/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
 * vim: set ts=8 sts=4 et sw=4 tw=99:
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "vm/EnvironmentObject-inl.h"

#include "mozilla/PodOperations.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/SizePrintfMacros.h"

#include "jscompartment.h"
#include "jsiter.h"

#include "builtin/ModuleObject.h"
#include "frontend/ParseNode.h"
#include "gc/Policy.h"
#include "vm/ArgumentsObject.h"
#include "vm/AsyncFunction.h"
#include "vm/GlobalObject.h"
#include "vm/ProxyObject.h"
#include "vm/Shape.h"
#include "vm/Xdr.h"

#include "jsatominlines.h"
#include "jsobjinlines.h"
#include "jsscriptinlines.h"

#include "vm/Stack-inl.h"

using namespace js;
using namespace js::gc;

using mozilla::PodZero;
using mozilla::Maybe;
using mozilla::Some;
using mozilla::Nothing;
using mozilla::MakeScopeExit;

typedef Rooted<ArgumentsObject*> RootedArgumentsObject;
typedef MutableHandle<ArgumentsObject*> MutableHandleArgumentsObject;


/*****************************************************************************/

Shape*
js::EnvironmentCoordinateToEnvironmentShape(JSScript* script, jsbytecode* pc)
{
    MOZ_ASSERT(JOF_OPTYPE(JSOp(*pc)) == JOF_ENVCOORD);
    ScopeIter si(script->innermostScope(pc));
    uint32_t hops = EnvironmentCoordinate(pc).hops();
    while (true) {
        MOZ_ASSERT(!si.done());
        if (si.hasSyntacticEnvironment()) {
            if (!hops)
                break;
            hops--;
        }
        si++;
    }
    return si.environmentShape();
}

static const uint32_t ENV_COORDINATE_NAME_THRESHOLD = 20;

void
EnvironmentCoordinateNameCache::purge()
{
    shape = nullptr;
    if (map.initialized())
        map.finish();
}

PropertyName*
js::EnvironmentCoordinateName(EnvironmentCoordinateNameCache& cache, JSScript* script,
                              jsbytecode* pc)
{
    Shape* shape = EnvironmentCoordinateToEnvironmentShape(script, pc);
    if (shape != cache.shape && shape->slot() >= ENV_COORDINATE_NAME_THRESHOLD) {
        cache.purge();
        if (cache.map.init(shape->slot())) {
            cache.shape = shape;
            Shape::Range<NoGC> r(shape);
            while (!r.empty()) {
                if (!cache.map.putNew(r.front().slot(), r.front().propid())) {
                    cache.purge();
                    break;
                }
                r.popFront();
            }
        }
    }

    jsid id;
    EnvironmentCoordinate ec(pc);
    if (shape == cache.shape) {
        EnvironmentCoordinateNameCache::Map::Ptr p = cache.map.lookup(ec.slot());
        id = p->value();
    } else {
        Shape::Range<NoGC> r(shape);
        while (r.front().slot() != ec.slot())
            r.popFront();
        id = r.front().propidRaw();
    }

    /* Beware nameless destructuring formal. */
    if (!JSID_IS_ATOM(id))
        return script->runtimeFromAnyThread()->commonNames->empty;
    return JSID_TO_ATOM(id)->asPropertyName();
}

JSScript*
js::EnvironmentCoordinateFunctionScript(JSScript* script, jsbytecode* pc)
{
    MOZ_ASSERT(JOF_OPTYPE(JSOp(*pc)) == JOF_ENVCOORD);
    ScopeIter si(script->innermostScope(pc));
    uint32_t hops = EnvironmentCoordinate(pc).hops();
    while (true) {
        if (si.hasSyntacticEnvironment()) {
            if (!hops)
                break;
            hops--;
        }
        si++;
    }
    if (si.kind() != ScopeKind::Function)
        return nullptr;
    return si.scope()->as<FunctionScope>().script();
}

/*****************************************************************************/

CallObject*
CallObject::create(JSContext* cx, HandleShape shape, HandleObjectGroup group)
{
    MOZ_ASSERT(!group->singleton(),
               "passed a singleton group to create() (use createSingleton() "
               "instead)");

    gc::AllocKind kind = gc::GetGCObjectKind(shape->numFixedSlots());
    MOZ_ASSERT(CanBeFinalizedInBackground(kind, &CallObject::class_));
    kind = gc::GetBackgroundAllocKind(kind);

    JSObject* obj = JSObject::create(cx, kind, gc::DefaultHeap, shape, group);
    if (!obj)
        return nullptr;

    return &obj->as<CallObject>();
}

CallObject*
CallObject::createSingleton(JSContext* cx, HandleShape shape)
{
    gc::AllocKind kind = gc::GetGCObjectKind(shape->numFixedSlots());
    MOZ_ASSERT(CanBeFinalizedInBackground(kind, &CallObject::class_));
    kind = gc::GetBackgroundAllocKind(kind);

    RootedObjectGroup group(cx, ObjectGroup::lazySingletonGroup(cx, &class_, TaggedProto(nullptr)));
    if (!group)
        return nullptr;
    RootedObject obj(cx, JSObject::create(cx, kind, gc::TenuredHeap, shape, group));
    if (!obj)
        return nullptr;

    MOZ_ASSERT(obj->isSingleton(),
               "group created inline above must be a singleton");

    return &obj->as<CallObject>();
}

/*
 * Create a CallObject for a JSScript that is not initialized to any particular
 * callsite. This object can either be initialized (with an enclosing scope and
 * callee) or used as a template for jit compilation.
 */
CallObject*
CallObject::createTemplateObject(JSContext* cx, HandleScript script, HandleObject enclosing,
                                 gc::InitialHeap heap)
{
    Rooted<FunctionScope*> scope(cx, &script->bodyScope()->as<FunctionScope>());
    RootedShape shape(cx, scope->environmentShape());
    MOZ_ASSERT(shape->getObjectClass() == &class_);

    RootedObjectGroup group(cx, ObjectGroup::defaultNewGroup(cx, &class_, TaggedProto(nullptr)));
    if (!group)
        return nullptr;

    gc::AllocKind kind = gc::GetGCObjectKind(shape->numFixedSlots());
    MOZ_ASSERT(CanBeFinalizedInBackground(kind, &class_));
    kind = gc::GetBackgroundAllocKind(kind);

    JSObject* obj = JSObject::create(cx, kind, heap, shape, group);
    if (!obj)
        return nullptr;

    CallObject* callObj = &obj->as<CallObject>();
    callObj->initEnclosingEnvironment(enclosing);

    if (scope->hasParameterExprs()) {
        // If there are parameter expressions, all parameters are lexical and
        // have TDZ.
        for (BindingIter bi(script->bodyScope()); bi; bi++) {
            BindingLocation loc = bi.location();
            if (loc.kind() == BindingLocation::Kind::Environment && BindingKindIsLexical(bi.kind()))
                callObj->initSlot(loc.slot(), MagicValue(JS_UNINITIALIZED_LEXICAL));
        }
    }

    return callObj;
}

/*
 * Construct a call object for the given bindings.  If this is a call object
 * for a function invocation, callee should be the function being called.
 * Otherwise it must be a call object for eval of strict mode code, and callee
 * must be null.
 */
CallObject*
CallObject::create(JSContext* cx, HandleFunction callee, HandleObject enclosing)
{
    RootedScript script(cx, callee->nonLazyScript());
    gc::InitialHeap heap = script->treatAsRunOnce() ? gc::TenuredHeap : gc::DefaultHeap;
    CallObject* callobj = CallObject::createTemplateObject(cx, script, enclosing, heap);
    if (!callobj)
        return nullptr;

    callobj->initFixedSlot(CALLEE_SLOT, ObjectValue(*callee));

    if (script->treatAsRunOnce()) {
        Rooted<CallObject*> ncallobj(cx, callobj);
        if (!JSObject::setSingleton(cx, ncallobj))
            return nullptr;
        return ncallobj;
    }

    return callobj;
}

CallObject*
CallObject::create(JSContext* cx, AbstractFramePtr frame)
{
    MOZ_ASSERT(frame.isFunctionFrame());
    assertSameCompartment(cx, frame);

    RootedObject envChain(cx, frame.environmentChain());
    RootedFunction callee(cx, frame.callee());

    CallObject* callobj = create(cx, callee, envChain);
    if (!callobj)
        return nullptr;

    if (!frame.script()->bodyScope()->as<FunctionScope>().hasParameterExprs()) {
        // If there are no defaults, copy the aliased arguments into the call
        // object manually. If there are defaults, bytecode is generated to do
        // the copying.

        for (PositionalFormalParameterIter fi(frame.script()); fi; fi++) {
            if (!fi.closedOver())
                continue;
            callobj->setAliasedBinding(cx, fi, frame.unaliasedFormal(fi.argumentSlot(),
                                                                     DONT_CHECK_ALIASING));
        }
    }

    return callobj;
}

CallObject*
CallObject::createHollowForDebug(JSContext* cx, HandleFunction callee)
{
    MOZ_ASSERT(!callee->needsCallObject());

    RootedScript script(cx, callee->nonLazyScript());
    Rooted<FunctionScope*> scope(cx, &script->bodyScope()->as<FunctionScope>());
    RootedShape shape(cx, FunctionScope::getEmptyEnvironmentShape(cx, scope->hasParameterExprs()));
    if (!shape)
        return nullptr;
    RootedObjectGroup group(cx, ObjectGroup::defaultNewGroup(cx, &class_, TaggedProto(nullptr)));
    if (!group)
        return nullptr;
    Rooted<CallObject*> callobj(cx, create(cx, shape, group));
    if (!callobj)
        return nullptr;

    // This environment's enclosing link is never used: the
    // DebugEnvironmentProxy that refers to this scope carries its own
    // enclosing link, which is what Debugger uses to construct the tree of
    // Debugger.Environment objects.
    callobj->initEnclosingEnvironment(&cx->global()->lexicalEnvironment());
    callobj->initFixedSlot(CALLEE_SLOT, ObjectValue(*callee));

    RootedValue optimizedOut(cx, MagicValue(JS_OPTIMIZED_OUT));
    RootedId id(cx);
    for (Rooted<BindingIter> bi(cx, BindingIter(script)); bi; bi++) {
        id = NameToId(bi.name()->asPropertyName());
        if (!SetProperty(cx, callobj, id, optimizedOut))
            return nullptr;
    }

    return callobj;
}

const Class CallObject::class_ = {
    "Call",
    JSCLASS_IS_ANONYMOUS | JSCLASS_HAS_RESERVED_SLOTS(CallObject::RESERVED_SLOTS)
};

/*****************************************************************************/

/* static */ VarEnvironmentObject*
VarEnvironmentObject::create(JSContext* cx, HandleShape shape, HandleObject enclosing,
                             gc::InitialHeap heap)
{
    MOZ_ASSERT(shape->getObjectClass() == &class_);

    RootedObjectGroup group(cx, ObjectGroup::defaultNewGroup(cx, &class_, TaggedProto(nullptr)));
    if (!group)
        return nullptr;

    gc::AllocKind kind = gc::GetGCObjectKind(shape->numFixedSlots());
    MOZ_ASSERT(CanBeFinalizedInBackground(kind, &class_));
    kind = gc::GetBackgroundAllocKind(kind);

    NativeObject* obj = MaybeNativeObject(JSObject::create(cx, kind, heap, shape, group));
    if (!obj)
        return nullptr;

    MOZ_ASSERT(!obj->inDictionaryMode());
    MOZ_ASSERT(obj->isDelegate());

    VarEnvironmentObject* env = &obj->as<VarEnvironmentObject>();
    env->initEnclosingEnvironment(enclosing);

    return env;
}

/* static */ VarEnvironmentObject*
VarEnvironmentObject::create(JSContext* cx, HandleScope scope, AbstractFramePtr frame)
{
#ifdef DEBUG
    if (frame.isEvalFrame()) {
        MOZ_ASSERT(scope->is<EvalScope>() && scope == frame.script()->bodyScope());
        MOZ_ASSERT_IF(frame.isInterpreterFrame(),
                      cx->interpreterFrame() == frame.asInterpreterFrame());
        MOZ_ASSERT_IF(frame.isInterpreterFrame(),
                      cx->interpreterRegs().pc == frame.script()->code());
    } else {
        MOZ_ASSERT(frame.environmentChain());
        MOZ_ASSERT_IF(frame.callee()->needsCallObject(),
                      &frame.environmentChain()->as<CallObject>().callee() == frame.callee());
    }
#endif

    RootedScript script(cx, frame.script());
    RootedObject envChain(cx, frame.environmentChain());
    gc::InitialHeap heap = script->treatAsRunOnce() ? gc::TenuredHeap : gc::DefaultHeap;
    RootedShape shape(cx, scope->environmentShape());
    VarEnvironmentObject* env = create(cx, shape, envChain, heap);
    if (!env)
        return nullptr;
    env->initScope(scope);
    return env;
}

/* static */ VarEnvironmentObject*
VarEnvironmentObject::createHollowForDebug(JSContext* cx, Handle<VarScope*> scope)
{
    MOZ_ASSERT(!scope->hasEnvironment());

    RootedShape shape(cx, VarScope::getEmptyEnvironmentShape(cx));
    if (!shape)
        return nullptr;

    // This environment's enclosing link is never used: the
    // DebugEnvironmentProxy that refers to this scope carries its own
    // enclosing link, which is what Debugger uses to construct the tree of
    // Debugger.Environment objects.
    RootedObject enclosingEnv(cx, &cx->global()->lexicalEnvironment());
    Rooted<VarEnvironmentObject*> env(cx, create(cx, shape, enclosingEnv, gc::TenuredHeap));
    if (!env)
        return nullptr;

    RootedValue optimizedOut(cx, MagicValue(JS_OPTIMIZED_OUT));
    RootedId id(cx);
    for (Rooted<BindingIter> bi(cx, BindingIter(scope)); bi; bi++) {
        id = NameToId(bi.name()->asPropertyName());
        if (!SetProperty(cx, env, id, optimizedOut))
            return nullptr;
    }

    env->initScope(scope);
    return env;
}

const Class VarEnvironmentObject::class_ = {
    "Var",
    JSCLASS_IS_ANONYMOUS | JSCLASS_HAS_RESERVED_SLOTS(VarEnvironmentObject::RESERVED_SLOTS)
};

/*****************************************************************************/

const ObjectOps ModuleEnvironmentObject::objectOps_ = {
    ModuleEnvironmentObject::lookupProperty,
    nullptr,                                             /* defineProperty */
    ModuleEnvironmentObject::hasProperty,
    ModuleEnvironmentObject::getProperty,
    ModuleEnvironmentObject::setProperty,
    ModuleEnvironmentObject::getOwnPropertyDescriptor,
    ModuleEnvironmentObject::deleteProperty,
    nullptr, nullptr,                                    /* watch/unwatch */
    nullptr,                                             /* getElements */
    ModuleEnvironmentObject::enumerate,
    nullptr
};

const Class ModuleEnvironmentObject::class_ = {
    "ModuleEnvironmentObject",
    JSCLASS_HAS_RESERVED_SLOTS(ModuleEnvironmentObject::RESERVED_SLOTS) |
    JSCLASS_IS_ANONYMOUS,
    JS_NULL_CLASS_OPS,
    JS_NULL_CLASS_SPEC,
    JS_NULL_CLASS_EXT,
    &ModuleEnvironmentObject::objectOps_
};

/* static */ ModuleEnvironmentObject*
ModuleEnvironmentObject::create(ExclusiveContext* cx, HandleModuleObject module)
{
    RootedScript script(cx, module->script());
    RootedShape shape(cx, script->bodyScope()->as<ModuleScope>().environmentShape());
    MOZ_ASSERT(shape->getObjectClass() == &class_);

    RootedObjectGroup group(cx, ObjectGroup::defaultNewGroup(cx, &class_, TaggedProto(nullptr)));
    if (!group)
        return nullptr;

    gc::AllocKind kind = gc::GetGCObjectKind(shape->numFixedSlots());
    MOZ_ASSERT(CanBeFinalizedInBackground(kind, &class_));
    kind = gc::GetBackgroundAllocKind(kind);

