Source code

Revision control

Other Tools

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
* vim: set ts=8 sts=2 et sw=2 tw=80:
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "builtin/Object.h"
#include "js/Object.h" // JS::GetBuiltinClass
#include "mozilla/MaybeOneOf.h"
#include "mozilla/Range.h"
#include "mozilla/RangedPtr.h"
#include <algorithm>
#include "jsapi.h"
#include "builtin/BigInt.h"
#include "builtin/Eval.h"
#include "builtin/SelfHostingDefines.h"
#include "frontend/BytecodeCompiler.h"
#include "jit/InlinableNatives.h"
#include "js/friend/ErrorMessages.h" // js::GetErrorMessage, JSMSG_*
#include "js/friend/StackLimits.h" // js::AutoCheckRecursionLimit
#include "js/PropertySpec.h"
#include "js/UniquePtr.h"
#include "util/StringBuffer.h"
#include "util/Text.h"
#include "vm/AsyncFunction.h"
#include "vm/BooleanObject.h"
#include "vm/DateObject.h"
#include "vm/EqualityOperations.h" // js::SameValue
#include "vm/ErrorObject.h"
#include "vm/JSContext.h"
#include "vm/NumberObject.h"
#include "vm/PlainObject.h" // js::PlainObject
#include "vm/RegExpObject.h"
#include "vm/StringObject.h"
#include "vm/ToSource.h" // js::ValueToSource
#include "vm/WellKnownAtom.h" // js_*_str
#include "vm/JSObject-inl.h"
#include "vm/NativeObject-inl.h"
#include "vm/Shape-inl.h"
#ifdef FUZZING
# include "builtin/TestingFunctions.h"
#endif
using namespace js;
using js::frontend::IsIdentifier;
using mozilla::Maybe;
using mozilla::Range;
using mozilla::RangedPtr;
bool js::obj_construct(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
RootedObject obj(cx, nullptr);
if (args.isConstructing() &&
(&args.newTarget().toObject() != &args.callee())) {
RootedObject newTarget(cx, &args.newTarget().toObject());
obj = CreateThis(cx, &PlainObject::class_, newTarget);
if (!obj) {
return false;
}
} else if (args.length() > 0 && !args[0].isNullOrUndefined()) {
obj = ToObject(cx, args[0]);
if (!obj) {
return false;
}
} else {
/* Make an object whether this was called with 'new' or not. */
if (!NewObjectScriptedCall(cx, &obj)) {
return false;
}
}
args.rval().setObject(*obj);
return true;
}
/* ES5 15.2.4.7. */
bool js::obj_propertyIsEnumerable(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
HandleValue idValue = args.get(0);
// As an optimization, provide a fast path when rooting is not necessary and
// we can safely retrieve the attributes from the object's shape.
/* Steps 1-2. */
jsid id;
if (args.thisv().isObject() && idValue.isPrimitive() &&
PrimitiveValueToId<NoGC>(cx, idValue, &id)) {
JSObject* obj = &args.thisv().toObject();
/* Step 3. */
PropertyResult prop;
if (obj->is<NativeObject>() &&
NativeLookupOwnProperty<NoGC>(cx, &obj->as<NativeObject>(), id,
&prop)) {
/* Step 4. */
if (prop.isNotFound()) {
args.rval().setBoolean(false);
return true;
}
/* Step 5. */
JS::PropertyAttributes attrs = GetPropertyAttributes(obj, prop);
args.rval().setBoolean(attrs.enumerable());
return true;
}
}
/* Step 1. */
RootedId idRoot(cx);
if (!ToPropertyKey(cx, idValue, &idRoot)) {
return false;
}
/* Step 2. */
RootedObject obj(cx, ToObject(cx, args.thisv()));
if (!obj) {
return false;
}
/* Step 3. */
Rooted<Maybe<PropertyDescriptor>> desc(cx);
if (!GetOwnPropertyDescriptor(cx, obj, idRoot, &desc)) {
return false;
}
/* Step 4. */
if (desc.isNothing()) {
args.rval().setBoolean(false);
return true;
}
/* Step 5. */
args.rval().setBoolean(desc->enumerable());
return true;
}
static bool obj_toSource(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
AutoCheckRecursionLimit recursion(cx);
if (!recursion.check(cx)) {
return false;
}
RootedObject obj(cx, ToObject(cx, args.thisv()));
if (!obj) {
return false;
}
JSString* str = ObjectToSource(cx, obj);
if (!str) {
return false;
}
args.rval().setString(str);
return true;
}
template <typename CharT>
static bool Consume(RangedPtr<const CharT>& s, RangedPtr<const CharT> e,
const char* chars) {
MOZ_ASSERT(s <= e);
size_t len = strlen(chars);
if (e - s < len) {
return false;
}
if (!EqualChars(s.get(), chars, len)) {
return false;
}
s += len;
return true;
}
template <typename CharT>
static bool ConsumeUntil(RangedPtr<const CharT>& s, RangedPtr<const CharT> e,
char16_t ch) {
MOZ_ASSERT(s <= e);
const CharT* result = js_strchr_limit(s.get(), ch, e.get());
if (!result) {
return false;
}
s += result - s.get();
MOZ_ASSERT(*s == ch);
return true;
}
template <typename CharT>
static void ConsumeSpaces(RangedPtr<const CharT>& s, RangedPtr<const CharT> e) {
while (s < e && *s == ' ') {
s++;
}
}
/*
* Given a function source string, return the offset and length of the part
* between '(function $name' and ')'.
