| blob | 33751dc1296bc4def77cd7e3608fb720f4150b92 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS function support.
43 */
44 #include <string.h>
76 #if JS_HAS_GENERATORS
78 #endif
80 #if JS_HAS_XDR
82 #endif
84 #ifdef JS_METHODJIT
86 #endif
98 {
100 }
102 JSBool
104 {
111 }
117 }
119 JSBool
121 {
128 Value v;
139 }
141 }
151 }
154 /*
155 * Per ECMA-262 Ed. 3, 10.1.8, last bulleted item, do not share
156 * storage between the formal parameter and arguments[k] for all
157 * fp->argc <= k && k < fp->fun->nargs. For example, in
158 *
159 * function f(x) { x = 42; return arguments[0]; }
160 * f();
161 *
162 * the call to f should return undefined, not 42. If fp->argsobj
163 * is null at this point, as it would be in the example, return
164 * undefined in *vp.
165 */
168 }
174 }
176 }
180 {
195 /* Can't fail from here on, so initialize everything in argsobj. */
197 ? &StrictArgumentsClass
208 }
212 struct PutArg
213 {
220 }
221 };
223 }
225 JSObject *
227 {
228 /*
229 * We must be in a function activation; the function must be lightweight
230 * or else fp must have a variable object.
231 */
237 /* Create an arguments object for fp only if it lacks one. */
241 /* Compute the arguments object's parent slot from fp's scope chain. */
247 /*
248 * Strict mode functions have arguments objects that copy the initial
249 * actual parameter values. It is the caller's responsibility to get the
250 * arguments object before any parameters are modified! (The emitter
251 * ensures this by synthesizing an arguments access at the start of any
252 * strict mode function that contains an assignment to a parameter, or
253 * that calls eval.) Non-strict mode arguments use the frame pointer to
254 * retrieve up-to-date parameter values.
255 */
258 else
263 }
265 void
267 {
275 }
276 }
278 #ifdef JS_TRACER
280 /*
281 * Traced versions of js_GetArgsObject and js_PutArgsObject.
282 */
283 JSObject * JS_FASTCALL
285 {
291 /*
292 * Strict mode callers must copy arguments into the created arguments
293 * object. The trace-JITting code is in TraceRecorder::newArguments.
294 */
298 }
301 }
305 /* FIXME change the return type to void. */
306 JSBool JS_FASTCALL
308 {
312 /*
313 * TraceRecorder::putActivationObjects builds a single, contiguous array of
314 * the arguments, regardless of whether #actuals > #formals so there is no
315 * need to worry about actual vs. formal arguments.
316 */
322 }
326 }
332 static JSBool
334 {
345 }
347 }
351 {
355 /*
356 * We do not attempt to reify Call and Block objects on demand for outer
357 * scopes. This could be done (see the "v8" patch in bug 494235) but it is
358 * fragile in the face of ongoing compile-time optimization. Instead, the
359 * _DBG* opcodes used by wrappers created here must cope with unresolved
360 * upvars and throw them as reference errors. Caveat debuggers!
361 */
390 /* NB: GC must not occur before wscript is homed in wfun->u.i.script. */
421 }
425 }
429 }
433 }
439 }
443 /* FIXME should copy JSOP_TRAP? */
450 /*
451 * Rewrite JSOP_{GET,CALL}FCSLOT as JSOP_{GET,CALL}UPVAR_DBG for the
452 * case where fun is an escaping flat closure. This works because the
453 * UPVAR and FCSLOT ops by design have the same format: an upvar index
454 * immediate operand.
455 */
465 }
467 }
469 /*
470 * Fill in the rest of wscript. This means if you add members to JSScript
471 * you must update this code. FIXME: factor into JSScript::clone method.
472 */
486 #ifdef CHECK_SCRIPT_OWNER
488 #endif
490 /* Deoptimize wfun from FUN_{FLAT,NULL}_CLOSURE to FUN_INTERPRETED. */
494 }
496 static JSBool
498 {
505 /*
506 * arg can exceed the number of arguments if a script changed the
507 * prototype to point to another Arguments object with a bigger argc.