    JSObject* obj = JSObject::create(cx, kind, TenuredHeap, shape, group);
    if (!obj)
        return nullptr;

    RootedModuleEnvironmentObject env(cx, &obj->as<ModuleEnvironmentObject>());

    env->initReservedSlot(MODULE_SLOT, ObjectValue(*module));
    if (!JSObject::setSingleton(cx, env))
        return nullptr;

    // Initialize this early so that we can manipulate the env object without
    // causing assertions.
    env->initEnclosingEnvironment(&cx->global()->lexicalEnvironment());

    // Initialize all lexical bindings and imports as uninitialized. Imports
    // get uninitialized because they have a special TDZ for cyclic imports.
    for (BindingIter bi(script); bi; bi++) {
        BindingLocation loc = bi.location();
        if (loc.kind() == BindingLocation::Kind::Environment && BindingKindIsLexical(bi.kind()))
            env->initSlot(loc.slot(), MagicValue(JS_UNINITIALIZED_LEXICAL));
    }

    // It is not be possible to add or remove bindings from a module environment
    // after this point as module code is always strict.
#ifdef DEBUG
    for (Shape::Range<NoGC> r(env->lastProperty()); !r.empty(); r.popFront())
        MOZ_ASSERT(!r.front().configurable());
    MOZ_ASSERT(env->lastProperty()->getObjectFlags() & BaseShape::NOT_EXTENSIBLE);
    MOZ_ASSERT(!env->inDictionaryMode());
#endif

    return env;
}

ModuleObject&
ModuleEnvironmentObject::module()
{
    return getReservedSlot(MODULE_SLOT).toObject().as<ModuleObject>();
}

IndirectBindingMap&
ModuleEnvironmentObject::importBindings()
{
    return module().importBindings();
}

bool
ModuleEnvironmentObject::createImportBinding(JSContext* cx, HandleAtom importName,
                                             HandleModuleObject module, HandleAtom localName)
{
    RootedId importNameId(cx, AtomToId(importName));
    RootedId localNameId(cx, AtomToId(localName));
    RootedModuleEnvironmentObject env(cx, module->environment());
    if (!importBindings().putNew(cx, importNameId, env, localNameId)) {
        ReportOutOfMemory(cx);
        return false;
    }

    return true;
}

bool
ModuleEnvironmentObject::hasImportBinding(HandlePropertyName name)
{
    return importBindings().has(NameToId(name));
}

bool
ModuleEnvironmentObject::lookupImport(jsid name, ModuleEnvironmentObject** envOut, Shape** shapeOut)
{
    return importBindings().lookup(name, envOut, shapeOut);
}

void
ModuleEnvironmentObject::fixEnclosingEnvironmentAfterCompartmentMerge(GlobalObject& global)
{
    setEnclosingEnvironment(&global.lexicalEnvironment());
}

/* static */ bool
ModuleEnvironmentObject::lookupProperty(JSContext* cx, HandleObject obj, HandleId id,
                                        MutableHandleObject objp, MutableHandleShape propp)
{
    const IndirectBindingMap& bindings = obj->as<ModuleEnvironmentObject>().importBindings();
    Shape* shape;
    ModuleEnvironmentObject* env;
    if (bindings.lookup(id, &env, &shape)) {
        objp.set(env);
        propp.set(shape);
        return true;
    }

    RootedNativeObject target(cx, &obj->as<NativeObject>());
    if (!NativeLookupOwnProperty<CanGC>(cx, target, id, propp))
        return false;

    objp.set(obj);
    return true;
}

/* static */ bool
ModuleEnvironmentObject::hasProperty(JSContext* cx, HandleObject obj, HandleId id, bool* foundp)
{
    if (obj->as<ModuleEnvironmentObject>().importBindings().has(id)) {
        *foundp = true;
        return true;
    }

    RootedNativeObject self(cx, &obj->as<NativeObject>());
    return NativeHasProperty(cx, self, id, foundp);
}

/* static */ bool
ModuleEnvironmentObject::getProperty(JSContext* cx, HandleObject obj, HandleValue receiver,
                                     HandleId id, MutableHandleValue vp)
{
    const IndirectBindingMap& bindings = obj->as<ModuleEnvironmentObject>().importBindings();
    Shape* shape;
    ModuleEnvironmentObject* env;
    if (bindings.lookup(id, &env, &shape)) {
        vp.set(env->getSlot(shape->slot()));
        return true;
    }

    RootedNativeObject self(cx, &obj->as<NativeObject>());
    return NativeGetProperty(cx, self, receiver, id, vp);
}

/* static */ bool
ModuleEnvironmentObject::setProperty(JSContext* cx, HandleObject obj, HandleId id, HandleValue v,
                                     HandleValue receiver, JS::ObjectOpResult& result)
{
    RootedModuleEnvironmentObject self(cx, &obj->as<ModuleEnvironmentObject>());
    if (self->importBindings().has(id))
        return result.failReadOnly();

    return NativeSetProperty(cx, self, id, v, receiver, Qualified, result);
}

/* static */ bool
ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext* cx, HandleObject obj, HandleId id,
                                                  MutableHandle<PropertyDescriptor> desc)
{
    const IndirectBindingMap& bindings = obj->as<ModuleEnvironmentObject>().importBindings();
    Shape* shape;
    ModuleEnvironmentObject* env;
    if (bindings.lookup(id, &env, &shape)) {
        desc.setAttributes(JSPROP_ENUMERATE | JSPROP_PERMANENT);
        desc.object().set(obj);
        RootedValue value(cx, env->getSlot(shape->slot()));
        desc.setValue(value);
        desc.assertComplete();
        return true;
    }

    RootedNativeObject self(cx, &obj->as<NativeObject>());
    return NativeGetOwnPropertyDescriptor(cx, self, id, desc);
}

/* static */ bool
ModuleEnvironmentObject::deleteProperty(JSContext* cx, HandleObject obj, HandleId id,
                                        ObjectOpResult& result)
{
    return result.failCantDelete();
}

/* static */ bool
ModuleEnvironmentObject::enumerate(JSContext* cx, HandleObject obj, AutoIdVector& properties,
                                   bool enumerableOnly)
{
    RootedModuleEnvironmentObject self(cx, &obj->as<ModuleEnvironmentObject>());
    const IndirectBindingMap& bs(self->importBindings());

    MOZ_ASSERT(properties.length() == 0);
    size_t count = bs.count() + self->slotSpan() - RESERVED_SLOTS;
    if (!properties.reserve(count)) {
        ReportOutOfMemory(cx);
        return false;
    }

    bs.forEachExportedName([&] (jsid name) {
        properties.infallibleAppend(name);
    });

    for (Shape::Range<NoGC> r(self->lastProperty()); !r.empty(); r.popFront())
        properties.infallibleAppend(r.front().propid());

    MOZ_ASSERT(properties.length() == count);
    return true;
}

/*****************************************************************************/

WithEnvironmentObject*
WithEnvironmentObject::create(JSContext* cx, HandleObject object, HandleObject enclosing,
                              Handle<WithScope*> scope)
{
    Rooted<WithEnvironmentObject*> obj(cx);
    obj = NewObjectWithNullTaggedProto<WithEnvironmentObject>(cx, GenericObject,
                                                              BaseShape::DELEGATE);
    if (!obj)
        return nullptr;

    Value thisv = GetThisValue(object);

    obj->initEnclosingEnvironment(enclosing);
    obj->initReservedSlot(OBJECT_SLOT, ObjectValue(*object));
    obj->initReservedSlot(THIS_SLOT, thisv);
    if (scope)
        obj->initReservedSlot(SCOPE_SLOT, PrivateGCThingValue(scope));
    else
        obj->initReservedSlot(SCOPE_SLOT, NullValue());

    return obj;
}

WithEnvironmentObject*
WithEnvironmentObject::createNonSyntactic(JSContext* cx, HandleObject object,
                                          HandleObject enclosing)
{
    return create(cx, object, enclosing, nullptr);
}

static inline bool
IsUnscopableDotName(JSContext* cx, HandleId id)
{
    return JSID_IS_ATOM(id, cx->names().dotThis) || JSID_IS_ATOM(id, cx->names().dotGenerator);
}

/* Implements ES6 8.1.1.2.1 HasBinding steps 7-9. */
static bool
CheckUnscopables(JSContext *cx, HandleObject obj, HandleId id, bool *scopable)
{
    RootedId unscopablesId(cx, SYMBOL_TO_JSID(cx->wellKnownSymbols()
                                                .get(JS::SymbolCode::unscopables)));
    RootedValue v(cx);
    if (!GetProperty(cx, obj, obj, unscopablesId, &v))
        return false;
    if (v.isObject()) {
        RootedObject unscopablesObj(cx, &v.toObject());
        if (!GetProperty(cx, unscopablesObj, unscopablesObj, id, &v))
            return false;
        *scopable = !ToBoolean(v);
    } else {
        *scopable = true;
    }
    return true;
}

static bool
with_LookupProperty(JSContext* cx, HandleObject obj, HandleId id,
                    MutableHandleObject objp, MutableHandleShape propp)
{
    // SpiderMonkey-specific: consider internal '.generator' and '.this' names
    // to be unscopable.
    if (IsUnscopableDotName(cx, id)) {
        objp.set(nullptr);
        propp.set(nullptr);
        return true;
    }

    RootedObject actual(cx, &obj->as<WithEnvironmentObject>().object());
    if (!LookupProperty(cx, actual, id, objp, propp))
        return false;

    if (propp) {
        bool scopable;
        if (!CheckUnscopables(cx, actual, id, &scopable))
            return false;
        if (!scopable) {
            objp.set(nullptr);
            propp.set(nullptr);
        }
    }
    return true;
}

static bool
with_DefineProperty(JSContext* cx, HandleObject obj, HandleId id, Handle<PropertyDescriptor> desc,
                    ObjectOpResult& result)
{
    MOZ_ASSERT(!IsUnscopableDotName(cx, id));
    RootedObject actual(cx, &obj->as<WithEnvironmentObject>().object());
    return DefineProperty(cx, actual, id, desc, result);
}

static bool
with_HasProperty(JSContext* cx, HandleObject obj, HandleId id, bool* foundp)
{
    MOZ_ASSERT(!IsUnscopableDotName(cx, id));
    RootedObject actual(cx, &obj->as<WithEnvironmentObject>().object());

    // ES 8.1.1.2.1 step 3-5.
    if (!HasProperty(cx, actual, id, foundp))
        return false;
    if (!*foundp)
        return true;

    // Steps 7-10. (Step 6 is a no-op.)
    return CheckUnscopables(cx, actual, id, foundp);
}

static bool
with_GetProperty(JSContext* cx, HandleObject obj, HandleValue receiver, HandleId id,
                 MutableHandleValue vp)
{
    MOZ_ASSERT(!IsUnscopableDotName(cx, id));
    RootedObject actual(cx, &obj->as<WithEnvironmentObject>().object());
    RootedValue actualReceiver(cx, receiver);
    if (receiver.isObject() && &receiver.toObject() == obj)
        actualReceiver.setObject(*actual);
    return GetProperty(cx, actual, actualReceiver, id, vp);
}

static bool
with_SetProperty(JSContext* cx, HandleObject obj, HandleId id, HandleValue v,
                 HandleValue receiver, ObjectOpResult& result)
{
    MOZ_ASSERT(!IsUnscopableDotName(cx, id));
    RootedObject actual(cx, &obj->as<WithEnvironmentObject>().object());
    RootedValue actualReceiver(cx, receiver);
    if (receiver.isObject() && &receiver.toObject() == obj)
        actualReceiver.setObject(*actual);
    return SetProperty(cx, actual, id, v, actualReceiver, result);
}

static bool
with_GetOwnPropertyDescriptor(JSContext* cx, HandleObject obj, HandleId id,
                              MutableHandle<PropertyDescriptor> desc)
{
    MOZ_ASSERT(!IsUnscopableDotName(cx, id));
    RootedObject actual(cx, &obj->as<WithEnvironmentObject>().object());
    return GetOwnPropertyDescriptor(cx, actual, id, desc);
}

static bool
with_DeleteProperty(JSContext* cx, HandleObject obj, HandleId id, ObjectOpResult& result)
{
    MOZ_ASSERT(!IsUnscopableDotName(cx, id));
    RootedObject actual(cx, &obj->as<WithEnvironmentObject>().object());
    return DeleteProperty(cx, actual, id, result);
}

static const ObjectOps WithEnvironmentObjectOps = {
    with_LookupProperty,
    with_DefineProperty,
    with_HasProperty,
    with_GetProperty,
    with_SetProperty,
    with_GetOwnPropertyDescriptor,
    with_DeleteProperty,
    nullptr, nullptr,    /* watch/unwatch */
    nullptr,             /* getElements */
    nullptr,             /* enumerate (native enumeration of target doesn't work) */
    nullptr,
};

const Class WithEnvironmentObject::class_ = {
    "With",
    JSCLASS_HAS_RESERVED_SLOTS(WithEnvironmentObject::RESERVED_SLOTS) |
    JSCLASS_IS_ANONYMOUS,
    JS_NULL_CLASS_OPS,
    JS_NULL_CLASS_SPEC,
    JS_NULL_CLASS_EXT,
    &WithEnvironmentObjectOps
};

/* static */ NonSyntacticVariablesObject*
NonSyntacticVariablesObject::create(JSContext* cx)
{
    Rooted<NonSyntacticVariablesObject*> obj(cx,
        NewObjectWithNullTaggedProto<NonSyntacticVariablesObject>(cx, TenuredObject,
                                                                  BaseShape::DELEGATE));
    if (!obj)
        return nullptr;

    MOZ_ASSERT(obj->isUnqualifiedVarObj());
    if (!JSObject::setQualifiedVarObj(cx, obj))
        return nullptr;

    obj->initEnclosingEnvironment(&cx->global()->lexicalEnvironment());
    return obj;
}

const Class NonSyntacticVariablesObject::class_ = {
    "NonSyntacticVariablesObject",
    JSCLASS_HAS_RESERVED_SLOTS(NonSyntacticVariablesObject::RESERVED_SLOTS) |
    JSCLASS_IS_ANONYMOUS
};

/*****************************************************************************/

/* static */ LexicalEnvironmentObject*
LexicalEnvironmentObject::createTemplateObject(JSContext* cx, HandleShape shape,
                                               HandleObject enclosing, gc::InitialHeap heap)
{
    MOZ_ASSERT(shape->getObjectClass() == &LexicalEnvironmentObject::class_);

    RootedObjectGroup group(cx,
        ObjectGroup::defaultNewGroup(cx, &LexicalEnvironmentObject::class_, TaggedProto(nullptr)));
    if (!group)
        return nullptr;

    gc::AllocKind allocKind = gc::GetGCObjectKind(shape->numFixedSlots());
    MOZ_ASSERT(CanBeFinalizedInBackground(allocKind, &LexicalEnvironmentObject::class_));
    allocKind = GetBackgroundAllocKind(allocKind);
    RootedNativeObject obj(cx,
        MaybeNativeObject(JSObject::create(cx, allocKind, heap, shape, group)));
    if (!obj)
        return nullptr;

    MOZ_ASSERT(!obj->inDictionaryMode());
    MOZ_ASSERT(obj->isDelegate());

    LexicalEnvironmentObject* env = &obj->as<LexicalEnvironmentObject>();
    if (enclosing)
        env->initEnclosingEnvironment(enclosing);

    return env;
}

/* static */ LexicalEnvironmentObject*
LexicalEnvironmentObject::createTemplateObject(JSContext* cx, Handle<LexicalScope*> scope,
                                               HandleObject enclosing, gc::InitialHeap heap)
{
    assertSameCompartment(cx, enclosing);
    MOZ_ASSERT(scope->hasEnvironment());

    RootedShape shape(cx, scope->environmentShape());
    LexicalEnvironmentObject* env = createTemplateObject(cx, shape, enclosing, heap);
    if (!env)
        return nullptr;

