diff options
Diffstat (limited to 'js/src/vm/EnvironmentObject.h')
| -rw-r--r-- | js/src/vm/EnvironmentObject.h | 1126 |
1 files changed, 1126 insertions, 0 deletions
diff --git a/js/src/vm/EnvironmentObject.h b/js/src/vm/EnvironmentObject.h new file mode 100644 index 000000000..6bdaac89e --- /dev/null +++ b/js/src/vm/EnvironmentObject.h @@ -0,0 +1,1126 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- + * vim: set ts=8 sts=4 et sw=4 tw=99: + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef vm_EnvironmentObject_h +#define vm_EnvironmentObject_h + +#include "jscntxt.h" +#include "jsobj.h" +#include "jsweakmap.h" + +#include "builtin/ModuleObject.h" +#include "frontend/NameAnalysisTypes.h" +#include "gc/Barrier.h" +#include "js/GCHashTable.h" +#include "vm/ArgumentsObject.h" +#include "vm/ProxyObject.h" +#include "vm/Scope.h" + +namespace js { + +class ModuleObject; +typedef Handle<ModuleObject*> HandleModuleObject; + +/* + * Return a shape representing the static scope containing the variable + * accessed by the ALIASEDVAR op at 'pc'. + */ +extern Shape* +EnvironmentCoordinateToEnvironmentShape(JSScript* script, jsbytecode* pc); + +/* Return the name being accessed by the given ALIASEDVAR op. */ +extern PropertyName* +EnvironmentCoordinateName(EnvironmentCoordinateNameCache& cache, JSScript* script, jsbytecode* pc); + +/* Return the function script accessed by the given ALIASEDVAR op, or nullptr. */ +extern JSScript* +EnvironmentCoordinateFunctionScript(JSScript* script, jsbytecode* pc); + + +/*** Environment objects *****************************************************/ + + +/*** Environment objects *****************************************************/ + +/* + * About environments + * ------------------ + * + * (See also: ecma262 rev c7952de (19 Aug 2016) 8.1 "Lexical Environments".) + * + * Scoping in ES is specified in terms of "Environment Records". There's a + * global Environment Record per realm, and a new Environment Record is created + * whenever control enters a function, block, or other scope. + * + * A "Lexical Environment" is a list of nested Environment Records, innermost + * first: everything that's in scope. Throughout SpiderMonkey, "environment" + * means a Lexical Environment. + * + * N.B.: "Scope" means something different: a static scope, the compile-time + * analogue of an environment. See Scope.h. + * + * How SpiderMonkey represents environments + * ---------------------------------------- + * + * Some environments are stored as JSObjects. Several kinds of objects + * represent environments: + * + * JSObject + * | + * +--NativeObject + * | | + * | +--EnvironmentObject Engine-internal environment + * | | | + * | | +--CallObject Environment of entire function + * | | | + * | | +--ModuleEnvironmentObject Module top-level environment + * | | | + * | | +--LexicalEnvironmentObject Lexical (block) environment + * | | | | + * | | | +--NamedLambdaObject Environment for `(function f(){...})` + * | | | containing only a binding for `f` + * | | +--VarEnvironmentObject See VarScope in Scope.h. + * | | | + * | | +--WithEnvironmentObject Presents object properties as bindings + * | | | + * | | +--NonSyntacticVariablesObject See "Non-syntactic environments" below + * | | + * | +--GlobalObject The global environment + * | + * +--ProxyObject + * | + * +--DebugEnvironmentProxy Environment for debugger eval-in-frame + * + * EnvironmentObjects are technically real JSObjects but only belong on the + * environment chain (that is, fp->environmentChain() or fun->environment()). + * They are never exposed to scripts. + * + * Note that reserved slots in any base classes shown above are fixed for all + * derived classes. So e.g. EnvironmentObject::enclosingEnvironment() can + * simply access a fixed slot without further dynamic type information. + * + * When the current environment is represented by an object, the stack frame + * has a pointer to that object (see AbstractFramePtr::environmentChain()). + * However, that isn't always the case. Where possible, we store binding values + * in JS stack slots. For block and function scopes where all bindings can be + * stored in stack slots, nothing is allocated in the heap; there is no + * environment object. + * + * Full information about the environment chain is always recoverable: + * EnvironmentIter can do it, and we construct a fake environment for debugger + * eval-in-frame (see "Debug environment objects" below). + * + * Syntactic Environments + * ---------------------- + * + * Environments may be syntactic, i.e., corresponding to source text, or + * non-syntactic, i.e., specially created by embedding. The distinction is + * necessary to maintain invariants about the environment chain: non-syntactic + * environments may not occur in arbitrary positions in the chain. + * + * CallObject, ModuleEnvironmentObject, and