508 */
519 }
520 }
528 /*
529 * If this function or one in it needs upvars that reach above it
530 * in the scope chain, it must not be a null closure (it could be a
531 * flat closure, or an unoptimized closure -- the latter itself not
532 * necessarily heavyweight). Rather than wrap here, we simply throw
533 * to reduce code size and tell debugger users the truth instead of
534 * passing off a fibbing wrapper.
535 */
538 JSMSG_OPTIMIZED_CLOSURE_LEAK);
540 }
542 }
543 }
545 }
547 static JSBool
549 {
550 #ifdef JS_TRACER
551 // To be able to set a property here on trace, we would have to make
552 // sure any updates also get written back to the trace native stack.
553 // For simplicity, we just leave trace, since this is presumably not
554 // a common operation.
558 }
559 #endif
571 }
572 }
576 }
578 /*
579 * For simplicity we use delete/set to replace the property with one
580 * backed by the default Object getter and setter. Note that we rely on
581 * args_delProperty to clear the corresponding reserved slot so the GC can
582 * collect its value.
583 */
587 }
589 static JSBool
592 {
609 }
616 }
618 }
620 static JSBool
622 {
625 /*
626 * Trigger reflection in args_resolve using a series of js_LookupProperty
627 * calls.
628 */
642 /* prop is null when the property was deleted. */
645 }
647 }
651 JSBool
653 {
660 /*
661 * arg can exceed the number of arguments if a script changed the
662 * prototype to point to another Arguments object with a bigger argc.
663 */
669 }
674 }
676 }
678 JSBool
680 {
689 }
692 }
694 /*
695 * For simplicity we use delete/set to replace the property with one
696 * backed by the default Object getter and setter. Note that we rely on
697 * args_delProperty to clear the corresponding reserved slot so the GC can
698 * collect its value.
699 */
703 }
705 JSBool
707 {
731 /*
732 * Strict mode arguments objects have an immutable poison-pill caller
733 * property that throws a TypeError on getting or setting.
734 */
740 }
744 }
751 }
753 }
755 JSBool
757 {
760 /*
761 * Trigger reflection in strictargs_resolve using a series of
762 * js_LookupProperty calls. Beware deleted properties!
763 */
767 // length
773 // callee
779 // caller
790 }
793 }
797 static void
799 {
801 }
803 /*
804 * If a generator's arguments or call object escapes, and the generator frame
805 * is not executing, the generator object needs to be marked because it is not
806 * otherwise reachable. An executing generator is rooted by its invocation. To
807 * distinguish the two cases (which imply different access paths to the
808 * generator object), we use the JSFRAME_FLOATING_GENERATOR flag, which is only
809 * set on the JSStackFrame kept in the generator object's JSGenerator.
810 */
813 {
814 #if JS_HAS_GENERATORS
819 }
820 #endif
821 }
823 static void
825 {
830 }
838 }
840 /*
841 * The Arguments classes aren't initialized via js_InitClass, because arguments
842 * objects have the initial value of Object.prototype as their [[Prototype]].
843 * However, Object.prototype.toString.call(arguments) === "[object Arguments]"
844 * per ES5 (although not ES3), so the class name is "Arguments" rather than
845 * "Object".
846 *
847 * The JSClass functions below collaborate to lazily reflect and synchronize
848 * actual argument values, argument count, and callee function object stored
849 * in a JSStackFrame with their corresponding property values in the frame's
850 * arguments object.
851 */
852 Class js_ArgumentsClass = {
858 args_delProperty,
861 args_enumerate,
863 ConvertStub,
872 };
876 /*
877 * Strict mode arguments is significantly less magical than non-strict mode
878 * arguments, so it is represented by a different class while sharing some
879 * functionality.
880 */
881 Class StrictArgumentsClass = {
887 args_delProperty,
890 strictargs_enumerate,
892 ConvertStub,
901 };
903 }
905 /*
906 * A Declarative Environment object stores its active JSStackFrame pointer in
907 * its private slot, just as Call and Arguments objects do.