    // All lexical bindings start off uninitialized for TDZ.
    uint32_t lastSlot = shape->slot();
    MOZ_ASSERT(lastSlot == env->lastProperty()->slot());
    for (uint32_t slot = JSSLOT_FREE(&class_); slot <= lastSlot; slot++)
        env->initSlot(slot, MagicValue(JS_UNINITIALIZED_LEXICAL));

    env->initScopeUnchecked(scope);
    return env;
}

/* static */ LexicalEnvironmentObject*
LexicalEnvironmentObject::create(JSContext* cx, Handle<LexicalScope*> scope,
                                 AbstractFramePtr frame)
{
    RootedObject enclosing(cx, frame.environmentChain());
    return createTemplateObject(cx, scope, enclosing, gc::DefaultHeap);
}

/* static */ LexicalEnvironmentObject*
LexicalEnvironmentObject::createGlobal(JSContext* cx, Handle<GlobalObject*> global)
{
    MOZ_ASSERT(global);

    RootedShape shape(cx, LexicalScope::getEmptyExtensibleEnvironmentShape(cx));
    if (!shape)
        return nullptr;

    Rooted<LexicalEnvironmentObject*> env(cx,
        LexicalEnvironmentObject::createTemplateObject(cx, shape, global, gc::TenuredHeap));
    if (!env)
        return nullptr;

    if (!JSObject::setSingleton(cx, env))
        return nullptr;

    env->initThisValue(global);
    return env;
}

/* static */ LexicalEnvironmentObject*
LexicalEnvironmentObject::createNonSyntactic(JSContext* cx, HandleObject enclosing)
{
    MOZ_ASSERT(enclosing);
    MOZ_ASSERT(!IsSyntacticEnvironment(enclosing));

    RootedShape shape(cx, LexicalScope::getEmptyExtensibleEnvironmentShape(cx));
    if (!shape)
        return nullptr;

    LexicalEnvironmentObject* env =
        LexicalEnvironmentObject::createTemplateObject(cx, shape, enclosing, gc::TenuredHeap);
    if (!env)
        return nullptr;

    env->initThisValue(enclosing);
    return env;
}

/* static */ LexicalEnvironmentObject*
LexicalEnvironmentObject::createHollowForDebug(JSContext* cx, Handle<LexicalScope*> scope)
{
    MOZ_ASSERT(!scope->hasEnvironment());

    RootedShape shape(cx, LexicalScope::getEmptyExtensibleEnvironmentShape(cx));
    if (!shape)
        return nullptr;

    // This environment's enclosing link is never used: the
    // DebugEnvironmentProxy that refers to this scope carries its own
    // enclosing link, which is what Debugger uses to construct the tree of
    // Debugger.Environment objects.
    RootedObject enclosingEnv(cx, &cx->global()->lexicalEnvironment());
    Rooted<LexicalEnvironmentObject*> env(cx, createTemplateObject(cx, shape, enclosingEnv,
                                                                   gc::TenuredHeap));
    if (!env)
        return nullptr;

    RootedValue optimizedOut(cx, MagicValue(JS_OPTIMIZED_OUT));
    RootedId id(cx);
    for (Rooted<BindingIter> bi(cx, BindingIter(scope)); bi; bi++) {
        id = NameToId(bi.name()->asPropertyName());
        if (!SetProperty(cx, env, id, optimizedOut))
            return nullptr;
    }

    if (!JSObject::setFlags(cx, env, BaseShape::NOT_EXTENSIBLE, JSObject::GENERATE_SHAPE))
        return nullptr;

    env->initScopeUnchecked(scope);
    return env;
}

/* static */ LexicalEnvironmentObject*
LexicalEnvironmentObject::clone(JSContext* cx, Handle<LexicalEnvironmentObject*> env)
{
    Rooted<LexicalScope*> scope(cx, &env->scope());
    RootedObject enclosing(cx, &env->enclosingEnvironment());
    Rooted<LexicalEnvironmentObject*> copy(cx, createTemplateObject(cx, scope, enclosing,
                                                                    gc::TenuredHeap));
    if (!copy)
        return nullptr;

    // We can't assert that the clone has the same shape, because it could
    // have been reshaped by PurgeEnvironmentChain.
    MOZ_ASSERT(env->slotSpan() == copy->slotSpan());
    for (uint32_t i = JSSLOT_FREE(&class_); i < copy->slotSpan(); i++)
        copy->setSlot(i, env->getSlot(i));

    return copy;
}

/* static */ LexicalEnvironmentObject*
LexicalEnvironmentObject::recreate(JSContext* cx, Handle<LexicalEnvironmentObject*> env)
{
    Rooted<LexicalScope*> scope(cx, &env->scope());
    RootedObject enclosing(cx, &env->enclosingEnvironment());
    return createTemplateObject(cx, scope, enclosing, gc::TenuredHeap);
}

bool
LexicalEnvironmentObject::isExtensible() const
{
    return nonProxyIsExtensible();
}

Value
LexicalEnvironmentObject::thisValue() const
{
    MOZ_ASSERT(isExtensible());
    Value v = getReservedSlot(THIS_VALUE_OR_SCOPE_SLOT);
    if (v.isObject()) {
        // If `v` is a Window, return the WindowProxy instead. We called
        // GetThisValue (which also does ToWindowProxyIfWindow) when storing
        // the value in THIS_VALUE_OR_SCOPE_SLOT, but it's possible the
        // WindowProxy was attached to the global *after* we set
        // THIS_VALUE_OR_SCOPE_SLOT.
        return ObjectValue(*ToWindowProxyIfWindow(&v.toObject()));
    }
    return v;
}

const Class LexicalEnvironmentObject::class_ = {
    "LexicalEnvironment",
    JSCLASS_HAS_RESERVED_SLOTS(LexicalEnvironmentObject::RESERVED_SLOTS) |
    JSCLASS_IS_ANONYMOUS,
    JS_NULL_CLASS_OPS,
    JS_NULL_CLASS_SPEC,
    JS_NULL_CLASS_EXT,
    JS_NULL_OBJECT_OPS
};

/* static */ NamedLambdaObject*
NamedLambdaObject::create(JSContext* cx, HandleFunction callee,
                          HandleFunction func,
                          HandleObject enclosing,
                          gc::InitialHeap heap)
{
    MOZ_ASSERT(callee->isNamedLambda());
    RootedScope scope(cx, callee->nonLazyScript()->maybeNamedLambdaScope());
    MOZ_ASSERT(scope && scope->environmentShape());
    MOZ_ASSERT(scope->environmentShape()->slot() == lambdaSlot());
    MOZ_ASSERT(!scope->environmentShape()->writable());

#ifdef DEBUG
    // There should be exactly one binding in the named lambda scope.
    BindingIter bi(scope);
    bi++;
    MOZ_ASSERT(bi.done());
#endif

    LexicalEnvironmentObject* obj =
        LexicalEnvironmentObject::createTemplateObject(cx, scope.as<LexicalScope>(),
                                                       enclosing, heap);
    if (!obj)
        return nullptr;

    obj->initFixedSlot(lambdaSlot(), ObjectValue(*func));
    return static_cast<NamedLambdaObject*>(obj);
}

/* static */ NamedLambdaObject*
NamedLambdaObject::createTemplateObject(JSContext* cx, HandleFunction callee, gc::InitialHeap heap)
{
    return create(cx, callee, callee, nullptr, heap);
}

/* static */ NamedLambdaObject*
NamedLambdaObject::create(JSContext* cx, AbstractFramePtr frame)
{
    RootedFunction fun(cx, frame.callee());
    RootedObject enclosing(cx, frame.environmentChain());
    return create(cx, fun, fun, enclosing, gc::DefaultHeap);
}

/* static */ NamedLambdaObject*
NamedLambdaObject::create(JSContext* cx, AbstractFramePtr frame, HandleFunction replacement)
{
    RootedFunction fun(cx, frame.callee());
    RootedObject enclosing(cx, frame.environmentChain());
    return create(cx, fun, replacement, enclosing, gc::DefaultHeap);
}

/* static */ size_t
NamedLambdaObject::lambdaSlot()
{
    // Named lambda environments have exactly one name.
    return JSSLOT_FREE(&LexicalEnvironmentObject::class_);
}

/* static */ RuntimeLexicalErrorObject*
RuntimeLexicalErrorObject::create(JSContext* cx, HandleObject enclosing, unsigned errorNumber)
{
    RuntimeLexicalErrorObject* obj =
        NewObjectWithNullTaggedProto<RuntimeLexicalErrorObject>(cx, GenericObject,
                                                                BaseShape::DELEGATE);
    if (!obj)
        return nullptr;
    obj->initEnclosingEnvironment(enclosing);
    obj->initReservedSlot(ERROR_SLOT, Int32Value(int32_t(errorNumber)));
    return obj;
}

static void
ReportRuntimeLexicalErrorId(JSContext* cx, unsigned errorNumber, HandleId id)
{
    if (JSID_IS_ATOM(id)) {
        RootedPropertyName name(cx, JSID_TO_ATOM(id)->asPropertyName());
        ReportRuntimeLexicalError(cx, errorNumber, name);
        return;
    }
    MOZ_CRASH("RuntimeLexicalErrorObject should only be used with property names");
}

static bool
lexicalError_LookupProperty(JSContext* cx, HandleObject obj, HandleId id,
                            MutableHandleObject objp, MutableHandleShape propp)
{
    ReportRuntimeLexicalErrorId(cx, obj->as<RuntimeLexicalErrorObject>().errorNumber(), id);
    return false;
}

static bool
lexicalError_HasProperty(JSContext* cx, HandleObject obj, HandleId id, bool* foundp)
{
    ReportRuntimeLexicalErrorId(cx, obj->as<RuntimeLexicalErrorObject>().errorNumber(), id);
    return false;
}

static bool
lexicalError_GetProperty(JSContext* cx, HandleObject obj, HandleValue receiver, HandleId id,
                         MutableHandleValue vp)
{
    ReportRuntimeLexicalErrorId(cx, obj->as<RuntimeLexicalErrorObject>().errorNumber(), id);
    return false;
}

static bool
lexicalError_SetProperty(JSContext* cx, HandleObject obj, HandleId id, HandleValue v,
                         HandleValue receiver, ObjectOpResult& result)
{
    ReportRuntimeLexicalErrorId(cx, obj->as<RuntimeLexicalErrorObject>().errorNumber(), id);
    return false;
}

static bool
lexicalError_GetOwnPropertyDescriptor(JSContext* cx, HandleObject obj, HandleId id,
                                      MutableHandle<PropertyDescriptor> desc)
{
    ReportRuntimeLexicalErrorId(cx, obj->as<RuntimeLexicalErrorObject>().errorNumber(), id);
    return false;
}

static bool
lexicalError_DeleteProperty(JSContext* cx, HandleObject obj, HandleId id, ObjectOpResult& result)
{
    ReportRuntimeLexicalErrorId(cx, obj->as<RuntimeLexicalErrorObject>().errorNumber(), id);
    return false;
}

static const ObjectOps RuntimeLexicalErrorObjectObjectOps = {
    lexicalError_LookupProperty,
    nullptr,             /* defineProperty */
    lexicalError_HasProperty,
    lexicalError_GetProperty,
    lexicalError_SetProperty,
    lexicalError_GetOwnPropertyDescriptor,
    lexicalError_DeleteProperty,
    nullptr, nullptr,    /* watch/unwatch */
    nullptr,             /* getElements */
    nullptr,             /* enumerate (native enumeration of target doesn't work) */
    nullptr,             /* this */
};

const Class RuntimeLexicalErrorObject::class_ = {
    "RuntimeLexicalError",
    JSCLASS_HAS_RESERVED_SLOTS(RuntimeLexicalErrorObject::RESERVED_SLOTS) |
    JSCLASS_IS_ANONYMOUS,
    JS_NULL_CLASS_OPS,
    JS_NULL_CLASS_SPEC,
    JS_NULL_CLASS_EXT,
    &RuntimeLexicalErrorObjectObjectOps
};

/*****************************************************************************/

EnvironmentIter::EnvironmentIter(JSContext* cx, const EnvironmentIter& ei
                                 MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL)
  : si_(cx, ei.si_.get()),
    env_(cx, ei.env_),
    frame_(ei.frame_)
{
    MOZ_GUARD_OBJECT_NOTIFIER_INIT;
}

EnvironmentIter::EnvironmentIter(JSContext* cx, JSObject* env, Scope* scope
                                 MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL)
  : si_(cx, ScopeIter(scope)),
    env_(cx, env),
    frame_(NullFramePtr())
{
    settle();
    MOZ_GUARD_OBJECT_NOTIFIER_INIT;
}

EnvironmentIter::EnvironmentIter(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc
                                 MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL)
  : si_(cx, frame.script()->innermostScope(pc)),
    env_(cx, frame.environmentChain()),
    frame_(frame)
{
    assertSameCompartment(cx, frame);
    settle();
    MOZ_GUARD_OBJECT_NOTIFIER_INIT;
}

void
EnvironmentIter::incrementScopeIter()
{
    if (si_.scope()->is<GlobalScope>()) {
        // GlobalScopes may be syntactic or non-syntactic. Non-syntactic
        // GlobalScopes correspond to zero or more non-syntactic
        // EnvironmentsObjects followed by the global lexical scope, then the
        // GlobalObject or another non-EnvironmentObject object.
        if (!env_->is<EnvironmentObject>())
            si_++;
    } else {
        si_++;
    }
}

void
EnvironmentIter::settle()
{
    // Check for trying to iterate a function or eval frame before the prologue has
    // created the CallObject, in which case we have to skip.
    if (frame_ && frame_.script()->initialEnvironmentShape() && !frame_.hasInitialEnvironment()) {
        // Skip until we're at the enclosing scope of the script.
        while (si_.scope() != frame_.script()->enclosingScope()) {
            if (env_->is<LexicalEnvironmentObject>() &&
                !env_->as<LexicalEnvironmentObject>().isExtensible() &&
                &env_->as<LexicalEnvironmentObject>().scope() == si_.scope())
            {
                MOZ_ASSERT(si_.kind() == ScopeKind::NamedLambda ||
                           si_.kind() == ScopeKind::StrictNamedLambda);
                env_ = &env_->as<EnvironmentObject>().enclosingEnvironment();
            }
            incrementScopeIter();
        }
    }

    // Check if we have left the extent of the initial frame after we've
    // settled on a static scope.
    if (frame_ && (!si_ || si_.scope() == frame_.script()->enclosingScope()))
        frame_ = NullFramePtr();

#ifdef DEBUG
    if (si_) {
        if (hasSyntacticEnvironment()) {
            Scope* scope = si_.scope();
            if (scope->is<LexicalScope>()) {
                MOZ_ASSERT(scope == &env_->as<LexicalEnvironmentObject>().scope());
            } else if (scope->is<FunctionScope>()) {
                MOZ_ASSERT(scope->as<FunctionScope>().script() ==
                           env_->as<CallObject>().callee().existingScriptNonDelazifying());
            } else if (scope->is<VarScope>()) {
                MOZ_ASSERT(scope == &env_->as<VarEnvironmentObject>().scope());
            } else if (scope->is<WithScope>()) {
                MOZ_ASSERT(scope == &env_->as<WithEnvironmentObject>().scope());
            } else if (scope->is<EvalScope>()) {
                MOZ_ASSERT(scope == &env_->as<VarEnvironmentObject>().scope());
            } else if (scope->is<GlobalScope>()) {
                MOZ_ASSERT(env_->is<GlobalObject>() || IsGlobalLexicalEnvironment(env_));
            }
        } else if (hasNonSyntacticEnvironmentObject()) {
            if (env_->is<LexicalEnvironmentObject>()) {
                // The global lexical environment still encloses non-syntactic
                // environment objects.
                MOZ_ASSERT(!env_->as<LexicalEnvironmentObject>().isSyntactic() ||
                           env_->as<LexicalEnvironmentObject>().isGlobal());
            } else if (env_->is<WithEnvironmentObject>()) {
                MOZ_ASSERT(!env_->as<WithEnvironmentObject>().isSyntactic());
            } else {
                MOZ_ASSERT(env_->is<NonSyntacticVariablesObject>());
            }
        }
    }
#endif
}