*/
template <typename CharT>
static bool ArgsAndBodySubstring(Range<const CharT> chars, size_t* outOffset,
size_t* outLen) {
const RangedPtr<const CharT> start = chars.begin();
RangedPtr<const CharT> s = start;
RangedPtr<const CharT> e = chars.end();
if (s == e) {
return false;
}
// Remove enclosing parentheses.
if (*s == '(' && *(e - 1) == ')') {
s++;
e--;
}
// Support the following cases, with spaces between tokens:
//
// -+---------+-+------------+-+-----+-+- [ - <any> - ] - ( -+-
// | | | | | | | |
// +- async -+ +- function -+ +- * -+ +- <any> - ( ---------+
// | |
// +- get ------+
// | |
// +- set ------+
//
// This accepts some invalid syntax, but we don't care, since it's only
// used by the non-standard toSource, and we're doing a best-effort attempt
// here.
(void)Consume(s, e, "async");
ConsumeSpaces(s, e);
(void)(Consume(s, e, "function") || Consume(s, e, "get") ||
Consume(s, e, "set"));
ConsumeSpaces(s, e);
(void)Consume(s, e, "*");
ConsumeSpaces(s, e);
// Jump over the function's name.
if (Consume(s, e, "[")) {
if (!ConsumeUntil(s, e, ']')) {
return false;
}
s++; // Skip ']'.
ConsumeSpaces(s, e);
if (s >= e || *s != '(') {
return false;
}
} else {
if (!ConsumeUntil(s, e, '(')) {
return false;
}
}
MOZ_ASSERT(*s == '(');
*outOffset = s - start;
*outLen = e - s;
MOZ_ASSERT(*outOffset + *outLen <= chars.length());
return true;
}
enum class PropertyKind { Getter, Setter, Method, Normal };
JSString* js::ObjectToSource(JSContext* cx, HandleObject obj) {
/* If outermost, we need parentheses to be an expression, not a block. */
bool outermost = cx->cycleDetectorVector().empty();
AutoCycleDetector detector(cx, obj);
if (!detector.init()) {
return nullptr;
}
if (detector.foundCycle()) {
return NewStringCopyZ<CanGC>(cx, "{}");
}
JSStringBuilder buf(cx);
if (outermost && !buf.append('(')) {
return nullptr;
}
if (!buf.append('{')) {
return nullptr;
}
RootedIdVector idv(cx);
if (!GetPropertyKeys(cx, obj, JSITER_OWNONLY | JSITER_SYMBOLS, &idv)) {
return nullptr;
}
bool comma = false;
auto AddProperty = [cx, &comma, &buf](HandleId id, HandleValue val,
PropertyKind kind) -> bool {
/* Convert id to a string. */
RootedString idstr(cx);
if (id.isSymbol()) {
RootedValue v(cx, SymbolValue(id.toSymbol()));
idstr = ValueToSource(cx, v);
if (!idstr) {
return false;
}
} else {
RootedValue idv(cx, IdToValue(id));
idstr = ToString<CanGC>(cx, idv);
if (!idstr) {
return false;
}
/*
* If id is a string that's not an identifier, or if it's a
* negative integer, then it must be quoted.
*/
if (id.isAtom() ? !IsIdentifier(id.toAtom()) : JSID_TO_INT(id) < 0) {
UniqueChars quotedId = QuoteString(cx, idstr, '\'');
if (!quotedId) {
return false;
}
idstr = NewStringCopyZ<CanGC>(cx, quotedId.get());
if (!idstr) {
return false;
}
}
}
RootedString valsource(cx, ValueToSource(cx, val));
if (!valsource) {
return false;
}
RootedLinearString valstr(cx, valsource->ensureLinear(cx));
if (!valstr) {
return false;
}
if (comma && !buf.append(", ")) {
return false;
}
comma = true;
size_t voffset, vlength;
// Methods and accessors can return exact syntax of source, that fits
// into property without adding property name or "get"/"set" prefix.
// Use the exact syntax when the following conditions are met:
//
// * It's a function object
// (exclude proxies)
// * Function's kind and property's kind are same
// (this can be false for dynamically defined properties)
// * Function has explicit name
// (this can be false for computed property and dynamically defined
// properties)
// * Function's name and property's name are same
// (this can be false for dynamically defined properties)
if (kind == PropertyKind::Getter || kind == PropertyKind::Setter ||
kind == PropertyKind::Method) {
RootedFunction fun(cx);
if (val.toObject().is<JSFunction>()) {
fun = &val.toObject().as<JSFunction>();
// Method's case should be checked on caller.
if (((fun->isGetter() && kind == PropertyKind::Getter) ||
(fun->isSetter() && kind == PropertyKind::Setter) ||
kind == PropertyKind::Method) &&
fun->explicitName()) {
bool result;
if (!EqualStrings(cx, fun->explicitName(), idstr, &result)) {
return false;
}
if (result) {
if (!buf.append(valstr)) {
return false;
}
return true;
}
}
}
{
// When falling back try to generate a better string
// representation by skipping the prelude, and also removing
// the enclosing parentheses.
