GC-root them via vp. */
570 /*
571 * Convert id to a value and then to a string. Decide early whether we
572 * prefer get/set or old getter/setter syntax.
573 */
578 }
591 valcnt++;
592 }
597 valcnt++;
598 }
599 }
606 }
607 }
609 /*
610 * If id is a string that's not an identifier, or if it's a negative
611 * integer, then it must be quoted.
612 */
615 ? !idIsLexicalIdentifier
621 }
623 }
629 }
632 /*
633 * Censor an accessor descriptor getter or setter part if it's
634 * undefined.
635 */
639 /* Convert val[j] to its canonical source form. */
644 }
650 }
653 /*
654 * If val[j] is a non-sharp object, and we're not serializing an
655 * accessor (ECMA syntax can't accommodate sharpened accessors),
656 * consider sharpening it.
657 */
660 #if JS_HAS_SHARP_VARS
666 }
674 }
676 }
677 }
678 #endif
680 /*
681 * Remove '(function ' from the beginning of valstr and ')' from the
682 * end so that we can put "get" in front of the function definition.
683 */
690 vchars++;
692 }
694 /* Try to jump "function" keyword. */
698 /*
699 * Jump over the function's name: it can't be encoded as part
700 * of an ECMA getter or setter.
701 */
707 vchars++;
712 }
713 }
715 #define SAFE_ADD(n) \
716 JS_BEGIN_MACRO \
717 size_t n_ = (n); \
718 curlen += n_; \
719 if (curlen < n_) \
720 goto overflow; \
721 JS_END_MACRO
731 /* Account for the trailing null. */
733 #undef SAFE_ADD
738 /* Allocate 1 + 1 at end for closing brace and terminating 0. */
743 }
748 }
759 }
762 /* Extraneous space after id here will be extracted later */
768 }
774 }
775 }
782 error:
789 }
795 }
796 make_string:
802 }
805 out:
808 overflow:
813 }
818 JSString *
820 {
843 }
845 }
847 /* ES5 15.2.4.2. Note steps 1 and 2 are errata. */
848 static JSBool
850 {
853 /* ES5 15.2.4.2 step 1. */
857 }
859 /* ES5 15.2.4.2 step 2. */
863 }
865 /* ES5 15.2.4.2 step 3. */
869 /* ES5 15.2.4.2 steps 4-5. */
875 }
877 static JSBool
879 {
889 }
891 static JSBool
893 {
898 }
900 /*
901 * Check if CSP allows new Function() or eval() to run in the current
902 * principals.
903 */
904 JSBool
906 {
907 // CSP is static per document, so if our check said yes before, that
908 // answer is still valid.
914 // if there are callbacks, make sure that the CSP callback is installed and
915 // that it permits eval().
919 // update the cache in the global object for the result of the security check
921 }
923 }
925 /*
926 * Check whether principals subsumes scopeobj's principals, and return true
927 * if so (or if scopeobj has no principals, for backward compatibility with
928 * the JS API, which does not require principals), and false otherwise.
929 */
930 JSBool
933 {
942 JSAutoByteString callerstr;
948 }
949 }
951 }
953 static bool
955 {
962 /* XXX This is an awful gross hack. */
967 js_eval_str);
969 }
971 }
974 }
979 {
980 uint32 flags;
981 #ifdef DEBUG
983 #endif
988 principals &&
992 }
1000 }
1002 }
1004 #ifndef EVAL_CACHE_CHAIN_LIMIT
1005 # define EVAL_CACHE_CHAIN_LIMIT 4
1006 #endif
1010 {
1016 uint32 h;
1023 }
1028 {
1029 /*
1030 * Cache local eval scripts indexed by source qualified by scope.
1031 *
1032 * An eval cache entry should never be considered a hit unless its
1033 * strictness matches that of the new eval code. The existing code takes
1034 * care of this, because hits are qualified by the function from which
1035 * eval was called, whose strictness doesn't change. (We don't cache evals
1036 * in eval code, so the calling function corresponds to the calling script,
1037 * and its strictness never varies.) Scripts produced by calls to eval from
1038 * global code aren't cached.
1039 *
1040 * FIXME bug 620141: Qualify hits by calling script rather than function.
1041 * Then we wouldn't need the unintuitive !isEvalFrame() hack in EvalKernel
1042 * to avoid caching nested evals in functions (thus potentially mismatching
1043 * on strict mode), and we could cache evals in global code if desired.
1044 */
1059 /*
1060 * Get the prior (cache-filling) eval's saved caller function.
1061 * See Compiler::compileScript in jsparse.cpp.
1062 */
1066 /*
1067 * Get the source string passed for safekeeping in the
1068 * atom map by the prior eval to Compiler::compileScript.
1069 */
1073 /*
1074 * Source matches, qualify by comparing scopeobj to the
1075 * COMPILE_N_GO-memoized parent of the first literal
1076 * function or regexp object if any. If none, then this
1077 * script has no compiled-in dependencies on the prior
1078 * eval's scopeobj.
1079 */
1090 }
1091 }
1099 }
1100 }
1101 }
1102 }
1108 }
1110 }
1112 /* ES5 15.1.2.1. */
1113 static JSBool
1115 {
1116 /*
1117 * NB: This method handles only indirect eval: direct eval is handled by
1118 * JSOP_EVAL.
1119 */
1123 /* FIXME Bug 602994: This really should be perfectly cromulent. */
1125 /* Eval code needs to inherit principals from the caller. */
1129 }
1132 }
1136 bool
1139 {
1140 /*
1141 * FIXME Bug 602994: Calls with no scripted caller should be permitted and
1142 * should be implemented as indirect calls.
1143 */
1147 /*
1148 * We once supported a second argument to eval to use as the scope chain
1149 * when evaluating the code string. Warn when such uses are seen so that
1150 * authors will know that support for eval(s, o) has been removed.
1151 */
1155 "Support for eval(code, scopeObject) has been removed. "
1160 }
1162 /*
1163 * CSP check: Is eval() allowed at all?
1164 * Report errors via CSP is done in the script security mgr.
1165 */
1169 }
1171 /* ES5 15.1.2.1 step 1. */
1175 }
1179 }
1182 /* ES5 15.1.2.1 steps 2-8. */
1187 /*
1188 * Per ES5, indirect eval runs in the global scope. (eval is specified this
1189 * way so that the compiler can make assumptions about what bindings may or
1190 * may not exist in the current frame if it doesn't see 'eval'.)
1191 */
1192 uintN staticLevel;
1196 #ifdef DEBUG
1200 #endif
1202 /* Pretend that we're top level. */
1207 }
1209 /* Ensure we compile this eval with the right object in the scope chain. */
1219 /*
1220 * If the eval string starts with '(' and ends with ')', it may be JSON.
1221 * Try the JSON parser first because it's much faster. If the eval string
1222 * isn't JSON, JSON parsing will probably fail quickly, so little time
1223 * will be lost.
1224 */
1228 /* Run JSON-parser on string inside ( and ). */
1233 }
1234 }
1236 /*
1237 * Direct calls to eval are supposed to see the caller's |this|. If we
1238 * haven't wrapped that yet, do so now, before we make a copy of it for
1239 * the eval code to use.
1240 */
1249 /*
1250 * We can't have a callerFrame (down in js::Execute's terms) if we're in
1251 * global code (or if we're an indirect eval).
1252 */
1255 uintN lineno;
1264 }
1268 /*
1269 * Belt-and-braces: check that the lesser of eval's principals and the
1270 * caller's principals has access to scopeobj.