908 */
909 Class js_DeclEnvClass = {
910 js_Object_str,
916 EnumerateStub,
917 ResolveStub,
918 ConvertStub
919 };
921 static JSBool
923 {
932 /*
933 * Any escaping null or flat closure that reaches above itself or
934 * contains nested functions that reach above it must be wrapped.
935 * We can wrap only when this Call or Declarative Environment obj
936 * still has an active stack frame associated with it.
937 */
948 }
951 JSMSG_OPTIMIZED_CLOSURE_LEAK);
953 }
954 }
956 }
958 static JSBool
960 {
962 }
966 {
974 /* This must come after callobj->lastProp has been set. */
978 #ifdef DEBUG
984 }
985 }
986 #endif
990 }
994 {
1002 }
1004 JSObject *
1006 {
1007 /* Create a call object for fp only if it lacks one. */
1012 #ifdef DEBUG
1013 /* A call object should be a frame's outermost scope chain element. */
1019 #endif
1021 /*
1022 * Create the call object, using the frame's enclosing scope as its
1023 * parent, and link the call to its stack frame. For a named function
1024 * expression Call's parent points to an environment object holding
1025 * function's name.
1026 */
1034 /* Root envobj before js_DefineNativeProperty (-> JSClass.addProperty). */
1042 }
1043 }
1052 /*
1053 * Push callobj on the top of the scope chain, and make it the
1054 * variables object.
1055 */
1058 }
1060 JSObject * JS_FASTCALL
1061 js_CreateCallObjectOnTrace(JSContext *cx, JSFunction *fun, JSObject *callee, JSObject *scopeChain)
1062 {
1066 }
1068 JS_DEFINE_CALLINFO_4(extern, OBJECT, js_CreateCallObjectOnTrace, CONTEXT, FUNCTION, OBJECT, OBJECT,
1073 {
1074 /* Copy however many args fit into fslots. */
1086 /* Copy any remaining args into dslots. */
1091 /* Copy however many vars fit into any remaining fslots. */
1098 }
1100 /* Copy any remaining vars into dslots. */
1102 }
1104 void
1106 {
1109 /* Get the arguments object to snapshot fp's actual argument values. */
1114 }
1120 /*
1121 * Since for a call object all fixed slots happen to be taken, we can copy
1122 * arguments and variables straight into JSObject.dslots.
1123 */
1132 #ifdef JS_METHODJIT
1142 }
1143 }
1144 #else
1146 #endif
1147 }
1149 /* Clear private pointers to fp, which is about to go away (js_Invoke). */
1156 }
1159 }
1161 JSBool JS_FASTCALL
1164 {
1173 }
1179 JSCPK_ARGUMENTS,
1180 JSCPK_ARG,
1181 JSCPK_VAR,
1182 JSCPK_UPVAR
1183 };
1185 static JSBool
1188 {
1195 }
1201 #ifdef DEBUG
1205 #endif
1230 }
1231 }
1233 }
1238 else
1251 }
1252 }
1259 }
1261 }
1263 static JSBool
1265 {
1267 }
1269 static JSBool
1271 {
1273 }
1275 JSBool
1277 {
1279 }
1281 JSBool
1283 {
1285 }
1287 JSBool
1289 {
1291 }
1293 JSBool
1295 {
1297 }
1299 JSBool
1301 {
1303 }
1305 JSBool
1307 {
1312 }
1314 JSBool
1316 {
1318 }
1320 #if JS_TRACER
1321 JSBool JS_FASTCALL
1323 {
1326 }
1330 JSBool JS_FASTCALL
1332 {
1335 }
1338 #endif
1340 static JSBool
1343 {
1350 #ifdef DEBUG
1353 #endif
1355 /*
1356 * Resolve arguments so that we never store a particular Call object's
1357 * arguments object reference in a Call prototype's |arguments| slot.
1358 */
1365 }
1368 }
1370 /* Control flow reaches here only if id was not resolved. */
1372 }
1374 static void
1376 {
1380 /*
1381 * FIXME: Hide copies of stack values rooted by fp from the Cycle
1382 * Collector, which currently lacks a non-stub Unlink implementation
1383 * for JS objects (including Call objects), so is unable to collect
1384 * cycles involving Call objects whose frames are active without this
1385 * hiding hack.