bool success;
JS::AutoCheckCannotGC nogc;
if (valstr->hasLatin1Chars()) {
success = ArgsAndBodySubstring(valstr->latin1Range(nogc), &voffset,
&vlength);
} else {
success = ArgsAndBodySubstring(valstr->twoByteRange(nogc), &voffset,
&vlength);
}
if (!success) {
kind = PropertyKind::Normal;
}
}
if (kind == PropertyKind::Getter) {
if (!buf.append("get ")) {
return false;
}
} else if (kind == PropertyKind::Setter) {
if (!buf.append("set ")) {
return false;
}
} else if (kind == PropertyKind::Method && fun) {
if (fun->isAsync()) {
if (!buf.append("async ")) {
return false;
}
}
if (fun->isGenerator()) {
if (!buf.append('*')) {
return false;
}
}
}
}
bool needsBracket = id.isSymbol();
if (needsBracket && !buf.append('[')) {
return false;
}
if (!buf.append(idstr)) {
return false;
}
if (needsBracket && !buf.append(']')) {
return false;
}
if (kind == PropertyKind::Getter || kind == PropertyKind::Setter ||
kind == PropertyKind::Method) {
if (!buf.appendSubstring(valstr, voffset, vlength)) {
return false;
}
} else {
if (!buf.append(':')) {
return false;
}
if (!buf.append(valstr)) {
return false;
}
}
return true;
};
RootedId id(cx);
Rooted<Maybe<PropertyDescriptor>> desc(cx);
RootedValue val(cx);
for (size_t i = 0; i < idv.length(); ++i) {
id = idv[i];
if (!GetOwnPropertyDescriptor(cx, obj, id, &desc)) {
return nullptr;
}
if (desc.isNothing()) {
continue;
}
if (desc->isAccessorDescriptor()) {
if (desc->hasGetter() && desc->getter()) {
val.setObject(*desc->getter());
if (!AddProperty(id, val, PropertyKind::Getter)) {
return nullptr;
}
}
if (desc->hasSetter() && desc->setter()) {
val.setObject(*desc->setter());
if (!AddProperty(id, val, PropertyKind::Setter)) {
return nullptr;
}
}
continue;
}
val.set(desc->value());
JSFunction* fun;
if (IsFunctionObject(val, &fun) && fun->isMethod()) {
if (!AddProperty(id, val, PropertyKind::Method)) {
return nullptr;
}
continue;
}
if (!AddProperty(id, val, PropertyKind::Normal)) {
return nullptr;
}
}
if (!buf.append('}')) {
return nullptr;
}
if (outermost && !buf.append(')')) {
return nullptr;
}
return buf.finishString();
}
static JSString* GetBuiltinTagSlow(JSContext* cx, HandleObject obj) {
// Step 4.
bool isArray;
if (!IsArray(cx, obj, &isArray)) {
return nullptr;
}
// Step 5.
if (isArray) {
return cx->names().objectArray;
}
// Steps 6-14.
ESClass cls;
if (!JS::GetBuiltinClass(cx, obj, &cls)) {
return nullptr;
}
switch (cls) {
case ESClass::String:
return cx->names().objectString;
case ESClass::Arguments:
return cx->names().objectArguments;
case ESClass::Error:
return cx->names().objectError;
case ESClass::Boolean:
return cx->names().objectBoolean;
case ESClass::Number:
return cx->names().objectNumber;
case ESClass::Date:
return cx->names().objectDate;
case ESClass::RegExp:
return cx->names().objectRegExp;
default:
if (obj->isCallable()) {
// Non-standard: Prevent <object> from showing up as Function.
JSObject* unwrapped = CheckedUnwrapDynamic(obj, cx);
if (!unwrapped || !unwrapped->getClass()->isDOMClass()) {
return cx->names().objectFunction;
}
}
return cx->names().objectObject;
}
}
static MOZ_ALWAYS_INLINE JSString* GetBuiltinTagFast(JSObject* obj,
const JSClass* clasp,
JSContext* cx) {
MOZ_ASSERT(clasp == obj->getClass());
MOZ_ASSERT(!clasp->isProxyObject());
// Optimize the non-proxy case to bypass GetBuiltinClass.
if (clasp == &PlainObject::class_) {
// This case is by far the most common so we handle it first.
return cx->names().objectObject;
}
if (clasp == &ArrayObject::class_) {
return cx->names().objectArray;
}
if (clasp->isJSFunction()) {
return cx->names().objectFunction;
}
if (clasp == &StringObject::class_) {
return cx->names().objectString;
}
if (clasp == &NumberObject::class_) {
return cx->names().objectNumber;
}
if (clasp == &BooleanObject::class_) {
return cx->names().objectBoolean;
}
if (clasp == &DateObject::class_) {
return cx->names().objectDate;
}
if (clasp == &RegExpObject::class_) {
return cx->names().objectRegExp;
}
if (obj->is<ArgumentsObject>()) {
return cx->names().objectArguments;
}
if (obj->is<ErrorObject>()) {
return cx->names().objectError;
}
if (obj->isCallable() && !obj->getClass()->isDOMClass()) {
// Non-standard: Prevent <object> from showing up as Function.
return cx->names().objectFunction;
}
return cx->names().objectObject;
}
// For primitive values we try to avoid allocating the object if we can
// determine that the prototype it would use does not define Symbol.toStringTag.
static JSAtom* MaybeObjectToStringPrimitive(JSContext* cx, const Value& v) {
JSProtoKey protoKey = js::PrimitiveToProtoKey(cx, v);
// If prototype doesn't exist yet, just fall through.