1271 */
1278 #ifdef CHECK_SCRIPT_OWNER
1280 #endif
1283 }
1285 bool
1287 {
1289 }
1291 }
1293 #if JS_HAS_OBJ_WATCHPOINT
1295 static JSBool
1298 {
1303 JSResolvingKey key;
1305 uint32 generation;
1307 JSBool ok;
1313 /* Skip over any obj_watch_* frames between us and the real subject. */
1316 /*
1317 * Only call the watch handler if the watcher is allowed to watch
1318 * the currently executing script.
1319 */
1324 /* Silently don't call the watch handler. */
1326 }
1327 }
1328 }
1330 /* Avoid recursion on (obj, id) already being watched on cx. */
1345 }
1347 static JSBool
1349 {
1353 }
1359 /* Compute the unique int/atom symbol id needed by js_LookupProperty. */
1360 jsid propid;
1365 Value tmp;
1366 uintN attrs;
1377 }
1379 static JSBool
1381 {
1386 jsid id;
1392 }
1394 }
1398 /*
1399 * Prototype and property query methods, to complement the 'in' and
1400 * 'instanceof' operators.
1401 */
1403 /* Proposed ECMA 15.2.4.5. */
1404 static JSBool
1406 {
1410 }
1412 JSBool
1415 {
1416 jsid id;
1431 }
1436 }
1438 JSBool
1441 {
1457 }
1461 /*
1462 * The combination of JSPROP_SHARED and JSPROP_PERMANENT in a
1463 * delegated property makes that property appear to be direct in
1464 * all delegating instances of the same native class. This hack
1465 * avoids bloating every function instance with its own 'length'
1466 * (AKA 'arity') property. But it must not extend across class
1467 * boundaries, to avoid making hasOwnProperty lie (bug 320854).
1468 *
1469 * It's not really a hack, of course: a permanent property can't
1470 * be deleted, and JSPROP_SHARED means "don't allocate a slot in
1471 * any instance, prototype or delegating". Without a slot, and
1472 * without the ability to remove and recreate (with differences)
1473 * the property, there is no way to tell whether it is directly
1474 * owned, or indirectly delegated.
1475 */
1479 }
1482 }
1484 }
1486 /* Proposed ECMA 15.2.4.6. */
1487 static JSBool
1489 {
1496 }
1498 /* Proposed ECMA 15.2.4.7. */
1499 static JSBool
1501 {
1502 jsid id;
1508 }
1510 JSBool
1512 {
1521 }
1523 /*
1524 * XXX ECMA spec error compatible: return false unless hasOwnProperty.
1525 * The ECMA spec really should be fixed so propertyIsEnumerable and the
1526 * for..in loop agree on whether prototype properties are enumerable,
1527 * obviously by fixing this method (not by breaking the for..in loop!).
1528 *
1529 * We check here for shared permanent prototype properties, which should
1530 * be treated as if they are local to obj. They are an implementation
1531 * technique used to satisfy ECMA requirements; users should not be able
1532 * to distinguish a shared permanent proto-property from a local one.
1533 */
1535 uintN attrs;
1544 }
1548 }
1551 }
1553 #if OLD_GETTER_SETTER_METHODS
1562 {
1565 JSMSG_BAD_GETTER_OR_SETTER,
1566 js_getter_str);
1568 }
1571 jsid id;
1577 /*
1578 * Getters and setters are just like watchpoints from an access
1579 * control point of view.
1580 */
1581 Value junk;
1582 uintN attrs;
1588 }
1592 {
1595 JSMSG_BAD_GETTER_OR_SETTER,
1596 js_setter_str);
1598 }
1601 jsid id;
1607 /*
1608 * Getters and setters are just like watchpoints from an access
1609 * control point of view.
1610 */
1611 Value junk;
1612 uintN attrs;
1618 }
1620 static JSBool
1622 {
1623 jsid id;
1637 }
1638 }
1640 }
1642 static JSBool
1644 {
1645 jsid id;
1659 }
1660 }
1662 }
1665 JSBool
1667 {
1671 }
1681 }
1684 uintN attrs;
1687 }
1689 extern JSBool
1693 {
1694 /* We have our own property, so start creating the descriptor. */
1707 }
1715 }
1716 }
1724 }
1726 JSBool
1728 {
1739 }
1754 }
1758 }
1764 attrs,
1768 vp);
1769 }
1771 static bool
1772 GetFirstArgumentAsObject(JSContext *cx, uintN argc, Value *vp, const char *method, JSObject **objp)
1773 {
1778 }
1789 }
1793 }
1795 static JSBool
1797 {
1805 }
1807 static JSBool
1809 {
1832 }
1833 }
1842 }
1844 static bool
1846 {
1852 }
1854 /*
1855 * We must go through the method read barrier in case id is 'get' or 'set'.
1856 * There is no obvious way to defer cloning a joined function object whose
1857 * identity will be used by DefinePropertyOnObject, e.g., or reflected via
1858 * js_GetOwnPropertyDescriptor, as the getter or setter callable object.
1859 */
1861 }
1876 {
1877 }
1879 bool
1881 {
1885 /* 8.10.5 step 1 */
1889 }
1892 /* Make a copy of the descriptor. We might need it later. */
1895 /* Start with the proper defaults. */
1900 /* 8.10.5 step 3 */
1903 #endif
1910 }
1912 /* 8.10.5 step 4 */
1919 }
1921 /* 8.10.5 step 5 */
1927 }
1929 /* 8.10.6 step 6 */
1936 }
1938 /* 8.10.7 step 7 */
1944 js_getter_str);
1946 }
1950 }
1952 /* 8.10.7 step 8 */
1958 js_setter_str);
1960 }
1964 }
1966 /* 8.10.7 step 9 */
1970 }
1973 }
1975 static JSBool
1977 {
1979 jsid idstr;
1987 }
1991 }
1993 static JSBool
1995 {
2004 }
2006 }
2010 }
2012 static JSBool
2015 {
2016 /* 8.12.9 step 1. */
2025 /*
2026 * If we find a shared permanent property in a different object obj2 from
2027 * obj, then if the property is shared permanent (an old hack to optimize
2028 * per-object properties into one prototype property), ignore that lookup
2029 * result (null current).
2030 *
2031 * FIXME: bug 575997 (see also bug 607863).
2032 */
2034 /* See same assertion with comment further below. */
2040 }
2042 /* 8.12.9 steps 2-4. */
2053 }
2057 /*
2058 * Getters and setters are just like watchpoints from an access
2059 * control point of view.
2060 */
2061 Value dummy;
2062 uintN dummyAttrs;
2069 }
2071 /* 8.12.9 steps 5-6 (note 5 is merely a special case of 6). */
2074 /*
2075 * In the special case of shared permanent properties, the "own" property
2076 * can be found on a different object. In that case the returned property
2077 * might not be native, except: the shared permanent property optimization
2078 * is not applied if the objects have different classes (bug 320854), as
2079 * must be enforced by js_HasOwnProperty for the Shape cast below to be
2080 * safe.
2081 */
2091 JSBool same;
2096 }
2099 JSBool same;
2104 }
2106 /*
2107 * Determine the current value of the property once, if the current
2108 * value might actually need to be used or preserved later. NB: we
2109 * guard on whether the current property is a data descriptor to
2110 * avoid calling a getter; we won't need the value if it's not a
2111 * data descriptor.
2112 */
2114 /*
2115 * Non-standard: if the property is non-configurable and is
2116 * represented by a native getter or setter, don't permit
2117 * redefinition. We expose properties with native getter/setter
2118 * as though they were data properties, for the most part, but
2119 * in this particular case we must worry about integrity
2120 * concerns for JSAPI users who expected that
2121 * permanent+getter/setter means precisely controlled behavior.
2122 * If we permitted such redefinitions, such a property could be
2123 * "fixed" to some specific previous value, no longer varying
2124 * according to the intent of the native getter/setter for the
2125 * property.