LexicalEnvironmentObject always + * represent syntactic environments. (CallObject is considered syntactic even + * when it's used as the scope of strict eval code.) WithEnvironmentObject is + * syntactic when it's used to represent the scope of a `with` block. + * + * + * Non-syntactic Environments + * -------------------------- + * + * A non-syntactic environment is one that was not created due to JS source + * code. On the scope chain, a single NonSyntactic GlobalScope maps to 0+ + * non-syntactic environment objects. This is contrasted with syntactic + * environments, where each scope corresponds to 0 or 1 environment object. + * + * There are 3 kinds of dynamic environment objects: + * + * 1. WithEnvironmentObject + * + * When the embedding compiles or executes a script, it has the option to + * pass in a vector of objects to be used as the initial env chain, ordered + * from outermost env to innermost env. Each of those objects is wrapped by + * a WithEnvironmentObject. + * + * The innermost object passed in by the embedding becomes a qualified + * variables object that captures 'var' bindings. That is, it wraps the + * holder object of 'var' bindings. + * + * Does not hold 'let' or 'const' bindings. + * + * 2. NonSyntacticVariablesObject + * + * When the embedding wants qualified 'var' bindings and unqualified + * bareword assignments to go on a different object than the global + * object. While any object can be made into a qualified variables object, + * only the GlobalObject and NonSyntacticVariablesObject are considered + * unqualified variables objects. + * + * Unlike WithEnvironmentObjects that delegate to the object they wrap, + * this object is itself the holder of 'var' bindings. + * + * Does not hold 'let' or 'const' bindings. + * + * 3. LexicalEnvironmentObject + * + * Each non-syntactic object used as a qualified variables object needs to + * enclose a non-syntactic LexicalEnvironmentObject to hold 'let' and + * 'const' bindings. There is a bijection per compartment between the + * non-syntactic variables objects and their non-syntactic + * LexicalEnvironmentObjects. + * + * Does not hold 'var' bindings. + * + * The embedding (Gecko) uses non-syntactic envs for various things, some of + * which are detailed below. All env chain listings below are, from top to + * bottom, outermost to innermost. + * + * A. Component loading + * + * Components may be loaded in "reuse loader global" mode, where to save on + * memory, all JSMs and JS-implemented XPCOM modules are loaded into a single + * global. Each individual JSMs are compiled as functions with their own + * FakeBackstagePass. They have the following env chain: + * + * BackstagePass global + * | + * Global lexical scope + * | + * WithEnvironmentObject wrapping FakeBackstagePass + * | + * LexicalEnvironmentObject + * + * B. Subscript loading + * + * Subscripts may be loaded into a target object. They have the following + * env chain: + * + * Loader global + * | + * Global lexical scope + * | + * WithEnvironmentObject wrapping target + * | + * LexicalEnvironmentObject + * + * C. Frame scripts + * + * XUL frame scripts are always loaded with a NonSyntacticVariablesObject as a + * "polluting global". This is done exclusively in + * js::ExecuteInGlobalAndReturnScope. + * + * Loader global + * | + * Global lexical scope + * | + * NonSyntacticVariablesObject + * | + * LexicalEnvironmentObject + * + * D. XBL and DOM event handlers + * + * XBL methods are compiled as functions with XUL elements on the env chain, + * and DOM event handlers are compiled as functions with HTML elements on the + * env chain. For a chain of elements e0,...,eN: + * + * ... + * | + * WithEnvironmentObject wrapping eN + * | + * ... + * | + * WithEnvironmentObject wrapping e0 + * | + * LexicalEnvironmentObject + * + */ + +class EnvironmentObject : public NativeObject +{ + protected: + // The enclosing environment. Either another EnvironmentObject, a + // GlobalObject, or a non-syntactic environment object. + static const uint32_t ENCLOSING_ENV_SLOT = 0; + + inline void setAliasedBinding(JSContext* cx, uint32_t slot, PropertyName* name, + const Value& v); + + void setEnclosingEnvironment(JSObject* enclosing) { + setReservedSlot(ENCLOSING_ENV_SLOT, ObjectOrNullValue(enclosing)); + } + + public: + // Since every env chain terminates with a global object, whether + // GlobalObject or a non-syntactic one, and since those objects do not + // derive EnvironmentObject (they have completely different layouts), the + // enclosing environment of an EnvironmentObject is necessarily non-null. + JSObject& enclosingEnvironment() const { + return getReservedSlot(ENCLOSING_ENV_SLOT).toObject(); + } + + void initEnclosingEnvironment(JSObject* enclosing) { + initReservedSlot(ENCLOSING_ENV_SLOT, ObjectOrNullValue(enclosing)); + } + + // Get