JSObject&
EnvironmentIter::enclosingEnvironment() const
{
    // As an engine invariant (maintained internally and asserted by Execute),
    // EnvironmentObjects and non-EnvironmentObjects cannot be interleaved on
    // the scope chain; every scope chain must start with zero or more
    // EnvironmentObjects and terminate with one or more
    // non-EnvironmentObjects (viz., GlobalObject).
    MOZ_ASSERT(done());
    MOZ_ASSERT(!env_->is<EnvironmentObject>());
    return *env_;
}

bool
EnvironmentIter::hasNonSyntacticEnvironmentObject() const
{
    // The case we're worrying about here is a NonSyntactic static scope
    // which has 0+ corresponding non-syntactic WithEnvironmentObject
    // scopes, a NonSyntacticVariablesObject, or a non-syntactic
    // LexicalEnvironmentObject.
    if (si_.kind() == ScopeKind::NonSyntactic) {
        MOZ_ASSERT_IF(env_->is<WithEnvironmentObject>(),
                      !env_->as<WithEnvironmentObject>().isSyntactic());
        return env_->is<EnvironmentObject>();
    }
    return false;
}

/* static */ HashNumber
MissingEnvironmentKey::hash(MissingEnvironmentKey ek)
{
    return size_t(ek.frame_.raw()) ^ size_t(ek.scope_);
}

/* static */ bool
MissingEnvironmentKey::match(MissingEnvironmentKey ek1, MissingEnvironmentKey ek2)
{
    return ek1.frame_ == ek2.frame_ && ek1.scope_ == ek2.scope_;
}

bool
LiveEnvironmentVal::needsSweep()
{
    if (scope_)
        MOZ_ALWAYS_FALSE(IsAboutToBeFinalized(&scope_));
    return false;
}

// Live EnvironmentIter values may be added to DebugEnvironments::liveEnvs, as
// LiveEnvironmentVal instances.  They need to have write barriers when they are added
// to the hash table, but no barriers when rehashing inside GC.  It's a nasty
// hack, but the important thing is that LiveEnvironmentVal and MissingEnvironmentKey need to
// alias each other.
void
LiveEnvironmentVal::staticAsserts()
{
    static_assert(sizeof(LiveEnvironmentVal) == sizeof(MissingEnvironmentKey),
                  "LiveEnvironmentVal must be same size of MissingEnvironmentKey");
    static_assert(offsetof(LiveEnvironmentVal, scope_) == offsetof(MissingEnvironmentKey, scope_),
                  "LiveEnvironmentVal.scope_ must alias MissingEnvironmentKey.scope_");
}

/*****************************************************************************/

namespace {

static void
ReportOptimizedOut(JSContext* cx, HandleId id)
{
    JSAutoByteString printable;
    if (ValueToPrintable(cx, IdToValue(id), &printable)) {
        JS_ReportErrorNumberLatin1(cx, GetErrorMessage, nullptr, JSMSG_DEBUG_OPTIMIZED_OUT,
                                   printable.ptr());
    }
}

/*
 * DebugEnvironmentProxy is the handler for DebugEnvironmentProxy proxy
 * objects. Having a custom handler (rather than trying to reuse js::Wrapper)
 * gives us several important abilities:
 *  - We want to pass the EnvironmentObject as the receiver to forwarded scope
 *    property ops on aliased variables so that Call/Block/With ops do not all
 *    require a 'normalization' step.
 *  - The debug scope proxy can directly manipulate the stack frame to allow
 *    the debugger to read/write args/locals that were otherwise unaliased.
 *  - The debug scope proxy can store unaliased variables after the stack frame
 *    is popped so that they may still be read/written by the debugger.
 *  - The engine has made certain assumptions about the possible reads/writes
 *    in a scope. DebugEnvironmentProxy allows us to prevent the debugger from
 *    breaking those assumptions.
 *  - The engine makes optimizations that are observable to the debugger. The
 *    proxy can either hide these optimizations or make the situation more
 *    clear to the debugger. An example is 'arguments'.
 */
class DebugEnvironmentProxyHandler : public BaseProxyHandler
{
    enum Action { SET, GET };

    enum AccessResult {
        ACCESS_UNALIASED,
        ACCESS_GENERIC,
        ACCESS_LOST
    };

    /*
     * This function handles access to unaliased locals/formals. Since they
     * are unaliased, the values of these variables are not stored in the
     * slots of the normal CallObject and LexicalEnvironmentObject
     * environments and thus must be recovered from somewhere else:
     *  + if the invocation for which the env was created is still executing,
     *    there is a JS frame live on the stack holding the values;
     *  + if the invocation for which the env was created finished executing:
     *     - and there was a DebugEnvironmentProxy associated with env, then
     *       the DebugEnvironments::onPop(Call|Lexical) handler copied out the
     *       unaliased variables. In both cases, a dense array is created in
     *       onPop(Call|Lexical) to hold the unaliased values and attached to
     *       the DebugEnvironmentProxy;
     *     - and there was not a DebugEnvironmentProxy yet associated with the
     *       scope, then the unaliased values are lost and not recoverable.
     *
     * Callers should check accessResult for non-failure results:
     *  - ACCESS_UNALIASED if the access was unaliased and completed
     *  - ACCESS_GENERIC   if the access was aliased or the property not found
     *  - ACCESS_LOST      if the value has been lost to the debugger and the
     *                     action is GET; if the action is SET, we assign to the
     *                     name of the variable on the environment object
     */
    bool handleUnaliasedAccess(JSContext* cx, Handle<DebugEnvironmentProxy*> debugEnv,
                               Handle<EnvironmentObject*> env, HandleId id, Action action,
                               MutableHandleValue vp, AccessResult* accessResult) const
    {
        MOZ_ASSERT(&debugEnv->environment() == env);
        MOZ_ASSERT_IF(action == SET, !debugEnv->isOptimizedOut());
        *accessResult = ACCESS_GENERIC;
        LiveEnvironmentVal* maybeLiveEnv = DebugEnvironments::hasLiveEnvironment(*env);

        if (env->is<ModuleEnvironmentObject>()) {
            /* Everything is aliased and stored in the environment object. */
            return true;
        }

        /* Handle unaliased formals, vars, lets, and consts at function scope. */
        if (env->is<CallObject>()) {
            CallObject& callobj = env->as<CallObject>();
            RootedFunction fun(cx, &callobj.callee());
            RootedScript script(cx, JSFunction::getOrCreateScript(cx, fun));
            if (!script->ensureHasTypes(cx) || !script->ensureHasAnalyzedArgsUsage(cx))
                return false;

            BindingIter bi(script);
            while (bi && NameToId(bi.name()->asPropertyName()) != id)
                bi++;
            if (!bi)
                return true;

            if (!bi.hasArgumentSlot()) {
                if (bi.closedOver())
                    return true;

                uint32_t i = bi.location().slot();
                if (maybeLiveEnv) {
                    AbstractFramePtr frame = maybeLiveEnv->frame();
                    if (action == GET)
                        vp.set(frame.unaliasedLocal(i));
                    else
                        frame.unaliasedLocal(i) = vp;
                } else if (NativeObject* snapshot = debugEnv->maybeSnapshot()) {
                    if (action == GET)
                        vp.set(snapshot->getDenseElement(script->numArgs() + i));
                    else
                        snapshot->setDenseElement(script->numArgs() + i, vp);
                } else {
                    /* The unaliased value has been lost to the debugger. */
                    if (action == GET) {
                        *accessResult = ACCESS_LOST;
                        return true;
                    }
                }
            } else {
                unsigned i = bi.argumentSlot();
                if (bi.closedOver())
                    return true;

                if (maybeLiveEnv) {
                    AbstractFramePtr frame = maybeLiveEnv->frame();
                    if (script->argsObjAliasesFormals() && frame.hasArgsObj()) {
                        if (action == GET)
                            vp.set(frame.argsObj().arg(i));
                        else
                            frame.argsObj().setArg(i, vp);
                    } else {
                        if (action == GET)
                            vp.set(frame.unaliasedFormal(i, DONT_CHECK_ALIASING));
                        else
                            frame.unaliasedFormal(i, DONT_CHECK_ALIASING) = vp;
                    }
                } else if (NativeObject* snapshot = debugEnv->maybeSnapshot()) {
                    if (action == GET)
                        vp.set(snapshot->getDenseElement(i));
                    else
                        snapshot->setDenseElement(i, vp);
                } else {
                    /* The unaliased value has been lost to the debugger. */
                    if (action == GET) {
                        *accessResult = ACCESS_LOST;
                        return true;
                    }
                }

                if (action == SET)
                    TypeScript::SetArgument(cx, script, i, vp);
            }

            // It is possible that an optimized out value flows to this
            // location due to Debugger.Frame.prototype.eval operating on a
            // live bailed-out Baseline frame. In that case, treat the access
            // as lost.
            if (vp.isMagic() && vp.whyMagic() == JS_OPTIMIZED_OUT)
                *accessResult = ACCESS_LOST;
            else
                *accessResult = ACCESS_UNALIASED;

            return true;
        }

        /*
         * Handle unaliased vars in functions with parameter expressions and
         * lexical bindings at block scope.
         */
        if (env->is<LexicalEnvironmentObject>() || env->is<VarEnvironmentObject>()) {
            // Currently consider all global and non-syntactic top-level lexical
            // bindings to be aliased.
            if (env->is<LexicalEnvironmentObject>() &&
                env->as<LexicalEnvironmentObject>().isExtensible())
            {
                MOZ_ASSERT(IsGlobalLexicalEnvironment(env) || !IsSyntacticEnvironment(env));
                return true;
            }

            // Currently all vars inside eval var environments are aliased.
            if (env->is<VarEnvironmentObject>() && env->as<VarEnvironmentObject>().isForEval())
                return true;

            RootedScope scope(cx, getEnvironmentScope(*env));
            uint32_t firstFrameSlot;
            if (env->is<LexicalEnvironmentObject>())
                firstFrameSlot = scope->as<LexicalScope>().firstFrameSlot();
            else
                firstFrameSlot = scope->as<VarScope>().firstFrameSlot();

            BindingIter bi(scope);
            while (bi && NameToId(bi.name()->asPropertyName()) != id)
                bi++;
            if (!bi)
                return true;

            BindingLocation loc = bi.location();
            if (loc.kind() == BindingLocation::Kind::Environment)
                return true;

            // Named lambdas that are not closed over are lost.
            if (loc.kind() == BindingLocation::Kind::NamedLambdaCallee) {
                if (action == GET)
                    *accessResult = ACCESS_LOST;
                return true;
            }

            MOZ_ASSERT(loc.kind() == BindingLocation::Kind::Frame);

            if (maybeLiveEnv) {
                AbstractFramePtr frame = maybeLiveEnv->frame();
                uint32_t local = loc.slot();
                MOZ_ASSERT(local < frame.script()->nfixed());
                if (action == GET)
                    vp.set(frame.unaliasedLocal(local));
                else
                    frame.unaliasedLocal(local) = vp;
            } else if (NativeObject* snapshot = debugEnv->maybeSnapshot()) {
                // Indices in the frame snapshot are offset by the first frame
                // slot. See DebugEnvironments::takeFrameSnapshot.
                MOZ_ASSERT(loc.slot() >= firstFrameSlot);
                uint32_t snapshotIndex = loc.slot() - firstFrameSlot;
                if (action == GET)
                    vp.set(snapshot->getDenseElement(snapshotIndex));
                else
                    snapshot->setDenseElement(snapshotIndex, vp);
            } else {
                if (action == GET) {
                    // A {Lexical,Var}EnvironmentObject whose static scope
                    // does not have an environment shape at all is a "hollow"
                    // block object reflected for missing block scopes. Their
                    // slot values are lost.
                    if (!scope->hasEnvironment()) {
                        *accessResult = ACCESS_LOST;
                        return true;
                    }

                    if (!GetProperty(cx, env, env, id, vp))
                        return false;
                } else {
                    if (!SetProperty(cx, env, id, vp))
                        return false;
                }
            }

            // See comment above in analogous CallObject case.
            if (vp.isMagic() && vp.whyMagic() == JS_OPTIMIZED_OUT)
                *accessResult = ACCESS_LOST;
            else
                *accessResult = ACCESS_UNALIASED;

            return true;
        }

        /* The rest of the internal scopes do not have unaliased vars. */
        MOZ_ASSERT(!IsSyntacticEnvironment(env) ||
                   env->is<WithEnvironmentObject>());
        return true;
    }

    static bool isArguments(JSContext* cx, jsid id)
    {
        return id == NameToId(cx->names().arguments);
    }
    static bool isThis(JSContext* cx, jsid id)
    {
        return id == NameToId(cx->names().dotThis);
    }

    static bool isFunctionEnvironment(const JSObject& env)
    {
        return env.is<CallObject>();
    }

    static bool isNonExtensibleLexicalEnvironment(const JSObject& env)
    {
        return env.is<LexicalEnvironmentObject>() &&
               !env.as<LexicalEnvironmentObject>().isExtensible();
    }

    static Scope* getEnvironmentScope(const JSObject& env)
    {
        if (isFunctionEnvironment(env))
            return env.as<CallObject>().callee().nonLazyScript()->bodyScope();
        if (isNonExtensibleLexicalEnvironment(env))
            return &env.as<LexicalEnvironmentObject>().scope();
        if (env.is<VarEnvironmentObject>())
            return &env.as<VarEnvironmentObject>().scope();
        return nullptr;
    }

    /*
     * In theory, every non-arrow function scope contains an 'arguments'
     * bindings.  However, the engine only adds a binding if 'arguments' is
     * used in the function body. Thus, from the debugger's perspective,
     * 'arguments' may be missing from the list of bindings.
     */
    static bool isMissingArgumentsBinding(EnvironmentObject& env)
    {
        return isFunctionEnvironment(env) &&
               !env.as<CallObject>().callee().nonLazyScript()->argumentsHasVarBinding();
    }

    /*
     * Similar to 'arguments' above, we don't add a 'this' binding to
     * non-arrow functions if it's not used.
     */
    static bool isMissingThisBinding(EnvironmentObject& env)
    {
        return isFunctionEnvironmentWithThis(env) &&
               !env.as<CallObject>().callee().nonLazyScript()->functionHasThisBinding();
    }

    /*
     * This function checks if an arguments object needs to be created when
     * the debugger requests 'arguments' for a function scope where the
     * arguments object has been optimized away (either because the binding is
     * missing altogether or because !ScriptAnalysis::needsArgsObj).
     */
    static bool isMissingArguments(JSContext* cx, jsid id, EnvironmentObject& env)
    {
        return isArguments(cx, id) && isFunctionEnvironment(env) &&
               !env.as<CallObject>().callee().nonLazyScript()->needsArgsObj();
    }
    static bool isMissingThis(JSContext* cx, jsid id, EnvironmentObject& env)
    {
        return isThis(cx, id) && isMissingThisBinding(env);
    }

    /*
     * Check if the value is the magic value JS_OPTIMIZED_ARGUMENTS. The
     * arguments analysis may have optimized out the 'arguments', and this
     * magic value could have propagated to other local slots. e.g.,
     *
     *   function f() { var a = arguments; h(); }
     *   function h() { evalInFrame(1, "a.push(0)"); }
     *
     * where evalInFrame(N, str) means to evaluate str N frames up.
     *
     * In this case we don't know we need to recover a missing arguments
     * object until after we've performed the property get.
     */
    static bool isMagicMissingArgumentsValue(JSContext* cx, EnvironmentObject& env, HandleValue v)
    {
        bool isMagic = v.isMagic() && v.whyMagic() == JS_OPTIMIZED_ARGUMENTS;