2126 *
2127 * Other engines expose properties of this nature using ECMA
2128 * getter/setter pairs, but we can't because we use them even
2129 * for properties which ECMA specifies as being true data
2130 * descriptors ([].length, Function.length, /regex/.lastIndex,
2131 * &c.). Longer-term perhaps we should convert such properties
2132 * to use data descriptors (at which point representing a
2133 * descriptor with native getter/setter as an accessor
2134 * descriptor would be fine) and take a small memory hit, but
2135 * for now we'll simply forbid their redefinition.
2136 */
2140 }
2143 /* current was dropped when the failure occurred. */
2145 }
2146 }
2152 JSBool same;
2158 }
2162 /* The only fields in desc will be handled below. */
2164 }
2165 }
2172 /* The conditions imposed by step 5 or step 6 apply. */
2177 /* 8.12.9 step 7. */
2179 /*
2180 * Since [[Configurable]] defaults to false, we don't need to check
2181 * whether it was specified. We can't do likewise for [[Enumerable]]
2182 * because its putative value is used in a comparison -- a comparison
2183 * whose result must always be false per spec if the [[Enumerable]]
2184 * field is not present. Perfectly pellucid logic, eh?
2185 */
2190 }
2191 }
2196 /* 8.12.9 step 8, no validation required */
2198 /* 8.12.9 step 9. */
2202 /* 8.12.9 step 10. */
2208 JSBool same;
2213 }
2214 }
2218 /* 8.12.9 step 11. */
2222 JSBool same;
2227 }
2230 JSBool same;
2235 }
2236 }
2237 }
2239 /* 8.12.9 step 12. */
2240 uintN attrs;
2256 }
2273 /*
2274 * Getters and setters are just like watchpoints from an access
2275 * control point of view.
2276 */
2277 Value dummy;
2283 /* 8.12.9 step 12. */
2299 ? PropertyStub
2301 }
2306 ? PropertyStub
2308 }
2309 }
2313 /*
2314 * Since "data" properties implemented using native C functions may rely on
2315 * side effects during setting, we must make them aware that they have been
2316 * "assigned"; deleting the property before redefining it does the trick.
2317 * See bug 539766, where we ran into problems when we redefined
2318 * arguments.length without making the property aware that its value had
2319 * been changed (which would have happened if we had deleted it before
2320 * redefining it or we had invoked its setter to change its value).
2321 */
2323 Value dummy;
2326 }
2329 }
2331 static JSBool
2334 {
2335 /*
2336 * We probably should optimize dense array property definitions where
2337 * the descriptor describes a traditional array property (enumerable,
2338 * configurable, writable, numeric index or length without altering its
2339 * attributes). Such definitions are probably unlikely, so we don't bother
2340 * for now.
2341 */
2348 /*
2349 * Our optimization of storage of the length property of arrays makes
2350 * it very difficult to properly implement defining the property. For
2351 * now simply throw an exception (NB: not merely Reject) on any attempt
2352 * to define the "length" property, rather than attempting to implement
2353 * some difficult-for-authors-to-grasp subset of that functionality.
2354 */
2357 }
2359 uint32 index;
2361 /*
2362 // Disabled until we support defining "length":
2363 if (index >= oldLen && lengthPropertyNotWritable())
2364 return ThrowTypeError(cx, JSMSG_CANT_APPEND_TO_ARRAY);
2365 */
2374 }
2378 }
2381 }
2383 static JSBool
2386 {
2394 }
2397 }
2399 JSBool
2402 {
2413 }
2415 /* ES5 15.2.3.6: Object.defineProperty(O, P, Attributes) */
2416 static JSBool
2418 {
2419 /* 15.2.3.6 steps 1 and 5. */
2425 /* 15.2.3.6 step 2. */
2430 /* 15.2.3.6 step 3. */
2433 /* 15.2.3.6 step 4 */
2434 JSBool junk;
2436 }
2438 static bool
2440 {
2455 }
2456 }
2462 }
2465 }
2467 extern JSBool
2469 {
2471 }
2473 /* ES5 15.2.3.7: Object.defineProperties(O, Properties) */
2474 static JSBool
2476 {
2477 /* 15.2.3.6 steps 1 and 5. */
2487 }
2495 }
2497 /* ES5 15.2.3.5: Object.create(O [, Properties]) */
2498 static JSBool
2500 {
2505 }
2516 }
2518 /*
2519 * Use the callee's global as the parent of the new object to avoid dynamic
2520 * scoping (i.e., using the caller's global).
2521 */
2528 /* 15.2.3.5 step 4. */
2533 }
2548 }
2549 }
2555 }
2556 }
2558 /* 5. Return obj. */
2560 }
2562 static JSBool
2564 {
2588 }
2589 }
2597 }
2599 static JSBool
2601 {
2608 }
2610 static JSBool
2612 {
2623 }
2625 bool
2627 {
2638 }
2640 /* preventExtensions must slowify dense arrays, so we can assign to holes without checks. */
2646 uintN attrs;
2650 /* Make all attributes permanent; if freezing, make data attributes read-only. */
2651 uintN new_attrs;
2654 else
2657 /* If we already have the attributes we need, skip the setAttributes call. */
2664 }
2667 }
2669 static JSBool
2671 {
2679 }
2681 static JSBool
2683 {
2704 /* The property must be non-configurable and either read-only or an accessor. */
2708 }
2710 /* It really was sealed, so return true. */
2713 }
2715 static JSBool
2717 {
2725 }
2727 static JSBool
2729 {
2734 /* Assume not sealed until proven otherwise. */
2747 uintN attrs;
2753 }
2755 /* It really was sealed, so return true. */
2758 }
2760 #if JS_HAS_OBJ_WATCHPOINT
2763 #endif
2769 #if JS_HAS_TOSOURCE
2771 #endif
2775 #if JS_HAS_OBJ_WATCHPOINT
2778 #endif
2782 #if OLD_GETTER_SETTER_METHODS
2787 #endif
2788 JS_FS_END
2789 };
2805 JS_FS_END
2806 };
2808 JSBool
2810 {
2813 /* Trigger logic below to construct a blank object. */
2816 /* If argv[0] is null or undefined, obj comes back null. */
2819 }
2821 /* Make an object whether this was called with 'new' or not. */
2827 }
2830 }
2832 JSObject*
2834 {
2842 }
2844 Value protov;
2845 if (!callee->getProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.classPrototypeAtom), &protov))
2855 }
2857 JSObject *
2859 {
2861 return NewNonFunction<WithProto::Class>(cx, &js_ObjectClass, proto, callee->getParent(), kind);
2862 }
2864 JSObject *
2866 {
2867 Value protov;
2872 }
2875 }
2877 #ifdef JS_TRACER
2882 {
2893 }
2895 JSObject* FASTCALL
2897 {
2900 }
2906 JSObject* FASTCALL
2908 {
2912 }
2915 }
2920 JSObject* FASTCALL
2922 {
2929 }
2933 JSObject* FASTCALL
2935 {
2949 /* An object in ctor.prototype, let's use it as the new instance's proto. */
2952 /* A hole or a primitive: either way, we need to get Object.prototype. */
2957 /*
2958 * No ctor.prototype was set, so we inline-expand and optimize
2959 * fun_resolve's prototype creation code.
2960 */
2968 }
2970 /*
2971 * A primitive value in .prototype means to use Object.prototype
2972 * for proto. See ES5 13.2.2 step 7.
2973 */
2974 }
2975 }
2977 /*
2978 * FIXME: 561785 at least. Quasi-natives including XML objects prevent us
2979 * from easily or unconditionally calling NewNativeClassInstance here.