or set a name contained in this environment. + const Value& aliasedBinding(EnvironmentCoordinate ec) { + return getSlot(ec.slot()); + } + + const Value& aliasedBinding(const BindingIter& bi) { + MOZ_ASSERT(bi.location().kind() == BindingLocation::Kind::Environment); + return getSlot(bi.location().slot()); + } + + inline void setAliasedBinding(JSContext* cx, EnvironmentCoordinate ec, PropertyName* name, + const Value& v); + + inline void setAliasedBinding(JSContext* cx, const BindingIter& bi, const Value& v); + + // For JITs. + static size_t offsetOfEnclosingEnvironment() { + return getFixedSlotOffset(ENCLOSING_ENV_SLOT); + } + + static uint32_t enclosingEnvironmentSlot() { + return ENCLOSING_ENV_SLOT; + } +}; + +class CallObject : public EnvironmentObject +{ + protected: + static const uint32_t CALLEE_SLOT = 1; + + static CallObject* create(JSContext* cx, HandleScript script, HandleFunction callee, + HandleObject enclosing); + + public: + static const uint32_t RESERVED_SLOTS = 2; + static const Class class_; + + /* These functions are internal and are exposed only for JITs. */ + + /* + * Construct a bare-bones call object given a shape and a non-singleton + * group. The call object must be further initialized to be usable. + */ + static CallObject* create(JSContext* cx, HandleShape shape, HandleObjectGroup group); + + /* + * Construct a bare-bones call object given a shape and make it into + * a singleton. The call object must be initialized to be usable. + */ + static CallObject* createSingleton(JSContext* cx, HandleShape shape); + + static CallObject* createTemplateObject(JSContext* cx, HandleScript script, + HandleObject enclosing, gc::InitialHeap heap); + + static CallObject* create(JSContext* cx, HandleFunction callee, HandleObject enclosing); + static CallObject* create(JSContext* cx, AbstractFramePtr frame); + + static CallObject* createHollowForDebug(JSContext* cx, HandleFunction callee); + + /* + * When an aliased formal (var accessed by nested closures) is also + * aliased by the arguments object, it must of course exist in one + * canonical location and that location is always the CallObject. For this + * to work, the ArgumentsObject stores special MagicValue in its array for + * forwarded-to-CallObject variables. This MagicValue's payload is the + * slot of the CallObject to access. + */ + const Value& aliasedFormalFromArguments(const Value& argsValue) { + return getSlot(ArgumentsObject::SlotFromMagicScopeSlotValue(argsValue)); + } + inline void setAliasedFormalFromArguments(JSContext* cx, const Value& argsValue, jsid id, + const Value& v); + + JSFunction& callee() const { + return getReservedSlot(CALLEE_SLOT).toObject().as<JSFunction>(); + } + + /* For jit access. */ + static size_t offsetOfCallee() { + return getFixedSlotOffset(CALLEE_SLOT); + } + + static size_t calleeSlot() { + return CALLEE_SLOT; + } +}; + +class VarEnvironmentObject : public EnvironmentObject +{ + static const uint32_t SCOPE_SLOT = 1; + + static VarEnvironmentObject* create(JSContext* cx, HandleShape shape, HandleObject enclosing, + gc::InitialHeap heap); + + void initScope(Scope* scope) { + initReservedSlot(SCOPE_SLOT, PrivateGCThingValue(scope)); + } + + public: + static const uint32_t RESERVED_SLOTS = 2; + static const Class class_; + + static VarEnvironmentObject* create(JSContext* cx, HandleScope scope, AbstractFramePtr frame); + static VarEnvironmentObject* createHollowForDebug(JSContext* cx, Handle<VarScope*> scope); + + Scope& scope() const { + Value v = getReservedSlot(SCOPE_SLOT); + MOZ_ASSERT(v.isPrivateGCThing()); + Scope& s = *static_cast<Scope*>(v.toGCThing()); + MOZ_ASSERT(s.is<VarScope>() || s.is<EvalScope>()); + return s; + } + + bool isForEval() const { + return scope().is<EvalScope>(); + } +}; + +class ModuleEnvironmentObject : public EnvironmentObject +{ + static const uint32_t MODULE_SLOT = 1; + + static const ObjectOps objectOps_; + + public: + static const Class class_; + + static const uint32_t RESERVED_SLOTS = 2; + + static ModuleEnvironmentObject* create(ExclusiveContext* cx, HandleModuleObject module); + ModuleObject& module(); + IndirectBindingMap& importBindings(); + + bool createImportBinding(JSContext* cx, HandleAtom importName, HandleModuleObject module, + HandleAtom exportName); + + bool hasImportBinding(HandlePropertyName name); + + bool lookupImport(jsid name, ModuleEnvironmentObject** envOut, Shape** shapeOut); + + void fixEnclosingEnvironmentAfterCompartmentMerge(GlobalObject& global); + + private: + static bool lookupProperty(JSContext* cx, HandleObject obj, HandleId id, + MutableHandleObject objp, MutableHandleShape propp); + static bool hasProperty(JSContext* cx, HandleObject obj, HandleId id, bool* foundp); + static bool getProperty(JSContext* cx, HandleObject obj, HandleValue receiver, HandleId