#ifdef DEBUG
        // The |env| object here is not limited to CallObjects but may also
        // be lexical envs in case of the following:
        //
        //   function f() { { let a = arguments; } }
        //
        // We need to check that |env|'s scope's nearest function scope has an
        // 'arguments' var binding. The environment chain is not sufficient:
        // |f| above will not have a CallObject because there are no aliased
        // body-level bindings.
        if (isMagic) {
            JSFunction* callee = nullptr;
            if (isFunctionEnvironment(env)) {
                callee = &env.as<CallObject>().callee();
            } else {
                // We will never have a WithEnvironmentObject here because no
                // binding accesses on with scopes are unaliased.
                for (ScopeIter si(getEnvironmentScope(env)); si; si++) {
                    if (si.kind() == ScopeKind::Function) {
                        callee = si.scope()->as<FunctionScope>().canonicalFunction();
                        break;
                    }
                }
            }
            MOZ_ASSERT(callee && callee->nonLazyScript()->argumentsHasVarBinding());
        }
#endif

        return isMagic;
    }

    /*
     * If the value of |this| is requested before the this-binding has been
     * initialized by JSOP_FUNCTIONTHIS, the this-binding will be |undefined|.
     * In that case, we have to call createMissingThis to initialize the
     * this-binding.
     *
     * Note that an |undefined| this-binding is perfectly valid in strict-mode
     * code, but that's fine: createMissingThis will do the right thing in that
     * case.
     */
    static bool isMaybeUninitializedThisValue(JSContext* cx, jsid id, const Value& v)
    {
        return isThis(cx, id) && v.isUndefined();
    }

    /*
     * Create a missing arguments object. If the function returns true but
     * argsObj is null, it means the env is dead.
     */
    static bool createMissingArguments(JSContext* cx, EnvironmentObject& env,
                                       MutableHandleArgumentsObject argsObj)
    {
        argsObj.set(nullptr);

        LiveEnvironmentVal* maybeEnv = DebugEnvironments::hasLiveEnvironment(env);
        if (!maybeEnv)
            return true;

        argsObj.set(ArgumentsObject::createUnexpected(cx, maybeEnv->frame()));
        return !!argsObj;
    }

    /*
     * Create a missing this Value. If the function returns true but
     * *success is false, it means the scope is dead.
     */
    static bool createMissingThis(JSContext* cx, EnvironmentObject& env,
                                  MutableHandleValue thisv, bool* success)
    {
        *success = false;

        LiveEnvironmentVal* maybeEnv = DebugEnvironments::hasLiveEnvironment(env);
        if (!maybeEnv)
            return true;

        if (!GetFunctionThis(cx, maybeEnv->frame(), thisv))
            return false;

        // Update the this-argument to avoid boxing primitive |this| more
        // than once.
        maybeEnv->frame().thisArgument() = thisv;
        *success = true;
        return true;
    }

  public:
    static const char family;
    static const DebugEnvironmentProxyHandler singleton;

    constexpr DebugEnvironmentProxyHandler() : BaseProxyHandler(&family) {}

    static bool isFunctionEnvironmentWithThis(const JSObject& env)
    {
        // All functions except arrows and generator expression lambdas should
        // have their own this binding.
        return isFunctionEnvironment(env) && !env.as<CallObject>().callee().hasLexicalThis();
    }

    bool getPrototypeIfOrdinary(JSContext* cx, HandleObject proxy, bool* isOrdinary,
                                MutableHandleObject protop) const override
    {
        MOZ_CRASH("shouldn't be possible to access the prototype chain of a DebugEnvironmentProxyHandler");
    }

    bool preventExtensions(JSContext* cx, HandleObject proxy,
                           ObjectOpResult& result) const override
    {
        // always [[Extensible]], can't be made non-[[Extensible]], like most
        // proxies
        return result.fail(JSMSG_CANT_CHANGE_EXTENSIBILITY);
    }

    bool isExtensible(JSContext* cx, HandleObject proxy, bool* extensible) const override
    {
        // See above.
        *extensible = true;
        return true;
    }

    bool getPropertyDescriptor(JSContext* cx, HandleObject proxy, HandleId id,
                               MutableHandle<PropertyDescriptor> desc) const override
    {
        return getOwnPropertyDescriptor(cx, proxy, id, desc);
    }

    bool getMissingArgumentsPropertyDescriptor(JSContext* cx,
                                               Handle<DebugEnvironmentProxy*> debugEnv,
                                               EnvironmentObject& env,
                                               MutableHandle<PropertyDescriptor> desc) const
    {
        RootedArgumentsObject argsObj(cx);
        if (!createMissingArguments(cx, env, &argsObj))
            return false;

        if (!argsObj) {
            JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_DEBUG_NOT_LIVE,
                                      "Debugger scope");
            return false;
        }

        desc.object().set(debugEnv);
        desc.setAttributes(JSPROP_READONLY | JSPROP_ENUMERATE | JSPROP_PERMANENT);
        desc.value().setObject(*argsObj);
        desc.setGetter(nullptr);
        desc.setSetter(nullptr);
        return true;
    }
    bool getMissingThisPropertyDescriptor(JSContext* cx,
                                          Handle<DebugEnvironmentProxy*> debugEnv,
                                          EnvironmentObject& env,
                                          MutableHandle<PropertyDescriptor> desc) const
    {
        RootedValue thisv(cx);
        bool success;
        if (!createMissingThis(cx, env, &thisv, &success))
            return false;

        if (!success) {
            JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_DEBUG_NOT_LIVE,
                                      "Debugger scope");
            return false;
        }

        desc.object().set(debugEnv);
        desc.setAttributes(JSPROP_READONLY | JSPROP_ENUMERATE | JSPROP_PERMANENT);
        desc.value().set(thisv);
        desc.setGetter(nullptr);
        desc.setSetter(nullptr);
        return true;
    }

    bool getOwnPropertyDescriptor(JSContext* cx, HandleObject proxy, HandleId id,
                                  MutableHandle<PropertyDescriptor> desc) const override
    {
        Rooted<DebugEnvironmentProxy*> debugEnv(cx, &proxy->as<DebugEnvironmentProxy>());
        Rooted<EnvironmentObject*> env(cx, &debugEnv->environment());

        if (isMissingArguments(cx, id, *env))
            return getMissingArgumentsPropertyDescriptor(cx, debugEnv, *env, desc);

        if (isMissingThis(cx, id, *env))
            return getMissingThisPropertyDescriptor(cx, debugEnv, *env, desc);

        RootedValue v(cx);
        AccessResult access;
        if (!handleUnaliasedAccess(cx, debugEnv, env, id, GET, &v, &access))
            return false;

        switch (access) {
          case ACCESS_UNALIASED:
            if (isMagicMissingArgumentsValue(cx, *env, v))
                return getMissingArgumentsPropertyDescriptor(cx, debugEnv, *env, desc);
            desc.object().set(debugEnv);
            desc.setAttributes(JSPROP_READONLY | JSPROP_ENUMERATE | JSPROP_PERMANENT);
            desc.value().set(v);
            desc.setGetter(nullptr);
            desc.setSetter(nullptr);
            return true;
          case ACCESS_GENERIC:
            return JS_GetOwnPropertyDescriptorById(cx, env, id, desc);
          case ACCESS_LOST:
            ReportOptimizedOut(cx, id);
            return false;
          default:
            MOZ_CRASH("bad AccessResult");
        }
    }

    bool getMissingArguments(JSContext* cx, EnvironmentObject& env, MutableHandleValue vp) const
    {
        RootedArgumentsObject argsObj(cx);
        if (!createMissingArguments(cx, env, &argsObj))
            return false;

        if (!argsObj) {
            JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_DEBUG_NOT_LIVE,
                                      "Debugger env");
            return false;
        }

        vp.setObject(*argsObj);
        return true;
    }

    bool getMissingThis(JSContext* cx, EnvironmentObject& env, MutableHandleValue vp) const
    {
        RootedValue thisv(cx);
        bool success;
        if (!createMissingThis(cx, env, &thisv, &success))
            return false;

        if (!success) {
            JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_DEBUG_NOT_LIVE,
                                      "Debugger env");
            return false;
        }

        vp.set(thisv);
        return true;
    }

    bool get(JSContext* cx, HandleObject proxy, HandleValue receiver, HandleId id,
             MutableHandleValue vp) const override
    {
        Rooted<DebugEnvironmentProxy*> debugEnv(cx, &proxy->as<DebugEnvironmentProxy>());
        Rooted<EnvironmentObject*> env(cx, &proxy->as<DebugEnvironmentProxy>().environment());

        if (isMissingArguments(cx, id, *env))
            return getMissingArguments(cx, *env, vp);

        if (isMissingThis(cx, id, *env))
            return getMissingThis(cx, *env, vp);

        AccessResult access;
        if (!handleUnaliasedAccess(cx, debugEnv, env, id, GET, vp, &access))
            return false;

        switch (access) {
          case ACCESS_UNALIASED:
            if (isMagicMissingArgumentsValue(cx, *env, vp))
                return getMissingArguments(cx, *env, vp);
            if (isMaybeUninitializedThisValue(cx, id, vp))
                return getMissingThis(cx, *env, vp);
            return true;
          case ACCESS_GENERIC:
            if (!GetProperty(cx, env, env, id, vp))
                return false;
            if (isMaybeUninitializedThisValue(cx, id, vp))
                return getMissingThis(cx, *env, vp);
            return true;
          case ACCESS_LOST:
            ReportOptimizedOut(cx, id);
            return false;
          default:
            MOZ_CRASH("bad AccessResult");
        }
    }

    bool getMissingArgumentsMaybeSentinelValue(JSContext* cx, EnvironmentObject& env,
                                               MutableHandleValue vp) const
    {
        RootedArgumentsObject argsObj(cx);
        if (!createMissingArguments(cx, env, &argsObj))
            return false;
        vp.set(argsObj ? ObjectValue(*argsObj) : MagicValue(JS_OPTIMIZED_ARGUMENTS));
        return true;
    }

    bool getMissingThisMaybeSentinelValue(JSContext* cx, EnvironmentObject& env,
                                          MutableHandleValue vp) const
    {
        RootedValue thisv(cx);
        bool success;
        if (!createMissingThis(cx, env, &thisv, &success))
            return false;
        vp.set(success ? thisv : MagicValue(JS_OPTIMIZED_OUT));
        return true;
    }

    /*
     * Like 'get', but returns sentinel values instead of throwing on
     * exceptional cases.
     */
    bool getMaybeSentinelValue(JSContext* cx, Handle<DebugEnvironmentProxy*> debugEnv,
                               HandleId id, MutableHandleValue vp) const
    {
        Rooted<EnvironmentObject*> env(cx, &debugEnv->environment());

        if (isMissingArguments(cx, id, *env))
            return getMissingArgumentsMaybeSentinelValue(cx, *env, vp);
        if (isMissingThis(cx, id, *env))
            return getMissingThisMaybeSentinelValue(cx, *env, vp);

        AccessResult access;
        if (!handleUnaliasedAccess(cx, debugEnv, env, id, GET, vp, &access))
            return false;

        switch (access) {
          case ACCESS_UNALIASED:
            if (isMagicMissingArgumentsValue(cx, *env, vp))
                return getMissingArgumentsMaybeSentinelValue(cx, *env, vp);
            if (isMaybeUninitializedThisValue(cx, id, vp))
                return getMissingThisMaybeSentinelValue(cx, *env, vp);
            return true;
          case ACCESS_GENERIC:
            if (!GetProperty(cx, env, env, id, vp))
                return false;
            if (isMaybeUninitializedThisValue(cx, id, vp))
                return getMissingThisMaybeSentinelValue(cx, *env, vp);
            return true;
          case ACCESS_LOST:
            vp.setMagic(JS_OPTIMIZED_OUT);
            return true;
          default:
            MOZ_CRASH("bad AccessResult");
        }
    }

    bool set(JSContext* cx, HandleObject proxy, HandleId id, HandleValue v, HandleValue receiver,
             ObjectOpResult& result) const override
    {
        Rooted<DebugEnvironmentProxy*> debugEnv(cx, &proxy->as<DebugEnvironmentProxy>());
        Rooted<EnvironmentObject*> env(cx, &proxy->as<DebugEnvironmentProxy>().environment());

        if (debugEnv->isOptimizedOut())
            return Throw(cx, id, JSMSG_DEBUG_CANT_SET_OPT_ENV);

        AccessResult access;
        RootedValue valCopy(cx, v);
        if (!handleUnaliasedAccess(cx, debugEnv, env, id, SET, &valCopy, &access))
            return false;

        switch (access) {
          case ACCESS_UNALIASED:
            return result.succeed();
          case ACCESS_GENERIC: {
            RootedValue envVal(cx, ObjectValue(*env));
            return SetProperty(cx, env, id, v, envVal, result);
          }
          default:
            MOZ_CRASH("bad AccessResult");
        }
    }

    bool defineProperty(JSContext* cx, HandleObject proxy, HandleId id,
                        Handle<PropertyDescriptor> desc,
                        ObjectOpResult& result) const override
    {
        Rooted<EnvironmentObject*> env(cx, &proxy->as<DebugEnvironmentProxy>().environment());

        bool found;
        if (!has(cx, proxy, id, &found))
            return false;
        if (found)
            return Throw(cx, id, JSMSG_CANT_REDEFINE_PROP);

        return JS_DefinePropertyById(cx, env, id, desc, result);
    }

    bool ownPropertyKeys(JSContext* cx, HandleObject proxy, AutoIdVector& props) const override
    {
        Rooted<EnvironmentObject*> env(cx, &proxy->as<DebugEnvironmentProxy>().environment());

        if (isMissingArgumentsBinding(*env)) {
            if (!props.append(NameToId(cx->names().arguments)))
                return false;
        }
        if (isMissingThisBinding(*env)) {
            if (!props.append(NameToId(cx->names().dotThis)))
                return false;
        }

        // WithEnvironmentObject isn't a very good proxy.  It doesn't have a
        // JSNewEnumerateOp implementation, because if it just delegated to the
        // target object, the object would indicate that native enumeration is
        // the thing to do, but native enumeration over the WithEnvironmentObject
        // wrapper yields no properties.  So instead here we hack around the
        // issue: punch a hole through to the with object target, then manually
        // examine @@unscopables.
        RootedObject target(cx);
        bool isWith = env->is<WithEnvironmentObject>();
        if (isWith)
            target = &env->as<WithEnvironmentObject>().object();
        else
            target = env;
        if (!GetPropertyKeys(cx, target, JSITER_OWNONLY, &props))
            return false;

        if (isWith) {
            size_t j = 0;
            for (size_t i = 0; i < props.length(); i++) {
                bool inScope;
                if (!CheckUnscopables(cx, env, props[i], &inScope))
                    return false;
                if (inScope)
                    props[j++].set(props[i]);
            }
            if (!props.resize(j))
                return false;
        }

        /*
         * Environments with Scopes are optimized to not contain unaliased
         * variables so they must be manually appended here.
         */
        if (Scope* scope = getEnvironmentScope(*env)) {
            for (Rooted<BindingIter> bi(cx, BindingIter(scope)); bi; bi++) {
                if (!bi.closedOver() && !props.append(NameToId(bi.name()->asPropertyName())))
                    return false;
            }
        }

        return true;
    }

    bool has(JSContext* cx, HandleObject proxy, HandleId id_, bool* bp) const override
    {
        RootedId id(cx, id_);
        EnvironmentObject& envObj = proxy->as<DebugEnvironmentProxy>().environment();

        if (isArguments(cx, id) && isFunctionEnvironment(envObj)) {
            *bp = true;
            return true;
        }

        // Be careful not to look up '.this' as a normal binding below, it will
        // assert in with_HasProperty.
        if (isThis(cx, id)) {
            *bp = isFunctionEnvironmentWithThis(envObj);
            return true;
        }

        bool found;
        RootedObject env(cx, &envObj);
        if (!JS_HasPropertyById(cx, env, id, &found))
            return false;

        if (!found) {
            if (Scope* scope = getEnvironmentScope(*env)) {
                for (BindingIter bi(scope); bi; bi++) {
                    if (!bi.closedOver() && NameToId(bi.name()->asPropertyName()) == id) {
                        found = true;
                        break;
                    }
                }
            }
        }

        *bp = found;
        return true;
    }

    bool delete_(JSContext* cx, HandleObject proxy, HandleId id,
                 ObjectOpResult& result) const override
    {
        return result.fail(JSMSG_CANT_DELETE);
    }
};

} /* anonymous namespace */

template<>
bool
JSObject::is<js::DebugEnvironmentProxy>() const
{
    return IsDerivedProxyObject(this, &DebugEnvironmentProxyHandler::singleton);
}

const char DebugEnvironmentProxyHandler::family = 0;
const DebugEnvironmentProxyHandler DebugEnvironmentProxyHandler::singleton;