2980 */
2983 }
2985 JS_DEFINE_CALLINFO_3(extern, CONSTRUCTOR_RETRY, js_CreateThisFromTrace, CONTEXT, CLASS, OBJECT, 0,
2990 # define js_Object_trcinfo NULL
2994 /*
2995 * Given pc pointing after a property accessing bytecode, return true if the
2996 * access is "object-detecting" in the sense used by web scripts, e.g., when
2997 * checking whether document.all is defined.
2998 */
2999 JS_REQUIRES_STACK JSBool
3001 {
3004 JSOp op;
3012 /* General case: a branch or equality op follows the access. */
3019 /*
3020 * Special case #1: handle (document.all == null). Don't sweat
3021 * about JS1.2's revision of the equality operators here.
3022 */
3026 }
3031 /*
3032 * Special case #2: handle (document.all == undefined). Don't
3033 * worry about someone redefining undefined, which was added by
3034 * Edition 3, so is read/write for backward compatibility.
3035 */
3042 }
3046 /*
3047 * At this point, anything but an extended atom index prefix means
3048 * we're not detecting.
3049 */
3053 }
3054 }
3055 }
3057 /*
3058 * Infer lookup flags from the currently executing bytecode. This does
3059 * not attempt to infer JSRESOLVE_WITH, because the current bytecode
3060 * does not indicate whether we are in a with statement. Return defaultFlags
3061 * if a currently executing bytecode cannot be determined.
3062 */
3063 uintN
3065 {
3066 #ifdef JS_TRACER
3069 #endif
3075 uint32 format;
3092 }
3096 }
3098 /*
3099 * ObjectOps and Class for with-statement stack objects.
3100 */
3101 static JSBool
3104 {
3105 /* Fixes bug 463997 */
3112 }
3114 static JSBool
3116 {
3118 }
3120 static JSBool
3122 {
3124 }
3126 static JSBool
3128 {
3130 }
3132 static JSBool
3134 {
3136 }
3138 static JSBool
3140 {
3142 }
3144 static JSBool
3147 {
3149 }
3151 static JSType
3153 {
3155 }
3159 {
3161 }
3163 Class js_WithClass = {
3170 EnumerateStub,
3171 ResolveStub,
3172 ConvertStub,
3181 JS_NULL_CLASS_EXT,
3182 {
3183 with_LookupProperty,
3185 with_GetProperty,
3186 with_SetProperty,
3187 with_GetAttributes,
3188 with_SetAttributes,
3189 with_DeleteProperty,
3190 with_Enumerate,
3191 with_TypeOf,
3194 with_ThisObject,
3196 }
3197 };
3199 JS_REQUIRES_STACK JSObject *
3201 {
3223 }
3225 JSObject *
3227 {
3228 /*
3229 * Null obj's proto slot so that Object.prototype.* does not pollute block
3230 * scopes and to give the block object its own scope.
3231 */
3239 }
3241 JSObject *
3243 {
3255 /* The caller sets parent on its own. */
3266 }
3268 JS_REQUIRES_STACK JSBool
3270 {
3276 /* Block objects should have all reserved slots allocated early. */
3280 /* The block and its locals must be on the current stack for GC safety. */
3285 /* See comments in CheckDestructuring from jsparse.cpp. */
3292 }
3294 /* We must clear the private slot even with errors. */
3298 }
3300 static JSBool
3302 {
3303 /*
3304 * Block objects are never exposed to script, and the engine handles them
3305 * with care. So unlike other getters, this one can assert (rather than
3306 * check) certain invariants about obj.
3307 */
3319 }
3321 /* Values are in slots immediately following the class-reserved ones. */
3324 }
3326 static JSBool
3328 {
3340 }
3342 /*
3343 * The value in *vp will be written back to the slot in obj that was
3344 * allocated when this let binding was defined.
3345 */
3347 }
3351 {
3354 /* Use JSPROP_ENUMERATE to aid the disassembler. */
3365 }
3367 static size_t
3369 {
3373 }
3375 bool
3377 {
3378 // If we're not native, then we cannot copy properties.
3387 }
3404 }
3406 }
3408 static bool
3410 {
3422 }
3429 }
3431 }
3433 JSObject *
3435 {
3436 /*
3437 * We can only clone native objects and proxies. Dense arrays are slowified if
3438 * we try to clone them.
3439 */
3446 JSMSG_CANT_CLONE_OBJECT);
3448 }
3449 }
3458 JSMSG_CANT_CLONE_OBJECT);
3460 }
3468 }
3470 }
3472 static void
3474 {
3478 /*
3479 * Regexp guts are more complicated -- we would need to migrate the
3480 * refcounted JIT code blob for them across compartments instead of just
3481 * swapping guts.
3482 */
3488 /* Trade the guts of the objects. */
3491 /*
3492 * If the objects are the same size, then we make no assumptions about
3493 * whether they have dynamically allocated slots and instead just copy
3494 * them over wholesale.
3495 */
3503 /* Fixup pointers for inline slots on the objects. */
3509 /*
3510 * If the objects are of differing sizes, then we only copy over the
3511 * JSObject portion (things like class, etc.) and leave it to
3512 * JSObject::clone to copy over the dynamic slots for us.
3513 */
3515 JSFunction tmp;
3520 JSObject tmp;
3524 }
3528 }
3529 }
3531 /*
3532 * Use this method with extreme caution. It trades the guts of two objects and updates
3533 * scope ownership. This operation is not thread-safe, just as fast array to slow array
3534 * transitions are inherently not thread-safe. Don't perform a swap operation on objects
3535 * shared across threads or, or bad things will happen. You have been warned.
3536 */
3537 bool
3539 {
3540 /*
3541 * If we are swapping objects with a different number of builtin slots, force
3542 * both to not use their inline slots.
3543 */
3548 }
3552 }
3553 }
3558 }
3562 {
3569 }
3570 {
3577 }
3582 }
3584 #if JS_HAS_XDR
3586 #define NO_PARENT_INDEX ((uint32)-1)
3588 uint32
3590 {
3600 }
3603 }
3605 JSBool
3607 {
3609 uint32 parentId;
3612 uint32 depthAndCount;
3616 #ifdef __GNUC__
3618 #endif
3629 }
3632 #endif
3634 /* First, XDR the parent atomid. */
3644 /*
3645 * If there's a parent id, then get the parent out of our script's
3646 * object array. We know that we XDR block object in outer-to-inner
3647 * order, which means that getting the parent now will work.
3648 */
3651 else
3654 }
3666 /*
3667 * XDR the block object's properties. We know that there are 'count'
3668 * properties to XDR, stored as id/shortid pairs.
3669 */
3672 uint16 shortid;
3674 /* XDR the real id, then the shortid. */
3680 }
3688 }
3690 /*
3691 * XDR the block object's properties. We know that there are 'count'
3692 * properties to XDR, stored as id/shortid pairs.
3693 */
3705 /* XDR the real id, then the shortid. */
3708 }
3709 }
3711 }
3713 #endif
3715 Class js_BlockClass = {
3722 EnumerateStub,
3723 ResolveStub,
3724 ConvertStub
3725 };
3727 JSObject *
3729 {
3735 /* ECMA (15.1.2.1) says 'eval' is a property of the global object. */
3741 }
3743 static bool
3746 {
3750 /*
3751 * Initializing an actual standard class on a global object. If the
3752 * property is not yet present, force it into a new one bound to a
3753 * reserved slot. Otherwise, go through the normal property path.
3754 */
3771 }
3772 }
3776 }
3778 JSObject *
3783 {
3785 JSProtoKey key;
3793 /*
3794 * When initializing a standard class, if no parent_proto (grand-proto of
3795 * instances of the class, parent-proto of the class's prototype object)
3796 * is given, we must use Object.prototype if it is available. Otherwise,
3797 * we could look up the wrong binding for a class name in obj. Example:
3798 *
3799 * String = Array;
3800 * print("hi there".join);
3801 *
3802 * should print undefined, not Array.prototype.join. This is required by
3803 * ECMA-262, alas. It might have been better to make String readonly and
3804 * permanent in the global object, instead -- but that's too big a change
3805 * to swallow at this point.