id, + MutableHandleValue vp); + static bool setProperty(JSContext* cx, HandleObject obj, HandleId id, HandleValue v, + HandleValue receiver, JS::ObjectOpResult& result); + static bool getOwnPropertyDescriptor(JSContext* cx, HandleObject obj, HandleId id, + MutableHandle<PropertyDescriptor> desc); + static bool deleteProperty(JSContext* cx, HandleObject obj, HandleId id, + ObjectOpResult& result); + static bool enumerate(JSContext* cx, HandleObject obj, AutoIdVector& properties, + bool enumerableOnly); +}; + +typedef Rooted<ModuleEnvironmentObject*> RootedModuleEnvironmentObject; +typedef Handle<ModuleEnvironmentObject*> HandleModuleEnvironmentObject; +typedef MutableHandle<ModuleEnvironmentObject*> MutableHandleModuleEnvironmentObject; + +class LexicalEnvironmentObject : public EnvironmentObject +{ + // Global and non-syntactic lexical environments need to store a 'this' + // value and all other lexical environments have a fixed shape and store a + // backpointer to the LexicalScope. + // + // Since the two sets are disjoint, we only use one slot to save space. + static const unsigned THIS_VALUE_OR_SCOPE_SLOT = 1; + + public: + static const unsigned RESERVED_SLOTS = 2; + static const Class class_; + + private: + static LexicalEnvironmentObject* createTemplateObject(JSContext* cx, HandleShape shape, + HandleObject enclosing, + gc::InitialHeap heap); + + void initThisValue(JSObject* obj) { + MOZ_ASSERT(isGlobal() || !isSyntactic()); + initReservedSlot(THIS_VALUE_OR_SCOPE_SLOT, GetThisValue(obj)); + } + + void initScopeUnchecked(LexicalScope* scope) { + initReservedSlot(THIS_VALUE_OR_SCOPE_SLOT, PrivateGCThingValue(scope)); + } + + void initScope(LexicalScope* scope) { + MOZ_ASSERT(!isGlobal()); + MOZ_ASSERT(isSyntactic()); + initScopeUnchecked(scope); + } + + public: + static LexicalEnvironmentObject* createTemplateObject(JSContext* cx, + Handle<LexicalScope*> scope, + HandleObject enclosing, + gc::InitialHeap heap); + + static LexicalEnvironmentObject* create(JSContext* cx, Handle<LexicalScope*> scope, + AbstractFramePtr frame); + static LexicalEnvironmentObject* createGlobal(JSContext* cx, Handle<GlobalObject*> global); + static LexicalEnvironmentObject* createNonSyntactic(JSContext* cx, HandleObject enclosing); + static LexicalEnvironmentObject* createHollowForDebug(JSContext* cx, + Handle<LexicalScope*> scope); + + // Create a new LexicalEnvironmentObject with the same enclosing env and + // variable values as this. + static LexicalEnvironmentObject* clone(JSContext* cx, Handle<LexicalEnvironmentObject*> env); + + // Create a new LexicalEnvironmentObject with the same enclosing env as + // this, with all variables uninitialized. + static LexicalEnvironmentObject* recreate(JSContext* cx, Handle<LexicalEnvironmentObject*> env); + + // For non-extensible lexical environments, the LexicalScope that created + // this environment. Otherwise asserts. + LexicalScope& scope() const { + Value v = getReservedSlot(THIS_VALUE_OR_SCOPE_SLOT); + MOZ_ASSERT(!isExtensible() && v.isPrivateGCThing()); + return *static_cast<LexicalScope*>(v.toGCThing()); + } + + // Is this the global lexical scope? + bool isGlobal() const { + return enclosingEnvironment().is<GlobalObject>(); + } + + GlobalObject& global() const { + return enclosingEnvironment().as<GlobalObject>(); + } + + // Global and non-syntactic lexical scopes are extensible. All other + // lexical scopes are not. + bool isExtensible() const; + + // Is this a syntactic (i.e. corresponds to a source text) lexical + // environment? + bool isSyntactic() const { + return !isExtensible() || isGlobal(); + } + + // For extensible lexical environments, the 'this' value for its + // scope. Otherwise asserts. + Value thisValue() const; +}; + +class NamedLambdaObject : public LexicalEnvironmentObject +{ + static NamedLambdaObject* create(JSContext* cx, HandleFunction callee, + HandleFunction replacement, + HandleObject enclosing, gc::InitialHeap heap); + + public: + static NamedLambdaObject* createTemplateObject(JSContext* cx, HandleFunction callee, + gc::InitialHeap heap); + + static NamedLambdaObject* create(JSContext* cx, AbstractFramePtr frame); + static NamedLambdaObject* create(JSContext* cx, AbstractFramePtr frame, + HandleFunction replacement); + + // For JITs. + static size_t lambdaSlot(); +}; + +// A non-syntactic dynamic scope object that captures non-lexical +// bindings. That is, a scope object that captures both qualified var +// assignments and unqualified bareword assignments. Its parent is always the +// global lexical environment. +// +// This is used in ExecuteInGlobalAndReturnScope and sits in front of the +// global scope to store 'var' bindings, and to store fresh properties created +// by assignments to undeclared variables that otherwise would have gone on +// the global object. +class