1386 */
1395 }
1398 }
1402 JSCLASS_HAS_PRIVATE |
1409 JS_EnumerateStub,
1420 };
1422 bool
1424 {
1428 }
1432 /*
1433 * See the equivalent condition in ArgGetter for the 'callee' id case, but
1434 * note that here we do not want to throw, since this escape can happen via
1435 * a foo.caller reference alone, without any debugger or indirect eval. And
1436 * alas, it seems foo.caller is still used on the Web.
1437 */
1444 }
1449 /*
1450 * Check for an escape attempt by a joined function object, which must go
1451 * through the frame's |this| object's method read barrier for the method
1452 * atom by which it was uniquely associated with a property.
1453 */
1465 /*
1466 * The method property might have been deleted while the method
1467 * barrier flag stuck, so we must lookup and test here.
1468 *
1469 * Two cases follow: the method barrier was not crossed yet, so
1470 * we cross it here; the method barrier *was* crossed, in which
1471 * case we must fetch and validate the cloned (unjoined) funobj
1472 * in the method property's slot.
1473 *
1474 * In either case we must allow for the method property to have
1475 * been replaced, or its value to have been overwritten.
1476 */
1483 }
1495 }
1496 }
1497 }
1499 /*
1500 * If control flows here, we can't find an already-existing
1501 * clone (or force to exist a fresh clone) created via thisp's
1502 * method read barrier, so we must clone fun and store it in
1503 * fp's callee to avoid re-cloning upon repeated foo.caller
1504 * access. It seems that there are no longer any properties
1505 * referring to fun.
1506 */
1513 }
1514 }
1515 }
1518 }
1520 /* Generic function tinyids. */
1527 };
1529 static JSBool
1531 {
1537 /*
1538 * Loop because getter and setter can be delegated from another class,
1539 * but loop only for FUN_LENGTH because we must pretend that f.length
1540 * is in each function instance f, per ECMA-262, instead of only in the
1541 * Function.prototype object (we use JSPROP_PERMANENT with JSPROP_SHARED
1542 * to make it appear so).
1543 *
1544 * This code couples tightly to the attributes for lazyFunctionDataProps[]
1545 * and poisonPillProps[] initializers below, and to js_SetProperty and
1546 * js_HasOwnProperty.
1547 *
1548 * It's important to allow delegating objects, even though they inherit
1549 * this getter (fun_getProperty), to override arguments, arity, caller,
1550 * and name. If we didn't return early for slot != FUN_LENGTH, we would
1551 * clobber *vp with the native property value, instead of letting script
1552 * override that value in delegating objects.
1553 *
1554 * Note how that clobbering is what simulates JSPROP_READONLY for all of
1555 * the non-standard properties when the directly addressed object (obj)
1556 * is a function object (i.e., when this loop does not iterate).
1557 */
1566 }
1568 /* Find fun's top-most activation record. */
1574 }
1578 /* Warn if strict about f.arguments or equivalent unqualified uses. */
1582 JSMSG_DEPRECATED_USAGE,
1583 js_arguments_str)) {
1585 }
1591 }
1612 /* Censor the caller if it is from another compartment. */
1617 JSMSG_CALLER_IS_STRICT);
1619 }
1620 }
1624 /* XXX fun[0] and fun.arguments[0] are equivalent. */
1628 }
1631 }
1636 uint16 atomOffset;
1637 int8 tinyid;
1638 uint8 attrs;
1639 };
1642 uint16 atomOffset;
1643 int8 tinyid;
1644 };
1646 /* NB: no sentinels at ends -- use JS_ARRAY_LENGTH to bound loops. */
1651 };
1653 /* Properties censored into [[ThrowTypeError]] in strict mode. */
1657 };
1659 }
1661 static JSBool
1663 {
1666 jsid id;
1673 }
1684 }
1691 }
1694 }
1696 static JSBool
1699 {
1705 /*
1706 * No need to reflect fun.prototype in 'fun.prototype = ... '. Assert that
1707 * fun is not a compiler-created function object, which must never leak to
1708 * script or embedding code and then be mutated.