/* static */ DebugEnvironmentProxy*
DebugEnvironmentProxy::create(JSContext* cx, EnvironmentObject& env, HandleObject enclosing)
{
    MOZ_ASSERT(env.compartment() == cx->compartment());
    MOZ_ASSERT(!enclosing->is<EnvironmentObject>());

    RootedValue priv(cx, ObjectValue(env));
    JSObject* obj = NewProxyObject(cx, &DebugEnvironmentProxyHandler::singleton, priv,
                                   nullptr /* proto */);
    if (!obj)
        return nullptr;

    DebugEnvironmentProxy* debugEnv = &obj->as<DebugEnvironmentProxy>();
    debugEnv->setExtra(ENCLOSING_EXTRA, ObjectValue(*enclosing));
    debugEnv->setExtra(SNAPSHOT_EXTRA, NullValue());

    return debugEnv;
}

EnvironmentObject&
DebugEnvironmentProxy::environment() const
{
    return target()->as<EnvironmentObject>();
}

JSObject&
DebugEnvironmentProxy::enclosingEnvironment() const
{
    return extra(ENCLOSING_EXTRA).toObject();
}

ArrayObject*
DebugEnvironmentProxy::maybeSnapshot() const
{
    JSObject* obj = extra(SNAPSHOT_EXTRA).toObjectOrNull();
    return obj ? &obj->as<ArrayObject>() : nullptr;
}

void
DebugEnvironmentProxy::initSnapshot(ArrayObject& o)
{
    MOZ_ASSERT(maybeSnapshot() == nullptr);
    setExtra(SNAPSHOT_EXTRA, ObjectValue(o));
}

bool
DebugEnvironmentProxy::isForDeclarative() const
{
    EnvironmentObject& e = environment();
    return e.is<CallObject>() ||
           e.is<VarEnvironmentObject>() ||
           e.is<ModuleEnvironmentObject>() ||
           e.is<LexicalEnvironmentObject>();
}

/* static */ bool
DebugEnvironmentProxy::getMaybeSentinelValue(JSContext* cx, Handle<DebugEnvironmentProxy*> env,
                                             HandleId id, MutableHandleValue vp)
{
    return DebugEnvironmentProxyHandler::singleton.getMaybeSentinelValue(cx, env, id, vp);
}

bool
DebugEnvironmentProxy::isFunctionEnvironmentWithThis()
{
    return DebugEnvironmentProxyHandler::isFunctionEnvironmentWithThis(environment());
}

bool
DebugEnvironmentProxy::isOptimizedOut() const
{
    EnvironmentObject& e = environment();

    if (DebugEnvironments::hasLiveEnvironment(e))
        return false;

    if (e.is<LexicalEnvironmentObject>()) {
        return !e.as<LexicalEnvironmentObject>().isExtensible() &&
               !e.as<LexicalEnvironmentObject>().scope().hasEnvironment();
    }

    if (e.is<CallObject>()) {
        return !e.as<CallObject>().callee().needsCallObject() &&
               !maybeSnapshot();
    }

    return false;
}

/*****************************************************************************/

DebugEnvironments::DebugEnvironments(JSContext* cx)
 : proxiedEnvs(cx),
   missingEnvs(cx->runtime()),
   liveEnvs(cx->runtime())
{}

DebugEnvironments::~DebugEnvironments()
{
    MOZ_ASSERT_IF(missingEnvs.initialized(), missingEnvs.empty());
}

bool
DebugEnvironments::init()
{
    return proxiedEnvs.init() && missingEnvs.init() && liveEnvs.init();
}

void
DebugEnvironments::mark(JSTracer* trc)
{
    proxiedEnvs.trace(trc);
}

void
DebugEnvironments::sweep(JSRuntime* rt)
{
    /*
     * missingEnvs points to debug envs weakly so that debug envs can be
     * released more eagerly.
     */
    for (MissingEnvironmentMap::Enum e(missingEnvs); !e.empty(); e.popFront()) {
        if (IsAboutToBeFinalized(&e.front().value())) {
            /*
             * Note that onPopCall, onPopVar, and onPopLexical rely on
             * missingEnvs to find environment objects that we synthesized for
             * the debugger's sake, and clean up the synthetic environment
             * objects' entries in liveEnvs. So if we remove an entry from
             * missingEnvs here, we must also remove the corresponding
             * liveEnvs entry.
             *
             * Since the DebugEnvironmentProxy is the only thing using its environment
             * object, and the DSO is about to be finalized, you might assume
             * that the synthetic SO is also about to be finalized too, and thus
             * the loop below will take care of things. But complex GC behavior
             * means that marks are only conservative approximations of
             * liveness; we should assume that anything could be marked.
             *
             * Thus, we must explicitly remove the entries from both liveEnvs
             * and missingEnvs here.
             */
            liveEnvs.remove(&e.front().value().unbarrieredGet()->environment());
            e.removeFront();
        } else {
            MissingEnvironmentKey key = e.front().key();
            if (IsForwarded(key.scope())) {
                key.updateScope(Forwarded(key.scope()));
                e.rekeyFront(key);
            }
        }
    }

    /*
     * Scopes can be finalized when a debugger-synthesized EnvironmentObject is
     * no longer reachable via its DebugEnvironmentProxy.
     */
    liveEnvs.sweep();
}

void
DebugEnvironments::finish()
{
    proxiedEnvs.clear();
}

#ifdef JSGC_HASH_TABLE_CHECKS
void
DebugEnvironments::checkHashTablesAfterMovingGC(JSRuntime* runtime)
{
    /*
     * This is called at the end of StoreBuffer::mark() to check that our
     * postbarriers have worked and that no hashtable keys (or values) are left
     * pointing into the nursery.
     */
    proxiedEnvs.checkAfterMovingGC();
    for (MissingEnvironmentMap::Range r = missingEnvs.all(); !r.empty(); r.popFront()) {
        CheckGCThingAfterMovingGC(r.front().key().scope());
        CheckGCThingAfterMovingGC(r.front().value().get());
    }
    for (LiveEnvironmentMap::Range r = liveEnvs.all(); !r.empty(); r.popFront()) {
        CheckGCThingAfterMovingGC(r.front().key());
        CheckGCThingAfterMovingGC(r.front().value().scope_.get());
    }
}
#endif

/*
 * Unfortunately, GetDebugEnvironmentForFrame needs to work even outside debug mode
 * (in particular, JS_GetFrameScopeChain does not require debug mode). Since
 * DebugEnvironments::onPop* are only called in debuggee frames, this means we
 * cannot use any of the maps in DebugEnvironments. This will produce debug scope
 * chains that do not obey the debugger invariants but that is just fine.
 */
static bool
CanUseDebugEnvironmentMaps(JSContext* cx)
{
    return cx->compartment()->isDebuggee();
}

DebugEnvironments*
DebugEnvironments::ensureCompartmentData(JSContext* cx)
{
    JSCompartment* c = cx->compartment();
    if (c->debugEnvs)
        return c->debugEnvs;

    auto debugEnvs = cx->make_unique<DebugEnvironments>(cx);
    if (!debugEnvs || !debugEnvs->init()) {
        ReportOutOfMemory(cx);
        return nullptr;
    }

    c->debugEnvs = debugEnvs.release();
    return c->debugEnvs;
}

/* static */ DebugEnvironmentProxy*
DebugEnvironments::hasDebugEnvironment(JSContext* cx, EnvironmentObject& env)
{
    DebugEnvironments* envs = env.compartment()->debugEnvs;
    if (!envs)
        return nullptr;

    if (JSObject* obj = envs->proxiedEnvs.lookup(&env)) {
        MOZ_ASSERT(CanUseDebugEnvironmentMaps(cx));
        return &obj->as<DebugEnvironmentProxy>();
    }

    return nullptr;
}

/* static */ bool
DebugEnvironments::addDebugEnvironment(JSContext* cx, Handle<EnvironmentObject*> env,
                                       Handle<DebugEnvironmentProxy*> debugEnv)
{
    MOZ_ASSERT(cx->compartment() == env->compartment());
    MOZ_ASSERT(cx->compartment() == debugEnv->compartment());

    if (!CanUseDebugEnvironmentMaps(cx))
        return true;

    DebugEnvironments* envs = ensureCompartmentData(cx);
    if (!envs)
        return false;

    return envs->proxiedEnvs.add(cx, env, debugEnv);
}

/* static */ DebugEnvironmentProxy*
DebugEnvironments::hasDebugEnvironment(JSContext* cx, const EnvironmentIter& ei)
{
    MOZ_ASSERT(!ei.hasSyntacticEnvironment());

    DebugEnvironments* envs = cx->compartment()->debugEnvs;
    if (!envs)
        return nullptr;

    if (MissingEnvironmentMap::Ptr p = envs->missingEnvs.lookup(MissingEnvironmentKey(ei))) {
        MOZ_ASSERT(CanUseDebugEnvironmentMaps(cx));
        return p->value();
    }
    return nullptr;
}

/* static */ bool
DebugEnvironments::addDebugEnvironment(JSContext* cx, const EnvironmentIter& ei,
                                       Handle<DebugEnvironmentProxy*> debugEnv)
{
    MOZ_ASSERT(!ei.hasSyntacticEnvironment());
    MOZ_ASSERT(cx->compartment() == debugEnv->compartment());
    // Generators should always have environments.
    MOZ_ASSERT_IF(ei.scope().is<FunctionScope>(),
                  !ei.scope().as<FunctionScope>().canonicalFunction()->isGenerator());

    if (!CanUseDebugEnvironmentMaps(cx))
        return true;

    DebugEnvironments* envs = ensureCompartmentData(cx);
    if (!envs)
        return false;

    MissingEnvironmentKey key(ei);
    MOZ_ASSERT(!envs->missingEnvs.has(key));
    if (!envs->missingEnvs.put(key, ReadBarriered<DebugEnvironmentProxy*>(debugEnv))) {
        ReportOutOfMemory(cx);
        return false;
    }

    // Only add to liveEnvs if we synthesized the debug env on a live
    // frame.
    if (ei.withinInitialFrame()) {
        MOZ_ASSERT(!envs->liveEnvs.has(&debugEnv->environment()));
        if (!envs->liveEnvs.put(&debugEnv->environment(), LiveEnvironmentVal(ei))) {
            ReportOutOfMemory(cx);
            return false;
        }
    }

    return true;
}

/* static */ void
DebugEnvironments::takeFrameSnapshot(JSContext* cx, Handle<DebugEnvironmentProxy*> debugEnv,
                                     AbstractFramePtr frame)
{
    /*
     * When the JS stack frame is popped, the values of unaliased variables
     * are lost. If there is any debug env referring to this environment, save a
     * copy of the unaliased variables' values in an array for later debugger
     * access via DebugEnvironmentProxy::handleUnaliasedAccess.
     *
     * Note: since it is simplest for this function to be infallible, failure
     * in this code will be silently ignored. This does not break any
     * invariants since DebugEnvironmentProxy::maybeSnapshot can already be nullptr.
     */

    // Act like no snapshot was taken if we run OOM while taking the snapshot.
    Rooted<GCVector<Value>> vec(cx, GCVector<Value>(cx));
    if (debugEnv->environment().is<CallObject>()) {
        JSScript* script = frame.script();

        FunctionScope* scope = &script->bodyScope()->as<FunctionScope>();
        uint32_t frameSlotCount = scope->nextFrameSlot();
        MOZ_ASSERT(frameSlotCount <= script->nfixed());

        // For simplicity, copy all frame slots from 0 to the frameSlotCount,
        // even if we don't need all of them (like in the case of a defaults
        // parameter scope having frame slots).
        uint32_t numFormals = frame.numFormalArgs();
        if (!vec.resize(numFormals + frameSlotCount)) {
            cx->recoverFromOutOfMemory();
            return;
        }
        mozilla::PodCopy(vec.begin(), frame.argv(), numFormals);
        for (uint32_t slot = 0; slot < frameSlotCount; slot++)
            vec[slot + frame.numFormalArgs()].set(frame.unaliasedLocal(slot));

        /*
         * Copy in formals that are not aliased via the scope chain
         * but are aliased via the arguments object.
         */
        if (script->analyzedArgsUsage() && script->needsArgsObj() && frame.hasArgsObj()) {
            for (unsigned i = 0; i < frame.numFormalArgs(); ++i) {
                if (script->formalLivesInArgumentsObject(i))
                    vec[i].set(frame.argsObj().arg(i));
            }
        }
    } else {
        uint32_t frameSlotStart;
        uint32_t frameSlotEnd;

        if (debugEnv->environment().is<LexicalEnvironmentObject>()) {
            LexicalScope* scope = &debugEnv->environment().as<LexicalEnvironmentObject>().scope();
            frameSlotStart = scope->firstFrameSlot();
            frameSlotEnd = scope->nextFrameSlot();
        } else {
            VarEnvironmentObject* env = &debugEnv->environment().as<VarEnvironmentObject>();
            if (frame.isFunctionFrame()) {
                VarScope* scope = &env->scope().as<VarScope>();
                frameSlotStart = scope->firstFrameSlot();
                frameSlotEnd = scope->nextFrameSlot();
            } else {
                EvalScope* scope = &env->scope().as<EvalScope>();
                MOZ_ASSERT(scope == frame.script()->bodyScope());
                frameSlotStart = 0;
                frameSlotEnd = scope->nextFrameSlot();
            }
        }

        uint32_t frameSlotCount = frameSlotEnd - frameSlotStart;
        MOZ_ASSERT(frameSlotCount <= frame.script()->nfixed());

        if (!vec.resize(frameSlotCount)) {
            cx->recoverFromOutOfMemory();
            return;
        }
        for (uint32_t slot = frameSlotStart; slot < frameSlotCount; slot++)
            vec[slot - frameSlotStart].set(frame.unaliasedLocal(slot));
    }

    if (vec.length() == 0)
        return;

    /*
     * Use a dense array as storage (since proxies do not have trace
     * hooks). This array must not escape into the wild.
     */
    RootedArrayObject snapshot(cx, NewDenseCopiedArray(cx, vec.length(), vec.begin()));
    if (!snapshot) {
        cx->recoverFromOutOfMemory();
        return;
    }

    debugEnv->initSnapshot(*snapshot);
}

/* static */ void
DebugEnvironments::onPopCall(JSContext* cx, AbstractFramePtr frame)
{
    assertSameCompartment(cx, frame);

    DebugEnvironments* envs = cx->compartment()->debugEnvs;
    if (!envs)
        return;

    Rooted<DebugEnvironmentProxy*> debugEnv(cx, nullptr);

    FunctionScope* funScope = &frame.script()->bodyScope()->as<FunctionScope>();
    if (funScope->hasEnvironment()) {
        MOZ_ASSERT(frame.callee()->needsCallObject());

        /*
         * The frame may be observed before the prologue has created the
         * CallObject. See EnvironmentIter::settle.
         */
        if (!frame.environmentChain()->is<CallObject>())
            return;

        if (frame.callee()->isGenerator())
            return;

        CallObject& callobj = frame.environmentChain()->as<CallObject>();
        envs->liveEnvs.remove(&callobj);
        if (JSObject* obj = envs->proxiedEnvs.lookup(&callobj))
            debugEnv = &obj->as<DebugEnvironmentProxy>();
    } else {
        MissingEnvironmentKey key(frame, funScope);
        if (MissingEnvironmentMap::Ptr p = envs->missingEnvs.lookup(key)) {
            debugEnv = p->value();
            envs->liveEnvs.remove(&debugEnv->environment().as<CallObject>());
            envs->missingEnvs.remove(p);
        }
    }

    if (debugEnv)
        DebugEnvironments::takeFrameSnapshot(cx, debugEnv, frame);
}

void
DebugEnvironments::onPopLexical(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc)
{
    assertSameCompartment(cx, frame);

    DebugEnvironments* envs = cx->compartment()->debugEnvs;
    if (!envs)
        return;

    EnvironmentIter ei(cx, frame, pc);
    onPopLexical(cx, ei);
}

template <typename Environment, typename Scope>
void
DebugEnvironments::onPopGeneric(JSContext* cx, const EnvironmentIter& ei)
{
    DebugEnvironments* envs = cx->compartment()->debugEnvs;
    if (!envs)
        return;