NonSyntacticVariablesObject : public EnvironmentObject +{ + public: + static const unsigned RESERVED_SLOTS = 1; + static const Class class_; + + static NonSyntacticVariablesObject* create(JSContext* cx); +}; + +// With environment objects on the run-time environment chain. +class WithEnvironmentObject : public EnvironmentObject +{ + static const unsigned OBJECT_SLOT = 1; + static const unsigned THIS_SLOT = 2; + static const unsigned SCOPE_SLOT = 3; + + public: + static const unsigned RESERVED_SLOTS = 4; + static const Class class_; + + static WithEnvironmentObject* create(JSContext* cx, HandleObject object, HandleObject enclosing, + Handle<WithScope*> scope); + static WithEnvironmentObject* createNonSyntactic(JSContext* cx, HandleObject object, + HandleObject enclosing); + + /* Return the 'o' in 'with (o)'. */ + JSObject& object() const; + + /* Return object for GetThisValue. */ + JSObject* withThis() const; + + /* + * Return whether this object is a syntactic with object. If not, this is + * a With object we inserted between the outermost syntactic scope and the + * global object to wrap the environment chain someone explicitly passed + * via JSAPI to CompileFunction or script evaluation. + */ + bool isSyntactic() const; + + // For syntactic with environment objects, the with scope. + WithScope& scope() const; + + static inline size_t objectSlot() { + return OBJECT_SLOT; + } + + static inline size_t thisSlot() { + return THIS_SLOT; + } +}; + +// Internal scope object used by JSOP_BINDNAME upon encountering an +// uninitialized lexical slot or an assignment to a 'const' binding. +// +// ES6 lexical bindings cannot be accessed in any way (throwing +// ReferenceErrors) until initialized. Normally, NAME operations +// unconditionally check for uninitialized lexical slots. When getting or +// looking up names, this can be done without slowing down normal operations +// on the return value. When setting names, however, we do not want to pollute +// all set-property paths with uninitialized lexical checks. For setting names +// (i.e. JSOP_SETNAME), we emit an accompanying, preceding JSOP_BINDNAME which +// finds the right scope on which to set the name. Moreover, when the name on +// the scope is an uninitialized lexical, we cannot throw eagerly, as the spec +// demands that the error be thrown after evaluating the RHS of +// assignments. Instead, this sentinel scope object is pushed on the stack. +// Attempting to access anything on this scope throws the appropriate +// ReferenceError. +// +// ES6 'const' bindings induce a runtime error when assigned to outside +// of initialization, regardless of strictness. +class RuntimeLexicalErrorObject : public EnvironmentObject +{ + static const unsigned ERROR_SLOT = 1; + + public: + static const unsigned RESERVED_SLOTS = 2; + static const Class class_; + + static RuntimeLexicalErrorObject* create(JSContext* cx, HandleObject enclosing, + unsigned errorNumber); + + unsigned errorNumber() { + return getReservedSlot(ERROR_SLOT).toInt32(); + } +}; + + +/*****************************************************************************/ + +// A environment iterator describes the active environments starting from an +// environment, scope pair. This pair may be derived from the current point of +// execution in a frame. If derived in such a fashion, the EnvironmentIter +// tracks whether the current scope is within the extent of this initial +// frame. Here, "frame" means a single activation of: a function, eval, or +// global code. +class MOZ_RAII EnvironmentIter +{ + Rooted<ScopeIter> si_; + RootedObject env_; + AbstractFramePtr frame_; + + void incrementScopeIter(); + void settle(); + + // No value semantics. + EnvironmentIter(const EnvironmentIter& ei) = delete; + + public: + // Constructing from a copy of an existing EnvironmentIter. + EnvironmentIter(JSContext* cx, const EnvironmentIter& ei + MOZ_GUARD_OBJECT_NOTIFIER_PARAM); + + // Constructing from an environment, scope pair. All environments + // considered not to be withinInitialFrame, since no frame is given. + EnvironmentIter(JSContext* cx, JSObject* env, Scope* scope + MOZ_GUARD_OBJECT_NOTIFIER_PARAM); + + // Constructing from a frame. Places the EnvironmentIter on the innermost + // environment at pc. + EnvironmentIter(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc + MOZ_GUARD_OBJECT_NOTIFIER_PARAM); + + bool done() const { + return si_.done(); + } + + explicit operator bool() const { + return !done(); + } + + void operator++(int) { + if (hasAnyEnvironmentObject()) + env_ = &env_->as<EnvironmentObject>().enclosingEnvironment(); + incrementScopeIter(); + settle(); + } + + EnvironmentIter& operator++() { + operator++(1); + return *this; + } + + // If done(): + JSObject& enclosingEnvironment() const; + + // If !done(): + bool hasNonSyntacticEnvironmentObject() const; + + bool