JSObject* proto = cx->global()->maybeGetPrototype(protoKey);
if (!proto) {
return nullptr;
}
// If determining this may have side-effects, we must instead create the
// object normally since it is the receiver while looking up
// Symbol.toStringTag.
if (MaybeHasInterestingSymbolProperty(
cx, proto, cx->wellKnownSymbols().toStringTag, nullptr)) {
return nullptr;
}
// Return the direct result.
switch (protoKey) {
case JSProto_String:
return cx->names().objectString;
case JSProto_Number:
return cx->names().objectNumber;
case JSProto_Boolean:
return cx->names().objectBoolean;
case JSProto_Symbol:
return cx->names().objectSymbol;
case JSProto_BigInt:
return cx->names().objectBigInt;
default:
break;
}
return nullptr;
}
// ES6 19.1.3.6
bool js::obj_toString(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
RootedObject obj(cx);
if (args.thisv().isPrimitive()) {
// Step 1.
if (args.thisv().isUndefined()) {
args.rval().setString(cx->names().objectUndefined);
return true;
}
// Step 2.
if (args.thisv().isNull()) {
args.rval().setString(cx->names().objectNull);
return true;
}
// Try fast-path for primitives. This is unusual but we encounter code like
// this in the wild.
JSAtom* result = MaybeObjectToStringPrimitive(cx, args.thisv());
if (result) {
args.rval().setString(result);
return true;
}
// Step 3.
obj = ToObject(cx, args.thisv());
if (!obj) {
return false;
}
} else {
obj = &args.thisv().toObject();
}
// When |obj| is a non-proxy object, compute |builtinTag| only when needed.
RootedString builtinTag(cx);
const JSClass* clasp = obj->getClass();
if (MOZ_UNLIKELY(clasp->isProxyObject())) {
builtinTag = GetBuiltinTagSlow(cx, obj);
if (!builtinTag) {
return false;
}
}
// Step 15.
RootedValue tag(cx);
if (!GetInterestingSymbolProperty(cx, obj, cx->wellKnownSymbols().toStringTag,
&tag)) {
return false;
}
// Step 16.
if (!tag.isString()) {
if (!builtinTag) {
builtinTag = GetBuiltinTagFast(obj, clasp, cx);
#ifdef DEBUG
// Assert this fast path is correct and matches BuiltinTagSlow.
JSString* builtinTagSlow = GetBuiltinTagSlow(cx, obj);
if (!builtinTagSlow) {
return false;
}
MOZ_ASSERT(builtinTagSlow == builtinTag);
#endif
}
args.rval().setString(builtinTag);
return true;
}
// Step 17.
StringBuffer sb(cx);
if (!sb.append("[object ") || !sb.append(tag.toString()) || !sb.append(']')) {
return false;
}
JSString* str = sb.finishAtom();
if (!str) {
return false;
}
args.rval().setString(str);
return true;
}
JSString* js::ObjectClassToString(JSContext* cx, JSObject* obj) {
AutoUnsafeCallWithABI unsafe;
if (MaybeHasInterestingSymbolProperty(cx, obj,
cx->wellKnownSymbols().toStringTag)) {
return nullptr;
}
return GetBuiltinTagFast(obj, obj->getClass(), cx);
}
static bool obj_setPrototypeOf(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
if (!args.requireAtLeast(cx, "Object.setPrototypeOf", 2)) {
return false;
}
/* Step 1-2. */
if (args[0].isNullOrUndefined()) {
JS_ReportErrorNumberASCII(
cx, GetErrorMessage, nullptr, JSMSG_CANT_CONVERT_TO,
args[0].isNull() ? "null" : "undefined", "object");
return false;
}
/* Step 3. */
if (!args[1].isObjectOrNull()) {
JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
JSMSG_NOT_EXPECTED_TYPE, "Object.setPrototypeOf",
"an object or null",
InformalValueTypeName(args[1]));
return false;
}
/* Step 4. */
if (!args[0].isObject()) {
args.rval().set(args[0]);
return true;
}
/* Step 5-7. */
RootedObject obj(cx, &args[0].toObject());
RootedObject newProto(cx, args[1].toObjectOrNull());
if (!SetPrototype(cx, obj, newProto)) {
return false;
}
/* Step 8. */
args.rval().set(args[0]);
return true;
}
static bool PropertyIsEnumerable(JSContext* cx, HandleObject obj, HandleId id,
bool* enumerable) {
PropertyResult prop;
if (obj->is<NativeObject>() &&
NativeLookupOwnProperty<NoGC>(cx, &obj->as<NativeObject>(), id, &prop)) {
if (prop.isNotFound()) {
*enumerable = false;
return true;
}
JS::PropertyAttributes attrs = GetPropertyAttributes(obj, prop);
*enumerable = attrs.enumerable();
return true;
}
Rooted<Maybe<PropertyDescriptor>> desc(cx);
if (!GetOwnPropertyDescriptor(cx, obj, id, &desc)) {
return false;
}
*enumerable = desc.isSome() && desc->enumerable();
return true;
}
// Returns true if properties not named "__proto__" can be added to |obj|
// with a fast path that doesn't check any properties on the prototype chain.
static bool CanAddNewPropertyExcludingProtoFast(PlainObject* obj) {
// The object must be an extensible, non-prototype object. Prototypes require
// extra shadowing checks for shape teleporting.
if (!obj->isExtensible() || obj->isUsedAsPrototype()) {
return false;
}
// Ensure the object has no non-writable properties or getters/setters.