1709 */
1713 }
1715 /*
1716 * Ok, check whether id is 'prototype' and bootstrap the function object's
1717 * prototype property.
1718 */
1723 /*
1724 * Beware of the wacky case of a user function named Object -- trying
1725 * to find a prototype for that will recur back here _ad perniciem_.
1726 */
1730 /* ES5 15.3.4.5: bound functions don't have a prototype property. */
1734 /*
1735 * Make the prototype object an instance of Object with the same parent
1736 * as the function object itself.
1737 */
1746 /*
1747 * ECMA (15.3.5.2) says that constructor.prototype is DontDelete for
1748 * user-defined functions, but DontEnum | ReadOnly | DontDelete for
1749 * native "system" constructors such as Object or Function. So lazily
1750 * set the former here in fun_resolve, but eagerly define the latter
1751 * in js_InitClass, with the right attributes.
1752 */
1758 }
1767 }
1770 }
1785 }
1788 }
1789 }
1809 }
1816 }
1819 }
1820 }
1823 }
1825 #if JS_HAS_XDR
1827 /* XXX store parent and proto, if defined */
1828 JSBool
1830 {
1834 plus for fun->u.i.skipmin, fun->u.i.wrapper,
1835 and 14 bits reserved for future use */
1845 JSMSG_NOT_SCRIPTED_FUNCTION,
1848 }
1851 JSMSG_XDR_CLOSURE_WRAPPER,
1854 }
1868 #ifdef __GNUC__
1870 #endif
1871 }
1882 }
1892 }
1894 /* do arguments and local vars */
1898 uintN i;
1899 uintN bitmapLength;
1903 JSLocalKind localKind;
1908 /*
1909 * From this point the control must flow via the label release_mark.
1910 *
1911 * To xdr the names we prefix the names with a bitmap descriptor and
1912 * then xdr the names as strings. For argument names (indexes below
1913 * nargs) the corresponding bit in the bitmap is unset when the name
1914 * is null. Such null names are not encoded or decoded. For variable
1915 * names (indexes starting from nargs) bitmap's bit is set when the
1916 * name is declared as const, not as ordinary var.
1917 * */
1926 }
1932 }
1940 }
1941 }
1942 }
1943 #ifdef __GNUC__
1946 }
1947 #endif
1952 }
1963 }
1965 }
1973 ? JSLOCAL_ARG
1977 ? JSLOCAL_CONST
1983 }
1984 }
1986 release_mark:
1993 }
2001 #ifdef CHECK_SCRIPT_OWNER
2003 #endif
2005 }
2006 }
2009 }
2013 #define js_XDRFunctionObject NULL
2017 /*
2018 * [[HasInstance]] internal method for Function objects: fetch the .prototype
2019 * property of its 'this' parameter, and walks the prototype chain of v (only
2020 * if v is an object) returning true if .prototype is found.
2021 */
2022 static JSBool
2024 {
2029 }
2032 Value pval;
2037 /*
2038 * Throw a runtime error if instanceof is called on a function that
2039 * has a non-object as its .prototype value.
2040 */
2043 }
2047 }
2049 static void
2051 {
2052 /* A newborn function object may have a not yet initialized private slot. */
2058 /* obj is a cloned function object, trace the clone-parent, fun. */
2061 /* The function could be a flat closure with upvar copies in the clone. */
2065 }
2075 }
2076 }
2078 static void
2080 {
2081 /* Ignore newborn function objects. */
2086 /* Cloned function objects may be flat closures with upvars to free. */
2091 }
2093 /*
2094 * Null-check of u.i.script is required since the parser sets interpreted
2095 * very early.
2096 */
2099 }
2101 int
2103 {
2104 #if JS_HAS_SHARP_VARS
2108 #ifdef DEBUG
2109 JSLocalKind kind =
2110 #endif
2114 }
2115 #endif
2117 }
2119 uint32
2121 {
2125 }
2127 /*
2128 * Reserve two slots in all function objects for XPConnect. Note that this
2129 * does not bloat every instance, only those on which reserved slots are set,
2130 * and those on which ad-hoc properties are defined.