hasSyntacticEnvironment() const { + return si_.hasSyntacticEnvironment(); + } + + bool hasAnyEnvironmentObject() const { + return hasNonSyntacticEnvironmentObject() || hasSyntacticEnvironment(); + } + + EnvironmentObject& environment() const { + MOZ_ASSERT(hasAnyEnvironmentObject()); + return env_->as<EnvironmentObject>(); + } + + Scope& scope() const { + return *si_.scope(); + } + + Scope* maybeScope() const { + if (si_) + return si_.scope(); + return nullptr; + } + + JSFunction& callee() const { + return env_->as<CallObject>().callee(); + } + + bool withinInitialFrame() const { + return !!frame_; + } + + AbstractFramePtr initialFrame() const { + MOZ_ASSERT(withinInitialFrame()); + return frame_; + } + + AbstractFramePtr maybeInitialFrame() const { + return frame_; + } + + MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER +}; + +// The key in MissingEnvironmentMap. For live frames, maps live frames to +// their synthesized environments. For completely optimized-out environments, +// maps the Scope to their synthesized environments. The env we synthesize for +// Scopes are read-only, and we never use their parent links, so they don't +// need to be distinct. +// +// That is, completely optimized out environments can't be distinguished by +// frame. Note that even if the frame corresponding to the Scope is live on +// the stack, it is unsound to synthesize an environment from that live +// frame. In other words, the provenance of the environment chain is from +// allocated closures (i.e., allocation sites) and is irrecoverable from +// simple stack inspection (i.e., call sites). +class MissingEnvironmentKey +{ + friend class LiveEnvironmentVal; + + AbstractFramePtr frame_; + Scope* scope_; + + public: + explicit MissingEnvironmentKey(const EnvironmentIter& ei) + : frame_(ei.maybeInitialFrame()), + scope_(ei.maybeScope()) + { } + + MissingEnvironmentKey(AbstractFramePtr frame, Scope* scope) + : frame_(frame), + scope_(scope) + { } + + AbstractFramePtr frame() const { return frame_; } + Scope* scope() const { return scope_; } + + void updateScope(Scope* scope) { scope_ = scope; } + void updateFrame(AbstractFramePtr frame) { frame_ = frame; } + + // For use as hash policy. + typedef MissingEnvironmentKey Lookup; + static HashNumber hash(MissingEnvironmentKey sk); + static bool match(MissingEnvironmentKey sk1, MissingEnvironmentKey sk2); + bool operator!=(const MissingEnvironmentKey& other) const { + return frame_ != other.frame_ || scope_ != other.scope_; + } + static void rekey(MissingEnvironmentKey& k, const MissingEnvironmentKey& newKey) { + k = newKey; + } +}; + +// The value in LiveEnvironmentMap, mapped from by live environment objects. +class LiveEnvironmentVal +{ + friend class DebugEnvironments; + friend class MissingEnvironmentKey; + + AbstractFramePtr frame_; + HeapPtr<Scope*> scope_; + + static void staticAsserts(); + + public: + explicit LiveEnvironmentVal(const EnvironmentIter& ei) + : frame_(ei.initialFrame()), + scope_(ei.maybeScope()) + { } + + AbstractFramePtr frame() const { return frame_; } + Scope* scope() const { return scope_; } + + void updateFrame(AbstractFramePtr frame) { frame_ = frame; } + + bool needsSweep(); +}; + + +/*****************************************************************************/ + +/* + * Debug environment objects + * + * The debugger effectively turns every opcode into a potential direct eval. + * Naively, this would require creating a EnvironmentObject for every + * call/block scope and using JSOP_GETALIASEDVAR for every access. To optimize + * this, the engine assumes there is no debugger and optimizes scope access + * and creation accordingly. When the debugger wants to perform an unexpected + * eval-in-frame (or other, similar environment-requiring operations), + * fp->environmentChain is now incomplete. + * + * To resolve this, the debugger first calls GetDebugEnvironmentFor* to + * synthesize a "debug env chain". A debug env chain is just a chain of + * objects that fill in missing environments and protect the engine from + * unexpected access. (The latter means that some debugger operations, like + * redefining a lexical binding, can fail when a true eval would succeed.) To + * do both of these things, GetDebugEnvironmentFor* creates a new proxy + * DebugEnvironmentProxy to sit in front of every existing EnvironmentObject. + * + * GetDebugEnvironmentFor* ensures the invariant that the same + * DebugEnvironmentProxy is always produced for the same underlying + * environment (optimized or not!). This is maintained by some bookkeeping + * information stored in DebugEnvironments. + */ + +extern JSObject* +GetDebugEnvironmentForFunction(JSContext* cx, HandleFunction fun); + +extern JSObject* +GetDebugEnvironmentForFrame(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc); + +extern