// For now only support PlainObjects so that we don't have to worry about
// resolve hooks and other JSClass hooks.
while (true) {
if (obj->hasNonWritableOrAccessorPropExclProto()) {
return false;
}
JSObject* proto = obj->staticPrototype();
if (!proto) {
return true;
}
if (!proto->is<PlainObject>()) {
return false;
}
obj = &proto->as<PlainObject>();
}
}
[[nodiscard]] static bool TryAssignPlain(JSContext* cx, HandleObject to,
HandleObject from, bool* optimized) {
// Object.assign is used with PlainObjects most of the time. This is a fast
// path to optimize that case. This lets us avoid checks that are only
// relevant for other JSClasses.
MOZ_ASSERT(*optimized == false);
if (!from->is<PlainObject>() || !to->is<PlainObject>()) {
return true;
}
// Don't use the fast path if |from| may have extra indexed properties.
HandlePlainObject fromPlain = from.as<PlainObject>();
if (fromPlain->getDenseInitializedLength() > 0 || fromPlain->isIndexed()) {
return true;
}
MOZ_ASSERT(!fromPlain->getClass()->getNewEnumerate());
MOZ_ASSERT(!fromPlain->getClass()->getEnumerate());
// Empty |from| objects are common, so check for this first.
if (fromPlain->empty()) {
*optimized = true;
return true;
}
HandlePlainObject toPlain = to.as<PlainObject>();
if (!CanAddNewPropertyExcludingProtoFast(toPlain)) {
return true;
}
// Get a list of all enumerable |from| properties.
Rooted<PropertyInfoWithKeyVector> props(cx, PropertyInfoWithKeyVector(cx));
#ifdef DEBUG
RootedShape fromShape(cx, fromPlain->shape());
#endif
bool hasPropsWithNonDefaultAttrs = false;
for (ShapePropertyIter<NoGC> iter(fromPlain->shape()); !iter.done(); iter++) {
// Symbol properties need to be assigned last. For now fall back to the
// slow path if we see a symbol property.
jsid id = iter->key();
if (MOZ_UNLIKELY(id.isSymbol())) {
return true;
}
// __proto__ is not supported by CanAddNewPropertyExcludingProtoFast.
if (MOZ_UNLIKELY(id.isAtom(cx->names().proto))) {
return true;
}
if (MOZ_UNLIKELY(!iter->isDataProperty())) {
return true;
}
if (iter->flags() != PropertyFlags::defaultDataPropFlags) {
hasPropsWithNonDefaultAttrs = true;
}
if (!iter->enumerable()) {
continue;
}
if (MOZ_UNLIKELY(!props.append(*iter))) {
return false;
}
}
*optimized = true;
bool toWasEmpty = toPlain->empty();
// If the |to| object has no properties and the |from| object only has plain
// enumerable/writable/configurable data properties, try to use its shape.
if (toWasEmpty && !hasPropsWithNonDefaultAttrs &&
toPlain->canReuseShapeForNewProperties(fromPlain->shape())) {
Shape* newShape = fromPlain->shape();
if (!toPlain->setShapeAndUpdateSlots(cx, newShape)) {
return false;
}
for (size_t i = props.length(); i > 0; i--) {
size_t slot = props[i - 1].slot();
toPlain->initSlot(slot, fromPlain->getSlot(slot));
}
return true;
}
RootedValue propValue(cx);
RootedId nextKey(cx);
for (size_t i = props.length(); i > 0; i--) {
// Assert |from| still has the same properties.
MOZ_ASSERT(fromPlain->shape() == fromShape);
PropertyInfoWithKey fromProp = props[i - 1];
MOZ_ASSERT(fromProp.isDataProperty());
MOZ_ASSERT(fromProp.enumerable());
nextKey = fromProp.key();
propValue = fromPlain->getSlot(fromProp.slot());
Maybe<PropertyInfo> toProp;
if (toWasEmpty) {
MOZ_ASSERT(!toPlain->containsPure(nextKey));
MOZ_ASSERT(toProp.isNothing());
} else {
toProp = toPlain->lookup(cx, nextKey);
}
if (toProp.isSome()) {
MOZ_ASSERT(toProp->isDataProperty());
MOZ_ASSERT(toProp->writable());
toPlain->setSlot(toProp->slot(), propValue);
} else {
if (!AddDataPropertyNonPrototype(cx, toPlain, nextKey, propValue)) {
return false;
}
}
}
return true;
}
static bool TryAssignNative(JSContext* cx, HandleObject to, HandleObject from,
bool* optimized) {
MOZ_ASSERT(*optimized == false);
if (!from->is<NativeObject>() || !to->is<NativeObject>()) {
return true;
}
// Don't use the fast path if |from| may have extra indexed or lazy
// properties.