    MOZ_ASSERT(ei.withinInitialFrame());
    MOZ_ASSERT(ei.scope().is<Scope>());

    Rooted<Environment*> env(cx);
    if (MissingEnvironmentMap::Ptr p = envs->missingEnvs.lookup(MissingEnvironmentKey(ei))) {
        env = &p->value()->environment().as<Environment>();
        envs->missingEnvs.remove(p);
    } else if (ei.hasSyntacticEnvironment()) {
        env = &ei.environment().as<Environment>();
    }

    if (env) {
        envs->liveEnvs.remove(env);

        if (JSObject* obj = envs->proxiedEnvs.lookup(env)) {
            Rooted<DebugEnvironmentProxy*> debugEnv(cx, &obj->as<DebugEnvironmentProxy>());
            DebugEnvironments::takeFrameSnapshot(cx, debugEnv, ei.initialFrame());
        }
    }
}

void
DebugEnvironments::onPopLexical(JSContext* cx, const EnvironmentIter& ei)
{
    onPopGeneric<LexicalEnvironmentObject, LexicalScope>(cx, ei);
}

void
DebugEnvironments::onPopVar(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc)
{
    assertSameCompartment(cx, frame);

    DebugEnvironments* envs = cx->compartment()->debugEnvs;
    if (!envs)
        return;

    EnvironmentIter ei(cx, frame, pc);
    onPopVar(cx, ei);
}

void
DebugEnvironments::onPopVar(JSContext* cx, const EnvironmentIter& ei)
{
    if (ei.scope().is<EvalScope>())
        onPopGeneric<VarEnvironmentObject, EvalScope>(cx, ei);
    else
        onPopGeneric<VarEnvironmentObject, VarScope>(cx, ei);
}

void
DebugEnvironments::onPopWith(AbstractFramePtr frame)
{
    if (DebugEnvironments* envs = frame.compartment()->debugEnvs)
        envs->liveEnvs.remove(&frame.environmentChain()->as<WithEnvironmentObject>());
}

void
DebugEnvironments::onCompartmentUnsetIsDebuggee(JSCompartment* c)
{
    if (DebugEnvironments* envs = c->debugEnvs) {
        envs->proxiedEnvs.clear();
        envs->missingEnvs.clear();
        envs->liveEnvs.clear();
    }
}

bool
DebugEnvironments::updateLiveEnvironments(JSContext* cx)
{
    JS_CHECK_RECURSION(cx, return false);

    /*
     * Note that we must always update the top frame's environment objects'
     * entries in liveEnvs because we can't be sure code hasn't run in that
     * frame to change the environment chain since we were last called. The
     * fp->prevUpToDate() flag indicates whether the environments of frames
     * older than fp are already included in liveEnvs. It might seem simpler
     * to have fp instead carry a flag indicating whether fp itself is
     * accurately described, but then we would need to clear that flag
     * whenever fp ran code. By storing the 'up to date' bit for fp->prev() in
     * fp, simply popping fp effectively clears the flag for us, at exactly
     * the time when execution resumes fp->prev().
     */
    for (AllFramesIter i(cx); !i.done(); ++i) {
        if (!i.hasUsableAbstractFramePtr())
            continue;

        AbstractFramePtr frame = i.abstractFramePtr();
        if (frame.environmentChain()->compartment() != cx->compartment())
            continue;

        if (frame.isFunctionFrame() && frame.callee()->isGenerator())
            continue;

        if (!frame.isDebuggee())
            continue;

        for (EnvironmentIter ei(cx, frame, i.pc()); ei.withinInitialFrame(); ei++) {
            if (ei.hasSyntacticEnvironment() && !ei.scope().is<GlobalScope>()) {
                MOZ_ASSERT(ei.environment().compartment() == cx->compartment());
                DebugEnvironments* envs = ensureCompartmentData(cx);
                if (!envs)
                    return false;
                if (!envs->liveEnvs.put(&ei.environment(), LiveEnvironmentVal(ei)))
                    return false;
            }
        }

        if (frame.prevUpToDate())
            return true;
        MOZ_ASSERT(frame.environmentChain()->compartment()->isDebuggee());
        frame.setPrevUpToDate();
    }

    return true;
}

LiveEnvironmentVal*
DebugEnvironments::hasLiveEnvironment(EnvironmentObject& env)
{
    DebugEnvironments* envs = env.compartment()->debugEnvs;
    if (!envs)
        return nullptr;

    if (LiveEnvironmentMap::Ptr p = envs->liveEnvs.lookup(&env))
        return &p->value();

    return nullptr;
}

/* static */ void
DebugEnvironments::unsetPrevUpToDateUntil(JSContext* cx, AbstractFramePtr until)
{
    // This are two exceptions where fp->prevUpToDate() is cleared without
    // popping the frame. When a frame is rematerialized or has its
    // debuggeeness toggled off->on, all frames younger than the frame must
    // have their prevUpToDate set to false. This is because unrematerialized
    // Ion frames and non-debuggee frames are skipped by updateLiveEnvironments. If
    // in the future a frame suddenly gains a usable AbstractFramePtr via
    // rematerialization or becomes a debuggee, the prevUpToDate invariant
    // will no longer hold for older frames on its stack.
    for (AllFramesIter i(cx); !i.done(); ++i) {
        if (!i.hasUsableAbstractFramePtr())
            continue;

        AbstractFramePtr frame = i.abstractFramePtr();
        if (frame == until)
            return;

        if (frame.environmentChain()->compartment() != cx->compartment())
            continue;

        frame.unsetPrevUpToDate();
    }
}

/* static */ void
DebugEnvironments::forwardLiveFrame(JSContext* cx, AbstractFramePtr from, AbstractFramePtr to)
{
    DebugEnvironments* envs = cx->compartment()->debugEnvs;
    if (!envs)
        return;

    for (MissingEnvironmentMap::Enum e(envs->missingEnvs); !e.empty(); e.popFront()) {
        MissingEnvironmentKey key = e.front().key();
        if (key.frame() == from) {
            key.updateFrame(to);
            e.rekeyFront(key);
        }
    }

    for (LiveEnvironmentMap::Enum e(envs->liveEnvs); !e.empty(); e.popFront()) {
        LiveEnvironmentVal& val = e.front().value();
        if (val.frame() == from)
            val.updateFrame(to);
    }
}

/* static */ void
DebugEnvironments::markLiveFrame(JSTracer* trc, AbstractFramePtr frame)
{
    for (MissingEnvironmentMap::Enum e(missingEnvs); !e.empty(); e.popFront()) {
        if (e.front().key().frame() == frame)
            TraceEdge(trc, &e.front().value(), "debug-env-live-frame-missing-env");
    }
}

/*****************************************************************************/

static JSObject*
GetDebugEnvironment(JSContext* cx, const EnvironmentIter& ei);

static DebugEnvironmentProxy*
GetDebugEnvironmentForEnvironmentObject(JSContext* cx, const EnvironmentIter& ei)
{
    Rooted<EnvironmentObject*> env(cx, &ei.environment());
    if (DebugEnvironmentProxy* debugEnv = DebugEnvironments::hasDebugEnvironment(cx, *env))
        return debugEnv;

    EnvironmentIter copy(cx, ei);
    RootedObject enclosingDebug(cx, GetDebugEnvironment(cx, ++copy));
    if (!enclosingDebug)
        return nullptr;

    Rooted<DebugEnvironmentProxy*> debugEnv(cx,
        DebugEnvironmentProxy::create(cx, *env, enclosingDebug));
    if (!debugEnv)
        return nullptr;

    if (!DebugEnvironments::addDebugEnvironment(cx, env, debugEnv))
        return nullptr;

    return debugEnv;
}

static DebugEnvironmentProxy*
GetDebugEnvironmentForMissing(JSContext* cx, const EnvironmentIter& ei)
{
    MOZ_ASSERT(!ei.hasSyntacticEnvironment() &&
               (ei.scope().is<FunctionScope>() ||
                ei.scope().is<LexicalScope>() ||
                ei.scope().is<VarScope>()));

    if (DebugEnvironmentProxy* debugEnv = DebugEnvironments::hasDebugEnvironment(cx, ei))
        return debugEnv;

    EnvironmentIter copy(cx, ei);
    RootedObject enclosingDebug(cx, GetDebugEnvironment(cx, ++copy));
    if (!enclosingDebug)
        return nullptr;

    /*
     * Create the missing environment object. For lexical environment objects,
     * this takes care of storing variable values after the stack frame has
     * been popped. For call objects, we only use the pretend call object to
     * access callee, bindings and to receive dynamically added
     * properties. Together, this provides the nice invariant that every
     * DebugEnvironmentProxy has a EnvironmentObject.
     *
     * Note: to preserve envChain depth invariants, these lazily-reified
     * envs must not be put on the frame's environment chain; instead, they are
     * maintained via DebugEnvironments hooks.
     */
    Rooted<DebugEnvironmentProxy*> debugEnv(cx);
    if (ei.scope().is<FunctionScope>()) {
        RootedFunction callee(cx, ei.scope().as<FunctionScope>().canonicalFunction());
        // Generators should always reify their scopes.
        MOZ_ASSERT(!callee->isGenerator());

        JS::ExposeObjectToActiveJS(callee);
        Rooted<CallObject*> callobj(cx, CallObject::createHollowForDebug(cx, callee));
        if (!callobj)
            return nullptr;

        debugEnv = DebugEnvironmentProxy::create(cx, *callobj, enclosingDebug);
    } else if (ei.scope().is<LexicalScope>()) {
        Rooted<LexicalScope*> lexicalScope(cx, &ei.scope().as<LexicalScope>());
        Rooted<LexicalEnvironmentObject*> env(cx,
            LexicalEnvironmentObject::createHollowForDebug(cx, lexicalScope));
        if (!env)
            return nullptr;

        debugEnv = DebugEnvironmentProxy::create(cx, *env, enclosingDebug);
    } else {
        Rooted<VarScope*> varScope(cx, &ei.scope().as<VarScope>());
        Rooted<VarEnvironmentObject*> env(cx,
            VarEnvironmentObject::createHollowForDebug(cx, varScope));
        if (!env)
            return nullptr;

        debugEnv = DebugEnvironmentProxy::create(cx, *env, enclosingDebug);
    }

    if (!debugEnv)
        return nullptr;

    if (!DebugEnvironments::addDebugEnvironment(cx, ei, debugEnv))
        return nullptr;

    return debugEnv;
}

static JSObject*
GetDebugEnvironmentForNonEnvironmentObject(const EnvironmentIter& ei)
{
    JSObject& enclosing = ei.enclosingEnvironment();
#ifdef DEBUG
    JSObject* o = &enclosing;
    while ((o = o->enclosingEnvironment()))
        MOZ_ASSERT(!o->is<EnvironmentObject>());
#endif
    return &enclosing;
}

static JSObject*
GetDebugEnvironment(JSContext* cx, const EnvironmentIter& ei)
{
    JS_CHECK_RECURSION(cx, return nullptr);

    if (ei.done())
        return GetDebugEnvironmentForNonEnvironmentObject(ei);

    if (ei.hasAnyEnvironmentObject())
        return GetDebugEnvironmentForEnvironmentObject(cx, ei);

    if (ei.scope().is<FunctionScope>() ||
        ei.scope().is<LexicalScope>() ||
        ei.scope().is<VarScope>())
    {
        return GetDebugEnvironmentForMissing(cx, ei);
    }

    EnvironmentIter copy(cx, ei);
    return GetDebugEnvironment(cx, ++copy);
}

JSObject*
js::GetDebugEnvironmentForFunction(JSContext* cx, HandleFunction fun)
{
    assertSameCompartment(cx, fun);
    MOZ_ASSERT(CanUseDebugEnvironmentMaps(cx));
    if (!DebugEnvironments::updateLiveEnvironments(cx))
        return nullptr;
    JSScript* script = JSFunction::getOrCreateScript(cx, fun);
    if (!script)
        return nullptr;
    EnvironmentIter ei(cx, fun->environment(), script->enclosingScope());
    return GetDebugEnvironment(cx, ei);
}

JSObject*
js::GetDebugEnvironmentForFrame(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc)
{
    assertSameCompartment(cx, frame);
    if (CanUseDebugEnvironmentMaps(cx) && !DebugEnvironments::updateLiveEnvironments(cx))
        return nullptr;

    EnvironmentIter ei(cx, frame, pc);
    return GetDebugEnvironment(cx, ei);
}

JSObject*
js::GetDebugEnvironmentForGlobalLexicalEnvironment(JSContext* cx)
{
    EnvironmentIter ei(cx, &cx->global()->lexicalEnvironment(), &cx->global()->emptyGlobalScope());
    return GetDebugEnvironment(cx, ei);
}

// See declaration and documentation in jsfriendapi.h
JS_FRIEND_API(JSObject*)
js::GetNearestEnclosingWithEnvironmentObjectForFunction(JSFunction* fun)
{
    if (!fun->isInterpreted())
        return &fun->global();

    JSObject* env = fun->environment();
    while (env && !env->is<WithEnvironmentObject>())
        env = env->enclosingEnvironment();

    if (!env)
        return &fun->global();

    return &env->as<WithEnvironmentObject>().object();
}

bool
js::CreateObjectsForEnvironmentChain(JSContext* cx, AutoObjectVector& chain,
                                     HandleObject terminatingEnv, MutableHandleObject envObj)
{
#ifdef DEBUG
    for (size_t i = 0; i < chain.length(); ++i) {
        assertSameCompartment(cx, chain[i]);
        MOZ_ASSERT(!chain[i]->is<GlobalObject>());
    }
#endif

    // Construct With object wrappers for the things on this environment chain
    // and use the result as the thing to scope the function to.
    Rooted<WithEnvironmentObject*> withEnv(cx);
    RootedObject enclosingEnv(cx, terminatingEnv);
    for (size_t i = chain.length(); i > 0; ) {
        withEnv = WithEnvironmentObject::createNonSyntactic(cx, chain[--i], enclosingEnv);
        if (!withEnv)
            return false;
        enclosingEnv = withEnv;
    }

    envObj.set(enclosingEnv);
    return true;
}

JSObject&
WithEnvironmentObject::object() const
{
    return getReservedSlot(OBJECT_SLOT).toObject();
}

JSObject*
WithEnvironmentObject::withThis() const
{
    return &getReservedSlot(THIS_SLOT).toObject();
}

bool
WithEnvironmentObject::isSyntactic() const
{
    Value v = getReservedSlot(SCOPE_SLOT);
    MOZ_ASSERT(v.isPrivateGCThing() || v.isNull());
    return v.isPrivateGCThing();
}

WithScope&
WithEnvironmentObject::scope() const
{
    MOZ_ASSERT(isSyntactic());
    return *static_cast<WithScope*>(getReservedSlot(SCOPE_SLOT).toGCThing());
}

ModuleEnvironmentObject*
js::GetModuleEnvironmentForScript(JSScript* script)
{
    for (ScopeIter si(script); si; si++) {
        if (si.kind() == ScopeKind::Module)
            return si.scope()->as<ModuleScope>().module()->environment();
    }
    return nullptr;
}

bool
js::GetThisValueForDebuggerMaybeOptimizedOut(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc,
                                             MutableHandleValue res)
{
    for (EnvironmentIter ei(cx, frame, pc); ei; ei++) {
        if (ei.scope().kind() == ScopeKind::Module) {
            res.setUndefined();
            return true;
        }

        if (!ei.scope().is<FunctionScope>() ||
            ei.scope().as<FunctionScope>().canonicalFunction()->hasLexicalThis())
        {
            continue;
        }

        RootedScript script(cx, ei.scope().as<FunctionScope>().script());

        // Figure out if we executed JSOP_FUNCTIONTHIS and set it.
        bool executedInitThisOp = false;
        if (script->functionHasThisBinding()) {
            for (jsbytecode* it = script->code(); it < script->codeEnd(); it = GetNextPc(it)) {
                if (*it == JSOP_FUNCTIONTHIS) {
                    // The next op after JSOP_FUNCTIONTHIS always sets it.
                    executedInitThisOp = pc > GetNextPc(it);
                    break;
                }
            }
        }

        if (ei.withinInitialFrame() && !executedInitThisOp) {
            // Either we're yet to initialize the this-binding
            // (JSOP_FUNCTIONTHIS), or the script does not have a this-binding
            // (because it doesn't use |this|).