3806 */
3812 }
3814 /*
3815 * Create a prototype object for this class.
3816 *
3817 * FIXME: lazy standard (built-in) class initialization and even older
3818 * eager boostrapping code rely on all of these properties:
3819 *
3820 * 1. NewObject attempting to compute a default prototype object when
3821 * passed null for proto; and
3822 *
3823 * 2. NewObject tolerating no default prototype (null proto slot value)
3824 * due to this js_InitClass call coming from js_InitFunctionClass on an
3825 * otherwise-uninitialized global.
3826 *
3827 * 3. NewObject allocating a JSFunction-sized GC-thing when clasp is
3828 * &js_FunctionClass, not a JSObject-sized (smaller) GC-thing.
3829 *
3830 * The JS_NewObjectForGivenProto and JS_NewObject APIs also allow clasp to
3831 * be &js_FunctionClass (we could break compatibility easily). But fixing
3832 * (3) is not enough without addressing the bootstrapping dependency on (1)
3833 * and (2).
3834 */
3841 /* After this point, control must exit via label bad or out. */
3846 /*
3847 * Lacking a constructor, name the prototype (e.g., Math) unless this
3848 * class (a) is anonymous, i.e. for internal use only; (b) the class
3849 * of obj (the global object) is has a reserved slot indexed by key;
3850 * and (c) key is not the null key.
3851 */
3858 }
3870 /*
3871 * Remember the class this function is a constructor for so that
3872 * we know to create an object of this class when we call the
3873 * constructor.
3874 */
3877 /*
3878 * Optionally construct the prototype object, before the class has
3879 * been fully initialized. Allow the ctor to replace proto with a
3880 * different object, as is done for operator new -- and as at least
3881 * XML support requires.
3882 */
3885 Value rval;
3889 }
3892 }
3894 /* Connect constructor and prototype by named properties. */
3898 }
3900 /* Bootstrap Function.prototype (see also JS_InitStandardClasses). */
3903 }
3905 /* Add properties and methods to the prototype and the constructor. */
3911 }
3913 /*
3914 * Pre-brand the prototype and constructor if they have built-in methods.
3915 * This avoids extra shape guard branch exits in the tracejitted code.
3916 */
3922 /*
3923 * Make sure proto's emptyShape is available to be shared by objects of
3924 * this class. JSObject::emptyShape is a one-slot cache. If we omit this,
3925 * some other class could snap it up. (The risk is particularly great for
3926 * Object.prototype.)
3927 *
3928 * All callers of JSObject::initSharingEmptyShape depend on this.
3929 *
3930 * FIXME: bug 592296 -- js_InitArrayClass should pass &js_SlowArrayClass
3931 * and make the Array.prototype slow from the start.
3932 */
3944 }
3946 /* If this is a standard class, cache its prototype. */
3952 bad:
3954 Value rval;
3956 }
3958 }
3960 bool
3962 {
3971 }
3979 /* Copy over anything from the inline buffer. */
3983 }
3985 bool
3987 {
3988 /*
3989 * When an object with CAPACITY_DOUBLING_MAX or fewer slots needs to
3990 * grow, double its capacity, to add N elements in amortized O(N) time.
3991 *
3992 * Above this limit, grow by 12.5% each time. Speed is still amortized
3993 * O(N), with a higher constant factor, and we waste less space.
3994 */
4011 /* Don't let nslots get close to wrapping around uint32. */
4015 }
4017 /* If nothing was allocated yet, treat it as initial allocation. */
4021 Value *tmpslots = (Value*) cx->realloc(slots, oldcap * sizeof(Value), actualCapacity * sizeof(Value));
4027 /* Initialize the additional slots we added. */
4030 }
4032 void
4034 {
4040 /* We won't shrink the slots any more. Clear excess holes. */
4043 }
4058 /* Clear any excess holes if we tried to shrink below SLOT_CAPACITY_MIN. */
4060 }
4061 }
4063 bool
4065 {
4071 }
4075 {
4078 }
4080 #define JS_PROTO(name,code,init) extern JSObject *init(JSContext *, JSObject *);
4082 #undef JS_PROTO
4085 #define JS_PROTO(name,code,init) init,
4087 #undef JS_PROTO
4088 };
4092 bool
4094 {
4101 }
4103 /*
4104 * Regenerate property cache shape ids for all of the scopes along the
4105 * old prototype chain to invalidate their property cache entries, in
4106 * case any entries were filled by looking up through obj.
4107 */
4112 }
4119 }
4121 }
4123 }
4125 JSBool
4128 {
4130 JSResolvingKey rkey;
4132 uint32 generation;
4133 JSObjectOp init;
4134 Value v;
4140 }
4146 }
4153 /* Already caching key in obj -- suppress recursion. */
4156 }
4169 }
4170 }
4175 }
4177 JSBool
4178 js_SetClassObject(JSContext *cx, JSObject *obj, JSProtoKey key, JSObject *cobj, JSObject *proto)
4179 {
4186 }
4188 JSBool
4191 {
4194 jsid id;
4198 /*
4199 * Find the global object. Use cx->fp() directly to avoid falling off
4200 * trace; all JIT-elided stack frames have the same global object as
4201 * cx->fp().
4202 */
4208 /* Find the topmost object in the scope chain. */
4218 }
4219 }
4233 }
4240 }
4246 }
4254 }
4255 }
4258 }
4260 JSObject *
4263 {
4268 /* Protect constructor in case a crazy getter for .prototype uproots it. */
4277 }
4279 /*
4280 * If proto is NULL, set it to Constructor.prototype, just like JSOP_NEW
4281 * does, likewise for the new object's parent.
4282 */
4287 Value rval;
4291 }
4294 }
4302 Value rval;
4309 /*
4310 * If the instance's class differs from what was requested, throw a type
4311 * error. If the given class has both the JSCLASS_HAS_PRIVATE and the
4312 * JSCLASS_CONSTRUCT_PROTOTYPE flags, and the instance does not have its
4313 * private data set at this point, then the constructor was replaced and
4314 * we should throw a type error.
4315 */
4319 JSCLASS_CONSTRUCT_PROTOTYPE)) &&
4324 }
4326 }
4328 bool
4330 {
4334 /*
4335 * If this object is in dictionary mode and it has a property table, try to
4336 * pull a free slot from the property table's slot-number freelist.
4337 */
4341 #ifdef DEBUG
4345 #endif
4353 }
4354 }
4359 /* JSObject::growSlots or JSObject::freeSlot should set the free slots to void. */
4363 }
4365 bool
4367 {
4375 /* Can't afford to check the whole freelist, but let's check the head. */
4378 /*
4379 * Freeing a slot other than the last one mapped by this object's
4380 * shape (and not a reserved slot; see bug 595230): push the slot onto
4381 * the dictionary property table's freelist. We want to let the last
4382 * slot be freed by shrinking the dslots vector; see js_TraceObject.
4383 */
4389 }
4390 }
4393 }
4395 /* JSBOXEDWORD_INT_MAX as a string */
4398 /*
4399 * Convert string indexes that convert to int jsvals as ints to save memory.
4400 * Care must be taken to use this macro every time a property name is used, or
4401 * else double-sets, incorrect property cache misses, or other mistakes could
4402 * occur.
4403 */
4404 jsid
4406 {
4438 cp++;
4439 }
4440 }
4442 /*
4443 * Non-integer indexes can't be represented as integers. Also, distinguish
4444 * index "-0" from "0", because JSBOXEDWORD_INT cannot.