NativeObject* fromNative = &from->as<NativeObject>();
if (fromNative->getDenseInitializedLength() > 0 || fromNative->isIndexed() ||
fromNative->is<TypedArrayObject>() ||
fromNative->getClass()->getNewEnumerate() ||
fromNative->getClass()->getEnumerate()) {
return true;
}
// Get a list of |from| properties. As long as from->shape() == fromShape
// we can use this to speed up both the enumerability check and the GetProp.
Rooted<PropertyInfoWithKeyVector> props(cx, PropertyInfoWithKeyVector(cx));
RootedShape fromShape(cx, fromNative->shape());
for (ShapePropertyIter<NoGC> iter(fromShape); !iter.done(); iter++) {
// Symbol properties need to be assigned last. For now fall back to the
// slow path if we see a symbol property.
if (MOZ_UNLIKELY(iter->key().isSymbol())) {
return true;
}
if (MOZ_UNLIKELY(!props.append(*iter))) {
return false;
}
}
*optimized = true;
RootedValue propValue(cx);
RootedId nextKey(cx);
RootedValue toReceiver(cx, ObjectValue(*to));
for (size_t i = props.length(); i > 0; i--) {
PropertyInfoWithKey prop = props[i - 1];
nextKey = prop.key();
// If |from| still has the same shape, it must still be a NativeObject with
// the properties in |props|.
if (MOZ_LIKELY(from->shape() == fromShape && prop.isDataProperty())) {
if (!prop.enumerable()) {
continue;
}
propValue = from->as<NativeObject>().getSlot(prop.slot());
} else {
// |from| changed shape or the property is not a data property, so
// we have to do the slower enumerability check and GetProp.
bool enumerable;
if (!PropertyIsEnumerable(cx, from, nextKey, &enumerable)) {
return false;
}
if (!enumerable) {
continue;
}
if (!GetProperty(cx, from, from, nextKey, &propValue)) {
return false;
}
}
ObjectOpResult result;
if (MOZ_UNLIKELY(
!SetProperty(cx, to, nextKey, propValue, toReceiver, result))) {
return false;
}
if (MOZ_UNLIKELY(!result.checkStrict(cx, to, nextKey))) {
return false;
}
}
return true;
}
static bool AssignSlow(JSContext* cx, HandleObject to, HandleObject from) {
// Step 4.b.ii.
RootedIdVector keys(cx);
if (!GetPropertyKeys(
cx, from, JSITER_OWNONLY | JSITER_HIDDEN | JSITER_SYMBOLS, &keys)) {
return false;
}
// Step 4.c.
RootedId nextKey(cx);
RootedValue propValue(cx);
for (size_t i = 0, len = keys.length(); i < len; i++) {
nextKey = keys[i];
// Step 4.c.i.
bool enumerable;
if (MOZ_UNLIKELY(!PropertyIsEnumerable(cx, from, nextKey, &enumerable))) {
return false;
}
if (!enumerable) {
continue;
}
// Step 4.c.ii.1.
if (MOZ_UNLIKELY(!GetProperty(cx, from, from, nextKey, &propValue))) {
return false;
}
// Step 4.c.ii.2.
if (MOZ_UNLIKELY(!SetProperty(cx, to, nextKey, propValue))) {
return false;
}
}
return true;
}
JS_PUBLIC_API bool JS_AssignObject(JSContext* cx, JS::HandleObject target,
JS::HandleObject src) {
bool optimized = false;
if (!TryAssignPlain(cx, target, src, &optimized)) {
return false;
}
if (optimized) {
return true;
}
if (!TryAssignNative(cx, target, src, &optimized)) {
return false;
}
if (optimized) {
return true;
}
return AssignSlow(cx, target, src);
}
// ES2018 draft rev 48ad2688d8f964da3ea8c11163ef20eb126fb8a4
// 19.1.2.1 Object.assign(target, ...sources)
static bool obj_assign(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
// Step 1.
RootedObject to(cx, ToObject(cx, args.get(0)));
if (!to) {
return false;
}
// Note: step 2 is implicit. If there are 0 arguments, ToObject throws. If
// there's 1 argument, the loop below is a no-op.
// Step 4.
RootedObject from(cx);
for (size_t i = 1; i < args.length(); i++) {
// Step 4.a.
if (args[i].isNullOrUndefined()) {
continue;
}
// Step 4.b.i.
from = ToObject(cx, args[i]);
if (!from) {
return false;
}
// Steps 4.b.ii, 4.c.
if (!JS_AssignObject(cx, to, from)) {
return false;
}
}
// Step 5.
args.rval().setObject(*to);
return true;
}
/* ES5 15.2.4.6. */
bool js::obj_isPrototypeOf(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
/* Step 1. */
if (args.length() < 1 || !args[0].isObject()) {
args.rval().setBoolean(false);
return true;
}
/* Step 2. */
RootedObject obj(cx, ToObject(cx, args.thisv()));
if (!obj) {
return false;
}
/* Step 3. */
bool isPrototype;
if (!IsPrototypeOf(cx, obj, &args[0].toObject(), &isPrototype)) {
return false;
}
args.rval().setBoolean(isPrototype);
return true;
}
PlainObject* js::ObjectCreateImpl(JSContext* cx, HandleObject proto,
NewObjectKind newKind) {
// Give the new object a small number of fixed slots, like we do for empty
// object literals ({}).