2131 */
2133 js_Function_str,
2141 fun_enumerate,
2143 ConvertStub,
2144 fun_finalize,
2149 js_XDRFunctionObject,
2150 fun_hasInstance,
2152 };
2154 JSString *
2156 {
2161 JSMSG_INCOMPATIBLE_PROTO,
2165 }
2171 }
2173 static JSBool
2175 {
2192 }
2194 #if JS_HAS_TOSOURCE
2195 static JSBool
2197 {
2210 }
2211 #endif
2213 JSBool
2215 {
2230 JSMSG_INCOMPATIBLE_PROTO,
2232 bytes);
2233 }
2234 }
2236 }
2240 /* Call fun with its global object as the 'this' param if no args. */
2243 /* Otherwise convert the first arg to 'this' and skip over it. */
2248 argc--;
2249 argv++;
2250 }
2252 /* Allocate stack space for fval, obj, and the args. */
2253 InvokeArgsGuard args;
2257 /* Push fval, obj, and the args. */
2265 }
2269 struct CopyNonHoleArgs
2270 {
2277 else
2280 }
2281 };
2283 }
2285 /* ES5 15.3.4.3 */
2286 JSBool
2288 {
2293 /* Step 1. */
2299 JSMSG_INCOMPATIBLE_PROTO,
2301 bytes);
2302 }
2303 }
2305 }
2307 /* Step 2. */
2311 /* Step 3. */
2315 }
2317 /*
2318 * Steps 4-5 (note erratum removing steps originally numbered 5 and 7 in
2319 * original version of ES5).
2320 */
2322 jsuint length;
2338 }
2339 }
2341 /* Convert the first arg to 'this' and skip over it. */
2349 /* Step 6. */
2352 InvokeArgsGuard args;
2356 /* Push fval, obj, and aobj's elements as args. */
2360 /* Steps 7-8. */
2362 /*
2363 * Two cases, two loops: note how in the case of an active stack frame
2364 * backing aobj, even though we copy from fp->argv, we still must check
2365 * aobj->getArgsElement(i) for a hole, to handle a delete on the
2366 * corresponding arguments element. See args_delProperty.
2367 */
2378 }
2379 }
2385 }
2386 }
2388 /* Step 9. */
2393 }
2397 JSBool
2399 }
2401 bool
2403 {
2405 }
2410 {
2417 /* FIXME? Burn memory on an empty scope whose shape covers the args slots. */
2431 }
2433 }
2437 {
2441 /* Bound functions abuse |parent| to store their target function. */
2443 }
2447 {
2452 }
2456 {
2464 }
2468 /* ES5 15.3.4.5.1 and 15.3.4.5.2. */
2469 JSBool
2471 {
2480 /* 15.3.4.5.1 step 1, 15.3.4.5.2 step 3. */
2481 uintN argslen;
2487 }
2489 /* 15.3.4.5.1 step 3, 15.3.4.5.2 step 1. */
2492 /* 15.3.4.5.1 step 2. */
2495 InvokeArgsGuard args;
2499 /* 15.3.4.5.1, 15.3.4.5.2 step 4. */
2503 /* 15.3.4.5.1, 15.3.4.5.2 step 5. */
2507 /*
2508 * FIXME Pass boundThis directly without boxing! This will go away
2509 * very shortly when this-boxing only occurs for non-strict
2510 * functions, callee-side, in bug 514570.
2511 */
2518 }
2521 }
2528 }
2530 /* ES5 15.3.4.5. */
2531 JSBool
2533 {
2534 /* Step 1. */
2539 /* Step 2. */
2544 JSMSG_INCOMPATIBLE_PROTO,
2546 }
2547 }
2549 }
2551 /* Step 3. */
2557 }
2559 /* Steps 15-16. */
2565 }
2567 /* Step 4-6, 10-11. */
2570 /* NB: Bound functions abuse |parent| to store their target. */
2577 /* Steps 7-9. */
2582 /* Steps 17, 19-21 are handled by fun_resolve. */
2583 /* Step 18 is the default for new functions. */
2585 /* Step 22. */
2588 }
2590 }
2593 #if JS_HAS_TOSOURCE
2595 #endif
2600 JS_FS_END
2601 };
2603 static JSBool
2605 {
2610 /* N.B. overwriting callee with return value */
2614 /*
2615 * NB: (new Function) is not lexically closed by its caller, it's just an
2616 * anonymous function in the top-level scope that its constructor inhabits.