4445 */
4452 {
4454 }
4458 {
4460 }
4461 }
4464 }
4466 static JSBool
4468 {
4475 }
4482 /*
4483 * All scope chains end in a global object, so this will change
4484 * the global shape. jstracer.cpp assumes that the global shape
4485 * never changes on trace, so we must deep-bail here.
4486 */
4488 }
4490 }
4492 }
4494 }
4496 void
4498 {
4502 /*
4503 * We must purge the scope chain only for Call objects as they are the only
4504 * kind of cacheable non-global object that can gain properties after outer
4505 * properties with the same names have been cached or traced. Call objects
4506 * may gain such properties via eval introducing new vars; see bug 490364.
4507 */
4512 }
4513 }
4514 }
4520 {
4523 /*
4524 * Purge the property cache of now-shadowed id in obj's scope chain. Do
4525 * this optimistically (assuming no failure below) before locking obj, so
4526 * we can lock the shadowed scope.
4527 */
4533 /* Convert string indices to integers if appropriate. */
4536 }
4542 {
4546 }
4548 JSBool
4551 {
4554 }
4556 /*
4557 * Backward compatibility requires allowing addProperty hooks to mutate the
4558 * nominal initial value of a slotful property, while GC safety wants that
4559 * value to be stored before the call-out through the hook. Optimize to do
4560 * both while saving cycles for classes that stub their addProperty hook.
4561 */
4564 {
4573 }
4574 }
4576 }
4578 JSBool
4583 {
4586 JSBool added;
4587 Value valueCopy;
4592 /* Convert string indices to integers if appropriate. */
4595 /*
4596 * If defining a getter or setter, we must check for its counterpart and
4597 * update the attributes and property ops. A getter or setter is really
4598 * only half of a property.
4599 */
4605 /*
4606 * If JS_THREADSAFE and id is found, js_LookupProperty returns with
4607 * shape non-null and pobj locked. If pobj == obj, the property is
4608 * already in obj and obj has its own (mutable) scope. So if we are
4609 * defining a getter whose setter was already defined, or vice versa,
4610 * finish the job via obj->changeProperty, and refresh the property
4611 * cache line for (obj, id) to map shape.
4612 */
4620 ? getter
4623 ? setter
4631 }
4632 }
4634 /*
4635 * Purge the property cache of any properties named by id that are about
4636 * to be shadowed in obj's scope chain unless it is known a priori that it
4637 * is not possible. We do this before locking obj to avoid nesting locks.
4638 */
4642 /*
4643 * Check whether a readonly property or setter is being defined on a known
4644 * prototype object. See the comment in jscntxt.h before protoHazardShape's
4645 * member declaration.
4646 */
4650 /* Use the object's class getter and setter by default. */
4657 }
4659 /* Get obj's own scope if it has one, or create a new one for obj. */
4665 /* Add a new property, or replace an existing one of the same id. */
4676 }
4677 }
4686 /*
4687 * If shape is a method, the above call to putProperty suffices to
4688 * update the shape if necessary. But if scope->branded(), the shape
4689 * may not have changed and we may be overwriting a function-valued
4690 * property. See bug 560998.
4691 */
4693 #ifdef DEBUG
4695 #endif
4698 }
4699 }
4701 /* Store value before calling addProperty, in case the latter GC's. */
4705 }
4707 /* XXXbe called with lock held */
4712 }
4719 }
4720 }
4725 #ifdef JS_TRACER
4727 #endif
4729 }
4731 #define SCOPE_DEPTH_ACCUM(bs,val) \
4732 JS_SCOPE_DEPTH_METERING(JS_BASIC_STATS_ACCUM(bs, val))
4734 /*
4735 * Call obj's resolve hook. obj is a native object and the caller holds its
4736 * scope lock.
4737 *
4738 * cx, start, id, and flags are the parameters initially passed to the ongoing
4739 * lookup; objp and propp are its out parameters. obj is an object along
4740 * start's prototype chain.
4741 *
4742 * There are four possible outcomes:
4743 *
4744 * - On failure, report an error or exception, unlock obj, and return false.
4745 *
4746 * - If we are alrady resolving a property of *curobjp, set *recursedp = true,
4747 * unlock obj, and return true.
4748 *
4749 * - If the resolve hook finds or defines the sought property, set *objp and
4750 * *propp appropriately, set *recursedp = false, and return true with *objp's
4751 * lock held.
4752 *
4753 * - Otherwise no property was resolved. Set *propp = NULL and *recursedp = false
4754 * and return true.
4755 */
4756 static JSBool
4759 {
4763 /*
4764 * Avoid recursion on (obj, id) already being resolved on cx.
4765 *
4766 * Once we have successfully added an entry for (obj, key) to
4767 * cx->resolvingTable, control must go through cleanup: before
4768 * returning. But note that JS_DHASH_ADD may find an existing
4769 * entry, in which case we bail to suppress runaway recursion.
4770 */
4776 /* Already resolving id in obj -- suppress recursion. */
4779 }
4785 JSBool ok;
4793 {
4794 /* Protect id and all atoms from a GC nested in resolve. */
4797 }
4802 /* Resolved: lookup id again for backward compatibility. */
4804 /* Whoops, newresolve handed back a foreign obj2. */
4810 /*
4811 * Require that obj2 not be empty now, as we do for old-style
4812 * resolve. If it doesn't, then id was not truly resolved, and
4813 * we'll find it in the proto chain, or miss it if obj2's proto
4814 * is not on obj's proto chain. That last case is a "too bad!"
4815 * case.
4816 */
4819 }
4823 }
4824 }
4826 /*
4827 * Old resolve always requires id re-lookup if obj is not empty after
4828 * resolve returns.
4829 */
4836 }
4838 cleanup:
4842 }
4845 }
4850 {
4851 /* We should not get string indices which aren't already integers here. */
4854 /* Search scopes starting with obj and following the prototype link. */
4864 }
4866 /* Try obj's class resolve hook if id was not found in obj's scope. */
4874 /* Recalculate protoIndex in case it was resolved on some other object. */
4877 protoIndex++;
4880 }
4881 }
4889 #ifdef DEBUG
4890 /*
4891 * Non-native objects must have either non-native lookup results,
4892 * or else native results from the non-native's prototype chain.
4893 *
4894 * See JSStackFrame::getValidCalleeObject, where we depend on this
4895 * fact to force a prototype-delegated joined method accessed via
4896 * arguments.callee through the delegating |this| object's method
4897 * read barrier.
4898 */
4902 }
4903 #endif
4905 }
4908 }
4913 }
4918 {
4919 /* Convert string indices to integers if appropriate. */
4923 }
4925 int
4928 {
4929 /* Convert string indices to integers if appropriate. */
4933 }
4935 PropertyCacheEntry *
4938 {
4947 /* Scan entries on the scope chain that we can cache across. */
4952 parent
4956 protoIndex =
4963 #ifdef DEBUG
4969 /*
4970 * A block instance on the scope chain is immutable and it
4971 * shares its shapes with its compile-time prototype.
4972 */
4977 /* Call and DeclEnvClass objects have no prototypes. */
4980 }
4983 }
4984 #endif
4985 /*
4986 * We must check if pobj is native as a global object can have
4987 * non-native prototype.
4988 */
4993 }
4996 }
5001 }
5004 }
5012 }
5014 /*
5015 * We conservatively assume that a resolve hook could mutate the scope
5016 * chain during JSObject::lookupProperty. So we read parent here again.
5017 */
5022 }
5024 }
5026 out:
5032 }
5034 /*
5035 * On return, if |*pobjp| is a native object, then |*propp| is a |Shape *|.
5036 * Otherwise, its type and meaning depends on the host object's implementation.