gc::AllocKind allocKind = NewObjectGCKind();
return NewPlainObjectWithProtoAndAllocKind(cx, proto, allocKind, newKind);
}
PlainObject* js::ObjectCreateWithTemplate(JSContext* cx,
HandlePlainObject templateObj) {
RootedObject proto(cx, templateObj->staticPrototype());
return ObjectCreateImpl(cx, proto, GenericObject);
}
// ES 2017 draft 19.1.2.3.1
static bool ObjectDefineProperties(JSContext* cx, HandleObject obj,
HandleValue properties,
bool* failedOnWindowProxy) {
// Step 1. implicit
// Step 2.
RootedObject props(cx, ToObject(cx, properties));
if (!props) {
return false;
}
// Step 3.
RootedIdVector keys(cx);
if (!GetPropertyKeys(
cx, props, JSITER_OWNONLY | JSITER_SYMBOLS | JSITER_HIDDEN, &keys)) {
return false;
}
RootedId nextKey(cx);
Rooted<Maybe<PropertyDescriptor>> keyDesc(cx);
Rooted<PropertyDescriptor> desc(cx);
RootedValue descObj(cx);
// Step 4.
Rooted<PropertyDescriptorVector> descriptors(cx,
PropertyDescriptorVector(cx));
RootedIdVector descriptorKeys(cx);
// Step 5.
for (size_t i = 0, len = keys.length(); i < len; i++) {
nextKey = keys[i];
// Step 5.a.
if (!GetOwnPropertyDescriptor(cx, props, nextKey, &keyDesc)) {
return false;
}
// Step 5.b.
if (keyDesc.isSome() && keyDesc->enumerable()) {
if (!GetProperty(cx, props, props, nextKey, &descObj) ||
!ToPropertyDescriptor(cx, descObj, true, &desc) ||
!descriptors.append(desc) || !descriptorKeys.append(nextKey)) {
return false;
}
}
}
// Step 6.
*failedOnWindowProxy = false;
for (size_t i = 0, len = descriptors.length(); i < len; i++) {
ObjectOpResult result;
if (!DefineProperty(cx, obj, descriptorKeys[i], descriptors[i], result)) {
return false;
}
if (!result.ok()) {
if (result.failureCode() == JSMSG_CANT_DEFINE_WINDOW_NC) {
*failedOnWindowProxy = true;
} else if (!result.checkStrict(cx, obj, descriptorKeys[i])) {
return false;
}
}
}
return true;
}
// ES6 draft rev34 (2015/02/20) 19.1.2.2 Object.create(O [, Properties])
bool js::obj_create(JSContext* cx, unsigned argc, Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
// Step 1.
if (!args.requireAtLeast(cx, "Object.create", 1)) {
return false;
}
if (!args[0].isObjectOrNull()) {
UniqueChars bytes =
DecompileValueGenerator(cx, JSDVG_SEARCH_STACK, args[0], nullptr);
if (!bytes) {
return false;
}
JS_ReportErrorNumberUTF8(cx, GetErrorMessage, nullptr,
JSMSG_UNEXPECTED_TYPE, bytes.get(),
"not an object or null");
return false;
}
// Step 2.
RootedObject proto(cx, args[0].toObjectOrNull());
RootedPlainObject obj(cx, ObjectCreateImpl(cx, proto));
if (!obj) {
return false;
}
// Step 3.
if (args.hasDefined(1)) {
// we can't ever end up with failures to define on a WindowProxy
// here, because "obj" is never a WindowProxy.
bool failedOnWindowProxy = false;
if (!ObjectDefineProperties(cx, obj, args[1], &failedOnWindowProxy)) {
return false;
}
MOZ_ASSERT(!failedOnWindowProxy, "How did we get a WindowProxy here?");
}
// Step 4.
args.rval().setObject(*obj);
return true;
}
// ES2017 draft rev 6859bb9ccaea9c6ede81d71e5320e3833b92cb3e
// 6.2.4.4 FromPropertyDescriptor ( Desc )
static bool FromPropertyDescriptorToArray(
JSContext* cx, Handle<Maybe<PropertyDescriptor>> desc,
MutableHandleValue vp) {
// Step 1.
if (desc.isNothing()) {
vp.setUndefined();
return true;
}
// Steps 2-11.