            // If our this-argument is an object, or we're in strict mode,
            // the this-binding is always the same as our this-argument.
            if (frame.thisArgument().isObject() || script->strict()) {
                res.set(frame.thisArgument());
                return true;
            }

            // We didn't initialize the this-binding yet. Determine the
            // correct |this| value for this frame (box primitives if not
            // in strict mode), and assign it to the this-argument slot so
            // JSOP_FUNCTIONTHIS will use it and not box a second time.
            if (!GetFunctionThis(cx, frame, res))
                return false;
            frame.thisArgument() = res;
            return true;
        }

        if (!script->functionHasThisBinding()) {
            res.setMagic(JS_OPTIMIZED_OUT);
            return true;
        }

        for (Rooted<BindingIter> bi(cx, BindingIter(script)); bi; bi++) {
            if (bi.name() != cx->names().dotThis)
                continue;

            BindingLocation loc = bi.location();
            if (loc.kind() == BindingLocation::Kind::Environment) {
                RootedObject callObj(cx, &ei.environment().as<CallObject>());
                return GetProperty(cx, callObj, callObj, bi.name()->asPropertyName(), res);
            }

            if (loc.kind() == BindingLocation::Kind::Frame && ei.withinInitialFrame())
                res.set(frame.unaliasedLocal(loc.slot()));
            else
                res.setMagic(JS_OPTIMIZED_OUT);

            return true;
        }

        MOZ_CRASH("'this' binding must be found");
    }

    RootedObject scopeChain(cx, frame.environmentChain());
    return GetNonSyntacticGlobalThis(cx, scopeChain, res);
}

bool
js::CheckLexicalNameConflict(JSContext* cx, Handle<LexicalEnvironmentObject*> lexicalEnv,
                             HandleObject varObj, HandlePropertyName name)
{
    const char* redeclKind = nullptr;
    RootedId id(cx, NameToId(name));
    RootedShape shape(cx);
    if (varObj->is<GlobalObject>() && varObj->compartment()->isInVarNames(name)) {
        // ES 15.1.11 step 5.a
        redeclKind = "var";
    } else if ((shape = lexicalEnv->lookup(cx, name))) {
        // ES 15.1.11 step 5.b
        redeclKind = shape->writable() ? "let" : "const";
    } else if (varObj->isNative() && (shape = varObj->as<NativeObject>().lookup(cx, name))) {
        // Faster path for ES 15.1.11 step 5.c-d when the shape can be found
        // without going through a resolve hook.
        if (!shape->configurable())
            redeclKind = "non-configurable global property";
    } else {
        // ES 15.1.11 step 5.c-d
        Rooted<PropertyDescriptor> desc(cx);
        if (!GetOwnPropertyDescriptor(cx, varObj, id, &desc))
            return false;
        if (desc.object() && desc.hasConfigurable() && !desc.configurable())
            redeclKind = "non-configurable global property";
    }

    if (redeclKind) {
        ReportRuntimeRedeclaration(cx, name, redeclKind);
        return false;
    }

    return true;
}

bool
js::CheckVarNameConflict(JSContext* cx, Handle<LexicalEnvironmentObject*> lexicalEnv,
                         HandlePropertyName name)
{
    if (Shape* shape = lexicalEnv->lookup(cx, name)) {
        ReportRuntimeRedeclaration(cx, name, shape->writable() ? "let" : "const");
        return false;
    }
    return true;
}

static void
ReportCannotDeclareGlobalBinding(JSContext* cx, HandlePropertyName name, const char* reason)
{
    JSAutoByteString printable;
    if (AtomToPrintableString(cx, name, &printable)) {
        JS_ReportErrorNumberLatin1(cx, GetErrorMessage, nullptr,
                                   JSMSG_CANT_DECLARE_GLOBAL_BINDING,
                                   printable.ptr(), reason);
    }
}

bool
js::CheckCanDeclareGlobalBinding(JSContext* cx, Handle<GlobalObject*> global,
                                 HandlePropertyName name, bool isFunction)
{
    RootedId id(cx, NameToId(name));
    Rooted<PropertyDescriptor> desc(cx);
    if (!GetOwnPropertyDescriptor(cx, global, id, &desc))
        return false;

    // ES 8.1.1.4.15 CanDeclareGlobalVar
    // ES 8.1.1.4.16 CanDeclareGlobalFunction

    // Step 4.
    if (!desc.object()) {
        // 8.1.14.15 step 6.
        // 8.1.14.16 step 5.
        if (global->nonProxyIsExtensible())
            return true;

        ReportCannotDeclareGlobalBinding(cx, name, "global is non-extensible");
        return false;
    }

    // Global functions have additional restrictions.
    if (isFunction) {
        // 8.1.14.16 step 6.
        if (desc.configurable())
            return true;

        // 8.1.14.16 step 7.
        if (desc.isDataDescriptor() && desc.writable() && desc.enumerable())
            return true;

        ReportCannotDeclareGlobalBinding(cx, name,
                                         "property must be configurable or "
                                         "both writable and enumerable");
        return false;
    }

    return true;
}

bool
js::CheckGlobalDeclarationConflicts(JSContext* cx, HandleScript script,
                                    Handle<LexicalEnvironmentObject*> lexicalEnv,
                                    HandleObject varObj)
{
    // Due to the extensibility of the global lexical environment, we must
    // check for redeclaring a binding.
    //
    // In the case of non-syntactic environment chains, we are checking
    // redeclarations against the non-syntactic lexical environment and the
    // variables object that the lexical environment corresponds to.
    RootedPropertyName name(cx);
    Rooted<BindingIter> bi(cx, BindingIter(script));

    // ES 15.1.11 GlobalDeclarationInstantiation

    // Step 6.
    //
    // Check 'var' declarations do not conflict with existing bindings in the
    // global lexical environment.
    for (; bi; bi++) {
        if (bi.kind() != BindingKind::Var)
            break;
        name = bi.name()->asPropertyName();
        if (!CheckVarNameConflict(cx, lexicalEnv, name))
            return false;

        // Step 10 and 12.
        //
        // Check that global functions and vars may be declared.
        if (varObj->is<GlobalObject>()) {
            Handle<GlobalObject*> global = varObj.as<GlobalObject>();
            if (!CheckCanDeclareGlobalBinding(cx, global, name, bi.isTopLevelFunction()))
                return false;
        }
    }

    // Step 5.
    //
    // Check that lexical bindings do not conflict.
    for (; bi; bi++) {
        name = bi.name()->asPropertyName();
        if (!CheckLexicalNameConflict(cx, lexicalEnv, varObj, name))
            return false;
    }

    return true;
}

static bool
CheckVarNameConflictsInEnv(JSContext* cx, HandleScript script, HandleObject obj)
{
    Rooted<LexicalEnvironmentObject*> env(cx);

    if (obj->is<LexicalEnvironmentObject>()) {
        env = &obj->as<LexicalEnvironmentObject>();
    } else if (obj->is<DebugEnvironmentProxy>() &&
               obj->as<DebugEnvironmentProxy>().environment().is<LexicalEnvironmentObject>())
    {
        env = &obj->as<DebugEnvironmentProxy>().environment().as<LexicalEnvironmentObject>();
    } else {
        // Environment cannot contain lexical bindings.
        return true;
    }

    if (env->isSyntactic() && !env->isGlobal() && env->scope().kind() == ScopeKind::SimpleCatch) {
        // Annex B.3.5 allows redeclaring simple (non-destructured) catch
        // parameters with var declarations, except when it appears in a
        // for-of. The for-of allowance is computed in
        // Parser::isVarRedeclaredInEval.
        return true;
    }

    RootedPropertyName name(cx);
    for (BindingIter bi(script); bi; bi++) {
        name = bi.name()->asPropertyName();
        if (!CheckVarNameConflict(cx, env, name))
            return false;
    }

    return true;
}

bool
js::CheckEvalDeclarationConflicts(JSContext* cx, HandleScript script,
                                  HandleObject scopeChain, HandleObject varObj)
{
    if (!script->bodyScope()->as<EvalScope>().hasBindings())
        return true;

    RootedObject obj(cx, scopeChain);

    // ES 18.2.1.3.

    // Step 5.
    //
    // Check that a direct eval will not hoist 'var' bindings over lexical
    // bindings with the same name.
    while (obj != varObj) {
        if (!CheckVarNameConflictsInEnv(cx, script, obj))
            return false;
        obj = obj->enclosingEnvironment();
    }

    // Step 8.
    //
    // Check that global functions may be declared.
    if (varObj->is<GlobalObject>()) {
        Handle<GlobalObject*> global = varObj.as<GlobalObject>();
        RootedPropertyName name(cx);
        for (Rooted<BindingIter> bi(cx, BindingIter(script)); bi; bi++) {
            name = bi.name()->asPropertyName();
            if (!CheckCanDeclareGlobalBinding(cx, global, name, bi.isTopLevelFunction()))
                return false;
        }
    }

    return true;
}

bool
js::InitFunctionEnvironmentObjects(JSContext* cx, AbstractFramePtr frame)
{
    MOZ_ASSERT(frame.isFunctionFrame());
    MOZ_ASSERT(frame.callee()->needsSomeEnvironmentObject());

    RootedFunction callee(cx, frame.callee());

    // Named lambdas may have an environment that holds itself for recursion.
    if (callee->needsNamedLambdaEnvironment()) {
        NamedLambdaObject* declEnv;
        if (callee->isAsync()) {
            // Named async function needs special environment to return
            // wrapped function for the binding.
            RootedFunction fun(cx, GetWrappedAsyncFunction(callee));
            declEnv = NamedLambdaObject::create(cx, frame, fun);
        } else {
            declEnv = NamedLambdaObject::create(cx, frame);
        }
        if (!declEnv)
            return false;
        frame.pushOnEnvironmentChain(*declEnv);
    }

    // If the function has parameter default expressions, there may be an
    // extra environment to hold the parameters.
    if (callee->needsCallObject()) {
        CallObject* callObj = CallObject::create(cx, frame);
        if (!callObj)
            return false;
        frame.pushOnEnvironmentChain(*callObj);
    }

    return true;
}

bool
js::PushVarEnvironmentObject(JSContext* cx, HandleScope scope, AbstractFramePtr frame)
{
    VarEnvironmentObject* env = VarEnvironmentObject::create(cx, scope, frame);
    if (!env)
        return false;
    frame.pushOnEnvironmentChain(*env);
    return true;
}

#ifdef DEBUG

typedef HashSet<PropertyName*> PropertyNameSet;

static bool
RemoveReferencedNames(JSContext* cx, HandleScript script, PropertyNameSet& remainingNames)
{
    // Remove from remainingNames --- the closure variables in some outer
    // script --- any free variables in this script. This analysis isn't perfect:
    //
    // - It will not account for free variables in an inner script which are
    //   actually accessing some name in an intermediate script between the
    //   inner and outer scripts. This can cause remainingNames to be an
    //   underapproximation.
    //
    // - It will not account for new names introduced via eval. This can cause
    //   remainingNames to be an overapproximation. This would be easy to fix
    //   but is nice to have as the eval will probably not access these
    //   these names and putting eval in an inner script is bad news if you
    //   care about entraining variables unnecessarily.

    for (jsbytecode* pc = script->code(); pc != script->codeEnd(); pc += GetBytecodeLength(pc)) {
        PropertyName* name;

        switch (JSOp(*pc)) {
          case JSOP_GETNAME:
          case JSOP_SETNAME:
          case JSOP_STRICTSETNAME:
            name = script->getName(pc);
            break;

          case JSOP_GETGNAME:
          case JSOP_SETGNAME:
          case JSOP_STRICTSETGNAME:
            if (script->hasNonSyntacticScope())
                name = script->getName(pc);
            else
                name = nullptr;
            break;

          case JSOP_GETALIASEDVAR:
          case JSOP_SETALIASEDVAR:
            name = EnvironmentCoordinateName(cx->caches.envCoordinateNameCache, script, pc);
            break;

          default:
            name = nullptr;
            break;
        }

        if (name)
            remainingNames.remove(name);
    }

    if (script->hasObjects()) {
        ObjectArray* objects = script->objects();
        RootedFunction fun(cx);
        RootedScript innerScript(cx);
        for (size_t i = 0; i < objects->length; i++) {
            JSObject* obj = objects->vector[i];
            if (obj->is<JSFunction>() && obj->as<JSFunction>().isInterpreted()) {
                fun = &obj->as<JSFunction>();
                innerScript = JSFunction::getOrCreateScript(cx, fun);
                if (!innerScript)
                    return false;

                if (!RemoveReferencedNames(cx, innerScript, remainingNames))
                    return false;
            }
        }
    }

    return true;
}

static bool
AnalyzeEntrainedVariablesInScript(JSContext* cx, HandleScript script, HandleScript innerScript)
{
    PropertyNameSet remainingNames(cx);
    if (!remainingNames.init())
        return false;

    for (BindingIter bi(script); bi; bi++) {
        if (bi.closedOver()) {
            PropertyName* name = bi.name()->asPropertyName();
            PropertyNameSet::AddPtr p = remainingNames.lookupForAdd(name);
            if (!p && !remainingNames.add(p, name))
                return false;
        }
    }

    if (!RemoveReferencedNames(cx, innerScript, remainingNames))
        return false;

    if (!remainingNames.empty()) {
        Sprinter buf(cx);
        if (!buf.init())
            return false;

        buf.printf("Script ");

        if (JSAtom* name = script->functionNonDelazifying()->displayAtom()) {
            buf.putString(name);
            buf.printf(" ");
        }

        buf.printf("(%s:%" PRIuSIZE ") has variables entrained by ", script->filename(), script->lineno());

        if (JSAtom* name = innerScript->functionNonDelazifying()->displayAtom()) {
            buf.putString(name);
            buf.printf(" ");
        }

        buf.printf("(%s:%" PRIuSIZE ") ::", innerScript->filename(), innerScript->lineno());

        for (PropertyNameSet::Range r = remainingNames.all(); !r.empty(); r.popFront()) {
            buf.printf(" ");
            buf.putString(r.front());
        }

        printf("%s\n", buf.string());
    }

    if (innerScript->hasObjects()) {
        ObjectArray* objects = innerScript->objects();
        RootedFunction fun(cx);
        RootedScript innerInnerScript(cx);
        for (size_t i = 0; i < objects->length; i++) {
            JSObject* obj = objects->vector[i];
            if (obj->is<JSFunction>() && obj->as<JSFunction>().isInterpreted()) {
                fun = &obj->as<JSFunction>();
                innerInnerScript = JSFunction::getOrCreateScript(cx, fun);
                if (!innerInnerScript ||
                    !AnalyzeEntrainedVariablesInScript(cx, script, innerInnerScript))
                {
                    return false;
                }
            }
        }
    }

    return true;
}

// Look for local variables in script or any other script inner to it, which are
// part of the script's call object and are unnecessarily entrained by their own
// inner scripts which do not refer to those variables. An example is:
//
// function foo() {
//   var a, b;
//   function bar() { return a; }
//   function baz() { return b; }
// }
//
// |bar| unnecessarily entrains |b|, and |baz| unnecessarily entrains |a|.
bool
js::AnalyzeEntrainedVariables(JSContext* cx, HandleScript script)
{
    if (!script->hasObjects())
        return true;

    ObjectArray* objects = script->objects();
    RootedFunction fun(cx);
    RootedScript innerScript(cx);
    for (size_t i = 0; i < objects->length; i++) {
        JSObject* obj = objects->vector[i];
        if (obj->is<JSFunction>() && obj->as<JSFunction>().isInterpreted()) {
            fun = &obj->as<JSFunction>();
            innerScript = JSFunction::getOrCreateScript(cx, fun);
            if (!innerScript)
                return false;

            if (script->functionDelazifying() && script->functionDelazifying()->needsCallObject()) {
                if (!AnalyzeEntrainedVariablesInScript(cx, script, innerScript))
                    return false;
            }

            if (!AnalyzeEntrainedVariables(cx, innerScript))
                return false;
        }
    }

    return true;
}

#endif