5037 */
5041 {
5043 }
5045 JSObject *
5047 {
5048 /*
5049 * This function should not be called for a global object or from the
5050 * trace and should have a valid cache entry for native scopeChain.
5051 */
5057 /*
5058 * Loop over cacheable objects on the scope chain until we find a
5059 * property. We also stop when we reach the global object skipping any
5060 * farther checks or lookups. For details see the JSOP_BINDNAME case of
5061 * js_Interpret.
5062 *
5063 * The test order here matters because js_IsCacheableNonGlobalScope
5064 * must not be passed a global object (i.e. one with null parent).
5065 */
5068 scopeIndex++) {
5080 }
5082 #ifdef DEBUG
5084 #endif
5089 }
5095 }
5097 /* Loop until we find a property or reach the global object. */
5106 /*
5107 * We conservatively assume that a resolve hook could mutate the scope
5108 * chain during JSObject::lookupProperty. So we must check if parent is
5109 * not null here even if it wasn't before the lookup.
5110 */
5117 }
5119 static JS_ALWAYS_INLINE JSBool
5122 {
5125 uint32 slot;
5126 int32 sample;
5136 }
5143 }
5146 {
5151 }
5159 }
5162 }
5164 JSBool
5167 {
5169 }
5171 JSBool
5173 {
5176 uint32 slot;
5177 int32 sample;
5185 /* If shape has a stub setter, keep obj locked and just store *vp. */
5192 }
5194 /*
5195 * Allow API consumers to create shared properties with stub setters.
5196 * Such properties effectively function as data descriptors which are
5197 * not writable, so attempting to set such a property should do nothing
5198 * or throw if we're in strict mode.
5199 */
5202 }
5205 {
5212 }
5221 }
5224 }
5230 {
5240 /* Convert string indices to integers if appropriate. */
5244 /* This call site is hot -- use the always-inlined variant of js_LookupPropertyWithFlags(). */
5260 /*
5261 * Give a strict warning if foo.bar is evaluated by a script for an
5262 * object foo with no property named 'bar'.
5263 */
5266 JSOp op;
5267 uintN flags;
5273 }
5281 }
5283 /*
5284 * XXX do not warn about missing __iterator__ as the function
5285 * may be called from JS_GetMethodById. See bug 355145.
5286 */
5290 /* Do not warn about tests like (obj[prop] == undefined). */
5298 }
5301 }
5303 /* Ok, bad undefined property reference: whine about it. */
5308 }
5309 }
5311 }
5317 }
5325 }
5327 /* This call site is hot -- use the always-inlined variant of js_NativeGet(). */
5332 }
5334 bool
5338 {
5341 }
5343 static JS_ALWAYS_INLINE JSBool
5346 {
5349 return js_GetPropertyHelperWithShapeInline(cx, obj, receiver, id, getHow, vp, &shape, &holder);
5350 }
5352 JSBool
5354 {
5356 }
5358 JSBool
5360 {
5361 /* This call site is hot -- use the always-inlined variant of js_GetPropertyHelper(). */
5363 }
5365 JSBool
5367 {
5376 }
5379 }
5381 JSBool
5383 {
5388 #if JS_HAS_XML_SUPPORT
5390 #endif
5392 }
5394 #if JS_HAS_XML_SUPPORT
5397 #endif
5399 }
5403 {
5408 /* If neither cx nor the code is strict, then no check is needed. */
5412 }
5421 }
5423 bool
5425 {
5429 }
5431 bool
5433 {
5437 }
5439 bool
5441 {
5445 }
5447 JSBool
5450 {
5456 intN shortid;
5466 /* Convert string indices to integers if appropriate. */
5489 }
5490 }
5493 }
5495 /* We should never add properties to lexical blocks. */
5502 }
5503 }
5506 /*
5507 * Now either shape is null, meaning id was not found in obj or one of its
5508 * prototypes; or shape is non-null, meaning id was found directly in pobj.
5509 */
5518 /* ES5 8.12.4 [[Put]] step 2. */
5528 /* Error in strict mode code, warn with strict option, otherwise do nothing. */
5534 }
5535 }
5539 /*
5540 * We found id in a prototype object: prepare to share or shadow.
5541 */
5550 }
5552 /*
5553 * Preserve attrs except JSPROP_SHARED, getter, and setter when
5554 * shadowing any property that has no slot (is shared). We must
5555 * clear the shared attribute for the shadowing shape so that the
5556 * property in obj that it defines has a slot to retain the value
5557 * being set, in case the setter simply cannot operate on instances
5558 * of obj's class by storing the value in some class-specific
5559 * location.
5560 *
5561 * A subset of slotless shared properties is the set of properties
5562 * with shortids, which must be preserved too. An old API requires
5563 * that the property's getter and setter receive the shortid, not
5564 * id, when they are called on the shadowing property that we are
5565 * about to create in obj.
5566 */
5572 }
5577 /* Restore attrs to the ECMA default for new properties. */
5579 }
5581 /*
5582 * Forget we found the proto-property now that we've copied any
5583 * needed member values.
5584 */
5586 }
5592 /*
5593 * JSOP_SETMETHOD is assigning to an existing own property. If it
5594 * is an identical method property, do nothing. Otherwise downgrade
5595 * to ordinary assignment. Either way, do not fill the property
5596 * cache, as the interpreter has no fast path for these unusual
5597 * cases.
5598 */
5612 }
5613 }
5615 }
5616 }
5621 /* Error in strict mode code, warn with strict option, otherwise do nothing. */
5627 }
5629 /*
5630 * Purge the property cache of now-shadowed id in obj's scope chain.
5631 * Do this early, before locking obj to avoid nesting locks.
5632 */
5635 /* Find or make a property descriptor with the right heritage. */
5639 /*
5640 * Check for Object class here to avoid defining a method on a class
5641 * with magic resolve, addProperty, getProperty, etc. hooks.
5642 */
5652 }
5653 }
5663 /*
5664 * Initialize the new property value (passed to setter) to undefined.
5665 * Note that we store before calling addProperty, to match the order
5666 * in js_DefineNativeProperty.
5667 */
5671 /* XXXbe called with obj locked */
5675 }
5677 }
5684 #ifdef JS_TRACER
5687 #endif
5688 }
5690 JSBool
5692 {
5694 }
5696 JSBool
5698 {
5705 }
5712 }
5714 JSBool
5716 {
5720 }
5722 JSBool
5724 {
5733 }
5735 JSBool
5737 {
5744 /* Convert string indices to integers if appropriate. */
5750 /*
5751 * If the property was found in a native prototype, check whether it's
5752 * shared and permanent. Such a property stands for direct properties
5753 * in all delegating objects, matching ECMA semantics without bloating
5754 * each delegating object.
5755 */
5763 }
5764 }
5766 /*
5767 * If no property, or the property comes unshared or impermanent from
5768 * a prototype, call the class's delProperty hook, passing rval as the
5769 * result parameter.
5770 */
5772 }
5780 }
5789 /*
5790 * Delete is rare enough that we can take the hit of checking for an
5791 * active cloned method function object that must be homed to a callee
5792 * slot on the active stack frame before this delete completes, in case
5793 * someone saved the clone and checks it against foo.caller for a foo
5794 * called from the active method.
5795 *
5796 * We do not check suspended frames. They can't be reached via caller,
5797 * so the only way they could have the method's joined function object
5798 * as callee is through an API abusage. We break any such edge case.
5799 */
5811 {
5817 }
5819 }
5820 }
5821 }
5822 }
5823 }
5824 }
5827 }
5831 JSObject *
5833 {
5844 }
5846 /*
5847 * When we have an object of a builtin class, we don't quite know what its
5848 * valueOf/toString methods are, since these methods may have been overwritten
5849 * or shadowed. However, we can still do better than js_TryMethod by
5850 * hard-coding the necessary properties for us to find the native we expect.