// Retrieve all property descriptor fields and place them into the result
// array. The actual return object is created in self-hosted code for
// performance reasons.
int32_t attrsAndKind = 0;
if (desc->enumerable()) {
attrsAndKind |= ATTR_ENUMERABLE;
}
if (desc->configurable()) {
attrsAndKind |= ATTR_CONFIGURABLE;
}
if (!desc->isAccessorDescriptor()) {
if (desc->writable()) {
attrsAndKind |= ATTR_WRITABLE;
}
attrsAndKind |= DATA_DESCRIPTOR_KIND;
} else {
attrsAndKind |= ACCESSOR_DESCRIPTOR_KIND;
}
RootedArrayObject result(cx);
if (!desc->isAccessorDescriptor()) {
result = NewDenseFullyAllocatedArray(cx, 2);
if (!result) {
return false;
}
result->setDenseInitializedLength(2);
result->initDenseElement(PROP_DESC_ATTRS_AND_KIND_INDEX,
Int32Value(attrsAndKind));
result->initDenseElement(PROP_DESC_VALUE_INDEX, desc->value());
} else {
result = NewDenseFullyAllocatedArray(cx, 3);
if (!result) {
return false;
}
result->setDenseInitializedLength(3);
result->initDenseElement(PROP_DESC_ATTRS_AND_KIND_INDEX,
Int32Value(attrsAndKind));
if (JSObject* get = desc->getter()) {
result->initDenseElement(PROP_DESC_GETTER_INDEX, ObjectValue(*get));
} else {
result->initDenseElement(PROP_DESC_GETTER_INDEX, UndefinedValue());
}
if (JSObject* set = desc->setter()) {
result->initDenseElement(PROP_DESC_SETTER_INDEX, ObjectValue(*set));
} else {
result->initDenseElement(PROP_DESC_SETTER_INDEX, UndefinedValue());
}
}
vp.setObject(*result);
return true;
}
// ES2017 draft rev 6859bb9ccaea9c6ede81d71e5320e3833b92cb3e
// 19.1.2.6 Object.getOwnPropertyDescriptor ( O, P )
bool js::GetOwnPropertyDescriptorToArray(JSContext* cx, unsigned argc,
Value* vp) {
CallArgs args = CallArgsFromVp(argc, vp);
MOZ_ASSERT(args.length() == 2);
// Step 1.
RootedObject obj(cx, ToObject(cx, args[0]));
if (!obj) {
return false;
}
// Step 2.
RootedId id(cx);
if (!ToPropertyKey(cx, args[1], &id)) {
return false;
}
// Step 3.
Rooted<Maybe<PropertyDescriptor>> desc(cx);
if (!GetOwnPropertyDescriptor(cx, obj, id, &desc)) {
return false;
}
// Step 4.
return FromPropertyDescriptorToArray(cx, desc, args.rval());
}
static bool NewValuePair(JSContext* cx, HandleValue val1, HandleValue val2,
MutableHandleValue rval) {
ArrayObject* array = NewDenseFullyAllocatedArray(cx, 2);
if (!array) {
return false;
}
array->setDenseInitializedLength(2);
array->initDenseElement(0, val1);
array->initDenseElement(1, val2);
rval.setObject(*array);
return true;
}
enum class EnumerableOwnPropertiesKind { Keys, Values, KeysAndValues, Names };
static bool HasEnumerableStringNonDataProperties(NativeObject* obj) {
// We also check for enumerability and symbol properties, so uninteresting
// non-data properties like |array.length| don't let us fall into the slow
// path.
for (ShapePropertyIter<NoGC> iter(obj->shape()); !iter.done(); iter++) {
if (!iter->isDataProperty() && iter->enumerable() &&
!iter->key().isSymbol()) {
return true;
}
}
return false;
}
template <EnumerableOwnPropertiesKind kind>
static bool TryEnumerableOwnPropertiesNative(JSContext* cx, HandleObject obj,
MutableHandleValue rval,
bool* optimized) {
*optimized = false;
// Use the fast path if |obj| has neither extra indexed properties nor a
// newEnumerate hook. String objects need to be special-cased, because
// they're only marked as indexed after their enumerate hook ran. And
// because their enumerate hook is slowish, it's more performant to
// exclude them directly instead of executing the hook first.
if (!obj->is<NativeObject>() || obj->as<NativeObject>().isIndexed() ||
obj->getClass()->getNewEnumerate() || obj->is<StringObject>()) {
return true;
}
HandleNativeObject nobj = obj.as<NativeObject>();
// Resolve lazy properties on |nobj|.
if (JSEnumerateOp enumerate = nobj->getClass()->getEnumerate()) {
if (!enumerate(cx, nobj)) {
return false;
}
// Ensure no extra indexed properties were added through enumerate().
if (nobj->isIndexed()) {
return true;
}
}
*optimized = true;
RootedValueVector properties(cx);
RootedValue key(cx);
RootedValue value(cx);
// We have ensured |nobj| contains no extra indexed properties, so the
// only indexed properties we need to handle here are dense and typed
// array elements.
for (uint32_t i = 0, len = nobj->getDenseInitializedLength(); i < len; i++) {
value.set(nobj->getDenseElement(i));
if (value.isMagic(JS_ELEMENTS_HOLE)) {
continue;
}
JSString* str;
if (kind != EnumerableOwnPropertiesKind::Values) {
static_assert(NativeObject::MAX_DENSE_ELEMENTS_COUNT <= JSID_INT_MAX,
"dense elements don't exceed JSID_INT_MAX");
str = Int32ToString<CanGC>(cx, i);
if (!str) {
return false;
}
}
if (kind == EnumerableOwnPropertiesKind::Keys ||
kind == EnumerableOwnPropertiesKind::Names) {
value.setString(str);
} else if (kind == EnumerableOwnPropertiesKind::KeysAndValues) {
key.setString(str);
if (!NewValuePair(cx, key, value, &value)) {
return false;
}
}