2617 * Thus 'var x = 42; f = new Function("return x"); print(f())' prints 42,
2618 * and so would a call to f from another top-level's script or function.
2619 *
2620 * In older versions, before call objects, a new Function was adopted by
2621 * its running context's globalObject, which might be different from the
2622 * top-level reachable from scopeChain (in HTML frames, e.g.).
2623 */
2629 /*
2630 * Function is static and not called directly by other functions in this
2631 * file, therefore it is callable only as a native function by js_Invoke.
2632 * Find the scripted caller, possibly skipping other native frames such as
2633 * are built for Function.prototype.call or .apply activations that invoke
2634 * Function indirectly from a script.
2635 */
2637 uintN lineno;
2648 }
2650 /* Belt-and-braces: check that the caller has access to parent. */
2654 }
2656 /*
2657 * CSP check: whether new Function() is allowed at all.
2658 * Report errors via CSP is done in the script security manager.
2659 * js_CheckContentSecurityPolicy is defined in jsobj.cpp
2660 */
2664 }
2671 /*
2672 * Collect the function-argument arguments into one string, separated
2673 * by commas, then make a tokenstream from that string, and scan it to
2674 * get the arguments. We need to throw the full scanner at the
2675 * problem, because the argument string can legitimately contain
2676 * comments and linefeeds. XXX It might be better to concatenate
2677 * everything up into a function definition and pass it to the
2678 * compiler, but doing it this way is less of a delta from the old
2679 * code. See ECMA 15.3.2.1.
2680 */
2684 /* Collect the lengths for all the function-argument arguments. */
2690 /*
2691 * Check for overflow. The < test works because the maximum
2692 * JSString length fits in 2 fewer bits than size_t has.
2693 */
2699 }
2700 }
2702 /* Add 1 for each joining comma and check for overflow (two ways). */
2709 }
2711 /*
2712 * Allocate a string to hold the concatenated arguments, including room
2713 * for a terminating 0. Mark cx->tempPool for later release, to free
2714 * collected_args and its tokenstream in one swoop.
2715 */
2723 }
2726 /*
2727 * Concatenate the arguments into the new string, separated by commas.
2728 */
2735 /* Add separating comma or terminating 0. */
2737 }
2739 /* Initialize a tokenstream that reads from the given string. */
2744 }
2746 /* The argument string may be empty or contain no tokens. */
2750 /*
2751 * Check that it's a name. This also implicitly guards against
2752 * TOK_ERROR, which was already reported.
2753 */
2757 /*
2758 * Get the atom corresponding to the name from the token
2759 * stream; we're assured at this point that it's a valid
2760 * identifier.
2761 */
2764 /* Check for a duplicate parameter name. */
2773 }
2774 }
2778 /*
2779 * Get the next token. Stop on end of stream. Otherwise
2780 * insist on a comma, get another name, and iterate.
2781 */
2788 }
2789 }
2792 after_args:
2794 /*
2795 * Report "malformed formal parameter" iff no illegal char or
2796 * similar scanner error was already reported.
2797 */
2799 JSMSG_BAD_FORMAL);
2800 }
2805 }
2815 }
2820 }
2824 JSBool
2826 {
2828 JSMSG_THROW_TYPE_ERROR);
2830 }
2832 }
2834 JSObject *
2836 {
2848 /* ES5 13.2.3: Construct the unique [[ThrowTypeError]] function object. */
2857 }
2860 }
2862 JSFunction *
2865 {
2875 }
2879 /* Initialize all function members. */
2894 #ifdef JS_TRACER
2899 #else
2901 #endif
2905 }
2907 }
2910 /* Set private to self to indicate non-cloned fully initialized function. */
2913 }
2915 JSObject * JS_FASTCALL
2918 {
2922 /*
2923 * The cloned function object does not need the extra JSFunction members
2924 * beyond JSObject as it points to fun via the private slot.