5851 *
5852 * TODO: a per-thread shape-based cache would be faster and simpler.
5853 */
5856 Native native)
5857 {
5866 }
5868 bool
5870 {
5875 /* Optimize (new String(...)).toString(). */
5880 js_str_toString)) {
5883 }
5890 }
5892 /* Optimize (new String(...)).valueOf(). */
5897 js_str_toString)) ||
5901 js_num_valueOf))) {
5904 }
5912 }
5913 }
5915 /* Avoid recursive death when decompiling in js_ReportValueError. */
5923 }
5931 }
5934 }
5940 {
5941 /* If the class has a custom JSCLASS_NEW_ENUMERATE hook, call it. */
5947 }
5952 /* Tell InitNativeIterator to treat us like a native object. */
5956 }
5960 JSBool
5963 {
5964 JSBool writing;
5970 CheckAccessOp check;
6000 }
6006 }
6008 }
6015 else
6017 }
6018 }
6020 /*
6021 * If obj's class has a stub (null) checkAccess hook, use the per-runtime
6022 * checkObjectAccess callback, if configured.
6023 *
6024 * We don't want to require all classes to supply a checkAccess hook; we
6025 * need that hook only for certain classes used when precompiling scripts
6026 * and functions ("brutal sharing"). But for general safety of built-in
6027 * magic properties like __proto__, we route all access checks, even for
6028 * classes that stub out checkAccess, through the global checkObjectAccess
6029 * hook. This covers precompilation-based sharing and (possibly
6030 * unintended) runtime sharing across trust boundaries.
6031 */
6037 }
6039 }
6041 }
6043 JSType
6045 {
6046 /*
6047 * ECMA 262, 11.4.3 says that any native object that implements
6048 * [[Call]] should be of type "function". However, RegExp is of
6049 * type "object", not "function", for Web compatibility.
6050 */
6053 ? JSTYPE_FUNCTION
6055 }
6058 }
6060 bool
6062 {
6069 }
6071 }
6073 bool
6076 {
6077 Value v;
6085 }
6089 }
6091 /*
6092 * The first part of this function has been hand-expanded and optimized into
6093 * NewBuiltinClassInstance in jsobjinlines.h.
6094 */
6095 JSBool
6098 {
6112 }
6113 }
6114 }
6121 }
6122 }
6123 }
6126 }
6128 JSBool
6130 {
6131 /*
6132 * Use the given attributes for the prototype property of the constructor,
6133 * as user-defined constructors have a DontDelete prototype (which may be
6134 * reset), while native or "system" constructors have DontEnum | ReadOnly |
6135 * DontDelete.
6136 */
6140 }
6142 /*
6143 * ECMA says that Object.prototype.constructor, or f.prototype.constructor
6144 * for a user-defined function f, is DontEnum.
6145 */
6148 }
6150 JSBool
6152 {
6164 }
6173 }
6175 JSBool
6177 {
6189 }
6192 }
6194 JSObject *
6196 {
6204 }
6206 JSBool
6208 {
6214 }
6216 JSBool
6219 {
6222 /*
6223 * Report failure only if an appropriate method was found, and calling it
6224 * returned failure. We propagate failure in this case to make exceptions
6225 * behave properly.
6226 */
6229 Value fval;
6238 }
6240 #if JS_HAS_XDR
6242 JSBool
6244 {
6249 JSProtoKey protoKey;
6268 }
6269 }
6273 }
6275 /*
6276 * XDR a flag word, which could be 0 for a class use, in which case no
6277 * name follows, only the id in xdr's class registry; 1 for a class def,
6278 * in which case the flag word is followed by the class name transferred
6279 * from or to atom; or a value greater than 1, an odd number that when
6280 * divided by two yields the JSProtoKey for class. In the last case, as
6281 * in the 0 classDef case, no name is transferred via atom.
6282 */
6293 /* NB: we know that JSProto_Null is 0 here, for backward compat. */
6308 }
6309 }
6310 }
6316 }
6318 }
6322 #ifdef JS_DUMP_SCOPE_METERS
6324 #include <stdio.h>
6328 static void
6330 {
6332 }
6334 void
6336 {
6341 {
6349 }
6354 }
6355 #endif
6357 #ifdef DEBUG
6358 void
6360 {
6375 }
6380 #define JS_PROTO(name,code,init) \
6381 if ((code) == slot) { slotname = js_##name##_str; goto found; }
6383 #undef JS_PROTO
6384 }
6385 found:
6388 else
6398 }
6399 }
6400 }
6401 #endif
6403 void
6405 {
6410 /*
6411 * Trim overlong dslots allocations from the GC, to avoid thrashing in
6412 * case of delete-happy code that settles down at a given population.
6413 * The !obj->nativeEmpty() guard above is due to the bug described by
6414 * the FIXME comment below.
6415 */
6419 }
6421 #ifdef JS_DUMP_SCOPE_METERS
6423 #endif
6430 /* No one runs while the GC is running, so we can use LOCKED_... here. */
6437 }
6441 }
6443 /*
6444 * NB: In case clasp->mark mutates something (which would be a bug, but we
6445 * want to be defensive), leave this code here -- don't move it up and
6446 * unify it with the |if (!traceScope)| section above.
6447 *
6448 * FIXME: We minimize nslots against obj->slotSpan because native objects
6449 * such as Date instances may have failed to advance slotSpan to cover all
6450 * reserved slots (this Date issue may be a bug in JSObject::growSlots, but
6451 * the general problem occurs in other built-in class implementations).
6452 */
6461 }
6462 }
6464 void
6466 {
6467 /*
6468 * Clear obj of all obj's properties. FIXME: we do not clear reserved slots
6469 * lying below JSSLOT_FREE(clasp). JS_ClearScope does that.
6470 */
6472 /* Now that we're done using real properties, clear obj. */
6475 /* Clear slot values since obj->clear reset our shape to empty. */
6480 }
6481 }
6483 bool
6485 {
6489 }
6493 else
6496 }
6498 bool
6500 {
6511 }
6516 }
6518 JSObject *
6520 {
6525 }
6527 JSBool
6529 {
6532 JSREPORT_STRICT_MODE_ERROR,
6534 JSMSG_GETTER_ONLY);
6535 }
6539 {
6542 }
6544 #ifdef DEBUG
6546 /*
6547 * Routines to print out values during debugging. These are FRIEND_API to help
6548 * the debugger find them and to support temporarily hacking js_Dump* calls
6549 * into other code.
6550 */
6552 void
6554 {
6559 }
6571 else
6573 }
6575 }
6579 {
6583 }
6585 void
6587 {
6590 else
6592 }
6596 {
6603 }
6605 }
6609 {
6612 }
6614 void
6616 {
6635 }
6640 }
6652 else
6656 #ifdef DEBUG
6664 }
6665 #endif
6669 }
6670 }
6674 {
6677 }
6681 {
6685 }
6687 static void
6689 {
6707 else
6711 }
6715 {
6737 }
6741 }
6742 }
6755 }
6757 }
6766 }
6789 }
6791 }
6793 static void
6795 {
6800 }
6801 }
6803 static void
6805 {
6810 }
6811 }
6815 {
6816 /* This should only called during live debugging. */
6828 }
6839 }
6845 }
6851 }
6857 }
6860 }
6869 }
6870 }
6872 fprintf(stderr, " actuals: %p (%u) ", (void *) fp->actualArgs(), (unsigned) fp->numActualArgs());
6873 fprintf(stderr, " formals: %p (%u)\n", (void *) fp->formalArgs(), (unsigned) fp->numFormalArgs());
6874 }
6883 }
6906 }
6907 }
6909 #ifdef DEBUG
6910 bool
6912 {
6918 }
6919 #endif