JSObject* +GetDebugEnvironmentForGlobalLexicalEnvironment(JSContext* cx); + +/* Provides debugger access to a environment. */ +class DebugEnvironmentProxy : public ProxyObject +{ + /* + * The enclosing environment on the dynamic environment chain. This slot is analogous + * to the ENCLOSING_ENV_SLOT of a EnvironmentObject. + */ + static const unsigned ENCLOSING_EXTRA = 0; + + /* + * NullValue or a dense array holding the unaliased variables of a function + * frame that has been popped. + */ + static const unsigned SNAPSHOT_EXTRA = 1; + + public: + static DebugEnvironmentProxy* create(JSContext* cx, EnvironmentObject& env, + HandleObject enclosing); + + EnvironmentObject& environment() const; + JSObject& enclosingEnvironment() const; + + /* May only be called for proxies to function call objects. */ + ArrayObject* maybeSnapshot() const; + void initSnapshot(ArrayObject& snapshot); + + // Currently, the 'declarative' environments are function, module, and + // lexical environments. + bool isForDeclarative() const; + + // Get a property by 'id', but returns sentinel values instead of throwing + // on exceptional cases. + bool getMaybeSentinelValue(JSContext* cx, HandleId id, MutableHandleValue vp); + + // Returns true iff this is a function environment with its own this-binding + // (all functions except arrow functions and generator expression lambdas). + bool isFunctionEnvironmentWithThis(); + + // Does this debug environment not have a real counterpart or was never + // live (and thus does not have a synthesized EnvironmentObject or a + // snapshot)? + bool isOptimizedOut() const; +}; + +/* Maintains per-compartment debug environment bookkeeping information. */ +class DebugEnvironments +{ + /* The map from (non-debug) environments to debug environments. */ + ObjectWeakMap proxiedEnvs; + + /* + * The map from live frames which have optimized-away environments to the + * corresponding debug environments. + */ + typedef HashMap<MissingEnvironmentKey, + ReadBarrieredDebugEnvironmentProxy, + MissingEnvironmentKey, + RuntimeAllocPolicy> MissingEnvironmentMap; + MissingEnvironmentMap missingEnvs; + + /* + * The map from environment objects of live frames to the live frame. This + * map updated lazily whenever the debugger needs the information. In + * between two lazy updates, liveEnvs becomes incomplete (but not invalid, + * onPop* removes environments as they are popped). Thus, two consecutive + * debugger lazy updates of liveEnvs need only fill in the new + * environments. + */ + typedef GCHashMap<ReadBarriered<JSObject*>, + LiveEnvironmentVal, + MovableCellHasher<ReadBarriered<JSObject*>>, + RuntimeAllocPolicy> LiveEnvironmentMap; + LiveEnvironmentMap liveEnvs; + + public: + explicit DebugEnvironments(JSContext* cx); + ~DebugEnvironments(); + + private: + bool init(); + + static DebugEnvironments* ensureCompartmentData(JSContext* cx); + + template <typename Environment, typename Scope> + static void onPopGeneric(JSContext* cx, const EnvironmentIter& ei); + + public: + void mark(JSTracer* trc); + void sweep(JSRuntime* rt); + void finish(); +#ifdef JS_GC_ZEAL + void checkHashTablesAfterMovingGC(JSRuntime* rt); +#endif + + // If a live frame has a synthesized entry in missingEnvs, make sure it's not + // collected. + void markLiveFrame(JSTracer* trc, AbstractFramePtr frame); + + static DebugEnvironmentProxy* hasDebugEnvironment(JSContext* cx, EnvironmentObject& env); + static bool addDebugEnvironment(JSContext* cx, Handle<EnvironmentObject*> env, + Handle<DebugEnvironmentProxy*> debugEnv); + + static DebugEnvironmentProxy* hasDebugEnvironment(JSContext* cx, const EnvironmentIter& ei); + static bool addDebugEnvironment(JSContext* cx, const EnvironmentIter& ei, + Handle<DebugEnvironmentProxy*> debugEnv); + + static bool updateLiveEnvironments(JSContext* cx); + static LiveEnvironmentVal* hasLiveEnvironment(EnvironmentObject& env); + static void unsetPrevUpToDateUntil(JSContext* cx, AbstractFramePtr frame); + + // When a frame bails out from Ion to Baseline, there might be missing + // envs keyed on, and live envs containing, the old + // RematerializedFrame. Forward those values to the new BaselineFrame. + static void forwardLiveFrame(JSContext* cx, AbstractFramePtr from, AbstractFramePtr to); + + // When an environment is popped, we store a snapshot of its bindings that + // live on the frame. + // + // This is done during frame unwinding, which cannot handle errors + // gracefully. Errors result in no snapshot being set on the + // DebugEnvironmentProxy. + static void takeFrameSnapshot(JSContext* cx, Handle<DebugEnvironmentProxy*> debugEnv, + AbstractFramePtr frame); + + // In debug-mode, these must be called whenever exiting a scope that might + // have stack-allocated locals. + static void onPopCall(JSContext* cx, AbstractFramePtr frame); + static