2925 */
2931 }
2933 #ifdef JS_TRACER
2934 JS_DEFINE_CALLINFO_4(extern, OBJECT, js_CloneFunctionObject, CONTEXT, FUNCTION, OBJECT, OBJECT, 0,
2936 #endif
2938 /*
2939 * Create a new flat closure, but don't initialize the imported upvar
2940 * values. The tracer calls this function and then initializes the upvar
2941 * slots on trace.
2942 */
2943 JSObject * JS_FASTCALL
2945 {
2965 }
2970 JS_REQUIRES_STACK JSObject *
2972 {
2973 /*
2974 * Flat closures can be partial, they may need to search enclosing scope
2975 * objects via JSOP_NAME, etc.
2976 */
2993 }
2995 JSObject *
2997 {
3003 }
3005 JSFunction *
3008 {
3009 PropertyOp gsop;
3013 /*
3014 * JSFUN_STUB_GSOPS is a request flag only, not stored in fun->flags or
3015 * the defined property's attributes. This allows us to encode another,
3016 * internal flag using the same bit, JSFUN_EXPR_CLOSURE -- see jsfun.h
3017 * for more on this.
3018 */
3023 }
3032 }
3034 }
3036 #if (JSV2F_CONSTRUCT & JSV2F_SEARCH_STACK)
3038 #endif
3040 JSFunction *
3042 {
3047 }
3049 }
3051 JSObject *
3053 {
3058 }
3061 }
3063 JSObject *
3065 {
3070 }
3074 }
3076 void
3078 {
3084 /*
3085 * We try to the print the code that produced vp if vp is a value in the
3086 * most recent interpreted stack frame. Note that additional values, not
3087 * directly produced by the script, may have been pushed onto the frame's
3088 * expression stack (e.g. by pushInvokeArgs) thereby incrementing sp past
3089 * the depth simulated by ReconstructPCStack. Since we must pass an offset
3090 * from the top of the simulated stack to js_ReportValueError3, it is
3091 * important to do bounds checking using the simulated, rather than actual,
3092 * stack depth.
3093 */
3106 }
3112 }
3116 {
3121 }
3123 }
3127 {
3132 }
3134 }
3136 bool
3138 {
3142 /*
3143 * We still follow 10.2.3 of ES3 and make argument and variable properties
3144 * of the Call objects enumerable. ES5 reformulated all of its Clause 10 to
3145 * avoid objects as activations, something we should do too.
3146 */
3172 else
3175 }
3180 ? JSMSG_TOO_MANY_FUN_ARGS
3183 }
3187 jsid id;
3189 /*
3190 * The destructuring formal parameter parser adds a null atom, which we
3191 * encode as an INT id. The parser adds such locals after adding vars for
3192 * the destructured-to parameter bindings -- those must be vars to avoid
3193 * aliasing arguments[i] for any i -- so we must switch u.i.names to a
3194 * dictionary list to cope with insertion "in the middle" of an index-named
3195 * shape for the object or array argument.
3196 */
3201 /*
3202 * A dictionary list needed only if the destructing pattern wasn't
3203 * empty, i.e., there were vars for its destructured-to bindings.
3204 */
3208 }
3214 }
3223 }
3224 }
3235 }
3237 JSLocalKind
3239 {
3244 JSLocalKind localKind;
3252 else
3258 }
3260 }
3262 jsuword *
3264 {
3270 /*
3271 * No need to check for overflow of the allocation size as we are making a
3272 * copy of already allocated data. As such it must fit size_t.
3273 */
3278 }
3280 #ifdef DEBUG
3283 #endif
3300 }
3309 }
3312 }
3314 #ifdef DEBUG
3317 #endif
3319 }
3321 void
3323 {
3332 }
3333 }
3335 /*
3336 * This method is called only if we parsed a duplicate formal. Let's use the
3337 * simplest possible algorithm, risking O(n^2) pain -- anyone dup'ing formals
3338 * is asking for it!
3339 */
3340 JSAtom *
3342 {
3353 }
3354 }
3356 }