void onPopVar(JSContext* cx, const EnvironmentIter& ei); + static void onPopVar(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc); + static void onPopLexical(JSContext* cx, const EnvironmentIter& ei); + static void onPopLexical(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc); + static void onPopWith(AbstractFramePtr frame); + static void onCompartmentUnsetIsDebuggee(JSCompartment* c); +}; + +} /* namespace js */ + +template <> +inline bool +JSObject::is<js::EnvironmentObject>() const +{ + return is<js::CallObject>() || + is<js::VarEnvironmentObject>() || + is<js::ModuleEnvironmentObject>() || + is<js::LexicalEnvironmentObject>() || + is<js::WithEnvironmentObject>() || + is<js::NonSyntacticVariablesObject>() || + is<js::RuntimeLexicalErrorObject>(); +} + +template<> +bool +JSObject::is<js::DebugEnvironmentProxy>() const; + +namespace js { + +inline bool +IsSyntacticEnvironment(JSObject* env) +{ + if (!env->is<EnvironmentObject>()) + return false; + + if (env->is<WithEnvironmentObject>()) + return env->as<WithEnvironmentObject>().isSyntactic(); + + if (env->is<LexicalEnvironmentObject>()) + return env->as<LexicalEnvironmentObject>().isSyntactic(); + + if (env->is<NonSyntacticVariablesObject>()) + return false; + + return true; +} + +inline bool +IsExtensibleLexicalEnvironment(JSObject* env) +{ + return env->is<LexicalEnvironmentObject>() && + env->as<LexicalEnvironmentObject>().isExtensible(); +} + +inline bool +IsGlobalLexicalEnvironment(JSObject* env) +{ + return env->is<LexicalEnvironmentObject>() && + env->as<LexicalEnvironmentObject>().isGlobal(); +} + +template <typename SpecificEnvironment> +inline bool +IsFrameInitialEnvironment(AbstractFramePtr frame, SpecificEnvironment& env) +{ + // A frame's initial environment is the innermost environment + // corresponding to the scope chain from frame.script()->bodyScope() to + // frame.script()->outermostScope(). This environment must be on the chain + // for the frame to be considered initialized. That is, it must be on the + // chain for the environment chain to fully match the scope chain at the + // start of execution in the frame. + // + // This logic must be in sync with the HAS_INITIAL_ENV logic in + // InitFromBailout. + + // A function frame's CallObject, if present, is always the initial + // environment. + if (mozilla::IsSame<SpecificEnvironment, CallObject>::value) + return true; + + // For an eval frame, the VarEnvironmentObject, if present, is always the + // initial environment. + if (mozilla::IsSame<SpecificEnvironment, VarEnvironmentObject>::value && + frame.isEvalFrame()) + { + return true; + } + + // For named lambda frames without CallObjects (i.e., no binding in the + // body of the function was closed over), the LexicalEnvironmentObject + // corresponding to the named lambda scope is the initial environment. + if (mozilla::IsSame<SpecificEnvironment, NamedLambdaObject>::value && + frame.isFunctionFrame() && + frame.callee()->needsNamedLambdaEnvironment() && + !frame.callee()->needsCallObject()) + { + LexicalScope* namedLambdaScope = frame.script()->maybeNamedLambdaScope(); + return &env.template as<LexicalEnvironmentObject>().scope() == namedLambdaScope; + } + + return false; +} + +extern bool +CreateObjectsForEnvironmentChain(JSContext* cx, AutoObjectVector& chain, + HandleObject terminatingEnv, + MutableHandleObject envObj); + +ModuleEnvironmentObject* GetModuleEnvironmentForScript(JSScript* script); + +MOZ_MUST_USE bool +GetThisValueForDebuggerMaybeOptimizedOut(JSContext* cx, AbstractFramePtr frame, + jsbytecode* pc, MutableHandleValue res); + +MOZ_MUST_USE bool +CheckVarNameConflict(JSContext* cx, Handle<LexicalEnvironmentObject*> lexicalEnv, + HandlePropertyName name); + +MOZ_MUST_USE bool +CheckCanDeclareGlobalBinding(JSContext* cx, Handle<GlobalObject*> global, + HandlePropertyName name, bool isFunction); + +MOZ_MUST_USE bool +CheckLexicalNameConflict(JSContext* cx, Handle<LexicalEnvironmentObject*> lexicalEnv, + HandleObject varObj, HandlePropertyName name); + +MOZ_MUST_USE bool +CheckGlobalDeclarationConflicts(JSContext* cx, HandleScript script, + Handle<LexicalEnvironmentObject*> lexicalEnv, + HandleObject varObj); + +MOZ_MUST_USE bool +CheckEvalDeclarationConflicts(JSContext* cx, HandleScript script, HandleObject envChain, + HandleObject varObj); + +MOZ_MUST_USE bool +InitFunctionEnvironmentObjects(JSContext* cx, AbstractFramePtr frame); + +MOZ_MUST_USE bool +PushVarEnvironmentObject(JSContext* cx, HandleScope scope, AbstractFramePtr frame); + +#ifdef DEBUG +bool +AnalyzeEntrainedVariables(JSContext* cx, HandleScript script); +#endif + +} // namespace js + +namespace JS { + +template <> +struct DeletePolicy<js::DebugEnvironments> : public js::GCManagedDeletePolicy<js::DebugEnvironments> +{}; + +} // namespace JS + +#endif /* vm_EnvironmentObject_h */ |